From 3b96a0dcef3c7e1de852025cfea5a9e56486021c Mon Sep 17 00:00:00 2001 From: dartraiden Date: Sat, 12 Dec 2020 21:52:50 +0300 Subject: libcurl: update to 7.74.0 --- libs/libcurl/docs/CHANGES | 10102 ++++++++++++++++++++++---------------------- libs/libcurl/docs/THANKS | 22 + 2 files changed, 5067 insertions(+), 5057 deletions(-) (limited to 'libs/libcurl/docs') diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index b5bc305951..56859b4993 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES @@ -6,7447 +6,7435 @@ Changelog -Version 7.73.0 (14 Oct 2020) +Version 7.74.0 (9 Dec 2020) -Daniel Stenberg (14 Oct 2020) +Daniel Stenberg (9 Dec 2020) - RELEASE-NOTES: synced - for 7.73.0 + for 7.74.0 -- THANKS: from 7.73.0 and .mailmap fixes +Jay Satiro (7 Dec 2020) +- [Jacob Hoffman-Andrews brought this change] -- mailmap: fixups of some contributors + urldata: restore comment on ssl_connect_data.use + + This comment was originally on the `use` field, but was separated from + its field in 62a2534. + + Closes https://github.com/curl/curl/pull/6287 -- projects/build-wolfssl.bat: fix the copyright year range +Daniel Stenberg (7 Dec 2020) +- VERSIONS: refreshed + + We always use the patch number these days: all releases are + "major.minor.patch" -Marc Hoersken (14 Oct 2020) -- [Sergei Nikulov brought this change] +- [Jakub Zakrzewski brought this change] - CI/tests: fix invocation of tests for CMake builds - - Update appveyor.yml to set env variable TFLAGS and run tests - Remove curly braces due to CMake error (${TFLAGS} -> $TFLAGS) - Move testdeps build to build step (per review comments) + cmake: don't use reserved target name 'test' - Reviewed-by: Marc Hörsken + CMake up to 3.10 always reserves this name - Closes #6066 - Fixes #6052 + Fixes #6257 + Closes #6258 -- tests/server/util.c: fix support for Windows Unicode builds +- openssl: make the OCSP verification verify the certificate id - Detected via #6066 - Closes #6070 - -Daniel Stenberg (13 Oct 2020) -- [Jay Satiro brought this change] + CVE-2020-8286 + + Reported by anonymous + + Bug: https://curl.se/docs/CVE-2020-8286.html - strerror: Revert to local codepage for Windows error string +- ftp: make wc_statemach loop instead of recurse - - Change get_winapi_error() to return the error string in the local - codepage instead of UTF-8 encoding. + CVE-2020-8285 - Two weeks ago bed5f84 fixed get_winapi_error() to work on xbox, but it - also changed the error string's encoding from local codepage to UTF-8. + Fixes #6255 + Bug: https://curl.se/docs/CVE-2020-8285.html + Reported-by: xnynx on github + +- ftp: CURLOPT_FTP_SKIP_PASV_IP by default - We return the local codepage version of the error string because if it - is output to the user's terminal it will likely be with functions which - expect the local codepage (eg fprintf, failf, infof). + The command line tool also independently sets --ftp-skip-pasv-ip by + default. - This is essentially a partial revert of bed5f84. The support for xbox - remains but the error string is reverted back to local codepage. + Ten test cases updated to adapt the modified --libcurl output. - Ref: https://github.com/curl/curl/pull/6005 + Bug: https://curl.se/docs/CVE-2020-8284.html + CVE-2020-8284 - Reviewed-by: Marcel Raad - Closes #6065 + Reported-by: Varnavas Papaioannou -Marc Hoersken (13 Oct 2020) -- CI/tests: use verification curl for test reporting APIs +- urlapi: don't accept blank port number field without scheme - Avoid using our own, potentially installed, curl for - the test reporting APIs in case it is broken. + ... as it makes the URL parser accept "very-long-hostname://" as a valid + host name and we don't want that. The parser now only accepts a blank + (no digits) after the colon if the URL starts with a scheme. - Reviewed-by: Daniel Stenberg + Reported-by: d4d on hackerone - Preparation for #6049 - Closes #6063 + Closes #6283 -Viktor Szakats (12 Oct 2020) -- windows: fix comparison of mismatched types warning +- Revert "multi: implement wait using winsock events" - clang 10, mingw-w64: - ``` - vtls/openssl.c:2917:33: warning: comparison of integers of different signs: 'DWORD' (aka 'unsigned long') and 'HRESULT' (aka 'long') - [-Wsign-compare] - if(GetLastError() != CRYPT_E_NOT_FOUND) - ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~ - ``` + This reverts commit d2a7d7c185f98df8f3e585e5620cbc0482e45fac. - Approved-by: Daniel Stenberg - Closes #6062 + This commit also reverts the subsequent follow-ups to that commit, which + were all done within windows #ifdefs that are removed in this + change. Marc helped me verify this. + + Fixes #6146 + Closes #6281 -Daniel Stenberg (11 Oct 2020) -- [Viktor Szakats brought this change] +- [Klaus Crusius brought this change] - src/Makefile.m32: fix undefined curlx_dyn_* errors + ftp: retry getpeername for FTP with TCP_FASTOPEN - by linking `lib/dynbuf.c` when building a static curl binary. - Previously this source file was only included when building - a dynamic curl binary. This was likely possibly because no - functions from the `src/Makefile.inc` / `CURLX_CFILES` sources - were actually required for a curl tool build. This has - recently changed with the introduction of `curlx_dyn_*()` - memory functions and their use by the tool sources. + In the case of TFO, the remote host name is not resolved at the + connetion time. - Closes #6060 - -- HISTORY: curl verifies SSL certs by default since version 7.10 - -Marc Hoersken (8 Oct 2020) -- runtests.pl: use $LIBDIR variable instead of hardcoded path + For FTP that has lead to missing hostname for the secondary connection. + Therefore the name resolution is done at the time, when FTP requires it. - Reviewed-by: Daniel Stenberg - Closes #6051 + Fixes #6252 + Closes #6265 + Closes #6282 -Daniel Stenberg (7 Oct 2020) -- checksrc: detect // comments on column 0 +- [Thomas Danielsson brought this change] + + scripts/completion.pl: parse all opts - Spotted while working on #6045 + For tab-completion it may be preferable to include all the + available options. - Closes #6048 + Closes #6280 -- [Frederik Wedel-Heinen brought this change] +- RELEASE-NOTES: synced - mbedtls: add missing header when defining MBEDTLS_DEBUG +- openssl: use OPENSSL_init_ssl() with >= 1.1.0 - Closes #6045 + Reported-by: Kovalkov Dmitrii and Per Nilsson + Fixes #6254 + Fixes #6256 + Closes #6260 -- curl: make sure setopt CURLOPT_IPRESOLVE passes on a long +- SECURITY-PROCESS: disclose on hackerone - Previously, it would pass on a define (int) which could make libcurl - read junk as a value - which prevented the CURLOPT_IPRESOLVE option to - "take". This could then make test 2100 do two DoH requests instead of - one! + Once a vulnerability has been published, the hackerone issue should be + disclosed. For tranparency. - Fixes #6042 - Closes #6043 + Closes #6275 -- RELEASE-NOTES: synced +Marc Hoersken (3 Dec 2020) +- tests/util.py: fix compatibility with Python 2 + + Backporting the Python 3 implementation of setStream + to ClosingFileHandler as a fallback within Python 2. + + Reported-by: Jay Satiro + + Fixes #6259 + Closes #6270 -- scripts/release-notes.pl: don't "embed" $ in format string for printf() +Daniel Gustafsson (3 Dec 2020) +- docs: fix typos and markup in ETag manpage sections - ... since they might contain %-codes that mess up the output! + Reported-by: emanruse on github + Fixes #6273 -Jay Satiro (5 Oct 2020) -- [M.R.T brought this change] +Daniel Stenberg (2 Dec 2020) +- quiche: close the connection + + Reported-by: Junho Choi + Fixes #6213 + Closes #6217 - build-wolfssl: fix build with Visual Studio 2019 +Jay Satiro (2 Dec 2020) +- ngtcp2: Fix build error due to symbol name change - Closes https://github.com/curl/curl/pull/6033 + - NGTCP2_CRYPTO_LEVEL_APP -> NGTCP2_CRYPTO_LEVEL_APPLICATION + + ngtcp2/ngtcp2@76232e9 changed the name. + + ngtcp2 master is required to build curl with http3 support. + + Closes https://github.com/curl/curl/pull/6271 -Daniel Stenberg (4 Oct 2020) -- runtests: add %repeat[]% for test files +Daniel Stenberg (1 Dec 2020) +- [Klaus Crusius brought this change] + + cmake: check for linux/tcp.h - ... and use this new keywords in all the test files larger than 50K to reduce - their sizes and make them a lot easier to read and understand. + The HAVE_LINUX_TCP_H define was not set by cmake. - Closes #6040 + Closes #6252 -- [Emil Engler brought this change] +- NEW-PROTOCOL: document what needs to be done to add one + + Closes #6263 - --help: move two options from the misc category +- splay: rename Curl_splayremovebyaddr to Curl_splayremove - The cmdline opts delegation and suppress-connect-headers - fit better into auth and proxy rather than misc. + ... and remove the old unused proto for the old Curl_splayremove + version. - Follow-up to aa8777f63febc - Closes #6038 + Closes #6269 -- [Samanta Navarro brought this change] +- openssl: free mem_buf in error path + + To fix a memory-leak. + + Closes #6267 - docs/opts: fix typos in two manual pages +- openssl: remove #if 0 leftover - Closes #6039 + Follow-up to 4c9768565ec3a9 (from Sep 2008) + + Closes #6268 -- ldap: reduce the amount of #ifdefs needed +- ntlm: avoid malloc(0) on zero length user and domain - Closes #6035 + ... and simplify the too-long checks somewhat. + + Detected by OSS-Fuzz + + Closes #6264 -- runtests: provide curl's version string as %VERSION for tests +- RELEASE-NOTES: synced + +Marc Hoersken (28 Nov 2020) +- tests/server/tftpd.c: close upload file in case of abort - ... so that we can check HTTP requests for User-Agent: curl/%VERSION + Commit c353207 removed the closing right after do_tftp + which covered the case of abort. This handles that case. - Update 600+ test cases accordingly. + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Closes #6037 + Follow up to #6209 + Closes #6234 -- checksrc: warn on space after exclamation mark +Daniel Stenberg (26 Nov 2020) +- [Daiki Ueno brought this change] + + ngtcp2: use the minimal version of QUIC supported by ngtcp2 - Closes #6034 + Closes #6250 -- test1465: verify --libcurl with binary POST data +- [Daiki Ueno brought this change] -- runtests: allow generating a binary sequence from hex + ngtcp2: advertise h3 ALPN unconditionally + + Closes #6250 -- tool_setopt: escape binary data to hex, not octal +- [Daiki Ueno brought this change] -- curl: make --libcurl show binary posts correctly + vquic/ngtcp2.h: define local_addr as sockaddr_storage - Reported-by: Stephan Mühlstrasser - Fixes #6031 - Closes #6032 + This field needs to be wide enough to hold sockaddr_in6 when + connecting via IPv6. Otherwise, ngtcp2_conn_read_pkt will drop the + packets because of the address mismatch: + I00000022 [...] con ignore packet from unknown path + + We can safely assume that struct sockaddr_storage is available, as it + is used in the public interface of ngtcp2. + + Closes #6250 -Jay Satiro (1 Oct 2020) -- strerror: fix null deref on winapi out-of-memory +- socks: check for DNS entries with the right port number - Follow-up to bed5f84 from several days ago. + The resolve call is done with the right port number, but the subsequent + check used the wrong one, which then could find a previous resolve which + would return and leave the fresh resolve "incomplete" and leaking + memory. - Ref: https://github.com/curl/curl/pull/6005 + Fixes #6247 + Closes #6253 -Daniel Stenberg (1 Oct 2020) -- [Kamil Dudka brought this change] +- curl_setup: USE_RESOLVE_ON_IPS is for Apple native resolver use + + ... so don't define it when instructed to use c-ares! - vtls: deduplicate some DISABLE_PROXY ifdefs +- test506: make it not run in c-ares builds - ... in the code of gtls, nss, and openssl + As the asynch nature of it may trigger events in another order. A c-ares + upgrade made it break. - Closes #5735 + Reported-by: Marc Hörsken + Fixes #6247 -- RELEASE-NOTES: synced +- runtests: make 'c-ares' a "feature" to depend on + + ... also added to the docs. + +- tool_writeout: use off_t getinfo-types instead of doubles + + Commit 3b80d3ca46b12e52342 (June 2017) introduced getinfo replacement + variables that use curl_off_t instead of doubles. Switch the --write-out + function over to use them. + + Closes #6248 - [Emil Engler brought this change] - TODO: Add OpenBSD libtool notice + file: avoid duplicated code sequence - See #5862 - Closes #6030 + file_disconnect() is identical with file_do() except the function header + but as the arguments are unused anyway so why not just return file_do() + directly! + + Reviewed-by: Daniel Stenberg + Closes #6249 -- tests/unit/README: convert to markdown +- [Rikard Falkeborn brought this change] + + infof/failf calls: fix format specifiers - ... and add to dist! + Update a few format specifiers to match what is being printed. - Closes #6028 + Closes #6241 -- tests/README: convert to markdown +- docs/INTERNALS: remove reference to Curl_sendf() - Closes #6028 - -- include/README: convert to markdown + The function has been removed from common usage. Also removed comment in + gopher.c that still referenced it. - Closes #6028 + Reported-by: Rikard Falkeborn + Fixes #6242 + Closes #6243 -- examples/README: convert to markdown - - Closes #6028 +- [Rikard Falkeborn brought this change] -- configure: don't say HTTPS-proxy is enabled when disabled! + examples: update .gitignore - Reported-by: Kamil Dudka - Reviewed-by: Kamil Dudka - Bug: https://github.com/curl/curl/pull/5735#issuecomment-701376388 - Closes #6029 - -Daniel Gustafsson (30 Sep 2020) -- src: Consistently spell whitespace without whitespace + Add files that are generated by 'make examples' and remove some that + have been renamed. - Whitespace is spelled without a space between white and space, so - make sure to consistently spell it that way across the codebase. + The commits that renamed the programs are e9625c5bc6c046a (imap.c and + simplesmtp.c were renamed to imap-fetch.c and smtp-send.c) and + ad39e7ec01e7 (pop3slist.c and pop3s.c were renamed to pop3-list.c and + pop3-ssl.c). - Closes #6023 - Reviewed-by: Daniel Stenberg - Reviewed-by: Emil Engler + Closes #6240 -- MANUAL: update examples to resolve without redirects +- asyn: use 'struct thread_data *' instead of 'void *' - www.netscape.com is redirecting to a cookie consent form on Aol, and - cool.haxx.se isn't responding to FTP anymore. Replace with examples - that resolves in case users try out the commands when reading the - manual. + To reduce use of types that can't be checked at compile time. Also + removes several typecasts. - Closes #6024 - Reviewed-by: Daniel Stenberg - Reviewed-by: Emil Engler + ... and rename the struct field from 'os_specific' to 'tdata'. + + Closes #6239 + Reviewed-by: Jay Satiro -Daniel Stenberg (30 Sep 2020) -- HISTORY: add some 2020 events +Viktor Szakats (23 Nov 2020) +- Makefile.m32: add support for UNICODE builds + + It requires the linker to support the `-municode` option. + This is available in more recent mingw-w64 releases. + + Ref: https://gcc.gnu.org/onlinedocs/gcc/x86-Windows-Options.html + Ref: https://stackoverflow.com/questions/3571250/wwinmain-unicode-and-mingw/11706847#11706847 + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + + Closes #6228 -- sectransp: make it build with --disable-proxy +Daniel Stenberg (23 Nov 2020) +- urldata: remove 'void *protop' and create the union 'p' - Follow-up from #5466 and f3d501dc678d80 - Reported-by: Javier Navarro - Fixes #6025 - Closes #6026 + ... to avoid the use of 'void *' for the protocol specific structs done + per transfer. + + Closes #6238 -- ECH: renamed from ESNI in docs and configure +- winbuild: remove docs from Makefiles and refer to README.md - Encrypted Client Hello (ECH) is the current name. + Reduce risk for conflicting docs and makes it to a single place to fix + and polish. - Closes #6022 + add these missing options to the readme: + + ENABLE_OPENSSL_AUTO_LOAD_CONFIG and ENABLE_UNICODE + + clarify ENABLE_SCHANNEL default varies + + Fixes #6216 + Closes #6227 + Co-Authored-by: Jay Satiro -- configure: use "no" instead of "disabled" for the end summary +- [Daiki Ueno brought this change] + + http3: use the master branch of GnuTLS for testing - ... for consistency but also to make them more distinctly stand out next - to the "enabled" lines. + Closes #6235 -- TODO: SSH over HTTPS proxy with more backends +- KNOWN_BUGS: curl with wolfSSL lacks support for renegotiation - ... as right now only the libssh2 backend supports it. + Closes #5839 -- libssh2: handle the SSH protocols done over HTTPS proxy +- KNOWN_BUGS: wakeup socket disconnect causes havoc - Reported-by: Robin Douine - Fixes #4295 - Closes #6021 + Closes #6132 + Closes #6133 -- [Emil Engler brought this change] +- RELEASE-NOTES: synced - memdebug: remove 9 year old unused debug function +- [Oliver Urbann brought this change] + + curl: add compatibility for Amiga and GCC 6.5 - There used to be a way to have memdebug fill allocated memory. 9 years - later this has no value there (valgrind and ASAN etc are way better). If - people need to know about it they can have a look at VCS logs. + Changes are mainly reordering and adding of includes required + to compile with a more recent version of GCC. - Closes #5973 + Closes #6220 -- sendf: move Curl_sendf to dict.c and make it static +Marc Hoersken (20 Nov 2020) +- tests/server/tftpd.c: close upload file right after transfer - ... as the only remaining user of that function. Also fix gopher.c to - instead use Curl_write() + Make sure uploaded file is no longer locked after the + transfer while waiting for the final ACK to be handled. - Closes #6020 + Assisted-by: Daniel Stenberg + + Bug: #6058 + Closes #6209 -- ROADMAP: updates and cleanups +- CI/cirrus: simplify logic for disabled tests - Fix the HSTS PR + The OpenSSH server instance for the testsuite cannot + be started on FreeBSD, therefore the SFTP and SCP + tests are disabled right away from the beginning. - Remove DoT, thread-safe init and hard-coded localhost. I feel very - little interest for these with users so I downgrade them to plain "TODO" - entries again. - -- schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root + The previous OS version specific logic for SKIP_TESTS + is no longer needed/used and can therefore be removed. - This matches what is returned in other TLS backends in the same - situation. + Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Reviewed-by: Emil Engler - Follow-up to 5a3efb1 - Reported-by: iammrtau on github - Fixes #6003 - Closes #6018 + Follow up to #6211 + Closes #6229 -- RELEASE-NOTES: synced - -- ftp: make a 552 response return CURLE_REMOTE_DISK_FULL +Daniel Gustafsson (20 Nov 2020) +- mailmap: Daniel Hwang - Added test 348 to verify. Added a 'STOR' command to the test FTP - server to enable test 348. Documented the command in FILEFORMAT.md + Add Daniel Hwang to the mailmap to cover the alternative spelling + Daniel Lee Hwang which was used in one commit. - Reported-by: Duncan Wilcox - Fixes #6016 - Closes #6017 + Closes #6230 + Reviewed-by: Daniel Stenberg -- pause: only trigger a reread if the unpause sticks +- openssl: guard against OOM on context creation - As an unpause might itself get paused again and then triggering another - reread doesn't help. + EVP_MD_CTX_create will allocate memory for the context and returns + NULL in case the allocation fails. Make sure to catch any allocation + failures and exit early if so. - Follow-up from e040146f22608fd9 (shipped since 7.69.1) + In passing, also move to EVP_DigestInit rather than EVP_DigestInit_ex + as the latter is intended for ENGINE selection which we don't do. - Bug: https://curl.haxx.se/mail/lib-2020-09/0081.html - Patch-by: Kunal Chandarana - Fixes #5988 - Closes #6013 + Closes #6224 + Reviewed-by: Daniel Stenberg + Reviewed-by: Emil Engler -- test163[12]: require http to be built-in to run - - ... as speaking over an HTTPS proxy implies http! - - Closes #6014 +Daniel Stenberg (19 Nov 2020) +- [Vincent Torri brought this change] -- ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define + cmake: use libcurl.rc in all Windows builds - Closes #6012 + Reviewed-by: Marcel Raad + Closes #6215 -- [Javier Blazquez brought this change] +- [Cristian Morales Vega brought this change] - strerror: honor Unicode API choice on Windows + cmake: make CURL_ZLIB a tri-state variable - Closes #6005 + By differentiating between ON and AUTO it can make a missing zlib + library a hard error when CURL_ZLIB=ON is used. + + Reviewed-by: Jakub Zakrzewski + Closes #6221 + Fixes #6173 -- imap: make imap_send use dynbuf for the send buffer management +- quiche: remove 'static' from local buffer - Reuses the buffer and thereby reduces number of mallocs over a transfer. + For thread-safety - Closes #6010 + Closes #6223 -- Curl_send: return error when pre_receive_plain can't malloc - - ... will probably trigger some false DEAD CODE positives on non-windows - code analyzers for the conditional code. +- KNOWN_BUGS: cmake: libspsl is not supported - Closes #6011 + Closes #6214 -- ftp: separate FTPS from FTP over "HTTPS proxy" +- KNOWN_BUGS: cmake autodetects cert paths when cross-compiling - When using HTTPS proxy, SSL is used but not in the view of the FTP - protocol handler itself so separate the connection's use of SSL from the - FTP control connection's sue. + Closes #6178 + +- KNOWN_BUGS: cmake build doesn't fail if zlib not found - Reported-by: Mingtao Yang - Fixes #5523 - Closes #6006 + Closes #6173 -Dan Fandrich (23 Sep 2020) -- tests/data: Fix some mismatched XML tags in test cases +- KNOWN_BUGS: cmake libcurl.pc uses absolute library paths - This allows these test files to pass xmllint. + Closes #6169 -Daniel Stenberg (23 Sep 2020) -- pingpong: use a dynbuf for the *_pp_sendf() function +- KNOWN_BUGS: cmake: generated .pc file contains strange entries - ... reuses the same dynamic buffer instead of doing repeated malloc/free - cycles. + Closes #6167 + +- KNOWN_BUGS: cmake uses -lpthread instead of Threads::Threads - Test case 100 (FTP dir list PASV) does 7 fewer memory allocation calls - after this change in my test setup (132 => 125), curl 7.72.0 needed 140 - calls for this. + Closes #6166 + +- KNOWN_BUGS: cmake build in Linux links libcurl to libdl - Test case 103 makes 9 less allocations now (130). Down from 149 in - 7.72.0. + Closes #6165 + +- KNOWN_BUGS: make a new section for cmake topics - Closes #6004 + Closes #6219 -- dynbuf: add Curl_dyn_vaddf +- [Emil Engler brought this change] + + cirrus: build with FreeBSD 12.2 in CirrusCI - Closes #6004 + Closes #6211 -- dynbuf: make *addf() not require extra mallocs +Marc Hoersken (14 Nov 2020) +- tests/*server.py: close log file after each log line - ... by introducing a printf() function that appends directly into a - dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if - the buffer is already big enough it can just printf directly into it. + Make sure the log file is not locked once a test has + finished and align with the behavior of our logmsg. - Since this less-malloc version requires tthe use of a library internal - printf function, we only provide this version when building libcurl and - not for the dynbuf code that is used when building the curl tool. + Rename curl_test_data.py to be a general util.py. + Format and sort Python imports with isort/VSCode. - Closes #5998 + Bug: #6058 + Closes #6206 -- KNOWN_BUGS: Unable to use PKCS12 certificate with Secure Transport +Daniel Stenberg (13 Nov 2020) +- CURLOPT_HSTS.3: document the file format - Closes #5403 + Closes #6205 -- pingpong: remove a malloc per Curl_pp_vsendf call +- RELEASE-NOTES: synced + +- release-notes.pl: detect #[number] better for Ref: etc + +- curl: only warn not fail, if not finding the home dir - This typically makes 7-9 fewer mallocs per FTP transfer. + ... as there's no good reason to error out completely. - Closes #5997 + Reported-by: Andreas Fischer + Fixes #6200 + Closes #6201 -- symbian: drop support +- httpput-postfields.c: new example doing PUT with POSTFIELDS - The OS is deprecated. I see no traces of anyone having actually built - curl for Symbian after 2012. + Proposed-by: Jeroen Ooms + Ref: #6186 + Closes #6188 + +- [Tobias Hieta brought this change] + + cmake: correctly handle linker flags for static libs - The public headers are unmodified. + curl CMake was setting the the EXE flags for static libraries which made + the /manifest:no flag ended up when linking the static library, which is + not a valid flag for lib.exe or llvm-lib.exe and caused llvm-lib to exit + with an error. - Closes #5989 + The better way to handle this is to make sure that we pass the correct + linker flags to CMAKE_STATIC_LINKER_FLAGS instead. + + Reviewed-by: Jakub Zakrzewski + Closes #6195 -- RELEASE-NOTES: synced +- [Tobias Hieta brought this change] -- curl_krb5.h: rename from krb5.h + cmake: don't pass -fvisibility=hidden to clang-cl on Windows - Follow-up from f4873ebd0be32cf + When using clang-cl on windows -fvisibility=hidden is not an known + argument. Instead it behaves exactly like MSVC in this case. So let's + make sure we take that path. - Turns out some older openssl installations go bananas otherwise. - Reported-by: Tom van der Woerdt - Fixes #5995 - Closes #5996 - -- test1297: verify GOT_NOTHING with http proxy tunnel + In CMake clang-cl sets both CMAKE_C_COMPILER_ID=clang and MSVC get's + defined since clang-cl is basically a MSVC emulator. So guarding like we + do in this patch seems logical. + + Reviewed-by: Jakub Zakrzewski + Closes #6194 -- http_proxy: do not count proxy headers in the header bytecount +- http_proxy: use enum with state names for 'keepon' - ... as that counter is subsequently used to detect if nothing was - returned from the peer. This made curl return CURLE_OK when it should - have returned CURLE_GOT_NOTHING. + To make the code clearer, change the 'keepon' from an int to an enum + with better state names. - Fixes #5992 - Reported-by: Tom van der Woerdt - Closes #5994 + Reported-by: Niranjan Hasabnis + Bug: https://curl.se/mail/lib-2020-11/0026.html + Closes #6193 -- setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument +- curl_easy_escape: limit output string length to 3 * max input - Fixed two return code mixups. CURLE_UNKNOWN_OPTION is saved for when the - option is, yeah, not known. Clarified this in the setopt man page too. + ... instead of the limiting it to just the max input size. As every + input byte can be expanded to 3 output bytes, this could limit the input + string to 2.66 MB instead of the intended 8 MB. - Closes #5993 + Reported-by: Marc Schlatter + Closes #6192 -- krb5: merged security.c and krb specific FTP functions in here +- docs: document the 8MB input string limit - These two files were always tightly connected and it was hard to - understand what went into which. This also allows us to make the - ftpsend() function static (moved from ftp.c). + for curl_easy_escape and curl_easy_setopt() - Removed security.c - Renamed curl_sec.h to krb5.h + The limit is there to catch mistakes and abuse. It is meant to be large + enough to allow virtually all "fine" use cases. - Closes #5987 + Reported-by: Marc Schlatter + Fixes #6190 + Closes #6191 -- Curl_handler: add 'family' to each protocol +- mqttd: fclose test file when done - Makes get_protocol_family() faster and it moves the knowledge about the - "families" to each protocol handler, where it belongs. + Reported-by: Marc Hörsken + Reviewed-by: Jay Satiro + Bug: #6058 + Closes #6189 + +- RELEASE-NOTES: synced + +- THANKS-filter: ignore autobuild links + +- Revert "libcurl.pc: make it relocatable" - Closes #5986 + This reverts commit 3862c37b6373a55ca704171d45ba5ee91dec2c9f. + + That fix should either be done differently or with an option. + + Reported-by: asavah on github + Fixes #6157 + Closes #6183 -- parsedate: tune the date to epoch conversion +- examples/httpput: remove use of CURLOPT_PUT - By avoiding an unnecessary error check and the temp use of the tm - struct, the time2epoch conversion function gets a little bit faster. - When repeating test 517, the updated version is perhaps 1% faster (on - one particular build on one particular architecture). + It is deprecated and unnecessary since it already sets CURLOPT_UPLOAD. - Closes #5985 + Reported-by: Jeroen Ooms + Fixes #6186 + Closes #6187 -- cmake: remove scary warning +- Curl_pgrsStartNow: init speed limit time stamps at start - Remove the text saying + By setting the speed limit time stamps unconditionally at transfer + start, we can start off a transfer without speed limits and yet allow + them to get set during transfer and have an effect. - "the curl cmake build system is poorly maintained. Be aware" + Reported-by: Kael1117 on github + Fixes #6162 + Closes #6184 + +- ngtcp2: adapt to recent nghttp3 updates - ... not because anything changed just now, but to encourage users to use - it and subsequently improve it. + 'reset_stream' was added to the nghttp3_conn_callbacks struct - Closes #5984 + Closes #6185 -- docs/MQTT: remove outdated paaragraphs +- configure: pass -pthread to Libs.private for pkg-config + + Reported-by: Cristian Morales Vega + Fixes #6168 + Closes #6181 -- docs/MQTT: not experimental anymore +- altsvc: minimize variable scope and avoid "DEAD_STORE" - Follow-up to e37e4468688d8f + Closes #6182 -- docs/RESOURCES: remove +- FAQ: remove "Why is there a HTTP/1.1 in my HTTP/2 request?" - This document is not maintained and rather than trying to refresh it, - let's kill it. A more up-to-date document with relevant RFCs is this - page on the curl website: https://curl.haxx.se/rfc/ + This hasn't been the case for a while now, remove. + +- FAQ: refresh "Why do I get "certificate verify failed" - Closes #5980 + Add more details, remove references to ancient curl version. -- docs/TheArtOfHttpScripting: convert to markdown +- test493: verify --hsts upgrade and that %{url_effective} reflects that - Makes it easier to browse on github etc. Offers (better) links. + Closes #6175 + +- url: make sure an HSTS upgrade updates URL and scheme correctly - It should be noted that this document is already mostly outdated and - "Everything curl" at https://ec.haxx.se/ is a better resource and - tutorial. + Closes #6175 + +- tool_operate: set HSTS with CURLOPT_HSTS to pass on filename - Closes #5981 + Closes #6175 -- BUGS: convert document to markdown +- hsts: remove debug code leftovers - Closes #5979 + Closes #6175 -- --help: strdup the category +- FAQ: refreshed - ... since it is converted and the original pointer is freed on Windows - unicode handling. + - remove a few ancient questions + - add configure with static libs question + - updated wording in several places + - lowercased curl - Follow-up to aa8777f63febc - Fixes #5977 - Closes #5978 - Reported-by: xwxbug on github + Closes #6177 -- CHECKSRC: document two missing warnings - -- RELEASE-NOTES: synced +Daniel Gustafsson (5 Nov 2020) +- examples: fix comment syntax + + Commit ac0a88fd2 accidentally added a stray character outside of the + comment which broke compilation. Fix by removing. + + Reported-by: autobuild https://curl.se/dev/log.cgi?id=20201105084306-12742 -- ftp: avoid risk of reading uninitialized integers +- hsts: Remove pointless call to free in errorpath - If the received PASV response doesn't match the expected pattern, we - could end up reading uninitialized integers for IP address and port - number. + The line variable will always be NULL in the error path, so remove + the free call since it's pointless. - Issue pointed out by muse.dev - Closes #5972 + Closes #6170 + Reviewed-by: Daniel Stenberg -- [Quentin Balland brought this change] +- docs: Fix various typos in documentation + + Closes #6171 + Reviewed-by: Daniel Stenberg - easy_reset: clear retry counter +Daniel Stenberg (5 Nov 2020) +- copyright: fix year ranges - Closes #5975 - Fixes #5974 + Follow-up from 4d2f8006777 -- ftp: get rid of the PPSENDF macro +- HISTORY: the new domain + +- curl.se: new home - The use of such a macro hides some of what's actually going on to the - reader and is generally disapproved of in the project. + Closes #6172 + +- KNOWN_BUGS: FTPS with Schannel times out file list operation - Closes #5971 + Reported-by: bobmitchell1956 on github + Closes #5284 -- man pages: switch to https://example.com URLs +- KNOWN_BUGS: SMB tests fail with Python 2 - Since HTTPS is "the new normal", this update changes a lot of man page - examples to use https://example.com instead of the previous "http://..." + Reported-by: Jay Satiro + Closes #5983 + +- KNOWN_BUGS: LDAPS with NSS is slow - Closes #5969 + Reported-by: nosajsnikta on github + Closes #5874 -- github: remove the duplicate "Security vulnerability" entry +Sergei Nikulov (4 Nov 2020) +- travis: use ninja-build for CMake builds - ... since github adds an entry automatically by itself. + Added package ninja-build to environment + Use ninja to speed up CMake builds - Closes #5970 + Closes #6077 -- [Emil Engler brought this change] +Daniel Stenberg (4 Nov 2020) +- [Harry Sintonen brought this change] - github: use new issue template feature - - This helps us to avoid getting feature requests as well as security - bugs reported into the issue tracker. + rtsp: error out on empty Session ID, unified the code + +- [Harry Sintonen brought this change] + + rtsp: fixed the RTST Session ID mismatch in test 570 - Closes #5936 + Closes #6161 -- [Emil Engler brought this change] +- [Harry Sintonen brought this change] - urlapi: use more Curl_safefree + rtsp: fixed Session ID comparison to refuse prefix - Closes #5968 + Closes #6161 -Marc Hoersken (17 Sep 2020) -- multi: align WinSock mask variables in Curl_multi_wait +- RELEASE-NOTES: synced - Also skip pre-checking sockets to set timeout_ms to 0 - after the first socket has been detected to be ready. + (forgot to update the list of contributors) + +- RELEASE-NOTES: synced + +- curlver: bumped to 7.74.0 + +- hsts: add read/write callbacks + + - read/write callback options + - man pages for the 4 new setopts + - test 1915 verifies the callbacks + + Closes #5896 + +- hsts: add support for Strict-Transport-Security + + - enable in the build (configure) + - header parsing + - host name lookup + - unit tests for the above + - CI build + - CURL_VERSION_HSTS bit + - curl_version_info support + - curl -V output + - curl-config --features + - CURLOPT_HSTS_CTRL + - man page for CURLOPT_HSTS_CTRL + - curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl) + - man page for --hsts + - save cache to disk + - load cache from disk + - CURLOPT_HSTS + - man page for CURLOPT_HSTS + - added docs/HSTS.md + - fixed --version docs + - adjusted curl_easy_duphandle + + Closes #5896 + +- [Sergei Nikulov brought this change] + + CI/tests: enable test target on TravisCI for CMake builds - Reviewed-by: rcombs on github - Reviewed-by: Daniel Stenberg + Added test-nonflaky target to CMake builds - Follow up to #5886 + Disabled test 1139 because the cmake build doesn't create docs/curl.1 + + Closes #6074 -- multi: reuse WinSock events variable in Curl_multi_wait +- tool_debug_cb: do not assume zero-terminated data - Since the struct is quite large (1 long and 10 ints) we - declare it once at the beginning of the function instead - of multiple times inside loops to avoid stack movements. + Follow-up to d70a5b5a0f5e3 + +- sendf: move the verbose-check into Curl_debug - Reviewed-by: Viktor Szakats - Reviewed-by: Daniel Stenberg + Saves us from having the same check done everywhere. - Closes #5886 + Closes #6159 -Daniel Stenberg (16 Sep 2020) -- TODO: dynamically decide to use socketpair +- travis: use valgrind when running tests for debug builds - Suggested-by: Anders Bakken + Except the non-x86 and sanitizer builds - Closes #4829 + Closes #6154 -- TODO: add PR reference for native IDN support on macOS - - As there was work started on this that never got completed. +- header.d: fix syntax mistake - Closes #5371 + follow-up from 1144886f38fd0 -- tool_help.h: update copyright year range +- [Harry Sintonen brought this change] + + gnutls: fix memory leaks (certfields memory wasn't released) - Follow-up from aa8777f63febca + Closes #6153 -- CI/azure: disable test 571 in the msys2 builds +- tests: add missing global_init/cleanup calls - It's just too flaky there + Without the cleanup call in these test files, the mbedTLS backend leaks + memory. - Reviewed-by: Marc Hoersken - Closes #5954 + Closes #6156 -- tool_writeout: protect fputs() from NULL +- tool_operate: --retry for HTTP 408 responses too - When the code was changed to do fputs() instead of fprintf() it got - sensitive for NULL pointers; add checks for that. + This was inadvertently dropped from the code when the parallel support + was added. - Follow-up from 0c1e767e83ec66 + Regression since b88940850 (7.66.0) - Closes #5963 + Reviewed-by: Jay Satiro + Closes #6155 -- test3015: verify stdout "as text" +- http: pass correct header size to debug callback for chunked post - Follow-up from 0c1e767e83e to please win32 tests + ... when the chunked framing was added, the size of the "body part" of + the data was calculated wrongly so the debug callback would get told a + header chunk a few bytes too big that would also contain the first few + bytes of the request body. - Closes #5962 + Reported-by: Dirk Wetter + Ref: #6144 + Closes #6147 -- travis: use libressl v3.1.4 instead of master +- header.d: mention the "Transfer-Encoding: chunked" handling - ... as their git master seems too fragile to use (and 3.2.1 which is the - latest has a build failure). - - Closes #5964 + Ref: #6144 + Closes #6148 -- tests/FILEFORMAT: document type=shell for +- acinclude: detect manually set minimum macos/ipod version + + ... even if set in the CC or IPHONEOS/MACOSX_DEPLOYMENT_TARGET + variables. + + Reported-by: hamstergene on github + Fixes #6138 + Closes #6140 -- tests/FILEFORMAT: document nonewline support for +Jay Satiro (29 Oct 2020) +- tests: fix some http/2 tests for older versions of nghttpx - The one in , that creates files. + - Add regex that strips http/2 server header name to those http/2 tests + that don't already have it. - Follow-up from b83947c8df7 + - Improve that regex in all http/2 tests. + + Tests 358 and 359 were failing for me before this change on a system + that uses an older version of nghttpx which includes its version number + in the server header. + + Closes https://github.com/curl/curl/pull/6139 -- [anio brought this change] +Daniel Stenberg (30 Oct 2020) +- RELEASE-NOTES: synced - tool_writeout: add new writeout variable, %{num_headers} +- [Cristian Morales Vega brought this change] + + configure: use pkgconfig to find openSSL when cross-compiling - This variable gives the number of headers. + This reverts 736a40fec (November 2004), which doesn't explain why it was + done. - Closes #5947 + Closes #6145 -- tool_urlglob: fix compiler warning "unreachable code" +- tool_operate: bail out proper on errors for parallel setup - (On Windows builds.) + ... otherwise for example trying to upload a missing file just causes a + loop. - Follow-up to 70a3b003d9 + Reported-by: BrumBrum on hackerone + Closes #6141 -- [Gergely Nagy brought this change] +- [Sergei Nikulov brought this change] - vtls: deduplicate client certificates in ssl_config_data + CMake: make BUILD_TESTING dependent option - Closes #5629 + CMake will now handle BUILD_TESTING depending on PERL_FOUND and + CURL_DISABLE_TESTING + + Ref: #6036 + Closes #6072 -- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND +- libssh2: fix transport over HTTPS proxy - This is primarily interesting for cases where CURLOPT_NOBODY is set as - previously curl would not return an error for this case. + The fix in #6021 was not enough. This fix makes sure SCP/SFTP content + can also be transfered over a HTTPS proxy. - MDTM getting 550 now also returns this error (it returned - CURLE_FTP_COULDNT_RETR_FILE before) in order to unify return codes for - missing files across protocols and specific FTP commands. + Fixes #6113 + Closes #6128 + +- curl.1: add an "OUTPUT" section at the top of the manpage - libcurl already returns error on a 550 as a MDTM response (when - CURLOPT_FILETIME is set). If CURLOPT_NOBODY is not set, an error would - happen subsequently anyway since the RETR command would fail. + Explain the basic concepts behind curl output. - Add test 1913 and 1914 to verify. Updated several tests accordingly due - to the updated SIZE behavior. + Inspired by #6124 - Reported-by: Tomas Berger - Fixes #5953 - Closes #5957 + Closes #6134 -- curl: make checkpasswd use dynbuf - - Closes #5952 +- mailmap: set Viktor Szakats's email -- curl: make glob_match_url use dynbuf +- runtests: show keywords when no tests ran - Closes #5952 - -- curl: make file2memory use dynbuf + To help out future debugging, runtests now outputs the list of keywords + when it fails because no tests ran. - Closes #5952 + Ref: #6120 + Closes #6126 -- curl: make file2string use dynbuf +Jay Satiro (26 Oct 2020) +- CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo - Closes #5952 + Reported-by: Rui LIU + + Closes https://github.com/curl/curl/issues/6131 -- [Antarpreet Singh brought this change] +- range.d: fix typo + + Follow-up to 15ae039 from earlier today. - imap: set cselect_bits to CURL_CSELECT_IN initially +Daniel Stenberg (26 Oct 2020) +- CI/github: work-around for brew breakage on macOS - ... when continuing a transfer from a FETCH response. + ... and make it use OpenSSL 1.1 properly - When the size of the file was small enough that the entirety of the - transfer happens in a single go and schannel buffers holds the entire - data. However, it wasn't completely read in Curl_pp_readresp since a - line break was found before that could happen. So, by the time we are in - imap_state_fetch_resp - there's data in buffers that needs to be read - via Curl_read but nothing to read from the socket. After we setup a - transfer (Curl_setup_transfer), curl just waits on the socket state to - change - which doesn't happen since no new data ever comes. + Fixes #6130 + Closes #6129 + +- [José Joaquín Atria brought this change] + + range.d: clarify that curl will not parse multipart responses - Closes #5961 + Closes #6127 + Fixes #6124 - RELEASE-NOTES: synced -- test434: test -K use in a single line without newline - - Closes #5946 +- [Baruch Siach brought this change] -- runtests: allow creating files without newlines + libssh2: fix build with disabled proxy support - Closes #5946 - -- curl: use curlx_dynbuf for realloc when loading config files + Build breaks because the http_proxy field is missing: - ... fixes an integer overflow at the same time. + vssh/libssh2.c:3119:10: error: 'struct connectdata' has no member named 'http_proxy' - Reported-by: ihsinme on github - Assisted-by: Jay Satiro + Regression from #6021, shipped in curl 7.73.0 - Closes #5946 + Closes #6125 -- dynbuf: provide curlx_ names for reuse by the curl tool +- alt-svc: enable by default - Closes #5946 - -- dynbuf: make sure Curl_dyn_tail() zero terminates + Remove CURLALTSVC_IMMEDIATELY, which was never implemented/supported. - Closes #5959 + alt-svc support in curl is no longer considered experimental + + Closes #5868 -- tests: add test1912 to the dist +- CI/appveyor: remove (unused) runtests.pl -b option + +- [Emil Engler brought this change] + + tool_help: make "output" description less confusing - Follow-up to 70984ce1be4cab6c + Currently the description of "output" is misleading when comparing it + "verbose". + + Closes #6118 -- docs/LICENSE-MIXING: remove +- CI/appveyor: disable test 571 in two cmake builds - This document is not maintained and I feel that it doesn't provide much - value to users anymore (if it ever did). + ... they're simply too flaky there. - Closes #5955 + Closes #6119 -- [Laramie Leavitt brought this change] +- cmake: set the unicode feature in curl-config on Windows + + ... if built that way. To make it match curl -V output. + + Reviewed-by: Marcel Raad + Closes #6117 - http: consolidate nghttp2_session_mem_recv() call paths +- libssh2: require version 1.0 or later - Previously there were several locations that called - nghttp2_session_mem_recv and handled responses slightly differently. - Those have been converted to call the existing - h2_process_pending_input() function. + ... and simplify the code accordingly. libssh2 version 1.0 was released + in April 2009. - Moved the end-of-session check to h2_process_pending_input() since the - only place the end-of-session state can change is after nghttp2 - processes additional input frames. + Closes #6116 + +- KNOWN_BUGS: mention the individual cmake issues - This will likely fix the fuzzing error. While I don't have a root cause - the out-of-bounds read seems like a use after free, so moving the - nghttp2_session_check_request_allowed() call to a location with a - guaranteed nghttp2 session seems reasonable. + ... to make them easier to refer to and address separately and + one-by-one. + +- CMake: store IDN2 information in curl_config.h - Also updated a few nghttp2 callsites to include error messages and added - a few additional error checks. + This allows the build to enable IDN properly and it makes test 1014 + happier. - Closes #5648 + Ref: #6074 + Closes #6108 -- HISTORY: mention alt-svc added in 2019 +- CMake: call the feature unixsockets without dash - ... and make 1996 the first year subtitle + ... so that curl-config gets correct and makes test 1014 happy! + + Ref: #6074 + Closes #6108 -- base64: also build for pop3 and imap +- CI/travis: add brotli and zstd to the libssh2 build - Follow-up to the fix in 20417a13fb8f83 + ... to make sure such tests are run with valgrind. Suppress the zstd + valgrind warnings we get with version 1.3.3 on Ubuntu 18.04 (for debug + and non-debug builds). - Reported-by: Michael Olbrich - Fixes #5937 - Closes #5948 + Closes #6105 -- base64: enable in build with SMTP +- runtests: revert the mistaken edit of $CURL - The oauth2 support is used with SMTP and it uses base64 functions. + Regression from c4693adc62 + +- RELEASE-NOTES: synced + +- curl_url_set.3: fix typo in the RETURN VALUE section - Reported-by: Michael Olbrich - Fixes #5937 - Closes #5938 + Reported-by: Basuke Suzuki + Fixes #6102 -- curl_mime_headers.3: fix the example's use of curl_slist_append +Jay Satiro (17 Oct 2020) +- [Daniel Stenberg brought this change] + + packages/OS400: make the source code-style compliant - Reported-by: sofaboss on github - Fixes #5942 - Closes #5943 + ... and make sure 'make checksrc' in the root dir also verifies the + packages/OS400 sources. + + Closes https://github.com/curl/curl/pull/6085 -- lib583: fix enum mixup +- os400: Sync libcurl API options - grrr the previous follow-up to 17fcdf6a31 was wrong + This fixes the OS400 build and also an incorrect entry for + CURLINFO_APPCONNECT_TIME_T where it was treated as + CURLINFO_STARTTRANSFER_TIME_T. + + Reported-by: Jon Rumsey + + Fixes https://github.com/curl/curl/issues/6083 + Closes https://github.com/curl/curl/pull/6084 -- libtest: fix build errors +Daniel Stenberg (16 Oct 2020) +- CURLOPT_NOBODY.3: fix typo - Follow-up from 17fcdf6a310d4c8076 + Reported-by: Basuke Suzuki + Fixes #6097 -- lib: fix -Wassign-enum warnings +Marc Hoersken (16 Oct 2020) +- CI/azure: improve on flakiness by avoiding libtool wrappers - configure --enable-debug now enables -Wassign-enum with clang, - identifying several enum "abuses" also fixed. + Install curl binaries into MinGW bin folder and use that + for the tests in order to avoid libtool wrapper binaries. - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/879007f8118771f4896334731aaca5850a154675#commitcomment-42087553 + The libtool wrapper binaries (not scripts) on Windows seem + to be one of the possible causes for the following issues: - Closes #5929 + 1. Process output can be lost in the wrapper process chain. + 2. Killing the wrapper process does not kill the actual one. + + Derived from #5904 + Closes #6049 -- RELEASE-NOTES: synced +Daniel Stenberg (16 Oct 2020) +- CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well -- [Diven Qi brought this change] +- [Zenju brought this change] - url: use blank credentials when using proxy w/o username and password + CURLOPT_TCP_NODELAY.3: fix comment in example code - Fixes proxy regression brought in commit ad829b21ae (7.71.0) + Closes #6096 + +- openssl: acknowledge SRP disabling in configure properly - Fixed #5911 - Closes #5914 + Follow-up to 68a513247409 + + Use a new separate define that is the combination of both + HAVE_OPENSSL_SRP and USE_TLS_SRP: USE_OPENSSL_SRP + + Bug: https://curl.haxx.se/mail/lib-2020-10/0037.html + + Closes #6094 -- travis: add a build using libressl (from git master) +Viktor Szakats (16 Oct 2020) +- http3: fix two build errors, silence warnings - The v3.2.1 tag (latest release atm) results in a broken build. + * fix two build errors due to mismatch between function + declarations and their definitions + * silence two mismatched signs warnings via casts - Closes #5932 + Approved-by: Daniel Stenberg + Closes #6093 -- configure: let --enable-debug set -Wenum-conversion with gcc >= 10 +- Makefile.m32: add support for HTTP/3 via ngtcp2+nghttp3 - Unfortunately, this option is not detecting the same issues as clang's - -Wassign-enum flag, but should still be useful to detect future - mistakes. + Approved-by: Daniel Stenberg + Closes #6092 + +Daniel Stenberg (16 Oct 2020) +- tool_operate: fix compiler warning when --libcurl is disabled - Closes #5930 + Closes #6095 -- openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification +- checksrc: warn on empty line before open brace - If the error reason from the lib is - SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return - CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR. + ... and fix a few occurances - This unifies the libcurl return code and makes libressl run test 313 - (CRL testing) fine. + Closes #6088 + +- urlapi: URL encode a '+' in the query part - Closes #5934 + ... when asked to with CURLU_URLENCODE. + + Extended test 1560 to verify. + Reported-by: Dietmar Hauser + Fixes #6086 + Closes #6087 -- FAQ: refreshed some very old language +- [Cristian Morales Vega brought this change] -- cmake: make HTTP_ONLY also disable MQTT + libcurl.pc: make it relocatable - ... and alphasort the order of disabling protocols to make it easier to - browse. + It supposes when people specify the libdir/includedir they do it to + change where under prefix/exec_prefix it should be, not to make it + independent of prefix/exec_prefix. - Closes #5931 + Closes #6061 -- libtest: remove lib1541 leftovers +- runtests: return error if no tests ran - Caused automake errors. + ... and make TESTFAIL stand out a little better by adding newlines + before and after. - Follow-up to 8ca54a03ea08a + Reported-by: Marc Hörsken + Issue: #6052 + Closes #6053 -- tests/libtests: remove test 1900 and 2033 +- docs/FEATURE: convert to markdown - We already remove the test files, now remove the libtest codes as well. + ... and clean it up a bit. - Follow-up to e50a877df74 + Closes #6067 -Marc Hoersken (7 Sep 2020) -- CI/azure: add test number to title for display in analytics +- [Philipp Klaus Krause brought this change] + + strerror: use 'const' as the string should never be modified - To ease identification of tests the test number is added to - the test case title in order to have it on the Azure DevOps - Analytics pages and reports which currently do not show it. + Closes #6068 + +- [Jay Satiro brought this change] + + connect: repair build without ipv6 availability - Bump test case revision to make Azure DevOps update titles. + Assisted-by: Daniel Stenberg + Reported-by: Tom G. Christensen - Closes #5927 + Fixes https://github.com/curl/curl/issues/6069 + Closes https://github.com/curl/curl/pull/6071 -Daniel Stenberg (6 Sep 2020) -- altsvc: clone setting in curl_easy_duphandle +- RELEASE-NOTES: synced - The cache content is not duplicated, like other caches, but the setting - and specified file name are. + Started over for the journey to next release. + +- src/tool_filetime: disable -Wformat on mingw for this file - Test 1908 is extended to verify this somewhat. Since the duplicated - handle gets the same file name, the test unfortunately overwrites the - same file twice (with different contents) which makes it hard to check - automatically. + With gcc 10 on mingw we otherwise get this warning: - Closes #5923 + error: ISO C does not support the 'I' printf flag [-Werror=format=] + + Fixes #6079 + Closes #6082 -- test1541: remove since it is a known bug +- test122[12]: remove these two tests - A shared connection cache is not thread-safe is a known issue. Stop - testing this until we believe this issue is addressed. Reduces - occasional test failures we don't care about. + ... and remove the objnames scripts they tested. They're not used for + anything anymore so testing them serves no purpose! - The test code in lib1541.c is left in git to allow us to restore it when - we get to fix this. + Reported-by: Marc Hörsken + Fixes #6080 + Closes #6081 + +Version 7.73.0 (14 Oct 2020) + +Daniel Stenberg (14 Oct 2020) +- RELEASE-NOTES: synced - Closes #5922 + for 7.73.0 -- tests: remove pipelining tests +- THANKS: from 7.73.0 and .mailmap fixes + +- mailmap: fixups of some contributors + +- projects/build-wolfssl.bat: fix the copyright year range + +Marc Hoersken (14 Oct 2020) +- [Sergei Nikulov brought this change] + + CI/tests: fix invocation of tests for CMake builds - Remove the tests 530, 584, 1900, 1901, 1902, 1903 and 2033. They were - previously disabled. + Update appveyor.yml to set env variable TFLAGS and run tests + Remove curly braces due to CMake error (${TFLAGS} -> $TFLAGS) + Move testdeps build to build step (per review comments) - The Pipelining code was removed from curl in commit 2f44e94efb3df8e, - April 2019. + Reviewed-by: Marc Hörsken - Closes #5921 + Closes #6066 + Fixes #6052 -- curl: retry delays in parallel mode no longer sleeps blocking - - The previous sleep for retries would block all other concurrent - transfers. Starting now, the retry will instead be properly marked to - not get restarted until after the delay time but other transfers can - still continue in the mean time. +- tests/server/util.c: fix support for Windows Unicode builds - Closes #5917 + Detected via #6066 + Closes #6070 -- curl:parallel_transfers: make sure retry readds the transfer - - Reported-by: htasta on github - Fixes #5905 - Closes #5917 +Daniel Stenberg (13 Oct 2020) +- [Jay Satiro brought this change] -- build: drop support for building with Watcom + strerror: Revert to local codepage for Windows error string - These files are not maintained, they seem to have no users, Watcom - compilers look like not having users nor releases anymore. + - Change get_winapi_error() to return the error string in the local + codepage instead of UTF-8 encoding. - Closes #5918 - -- winbuild/rundebug.cmd: remove + Two weeks ago bed5f84 fixed get_winapi_error() to work on xbox, but it + also changed the error string's encoding from local codepage to UTF-8. - Seems to have been added by mistake? Not included in dists. + We return the local codepage version of the error string because if it + is output to the user's terminal it will likely be with functions which + expect the local codepage (eg fprintf, failf, infof). - Closes #5919 - -- curl: in retry output don't call all problems "transient" + This is essentially a partial revert of bed5f84. The support for xbox + remains but the error string is reverted back to local codepage. - ... because when --retry-all-errors is used, the error isn't necessarily - transient at all. + Ref: https://github.com/curl/curl/pull/6005 - Closes #5916 + Reviewed-by: Marcel Raad + Closes #6065 -- easygetopt: pass a valid enum to avoid compiler warning +Marc Hoersken (13 Oct 2020) +- CI/tests: use verification curl for test reporting APIs - "integer constant not in range of enumerated type 'CURLoption'" + Avoid using our own, potentially installed, curl for + the test reporting APIs in case it is broken. - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/6ebe63fac23f38df911edc348e8ccc72280f9434#commitcomment-42042843 + Reviewed-by: Daniel Stenberg - Closes #5915 - -- [Emil Engler brought this change] + Preparation for #6049 + Closes #6063 - tests: Add tests for new --help +Viktor Szakats (12 Oct 2020) +- windows: fix comparison of mismatched types warning - This commit is a part of "--help me if you can" + clang 10, mingw-w64: + ``` + vtls/openssl.c:2917:33: warning: comparison of integers of different signs: 'DWORD' (aka 'unsigned long') and 'HRESULT' (aka 'long') + [-Wsign-compare] + if(GetLastError() != CRYPT_E_NOT_FOUND) + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~ + ``` - Closes #5680 + Approved-by: Daniel Stenberg + Closes #6062 -- [Emil Engler brought this change] +Daniel Stenberg (11 Oct 2020) +- [Viktor Szakats brought this change] - tool: update --help with categories + src/Makefile.m32: fix undefined curlx_dyn_* errors - This commit is a part of "--help me if you can" + by linking `lib/dynbuf.c` when building a static curl binary. + Previously this source file was only included when building + a dynamic curl binary. This was likely possibly because no + functions from the `src/Makefile.inc` / `CURLX_CFILES` sources + were actually required for a curl tool build. This has + recently changed with the introduction of `curlx_dyn_*()` + memory functions and their use by the tool sources. - Closes #5680 + Closes #6060 -- [Emil Engler brought this change] +- HISTORY: curl verifies SSL certs by default since version 7.10 - docs: add categories to all cmdline opts +Marc Hoersken (8 Oct 2020) +- runtests.pl: use $LIBDIR variable instead of hardcoded path - Adapted gen.pl with 'listcats' + Reviewed-by: Daniel Stenberg + Closes #6051 + +Daniel Stenberg (7 Oct 2020) +- checksrc: detect // comments on column 0 - This commit is a part of "--help me if you can" + Spotted while working on #6045 - Closes #5680 + Closes #6048 -- RELEASE-NOTES: synced +- [Frederik Wedel-Heinen brought this change] -- [ihsinme brought this change] + mbedtls: add missing header when defining MBEDTLS_DEBUG + + Closes #6045 - connect.c: remove superfluous 'else' in Curl_getconnectinfo +- curl: make sure setopt CURLOPT_IPRESOLVE passes on a long - Closes #5912 + Previously, it would pass on a define (int) which could make libcurl + read junk as a value - which prevented the CURLOPT_IPRESOLVE option to + "take". This could then make test 2100 do two DoH requests instead of + one! + + Fixes #6042 + Closes #6043 -- [Samuel Marks brought this change] +- RELEASE-NOTES: synced - CMake: remove explicit `CMAKE_ANSI_CFLAGS` - - This variable was removed from cmake in commit - https://gitlab.kitware.com/cmake/cmake/commit/5a834b0bb0bc288. A later - CMake commit removes the variable from the tests, claiming that it was - removed in CMake 2.6 +- scripts/release-notes.pl: don't "embed" $ in format string for printf() - Reviewed-By: Peter Wu - Closes #5439 + ... since they might contain %-codes that mess up the output! -- [cbe brought this change] +Jay Satiro (5 Oct 2020) +- [M.R.T brought this change] - libssh2: pass on the error from ssh_force_knownhost_key_type + build-wolfssl: fix build with Visual Studio 2019 - Closes #5909 + Closes https://github.com/curl/curl/pull/6033 -- scripts/delta: add diffstat summary +Daniel Stenberg (4 Oct 2020) +- runtests: add %repeat[]% for test files - ... and make output more table-like + ... and use this new keywords in all the test files larger than 50K to reduce + their sizes and make them a lot easier to read and understand. + + Closes #6040 -- [Martin Bašti brought this change] +- [Emil Engler brought this change] - http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set + --help: move two options from the misc category - ... in case NO_PROXY takes an effect + The cmdline opts delegation and suppress-connect-headers + fit better into auth and proxy rather than misc. - Without this patch, the following command crashes: + Follow-up to aa8777f63febc + Closes #6038 + +- [Samanta Navarro brought this change] + + docs/opts: fix typos in two manual pages - $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \ - git clone https://github.com/curl/curl.git + Closes #6039 + +- ldap: reduce the amount of #ifdefs needed - Minimal libcurl-based reproducer: + Closes #6035 + +- runtests: provide curl's version string as %VERSION for tests - #include + ... so that we can check HTTP requests for User-Agent: curl/%VERSION - int main() { - CURL *curl = curl_easy_init(); - if(curl) { - CURLcode ret; - curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/"); - curl_easy_setopt(curl, CURLOPT_PROXY, "example.com"); - /* set the proxy type */ - curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); - curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com"); - curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); - ret = curl_easy_perform(curl); - curl_easy_cleanup(curl); - return ret; - } - return -1; - } + Update 600+ test cases accordingly. - Assisted-by: Kamil Dudka - Bug: https://bugzilla.redhat.com/1873327 - Closes #5902 + Closes #6037 -- travis: add a CI job with openssl3 (from git master) +- checksrc: warn on space after exclamation mark - Closes #5908 + Closes #6034 -- openssl: avoid error conditions when importing native CA - - The code section that is OpenSSL 3+ specific now uses the same logic as - is used in the version < 3 section. It caused a compiler error without - it. - - Closes #5907 +- test1465: verify --libcurl with binary POST data -- setopt: avoid curl_ on local variable - - Closes #5906 +- runtests: allow generating a binary sequence from hex -- mqtt.c: avoid curl_ prefix on local variable - - Closes #5906 +- tool_setopt: escape binary data to hex, not octal -- wildcard: strip "curl_" prefix from private symbols +- curl: make --libcurl show binary posts correctly - Closes #5906 + Reported-by: Stephan Mühlstrasser + Fixes #6031 + Closes #6032 -- vtls: make it 'struct Curl_ssl_session' +Jay Satiro (1 Oct 2020) +- strerror: fix null deref on winapi out-of-memory - Use uppercase C for internal symbols. + Follow-up to bed5f84 from several days ago. - Closes #5906 + Ref: https://github.com/curl/curl/pull/6005 -- curl_threads: make it 'struct Curl_actual_call' +Daniel Stenberg (1 Oct 2020) +- [Kamil Dudka brought this change] + + vtls: deduplicate some DISABLE_PROXY ifdefs - Internal names should not be prefixed "curl_" + ... in the code of gtls, nss, and openssl - Closes #5906 + Closes #5735 -- schannel: make it 'struct Curl_schannel*' - - As internal global names should use captical C. +- RELEASE-NOTES: synced + +- [Emil Engler brought this change] + + TODO: Add OpenBSD libtool notice - Closes #5906 + See #5862 + Closes #6030 -- hash: make it 'struct Curl_hash' +- tests/unit/README: convert to markdown - As internal global names should use captical C. + ... and add to dist! - Closes #5906 + Closes #6028 -- llist: make it "struct Curl_llist" - - As internal global names should use captical C. +- tests/README: convert to markdown - Closes #5906 + Closes #6028 -Marc Hoersken (2 Sep 2020) -- telnet.c: depend on static requirement of WinSock version 2 +- include/README: convert to markdown - Drop dynamic loading of ws2_32.dll and instead rely on the - imported version which is now required to be at least 2.2. + Closes #6028 + +- examples/README: convert to markdown - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - Reviewed-by: Viktor Szakats + Closes #6028 + +- configure: don't say HTTPS-proxy is enabled when disabled! - Closes #5854 + Reported-by: Kamil Dudka + Reviewed-by: Kamil Dudka + Bug: https://github.com/curl/curl/pull/5735#issuecomment-701376388 + Closes #6029 -- win32: drop support for WinSock version 1, require version 2 +Daniel Gustafsson (30 Sep 2020) +- src: Consistently spell whitespace without whitespace - IPv6, telnet and now also the multi API require WinSock - version 2 which is available starting with Windows 95. + Whitespace is spelled without a space between white and space, so + make sure to consistently spell it that way across the codebase. - Therefore we think it is time to drop support for version 1. + Closes #6023 + Reviewed-by: Daniel Stenberg + Reviewed-by: Emil Engler + +- MANUAL: update examples to resolve without redirects - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - Reviewed-by: Viktor Szakats + www.netscape.com is redirecting to a cookie consent form on Aol, and + cool.haxx.se isn't responding to FTP anymore. Replace with examples + that resolves in case users try out the commands when reading the + manual. - Follow up to #5634 - Closes #5854 + Closes #6024 + Reviewed-by: Daniel Stenberg + Reviewed-by: Emil Engler -- select: align poll emulation to return all relevant events - - The poll emulation via select already consumes POLLRDNORM, - POLLWRNORM and POLLRDBAND as input events. Therefore it - should also return them as output events if signaled. +Daniel Stenberg (30 Sep 2020) +- HISTORY: add some 2020 events + +- sectransp: make it build with --disable-proxy - Also fix indentation in input event handling block. + Follow-up from #5466 and f3d501dc678d80 + Reported-by: Javier Navarro + Fixes #6025 + Closes #6026 + +- ECH: renamed from ESNI in docs and configure - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Encrypted Client Hello (ECH) is the current name. - Replaces #5852 - Closes #5883 + Closes #6022 -- CI/azure: MQTT is now enabled by default +- configure: use "no" instead of "disabled" for the end summary - Reviewed-by: Daniel Stenberg + ... for consistency but also to make them more distinctly stand out next + to the "enabled" lines. + +- TODO: SSH over HTTPS proxy with more backends - Follow up to #5858 - Closes #5903 + ... as right now only the libssh2 backend supports it. -Daniel Stenberg (2 Sep 2020) -- copyright.pl: ignore buildconf +- libssh2: handle the SSH protocols done over HTTPS proxy + + Reported-by: Robin Douine + Fixes #4295 + Closes #6021 -- test971: show test mismatches "inline" +- [Emil Engler brought this change] -- lib/Makefile.am: bump VERSIONINFO due to new functions + memdebug: remove 9 year old unused debug function - ... we're generally bad at this, but we are adding new functions for - this release. + There used to be a way to have memdebug fill allocated memory. 9 years + later this has no value there (valgrind and ASAN etc are way better). If + people need to know about it they can have a look at VCS logs. - Closes #5899 + Closes #5973 -- optiontable: use DEBUGBUILD +- sendf: move Curl_sendf to dict.c and make it static - Follow-up to commit 6e18568ba38 (#5877) + ... as the only remaining user of that function. Also fix gopher.c to + instead use Curl_write() + + Closes #6020 -- cmdline-opts/gen.pl: generate nicer "See Also" in curl.1 +- ROADMAP: updates and cleanups - If there are more than two items in the list, use commas for all but the - last separator which is set to 'and'. Reads better. + Fix the HSTS PR - Closes #5898 + Remove DoT, thread-safe init and hard-coded localhost. I feel very + little interest for these with users so I downgrade them to plain "TODO" + entries again. -- curl.1: add see also no-progress-meter on two spots +- schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root - Ref: #5894 + This matches what is returned in other TLS backends in the same + situation. - Closes #5897 + Reviewed-by: Jay Satiro + Reviewed-by: Emil Engler + Follow-up to 5a3efb1 + Reported-by: iammrtau on github + Fixes #6003 + Closes #6018 - RELEASE-NOTES: synced -- mqtt: enable by default +- ftp: make a 552 response return CURLE_REMOTE_DISK_FULL - No longer considered experimental. + Added test 348 to verify. Added a 'STOR' command to the test FTP + server to enable test 348. Documented the command in FILEFORMAT.md - Closes #5858 + Reported-by: Duncan Wilcox + Fixes #6016 + Closes #6017 -- [Michael Baentsch brought this change] +- pause: only trigger a reread if the unpause sticks + + As an unpause might itself get paused again and then triggering another + reread doesn't help. + + Follow-up from e040146f22608fd9 (shipped since 7.69.1) + + Bug: https://curl.haxx.se/mail/lib-2020-09/0081.html + Patch-by: Kunal Chandarana + Fixes #5988 + Closes #6013 - tls: add CURLOPT_SSL_EC_CURVES and --curves +- test163[12]: require http to be built-in to run - Closes #5892 + ... as speaking over an HTTPS proxy implies http! + + Closes #6014 -- url: remove funny embedded comments in Curl_disonnect calls +- ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define + + Closes #6012 -- [Chris Paulson-Ellis brought this change] +- [Javier Blazquez brought this change] - conn: check for connection being dead before reuse + strerror: honor Unicode API choice on Windows - Prevents incorrect reuse of an HTTP connection that has been prematurely - shutdown() by the server. + Closes #6005 + +- imap: make imap_send use dynbuf for the send buffer management - Partial revert of 755083d00deb16 + Reuses the buffer and thereby reduces number of mallocs over a transfer. - Fixes #5884 - Closes #5893 + Closes #6010 -Marc Hoersken (29 Aug 2020) -- buildconf: exec autoreconf to avoid additional process +- Curl_send: return error when pre_receive_plain can't malloc - Also make buildconf exit with the return code of autoreconf. + ... will probably trigger some false DEAD CODE positives on non-windows + code analyzers for the conditional code. - Reviewed-by: Daniel Stenberg + Closes #6011 + +- ftp: separate FTPS from FTP over "HTTPS proxy" - Follow up to #5853 - Closes #5890 + When using HTTPS proxy, SSL is used but not in the view of the FTP + protocol handler itself so separate the connection's use of SSL from the + FTP control connection's sue. + + Reported-by: Mingtao Yang + Fixes #5523 + Closes #6006 -- CI/azure: no longer ignore results of test 1013 +Dan Fandrich (23 Sep 2020) +- tests/data: Fix some mismatched XML tags in test cases - Follow up to #5771 - Closes #5889 + This allows these test files to pass xmllint. -- docs: add description about CI platforms to CONTRIBUTE.md +Daniel Stenberg (23 Sep 2020) +- pingpong: use a dynbuf for the *_pp_sendf() function - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro + ... reuses the same dynamic buffer instead of doing repeated malloc/free + cycles. - Closes #5882 - -Daniel Stenberg (29 Aug 2020) -- tests/getpart: use MIME::Base64 instead of home-cooked + Test case 100 (FTP dir list PASV) does 7 fewer memory allocation calls + after this change in my test setup (132 => 125), curl 7.72.0 needed 140 + calls for this. - Since we already use the base64 package since a while back, we can just - as well switch to that here too. + Test case 103 makes 9 less allocations now (130). Down from 149 in + 7.72.0. - It also happens to use the exact same function name, which otherwise - causes a run-time warning. + Closes #6004 + +- dynbuf: add Curl_dyn_vaddf - Reported-by: Marc Hörsken - Fixes #5885 - Closes #5887 + Closes #6004 -Marcel Raad (29 Aug 2020) -- ntlm: fix condition for curl_ntlm_core usage +- dynbuf: make *addf() not require extra mallocs - `USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES - backend is fine, but was excluded before. + ... by introducing a printf() function that appends directly into a + dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if + the buffer is already big enough it can just printf directly into it. - This also fixes test 1013 as the condition for SMB support in - configure.ac didn't match the condition in the source code. Now it - does. + Since this less-malloc version requires tthe use of a library internal + printf function, we only provide this version when building libcurl and + not for the dynbuf code that is used when building the curl tool. - Fixes https://github.com/curl/curl/issues/1262 - Closes https://github.com/curl/curl/pull/5771 + Closes #5998 -- AppVeyor: switch 64-bit Schannel Debug CMake builds to Unicode - - The Schannel builds are the most useful to verify as they make the most - use of the Windows API. Classic MinGW doesn't support Unicode at all, - only MinGW-w64 and MSVC do. +- KNOWN_BUGS: Unable to use PKCS12 certificate with Secure Transport - Closes https://github.com/curl/curl/pull/5843 + Closes #5403 -- CMake: add option to enable Unicode on Windows +- pingpong: remove a malloc per Curl_pp_vsendf call - As already existing for winbuild. + This typically makes 7-9 fewer mallocs per FTP transfer. - Closes https://github.com/curl/curl/pull/5843 + Closes #5997 -Marc Hoersken (29 Aug 2020) -- select: simplify return code handling for poll and select - - poll and select already return -1 on error according to POSIX, - so there is no need to perform a <0 to -1 conversion in code. +- symbian: drop support - Also we can just use one check with <= 0 on the return code. + The OS is deprecated. I see no traces of anyone having actually built + curl for Symbian after 2012. - Assisted-by: Daniel Stenberg - Reviewed-by: Jay Satiro + The public headers are unmodified. - Replaces #5852 - Closes #5880 + Closes #5989 -Daniel Stenberg (28 Aug 2020) - RELEASE-NOTES: synced -- [Jeroen Ooms brought this change] - - tests: add test1912 with typechecks +- curl_krb5.h: rename from krb5.h - Validates that gcc-typecheck macros match the new option type API. + Follow-up from f4873ebd0be32cf - Closes #5873 + Turns out some older openssl installations go bananas otherwise. + Reported-by: Tom van der Woerdt + Fixes #5995 + Closes #5996 -- easyoptions: provide debug function when DEBUGBUILD - - ... not CURLDEBUG as they're not always set in conjunction. +- test1297: verify GOT_NOTHING with http proxy tunnel + +- http_proxy: do not count proxy headers in the header bytecount - Follow-up to 6ebe63fac23f38df + ... as that counter is subsequently used to detect if nothing was + returned from the peer. This made curl return CURLE_OK when it should + have returned CURLE_GOT_NOTHING. - Fixes #5877 - Closes #5878 + Fixes #5992 + Reported-by: Tom van der Woerdt + Closes #5994 -Marc Hoersken (28 Aug 2020) -- sockfilt: handle FD_CLOSE winsock event on write socket +- setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument - Learn from the way Cygwin handles and maps the WinSock events - to simulate correct and complete poll and select behaviour - according to Richard W. Stevens Network Programming book. + Fixed two return code mixups. CURLE_UNKNOWN_OPTION is saved for when the + option is, yeah, not known. Clarified this in the setopt man page too. - Follow up to #5867 - Closes #5879 + Closes #5993 -- multi: handle connection state winsock events +- krb5: merged security.c and krb specific FTP functions in here - Learn from the way Cygwin handles and maps the WinSock events - to simulate correct and complete poll and select behaviour - according to Richard W. Stevens Network Programming book. + These two files were always tightly connected and it was hard to + understand what went into which. This also allows us to make the + ftpsend() function static (moved from ftp.c). - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad + Removed security.c + Renamed curl_sec.h to krb5.h - Follow up to #5634 - Closes #5867 + Closes #5987 -Daniel Stenberg (28 Aug 2020) -- Curl_pgrsTime - return new time to avoid timeout integer overflow - - Setting a timeout to INT_MAX could cause an immediate error to get - returned as timeout because of an overflow when different values of - 'now' were used. +- Curl_handler: add 'family' to each protocol - This is primarily fixed by having Curl_pgrsTime() return the "now" when - TIMER_STARTSINGLE is set so that the parent function will continue using - that time. + Makes get_protocol_family() faster and it moves the knowledge about the + "families" to each protocol handler, where it belongs. - Reported-by: Ionuț-Francisc Oancea - Fixes #5583 - Closes #5847 + Closes #5986 -- TLS: fix SRP detection by using the proper #ifdefs +- parsedate: tune the date to epoch conversion - USE_TLS_SRP will be true if *any* selected TLS backend can use SRP + By avoiding an unnecessary error check and the temp use of the tm + struct, the time2epoch conversion function gets a little bit faster. + When repeating test 517, the updated version is perhaps 1% faster (on + one particular build on one particular architecture). - HAVE_OPENSSL_SRP is defined when OpenSSL can use it + Closes #5985 + +- cmake: remove scary warning - HAVE_GNUTLS_SRP is defined when GnuTLS can use it + Remove the text saying - Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is - set if at least one of the supported backends offers SRP. + "the curl cmake build system is poorly maintained. Be aware" - Reported-by: Stefan Strogin - Fixes #5865 - Closes #5870 + ... not because anything changed just now, but to encourage users to use + it and subsequently improve it. + + Closes #5984 -- [Dan Kenigsberg brought this change] +- docs/MQTT: remove outdated paaragraphs - docs: SSLCERTS: fix English syntax - - Signed-off-by: Dan Kenigsberg +- docs/MQTT: not experimental anymore - Closes #5876 + Follow-up to e37e4468688d8f -- [Alessandro Ghedini brought this change] +- docs/RESOURCES: remove + + This document is not maintained and rather than trying to refresh it, + let's kill it. A more up-to-date document with relevant RFCs is this + page on the curl website: https://curl.haxx.se/rfc/ + + Closes #5980 - docs: non-existing macros in man pages +- docs/TheArtOfHttpScripting: convert to markdown - As reported by man(1) when invoked as: + Makes it easier to browse on github etc. Offers (better) links. - man --warnings -E UTF-8 -l -Tutf8 -Z >/dev/null + It should be noted that this document is already mostly outdated and + "Everything curl" at https://ec.haxx.se/ is a better resource and + tutorial. - Closes #5846 - -- [Alessandro Ghedini brought this change] + Closes #5981 - curl.1: fix typo invokved -> invoked +- BUGS: convert document to markdown - Closes #5846 + Closes #5979 -- buildconf: invoke 'autoreconf -fi' instead +- --help: strdup the category - The custom script isn't necessary anymore - but remains for simplicity - and just invokes autoreconf. + ... since it is converted and the original pointer is freed on Windows + unicode handling. - Closes #5853 + Follow-up to aa8777f63febc + Fixes #5977 + Closes #5978 + Reported-by: xwxbug on github -- [Emil Engler brought this change] +- CHECKSRC: document two missing warnings - lib: make Curl_gethostname accept a const pointer +- RELEASE-NOTES: synced + +- ftp: avoid risk of reading uninitialized integers - The address of that variable never gets changed, only the data in it so - why not make it a "char * const"? + If the received PASV response doesn't match the expected pattern, we + could end up reading uninitialized integers for IP address and port + number. - Closes #5866 + Issue pointed out by muse.dev + Closes #5972 -- docs/libcurl: update "Added in" version for curl_easy_option* - - Follow-up to 6ebe63fac23f38 +- [Quentin Balland brought this change] -- scripts: improve the "get latest curl release tag" logic + easy_reset: clear retry counter - ... by insiting on it matching "^curl-". + Closes #5975 + Fixes #5974 -- configure: added --disable-get-easy-options +- ftp: get rid of the PPSENDF macro - To allow disabling of the curl_easy_option APIs in a build. + The use of such a macro hides some of what's actually going on to the + reader and is generally disapproved of in the project. - Closes #5365 + Closes #5971 -- options: API for meta-data about easy options - - const struct curl_easyoption *curl_easy_option_by_name(const char *name); +- man pages: switch to https://example.com URLs - const struct curl_easyoption *curl_easy_option_by_id (CURLoption id); + Since HTTPS is "the new normal", this update changes a lot of man page + examples to use https://example.com instead of the previous "http://..." - const struct curl_easyoption * - curl_easy_option_next(const struct curl_easyoption *prev); + Closes #5969 + +- github: remove the duplicate "Security vulnerability" entry - The purpose is to provide detailed enough information to allow for - example libcurl bindings to get option information at run-time about - what easy options that exist and what arguments they expect. + ... since github adds an entry automatically by itself. - Assisted-by: Jeroen Ooms - Closes #5365 + Closes #5970 -- [Eric Curtin brought this change] +- [Emil Engler brought this change] - HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29 + github: use new issue template feature - Closes #5871 + This helps us to avoid getting feature requests as well as security + bugs reported into the issue tracker. + + Closes #5936 -- RELEASE-NOTES: synced +- [Emil Engler brought this change] -Jay Satiro (26 Aug 2020) -- openssl: Fix wincrypt symbols conflict with BoringSSL + urlapi: use more Curl_safefree - OpenSSL undefines the conflicting symbols but BoringSSL does not so we - must do it ourselves. + Closes #5968 + +Marc Hoersken (17 Sep 2020) +- multi: align WinSock mask variables in Curl_multi_wait - Reported-by: Samuel Tranchet - Assisted-by: Javier Blazquez + Also skip pre-checking sockets to set timeout_ms to 0 + after the first socket has been detected to be ready. - Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371 - Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73 + Reviewed-by: rcombs on github + Reviewed-by: Daniel Stenberg - Fixes https://github.com/curl/curl/issues/5669 - Closes https://github.com/curl/curl/pull/5857 + Follow up to #5886 -Daniel Stenberg (26 Aug 2020) -- socketpair: allow CURL_DISABLE_SOCKETPAIR +- multi: reuse WinSock events variable in Curl_multi_wait - ... to completely disable the use of socketpair + Since the struct is quite large (1 long and 10 ints) we + declare it once at the beginning of the function instead + of multiple times inside loops to avoid stack movements. - Closes #5850 - -- curl_get_line: build only if cookies or alt-svc are enabled + Reviewed-by: Viktor Szakats + Reviewed-by: Daniel Stenberg - Closes #5851 - -- [fullincome brought this change] + Closes #5886 - schannel: fix memory leak when using get_cert_location +Daniel Stenberg (16 Sep 2020) +- TODO: dynamically decide to use socketpair - The get_cert_location function allocates memory only on success. - Previously get_cert_location was able to allocate memory and return - error. It wasn't obvious and in this case the memory wasn't - released. + Suggested-by: Anders Bakken - Fixes #5855 - Closes #5860 - -- [Emil Engler brought this change] + Closes #4829 - git: ignore libtests in 3XXX area +- TODO: add PR reference for native IDN support on macOS - Currently the file tests/libtest/lib3010 is not getting - ignored by git. This fixes it by adding the 3XXX area to - the according .gitignore file. + As there was work started on this that never got completed. - Closes #5859 + Closes #5371 -- [Emil Engler brought this change] +- tool_help.h: update copyright year range + + Follow-up from aa8777f63febca - doh: add error message for DOH_DNS_NAME_TOO_LONG +- CI/azure: disable test 571 in the msys2 builds - When this error code was introduced in b6a53fff6c1d07e8a9, it was - forgotten to be added in the errors array and doh_strerror function. + It's just too flaky there - Closes #5863 + Reviewed-by: Marc Hoersken + Closes #5954 -- ngtcp2: adapt to the new pkt_info arguments +- tool_writeout: protect fputs() from NULL - Guidance-by: Tatsuhiro Tsujikawa + When the code was changed to do fputs() instead of fprintf() it got + sensitive for NULL pointers; add checks for that. - Closes #5864 - -- winbuild/README.md: make visible + Follow-up from 0c1e767e83ec66 - Follow-up to be753add31c2d8c + Closes #5963 -- winbuild: convert the instruction text to README.md +- test3015: verify stdout "as text" - Closes #5861 - -- lib1560: verify "redirect" to double-slash leading URL + Follow-up from 0c1e767e83e to please win32 tests - Closes #5849 + Closes #5962 -Marc Hoersken (25 Aug 2020) -- multi: expand pre-check for socket readiness - - Check readiness of all sockets before waiting on them - to avoid locking in case the one-time event FD_WRITE - was already consumed by a previous wait operation. +- travis: use libressl v3.1.4 instead of master - More information about WinSock network events: - https://docs.microsoft.com/en-us/windows/win32/api/ - winsock2/nf-winsock2-wsaeventselect#return-value + ... as their git master seems too fragile to use (and 3.2.1 which is the + latest has a build failure). - Closes #5634 + Closes #5964 -- [rcombs brought this change] +- tests/FILEFORMAT: document type=shell for - multi: implement wait using winsock events - - This avoids using a pair of TCP ports to provide wakeup functionality - for every multi instance on Windows, where socketpair() is emulated - using a TCP socket on loopback which could in turn lead to socket - resource exhaustion. +- tests/FILEFORMAT: document nonewline support for - A previous version of this patch failed to account for how in WinSock, - FD_WRITE is set only once when writing becomes possible and not again - until after a send has failed due to the buffer filling. This contrasts - to how FD_READ and FD_OOB continue to be set until the conditions they - refer to no longer apply. This meant that if a user wrote some data to - a socket, but not enough data to completely fill its send buffer, then - waited on that socket to become writable, we'd erroneously stall until - their configured timeout rather than returning immediately. + The one in , that creates files. - This version of the patch addresses that issue by checking each socket - we're waiting on to become writable with select() before the wait, and - zeroing the timeout if it's already writable. + Follow-up from b83947c8df7 + +- [anio brought this change] + + tool_writeout: add new writeout variable, %{num_headers} - Assisted-by: Marc Hörsken - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - Tested-by: Gergely Nagy - Tested-by: Rasmus Melchior Jacobsen - Tested-by: Tomas Berger + This variable gives the number of headers. - Replaces #5397 - Reverts #5632 - Closes #5634 + Closes #5947 -- select: reduce duplication of Curl_poll in Curl_socket_check - - Change Curl_socket_check to use select-fallback in Curl_poll - instead of implementing it in Curl_socket_check and Curl_poll. +- tool_urlglob: fix compiler warning "unreachable code" - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + (On Windows builds.) - Replaces #5262 and #5492 - Closes #5707 + Follow-up to 70a3b003d9 -- select: fix poll-based check not detecting connect failure - - This commit changes Curl_socket_check to use POLLPRI to - check for connect failure on the write socket, because - POLLPRI maps to fds_err. This is in line with select(2). +- [Gergely Nagy brought this change] + + vtls: deduplicate client certificates in ssl_config_data - The select-based socket check correctly checks for connect - failures by adding the write socket also to fds_err. + Closes #5629 + +- ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND - The poll-based implementation (which internally can itself - fallback to select again) did not previously check for - connect failure by using POLLPRI with the write socket. + This is primarily interesting for cases where CURLOPT_NOBODY is set as + previously curl would not return an error for this case. - See the follow up commit to this for more information. + MDTM getting 550 now also returns this error (it returned + CURLE_FTP_COULDNT_RETR_FILE before) in order to unify return codes for + missing files across protocols and specific FTP commands. - This commit makes sure connect failures can be detected - and handled if HAVE_POLL_FINE is defined, eg. on msys2-devel. + libcurl already returns error on a 550 as a MDTM response (when + CURLOPT_FILETIME is set). If CURLOPT_NOBODY is not set, an error would + happen subsequently anyway since the RETR command would fail. - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + Add test 1913 and 1914 to verify. Updated several tests accordingly due + to the updated SIZE behavior. - Replaces #5509 - Prepares #5707 + Reported-by: Tomas Berger + Fixes #5953 + Closes #5957 -- select.h: make socket validation macros test for INVALID_SOCKET - - With Winsock the valid range is [0..INVALID_SOCKET-1] according to - https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg +- curl: make checkpasswd use dynbuf - Closes #5760 + Closes #5952 -Daniel Stenberg (24 Aug 2020) -- docs: --output-dir is added in 7.73.0, nothing else +- curl: make glob_match_url use dynbuf - Follow-up to 5620d2cc78c0 + Closes #5952 -- curl: add --output-dir - - Works with --create-dirs and with -J - - Add test 3008, 3009, 3011, 3012 and 3013 to verify. +- curl: make file2memory use dynbuf - Closes #5637 + Closes #5952 -- configure: fix pkg-config detecting wolfssl - - When amending the include path with "/wolfssl", this now properly strips - off all whitespace from the path variable! Previously this would lead to - pkg-config builds creating bad command lines. +- curl: make file2string use dynbuf - Closes #5848 + Closes #5952 -- [Michael Musset brought this change] +- [Antarpreet Singh brought this change] - sftp: add the option CURLKHSTAT_FINE_REPLACE + imap: set cselect_bits to CURL_CSELECT_IN initially - Replace the old fingerprint of the host with a new. + ... when continuing a transfer from a FETCH response. - Closes #5685 + When the size of the file was small enough that the entirety of the + transfer happens in a single go and schannel buffers holds the entire + data. However, it wasn't completely read in Curl_pp_readresp since a + line break was found before that could happen. So, by the time we are in + imap_state_fetch_resp - there's data in buffers that needs to be read + via Curl_read but nothing to read from the socket. After we setup a + transfer (Curl_setup_transfer), curl just waits on the socket state to + change - which doesn't happen since no new data ever comes. + + Closes #5961 - RELEASE-NOTES: synced - - The next release is now to become 7.73.0 -- checksrc: verify do-while and spaces between the braces - - Updated mprintf.c to comply +- test434: test -K use in a single line without newline - Closes #5845 + Closes #5946 -- curl: support XDG_CONFIG_HOME to find .curlrc - - Added test433 to verify. Updated documentation. +- runtests: allow creating files without newlines - Reviewed-by: Jay Satiro - Suggested-by: Eli Schwartz - Fixes #5829 - Closes #5837 + Closes #5946 -- etag: save and use the full received contents +- curl: use curlx_dynbuf for realloc when loading config files - ... which makes it support weak tags and non-standard etags too! + ... fixes an integer overflow at the same time. - Added test case 347 to verify blank incoming ETag: + Reported-by: ihsinme on github + Assisted-by: Jay Satiro - Fixes #5610 - Closes #5833 + Closes #5946 -- setopt: if the buffer exists, refuse the new BUFFERSIZE - - The buffer only exists during transfer and then we shouldn't change the - size (the setopt is not documented to work then). +- dynbuf: provide curlx_ names for reuse by the curl tool - Reported-by: Harry Sintonen - Closes #5842 - -- [COFFEETALES brought this change] + Closes #5946 - sftp: add new quote commands 'atime' and 'mtime' +- dynbuf: make sure Curl_dyn_tail() zero terminates - Closes #5810 + Closes #5959 -- CURLE_PROXY: new error code - - Failures clearly returned from a (SOCKS) proxy now causes this return - code. Previously the situation was not very clear as what would be - returned and when. - - In addition: when this error code is returned, an application can use - CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then - returns a value from the new 'CURLproxycode' enum. +- tests: add test1912 to the dist - Closes #5770 + Follow-up to 70984ce1be4cab6c -- runtests: make cleardir() erase dot files too +- docs/LICENSE-MIXING: remove - Because test cases might use dot files. + This document is not maintained and I feel that it doesn't provide much + value to users anymore (if it ever did). - Closes #5838 + Closes #5955 -- KNOWN_BUGS: 'no_proxy' string-matches IPv6 numerical addreses +- [Laramie Leavitt brought this change] + + http: consolidate nghttp2_session_mem_recv() call paths - Also: the current behavior is now documented in the curl.1 and - CURLOPT_NOPROXY.3 man pages. + Previously there were several locations that called + nghttp2_session_mem_recv and handled responses slightly differently. + Those have been converted to call the existing + h2_process_pending_input() function. - Reported-by: Andrew Barnes - Closes #5745 - Closes #5841 - -Viktor Szakats (22 Aug 2020) -- Makefile.m32: add ability to override zstd libs [ci skip] + Moved the end-of-session check to h2_process_pending_input() since the + only place the end-of-session state can change is after nghttp2 + processes additional input frames. - Similarly to brotli, where this was already possible. - E.g. it allows to link zstd statically to libcurl.dll. + This will likely fix the fuzzing error. While I don't have a root cause + the out-of-bounds read seems like a use after free, so moving the + nghttp2_session_check_request_allowed() call to a location with a + guaranteed nghttp2 session seems reasonable. - Ref: https://github.com/curl/curl-for-win/issues/12 - Ref: https://github.com/curl/curl-for-win/commit/d9b266afd2e5d3f5604483010ef62340b5918c89 + Also updated a few nghttp2 callsites to include error messages and added + a few additional error checks. - Closes https://github.com/curl/curl/pull/5840 + Closes #5648 -Daniel Stenberg (21 Aug 2020) -- runtests: avoid 'fail to start' repeated messages in attempt loops +- HISTORY: mention alt-svc added in 2019 - Closes #5834 + ... and make 1996 the first year subtitle -- runtests: clear pid variables when failing to start a server +- base64: also build for pop3 and imap - ... as otherwise the parent doesn't detect the failure and believe it - actually worked to start. + Follow-up to the fix in 20417a13fb8f83 - Reported-by: Christian Weisgerber - Bug: https://curl.haxx.se/mail/lib-2020-08/0018.html - Closes #5834 + Reported-by: Michael Olbrich + Fixes #5937 + Closes #5948 -- TODO: Virtual external sockets +- base64: enable in build with SMTP - Closes #5835 + The oauth2 support is used with SMTP and it uses base64 functions. + + Reported-by: Michael Olbrich + Fixes #5937 + Closes #5938 -- [Don J Olmstead brought this change] +- curl_mime_headers.3: fix the example's use of curl_slist_append + + Reported-by: sofaboss on github + Fixes #5942 + Closes #5943 - dist: add missing CMake Find modules to the distribution +- lib583: fix enum mixup - Closes #5836 + grrr the previous follow-up to 17fcdf6a31 was wrong -- RELEASE-NOTES: synced +- libtest: fix build errors - ... and version bumped to 7.72.1 + Follow-up from 17fcdf6a310d4c8076 -- tls: provide the CApath verbose log on its own line +- lib: fix -Wassign-enum warnings - ... not newline separated from the previous line. This makes it output - asterisk prefixed properly like other verbose putput! + configure --enable-debug now enables -Wassign-enum with clang, + identifying several enum "abuses" also fixed. - Reported-by: jmdavitt on github - Fixes #5826 - Closes #5827 - -Version 7.72.0 (19 Aug 2020) + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/879007f8118771f4896334731aaca5850a154675#commitcomment-42087553 + + Closes #5929 -Daniel Stenberg (19 Aug 2020) - RELEASE-NOTES: synced - - The curl 7.72.0 release -- THANKS: add names from curl 7.72.0 release +- [Diven Qi brought this change] -Jay Satiro (18 Aug 2020) -- KNOWN_BUGS: Schannel TLS 1.2 handshake bug in old Windows versions + url: use blank credentials when using proxy w/o username and password - Reported-by: plujon@users.noreply.github.com + Fixes proxy regression brought in commit ad829b21ae (7.71.0) - Closes https://github.com/curl/curl/issues/5488 + Fixed #5911 + Closes #5914 -Daniel Stenberg (17 Aug 2020) -- Curl_easy: remember last connection by id, not by pointer - - CVE-2020-8231 +- travis: add a build using libressl (from git master) - Bug: https://curl.haxx.se/docs/CVE-2020-8231.html + The v3.2.1 tag (latest release atm) results in a broken build. - Reported-by: Marc Aldorasi - Closes #5824 - -- examples/rtsp.c: correct the copyright year - -- RELEASE-PROCEDURE.md: add more future release dates - -- [H3RSKO brought this change] + Closes #5932 - docs: change "web site" to "website" - - According to wikipedia: +- configure: let --enable-debug set -Wenum-conversion with gcc >= 10 - While "web site" was the original spelling, this variant has become - rarely used, and "website" has become the standard spelling + Unfortunately, this option is not detecting the same issues as clang's + -Wassign-enum flag, but should still be useful to detect future + mistakes. - Closes #5822 - -- [Bevan Weiss brought this change] + Closes #5930 - CMake: don't complain about missing nroff +- openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification - The curl_nroff_check() was always being called, and complaining if - *NROFF wasn't found, even when not making the manual. + If the error reason from the lib is + SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return + CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR. - Only check for nroff (and complain) if actually making the manual + This unifies the libcurl return code and makes libressl run test 313 + (CRL testing) fine. - Closes #5817 + Closes #5934 -- [Brian Inglis brought this change] +- FAQ: refreshed some very old language - libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin - - copy the LDFLAGS approach for adding same option with `libhostname` in - `libtest/Makefile.am`: +- cmake: make HTTP_ONLY also disable MQTT - - init `libstubgss_la_LDFLAGS_EXTRA` variable, - - add option to variable inside conditional, - - use variable in `libstubgss_la_LDFLAGS` + ... and alphasort the order of disabling protocols to make it easier to + browse. - Fixes #5819 - Closes #5820 + Closes #5931 -- docs: clarify MAX_SEND/RECV_SPEED functionality +- libtest: remove lib1541 leftovers - ... in particular what happens if the maximum speed limit is set to a - value that's smaller than the transfer buffer size in use. + Caused automake errors. - Reported-by: Tomas Berger - Fixes #5788 - Closes #5813 + Follow-up to 8ca54a03ea08a -- test1140: compare stdout - - To make problems more immediately obvious when tests fail. +- tests/libtests: remove test 1900 and 2033 - Closes #5814 - -- asyn-ares: correct some bad comments + We already remove the test files, now remove the libtest codes as well. - Closes #5812 - -- [Emil Engler brought this change] + Follow-up to e50a877df74 - docs: Add video link to docs/CONTRIBUTE.md +Marc Hoersken (7 Sep 2020) +- CI/azure: add test number to title for display in analytics - Closes #5811 - -- curl-config: ignore REQUIRE_LIB_DEPS in --libs output + To ease identification of tests the test number is added to + the test case title in order to have it on the Azure DevOps + Analytics pages and reports which currently do not show it. - Fixes a curl-config issue on cygwin by making sure REQUIRE_LIB_DEPS is - not considered for the --libs output. + Bump test case revision to make Azure DevOps update titles. - Reported-by: ramsay-jones on github - Assisted-by: Brian Inglis and Ken Brown - Fixes #5793 - Closes #5808 - -- copyright: update/correct the year range on a few files - -- scripts/copyright.pl: ignore .muse files - -- [Emil Engler brought this change] + Closes #5927 - multi: Remove 10-year old out-commented code +Daniel Stenberg (6 Sep 2020) +- altsvc: clone setting in curl_easy_duphandle - The code hasn't been touched since 2010-08-18 + The cache content is not duplicated, like other caches, but the setting + and specified file name are. - Closes #5805 - -- KNOWN_BUGS: A shared connection cache is not thread-safe + Test 1908 is extended to verify this somewhat. Since the duplicated + handle gets the same file name, the test unfortunately overwrites the + same file twice (with different contents) which makes it hard to check + automatically. - Closes #4915 - Closes #5802 + Closes #5923 -- CONTRIBUTE: extend git commit message description +- test1541: remove since it is a known bug - In particular how the first line works. + A shared connection cache is not thread-safe is a known issue. Stop + testing this until we believe this issue is addressed. Reduces + occasional test failures we don't care about. - Closes #5803 - -- RELEASE-NOTES: synced - -- [Stefan Yohansson brought this change] + The test code in lib1541.c is left in git to allow us to restore it when + we get to fix this. + + Closes #5922 - transfer: move retrycount from connect struct to easy handle +- tests: remove pipelining tests - This flag was applied to the connection struct that is released on - retry. These changes move the retry counter into Curl_easy struct that - lives across retries and retains the new connection. + Remove the tests 530, 584, 1900, 1901, 1902, 1903 and 2033. They were + previously disabled. - Reported-by: Cherish98 on github - Fixes #5794 - Closes #5800 - -- libssh2: s/ssherr/sftperr/ + The Pipelining code was removed from curl in commit 2f44e94efb3df8e, + April 2019. - The debug output used ssherr instead of sftperr which not only outputs - the wrong error code but also casues a warning on Windows. + Closes #5921 + +- curl: retry delays in parallel mode no longer sleeps blocking - Follow-up to 7370b4e39f1 + The previous sleep for retries would block all other concurrent + transfers. Starting now, the retry will instead be properly marked to + not get restarted until after the delay time but other transfers can + still continue in the mean time. - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/7370b4e39f1390e701f5b68d910c619151daf72b#r41334700 - Closes #5799 + Closes #5917 -- ftp: don't do ssl_shutdown instead of ssl_close - - The shutdown function is for downgrading a connection from TLS to plain, - and this is not requested here. +- curl:parallel_transfers: make sure retry readds the transfer - Have ssl_close reset the TLS connection state. + Reported-by: htasta on github + Fixes #5905 + Closes #5917 + +- build: drop support for building with Watcom - This partially reverts commit f002c850d98d + These files are not maintained, they seem to have no users, Watcom + compilers look like not having users nor releases anymore. - Reported-by: Rasmus Melchior Jacobsen - Reported-by: Denis Goleshchikhin - Fixes #5797 + Closes #5918 -Marc Hoersken (9 Aug 2020) -- CI/azure: fix test outcome values and use latest API version +- winbuild/rundebug.cmd: remove - This makes sure that tests ignored or skipped are not shown - just in the category "Other", but with their correct state. + Seems to have been added by mistake? Not included in dists. - Closes #5796 + Closes #5919 -- CI/azure: show runtime stats to investigate slowness +- curl: in retry output don't call all problems "transient" - Also avoid naming conflict of TFLAGS env and tflags variables. + ... because when --retry-all-errors is used, the error isn't necessarily + transient at all. - Closes #5776 + Closes #5916 -Daniel Stenberg (8 Aug 2020) -- TLS naming: fix more Winssl and Darwinssl leftovers +- easygetopt: pass a valid enum to avoid compiler warning - The CMake option is now called CMAKE_USE_SCHANNEL + "integer constant not in range of enumerated type 'CURLoption'" - The winbuild flag is USE_SCHANNEL + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/6ebe63fac23f38df911edc348e8ccc72280f9434#commitcomment-42042843 - The CI jobs and build scripts only use the new names and the new name - options + Closes #5915 + +- [Emil Engler brought this change] + + tests: Add tests for new --help - Tests now require 'Schannel' (when necessary) + This commit is a part of "--help me if you can" - Closes #5795 + Closes #5680 -- smtp_parse_address: handle blank input string properly - - Closes #5792 +- [Emil Engler brought this change] -- runtests: run the DICT server on a random port number + tool: update --help with categories - Removed support for -b (base port number) + This commit is a part of "--help me if you can" - Closes #5783 + Closes #5680 -- RELEASE-NOTES: synced +- [Emil Engler brought this change] -- runtests: move the TELNET server to a dynamic port + docs: add categories to all cmdline opts - Rename the port variable to TELNETPORT to better match the existing - pattern. + Adapted gen.pl with 'listcats' - Closes #5785 - -- ngtcp2: adapt to error code rename + This commit is a part of "--help me if you can" - Closes #5786 + Closes #5680 -- runtests: move the smbserver to use a dynamic port number - - Closes #5782 +- RELEASE-NOTES: synced -- runtests: run the http2 tests on a random port number +- [ihsinme brought this change] + + connect.c: remove superfluous 'else' in Curl_getconnectinfo - Closes #5779 + Closes #5912 -- gtls: survive not being able to get name/issuer +- [Samuel Marks brought this change] + + CMake: remove explicit `CMAKE_ANSI_CFLAGS` - Closes #5778 + This variable was removed from cmake in commit + https://gitlab.kitware.com/cmake/cmake/commit/5a834b0bb0bc288. A later + CMake commit removes the variable from the tests, claiming that it was + removed in CMake 2.6 + + Reviewed-By: Peter Wu + Closes #5439 -- runtests: move the gnutls-serv tests to a dynamic port +- [cbe brought this change] + + libssh2: pass on the error from ssh_force_knownhost_key_type - Affects test 320, 321, 322 and 324. + Closes #5909 + +- scripts/delta: add diffstat summary - Closes #5778 + ... and make output more table-like -- runtests: support dynamicly base64 encoded sections in tests +- [Martin Bašti brought this change] + + http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set - This allows us to make test cases to use base64 at run-time and still - use and verify information determined at run-time, such as the IMAP test - server's port number in test 842. + ... in case NO_PROXY takes an effect - This change makes 12 tests run again that basically never ran since we - moved to dynamic port numbers. + Without this patch, the following command crashes: - ftpserver.pl is adjusted to load test instructions and test number from - the preprocessed test file. + $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \ + git clone https://github.com/curl/curl.git - FILEFORMAT.md now documents the new base64 encoding syntax. + Minimal libcurl-based reproducer: - Reported-by: Marcel Raad - Fixes #5761 - Closes #5775 - -- curl.1: add a few missing valid exit codes + #include - 93 - 96 can be returned as well. + int main() { + CURL *curl = curl_easy_init(); + if(curl) { + CURLcode ret; + curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/"); + curl_easy_setopt(curl, CURLOPT_PROXY, "example.com"); + /* set the proxy type */ + curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); + curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com"); + curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); + ret = curl_easy_perform(curl); + curl_easy_cleanup(curl); + return ret; + } + return -1; + } - Closes #5777 + Assisted-by: Kamil Dudka + Bug: https://bugzilla.redhat.com/1873327 + Closes #5902 -- TODO: Use multiple parallel transfers for a single download +- travis: add a CI job with openssl3 (from git master) - Closes #5774 + Closes #5908 -- TODO: Set the modification date on an uploaded file +- openssl: avoid error conditions when importing native CA - Closes #5768 - -- [Thomas M. DuBuisson brought this change] - - CI: Add muse CI config + The code section that is OpenSSL 3+ specific now uses the same logic as + is used in the version < 3 section. It caused a compiler error without + it. - Closes #5772 + Closes #5907 -- [Thomas M. DuBuisson brought this change] +- setopt: avoid curl_ on local variable + + Closes #5906 - travis/script.sh: fix use of `-n' with unquoted envvar +- mqtt.c: avoid curl_ prefix on local variable - Shellcheck tells us "-n doesn't work with unquoted arguments. quote or - use [[ ]]." + Closes #5906 + +- wildcard: strip "curl_" prefix from private symbols - And testing shows: + Closes #5906 + +- vtls: make it 'struct Curl_ssl_session' - ``` - docker run --rm -it ubuntu bash - root@fe85ce156856:/# [ -n $DOES_NOT_EXIST ] && echo "I ran" - I ran - root@fe85ce156856:/# [ -n "$DOES_NOT_EXIST" ] && echo "I ran" - root@fe85ce156856:/# - ``` + Use uppercase C for internal symbols. - Closes #5773 + Closes #5906 -- h2: repair trailer handling - - The previous h2 trailer fix in 54a2b63 was wrong and caused a - regression: it cannot deal with trailers immediately when read since - they may be read off the connection by the wrong 'data' owner. +- curl_threads: make it 'struct Curl_actual_call' - This change reverts the logic back to gathering all trailers into a - single buffer, like before 54a2b63. + Internal names should not be prefixed "curl_" - Reported-by: Tadej Vengust - Fixes #5663 - Closes #5769 + Closes #5906 -Viktor Szakats (3 Aug 2020) -- windows: disable Unix Sockets for old mingw +- schannel: make it 'struct Curl_schannel*' - Classic mingw and 10y+ old versions of mingw-w64 don't ship with - Windows headers having the typedef necessary for Unix Sockets - support, so try detecting these environments to disable this - feature. + As internal global names should use captical C. - Ref: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/cf6afc57179a5910621215f8f4037d406892072c/ + Closes #5906 + +- hash: make it 'struct Curl_hash' - Reviewed-by: Daniel Stenberg + As internal global names should use captical C. - Fixes #5674 - Closes #5758 + Closes #5906 -Marcel Raad (3 Aug 2020) -- test1908: treat file as text +- llist: make it "struct Curl_llist" - Fixes the line endings on Windows. + As internal global names should use captical C. - Closes https://github.com/curl/curl/pull/5767 + Closes #5906 -- TrackMemory tests: ignore realloc and free in getenv.c +Marc Hoersken (2 Sep 2020) +- telnet.c: depend on static requirement of WinSock version 2 - These are only called for WIN32. + Drop dynamic loading of ws2_32.dll and instead rely on the + imported version which is now required to be at least 2.2. - Closes https://github.com/curl/curl/pull/5767 - -Daniel Stenberg (3 Aug 2020) -- tests/FILEFORMAT.md: mention %HTTP2PORT - -- RELEASE-NOTES: synced + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + Reviewed-by: Viktor Szakats + + Closes #5854 -- tlsv1.3.d. only for TLS-using connections +- win32: drop support for WinSock version 1, require version 2 - ... and rephrase that "not all" TLS backends support it. + IPv6, telnet and now also the multi API require WinSock + version 2 which is available starting with Windows 95. - Closes #5764 - -- tls-max.d: this option is only for TLS-using connections + Therefore we think it is time to drop support for version 1. - Ref: #5763 - Closes #5764 - -Marcel Raad (2 Aug 2020) -- [Cameron Cawley brought this change] - - tool_doswin: Simplify Windows version detection + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + Reviewed-by: Viktor Szakats - Closes https://github.com/curl/curl/pull/5754 - -- [Cameron Cawley brought this change] + Follow up to #5634 + Closes #5854 - win32: Add Curl_verify_windows_version() to curlx +- select: align poll emulation to return all relevant events - Closes https://github.com/curl/curl/pull/5754 - -- runtests.pl: treat LibreSSL and BoringSSL as OpenSSL + The poll emulation via select already consumes POLLRDNORM, + POLLWRNORM and POLLRDBAND as input events. Therefore it + should also return them as output events if signaled. - This makes the tests that require the OpenSSL feature also run for - those two compatible libraries. + Also fix indentation in input event handling block. - Closes https://github.com/curl/curl/pull/5762 + Assisted-by: Jay Satiro + Reviewed-by: Daniel Stenberg + + Replaces #5852 + Closes #5883 -Daniel Stenberg (1 Aug 2020) -- multi: Condition 'extrawait' is always true +- CI/azure: MQTT is now enabled by default - Reported by Codacy. + Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Closes #5759 + Follow up to #5858 + Closes #5903 -Marcel Raad (1 Aug 2020) -- openssl: fix build with LibreSSL < 2.9.1 - - `SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were - introduced in LibreSSL 2.9.1 [0]. +Daniel Stenberg (2 Sep 2020) +- copyright.pl: ignore buildconf + +- test971: show test mismatches "inline" + +- lib/Makefile.am: bump VERSIONINFO due to new functions - [0] https://github.com/libressl-portable/openbsd/commit/0db809ee178457c8170abfae3931d7bd13abf3ef + ... we're generally bad at this, but we are adding new functions for + this release. - Closes https://github.com/curl/curl/pull/5757 + Closes #5899 -Daniel Stenberg (1 Aug 2020) -- [Marc Aldorasi brought this change] +- optiontable: use DEBUGBUILD + + Follow-up to commit 6e18568ba38 (#5877) - multi_remove_handle: close unused connect-only connections +- cmdline-opts/gen.pl: generate nicer "See Also" in curl.1 - Previously any connect-only connections in a multi handle would be kept - alive until the multi handle was closed. Since these connections cannot - be re-used, they can be marked for closure when the associated easy - handle is removed from the multi handle. + If there are more than two items in the list, use commas for all but the + last separator which is set to 'and'. Reads better. - Closes #5749 + Closes #5898 -- checksrc: invoke script with -D to find .checksrc proper +- curl.1: add see also no-progress-meter on two spots - Without the -D command line option, checksrc.pl won't know which - directory to load the ".checksrc" file from when building out of the - source tree. + Ref: #5894 - Reported-by: Marcel Raad - Fixes #5715 - Closes #5755 + Closes #5897 -- [Carlo Marcelo Arenas Belón brought this change] +- RELEASE-NOTES: synced - buildconf: retire ares buildconf invocation +- mqtt: enable by default - no longer needed after 4259d2df7dd95637a4b1e3fb174fe5e5aef81069 + No longer considered experimental. + + Closes #5858 -- [Carlo Marcelo Arenas Belón brought this change] +- [Michael Baentsch brought this change] - buildconf: excempt defunct reference to ACLOCAL_FLAGS + tls: add CURLOPT_SSL_EC_CURVES and --curves - retired with 09f278121e815028adb24d228d8092fc6cb022aa but kept around as - the name is generic enough that it might be in use and relied upon from - the environment. + Closes #5892 -- [Carlo Marcelo Arenas Belón brought this change] +- url: remove funny embedded comments in Curl_disonnect calls - buildconf: avoid array concatenation in die() +- [Chris Paulson-Ellis brought this change] + + conn: check for connection being dead before reuse - reported as error SC2145[1] by shellcheck, but not expected to cause - any behavioural differences otherwise. + Prevents incorrect reuse of an HTTP connection that has been prematurely + shutdown() by the server. - [1] https://github.com/koalaman/shellcheck/wiki/SC2145 + Partial revert of 755083d00deb16 - Closes #5701 + Fixes #5884 + Closes #5893 -- travis: add ppc64le and s390x builds +Marc Hoersken (29 Aug 2020) +- buildconf: exec autoreconf to avoid additional process - Closes #5752 - -Marc Hoersken (31 Jul 2020) -- connect: remove redundant message about connect failure + Also make buildconf exit with the return code of autoreconf. Reviewed-by: Daniel Stenberg - Closes #5708 + Follow up to #5853 + Closes #5890 -- tests/sshserver.pl: fix compatibility with OpenSSH for Windows +- CI/azure: no longer ignore results of test 1013 - Follow up to #5721 + Follow up to #5771 + Closes #5889 -- CI/azure: install libssh2 for use with msys2-based builds - - This enables building and running the SFTP tests. - Unfortunately OpenSSH for Windows does not support SCP (yet). +- docs: add description about CI platforms to CONTRIBUTE.md Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro - Closes #5721 + Closes #5882 -- CI/azure: increase Windows job timeout once again +Daniel Stenberg (29 Aug 2020) +- tests/getpart: use MIME::Base64 instead of home-cooked - Avoid aborted jobs due to performance issues on Azure DevOps. + Since we already use the base64 package since a while back, we can just + as well switch to that here too. - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + It also happens to use the exact same function name, which otherwise + causes a run-time warning. - Closes #5738 + Reported-by: Marc Hörsken + Fixes #5885 + Closes #5887 -Jay Satiro (30 Jul 2020) -- TODO: Schannel: 'Add option to allow abrupt server closure' +Marcel Raad (29 Aug 2020) +- ntlm: fix condition for curl_ntlm_core usage - We should offer an option to allow abrupt server closures (server closes - SSL transfer without sending a known termination point such as length of - transfer or close_notify alert). Abrupt server closures are usually - because of misconfigured or very old servers. + `USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES + backend is fine, but was excluded before. - Closes https://github.com/curl/curl/issues/4427 - -- url: fix CURLU and location following + This also fixes test 1013 as the condition for SMB support in + configure.ac didn't match the condition in the source code. Now it + does. - Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was - incorrectly used for the location follow, resulting in infinite requests - to the original location. + Fixes https://github.com/curl/curl/issues/1262 + Closes https://github.com/curl/curl/pull/5771 + +- AppVeyor: switch 64-bit Schannel Debug CMake builds to Unicode - Reported-by: sspiri@users.noreply.github.com + The Schannel builds are the most useful to verify as they make the most + use of the Windows API. Classic MinGW doesn't support Unicode at all, + only MinGW-w64 and MSVC do. - Fixes https://github.com/curl/curl/issues/5709 - Closes https://github.com/curl/curl/pull/5713 - -Daniel Stenberg (30 Jul 2020) -- RELEASE-NOTES: synced - -- [divinity76 brought this change] + Closes https://github.com/curl/curl/pull/5843 - docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions +- CMake: add option to enable Unicode on Windows - it helps make it obvious that most developers don't have to care about - the CURLM_CALL_MULTI_PERFORM value (last release using it is nearly 11 - years old, November 4 2009) + As already existing for winbuild. - Closes #5744 + Closes https://github.com/curl/curl/pull/5843 -Jay Satiro (29 Jul 2020) -- tool_cb_wrt: fix outfile mode flags for Windows - - - Use S_IREAD and S_IWRITE mode permission flags to create the file - on Windows instead of S_IRUSR, S_IWUSR, etc. +Marc Hoersken (29 Aug 2020) +- select: simplify return code handling for poll and select - Windows only accepts a combination of S_IREAD and S_IWRITE. It does not - acknowledge other combinations, for which it may generate an assertion. + poll and select already return -1 on error according to POSIX, + so there is no need to perform a <0 to -1 conversion in code. - This is a follow-up to 81b4e99 from yesterday, which improved the - existing file check with -J. + Also we can just use one check with <= 0 on the return code. - Ref: https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/open-wopen#remarks - Ref: https://github.com/curl/curl/pull/5731 + Assisted-by: Daniel Stenberg + Reviewed-by: Jay Satiro - Closes https://github.com/curl/curl/pull/5742 + Replaces #5852 + Closes #5880 -Daniel Stenberg (28 Jul 2020) -- checksrc: ban gmtime/localtime - - They're not thread-safe so they should not be used in libcurl code. +Daniel Stenberg (28 Aug 2020) +- RELEASE-NOTES: synced + +- [Jeroen Ooms brought this change] + + tests: add test1912 with typechecks - Explictly enabled when deemed necessary and in examples and tests + Validates that gcc-typecheck macros match the new option type API. - Reviewed-by: Nicolas Sterchele - Closes #5732 + Closes #5873 -- transfer: fix data_pending for builds with both h2 and h3 enabled +- easyoptions: provide debug function when DEBUGBUILD - Closes #5734 - -- curl_multi_setopt: fix compiler warning "result is always false" + ... not CURLDEBUG as they're not always set in conjunction. - On systems with 32 bit long the expression is always false. Avoid - the warning. + Follow-up to 6ebe63fac23f38df - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232 - Closes #5736 + Fixes #5877 + Closes #5878 -- curl: improve the existing file check with -J +Marc Hoersken (28 Aug 2020) +- sockfilt: handle FD_CLOSE winsock event on write socket - Previously a file that isn't user-readable but is user-writable would - not be properly avoided and would get overwritten. + Learn from the way Cygwin handles and maps the WinSock events + to simulate correct and complete poll and select behaviour + according to Richard W. Stevens Network Programming book. - Reported-by: BrumBrum on hackerone - Assisted-by: Jay Satiro - Bug: https://hackerone.com/reports/926638 - Closes #5731 - -- [Jonathan Nieder brought this change] + Follow up to #5867 + Closes #5879 - multi: update comment to say easyp list is linear +- multi: handle connection state winsock events - Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1, - 2013-08-02), the easy handle list is not circular but ends with - ->next pointing to NULL. + Learn from the way Cygwin handles and maps the WinSock events + to simulate correct and complete poll and select behaviour + according to Richard W. Stevens Network Programming book. - Reported-by: Masaya Suzuki - Closes #5737 + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + + Follow up to #5634 + Closes #5867 -- CURLOPT_NOBODY.3: fix the syntax for referring to options +Daniel Stenberg (28 Aug 2020) +- Curl_pgrsTime - return new time to avoid timeout integer overflow - As test 1140 fails otherwise! + Setting a timeout to INT_MAX could cause an immediate error to get + returned as timeout because of an overflow when different values of + 'now' were used. - Follow-up to e1bac81cc815 - -- ngtcp2: store address in sockaddr_storage + This is primarily fixed by having Curl_pgrsTime() return the "now" when + TIMER_STARTSINGLE is set so that the parent function will continue using + that time. - Reported-by: Tatsuhiro Tsujikawa - Closes #5733 + Reported-by: Ionuț-Francisc Oancea + Fixes #5583 + Closes #5847 -- CURLOPT_NOBODY.3: clarify what setting to 0 means +- TLS: fix SRP detection by using the proper #ifdefs - ... and mention that HTTP with other methods than HEAD might get a body and - there's no option available to stop that. + USE_TLS_SRP will be true if *any* selected TLS backend can use SRP - Closes #5729 - -- setopt: unset NOBODY switches to GET if still HEAD + HAVE_OPENSSL_SRP is defined when OpenSSL can use it - Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented - action but before 7.71.0 that used to switch back to GET and with this - change (assuming the method is still set to HEAD) this behavior is - brought back. + HAVE_GNUTLS_SRP is defined when GnuTLS can use it - Reported-by: causal-agent on github - Fixes #5725 - Closes #5728 + Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is + set if at least one of the supported backends offers SRP. + + Reported-by: Stefan Strogin + Fixes #5865 + Closes #5870 -- [Ehren Bendler brought this change] +- [Dan Kenigsberg brought this change] - configure: cleanup wolfssl + pkg-config conflicts when cross compiling. + docs: SSLCERTS: fix English syntax - Also choose a different wolfSSL function to test for NTLM support. + Signed-off-by: Dan Kenigsberg - Fixes #5605 - Closes #5682 + Closes #5876 -- configure: show zstd "no" in summary when built without it - - Reported-by: Marc Hörsken - Fixes #5720 - Closes #5730 +- [Alessandro Ghedini brought this change] -- quiche: handle calling disconnect twice + docs: non-existing macros in man pages - Reported-by: lilongyan-huawei on github - Fixes #5726 - Closes #5727 + As reported by man(1) when invoked as: + + man --warnings -E UTF-8 -l -Tutf8 -Z >/dev/null + + Closes #5846 -- [Nicolas Sterchele brought this change] +- [Alessandro Ghedini brought this change] - getinfo: reset retry-after value in initinfo - - - Avoid re-using retry_after value from preceding request - - Add libtest 3010 to verify + curl.1: fix typo invokved -> invoked - Reported-by: joey-l-us on github - Fixes #5661 - Closes #5672 + Closes #5846 -Marcel Raad (27 Jul 2020) -- WIN32: stop forcing narrow-character API +- buildconf: invoke 'autoreconf -fi' instead - Except where the results are only used for character output. - getenv is not touched because it's part of the public API, and having - it return UTF-8 instead of ANSI would be a breaking change. + The custom script isn't necessary anymore - but remains for simplicity + and just invokes autoreconf. - Fixes https://github.com/curl/curl/issues/5658 - Fixes https://github.com/curl/curl/issues/5712 - Closes https://github.com/curl/curl/pull/5718 + Closes #5853 -Jay Satiro (27 Jul 2020) -- [Tobias Stoeckmann brought this change] +- [Emil Engler brought this change] - mprintf: Fix stack overflows - - Stack overflows can occur with precisions for integers and floats. - - Proof of concepts: - - curl_mprintf("%d, %.*1$d", 500, 1); - - curl_mprintf("%d, %+0500.*1$f", 500, 1); - - Ideally, compile with -fsanitize=address which makes this undefined - behavior a bit more defined for debug purposes. - - The format strings are valid. The overflows occur due to invalid - arguments. If these arguments are variables with contents controlled - by an attacker, the function's stack can be corrupted. + lib: make Curl_gethostname accept a const pointer - Also see CVE-2016-9586 which partially fixed the float aspect. + The address of that variable never gets changed, only the data in it so + why not make it a "char * const"? - Signed-off-by: Tobias Stoeckmann + Closes #5866 + +- docs/libcurl: update "Added in" version for curl_easy_option* - Closes https://github.com/curl/curl/pull/5722 + Follow-up to 6ebe63fac23f38 -- [Tobias Stoeckmann brought this change] +- scripts: improve the "get latest curl release tag" logic + + ... by insiting on it matching "^curl-". - mprintf: Fix dollar string handling +- configure: added --disable-get-easy-options - Verify that specified parameters are in range. If parameters are too - large, fail early on and avoid out of boundary accesses. + To allow disabling of the curl_easy_option APIs in a build. - Also do not read behind boundaries of illegal format strings. + Closes #5365 + +- options: API for meta-data about easy options - These are defensive measures since it is expected that format strings - are well-formed. Format strings should not be modifiable by user - input due to possible generic format string attacks. + const struct curl_easyoption *curl_easy_option_by_name(const char *name); - Closes https://github.com/curl/curl/pull/5722 - -Daniel Stenberg (26 Jul 2020) -- ntlm: free target_info before (re-)malloc + const struct curl_easyoption *curl_easy_option_by_id (CURLoption id); - OSS-Fuzz found a way this could get called again with the pointer still - pointing to a malloc'ed memory, leading to a leak. + const struct curl_easyoption * + curl_easy_option_next(const struct curl_easyoption *prev); - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 + The purpose is to provide detailed enough information to allow for + example libcurl bindings to get option information at run-time about + what easy options that exist and what arguments they expect. - Closes #5724 + Assisted-by: Jeroen Ooms + Closes #5365 -Marcel Raad (26 Jul 2020) -- CI/macos: set minimum macOS version - - This enables some deprecation warnings. - Previously, autotools defaulted to 10.8. +- [Eric Curtin brought this change] + + HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29 - Closes https://github.com/curl/curl/pull/5723 + Closes #5871 -Daniel Stenberg (26 Jul 2020) - RELEASE-NOTES: synced -Marcel Raad (25 Jul 2020) -- CI/macos: enable warnings as errors for CMake builds +Jay Satiro (26 Aug 2020) +- openssl: Fix wincrypt symbols conflict with BoringSSL - Closes https://github.com/curl/curl/pull/5716 - -- CMake: fix test for warning suppressions + OpenSSL undefines the conflicting symbols but BoringSSL does not so we + must do it ourselves. - GCC doesn't warn for unknown `-Wno-` options, except if there are other - warnings or errors [0]. This was problematic with `CURL_WERROR` as that - warning-as-error cannot be suppressed. Notably, this always happened - with `-Wno-pedantic-ms-format` when not targeting Windows. So test for - the positive form of the warning instead, which should always result in - a diagnostic if unknown. + Reported-by: Samuel Tranchet + Assisted-by: Javier Blazquez - [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html + Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371 + Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73 - Closes https://github.com/curl/curl/pull/5714 + Fixes https://github.com/curl/curl/issues/5669 + Closes https://github.com/curl/curl/pull/5857 -Jay Satiro (23 Jul 2020) -- curl.h: update CURLINFO_LASTONE - - CURLINFO_LASTONE should have been updated when - CURLINFO_EFFECTIVE_METHOD was added. +Daniel Stenberg (26 Aug 2020) +- socketpair: allow CURL_DISABLE_SOCKETPAIR - Reported-by: xwxbug@users.noreply.github.com + ... to completely disable the use of socketpair - Fixes https://github.com/curl/curl/issues/5711 + Closes #5850 -Marc Hoersken (22 Jul 2020) -- CI/azure: unconditionally enable warnings-as-errors with autotools - - Reviewed-by: Marcel Raad +- curl_get_line: build only if cookies or alt-svc are enabled - Follow up to #5694 - Closes #5706 + Closes #5851 -Marcel Raad (21 Jul 2020) -- doh: remove redundant cast - - Closes https://github.com/curl/curl/pull/5704 +- [fullincome brought this change] -- CI/macos: unconditionally enable warnings-as-errors with autotools + schannel: fix memory leak when using get_cert_location - Previously, warnings were only visible in the output for most jobs. + The get_cert_location function allocates memory only on success. + Previously get_cert_location was able to allocate memory and return + error. It wasn't obvious and in this case the memory wasn't + released. - Closes https://github.com/curl/curl/pull/5694 - -- util: silence conversion warnings - - timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might - be a 64-bit integer. This is the case when building for recent macOS - versions, for example. Just treat tv_usec as an int, which should - hopefully always be sufficient on systems with - `HAVE_CLOCK_GETTIME_MONOTONIC`. - - Closes https://github.com/curl/curl/pull/5695 + Fixes #5855 + Closes #5860 -- md(4|5): don't use deprecated macOS functions - - They are marked as deprecated for -mmacosx-version-min >= 10.15, - which might result in warnings-as-errors. - - Closes https://github.com/curl/curl/pull/5695 +- [Emil Engler brought this change] -Daniel Stenberg (18 Jul 2020) -- strdup: remove the odd strlen check + git: ignore libtests in 3XXX area - It confuses code analyzers with its use of -1 for unsigned value. Also, - a check that's not normally used in strdup() code - and not necessary. + Currently the file tests/libtest/lib3010 is not getting + ignored by git. This fixes it by adding the 3XXX area to + the according .gitignore file. - Closes #5697 + Closes #5859 -- [Alessandro Ghedini brought this change] +- [Emil Engler brought this change] - travis: update quiche builds for new boringssl layout - - This is required after https://github.com/cloudflare/quiche/pull/593 - moved BoringSSL around slightly. + doh: add error message for DOH_DNS_NAME_TOO_LONG - This also means that Go is not needed to build BoringSSL anymore (the - one provided by quiche anyway). + When this error code was introduced in b6a53fff6c1d07e8a9, it was + forgotten to be added in the errors array and doh_strerror function. - Closes #5691 + Closes #5863 -Marcel Raad (17 Jul 2020) -- configure: allow disabling warnings +- ngtcp2: adapt to the new pkt_info arguments - When using `--enable-warnings`, it was not possible to disable warnings - via CFLAGS that got explicitly enabled. Now warnings are not enabled - anymore if they are explicitly disabled (or enabled) in CFLAGS. This - works for at least GCC, clang, and TCC as they have corresponding - `-Wno-` options for every warning. + Guidance-by: Tatsuhiro Tsujikawa - Closes https://github.com/curl/curl/pull/5689 + Closes #5864 -Daniel Stenberg (16 Jul 2020) -- ngtcp2: adjust to recent sockaddr updates +- winbuild/README.md: make visible - Closes #5690 + Follow-up to be753add31c2d8c -- page-header: provide protocol details in the curl.1 man page +- winbuild: convert the instruction text to README.md - Add protocol and version specific information about all protocols curl - supports. + Closes #5861 + +- lib1560: verify "redirect" to double-slash leading URL - Fixes #5679 - Reported-by: tbugfinder on github - Closes #5686 + Closes #5849 -Daniel Gustafsson (16 Jul 2020) -- docs: Update a few leftover mentions of DarwinSSL +Marc Hoersken (25 Aug 2020) +- multi: expand pre-check for socket readiness - Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the - more correct/common name Secure Transport, but a few mentions in the docs - remained. + Check readiness of all sockets before waiting on them + to avoid locking in case the one-time event FD_WRITE + was already consumed by a previous wait operation. - Closes #5688 - Reviewed-by: Daniel Stenberg + More information about WinSock network events: + https://docs.microsoft.com/en-us/windows/win32/api/ + winsock2/nf-winsock2-wsaeventselect#return-value + + Closes #5634 -Daniel Stenberg (16 Jul 2020) -- file2memory: use a define instead of -1 unsigned value +- [rcombs brought this change] + + multi: implement wait using winsock events - ... to use the maximum value for 'size_t' when detecting integer overflow. - Changed the limit to max/4 as already that seems unreasonably large. + This avoids using a pair of TCP ports to provide wakeup functionality + for every multi instance on Windows, where socketpair() is emulated + using a TCP socket on loopback which could in turn lead to socket + resource exhaustion. - Codacy didn't like the previous approach. + A previous version of this patch failed to account for how in WinSock, + FD_WRITE is set only once when writing becomes possible and not again + until after a send has failed due to the buffer filling. This contrasts + to how FD_READ and FD_OOB continue to be set until the conditions they + refer to no longer apply. This meant that if a user wrote some data to + a socket, but not enough data to completely fill its send buffer, then + waited on that socket to become writable, we'd erroneously stall until + their configured timeout rather than returning immediately. - Closes #5683 - -- CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream + This version of the patch addresses that issue by checking each socket + we're waiting on to become writable with select() before the wait, and + zeroing the timeout if it's already writable. - ... by adding support for a new dedicated return code. + Assisted-by: Marc Hörsken + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg + Tested-by: Gergely Nagy + Tested-by: Rasmus Melchior Jacobsen + Tested-by: Tomas Berger - Suggested-by: Jonathan Cardoso - Assisted-by: Erik Johansson - URL: https://curl.haxx.se/mail/lib-2020-06/0099.html - Closes #5636 - -- [Baruch Siach brought this change] + Replaces #5397 + Reverts #5632 + Closes #5634 - nss: fix build with disabled proxy support +- select: reduce duplication of Curl_poll in Curl_socket_check - Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is - defined. + Change Curl_socket_check to use select-fallback in Curl_poll + instead of implementing it in Curl_socket_check and Curl_poll. - Closes #5667 - -- test1139: make it display the difference on test failures + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + + Replaces #5262 and #5492 + Closes #5707 -- test1119: verify stdout in the test +- select: fix poll-based check not detecting connect failure - So that failures will be displayed in the terminal, as it makes test failures - visually displayed easier and faster. + This commit changes Curl_socket_check to use POLLPRI to + check for connect failure on the write socket, because + POLLPRI maps to fds_err. This is in line with select(2). - Closes #5644 - -- curl: add %{method} to the -w variables + The select-based socket check correctly checks for connect + failures by adding the write socket also to fds_err. - Gets the CURLINFO_EFFECTIVE_METHOD from libcurl. + The poll-based implementation (which internally can itself + fallback to select again) did not previously check for + connect failure by using POLLPRI with the write socket. - Added test 1197 to verify. - -- CURLINFO_EFFECTIVE_METHOD: added + See the follow up commit to this for more information. - Provide the HTTP method that was used on the latest request, which might - be relevant for users when there was one or more redirects involved. + This commit makes sure connect failures can be detected + and handled if HAVE_POLL_FINE is defined, eg. on msys2-devel. - Closes #5511 + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + + Replaces #5509 + Prepares #5707 -Viktor Szakats (14 Jul 2020) -- windows: add unicode to feature list +- select.h: make socket validation macros test for INVALID_SOCKET + With Winsock the valid range is [0..INVALID_SOCKET-1] according to + https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2 + + Reviewed-by: Jay Satiro Reviewed-by: Marcel Raad - Reviewed-by: Marc Hörsken + Reviewed-by: Daniel Stenberg - Closes #5491 + Closes #5760 -Daniel Stenberg (14 Jul 2020) -- multi: remove two checks always true +Daniel Stenberg (24 Aug 2020) +- docs: --output-dir is added in 7.73.0, nothing else - Detected by Codacy - Closes #5676 + Follow-up to 5620d2cc78c0 -Marc Hoersken (13 Jul 2020) -- workflows: limit what branches to run CodeQL on +- curl: add --output-dir - Align CodeQL action with existing CI actions: - - Update branch filter to avoid duplicate CI runs. - - Shorten workflow name due to informative job name. + Works with --create-dirs and with -J - Reviewed-by: Daniel Stenberg + Add test 3008, 3009, 3011, 3012 and 3013 to verify. - Closes #5660 + Closes #5637 -- appveyor: collect libcurl.dll variants with prefix or suffix - - On some platforms libcurl is build with a platform-specific - prefix and/or a version number suffix. +- configure: fix pkg-config detecting wolfssl - Assisted-by: Jay Satiro + When amending the include path with "/wolfssl", this now properly strips + off all whitespace from the path variable! Previously this would lead to + pkg-config builds creating bad command lines. - Closes #5659 + Closes #5848 -Daniel Stenberg (12 Jul 2020) -- [ihsinme brought this change] +- [Michael Musset brought this change] - socks: use size_t for size variable + sftp: add the option CURLKHSTAT_FINE_REPLACE - Use the unsigned type (size_t) in the arithmetic of pointers. In this - context, the signed type (ssize_t) is used unnecessarily. + Replace the old fingerprint of the host with a new. - Authored-by: ihsinme on github - Closes #5654 + Closes #5685 - RELEASE-NOTES: synced - ... and bumped to 7.72.0 as the next release version number - -- [Gilles Vollant brought this change] + The next release is now to become 7.73.0 - content_encoding: add zstd decoding support +- checksrc: verify do-while and spaces between the braces - include zstd curl patch for Makefile.m32 from vszakats - and include Add CMake support for zstd from Peter Wu + Updated mprintf.c to comply - Helped-by: Viktor Szakats - Helped-by: Peter Wu - Closes #5453 + Closes #5845 -- asyn.h: remove the Curl_resolver_getsock define +- curl: support XDG_CONFIG_HOME to find .curlrc - - not used - - used the wrong number of arguments - - confused the Codeacy code analyzer + Added test433 to verify. Updated documentation. - Closes #5647 - -- [Nicolas Sterchele brought this change] + Reviewed-by: Jay Satiro + Suggested-by: Eli Schwartz + Fixes #5829 + Closes #5837 - configure.ac: Sort features name in summary +- etag: save and use the full received contents - - Same as protocols + ... which makes it support weak tags and non-standard etags too! - Closes #5656 - -- [Matthias Naegler brought this change] - - cmake: fix windows xp build - - Reviewed-by: Marcel Raad - Closes #5662 - -- ngtcp2: update to modified qlog callback prototype + Added test case 347 to verify blank incoming ETag: - Closes #5675 + Fixes #5610 + Closes #5833 -- transfer: fix memory-leak with CURLOPT_CURLU in a duped handle +- setopt: if the buffer exists, refuse the new BUFFERSIZE - Added test case 674 to reproduce and verify the bug report. + The buffer only exists during transfer and then we shouldn't change the + size (the setopt is not documented to work then). - Fixes #5665 - Reported-by: NobodyXu on github - Closes #5673 + Reported-by: Harry Sintonen + Closes #5842 -- [Baruch Siach brought this change] +- [COFFEETALES brought this change] - bearssl: fix build with disabled proxy support - - Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is - defined. + sftp: add new quote commands 'atime' and 'mtime' - Reviewed-by: Nicolas Sterchele - Closes #5666 - -- RELEASE-NOTES: synced - -Jay Satiro (11 Jul 2020) -- [Carlo Marcelo Arenas Belón brought this change] + Closes #5810 - cirrus-ci: upgrade 11-STABLE to 11.4 +- CURLE_PROXY: new error code - Meant to be the last of the 11 series and so make sure that all - other references reflect all 11 versions so they can be retired - together later. + Failures clearly returned from a (SOCKS) proxy now causes this return + code. Previously the situation was not very clear as what would be + returned and when. - Closes https://github.com/curl/curl/pull/5668 - -- [Filip Salomonsson brought this change] - - CURLINFO_CERTINFO.3: fix typo + In addition: when this error code is returned, an application can use + CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then + returns a value from the new 'CURLproxycode' enum. - Closes https://github.com/curl/curl/pull/5655 + Closes #5770 -Daniel Stenberg (4 Jul 2020) -- http2: only do the *done() cleanups for HTTP +- runtests: make cleardir() erase dot files too - Follow-up to ef86daf4d3 + Because test cases might use dot files. - Closes #5650 - Fixes #5646 - -- [Alex Kiernan brought this change] + Closes #5838 - gnutls: repair the build with `CURL_DISABLE_PROXY` - - `http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn` - if `CURL_DISABLE_PROXY` is enabled. Repair the build with that - configuration. +- KNOWN_BUGS: 'no_proxy' string-matches IPv6 numerical addreses - Signed-off-by: Alex Kiernan - Closes #5645 - -Alex Kiernan (3 Jul 2020) -- gnutls: Fetch backend when using proxy + Also: the current behavior is now documented in the curl.1 and + CURLOPT_NOPROXY.3 man pages. - Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge") - Signed-off-by: Alex Kiernan - -Daniel Stenberg (3 Jul 2020) -- [Laramie Leavitt brought this change] + Reported-by: Andrew Barnes + Closes #5745 + Closes #5841 - http2: close the http2 connection when no more requests may be sent - - Well-behaving HTTP2 servers send two GOAWAY messages. The first - message is a warning that indicates that the server is going to - stop accepting streams. The second one actually closes the stream. - - nghttp2 reports this state (and the other state of no more stream - identifiers) via the call nghttp2_session_check_request_allowed(). - In this state the client should not create more streams on the - session (tcp connection), and in curl this means that the server - has requested that the connection is closed. - - It would be also be possible to put the connclose() call into the - on_http2_frame_recv() function that triggers on the GOAWAY message. - - This fixes a bug seen when the client sees the following sequence of - frames: +Viktor Szakats (22 Aug 2020) +- Makefile.m32: add ability to override zstd libs [ci skip] - // advisory GOAWAY - HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1] - ... some additional frames + Similarly to brotli, where this was already possible. + E.g. it allows to link zstd statically to libcurl.dll. - // final GOAWAY - HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ] + Ref: https://github.com/curl/curl-for-win/issues/12 + Ref: https://github.com/curl/curl-for-win/commit/d9b266afd2e5d3f5604483010ef62340b5918c89 - Before this change, curl will attempt to reuse the connection even - after the last stream, will encounter this error: + Closes https://github.com/curl/curl/pull/5840 + +Daniel Stenberg (21 Aug 2020) +- runtests: avoid 'fail to start' repeated messages in attempt loops - * Found bundle for host localhost: 0x5595f0a694e0 [can multiplex] - * Re-using existing connection! (#0) with host localhost - * Connected to localhost (::1) port 10443 (#0) - * Using Stream ID: 9 (easy handle 0x5595f0a72e30) - > GET /index.html?5 HTTP/2 - > Host: localhost:10443 - > user-agent: curl/7.68.0 - > accept: */* - > - * stopped the pause stream! - * Connection #0 to host localhost left intact - curl: (16) Error in the HTTP2 framing layer + Closes #5834 + +- runtests: clear pid variables when failing to start a server - This error may posion the connection cache, causing future requests - which resolve to the same curl connection to go through the same error - path. + ... as otherwise the parent doesn't detect the failure and believe it + actually worked to start. - Closes #5643 + Reported-by: Christian Weisgerber + Bug: https://curl.haxx.se/mail/lib-2020-08/0018.html + Closes #5834 -- ftpserver: don't verify SMTP MAIL FROM names - - Rely on tests asking the names to get refused instead - test servers - should be as dumb as possible. Edited test 914, 955 and 959 accordingly. +- TODO: Virtual external sockets - Closes #5639 + Closes #5835 -- curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated +- [Don J Olmstead brought this change] + + dist: add missing CMake Find modules to the distribution - This came up in #5640. It make sense to clarify this in the docs! + Closes #5836 + +- RELEASE-NOTES: synced - Reminded-by: Kamil Dudka - Closes #5642 + ... and version bumped to 7.72.1 -Kamil Dudka (3 Jul 2020) -- tool_getparam: make --krb option work again +- tls: provide the CApath verbose log on its own line - It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301. + ... not newline separated from the previous line. This makes it output + asterisk prefixed properly like other verbose putput! - Bug: https://bugzilla.redhat.com/1833193 - Closes #5640 + Reported-by: jmdavitt on github + Fixes #5826 + Closes #5827 -Daniel Stenberg (2 Jul 2020) -- [Jeremy Maitin-Shepard brought this change] +Version 7.72.0 (19 Aug 2020) - http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages +Daniel Stenberg (19 Aug 2020) +- RELEASE-NOTES: synced - Confusingly, nghttp2 has two different error code enums: + The curl 7.72.0 release + +- THANKS: add names from curl 7.72.0 release + +Jay Satiro (18 Aug 2020) +- KNOWN_BUGS: Schannel TLS 1.2 handshake bug in old Windows versions - - nghttp2_error, to be used with nghttp2_strerror - - nghttp2_error_code, to be used with nghttp2_http2_strerror + Reported-by: plujon@users.noreply.github.com - Closes #5641 + Closes https://github.com/curl/curl/issues/5488 -Marcel Raad (2 Jul 2020) -- url: silence MSVC warning +Daniel Stenberg (17 Aug 2020) +- Curl_easy: remember last connection by id, not by pointer - Since commit f3d501dc678, if proxy support is disabled, MSVC warns: - url.c : warning C4701: potentially uninitialized local variable - 'hostaddr' used - url.c : error C4703: potentially uninitialized local pointer variable - 'hostaddr' used + CVE-2020-8231 - That could actually only happen if both `conn->bits.proxy` and - `CURL_DISABLE_PROXY` were enabled. - Initialize it to NULL to silence the warning. + Bug: https://curl.haxx.se/docs/CVE-2020-8231.html - Closes https://github.com/curl/curl/pull/5638 - -Daniel Stenberg (1 Jul 2020) -- RELEASE-NOTES: synced - -Version 7.71.1 (30 Jun 2020) + Reported-by: Marc Aldorasi + Closes #5824 -Daniel Stenberg (30 Jun 2020) -- RELEASE-NOTES: curl 7.71.1 +- examples/rtsp.c: correct the copyright year -- THANKS: add contributors to 7.71.1 +- RELEASE-PROCEDURE.md: add more future release dates -- scripts/copyright.pl: skip .dcignore +- [H3RSKO brought this change] -- Revert "multi: implement wait using winsock events" + docs: change "web site" to "website" - This reverts commit 8bc25c590e530de87595d1bb3577f699eb1309b9. + According to wikipedia: - That commit (from #5397) introduced a regression in 7.71.0. + While "web site" was the original spelling, this variant has become + rarely used, and "website" has become the standard spelling - Reported-by: tmkk on github - Fixes #5631 - Closes #5632 - -- TODO: Add flag to specify download directory + Closes #5822 -- TODO: return code to CURLMOPT_PUSHFUNCTION to fail connection +- [Bevan Weiss brought this change] -- cirrus-ci: disable FreeBSD 13 (again) - - It has been failing for a good while again. This time we better leave it - disabled until we have more reason to believe it behaves. + CMake: don't complain about missing nroff - Closes #5628 - -- ngtcp2: sync with current master + The curl_nroff_check() was always being called, and complaining if + *NROFF wasn't found, even when not making the manual. - ngtcp2 added two new callbacks + Only check for nroff (and complain) if actually making the manual - Reported-by: Lucien Zürcher - Fixes #5624 - Closes #5627 + Closes #5817 -- examples/multithread.c: call curl_global_cleanup() +- [Brian Inglis brought this change] + + libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin - Reported-by: qiandu2006 on github - Fixes #5622 - Closes #5623 - -- vtls: compare cert blob when finding a connection to reuse + copy the LDFLAGS approach for adding same option with `libhostname` in + `libtest/Makefile.am`: - Reported-by: Gergely Nagy - Fixes #5617 - Closes #5619 - -- RELEASE-NOTES: synced + - init `libstubgss_la_LDFLAGS_EXTRA` variable, + - add option to variable inside conditional, + - use variable in `libstubgss_la_LDFLAGS` + + Fixes #5819 + Closes #5820 -- terminology: call them null-terminated strings +- docs: clarify MAX_SEND/RECV_SPEED functionality - Updated terminology in docs, comments and phrases to refer to C strings - as "null-terminated". Done to unify with how most other C oriented docs - refer of them and what users in general seem to prefer (based on a - single highly unscientific poll on twitter). + ... in particular what happens if the maximum speed limit is set to a + value that's smaller than the transfer buffer size in use. - Reported-by: coinhubs on github - Fixes #5598 - Closes #5608 + Reported-by: Tomas Berger + Fixes #5788 + Closes #5813 -- http: fix proxy auth with blank password +- test1140: compare stdout - Regression in 7.71.0 + To make problems more immediately obvious when tests fail. - Added test case 346 to verify. + Closes #5814 + +- asyn-ares: correct some bad comments - Reported-by: Kristoffer Gleditsch - Fixes #5613 - Closes #5616 + Closes #5812 -- .dcignore: ignore tests and docs directories +- [Emil Engler brought this change] + + docs: Add video link to docs/CONTRIBUTE.md - This is a config file for deepcode.ai, a static code analyzer. + Closes #5811 -Jay Satiro (26 Jun 2020) -- tool_cb_hdr: Fix etag warning output and return code +- curl-config: ignore REQUIRE_LIB_DEPS in --libs output - - Return 'failure' on failure, to follow the existing style. + Fixes a curl-config issue on cygwin by making sure REQUIRE_LIB_DEPS is + not considered for the --libs output. - - Put Warning: and the warning message on the same line. + Reported-by: ramsay-jones on github + Assisted-by: Brian Inglis and Ken Brown + Fixes #5793 + Closes #5808 + +- copyright: update/correct the year range on a few files + +- scripts/copyright.pl: ignore .muse files + +- [Emil Engler brought this change] + + multi: Remove 10-year old out-commented code - Ref: https://github.com/curl/curl/issues/5610 + The code hasn't been touched since 2010-08-18 - Closes https://github.com/curl/curl/pull/5612 + Closes #5805 -Daniel Stenberg (26 Jun 2020) -- CURLOPT_READFUNCTION.3: provide the upload data size up front +- KNOWN_BUGS: A shared connection cache is not thread-safe - Assisted-by: Jay Satiro - Closes #5607 + Closes #4915 + Closes #5802 -- test1539: do a HTTP 1.0 POST without a set size (fails) +- CONTRIBUTE: extend git commit message description - Attempt to reproduce #5593. Test case 1514 is very similar but uses - HTTP/1.1 and thus switches to chunked. + In particular how the first line works. - Closes #5595 + Closes #5803 -- [Baruch Siach brought this change] +- RELEASE-NOTES: synced - mbedtls: fix build with disabled proxy support - - Don't reference fields that do not exist. Fixes build failure: +- [Stefan Yohansson brought this change] + + transfer: move retrycount from connect struct to easy handle - vtls/mbedtls.c: In function 'mbed_connect_step1': - vtls/mbedtls.c:249:54: error: 'struct connectdata' has no member named 'http_proxy' + This flag was applied to the connection struct that is released on + retry. These changes move the retry counter into Curl_easy struct that + lives across retries and retains the new connection. - Closes #5615 + Reported-by: Cherish98 on github + Fixes #5794 + Closes #5800 -- codeql-analysis.yml: fix the 'languages' setting +- libssh2: s/ssherr/sftperr/ - It needs a 'with:' in front of it. - -GitHub (26 Jun 2020) -- [Daniel Stenberg brought this change] - - gtihub: codeql-analysis.yml + The debug output used ssherr instead of sftperr which not only outputs + the wrong error code but also casues a warning on Windows. - enables code security scanning with github actions + Follow-up to 7370b4e39f1 + + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/7370b4e39f1390e701f5b68d910c619151daf72b#r41334700 + Closes #5799 -Daniel Stenberg (25 Jun 2020) -- tests: verify newline in username and password for HTTP +- ftp: don't do ssl_shutdown instead of ssl_close - test 1296 is a simply command line test + The shutdown function is for downgrading a connection from TLS to plain, + and this is not requested here. - test 1910 is a libcurl test including a redirect - -- url: allow user + password to contain "control codes" for HTTP(S) + Have ssl_close reset the TLS connection state. - Reported-by: Jon Johnson Jr - Fixes #5582 - Closes #5592 + This partially reverts commit f002c850d98d + + Reported-by: Rasmus Melchior Jacobsen + Reported-by: Denis Goleshchikhin + Fixes #5797 -- escape: make the URL decode able to reject only %00 bytes +Marc Hoersken (9 Aug 2020) +- CI/azure: fix test outcome values and use latest API version - ... or all "control codes" or nothing. + This makes sure that tests ignored or skipped are not shown + just in the category "Other", but with their correct state. - Assisted-by: Nicolas Sterchele + Closes #5796 -- http2: set the correct URL in pushed transfers +- CI/azure: show runtime stats to investigate slowness - ...previously CURLINFO_EFFECTIVE_URL would report the URL of the - original "mother transfer", not the actually pushed resource. + Also avoid naming conflict of TFLAGS env and tflags variables. - Reported-by: Jonathan Cardoso Machado - Fixes #5589 - Closes #5591 - -Jay Satiro (25 Jun 2020) -- [Javier Blazquez brought this change] + Closes #5776 - openssl: Fix compilation on Windows when ngtcp2 is enabled +Daniel Stenberg (8 Aug 2020) +- TLS naming: fix more Winssl and Darwinssl leftovers - - Include wincrypt before OpenSSL includes so that the latter can - properly handle any conflicts between the two. + The CMake option is now called CMAKE_USE_SCHANNEL - Closes https://github.com/curl/curl/pull/5606 - -Daniel Stenberg (25 Jun 2020) -- test543: extended to verify zero length input + The winbuild flag is USE_SCHANNEL - As was reported in #5601 - -- escape: zero length input should return a zero length output + The CI jobs and build scripts only use the new names and the new name + options - Regression added in 7.71.0. + Tests now require 'Schannel' (when necessary) - Fixes #5601 - Reported-by: Kristoffer Gleditsch - Closes #5602 + Closes #5795 -- Curl_inet_ntop: always check the return code +- smtp_parse_address: handle blank input string properly - Reported-by: Siva Sivaraman - Fixes #5412 - Closes #5597 + Closes #5792 -- sendf: improve the message on client write errors +- runtests: run the DICT server on a random port number - Replace "Failed writing body (X != Y)" with - "Failure writing output to destination". Possibly slightly less cryptic. + Removed support for -b (base port number) - Reported-by: coinhubs on github - Fixes #5594 - Closes #5596 + Closes #5783 - RELEASE-NOTES: synced -- curlver: start working on 7.71.1 - -- [Denis Baručić brought this change] - - DYNBUF.md: fix a typo: trail => tail +- runtests: move the TELNET server to a dynamic port - Closes #5599 + Rename the port variable to TELNETPORT to better match the existing + pattern. + + Closes #5785 -Version 7.71.0 (23 Jun 2020) +- ngtcp2: adapt to error code rename + + Closes #5786 -Daniel Stenberg (23 Jun 2020) -- RELEASE-NOTES: curl 7.71.0 release +- runtests: move the smbserver to use a dynamic port number + + Closes #5782 -- THANKS: curl 7.71.0 additions +- runtests: run the http2 tests on a random port number + + Closes #5779 -- url: make sure pushed streams get an allocated download buffer +- gtls: survive not being able to get name/issuer - Follow-up to c4e6968127e876b0 + Closes #5778 + +- runtests: move the gnutls-serv tests to a dynamic port - When a new transfer is created, as a resuly of an acknowledged push, - that transfer needs a download buffer allocated. + Affects test 320, 321, 322 and 324. - Closes #5590 + Closes #5778 -Jay Satiro (22 Jun 2020) -- openssl: Don't ignore CA paths when using Windows CA store +- runtests: support dynamicly base64 encoded sections in tests - This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does - not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default - locations. Instead the CA store can now be used at the same time. + This allows us to make test cases to use base64 at run-time and still + use and verify information determined at run-time, such as the IMAP test + server's port number in test 842. - The change is due to the impending release. The issue is still being - discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and - is now documented as experimental. + This change makes 12 tests run again that basically never ran since we + moved to dynamic port numbers. - Ref: bc052cc (parent commit) - Ref: https://github.com/curl/curl/issues/5585 - -- tool_operate: Don't use Windows CA store as a fallback + ftpserver.pl is adjusted to load test instructions and test number from + the preprocessed test file. - Background: + FILEFORMAT.md now documents the new base64 encoding syntax. - 148534d added CURLSSLOPT_NATIVE_CA to use the Windows OS certificate - store in libcurl w/ OpenSSL on Windows. CURLSSLOPT_NATIVE_CA overrides - CURLOPT_CAINFO if both are set. The curl tool will fall back to - CURLSSLOPT_NATIVE_CA if it could not find a certificate bundle to set - via CURLOPT_CAINFO. - - Problem: - - libcurl may be built with hardcoded paths to a certificate bundle or - directory, and if CURLSSLOPT_NATIVE_CA is used then those paths are - ignored. - - Solution: - - A solution is still being discussed but since there's an impending - release this commit removes using CURLSSLOPT_NATIVE_CA in the curl tool. - - Ref: https://github.com/curl/curl/issues/5585 + Reported-by: Marcel Raad + Fixes #5761 + Closes #5775 -- openssl: Fix CA fallback logic for OpenSSL 3.0 build +- curl.1: add a few missing valid exit codes - Prior to this change I assume a build error would occur when - CURL_CA_FALLBACK was used. + 93 - 96 can be returned as well. - Closes https://github.com/curl/curl/pull/5587 - -Daniel Stenberg (22 Jun 2020) -- copyright: update mismatched copyright years + Closes #5777 -- test1460: verify that -Ji is not ok +- TODO: Use multiple parallel transfers for a single download + + Closes #5774 -- tool_getparam: -i is not OK if -J is used +- TODO: Set the modification date on an uploaded file - Reported-by: sn on hackerone - Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + Closes #5768 -- [Peter Wu brought this change] +- [Thomas M. DuBuisson brought this change] - CMake: ignore INTERFACE_LIBRARY targets for pkg-config file + CI: Add muse CI config - Reviewed-by: Marcel Raad - Fixes #5512 - Closes #5517 + Closes #5772 -- [Valentyn Korniienko brought this change] +- [Thomas M. DuBuisson brought this change] - multibyte: Fixed access-> waccess to file for Windows Plarform + travis/script.sh: fix use of `-n' with unquoted envvar - Reviewed-by: Marcel Raad - Closes #5580 - -- altsvc: bump to h3-29 + Shellcheck tells us "-n doesn't work with unquoted arguments. quote or + use [[ ]]." - Closes #5584 - -- urlglob: treat literal IPv6 addresses with zone IDs as a host name + And testing shows: - ... and not as a "glob". Now done by passing the supposed host to the - URL parser which supposedly will do a better job at identifying "real" - numerical IPv6 addresses. + ``` + docker run --rm -it ubuntu bash + root@fe85ce156856:/# [ -n $DOES_NOT_EXIST ] && echo "I ran" + I ran + root@fe85ce156856:/# [ -n "$DOES_NOT_EXIST" ] && echo "I ran" + root@fe85ce156856:/# + ``` - Reported-by: puckipedia on github - Fixes #5576 - Closes #5579 - -- test1179: verify error message for non-existing cmdline option + Closes #5773 -- tool_getparam: repair the error message for unknown flag +- h2: repair trailer handling - Follow-up to 9e5669f3880674 - Detected by Coverity CID 1464582 ("Logically dead code") + The previous h2 trailer fix in 54a2b63 was wrong and caused a + regression: it cannot deal with trailers immediately when read since + they may be read off the connection by the wrong 'data' owner. - Closes #5577 - -- FILEFORMAT: describe verify/stderr + This change reverts the logic back to gathering all trailers into a + single buffer, like before 54a2b63. + + Reported-by: Tadej Vengust + Fixes #5663 + Closes #5769 -- connect: improve happy eyeballs handling +Viktor Szakats (3 Aug 2020) +- windows: disable Unix Sockets for old mingw - For QUIC but also for regular TCP when the second family runs out of IPs - with a failure while the first family is still trying to connect. + Classic mingw and 10y+ old versions of mingw-w64 don't ship with + Windows headers having the typedef necessary for Unix Sockets + support, so try detecting these environments to disable this + feature. - Separated the timeout handling for IPv4 and IPv6 connections when they - both have a number of addresses to iterate over. - -- ngtcp2: never call fprintf() in lib code in release version - -- ngtcp2: fix happy eyeballs quic connect crash + Ref: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/cf6afc57179a5910621215f8f4037d406892072c/ - Reported-by: Peter Wu - Fixes #5565 - Closes #5568 - -- select: remove the unused ELAPSED_MS() macro + Reviewed-by: Daniel Stenberg - Closes #5573 - -Marc Hoersken (17 Jun 2020) -- [rcombs brought this change] + Fixes #5674 + Closes #5758 - multi: implement wait using winsock events - - This avoids using a pair of TCP ports to provide wakeup functionality - for every multi instance on Windows, where socketpair() is emulated - using a TCP socket on loopback which could in turn lead to socket - resource exhaustion. +Marcel Raad (3 Aug 2020) +- test1908: treat file as text - Reviewed-by: Gergely Nagy - Reviewed-by: Marc Hörsken + Fixes the line endings on Windows. - Closes #5397 + Closes https://github.com/curl/curl/pull/5767 -Daniel Stenberg (17 Jun 2020) -- manpage: add three missing environment variables +- TrackMemory tests: ignore realloc and free in getenv.c - CURL_SSL_BACKEND, QLOGDIR and SSLKEYLOGFILE + These are only called for WIN32. - Closes #5571 + Closes https://github.com/curl/curl/pull/5767 + +Daniel Stenberg (3 Aug 2020) +- tests/FILEFORMAT.md: mention %HTTP2PORT - RELEASE-NOTES: synced -- configure: for wolfSSL, check for the DES func needed for NTLM +- tlsv1.3.d. only for TLS-using connections - Also adds pkg-config support for the wolfSSL detection. - -- [Ruurd Beerstra brought this change] - - ntlm: enable NTLM support with wolfSSL + ... and rephrase that "not all" TLS backends support it. - When wolfSSL is built with its OpenSSL API layer, it fetures the same DES* - functions that OpenSSL has. This change take advantage of that. + Closes #5764 + +- tls-max.d: this option is only for TLS-using connections - Co-authored-by: Daniel Stenberg - Closes #5556 - Fixes #5548 + Ref: #5763 + Closes #5764 -- http: move header storage to Curl_easy from connectdata +Marcel Raad (2 Aug 2020) +- [Cameron Cawley brought this change] + + tool_doswin: Simplify Windows version detection - Since the connection can be used by many independent requests (using - HTTP/2 or HTTP/3), things like user-agent and other transfer-specific - data MUST NOT be kept connection oriented as it could lead to requests - getting the wrong string for their requests. This struct data was - lingering like this due to old HTTP1 legacy thinking where it didn't - mattered.. + Closes https://github.com/curl/curl/pull/5754 + +- [Cameron Cawley brought this change] + + win32: Add Curl_verify_windows_version() to curlx - Fixes #5566 - Closes #5567 + Closes https://github.com/curl/curl/pull/5754 -- CODE_REVIEW.md: how to do code reviews in curl +- runtests.pl: treat LibreSSL and BoringSSL as OpenSSL - Assisted-by: Daniel Gustafsson - Assisted-by: Rich Salz - Assisted-by: Hugo van Kemenade - Assisted-by: James Fuller - Assisted-by: Marc Hörsken - Assisted-by: Jay Satiro + This makes the tests that require the OpenSSL feature also run for + those two compatible libraries. - Closes #5555 + Closes https://github.com/curl/curl/pull/5762 -- altsvc: remove the num field from the altsvc struct +Daniel Stenberg (1 Aug 2020) +- multi: Condition 'extrawait' is always true - It was superfluous since we have the list.size alredy + Reported by Codacy. - Reported-by: Jay Satiro - Fixes #5553 - Closes #5563 + Reviewed-by: Marcel Raad + Closes #5759 -- version.d: expanded and alpha-sorted +Marcel Raad (1 Aug 2020) +- openssl: fix build with LibreSSL < 2.9.1 - Added a few missing features not previously mentioned. Ordered them - alphabetically. + `SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were + introduced in LibreSSL 2.9.1 [0]. - Closes #5558 - -- ABI.md: rename to .md and polish the markdown + [0] https://github.com/libressl-portable/openbsd/commit/0db809ee178457c8170abfae3931d7bd13abf3ef - Closes #5562 + Closes https://github.com/curl/curl/pull/5757 -- HELP-US: add a section for "smaller tasks" - - The point of this section is to meet the CII Best Practices gold level - critera: +Daniel Stenberg (1 Aug 2020) +- [Marc Aldorasi brought this change] + + multi_remove_handle: close unused connect-only connections - "The project MUST clearly identify small tasks that can be performed by - new or casual contributors" + Previously any connect-only connections in a multi handle would be kept + alive until the multi handle was closed. Since these connections cannot + be re-used, they can be marked for closure when the associated easy + handle is removed from the multi handle. - Closes #5560 + Closes #5749 -- TODO: retry on the redirected-to URL +- checksrc: invoke script with -D to find .checksrc proper - Closes #5462 - -- mailmap: Nicolas Sterchele + Without the -D command line option, checksrc.pl won't know which + directory to load the ".checksrc" file from when building out of the + source tree. + + Reported-by: Marcel Raad + Fixes #5715 + Closes #5755 -- [Nicolas Sterchele brought this change] +- [Carlo Marcelo Arenas Belón brought this change] - TODO: remove 19.3 section title - - Follow-up to ad6416986755e417c66e2c6, which caused wrong formatting on - curl documentation website + buildconf: retire ares buildconf invocation - Closes #5561 + no longer needed after 4259d2df7dd95637a4b1e3fb174fe5e5aef81069 -- [Martin V brought this change] +- [Carlo Marcelo Arenas Belón brought this change] - test1560: avoid possibly negative association in wording + buildconf: excempt defunct reference to ACLOCAL_FLAGS - Closes #5549 - -- share: don't set the share flag it something fails - - When asking for a specific feature to be shared in the share object, - that bit was previously set unconditionally even if the shared feature - failed or otherwise wouldn't work. - - Closes #5554 - -- buildconf: remove -print from the find command that removes files - - It's just too annoying and unnecessary to get a long list of files shown + retired with 09f278121e815028adb24d228d8092fc6cb022aa but kept around as + the name is generic enough that it might be in use and relied upon from + the environment. -- RELEASE-NOTES: synced +- [Carlo Marcelo Arenas Belón brought this change] -- wording: avoid blacklist/whitelist stereotypes - - Instead of discussing if there's value or meaning (implied or not) in - the colors, let's use words without the same possibly negative - associations. + buildconf: avoid array concatenation in die() - Closes #5546 - -Jay Satiro (9 Jun 2020) -- tool_getparam: fix memory leak in parse_args + reported as error SC2145[1] by shellcheck, but not expected to cause + any behavioural differences otherwise. - Prior to this change in Windows Unicode builds most parsed options would - not be freed. + [1] https://github.com/koalaman/shellcheck/wiki/SC2145 - Found using _CrtDumpMemoryLeaks(). + Closes #5701 + +- travis: add ppc64le and s390x builds - Ref: https://github.com/curl/curl/issues/5545 + Closes #5752 -Daniel Stenberg (8 Jun 2020) -- socks: detect connection close during handshake +Marc Hoersken (31 Jul 2020) +- connect: remove redundant message about connect failure - The SOCKS4/5 state machines weren't properly terminated when the proxy - connection got closed, leading to a busy-loop. + Reviewed-by: Daniel Stenberg - Reported-By: zloi-user on github - Fixes #5532 - Closes #5542 - -- [James Fuller brought this change] + Closes #5708 - multi: add defensive check on data->multi->num_alive +- tests/sshserver.pl: fix compatibility with OpenSSH for Windows - Closes #5540 + Follow up to #5721 -- Curl_addrinfo: use one malloc instead of three +- CI/azure: install libssh2 for use with msys2-based builds - To reduce the amount of allocations needed for creating a Curl_addrinfo - struct, make a single larger malloc instead of three separate smaller - ones. + This enables building and running the SFTP tests. + Unfortunately OpenSSH for Windows does not support SCP (yet). - Closes #5533 - -- [Alessandro Ghedini brought this change] + Reviewed-by: Daniel Stenberg + + Closes #5721 - quiche: update SSLKEYLOGFILE support +- CI/azure: increase Windows job timeout once again - quiche now requires the application to explicitly set the keylog path - for each connection, rather than reading the environment variable - itself. + Avoid aborted jobs due to performance issues on Azure DevOps. - Closes #5541 + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + + Closes #5738 -- tests: add two simple tests for --login-options +Jay Satiro (30 Jul 2020) +- TODO: Schannel: 'Add option to allow abrupt server closure' - Test 895 and 896 - as a follow-up to a3e972313b + We should offer an option to allow abrupt server closures (server closes + SSL transfer without sending a known termination point such as length of + transfer or close_notify alert). Abrupt server closures are usually + because of misconfigured or very old servers. - Closes #5539 + Closes https://github.com/curl/curl/issues/4427 -- ngtcp2: update with recent API changes +- url: fix CURLU and location following - Syncs with ngtcp2 commit 7e9a917d386d98 merged June 7 2020. + Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was + incorrectly used for the location follow, resulting in infinite requests + to the original location. - Assisted-by: Tatsuhiro Tsujikawa - Closes #5538 + Reported-by: sspiri@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/5709 + Closes https://github.com/curl/curl/pull/5713 -- [James Fuller brought this change] +Daniel Stenberg (30 Jul 2020) +- RELEASE-NOTES: synced - socks: remove unreachable breaks in socks.c and mime.c - - Closes #5537 +- [divinity76 brought this change] -- tool_cfgable: free login_options at exit + docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions - Memory leak - Reported-by: Geeknik Labs - Fixes #5535 - Closes #5536 + it helps make it obvious that most developers don't have to care about + the CURLM_CALL_MULTI_PERFORM value (last release using it is nearly 11 + years old, November 4 2009) + + Closes #5744 -- libssh2: keep sftp errors as 'unsigned long' +Jay Satiro (29 Jul 2020) +- tool_cb_wrt: fix outfile mode flags for Windows - Remove weird work-around for storing the SFTP errors as int instead of - the "unsigned long" that libssh2 actually returns for SFTP errors. + - Use S_IREAD and S_IWRITE mode permission flags to create the file + on Windows instead of S_IRUSR, S_IWUSR, etc. - Closes #5534 - -Marc Hoersken (6 Jun 2020) -- timeouts: move ms timeouts to timediff_t from int and long + Windows only accepts a combination of S_IREAD and S_IWRITE. It does not + acknowledge other combinations, for which it may generate an assertion. - Now that all functions in select.[ch] take timediff_t instead - of the limited int or long, we can remove type conversions - and related preprocessor checks to silence compiler warnings. + This is a follow-up to 81b4e99 from yesterday, which improved the + existing file check with -J. - Avoiding conversions from time_t was already done in 842f73de. + Ref: https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/open-wopen#remarks + Ref: https://github.com/curl/curl/pull/5731 - Based upon #5262 - Supersedes #5214, #5220 and #5221 - Follow up to #5343 and #5479 - Closes #5490 - -Daniel Stenberg (6 Jun 2020) -- [François Rigault brought this change] + Closes https://github.com/curl/curl/pull/5742 - openssl: set FLAG_TRUSTED_FIRST unconditionally +Daniel Stenberg (28 Jul 2020) +- checksrc: ban gmtime/localtime - On some systems, openssl 1.0.x is still the default, but it has been - patched to contain all the recent security fixes. As a result of this - patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be - defined, while the previous behavior of openssl to not look at trusted - chains first, remains. + They're not thread-safe so they should not be used in libcurl code. - Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to - probe for the behavior of openssl based on the existence ofmacros. + Explictly enabled when deemed necessary and in examples and tests - Closes #5530 + Reviewed-by: Nicolas Sterchele + Closes #5732 -- server/util: fix logmsg format using curl_off_t argument +- transfer: fix data_pending for builds with both h2 and h3 enabled - ... this caused segfaults on armv7. + Closes #5734 + +- curl_multi_setopt: fix compiler warning "result is always false" - Regression added in dd0365d560aea5a (7.70.0) + On systems with 32 bit long the expression is always false. Avoid + the warning. - Reviewed-by: Jay Satiro - Closes #5529 - -- RELEASE-NOTES: synced - -- [Cherish98 brought this change] + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232 + Closes #5736 - socks: fix expected length of SOCKS5 reply +- curl: improve the existing file check with -J - Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the - reply ATYP is X'01'. This resulted in erroneously expecting more bytes - when the request length is greater than the reply length (e.g., when - remotely resolving the hostname). + Previously a file that isn't user-readable but is user-writable would + not be properly avoided and would get overwritten. - Closes #5527 + Reported-by: BrumBrum on hackerone + Assisted-by: Jay Satiro + Bug: https://hackerone.com/reports/926638 + Closes #5731 -Marc Hoersken (5 Jun 2020) -- .gitignore: add directory containing the stats repo - - Since the new curl/stats repository is designed to be - checked out into the curl repository working tree as stats/ - it should be on the ignore list to aid in commit staging. +- [Jonathan Nieder brought this change] -Daniel Stenberg (5 Jun 2020) -- [Adnan Khan brought this change] + multi: update comment to say easyp list is linear + + Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1, + 2013-08-02), the easy handle list is not circular but ends with + ->next pointing to NULL. + + Reported-by: Masaya Suzuki + Closes #5737 - HTTP3.md: clarify cargo build directory +- CURLOPT_NOBODY.3: fix the syntax for referring to options - Cargo needs to be called from within the 'quiche' directory. + As test 1140 fails otherwise! - Closes #5522 + Follow-up to e1bac81cc815 -- user-agent.d: spell out what happens given a blank argument +- ngtcp2: store address in sockaddr_storage - Closes #5525 + Reported-by: Tatsuhiro Tsujikawa + Closes #5733 -- trailers: switch h1-trailer logic to use dynbuf +- CURLOPT_NOBODY.3: clarify what setting to 0 means - In the continued effort to remove "manual" realloc schemes. + ... and mention that HTTP with other methods than HEAD might get a body and + there's no option available to stop that. - Closes #5524 + Closes #5729 -- CURLINFO_ACTIVESOCKET.3: clarify the description +- setopt: unset NOBODY switches to GET if still HEAD - Reported-by: Jay Satiro - Fixes #5299 - Closes #5520 + Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented + action but before 7.71.0 that used to switch back to GET and with this + change (assuming the method is still set to HEAD) this behavior is + brought back. + + Reported-by: causal-agent on github + Fixes #5725 + Closes #5728 -- mailmap: Don J Olmstead +- [Ehren Bendler brought this change] -- configure: only strip first -L from LDFLAGS + configure: cleanup wolfssl + pkg-config conflicts when cross compiling. - In the logic that works out if a given OpenSSL path works, it stripped - off a possibly leading -L flag using an incorrect sed pattern which - would remove all instances of -L in the string, including if the path - itself contained that two-letter sequence! + Also choose a different wolfSSL function to test for NTLM support. - The same pattern was used and is now updated in multiple places. Now it - only removes -L if it starts the strings. + Fixes #5605 + Closes #5682 + +- configure: show zstd "no" in summary when built without it - Reported-by: Mohamed Osama - Fixes #5519 - Closes #5521 + Reported-by: Marc Hörsken + Fixes #5720 + Closes #5730 -Peter Wu (4 Jun 2020) -- quiche: advertise draft 28 support +- quiche: handle calling disconnect twice - Fix the verbose message while at it, quiche currently supports draft - 27 and draft 28 simultaneously. + Reported-by: lilongyan-huawei on github + Fixes #5726 + Closes #5727 + +- [Nicolas Sterchele brought this change] + + getinfo: reset retry-after value in initinfo - Closes #5518 + - Avoid re-using retry_after value from preceding request + - Add libtest 3010 to verify + + Reported-by: joey-l-us on github + Fixes #5661 + Closes #5672 -Daniel Stenberg (4 Jun 2020) -- KNOWN_BUGS: RTSP authentication breaks without redirect support +Marcel Raad (27 Jul 2020) +- WIN32: stop forcing narrow-character API - Closes #4750 + Except where the results are only used for character output. + getenv is not touched because it's part of the public API, and having + it return UTF-8 instead of ANSI would be a breaking change. + + Fixes https://github.com/curl/curl/issues/5658 + Fixes https://github.com/curl/curl/issues/5712 + Closes https://github.com/curl/curl/pull/5718 -Jay Satiro (4 Jun 2020) -- projects: Add crypt32.lib to dependencies for all OpenSSL configs +Jay Satiro (27 Jul 2020) +- [Tobias Stoeckmann brought this change] + + mprintf: Fix stack overflows - Windows project configurations that use OpenSSL with USE_WIN32_CRYPTO - need crypt32. + Stack overflows can occur with precisions for integers and floats. - Follow-up to 148534d which added CURLSSLOPT_NATIVE_CA for 7.71.0. + Proof of concepts: + - curl_mprintf("%d, %.*1$d", 500, 1); + - curl_mprintf("%d, %+0500.*1$f", 500, 1); - The changes that are in this commit were made by script. + Ideally, compile with -fsanitize=address which makes this undefined + behavior a bit more defined for debug purposes. - Ref: https://gist.github.com/jay/a1861b50ecce2b32931237180f856e28 + The format strings are valid. The overflows occur due to invalid + arguments. If these arguments are variables with contents controlled + by an attacker, the function's stack can be corrupted. - Closes https://github.com/curl/curl/pull/5516 - -Marc Hoersken (3 Jun 2020) -- CI/macos: fix 'is already installed' errors by using bundle + Also see CVE-2016-9586 which partially fixed the float aspect. - Avoid failing CI builds due to nghttp2 being already installed. + Signed-off-by: Tobias Stoeckmann - Closes #5513 - -Daniel Stenberg (3 Jun 2020) -- altsvc: fix 'dsthost' may be used uninitialized in this function + Closes https://github.com/curl/curl/pull/5722 -- RELEASE-NOTES: synced +- [Tobias Stoeckmann brought this change] -- urldata: let the HTTP method be in the set.* struct + mprintf: Fix dollar string handling - When the method is updated inside libcurl we must still not change the - method as set by the user as then repeated transfers with that same - handle might not execute the same operation anymore! + Verify that specified parameters are in range. If parameters are too + large, fail early on and avoid out of boundary accesses. - This fixes the libcurl part of #5462 + Also do not read behind boundaries of illegal format strings. - Test 1633 added to verify. + These are defensive measures since it is expected that format strings + are well-formed. Format strings should not be modifiable by user + input due to possible generic format string attacks. - Closes #5499 + Closes https://github.com/curl/curl/pull/5722 -- hostip: fix the memory-leak introduced in 67d2802 +Daniel Stenberg (26 Jul 2020) +- ntlm: free target_info before (re-)malloc - Fixes #5503 - Closes #5504 - -- test970: make it require proxy support + OSS-Fuzz found a way this could get called again with the pointer still + pointing to a malloc'ed memory, leading to a leak. - This test verifies the -w %json output and the test case includes a full - generated "blob". If there's no proxy support built into libcurl, it - will return an error for proxy related info variables and they will not - be included in the json, thus causing a mismatch and this test fails. + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 - Reported-by: Marc Hörsken - Fixes #5501 - Closes #5502 - -- [Radoslav Georgiev brought this change] + Closes #5724 - examples/http2-down/upload: add error checks - - If `index.html` does not exist in the directory from which the example - is invoked, the fopen(upload, "rb") invocation in `setup` would fail, - returning NULL. This value is subsequently passed as the FILE* argument - of the `fread` invocation in the `read_callback` function, which is the - actual cause of the crash (apparently `fread` assumes that argument to - be non-null). +Marcel Raad (26 Jul 2020) +- CI/macos: set minimum macOS version - In addition, mitigate some possible crashes of similar origin. + This enables some deprecation warnings. + Previously, autotools defaulted to 10.8. - Closes #5463 + Closes https://github.com/curl/curl/pull/5723 -- [kotoriのねこ brought this change] +Daniel Stenberg (26 Jul 2020) +- RELEASE-NOTES: synced - examples/ephiperfifo: turn off interval when setting timerfd +Marcel Raad (25 Jul 2020) +- CI/macos: enable warnings as errors for CMake builds - Reported-by: therealhirudo on github - Fixes #5485 - Closes #5497 - -- [Saleem Abdulrasool brought this change] + Closes https://github.com/curl/curl/pull/5716 - vtls: repair the build with `CURL_DISABLE_PROXY` +- CMake: fix test for warning suppressions - `http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY` - is enabled. Repair the build with that configuration. + GCC doesn't warn for unknown `-Wno-` options, except if there are other + warnings or errors [0]. This was problematic with `CURL_WERROR` as that + warning-as-error cannot be suppressed. Notably, this always happened + with `-Wno-pedantic-ms-format` when not targeting Windows. So test for + the positive form of the warning instead, which should always result in + a diagnostic if unknown. - Follow-up to f3d501dc67 + [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html - Closes #5498 + Closes https://github.com/curl/curl/pull/5714 -- transfer: remove k->str NULL check +Jay Satiro (23 Jul 2020) +- curl.h: update CURLINFO_LASTONE - "Null-checking k->str suggests that it may be null, but it has already - been dereferenced on all paths leading to the check" - and it can't - legally be NULL at this point. Remove check. + CURLINFO_LASTONE should have been updated when + CURLINFO_EFFECTIVE_METHOD was added. - Detected by Coverity CID 1463884 + Reported-by: xwxbug@users.noreply.github.com - Closes #5495 + Fixes https://github.com/curl/curl/issues/5711 -Marc Hoersken (1 Jun 2020) -- select: always use Sleep in Curl_wait_ms on Win32 +Marc Hoersken (22 Jul 2020) +- CI/azure: unconditionally enable warnings-as-errors with autotools - Since Win32 almost always will also have USE_WINSOCK, - we can reduce complexity and always use Sleep there. + Reviewed-by: Marcel Raad - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Follow up to #5694 + Closes #5706 + +Marcel Raad (21 Jul 2020) +- doh: remove redundant cast - Follow up to #5343 - Closes #5489 + Closes https://github.com/curl/curl/pull/5704 -Daniel Stenberg (31 May 2020) -- conncache: download buffer needs +1 size for trailing zero +- CI/macos: unconditionally enable warnings-as-errors with autotools - Follow-up to c4e6968127e - Detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5727799779524608 + Previously, warnings were only visible in the output for most jobs. + + Closes https://github.com/curl/curl/pull/5694 -Marc Hoersken (31 May 2020) -- azure: use matrix strategy to avoid configuration redundancy +- util: silence conversion warnings - This also includes the following changes: + timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might + be a 64-bit integer. This is the case when building for recent macOS + versions, for example. Just treat tv_usec as an int, which should + hopefully always be sufficient on systems with + `HAVE_CLOCK_GETTIME_MONOTONIC`. - - Use the same timeout for all jobs on Linux (60 minutes) - and Windows (90 minutes) - - Use CLI stable apt-get install -y instead of apt install - which warns about that and run apt-get update first - - Enable MQTT for Windows msys2 builds instead of - legacy msys1 builds - - Add ./configure --prefix parameter to the msys2 builds - - The MSYSTEM environment variable is now preset inside - the container images for the msys2 builds + Closes https://github.com/curl/curl/pull/5695 + +- md(4|5): don't use deprecated macOS functions - Note: on Azure Pipelines the matrix strategy is basically - just a simple list of job copies and not really a matrix. + They are marked as deprecated for -mmacosx-version-min >= 10.15, + which might result in warnings-as-errors. - Closes #5468 + Closes https://github.com/curl/curl/pull/5695 -Daniel Stenberg (30 May 2020) -- build: disable more code/data when built without proxy support +Daniel Stenberg (18 Jul 2020) +- strdup: remove the odd strlen check - Added build to travis to verify + It confuses code analyzers with its use of -1 for unsigned value. Also, + a check that's not normally used in strdup() code - and not necessary. - Closes #5466 + Closes #5697 -- url: alloc the download buffer at transfer start +- [Alessandro Ghedini brought this change] + + travis: update quiche builds for new boringssl layout - ... and free it as soon as the transfer is done. It removes the extra - alloc when a new size is set with setopt() and reduces memory for unused - easy handles. + This is required after https://github.com/cloudflare/quiche/pull/593 + moved BoringSSL around slightly. - In addition: the closure_handle now doesn't use an allocated buffer at - all but the smallest supported size as a stack based one. + This also means that Go is not needed to build BoringSSL anymore (the + one provided by quiche anyway). - Closes #5472 + Closes #5691 -- timeouts: change millisecond timeouts to timediff_t from time_t +Marcel Raad (17 Jul 2020) +- configure: allow disabling warnings - For millisecond timers we like timediff_t better. Also, time_t can be - unsigned so returning a negative value doesn't work then. + When using `--enable-warnings`, it was not possible to disable warnings + via CFLAGS that got explicitly enabled. Now warnings are not enabled + anymore if they are explicitly disabled (or enabled) in CFLAGS. This + works for at least GCC, clang, and TCC as they have corresponding + `-Wno-` options for every warning. - Closes #5479 + Closes https://github.com/curl/curl/pull/5689 -Marc Hoersken (30 May 2020) -- select: add overflow checks for timeval conversions +Daniel Stenberg (16 Jul 2020) +- ngtcp2: adjust to recent sockaddr updates - Using time_t and suseconds_t if suseconds_t is available, - long on Windows (maybe others in the future) and int elsewhere. + Closes #5690 + +- page-header: provide protocol details in the curl.1 man page - Also handle case of ULONG_MAX being greater or equal to INFINITE. + Add protocol and version specific information about all protocols curl + supports. - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Fixes #5679 + Reported-by: tbugfinder on github + Closes #5686 + +Daniel Gustafsson (16 Jul 2020) +- docs: Update a few leftover mentions of DarwinSSL - Part of #5343 + Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the + more correct/common name Secure Transport, but a few mentions in the docs + remained. + + Closes #5688 + Reviewed-by: Daniel Stenberg -- select: use timediff_t instead of time_t and int for timeout_ms +Daniel Stenberg (16 Jul 2020) +- file2memory: use a define instead of -1 unsigned value - Make all functions in select.[ch] take timeout_ms as timediff_t - which should always be large enough and signed on all platforms - to take all possible timeout values and avoid type conversions. + ... to use the maximum value for 'size_t' when detecting integer overflow. + Changed the limit to max/4 as already that seems unreasonably large. - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Codacy didn't like the previous approach. - Replaces #5107 and partially #5262 - Related to #5240 and #5286 - Closes #5343 + Closes #5683 -- unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode' +- CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream - GCC 10 warns about this with warning: implicit conversion - from 'SANITIZEcode' to 'CURLcode' [-Wenum-conversion] + ... by adding support for a new dedicated return code. - Since 'expected_result' is not really of type 'CURLcode' and - it is not exposed in any way, we can just use 'SANITIZEcode'. + Suggested-by: Jonathan Cardoso + Assisted-by: Erik Johansson + URL: https://curl.haxx.se/mail/lib-2020-06/0099.html + Closes #5636 + +- [Baruch Siach brought this change] + + nss: fix build with disabled proxy support - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad + Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is + defined. - Closes #5476 + Closes #5667 -- tests/libtest: fix undefined reference to 'curlx_win32_fopen' +- test1139: make it display the difference on test failures + +- test1119: verify stdout in the test - Since curl_setup.h now makes use of curlx_win32_fopen for Win32 - builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined, - we need to include the relevant files for tests using fopen, - because the libtest sources are also including curl_setup.h + So that failures will be displayed in the terminal, as it makes test failures + visually displayed easier and faster. + + Closes #5644 + +- curl: add %{method} to the -w variables + + Gets the CURLINFO_EFFECTIVE_METHOD from libcurl. + + Added test 1197 to verify. + +- CURLINFO_EFFECTIVE_METHOD: added + + Provide the HTTP method that was used on the latest request, which might + be relevant for users when there was one or more redirects involved. + + Closes #5511 + +Viktor Szakats (14 Jul 2020) +- windows: add unicode to feature list Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg + Reviewed-by: Marc Hörsken - Follow up to #3784 (ffdddb45d9) - Closes #5475 + Closes #5491 -- appveyor: add non-debug plain autotools-based build +Daniel Stenberg (14 Jul 2020) +- multi: remove two checks always true - This should enable us to catch linking issues with the - testsuite early, like the one described/fixed in #5475. + Detected by Codacy + Closes #5676 + +Marc Hoersken (13 Jul 2020) +- workflows: limit what branches to run CodeQL on + + Align CodeQL action with existing CI actions: + - Update branch filter to avoid duplicate CI runs. + - Shorten workflow name due to informative job name. Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad - Closes #5477 + Closes #5660 + +- appveyor: collect libcurl.dll variants with prefix or suffix + + On some platforms libcurl is build with a platform-specific + prefix and/or a version number suffix. + + Assisted-by: Jay Satiro + + Closes #5659 + +Daniel Stenberg (12 Jul 2020) +- [ihsinme brought this change] + + socks: use size_t for size variable + + Use the unsigned type (size_t) in the arithmetic of pointers. In this + context, the signed type (ssize_t) is used unnecessarily. + + Authored-by: ihsinme on github + Closes #5654 -Daniel Stenberg (29 May 2020) - RELEASE-NOTES: synced + + ... and bumped to 7.72.0 as the next release version number -- Revert "buildconf: use find -execdir" +- [Gilles Vollant brought this change] + + content_encoding: add zstd decoding support - This partially reverts commit c712009838f44211958854de431315586995bc61. + include zstd curl patch for Makefile.m32 from vszakats + and include Add CMake support for zstd from Peter Wu - Keep the ares_ files removed but bring back the older way to run find, - to make it work with busybox's find, as apparently that's being used. + Helped-by: Viktor Szakats + Helped-by: Peter Wu + Closes #5453 + +- asyn.h: remove the Curl_resolver_getsock define - Reported-by: Max Peal - Fixes #5483 - Closes #5484 + - not used + - used the wrong number of arguments + - confused the Codeacy code analyzer + + Closes #5647 -- server/sws: fix asan warning on use of uninitialized variable +- [Nicolas Sterchele brought this change] -- libssh2: improved error output for wrong quote syntax + configure.ac: Sort features name in summary - Reported-by: Werner Stolz + - Same as protocols - Closes #5474 + Closes #5656 -- mk-lib1521: generate code for testing BLOB options as well +- [Matthias Naegler brought this change] + + cmake: fix windows xp build - Follow-up to cac5374298b3 + Reviewed-by: Marcel Raad + Closes #5662 + +- ngtcp2: update to modified qlog callback prototype - Closes #5478 + Closes #5675 -- configure: repair the check if argv can be written to +- transfer: fix memory-leak with CURLOPT_CURLU in a duped handle - Due to bad escaping of the test code, the test wouldn't build and thus - result in a negative test result, which would lead to the unconditional - assumption that overwriting the arguments doesn't work and thus curl - would never hide credentials given in the command line, even when it - would otherwise be possible. + Added test case 674 to reproduce and verify the bug report. - Regression from commit 2d4c2152c (7.60.0) + Fixes #5665 + Reported-by: NobodyXu on github + Closes #5673 + +- [Baruch Siach brought this change] + + bearssl: fix build with disabled proxy support - Reported-by: huzunhao on github - Fixes #5470 - Closes #5471 + Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is + defined. + + Reviewed-by: Nicolas Sterchele + Closes #5666 -Peter Wu (28 May 2020) -- CMake: rebuild Makefile.inc.cmake when Makefile.inc changes +- RELEASE-NOTES: synced + +Jay Satiro (11 Jul 2020) +- [Carlo Marcelo Arenas Belón brought this change] + + cirrus-ci: upgrade 11-STABLE to 11.4 - Otherwise the build might fail due to missing source files, as - demonstrated by the recent keylog.c addition on an existing build dir. + Meant to be the last of the 11 series and so make sure that all + other references reflect all 11 versions so they can be retired + together later. - Closes #5469 + Closes https://github.com/curl/curl/pull/5668 -Daniel Stenberg (28 May 2020) -- urldata: fix comments: Curl_done() is called multi_done() now +- [Filip Salomonsson brought this change] + + CURLINFO_CERTINFO.3: fix typo - ... since 575e885db + Closes https://github.com/curl/curl/pull/5655 -Peter Wu (27 May 2020) -- ngtcp2: use common key log routine for better thread-safety +Daniel Stenberg (4 Jul 2020) +- http2: only do the *done() cleanups for HTTP - Tested with ngtcp2 built against the OpenSSL library. Additionally - tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC). + Follow-up to ef86daf4d3 - The TLS backend (independent of QUIC) may or may not already have opened - the keylog file before. Therefore Curl_tls_keylog_open is always called - to ensure the file is open. + Closes #5650 + Fixes #5646 -- wolfssl: add SSLKEYLOGFILE support +- [Alex Kiernan brought this change] + + gnutls: repair the build with `CURL_DISABLE_PROXY` - Tested following the same curl and tshark commands as in commit - "vtls: Extract and simplify key log file handling from OpenSSL" using - WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with - `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`. + `http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn` + if `CURL_DISABLE_PROXY` is enabled. Repair the build with that + configuration. - Full support for this feature requires certain wolfSSL build options, - see "Availability note" in lib/vtls/wolfssl.c for details. + Signed-off-by: Alex Kiernan + Closes #5645 + +Alex Kiernan (3 Jul 2020) +- gnutls: Fetch backend when using proxy - Closes #5327 + Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge") + Signed-off-by: Alex Kiernan -- vtls: Extract and simplify key log file handling from OpenSSL +Daniel Stenberg (3 Jul 2020) +- [Laramie Leavitt brought this change] + + http2: close the http2 connection when no more requests may be sent - Create a set of routines for TLS key log file handling to enable reuse - with other TLS backends. Simplify the OpenSSL backend as follows: + Well-behaving HTTP2 servers send two GOAWAY messages. The first + message is a warning that indicates that the server is going to + stop accepting streams. The second one actually closes the stream. - - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled. - - Do not perform dynamic memory allocation when preparing a log entry. - Unless the TLS specifications change we can suffice with a reasonable - fixed-size buffer. - - Simplify state tracking when SSL_CTX_set_keylog_callback is - unavailable. My original sslkeylog.c code included this tracking in - order to handle multiple calls to SSL_connect and detect new keys - after renegotiation (via SSL_read/SSL_write). For curl however we can - be sure that a single master secret eventually becomes available - after SSL_connect, so a simple flag is sufficient. An alternative to - the flag is examining SSL_state(), but this seems more complex and is - not pursued. Capturing keys after server renegotiation was already - unsupported in curl and remains unsupported. + nghttp2 reports this state (and the other state of no more stream + identifiers) via the call nghttp2_session_check_request_allowed(). + In this state the client should not create more streams on the + session (tcp connection), and in curl this means that the server + has requested that the connection is closed. - Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f - (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`) - against an OpenSSL 1.1.1f server configured with: + It would be also be possible to put the connclose() call into the + on_http2_frame_recv() function that triggers on the GOAWAY message. - # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2 - openssl s_server -www -tls1 - # Likewise, but fail the server handshake. - openssl s_server -www -tls1 -Verify 2 - # TLS 1.3 test. No need to test the failing server handshake. - openssl s_server -www -tls1_3 + This fixes a bug seen when the client sees the following sequence of + frames: - Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly - written using Wireshark. For the first and third case, expect four - matches per connection (decrypted Server Finished, Client Finished, HTTP - Request, HTTP Response). For the second case where the handshake fails, - expect a decrypted Server Finished only. + // advisory GOAWAY + HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1] + ... some additional frames - tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \ - -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \ - -dtls.port==4433,http -ohttp.desegment_body:FALSE \ - -Y 'tls.handshake.verify_data or http' + // final GOAWAY + HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ] - A single connection can easily be identified via the `tcp.stream` field. + Before this change, curl will attempt to reuse the connection even + after the last stream, will encounter this error: + + * Found bundle for host localhost: 0x5595f0a694e0 [can multiplex] + * Re-using existing connection! (#0) with host localhost + * Connected to localhost (::1) port 10443 (#0) + * Using Stream ID: 9 (easy handle 0x5595f0a72e30) + > GET /index.html?5 HTTP/2 + > Host: localhost:10443 + > user-agent: curl/7.68.0 + > accept: */* + > + * stopped the pause stream! + * Connection #0 to host localhost left intact + curl: (16) Error in the HTTP2 framing layer + + This error may posion the connection cache, causing future requests + which resolve to the same curl connection to go through the same error + path. + + Closes #5643 -Daniel Stenberg (27 May 2020) -- FILEFORMAT: add more features that tests can depend on +- ftpserver: don't verify SMTP MAIL FROM names + + Rely on tests asking the names to get refused instead - test servers + should be as dumb as possible. Edited test 914, 955 and 959 accordingly. + + Closes #5639 -- [Michael Kaufmann brought this change] +- curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated + + This came up in #5640. It make sense to clarify this in the docs! + + Reminded-by: Kamil Dudka + Closes #5642 - transfer: close connection after excess data has been read +Kamil Dudka (3 Jul 2020) +- tool_getparam: make --krb option work again - For HTTP 1.x, it's a protocol error when the server sends more bytes - than announced. If this happens, don't reuse the connection, because the - start position of the next response is undefined. + It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301. - Closes #5440 + Bug: https://bugzilla.redhat.com/1833193 + Closes #5640 -- [Estanislau Augé-Pujadas brought this change] +Daniel Stenberg (2 Jul 2020) +- [Jeremy Maitin-Shepard brought this change] - Revert "ssh: ignore timeouts during disconnect" + http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages - This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in - curl 7.54.1. + Confusingly, nghttp2 has two different error code enums: - Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html - Closes #5465 + - nghttp2_error, to be used with nghttp2_strerror + - nghttp2_error_code, to be used with nghttp2_http2_strerror + + Closes #5641 -- urldata: connect related booleans live in struct ConnectBits +Marcel Raad (2 Jul 2020) +- url: silence MSVC warning - And remove a few unused booleans! + Since commit f3d501dc678, if proxy support is disabled, MSVC warns: + url.c : warning C4701: potentially uninitialized local variable + 'hostaddr' used + url.c : error C4703: potentially uninitialized local pointer variable + 'hostaddr' used - Closes #5461 + That could actually only happen if both `conn->bits.proxy` and + `CURL_DISABLE_PROXY` were enabled. + Initialize it to NULL to silence the warning. + + Closes https://github.com/curl/curl/pull/5638 -- hostip: on macOS avoid DoH when given a numerical IP address +Daniel Stenberg (1 Jul 2020) +- RELEASE-NOTES: synced + +Version 7.71.1 (30 Jun 2020) + +Daniel Stenberg (30 Jun 2020) +- RELEASE-NOTES: curl 7.71.1 + +- THANKS: add contributors to 7.71.1 + +- scripts/copyright.pl: skip .dcignore + +- Revert "multi: implement wait using winsock events" - When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that - numerical IP addresses still need to get "resolved" - but not with DoH. + This reverts commit 8bc25c590e530de87595d1bb3577f699eb1309b9. - Reported-by: Viktor Szakats - Fixes #5454 - Closes #5459 + That commit (from #5397) introduced a regression in 7.71.0. + + Reported-by: tmkk on github + Fixes #5631 + Closes #5632 -- ngtcp2: cleanup memory when failing to connect +- TODO: Add flag to specify download directory + +- TODO: return code to CURLMOPT_PUSHFUNCTION to fail connection + +- cirrus-ci: disable FreeBSD 13 (again) - Reported-by: Peter Wu - Fixes #5447 (the ngtcp2 side of it) - Closes #5451 + It has been failing for a good while again. This time we better leave it + disabled until we have more reason to believe it behaves. + + Closes #5628 -- quiche: clean up memory properly when failing to connect +- ngtcp2: sync with current master - Addresses the quiche side of #5447 - Reported-by: Peter Wu - Closes #5450 + ngtcp2 added two new callbacks + + Reported-by: Lucien Zürcher + Fixes #5624 + Closes #5627 -- cleanup: use a single space after equals sign in assignments +- examples/multithread.c: call curl_global_cleanup() + + Reported-by: qiandu2006 on github + Fixes #5622 + Closes #5623 -- url: accept "any length" credentials for proxy auth +- vtls: compare cert blob when finding a connection to reuse - They're only limited to the maximum string input restrictions, not to - 256 bytes. + Reported-by: Gergely Nagy + Fixes #5617 + Closes #5619 + +- RELEASE-NOTES: synced + +- terminology: call them null-terminated strings - Added test 1178 to verify + Updated terminology in docs, comments and phrases to refer to C strings + as "null-terminated". Done to unify with how most other C oriented docs + refer of them and what users in general seem to prefer (based on a + single highly unscientific poll on twitter). - Reported-by: Will Roberts - Fixes #5448 - Closes #5449 + Reported-by: coinhubs on github + Fixes #5598 + Closes #5608 -- [Maksim Stsepanenka brought this change] +- http: fix proxy auth with blank password + + Regression in 7.71.0 + + Added test case 346 to verify. + + Reported-by: Kristoffer Gleditsch + Fixes #5613 + Closes #5616 - test1167: fixes in badsymbols.pl +- .dcignore: ignore tests and docs directories - Closes #5442 + This is a config file for deepcode.ai, a static code analyzer. -- altsvc: fix parser for lines ending with CRLF +Jay Satiro (26 Jun 2020) +- tool_cb_hdr: Fix etag warning output and return code - Fixed the alt-svc parser to treat a newline as end of line. + - Return 'failure' on failure, to follow the existing style. - The unit tests in test 1654 were done without CRLF and thus didn't quite - match the real world. Now they use CRLF as well. + - Put Warning: and the warning message on the same line. + + Ref: https://github.com/curl/curl/issues/5610 + + Closes https://github.com/curl/curl/pull/5612 + +Daniel Stenberg (26 Jun 2020) +- CURLOPT_READFUNCTION.3: provide the upload data size up front - Reported-by: Peter Wu - Assisted-by: Peter Wu Assisted-by: Jay Satiro - Fixes #5445 - Closes #5446 + Closes #5607 -Viktor Szakats (25 May 2020) -- all: fix codespell errors +- test1539: do a HTTP 1.0 POST without a set size (fails) - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - Closes https://github.com/curl/curl/pull/5452 + Attempt to reproduce #5593. Test case 1514 is very similar but uses + HTTP/1.1 and thus switches to chunked. + + Closes #5595 -Peter Wu (25 May 2020) -- ngtcp2: fix build with current ngtcp2 master implementing draft 28 +- [Baruch Siach brought this change] + + mbedtls: fix build with disabled proxy support - Based on client.cc changes from ngtcp2. Tested with current git master, - ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380. + Don't reference fields that do not exist. Fixes build failure: - Fixes #5444 - Closes #5443 + vtls/mbedtls.c: In function 'mbed_connect_step1': + vtls/mbedtls.c:249:54: error: 'struct connectdata' has no member named 'http_proxy' + + Closes #5615 -Daniel Stenberg (25 May 2020) -- RELEASE-NOTES: synced +- codeql-analysis.yml: fix the 'languages' setting - moved the new setopts up to a "change" + It needs a 'with:' in front of it. -- RELEASE-NOTES: synced +GitHub (26 Jun 2020) +- [Daniel Stenberg brought this change] -- copyright: updated year ranges out of sync + gtihub: codeql-analysis.yml - ... and whitelisted a few more files in the the copyright.pl script. + enables code security scanning with github actions -- [Gilles Vollant brought this change] +Daniel Stenberg (25 Jun 2020) +- tests: verify newline in username and password for HTTP + + test 1296 is a simply command line test + + test 1910 is a libcurl test including a redirect - setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency +- url: allow user + password to contain "control codes" for HTTP(S) - Closes #5431 + Reported-by: Jon Johnson Jr + Fixes #5582 + Closes #5592 -- curl: remove -J "informational" written on stdout +- escape: make the URL decode able to reject only %00 bytes - curl would previously show "curl: Saved to filename 'name from header'" - if -J was used and a name was picked from the Content-Disposition - header. That output could interfer with other stdout output, such as -w. + ... or all "control codes" or nothing. - This commit removes that output line. - Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html - Reported-by: Коваленко Анатолий Викторович - Closes #5435 + Assisted-by: Nicolas Sterchele -Peter Wu (22 May 2020) -- travis: simplify quiche build instructions wrt boringssl +- http2: set the correct URL in pushed transfers - quiche builds boringssl as static library, reuse that instead of - building another shared library. + ...previously CURLINFO_EFFECTIVE_URL would report the URL of the + original "mother transfer", not the actually pushed resource. - Closes #5438 + Reported-by: Jonathan Cardoso Machado + Fixes #5589 + Closes #5591 -- configure: fix pthread check with static boringssl - - A shared boringssl/OpenSSL library requires -lcrypto only for linking. - A static build additionally requires `-ldl -lpthread`. In the latter - case `-lpthread` is added to LIBS which prevented `-pthread` from being - added to CFLAGS. Clear LIBS to fix linking failures for libtest tests. +Jay Satiro (25 Jun 2020) +- [Javier Blazquez brought this change] -Daniel Stenberg (22 May 2020) -- Revert "sendf: make failf() use the mvsnprintf() return code" + openssl: Fix compilation on Windows when ngtcp2 is enabled - This reverts commit 74623551f306990e70c7c5515b88972005604a74. + - Include wincrypt before OpenSSL includes so that the latter can + properly handle any conflicts between the two. - Instead mark the function call with (void). Getting the return code and - using it instead triggered Coverity warning CID 1463596 because - snprintf() can return a negative value... + Closes https://github.com/curl/curl/pull/5606 + +Daniel Stenberg (25 Jun 2020) +- test543: extended to verify zero length input - Closes #5441 + As was reported in #5601 -- typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *' +- escape: zero length input should return a zero length output - Reported-by: Billyzou0741326 on github - Fixes #5432 - Closes #5436 + Regression added in 7.71.0. + + Fixes #5601 + Reported-by: Kristoffer Gleditsch + Closes #5602 -- tests/server/util.h: add extern to silence compiler warning +- Curl_inet_ntop: always check the return code - Follow-up from a3b0699d5c1 + Reported-by: Siva Sivaraman + Fixes #5412 + Closes #5597 -- typecheck-gcc.h: fix the OFF_T check +- sendf: improve the message on client write errors - The option number also needs to be less than CURLOPTTYPE_BLOB. + Replace "Failed writing body (X != Y)" with + "Failure writing output to destination". Possibly slightly less cryptic. - Follow-up to cac5374298 - Reported-by: Jeroen Ooms - Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114 + Reported-by: coinhubs on github + Fixes #5594 + Closes #5596 -- TODO: --dry-run - - Closes #5426 +- RELEASE-NOTES: synced -- TODO: Ratelimit or wait between serial requests - - Closes #5406 +- curlver: start working on 7.71.1 -- tool_paramhlp: fixup C89 mistake +- [Denis Baručić brought this change] + + DYNBUF.md: fix a typo: trail => tail - Follow-up to c5f0a9db22. + Closes #5599 -- [Siva Sivaraman brought this change] +Version 7.71.0 (23 Jun 2020) - tool_paramhlp: fixed potentially uninitialized strtol() variable - - Seems highly unlikely to actually be possible, but better safe than - sorry. - - Closes #5417 +Daniel Stenberg (23 Jun 2020) +- RELEASE-NOTES: curl 7.71.0 release -- [Siva Sivaraman brought this change] +- THANKS: curl 7.71.0 additions - tool_operate: fixed potentially uninitialized variables +- url: make sure pushed streams get an allocated download buffer - ... in curl_easy_getinfo() calls. They're harmless but clearing the - variables makes the code safer and comforts the reader. + Follow-up to c4e6968127e876b0 - Closes #5416 - -- sha256: move assign to the declaration line + When a new transfer is created, as a resuly of an acknowledged push, + that transfer needs a download buffer allocated. - Follow-up to fae30656. Should've been squashed with that commit... - -- [Siva Sivaraman brought this change] + Closes #5590 - sha256: fixed potentially uninitialized variable +Jay Satiro (22 Jun 2020) +- openssl: Don't ignore CA paths when using Windows CA store - Closes #5414 - -- sendf: make failf() use the mvsnprintf() return code + This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does + not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default + locations. Instead the CA store can now be used at the same time. - ... and avoid a strlen() call. Fixes a MonocleAI warning. + The change is due to the impending release. The issue is still being + discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and + is now documented as experimental. - Reported-by: MonocleAI - Fixes #5413 - Closes #5420 + Ref: bc052cc (parent commit) + Ref: https://github.com/curl/curl/issues/5585 -- hostip: make Curl_printable_address not return anything +- tool_operate: Don't use Windows CA store as a fallback - It was not used much anyway and instead we let it store a blank buffer - in case of failure. + Background: - Reported-by: MonocleAI - Fixes #5411 - Closes #5418 - -- ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void) + 148534d added CURLSSLOPT_NATIVE_CA to use the Windows OS certificate + store in libcurl w/ OpenSSL on Windows. CURLSSLOPT_NATIVE_CA overrides + CURLOPT_CAINFO if both are set. The curl tool will fall back to + CURLSSLOPT_NATIVE_CA if it could not find a certificate bundle to set + via CURLOPT_CAINFO. - They're done on purpose, make that visible in the code. - Reported-by: MonocleAI - Fixes #5412 - Closes #549 + Problem: + + libcurl may be built with hardcoded paths to a certificate bundle or + directory, and if CURLSSLOPT_NATIVE_CA is used then those paths are + ignored. + + Solution: + + A solution is still being discussed but since there's an impending + release this commit removes using CURLSSLOPT_NATIVE_CA in the curl tool. + + Ref: https://github.com/curl/curl/issues/5585 -- TODO: forbid TLS post-handshake auth and do TLS record padding +- openssl: Fix CA fallback logic for OpenSSL 3.0 build - Closes #5396 - Closes #5398 + Prior to this change I assume a build error would occur when + CURL_CA_FALLBACK was used. + + Closes https://github.com/curl/curl/pull/5587 -- RELEASE-NOTES: synced +Daniel Stenberg (22 Jun 2020) +- copyright: update mismatched copyright years -- dynbuf: return NULL when there's no buffer length - - ... as returning a "" is not a good idea as the string is supposed to be - allocated and returning a const string will cause issues. +- test1460: verify that -Ji is not ok + +- tool_getparam: -i is not OK if -J is used - Reported-by: Brian Carpenter - Follow-up to ed35d6590e72c - Closes #5405 + Reported-by: sn on hackerone + Bug: https://curl.haxx.se/docs/CVE-2020-8177.html -Peter Wu (16 May 2020) -- travis: upgrade to bionic, clang-9, improve readability +- [Peter Wu brought this change] + + CMake: ignore INTERFACE_LIBRARY targets for pkg-config file - Changes, partially to reduce build failures from external dependencies: - - Upgrade Ubuntu and drop unnecessary third-party repos. - - Properly clone apt config to ensure retries. - - Upgrade to clang-9 from the standard repos. - - Use Ubuntu 20.04 focal for the libssh build, use of ssh_get_publickey - fails on -Werror=deprecated-declarations in Ubuntu 18.04. Do not use - focal everywhere yet since Travis CI has not documented this option. - In focal, python-impacket (Py2.7) has been removed, leaving only - python3-impacket. Since it is only needed for SMB tests and not SSH, - skip it for the libssh job since it might need more work. - - apt: Remove gcc-8 and libstdc++-8-dev, already installed via g++-8. + Reviewed-by: Marcel Raad + Fixes #5512 + Closes #5517 + +- [Valentyn Korniienko brought this change] + + multibyte: Fixed access-> waccess to file for Windows Plarform - Non-functional cleanups: - - Simplify test matrix, drop redundant os and compiler keys. - - Deprecation fixes: remove sudo, rename matrix -> jobs. - - Every job has an 'env' key, put this key first in a list item. + Reviewed-by: Marcel Raad + Closes #5580 + +- altsvc: bump to h3-29 - Closes #5370 + Closes #5584 -- travis: whitespace-only changes for consistency +- urlglob: treat literal IPv6 addresses with zone IDs as a host name - Automatically apply a consistent indentation with: + ... and not as a "glob". Now done by passing the supposed host to the + URL parser which supposedly will do a better job at identifying "real" + numerical IPv6 addresses. - python3 -c 'from ruamel.yaml import YAML;y=YAML();d=y.load(open(".travis.yml"));y.width=500;y.dump(d,open(".travis.yml.new","w"))' + Reported-by: puckipedia on github + Fixes #5576 + Closes #5579 + +- test1179: verify error message for non-existing cmdline option + +- tool_getparam: repair the error message for unknown flag - followed by manually re-indenting three comments. + Follow-up to 9e5669f3880674 + Detected by Coverity CID 1464582 ("Logically dead code") - Closes #5370 + Closes #5577 -- CMake: add libssh build support - - Closes #5372 +- FILEFORMAT: describe verify/stderr -Daniel Stenberg (15 May 2020) -- KNOWN_BUGS: wolfssh: publickey auth doesn't work +- connect: improve happy eyeballs handling - Closes #4820 - -- KNOWN_BUGS: OS400 port requires deprecated IBM library + For QUIC but also for regular TCP when the second family runs out of IPs + with a failure while the first family is still trying to connect. - Closes #5176 + Separated the timeout handling for IPv4 and IPv6 connections when they + both have a number of addresses to iterate over. -- [Vyron Tsingaras brought this change] +- ngtcp2: never call fprintf() in lib code in release version - http2: keep trying to send pending frames after req.upload_done +- ngtcp2: fix happy eyeballs quic connect crash - Fixes #1410 - Closes #5401 - -- [Gilles Vollant brought this change] + Reported-by: Peter Wu + Fixes #5565 + Closes #5568 - setopt: support certificate options in memory with struct curl_blob +- select: remove the unused ELAPSED_MS() macro - This change introduces a generic way to provide binary data in setopt - options, called BLOBs. + Closes #5573 + +Marc Hoersken (17 Jun 2020) +- [rcombs brought this change] + + multi: implement wait using winsock events - This change introduces these new setopts: + This avoids using a pair of TCP ports to provide wakeup functionality + for every multi instance on Windows, where socketpair() is emulated + using a TCP socket on loopback which could in turn lead to socket + resource exhaustion. - CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB, - CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB. + Reviewed-by: Gergely Nagy + Reviewed-by: Marc Hörsken - Reviewed-by: Daniel Stenberg - Closes #5357 + Closes #5397 -- source cleanup: remove all custom typedef structs - - - Stick to a single unified way to use structs - - Make checksrc complain on 'typedef struct {' - - Allow them in tests, public headers and examples +Daniel Stenberg (17 Jun 2020) +- manpage: add three missing environment variables - - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually - typedef different types/structs depending on build conditions. + CURL_SSL_BACKEND, QLOGDIR and SSLKEYLOGFILE - Closes #5338 + Closes #5571 -- travis: remove the .checksrc fiddling +- RELEASE-NOTES: synced -- ftp: make domore_getsock() return the secondary socket properly +- configure: for wolfSSL, check for the DES func needed for NTLM - Previously, after PASV and immediately after the data connection has - connected, the function would only return the control socket to wait for - which then made the data connection simply timeout and not get polled - correctly. This become obvious when running test 1631 and 1632 event- - based. + Also adds pkg-config support for the wolfSSL detection. -- test1632: verify FTP through HTTPS-proxy with connection re-use +- [Ruurd Beerstra brought this change] -- test1631: verify FTP download through HTTPS-proxy + ntlm: enable NTLM support with wolfSSL + + When wolfSSL is built with its OpenSSL API layer, it fetures the same DES* + functions that OpenSSL has. This change take advantage of that. + + Co-authored-by: Daniel Stenberg + Closes #5556 + Fixes #5548 -- sws: as last resort, get test number from server cmd file +- http: move header storage to Curl_easy from connectdata - If it can't be found in the request. Also support --cmdfile to set it to - a custom file name. + Since the connection can be used by many independent requests (using + HTTP/2 or HTTP/3), things like user-agent and other transfer-specific + data MUST NOT be kept connection oriented as it could lead to requests + getting the wrong string for their requests. This struct data was + lingering like this due to old HTTP1 legacy thinking where it didn't + mattered.. - runtests.pl always writes this file with the test number in it since a - while back. + Fixes #5566 + Closes #5567 -- ftp: shut down the secondary connection properly when SSL is used +- CODE_REVIEW.md: how to do code reviews in curl - Reported-by: Neal Poole - Fixes #5340 - Closes #5385 + Assisted-by: Daniel Gustafsson + Assisted-by: Rich Salz + Assisted-by: Hugo van Kemenade + Assisted-by: James Fuller + Assisted-by: Marc Hörsken + Assisted-by: Jay Satiro + + Closes #5555 -Marcel Raad (14 May 2020) -- KNOWN_BUGS: adapt 5.5 to recent changes +- altsvc: remove the num field from the altsvc struct - It only applies to non-Unicode builds now. - Also merge 5.10 into it as it's effectively a duplicate. + It was superfluous since we have the list.size alredy - Closes https://github.com/curl/curl/pull/3784 + Reported-by: Jay Satiro + Fixes #5553 + Closes #5563 -- curl_setup: support Unicode functions to open files on Windows +- version.d: expanded and alpha-sorted - Use them only if `_UNICODE` is defined, in which case command-line - arguments have been converted to UTF-8. + Added a few missing features not previously mentioned. Ordered them + alphabetically. - Closes https://github.com/curl/curl/pull/3784 + Closes #5558 -- tool: support UTF-16 command line on Windows +- ABI.md: rename to .md and polish the markdown - - use `wmain` instead of `main` when `_UNICODE` is defined [0] - - define `argv_item_t` as `wchar_t *` in this case - - use the curl_multibyte gear to convert the command-line arguments to - UTF-8 + Closes #5562 + +- HELP-US: add a section for "smaller tasks" - This makes it possible to pass parameters with characters outside of - the current locale on Windows, which is required for some tests, e.g. - the IDN tests. Out of the box, this currently only works with the - Visual Studio project files, which default to Unicode, and winbuild - with the `ENABLE_UNICODE` option. + The point of this section is to meet the CII Best Practices gold level + critera: - [0] https://devblogs.microsoft.com/oldnewthing/?p=40643 + "The project MUST clearly identify small tasks that can be performed by + new or casual contributors" - Ref: https://github.com/curl/curl/issues/3747 - Closes https://github.com/curl/curl/pull/3784 + Closes #5560 -- curl_multibyte: add to curlx +- TODO: retry on the redirected-to URL - This will also be needed in the tool and tests. + Closes #5462 + +- mailmap: Nicolas Sterchele + +- [Nicolas Sterchele brought this change] + + TODO: remove 19.3 section title - Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512 - Closes https://github.com/curl/curl/pull/3784 + Follow-up to ad6416986755e417c66e2c6, which caused wrong formatting on + curl documentation website + + Closes #5561 -Daniel Stenberg (14 May 2020) -- url: make the updated credentials URL-encoded in the URL +- [Martin V brought this change] + + test1560: avoid possibly negative association in wording - Found-by: Gregory Jefferis - Reported-by: Jeroen Ooms - Added test 1168 to verify. Bug spotted when doing a redirect. - Bug: https://github.com/jeroen/curl/issues/224 - Closes #5400 + Closes #5549 -- tests: add https-proxy support to the test suite +- share: don't set the share flag it something fails - Initial test 1630 added with basic HTTPS-proxy use. HTTPS-proxy is like - HTTP proxy but with a full TLS connection to the proxy. + When asking for a specific feature to be shared in the share object, + that bit was previously set unconditionally even if the shared feature + failed or otherwise wouldn't work. - Closes #5399 + Closes #5554 -- mailmap: James Fuller +- buildconf: remove -print from the find command that removes files + + It's just too annoying and unnecessary to get a long list of files shown -- [Major_Tom brought this change] +- RELEASE-NOTES: synced - vauth/cleartext: fix theoretical integer overflow - - Fix theoretical integer overflow in Curl_auth_create_plain_message. +- wording: avoid blacklist/whitelist stereotypes - The security impact of the overflow was discussed on hackerone. We - agreed this is more of a theoretical vulnerability, as the integer - overflow would only be triggerable on systems using 32-bits size_t with - over 4GB of available memory space for the process. + Instead of discussing if there's value or meaning (implied or not) in + the colors, let's use words without the same possibly negative + associations. - Closes #5391 + Closes #5546 -Jay Satiro (13 May 2020) -- curl.1: Quote globbed URLs +Jay Satiro (9 Jun 2020) +- tool_getparam: fix memory leak in parse_args - - Quote the globbing example URLs that contain characters [] {} since - otherwise they may be interpreted as shell metacharacters. + Prior to this change in Windows Unicode builds most parsed options would + not be freed. - Bug: https://github.com/curl/curl/issues/5388 - Reported-by: John Simpson + Found using _CrtDumpMemoryLeaks(). - Closes https://github.com/curl/curl/pull/5394 + Ref: https://github.com/curl/curl/issues/5545 -Daniel Stenberg (14 May 2020) -- checksrc: enhance the ASTERISKSPACE and update code accordingly +Daniel Stenberg (8 Jun 2020) +- socks: detect connection close during handshake - Fine: "struct hello *world" + The SOCKS4/5 state machines weren't properly terminated when the proxy + connection got closed, leading to a busy-loop. - Not fine: "struct hello* world" (and variations) + Reported-By: zloi-user on github + Fixes #5532 + Closes #5542 + +- [James Fuller brought this change] + + multi: add defensive check on data->multi->num_alive + + Closes #5540 + +- Curl_addrinfo: use one malloc instead of three + + To reduce the amount of allocations needed for creating a Curl_addrinfo + struct, make a single larger malloc instead of three separate smaller + ones. - Closes #5386 + Closes #5533 -- docs/options-in-versions: which version added each cmdline option +- [Alessandro Ghedini brought this change] + + quiche: update SSLKEYLOGFILE support - Added test 971 to verify that the list is in sync with the files in - cmdline-opts. The check also verifies that .d-files that uses Added: - specify the same version number as the options-in-versions file does. + quiche now requires the application to explicitly set the keylog path + for each connection, rather than reading the environment variable + itself. - Closes #5381 + Closes #5541 -- docs: unify protocol lists +- tests: add two simple tests for --login-options - We boast support for 25 transfer protocols. Make sure the lists are - consistent + Test 895 and 896 - as a follow-up to a3e972313b - Closes #5384 + Closes #5539 -- OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN +- ngtcp2: update with recent API changes - ... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. + Syncs with ngtcp2 commit 7e9a917d386d98 merged June 7 2020. - Reported-by: Michael Kaufmann - Fixes #5374 - Closes #5376 - -- tls13-ciphers.d: shorten the Arg - -- sasl-authzid.d: add Arg: and shorten the desc + Assisted-by: Tatsuhiro Tsujikawa + Closes #5538 -- cert-type.d: mention the available types in the desc +- [James Fuller brought this change] -- tool: shorten 3 --help descriptions - - --happy-eyeballs-timeout-ms, --resolve and --ssl-revoke-best-effort - - gen.pl already warned about these lines but we didn't listen + socks: remove unreachable breaks in socks.c and mime.c - Closes #5379 + Closes #5537 -- configure: the wolfssh backend does not provide SCP +- tool_cfgable: free login_options at exit - Closes #5387 - -- RELEASE-NOTES: synced + Memory leak + Reported-by: Geeknik Labs + Fixes #5535 + Closes #5536 -- url: reject too long input when parsing credentials +- libssh2: keep sftp errors as 'unsigned long' - Since input passed to libcurl with CURLOPT_USERPWD and - CURLOPT_PROXYUSERPWD circumvents the regular string length check we have - in Curl_setstropt(), the input length limit is enforced in - Curl_parse_login_details too, separately. + Remove weird work-around for storing the SFTP errors as int instead of + the "unsigned long" that libssh2 actually returns for SFTP errors. - Reported-by: Thomas Bouzerar - Closes #5383 - -- list-only.d: this option existed already in 4.0 + Closes #5534 -Jay Satiro (12 May 2020) -- retry-all-errors.d: Shorten the summary line +Marc Hoersken (6 Jun 2020) +- timeouts: move ms timeouts to timediff_t from int and long - Follow-up to b995bb5 from a few moments ago. + Now that all functions in select.[ch] take timediff_t instead + of the limited int or long, we can remove type conversions + and related preprocessor checks to silence compiler warnings. - Reported-by: Daniel Stenberg + Avoiding conversions from time_t was already done in 842f73de. - Ref: https://github.com/curl/curl/commit/b995bb5#r39108929 + Based upon #5262 + Supersedes #5214, #5220 and #5221 + Follow up to #5343 and #5479 + Closes #5490 -- [denzor brought this change] +Daniel Stenberg (6 Jun 2020) +- [François Rigault brought this change] - easy: fix dangling pointer on easy_perform fail + openssl: set FLAG_TRUSTED_FIRST unconditionally - Closes https://github.com/curl/curl/pull/5363 - -- tool: Add option --retry-all-errors to retry on any error + On some systems, openssl 1.0.x is still the default, but it has been + patched to contain all the recent security fixes. As a result of this + patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be + defined, while the previous behavior of openssl to not look at trusted + chains first, remains. - The "sledgehammer" of retrying. + Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to + probe for the behavior of openssl based on the existence ofmacros. - Closes https://github.com/curl/curl/pull/5185 - -Daniel Stenberg (12 May 2020) -- [James Le Cuirot brought this change] + Closes #5530 - libcurl.pc: Merge Libs.private into Libs for static-only builds - - A project being built entirely statically will call pkg-config with - --static, which utilises the Libs.private field. Conversely it will - not use --static when not being built entirely statically, even if - there is only a static build of libcurl available. This will most - likely cause the build to fail due to underlinking unless we merge the - Libs fields. +- server/util: fix logmsg format using curl_off_t argument - Consider that this is what the Meson build system does when it - generates pkg-config files. + ... this caused segfaults on armv7. - I have also reflected this in the --libs argument of curl-config even - though REQUIRE_LIB_DEPS always seems to be "yes" anyway. + Regression added in dd0365d560aea5a (7.70.0) - Closes #5373 + Reviewed-by: Jay Satiro + Closes #5529 -- [Peter Wu brought this change] +- RELEASE-NOTES: synced - CMake: fix runtests.pl with CMake, add new test targets +- [Cherish98 brought this change] + + socks: fix expected length of SOCKS5 reply - * runtests.pl: - - Fix out-of-tree build under CMake when srcdir is not set. Default - srcdir to the location of runtests.pl. - - Add a hack to allow CMake to use the TFLAGS option as documented - in tests/README and used in scripts/travis/script.sh. - * Bump CMake version to 3.2 for USES_TERMINAL, dropping Debian Jessie - support (no one should care, it is already EOL.). - * Remove CTest since it defines its own 'test' target with no tests - since all unittests are already broken and not built by default. - * Add new test targets based on the options from Makefile.am. Since - new test targets are rarely added, I opted for duplicating the - runtests.pl options as opposed to creating a new Makefile.inc file. - Use top-level target names (test-x) instead of x-test since that is - used by CI and others. + Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the + reply ATYP is X'01'. This resulted in erroneously expecting more bytes + when the request length is greater than the reply length (e.g., when + remotely resolving the hostname). - Closes #5358 - -- [Peter Wu brought this change] + Closes #5527 - CMake: do not build test programs by default - - The default target should only build libcurl and curl. Add a dedicated - 'testdeps' target which will be used later when running tests. Note that - unittests are currently broken in CMake and already excluded. +Marc Hoersken (5 Jun 2020) +- .gitignore: add directory containing the stats repo - Closes #5368 + Since the new curl/stats repository is designed to be + checked out into the curl repository working tree as stats/ + it should be on the ignore list to aid in commit staging. -- FILEFORMAT: moved up the variables section and further polished +Daniel Stenberg (5 Jun 2020) +- [Adnan Khan brought this change] -- runtests: remove ftp2 support, not used + HTTP3.md: clarify cargo build directory - We once supported two separate ftp instances in the test suite. Has not - been used the last decade. + Cargo needs to be called from within the 'quiche' directory. - Closes #5375 + Closes #5522 -- url: sort the protocol schemes in rough popularity order +- user-agent.d: spell out what happens given a blank argument - When looking for a protocol match among supported schemes, check the - most "popular" schemes first. It has zero functionality difference and - for all practical purposes a speed difference will not be measureable - but it still think it makes sense to put the least likely matches last. + Closes #5525 + +- trailers: switch h1-trailer logic to use dynbuf - "Popularity" based on the 2019 user survey. + In the continued effort to remove "manual" realloc schemes. - Closes #5377 + Closes #5524 -Marc Hoersken (11 May 2020) -- test1238: avoid tftpd being busy for tests shortly following - - The tftpd server may still be busy if the total timeout of - 25 seconds has not been reached or no sread error was received - during or after the execution of the timeout test 1238. +- CURLINFO_ACTIVESOCKET.3: clarify the description - Once the next TFTP test comes around (eg. 1242 or 1243), - those will fail because the tftpd server is still waiting - on data from curl due to the UDP protocol being stateless - and having no connection close. On Linux this error may not - happen, because ICMP errors generated due to a swrite error - can also be returned async on the next sread call instead. + Reported-by: Jay Satiro + Fixes #5299 + Closes #5520 + +- mailmap: Don J Olmstead + +- configure: only strip first -L from LDFLAGS - Therefore we will now just kill the tftpd server after test - 1238 to make sure that the following tests are not affected. + In the logic that works out if a given OpenSSL path works, it stripped + off a possibly leading -L flag using an incorrect sed pattern which + would remove all instances of -L in the string, including if the path + itself contained that two-letter sequence! - This enables us to no longer ignore tests 1242, 1243, 2002 - and 2003 on the CI platforms CirrusCI and AppVeyor. + The same pattern was used and is now updated in multiple places. Now it + only removes -L if it starts the strings. - Assisted-by: Peter Wu - Closes #5364 + Reported-by: Mohamed Osama + Fixes #5519 + Closes #5521 -Daniel Stenberg (11 May 2020) -- write-out.d: added "response_code" +Peter Wu (4 Jun 2020) +- quiche: advertise draft 28 support + + Fix the verbose message while at it, quiche currently supports draft + 27 and draft 28 simultaneously. + + Closes #5518 -- KNOWN_BUGS: Build with staticly built dependency +Daniel Stenberg (4 Jun 2020) +- KNOWN_BUGS: RTSP authentication breaks without redirect support - I rewrote the item 5.4 to be more generic about static dependencies. + Closes #4750 -- ROADMAP: remove old entries +Jay Satiro (4 Jun 2020) +- projects: Add crypt32.lib to dependencies for all OpenSSL configs - MQTT - the start has already landed + Windows project configurations that use OpenSSL with USE_WIN32_CRYPTO + need crypt32. - tiny-curl - also mostly landed and is a continuous work + Follow-up to 148534d which added CURLSSLOPT_NATIVE_CA for 7.71.0. - make menuconfig - basically no interest from users, not pushing there - -- [Peter Wu brought this change] - - travis: Add ngtcp2 and quiche tests for CMake + The changes that are in this commit were made by script. - To avoid an explosion of jobs, extend the existing CMake tests with - ngtcp2 and quiche support. macOS was previously moved to GitHub actions, - so the non-Linux case can be dropped. - -- [Peter Wu brought this change] + Ref: https://gist.github.com/jay/a1861b50ecce2b32931237180f856e28 + + Closes https://github.com/curl/curl/pull/5516 - CMake: add ENABLE_ALT_SVC option +Marc Hoersken (3 Jun 2020) +- CI/macos: fix 'is already installed' errors by using bundle - Tested alt-svc with quiche. While at it, add missing MultiSSL reporting - (not tested). + Avoid failing CI builds due to nghttp2 being already installed. + + Closes #5513 -- [Peter Wu brought this change] +Daniel Stenberg (3 Jun 2020) +- altsvc: fix 'dsthost' may be used uninitialized in this function - CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche) +- RELEASE-NOTES: synced + +- urldata: let the HTTP method be in the set.* struct - Add three new CMake Find modules (using the curl license, but I grant - others the right to apply the CMake BSD license instead). + When the method is updated inside libcurl we must still not change the + method as set by the user as then repeated transfers with that same + handle might not execute the same operation anymore! - This CMake config is simpler than the autotools one because it assumes - ngtcp2 and nghttp3 to be used together. Another difference is that this - CMake config checks whether QUIC is actually supported by the TLS - library (patched OpenSSL or boringssl) since this can be a common - configuration mistake that could result in build errors later. + This fixes the libcurl part of #5462 - Unlike autotools, CMake does not warn you that the features are - experimental. The user is supposed to already know that and read the - documentation. It requires a very special build environment anyway. + Test 1633 added to verify. - Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from - current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure - out which features (libldap-2.4, libssh2) to disable due to conflicts - with boringssl. + Closes #5499 + +- hostip: fix the memory-leak introduced in 67d2802 - Closes #5359 + Fixes #5503 + Closes #5504 -Marc Hoersken (10 May 2020) -- tests/server/tftpd.c: fix include and enhance debug logging +- test970: make it require proxy support - setjmp.h should only be included if HAVE_SETJMP_H is defined. + This test verifies the -w %json output and the test case includes a full + generated "blob". If there's no proxy support built into libcurl, it + will return an error for proxy related info variables and they will not + be included in the json, thus causing a mismatch and this test fails. - Add additional log statements to see wether reads and writes - are blocking or finishing before an alarm signal is received. + Reported-by: Marc Hörsken + Fixes #5501 + Closes #5502 + +- [Radoslav Georgiev brought this change] + + examples/http2-down/upload: add error checks - Assisted-by: Peter Wu - Part of #5364 + If `index.html` does not exist in the directory from which the example + is invoked, the fopen(upload, "rb") invocation in `setup` would fail, + returning NULL. This value is subsequently passed as the FILE* argument + of the `fread` invocation in the `read_callback` function, which is the + actual cause of the crash (apparently `fread` assumes that argument to + be non-null). + + In addition, mitigate some possible crashes of similar origin. + + Closes #5463 -Daniel Stenberg (10 May 2020) -- tool_operate: only set CURLOPT_SSL_OPTIONS if SSL support is present +- [kotoriのねこ brought this change] + + examples/ephiperfifo: turn off interval when setting timerfd - Reported-by: Marcel Raad - Follow-up to 148534db5 - Fixes #5367 - Closes #5369 + Reported-by: therealhirudo on github + Fixes #5485 + Closes #5497 -Marc Hoersken (9 May 2020) -- appveyor: update comments to be clear about toolchain +- [Saleem Abdulrasool brought this change] + + vtls: repair the build with `CURL_DISABLE_PROXY` - - CMake-based MSYS builds use mingw-w64 to cross-compile. - - autotools-based builds are compiled using msys2-devel. + `http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY` + is enabled. Repair the build with that configuration. - The difference is that the later ones are not cross-compiled - to Windows and instead require the msys2 runtime to be present. + Follow-up to f3d501dc67 - At the moment only the Azure Pipelines CI builds actually - run autotools-based cross-compilation builds for Windows. + Closes #5498 -- TODO: update regarding missing Schannel features +- transfer: remove k->str NULL check - Some aspects have already been implemented over the years. + "Null-checking k->str suggests that it may be null, but it has already + been dereferenced on all paths leading to the check" - and it can't + legally be NULL at this point. Remove check. - 15.1 Client certificates are now supported: + Detected by Coverity CID 1463884 - - System stores via e35b0256eb34f1fe562e3e2a2615beb50a391c52 - - PKCS#12 files via 0fdf96512613574591f501d63fe49495ba40e1d5 + Closes #5495 + +Marc Hoersken (1 Jun 2020) +- select: always use Sleep in Curl_wait_ms on Win32 - 15.2 Ciphers can now be specified through: + Since Win32 almost always will also have USE_WINSOCK, + we can reduce complexity and always use Sleep there. - - Algorithms via 9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28 + Assisted-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Stenberg and Marcel Raad - Closes #5358 - -Daniel Stenberg (8 May 2020) -- checksrc: close the .checksrc file handle when done reading + Follow up to #5343 + Closes #5489 -- RELEASE-NOTES: synced +Daniel Stenberg (31 May 2020) +- conncache: download buffer needs +1 size for trailing zero - And bumped next version to 7.71.0 - -- [Gilles Vollant brought this change] + Follow-up to c4e6968127e + Detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5727799779524608 - CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl) +Marc Hoersken (31 May 2020) +- azure: use matrix strategy to avoid configuration redundancy - Closes #4346 - -- TODO: native IDN support on macOS - -- urlapi: accept :: as a valid IPv6 address + This also includes the following changes: - Text 1560 is extended to verify. + - Use the same timeout for all jobs on Linux (60 minutes) + and Windows (90 minutes) + - Use CLI stable apt-get install -y instead of apt install + which warns about that and run apt-get update first + - Enable MQTT for Windows msys2 builds instead of + legacy msys1 builds + - Add ./configure --prefix parameter to the msys2 builds + - The MSYSTEM environment variable is now preset inside + the container images for the msys2 builds - Reported-by: Pavel Volgarev - Fixes #5344 - Closes #5351 - -- THANKS-filter: Peter Wang - -- [Peter Wang brought this change] + Note: on Azure Pipelines the matrix strategy is basically + just a simple list of job copies and not really a matrix. + + Closes #5468 - *_sspi: fix bad uses of CURLE_NOT_BUILT_IN +Daniel Stenberg (30 May 2020) +- build: disable more code/data when built without proxy support - Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other - instances of QuerySecurityPackageInfo failing, as in - commit 2a81439553286f12cd04a4bdcdf66d8e026d8201. + Added build to travis to verify - Closes #5355 - -- docs/HTTP3: add qlog to the quiche build instruction + Closes #5466 -- ngtcp2: introduce qlog support +- url: alloc the download buffer at transfer start - If the QLOGDIR environment variable is set, enable qlogging. + ... and free it as soon as the transfer is done. It removes the extra + alloc when a new size is set with setopt() and reduces memory for unused + easy handles. - ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for - QUIC functions that are backend independent. + In addition: the closure_handle now doesn't use an allocated buffer at + all but the smallest supported size as a stack based one. - Closes #5353 + Closes #5472 -- ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN +- timeouts: change millisecond timeouts to timediff_t from time_t - That return code is reserved for build-time conditional code not being - present while this was a regular run-time error from a Windows API. + For millisecond timers we like timediff_t better. Also, time_t can be + unsigned so returning a negative value doesn't work then. - Reported-by: wangp on github - Fixes #5349 - Closes #5350 - -- runtests: show elapsed test time with higher precision (ms) - -- RELEASE-NOTES: synced + Closes #5479 -- http2: simplify and clean up trailer handling +Marc Hoersken (30 May 2020) +- select: add overflow checks for timeval conversions - Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in - ed35d6590e72. This should make the trailer handling more straight forward and - hopefully less error-prone. + Using time_t and suseconds_t if suseconds_t is available, + long on Windows (maybe others in the future) and int elsewhere. - Deliver the trailer header to the callback already at receive-time. No - longer caches the trailers to get delivered at end of stream. + Also handle case of ULONG_MAX being greater or equal to INFINITE. - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030 - Closes #5348 - -Marc Hoersken (7 May 2020) -- appveyor: disable test 1139 instead of ignoring it + Assisted-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Spending time on manpage checking makes no sense - for these builds due to lacking manpage support. + Part of #5343 -- appveyor: disable flaky test 1501 and ignore broken 1056 +- select: use timediff_t instead of time_t and int for timeout_ms - Test 1501 is flaky on Windows CI due to being time sensitive - and the testsuite relying on taskkill.exe to check for the - existance of processes which can take to much time itself. + Make all functions in select.[ch] take timeout_ms as timediff_t + which should always be large enough and signed on all platforms + to take all possible timeout values and avoid type conversions. - Test 1056 is broken in autotools-based Windows builds due - to scope ID support missing in these builds at the moment. + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + + Replaces #5107 and partially #5262 + Related to #5240 and #5286 + Closes #5343 -- test613.pl: make tests 613 and 614 work with OpenSSH for Windows +- unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode' - OpenSSH for Windows shows group and other/world permissions as *, - because those concepts do not exist on Windows. It also does not - show the current or parent directory, so we just ignore those. + GCC 10 warns about this with warning: implicit conversion + from 'SANITIZEcode' to 'CURLcode' [-Wenum-conversion] + + Since 'expected_result' is not really of type 'CURLcode' and + it is not exposed in any way, we can just use 'SANITIZEcode'. Reviewed-by: Daniel Stenberg - Closes #5328 - -Daniel Stenberg (6 May 2020) -- runtests: set +x mode again + Reviewed-by: Marcel Raad + + Closes #5476 -- libssh2: convert over to use dynbuf +- tests/libtest: fix undefined reference to 'curlx_win32_fopen' + + Since curl_setup.h now makes use of curlx_win32_fopen for Win32 + builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined, + we need to include the relevant files for tests using fopen, + because the libtest sources are also including curl_setup.h - In my very basic test that lists sftp://127.0.0.1/tmp/, this patched - code makes 161 allocations compared to 194 in git master. A 17% - reduction. + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg - Closes #5336 - -- travis: add "qlog" as feature in the quiche build + Follow up to #3784 (ffdddb45d9) + Closes #5475 -- quiche: enable qlog output +- appveyor: add non-debug plain autotools-based build - quiche has the potential to log qlog files. To enable this, you must - build quiche with the qlog feature enabled `cargo build --features - qlog`. curl then passes a file descriptor to quiche, which takes - ownership of the file. The FD transfer only works on UNIX. + This should enable us to catch linking issues with the + testsuite early, like the one described/fixed in #5475. - The convention is to enable logging when the QLOGDIR environment is - set. This should be a path to a folder where files are written with the - naming template .qlog. + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad - Co-authored-by: Lucas Pardue - Replaces #5337 - Closes #5341 + Closes #5477 -- urldata.h: remove #define HEADERSIZE, not used anymore - - Follow-up to ed35d6590e72c +Daniel Stenberg (29 May 2020) +- RELEASE-NOTES: synced -- ngtcp2: convert to dynbuf +- Revert "buildconf: use find -execdir" - Closes #5335 - -- connect: make happy eyeballs work for QUIC (again) + This partially reverts commit c712009838f44211958854de431315586995bc61. - Follow-up from dbd16c3e256c6c (regression in 7.70.0) + Keep the ares_ files removed but bring back the older way to run find, + to make it work with busybox's find, as apparently that's being used. - Closes #5334 - -- connect: add two asserts to clue code analyzers in a little + Reported-by: Max Peal + Fixes #5483 + Closes #5484 -- http_proxy: ported to use dynbuf instead of a static size buffer - - Removes a 16K static buffer from the easy handle. Simplifies the code. +- server/sws: fix asan warning on use of uninitialized variable -- dynbuf: introduce internal generic dynamic buffer functions +- libssh2: improved error output for wrong quote syntax - A common set of functions instead of many separate implementations for - creating buffers that can grow when appending data to them. Existing - functionality has been ported over. + Reported-by: Werner Stolz - In my early basic testing, the total number of allocations seem at - roughly the same amount as before, possibly a few less. + Closes #5474 + +- mk-lib1521: generate code for testing BLOB options as well - See docs/DYNBUF.md for a description of the API. + Follow-up to cac5374298b3 - Closes #5300 + Closes #5478 -- runtests: remove sleep calls +- configure: repair the check if argv can be written to - Remove many one second sleeps that were done *after* each newly started - test server already has been verified. They should not have any purpose - there. + Due to bad escaping of the test code, the test wouldn't build and thus + result in a negative test result, which would lead to the unconditional + assumption that overwriting the arguments doesn't work and thus curl + would never hide credentials given in the command line, even when it + would otherwise be possible. - Closes #5323 + Regression from commit 2d4c2152c (7.60.0) + + Reported-by: huzunhao on github + Fixes #5470 + Closes #5471 -- asyn-*: remove support for never-used NULL entry pointers +Peter Wu (28 May 2020) +- CMake: rebuild Makefile.inc.cmake when Makefile.inc changes - ... and instead convert those to asserts to make sure they are truly - never NULL. + Otherwise the build might fail due to missing source files, as + demonstrated by the recent keylog.c addition on an existing build dir. - Closes #5324 - -- [Emil Engler brought this change] + Closes #5469 - doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax +Daniel Stenberg (28 May 2020) +- urldata: fix comments: Curl_done() is called multi_done() now - Closes #5325 + ... since 575e885db -Jay Satiro (2 May 2020) -- asyn-thread: fix cppcheck warning - - - Check for NULL entry parameter before attempting to deref entry in - Curl_resolver_is_resolved, like is already done in asyn-ares. - - This is to silence cppcheck which does not seem to understand that - asyn-ares and asyn-thread have separate Curl_resolver_is_resolved - and those units are mutually exclusive. Prior to this change it warned - of a scenario where asyn-thread's Curl_resolver_is_resolved is called - with a NULL entry from asyn-ares, but that couldn't happen. +Peter Wu (27 May 2020) +- ngtcp2: use common key log routine for better thread-safety - Reported-by: rl1987@users.noreply.github.com + Tested with ngtcp2 built against the OpenSSL library. Additionally + tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC). - Fixes https://github.com/curl/curl/issues/5326 + The TLS backend (independent of QUIC) may or may not already have opened + the keylog file before. Therefore Curl_tls_keylog_open is always called + to ensure the file is open. -- select: fix overflow protection in Curl_socket_check +- wolfssl: add SSLKEYLOGFILE support - Follow-up to a96c752 which changed the timeout_ms type from time_t to - timediff_t. + Tested following the same curl and tshark commands as in commit + "vtls: Extract and simplify key log file handling from OpenSSL" using + WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with + `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`. - Ref: https://github.com/curl/curl/pull/5240 + Full support for this feature requires certain wolfSSL build options, + see "Availability note" in lib/vtls/wolfssl.c for details. - Closes https://github.com/curl/curl/pull/5286 + Closes #5327 -Marc Hoersken (2 May 2020) -- sockfilt: make select_ws stop waiting on exit signal event +- vtls: Extract and simplify key log file handling from OpenSSL - This makes sure that select_ws behaves similar to real select - which stops waiting on a signal handler being triggered. + Create a set of routines for TLS key log file handling to enable reuse + with other TLS backends. Simplify the OpenSSL backend as follows: - This makes it possible to gracefully stop sockfilt.exe on - Windows with taskkill /IM sockfilt.exe (without /F force flag). + - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled. + - Do not perform dynamic memory allocation when preparing a log entry. + Unless the TLS specifications change we can suffice with a reasonable + fixed-size buffer. + - Simplify state tracking when SSL_CTX_set_keylog_callback is + unavailable. My original sslkeylog.c code included this tracking in + order to handle multiple calls to SSL_connect and detect new keys + after renegotiation (via SSL_read/SSL_write). For curl however we can + be sure that a single master secret eventually becomes available + after SSL_connect, so a simple flag is sufficient. An alternative to + the flag is examining SSL_state(), but this seems more complex and is + not pursued. Capturing keys after server renegotiation was already + unsupported in curl and remains unsupported. - Reviewed-by: Jay Satiro - Part of #5260 - -- tests/server/util.[ch]: add exit event to stop waiting on Windows + Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f + (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`) + against an OpenSSL 1.1.1f server configured with: - This commit adds a global exit event to the test servers that - Windows-specific wait routines can use to get triggered if the - program was signaled to be terminated, eg. select_ws in sockfilt.c + # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2 + openssl s_server -www -tls1 + # Likewise, but fail the server handshake. + openssl s_server -www -tls1 -Verify 2 + # TLS 1.3 test. No need to test the failing server handshake. + openssl s_server -www -tls1_3 - The exit event will be managed by the signal handling code and is - set to not reset automatically to support multiple wait routines. + Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly + written using Wireshark. For the first and third case, expect four + matches per connection (decrypted Server Finished, Client Finished, HTTP + Request, HTTP Response). For the second case where the handshake fails, + expect a decrypted Server Finished only. - Reviewed-by: Jay Satiro - Closes #5260 - -- tests/server/util.c: fix thread handle not being closed + tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \ + -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \ + -dtls.port==4433,http -ohttp.desegment_body:FALSE \ + -Y 'tls.handshake.verify_data or http' - Reviewed-by: Jay Satiro - Part of #5260 + A single connection can easily be identified via the `tcp.stream` field. -- tests/server/util.c: use raise instead of calling signal handler - - Use raise to trigger signal handler instead of calling it - directly and causing potential unexpected control flow. - - Reviewed-by: Jay Satiro - Part of #5260 +Daniel Stenberg (27 May 2020) +- FILEFORMAT: add more features that tests can depend on -- tests: add support for SSH server variant specific transfer paths +- [Michael Kaufmann brought this change] + + transfer: close connection after excess data has been read - OpenSSH for Windows requires paths in the format of /C:/ - instead of the pseudo-POSIX paths /cygdrive/c/ or just /c/ + For HTTP 1.x, it's a protocol error when the server sends more bytes + than announced. If this happens, don't reuse the connection, because the + start position of the next response is undefined. - Reviewed-by: Daniel Stenberg - Closes #5298 + Closes #5440 -Daniel Stenberg (2 May 2020) -- RELEASE-NOTES: synced +- [Estanislau Augé-Pujadas brought this change] -- libssh2: set the expected total size in SCP upload init + Revert "ssh: ignore timeouts during disconnect" - ... as otherwise the progress callback gets called without that - information, making the progress meter have less info. + This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in + curl 7.54.1. - Reported-by: Murugan Balraj - Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html - Closes #5317 - -- runtests: make the logmsg from the ssh server only show in verbose + Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html + Closes #5465 -- tests: make test 1248 + 1249 use %NOLISTENPORT +- urldata: connect related booleans live in struct ConnectBits - ... instead of a port of a non-running server so that it works - stand-alone. + And remove a few unused booleans! - Closes #5318 + Closes #5461 -- examples: remove asiohiper.cpp +- hostip: on macOS avoid DoH when given a numerical IP address - This example has repeatedly been reported to contain bugs, and as users - copy and paste code from this into production, I now deem it better to - not provide the example at all. + When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that + numerical IP addresses still need to get "resolved" - but not with DoH. - Closes #5090 - Closes #5322 + Reported-by: Viktor Szakats + Fixes #5454 + Closes #5459 -- [Emil Engler brought this change] +- ngtcp2: cleanup memory when failing to connect + + Reported-by: Peter Wu + Fixes #5447 (the ngtcp2 side of it) + Closes #5451 - doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3 +- quiche: clean up memory properly when failing to connect - Closes #5320 + Addresses the quiche side of #5447 + Reported-by: Peter Wu + Closes #5450 -- [Emil Engler brought this change] +- cleanup: use a single space after equals sign in assignments - KNOWN_BUGS: Remove "curl --upload-file . hang if delay in STDIN" - - It was fixed in 9a2cbf3 +- url: accept "any length" credentials for proxy auth - Closes #5319 - -- cirrus: disable SFTP and SCP tests + They're only limited to the maximum string input restrictions, not to + 256 bytes. - ... as we can't seem to start the sshd server on it. Those problems - existed before d1239b50bececd (running the SSH server on a random port), - but they're more noticable now since there are more failed attempts in - the logs. + Added test 1178 to verify - Closes #5315 + Reported-by: Will Roberts + Fixes #5448 + Closes #5449 -- [Emil Engler brought this change] +- [Maksim Stsepanenka brought this change] - runtests: fix typo in the existence of disabled tests checker + test1167: fixes in badsymbols.pl - Closes #5316 + Closes #5442 -Dan Fandrich (30 Apr 2020) -- test75: Remove precheck test +- altsvc: fix parser for lines ending with CRLF - This has not been needed since commit 9fa42bed and often prevents it - from running at all with dynamic test ports. - -- tests: Stop referring to server ports when they're not used + Fixed the alt-svc parser to treat a newline as end of line. - Several tests referred to specific server ports even when the test - didn't actually use that server or specify that it's needed. In such - cases, the test harness substitutes the text "[not running]" as the port - number which causes many such tests to fail due to the inability to - parse the URL. These tests are changed to use %NOLISTENPORT which will - always be substituted correctly. - -Daniel Stenberg (30 Apr 2020) -- [Emil Engler brought this change] + The unit tests in test 1654 were done without CRLF and thus didn't quite + match the real world. Now they use CRLF as well. + + Reported-by: Peter Wu + Assisted-by: Peter Wu + Assisted-by: Jay Satiro + Fixes #5445 + Closes #5446 - GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT +Viktor Szakats (25 May 2020) +- all: fix codespell errors - Closes #5287 + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + Closes https://github.com/curl/curl/pull/5452 -- conncache: various concept cleanups +Peter Wu (25 May 2020) +- ngtcp2: fix build with current ngtcp2 master implementing draft 28 - More connection cache accesses are protected by locks. + Based on client.cc changes from ngtcp2. Tested with current git master, + ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380. - CONNCACHE_* is a beter prefix for the connection cache lock macros. + Fixes #5444 + Closes #5443 + +Daniel Stenberg (25 May 2020) +- RELEASE-NOTES: synced - Curl_attach_connnection: now called as soon as there's a connection - struct available and before the connection is added to the connection - cache. + moved the new setopts up to a "change" + +- RELEASE-NOTES: synced + +- copyright: updated year ranges out of sync - Curl_disconnect: now assumes that the connection is already removed from - the connection cache. + ... and whitelisted a few more files in the the copyright.pl script. + +- [Gilles Vollant brought this change] + + setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency - Ref: #4915 - Closes #5009 + Closes #5431 -- tests: tests: run stunnel for HTTPS and FTPS on dynamic ports +- curl: remove -J "informational" written on stdout - As stunnel is an external tool and it has no specific option to export - the actually used port number when asked to listen to 0, runtests - instead iterates over ten randomly picked high number ports and sticks - to the first one stunnel can listen to. + curl would previously show "curl: Saved to filename 'name from header'" + if -J was used and a name was picked from the Content-Disposition + header. That output could interfer with other stdout output, such as -w. - Closes #5267 + This commit removes that output line. + Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html + Reported-by: Коваленко Анатолий Викторович + Closes #5435 -- tests: pick a random port number for SSH +Peter Wu (22 May 2020) +- travis: simplify quiche build instructions wrt boringssl - Since sshd doesn't have such an option by itself, we iterate over a - series of random ports until one works. + quiche builds boringssl as static library, reuse that instead of + building another shared library. - Closes #5273 - -- [Rikard Falkeborn brought this change] + Closes #5438 - libtest/cmake: Remove commented code - - These were commented out in e9dd0998706a when Makefile.inc was included - instead. 11 years have passed since then and the commented code is of - course very outdated. Remove it to avoid confusion. +- configure: fix pthread check with static boringssl - Closes #5311 + A shared boringssl/OpenSSL library requires -lcrypto only for linking. + A static build additionally requires `-ldl -lpthread`. In the latter + case `-lpthread` is added to LIBS which prevented `-pthread` from being + added to CFLAGS. Clear LIBS to fix linking failures for libtest tests. -- schannel: source code reindent +Daniel Stenberg (22 May 2020) +- Revert "sendf: make failf() use the mvsnprintf() return code" - White space edits only. Conform better to standard curl source code - indenting style. + This reverts commit 74623551f306990e70c7c5515b88972005604a74. - Closes #5305 + Instead mark the function call with (void). Getting the return code and + using it instead triggered Coverity warning CID 1463596 because + snprintf() can return a negative value... + + Closes #5441 -Kamil Dudka (29 Apr 2020) -- test1177: look for curl.h in source directory +- typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *' - If we use a separate build directory, there is no copy of the header. + Reported-by: Billyzou0741326 on github + Fixes #5432 + Closes #5436 + +- tests/server/util.h: add extern to silence compiler warning - Closes #5310 + Follow-up from a3b0699d5c1 -- tests: look for preprocessed tests in build directory +- typecheck-gcc.h: fix the OFF_T check - ... which is not always the same directory as source directory + The option number also needs to be less than CURLOPTTYPE_BLOB. - Closes #5310 + Follow-up to cac5374298 + Reported-by: Jeroen Ooms + Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114 -Daniel Stenberg (29 Apr 2020) -- RELEASE-NOTES: synced +- TODO: --dry-run - ... and bumped curlver.h to 7.70.1 - -Version 7.70.0 (29 Apr 2020) - -Daniel Stenberg (29 Apr 2020) -- RELEASE-NOTES: 7.70.0 + Closes #5426 -- THANKS: synced with the 7.70.0 release +- TODO: Ratelimit or wait between serial requests + + Closes #5406 -- headers: copyright range fix +- tool_paramhlp: fixup C89 mistake + + Follow-up to c5f0a9db22. -- [Rikard Falkeborn brought this change] +- [Siva Sivaraman brought this change] - doh: Constify some input pointers + tool_paramhlp: fixed potentially uninitialized strtol() variable - Closes #5306 + Seems highly unlikely to actually be possible, but better safe than + sorry. + + Closes #5417 -- nss: check for PK11_CreateDigestContext() returning NULL +- [Siva Sivaraman brought this change] + + tool_operate: fixed potentially uninitialized variables - ... to avoid crashes! + ... in curl_easy_getinfo() calls. They're harmless but clearing the + variables makes the code safer and comforts the reader. - Reported-by: Hao Wu - Fixes #5302 - Closes #5303 + Closes #5416 -- travis: bump the wolfssl CI build to use 4.4.0 +- sha256: move assign to the declaration line - Closes #5301 + Follow-up to fae30656. Should've been squashed with that commit... -- copyright updates: adjust year ranges +- [Siva Sivaraman brought this change] -Marc Hoersken (26 Apr 2020) -- CI: do not include */ci branches in PR builds + sha256: fixed potentially uninitialized variable - Align Azure Pipelines with GitHub Actions. + Closes #5414 -Daniel Stenberg (25 Apr 2020) -- runtests: check for the disabled tests relative srcdir - - To make it work correctly for out-of-tree builds. - - Follow-up to 75e8feb6fb08b +- sendf: make failf() use the mvsnprintf() return code - Bug: https://github.com/curl/curl/pull/5288#issuecomment-619346389 - Reported-by: Marcel Raad - Closes #5297 - -- runtests: revert commenting out a line I did for debugging + ... and avoid a strlen() call. Fixes a MonocleAI warning. - Follow-up to 11091cd4d. It was not meant to be pushed! + Reported-by: MonocleAI + Fixes #5413 + Closes #5420 -- smtp: set auth correctly +- hostip: make Curl_printable_address not return anything - Regression since 7.69.0 and 68fb25fa3fcff. + It was not used much anyway and instead we let it store a blank buffer + in case of failure. - The code wrongly assigned 'from' instead of 'auth' which probably was a - copy and paste mistake from other code, leading to that auth could - remain NULL and later cause an error to be returned. + Reported-by: MonocleAI + Fixes #5411 + Closes #5418 + +- ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void) - Assisted-by: Eric Sauvageau - Fixes #5294 - Closes #5295 + They're done on purpose, make that visible in the code. + Reported-by: MonocleAI + Fixes #5412 + Closes #549 -Marcel Raad (25 Apr 2020) -- lib: clean up whitespace +- TODO: forbid TLS post-handshake auth and do TLS record padding - This fixes CodeFactor warnings. + Closes #5396 + Closes #5398 -Daniel Stenberg (25 Apr 2020) -- [Anderson Toshiyuki Sasaki brought this change] +- RELEASE-NOTES: synced + +- dynbuf: return NULL when there's no buffer length + + ... as returning a "" is not a good idea as the string is supposed to be + allocated and returning a const string will cause issues. + + Reported-by: Brian Carpenter + Follow-up to ed35d6590e72c + Closes #5405 - libssh: avoid options override by configuration files +Peter Wu (16 May 2020) +- travis: upgrade to bionic, clang-9, improve readability - Previously, options set explicitly through command line options could be - overridden by the configuration files parsed automatically when - ssh_connect() was called. + Changes, partially to reduce build failures from external dependencies: + - Upgrade Ubuntu and drop unnecessary third-party repos. + - Properly clone apt config to ensure retries. + - Upgrade to clang-9 from the standard repos. + - Use Ubuntu 20.04 focal for the libssh build, use of ssh_get_publickey + fails on -Werror=deprecated-declarations in Ubuntu 18.04. Do not use + focal everywhere yet since Travis CI has not documented this option. + In focal, python-impacket (Py2.7) has been removed, leaving only + python3-impacket. Since it is only needed for SMB tests and not SSH, + skip it for the libssh job since it might need more work. + - apt: Remove gcc-8 and libstdc++-8-dev, already installed via g++-8. - By calling ssh_options_parse_config() explicitly, the configuration - files are parsed before setting the options, avoiding the options - override. Once the configuration files are parsed, the automatic - configuration parsing is not executed. + Non-functional cleanups: + - Simplify test matrix, drop redundant os and compiler keys. + - Deprecation fixes: remove sudo, rename matrix -> jobs. + - Every job has an 'env' key, put this key first in a list item. - Fixes #4972 - Closes #5283 - Signed-off-by: Anderson Toshiyuki Sasaki + Closes #5370 -- runtests: when mentions http, kill http/2 too +- travis: whitespace-only changes for consistency - Since the http2 test server is a mere proxy that needs to know about the - dynamic port the HTTP server is using, it too needs to get restarted - when the http server is killed. + Automatically apply a consistent indentation with: - A regression caused by 80d6515. + python3 -c 'from ruamel.yaml import YAML;y=YAML();d=y.load(open(".travis.yml"));y.width=500;y.dump(d,open(".travis.yml.new","w"))' - Fixes #5289 - Closes #5291 - -- [Yuri Slobodyanyuk brought this change] - - docs: fix two typos + followed by manually re-indenting three comments. - Closes #5292 - -- [Emil Engler brought this change] + Closes #5370 - tests/git: ignore mqttd and port files +- CMake: add libssh build support - Closes #5290 + Closes #5372 -- tests: make runtests check that disabled tests exists +Daniel Stenberg (15 May 2020) +- KNOWN_BUGS: wolfssh: publickey auth doesn't work - ... and error out if so. Removed '536' from DISABLED as there is no such - test file. + Closes #4820 + +- KNOWN_BUGS: OS400 port requires deprecated IBM library - Closes #5288 + Closes #5176 -- test1154: set a proper name +- [Vyron Tsingaras brought this change] -- select: make Curl_socket_check take timediff_t timeout - - Coverity found CID 1461718: - - Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms > - 9223372036854775807L" is always false regardless of the values of its - operands. This occurs as the logical second operand of "||". + http2: keep trying to send pending frames after req.upload_done - Closes #5240 + Fixes #1410 + Closes #5401 -- [i-ky brought this change] +- [Gilles Vollant brought this change] - libcurl-multi.3: added missing full stop + setopt: support certificate options in memory with struct curl_blob - Closes #5285 - -Jay Satiro (22 Apr 2020) -- transfer: Switch PUT to GET/HEAD on 303 redirect + This change introduces a generic way to provide binary data in setopt + options, called BLOBs. - Prior to this change if there was a 303 reply to a PUT request then - the subsequent request to respond to that redirect would also be a PUT. - It was determined that was most likely incorrect based on the language - of the RFCs. Basically 303 means "see other" resource, which implies it - is most likely not the same resource, therefore we should not try to PUT - to that different resource. + This change introduces these new setopts: - Refer to the discussions in #5237 and #5248 for more information. + CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB, + CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB. - Fixes https://github.com/curl/curl/issues/5237 - Closes https://github.com/curl/curl/pull/5248 + Reviewed-by: Daniel Stenberg + Closes #5357 -Daniel Stenberg (22 Apr 2020) -- lib/mk-ca-bundle: skip empty certs +- source cleanup: remove all custom typedef structs - Reviewed-by: Emil Engler - Reported-by: Ashwin Metpalli - Fixes #5278 - Closes #5280 - -- version: skip idn2_check_version() check and add precaution + - Stick to a single unified way to use structs + - Make checksrc complain on 'typedef struct {' + - Allow them in tests, public headers and examples - A gcc-10's -fanalyze complaint made me spot and do these improvements. + - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually + typedef different types/structs depending on build conditions. - Closes #5281 - -- RELEASE-NOTES: synced + Closes #5338 -- [Brian Bergeron brought this change] +- travis: remove the .checksrc fiddling - curl.h: update comment typo - - "routines with be invoked" -> "routines will be invoked" +- ftp: make domore_getsock() return the secondary socket properly - Closes #5279 + Previously, after PASV and immediately after the data connection has + connected, the function would only return the control socket to wait for + which then made the data connection simply timeout and not get polled + correctly. This become obvious when running test 1631 and 1632 event- + based. -- [Emil Engler brought this change] +- test1632: verify FTP through HTTPS-proxy with connection re-use - GnuTLS: Don't skip really long certificate fields - - Closes #5271 +- test1631: verify FTP download through HTTPS-proxy -- gnutls: bump lowest supported version to 3.1.10 +- sws: as last resort, get test number from server cmd file - GnuTLS 3.1.10 added new functions we want to use. That version was - released on Mar 22, 2013. Removing support for older versions also - greatly simplifies the code. + If it can't be found in the request. Also support --cmdfile to set it to + a custom file name. - Ref: #5271 - Closes #5276 + runtests.pl always writes this file with the test number in it since a + while back. -- mqtt: make NOSTATE get within the debug name array +- ftp: shut down the secondary connection properly when SSL is used + + Reported-by: Neal Poole + Fixes #5340 + Closes #5385 -- tests: run the RTSP test server on a dynamic port number +Marcel Raad (14 May 2020) +- KNOWN_BUGS: adapt 5.5 to recent changes - To avoid port collisions. + It only applies to non-Unicode builds now. + Also merge 5.10 into it as it's effectively a duplicate. - Closes #5272 + Closes https://github.com/curl/curl/pull/3784 -- tests: add %NOLISTENPORT and use it - - The purpose with this variable is to provide a port number that is - reasonably likely to not have a listener on the local host so that tests - can try connect failures against it. It uses port 47 - "reserved" - according to IANA. +- curl_setup: support Unicode functions to open files on Windows - Updated six tests to use it instead of the previous different ports. + Use them only if `_UNICODE` is defined, in which case command-line + arguments have been converted to UTF-8. - Assisted-by: Emil Engler - Closes #5270 + Closes https://github.com/curl/curl/pull/3784 -- mqtt: remove code with no purpose +- tool: support UTF-16 command line on Windows - Detected by Coverity. CID 1462319. + - use `wmain` instead of `main` when `_UNICODE` is defined [0] + - define `argv_item_t` as `wchar_t *` in this case + - use the curl_multibyte gear to convert the command-line arguments to + UTF-8 - "The same code is executed when the condition result is true or false, - because the code in the if-then branch and after the if statement is - identical." + This makes it possible to pass parameters with characters outside of + the current locale on Windows, which is required for some tests, e.g. + the IDN tests. Out of the box, this currently only works with the + Visual Studio project files, which default to Unicode, and winbuild + with the `ENABLE_UNICODE` option. - Closes #5275 + [0] https://devblogs.microsoft.com/oldnewthing/?p=40643 + + Ref: https://github.com/curl/curl/issues/3747 + Closes https://github.com/curl/curl/pull/3784 -- mqtt: fix Curl_read() error handling while reading remaining length +- curl_multibyte: add to curlx - Detected by Coverity. CID 1462320. + This will also be needed in the tool and tests. - Closes #5274 + Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512 + Closes https://github.com/curl/curl/pull/3784 -- server/tftpd: fix compiler warning +Daniel Stenberg (14 May 2020) +- url: make the updated credentials URL-encoded in the URL - Follow-up from 369ce38ac1d - Reported-by: Marc Hörsken + Found-by: Gregory Jefferis + Reported-by: Jeroen Ooms + Added test 1168 to verify. Bug spotted when doing a redirect. + Bug: https://github.com/jeroen/curl/issues/224 + Closes #5400 -- http: free memory when Alt-Used header creation fails due to OOM +- tests: add https-proxy support to the test suite - Reported-by: James Fuller - Fixes #5268 - Closes #5269 - -Daniel Gustafsson (20 Apr 2020) -- lib: fix typos in comments and errormessages + Initial test 1630 added with basic HTTPS-proxy use. HTTPS-proxy is like + HTTP proxy but with a full TLS connection to the proxy. - This fixes a few randomly spotted typos in recently merged code, most - notably one in a userfacing errormessage the schannel code. + Closes #5399 -Daniel Stenberg (20 Apr 2020) -- tests: run the SOCKS test server on a dynamic port number - - Closes #5266 +- mailmap: James Fuller -- [Johannes Schindelin brought this change] +- [Major_Tom brought this change] - multi-ssl: reset the SSL backend on `Curl_global_cleanup()` - - When cURL is compiled with support for multiple SSL backends, it is - possible to configure an SSL backend via `curl_global_sslset()`, but - only *before* `curl_global_init()` was called. + vauth/cleartext: fix theoretical integer overflow - If another SSL backend should be used after that, a user might be - tempted to call `curl_global_cleanup()` to start over. However, we did - not foresee that use case and forgot to reset the SSL backend in that - cleanup. + Fix theoretical integer overflow in Curl_auth_create_plain_message. - Let's allow that use case. + The security impact of the overflow was discussed on hackerone. We + agreed this is more of a theoretical vulnerability, as the integer + overflow would only be triggerable on systems using 32-bits size_t with + over 4GB of available memory space for the process. - Fixes #5255 - Closes #5257 - Reported-by: davidedec on github - Signed-off-by: Johannes Schindelin + Closes #5391 -- tests: run the TFTP test server on a dynamic port number +Jay Satiro (13 May 2020) +- curl.1: Quote globbed URLs - Picking a dynamic unused port is better than a fixed to avoid the - collision risk. + - Quote the globbing example URLs that contain characters [] {} since + otherwise they may be interpreted as shell metacharacters. - Closes #5265 + Bug: https://github.com/curl/curl/issues/5388 + Reported-by: John Simpson + + Closes https://github.com/curl/curl/pull/5394 -- mqtt: improve the state machine +Daniel Stenberg (14 May 2020) +- checksrc: enhance the ASTERISKSPACE and update code accordingly - To handle PUBLISH before SUBACK and more. + Fine: "struct hello *world" - Updated the existing tests and added three new ones. + Not fine: "struct hello* world" (and variations) - Reported-by: Christoph Krey - Bug: https://curl.haxx.se/mail/lib-2020-04/0021.html - Closes #5246 - -- runtests: always put test number in servercmd file - -- RELEASE-NOTES: synced - -- release-notes.pl: fix parsing typo - -James Fuller (20 Apr 2020) -- ensure all references to ports are replaced by vars - -- add more alt-svc test coverage + Closes #5386 -Daniel Stenberg (20 Apr 2020) -- test1247: use http server to get the port number set +- docs/options-in-versions: which version added each cmdline option - Follow-up to 0f5db7b263f + Added test 971 to verify that the list is in sync with the files in + cmdline-opts. The check also verifies that .d-files that uses Added: + specify the same version number as the options-in-versions file does. + + Closes #5381 -- runtests: use a unix domain socket path with the pid in the name +- docs: unify protocol lists - To make it impossible for test cases to access the file name without - using the proper variable for the purpose. + We boast support for 25 transfer protocols. Make sure the lists are + consistent - Closes #5264 - -Daniel Gustafsson (19 Apr 2020) -- [Mipsters on github brought this change] + Closes #5384 - src: Remove C99 constructs to ensure C89 compliance +- OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN - This fixes the error: 'for' loop initial declaration used outside C99 - mode by declaring the loop increment variable in the beginning of the - block instead of inside the for loop. + ... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. - Fixes #5254 - Reviewed-by: Daniel Gustafsson + Reported-by: Michael Kaufmann + Fixes #5374 + Closes #5376 -Daniel Stenberg (19 Apr 2020) -- runtests: dummy init the ports variables to avoid warnings - - ... and generate something that can help debug test cases. +- tls13-ciphers.d: shorten the Arg -- [Patrick Monnerat brought this change] +- sasl-authzid.d: add Arg: and shorten the desc - mime: properly check Content-Type even if it has parameters +- cert-type.d: mention the available types in the desc + +- tool: shorten 3 --help descriptions - New test 669 checks this fix is effective. + --happy-eyeballs-timeout-ms, --resolve and --ssl-revoke-best-effort - Fixes #5256 - Closes #5258 - Reported-by: thanhchungbtc on github - -- tests/FILEFORMAT: converted to markdown and extended + gen.pl already warned about these lines but we didn't listen - Closes #5261 - -- test1245: make it work with dynamic FTP server port + Closes #5379 -- test1055: make it work with dynamic FTP port +- configure: the wolfssh backend does not provide SCP + + Closes #5387 -- test1028: make it run on dynamic FTP server port +- RELEASE-NOTES: synced -- tests: move pingpong server to dynamic listening port +- url: reject too long input when parsing credentials - FTP, IMAP, POP3, SMTP and their IPv6 versions are now all on dynamic - ports + Since input passed to libcurl with CURLOPT_USERPWD and + CURLOPT_PROXYUSERPWD circumvents the regular string length check we have + in Curl_setstropt(), the input length limit is enforced in + Curl_parse_login_details too, separately. - Test 842-845 are unfortunately a bit hard to move over to this concept - right now and require "default port" still... - -- test1056: work with dynamic HTTP ipv6 port + Reported-by: Thomas Bouzerar + Closes #5383 -- test1448: work with dynamic HTTP server port +- list-only.d: this option existed already in 4.0 -- tests: introduce preprocessed test cases +Jay Satiro (12 May 2020) +- retry-all-errors.d: Shorten the summary line - The runtests script now always performs variable replacement on the - entire test source file before the test gets executed, and saves the - updated version in a temporary file (log/test[num]) so that all test - case readers/servers can use that version (if present) and thus enjoy - the powers of test case variable substitution. + Follow-up to b995bb5 from a few moments ago. - This is necessary to allow complete port number freedom. + Reported-by: Daniel Stenberg - Test 309 is updated to work with a non-fixed port number thanks to this. + Ref: https://github.com/curl/curl/commit/b995bb5#r39108929 -- tests: make 2006-2010 handle different port number lengths +- [denzor brought this change] -- tests: run the sws server on "any port" - - Makes the test servers for HTTP and Gopher pop up on a currently unused - port and runtests adapts to that! + easy: fix dangling pointer on easy_perform fail - Closes #5247 + Closes https://github.com/curl/curl/pull/5363 -Marc Hoersken (18 Apr 2020) -- sockfilt: tidy variable naming and data structure in select_ws +- tool: Add option --retry-all-errors to retry on any error - This commit does not introduce any logical changes to the code. + The "sledgehammer" of retrying. - Reviewed-by: Jay Satiro and Marcel Raad - Closes #5238 + Closes https://github.com/curl/curl/pull/5185 -Daniel Stenberg (17 Apr 2020) -- [Anderson Toshiyuki Sasaki brought this change] +Daniel Stenberg (12 May 2020) +- [James Le Cuirot brought this change] - libssh: Use new ECDSA key types to check known hosts + libcurl.pc: Merge Libs.private into Libs for static-only builds - From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA - keys depending on the curve. + A project being built entirely statically will call pkg-config with + --static, which utilises the Libs.private field. Conversely it will + not use --static when not being built entirely statically, even if + there is only a static build of libcurl available. This will most + likely cause the build to fail due to underlinking unless we merge the + Libs fields. - Signed-off-by: Anderson Toshiyuki Sasaki - Fixes #5252 - Closes #5253 - -Marcel Raad (17 Apr 2020) -- appveyor: add Unicode winbuild jobs + Consider that this is what the Meson build system does when it + generates pkg-config files. - These are cheap as they don't build tests. + I have also reflected this in the --libs argument of curl-config even + though REQUIRE_LIB_DEPS always seems to be "yes" anyway. - Closes https://github.com/curl/curl/pull/5063 + Closes #5373 -Daniel Stenberg (16 Apr 2020) -- mqttd: s/errno/SOCKERRNO - - To behave proper on Windows - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/5e855bbd18f84a02c951be7cac6188276818cdac#r38507132 - Closes #5241 +- [Peter Wu brought this change] -- buildconf: use find -execdir instead, remove -print and the ares files + CMake: fix runtests.pl with CMake, add new test targets - Follow-up to 1e41bec96a6e + * runtests.pl: + - Fix out-of-tree build under CMake when srcdir is not set. Default + srcdir to the location of runtests.pl. + - Add a hack to allow CMake to use the TFLAGS option as documented + in tests/README and used in scripts/travis/script.sh. + * Bump CMake version to 3.2 for USES_TERMINAL, dropping Debian Jessie + support (no one should care, it is already EOL.). + * Remove CTest since it defines its own 'test' target with no tests + since all unittests are already broken and not built by default. + * Add new test targets based on the options from Makefile.am. Since + new test targets are rarely added, I opted for duplicating the + runtests.pl options as opposed to creating a new Makefile.inc file. + Use top-level target names (test-x) instead of x-test since that is + used by CI and others. - Suggested-by: Marc Hörsken + Closes #5358 -- [Alexander V. Tikhonov brought this change] +- [Peter Wu brought this change] - buildconf: avoid using tempfile when removing files + CMake: do not build test programs by default - Closes #5213 - -- copyright: bump the copyright year range - -- scripts/release-notes.pl: accept colon after the Fixes/Closes keywords + The default target should only build libcurl and curl. Add a dedicated + 'testdeps' target which will be used later when running tests. Note that + unittests are currently broken in CMake and already excluded. + + Closes #5368 -- [JP Mens brought this change] +- FILEFORMAT: moved up the variables section and further polished - docs/MQTT: replace confusing 80 by 75 +- runtests: remove ftp2 support, not used - I was a bit surprised by the `80`: first thought: what's HTTP doing - here? ;) + We once supported two separate ftp instances in the test suite. Has not + been used the last decade. - Closes #5236 - -- [Brad King brought this change] + Closes #5375 - cmake: Avoid MSVC C4273 warnings in send/recv checks - - We use `check_c_source_compiles` to check possible send/recv signatures - by reproducing the forward declarations from system headers. On Windows - the `winsock2.h` header adds dll linkage settings to its forward - declaration. If ours does not match the compiler warns: +- url: sort the protocol schemes in rough popularity order - warning C4273: 'recv': inconsistent dll linkage + When looking for a protocol match among supported schemes, check the + most "popular" schemes first. It has zero functionality difference and + for all practical purposes a speed difference will not be measureable + but it still think it makes sense to put the least likely matches last. - Add `WINSOCK_API_LINKAGE` to our test signatures when it is defined so - that our linkage is consistent with that from `winsock2.h`. + "Popularity" based on the 2019 user survey. - Fixes #4764 - Closes #5232 + Closes #5377 -Jay Satiro (14 Apr 2020) -- KNOWN_BUGS: Add entry 'Blocking socket operations' +Marc Hoersken (11 May 2020) +- test1238: avoid tftpd being busy for tests shortly following - - Add threaded resolver cleanup and GSSAPI for FTP to the TODO list of - known blocking operations. + The tftpd server may still be busy if the total timeout of + 25 seconds has not been reached or no sread error was received + during or after the execution of the timeout test 1238. - - New known bugs entry 'Blocking socket operations in non-blocking API' - that directs to the TODO's list of known blocking operations. + Once the next TFTP test comes around (eg. 1242 or 1243), + those will fail because the tftpd server is still waiting + on data from curl due to the UDP protocol being stateless + and having no connection close. On Linux this error may not + happen, because ICMP errors generated due to a swrite error + can also be returned async on the next sread call instead. - Ref: https://github.com/curl/curl/pull/5214#issuecomment-612488021 + Therefore we will now just kill the tftpd server after test + 1238 to make sure that the following tests are not affected. - Reported-by: Marc Hoersken + This enables us to no longer ignore tests 1242, 1243, 2002 + and 2003 on the CI platforms CirrusCI and AppVeyor. - Closes https://github.com/curl/curl/pull/5216 + Assisted-by: Peter Wu + Closes #5364 -Marc Hoersken (14 Apr 2020) -- test2043: use revoked.badssl.com instead of revoked.grc.com +Daniel Stenberg (11 May 2020) +- write-out.d: added "response_code" + +- KNOWN_BUGS: Build with staticly built dependency - The certificate of revoked.grc.com has expired on 2020-04-13. + I rewrote the item 5.4 to be more generic about static dependencies. + +- ROADMAP: remove old entries - Reviewed-by: Jay Satiro + MQTT - the start has already landed - Closes #5233 - -- sockfilt: fix broken pipe on Windows to be ready in select_ws + tiny-curl - also mostly landed and is a continuous work - Closes #5228 - -Daniel Stenberg (14 Apr 2020) -- RELEASE-NOTES: synced - -- scripts/release-notes: fix duplicate output header - -- github/workflow: enable MQTT in the macOS debug build - -- azure: add mqtt support to one of the Windows builds - -- travis: add mqtt job on Linux - -- tests: add four MQTT tests 1190 - 1193 + make menuconfig - basically no interest from users, not pushing there -- tests: add the mqtt test server mqttd +- [Peter Wu brought this change] -- tests: support hex encoded data and mqtt server + travis: Add ngtcp2 and quiche tests for CMake - The mqtt server is started using a "random" port. + To avoid an explosion of jobs, extend the existing CMake tests with + ngtcp2 and quiche support. macOS was previously moved to GitHub actions, + so the non-Linux case can be dropped. -- [Björn Stenberg brought this change] +- [Peter Wu brought this change] - mqtt: add new experimental protocol + CMake: add ENABLE_ALT_SVC option - Closes #5173 + Tested alt-svc with quiche. While at it, add missing MultiSSL reporting + (not tested). -- TODO: Consider convenience options for JSON and XML? - - Closes #5203 +- [Peter Wu brought this change] -- tool: do not declare functions with Curl_ prefix + CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche) - To avoid collision risks with private libcurl symbols when linked with - static versions (or just versions not hiding internal symbols). + Add three new CMake Find modules (using the curl license, but I grant + others the right to apply the CMake BSD license instead). - Reported-by: hydra3333 on github - Fixes #5219 - Closes #5234 - -- [Nathaniel R. Lewis brought this change] - - cmake: add aliases so exported target names are available in tree + This CMake config is simpler than the autotools one because it assumes + ngtcp2 and nghttp3 to be used together. Another difference is that this + CMake config checks whether QUIC is actually supported by the TLS + library (patched OpenSSL or boringssl) since this can be a common + configuration mistake that could result in build errors later. - Reviewed-by: Brad King - Closes #5206 - -- version: increase buffer space for ssl version output + Unlike autotools, CMake does not warn you that the features are + experimental. The user is supposed to already know that and read the + documentation. It requires a very special build environment anyway. - To avoid it getting truncated, especially when several SSL backends are - built-in. + Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from + current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure + out which features (libldap-2.4, libssh2) to disable due to conflicts + with boringssl. - Reported-by: Gisle Vanem - Fixes #5222 - Closes #5226 + Closes #5359 -Marc Hoersken (13 Apr 2020) -- cirrus: no longer ignore test 504 which is working again +Marc Hoersken (10 May 2020) +- tests/server/tftpd.c: fix include and enhance debug logging - The test is working again, because TCP blackholing is disabled. - -- appveyor: completely disable tests that fail to timeout early + setjmp.h should only be included if HAVE_SETJMP_H is defined. - The tests changed from ignored to disabled are tests that are - about connecting to non-listening socket. On AppVeyor these - tests are not reliable, because for some unknown reason the - connect is not timing out before the test time limit is reached. - -Daniel Stenberg (13 Apr 2020) -- test1908: avoid using fixed port number in test data + Add additional log statements to see wether reads and writes + are blocking or finishing before an alarm signal is received. - Closes #5225 - -Jay Satiro (12 Apr 2020) -- [Andrew Kurushin brought this change] + Assisted-by: Peter Wu + Part of #5364 - schannel: Fix blocking timeout logic +Daniel Stenberg (10 May 2020) +- tool_operate: only set CURLOPT_SSL_OPTIONS if SSL support is present - - Fix schannel_send for the case when no timeout was set. + Reported-by: Marcel Raad + Follow-up to 148534db5 + Fixes #5367 + Closes #5369 + +Marc Hoersken (9 May 2020) +- appveyor: update comments to be clear about toolchain - Prior to this change schannel would error if the socket was not ready - to send data and no timeout was set. + - CMake-based MSYS builds use mingw-w64 to cross-compile. + - autotools-based builds are compiled using msys2-devel. - This commit is similar to parent commit 89dc6e0 which recently made the - same change for SOCKS, for the same reason. Basically it was not well - understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms - but actually means no timeout. + The difference is that the later ones are not cross-compiled + to Windows and instead require the msys2 runtime to be present. - Fixes https://github.com/curl/curl/issues/5177 - Closes https://github.com/curl/curl/pull/5221 + At the moment only the Azure Pipelines CI builds actually + run autotools-based cross-compilation builds for Windows. -- socks: Fix blocking timeout logic +- TODO: update regarding missing Schannel features - - Document in Curl_timeleft's comment block that returning 0 signals no - timeout (ie there's infinite time left). + Some aspects have already been implemented over the years. - - Fix SOCKS' Curl_blockread_all for the case when no timeout was set. + 15.1 Client certificates are now supported: - Prior to this change if the timeout had a value of 0 and that was passed - to SOCKET_READABLE it would return right away instead of blocking. That - was likely because it was not well understood that when Curl_timeleft - returns 0 it is not a timeout of 0 ms but actually means no timeout. + - System stores via e35b0256eb34f1fe562e3e2a2615beb50a391c52 + - PKCS#12 files via 0fdf96512613574591f501d63fe49495ba40e1d5 - Ref: https://github.com/curl/curl/pull/5214#issuecomment-612512360 + 15.2 Ciphers can now be specified through: - Closes https://github.com/curl/curl/pull/5220 + - Algorithms via 9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28 + + Reviewed-by: Daniel Stenberg and Marcel Raad + Closes #5358 -- [Marc Hoersken brought this change] +Daniel Stenberg (8 May 2020) +- checksrc: close the .checksrc file handle when done reading - gopher: check remaining time left during write busy loop - - Prior to this change gopher's blocking code would block forever, - ignoring any set timeout value. - - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg +- RELEASE-NOTES: synced - Similar to #5220 and #5221 - Closes #5214 + And bumped next version to 7.71.0 -Daniel Stenberg (13 Apr 2020) -- [Dirkjan Bussink brought this change] +- [Gilles Vollant brought this change] - gnutls: ensure TLS 1.3 when SRP isn't requested - - When SRP is requested in the priority string, GnuTLS will disable - support for TLS 1.3. Before this change, curl would always add +SRP to - the priority list, effectively always disabling TLS 1.3 support. - - With this change, +SRP is only added to the priority list when SRP - authentication is also requested. This also allows updating the error - handling here to not have to retry without SRP. This is because SRP is - only added when requested and in that case a retry is not needed. + CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl) - Closes #5223 + Closes #4346 -Marc Hoersken (12 Apr 2020) -- tests/server: add hidden window to gracefully handle WM_CLOSE - - Forward Window events as signals to existing signal event handler. +- TODO: native IDN support on macOS -- tests/server: add CTRL event handler for Win32 consoles +- urlapi: accept :: as a valid IPv6 address - Forward CTRL events as signals to existing signal event handler. - -- tests/server: move all signal handling routines to util.[ch] + Text 1560 is extended to verify. - Avoid code duplication to prepare for portability enhancements. + Reported-by: Pavel Volgarev + Fixes #5344 + Closes #5351 -Daniel Stenberg (12 Apr 2020) -- compressed.d: stress that the headers are not modified - - Suggested-by: Michael Osipov - Assisted-by: Jay Satiro - Bug: https://github.com/curl/curl/issues/5182#issuecomment-611638008 - Closes #5217 +- THANKS-filter: Peter Wang -Marc Hoersken (11 Apr 2020) -- tests/server/util.c: use curl_off_t instead of long for pid +- [Peter Wang brought this change] + + *_sspi: fix bad uses of CURLE_NOT_BUILT_IN - Avoid potential overflow of huge PIDs on Windows. + Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other + instances of QuerySecurityPackageInfo failing, as in + commit 2a81439553286f12cd04a4bdcdf66d8e026d8201. - Related to #5188 - Assisted-by: Marcel Raad + Closes #5355 -- tests: use Cygwin/msys PIDs for stunnel and sshd on Windows - - Since the Windows versions of both programs would write Windows - PIDs to their pidfiles which we cannot handle, we need to use - our known perl.exe Cygwin/msys PID together with exec() in order - to tie the spawned processes to the existance of our perl.exe +- docs/HTTP3: add qlog to the quiche build instruction + +- ngtcp2: introduce qlog support - The perl.exe that is executing secureserver.pl and sshserver.pl - has a Cygwin/msys PID, because it is started inside Cygwin/msys. + If the QLOGDIR environment variable is set, enable qlogging. - Related to #5188 - -- tests: add Windows compatible pidwait like pidkill and pidterm + ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for + QUIC functions that are backend independent. - Related to #5188 + Closes #5353 -- tests: fix conflict between Cygwin/msys and Windows PIDs - - Add 65536 to Windows PIDs to allow Windows specific treatment - by having disjunct ranges for Cygwin/msys and Windows PIDs. +- ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN - See also: - - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵ - h=b5e1003722cb14235c4f166be72c09acdffc62ea - - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵ - h=448cf5aa4b429d5a9cebf92a0da4ab4b5b6d23fe + That return code is reserved for build-time conditional code not being + present while this was a regular run-time error from a Windows API. - Replaces #5178 - Closes #5188 + Reported-by: wangp on github + Fixes #5349 + Closes #5350 -Daniel Stenberg (11 Apr 2020) -- RELEASE-NOTES: synced +- runtests: show elapsed test time with higher precision (ms) -- release-notes.pl: detect the start of the references in cleanup mode +- RELEASE-NOTES: synced -- Revert "file: on Windows, refuse paths that start with \\" +- http2: simplify and clean up trailer handling - This reverts commit 1b71bc532bde8621fd3260843f8197182a467ff2. + Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in + ed35d6590e72. This should make the trailer handling more straight forward and + hopefully less error-prone. - Reminded-by: Chris Roberts - Bug: https://curl.haxx.se/mail/archive-2020-04/0013.html + Deliver the trailer header to the callback already at receive-time. No + longer caches the trailers to get delivered at end of stream. - Closes #5215 + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030 + Closes #5348 -Jay Satiro (11 Apr 2020) -- lib: fix conversion warnings for SOCKET_WRITABLE/READABLE +Marc Hoersken (7 May 2020) +- appveyor: disable test 1139 instead of ignoring it - - If loss of data may occur converting a timediff_t to time_t and - the time value is > TIME_T_MAX then treat it as TIME_T_MAX. + Spending time on manpage checking makes no sense + for these builds due to lacking manpage support. + +- appveyor: disable flaky test 1501 and ignore broken 1056 - This is a follow-up to 8843678 which removed the (time_t) typecast - from the macros so that conversion warnings could be identified. + Test 1501 is flaky on Windows CI due to being time sensitive + and the testsuite relying on taskkill.exe to check for the + existance of processes which can take to much time itself. - Closes https://github.com/curl/curl/pull/5199 + Test 1056 is broken in autotools-based Windows builds due + to scope ID support missing in these builds at the moment. -- test1148: tolerate progress updates better (again) - - - Ignore intermediate progress updates. +- test613.pl: make tests 613 and 614 work with OpenSSH for Windows - - Support locales that use a character other than period as decimal - separator (eg 100,0%). + OpenSSH for Windows shows group and other/world permissions as *, + because those concepts do not exist on Windows. It also does not + show the current or parent directory, so we just ignore those. - test1148 checks that the progress finishes at 100% and has the right - bar width. Prior to this change the test assumed that the only progress - reported for such a quick transfer was 100%, however in rare instances - (like in the CI where transfer time can slow considerably) there may be - intermediate updates. For example, below is stderrlog1148 from a failed - CI run with explicit \r and \n added (it is one line; broken up so that - it's easier to understand). + Reviewed-by: Daniel Stenberg + Closes #5328 + +Daniel Stenberg (6 May 2020) +- runtests: set +x mode again + +- libssh2: convert over to use dynbuf - \r - \r################################## 48.3% - \r######################################################################## 100.0% - \n + In my very basic test that lists sftp://127.0.0.1/tmp/, this patched + code makes 161 allocations compared to 194 in git master. A 17% + reduction. - Closes https://github.com/curl/curl/pull/5194 + Closes #5336 -Marc Hoersken (10 Apr 2020) -- sshserver.pl: use cached Win32 environment check variable +- travis: add "qlog" as feature in the quiche build -- appveyor: partially revert 3413a110 to keep build without proxy +- quiche: enable qlog output - Ref: #5211 and #4526 - Reported-by: Marcel Raad + quiche has the potential to log qlog files. To enable this, you must + build quiche with the qlog feature enabled `cargo build --features + qlog`. curl then passes a file descriptor to quiche, which takes + ownership of the file. The FD transfer only works on UNIX. + + The convention is to enable logging when the QLOGDIR environment is + set. This should be a path to a folder where files are written with the + naming template .qlog. + + Co-authored-by: Lucas Pardue + Replaces #5337 + Closes #5341 -- appveyor: ignore failing 'connect to non-listening proxy' tests +- urldata.h: remove #define HEADERSIZE, not used anymore - Closes #5211 + Follow-up to ed35d6590e72c -- CI/macos: convert CRLF to LF and align indentation +- ngtcp2: convert to dynbuf + + Closes #5335 -Daniel Stenberg (9 Apr 2020) -- url: allow non-HTTPS altsvc-matching for debug builds +- connect: make happy eyeballs work for QUIC (again) - This is already partly supported but this part was missing. - Reported-by: James Fuller + Follow-up from dbd16c3e256c6c (regression in 7.70.0) - Closes #5205 + Closes #5334 -- server/resolve: remove AI_CANONNAME to make macos tell the truth - - With this bit set, my mac successfully resolves "ip6-localhost" when in - fact there is no such host known to my machine! That in turn made test - 241 wrongly execute and fail. +- connect: add two asserts to clue code analyzers in a little + +- http_proxy: ported to use dynbuf instead of a static size buffer - Closes #5202 + Removes a 16K static buffer from the easy handle. Simplifies the code. -- runtests: fix warning about using an undefined variable +- dynbuf: introduce internal generic dynamic buffer functions - Follow-up from 4d939ef6ceb2db1 + A common set of functions instead of many separate implementations for + creating buffers that can grow when appending data to them. Existing + functionality has been ported over. + + In my early basic testing, the total number of allocations seem at + roughly the same amount as before, possibly a few less. + + See docs/DYNBUF.md for a description of the API. + + Closes #5300 -- release-notes: fix the initial reference list output +- runtests: remove sleep calls + + Remove many one second sleeps that were done *after* each newly started + test server already has been verified. They should not have any purpose + there. + + Closes #5323 -- github actions: run when pushed to master or */ci + PRs +- asyn-*: remove support for never-used NULL entry pointers - Avoid double-builds when using "local" branches for PRs. For both macos - and fuzz jobs. + ... and instead convert those to asserts to make sure they are truly + never NULL. - Closes #5201 + Closes #5324 -- runtests: provide nicer errormsg when protocol "dump" file is empty +- [Emil Engler brought this change] -- [Gilles Vollant brought this change] + doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax + + Closes #5325 - schannel: support .P12 or .PFX client certificates +Jay Satiro (2 May 2020) +- asyn-thread: fix cppcheck warning - Used with curl command line option like this: --cert - : --cert-type p12 + - Check for NULL entry parameter before attempting to deref entry in + Curl_resolver_is_resolved, like is already done in asyn-ares. - Closes #5193 + This is to silence cppcheck which does not seem to understand that + asyn-ares and asyn-thread have separate Curl_resolver_is_resolved + and those units are mutually exclusive. Prior to this change it warned + of a scenario where asyn-thread's Curl_resolver_is_resolved is called + with a NULL entry from asyn-ares, but that couldn't happen. + + Reported-by: rl1987@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/5326 -- tests: verify split initial HTTP requests with CURL_SMALLREQSEND +- select: fix overflow protection in Curl_socket_check - test1294: "split request" being when the entire request isn't sent in - the first go, and the remainder is sent in the PERFORM state. A GET - request is otherwise not sending anything during PERFORM. + Follow-up to a96c752 which changed the timeout_ms type from time_t to + timediff_t. - test1295: same kind of split but with POST + Ref: https://github.com/curl/curl/pull/5240 - Closes #5197 + Closes https://github.com/curl/curl/pull/5286 -- http: don't consider upload done if the request isn't completely sent off +Marc Hoersken (2 May 2020) +- sockfilt: make select_ws stop waiting on exit signal event - Fixes #4919 - Closes #5197 - -- http: allow Curl_add_buffer_send() to do a short first send by force + This makes sure that select_ws behaves similar to real select + which stops waiting on a signal handler being triggered. - In a debug build, settting the environment variable "CURL_SMALLREQSEND" - will make the first HTTP request send not send more bytes than the set - amount, thus ending up verifying that the logic for handling a split - HTTP request send works correctly. + This makes it possible to gracefully stop sockfilt.exe on + Windows with taskkill /IM sockfilt.exe (without /F force flag). + + Reviewed-by: Jay Satiro + Part of #5260 -- connect: store connection info for QUIC connections +- tests/server/util.[ch]: add exit event to stop waiting on Windows - Restores the --head functionality to the curl utility which extracts - 'protocol' that is stored that way. + This commit adds a global exit event to the test servers that + Windows-specific wait routines can use to get triggered if the + program was signaled to be terminated, eg. select_ws in sockfilt.c - Reported-by: James Fuller - Fixes #5196 - Closes #5198 + The exit event will be managed by the signal handling code and is + set to not reset automatically to support multiple wait routines. + + Reviewed-by: Jay Satiro + Closes #5260 -- tests/README: update the port numbers list +- tests/server/util.c: fix thread handle not being closed - Since the pipelining server is long gone. - Reported-by: James Fuller + Reviewed-by: Jay Satiro + Part of #5260 -- select: remove typecast from SOCKET_WRITABLE/READABLE macros +- tests/server/util.c: use raise instead of calling signal handler - So that they don't hide conversions-by-mistake + Use raise to trigger signal handler instead of calling it + directly and causing potential unexpected control flow. Reviewed-by: Jay Satiro - Closes #5190 + Part of #5260 -- CURLOPT_WRITEFUNCTION.3: add inline example and new see-also +- tests: add support for SSH server variant specific transfer paths - Closes #5192 - -- release-notes: output trailing references sorted numerically + OpenSSH for Windows requires paths in the format of /C:/ + instead of the pseudo-POSIX paths /cygdrive/c/ or just /c/ + + Reviewed-by: Daniel Stenberg + Closes #5298 -- cleanup: correct copyright year range on a few files +Daniel Stenberg (2 May 2020) +- RELEASE-NOTES: synced -- configure: remove use of -vec-report0 from CFLAGS with icc +- libssh2: set the expected total size in SCP upload init - ... as it apparently isn't (always) supported. - Reported-by: Alain Miniussi - Fixes #5096 - Closes #5191 + ... as otherwise the progress callback gets called without that + information, making the progress meter have less info. + + Reported-by: Murugan Balraj + Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html + Closes #5317 + +- runtests: make the logmsg from the ssh server only show in verbose -- warnless: remove code block for icc that didn't work +- tests: make test 1248 + 1249 use %NOLISTENPORT - Reported-by: Alain Miniussi - Fixes #5096 + ... instead of a port of a non-running server so that it works + stand-alone. + + Closes #5318 -Marc Hoersken (6 Apr 2020) -- dist: add missing setup-win32.h +- examples: remove asiohiper.cpp - Follow up to d820224b8b + This example has repeatedly been reported to contain bugs, and as users + copy and paste code from this into production, I now deem it better to + not provide the example at all. + + Closes #5090 + Closes #5322 -Daniel Stenberg (6 Apr 2020) -- RELEASE-NOTES: synced +- [Emil Engler brought this change] -- scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance + doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3 - This script helps putting entries in the RELEASE-NOTES using a coherent - style and sorting with a minimal human editing effort - as long as the - first line in the commit message is good enough! There's a short howto - at the top of the file. + Closes #5320 -- [Dennis Felsing brought this change] +- [Emil Engler brought this change] - configure: don't check for Security.framework when cross-compiling - - Since it checks for the local file, not the cross-compiled one. + KNOWN_BUGS: Remove "curl --upload-file . hang if delay in STDIN" - Closes #5189 - -- TODO: Option to make -Z merge lined based outputs on stdout + It was fixed in 9a2cbf3 - Closes #5175 + Closes #5319 -- lib: never define CURL_CA_BUNDLE with a getenv - - - it breaks the build (since 6de756c9b1de34b7a1) - - it's not documented and not consistent across platforms - - the curl tool does that getenv magic +- cirrus: disable SFTP and SCP tests - Bug: https://github.com/curl/curl/commit/6de756c#r38127030 - Reported-by: Gisle Vanem + ... as we can't seem to start the sshd server on it. Those problems + existed before d1239b50bececd (running the SSH server on a random port), + but they're more noticable now since there are more failed attempts in + the logs. - Closes #5187 + Closes #5315 -Marc Hoersken (5 Apr 2020) -- lib670: use the same Win32 API check as all other lib tests +- [Emil Engler brought this change] -- appveyor: use random test server ports based upon APPVEYOR_API_URL - - Avoid conflicts of test server ports with AppVeyor API on localhost. + runtests: fix typo in the existence of disabled tests checker - Closes #5034 + Closes #5316 -- appveyor: sort builds by type and add two new variants +Dan Fandrich (30 Apr 2020) +- test75: Remove precheck test - Related to #5034 and #5063 + This has not been needed since commit 9fa42bed and often prevents it + from running at all with dynamic test ports. -- appveyor: show failed tests in log even if test is ignored +- tests: Stop referring to server ports when they're not used - And print API response with newline only if there is one + Several tests referred to specific server ports even when the test + didn't actually use that server or specify that it's needed. In such + cases, the test harness substitutes the text "[not running]" as the port + number which causes many such tests to fail due to the inability to + parse the URL. These tests are changed to use %NOLISTENPORT which will + always be substituted correctly. -- appveyor: turn disabled tests into ignored result tests +Daniel Stenberg (30 Apr 2020) +- [Emil Engler brought this change] -Daniel Stenberg (5 Apr 2020) -- KNOWN_BUGS: fixed "USE_UNIX_SOCKETS on Windows" + GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT - Fixed with #5170 (commit 23a870f2fd041278) + Closes #5287 -- test1566: verify --etag-compare that gets a 304 back +- conncache: various concept cleanups - Verifies the fix in #5183 + More connection cache accesses are protected by locks. - Closes #5186 - -- [Kwon-Young Choi brought this change] - - CURLINFO_CONDITION_UNMET: return true for 304 http status code + CONNCACHE_* is a beter prefix for the connection cache lock macros. - In libcurl, CURLINFO_CONDITION_UNMET is used to avoid writing to the - output file if the server did not transfered a file based on time - condition. In the same manner, getting a 304 HTTP response back from the - server, for example after passing a custom If-Match-* header, also - fulfill this condition. + Curl_attach_connnection: now called as soon as there's a connection + struct available and before the connection is added to the connection + cache. - Fixes #5181 - Closes #5183 - -- [Kwon-Young Choi brought this change] - - curl: allow both --etag-compare and --etag-save with same file name + Curl_disconnect: now assumes that the connection is already removed from + the connection cache. - This change inverse the order of processing for the --etag-compare and - --etag-save option to process first --etag-compare. This in turn allows - to use the same file name to compare and save an etag. + Ref: #4915 + Closes #5009 + +- tests: tests: run stunnel for HTTPS and FTPS on dynamic ports - The original behavior of not failing if the etag file does not exists is - conserved. + As stunnel is an external tool and it has no specific option to export + the actually used port number when asked to listen to 0, runtests + instead iterates over ten randomly picked high number ports and sticks + to the first one stunnel can listen to. - Fixes #5179 - Closes #5180 + Closes #5267 -Viktor Szakats (4 Apr 2020) -- windows: enable UnixSockets with all build toolchains +- tests: pick a random port number for SSH - Extend existing unix socket support in Windows builds to be - enabled for all toolchain vendors or versions. (Previously - it was only supported with certain MSVC versions + more recent - Windows 10 SDKs) + Since sshd doesn't have such an option by itself, we iterate over a + series of random ports until one works. - Ref: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ - Ref: https://github.com/curl/curl/issues/5162 - Closes: https://github.com/curl/curl/pull/5170 + Closes #5273 -Daniel Stenberg (4 Apr 2020) -- KNOWN_BUGS: Store TLS context per transfer instead of per connection +- [Rikard Falkeborn brought this change] + + libtest/cmake: Remove commented code - Closes #5102 + These were commented out in e9dd0998706a when Makefile.inc was included + instead. 11 years have passed since then and the commented code is of + course very outdated. Remove it to avoid confusion. + + Closes #5311 -Marc Hoersken (3 Apr 2020) -- sockfilt: remove redundancy in timeout handling +- schannel: source code reindent - And update other logmsg output in select_ws on Windows. + White space edits only. Conform better to standard curl source code + indenting style. + + Closes #5305 -- sockfilt: fix handling of ready closed sockets on Windows +Kamil Dudka (29 Apr 2020) +- test1177: look for curl.h in source directory - Replace the incomplete workaround regarding FD_CLOSE - only signalling once by instead doing a pre-check with - standard select and storing the result for later use. + If we use a separate build directory, there is no copy of the header. - select keeps triggering on closed sockets on Windows while - WSAEventSelect fires only once with data still available. - By doing the pre-check we do not run in a deadlock - due to waiting forever for another FD_CLOSE event. + Closes #5310 -- sockfilt: fix race-condition of waiting threads and event handling +- tests: look for preprocessed tests in build directory - Fix race-condition of waiting threads finishing while events are - already being processed which lead to invalid or skipped events. + ... which is not always the same directory as source directory - Use mutex to check for one event at a time or do post-processing. - In addition to mutex-based locking use specific event as signal. + Closes #5310 + +Daniel Stenberg (29 Apr 2020) +- RELEASE-NOTES: synced - Closes #5156 + ... and bumped curlver.h to 7.70.1 -Daniel Stenberg (2 Apr 2020) -- [Leo Neat brought this change] +Version 7.70.0 (29 Apr 2020) - CI-fuzz: increase fuzz time to 40 minutes - - Closes #5174 +Daniel Stenberg (29 Apr 2020) +- RELEASE-NOTES: 7.70.0 -Marc Hoersken (2 Apr 2020) -- CI: increase Azure Pipelines timeouts due to performance issues - - The current demand on Azure negatively impacts the CI performance. +- THANKS: synced with the 7.70.0 release -- runtests.pl: log host OS as detected by Perl environment +- headers: copyright range fix -- ftpserver.pl: log before and after data connection is closed +- [Rikard Falkeborn brought this change] -Daniel Stenberg (1 Apr 2020) -- RELEASE-NOTES: synced + doh: Constify some input pointers + + Closes #5306 -- RELEASE-PROCEDURE.md: run the copyright.pl script! +- nss: check for PK11_CreateDigestContext() returning NULL + + ... to avoid crashes! + + Reported-by: Hao Wu + Fixes #5302 + Closes #5303 -- vquic/ngtcp2.h: update copyright year range +- travis: bump the wolfssl CI build to use 4.4.0 - Follow-up to 0736ee73d346a52 + Closes #5301 -- [Daiki Ueno brought this change] +- copyright updates: adjust year ranges - CI: add build with ngtcp2 + gnutls on Travis CI +Marc Hoersken (26 Apr 2020) +- CI: do not include */ci branches in PR builds + + Align Azure Pipelines with GitHub Actions. -- [Daiki Ueno brought this change] +Daniel Stenberg (25 Apr 2020) +- runtests: check for the disabled tests relative srcdir + + To make it work correctly for out-of-tree builds. + + Follow-up to 75e8feb6fb08b + + Bug: https://github.com/curl/curl/pull/5288#issuecomment-619346389 + Reported-by: Marcel Raad + Closes #5297 - vquic: add support for GnuTLS backend of ngtcp2 +- runtests: revert commenting out a line I did for debugging - Currently, the TLS backend used by vquic/ngtcp2.c is selected at compile - time. Therefore OpenSSL support needs to be explicitly disabled. + Follow-up to 11091cd4d. It was not meant to be pushed! + +- smtp: set auth correctly + + Regression since 7.69.0 and 68fb25fa3fcff. + + The code wrongly assigned 'from' instead of 'auth' which probably was a + copy and paste mistake from other code, leading to that auth could + remain NULL and later cause an error to be returned. + + Assisted-by: Eric Sauvageau + Fixes #5294 + Closes #5295 + +Marcel Raad (25 Apr 2020) +- lib: clean up whitespace - Signed-off-by: Daiki Ueno - Closes #5148 + This fixes CodeFactor warnings. -- [Gisle Vanem brought this change] +Daniel Stenberg (25 Apr 2020) +- [Anderson Toshiyuki Sasaki brought this change] - examples/sessioninfo.c: add include to fix compiler warning + libssh: avoid options override by configuration files - Fixes #5171 + Previously, options set explicitly through command line options could be + overridden by the configuration files parsed automatically when + ssh_connect() was called. + + By calling ssh_options_parse_config() explicitly, the configuration + files are parsed before setting the options, avoiding the options + override. Once the configuration files are parsed, the automatic + configuration parsing is not executed. + + Fixes #4972 + Closes #5283 + Signed-off-by: Anderson Toshiyuki Sasaki -- misc: copyright year updates +- runtests: when mentions http, kill http/2 too - Follow-up to 7a71965e9 + Since the http2 test server is a mere proxy that needs to know about the + dynamic port the HTTP server is using, it too needs to get restarted + when the http server is killed. + + A regression caused by 80d6515. + + Fixes #5289 + Closes #5291 -- [Harry Sintonen brought this change] +- [Yuri Slobodyanyuk brought this change] - build: fixed build for systems with select() in unistd.h + docs: fix two typos - Closes #5169 + Closes #5292 -- memdebug: don't log free(NULL) - - ... it serves no purpose and fills up the log. +- [Emil Engler brought this change] -- cleanup: insert newline after if() conditions + tests/git: ignore mqttd and port files - Our code style mandates we put the conditional block on a separate - line. These mistakes are now detected by the updated checksrc. + Closes #5290 -- checksrc: warn on obvious conditional blocks on the same line as if() +- tests: make runtests check that disabled tests exists - Closes #5164 - -- [Roger Orr brought this change] - - cmake: add CMAKE_MSVC_RUNTIME_LIBRARY + ... and error out if so. Removed '536' from DISABLED as there is no such + test file. - Fixes #5165 - Closes #5167 + Closes #5288 -- [Daiki Ueno brought this change] +- test1154: set a proper name - ngtcp2: update to git master for the key installation API change +- select: make Curl_socket_check take timediff_t timeout - This updates the ngtcp2 OpenSSL backend to follow the API change in - commit 32e703164 of ngtcp2. + Coverity found CID 1461718: - Notable changes are: - - ngtcp2_crypto_derive_and_install_{rx,tx}_key have been added to replace - ngtcp2_crypto_derive_and_install_key - - the 'side' argument of ngtcp2_crypto_derive_and_install_initial_key - has been removed + Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms > + 9223372036854775807L" is always false regardless of the values of its + operands. This occurs as the logical second operand of "||". - Fixes #5166 - Closes #5168 + Closes #5240 -- [Cyrus brought this change] +- [i-ky brought this change] - SECURITY.md: minor rephrase + libcurl-multi.3: added missing full stop - Closes #5158 + Closes #5285 -- output.d: quote the URL when globbing - - Some shells do globbing of their own unless the URL is quoted, so maybe - encourage this. +Jay Satiro (22 Apr 2020) +- transfer: Switch PUT to GET/HEAD on 303 redirect - Co-authored-by: Jay Satiro - Closes #5160 - -- dist: add tests/version-scan.pl to tarball + Prior to this change if there was a 303 reply to a PUT request then + the subsequent request to respond to that redirect would also be a PUT. + It was determined that was most likely incorrect based on the language + of the RFCs. Basically 303 means "see other" resource, which implies it + is most likely not the same resource, therefore we should not try to PUT + to that different resource. - ... used in test 1177. + Refer to the discussions in #5237 and #5248 for more information. - Follow-up to a97d826f6de3 + Fixes https://github.com/curl/curl/issues/5237 + Closes https://github.com/curl/curl/pull/5248 -- test1177: verify that all the CURL_VERSION_ bits are documented +Daniel Stenberg (22 Apr 2020) +- lib/mk-ca-bundle: skip empty certs + + Reviewed-by: Emil Engler + Reported-by: Ashwin Metpalli + Fixes #5278 + Closes #5280 -- curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented +- version: skip idn2_check_version() check and add precaution - Considered experimental and therefore we can do this. + A gcc-10's -fanalyze complaint made me spot and do these improvements. - Closes #5157 + Closes #5281 -- KNOWN_BUGS: DoH doesn't inherit all transfer options - - Closes #4578 - Closes #4579 +- RELEASE-NOTES: synced -- KNOWN_BUGS: DoH leaks memory after followlocation - - Closes #4592 +- [Brian Bergeron brought this change] -- KNOWN_BUGS: "FTPS needs session reuse" + curl.h: update comment typo - Closes #4654 + "routines with be invoked" -> "routines will be invoked" + + Closes #5279 -- KNOWN_BUGS: "stick to same family over SOCKS pro" is presumed fixed +- [Emil Engler brought this change] -- TODO: Set custom client ip when using haproxy protocol + GnuTLS: Don't skip really long certificate fields - Closes #5125 + Closes #5271 -Michael Kaufmann (27 Mar 2020) -- writeout_json: Fix data type issues - - Load long values correctly (e.g. for http_code). - - Use curl_off_t (not long) for: - - size_download (CURLINFO_SIZE_DOWNLOAD_T) - - size_upload (CURLINFO_SIZE_UPLOAD_T) +- gnutls: bump lowest supported version to 3.1.10 - The unit for these values is bytes/second, not microseconds: - - speed_download (CURLINFO_SPEED_DOWNLOAD_T) - - speed_upload (CURLINFO_SPEED_UPLOAD_T) + GnuTLS 3.1.10 added new functions we want to use. That version was + released on Mar 22, 2013. Removing support for older versions also + greatly simplifies the code. - Fixes #5131 - Closes #5152 + Ref: #5271 + Closes #5276 -Daniel Stenberg (27 Mar 2020) -- mailmap: fixup a few author names/fields - - Douglas Steinwand, Gökhan Şengün, Jessa Chandler, Julian Z and - Svyatoslav Mishyn +- mqtt: make NOSTATE get within the debug name array -- version: add 'cainfo' and 'capath' to version info struct +- tests: run the RTSP test server on a dynamic port number - Suggested-by: Timothe Litt - URL: https://curl.haxx.se/mail/lib-2020-03/0090.html - Reviewed-by: Jay Satiro + To avoid port collisions. - Closes #5150 - -- RELEASE-NOTES: synced + Closes #5272 -Jay Satiro (26 Mar 2020) -- SSLCERTS.md: Fix example code for setting CA cert file +- tests: add %NOLISTENPORT and use it - Prior to this change the documentation erroneously said use - CURLOPT_CAPATH to set a CA cert file. + The purpose with this variable is to provide a port number that is + reasonably likely to not have a listener on the local host so that tests + can try connect failures against it. It uses port 47 - "reserved" + according to IANA. - Bug: https://curl.haxx.se/mail/lib-2020-03/0121.html - Reported-by: Timothe Litt + Updated six tests to use it instead of the previous different ports. - Closes https://github.com/curl/curl/pull/5151 + Assisted-by: Emil Engler + Closes #5270 -Marc Hoersken (26 Mar 2020) -- sockfilt: add logmsg output to select_ws_wait_thread on Windows +- mqtt: remove code with no purpose - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg + Detected by Coverity. CID 1462319. - Closes #5086 - -Daniel Stenberg (26 Mar 2020) -- docs/make: generate curl.1 from listed files only + "The same code is executed when the condition result is true or false, + because the code in the if-then branch and after the if statement is + identical." - Previously it rendered the page from files matching "*.d" in the correct - directory, which worked fine in git builds when the files were added but - made it easy to forget adding the files to the dist. + Closes #5275 + +- mqtt: fix Curl_read() error handling while reading remaining length - Now, only man page sections listed in DPAGES in Makefile.inc will be - used, thus "forcing" us to update this to get the man page right and get - it included in the dist at the same time. + Detected by Coverity. CID 1462320. - Ref: #5146 - Closes #5149 + Closes #5274 -- openssl: adapt to functions marked as deprecated since version 3 +- server/tftpd: fix compiler warning - OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES - functions we use. + Follow-up from 369ce38ac1d + Reported-by: Marc Hörsken + +- http: free memory when Alt-Used header creation fails due to OOM - Fix the MD4 and SSL_CTX_load_verify_locations warnings. + Reported-by: James Fuller + Fixes #5268 + Closes #5269 + +Daniel Gustafsson (20 Apr 2020) +- lib: fix typos in comments and errormessages - In configure, detect OpenSSL v3 and if so, inhibit the deprecation - warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and - until we rewrite the code to use non-deprecated functions we better - ignore these warnings as they don't help us. + This fixes a few randomly spotted typos in recently merged code, most + notably one in a userfacing errormessage the schannel code. + +Daniel Stenberg (20 Apr 2020) +- tests: run the SOCKS test server on a dynamic port number - Closes #5139 + Closes #5266 -- dist: add mail-rcpt-allowfails.d to the tarball +- [Johannes Schindelin brought this change] + + multi-ssl: reset the SSL backend on `Curl_global_cleanup()` - Reported-by: Maksim Stsepanenka - Reviewed-by: Jat Satiro + When cURL is compiled with support for multiple SSL backends, it is + possible to configure an SSL backend via `curl_global_sslset()`, but + only *before* `curl_global_init()` was called. + + If another SSL backend should be used after that, a user might be + tempted to call `curl_global_cleanup()` to start over. However, we did + not foresee that use case and forgot to reset the SSL backend in that + cleanup. - Closes #5146 - -- travis: update the ngtcp2 build to use the latest OpenSSL patch + Let's allow that use case. - ... which also makes it OpenSSL 1.1.1d based and not v3. + Fixes #5255 + Closes #5257 + Reported-by: davidedec on github + Signed-off-by: Johannes Schindelin -Marc Hoersken (24 Mar 2020) -- CI: remove default Ubuntu build from GitHub Actions +- tests: run the TFTP test server on a dynamic port number - We are already running a very similar Ubuntu build on Travis CI. - The macOS variant of this default build is kept on Github Actions. - -- CI: bring GitHub Actions fuzzing job in line with macOS jobs + Picking a dynamic unused port is better than a fixed to avoid the + collision risk. - Update YAML formatting, job naming and triggers. + Closes #5265 -- CI: migrate macOS jobs from Azure and Travis CI to GitHub Actions +- mqtt: improve the state machine - Reduce workload on Azure Pipelines and Travis CI while - consolidating macOS jobs onto less utilized GitHub Actions. + To handle PUBLISH before SUBACK and more. - Reviewed-by: Daniel Stenberg + Updated the existing tests and added three new ones. - Closes #5124 + Reported-by: Christoph Krey + Bug: https://curl.haxx.se/mail/lib-2020-04/0021.html + Closes #5246 -Daniel Stenberg (24 Mar 2020) -- config: remove all defines of HAVE_DES_H - - As there's no code using it. - - Closes #5144 +- runtests: always put test number in servercmd file -- copyright: fix out-of-date copyright ranges and missing headers - - Reported by the new script 'scripts/copyright.pl'. The script has a - regex whitelist for the files that don't need copyright headers. - - Removed three (mostly usesless) README files from docs/ +- RELEASE-NOTES: synced + +- release-notes.pl: fix parsing typo + +James Fuller (20 Apr 2020) +- ensure all references to ports are replaced by vars + +- add more alt-svc test coverage + +Daniel Stenberg (20 Apr 2020) +- test1247: use http server to get the port number set - Closes #5141 + Follow-up to 0f5db7b263f -- packages: add OS400/chkstrings.c to the dist +- runtests: use a unix domain socket path with the pid in the name - Reported-by: Jon Rumsey - Fixes #5142 - Closes #5143 + To make it impossible for test cases to access the file name without + using the proper variable for the purpose. + + Closes #5264 -- [Clément Notin brought this change] +Daniel Gustafsson (19 Apr 2020) +- [Mipsters on github brought this change] - nghttp2: 1.12.0 required + src: Remove C99 constructs to ensure C89 compliance - since nghttp2_session_set_local_window_size is needed + This fixes the error: 'for' loop initial declaration used outside C99 + mode by declaring the loop increment variable in the beginning of the + block instead of inside the for loop. - Closes #5140 + Fixes #5254 + Reviewed-by: Daniel Gustafsson -- RELEASE-NOTES: synced +Daniel Stenberg (19 Apr 2020) +- runtests: dummy init the ports variables to avoid warnings + + ... and generate something that can help debug test cases. -- [Calvin Buckley brought this change] +- [Patrick Monnerat brought this change] - OS400: Update strings for ccsid-ifier + mime: properly check Content-Type even if it has parameters - Fixes build. + New test 669 checks this fix is effective. - Closes #5132 + Fixes #5256 + Closes #5258 + Reported-by: thanhchungbtc on github -- cirrus: make freebsd ignore the tests instead of skipping - - To allow us to see in the CI logs how they actually behave +- tests/FILEFORMAT: converted to markdown and extended - Closes #5091 + Closes #5261 -- cirrus: move the sanitizer build from freebsd 13 to freebsd 12 +- test1245: make it work with dynamic FTP server port -- Revert "cirrus-ci: disable the FreeBSD 13 builds" - - This reverts commit 691b71be930f0e285c8f7a76efd56bbe0576cda6. +- test1055: make it work with dynamic FTP port -- getinfo: provide CURLINFO_HEADER_SIZE and CURLINFO_REQUEST_SIZE override - - To let debug-builds return fake values, like in test 970. - - Ref: #5131 - Closes #5136 +- test1028: make it run on dynamic FTP server port -- test970: improve the test +- tests: move pingpong server to dynamic listening port - - send more data to make problems more obvious - - don't start the data with minus, it makes diffs harder to read - - skip the headers in the stdout comparison - - save to a file name to also verify 'filename_effective' + FTP, IMAP, POP3, SMTP and their IPv6 versions are now all on dynamic + ports - Ref: #5131 + Test 842-845 are unfortunately a bit hard to move over to this concept + right now and require "default port" still... -- CURLINFO_NUM_CONNECTS: improve accuracy - - The counter was not bumped in all cases correctly. - - Reported-by: Marcel Raad - Ref: #5131 - Closes #5135 +- test1056: work with dynamic HTTP ipv6 port -- TODO: Use "random" ports for the test servers +- test1448: work with dynamic HTTP server port -- lib/curl_setup: adjust the copyright year range +- tests: introduce preprocessed test cases + + The runtests script now always performs variable replacement on the + entire test source file before the test gets executed, and saves the + updated version in a temporary file (log/test[num]) so that all test + case readers/servers can use that version (if present) and thus enjoy + the powers of test case variable substitution. + + This is necessary to allow complete port number freedom. - Follow-up from d820224b8 + Test 309 is updated to work with a non-fixed port number thanks to this. + +- tests: make 2006-2010 handle different port number lengths -Jay Satiro (21 Mar 2020) -- curl_setup: define _WIN32_WINNT_[OS] symbols +- tests: run the sws server on "any port" - .. because not all Windows build systems have those symbols, and even - those that do may be missing newer symbols (eg the Windows 7 SDK does - not define _WIN32_WINNT_WIN10). + Makes the test servers for HTTP and Gopher pop up on a currently unused + port and runtests adapts to that! - Those symbols are used in build-time logic to decide which API to use - and prior to this change if the symbols were missing it would have - resulted in deprecated API being used when more recent functions were - available (eg GetVersionEx used instead of VerifyVersionInfo). + Closes #5247 + +Marc Hoersken (18 Apr 2020) +- sockfilt: tidy variable naming and data structure in select_ws - Reported-by: FuccDucc@users.noreply.github.com + This commit does not introduce any logical changes to the code. - Probably fixes https://github.com/curl/curl/issues/4995 - Closes https://github.com/curl/curl/pull/5057 + Reviewed-by: Jay Satiro and Marcel Raad + Closes #5238 -- [Ross Burton brought this change] +Daniel Stenberg (17 Apr 2020) +- [Anderson Toshiyuki Sasaki brought this change] - curl-functions.m4: remove inappropriate AC_REQUIRE - - AC_REQUIRE means "if this macro hasn't been executed already, execute - it". So in a wrapper around AC_RUN_IFELSE, AC_REQUIRE(AC_RUN_IFELSE) - isn't correct at that will execute AC_RUN_IFELSE without any arguments. + libssh: Use new ECDSA key types to check known hosts - With autoconf 2.69 this is basically a no-op, but with autoconf 2.70, - AC_RUN_IFELSE without a default value when cross-compiling is fatal. - The result is that curl with autoconf 2.70 cannot cross-compile. + From libssh 0.9.0, ssh_key_type() returns different key types for ECDSA + keys depending on the curve. - Fixes https://github.com/curl/curl/issues/5126 - Closes https://github.com/curl/curl/pull/5130 + Signed-off-by: Anderson Toshiyuki Sasaki + Fixes #5252 + Closes #5253 -Marc Hoersken (20 Mar 2020) -- ci/tests: fix Azure Pipelines not running Windows containers - - Workaround posted here: microsoft/azure-pipelines-agent#2864 +Marcel Raad (17 Apr 2020) +- appveyor: add Unicode winbuild jobs - Assisted-by: Simon Chalifoux - Assisted-by: Tommy Petty + These are cheap as they don't build tests. - Fixes #5117 - Closes #5129 + Closes https://github.com/curl/curl/pull/5063 -Daniel Stenberg (20 Mar 2020) -- tests: add test 430, 431 and 432 to verify the --config fix +Daniel Stenberg (16 Apr 2020) +- mqttd: s/errno/SOCKERRNO - Verify the fixes in 4e0b4fee4 - -- [Rici Lake brought this change] + To behave proper on Windows + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/5e855bbd18f84a02c951be7cac6188276818cdac#r38507132 + Closes #5241 - cmdline: fix handling of OperationConfig linked list (--next) +- buildconf: use find -execdir instead, remove -print and the ares files - Ensures that -K/--config inserts new items at the end of the list - instead of overwriting the second item, and that after a -K/--config - option has been parsed, the option parser's view of the current config - is update. + Follow-up to 1e41bec96a6e - Fixes #5120 - Closes #5123 - -Marc Hoersken (20 Mar 2020) -- test2100: fix static port instead of dynamic value being used + Suggested-by: Marc Hörsken -- test970: fix static ip:port instead of dynamic values being used +- [Alexander V. Tikhonov brought this change] -Daniel Stenberg (19 Mar 2020) -- secure transport: remove the BACKEND define kludge + buildconf: avoid using tempfile when removing files - Closes #5122 + Closes #5213 -- mbedtls: remove the BACKEND define kludge +- copyright: bump the copyright year range -- bearssl: remove the BACKEND define kludge +- scripts/release-notes.pl: accept colon after the Fixes/Closes keywords -- wolfssl: remove the BACKEND define kludge +- [JP Mens brought this change] -- nss: remove the BACKEND define kludge + docs/MQTT: replace confusing 80 by 75 + + I was a bit surprised by the `80`: first thought: what's HTTP doing + here? ;) + + Closes #5236 -- gnutls: remove the BACKEND define kludge +- [Brad King brought this change] -- openssl: remove the BACKEND define kludge + cmake: Avoid MSVC C4273 warnings in send/recv checks + + We use `check_c_source_compiles` to check possible send/recv signatures + by reproducing the forward declarations from system headers. On Windows + the `winsock2.h` header adds dll linkage settings to its forward + declaration. If ours does not match the compiler warns: + + warning C4273: 'recv': inconsistent dll linkage - Use a proper variable instead to make it easier to use a debugger and - read the code. + Add `WINSOCK_API_LINKAGE` to our test signatures when it is defined so + that our linkage is consistent with that from `winsock2.h`. + + Fixes #4764 + Closes #5232 -Marc Hoersken (19 Mar 2020) -- tests: make Python-based servers compatible with Python 2 and 3 +Jay Satiro (14 Apr 2020) +- KNOWN_BUGS: Add entry 'Blocking socket operations' - Update smbserver.py and negtelnetserver.py to be compatible with - Python 3 while staying backwards-compatible to support Python 2. + - Add threaded resolver cleanup and GSSAPI for FTP to the TODO list of + known blocking operations. - Fix string encoding and handling of echoed and transferred data. + - New known bugs entry 'Blocking socket operations in non-blocking API' + that directs to the TODO's list of known blocking operations. - Tested with both Python 2.7.17 and Python 3.7.7 + Ref: https://github.com/curl/curl/pull/5214#issuecomment-612488021 - Reported-by: Daniel Stenberg - Assisted-by: Kamil Dudka - Reviewed-by: Marcel Raad + Reported-by: Marc Hoersken - Fixes #5104 - Closes #5110 + Closes https://github.com/curl/curl/pull/5216 -Daniel Stenberg (18 Mar 2020) -- writeout_json: use curl_off_t printf() option for the time output +Marc Hoersken (14 Apr 2020) +- test2043: use revoked.badssl.com instead of revoked.grc.com + + The certificate of revoked.grc.com has expired on 2020-04-13. - Follow-up to: 04c03416e68fd635a15 + Reviewed-by: Jay Satiro - Closes #5115 + Closes #5233 -- RELEASE-NOTES: synced +- sockfilt: fix broken pipe on Windows to be ready in select_ws - Uh, I missed this in 1a46b218db + Closes #5228 +Daniel Stenberg (14 Apr 2020) - RELEASE-NOTES: synced - - ... and bumped curlver.h to 7.70.0 -Jay Satiro (18 Mar 2020) -- http2: Fix erroneous debug message that h2 connection closed - - Prior to this change in libcurl debug builds http2 stream closure was - erroneously referred to as connection closure. - - Before: - * nread <= 0, server closed connection, bailing - - After: - * nread == 0, stream closed, bailing - - Closes https://github.com/curl/curl/pull/5118 +- scripts/release-notes: fix duplicate output header -Daniel Stenberg (18 Mar 2020) -- tool_setopt: correct the copyright year range - - Follow-up to 5450428491 +- github/workflow: enable MQTT in the macOS debug build -Jay Satiro (18 Mar 2020) -- [Johannes Schindelin brought this change] +- azure: add mqtt support to one of the Windows builds - schannel: add "best effort" revocation check option - - - Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and - --ssl-revoke-best-effort to allow a "best effort" revocation check. - - A best effort revocation check ignores errors that the revocation check - was unable to take place. The reasoning is described in detail below and - discussed further in the PR. - - --- - - When running e.g. with Fiddler, the schannel backend fails with an - unhelpful error message: - - Unknown error (0x80092012) - The revocation function was unable - to check revocation for the certificate. - - Sadly, many enterprise users who are stuck behind MITM proxies suffer - the very same problem. - - This has been discussed in plenty of issues: - https://github.com/curl/curl/issues/3727, - https://github.com/curl/curl/issues/264, for example. - - In the latter, a Microsoft Edge developer even made the case that the - common behavior is to ignore issues when a certificate has no recorded - distribution point for revocation lists, or when the server is offline. - This is also known as "best effort" strategy and addresses the Fiddler - issue. +- travis: add mqtt job on Linux + +- tests: add four MQTT tests 1190 - 1193 + +- tests: add the mqtt test server mqttd + +- tests: support hex encoded data and mqtt server - Unfortunately, this strategy was not chosen as the default for schannel - (and is therefore a backend-specific behavior: OpenSSL seems to happily - ignore the offline servers and missing distribution points). + The mqtt server is started using a "random" port. + +- [Björn Stenberg brought this change] + + mqtt: add new experimental protocol - To maintain backward-compatibility, we therefore add a new flag - (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option - (`--ssl-revoke-best-effort`) to select the new behavior. + Closes #5173 + +- TODO: Consider convenience options for JSON and XML? - Due to the many related issues Git for Windows and GitHub Desktop, the - plan is to make this behavior the default in these software packages. + Closes #5203 + +- tool: do not declare functions with Curl_ prefix - The test 2070 was added to verify this behavior, adapted from 310. + To avoid collision risks with private libcurl symbols when linked with + static versions (or just versions not hiding internal symbols). - Based-on-work-by: georgeok - Co-authored-by: Markus Olsson - Signed-off-by: Johannes Schindelin + Reported-by: hydra3333 on github + Fixes #5219 + Closes #5234 + +- [Nathaniel R. Lewis brought this change] + + cmake: add aliases so exported target names are available in tree - Closes https://github.com/curl/curl/pull/4981 + Reviewed-by: Brad King + Closes #5206 -- multi: Improve parameter check for curl_multi_remove_handle +- version: increase buffer space for ssl version output - - If an easy handle is owned by a multi different from the one specified - then return CURLM_BAD_EASY_HANDLE. + To avoid it getting truncated, especially when several SSL backends are + built-in. - Prior to this change I assume user error could cause corruption. + Reported-by: Gisle Vanem + Fixes #5222 + Closes #5226 + +Marc Hoersken (13 Apr 2020) +- cirrus: no longer ignore test 504 which is working again - Closes https://github.com/curl/curl/pull/5116 + The test is working again, because TCP blackholing is disabled. -Viktor Szakats (17 Mar 2020) -- windows: suppress UI in all CryptAcquireContext() calls +- appveyor: completely disable tests that fail to timeout early - Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters - Reviewed-by: Marc Hörsken - Closes https://github.com/curl/curl/pull/5088 + The tests changed from ignored to disabled are tests that are + about connecting to non-listening socket. On AppVeyor these + tests are not reliable, because for some unknown reason the + connect is not timing out before the test time limit is reached. -Daniel Stenberg (17 Mar 2020) -- writeout_json: add missing comma to fix the HTTP version +Daniel Stenberg (13 Apr 2020) +- test1908: avoid using fixed port number in test data - Follow-up to 04c03416e68fd635a15 + Closes #5225 + +Jay Satiro (12 Apr 2020) +- [Andrew Kurushin brought this change] -- test 970: verify --write-out '%{json}' + schannel: Fix blocking timeout logic + + - Fix schannel_send for the case when no timeout was set. - Makes curl_easy_getinfo() of "variable" numerical content instead return - the number set in the env variable `CURL_TIME`. + Prior to this change schannel would error if the socket was not ready + to send data and no timeout was set. - Makes curl_version() of "variable" textual content. This guarantees a - stable version string which can be tested against. Environment variable - `CURL_VERSION` defines the content. + This commit is similar to parent commit 89dc6e0 which recently made the + same change for SOCKS, for the same reason. Basically it was not well + understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms + but actually means no timeout. - Assisted-by: Mathias Gumz - -- [Mathias Gumz brought this change] + Fixes https://github.com/curl/curl/issues/5177 + Closes https://github.com/curl/curl/pull/5221 - writeout: support to generate JSON output - - This commit adds support to generate JSON via the writeout feature: +- socks: Fix blocking timeout logic - -w "%{json}" + - Document in Curl_timeleft's comment block that returning 0 signals no + timeout (ie there's infinite time left). - It leverages the existing infrastructure as much as possible. Thus, - generating the JSON on STDERR is possible by: + - Fix SOCKS' Curl_blockread_all for the case when no timeout was set. - -w "%{stderr}%{json}" + Prior to this change if the timeout had a value of 0 and that was passed + to SOCKET_READABLE it would return right away instead of blocking. That + was likely because it was not well understood that when Curl_timeleft + returns 0 it is not a timeout of 0 ms but actually means no timeout. - This implements a variant of - https://github.com/curl/curl/wiki/JSON#--write-out-json. + Ref: https://github.com/curl/curl/pull/5214#issuecomment-612512360 - Closes #4870 + Closes https://github.com/curl/curl/pull/5220 -- CI: stop ignoring 323, it is disabled +- [Marc Hoersken brought this change] -- DISABLED: disable test 323 - - The test uses SRP to "a server not supporting it" but modern stunnel - versions will silently accept it and remain happy. The test is therefore - faulty. - - I haven't figured out how to make stunnel explicitly reject SRP-using - connects. + gopher: check remaining time left during write busy loop - Reported-by: Marc Hörsken - Fixes #5105 - Closes #5113 - -Marc Hoersken (17 Mar 2020) -- ci/tests: increase timeouts for torture builds on Azure Pipelines + Prior to this change gopher's blocking code would block forever, + ignoring any set timeout value. - For some reason the torture builds have slowed down recently. + Assisted-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Reported-by: Daniel Stenberg + Similar to #5220 and #5221 + Closes #5214 -Daniel Stenberg (16 Mar 2020) -- cmake: add support for building with wolfSSL - - My working build cmdline: - - $ cmake -DCMAKE_PREFIX_PATH=$HOME/build-wolfssl -DCMAKE_USE_WOLFSSL=ON . - - Assisted-by: Brad King - Closes #5095 +Daniel Stenberg (13 Apr 2020) +- [Dirkjan Bussink brought this change] -- tool_operate: fix add_parallel_transfers when more are in queue - - Trying to return early from the function if no new transfers were added - would break the "morep" argument and cause issues. This could lead to - zero content "transfers" (within quotes since they would never be - started) when parallel-max was reduced. + gnutls: ensure TLS 1.3 when SRP isn't requested - Reported-by: Gavin Wong - Analyzed-by: Jay Satiro - Fixes #4937 - Closes #5112 - -- vtls: free ssl_config leftovers on out-of-memory + When SRP is requested in the priority string, GnuTLS will disable + support for TLS 1.3. Before this change, curl would always add +SRP to + the priority list, effectively always disabling TLS 1.3 support. - Torture testing 2034 and 2037 found this. + With this change, +SRP is only added to the priority list when SRP + authentication is also requested. This also allows updating the error + handling here to not have to retry without SRP. This is because SRP is + only added when requested and in that case a retry is not needed. - Reported-by: Marc Hörsken - Fixes #5108 - Closes #5109 + Closes #5223 -Marc Hoersken (16 Mar 2020) -- ci/tests: fix Azure Pipelines not running for pull requests +Marc Hoersken (12 Apr 2020) +- tests/server: add hidden window to gracefully handle WM_CLOSE - Closes #5111 + Forward Window events as signals to existing signal event handler. -Daniel Stenberg (15 Mar 2020) -- gskit: update the copyright year range +- tests/server: add CTRL event handler for Win32 consoles - Follow-up from 083603c63a3 + Forward CTRL events as signals to existing signal event handler. -Marc Hoersken (15 Mar 2020) -- gskit: use our internal select wrapper for portability +- tests/server: move all signal handling routines to util.[ch] - Follow up to c52b342 - Closes #5106 + Avoid code duplication to prepare for portability enhancements. -- tests: fix verification of stdout in test 1452 due to newline +Daniel Stenberg (12 Apr 2020) +- compressed.d: stress that the headers are not modified - Fixes test1452:41:1: error: missing tag before + Suggested-by: Michael Osipov + Assisted-by: Jay Satiro + Bug: https://github.com/curl/curl/issues/5182#issuecomment-611638008 + Closes #5217 -- ci/tests: install impacket for SMB tests on FreeBSD using CirrusCI - - Also force the package index/cache to be updated before installing. +Marc Hoersken (11 Apr 2020) +- tests/server/util.c: use curl_off_t instead of long for pid - Closes #5103 - -- tests/README: add note about manually installing python-impacket + Avoid potential overflow of huge PIDs on Windows. - Follow up to 4be2560 + Related to #5188 + Assisted-by: Marcel Raad -Daniel Stenberg (15 Mar 2020) -- transfer: cap retries of "dead connections" to 5 - - When libcurl retries a connection due to it being "seemingly dead" or by - REFUSED_STREAM, it will now only do it up five times before giving up, - to avoid never-ending loops. +- tests: use Cygwin/msys PIDs for stunnel and sshd on Windows - Reported-by: Dima Tisnek - Bug: https://curl.haxx.se/mail/lib-2020-03/0044.html - Closes #5074 - -- TODO: TLS-PSK with OpenSSL + Since the Windows versions of both programs would write Windows + PIDs to their pidfiles which we cannot handle, we need to use + our known perl.exe Cygwin/msys PID together with exec() in order + to tie the spawned processes to the existance of our perl.exe - Closes #5081 - -Marc Hoersken (15 Mar 2020) -- select: add 'timeout_ms' wrap-around precaution to Curl_select - -- select: fix 'pending_ms' is assigned a value that is never used + The perl.exe that is executing secureserver.pl and sshserver.pl + has a Cygwin/msys PID, because it is started inside Cygwin/msys. - Detected by Codacy + Related to #5188 -- select: move duplicate select preparation code into Curl_select +- tests: add Windows compatible pidwait like pidkill and pidterm - Reviewed by Daniel Stenberg - Reviewed by Marcel Raad - Closes #5078 + Related to #5188 -Daniel Stenberg (15 Mar 2020) -- connect: happy eyeballs cleanup +- tests: fix conflict between Cygwin/msys and Windows PIDs - Make sure each separate index in connn->tempaddr[] is used for a fixed - family (and only that family) during the connection process. + Add 65536 to Windows PIDs to allow Windows specific treatment + by having disjunct ranges for Cygwin/msys and Windows PIDs. - If family one takes a long time and family two fails immediately, the - previous logic could misbehave and retry the same family two address - repeatedly. + See also: + - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵ + h=b5e1003722cb14235c4f166be72c09acdffc62ea + - https://cygwin.com/git/?p=newlib-cygwin.git;a=commit; ↵ + h=448cf5aa4b429d5a9cebf92a0da4ab4b5b6d23fe - Reported-by: Paul Vixie - Reported-by: Jay Satiro - Fixes #5083 - Fixes #4954 - Closes #5089 + Replaces #5178 + Closes #5188 -Marc Hoersken (15 Mar 2020) -- ci/tests: fix and align setting TFLAGS for make test-nonflaky +Daniel Stenberg (11 Apr 2020) +- RELEASE-NOTES: synced -- ci/tests: install test suite dependencies stunnel and impacket +- release-notes.pl: detect the start of the references in cleanup mode -- tests: remove python_dependencies for smbserver from our tree +- Revert "file: on Windows, refuse paths that start with \\" - Users of the SMB tests will have to install impacket manually. + This reverts commit 1b71bc532bde8621fd3260843f8197182a467ff2. - Reasoning: our in-tree version of impacket was quite outdated - and only compatible with Python 2 which is already end-of-life. - Upgrading to Python 3 and a compatible impacket version would - require to import additional Python-only and CPython-extension - dependencies. This would have hindered portability enormously. + Reminded-by: Chris Roberts + Bug: https://curl.haxx.se/mail/archive-2020-04/0013.html - Closes #5094 + Closes #5215 -Jay Satiro (14 Mar 2020) -- Makefile.m32: Improve windres parameter compatibility - - - s/COFF/coff/ +Jay Satiro (11 Apr 2020) +- lib: fix conversion warnings for SOCKET_WRITABLE/READABLE - Some versions of windres do not recognize uppercase COFF as a valid - way to specify the COFF output format. + - If loss of data may occur converting a timediff_t to time_t and + the time value is > TIME_T_MAX then treat it as TIME_T_MAX. - Reported-by: Steven Penny + This is a follow-up to 8843678 which removed the (time_t) typecast + from the macros so that conversion warnings could be identified. - Fixes https://github.com/curl/curl/issues/5099 - Closes https://github.com/curl/curl/pull/5101 + Closes https://github.com/curl/curl/pull/5199 -- easy: Fix curl_easy_duphandle for builds missing IPv6 that use c-ares - - - Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in - curl_easy_duphandle. - - Prior to this change if c-ares was used as the resolver backend and - either it was too old or libcurl was built without IPv6 support then - some of our resolver functions could return CURLE_NOT_BUILT_IN to - curl_easy_duphandle causing it to fail. +- test1148: tolerate progress updates better (again) - Caused by c8f086b which shipped in 7.69.1. + - Ignore intermediate progress updates. - Reported-by: Karl Chen + - Support locales that use a character other than period as decimal + separator (eg 100,0%). - Fixes https://github.com/curl/curl/issues/5097 - Closes https://github.com/curl/curl/pull/5100 - -Daniel Stenberg (13 Mar 2020) -- docs: add warnings about FILE: URLs on Windows + test1148 checks that the progress finishes at 100% and has the right + bar width. Prior to this change the test assumed that the only progress + reported for such a quick transfer was 100%, however in rare instances + (like in the CI where transfer time can slow considerably) there may be + intermediate updates. For example, below is stderrlog1148 from a failed + CI run with explicit \r and \n added (it is one line; broken up so that + it's easier to understand). - - --url man page section - - libcurl-security.3 gets the full text - - CURLOPT_URL.3 + \r + \r################################## 48.3% + \r######################################################################## 100.0% + \n - Reported-by: Tim Sedlmeyer + Closes https://github.com/curl/curl/pull/5194 -- server/getpart: make the "XML-parser" stricter - - When extracting a
and there's no before -
, this now outputs an error and returns a wrong string to - make users spot the mistake. - - Ref: #5070 - Closes #5071 +Marc Hoersken (10 Apr 2020) +- sshserver.pl: use cached Win32 environment check variable -Marc Hoersken (13 Mar 2020) -- impacket: some more Python 3 code compatibility updates +- appveyor: partially revert 3413a110 to keep build without proxy - This makes smbserver load on Python 3, but still not work completely. + Ref: #5211 and #4526 + Reported-by: Marcel Raad -- smbserver: pin Python version to 2 since we are not yet 3 compatible - - Even though the existing code can be fixed to run on Python 3, the - tests will fail due to the Unicode transition the protocol is invalid. +- appveyor: ignore failing 'connect to non-listening proxy' tests - Follow up to ee63837 - Closes #5085 + Closes #5211 -Daniel Stenberg (12 Mar 2020) -- [Viktor Szakats brought this change] +- CI/macos: convert CRLF to LF and align indentation - cleanup: fix some text/comment typos +Daniel Stenberg (9 Apr 2020) +- url: allow non-HTTPS altsvc-matching for debug builds - Closes #5087 - -Marc Hoersken (12 Mar 2020) -- smbserver: fix Python version specific ConfigParser import + This is already partly supported but this part was missing. + Reported-by: James Fuller - Follow up to ee63837 and 8c7c4a6 - Fixes #5077 + Closes #5205 -Daniel Stenberg (11 Mar 2020) -- RELEASE-NOTES: synced +- server/resolve: remove AI_CANONNAME to make macos tell the truth + + With this bit set, my mac successfully resolves "ip6-localhost" when in + fact there is no such host known to my machine! That in turn made test + 241 wrongly execute and fail. - bumped to 7.69.2 + Closes #5202 -Dan Fandrich (11 Mar 2020) -- tests/data: Fix some XML formatting issues in test cases +- runtests: fix warning about using an undefined variable - This allows these test files to pass xmllint. + Follow-up from 4d939ef6ceb2db1 -Daniel Stenberg (11 Mar 2020) -- [Muhammad Herdiansyah brought this change] +- release-notes: fix the initial reference list output - Makefile: run the cd commands in a subshell +- github actions: run when pushed to master or */ci + PRs - In bmake, if the directory is changed (with cd or anything else), bmake - won't return to the "root directory" on the next command (in the same - Makefile rule). This commit runs the cd command in a subshell so it - would work in bmake. + Avoid double-builds when using "local" branches for PRs. For both macos + and fuzz jobs. - Closes #5073 + Closes #5201 + +- runtests: provide nicer errormsg when protocol "dump" file is empty + +- [Gilles Vollant brought this change] -- configure: convert -I to -isystem as a last step + schannel: support .P12 or .PFX client certificates - As all the -I uses in CFLAGS at that point are for system headers and - third party libraries this helps us remove/ignore warnings on those! + Used with curl command line option like this: --cert + : --cert-type p12 - Closes #5060 + Closes #5193 -- configure: fix -pedantic-errors for GCC 5 and later +- tests: verify split initial HTTP requests with CURL_SMALLREQSEND - If --enable-werror is used. + test1294: "split request" being when the entire request isn't sent in + the first go, and the remainder is sent in the PERFORM state. A GET + request is otherwise not sending anything during PERFORM. - Follow-up to d5c0351055d5709da which added it too early in the configure - script before $compiler_num was set correctly and thus this option was - never used. + test1295: same kind of split but with POST - Reported-by: Stepan Efremov - Fixes #5067 - Closes #5068 + Closes #5197 -- configure: document 'compiler_num' for gcc - - The CURL_CHECK_COMPILER_GNU_C function sets the number to MAJOR*100 + - MINOR and ignores the patch version, and since gcc version 7 it only - sets it to MAJOR*100. +- http: don't consider upload done if the request isn't completely sent off - Reported-by: Stepan Efremov - Ref: #5067 - Closes #5069 - -Version 7.69.1 (11 Mar 2020) - -Daniel Stenberg (11 Mar 2020) -- RELEASE-NOTES: 7.69.1 - -- THANKS: from the 7.69.1 release - -- [Marc Hoersken brought this change] + Fixes #4919 + Closes #5197 - test1129: fix invalid case of closing XML-tag and Content-Length +- http: allow Curl_add_buffer_send() to do a short first send by force - Fixes #5070 - Closes #5072 + In a debug build, settting the environment variable "CURL_SMALLREQSEND" + will make the first HTTP request send not send more bytes than the set + amount, thus ending up verifying that the logic for handling a split + HTTP request send works correctly. -Marc Hoersken (10 Mar 2020) -- tests/data: fix static ip instead of dynamic value being used +- connect: store connection info for QUIC connections - Follow up to 94ced8e - -- tests/data: fix static ip:port instead of dynamic values being used + Restores the --head functionality to the curl utility which extracts + 'protocol' that is stored that way. - Closes #5065 + Reported-by: James Fuller + Fixes #5196 + Closes #5198 -- tests/server: fix missing use of exe_ext helper function +- tests/README: update the port numbers list - Follow up to 9819984 and 3dce984 - Reviewed-By: Daniel Stenberg - Closes #5064 - -- runtests: log minimal and maximal used port numbers - -Daniel Stenberg (9 Mar 2020) -- [James Fuller brought this change] + Since the pipelining server is long gone. + Reported-by: James Fuller - sftp: fix segfault regression introduced by #4747 +- select: remove typecast from SOCKET_WRITABLE/READABLE macros - This fix adds a defensive check for the case where the char *name in - struct libssh2_knownhost is NULL + So that they don't hide conversions-by-mistake - Fixes #5041 - Closes #5062 - -- RELEASE-NOTES: synced + Reviewed-by: Jay Satiro + Closes #5190 -- socks4: fix host resolve regression - - 1. The socks4 state machine was broken in the host resolving phase - - 2. The code now insists on IPv4-only when using SOCKS4 as the protocol - only supports that. - - Regression from #4907 and 4a4b63d, shipped in 7.69.0 +- CURLOPT_WRITEFUNCTION.3: add inline example and new see-also - Reported-by: amishmm on github - Bug: https://github.com/curl/curl/issues/5053#issuecomment-596191594 - Closes #5061 - -- [Patrick Monnerat brought this change] + Closes #5192 - silly web server: silent a compilation warning - - Recent gcc warns when byte count of strncpy() equals the destination - buffer size. Since the destination buffer is previously cleared and - the source string is always shorter, reducing the byte count by one - silents the warning without affecting the result. - - Closes #5059 +- release-notes: output trailing references sorted numerically -- [Patrick Monnerat brought this change] +- cleanup: correct copyright year range on a few files - cookie: get_top_domain() sets zero length for null domains +- configure: remove use of -vec-report0 from CFLAGS with icc - This silents a compilation warning with gcc -O3. - -- [Patrick Monnerat brought this change] + ... as it apparently isn't (always) supported. + Reported-by: Alain Miniussi + Fixes #5096 + Closes #5191 - test 1560: avoid valgrind false positives - - When using maximum code optimization level (-O3), valgrind wrongly - detects uses of uninitialized values in strcmp(). +- warnless: remove code block for icc that didn't work - Preset buffers with all zeroes to avoid that. + Reported-by: Alain Miniussi + Fixes #5096 -Steve Holme (8 Mar 2020) -- sha256: Added WinCrypt implementation +Marc Hoersken (6 Apr 2020) +- dist: add missing setup-win32.h - Closed #5030 + Follow up to d820224b8b -- sha256: Added SecureTransport implementation +Daniel Stenberg (6 Apr 2020) +- RELEASE-NOTES: synced -Daniel Stenberg (7 Mar 2020) -- lib1564: reduce number of mid-wait wakeup calls - - This test does A LOT of *wakeup() calls and then calls curl_multi_poll() - twice. The first *poll() is then expected to return early and the second - not - as the first is supposed to drain the socketpair pipe. - - It turns out however that when given "excessive" amounts of writes to - the pipe, some operating systems (the Solaris based are known) will - return EAGAIN before the pipe is drained, which in our test case causes - the second *poll() call to also abort early. - - This change attempts to avoid the OS-specific behaviors in the test by - reducing the amount of wakeup calls from 1234567 to 10. +- scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance - Reported-by: Andy Fiddaman - Fixes #5037 - Closes #5058 + This script helps putting entries in the RELEASE-NOTES using a coherent + style and sorting with a minimal human editing effort - as long as the + first line in the commit message is good enough! There's a short howto + at the top of the file. -- [Patrick Monnerat brought this change] +- [Dennis Felsing brought this change] - mime: fix the binary encoder to handle large data properly + configure: don't check for Security.framework when cross-compiling - New test 666 checks this is effective. - As upload buffer size is significant in this kind of tests, shorten it - in similar test 652. + Since it checks for the local file, not the cross-compiled one. - Fixes #4860 - Closes #4833 - Reported-by: RuurdBeerstra on github - -- [Patrick Monnerat brought this change] + Closes #5189 - mime: do not perform more than one read in a row - - Input buffer filling may delay the data sending if data reads are slow. - To overcome this problem, file and callback data reads do not accumulate - in buffer anymore. All other data (memory data and mime framing) are - considered as fast and still concatenated in buffer. - As this may highly impact performance in terms of data overhead, an early - end of part data check is added to spare a read call. - When encoding a part's data, an encoder may require more bytes than made - available by a single read. In this case, the above rule does not apply - and reads are performed until the encoder is able to deliver some data. - - Tests 643, 644, 645, 650 and 654 have been adapted to the output data - changes, with test data size reduced to avoid the boredom of long lists of - 1-byte chunks in verification data. - New test 667 checks mimepost using single-byte read callback with encoder. - New test 668 checks the end of part data early detection. +- TODO: Option to make -Z merge lined based outputs on stdout - Fixes #4826 - Reported-by: MrdUkk on github - -- [Patrick Monnerat brought this change] + Closes #5175 - mime: latch last read callback status. +- lib: never define CURL_CA_BUNDLE with a getenv + + - it breaks the build (since 6de756c9b1de34b7a1) + - it's not documented and not consistent across platforms + - the curl tool does that getenv magic - In case a read callback returns a status (pause, abort, eof, - error) instead of a byte count, drain the bytes read so far but - remember this status for further processing. - Takes care of not losing data when pausing, and properly resume a - paused mime structure when requested. - New tests 670-673 check unpausing cases, with easy or multi - interface and mime or form api. + Bug: https://github.com/curl/curl/commit/6de756c#r38127030 + Reported-by: Gisle Vanem - Fixes #4813 - Reported-by: MrdUkk on github - -Marc Hoersken (7 Mar 2020) -- runtests: fix missing use of exe_ext helper function + Closes #5187 -Daniel Stenberg (7 Mar 2020) -- [Ernst Sjöstrand brought this change] +Marc Hoersken (5 Apr 2020) +- lib670: use the same Win32 API check as all other lib tests - ares: store dns parameters for duphandle - - With c-ares the dns parameters lives in ares_channel. Store them in the - curl handle and set them again in easy_duphandle. +- appveyor: use random test server ports based upon APPVEYOR_API_URL - Regression introduced in #3228 (6765e6d), shipped in curl 7.63.0. + Avoid conflicts of test server ports with AppVeyor API on localhost. - Fixes #4893 - Closes #5020 - Signed-off-by: Ernst Sjöstrand + Closes #5034 -- version: make curl_version* thread-safe without using global context +- appveyor: sort builds by type and add two new variants - Closes #5010 - -- RELEASE-NOTES: synced + Related to #5034 and #5063 -Marc Hoersken (7 Mar 2020) -- tests: use native Sleep function as fallback on Windows +- appveyor: show failed tests in log even if test is ignored - Reviewed-By: Daniel Stenberg - Closes #5054 + And print API response with newline only if there is one -- perl: align order and completeness of Windows OS checks +- appveyor: turn disabled tests into ignored result tests -Daniel Stenberg (7 Mar 2020) -- tool_cb_see: set correct copyright year range +Daniel Stenberg (5 Apr 2020) +- KNOWN_BUGS: fixed "USE_UNIX_SOCKETS on Windows" - Follow-up to a39e5bfb9 + Fixed with #5170 (commit 23a870f2fd041278) -Marc Hoersken (7 Mar 2020) -- seek: fix fallback for missing ftruncate on Windows +- test1566: verify --etag-compare that gets a 304 back - This fixes test 198 on versions of MinGW-w64 without ftruncate + Verifies the fix in #5183 - Reviewed-By: Daniel Stenberg - Reviewed-By: Marcel Raad - Closes #5055 + Closes #5186 -- config-win32: Windows does not have ftruncate +- [Kwon-Young Choi brought this change] -Daniel Stenberg (7 Mar 2020) -- pause: force a connection (re-)check after unpausing + CURLINFO_CONDITION_UNMET: return true for 304 http status code - There might be data available that was already read off the socket, for - example in the TLS layer. + In libcurl, CURLINFO_CONDITION_UNMET is used to avoid writing to the + output file if the server did not transfered a file based on time + condition. In the same manner, getting a 304 HTTP response back from the + server, for example after passing a custom If-Match-* header, also + fulfill this condition. - Reported-by: Anders Berg - Fixes #4966 - Closes #5049 + Fixes #5181 + Closes #5183 -- socks5: switch state properly when the resolve is done - - Regression from 4a4b63d (and #4907) - Reported-by: vitaha85 on github - Fixes #5053 - Closes #5056 +- [Kwon-Young Choi brought this change] -Jay Satiro (7 Mar 2020) -- libssh: Fix matching user-specified MD5 hex key + curl: allow both --etag-compare and --etag-save with same file name - Prior to this change a match would never be successful because it - was mistakenly coded to compare binary data from libssh to a - user-specified hex string (ie CURLOPT_SSH_HOST_PUBLIC_KEY_MD5). + This change inverse the order of processing for the --etag-compare and + --etag-save option to process first --etag-compare. This in turn allows + to use the same file name to compare and save an etag. - Reported-by: fds242@users.noreply.github.com + The original behavior of not failing if the etag file does not exists is + conserved. - Fixes https://github.com/curl/curl/issues/4971 - Closes https://github.com/curl/curl/pull/4974 + Fixes #5179 + Closes #5180 -Daniel Stenberg (6 Mar 2020) -- pause: bail out on bad input +Viktor Szakats (4 Apr 2020) +- windows: enable UnixSockets with all build toolchains - A NULL easy handle or an easy handle without an associated connection - cannot be paused or unpaused. + Extend existing unix socket support in Windows builds to be + enabled for all toolchain vendors or versions. (Previously + it was only supported with certain MSVC versions + more recent + Windows 10 SDKs) - Closes #5050 + Ref: https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows/ + Ref: https://github.com/curl/curl/issues/5162 + Closes: https://github.com/curl/curl/pull/5170 -Steve Holme (6 Mar 2020) -- unit1612: fixed the inclusion and compilation of the HMAC unit test - - Follow up to 3f74e5e6 to fix: - - - A typo in Makefile.inc where unit1611 was used instead - - Some compilation issues in unit1612.c +Daniel Stenberg (4 Apr 2020) +- KNOWN_BUGS: Store TLS context per transfer instead of per connection - Closes #5024 + Closes #5102 -Daniel Stenberg (6 Mar 2020) -- pause: return early for calls that don't change pause state +Marc Hoersken (3 Apr 2020) +- sockfilt: remove redundancy in timeout handling - Reviewed-by: Patrick Monnerat - Ref: #4833 - Closes #5026 + And update other logmsg output in select_ws on Windows. -Jay Satiro (6 Mar 2020) -- curl_share_setopt.3: Note sharing cookies doesn't enable the engine - - Follow-up to d0a7ee3 which fixed a bug in 7.66.0 that caused - CURL_LOCK_DATA_COOKIE to enable the easy handle's cookie engine. +- sockfilt: fix handling of ready closed sockets on Windows - Bug: https://curl.haxx.se/mail/lib-2020-03/0019.html - Reported-by: Felipe Gasper + Replace the incomplete workaround regarding FD_CLOSE + only signalling once by instead doing a pre-check with + standard select and storing the result for later use. - Closes https://github.com/curl/curl/pull/5048 + select keeps triggering on closed sockets on Windows while + WSAEventSelect fires only once with data still available. + By doing the pre-check we do not run in a deadlock + due to waiting forever for another FD_CLOSE event. -- multi: skip EINTR check on wakeup socket if it was closed +- sockfilt: fix race-condition of waiting threads and event handling - - Don't check errno on wakeup socket if sread returned 0 since sread - doesn't set errno in that case. + Fix race-condition of waiting threads finishing while events are + already being processed which lead to invalid or skipped events. - This is a follow-up to cf7760a from several days ago which fixed - Curl_multi_wait to stop busy looping sread on the non-blocking wakeup - socket if it was closed (ie sread returns 0). Due to a logic error it - was still possible to busy loop in that case if errno == EINTR. + Use mutex to check for one event at a time or do post-processing. + In addition to mutex-based locking use specific event as signal. - Closes https://github.com/curl/curl/pull/5047 + Closes #5156 -Daniel Stenberg (6 Mar 2020) -- transfer: set correct copyright year range +Daniel Stenberg (2 Apr 2020) +- [Leo Neat brought this change] -- urldata: remove the 'stream_was_rewound' connectdata struct member - - ... as it is never set anywhere. + CI-fuzz: increase fuzz time to 40 minutes - Follow-up to 2f44e94ef - Closes #5046 + Closes #5174 -- Revert "pause: force-drain the transfer on unpause" - - This reverts commit fa0216b294af4c7113a9040ca65eefc7fc18ac1c (from #5000) - - Clearly that didn't solve the problem correctly. +Marc Hoersken (2 Apr 2020) +- CI: increase Azure Pipelines timeouts due to performance issues - Reported-by: Christopher Reid - Reopens #4966 - Fixes #5044 + The current demand on Azure negatively impacts the CI performance. + +- runtests.pl: log host OS as detected by Perl environment + +- ftpserver.pl: log before and after data connection is closed +Daniel Stenberg (1 Apr 2020) - RELEASE-NOTES: synced - - and bumped curlver.h -- MANUAL: update a dict-using command line - - The 'web1913' database is now invalid, use 'gcide' instead. +- RELEASE-PROCEDURE.md: run the copyright.pl script! -- KNOWN_BUGS: configure --with-gssapi with Heimdal is ignored on macOS +- vquic/ngtcp2.h: update copyright year range - Closes #3841 + Follow-up to 0736ee73d346a52 -- polarssl: remove more references and mentions - - Assisted-by: Jay Satiro - Follow-up to 6357a19ff29dac04 - Closes #5036 +- [Daiki Ueno brought this change] -Marc Hoersken (4 Mar 2020) -- tests: wrap ignored test failures in braces + CI: add build with ngtcp2 + gnutls on Travis CI -- tests: align some Windows sleep defines with each other +- [Daiki Ueno brought this change] -- tests: try to make sleeping portable by avoiding select + vquic: add support for GnuTLS backend of ngtcp2 - select does not support just waiting on Windows: - https://perldoc.perl.org/perlport.html#select + Currently, the TLS backend used by vquic/ngtcp2.c is selected at compile + time. Therefore OpenSSL support needs to be explicitly disabled. - Reviewed-By: Daniel Stenberg - Closes #5035 + Signed-off-by: Daiki Ueno + Closes #5148 -Daniel Stenberg (4 Mar 2020) -- runtests.1: rephrase how to specify what tests to run - - Also mention the new tilde-prefixed way to ignore test results. - - Reviewed-By: Marc Hoersken - Closes #5033 +- [Gisle Vanem brought this change] -- cirrus-ci: disable the FreeBSD 13 builds - - FreeBSD 13.0 is apparently close to a year away from a stable release - and has proven to cause intermittent builds failures recently. + examples/sessioninfo.c: add include to fix compiler warning - Assisted-by: Dan Fandrich - Assisted-by: Fedor Korotkov - Fixes #5028 - Closes #5029 + Fixes #5171 -Version 7.69.0 (4 Mar 2020) +- misc: copyright year updates + + Follow-up to 7a71965e9 -Daniel Stenberg (4 Mar 2020) -- RELEASE-NOTES: 7.69.0 +- [Harry Sintonen brought this change] -- THANKS: from 7.69.0 + build: fixed build for systems with select() in unistd.h - Now sorted case insensitive + Closes #5169 -Marc Hoersken (3 Mar 2020) -- ci/tests: fix escaping of testnames and disable proxy for CI APIs +- memdebug: don't log free(NULL) - Follow up to ada581f and c0d8b96 - Closes #5031 + ... it serves no purpose and fills up the log. -Jay Satiro (3 Mar 2020) -- cmake: Show HTTPS-proxy in the features output - - - Show HTTPS-proxy in the features output for those backends that - support it: OpenSSL, GnuTLS and NSS. - - Prior to this change HTTPS-proxy was missing from the cmake features - output even if curl was built with it. Only cmake output was affected. - Both the library and tool correctly reported the feature. - - Bug: https://curl.haxx.se/mail/lib-2020-03/0008.html - Reported-by: David Lopes +- cleanup: insert newline after if() conditions - Closes https://github.com/curl/curl/pull/5025 + Our code style mandates we put the conditional block on a separate + line. These mistakes are now detected by the updated checksrc. -Marc Hoersken (3 Mar 2020) -- ci/tests: Make it possible to still run but ignore failing tests - - This enables the development of a solution for the failing tests by - running them on CI while ignoring their result for the overall status. +- checksrc: warn on obvious conditional blocks on the same line as if() - Closes #4994 + Closes #5164 -- README.md: add Azure DevOps Pipelines build status badge +- [Roger Orr brought this change] -- ci/tests: Move CI test result creation above environment setup - - This avoids using our test servers as proxy to the AppVeyor API. + cmake: add CMAKE_MSVC_RUNTIME_LIBRARY - Closes #5022 + Fixes #5165 + Closes #5167 -- ci/tests: Send test results to AppVeyor for status overview - - Closes #5021 +- [Daiki Ueno brought this change] -Daniel Stenberg (3 Mar 2020) -- Revert "sha256: Added SecureTransport implementation" + ngtcp2: update to git master for the key installation API change - This reverts commit 4feb38deed33fed14ff7c370a6a9153c661dbb9c (from #4956) + This updates the ngtcp2 OpenSSL backend to follow the API change in + commit 32e703164 of ngtcp2. - That commit broke test 1610 on macos builds without TLS. + Notable changes are: + - ngtcp2_crypto_derive_and_install_{rx,tx}_key have been added to replace + ngtcp2_crypto_derive_and_install_key + - the 'side' argument of ngtcp2_crypto_derive_and_install_initial_key + has been removed - Closes #5027 + Fixes #5166 + Closes #5168 -- dist: include tests/azure.pm in the tarball - - Bug: https://github.com/curl/curl/commit/ada581f2cc32f48c1629b729707ac19208435b27#commitcomment-37601589 - Reported-by: Marcel Raad +- [Cyrus brought this change] -Steve Holme (3 Mar 2020) -- configure.ac: Disable metalink if mbedTLS is specified - - Follow up to cdcc9df1 and #5006. Even though I mentioned mbedTLS as - being one of the backends that metalink needs to be disabled for, I - seem to have included it in the list of allowed SSL/TLS backends in - comnfigure.ac :( + SECURITY.md: minor rephrase - Closes #5013 + Closes #5158 -- sha256: Tidy up following recent changes +- output.d: quote the URL when globbing - Reviewed-by: Daniel Stenberg - Closes #4956 - -- sha256: Added WinCrypt implementation - -- sha256: Added SecureTransport implementation - -- sha256: Added mbedtls implementation - -- sha256: Added GNU TLS gcrypt implementation - -- sha256: Added GNU TLS Nettle implementation - -Jay Satiro (2 Mar 2020) -- curl_escape.3: Add a link to curl_free + Some shells do globbing of their own unless the URL is quoted, so maybe + encourage this. - Ref: https://github.com/curl/curl/pull/5016#issuecomment-593628582 + Co-authored-by: Jay Satiro + Closes #5160 -- curl_getenv.3: Fix the memory handling description - - - Tell the user to call curl_free() to free the pointer returned by - curl_getenv(). +- dist: add tests/version-scan.pl to tarball - Prior to this change the user was directed to call free(), but that - would not work in cases where the library and application use separate C - runtimes and therefore have separate heap memory management. + ... used in test 1177. - Closes https://github.com/curl/curl/pull/5016 + Follow-up to a97d826f6de3 -Daniel Stenberg (2 Mar 2020) -- [Nick Zitzmann brought this change] +- test1177: verify that all the CURL_VERSION_ bits are documented - md4: use init/update/final functions in Secure Transport +- curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented - We can use CC_MD4_Init/Update/Final without having to allocate memory - directly. + Considered experimental and therefore we can do this. - Closes #4979 - -Marc Hoersken (2 Mar 2020) -- ci/tests: some MacOS builds randomly take longer than 20min + Closes #5157 -Daniel Stenberg (2 Mar 2020) -- multi_wait: stop loop when sread() returns zero - - It's unclear why it would ever return zero here, but this change fixes - Robert's problem and it shouldn't loop forever... +- KNOWN_BUGS: DoH doesn't inherit all transfer options - Reported-by: Robert Dunaj - Bug: https://curl.haxx.se/mail/archive-2020-02/0011.html - Closes #5019 + Closes #4578 + Closes #4579 -- http: mark POSTs with no body as "upload done" from the start - - As we have logic that checks if we get a >= 400 reponse code back before - the upload is done, which then got confused since it wasn't "done" but - yet there was no data to send! +- KNOWN_BUGS: DoH leaks memory after followlocation - Reported-by: IvanoG on github - Fixes #4996 - Closes #5002 + Closes #4592 -- tests: disable 962, 963 and 964 on Windows - - These tests are also doing UTF-8 SMTP. +- KNOWN_BUGS: "FTPS needs session reuse" - Follow-up to df207d2dd93b9e73 - -Marc Hoersken (2 Mar 2020) -- ci/tests: fine-tune Azure Pipeline timeouts with a small puffer - -Daniel Stenberg (2 Mar 2020) -- configure: bump the AC_COPYRIGHT year range - -- [Steve Holme brought this change] + Closes #4654 - tests: disable SMTP UTF-8 tests on Windows - - Fixes #4988 - Closes #4992 +- KNOWN_BUGS: "stick to same family over SOCKS pro" is presumed fixed -- formdata/mime: copyright year range update +- TODO: Set custom client ip when using haproxy protocol - Due to the merge/revert cycle + Closes #5125 -- Revert "mime: latch last read callback status." +Michael Kaufmann (27 Mar 2020) +- writeout_json: Fix data type issues - This reverts commit 87869e38d7afdec3ef1bb4965711458b088e254f. + Load long values correctly (e.g. for http_code). - Fixes #5014 - Closes #5015 - Reopens #4833 - -- Revert "mime: do not perform more than one read in a row" + Use curl_off_t (not long) for: + - size_download (CURLINFO_SIZE_DOWNLOAD_T) + - size_upload (CURLINFO_SIZE_UPLOAD_T) - This reverts commit ed0f357f7d25566110d4302f33759f4ffb5a6f83. - -- Revert "mime: fix the binary encoder to handle large data properly" + The unit for these values is bytes/second, not microseconds: + - speed_download (CURLINFO_SPEED_DOWNLOAD_T) + - speed_upload (CURLINFO_SPEED_UPLOAD_T) - This reverts commit b2caaa0681f329eed317ffb6ae6927f4a539f0c1. + Fixes #5131 + Closes #5152 -- altsvc: both h3 backends now speak h3-27 +Daniel Stenberg (27 Mar 2020) +- mailmap: fixup a few author names/fields - ... also updated the HTTP3 build description for ngtcp2 accordingly. - -- [Patrick Monnerat brought this change] + Douglas Steinwand, Gökhan Şengün, Jessa Chandler, Julian Z and + Svyatoslav Mishyn - mime: fix the binary encoder to handle large data properly +- version: add 'cainfo' and 'capath' to version info struct - New test 666 checks this is effective. - As upload buffer size is significant in this kind of tests, shorten it - in similar test 652. + Suggested-by: Timothe Litt + URL: https://curl.haxx.se/mail/lib-2020-03/0090.html + Reviewed-by: Jay Satiro - Fixes #4860 - Reported-by: RuurdBeerstra on github + Closes #5150 -- [Patrick Monnerat brought this change] +- RELEASE-NOTES: synced - mime: do not perform more than one read in a row +Jay Satiro (26 Mar 2020) +- SSLCERTS.md: Fix example code for setting CA cert file - Input buffer filling may delay the data sending if data reads are slow. - To overcome this problem, file and callback data reads do not accumulate - in buffer anymore. All other data (memory data and mime framing) are - considered as fast and still concatenated in buffer. - As this may highly impact performance in terms of data overhead, an early - end of part data check is added to spare a read call. - When encoding a part's data, an encoder may require more bytes than made - available by a single read. In this case, the above rule does not apply - and reads are performed until the encoder is able to deliver some data. + Prior to this change the documentation erroneously said use + CURLOPT_CAPATH to set a CA cert file. - Tests 643, 644, 645, 650 and 654 have been adapted to the output data - changes, with test data size reduced to avoid the boredom of long lists of - 1-byte chunks in verification data. - New test 664 checks mimepost using single-byte read callback with encoder. - New test 665 checks the end of part data early detection. + Bug: https://curl.haxx.se/mail/lib-2020-03/0121.html + Reported-by: Timothe Litt - Fixes #4826 - Reported-by: MrdUkk on github - -- [Patrick Monnerat brought this change] + Closes https://github.com/curl/curl/pull/5151 - mime: latch last read callback status. +Marc Hoersken (26 Mar 2020) +- sockfilt: add logmsg output to select_ws_wait_thread on Windows - In case a read callback returns a status (pause, abort, eof, - error) instead of a byte count, drain the bytes read so far but - remember this status for further processing. - Takes care of not losing data when pausing, and properly resume a - paused mime structure when requested. - New tests 670-673 check unpausing cases, with easy or multi - interface and mime or form api. + Assisted-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Fixes #4813 - Reported-by: MrdUkk on github - Closes #4833 + Closes #5086 -Steve Holme (1 Mar 2020) -- unit1651: Fixed conversion compilation warning +Daniel Stenberg (26 Mar 2020) +- docs/make: generate curl.1 from listed files only + + Previously it rendered the page from files matching "*.d" in the correct + directory, which worked fine in git builds when the files were added but + made it easy to forget adding the files to the dist. - 371:17: warning: conversion to 'unsigned char' from 'int' may alter its - value [-Wconversion] + Now, only man page sections listed in DPAGES in Makefile.inc will be + used, thus "forcing" us to update this to get the man page right and get + it included in the dist at the same time. - Closes #5008 + Ref: #5146 + Closes #5149 -- configure.ac: Disable metalink support if an incompatible SSL/TLS specified +- openssl: adapt to functions marked as deprecated since version 3 - tool_metalink only supports cryptography from OpenSSL, GnuTLS, NSS, - The Win32 Crypto library and Apple's Common Crypto library. + OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES + functions we use. - If an TLS backend such as mbedTLS or WolfSSL is specified then the - following error is given during compilation along, with a load of - unresolved extern errors: + Fix the MD4 and SSL_CTX_load_verify_locations warnings. - Can't compile METALINK support without a crypto library. + In configure, detect OpenSSL v3 and if so, inhibit the deprecation + warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and + until we rewrite the code to use non-deprecated functions we better + ignore these warnings as they don't help us. - Reviewed-by: Daniel Stenberg - Closes #5006 + Closes #5139 -Marc Hoersken (1 Mar 2020) -- ci/tests: Update Azure DevOps pipeline job display names +- dist: add mail-rcpt-allowfails.d to the tarball - Make the configure step more descriptive and align others. - -- ci/tests: Fix typo in previous commit 597cf2 - -- ci/tests: Make sure that the AZURE_ACCESS_TOKEN is available + Reported-by: Maksim Stsepanenka + Reviewed-by: Jat Satiro - For security reasons the access token is not available to PR builds. - Therefore we should not try to use the DevOps API with an empty token. + Closes #5146 diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index 9e037eecf1..fcac1f5f30 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS @@ -116,6 +116,7 @@ Andre Heinecke Andreas Damm Andreas Falkenhahn Andreas Farber +Andreas Fischer Andreas Kostyrka Andreas Malzahn Andreas Ntaflos @@ -201,6 +202,7 @@ Austin Green Avery Fay Axel Tillequin Ayoub Boudhar +b9a1 on github Balaji Parasuram Balaji S Rao Balaji Salunke @@ -407,6 +409,7 @@ Craig Markwardt crazydef on github Cris Bailiff Cristian Greco +Cristian Morales Vega Cristian Rodríguez Curt Bogmine Cynthia Coan @@ -415,6 +418,7 @@ Cyrill Osterwalder Cédric Connes Cédric Deltheil D. Flinkmann +d4d on hackerone d912e3 on github Da-Yoon Chung daboul on github @@ -532,6 +536,7 @@ Dheeraj Sangamkar Didier Brisebourg Diego Bes Diego Casorran +Dietmar Hauser Dilyan Palauzov Dima Barsky Dima Pasechnik @@ -545,6 +550,7 @@ Dinar Dirk Eddelbuettel Dirk Feytons Dirk Manske +Dirk Wetter Dirkjan Bussink Diven Qi divinity76 on github @@ -620,6 +626,7 @@ Elliot Saba Ellis Pritchard Elmira A Semenova elsamuko on github +emanruse on github Emanuele Bovisio Emil Engler Emil Lerner @@ -883,6 +890,7 @@ Jack Zhang Jackarain on github Jacky Lam Jacob Barthelmeh +Jacob Hoffman-Andrews Jacob Meuser Jacob Moshenko Jactry Zeng @@ -1081,6 +1089,7 @@ Joshua Kwan Joshua Swink Josie Huddleston Josue Andrade Gomes +José Joaquín Atria Jozef Kralik JP Mens Juan Barreto @@ -1117,6 +1126,7 @@ Jörg Mueller-Tolk Jörn Hartroth K. R. Walker ka7 on github +Kael1117 on github Kai Engert Kai Noda Kai Sommerfeld @@ -1160,6 +1170,7 @@ Kimmo Kinnunen Kirill Marchuk Kjell Ericson Kjetil Jacobsen +Klaus Crusius Klaus Stein Klevtsov Vadim Kobi Gurkan @@ -1168,6 +1179,7 @@ Konstantin Isakov Konstantin Kushnir kotoriのねこ kouzhudong on github +Kovalkov Dmitrii kreshano on github Kris Kennaway Krishnendu Majumdar @@ -1547,6 +1559,7 @@ Nikos Tsipinakis niner on github Ning Dong Nir Soffer +Niranjan Hasabnis Nis Jorgensen nk NobodyXu on github @@ -1556,6 +1569,7 @@ nopjmp on github Norbert Frese Norbert Kett Norbert Novotny +nosajsnikta on github NTMan on Github Octavio Schroeder Ofer @@ -1571,6 +1585,7 @@ Oliver Gondža Oliver Graute Oliver Kuckertz Oliver Schindler +Oliver Urbann Olivier Berger Olivier Brunel Omar Ramadan @@ -1647,6 +1662,7 @@ pendrek at hackerone Peng Li Per Lundberg Per Malmberg +Per Nilsson Pete Lomax Peter Bray Peter Forret @@ -1687,6 +1703,7 @@ Philip Craig Philip Gladstone Philip Langdale Philip Prindeville +Philipp Klaus Krause Philipp Waehnert Philippe Hameau Philippe Marguinaud @@ -1853,6 +1870,7 @@ Rosimildo da Silva Ross Burton Roy Bellingan Roy Shan +Rui LIU Rune Kleveland Ruslan Baratov Ruslan Gazizov @@ -2053,6 +2071,7 @@ therealhirudo on github tholin on github Thomas Bouzerar Thomas Braun +Thomas Danielsson Thomas Gamper Thomas Glanzmann Thomas J. Moore @@ -2107,6 +2126,7 @@ Todd Short Todd Vierling Tom Benoist Tom Donovan +Tom G. Christensen Tom Grace Tom Greenslade Tom Lee @@ -2164,6 +2184,7 @@ Valentin David Valentyn Korniienko Valerii Zapodovnikov vanillajonathan on github +Varnavas Papaioannou Vasiliy Faronov Vasily Lobaskin Vasy Okhin @@ -2231,6 +2252,7 @@ Xiang Xiao Xiangbin Li Xiaoyin Liu XmiliaH on github +xnynx on github xwxbug on github Yaakov Selkowitz Yang Tse -- cgit v1.2.3