From fe2500aa99137c9ce35907c118745d65a0c0c07e Mon Sep 17 00:00:00 2001
From: George Hazan
Date: Tue, 17 Sep 2019 12:36:24 +0300
Subject: libcurl updated to 7.66

---
 libs/libcurl/docs/CHANGES | 10998 +++++++++++++++++++++-----------------------
 1 file changed, 5304 insertions(+), 5694 deletions(-)

(limited to 'libs/libcurl/docs/CHANGES')

diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index 447b46a526..0047ab41ac 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,8010 +6,7620 @@ Changelog -Version 7.65.3 (19 Jul 2019) +Version 7.66.0 (10 Sep 2019) -Daniel Stenberg (19 Jul 2019) -- RELEASE-NOTES: 7.65.3 +Daniel Stenberg (10 Sep 2019) +- RELEASE-NOTES: curl 7.66.0 -- THANKS: 7.65.3 status +- THANKS: from the 7.66.0 release -- progress: make the progress meter appear again +- curl: make sure the parallel transfers do them all - Fix regression caused by 21080e1 + The logic could erroneously break the loop too early before all + transfers had been transferred. - Reported-by: Chih-Hsuan Yen - Fixes #4122 - Closes #4124 + Reported-by: Tom van der Woerdt + Fixes #4316 + Closes #4317 -- version: bump to 7.65.3 +- urlapi: one colon is enough for the strspn() input (typo) -- RELEASE-NOTES: Contributors or now 1990 +- urlapi: verify the IPv6 numerical address + + It needs to parse correctly. Otherwise it could be tricked into letting + through a-f using host names that libcurl would then resolve. Like + '[ab.be]'. + + Reported-by: Thomas Vegas + Closes #4315 -Version 7.65.2 (17 Jul 2019) +- [Clément Notin brought this change] -Daniel Stenberg (17 Jul 2019) -- RELEASE-NOTES: 7.65.2 + openssl: use SSL_CTX_set__proto_version() when available + + OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use + when available. Existing code is preserved for older versions of + OpenSSL. + + Closes #4304 -- THANKS: add contributors from 7.65.2 +- [Clément Notin brought this change] -Jay Satiro (17 Jul 2019) -- [aasivov brought this change] + openssl: indent, re-organize and add comments - cmake: Fix finding Brotli on case-sensitive file systems - - - Find package "Brotli" instead of "BROTLI" since the former is the - casing used for CMake/FindBrotli.cmake, and otherwise find_package - may fail on a case-sensitive file system. 
- - Fixes https://github.com/curl/curl/issues/4117 +- [migueljcrum brought this change] -- CURLOPT_RANGE.3: Caution against using it for HTTP PUT + sspi: fix memory leaks - AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've - cautioned against using it for that purpose and included a workaround. + Closes #4299 + +- travis: disable ngtcp2 builds (again) + +- Curl_fillreadbuffer: avoid double-free trailer buf on error - Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html - Reported-by: Christopher Head + Reviewed-by: Jay Satiro + Reported-by: Thomas Vegas - Closes https://github.com/curl/curl/issues/3814 + Closes #4307 -- [Stefano Simonelli brought this change] +- tool_setopt: handle a libcurl build without netrc support + + Reported-by: codesniffer13 on github + Fixes #4302 + Closes #4305 - CURLOPT_SEEKDATA.3: fix variable name +- security:read_data fix bad realloc() - Closes https://github.com/curl/curl/pull/4118 + ... that could end up a double-free + + CVE-2019-5481 + Bug: https://curl.haxx.se/docs/CVE-2019-5481.html -- [georgeok brought this change] +- [Thomas Vegas brought this change] - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH + tftp: Alloc maximum blksize, and use default unless OACK is received - If the SSL backend is Schannel and the user specifies an Schannel CALG_ - that is not supported by the protocol or the server then curl returns - CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. + Fixes potential buffer overflow from 'recvfrom()', should the server + return an OACK without blksize. 
- Fixes https://github.com/curl/curl/issues/3389 - Closes https://github.com/curl/curl/pull/4106 + Bug: https://curl.haxx.se/docs/CVE-2019-5482.html + CVE-2019-5482 -- [Daniel Gustafsson brought this change] +- [Thomas Vegas brought this change] - nss: inspect returnvalue of token check + tftp: return error when packet is too small for options + +- KNOWN_BUGS/TODO: cleanup and remove outdated issues + +- RELEASE-NOTES: synced + +- netrc: free 'home' on error - PK11_IsPresent() checks for the token for the given slot is available, - and sets needlogin flags for the PK11_Authenticate() call. Should it - return false, we should however treat it as an error and bail out. + Follow-up to f9c7ba9096ec2 - Closes https://github.com/curl/curl/pull/4110 + Coverity CID 1453474 + + Closes #4291 -- docs: Explain behavior change in --tlsv1. options since 7.54 +- urldata: avoid 'generic', use dedicated pointers - Since 7.54 --tlsv1. options use the specified version or later, however - older versions of curl documented it as using just the specified version - which may or may not have happened depending on the TLS library. - Document this discrepancy to allay confusion for users familiar with the - old documentation that expect just the specified version. + For the 'proto' union within the connectdata struct. - Fixes https://github.com/curl/curl/issues/4097 - Closes https://github.com/curl/curl/pull/4119 + Closes #4290 -- libcurl: Restrict redirect schemes (follow-up) +- cleanup: move functions out of url.c and make them static - - Allow FTPS on redirect. + Closes #4289 + +- smtp: check for and bail out on too short EHLO response - - Update default allowed redirect protocols in documentation. + Otherwise, a three byte response would make the smtp_state_ehlo_resp() + function misbehave. - Follow-up to 6080ea0. 
+ Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/16918 - Ref: https://github.com/curl/curl/pull/4094 + Assisted-by: Max Dymond - Closes https://github.com/curl/curl/pull/4115 + Closes #4287 -Daniel Stenberg (16 Jul 2019) -- test1173: make it also check all libcurl option man pages - - ... and adjust those that cause errors +- smb: init *msg to NULL in smb_send_and_recv() - Closes #4116 - -- curl: only accept COLUMNS less than 10000 + ... it might otherwise return OK from this function leaving that pointer + uninitialized. - ... as larger values would rather indicate something silly (and could - potentially cause buffer problems). + Bug: https://crbug.com/oss-fuzz/16907 - Reported-by: pendrek at hackerone - Closes #4114 + Closes #4286 -- dist: add manpage-syntax.pl +- ROADMAP: updated after recent user poll - follow-up to 7fb66c403 + In rough prio order -- test1173: detect some basic man page format mistakes +- THANKS: remove duplicate + +- Curl_addr2string: take an addrlen argument too - Triggered by PR #4111 + This allows the function to figure out if a unix domain socket has a + file name or not associated with it! When a socket is created with + socketpair(), as done in the fuzzer testing, the path struct member is + uninitialized and must not be accessed. - Closes #4113 + Bug: https://crbug.com/oss-fuzz/16699 + + Closes #4283 -Jay Satiro (15 Jul 2019) -- [Bjarni Ingi Gislason brought this change] +- [Rolf Eike Beer brought this change] - docs: Fix missing lines caused by undefined macros + CMake: remove needless newlines at end of gss variables + +- [Rolf Eike Beer brought this change] + + CI: remove duplicate configure flag for LGTM.com + +- [Rolf Eike Beer brought this change] + + CMake: use platform dependent name for dlopen() library - - Escape apostrophes at line start. + Closes #4279 + +- quiche: expire when poll returned data - Some lines begin with a "'" (apostrophe, single quote), which is then - interpreted as a control character in *roff. + ... 
to make sure we continue draining the queue until empty - Such lines are interpreted as being a call to a macro, and if - undefined, the lines are removed from the output. + Closes #4281 + +- quiche: decrease available buffer size, don't assign it! - Bug: https://bugs.debian.org/926352 - Signed-off-by: Bjarni Ingi Gislason + Found-by: Jeremy Lainé + +- RELEASE-NOTES: synced + +- [Kyohei Kadota brought this change] + + curl: fix include conditions + +- [Kyohei Kadota brought this change] + + plan9: fix installation instructions - Submitted-by: Alessandro Ghedini + Closes #4276 + +- ngtcp2: on h3 stream close, call expire - Closes https://github.com/curl/curl/pull/4111 + ... to trigger a new read to detect the stream close! + + Closes #4275 -Daniel Stenberg (14 Jul 2019) -- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl - follow-up to 6080ea098 + Closes #4278 -- [Linos Giannopoulos brought this change] +- ngtcp2: set flow control window to stream buffer size + + Closes #4274 - libcurl: Add testcase for gopher redirects +- [Christopher Head brought this change] + + CURLOPT_HEADERFUNCTION.3: clarify - The testcase ensures that redirects to CURLPROTO_GOPHER won't be - allowed, by default, in the future. Also, curl is being used - for convenience while keeping the testcases DRY. + Closes #4273 + +- CURLINFO docs: mention that in redirects times are added - The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is - redirected to CURLPROTO_GOPHER + Suggested-by: Brandon Dong + Fixes #4250 + Closes #4269 + +- travis: enable ngtcp2 builds again - 
Signed-off-by: Linos Giannopoulos + Switched to the openssl-quic-draft-22 openssl branch. + + Closes #4271 -- [Linos Giannopoulos brought this change] +- HTTP3: switched openssl branch to use - libcurl: Restrict redirect schemes +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl - All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS - counterpart were allowed for redirect. This vastly broadens the - exploitation surface in case of a vulnerability such as SSRF [1], where - libcurl-based clients are forced to make requests to arbitrary hosts. + Closes #4270 + +- http2: when marked for closure and wanted to close == OK - For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based - protocol by URL-encoding a payload in the URI. Gopher will open a TCP - connection and send the payload. + It could otherwise return an error even when closed correctly if GOAWAY + had been received previously. - Only HTTP/HTTPS and FTP are allowed. All other protocols have to be - explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. + Reported-by: Tom van der Woerdt + Fixes #4267 + Closes #4268 + +- RELEASE-NOTES: synced + +- build-openssl: fix build with Visual Studio 2019 - [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ + Reviewed-by: Marcel Raad + Contributed-by: osabc on github + Fixes #4188 + Closes #4266 + +Kamil Dudka (26 Aug 2019) +- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure - 
Signed-off-by: Linos Giannopoulos + This is a follow-up to https://github.com/curl/curl/pull/3864 . - Closes #4094 + Closes #4224 -- [Zenju brought this change] +Daniel Stenberg (26 Aug 2019) +- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows + + Closes #4040 - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number +- quiche: send the HTTP body correctly on callback uploads - Closes #4100 + Closes #4265 -- [Peter Simonyi brought this change] +- travis: disable ngtcp2 builds (temporarily) + + Just too many API changes right now + + Closes #4264 - http: allow overriding timecond with custom header +- ngtcp2: add support for SSLKEYLOGFILE - With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. - If-Modified-Since). Allow this to be replaced or suppressed with - CURLOPT_HTTPHEADER. + Closes #4260 + +- ngtcp2: improve h3 response receiving - Fixes #4103 - Closes #4109 + Closes #4259 -Jay Satiro (11 Jul 2019) -- [Juergen Hoetzel brought this change] +- ngtcp2: use nghttp3_version() - smb: Use the correct error code for access denied on file open +- ngtcp2: sync with upstream API changes - - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. + Assisted-by: Tatsuhiro Tsujikawa + +- [Kyle Abramowitz brought this change] + + scp: fix directory name length used in memcpy - Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. + Fix read off end of array due to bad pointer math in getworkingpath for + SCP home directory case. - Closes https://github.com/curl/curl/pull/4095 - -- [Daniel Gustafsson brought this change] + Closes #4258 - DEPRECATE: fixup versions and spelling +- http: the 'closed' struct field is used by both ngh2 and ngh3 - Correctly set the July 17 version to 7.65.2, and update spelling to - be consistent. Also fix a typo. 
+ and remove 'header_recvbuf', not used for anything - Closes https://github.com/curl/curl/pull/4107 + Reported-by: Jeremy Lainé + + Closes #4257 -- [Gisle Vanem brought this change] +- ngtcp2: accept upload via callback + + Closes #4256 - system_win32: fix clang warning +- defines: avoid underscore-prefixed defines - - Declare variable in header as extern. + Double-underscored or underscore plus uppercase letter at least. - Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 - -Daniel Gustafsson (10 Jul 2019) -- headers: Remove no longer exported functions + ... as they're claimed to be reserved. - There were a leftover few prototypes of Curl_ functions that we used to - export but no longer do, this removes those prototypes and cleans up any - comments still referring to them. + Reported-by: patnyb on github - Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() - Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() - were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. - Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. + Fixes #4254 + Closes #4255 + +- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) - For the remainder, I didn't trawl the Git logs hard enough to capture - their exact time of deletion, but they were all gone: Curl_splayprint(), - Curl_http2_send_request(), Curl_global_host_cache_dtor(), - Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), - Curl_http_auth_stage() and Curl_close_connections(). 
+ Runs no tests - Closes #4096 - Reviewed-by: Daniel Stenberg + Closes #4253 -- CMake: fix typos and spelling +- travis: bump to using nghttp2 version 1.39.2 + + Closes #4252 -- [Kyle Edwards brought this change] +- [Gisle Vanem brought this change] - CMake: Convert errant elseif() to else() + docs/examples/curlx: fix errors - CMake interprets an elseif() with no arguments as elseif(FALSE), - resulting in the elseif() block not being executed. That is not what - was intended here. Change the empty elseif() to an else() as it was - intended. + Initialise 'mimetype' and require the -p12 arg. - Closes #4101 - Reported-by: Artalus - Reviewed-by: Daniel Gustafsson + Closes #4248 -- buildconf: fix header filename +- cleanup: remove DOT_CHAR completely - The header file inclusion had a typo, it should be .h and not .hd. - Fix by renaming. + Follow-up to f9c7ba9096ec - Fixes #4102 - Reported-by: AceCrow on Github + The use of DOT_CHAR for ".ssh" was probably a mistake and is removed + now. + + Pointed-out-by: Gisle Vanem + Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + + Closes #4247 -- [Jan Chren brought this change] +- spnego_sspi: add typecast to fix build warning + + Reported in build "Win32 target on Debian Stretch (64-bit) - + i686-w64-mingw32 - gcc-20170516" + + Closes #4245 - configure: fix --disable-code-coverage +- openssl: build warning free with boringssl - This fixes the case when --disable-code-coverage supplied to ./configure - would result in coverage="yes" being set. 
+ Closes #4244 + +- curl: make --libcurl use CURL_HTTP_VERSION_3 - Closes #4099 - Reviewed-by: Daniel Gustafsson + Closes #4243 -- cleanup: fix typo in comment +- ngtcp2: make postfields-set posts work + + Closes #4242 -- RELEASE-NOTES: synced +- http: remove chunked-encoding and expect header use for HTTP/3 -Jay Satiro (6 Jul 2019) -- [Daniel Gustafsson brought this change] +- [Alessandro Ghedini brought this change] - nss: support using libnss on macOS + configure: use pkg-config to detect quiche - The file suffix for dynamically loadable objects on macOS is .dylib, - which need to be added for the module definitions in order to get the - NSS TLS backend to work properly on macOS. + This removes the need to hard-code the quiche target path in + configure.ac. - Closes https://github.com/curl/curl/pull/4046 + This depends on https://github.com/cloudflare/quiche/pull/128 + + Closes #4237 -- [Daniel Gustafsson brought this change] +- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 + + For a long time (since 7.28.1) we've returned error when setting the + value to 1 to make applications notice that we stopped supported the old + behavior for 1. Starting now, we treat 1 and 2 exactly the same. + + Closes #4241 - nss: don't set unused parameter +- curl: use .curlrc (with a dot) on Windows as well - The value of the maxPTDs parameter to PR_Init() has since at least - NSPR 2.1, which was released sometime in 1998, been marked ignored - as is accordingly not used in the initialization code. Setting it - to a value when calling PR_Init() is thus benign, but indicates an - intent which may be misleading. Reset the value to zero to improve - clarity. + Fall-back to _curlrc if the dot-version is missing. 
- Closes https://github.com/curl/curl/pull/4054 - -- [Daniel Gustafsson brought this change] + Co-Authored-By: Steve Holme + + Closes #4230 - nss: only cache valid CRL entries +- netrc: make the code try ".netrc" on Windows as well - Change the logic around such that we only keep CRLs that NSS actually - ended up caching around for later deletion. If CERT_CacheCRL() fails - then there is little point in delaying the freeing of the CRL as it - is not used. + ... but fall back and try "_netrc" too if the dot version didn't work. - Closes https://github.com/curl/curl/pull/4053 - -- [Gergely Nagy brought this change] + Co-Authored-By: Steve Holme - lib: Use UTF-8 encoding in comments +- ngtcp2: use ngtcp2_version() to get the run-time version - Some editors and IDEs assume that source files use UTF-8 file encodings. - It also fixes the build with MSVC when /utf-8 command line option is - used (this option is mandatory for some other open-source projects, this - is useful when using the same options is desired for building all - libraries of a project). + ... which of course doesn't have to be the same used at build-time. - Closes https://github.com/curl/curl/pull/4087 - -- [Caleb Raitto brought this change] + Function just recently merged in ngtcp2. - CURLOPT_HEADEROPT.3: Fix example +- ngtcp2: move the h3 initing to immediately after the rx key - Fix an issue where example builds a curl_slist, but fails to actually - use it, or free it. + To fix a segfault and to better deal with 0-RTT - Closes https://github.com/curl/curl/pull/4090 + Assisted-by: Tatsuhiro Tsujikawa -- [Shankar Jadhavar brought this change] +- [Alessandro Ghedini brought this change] - winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG + quiche: register debug callback once and earlier - - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. + The quiche debug callback is global and can only be initialized once, so + make sure we don't do it multiple times (e.g. 
if multiple requests are + executed). - - Also removed some ^M chars from file. + In addition this initializes the callback before the connection is + created, so we get logs for the handshake as well. - Prior to this change while building on Windows platform even if we pass - the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does - not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. + Closes #4236 + +- ssh: add a generic Curl_ssh_version function for SSH backends - Closes https://github.com/curl/curl/pull/4086 + Closes #4235 -Daniel Stenberg (4 Jul 2019) -- doh-url.d: added in 7.62.0 +- base64: check for SSH, not specific SSH backends -Jay Satiro (30 Jun 2019) -- docs: Fix links to OpenSSL docs +- vssh: move ssh init/cleanup functions into backend code + +- vssh: create directory for SSH backend code + +- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - OpenSSL changed their manual locations and does not redirect to the new - locations. + HTTP3 is now already in full progress - Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html - Reported-by: Daniel Stenberg + Downgrade redirects can be achived almost exactly like that by setting + CURLOPT_REDIR_PROTOCOLS. -Daniel Stenberg (26 Jun 2019) -- [Gaël PORTAY brought this change] +- RELEASE-NOTES: synced - curl_multi_wait.3: escape backslash in example +- travis: add a quiche build - The backslash in the character Line Feed must be escaped. + Closes #4207 + +- http: fix use of credentials from URL when using HTTP proxy - The current man-page outputs the code as following: + When a username and password are provided in the URL, they were wrongly + removed from the stored URL so that subsequent uses of the same URL + wouldn't find the crendentials. This made doing HTTP auth with multiple + connections (like Digest) mishave. - fprintf(stderr, "curl_multi failed, code %d.0, mc); + Regression from 46e164069d1a5230 (7.62.0) - The commit fixes it as follow: + Test case 335 added to verify. 
- fprintf(stderr, "curl_multi failed, code %d\n", mc); + Reported-by: Mike Crowe - Closes #4079 + Fixes #4228 + Closes #4229 -- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined +- [Mike Crowe brought this change] + + tests: Replace outdated test case numbering documentation - ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is - built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for - UWP (with "VC-WIN32-UWP"). + Tests are no longer grouped by numeric range[1]. Let's stop saying that + and provide some alternative advice for numbering tests. - Reported-by: Vasily Lobaskin - Fixes #4073 - Closes #4077 + [1] https://curl.haxx.se/mail/lib-2019-08/0043.html + + Closes #4227 -- test1521: adapt to SLISTPOINT +- travis: reduce number of torture tests in 'coverage' - The header now has the slist-using options marked as SLISTPOINT so this - makes sure test 1521 understands that. + ... to make it complete in time. This cut seems not almost not affect + the coverage percentage and yet completes within 35 minutes on travis + where the previous runs recently always timed out after 50. - Follow-up to ae99b4de1c443ae989 + Closes #4223 + +- [Igor Makarov brought this change] + + configure: use -lquiche to link to quiche - Closes #4074 + Closes #4226 -- win32: make DLL loading a no-op for UWP +- ngtcp2: provide the callbacks as a static struct - Reported-by: Michael Brehm - Fixes #4060 - Closes #4072 + ... 
instead of having them in quicsocket -- [1ocalhost brought this change] +- [Tatsuhiro Tsujikawa brought this change] - configure: fix typo '--disable-http-uath' + ngtcp2: add missing nghttp3_conn_add_write_offset call - Closes #4076 + Closes #4225 -- [Niklas Hambüchen brought this change] +- [Tatsuhiro Tsujikawa brought this change] - docs: fix string suggesting HTTP/2 is not the default - - Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the - man page that new default is mentioned, but the section at the top - contradicted it until now. - - Also remove claim that setting the HTTP version is not sensible. - - Closes #4075 + ngtcp2: deal with stream close -- RELEASE-NOTES: synced +- [Tatsuhiro Tsujikawa brought this change] -- [Stephan Szabo brought this change] + ngtcp2: Consume QUIC STREAM data properly - tests: update fixed IP for hostip/clientip split +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: don't reinitialize SSL on Retry + +- multi: getsock improvements for QUIC connecting + +- connect: connections are persistent by default for HTTP/3 + +- quiche: happy eyeballs - These tests give differences for me on linux when using a hostip - pointing to the external ip address for the local machine. + Closes #4220 + +- ngtcp2: do QUIC connections happy-eyeballs friendly + +- curl_version: bump string buffer size to 250 - Closes #4070 + With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which + causes a truncated output). -Daniel Gustafsson (24 Jun 2019) -- http: clarify header buffer size calculation +- CURLOPT_ALTSVC.3: use a "" file name to not load from a file + +Jay Satiro (14 Aug 2019) +- vauth: Use CURLE_AUTH_ERROR for auth function errors - The header buffer size calculation can from static analysis seem to - overlow as it performs an addition between two size_t variables and - stores the result in a size_t variable. 
Overflow is however guarded - against elsewhere since the input to the addition is regulated by - the maximum read buffer size. Clarify this with a comment since the - question was asked. + - Add new error code CURLE_AUTH_ERROR. - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (24 Jun 2019) -- KNOWN_BUGS: Don't clear digest for single realm + Prior to this change auth function errors were signaled by + CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was + technically correct. - Closes #3267 + Ref: https://github.com/curl/curl/pull/3848 + + Co-authored-by: Dominik Hölzl + + Closes https://github.com/curl/curl/pull/3864 -- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname +Daniel Stenberg (13 Aug 2019) +- curl_version_info: make the quic_version a const - Closes #3284 + Follow-up from 1a2df1518ad8653f + + Closes #4222 -- http2: call done_sending on end of upload +- examples: add http3.c, altsvc.c and http3-present.c - To make sure a HTTP/2 stream registers the end of stream. + Closes #4221 + +Peter Wu (13 Aug 2019) +- nss: use TLSv1.3 as default if supported - Bug #4043 made me find this problem but this fix doesn't correct the - reported issue. + SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported + range in NSS 3.45. It looks like the intention is to raise the minimum + version rather than lowering the maximum, so adjust accordingly. Note + that the caller (nss_setup_connect) initializes the version range to + (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. - Closes #4068 + Closes #4187 + Reviewed-by: Daniel Stenberg + Reviewed-by: Kamil Dudka -- [James Brown brought this change] +Daniel Stenberg (13 Aug 2019) +- quic.h: remove unused proto - c-ares: honor port numbers in CURLOPT_DNS_SERVERS +- curl_version_info.3: mentioned ALTSVC and HTTP3 - By using ares_set_servers_ports_csv on new enough c-ares. + ... 
and sorted the list alphabetically + +- lib/quic.c: unused - removed + +- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED - Fixes #4066 - Closes #4067 + Follow-up to 98c3f148 that removed it from the header file -Daniel Gustafsson (24 Jun 2019) -- CURLMOPT_SOCKETFUNCTION.3: fix typo +- [Junho Choi brought this change] -Daniel Stenberg (24 Jun 2019) -- [Koen Dergent brought this change] + docs/HTTP3: simplify quiche build instruction + + Use --recursive to get boringssl in one line + + Closes #4219 - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds +- altsvc: make it use h3-22 with ngtcp2 as well + +- ngtcp2: initial h3 request work - Closes #4061 + Closes #4217 -- test153: fix content-length to avoid occasional hang +- curl_version_info: offer quic (and h3) library info - Closes #4065 + Closes #4216 + +- HTTP3: use ngtcp2's draft-22 branch - RELEASE-NOTES: synced -- multi: enable multiplexing by default (again) - - It was originally made default in d7c4213bd0c (7.62.0) but mistakenly - reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. +- CURLOPT_READFUNCTION.3: provide inline example - Closes #4051 + ... instead of mentioning one in another place -- typecheck: add 3 missing strings and a callback data pointer - - Closes #4050 +- [Tatsuhiro Tsujikawa brought this change] -- tests: add disable-scan.pl to dist + ngtcp2: send HTTP/3 request with nghttp3 - follow-up from 29177f422a5 + This commit makes sending HTTP/3 request with nghttp3 work. It + minimally receives HTTP response and calls nghttp3 callbacks, but no + processing is made at the moment. 
- Closes #4059 + Closes #4215 -- http2: don't call stream-close on already closed streams - - Closes #4055 +- nghttp3: initial h3 template code added -Marcel Raad (20 Jun 2019) -- travis: enable alt-svc for coverage build +- nghttp3: required when ngtcp2 is used for QUIC - Closes + - checked for by configure + - updated docs/HTTP3.md + - shown in the version string + + Closes #4210 -- travis: enable libssh2 for coverage build +- [Eric Wong brought this change] + + asyn-thread: issue CURL_POLL_REMOVE before closing socket - It was enabled by default before commit c92d2e14cfb. + This avoids EBADF errors from EPOLL_CTL_DEL operations in the + ephiperfifo.c example. EBADF is dangerous in multi-threaded + applications where I rely on epoll_ctl to operate on the same + epoll description from different threads. - Disable torture tests 600 and 601 because of - https://github.com/curl/curl/issues/1678. + Follow-up to eb9a604f8d7db8 - Closes + Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html + Closes #4211 -- travis: disable threaded resolver for coverage build +- [Carlo Marcelo Arenas Belón brought this change] + + configure: avoid undefined check_for_ca_bundle - This enables more tests. + instead of using a "greater than 0" test, check for variable being + set, as it is always set to 1, and could be left unset if non of + OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. - Closes + Closes #4213 -- travis: enable brotli for all xenial jobs +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Send ALPN h3-22 - There's no need for a separate job, and no need to build it from source - with Xenial. 
+ Closes #4212 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: use ngtcp2_settings_default and specify initial_ts + +- curl_global_init_mem.3: mention it was added in 7.12.0 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: make the QUIC handshake work - Closes + Closes #4209 -- travis: enable warnings-as-errors for coverage build +- [Alex Mayorga brought this change] + + HTTP3.md: Update quiche build instructions - Closes + Added cloning for quiche and BoringSSL and modified the build + instructions so they work on a clean folder. + + Closes #4208 -GitHub (20 Jun 2019) -- [Gisle Vanem brought this change] +- CURLOPT_H3: removed + + There's no use for this anymore and it was never in a release. + + Closes #4206 - system_win32: fix typo +- http3: make connection reuse work + + Closes #4204 -Daniel Stenberg (20 Jun 2019) -- typecheck: CURLOPT_CONNECT_TO takes an slist too +- quiche: add SSLKEYLOGFILE support + +- cleanup: s/curl_debug/curl_dbg_debug in comments and docs - Additionally, add an alias in curl.h for slist-using options so that - we can grep/parse those out at will. + Leftovers from the function rename back in 76b63489495 - Closes #4042 + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com + mitcomment-34601751 + + Closes #4203 -- [Stephan Szabo brought this change] +- RELEASE-NOTES: synced - tests: support non-localhost HOSTIP for dict/smb servers +- alt-svc: add protocol version selection masking - smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for - binding the server which when we were running the tests with a separate - HOSTIP and CLIENTIP had failures verifying the server from the device we - were testing. + So that users can mask in/out specific HTTP versions when Alt-Svc is + used. - This changes them to take the address from runtests.py and default to - localhost/127.0.0.1 if none is given. 
+ - Removed "h2c" and updated test case accordingly + - Changed how the altsvc struct is laid out + - Added ifdefs to make the unittest run even in a quiche-tree - Closes #4048 + Closes #4201 -- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT +- http3: fix the HTTP/3 in the request, make alt-svc set right versions + + Closes #4200 -- configure: --disable-progress-meter +- alt-svc: send Alt-Used: in redirected requests - Builds libcurl without support for the built-in progress meter. + RFC 7838 section 5: - Closes #4023 + When using an alternative service, clients SHOULD include an Alt-Used + header field in all requests. + + Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus + this is deemed ok). + + You can disable sending this header just like you disable any other HTTP + header in libcurl. + + Closes #4199 -- curl: improved skip-setopt-options when built with disabled features +- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - Reduces #ifdefs in src/tool_operate.c + Even though it cannot fall-back to a lower HTTP version automatically. The + safer way to upgrade remains via CURLOPT_ALTSVC. - Follow-up from 4e86f2fc4e6 - Closes #3936 + CURLOPT_H3 no longer has any bits that do anything and might be removed + before we remove the experimental label. + + Updated the curl tool accordingly to use "--http3". + + Closes #4197 -Steve Holme (18 Jun 2019) -- netrc: Return the correct error code when out of memory +- docs/ALTSVC: remove what works and the experimental explanation - Introduced in 763c5178. + Also, put the TODO items at the bottom. 
- Closes #4036 + Closes #4198 -Daniel Stenberg (18 Jun 2019) -- config-os400: add getpeername and getsockname defines +- docs/EXPERIMENTAL: explain what it means and what's experimental now + +- curl: make use of CURLINFO_RETRY_AFTER when retrying - Reported-by: jonrumsey on github - Fixes #4037 - Closes #4039 + If a Retry-After: header was used in the response, that value overrides + other retry timing options. + + Fixes #3794 + Closes #4195 -- runtests: keep logfiles around by default +- curl: use CURLINFO_PROTOCOL to check for HTTP(s) - Make '-k' a no-op. The singletest function now clears the log directory - BEFORE each individual test and not after, which makes it possible to - always keep the logfiles around after a test has been run. No need to - specify -k anymore. Keeping the option parsing around to work with users - of old habits. + ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. + +- CURLINFO_RETRY_AFTER: parse the Retry-After header value - Some tests also didn't work properly when -k was used (since the old - logs would be kep when a new test starts) which this change also fixes. + This is only the libcurl part that provides the information. There's no + user of the parsed value. This change includes three new tests for the + parser. - Closes #4035 + Ref: #3794 -- [Gergely Nagy brought this change] +- docs/ALTSVC.md: first basic file format description - openssl: fix pubkey/signature algorithm detection in certinfo +- curl: have -w's 'http_version' show '3' for HTTP/3 - Certinfo gives the same result for all OpenSSL versions. - Also made printing RSA pubkeys consistent with older versions. + Closes #4196 + +- curl.h: add CURL_HTTP_VERSION_3 to the version enum - Reported-by: Michael Wallner - Fixes #3706 - Closes #4030 + It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with + CURLINFO_HTTP_VERSION. 
-- conn_maxage: move the check to prune_dead_connections() +- quiche: make use of the connection timeout API properly + +- quiche: make POSTFIELDS posts work + +- quiche: improved error handling and memory cleanups + +- quiche: flush egress in h3_stream_recv() too + +- RELEASE-NOTES: synced + +Jay Satiro (6 Aug 2019) +- [Patrick Monnerat brought this change] + + os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). - ... and avoid the locking issue. + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Reported-by: Kunal Ekawde - Fixes #4029 - Closes #4032 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 -- tests: have runtests figure out disabled features +- tests: Fix the line endings for the SASL alt-auth tests - ... so that runtests can skip individual test cases that test features - that are explicitly disabled in this build. This new logic is intended - for disabled features that aren't otherwise easily visible through the - curl_version_info() or other API calls. + - Change data and protocol sections to CRLF line endings. - tests/server/disabled is a newly built executable that will output a - list of disabled features. Outputs nothing for a default build. + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. - Closes #3950 - -- test188/189: fix Content-Length + Follow-up to grandparent commit which added the tests. - This cures the flaky test results + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Closes #4034 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. 
The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 -- [Thomas Gamper brought this change] +- [Steve Holme brought this change] - winbuild: use WITH_PREFIX if given + examples: Added SASL PLAIN authorisation identity (authzid) examples - Closes #4031 - -Daniel Gustafsson (17 Jun 2019) -- openssl: remove outdated comment + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), - which is why we switched to CONF_modules_load_file() and introduced - a comment stating why. This behavior was however changed in OpenSSL - commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now - outdated and incorrect comment. The mentioned commit also declares - OPENSSL_config() deprecated so keep the current coding. + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Closes #4033 - Reviewed-by: Daniel Stenberg + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (16 Jun 2019) -- RELEASE-NOTES: synced +- [Steve Holme brought this change] -Patrick Monnerat (16 Jun 2019) -- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. + curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - Use it in curl_easy_setopt_ccsid(). + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Reported-by: jonrumsey on github - Fixes #3833 - Closes #4028 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. 
+ + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (15 Jun 2019) -- runtests: report single test time + total duration +- [Steve Holme brought this change] + + sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - ... after each successful test. + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. - Closes #4027 - -- multi: fix the transfer hash function + Fixes #3653 + Closes #3790 - Follow-up from 8b987cc7eb + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Reported-by: Tom van der Woerdt - Fixes #4018 - Closes #4024 + Closes https://github.com/curl/curl/pull/4186 -- unit1654: cleanup on memory failure - - ... to make it handle torture tests properly. +Daniel Stenberg (6 Aug 2019) +- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested + +- [Yiming Jing brought this change] + + mesalink: implement client authentication - Reported-by: Marcel Raad - Fixes #4021 - Closes #4022 + Closes #4184 -Marcel Raad (13 Jun 2019) -- krb5: fix compiler warning +- curl_multi_poll: a sister to curl_multi_wait() that waits more - Even though the variable was used in a DEBUGASSERT, GCC 8 warned in - debug mode: - krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] + Repeatedly we see problems where using curl_multi_wait() is difficult or + just awkward because if it has no file descriptor to wait for + internally, it returns immediately and leaves it to the caller to wait + for a small amount of time in order to avoid occasional busy-looping. 
- Just suppress the warning and declare the variable unconditionally - instead of only for DEBUGBUILD (which also missed the check for - HAVE_ASSERT_H). + This is often missed or misunderstood, leading to underperforming + applications. - Closes https://github.com/curl/curl/pull/4020 + This change introduces curl_multi_poll() as a replacement drop-in + function that accepts the exact same set of arguments. This function + works identically to curl_multi_wait() - EXCEPT - for the case when + there's nothing to wait for internally, as then this function will by + itself wait for a "suitable" short time before it returns. This + effectiely avoids all risks of busy-looping and should also make it less + likely that apps "over-wait". + + This also changes the curl tool to use this funtion internally when + doing parallel transfers and changes curl_easy_perform() to use it + internally. + + Closes #4163 -Daniel Stenberg (13 Jun 2019) -- quote.d: asterisk prefix works for SFTP as well +- quiche:h3_stream_recv return 0 at end of stream - Reported-by: Ben Voris - Fixes #4017 - Closes #4019 + ... and remove some verbose messages we don't need. Made transfers from + facebook.com work better. -- multi: fix the transfer hashes in the socket hash entries +- altsvc: make quiche use h3-22 now + +- quiche: show the actual version number + +- quiche: first working HTTP/3 request - - The transfer hashes weren't using the correct keys so removing entries - failed. + - enable debug log + - fix use of quiche API + - use download buffer + - separate header/body - - Simplified the iteration logic over transfers sharing the same socket and - they now simply are set to expire and thus get handled in the "regular" - timer loop instead. + Closes #4193 + +- http09: disable HTTP/0.9 by default in both tool and library - Reported-by: Tom van der Woerdt - Fixes #4012 - Closes #4014 + As the plan has been laid out in DEPRECATED. Update docs accordingly and + verify in test 1174. 
Now requires the option to be set to allow HTTP/0.9 + responses. + + Closes #4191 -Jay Satiro (12 Jun 2019) -- [Cliff Crosland brought this change] +- quiche: initial h3 request send/receive - url: Fix CURLOPT_MAXAGE_CONN time comparison +- lib/Makefile.am: make checksrc run in vquic too + +- altsvc: fix removal of expired cache entry - Old connections are meant to expire from the connection cache after - CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x - that value. This occurs because a time value measured in milliseconds is - accidentally divided by 1M instead of by 1,000. + Closes #4192 + +- RELEASE-NOTES: synced + +Steve Holme (4 Aug 2019) +- md4: Use our own MD4 implementation when no crypto libraries are available - Closes https://github.com/curl/curl/pull/4013 + Closes #3780 -Daniel Stenberg (11 Jun 2019) -- test1165: verify that CURL_DISABLE_ symbols are in sync +- md4: No need to include Curl_md4.h for each TLS library + +- md4: No need for the NTLM code to call Curl_md4it() for each TLS library - between configure.ac and source code. They should be possible to switch - on/off in configure AND be used in source code. + As the NTLM code no longer calls any of TLS libraries' specific MD4 + functions, there is no need to call this function for each #ifdef. -- configure: remove CURL_DISABLE_TLS_SRP +- md4: Move the mbed TLS MD4 implementation out of the NTLM code + +- md4: Move the WinCrypt implementation out of the NTLM code + +- md4: Move the SecureTransport implementation out of the NTLM code + +- md4: Use the Curl_md4it() function for OpenSSL based NTLM + +- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code + +- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code + +Jay Satiro (4 Aug 2019) +- OS400: Add CURLOPT_H3 symbols - It isn't used by code so stop providing the define. + Follow-up to 3af0e76 which added experimental H3 support. 
- Closes #4010 + Closes https://github.com/curl/curl/pull/4185 -- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" +Daniel Stenberg (3 Aug 2019) +- url: make use of new HTTP version if alt-svc has one + +- url: set conn->transport to default TCP at init time + +- altsvc: with quiche, use the quiche h3 alpn string - This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. + Closes #4183 + +- alt-svc: more liberal ALPN name parsing - Apparently several of the appveyor windows builds broke. + Allow pretty much anything to be part of the ALPN identifier. In + particular minus, which is used for "h3-20" (in-progress HTTP/3 + versions) etc. + + Updated test 356. + Closes #4182 -- [sergey-raevskiy brought this change] +- quiche: use the proper HTTP/3 ALPN - cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified +- quiche: add failf() calls for two error cases - Reviewed-by: Jakub Zakrzewski - Closes #3770 + To aid debugging + + Closes #4181 -- RELEASE-NOTES: synced +- mailmap: added Kyohei Kadota -- http2: remove CURL_DISABLE_TYPECHECK define +Kamil Dudka (1 Aug 2019) +- http_negotiate: improve handling of gss_init_sec_context() failures - ... in http2-less builds as it served no use. - -- configure: more --disable switches to toggle off individual features + If HTTPAUTH_GSSNEGOTIATE was used for a POST request and + gss_init_sec_context() failed, the POST request was sent + with empty body. This commit also restores the original + behavior of `curl --fail --negotiate`, which was changed + by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. - ... actual support in the code for disabling these has already landed. + Add regression tests 2077 and 2078 to cover this. 
- Closes #4009 + Fixes #3992 + Closes #4171 -- wolfssl: fix key pinning build error +Daniel Stenberg (1 Aug 2019) +- mailmap: added 4 more names - follow-up from deb9462ff2de8 + Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli -- CURLMOPT_SOCKETFUNCTION.3: clarified +- mailmap: add Giorgos Oikonomou + +- src/makefile: fix uncompressed hugehelp.c generation - Moved away the callback explanation from curl_multi_socket_action.3 and - expanded it somewhat. + Regression from 5cf5d57ab9 (7.64.1) - Closes #4006 + Fixed-by: Lance Ware + Fixes #4176 + Closes #4177 -- wolfssl: fixup for SNI use +- appveyor: pass on -k to make + +- timediff: make it 64 bit (if possible) even with 32 bit time_t - follow-up from deb9462ff2de8 + ... to make it hold microseconds too. - Closes #4007 + Fixes #4165 + Closes #4168 -- CURLOPT_CAINFO.3: polished wording - - Clarify the functionality when built to use Schannel and Secure - Transport and stop calling it the "recommended" or "preferred" way and - instead rather call it the default. +- ROADMAP: parallel transfers are merged now + +- getenv: support up to 4K environment variable contents on windows - Removed the reference to the ssl comparison table as it isn't necessary. + Reported-by: Michal Čaplygin + Fixes #4174 + Closes #4175 + +- [Kyohei Kadota brought this change] + + plan9: add support for running on Plan 9 - Reported-by: Richard Alcock - Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html - Closes #4005 + Closes #3701 -GitHub (10 Jun 2019) -- [Daniel Stenberg brought this change] +- [Kyohei Kadota brought this change] - SECURITY.md: created + ntlm: explicit type casting + +- [Justin brought this change] + + curl.h: fix outdated comment - Brief security policy description for use/display on github. 
+ Closes #4167 -Daniel Gustafsson (10 Jun 2019) -- tool_cb_prg: Fix integer overflow in progress bar +- curl: remove outdated comment - Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar - width calculation to avoid integer overflow, but failed to account for - the fact that initial_size is initialized to -1 when the file size is - retrieved from the remote on an upload, causing another signed integer - overflow. Fix by separately checking for this case before the width - calculation. + Turned bad with commit b8894085000 - Closes #3984 - Reported-by: Brian Carpenter (Geeknik Labs) - Reviewed-by: Daniel Stenberg + Reported-by: niallor on github + Fixes #4172 + Closes #4173 -Daniel Stenberg (10 Jun 2019) -- wolfssl: refer to it as wolfSSL only +- cleanup: remove the 'numsocks' argument used in many places - Remove support for, references to and use of "cyaSSL" from the source - and docs. wolfSSL is the current name and there's no point in keeping - references to ancient history. + It was used (intended) to pass in the size of the 'socks' array that is + also passed to these functions, but was rarely actually checked/used and + the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries + that should be used instead. - Assisted-by: Daniel Gustafsson + Closes #4169 + +- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - Closes #3903 + Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) + + Reported-by: Jonathan Cardoso Machado + Assisted-by: Jay Satiro + + Fixes #4136 + Closes #4162 + +- mailmap: Amit Katyal + +- asyn-thread: removed unused variable + + Follow-up to eb9a604f. Mistake caused by me when I edited the commit + before push... 
- RELEASE-NOTES: synced -- bindlocal: detect and avoid IP version mismatches in bind() +- [Amit Katyal brought this change] + + asyn-thread: create a socketpair to wait on - Reported-by: Alex Grebenschikov - Fixes #3993 - Closes #4002 + Closes #4157 -- multi: make sure 'data' can present in several sockhash entries +- curl: cap the maximum allowed values for retry time arguments - Since more than one socket can be used by each transfer at a given time, - each sockhash entry how has its own hash table with transfers using that - socket. + ... to avoid integer overflows later when multiplying with 1000 to + convert seconds to milliseconds. - In addition, the sockhash entry can now be marked 'blocked = TRUE'" - which then makes the delete function just set 'removed = TRUE' instead - of removing it "for real", as a way to not rip out the carpet under the - feet of a parent function that iterates over the transfers of that same - sockhash entry. + Added test 1269 to verify. - Reported-by: Tom van der Woerdt - Fixes #3961 - Fixes #3986 - Fixes #3995 - Fixes #4004 - Closes #3997 - -- [Sorcus brought this change] + Reported-by: Jason Lee + Closes #4166 - libcurl-tutorial.3: Fix small typo (mutipart -> multipart) +- progress: reset download/uploaded counter - Fixed-by: MrSorcus on github - Closes #4000 + ... to make CURLOPT_MAX_RECV_SPEED_LARGE and + CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that + reuse the same handle. + + Fixed-by: Ironbars13 on github + Fixes #4084 + Closes #4161 -- unpause: trigger a timeout for event-based transfers +- http2_recv: trigger another read when the last data is returned - ... so that timeouts or other state machine actions get going again - after a changing pause state. For example, if the last delivery was - paused there's no pending socket activity. + ... so that end-of-stream is detected properly. 
- Reported-by: sstruchtrup on github - Fixes #3994 - Closes #4001 + Reported-by: Tom van der Woerdt + Fixes #4043 + Closes #4160 -Marcel Raad (9 Jun 2019) -- travis: use xenial LLVM package for scan-build +- curl: avoid uncessary libcurl timeouts (in parallel mode) - I missed that in commit 99a49d6. - -- travis: update scan-build job to xenial + When curl_multi_wait() returns OK without file descriptors to wait for, + it might already have done a long timeout. - Closes https://github.com/curl/curl/pull/3999 + Closes #4159 -Daniel Stenberg (8 Jun 2019) -- bump: start working on 7.65.2 +- [Balazs Kovacsics brought this change] -Marcel Raad (5 Jun 2019) -- examples/htmltitle: use C++ casts between pointer types + HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown - Compilers and static analyzers warn about using C-style casts here. + If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, + automatically add a Transfer-Encoding: chunked header, same as it is + already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update + test 1514 according to the new behaviour. - Closes https://github.com/curl/curl/pull/3975 + Closes #4138 -- examples/fopen: fix comparison +Jay Satiro (29 Jul 2019) +- [Daniel Stenberg brought this change] + + winbuild: add vquic to list of build directories - As want is size_t, (file->buffer_pos - want) is unsigned, so checking - if it's less than zero makes no sense. - Check if file->buffer_pos is less than want instead to avoid the - unsigned integer wraparound. + This fixes the winbuild build method which broke several days ago + when experimental quic support was added in 3af0e76. - Closes https://github.com/curl/curl/pull/3975 + Reported-by: Michael Lee + + Fixes https://github.com/curl/curl/issues/4158 -- build: fix Codacy warnings +- easy: resize receive buffer on easy handle reset - Reduce variable scopes and remove redundant variable stores. 
+ - In curl_easy_reset attempt to resize the receive buffer to its default + size. If realloc fails then continue using the previous size. - Closes https://github.com/curl/curl/pull/3975 - -- sws: remove unused variables + Prior to this change curl_easy_reset did not properly handle resetting + the receive buffer (data->state.buffer). It reset the variable holding + its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) + but then did not actually resize the buffer. If a user resized the + buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the + default, later called curl_easy_reset and attempted to reuse the handle + then a heap overflow would very likely occur during that handle's next + transfer. - Unused since commit 2f44e94. + Reported-by: Felix Hädicke - Closes https://github.com/curl/curl/pull/3975 - -Version 7.65.1 (4 Jun 2019) - -Daniel Stenberg (4 Jun 2019) -- RELEASE-NOTES: 7.65.1 - -- THANKS: new contributors from 7.65.1 + Fixes https://github.com/curl/curl/issues/4143 + Closes https://github.com/curl/curl/pull/4145 -Steve Holme (4 Jun 2019) -- [Frank Gevaerts brought this change] +- [Brad Spencer brought this change] - ssl: Update outdated "openssl-only" comments for supported backends + examples: Avoid reserved names in hiperfifo examples - These are for features that used to be openssl-only but were expanded - over time to support other SSL backends. + - Trade in __attribute__((unused)) for the classic (void)x to silence + unused symbols. - Closes #3985 - -Daniel Stenberg (4 Jun 2019) -- curl_share_setopt.3: improve wording [ci ship] + Because the classic way is not gcc specific. Also because the prior + method mapped to symbol _Unused, which starts with _ and a capital + letter which is reserved. 
- Reported-by: Carlos ORyan - -Steve Holme (4 Jun 2019) -- tool_parsecfg: Use correct return type for GetModuleFileName() + Assisted-by: The Infinnovation team - GetModuleFileName() returns a DWORD which is a typedef of an unsigned - long and not an int. + Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 - Closes #3980 + Closes https://github.com/curl/curl/pull/4153 -Daniel Stenberg (3 Jun 2019) -- TODO: "at least N milliseconds between requests" [ci skip] - - Suggested-by: dkwolfe4 on github - Closes #3920 +Daniel Stenberg (25 Jul 2019) +- RELEASE-NOTES: synced -Steve Holme (2 Jun 2019) -- tests/server/.gitignore: Add socksd to the ignore list - - Missed in 04fd6755. - - Closes #3978 +- [Felix Hädicke brought this change] -- tool_parsecfg: Fix control flow issue (DEADCODE) + ssh-libssh: do not specify O_APPEND when not in append mode - Follow-up to 8144ba38. + Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not + make much sense. And this combination of flags is not accepted by all + SFTP servers (at least not Apache SSHD). - Detected by Coverity CID 1445663 - Closes #3976 + Fixes #4147 + Closes #4148 -Daniel Stenberg (2 Jun 2019) -- [Sergey Ogryzkov brought this change] +- [Gergely Nagy brought this change] - NTLM: reset proxy "multipass" state when CONNECT request is done + multi: call detach_connection before Curl_disconnect - Closes #3972 - -- test334: verify HTTP 204 response with chunked coding header + Curl_disconnect bails out if conn->easyq is not empty, detach_connection + needs to be called first to remove the current easy from the queue. - Verifies that a bodyless response don't parse this content-related - header. - -- [Michael Kaufmann brought this change] + Fixes #4144 + Closes #4151 - http: don't parse body-related headers bodyless responses - - Responses with status codes 1xx, 204 or 304 don't have a response body. 
For - these, don't parse these headers: +Jay Satiro (23 Jul 2019) +- tool_operate: fix implicit call to easysrc_cleanup - - Content-Encoding - - Content-Length - - Content-Range - - Last-Modified - - Transfer-Encoding + easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not + defined, and prior to this change would be called regardless. - This change ensures that HTTP/2 upgrades work even if a - "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. + Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 + Reported-by: Marcel Raad - Co-authored-by: Daniel Stenberg - Closes #3702 - Fixes #3968 - Closes #3977 + Closes https://github.com/curl/curl/pull/4142 -- tls13-docs: mention it is only for OpenSSL >= 1.1.1 +Daniel Stenberg (22 Jul 2019) +- curl:create_transfers check return code from curl_easy_setopt - Reported-by: Jay Satiro - Co-authored-by: Jay Satiro - Fixes #3938 - Closes #3946 + From commit b8894085 + + Pointed out by Coverity CID 1451703 + + Closes #4134 -- dump-header.d: spell out that no headers == empty file [ci skip] +- HTTP3: initial (experimental) support - Reported-by: wesinator at github - Fixes #3964 - Closes #3974 + USe configure --with-ngtcp2 or --with-quiche + + Using either option will enable a HTTP3 build. + Co-authored-by: Alessandro Ghedini + + Closes #3500 -- singlesocket: use separate variable for inner loop +- curl: remove dead code - An inner loop within the singlesocket() function wrongly re-used the - variable for the outer loop which then could cause an infinite - loop. Change to using a separate variable! 
+ The loop never loops (since b889408500), pointed out by Coverity (CID + 1451702) - Reported-by: Eric Wu - Fixes #3970 - Closes #3973 + Closes #4133 -- RELEASE-NOTES: synced +- docs/PARALLEL-TRANSFERS: correct the version number -- [Josie Huddleston brought this change] +- docs/PARALLEL-TRANSFERS: added - http2: Stop drain from being permanently set on +- curl: support parallel transfers - Various functions called within Curl_http2_done() can have the - side-effect of setting the Easy connection into drain mode (by calling - drain_this()). However, the last time we unset this for a transfer (by - calling drained_transfer()) is at the beginning of Curl_http2_done(). - If the Curl_easy is reused for another transfer, it is then stuck in - drain mode permanently, which in practice makes it unable to write any - data in the new transfer. + This is done by making sure each individual transfer is first added to a + linked list as then they can be performed serially, or at will, in + parallel. - This fix moves the last call to drained_transfer() to later in - Curl_http2_done(), after the functions that could potentially call for a - drain. + Closes #3804 + +- docs/MANUAL.md: converted to markdown from plain text - Fixes #3966 - Closes #3967 - Reported-by: Josie-H + ... will make it render as a nicer web page. + + Closes #4131 -Steve Holme (29 May 2019) -- conncache: Remove the DEBUGASSERT on length check +- curl_version_info: provide nghttp2 details - We trust the calling code as this is an internal function. + Introducing CURLVERSION_SIXTH with nghttp2 info. - Closes #3962 + Closes #4121 -Jay Satiro (29 May 2019) -- [Gisle Vanem brought this change] +- bump: start working on 7.66.0 - system_win32: fix function prototype +- source: remove names from source comments - - Change if_nametoindex parameter type from char * to const char *. + Several reasons: - Follow-up to 09eef8af from this morning. 
+ - we can't add everyone who's helping out so its unfair to just a few + selected ones. + - we already list all helpers in THANKS and in RELEASE-NOTES for each + release + - we don't want to give the impression that some parts of the code is + "owned" or "controlled" by specific persons - Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + Assisted-by: Daniel Gustafsson + Closes #4129 -Marcel Raad (29 May 2019) -- appveyor: add Visual Studio solution build +Version 7.65.3 (19 Jul 2019) + +Daniel Stenberg (19 Jul 2019) +- RELEASE-NOTES: 7.65.3 + +- THANKS: 7.65.3 status + +- progress: make the progress meter appear again - Closes https://github.com/curl/curl/pull/3941 + Fix regression caused by 21080e1 + + Reported-by: Chih-Hsuan Yen + Fixes #4122 + Closes #4124 -- appveyor: add support for other build systems +- version: bump to 7.65.3 + +- RELEASE-NOTES: Contributors or now 1990 + +Version 7.65.2 (17 Jul 2019) + +Daniel Stenberg (17 Jul 2019) +- RELEASE-NOTES: 7.65.2 + +- THANKS: add contributors from 7.65.2 + +Jay Satiro (17 Jul 2019) +- [aasivov brought this change] + + cmake: Fix finding Brotli on case-sensitive file systems - Introduce BUILD_SYSTEM variable, which is currently always CMake. + - Find package "Brotli" instead of "BROTLI" since the former is the + casing used for CMake/FindBrotli.cmake, and otherwise find_package + may fail on a case-sensitive file system. - Closes https://github.com/curl/curl/pull/3941 + Fixes https://github.com/curl/curl/issues/4117 -Steve Holme (29 May 2019) -- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows +- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - This fixes the static dependency on iphlpapi.lib and allows curl to - build for targets prior to Windows Vista. + AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've + cautioned against using it for that purpose and included a workaround. - This partially reverts 170bd047. 
+ Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html + Reported-by: Christopher Head - Fixes #3960 - Closes #3958 + Closes https://github.com/curl/curl/issues/3814 -Daniel Stenberg (29 May 2019) -- http: fix "error: equality comparison with extraneous parentheses" +- [Stefano Simonelli brought this change] -- parse_proxy: make sure portptr is initialized - - Reported-by: Benbuck Nason + CURLOPT_SEEKDATA.3: fix variable name - fixes #3959 + Closes https://github.com/curl/curl/pull/4118 -- url: default conn->port to the same as conn->remote_port +- [Giorgos Oikonomou brought this change] + + CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - ... so that it has a sensible value when ConnectionExists() is called which - needs it set to differentiate host "bundles" correctly on port number! + If the SSL backend is Schannel and the user specifies an Schannel CALG_ + that is not supported by the protocol or the server then curl returns + CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. - Also, make conncache:hashkey() use correct port for bundles that are proxy vs - host connections. + Fixes https://github.com/curl/curl/issues/3389 + Closes https://github.com/curl/curl/pull/4106 + +- [Daniel Gustafsson brought this change] + + nss: inspect returnvalue of token check - Probably a regression from 7.62.0 + PK11_IsPresent() checks for the token for the given slot is available, + and sets needlogin flags for the PK11_Authenticate() call. Should it + return false, we should however treat it as an error and bail out. - Reported-by: Tom van der Woerdt - Fixes #3956 - Closes #3957 + Closes https://github.com/curl/curl/pull/4110 -- conncache: make "bundles" per host name when doing proxy tunnels +- docs: Explain behavior change in --tlsv1. options since 7.54 - Only HTTP proxy use where multiple host names can be used over the same - connection should use the proxy host name for bundles. + Since 7.54 --tlsv1. 
options use the specified version or later, however + older versions of curl documented it as using just the specified version + which may or may not have happened depending on the TLS library. + Document this discrepancy to allay confusion for users familiar with the + old documentation that expect just the specified version. - Reported-by: Tom van der Woerdt - Fixes #3951 - Closes #3955 + Fixes https://github.com/curl/curl/issues/4097 + Closes https://github.com/curl/curl/pull/4119 -- multi: track users of a socket better +- libcurl: Restrict redirect schemes (follow-up) - They need to be removed from the socket hash linked list with more care. + - Allow FTPS on redirect. - When sh_delentry() is called to remove a sockethash entry, remove all - individual transfers from the list first. To enable this, each Curl_easy struct - now stores a pointer to the sockethash entry to know how to remove itself. + - Update default allowed redirect protocols in documentation. - Reported-by: Tom van der Woerdt and Kunal Ekawde + Follow-up to 6080ea0. - Fixes #3952 - Fixes #3904 - Closes #3953 + Ref: https://github.com/curl/curl/pull/4094 + + Closes https://github.com/curl/curl/pull/4115 -Steve Holme (28 May 2019) -- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version +Daniel Stenberg (16 Jul 2019) +- test1173: make it also check all libcurl option man pages - Microsoft added support for Unix Domain Sockets in Windows 10 1803 - (RS4). Rather than expect the user to enable Unix Domain Sockets by - uncommenting the #define that was added in 0fd6221f we use the RS4 - pre-processor variable that is present in newer versions of the - Windows SDK. - - Closes #3939 - -Daniel Stenberg (28 May 2019) -- [Jonas Vautherin brought this change] - - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables + ... 
and adjust those that cause errors - Closes #3945 + Closes #4116 -Marcel Raad (27 May 2019) -- HAProxy tests: add keywords +- curl: only accept COLUMNS less than 10000 - Add the proxy and haproxy keywords in order to be able to exclude or - run these specific tests. + ... as larger values would rather indicate something silly (and could + potentially cause buffer problems). - Closes https://github.com/curl/curl/pull/3949 - -Daniel Stenberg (27 May 2019) -- [Maksim Stsepanenka brought this change] + Reported-by: pendrek at hackerone + Closes #4114 - tests: make test 1420 and 1406 work with rtsp-disabled libcurl +- dist: add manpage-syntax.pl - Closes #3948 - -Kamil Dudka (27 May 2019) -- [Hubert Kario brought this change] + follow-up to 7fb66c403 - nss: allow to specify TLS 1.3 ciphers if supported by NSS +- test1173: detect some basic man page format mistakes - Closes #3916 - -Daniel Stenberg (26 May 2019) -- RELEASE-NOTES: synced + Triggered by PR #4111 + + Closes #4113 -- [Jay Satiro brought this change] +Jay Satiro (15 Jul 2019) +- [Bjarni Ingi Gislason brought this change] - Revert all SASL authzid (new feature) commits + docs: Fix missing lines caused by undefined macros - - Revert all commits related to the SASL authzid feature since the next - release will be a patch release, 7.65.1. + - Escape apostrophes at line start. - Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined - for the next release, assuming it would be a feature release 7.66.0. - However instead the next release will be a patch release, 7.65.1 and - will not contain any new features. + Some lines begin with a "'" (apostrophe, single quote), which is then + interpreted as a control character in *roff. - After the patch release after the reverted commits can be restored by - using cherry-pick: + Such lines are interpreted as being a call to a macro, and if + undefined, the lines are removed from the output. 
- git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 + Bug: https://bugs.debian.org/926352 + Signed-off-by: Bjarni Ingi Gislason - Details for all reverted commits: + Submitted-by: Alessandro Ghedini - Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." + Closes https://github.com/curl/curl/pull/4111 + +Daniel Stenberg (14 Jul 2019) +- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults - This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + follow-up to 6080ea098 + +- [Linos Giannopoulos brought this change] + + libcurl: Add testcase for gopher redirects - Revert "tests: Fix the line endings for the SASL alt-auth tests" + The testcase ensures that redirects to CURLPROTO_GOPHER won't be + allowed, by default, in the future. Also, curl is being used + for convenience while keeping the testcases DRY. - This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. + The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is + redirected to CURLPROTO_GOPHER - Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + 
Signed-off-by: Linos Giannopoulos + +- [Linos Giannopoulos brought this change] + + libcurl: Restrict redirect schemes - This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS + counterpart were allowed for redirect. This vastly broadens the + exploitation surface in case of a vulnerability such as SSRF [1], where + libcurl-based clients are forced to make requests to arbitrary hosts. - Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based + protocol by URL-encoding a payload in the URI. Gopher will open a TCP + connection and send the payload. - This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. + Only HTTP/HTTPS and FTP are allowed. All other protocols have to be + explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. - Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" + [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ - This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. - -- [dbrowndan brought this change] - - FAQ: more minor updates and spelling fixes + 
Signed-off-by: Linos Giannopoulos - Closes #3937 + Closes #4094 -- RELEASE-NOTES: synced +- [Zenju brought this change] -- sectransp: handle errSSLPeerAuthCompleted from SSLRead() + openssl: define HAVE_SSL_GET_SHUTDOWN based on version number - Reported-by: smuellerDD on github - Fixes #3932 - Closes #3933 - -GitHub (24 May 2019) -- [Gisle Vanem brought this change] + Closes #4100 - Fix typo. +- [Peter Simonyi brought this change] -Daniel Stenberg (23 May 2019) -- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + http: allow overriding timecond with custom header - Reported-by: Marcel Raad - Fixes #3926 - Closes #3929 - -Steve Holme (23 May 2019) -- winbuild: Use two space indentation + With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. + If-Modified-Since). Allow this to be replaced or suppressed with + CURLOPT_HTTPHEADER. - Closes #3930 + Fixes #4103 + Closes #4109 -GitHub (23 May 2019) -- [Gisle Vanem brought this change] +Jay Satiro (11 Jul 2019) +- [Juergen Hoetzel brought this change] - tool_parse_cfg: Avoid 2 fopen() for WIN32 + smb: Use the correct error code for access denied on file open - Using the memdebug.h mem-leak feature, I noticed 2 calls like: - FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. - No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. - -Daniel Stenberg (23 May 2019) -- md4: include the mbedtls config.h to get the MD4 info - -- md4: build correctly with openssl without MD4 + Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. - Reported-by: elsamuko at github - Fixes #3921 - Closes #3922 + Closes https://github.com/curl/curl/pull/4095 -Patrick Monnerat (23 May 2019) -- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
+- [Daniel Gustafsson brought this change] -Daniel Stenberg (23 May 2019) -- .github/FUNDING: mention our opencollective "home" [ci skip] + DEPRECATE: fixup versions and spelling + + Correctly set the July 17 version to 7.65.2, and update spelling to + be consistent. Also fix a typo. + + Closes https://github.com/curl/curl/pull/4107 -Marcel Raad (23 May 2019) -- [Zenju brought this change] +- [Gisle Vanem brought this change] - config-win32: add support for if_nametoindex and getsockname + system_win32: fix clang warning - Closes https://github.com/curl/curl/pull/3923 + - Declare variable in header as extern. + + Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 -Jay Satiro (23 May 2019) -- tests: Fix the line endings for the SASL alt-auth tests +Daniel Gustafsson (10 Jul 2019) +- headers: Remove no longer exported functions - - Change data and protocol sections to CRLF line endings. + There were a leftover few prototypes of Curl_ functions that we used to + export but no longer do, this removes those prototypes and cleans up any + comments still referring to them. - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() + Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() + were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. + Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. - Follow-up to a9499ff from today which added the tests. + For the remainder, I didn't trawl the Git logs hard enough to capture + their exact time of deletion, but they were all gone: Curl_splayprint(), + Curl_http2_send_request(), Curl_global_host_cache_dtor(), + Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), + Curl_http_auth_stage() and Curl_close_connections(). 
- Ref: https://github.com/curl/curl/pull/3790 + Closes #4096 + Reviewed-by: Daniel Stenberg -Daniel Stenberg (23 May 2019) -- url: fix bad #ifdef +- CMake: fix typos and spelling + +- [Kyle Edwards brought this change] + + CMake: Convert errant elseif() to else() - Regression since e91e48161235272ff485. + CMake interprets an elseif() with no arguments as elseif(FALSE), + resulting in the elseif() block not being executed. That is not what + was intended here. Change the empty elseif() to an else() as it was + intended. - Reported-by: Tom Greenslade - Fixes #3924 - Closes #3925 + Closes #4101 + Reported-by: Artalus + Reviewed-by: Daniel Gustafsson -- Revert "progress: CURL_DISABLE_PROGRESS_METER" +- buildconf: fix header filename - This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + The header file inclusion had a typo, it should be .h and not .hd. + Fix by renaming. - Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + - CURLOPT_LOW_SPEED_TIME + Fixes #4102 + Reported-by: AceCrow on Github + +- [Jan Chren brought this change] + + configure: fix --disable-code-coverage - Reported-by: Dave Reisner + This fixes the case when --disable-code-coverage supplied to ./configure + would result in coverage="yes" being set. - Fixes #3927 - Closes #3928 + Closes #4099 + Reviewed-by: Daniel Gustafsson -Steve Holme (22 May 2019) -- examples: Added SASL PLAIN authorisation identity (authzid) examples +- cleanup: fix typo in comment -- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool +- RELEASE-NOTES: synced -- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID +Jay Satiro (6 Jul 2019) +- [Daniel Gustafsson brought this change] + + nss: support using libnss on macOS - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. 
- - Fixed #3653 - Closes #3790 - -Marc Hoersken (22 May 2019) -- tests: add support to test against OpenSSH for Windows + The file suffix for dynamically loadable objects on macOS is .dylib, + which need to be added for the module definitions in order to get the + NSS TLS backend to work properly on macOS. - Testing against OpenSSH for Windows requires v7.7.0.0 or newer - due to the use of AllowUsers and DenyUsers. For more info see: - https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config + Closes https://github.com/curl/curl/pull/4046 -Daniel Stenberg (22 May 2019) -- bump: start on the next release +- [Daniel Gustafsson brought this change] -Marcel Raad (22 May 2019) -- examples: fix "clarify calculation precedence" warnings + nss: don't set unused parameter - Closes https://github.com/curl/curl/pull/3919 - -- hiperfifo: remove unused variable + The value of the maxPTDs parameter to PR_Init() has since at least + NSPR 2.1, which was released sometime in 1998, been marked ignored + as is accordingly not used in the initialization code. Setting it + to a value when calling PR_Init() is thus benign, but indicates an + intent which may be misleading. Reset the value to zero to improve + clarity. - Closes https://github.com/curl/curl/pull/3919 + Closes https://github.com/curl/curl/pull/4054 -- examples: remove dead variable stores - - Closes https://github.com/curl/curl/pull/3919 +- [Daniel Gustafsson brought this change] -- examples: reduce variable scopes + nss: only cache valid CRL entries - Closes https://github.com/curl/curl/pull/3919 - -- http2-download: fix format specifier + Change the logic around such that we only keep CRLs that NSS actually + ended up caching around for later deletion. If CERT_CacheCRL() fails + then there is little point in delaying the freeing of the CRL as it + is not used. 
- Closes https://github.com/curl/curl/pull/3919 + Closes https://github.com/curl/curl/pull/4053 -Daniel Stenberg (22 May 2019) -- PolarSSL: deprecate support step 1. Removed from configure. - - Also removed mentions from most docs. +- [Gergely Nagy brought this change] + + lib: Use UTF-8 encoding in comments - Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + Some editors and IDEs assume that source files use UTF-8 file encodings. + It also fixes the build with MSVC when /utf-8 command line option is + used (this option is mandatory for some other open-source projects, this + is useful when using the same options is desired for building all + libraries of a project). - Closes #3888 + Closes https://github.com/curl/curl/pull/4087 -- configure/cmake: check for if_nametoindex() - - - adds the check to cmake +- [Caleb Raitto brought this change] + + CURLOPT_HEADEROPT.3: Fix example - - fixes the configure check to work for cross-compiled windows builds + Fix an issue where example builds a curl_slist, but fails to actually + use it, or free it. - Closes #3917 + Closes https://github.com/curl/curl/pull/4090 -- parse_proxy: use the IPv6 zone id if given +- [Shankar Jadhavar brought this change] + + winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - If the proxy string is given as an IPv6 numerical address with a zone - id, make sure to use that for the connect to the proxy. + - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. - Reported-by: Edmond Yu + - Also removed some ^M chars from file. - Fixes #3482 - Closes #3918 + Prior to this change while building on Windows platform even if we pass + the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does + not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 
+ + Closes https://github.com/curl/curl/pull/4086 -Version 7.65.0 (22 May 2019) +Daniel Stenberg (4 Jul 2019) +- doh-url.d: added in 7.62.0 -Daniel Stenberg (22 May 2019) -- RELEASE-NOTES: 7.65.0 release +Jay Satiro (30 Jun 2019) +- docs: Fix links to OpenSSL docs + + OpenSSL changed their manual locations and does not redirect to the new + locations. + + Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html + Reported-by: Daniel Stenberg -- THANKS: from the 7.65.0 release-notes +Daniel Stenberg (26 Jun 2019) +- [Gaël PORTAY brought this change] -- url: convert the zone id from a IPv6 URL to correct scope id + curl_multi_wait.3: escape backslash in example - Reported-by: GitYuanQu on github - Fixes #3902 - Closes #3914 - -- configure: detect getsockname and getpeername on windows too + The backslash in the character Line Feed must be escaped. - Made detection macros for these two functions in the same style as other - functions possibly in winsock in the hope this will work better to - detect these functions when cross-compiling for Windows. + The current man-page outputs the code as following: - Follow-up to e91e4816123 + fprintf(stderr, "curl_multi failed, code %d.0, mc); - Fixes #3913 - Closes #3915 - -Marcel Raad (21 May 2019) -- examples: remove unused variables + The commit fixes it as follow: - Fixes Codacy/CppCheck warnings. + fprintf(stderr, "curl_multi failed, code %d\n", mc); - Closes + Closes #4079 -Daniel Gustafsson (21 May 2019) -- udpateconninfo: mark variable unused +- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - When compiling without getpeername() or getsockname(), the sockfd - paramter to Curl_udpateconninfo() became unused after commit e91e481612 - added ifdef guards. + ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is + built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for + UWP (with "VC-WIN32-UWP"). 
- Closes #3910 - Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 - Reviewed-by: Marcel Raad, Daniel Stenberg + Reported-by: Vasily Lobaskin + Fixes #4073 + Closes #4077 -- ftp: move ftp_ccc in under featureflag +- test1521: adapt to SLISTPOINT - Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under - the FTP featureflag in the UserDefined struct, but vtls callsites were - still using it unprotected. + The header now has the slist-using options marked as SLISTPOINT so this + makes sure test 1521 understands that. - Closes #3912 - Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 - Reviewed-by: Daniel Stenberg, Marcel Raad + Follow-up to ae99b4de1c443ae989 + + Closes #4074 -Daniel Stenberg (20 May 2019) -- curl: report error for "--no-" on non-boolean options +- win32: make DLL loading a no-op for UWP - Reported-by: Olen Andoni - Fixes #3906 - Closes #3907 + Reported-by: Michael Brehm + Fixes #4060 + Closes #4072 -- [Guy Poizat brought this change] +- [1ocalhost brought this change] - mbedtls: enable use of EC keys + configure: fix typo '--disable-http-uath' - Closes #3892 + Closes #4076 -- lib1560: add tests for parsing URL with too long scheme +- [Niklas Hambüchen brought this change] + + docs: fix string suggesting HTTP/2 is not the default - Ref: #3905 + Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the + man page that new default is mentioned, but the section at the top + contradicted it until now. + + Also remove claim that setting the HTTP version is not sensible. + + Closes #4075 -- [Omar Ramadan brought this change] +- RELEASE-NOTES: synced - urlapi: increase supported scheme length to 40 bytes +- [Stephan Szabo brought this change] + + tests: update fixed IP for hostip/clientip split - The longest currently registered URI scheme at IANA is 36 bytes long. + These tests give differences for me on linux when using a hostip + pointing to the external ip address for the local machine. 
- Closes #3905 - Closes #3900 + Closes #4070 -Marcel Raad (20 May 2019) -- lib: reduce variable scopes +Daniel Gustafsson (24 Jun 2019) +- http: clarify header buffer size calculation - Fixes Codacy/CppCheck warnings. + The header buffer size calculation can from static analysis seem to + overlow as it performs an addition between two size_t variables and + stores the result in a size_t variable. Overflow is however guarded + against elsewhere since the input to the addition is regulated by + the maximum read buffer size. Clarify this with a comment since the + question was asked. - Closes https://github.com/curl/curl/pull/3872 + Reviewed-by: Daniel Stenberg -- tool_formparse: remove redundant assignment +Daniel Stenberg (24 Jun 2019) +- KNOWN_BUGS: Don't clear digest for single realm - Just initialize word_begin with the correct value. + Closes #3267 + +- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - Closes https://github.com/curl/curl/pull/3873 + Closes #3284 -- ssh: move variable declaration to where it's used +- http2: call done_sending on end of upload - This way, we need only one call to free. + To make sure a HTTP/2 stream registers the end of stream. - Closes https://github.com/curl/curl/pull/3873 + Bug #4043 made me find this problem but this fix doesn't correct the + reported issue. + + Closes #4068 -- ssh-libssh: remove unused variable +- [James Brown brought this change] + + c-ares: honor port numbers in CURLOPT_DNS_SERVERS - sock was only used to be assigned to fd_read. + By using ares_set_servers_ports_csv on new enough c-ares. 
- Closes https://github.com/curl/curl/pull/3873 + Fixes #4066 + Closes #4067 -Daniel Stenberg (20 May 2019) -- test332: verify the blksize fix +Daniel Gustafsson (24 Jun 2019) +- CURLMOPT_SOCKETFUNCTION.3: fix typo -- tftp: use the current blksize for recvfrom() +Daniel Stenberg (24 Jun 2019) +- [Koen Dergent brought this change] + + curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds - bug: https://curl.haxx.se/docs/CVE-2019-5436.html - Reported-by: l00p3r on hackerone - CVE-2019-5436 + Closes #4061 -Daniel Gustafsson (19 May 2019) -- version: make ssl_version buffer match for multi_ssl +- test153: fix content-length to avoid occasional hang - When running a multi TLS backend build the version string needs more - buffer space. Make the internal ssl_buffer stack buffer match the one - in Curl_multissl_version() to allow for the longer string. For single - TLS backend builds there is no use in extended to buffer. This is a - fallout from #3863 which fixes up the multi_ssl string generation to - avoid a buffer overflow when the buffer is too small. - - Closes #3875 - Reviewed-by: Daniel Stenberg + Closes #4065 -Steve Holme (18 May 2019) -- http_ntlm_wb: Handle auth for only a single request - - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). +- RELEASE-NOTES: synced + +- multi: enable multiplexing by default (again) - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. + It was originally made default in d7c4213bd0c (7.62.0) but mistakenly + reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. - Missed in fe6049f0. 
+ Closes #4051 -- http_ntlm_wb: Cleanup handshake after clean NTLM failure +- typecheck: add 3 missing strings and a callback data pointer - Missed in 50b87c4e. + Closes #4050 -- http_ntlm_wb: Return the correct error on receiving an empty auth message +- tests: add disable-scan.pl to dist - Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + follow-up from 29177f422a5 - Closes #3894 + Closes #4059 -Daniel Stenberg (18 May 2019) -- curl: make code work with protocol-disabled libcurl +- http2: don't call stream-close on already closed streams - Closes #3844 - -- libcurl: #ifdef away more code for disabled features/protocols - -- progress: CURL_DISABLE_PROGRESS_METER - -- hostip: CURL_DISABLE_SHUFFLE_DNS - -- netrc: CURL_DISABLE_NETRC + Closes #4055 -Viktor Szakats (16 May 2019) -- docs: Markdown and misc improvements [ci skip] +Marcel Raad (20 Jun 2019) +- travis: enable alt-svc for coverage build - Approved-by: Daniel Stenberg - Closes #3896 + Closes -- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] +- travis: enable libssh2 for coverage build - Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 - Approved-by: Daniel Stenberg - Closes #3895 - -Daniel Stenberg (16 May 2019) -- travis: add an osx http-only build + It was enabled by default before commit c92d2e14cfb. - Closes #3887 + Disable torture tests 600 and 601 because of + https://github.com/curl/curl/issues/1678. + + Closes -- cleanup: remove FIXME and TODO comments +- travis: disable threaded resolver for coverage build - They serve very little purpose and mostly just add noise. Most of them - have been around for a very long time. I read them all before removing - or rephrasing them. + This enables more tests. - Ref: #3876 - Closes #3883 + Closes -- curl: don't set FTP options for FTP-disabled builds +- travis: enable brotli for all xenial jobs - ... 
since libcurl has started to be totally unaware of options for - disabled protocols they now return error. + There's no need for a separate job, and no need to build it from source + with Xenial. - Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + Closes + +- travis: enable warnings-as-errors for coverage build - Reported-by: Marcel Raad - Closes #3886 + Closes -Steve Holme (16 May 2019) -- http_ntlm_wb: Move the type-2 message processing into a dedicated function +GitHub (20 Jun 2019) +- [Gisle Vanem brought this change] + + system_win32: fix typo + +Daniel Stenberg (20 Jun 2019) +- typecheck: CURLOPT_CONNECT_TO takes an slist too - This brings the code inline with the other HTTP authentication mechanisms. + Additionally, add an alias in curl.h for slist-using options so that + we can grep/parse those out at will. - Closes #3890 - -Daniel Stenberg (15 May 2019) -- RELEASE-NOTES: synced + Closes #4042 -- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] +- [Stephan Szabo brought this change] -- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + tests: support non-localhost HOSTIP for dict/smb servers - Reported-by: Roy Bellingan - Bug: #3885 + smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for + binding the server which when we were running the tests with a separate + HOSTIP and CLIENTIP had failures verifying the server from the device we + were testing. + + This changes them to take the address from runtests.py and default to + localhost/127.0.0.1 if none is given. + + Closes #4048 -- parse_proxy: use the URL parser API +- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT + +- configure: --disable-progress-meter - As we treat a given proxy as a URL we should use the unified URL parser - to extract the parts out of it. + Builds libcurl without support for the built-in progress meter. 
- Closes #3878 + Closes #4023 -Steve Holme (15 May 2019) -- http_negotiate: Move the Negotiate state out of the negotiatedata structure +- curl: improved skip-setopt-options when built with disabled features - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + Reduces #ifdefs in src/tool_operate.c - Closes #3882 + Follow-up from 4e86f2fc4e6 + Closes #3936 -- http_ntlm: Move the NTLM state out of the ntlmdata structure +Steve Holme (18 Jun 2019) +- netrc: Return the correct error code when out of memory - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + Introduced in 763c5178. + + Closes #4036 -- url: Move the negotiate state type into a dedicated enum +Daniel Stenberg (18 Jun 2019) +- config-os400: add getpeername and getsockname defines + + Reported-by: jonrumsey on github + Fixes #4037 + Closes #4039 -- url: Remove duplicate clean up of the winbind variables in conn_shutdown() +- runtests: keep logfiles around by default - Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior - to calling conn_shutdown() and it in turn performs this, there is no - need to perform the same action in conn_shutdown(). + Make '-k' a no-op. The singletest function now clears the log directory + BEFORE each individual test and not after, which makes it possible to + always keep the logfiles around after a test has been run. No need to + specify -k anymore. Keeping the option parsing around to work with users + of old habits. - Closes #3881 + Some tests also didn't work properly when -k was used (since the old + logs would be kep when a new test starts) which this change also fixes. + + Closes #4035 -Daniel Stenberg (14 May 2019) -- urlapi: require a non-zero host name length when parsing URL +- [Gergely Nagy brought this change] + + openssl: fix pubkey/signature algorithm detection in certinfo - Updated test 1560 to verify. 
+ Certinfo gives the same result for all OpenSSL versions. + Also made printing RSA pubkeys consistent with older versions. - Closes #3880 + Reported-by: Michael Wallner + Fixes #3706 + Closes #4030 -- configure: error out if OpenSSL wasn't detected when asked for +- conn_maxage: move the check to prune_dead_connections() - If --with-ssl is used and configure still couldn't enable SSL this - creates an error instead of just silently ignoring the fact. + ... and avoid the locking issue. - Suggested-by: Isaiah Norton - Fixes #3824 - Closes #3830 + Reported-by: Kunal Ekawde + Fixes #4029 + Closes #4032 -Daniel Gustafsson (14 May 2019) -- imap: Fix typo in comment +- tests: have runtests figure out disabled features + + ... so that runtests can skip individual test cases that test features + that are explicitly disabled in this build. This new logic is intended + for disabled features that aren't otherwise easily visible through the + curl_version_info() or other API calls. + + tests/server/disabled is a newly built executable that will output a + list of disabled features. Outputs nothing for a default build. + + Closes #3950 -Steve Holme (14 May 2019) -- url: Remove unnecessary initialisation from allocate_conn() +- test188/189: fix Content-Length - No need to set variables to zero as calloc() does this for us. + This cures the flaky test results - Closes #3879 + Closes #4034 -Daniel Stenberg (14 May 2019) -- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] +- [Thomas Gamper brought this change] + + winbuild: use WITH_PREFIX if given - Clues-provided-by: Jay Satiro - Clues-provided-by: Jeroen Ooms - Fixes #3711 - Closes #3874 + Closes #4031 -Daniel Gustafsson (13 May 2019) -- vtls: fix potential ssl_buffer stack overflow +Daniel Gustafsson (17 Jun 2019) +- openssl: remove outdated comment - In Curl_multissl_version() it was possible to overflow the passed in - buffer if the generated version string exceeded the size of the buffer. 
- Fix by inverting the logic, and also make sure to not exceed the local - buffer during the string generation. + OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), + which is why we switched to CONF_modules_load_file() and introduced + a comment stating why. This behavior was however changed in OpenSSL + commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now + outdated and incorrect comment. The mentioned commit also declares + OPENSSL_config() deprecated so keep the current coding. - Closes #3863 - Reported-by: nevv on HackerOne/curl - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Closes #4033 + Reviewed-by: Daniel Stenberg -Daniel Stenberg (13 May 2019) +Daniel Stenberg (16 Jun 2019) - RELEASE-NOTES: synced -- appveyor: also build "/ci" branches like travis - -- pingpong: disable more when no pingpong enabled +Patrick Monnerat (16 Jun 2019) +- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. + + Use it in curl_easy_setopt_ccsid(). + + Reported-by: jonrumsey on github + Fixes #3833 + Closes #4028 -- proxy: acknowledge DISABLE_PROXY more - -- parsedate: CURL_DISABLE_PARSEDATE - -- sasl: only enable if there's a protocol enabled using it - -- mime: acknowledge CURL_DISABLE_MIME +Daniel Stenberg (15 Jun 2019) +- runtests: report single test time + total duration + + ... after each successful test. + + Closes #4027 -- wildcard: disable from build when FTP isn't present +- multi: fix the transfer hash function + + Follow-up from 8b987cc7eb + + Reported-by: Tom van der Woerdt + Fixes #4018 + Closes #4024 -- http: CURL_DISABLE_HTTP_AUTH +- unit1654: cleanup on memory failure + + ... to make it handle torture tests properly. 
+ + Reported-by: Marcel Raad + Fixes #4021 + Closes #4022 -- base64: build conditionally if there are users +Marcel Raad (13 Jun 2019) +- krb5: fix compiler warning + + Even though the variable was used in a DEBUGASSERT, GCC 8 warned in + debug mode: + krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] + + Just suppress the warning and declare the variable unconditionally + instead of only for DEBUGBUILD (which also missed the check for + HAVE_ASSERT_H). + + Closes https://github.com/curl/curl/pull/4020 -- doh: CURL_DISABLE_DOH +Daniel Stenberg (13 Jun 2019) +- quote.d: asterisk prefix works for SFTP as well + + Reported-by: Ben Voris + Fixes #4017 + Closes #4019 -Steve Holme (12 May 2019) -- auth: Rename the various authentication clean up functions +- multi: fix the transfer hashes in the socket hash entries - For consistency and to a avoid confusion. + - The transfer hashes weren't using the correct keys so removing entries + failed. - Closes #3869 + - Simplified the iteration logic over transfers sharing the same socket and + they now simply are set to expire and thus get handled in the "regular" + timer loop instead. + + Reported-by: Tom van der Woerdt + Fixes #4012 + Closes #4014 -Daniel Stenberg (12 May 2019) -- [Jay Satiro brought this change] +Jay Satiro (12 Jun 2019) +- [Cliff Crosland brought this change] - docs/INSTALL: fix broken link [ci skip] + url: Fix CURLOPT_MAXAGE_CONN time comparison - Reported-by: Joombalaya on github - Fixes #3818 - -Marcel Raad (12 May 2019) -- easy: fix another "clarify calculation precedence" warning + Old connections are meant to expire from the connection cache after + CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x + that value. This occurs because a time value measured in milliseconds is + accidentally divided by 1M instead of by 1,000. - I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. 
+ Closes https://github.com/curl/curl/pull/4013 -- build: fix "clarify calculation precedence" warnings - - Codacy/CppCheck warns about this. Consistently use parentheses as we - already do in some places to silence the warning. +Daniel Stenberg (11 Jun 2019) +- test1165: verify that CURL_DISABLE_ symbols are in sync - Closes https://github.com/curl/curl/pull/3866 + between configure.ac and source code. They should be possible to switch + on/off in configure AND be used in source code. -- cmake: restore C89 compatibility of CurlTests.c +- configure: remove CURL_DISABLE_TLS_SRP - I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and - 97de97daefc2ed084c91eff34af2426f2e55e134. + It isn't used by code so stop providing the define. - Reported-by: Viktor Szakats - Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 - Closes https://github.com/curl/curl/pull/3868 + Closes #4010 -Steve Holme (11 May 2019) -- http_ntlm: Corrected the name of the include guard +- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" - Missed in f0bdd72c. + This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. - Closes #3867 + Apparently several of the appveyor windows builds broke. -- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - - Closes #3861 +- [sergey-raevskiy brought this change] -- http_negotiate: Don't expose functions when HTTP is disabled + cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified + + Reviewed-by: Jakub Zakrzewski + Closes #3770 -Daniel Stenberg (11 May 2019) -- SECURITY-PROCESS: fix links [ci skip] +- RELEASE-NOTES: synced -Marcel Raad (11 May 2019) -- CMake: suppress unused variable warnings +- http2: remove CURL_DISABLE_TYPECHECK define - I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + ... in http2-less builds as it served no use. 
-Daniel Stenberg (11 May 2019) -- doh: disable DOH for the cases it doesn't work - - Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for - DOH resolves. This fix disables DOH for those. +- configure: more --disable switches to toggle off individual features - Limitation added to KNOWN_BUGS. + ... actual support in the code for disabling these has already landed. - Fixes #3850 - Closes #3857 + Closes #4009 -Jay Satiro (11 May 2019) -- checksrc.bat: Ignore snprintf warnings in docs/examples - - .. because we allow snprintf use in docs/examples. +- wolfssl: fix key pinning build error - Closes https://github.com/curl/curl/pull/3862 + follow-up from deb9462ff2de8 -Steve Holme (10 May 2019) -- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() +- CURLMOPT_SOCKETFUNCTION.3: clarified - ...and misalignment of these comments. From a78c61a4. + Moved away the callback explanation from curl_multi_socket_action.3 and + expanded it somewhat. - Closes #3860 + Closes #4006 -Jay Satiro (10 May 2019) -- Revert "multi: support verbose conncache closure handle" - - This reverts commit b0972bc. +- wolfssl: fixup for SNI use - - No longer show verbose output for the conncache closure handle. + follow-up from deb9462ff2de8 - The offending commit was added so that the conncache closure handle - would inherit verbose mode from the user's easy handle. (Note there is - no way for the user to set options for the closure handle which is why - that was necessary.) Other debug settings such as the debug function - were not also inherited since we determined that could lead to crashes - if the user's per-handle private data was used on an unexpected handle. 
+ Closes #4007 + +- CURLOPT_CAINFO.3: polished wording - The reporter here says he has a debug function to capture the verbose - output, and does not expect or want any output to stderr; however - because the conncache closure handle does not inherit the debug function - the verbose output for that handle does go to stderr. + Clarify the functionality when built to use Schannel and Secure + Transport and stop calling it the "recommended" or "preferred" way and + instead rather call it the default. - There are other plausible scenarios as well such as the user redirects - stderr on their handle, which is also not inherited since it could lead - to crashes when used on an unexpected handle. + Removed the reference to the ssl comparison table as it isn't necessary. - Short of allowing the user to set options for the conncache closure - handle I don't think there's much we can safely do except no longer - inherit the verbose setting. + Reported-by: Richard Alcock + Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html + Closes #4005 + +GitHub (10 Jun 2019) +- [Daniel Stenberg brought this change] + + SECURITY.md: created - Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html - Reported-by: Kristoffer Gleditsch + Brief security policy description for use/display on github. + +Daniel Gustafsson (10 Jun 2019) +- tool_cb_prg: Fix integer overflow in progress bar - Ref: https://github.com/curl/curl/pull/3598 - Ref: https://github.com/curl/curl/pull/3618 + Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar + width calculation to avoid integer overflow, but failed to account for + the fact that initial_size is initialized to -1 when the file size is + retrieved from the remote on an upload, causing another signed integer + overflow. Fix by separately checking for this case before the width + calculation. 
- Closes https://github.com/curl/curl/pull/3856 + Closes #3984 + Reported-by: Brian Carpenter (Geeknik Labs) + Reviewed-by: Daniel Stenberg -Steve Holme (10 May 2019) -- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() +Daniel Stenberg (10 Jun 2019) +- wolfssl: refer to it as wolfSSL only - From 6012fa5a. + Remove support for, references to and use of "cyaSSL" from the source + and docs. wolfSSL is the current name and there's no point in keeping + references to ancient history. - Closes #3858 - -Daniel Stenberg (9 May 2019) -- BUG-BOUNTY: minor formatting fixes [ci skip] + Assisted-by: Daniel Gustafsson + + Closes #3903 - RELEASE-NOTES: synced -- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] +- bindlocal: detect and avoid IP version mismatches in bind() - Closes #3839 + Reported-by: Alex Grebenschikov + Fixes #3993 + Closes #4002 -Kamil Dudka (9 May 2019) -- http_negotiate: do not treat failure of gss_init_sec_context() as fatal +- multi: make sure 'data' can present in several sockhash entries - Fixes #3726 - Closes #3849 + Since more than one socket can be used by each transfer at a given time, + each sockhash entry how has its own hash table with transfers using that + socket. + + In addition, the sockhash entry can now be marked 'blocked = TRUE'" + which then makes the delete function just set 'removed = TRUE' instead + of removing it "for real", as a way to not rip out the carpet under the + feet of a parent function that iterates over the transfers of that same + sockhash entry. 
+ + Reported-by: Tom van der Woerdt + Fixes #3961 + Fixes #3986 + Fixes #3995 + Fixes #4004 + Closes #3997 -- spnego_gssapi: fix return code on gss_init_sec_context() failure +- [Sorcus brought this change] + + libcurl-tutorial.3: Fix small typo (mutipart -> multipart) - Fixes #3726 - Closes #3849 + Fixed-by: MrSorcus on github + Closes #4000 -Steve Holme (9 May 2019) -- gen_resp_file.bat: Removed unnecessary @ from all but the first command +- unpause: trigger a timeout for event-based transfers - There is need to use @ on every command once echo has been turned off. + ... so that timeouts or other state machine actions get going again + after a changing pause state. For example, if the last delivery was + paused there's no pending socket activity. - Closes #3854 + Reported-by: sstruchtrup on github + Fixes #3994 + Closes #4001 -Jay Satiro (8 May 2019) -- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies +Marcel Raad (9 Jun 2019) +- travis: use xenial LLVM package for scan-build - - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to - the destination host. + I missed that in commit 99a49d6. + +- travis: update scan-build job to xenial - We already do something similar for HTTPS proxies by not sending h2. [1] + Closes https://github.com/curl/curl/pull/3999 + +Daniel Stenberg (8 Jun 2019) +- bump: start working on 7.65.2 + +Marcel Raad (5 Jun 2019) +- examples/htmltitle: use C++ casts between pointer types - Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would - incorrectly use HTTP/2 to talk to the proxy, which is not something we - support (yet?). Also it's debatable whether or not that setting should - apply to HTTP/2 proxies. + Compilers and static analyzers warn about using C-style casts here. 
- [1]: https://github.com/curl/curl/commit/17c5d05 + Closes https://github.com/curl/curl/pull/3975 + +- examples/fopen: fix comparison - Bug: https://github.com/curl/curl/issues/3570 - Bug: https://github.com/curl/curl/issues/3832 + As want is size_t, (file->buffer_pos - want) is unsigned, so checking + if it's less than zero makes no sense. + Check if file->buffer_pos is less than want instead to avoid the + unsigned integer wraparound. - Closes https://github.com/curl/curl/pull/3853 + Closes https://github.com/curl/curl/pull/3975 -Marcel Raad (8 May 2019) -- travis: update mesalink build to xenial +- build: fix Codacy warnings - Closes https://github.com/curl/curl/pull/3842 - -Daniel Stenberg (8 May 2019) -- [Ricky Leverence brought this change] + Reduce variable scopes and remove redundant variable stores. + + Closes https://github.com/curl/curl/pull/3975 - OpenSSL: Report -fips in version if OpenSSL is built with FIPS +- sws: remove unused variables - Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS - define. It uses this define to determine whether to publish -fips at - the end of the version displayed. Applications that utilize the version - reported by OpenSSL will see a mismatch if they compare it to what curl - reports, as curl is not modifying the version in the same way. This - change simply adds a check to see if OPENSSL_FIPS is defined, and will - alter the reported version to match what OpenSSL itself provides. This - only appears to be applicable in versions of OpenSSL <1.1.1 + Unused since commit 2f44e94. - Closes #3771 + Closes https://github.com/curl/curl/pull/3975 -Kamil Dudka (7 May 2019) +Version 7.65.1 (4 Jun 2019) + +Daniel Stenberg (4 Jun 2019) +- RELEASE-NOTES: 7.65.1 + +- THANKS: new contributors from 7.65.1 + +Steve Holme (4 Jun 2019) - [Frank Gevaerts brought this change] - nss: allow fifos and character devices for certificates. 
- - Currently you can do things like --cert <(cat ./cert.crt) with (at least) the - openssl backend, but that doesn't work for nss because is_file rejects fifos. + ssl: Update outdated "openssl-only" comments for supported backends - I don't actually know if this is sufficient, nss might do things internally - (like seeking back) that make this not work, so actual testing is needed. + These are for features that used to be openssl-only but were expanded + over time to support other SSL backends. - Closes #3807 - -Daniel Gustafsson (6 May 2019) -- test2100: Fix typos in test description + Closes #3985 -Daniel Stenberg (6 May 2019) -- ssh: define USE_SSH if SSH is enabled (any backend) +Daniel Stenberg (4 Jun 2019) +- curl_share_setopt.3: improve wording [ci ship] - Closes #3846 + Reported-by: Carlos ORyan -Steve Holme (5 May 2019) -- winbuild: Add our standard copyright header to the winbuild batch files +Steve Holme (4 Jun 2019) +- tool_parsecfg: Use correct return type for GetModuleFileName() + + GetModuleFileName() returns a DWORD which is a typedef of an unsigned + long and not an int. + + Closes #3980 -- makedebug: Fix ERRORLEVEL detection after running where.exe +Daniel Stenberg (3 Jun 2019) +- TODO: "at least N milliseconds between requests" [ci skip] - Closes #3838 + Suggested-by: dkwolfe4 on github + Closes #3920 -Daniel Stenberg (5 May 2019) -- urlapi: add CURLUPART_ZONEID to set and get +Steve Holme (2 Jun 2019) +- tests/server/.gitignore: Add socksd to the ignore list - The zoneid can be used with IPv6 numerical addresses. + Missed in 04fd6755. - Updated test 1560 to verify. + Closes #3978 + +- tool_parsecfg: Fix control flow issue (DEADCODE) - Closes #3834 + Follow-up to 8144ba38. 
+ + Detected by Coverity CID 1445663 + Closes #3976 -- [Taiyu Len brought this change] +Daniel Stenberg (2 Jun 2019) +- [Sergey Ogryzkov brought this change] - WRITEFUNCTION: add missing set_in_callback around callback + NTLM: reset proxy "multipass" state when CONNECT request is done - Closes #3837 + Closes #3972 -- RELEASE-NOTES: synced +- test334: verify HTTP 204 response with chunked coding header + + Verifies that a bodyless response don't parse this content-related + header. -- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] +- [Michael Kaufmann brought this change] + + http: don't parse body-related headers bodyless responses - Reported-by: Ricardo Gomes + Responses with status codes 1xx, 204 or 304 don't have a response body. For + these, don't parse these headers: - Bug: #3537 - Closes #3836 - -- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + - Content-Encoding + - Content-Length + - Content-Range + - Last-Modified + - Transfer-Encoding - The time field in the curl_fileinfo struct will always be zero. No code - was ever implemented to actually convert the date string to a time_t. + This change ensures that HTTP/2 upgrades work even if a + "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. - Fixes #3829 - Closes #3835 - -- OS400/ccsidcurl.c: code style fixes + Co-authored-by: Daniel Stenberg + Closes #3702 + Fixes #3968 + Closes #3977 -- OS400/ccsidcurl: replace use of Curl_vsetopt - - (and make the code style comply) +- tls13-docs: mention it is only for OpenSSL >= 1.1.1 - Fixes #3833 + Reported-by: Jay Satiro + Co-authored-by: Jay Satiro + Fixes #3938 + Closes #3946 -- urlapi: strip off scope id from numerical IPv6 addresses +- dump-header.d: spell out that no headers == empty file [ci skip] - ... to make the host name "usable". Store the scope id and put it back - when extracting a URL out of it. 
+ Reported-by: wesinator at github + Fixes #3964 + Closes #3974 + +- singlesocket: use separate variable for inner loop - Also makes curl_url_set() syntax check CURLUPART_HOST. + An inner loop within the singlesocket() function wrongly re-used the + variable for the outer loop which then could cause an infinite + loop. Change to using a separate variable! - Fixes #3817 - Closes #3822 + Reported-by: Eric Wu + Fixes #3970 + Closes #3973 - RELEASE-NOTES: synced -- multiif.h: remove unused protos +- [Josie Huddleston brought this change] + + http2: Stop drain from being permanently set on - ... for functions related to pipelining. Those functions were removed in - 2f44e94efb3df. + Various functions called within Curl_http2_done() can have the + side-effect of setting the Easy connection into drain mode (by calling + drain_this()). However, the last time we unset this for a transfer (by + calling drained_transfer()) is at the beginning of Curl_http2_done(). + If the Curl_easy is reused for another transfer, it is then stuck in + drain mode permanently, which in practice makes it unable to write any + data in the new transfer. - Closes #3828 - -- [Yiming Jing brought this change] + This fix moves the last call to drained_transfer() to later in + Curl_http2_done(), after the functions that could potentially call for a + drain. + + Fixes #3966 + Closes #3967 + Reported-by: Josie-H - travis: mesalink: temporarily disable test 3001 +Steve Holme (29 May 2019) +- conncache: Remove the DEBUGASSERT on length check - ... due to SHA-1 signatures in test certs + We trust the calling code as this is an internal function. + + Closes #3962 -- [Yiming Jing brought this change] +Jay Satiro (29 May 2019) +- [Gisle Vanem brought this change] - travis: upgrade the MesaLink TLS backend to v1.0.0 + system_win32: fix function prototype - Closes #3823 - Closes #3776 - -- ConnectionExists: improve non-multiplexing use case + - Change if_nametoindex parameter type from char * to const char *. 
- - better log output + Follow-up to 09eef8af from this morning. - - make sure multiplex is enabled for it to be used + Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 -- multi: provide Curl_multiuse_state to update information +Marcel Raad (29 May 2019) +- appveyor: add Visual Studio solution build - As soon as a TLS backend gets ALPN conformation about the specific HTTP - version it can now set the multiplex situation for the "bundle" and - trigger moving potentially queued up transfers to the CONNECT state. + Closes https://github.com/curl/curl/pull/3941 -- process_pending_handles: mark queued transfers as previously pending +- appveyor: add support for other build systems - With transfers being queued up, we only move one at a a time back to the - CONNECT state but now we mark moved transfers so that when a moved - transfer is confirmed "successful" (it connected) it will trigger the - move of another pending transfer. Previously, it would otherwise wait - until the transfer was done before doing this. This makes queued up - pending transfers get processed (much) faster. - -- http: mark bundle as not for multiuse on < HTTP/2 response + Introduce BUILD_SYSTEM variable, which is currently always CMake. - Fixes #3813 - Closes #3815 + Closes https://github.com/curl/curl/pull/3941 -Daniel Gustafsson (1 May 2019) -- cookie: Guard against possible NULL ptr deref +Steve Holme (29 May 2019) +- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows - In case the name pointer isn't set (due to memory pressure most likely) - we need to skip the prefix matching and reject with a badcookie to avoid - a possible NULL pointer dereference. + This fixes the static dependency on iphlpapi.lib and allows curl to + build for targets prior to Windows Vista. 
- Closes #3820 #3821 - Reported-by: Jonathan Moerman - Reviewed-by: Daniel Stenberg - -Patrick Monnerat (30 Apr 2019) -- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings - -Kamil Dudka (29 Apr 2019) -- nss: provide more specific error messages on failed init + This partially reverts 170bd047. - Closes #3808 + Fixes #3960 + Closes #3958 -Daniel Stenberg (29 Apr 2019) -- [Reed Loden brought this change] +Daniel Stenberg (29 May 2019) +- http: fix "error: equality comparison with extraneous parentheses" - docs: minor polish to the bug bounty / security docs +- parse_proxy: make sure portptr is initialized - Closes #3811 - -- CURL_MAX_INPUT_LENGTH: largest acceptable string input size + Reported-by: Benbuck Nason - This limits all accepted input strings passed to libcurl to be less than - CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: - curl_easy_setopt() and curl_url_set(). + fixes #3959 + +- url: default conn->port to the same as conn->remote_port - The 8000000 number is arbitrary picked and is meant to detect mistakes - or abuse, not to limit actual practical use cases. By limiting the - acceptable string lengths we also reduce the risk of integer overflows - all over. + ... so that it has a sensible value when ConnectionExists() is called which + needs it set to differentiate host "bundles" correctly on port number! - NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + Also, make conncache:hashkey() use correct port for bundles that are proxy vs + host connections. - Test 1559 verifies. 
+ Probably a regression from 7.62.0 - Closes #3805 - -- [Tseng Jun brought this change] + Reported-by: Tom van der Woerdt + Fixes #3956 + Closes #3957 - curlver.h: use parenthesis in CURL_VERSION_BITS macro +- conncache: make "bundles" per host name when doing proxy tunnels - Closes #3809 - -Marcel Raad (27 Apr 2019) -- [Simon Warta brought this change] - - cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP + Only HTTP proxy use where multiple host names can be used over the same + connection should use the proxy host name for bundles. - Closes https://github.com/curl/curl/pull/3769 - -Steve Holme (23 Apr 2019) -- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + Reported-by: Tom van der Woerdt + Fixes #3951 + Closes #3955 -- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 +- multi: track users of a socket better - Just like we do for mbed TLS, use our local implementation of MD4 when - OpenSSL doesn't support it. This allows a type-3 message to include the - NT response. - -Daniel Gustafsson (23 Apr 2019) -- INTERNALS: fix misindentation of ToC item + They need to be removed from the socket hash linked list with more care. - Kerberos was incorrectly indented as a subsection under FTP, which is - incorrect as they are both top level sections. A fix for this was first - attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that - was a few paddles short of being complete. - -- [Aron Bergman brought this change] - - INTERNALS: Add structs to ToC + When sh_delentry() is called to remove a sockethash entry, remove all + individual transfers from the list first. To enable this, each Curl_easy struct + now stores a pointer to the sockethash entry to know how to remove itself. - Add the subsections under "Structs in libcurl" to the table of contents. 
+ Reported-by: Tom van der Woerdt and Kunal Ekawde - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson - -- [Aron Bergman brought this change] + Fixes #3952 + Fixes #3904 + Closes #3953 - INTERNALS: Add code highlighting +Steve Holme (28 May 2019) +- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version - Make all struct members under the Curl_handler section - print in monospace font. + Microsoft added support for Unix Domain Sockets in Windows 10 1803 + (RS4). Rather than expect the user to enable Unix Domain Sockets by + uncommenting the #define that was added in 0fd6221f we use the RS4 + pre-processor variable that is present in newer versions of the + Windows SDK. - Closes #3801 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Closes #3939 -Daniel Stenberg (22 Apr 2019) -- docs/BUG-BOUNTY: bug bounty time [skip ci] - - Introducing the curl bug bounty program on hackerone. We now recommend - filing security issues directly in the hackerone ticket system which - only is readable to curl security team members. - - Assisted-by: Daniel Gustafsson - - Closes #3488 +Daniel Stenberg (28 May 2019) +- [Jonas Vautherin brought this change] -Steve Holme (22 Apr 2019) -- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 + cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables - RFC 4616 specifies the authzid is optional in the client authentication - message and that the server will derive the authorisation identity - (authzid) from the authentication identity (authcid) when not specified - by the client. - -Jay Satiro (22 Apr 2019) -- [Gisle Vanem brought this change] + Closes #3945 - memdebug: fix variable name +Marcel Raad (27 May 2019) +- HAProxy tests: add keywords - Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + Add the proxy and haproxy keywords in order to be able to exclude or + run these specific tests. 
- Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + Closes https://github.com/curl/curl/pull/3949 -Steve Holme (21 Apr 2019) -- vauth/cleartext: Don't send the authzid if it is empty +Daniel Stenberg (27 May 2019) +- [Maksim Stsepanenka brought this change] + + tests: make test 1420 and 1406 work with rtsp-disabled libcurl - Follow up to 762a292f. + Closes #3948 -Daniel Stenberg (21 Apr 2019) -- test 196,197,198: add 'retry' keyword [skip ci] +Kamil Dudka (27 May 2019) +- [Hubert Kario brought this change] + + nss: allow to specify TLS 1.3 ciphers if supported by NSS + + Closes #3916 +Daniel Stenberg (26 May 2019) - RELEASE-NOTES: synced -- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse +- [Jay Satiro brought this change] + + Revert all SASL authzid (new feature) commits - ... and disconnect too old ones instead of trying to reuse. + - Revert all commits related to the SASL authzid feature since the next + release will be a patch release, 7.65.1. - Default max age is set to 118 seconds. + Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined + for the next release, assuming it would be a feature release 7.66.0. + However instead the next release will be a patch release, 7.65.1 and + will not contain any new features. - Ref: #3722 - Closes #3782 - -Daniel Gustafsson (20 Apr 2019) -- [Po-Chuan Hsieh brought this change] - - altsvc: Fix building with cookies disables + After the patch release after the reverted commits can be restored by + using cherry-pick: - ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if - check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is - disabled. Fix by splitting out the function into a separate file which can - be included where needed. 
+ git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 - Closes #3717 - Reviewed-by: Daniel Gustafsson - Reviewed-by: Marcel Raad - -Daniel Stenberg (20 Apr 2019) -- test1002: correct the name [skip ci] - -- test660: verify CONNECT_ONLY with IMAP + Details for all reverted commits: - which basically just makes sure LOGOUT is *not* issued on disconnect - -- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" + Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." - Since the connection has been used by the "outside" we don't know the - state of it anymore and curl should not use it anymore. + This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. - Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + Revert "tests: Fix the line endings for the SASL alt-auth tests" - Closes #3795 - -- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) + This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. - The list of names must be in sync with the defined states in the header - file! - -Steve Holme (16 Apr 2019) -- openvms: Remove pre-processors for Windows as VMS cannot support them - -- openvms: Remove pre-processor for SecureTransport as VMS cannot support it + Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" - Fixes #3768 - Closes #3785 - -Jay Satiro (16 Apr 2019) -- TODO: Add issue link to an existing entry - -Daniel Stenberg (16 Apr 2019) -- RELEASE-NOTES: synced - -Jay Satiro (16 Apr 2019) -- tool_help: Warn if curl and libcurl versions do not match + This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. - .. because functionality may be affected if the versions differ. + Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" - This commit implements TODO 18.7 "warning if curl version is not in sync - with libcurl version". + This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. 
- Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" - Closes https://github.com/curl/curl/pull/3774 - -Steve Holme (16 Apr 2019) -- md5: Update the function signature following d84da52d + This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. -- md5: Forgot to update the code alignment in d84da52d +- [dbrowndan brought this change] -- md5: Return CURLcode from the internally accessible functions + FAQ: more minor updates and spelling fixes - Following 28f826b3 to return CURLE_OK instead of numeric 0. + Closes #3937 -Daniel Gustafsson (15 Apr 2019) -- tests: Run global cleanup at end of tests +- RELEASE-NOTES: synced + +- sectransp: handle errSSLPeerAuthCompleted from SSLRead() - Make sure to run curl_global_cleanup() when shutting down the test - suite to release any resources allocated in the SSL setup. This is - clearly visible when running tests with PolarSSL where the thread - lock calloc() memory which isn't released when not running cleanup. 
- Below is an excerpt from the autobuild logs: - - ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 - ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) - ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) - ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup - (polarssl_threadlock.c:54) - ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) - ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) - ==12368== by 0x118B4C: global_init (easy.c:158) - ==12368== by 0x118BF5: curl_global_init (easy.c:221) - ==12368== by 0x118D0B: curl_easy_init (easy.c:299) - ==12368== by 0x114E96: test (lib1906.c:32) - ==12368== by 0x115495: main (first.c:174) - - Closes #3783 - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg + Reported-by: smuellerDD on github + Fixes #3932 + Closes #3933 -Marcel Raad (15 Apr 2019) -- travis: use mbedtls from Xenial - - No need to build it from source anymore. - - Closes https://github.com/curl/curl/pull/3779 +GitHub (24 May 2019) +- [Gisle Vanem brought this change] -- travis: use libpsl from Xenial - - This makes building libpsl and libidn2 from source unnecessary and - removes the need for the autopoint and libunistring-dev packages. - - Closes https://github.com/curl/curl/pull/3779 + Fix typo. -Daniel Stenberg (15 Apr 2019) -- runtests: start socksd like other servers - - ... without a $srcdir prefix. Triggered by the failures in several - autobuilds. 
+Daniel Stenberg (23 May 2019) +- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() - Closes #3781 + Reported-by: Marcel Raad + Fixes #3926 + Closes #3929 -Daniel Gustafsson (14 Apr 2019) -- socksd: Fix typos +Steve Holme (23 May 2019) +- winbuild: Use two space indentation - Reviewed-by: Daniel Stenberg + Closes #3930 -- socksd: Properly decorate static variables +GitHub (23 May 2019) +- [Gisle Vanem brought this change] + + tool_parse_cfg: Avoid 2 fopen() for WIN32 - Mark global variables static to avoid compiler warning in Clang when - using -Wmissing-variable-declarations. + Using the memdebug.h mem-leak feature, I noticed 2 calls like: + FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - Closes #3778 - Reviewed-by: Daniel Stenberg + No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. -Steve Holme (14 Apr 2019) -- md(4|5): Fixed indentation oddities with the importation of replacement code - - The indentation from 211d5329 and 57d6d253 was a little strange as - parts didn't align correctly, uses 4 spaces rather than 2. Checked - the indentation of the original source so it aligns, albeit, using - curl style. +Daniel Stenberg (23 May 2019) +- md4: include the mbedtls config.h to get the MD4 info -- md5: Code style to return CURLE_OK rather than numeric 0 +- md4: build correctly with openssl without MD4 + + Reported-by: elsamuko at github + Fixes #3921 + Closes #3922 -- md5: Corrected code style for some pointer arguments +Patrick Monnerat (23 May 2019) +- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). -Marcel Raad (13 Apr 2019) -- travis: update some builds to xenial - - Xenial comes with more up-to-date software versions and more available - packages, some of which we currently build from source. 
Unfortunately, - some builds would fail with Xenial because of assertion failures in - Valgrind when using OpenSSL, so leave these at Trusty. - - Closes https://github.com/curl/curl/pull/3777 +Daniel Stenberg (23 May 2019) +- .github/FUNDING: mention our opencollective "home" [ci skip] -Daniel Stenberg (13 Apr 2019) -- test: make tests and test scripts use socksd for SOCKS - - Make all SOCKS tests use socksd instead of ssh. +Marcel Raad (23 May 2019) +- [Zenju brought this change] -- socksd: new SOCKS 4+5 server for tests + config-win32: add support for if_nametoindex and getsockname - Closes #3752 + Closes https://github.com/curl/curl/pull/3923 -- singleipconnect: show port in the verbose "Trying ..." message +Jay Satiro (23 May 2019) +- tests: Fix the line endings for the SASL alt-auth tests - To aid debugging better. - -- [tmilburn brought this change] - - CURLOPT_ADDRESS_SCOPE: fix range check and more + - Change data and protocol sections to CRLF line endings. - Commit 9081014 fixed most of the confusing issues between scope id and - scope however 844896d added bad limits checking assuming that the scope - is being set and not the scope id. + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. - I have fixed the documentation so it all refers to scope ids. + Follow-up to a9499ff from today which added the tests. - In addition Curl_if2ip refered to the scope id as remote_scope_id which - is incorrect, so I renamed it to local_scope_id. + Ref: https://github.com/curl/curl/pull/3790 + +Daniel Stenberg (23 May 2019) +- url: fix bad #ifdef - Adjusted-by: Daniel Stenberg + Regression since e91e48161235272ff485. - Closes #3655 - Closes #3765 - Fixes #3713 + Reported-by: Tom Greenslade + Fixes #3924 + Closes #3925 -- urlapi: stricter CURLUPART_PORT parsing +- Revert "progress: CURL_DISABLE_PROGRESS_METER" - Only allow well formed decimal numbers in the input. 
+ This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. - Document that the number MUST be between 1 and 65535. + Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + + CURLOPT_LOW_SPEED_TIME - Add tests to test 1560 to verify the above. + Reported-by: Dave Reisner - Ref: https://github.com/curl/curl/issues/3753 - Closes #3762 + Fixes #3927 + Closes #3928 -Jay Satiro (13 Apr 2019) -- [Jan Ehrhardt brought this change] +Steve Holme (22 May 2019) +- examples: Added SASL PLAIN authorisation identity (authzid) examples - winbuild: Support MultiSSL builds - - - Remove the lines in winbuild/Makefile.vc that generate an error with - multiple SSL backends. - - - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL - backends are set. - - Closes https://github.com/curl/curl/pull/3772 +- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool -Daniel Stenberg (12 Apr 2019) -- travis: remove mesalink builds (temporarily?) +- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - Since the mesalink build started to fail on travis, even though we build - a fixed release version, we disable it to prevent it from blocking - progress. + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. - Closes #3767 + Fixed #3653 + Closes #3790 -- openssl: mark connection for close on TLS close_notify - - Without this, detecting and avoid reusing a closed TLS connection - (without a previous GOAWAY) when doing HTTP/2 is tricky. +Marc Hoersken (22 May 2019) +- tests: add support to test against OpenSSH for Windows - Reported-by: Tom van der Woerdt - Fixes #3750 - Closes #3763 + Testing against OpenSSH for Windows requires v7.7.0.0 or newer + due to the use of AllowUsers and DenyUsers. 
For more info see: + https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config -- RELEASE-NOTES: synced +Daniel Stenberg (22 May 2019) +- bump: start on the next release -Steve Holme (11 Apr 2019) -- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - - Functionally this doesn't change anything as we still use the username - for both the authorisation identity and the authentication identity. +Marcel Raad (22 May 2019) +- examples: fix "clarify calculation precedence" warnings - Closes #3757 + Closes https://github.com/curl/curl/pull/3919 -Daniel Stenberg (11 Apr 2019) -- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage +- hiperfifo: remove unused variable - Based-on-code-by: Poul T Lomholt + Closes https://github.com/curl/curl/pull/3919 -- url: always clone the CUROPT_CURLU handle - - Since a few code paths actually update that data. - - Fixes #3753 - Closes #3761 +- examples: remove dead variable stores - Reported-by: Poul T Lomholt + Closes https://github.com/curl/curl/pull/3919 -- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - - Remove the code too. The functionality has been disabled in code since - 7.62.0. Setting this option will from now on simply be ignored and have - no function. +- examples: reduce variable scopes - Closes #3654 + Closes https://github.com/curl/curl/pull/3919 -Marcel Raad (11 Apr 2019) -- travis: install libgnutls28-dev only for --with-gnutls build - - Reduces the time needed for the other jobs a little. +- http2-download: fix format specifier - Closes https://github.com/curl/curl/pull/3721 + Closes https://github.com/curl/curl/pull/3919 -- travis: install libnss3-dev only for --with-nss build - - Reduces the time needed for the other jobs a little. +Daniel Stenberg (22 May 2019) +- PolarSSL: deprecate support step 1. Removed from configure. - Closes https://github.com/curl/curl/pull/3721 - -- travis: install libssh2-dev only for --with-libssh2 build + Also removed mentions from most docs. 
- Reduces the time needed for the other jobs a little. + Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html - Closes https://github.com/curl/curl/pull/3721 + Closes #3888 -- travis: install libssh-dev only for --with-libssh build +- configure/cmake: check for if_nametoindex() - Reduces the time needed for the other jobs a little. + - adds the check to cmake - Closes https://github.com/curl/curl/pull/3721 + - fixes the configure check to work for cross-compiled windows builds + + Closes #3917 -- travis: install krb5-user only for --with-gssapi build +- parse_proxy: use the IPv6 zone id if given - Reduces the time needed for the other jobs a little. + If the proxy string is given as an IPv6 numerical address with a zone + id, make sure to use that for the connect to the proxy. - Closes https://github.com/curl/curl/pull/3721 - -- travis: install lcov only for the coverage job + Reported-by: Edmond Yu - Reduces the time needed for the other jobs a little. + Fixes #3482 + Closes #3918 + +Version 7.65.0 (22 May 2019) + +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release + +- THANKS: from the 7.65.0 release-notes + +- url: convert the zone id from a IPv6 URL to correct scope id - Closes https://github.com/curl/curl/pull/3721 + Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 -- travis: install clang only when needed +- configure: detect getsockname and getpeername on windows too - This reduces the GCC job runtimes a little and it's needed to - selectively update clang builds to xenial. + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. 
- Closes https://github.com/curl/curl/pull/3721 - -- AppVeyor: enable testing for WinSSL build + Follow-up to e91e4816123 - Closes https://github.com/curl/curl/pull/3725 + Fixes #3913 + Closes #3915 -- build: fix Codacy/CppCheck warnings +Marcel Raad (21 May 2019) +- examples: remove unused variables - - remove unused variables - - declare conditionally used variables conditionally - - suppress unused variable warnings in the CMake tests - - remove dead variable stores - - consistently use WIN32 macro to detect Windows + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3739 + Closes -- polarssl_threadlock: remove conditionally unused code +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused - Make functions no-ops if neither both USE_THREADS_POSIX and - HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are - defined. Previously, if only one of them was defined, there was either - code compiled that did nothing useful or the wrong header included for - the functions used. + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. - Also, move POLARSSL_MUTEX_T define to implementation file as it's not - used externally. + Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg + +- ftp: move ftp_ccc in under featureflag - Closes https://github.com/curl/curl/pull/3739 + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. + + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad -- lib557: initialize variables +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options - These variables are only conditionally initialized. 
+ Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 + +- [Guy Poizat brought this change] + + mbedtls: enable use of EC keys - Closes https://github.com/curl/curl/pull/3739 + Closes #3892 -- lib509: add missing include for strdup +- lib1560: add tests for parsing URL with too long scheme - Closes https://github.com/curl/curl/pull/3739 + Ref: #3905 -- README.md: fix no-consecutive-blank-lines Codacy warning +- [Omar Ramadan brought this change] + + urlapi: increase supported scheme length to 40 bytes - Consistently use one blank line between blocks. + The longest currently registered URI scheme at IANA is 36 bytes long. - Closes https://github.com/curl/curl/pull/3739 + Closes #3905 + Closes #3900 -- tests/server/util: fix Windows Unicode build +Marcel Raad (20 May 2019) +- lib: reduce variable scopes - Always use the ANSI version of FormatMessage as we don't have the - curl_multibyte gear available here. + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3758 + Closes https://github.com/curl/curl/pull/3872 -Daniel Stenberg (11 Apr 2019) -- curl_easy_getinfo.3: fix minor formatting mistake +- tool_formparse: remove redundant assignment + + Just initialize word_begin with the correct value. + + Closes https://github.com/curl/curl/pull/3873 -Daniel Gustafsson (11 Apr 2019) -- xattr: skip unittest on unsupported platforms +- ssh: move variable declaration to where it's used - The stripcredentials unittest fails to compile on platforms without - xattr support, for example the Solaris member in the buildfarm which - fails with the following: + This way, we need only one call to free. - CC unit1621-unit1621.o - CC ../libtest/unit1621-first.o - CCLD unit1621 - Undefined first referenced - symbol in file - stripcredentials unit1621-unit1621.o - goto problem 2 - ld: fatal: symbol referencing errors. 
No output written to .libs/unit1621 - collect2: error: ld returned 1 exit status - gmake[2]: *** [Makefile:996: unit1621] Error 1 + Closes https://github.com/curl/curl/pull/3873 + +- ssh-libssh: remove unused variable - Fix by excluding the test on such platforms by using the reverse - logic from where stripcredentials() is defined. + sock was only used to be assigned to fd_read. - Closes #3759 - Reviewed-by: Daniel Stenberg + Closes https://github.com/curl/curl/pull/3873 -Steve Holme (11 Apr 2019) -- emailL Added reference to RFC8314 for implicit TLS +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix -- README: Schannel, stop calling it "winssl" +- tftp: use the current blksize for recvfrom() - Stick to "Schannel" everywhere - follow up to 180501cb. + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 -Jakub Zakrzewski (10 Apr 2019) -- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl - This fixes GSSAPI builds with the libraries in a non-standard location. - The testing for recv() were failing because it failed to link - the Kerberos libraries, which are not needed for this or subsequent - tests. + When running a multi TLS backend build the version string needs more + buffer space. Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. 
- fixes #3743 - closes #3744 + Closes #3875 + Reviewed-by: Daniel Stenberg -- cmake: avoid linking executable for some tests with cmake 3.6+ +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request - With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() - (which is used by check_c_source_compiles()) will build static library - instead of executable. This avoids linking additional libraries in and thus - speeds up those checks a little. + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). - This commit also avoids #3743 (GSSAPI build errors) on itself with cmake - 3.6 or above. That issue was fixed separately for all versions. + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. - Ref: #3744 + Missed in fe6049f0. -- cmake: minor cleanup - - - Remove nneeded include_regular_expression. - It was setting what is already a default. +- http_ntlm_wb: Cleanup handshake after clean NTLM failure - - Remove duplicated include. + Missed in 50b87c4e. + +- http_ntlm_wb: Return the correct error on receiving an empty auth message - - Don't check for pre-3.0.0 CMake version. - We already require at least 3.0.0, so it's just clutter. + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. 
- Ref: #3744 - -Steve Holme (8 Apr 2019) -- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ - -- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) - -- build-openssl.bat: Perform the install for each build type directly after the build + Closes #3894 -- build-openssl.bat: Split the install of static and shared build types +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl + + Closes #3844 -- build-openssl.bat: Split the building of static and shared build types +- libcurl: #ifdef away more code for disabled features/protocols -- build-openssl.bat: Move the installation into a separate function +- progress: CURL_DISABLE_PROGRESS_METER -- build-openssl.bat: Move the build step into a separate function +- hostip: CURL_DISABLE_SHUFFLE_DNS -- build-openssl.bat: Move the OpenSSL configuration into a separate function +- netrc: CURL_DISABLE_NETRC -- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] - Should the parent environment set this variable then the build might - not be performed as the user intended. - -Daniel Stenberg (8 Apr 2019) -- socks: fix error message + Approved-by: Daniel Stenberg + Closes #3896 -- config.d: clarify that initial : and = might need quoting [skip ci] +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] - Fixes #3738 - Closes #3749 + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 -- RELEASE-NOTES: synced +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build - bumped to 7.65.0 for next release + Closes #3887 -- socks5: user name and passwords must be shorter than 256 +- cleanup: remove FIXME and TODO comments - bytes... since the protocol needs to store the length in a single byte field. 
+ They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. - Reported-by: XmiliaH on github - Fixes #3737 - Closes #3740 - -- [Jakub Zakrzewski brought this change] - - test: urlapi: urlencode characters above 0x7f correctly + Ref: #3876 + Closes #3883 -- [Jakub Zakrzewski brought this change] - - urlapi: urlencode characters above 0x7f correctly - - fixes #3741 - Closes #3742 - -- [Even Rouault brought this change] - - multi_runsingle(): fix use-after-free - - Fixes #3745 - Closes #3746 - - The following snippet - ``` - - int main() - { - CURL* hCurlHandle = curl_easy_init(); - curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); - curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); - curl_easy_perform(hCurlHandle); - curl_easy_cleanup(hCurlHandle); - return 0; - } - ``` - triggers the following Valgrind warning +- curl: don't set FTP options for FTP-disabled builds - ``` - ==4125== Invalid read of size 8 - ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) - ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) - ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd - ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) - ==4125== by 0x4E62C36: conn_free (url.c:756) - ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) - ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) - ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - 
==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Block was alloc'd at - ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) - ==4125== by 0x4E6438E: allocate_conn (url.c:1654) - ==4125== by 0x4E685B4: create_conn (url.c:3496) - ==4125== by 0x4E6968F: Curl_connect (url.c:4023) - ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ``` + ... since libcurl has started to be totally unaware of options for + disabled protocols they now return error. - This has been bisected to commit 2f44e94 + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 - Credit to OSS Fuzz + Reported-by: Marcel Raad + Closes #3886 -- pipelining: removed +Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function - As previously planned and documented in DEPRECATE.md, all pipelining - code is removed. + This brings the code inline with the other HTTP authentication mechanisms. 
- Closes #3651 + Closes #3890 -- [cclauss brought this change] +Daniel Stenberg (15 May 2019) +- RELEASE-NOTES: synced - tests: make Impacket (SMB server) Python 3 compatible - - Closes #3731 - Fixes #3289 +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] -Marcel Raad (6 Apr 2019) -- [Simon Warta brought this change] +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + + Reported-by: Roy Bellingan + Bug: #3885 - cmake: set SSL_BACKENDS +- parse_proxy: use the URL parser API - This groups all SSL backends into the feature "SSL" and sets the - SSL_BACKENDS analogue to configure.ac + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. - Closes https://github.com/curl/curl/pull/3736 - -- [Simon Warta brought this change] + Closes #3878 - cmake: don't run SORT on empty list +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure - In case of an empty list, SORTing leads to the cmake error "list - sub-command SORT requires list to be present." + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. - Closes https://github.com/curl/curl/pull/3736 - -Daniel Gustafsson (5 Apr 2019) -- [Eli Schwartz brought this change] + Closes #3882 - configure: fix default location for fish completions +- http_ntlm: Move the NTLM state out of the ntlmdata structure - Fish defines a vendor completions directory for completions that are not - installed as part of the fish project itself, and the vendor completions - are preferred if they exist. This prevents trying to overwrite the - builtin curl.fish completion (or creating file conflicts in distro - packaging). + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. 
+ +- url: Move the negotiate state type into a dedicated enum + +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - Prefer the pkg-config defined location exported by fish, if it can be - found, and fall back to the correct directory defined by most systems. + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). - Closes #3723 - Reviewed-by: Daniel Gustafsson + Closes #3881 -Marcel Raad (5 Apr 2019) -- ftplistparser: fix LGTM alert "Empty block without comment" +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL - Removing the block is consistent with line 954/957. + Updated test 1560 to verify. - Closes https://github.com/curl/curl/pull/3732 + Closes #3880 -- transfer: fix LGTM alert "Comparison is always true" +- configure: error out if OpenSSL wasn't detected when asked for - Just remove the redundant condition, which also makes it clear that - k->buf is always 0-terminated if this break is not hit. + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. - Closes https://github.com/curl/curl/pull/3732 + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 -Jay Satiro (4 Apr 2019) -- [Rikard Falkeborn brought this change] +Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment - smtp: fix compiler warning - - - Fix clang string-plus-int warning. - - Clang 8 warns about adding a string to an int does not append to the - string. Indeed it doesn't, but that was not the intention either. Use - array indexing as suggested to silence the warning. There should be no - functional changes. - - (In other words clang warns about "foo"+2 but not &"foo"[2] so use the - latter.) 
+Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() - smtp.c:1221:29: warning: adding 'int' to a string does not append to the - string [-Wstring-plus-int] - eob = strdup(SMTP_EOB + 2); - ~~~~~~~~~~~~~~~~^~~~ + No need to set variables to zero as calloc() does this for us. - Closes https://github.com/curl/curl/pull/3729 + Closes #3879 -Marcel Raad (4 Apr 2019) -- VS projects: use Unicode for VC10+ +Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - All Windows APIs have been natively UTF-16 since Windows 2000 and the - non-Unicode variants are just wrappers around them. Only Windows 9x - doesn't understand Unicode without the UnicoWS DLL. As later Visual - Studio versions cannot target Windows 9x anyway, using the ANSI API - doesn't really have any benefit there. + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 + +Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow - This avoids issues like KNOWN_BUGS 6.5. + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. - Ref: https://github.com/curl/curl/issues/2120 - Closes https://github.com/curl/curl/pull/3720 + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg -Daniel Gustafsson (3 Apr 2019) +Daniel Stenberg (13 May 2019) - RELEASE-NOTES: synced - - Bump the version in progress to 7.64.2, if we merge any "change" - before the cut-off date we can update the version. 
-- [Tim Rühsen brought this change] +- appveyor: also build "/ci" branches like travis - documentation: Fix several typos - - Closes #3724 - Reviewed-by: Jakub Zakrzewski - Reviewed-by: Daniel Gustafsson +- pingpong: disable more when no pingpong enabled -Jay Satiro (2 Apr 2019) -- [Mert Yazıcıoğlu brought this change] +- proxy: acknowledge DISABLE_PROXY more - vauth/oauth2: Fix OAUTHBEARER token generation +- parsedate: CURL_DISABLE_PARSEDATE + +- sasl: only enable if there's a protocol enabled using it + +- mime: acknowledge CURL_DISABLE_MIME + +- wildcard: disable from build when FTP isn't present + +- http: CURL_DISABLE_HTTP_AUTH + +- base64: build conditionally if there are users + +- doh: CURL_DISABLE_DOH + +Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions - OAUTHBEARER tokens were incorrectly generated in a format similar to - XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the - RFC7628. + For consistency and to a avoid confusion. - Fixes: #2487 - Reported-by: Paolo Mossino + Closes #3869 + +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] + + docs/INSTALL: fix broken link [ci skip] - Closes https://github.com/curl/curl/pull/3377 + Reported-by: Joombalaya on github + Fixes #3818 -Marcel Raad (2 Apr 2019) -- tool_cb_wrt: fix bad-function-cast warning +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning - Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the - warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. - Extend fhnd's scope and reuse that variable instead of calling - _get_osfhandle a second time to fix the warning again. - - Closes https://github.com/curl/curl/pull/3718 + I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. 
-- VC15 project: remove MinimalRebuild +- build: fix "clarify calculation precedence" warnings - Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the - library project, but I forgot the tool project template. Now also - removed for that. - -Dan Fandrich (1 Apr 2019) -- cirrus: Customize the disabled tests per FreeBSD version + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. - Try to run as many test cases as possible on each OS version. - 12.0 passes 13 more tests than the older versions, so we might as well - run them. + Closes https://github.com/curl/curl/pull/3866 -Daniel Stenberg (1 Apr 2019) -- tool_help: include for strcasecmp +- cmake: restore C89 compatibility of CurlTests.c - Reported-by: Wyatt O'Day - Fixes #3715 - Closes #3716 + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. + + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 -Daniel Gustafsson (31 Mar 2019) -- scripts: fix typos +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard + + Missed in f0bdd72c. + + Closes #3867 -Dan Fandrich (28 Mar 2019) -- travis: allow builds on branches named "ci" +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - This allows a way to test changes other than through PRs. + Closes #3861 -Daniel Stenberg (27 Mar 2019) -- [Brad Spencer brought this change] +- http_negotiate: Don't expose functions when HTTP is disabled - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] + +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings - Closes #3699 + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. 
-- multi: improved HTTP_1_1_REQUIRED handling +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work - Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error - on first flight. + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. - Reported-by: niner on github - Fixes #3696 - Closes #3707 - -- [Leonardo Taccari brought this change] - - configure: avoid unportable `==' test(1) operator + Limitation added to KNOWN_BUGS. - Closes #3709 - -Version 7.64.1 (27 Mar 2019) - -Daniel Stenberg (27 Mar 2019) -- RELEASE: 7.64.1 + Fixes #3850 + Closes #3857 -- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples - This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. + .. because we allow snprintf use in docs/examples. - Fixes #3708 - -- [Christian Schmitz brought this change] + Closes https://github.com/curl/curl/pull/3862 - ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - Closes #3704 + ...and misalignment of these comments. From a78c61a4. + + Closes #3860 -Jay Satiro (26 Mar 2019) -- tool_cb_wrt: fix writing to Windows null device NUL +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" - - Improve console detection. + This reverts commit b0972bc. - Prior to this change WriteConsole could be called to write to a handle - that may not be a console, which would cause an error. This issue is - limited to character devices that are not also consoles such as the null - device NUL. + - No longer show verbose output for the conncache closure handle. 
- Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 - Reported-by: Gisle Vanem - -- CURLMOPT_PIPELINING.3: fix typo - -Daniel Stenberg (25 Mar 2019) -- TODO: config file parsing + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. - Closes #3698 - -Jay Satiro (24 Mar 2019) -- os400: Disable Alt-Svc by default since it's experimental + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. - Follow-up to 520f0b4 which added Alt-Svc support and enabled it by - default for OS400. Since the feature is experimental, it should be - disabled by default. + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. - Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 - Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. - Closes https://github.com/curl/curl/pull/3688 - -Dan Fandrich (24 Mar 2019) -- tests: Fixed XML validation errors in some test files. - -- tests: Fix some incorrect precheck error messages. 
+ Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch - [ci skip] - -Daniel Stenberg (22 Mar 2019) -- curl_url.3: this is not experimental anymore - -- travis: bump the used wolfSSL version to 4.0.0 + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 - Test 311 is now fine, leaving only 313 (CRL) disabled. + Closes https://github.com/curl/curl/pull/3856 + +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - Test 313 details can be found here: - https://github.com/wolfSSL/wolfssl/issues/1546 + From 6012fa5a. - Closes #3697 + Closes #3858 -Daniel Gustafsson (22 Mar 2019) -- lib: Fix typos in comments +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] -David Woodhouse (20 Mar 2019) -- openssl: if cert type is ENG and no key specified, key is ENG too +- RELEASE-NOTES: synced + +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - Fixes #3692 - Closes #3692 + Closes #3839 -Daniel Stenberg (20 Mar 2019) -- sectransp: tvOS 11 is required for ALPN support +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal - Reported-by: nianxuejie on github - Assisted-by: Nick Zitzmann - Assisted-by: Jay Satiro - Fixes #3689 - Closes #3690 + Fixes #3726 + Closes #3849 -- test1541: threaded connection sharing +- spnego_gssapi: fix return code on gss_init_sec_context() failure - The threaded-shared-conn.c example turned into test case. Only works if - pthread was detected. + Fixes #3726 + Closes #3849 + +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command - An attempt to detect future regressions such as e3a53e3efb942a5 + There is need to use @ on every command once echo has been turned off. - Closes #3687 + Closes #3854 -Patrick Monnerat (17 Mar 2019) -- os400: alt-svc support. 
+Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - Although experimental, enable it in the platform config file. - Upgrade ILE/RPG binding. - -Daniel Stenberg (17 Mar 2019) -- conncache: use conn->data to know if a transfer owns it + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. - - make sure an already "owned" connection isn't returned unless - multiplexed. + We already do something similar for HTTPS proxies by not sending h2. [1] - - clear ->data when returning the connection to the cache again + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. - Regression since 7.62.0 (probably in commit 1b76c38904f0) + [1]: https://github.com/curl/curl/commit/17c5d05 - Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 - Closes #3686 + Closes https://github.com/curl/curl/pull/3853 -- RELEASE-NOTES: synced +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial + + Closes https://github.com/curl/curl/pull/3842 -- [Chris Young brought this change] +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] - configure: add --with-amissl + OpenSSL: Report -fips in version if OpenSSL is built with FIPS - AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. - It also requires all programs using it to use bsdsocket.library - directly, rather than accessing socket functions through clib, which - libcurl was not necessarily doing previously. Configure will now check - for the headers and ensure they are included if found. + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. 
It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. This + only appears to be applicable in versions of OpenSSL <1.1.1 - Closes #3677 + Closes #3771 -- [Chris Young brought this change] +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] - vtls: rename some of the SSL functions + nss: allow fifos and character devices for certificates. - ... in the SSL structure as AmiSSL is using macros for the socket API - functions. - -- [Chris Young brought this change] - - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr - -- [Chris Young brought this change] - - tool_operate: build on AmigaOS - -- makefile: make checksrc and hugefile commands "silent" + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. - ... to match the style already used for compiling, linking - etc. Acknowledges 'make V=1' to enable verbose. + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. 
- Closes #3681 + Closes #3807 -- curl.1: --user and --proxy-user are hidden from ps output +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description + +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) - Suggested-by: Eric Curtin - Improved-by: Dan Fandrich - Ref: #3680 + Closes #3846 + +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files + +- makedebug: Fix ERRORLEVEL detection after running where.exe - Closes #3683 + Closes #3838 -- curl.1: mark the argument to --cookie as +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get - From a discussion in #3676 + The zoneid can be used with IPv6 numerical addresses. - Suggested-by: Tim Rühsen + Updated test 1560 to verify. - Closes #3682 - -Dan Fandrich (14 Mar 2019) -- fuzzer: Only clone the latest fuzzer code, for speed. + Closes #3834 -Daniel Stenberg (14 Mar 2019) -- [Dominik Hölzl brought this change] +- [Taiyu Len brought this change] - Negotiate: fix for HTTP POST with Negotiate - - * Adjusted unit tests 2056, 2057 - * do not generally close connections with CURLAUTH_NEGOTIATE after every request - * moved negotiatedata from UrlState to connectdata - * Added stream rewind logic for CURLAUTH_NEGOTIATE - * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC - * Consider authproblem state for CURLAUTH_NEGOTIATE - * Consider reuse_forbid for CURLAUTH_NEGOTIATE - * moved and adjusted negotiate authentication state handling from - output_auth_headers into Curl_output_negotiate - * Curl_output_negotiate: ensure auth done is always set - * Curl_output_negotiate: Set auth done also if result code is - GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may - also indicate the last challenge request (only works with disabled - Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) - * Consider "Persistent-Auth" header, detect if not present; - Reset/Cleanup negotiate 
after authentication if no persistent - authentication - * apply changes introduced with #2546 for negotiate rewind logic + WRITEFUNCTION: add missing set_in_callback around callback - Fixes #1261 - Closes #1975 + Closes #3837 -- [Marc Schlatter brought this change] +- RELEASE-NOTES: synced - http: send payload when (proxy) authentication is done - - The check that prevents payload from sending in case of authentication - doesn't check properly if the authentication is done or not. +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - They're cases where the proxy respond "200 OK" before sending - authentication challenge. This change takes care of that. + Reported-by: Ricardo Gomes - Fixes #2431 - Closes #3669 + Bug: #3537 + Closes #3836 -- file: fix "Checking if unsigned variable 'readcount' is less than zero." +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - Pointed out by codacy + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. - Closes #3672 + Fixes #3829 + Closes #3835 -- memdebug: log pointer before freeing its data +- OS400/ccsidcurl.c: code style fixes + +- OS400/ccsidcurl: replace use of Curl_vsetopt - Coverity warned for two potentional "Use after free" cases. Both are false - positives because the memory wasn't used, it was only the actual pointer - value that was logged. + (and make the code style comply) - The fix still changes the order of execution to avoid the warnings. + Fixes #3833 + +- urlapi: strip off scope id from numerical IPv6 addresses - Coverity CID 1443033 and 1443034 + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. - Closes #3671 + Also makes curl_url_set() syntax check CURLUPART_HOST. 
+ + Fixes #3817 + Closes #3822 - RELEASE-NOTES: synced -Marcel Raad (12 Mar 2019) -- travis: actually use updated compiler versions - - For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the - new GCC versions were only used for the coverage build and for building - nghttp2, while the new clang version was not used at all. - - BoringSSL needs to use the default GCC as it respects CC, but not CXX, - so it would otherwise pass gcc 8 options to g++ 4.8 and fail. - - Also remove GCC 7, it's not needed anymore. +- multiif.h: remove unused protos - Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. - Closes https://github.com/curl/curl/pull/3670 + Closes #3828 -- travis: update clang to version 7 +- [Yiming Jing brought this change] + + travis: mesalink: temporarily disable test 3001 - Closes https://github.com/curl/curl/pull/3670 + ... due to SHA-1 signatures in test certs -Jay Satiro (11 Mar 2019) -- [Andre Guibert de Bruet brought this change] +- [Yiming Jing brought this change] - examples/externalsocket: add missing close socket calls - - .. and for Windows also call WSACleanup since we call WSAStartup. - - The example is to demonstrate handling the socket independently of - libcurl. In this case libcurl is not responsible for creating, opening - or closing the socket, it is handled by the application (our example). + travis: upgrade the MesaLink TLS backend to v1.0.0 - Fixes https://github.com/curl/curl/pull/3663 + Closes #3823 + Closes #3776 -Daniel Stenberg (11 Mar 2019) -- multi: removed unused code for request retries +- ConnectionExists: improve non-multiplexing use case - This code was once used for the non multi-interface using code path, but - ever since easy_perform was turned into a wrapper around the multi - interface, this code path never runs. 
+ - better log output - Closes #3666 + - make sure multiplex is enabled for it to be used -Jay Satiro (11 Mar 2019) -- doh: inherit some SSL options from user's easy handle - - - Inherit SSL options for the doh handle but not SSL client certs, - SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, - SSL pinned public key, SSL ciphers, SSL id cache setting, - SSL kerberos or SSL gss-api settings. - - - Fix inheritance of verbose setting. - - - Inherit NOSIGNAL. - - There is no way for the user to set options for the doh (DNS-over-HTTPS) - handles and instead we inherit some options from the user's easy handle. - - My thinking for the SSL options not inherited is they are most likely - not intended by the user for the DOH transfer. I did inherit insecure - because I think that should still be in control of the user. - - Prior to this change doh did not work for me because CAINFO was not - inherited. Also verbose was set always which AFAICT was a bug (#3660). +- multi: provide Curl_multiuse_state to update information - Fixes https://github.com/curl/curl/issues/3660 - Closes https://github.com/curl/curl/pull/3661 + As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. -Daniel Stenberg (9 Mar 2019) -- test331: verify set-cookie for dotless host name +- process_pending_handles: mark queued transfers as previously pending - Reproduced bug #3649 - Closes #3659 + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. 
-- Revert "cookies: extend domain checks to non psl builds" - - This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. +- http: mark bundle as not for multiuse on < HTTP/2 response - Regression shipped in 7.64.0 - Fixes #3649 + Fixes #3813 + Closes #3815 -- memdebug: make debug-specific functions use curl_dbg_ prefix +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref - To not "collide" or use up the regular curl_ name space. Also makes them - easier to detect in helper scripts. + In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. - Closes #3656 + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg -- cmdline-opts/proxytunnel.d: the option tunnnels all protocols - - Clarify the language and simplify. - - Reported-by: Daniel Lublin - Closes #3658 +Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings -- KNOWN_BUGS: Client cert (MTLS) issues with Schannel +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init - Closes #3145 - -- ROADMAP: updated to some more current things to work on - -- tests: fix multiple may be used uninitialized warnings + Closes #3808 -- RELEASE-NOTES: synced +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] -- source: fix two 'nread' may be used uninitialized warnings - - Both seem to be false positives but we don't like warnings. + docs: minor polish to the bug bounty / security docs - Closes #3646 + Closes #3811 -- gopher: remove check for path == NULL +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - Since it can't be NULL and it makes Coverity believe we lack proper NULL - checks. Verified by test 659, landed in commit 15401fa886b. 
+ This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). - Pointed out by Coverity CID 1442746. - - Assisted-by: Dan Fandrich - Fixes #3617 - Closes #3642 - -- examples: only include - - That's the only public curl header we should encourage use of. - - Reviewed-by: Marcel Raad - Closes #3645 - -- ssh: loop the state machine if not done and not blocking + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. - If the state machine isn't complete, didn't fail and it didn't return - due to blocking it can just as well loop again. + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. - This addresses the problem with SFTP directory listings where we would - otherwise return back to the parent and as the multi state machine - doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the - doing phase isn't complete, it would return out when in reality there - was more data to deal with. + Test 1559 verifies. - Fixes #3506 - Closes #3644 + Closes #3805 -Jay Satiro (5 Mar 2019) -- multi: support verbose conncache closure handle - - - Change closure handle to receive verbose setting from the easy handle - most recently added via curl_multi_add_handle. - - The closure handle is a special easy handle used for closing cached - connections. It receives limited settings from the easy handle most - recently added to the multi handle. Prior to this change that did not - include verbose which was a problem because on connection shutdown - verbose mode was not acknowledged. 
- - Ref: https://github.com/curl/curl/pull/3598 - - Co-authored-by: Daniel Stenberg - - Closes https://github.com/curl/curl/pull/3618 +- [Tseng Jun brought this change] -Daniel Stenberg (4 Mar 2019) -- CURLU: fix NULL dereference when used over proxy - - Test 659 verifies - - Also fixed the test 658 name + curlver.h: use parenthesis in CURL_VERSION_BITS macro - Closes #3641 + Closes #3809 -- altsvc_out: check the return code from Curl_gmtime - - Pointed out by Coverity, CID 1442956. - - Closes #3640 +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] -- docs/ALTSVC.md: docs describing the approach + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP - Closes #3498 + Closes https://github.com/curl/curl/pull/3769 -- alt-svc: add a travis build +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 -- alt-svc: add test 355 and 356 to verify with command line curl +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 + + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. -- alt-svc: the curl command line bits +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item + + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. -- alt-svc: the libcurl bits +- [Aron Bergman brought this change] -- travis: add build using gnutls + INTERNALS: Add structs to ToC - Closes #3637 - -- RELEASE-NOTES: synced + Add the subsections under "Structs in libcurl" to the table of contents. 
+ + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -- [Simon Legner brought this change] +- [Aron Bergman brought this change] - scripts/completion.pl: also generate fish completion file + INTERNALS: Add code highlighting - This is the renamed script formerly known as zsh.pl + Make all struct members under the Curl_handler section + print in monospace font. - Closes #3545 + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -- gnutls: remove call to deprecated gnutls_compression_get_name +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] - It has been deprecated by GnuTLS since a year ago and now causes build - warnings. + Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. - Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f - Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + Assisted-by: Daniel Gustafsson - Closes #3636 + Closes #3488 -Jay Satiro (2 Mar 2019) -- system_win32: move win32_init here from easy.c +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - .. since system_win32 is a more appropriate location for the functions - and to extern the globals. + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. + +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] + + memdebug: fix variable name - Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 - Reported-by: Gisle Vanem + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. 
- Closes https://github.com/curl/curl/pull/3625 + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 -Daniel Stenberg (1 Mar 2019) -- curl_easy_duphandle.3: clarify that a duped handle has no shares - - Reported-by: Sara Golemon +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty - Fixes #3592 - Closes #3634 + Follow up to 762a292f. -- 10-at-a-time.c: fix too long line +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] -- [Arnaud Rebillout brought this change] +- RELEASE-NOTES: synced - examples: various fixes in ephiperfifo.c +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - The main change here is the timer value that was wrong, it was given in - usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * - 1000). This resulted in the callback being invoked WAY TOO OFTEN. + ... and disconnect too old ones instead of trying to reuse. - As a quick check you can run this command before and after applying this - commit: + Default max age is set to 118 seconds. - # shell 1 - ./ephiperfifo 2>&1 | tee ephiperfifo.log - # shell 2 - echo http://hacking.elboulangero.com > hiper.fifo + Ref: #3722 + Closes #3782 + +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] + + altsvc: Fix building with cookies disables - Then just compare the size of the logs files. + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. Fix by splitting out the function into a separate file which can + be included where needed. - Closes #3633 - Fixes #3632 - 
Signed-off-by: Arnaud Rebillout + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad -- urldata: simplify bytecounters - - - no need to have them protocol specific +Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] + +- test660: verify CONNECT_ONLY with IMAP - - no need to set pointers to them with the Curl_setup_transfer() call + which basically just makes sure LOGOUT is *not* issued on disconnect + +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - - make Curl_setup_transfer() operate on a transfer pointer, not - connection + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. - - switch some counters from long to the more proper curl_off_t type + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html - Closes #3627 + Closes #3795 -- examples/10-at-a-time.c: improve readability and simplify +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) - - use better variable names to explain their purposes - - convert logic to curl_multi_wait() + The list of names must be in sync with the defined states in the header + file! -- threaded-resolver: shutdown the resolver thread without error message - - When a transfer is done, the resolver thread will be brought down. That - could accidentally generate an error message in the error buffer even - though this is not an error situationand the transfer would still return - OK. An application that still reads the error buffer could find a - "Could not resolve host: [host name]" message there and get confused. 
+Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them + +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it - Reported-by: Michael Schmid - Fixes #3629 - Closes #3630 + Fixes #3768 + Closes #3785 -- [Ԝеѕ brought this change] +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry - docs: update max-redirs.d phrasing - - clarify redir - "in absurdum" doesn't seem to make sense in this context - - Closes #3631 +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced -- ssh: fix Condition '!status' is always true +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match - in the same sftp_done function in both SSH backends. Simplify them - somewhat. + .. because functionality may be affected if the versions differ. - Pointed out by Codacy. + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". - Closes #3628 + Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + + Closes https://github.com/curl/curl/pull/3774 -- test578: make it read data from the correct test +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d -- Curl_easy: remove req.maxfd - never used! +- md5: Forgot to update the code alignment in d84da52d + +- md5: Return CURLcode from the internally accessible functions - Introduced in 8b6314ccfb, but not used anymore in current code. Unclear - since when. + Following 28f826b3 to return CURLE_OK instead of numeric 0. + +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests - Closes #3626 + Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. 
+ Below is an excerpt from the autobuild logs: + + ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) + + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg -- http: set state.infilesize when sending formposts +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial - Without it set, we would unwillingly triger the "HTTP error before end - of send, stop sending" condition even if the entire POST body had been - sent (since it wouldn't know the expected size) which would - unnecessarily log that message and close the connection when it didn't - have to. + No need to build it from source anymore. - Reported-by: Matt McClure - Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html - Closes #3624 + Closes https://github.com/curl/curl/pull/3779 -- INSTALL: refer to the current TLS library names and configure options +- travis: use libpsl from Xenial + + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. + + Closes https://github.com/curl/curl/pull/3779 -- FAQ: minor updates and spelling fixes +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers + + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. 
+ + Closes #3781 -- GOVERNANCE.md: minor spelling fixes +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos + + Reviewed-by: Daniel Stenberg -- Secure Transport: no more "darwinssl" +- socksd: Properly decorate static variables - Everyone calls it Secure Transport, now we do too. + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. - Reviewed-by: Nick Zitzmann + Closes #3778 + Reviewed-by: Daniel Stenberg + +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code - Closes #3619 + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. Checked + the indentation of the original source so it aligns, albeit, using + curl style. -Marcel Raad (27 Feb 2019) -- AppVeyor: add classic MinGW build +- md5: Code style to return CURLE_OK rather than numeric 0 + +- md5: Corrected code style for some pointer arguments + +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial - But use the MSYS2 shell rather than the default MSYS shell because of - POSIX path conversion issues. Classic MinGW is only available on the - Visual Studio 2015 image. + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. - Closes https://github.com/curl/curl/pull/3623 + Closes https://github.com/curl/curl/pull/3777 -- AppVeyor: add MinGW-w64 build - - Add a MinGW-w64 build using CMake's MSYS Makefiles generator. - Use the Visual Studio 2015 image as it has GCC 8, while the - Visual Studio 2017 image only has GCC 7.2. +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS - Closes https://github.com/curl/curl/pull/3623 + Make all SOCKS tests use socksd instead of ssh. 
-Daniel Stenberg (27 Feb 2019) -- cookies: only save the cookie file if the engine is enabled +- socksd: new SOCKS 4+5 server for tests - Follow-up to 8eddb8f4259. + Closes #3752 + +- singleipconnect: show port in the verbose "Trying ..." message - If the cookieinfo pointer is NULL there really is nothing to save. + To aid debugging better. + +- [tmilburn brought this change] + + CURLOPT_ADDRESS_SCOPE: fix range check and more - Without this fix, we got a problem when a handle was using shared object - with cookies and is told to "FLUSH" it to file (which worked) and then - the share object was removed and when the easy handle was closed just - afterwards it has no cookieinfo and no cookies so it decided to save an - empty jar (overwriting the file just flushed). + Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. - Test 1905 now verifies that this works. + I have fixed the documentation so it all refers to scope ids. - Assisted-by: Michael Wallner - Assisted-by: Marcel Raad + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. - Closes #3621 - -- [DaVieS brought this change] - - cacertinmem.c: use multiple certificates for loading CA-chain + Adjusted-by: Daniel Stenberg - Closes #3421 + Closes #3655 + Closes #3765 + Fixes #3713 -- urldata: convert bools to bitfields and move to end +- urlapi: stricter CURLUPART_PORT parsing - This allows the compiler to pack and align the structs better in - memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 - makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. + Only allow well formed decimal numbers in the input. - Removed an unused struct field. + Document that the number MUST be between 1 and 65535. - No functionality changes. + Add tests to test 1560 to verify the above. 
- Closes #3610 + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 -- [Don J Olmstead brought this change] +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] - curl.h: use __has_declspec_attribute for shared builds + winbuild: Support MultiSSL builds - Closes #3616 - -- curl: display --version features sorted alphabetically + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. - Closes #3611 + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. + + Closes https://github.com/curl/curl/pull/3772 -- runtests: detect "schannel" as an alias for "winssl" +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) - Follow-up to 180501cb02 + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. - Reported-by: Marcel Raad - Fixes #3609 - Closes #3620 + Closes #3767 -Marcel Raad (26 Feb 2019) -- AppVeyor: update to Visual Studio 2017 +- openssl: mark connection for close on TLS close_notify - Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a - moving target anymore as the last update, Update 9, has been released. + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. - Closes https://github.com/curl/curl/pull/3606 + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 -- AppVeyor: switch VS 2015 builds to VS 2017 image +- RELEASE-NOTES: synced + +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. 
- Closes https://github.com/curl/curl/pull/3606 + Closes #3757 -- AppVeyor: explicitly select worker image - - Currently, we're using the default Visual Studio 2015 image for - everything. +Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - Closes https://github.com/curl/curl/pull/3606 + Based-on-code-by: Poul T Lomholt -Daniel Stenberg (26 Feb 2019) -- strerror: make the strerror function use local buffers +- url: always clone the CUROPT_CURLU handle - Instead of using a fixed 256 byte buffer in the connectdata struct. + Since a few code paths actually update that data. - In my build, this reduces the size of the connectdata struct by 11.8%, - from 2160 to 1904 bytes with no functionality or performance loss. + Fixes #3753 + Closes #3761 - This also fixes a bug in schannel's Curl_verify_certificate where it - called Curl_sspi_strerror when it should have called Curl_strerror for - string from GetLastError. the only effect would have been no text or the - wrong text being shown for the error. + Reported-by: Poul T Lomholt + +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - Co-authored-by: Jay Satiro + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. - Closes #3612 - -- [Michael Wallner brought this change] + Closes #3654 - cookies: fix NULL dereference if flushing cookies with no CookieInfo set +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build - Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + Reduces the time needed for the other jobs a little. - Closes #3613 + Closes https://github.com/curl/curl/pull/3721 -Marcel Raad (26 Feb 2019) -- AppVeyor: re-enable test 500 +- travis: install libnss3-dev only for --with-nss build - It's passing now. + Reduces the time needed for the other jobs a little. 
- Closes https://github.com/curl/curl/pull/3615 + Closes https://github.com/curl/curl/pull/3721 -- AppVeyor: remove redundant builds +- travis: install libssh2-dev only for --with-libssh2 build - Remove the Visual Studio 2012 and 2013 builds as they add little value. + Reduces the time needed for the other jobs a little. - Ref: https://github.com/curl/curl/pull/3606 - Closes https://github.com/curl/curl/pull/3614 + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (25 Feb 2019) -- RELEASE-NOTES: synced - -- [Bernd Mueller brought this change] - - OpenSSL: add support for TLS ASYNC state +- travis: install libssh-dev only for --with-libssh build - Closes #3591 - -Jay Satiro (25 Feb 2019) -- [Michael Felt brought this change] + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 - acinclude: add additional libraries to check for LDAP support +- travis: install krb5-user only for --with-gssapi build - - Add an additional check for LDAP that also checks for OpenSSL since - on AIX those libraries may be required to link LDAP properly. + Reduces the time needed for the other jobs a little. - Fixes https://github.com/curl/curl/issues/3595 - Closes https://github.com/curl/curl/pull/3596 - -- [georgeok brought this change] + Closes https://github.com/curl/curl/pull/3721 - schannel: support CALG_ECDH_EPHEM algorithm +- travis: install lcov only for the coverage job - Add support for Ephemeral elliptic curve Diffie-Hellman key exchange - algorithm option when selecting ciphers. This became available on the - Win10 SDK. + Reduces the time needed for the other jobs a little. 
- Closes https://github.com/curl/curl/pull/3608 + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (24 Feb 2019) -- multi: call multi_done on connect timeouts +- travis: install clang only when needed - Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get - updated correctly and could end up getting reported to the application - completely wrong (way too small). + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. - Reported-by: accountantM on github - Fixes #3602 - Closes #3605 + Closes https://github.com/curl/curl/pull/3721 -- examples: remove recursive calls to curl_multi_socket_action - - From within the timer callbacks. Recursive is problematic for several - reasons. They should still work, but this way the examples and the - documentation becomes simpler. I don't think we need to encourage - recursive calls. +- AppVeyor: enable testing for WinSSL build - Discussed in #3537 - Closes #3601 + Closes https://github.com/curl/curl/pull/3725 -Marcel Raad (23 Feb 2019) -- configure: remove CURL_CHECK_FUNC_FDOPEN call +- build: fix Codacy/CppCheck warnings - The macro itself has been removed in commit - 11974ac859c5d82def59e837e0db56fef7f6794e. + - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows - Closes https://github.com/curl/curl/pull/3604 + Closes https://github.com/curl/curl/pull/3739 -Daniel Stenberg (23 Feb 2019) -- wolfssl: stop custom-adding curves +- polarssl_threadlock: remove conditionally unused code - since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in - wolfSSL 3.10.2 and later) it sends these curves by default already. + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. 
Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. - Pointed-out-by: David Garske + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. - Closes #3599 + Closes https://github.com/curl/curl/pull/3739 -- configure: remove the unused fdopen macro +- lib557: initialize variables - and the two remaining #ifdefs for it + These variables are only conditionally initialized. - Closes #3600 + Closes https://github.com/curl/curl/pull/3739 -Jay Satiro (22 Feb 2019) -- url: change conn shutdown order to unlink data as last step - - - Split off connection shutdown procedure from Curl_disconnect into new - function conn_shutdown. - - - Change the shutdown procedure to close the sockets before - disassociating the transfer. +- lib509: add missing include for strdup - Prior to this change the sockets were closed after disassociating the - transfer so SOCKETFUNCTION wasn't called since the transfer was already - disassociated. That likely came about from recent work started in - Jan 2019 (#3442) to separate transfers from connections. + Closes https://github.com/curl/curl/pull/3739 + +- README.md: fix no-consecutive-blank-lines Codacy warning - Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html - Reported-by: Pavel Löbl + Consistently use one blank line between blocks. - Closes https://github.com/curl/curl/issues/3597 - Closes https://github.com/curl/curl/pull/3598 + Closes https://github.com/curl/curl/pull/3739 -Marcel Raad (22 Feb 2019) -- Fix strict-prototypes GCC warning +- tests/server/util: fix Windows Unicode build - As seen in the MinGW autobuilds. Caused by commit - f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. - -Dan Fandrich (21 Feb 2019) -- tests: Fixed XML validation errors in some test files. 
- -Daniel Stenberg (20 Feb 2019) -- TODO: Allow SAN names in HTTP/2 server push + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. - Suggested-by: Nicolas Grekas + Closes https://github.com/curl/curl/pull/3758 -- RELEASE-NOTES: synced +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake -- curl: remove MANUAL from -M output +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms - ... and remove it from the dist tarball. It has served its time, it - barely gets updated anymore and "everything curl" is now convering all - this document once tried to include, and does it more and better. + The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: - In the compressed scenario, this removes ~15K data from the binary, - which is 25% of the -M output. + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 - It remains in the git repo for now for as long as the web site builds a - page using that as source. It renders poorly on the site (especially for - mobile users) so its not even good there. + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. - Closes #3587 + Closes #3759 + Reviewed-by: Daniel Stenberg -- http2: verify :athority in push promise requests - - RFC 7540 says we should verify that the push is for an "authoritative" - server. We make sure of this by only allowing push with an :athority - header that matches the host that was asked for in the URL. 
- - Fixes #3577 - Reported-by: Nicolas Grekas - Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html - Closes #3581 +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS -- singlesocket: fix the 'sincebefore' placement +- README: Schannel, stop calling it "winssl" - The variable wasn't properly reset within the loop and thus could remain - set for sockets that hadn't been set before and miss notifying the app. + Stick to "Schannel" everywhere - follow up to 180501cb. + +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - This is a follow-up to 4c35574 (shipped in curl 7.64.0) + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. - Reported-by: buzo-ffm on github - Detected-by: Jan Alexander Steffens - Fixes #3585 - Closes #3589 + fixes #3743 + closes #3744 -- connection: never reuse CONNECT_ONLY conections +- cmake: avoid linking executable for some tests with cmake 3.6+ - and make CONNECT_ONLY conections never reuse any existing ones either. + With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. - Reported-by: Pavel Löbl - Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html - Closes #3586 - -Patrick Monnerat (19 Feb 2019) -- cli tool: fix mime post with --disable-libcurl-option configure option + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. That issue was fixed separately for all versions. 
- Reported-by: Marcel Raad - Fixes #3576 - Closes #3583 + Ref: #3744 -Daniel Stenberg (19 Feb 2019) -- x509asn1: cleanup and unify code layout +- cmake: minor cleanup - - rename 'n' to buflen in functions, and use size_t for them. Don't pass - in negative buffer lengths. + - Remove nneeded include_regular_expression. + It was setting what is already a default. - - move most function comments to above the function starts like we use - to + - Remove duplicated include. - - remove several unnecessary typecasts (especially of NULL) + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. - Reviewed-by: Patrick Monnerat - Closes #3582 + Ref: #3744 -- curl_multi_remove_handle.3: use at any time, just not from within callbacks - - [ci skip] +Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ -- http: make adding a blank header thread-safe - - Previously the function would edit the provided header in-place when a - semicolon is used to signify an empty header. This made it impossible to - use the same set of custom headers in multiple threads simultaneously. - - This approach now makes a local copy when it needs to edit the string. - - Reported-by: d912e3 on github - Fixes #3578 - Closes #3579 +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) -- unit1651: survive curl_easy_init() fails +- build-openssl.bat: Perform the install for each build type directly after the build -- [Frank Gevaerts brought this change] +- build-openssl.bat: Split the install of static and shared build types - rand: Fix a mismatch between comments in source and header. 
- - Reported-by: Björn Stenberg - Closes #3584 +- build-openssl.bat: Split the building of static and shared build types -Patrick Monnerat (18 Feb 2019) -- x509asn1: replace single char with an array - - Although safe in this context, using a single char as an array may - cause invalid accesses to adjacent memory locations. - - Detected by Coverity. +- build-openssl.bat: Move the installation into a separate function -Daniel Stenberg (18 Feb 2019) -- examples/http2-serverpush: add some sensible error checks - - To avoid NULL pointer dereferences etc in the case of problems. - - Closes #3580 +- build-openssl.bat: Move the build step into a separate function -Jay Satiro (18 Feb 2019) -- easy: fix win32 init to work without CURL_GLOBAL_WIN32 - - - Change the behavior of win32_init so that the required initialization - procedures are not affected by CURL_GLOBAL_WIN32 flag. - - libcurl via curl_global_init supports initializing for win32 with an - optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop - Winsock initialization. It did so internally by skipping win32_init() - when that flag was set. Since then win32_init() has been expanded to - include required initialization routines that are separate from - Winsock and therefore must be called in all cases. This commit fixes - it so that CURL_GLOBAL_WIN32 only controls the optional win32 - initialization (which is Winsock initialization, according to our doc). - - The only users affected by this change are those that don't pass - CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the - risk of a potential crash. 
- - Ref: https://github.com/curl/curl/pull/3573 +- build-openssl.bat: Move the OpenSSL configuration into a separate function + +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised - Fixes https://github.com/curl/curl/issues/3313 - Closes https://github.com/curl/curl/pull/3575 + Should the parent environment set this variable then the build might + not be performed as the user intended. -Daniel Gustafsson (17 Feb 2019) -- cookie: Add support for cookie prefixes +Daniel Stenberg (8 Apr 2019) +- socks: fix error message + +- config.d: clarify that initial : and = might need quoting [skip ci] - The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes - and how they should affect cookie initialization, which has been - adopted by the major browsers. This adds support for the two prefixes - defined, __Host- and __Secure, and updates the testcase with the - supplied examples from the draft. + Fixes #3738 + Closes #3749 + +- RELEASE-NOTES: synced - Closes #3554 - Reviewed-by: Daniel Stenberg + bumped to 7.65.0 for next release -- mbedtls: release sessionid resources on error +- socks5: user name and passwords must be shorter than 256 - If mbedtls_ssl_get_session() fails, it may still have allocated - memory that needs to be freed to avoid leaking. Call the library - API function to release session resources on this errorpath as - well as on Curl_ssl_addsessionid() errors. + bytes... since the protocol needs to store the length in a single byte field. - Closes: #3574 - Reported-by: Michał Antoniak - Reviewed-by: Daniel Stenberg + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 -Patrick Monnerat (16 Feb 2019) -- cli tool: refactor encoding conversion sequence for switch case fallthrough. 
+- [Jakub Zakrzewski brought this change] -- version.c: silent scan-build even when librtmp is not enabled + test: urlapi: urlencode characters above 0x7f correctly -Daniel Stenberg (15 Feb 2019) -- RELEASE-NOTES: synced +- [Jakub Zakrzewski brought this change] -- Curl_now: figure out windows version in win32_init + urlapi: urlencode characters above 0x7f correctly - ... and avoid use of static variables that aren't thread safe. + fixes #3741 + Closes #3742 + +- [Even Rouault brought this change] + + multi_runsingle(): fix use-after-free - Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + Fixes #3745 + Closes #3746 - Reported-by: Paul Groke - Fixes #3572 - Closes #3573 - -Marcel Raad (15 Feb 2019) -- unit1307: just fail without FTP support + The following snippet + ``` - I missed to check this in with commit - 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. - This fixes the actual linker error. + int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning - Closes https://github.com/curl/curl/pull/3568 - -Daniel Stenberg (15 Feb 2019) -- travis: enable valgrind for the iconv tests too + ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free 
(vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` - Closes #3571 - -- travis: add scan-build + This has been bisected to commit 2f44e94 - Closes #3564 + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz -- examples/sftpuploadresume: Value stored to 'result' is never read +- pipelining: removed - Detected by scan-build - -- examples/http2-upload: cleaned up + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. - Fix scan-build warnings, no globals, no silly handle scan. Also remove - handles from the multi before cleaning up. + Closes #3651 -- examples/http2-download: cleaned up - - To avoid scan-build warnings and global variables. 
+- [cclauss brought this change] -- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' + tests: make Impacket (SMB server) Python 3 compatible - Detected by scan-build + Closes #3731 + Fixes #3289 -- examples/httpcustomheader: Value stored to 'res' is never read - - Detected by scan-build +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] -- examples: remove superfluous null-pointer checks - - in ftpget, ftpsget and sftpget, so that scan-build stops warning for - potential NULL pointer dereference below! + cmake: set SSL_BACKENDS - Detected by scan-build - -- strip_trailing_dot: make sure NULL is never used for strlen + This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac - scan-build warning: Null pointer passed as an argument to a 'nonnull' - parameter + Closes https://github.com/curl/curl/pull/3736 -- [Jay Satiro brought this change] +- [Simon Warta brought this change] - connection_check: restore original conn->data after the check + cmake: don't run SORT on empty list - - Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." - This is a follow-up to 38d8e1b 2019-02-11. + Closes https://github.com/curl/curl/pull/3736 + +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] + + configure: fix default location for fish completions - History: + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). 
- It was discovered a month ago that before checking whether to extract a - dead connection that that connection should be associated with a "live" - transfer for the check (ie original conn->data ignored and set to the - passed in data). A fix was landed in 54b201b which did that and also - cleared conn->data after the check. The original conn->data was not - restored, so presumably it was thought that a valid conn->data was no - longer needed. + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. - Several days later it was discovered that a valid conn->data was needed - after the check and follow-up fix was landed in bbae24c which partially - reverted the original fix and attempted to limit the scope of when - conn->data was changed to only when pruning dead connections. In that - case conn->data was not cleared and the original conn->data not - restored. + Closes #3723 + Reviewed-by: Daniel Gustafsson + +Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" - A month later it was discovered that the original fix was somewhat - correct; a "live" transfer is needed for the check in all cases - because original conn->data could be null which could cause a bad deref - at arbitrary points in the check. A fix was landed in 38d8e1b which - expanded the scope to all cases. conn->data was not cleared and the - original conn->data not restored. + Removing the block is consistent with line 954/957. - A day later it was discovered that not restoring the original conn->data - may lead to busy loops in applications that use the event interface, and - given this observation it's a pretty safe assumption that there is some - code path that still needs the original conn->data. This commit is the - follow-up fix for that, it restores the original conn->data after the - connection check. 
+ Closes https://github.com/curl/curl/pull/3732 + +- transfer: fix LGTM alert "Comparison is always true" - Assisted-by: tholin@users.noreply.github.com - Reported-by: tholin@users.noreply.github.com + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. - Fixes https://github.com/curl/curl/issues/3542 - Closes #3559 + Closes https://github.com/curl/curl/pull/3732 -- memdebug: bring back curl_mark_sclose +Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] + + smtp: fix compiler warning - Used by debug builds with NSS. + - Fix clang string-plus-int warning. - Reverted from 05b100aee247bb - -Patrick Monnerat (14 Feb 2019) -- transfer.c: do not compute length of undefined hex buffer. + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. - On non-ascii platforms, the chunked hex header was measured for char code - conversion length, even for chunked trailers that do not have an hex header. - In addition, the efective length is already known: use it. - Since the hex length can be zero, only convert if needed. + (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) - Reported by valgrind. - -Daniel Stenberg (14 Feb 2019) -- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP + smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ - Closes #2367 + Closes https://github.com/curl/curl/pull/3729 -Patrick Monnerat (14 Feb 2019) -- x509asn1: "Dereference of null pointer" +Marcel Raad (4 Apr 2019) +- VS projects: use Unicode for VC10+ - Detected by scan-build (false positive). 
- -Daniel Stenberg (14 Feb 2019) -- configure: show features as well in the final summary + All Windows APIs have been natively UTF-16 since Windows 2000 and the + non-Unicode variants are just wrappers around them. Only Windows 9x + doesn't understand Unicode without the UnicoWS DLL. As later Visual + Studio versions cannot target Windows 9x anyway, using the ANSI API + doesn't really have any benefit there. - Closes #3569 - -- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 + This avoids issues like KNOWN_BUGS 6.5. - Closes #2905 + Ref: https://github.com/curl/curl/issues/2120 + Closes https://github.com/curl/curl/pull/3720 -- KNOWN_BUGS: Deflate error after all content was received +Daniel Gustafsson (3 Apr 2019) +- RELEASE-NOTES: synced - Closes #2719 + Bump the version in progress to 7.64.2, if we merge any "change" + before the cut-off date we can update the version. -- gssapi: fix deprecated header warnings - - Heimdal includes on FreeBSD spewed out lots of them. Less so now. - - Closes #3566 +- [Tim Rühsen brought this change] -- TODO: Upgrade to websockets + documentation: Fix several typos - Closes #3523 + Closes #3724 + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Daniel Gustafsson -- TODO: cmake test suite improvements - - Closes #3109 +Jay Satiro (2 Apr 2019) +- [Mert Yazıcıoğlu brought this change] -Patrick Monnerat (13 Feb 2019) -- curl: "Dereference of null pointer" + vauth/oauth2: Fix OAUTHBEARER token generation - Rephrase to satisfy scan-build. - -Marcel Raad (13 Feb 2019) -- unit1307: require FTP support + OAUTHBEARER tokens were incorrectly generated in a format similar to + XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the + RFC7628. - This test doesn't link without FTP support after - fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch - unavailable without FTP support. 
+ Fixes: #2487 + Reported-by: Paolo Mossino - Closes https://github.com/curl/curl/pull/3565 + Closes https://github.com/curl/curl/pull/3377 -Daniel Stenberg (13 Feb 2019) -- TODO: TFO support on Windows +Marcel Raad (2 Apr 2019) +- tool_cb_wrt: fix bad-function-cast warning - Nobody works on this now. + Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the + warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. + Extend fhnd's scope and reuse that variable instead of calling + _get_osfhandle a second time to fix the warning again. - Closes #3378 + Closes https://github.com/curl/curl/pull/3718 -- multi: Dereference of null pointer - - Mostly a false positive, but this makes the code easier to read anyway. - - Detected by scan-build. +- VC15 project: remove MinimalRebuild - Closes #3563 + Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the + library project, but I forgot the tool project template. Now also + removed for that. -- urlglob: Argument with 'nonnull' attribute passed null +Dan Fandrich (1 Apr 2019) +- cirrus: Customize the disabled tests per FreeBSD version - Detected by scan-build. + Try to run as many test cases as possible on each OS version. + 12.0 passes 13 more tests than the older versions, so we might as well + run them. -Jay Satiro (12 Feb 2019) -- schannel: restore some debug output but only for debug builds - - Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy - debug output in DEBUGF but omitted a few lines. +Daniel Stenberg (1 Apr 2019) +- tool_help: include for strcasecmp - Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 + Reported-by: Wyatt O'Day + Fixes #3715 + Closes #3716 -- examples/crawler: Fix the Accept-Encoding setting - - - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default - supported encodings. - - Prior to this change the specific encodings of gzip and deflate were set - but there's no guarantee they'd be supported by the user's libcurl. 
+Daniel Gustafsson (31 Mar 2019) +- scripts: fix typos -Daniel Stenberg (12 Feb 2019) -- mime: put the boundary buffer into the curl_mime struct +Dan Fandrich (28 Mar 2019) +- travis: allow builds on branches named "ci" - ... instead of allocating it separately and point to it. It is - fixed-size and always used for each part. + This allows a way to test changes other than through PRs. + +Daniel Stenberg (27 Mar 2019) +- [Brad Spencer brought this change] + + resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - Closes #3561 + Closes #3699 -- schannel: be quiet +- multi: improved HTTP_1_1_REQUIRED handling - Convert numerous infof() calls into debug-build only messages since they - are annoyingly verbose for regular applications. Removed a few. + Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error + on first flight. - Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html - Reported-by: Volker Schmid - Closes #3552 + Reported-by: niner on github + Fixes #3696 + Closes #3707 -- [Romain Geissler brought this change] +- [Leonardo Taccari brought this change] - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning + configure: avoid unportable `==' test(1) operator - Closes #3562 + Closes #3709 -- http2: multi_connchanged() moved from multi.c, only used for h2 - - Closes #3557 +Version 7.64.1 (27 Mar 2019) -- curl: "Function call argument is an uninitialized value" - - Follow-up to cac0e4a6ad14b42471eb - - Detected by scan-build - Closes #3560 +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 -- pretransfer: don't strlen() POSTFIELDS set for GET requests +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - ... since that data won't be used in the request anyway. + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - Fixes #3548 - Reported-by: Renaud Allard - Close #3549 + Fixes #3708 -- multi: remove verbose "Expire in" ... 
messages - - Reported-by: James Brown - Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html - Closes #3558 +- [Christian Schmitz brought this change] -- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - Reported-by: MAntoniak on github - Fixes #3553 - Closes #3556 + Closes #3704 -Daniel Gustafsson (12 Feb 2019) -- non-ascii.c: fix typos in comments +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL - Fix two occurrences of s/convers/converts/ spotted while reading code. - -Daniel Stenberg (12 Feb 2019) -- fnmatch: disable if FTP is disabled + - Improve console detection. - Closes #3551 + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. + + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem -- curl_path: only enabled for SSH builds +- CURLMOPT_PIPELINING.3: fix typo -- [Frank Gevaerts brought this change] +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing + + Closes #3698 - tests: add stderr comparison to the test suite +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental - The code is more or less copied from the stdout comparison code, maybe - some better reuse is possible. + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. 
- test 1457 is adjusted to make the output actually match (by using --silent) - test 506 used without actually needing it, so that block is removed + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html - Closes #3536 + Closes https://github.com/curl/curl/pull/3688 -Patrick Monnerat (11 Feb 2019) -- cli tool: do not use mime.h private structures. - - Option -F generates an intermediate representation of the mime structure - that is used later to create the libcurl mime structure and generate - the --libcurl statements. +Dan Fandrich (24 Mar 2019) +- tests: Fixed XML validation errors in some test files. + +- tests: Fix some incorrect precheck error messages. - Reported-by: Daniel Stenberg - Fixes #3532 - Closes #3546 + [ci skip] -Daniel Stenberg (11 Feb 2019) -- curlver: bump to 7.64.1-dev +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore -- RELEASE-NOTES: synced +- travis: bump the used wolfSSL version to 4.0.0 - and bump the version in progress to 7.64.1. If we merge any "change" - before the cut-off date, we update again. - -Daniel Gustafsson (11 Feb 2019) -- curl: follow-up to 3f16990ec84 + Test 311 is now fine, leaving only 313 (CRL) disabled. - Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was - inadvertently introducing a new bug in the ternary expression. + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 - Close #3555 - Reviewed-by: Daniel Stenberg + Closes #3697 -- dns: release sharelock as soon as possible +Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments + +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too - There is no benefit to holding the data sharelock when freeing the - addrinfo in case it fails, so ensure releaseing it as soon as we can - rather than holding on to it. This also aligns the code with other - consumers of sharelocks. 
+ Fixes #3692 + Closes #3692 + +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support - Closes #3516 - Reviewed-by: Daniel Stenberg + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 -Daniel Stenberg (11 Feb 2019) -- curl: follow-up to b49652ac66cc0 +- test1541: threaded connection sharing - On FreeBSD, return non-zero on error otherwise zero. + The threaded-shared-conn.c example turned into test case. Only works if + pthread was detected. - Reported-by: Marcel Raad - -- multi: (void)-prefix when ignoring return values + An attempt to detect future regressions such as e3a53e3efb942a5 - ... and added braces to two function calls which fixes warnings if they - are replace by empty macros at build-time. + Closes #3687 -- curl: fix FreeBSD compiler warning in the --xattr code +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. - Closes #3550 + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. -- connection_check: set ->data to the transfer doing the check +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it - The http2 code for connection checking needs a transfer to use. Make - sure a working one is set before handler->connection_check() is called. + - make sure an already "owned" connection isn't returned unless + multiplexed. 
- Reported-by: jnbr on github - Fixes #3541 - Closes #3547 - -- hostip: make create_hostcache_id avoid alloc + free + - clear ->data when returning the connection to the cache again - Closes #3544 + Regression since 7.62.0 (probably in commit 1b76c38904f0) + + Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + + Closes #3686 -- scripts/singleuse: script to use to track single-use functions +- RELEASE-NOTES: synced + +- [Chris Young brought this change] + + configure: add --with-amissl - That is functions that are declared global but are not used from outside - of the file in which it is declared. Such functions should be made - static or even at times be removed. + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. - It also verifies that all used curl_ prefixed functions are "blessed" + Closes #3677 + +- [Chris Young brought this change] + + vtls: rename some of the SSL functions - Closes #3538 + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. -- cleanup: make local functions static +- [Chris Young brought this change] + + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" - urlapi: turn three local-only functions into statics + ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. 
- conncache: make conncache_find_first_connection static + Closes #3681 + +- curl.1: --user and --proxy-user are hidden from ps output - multi: make detach_connnection static + Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 - connect: make getaddressinfo static + Closes #3683 + +- curl.1: mark the argument to --cookie as - curl_ntlm_core: make hmac_md5 static + From a discussion in #3676 - http2: make two functions static + Suggested-by: Tim Rühsen - http: make http_setup_conn static + Closes #3682 + +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. + +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate - connect: make tcpnodelay static + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic - tests: make UNITTEST a thing to mark functions with, so they can be static for - normal builds and non-static for unit test builds + Fixes #1261 + Closes #1975 + +- [Marc 
Schlatter brought this change] + + http: send payload when (proxy) authentication is done - ... and mark Curl_shuffle_addr accordingly. + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. - url: make up_free static + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. - setopt: make vsetopt static + Fixes #2431 + Closes #3669 + +- file: fix "Checking if unsigned variable 'readcount' is less than zero." - curl_endian: make write32_le static + Pointed out by codacy - rtsp: make rtsp_connisdead static + Closes #3672 + +- memdebug: log pointer before freeing its data - warnless: remove unused functions + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. - memdebug: remove one unused function, made another static - -Dan Fandrich (10 Feb 2019) -- cirrus: Added FreeBSD builds using Cirrus CI. + The fix still changes the order of execution to avoid the warnings. - The build logs will be at https://cirrus-ci.com/github/curl/curl + Coverity CID 1443033 and 1443034 - Some tests are currently failing and so disabled for now. The SSH server - isn't starting for the SSH tests due to unsupported options used in its - config file. The DICT server also is failing on startup. + Closes #3671 -Daniel Stenberg (9 Feb 2019) -- url/idnconvert: remove scan for <= 32 ascii values +- RELEASE-NOTES: synced + +Marcel Raad (12 Mar 2019) +- travis: actually use updated compiler versions - The check was added back in fa939220df before the URL parser would catch - these problems and therefore these will never trigger now. 
+ For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the + new GCC versions were only used for the coverage build and for building + nghttp2, while the new clang version was not used at all. - Closes #3539 - -- urlapi: reduce variable scope, remove unreachable 'break' + BoringSSL needs to use the default GCC as it respects CC, but not CXX, + so it would otherwise pass gcc 8 options to g++ 4.8 and fail. - Both nits pointed out by codacy.com + Also remove GCC 7, it's not needed anymore. - Closes #3540 + Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + + Closes https://github.com/curl/curl/pull/3670 -Alessandro Ghedini (7 Feb 2019) -- zsh.pl: escape ':' character +- travis: update clang to version 7 - ':' is interpreted as separator by zsh, so if used as part of the argument - or option's description it needs to be escaped. + Closes https://github.com/curl/curl/pull/3670 + +Jay Satiro (11 Mar 2019) +- [Andre Guibert de Bruet brought this change] + + examples/externalsocket: add missing close socket calls - The problem can be reproduced as follows: + .. and for Windows also call WSACleanup since we call WSAStartup. - % curl --reso - % curl -E + The example is to demonstrate handling the socket independently of + libcurl. In this case libcurl is not responsible for creating, opening + or closing the socket, it is handled by the application (our example). - Bug: https://bugs.debian.org/921452 + Fixes https://github.com/curl/curl/pull/3663 -- zsh.pl: update regex to better match curl -h output +Daniel Stenberg (11 Mar 2019) +- multi: removed unused code for request retries - The current regex fails to match '<...>' arguments properly (e.g. those - with spaces in them), which causes an completion script with wrong - descriptions for some options. 
+ This code was once used for the non multi-interface using code path, but + ever since easy_perform was turned into a wrapper around the multi + interface, this code path never runs. - Here's a diff of the generated completion script, comparing the previous - version to the one with this fix: + Closes #3666 + +Jay Satiro (11 Mar 2019) +- doh: inherit some SSL options from user's easy handle - --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 - +++ _curl 2019-02-05 20:57:29.453349040 +0000 - 
@@ -9,48 +9,48 @@ + - Inherit SSL options for the doh handle but not SSL client certs, + SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, + SSL pinned public key, SSL ciphers, SSL id cache setting, + SSL kerberos or SSL gss-api settings. - _arguments -C -S \ - --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ - + --resolve'[Resolve the host+port to this address]':'' \ - {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ - {-D,--dump-header}'[Write the received headers to ]':'':_files \ - {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ - --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ - {-E,--cert}'[Client certificate file and password]':'' \ - --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ - --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ - --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ - --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ - + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ - --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ - --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ - + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ - --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ - + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ - {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ - --socks5-hostname'[SOCKS5 proxy, pass host 
name to proxy]':'' \ - --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ - --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ - --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ - - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ - {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ - --local-port'[Force use of RANGE for local port numbers]':'' \ - --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ - {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - - --location-trusted'[--location, and send auth to other hosts]':'Like' \ - + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ - --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ - {-O,--remote-name}'[Write output to a file named as the remote file]' \ - + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ - + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ - --trace-ascii'[Like --trace, but without hex output]':'':_files \ - --connect-timeout'[Maximum time allowed for connection]':'' \ - --expect100-timeout'[How long to wait for 100-continue]':'' \ - {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ - + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ - {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ - --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ - --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - - --ignore-content-length'[the size of the remote resource]':'Ignore' \ - {-k,--insecure}'[Allow insecure server connections when using SSL]' \ - + --location-trusted'[Like --location, and send auth to other hosts]' \ - --mail-auth'[Originator address of the original email]':'
' \ - --noproxy'[List of hosts which do not use proxy]':'' \ - --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ - @@ -62,18 +62,19 @@ - --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ - --cacert'[CA certificate to verify peer against]':'':_files \ - {-H,--header}'[Pass custom header(s) to server]':'
' \ - + --ignore-content-length'[Ignore the size of the remote resource]' \ - {-i,--include}'[Include protocol response headers in the output]' \ - --proxy-header'[Pass custom header(s) to proxy]':'
' \ - --unix-socket'[Connect through this Unix domain socket]':'' \ - {-w,--write-out}'[Use output FORMAT after completion]':'' \ - - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ - {-o,--output}'[Write to file instead of stdout]':'':_files \ - - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ - + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ - --socks4a'[SOCKS4a proxy on given host + port]':'' \ - {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ - {-z,--time-cond}'[Transfer based on a time condition]':'