From fed632f293b2ac474f5da2d65f35c92867bdaebc Mon Sep 17 00:00:00 2001 From: dartraiden Date: Thu, 18 Jul 2019 16:27:13 +0300 Subject: libcurl: update to 7.65.2 --- libs/libcurl/docs/CHANGES | 11273 ++++++++++++++++++++++---------------------- libs/libcurl/docs/THANKS | 25 + 2 files changed, 5724 insertions(+), 5574 deletions(-) (limited to 'libs/libcurl/docs') diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index 945a790b24..57280ebcc6 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,7907 +6,8032 @@ Changelog -Version 7.65.1 (4 Jun 2019) +Version 7.65.2 (17 Jul 2019) -Daniel Stenberg (4 Jun 2019) -- RELEASE-NOTES: 7.65.1 +Daniel Stenberg (17 Jul 2019) +- RELEASE-NOTES: 7.65.2 -- THANKS: new contributors from 7.65.1 +- THANKS: add contributors from 7.65.2 -Steve Holme (4 Jun 2019) -- [Frank Gevaerts brought this change] +Jay Satiro (17 Jul 2019) +- [aasivov brought this change] - ssl: Update outdated "openssl-only" comments for supported backends + cmake: Fix finding Brotli on case-sensitive file systems - These are for features that used to be openssl-only but were expanded - over time to support other SSL backends. + - Find package "Brotli" instead of "BROTLI" since the former is the + casing used for CMake/FindBrotli.cmake, and otherwise find_package + may fail on a case-sensitive file system. - Closes #3985 + Fixes https://github.com/curl/curl/issues/4117 -Daniel Stenberg (4 Jun 2019) -- curl_share_setopt.3: improve wording [ci ship] +- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - Reported-by: Carlos ORyan - -Steve Holme (4 Jun 2019) -- tool_parsecfg: Use correct return type for GetModuleFileName() + AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've + cautioned against using it for that purpose and included a workaround. - GetModuleFileName() returns a DWORD which is a typedef of an unsigned - long and not an int. + Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html + Reported-by: Christopher Head - Closes #3980 + Closes https://github.com/curl/curl/issues/3814 -Daniel Stenberg (3 Jun 2019) -- TODO: "at least N milliseconds between requests" [ci skip] - - Suggested-by: dkwolfe4 on github - Closes #3920 +- [Stefano Simonelli brought this change] -Steve Holme (2 Jun 2019) -- tests/server/.gitignore: Add socksd to the ignore list - - Missed in 04fd6755. 
+ CURLOPT_SEEKDATA.3: fix variable name - Closes #3978 + Closes https://github.com/curl/curl/pull/4118 -- tool_parsecfg: Fix control flow issue (DEADCODE) +- [georgeok brought this change] + + CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - Follow-up to 8144ba38. + If the SSL backend is Schannel and the user specifies an Schannel CALG_ + that is not supported by the protocol or the server then curl returns + CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. - Detected by Coverity CID 1445663 - Closes #3976 + Fixes https://github.com/curl/curl/issues/3389 + Closes https://github.com/curl/curl/pull/4106 -Daniel Stenberg (2 Jun 2019) -- [Sergey Ogryzkov brought this change] +- [Daniel Gustafsson brought this change] - NTLM: reset proxy "multipass" state when CONNECT request is done + nss: inspect returnvalue of token check - Closes #3972 - -- test334: verify HTTP 204 response with chunked coding header + PK11_IsPresent() checks for the token for the given slot is available, + and sets needlogin flags for the PK11_Authenticate() call. Should it + return false, we should however treat it as an error and bail out. - Verifies that a bodyless response don't parse this content-related - header. + Closes https://github.com/curl/curl/pull/4110 -- [Michael Kaufmann brought this change] +- docs: Explain behavior change in --tlsv1. options since 7.54 + + Since 7.54 --tlsv1. options use the specified version or later, however + older versions of curl documented it as using just the specified version + which may or may not have happened depending on the TLS library. + Document this discrepancy to allay confusion for users familiar with the + old documentation that expect just the specified version. 
+ + Fixes https://github.com/curl/curl/issues/4097 + Closes https://github.com/curl/curl/pull/4119 - http: don't parse body-related headers bodyless responses +- libcurl: Restrict redirect schemes (follow-up) - Responses with status codes 1xx, 204 or 304 don't have a response body. For - these, don't parse these headers: + - Allow FTPS on redirect. - - Content-Encoding - - Content-Length - - Content-Range - - Last-Modified - - Transfer-Encoding + - Update default allowed redirect protocols in documentation. - This change ensures that HTTP/2 upgrades work even if a - "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. + Follow-up to 6080ea0. - Co-authored-by: Daniel Stenberg - Closes #3702 - Fixes #3968 - Closes #3977 - -- tls13-docs: mention it is only for OpenSSL >= 1.1.1 + Ref: https://github.com/curl/curl/pull/4094 - Reported-by: Jay Satiro - Co-authored-by: Jay Satiro - Fixes #3938 - Closes #3946 + Closes https://github.com/curl/curl/pull/4115 -- dump-header.d: spell out that no headers == empty file [ci skip] +Daniel Stenberg (16 Jul 2019) +- test1173: make it also check all libcurl option man pages - Reported-by: wesinator at github - Fixes #3964 - Closes #3974 + ... and adjust those that cause errors + + Closes #4116 -- singlesocket: use separate variable for inner loop +- curl: only accept COLUMNS less than 10000 - An inner loop within the singlesocket() function wrongly re-used the - variable for the outer loop which then could cause an infinite - loop. Change to using a separate variable! + ... as larger values would rather indicate something silly (and could + potentially cause buffer problems). 
- Reported-by: Eric Wu - Fixes #3970 - Closes #3973 + Reported-by: pendrek at hackerone + Closes #4114 -- RELEASE-NOTES: synced +- dist: add manpage-syntax.pl + + follow-up to 7fb66c403 -- [Josie Huddleston brought this change] +- test1173: detect some basic man page format mistakes + + Triggered by PR #4111 + + Closes #4113 - http2: Stop drain from being permanently set on +Jay Satiro (15 Jul 2019) +- [Bjarni Ingi Gislason brought this change] + + docs: Fix missing lines caused by undefined macros - Various functions called within Curl_http2_done() can have the - side-effect of setting the Easy connection into drain mode (by calling - drain_this()). However, the last time we unset this for a transfer (by - calling drained_transfer()) is at the beginning of Curl_http2_done(). - If the Curl_easy is reused for another transfer, it is then stuck in - drain mode permanently, which in practice makes it unable to write any - data in the new transfer. + - Escape apostrophes at line start. - This fix moves the last call to drained_transfer() to later in - Curl_http2_done(), after the functions that could potentially call for a - drain. + Some lines begin with a "'" (apostrophe, single quote), which is then + interpreted as a control character in *roff. - Fixes #3966 - Closes #3967 - Reported-by: Josie-H + Such lines are interpreted as being a call to a macro, and if + undefined, the lines are removed from the output. + + Bug: https://bugs.debian.org/926352 + 
Signed-off-by: Bjarni Ingi Gislason + + Submitted-by: Alessandro Ghedini + + Closes https://github.com/curl/curl/pull/4111 -Steve Holme (29 May 2019) -- conncache: Remove the DEBUGASSERT on length check +Daniel Stenberg (14 Jul 2019) +- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults - We trust the calling code as this is an internal function. + follow-up to 6080ea098 + +- [Linos Giannopoulos brought this change] + + libcurl: Add testcase for gopher redirects - Closes #3962 + The testcase ensures that redirects to CURLPROTO_GOPHER won't be + allowed, by default, in the future. Also, curl is being used + for convenience while keeping the testcases DRY. + + The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is + redirected to CURLPROTO_GOPHER + + Signed-off-by: Linos Giannopoulos -Jay Satiro (29 May 2019) -- [Gisle Vanem brought this change] +- [Linos Giannopoulos brought this change] - system_win32: fix function prototype + libcurl: Restrict redirect schemes - - Change if_nametoindex parameter type from char * to const char *. + All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS + counterpart were allowed for redirect. This vastly broadens the + exploitation surface in case of a vulnerability such as SSRF [1], where + libcurl-based clients are forced to make requests to arbitrary hosts. - Follow-up to 09eef8af from this morning. + For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based + protocol by URL-encoding a payload in the URI. Gopher will open a TCP + connection and send the payload. - Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + Only HTTP/HTTPS and FTP are allowed. All other protocols have to be + explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. + + [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ + + 
Signed-off-by: Linos Giannopoulos + + Closes #4094 -Marcel Raad (29 May 2019) -- appveyor: add Visual Studio solution build +- [Zenju brought this change] + + openssl: define HAVE_SSL_GET_SHUTDOWN based on version number - Closes https://github.com/curl/curl/pull/3941 + Closes #4100 -- appveyor: add support for other build systems +- [Peter Simonyi brought this change] + + http: allow overriding timecond with custom header - Introduce BUILD_SYSTEM variable, which is currently always CMake. + With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. + If-Modified-Since). Allow this to be replaced or suppressed with + CURLOPT_HTTPHEADER. - Closes https://github.com/curl/curl/pull/3941 + Fixes #4103 + Closes #4109 -Steve Holme (29 May 2019) -- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows +Jay Satiro (11 Jul 2019) +- [Juergen Hoetzel brought this change] + + smb: Use the correct error code for access denied on file open - This fixes the static dependency on iphlpapi.lib and allows curl to - build for targets prior to Windows Vista. + - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. - This partially reverts 170bd047. + Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. - Fixes #3960 - Closes #3958 + Closes https://github.com/curl/curl/pull/4095 -Daniel Stenberg (29 May 2019) -- http: fix "error: equality comparison with extraneous parentheses" +- [Daniel Gustafsson brought this change] -- parse_proxy: make sure portptr is initialized + DEPRECATE: fixup versions and spelling - Reported-by: Benbuck Nason + Correctly set the July 17 version to 7.65.2, and update spelling to + be consistent. Also fix a typo. - fixes #3959 + Closes https://github.com/curl/curl/pull/4107 -- url: default conn->port to the same as conn->remote_port +- [Gisle Vanem brought this change] + + system_win32: fix clang warning - ... 
so that it has a sensible value when ConnectionExists() is called which - needs it set to differentiate host "bundles" correctly on port number! + - Declare variable in header as extern. - Also, make conncache:hashkey() use correct port for bundles that are proxy vs - host connections. + Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 + +Daniel Gustafsson (10 Jul 2019) +- headers: Remove no longer exported functions - Probably a regression from 7.62.0 + There were a leftover few prototypes of Curl_ functions that we used to + export but no longer do, this removes those prototypes and cleans up any + comments still referring to them. - Reported-by: Tom van der Woerdt - Fixes #3956 - Closes #3957 - -- conncache: make "bundles" per host name when doing proxy tunnels + Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() + Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() + were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. + Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. - Only HTTP proxy use where multiple host names can be used over the same - connection should use the proxy host name for bundles. + For the remainder, I didn't trawl the Git logs hard enough to capture + their exact time of deletion, but they were all gone: Curl_splayprint(), + Curl_http2_send_request(), Curl_global_host_cache_dtor(), + Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), + Curl_http_auth_stage() and Curl_close_connections(). - Reported-by: Tom van der Woerdt - Fixes #3951 - Closes #3955 + Closes #4096 + Reviewed-by: Daniel Stenberg -- multi: track users of a socket better +- CMake: fix typos and spelling + +- [Kyle Edwards brought this change] + + CMake: Convert errant elseif() to else() - They need to be removed from the socket hash linked list with more care. 
+ CMake interprets an elseif() with no arguments as elseif(FALSE), + resulting in the elseif() block not being executed. That is not what + was intended here. Change the empty elseif() to an else() as it was + intended. - When sh_delentry() is called to remove a sockethash entry, remove all - individual transfers from the list first. To enable this, each Curl_easy struct - now stores a pointer to the sockethash entry to know how to remove itself. + Closes #4101 + Reported-by: Artalus + Reviewed-by: Daniel Gustafsson + +- buildconf: fix header filename - Reported-by: Tom van der Woerdt and Kunal Ekawde + The header file inclusion had a typo, it should be .h and not .hd. + Fix by renaming. - Fixes #3952 - Fixes #3904 - Closes #3953 + Fixes #4102 + Reported-by: AceCrow on Github -Steve Holme (28 May 2019) -- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version +- [Jan Chren brought this change] + + configure: fix --disable-code-coverage - Microsoft added support for Unix Domain Sockets in Windows 10 1803 - (RS4). Rather than expect the user to enable Unix Domain Sockets by - uncommenting the #define that was added in 0fd6221f we use the RS4 - pre-processor variable that is present in newer versions of the - Windows SDK. + This fixes the case when --disable-code-coverage supplied to ./configure + would result in coverage="yes" being set. - Closes #3939 + Closes #4099 + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (28 May 2019) -- [Jonas Vautherin brought this change] +- cleanup: fix typo in comment - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables +- RELEASE-NOTES: synced + +Jay Satiro (6 Jul 2019) +- [Daniel Gustafsson brought this change] + + nss: support using libnss on macOS - Closes #3945 + The file suffix for dynamically loadable objects on macOS is .dylib, + which need to be added for the module definitions in order to get the + NSS TLS backend to work properly on macOS. 
+ + Closes https://github.com/curl/curl/pull/4046 -Marcel Raad (27 May 2019) -- HAProxy tests: add keywords +- [Daniel Gustafsson brought this change] + + nss: don't set unused parameter - Add the proxy and haproxy keywords in order to be able to exclude or - run these specific tests. + The value of the maxPTDs parameter to PR_Init() has since at least + NSPR 2.1, which was released sometime in 1998, been marked ignored + as is accordingly not used in the initialization code. Setting it + to a value when calling PR_Init() is thus benign, but indicates an + intent which may be misleading. Reset the value to zero to improve + clarity. - Closes https://github.com/curl/curl/pull/3949 + Closes https://github.com/curl/curl/pull/4054 -Daniel Stenberg (27 May 2019) -- [Maksim Stsepanenka brought this change] +- [Daniel Gustafsson brought this change] - tests: make test 1420 and 1406 work with rtsp-disabled libcurl + nss: only cache valid CRL entries - Closes #3948 + Change the logic around such that we only keep CRLs that NSS actually + ended up caching around for later deletion. If CERT_CacheCRL() fails + then there is little point in delaying the freeing of the CRL as it + is not used. + + Closes https://github.com/curl/curl/pull/4053 -Kamil Dudka (27 May 2019) -- [Hubert Kario brought this change] +- [Gergely Nagy brought this change] - nss: allow to specify TLS 1.3 ciphers if supported by NSS + lib: Use UTF-8 encoding in comments - Closes #3916 + Some editors and IDEs assume that source files use UTF-8 file encodings. + It also fixes the build with MSVC when /utf-8 command line option is + used (this option is mandatory for some other open-source projects, this + is useful when using the same options is desired for building all + libraries of a project). 
+ + Closes https://github.com/curl/curl/pull/4087 -Daniel Stenberg (26 May 2019) -- RELEASE-NOTES: synced +- [Caleb Raitto brought this change] -- [Jay Satiro brought this change] + CURLOPT_HEADEROPT.3: Fix example + + Fix an issue where example builds a curl_slist, but fails to actually + use it, or free it. + + Closes https://github.com/curl/curl/pull/4090 - Revert all SASL authzid (new feature) commits +- [Shankar Jadhavar brought this change] + + winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - - Revert all commits related to the SASL authzid feature since the next - release will be a patch release, 7.65.1. + - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. - Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined - for the next release, assuming it would be a feature release 7.66.0. - However instead the next release will be a patch release, 7.65.1 and - will not contain any new features. + - Also removed some ^M chars from file. - After the patch release after the reverted commits can be restored by - using cherry-pick: + Prior to this change while building on Windows platform even if we pass + the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does + not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. - git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 + Closes https://github.com/curl/curl/pull/4086 + +Daniel Stenberg (4 Jul 2019) +- doh-url.d: added in 7.62.0 + +Jay Satiro (30 Jun 2019) +- docs: Fix links to OpenSSL docs - Details for all reverted commits: + OpenSSL changed their manual locations and does not redirect to the new + locations. - Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." 
+ Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html + Reported-by: Daniel Stenberg + +Daniel Stenberg (26 Jun 2019) +- [Gaël PORTAY brought this change] + + curl_multi_wait.3: escape backslash in example - This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + The backslash in the character Line Feed must be escaped. - Revert "tests: Fix the line endings for the SASL alt-auth tests" + The current man-page outputs the code as following: - This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. + fprintf(stderr, "curl_multi failed, code %d.0, mc); - Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + The commit fixes it as follow: - This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + fprintf(stderr, "curl_multi failed, code %d\n", mc); - Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + Closes #4079 + +- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. + ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is + built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for + UWP (with "VC-WIN32-UWP"). - Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" + Reported-by: Vasily Lobaskin + Fixes #4073 + Closes #4077 + +- test1521: adapt to SLISTPOINT - This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. + The header now has the slist-using options marked as SLISTPOINT so this + makes sure test 1521 understands that. 
+ + Follow-up to ae99b4de1c443ae989 + + Closes #4074 -- [dbrowndan brought this change] +- win32: make DLL loading a no-op for UWP + + Reported-by: Michael Brehm + Fixes #4060 + Closes #4072 - FAQ: more minor updates and spelling fixes +- [1ocalhost brought this change] + + configure: fix typo '--disable-http-uath' - Closes #3937 + Closes #4076 -- RELEASE-NOTES: synced +- [Niklas Hambüchen brought this change] -- sectransp: handle errSSLPeerAuthCompleted from SSLRead() + docs: fix string suggesting HTTP/2 is not the default - Reported-by: smuellerDD on github - Fixes #3932 - Closes #3933 + Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the + man page that new default is mentioned, but the section at the top + contradicted it until now. + + Also remove claim that setting the HTTP version is not sensible. + + Closes #4075 -GitHub (24 May 2019) -- [Gisle Vanem brought this change] +- RELEASE-NOTES: synced - Fix typo. +- [Stephan Szabo brought this change] -Daniel Stenberg (23 May 2019) -- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + tests: update fixed IP for hostip/clientip split - Reported-by: Marcel Raad - Fixes #3926 - Closes #3929 + These tests give differences for me on linux when using a hostip + pointing to the external ip address for the local machine. + + Closes #4070 -Steve Holme (23 May 2019) -- winbuild: Use two space indentation +Daniel Gustafsson (24 Jun 2019) +- http: clarify header buffer size calculation - Closes #3930 + The header buffer size calculation can from static analysis seem to + overlow as it performs an addition between two size_t variables and + stores the result in a size_t variable. Overflow is however guarded + against elsewhere since the input to the addition is regulated by + the maximum read buffer size. Clarify this with a comment since the + question was asked. 
+ + Reviewed-by: Daniel Stenberg -GitHub (23 May 2019) -- [Gisle Vanem brought this change] +Daniel Stenberg (24 Jun 2019) +- KNOWN_BUGS: Don't clear digest for single realm + + Closes #3267 - tool_parse_cfg: Avoid 2 fopen() for WIN32 +- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - Using the memdebug.h mem-leak feature, I noticed 2 calls like: - FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + Closes #3284 + +- http2: call done_sending on end of upload - No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. + To make sure a HTTP/2 stream registers the end of stream. + + Bug #4043 made me find this problem but this fix doesn't correct the + reported issue. + + Closes #4068 -Daniel Stenberg (23 May 2019) -- md4: include the mbedtls config.h to get the MD4 info +- [James Brown brought this change] -- md4: build correctly with openssl without MD4 + c-ares: honor port numbers in CURLOPT_DNS_SERVERS - Reported-by: elsamuko at github - Fixes #3921 - Closes #3922 + By using ares_set_servers_ports_csv on new enough c-ares. + + Fixes #4066 + Closes #4067 -Patrick Monnerat (23 May 2019) -- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
+Daniel Gustafsson (24 Jun 2019) +- CURLMOPT_SOCKETFUNCTION.3: fix typo -Daniel Stenberg (23 May 2019) -- .github/FUNDING: mention our opencollective "home" [ci skip] +Daniel Stenberg (24 Jun 2019) +- [Koen Dergent brought this change] -Marcel Raad (23 May 2019) -- [Zenju brought this change] + curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds + + Closes #4061 - config-win32: add support for if_nametoindex and getsockname +- test153: fix content-length to avoid occasional hang - Closes https://github.com/curl/curl/pull/3923 + Closes #4065 -Jay Satiro (23 May 2019) -- tests: Fix the line endings for the SASL alt-auth tests +- RELEASE-NOTES: synced + +- multi: enable multiplexing by default (again) - - Change data and protocol sections to CRLF line endings. + It was originally made default in d7c4213bd0c (7.62.0) but mistakenly + reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + Closes #4051 + +- typecheck: add 3 missing strings and a callback data pointer - Follow-up to a9499ff from today which added the tests. + Closes #4050 + +- tests: add disable-scan.pl to dist - Ref: https://github.com/curl/curl/pull/3790 + follow-up from 29177f422a5 + + Closes #4059 -Daniel Stenberg (23 May 2019) -- url: fix bad #ifdef +- http2: don't call stream-close on already closed streams - Regression since e91e48161235272ff485. + Closes #4055 + +Marcel Raad (20 Jun 2019) +- travis: enable alt-svc for coverage build - Reported-by: Tom Greenslade - Fixes #3924 - Closes #3925 + Closes -- Revert "progress: CURL_DISABLE_PROGRESS_METER" +- travis: enable libssh2 for coverage build - This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + It was enabled by default before commit c92d2e14cfb. 
- Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + - CURLOPT_LOW_SPEED_TIME + Disable torture tests 600 and 601 because of + https://github.com/curl/curl/issues/1678. - Reported-by: Dave Reisner + Closes + +- travis: disable threaded resolver for coverage build - Fixes #3927 - Closes #3928 + This enables more tests. + + Closes -Steve Holme (22 May 2019) -- examples: Added SASL PLAIN authorisation identity (authzid) examples +- travis: enable brotli for all xenial jobs + + There's no need for a separate job, and no need to build it from source + with Xenial. + + Closes -- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool +- travis: enable warnings-as-errors for coverage build + + Closes -- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID +GitHub (20 Jun 2019) +- [Gisle Vanem brought this change] + + system_win32: fix typo + +Daniel Stenberg (20 Jun 2019) +- typecheck: CURLOPT_CONNECT_TO takes an slist too - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. + Additionally, add an alias in curl.h for slist-using options so that + we can grep/parse those out at will. - Fixed #3653 - Closes #3790 + Closes #4042 -Marc Hoersken (22 May 2019) -- tests: add support to test against OpenSSH for Windows +- [Stephan Szabo brought this change] + + tests: support non-localhost HOSTIP for dict/smb servers - Testing against OpenSSH for Windows requires v7.7.0.0 or newer - due to the use of AllowUsers and DenyUsers. For more info see: - https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config + smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for + binding the server which when we were running the tests with a separate + HOSTIP and CLIENTIP had failures verifying the server from the device we + were testing. 
+ + This changes them to take the address from runtests.py and default to + localhost/127.0.0.1 if none is given. + + Closes #4048 -Daniel Stenberg (22 May 2019) -- bump: start on the next release +- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT -Marcel Raad (22 May 2019) -- examples: fix "clarify calculation precedence" warnings +- configure: --disable-progress-meter - Closes https://github.com/curl/curl/pull/3919 - -- hiperfifo: remove unused variable + Builds libcurl without support for the built-in progress meter. - Closes https://github.com/curl/curl/pull/3919 + Closes #4023 -- examples: remove dead variable stores +- curl: improved skip-setopt-options when built with disabled features - Closes https://github.com/curl/curl/pull/3919 + Reduces #ifdefs in src/tool_operate.c + + Follow-up from 4e86f2fc4e6 + Closes #3936 -- examples: reduce variable scopes +Steve Holme (18 Jun 2019) +- netrc: Return the correct error code when out of memory - Closes https://github.com/curl/curl/pull/3919 + Introduced in 763c5178. + + Closes #4036 -- http2-download: fix format specifier +Daniel Stenberg (18 Jun 2019) +- config-os400: add getpeername and getsockname defines - Closes https://github.com/curl/curl/pull/3919 + Reported-by: jonrumsey on github + Fixes #4037 + Closes #4039 -Daniel Stenberg (22 May 2019) -- PolarSSL: deprecate support step 1. Removed from configure. +- runtests: keep logfiles around by default - Also removed mentions from most docs. + Make '-k' a no-op. The singletest function now clears the log directory + BEFORE each individual test and not after, which makes it possible to + always keep the logfiles around after a test has been run. No need to + specify -k anymore. Keeping the option parsing around to work with users + of old habits. - Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + Some tests also didn't work properly when -k was used (since the old + logs would be kep when a new test starts) which this change also fixes. 
- Closes #3888 + Closes #4035 -- configure/cmake: check for if_nametoindex() +- [Gergely Nagy brought this change] + + openssl: fix pubkey/signature algorithm detection in certinfo - - adds the check to cmake + Certinfo gives the same result for all OpenSSL versions. + Also made printing RSA pubkeys consistent with older versions. - - fixes the configure check to work for cross-compiled windows builds + Reported-by: Michael Wallner + Fixes #3706 + Closes #4030 + +- conn_maxage: move the check to prune_dead_connections() - Closes #3917 + ... and avoid the locking issue. + + Reported-by: Kunal Ekawde + Fixes #4029 + Closes #4032 -- parse_proxy: use the IPv6 zone id if given +- tests: have runtests figure out disabled features - If the proxy string is given as an IPv6 numerical address with a zone - id, make sure to use that for the connect to the proxy. + ... so that runtests can skip individual test cases that test features + that are explicitly disabled in this build. This new logic is intended + for disabled features that aren't otherwise easily visible through the + curl_version_info() or other API calls. - Reported-by: Edmond Yu + tests/server/disabled is a newly built executable that will output a + list of disabled features. Outputs nothing for a default build. 
- Fixes #3482 - Closes #3918 + Closes #3950 -Version 7.65.0 (22 May 2019) +- test188/189: fix Content-Length + + This cures the flaky test results + + Closes #4034 -Daniel Stenberg (22 May 2019) -- RELEASE-NOTES: 7.65.0 release +- [Thomas Gamper brought this change] -- THANKS: from the 7.65.0 release-notes + winbuild: use WITH_PREFIX if given + + Closes #4031 -- url: convert the zone id from a IPv6 URL to correct scope id +Daniel Gustafsson (17 Jun 2019) +- openssl: remove outdated comment - Reported-by: GitYuanQu on github - Fixes #3902 - Closes #3914 + OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), + which is why we switched to CONF_modules_load_file() and introduced + a comment stating why. This behavior was however changed in OpenSSL + commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now + outdated and incorrect comment. The mentioned commit also declares + OPENSSL_config() deprecated so keep the current coding. + + Closes #4033 + Reviewed-by: Daniel Stenberg -- configure: detect getsockname and getpeername on windows too +Daniel Stenberg (16 Jun 2019) +- RELEASE-NOTES: synced + +Patrick Monnerat (16 Jun 2019) +- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. - Made detection macros for these two functions in the same style as other - functions possibly in winsock in the hope this will work better to - detect these functions when cross-compiling for Windows. + Use it in curl_easy_setopt_ccsid(). - Follow-up to e91e4816123 + Reported-by: jonrumsey on github + Fixes #3833 + Closes #4028 + +Daniel Stenberg (15 Jun 2019) +- runtests: report single test time + total duration - Fixes #3913 - Closes #3915 + ... after each successful test. + + Closes #4027 -Marcel Raad (21 May 2019) -- examples: remove unused variables +- multi: fix the transfer hash function - Fixes Codacy/CppCheck warnings. 
+ Follow-up from 8b987cc7eb - Closes + Reported-by: Tom van der Woerdt + Fixes #4018 + Closes #4024 -Daniel Gustafsson (21 May 2019) -- udpateconninfo: mark variable unused +- unit1654: cleanup on memory failure - When compiling without getpeername() or getsockname(), the sockfd - paramter to Curl_udpateconninfo() became unused after commit e91e481612 - added ifdef guards. + ... to make it handle torture tests properly. - Closes #3910 - Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 - Reviewed-by: Marcel Raad, Daniel Stenberg + Reported-by: Marcel Raad + Fixes #4021 + Closes #4022 -- ftp: move ftp_ccc in under featureflag +Marcel Raad (13 Jun 2019) +- krb5: fix compiler warning - Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under - the FTP featureflag in the UserDefined struct, but vtls callsites were - still using it unprotected. + Even though the variable was used in a DEBUGASSERT, GCC 8 warned in + debug mode: + krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] - Closes #3912 - Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 - Reviewed-by: Daniel Stenberg, Marcel Raad + Just suppress the warning and declare the variable unconditionally + instead of only for DEBUGBUILD (which also missed the check for + HAVE_ASSERT_H). + + Closes https://github.com/curl/curl/pull/4020 -Daniel Stenberg (20 May 2019) -- curl: report error for "--no-" on non-boolean options +Daniel Stenberg (13 Jun 2019) +- quote.d: asterisk prefix works for SFTP as well - Reported-by: Olen Andoni - Fixes #3906 - Closes #3907 + Reported-by: Ben Voris + Fixes #4017 + Closes #4019 -- [Guy Poizat brought this change] +- multi: fix the transfer hashes in the socket hash entries + + - The transfer hashes weren't using the correct keys so removing entries + failed. 
+ + - Simplified the iteration logic over transfers sharing the same socket and + they now simply are set to expire and thus get handled in the "regular" + timer loop instead. + + Reported-by: Tom van der Woerdt + Fixes #4012 + Closes #4014 - mbedtls: enable use of EC keys +Jay Satiro (12 Jun 2019) +- [Cliff Crosland brought this change] + + url: Fix CURLOPT_MAXAGE_CONN time comparison - Closes #3892 + Old connections are meant to expire from the connection cache after + CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x + that value. This occurs because a time value measured in milliseconds is + accidentally divided by 1M instead of by 1,000. + + Closes https://github.com/curl/curl/pull/4013 -- lib1560: add tests for parsing URL with too long scheme +Daniel Stenberg (11 Jun 2019) +- test1165: verify that CURL_DISABLE_ symbols are in sync - Ref: #3905 + between configure.ac and source code. They should be possible to switch + on/off in configure AND be used in source code. -- [Omar Ramadan brought this change] +- configure: remove CURL_DISABLE_TLS_SRP + + It isn't used by code so stop providing the define. + + Closes #4010 - urlapi: increase supported scheme length to 40 bytes +- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" - The longest currently registered URI scheme at IANA is 36 bytes long. + This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. - Closes #3905 - Closes #3900 + Apparently several of the appveyor windows builds broke. -Marcel Raad (20 May 2019) -- lib: reduce variable scopes +- [sergey-raevskiy brought this change] + + cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified - Fixes Codacy/CppCheck warnings. + Reviewed-by: Jakub Zakrzewski + Closes #3770 + +- RELEASE-NOTES: synced + +- http2: remove CURL_DISABLE_TYPECHECK define - Closes https://github.com/curl/curl/pull/3872 + ... in http2-less builds as it served no use. 
-- tool_formparse: remove redundant assignment +- configure: more --disable switches to toggle off individual features - Just initialize word_begin with the correct value. + ... actual support in the code for disabling these has already landed. - Closes https://github.com/curl/curl/pull/3873 + Closes #4009 -- ssh: move variable declaration to where it's used +- wolfssl: fix key pinning build error - This way, we need only one call to free. + follow-up from deb9462ff2de8 + +- CURLMOPT_SOCKETFUNCTION.3: clarified - Closes https://github.com/curl/curl/pull/3873 + Moved away the callback explanation from curl_multi_socket_action.3 and + expanded it somewhat. + + Closes #4006 -- ssh-libssh: remove unused variable +- wolfssl: fixup for SNI use - sock was only used to be assigned to fd_read. + follow-up from deb9462ff2de8 - Closes https://github.com/curl/curl/pull/3873 + Closes #4007 -Daniel Stenberg (20 May 2019) -- test332: verify the blksize fix +- CURLOPT_CAINFO.3: polished wording + + Clarify the functionality when built to use Schannel and Secure + Transport and stop calling it the "recommended" or "preferred" way and + instead rather call it the default. + + Removed the reference to the ssl comparison table as it isn't necessary. + + Reported-by: Richard Alcock + Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html + Closes #4005 -- tftp: use the current blksize for recvfrom() +GitHub (10 Jun 2019) +- [Daniel Stenberg brought this change] + + SECURITY.md: created - bug: https://curl.haxx.se/docs/CVE-2019-5436.html - Reported-by: l00p3r on hackerone - CVE-2019-5436 + Brief security policy description for use/display on github. -Daniel Gustafsson (19 May 2019) -- version: make ssl_version buffer match for multi_ssl +Daniel Gustafsson (10 Jun 2019) +- tool_cb_prg: Fix integer overflow in progress bar - When running a multi TLS backend build the version string needs more - buffer space. 
Make the internal ssl_buffer stack buffer match the one - in Curl_multissl_version() to allow for the longer string. For single - TLS backend builds there is no use in extended to buffer. This is a - fallout from #3863 which fixes up the multi_ssl string generation to - avoid a buffer overflow when the buffer is too small. + Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar + width calculation to avoid integer overflow, but failed to account for + the fact that initial_size is initialized to -1 when the file size is + retrieved from the remote on an upload, causing another signed integer + overflow. Fix by separately checking for this case before the width + calculation. - Closes #3875 + Closes #3984 + Reported-by: Brian Carpenter (Geeknik Labs) Reviewed-by: Daniel Stenberg -Steve Holme (18 May 2019) -- http_ntlm_wb: Handle auth for only a single request +Daniel Stenberg (10 Jun 2019) +- wolfssl: refer to it as wolfSSL only - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). + Remove support for, references to and use of "cyaSSL" from the source + and docs. wolfSSL is the current name and there's no point in keeping + references to ancient history. - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. + Assisted-by: Daniel Gustafsson - Missed in fe6049f0. + Closes #3903 -- http_ntlm_wb: Cleanup handshake after clean NTLM failure +- RELEASE-NOTES: synced + +- bindlocal: detect and avoid IP version mismatches in bind() - Missed in 50b87c4e. 
+ Reported-by: Alex Grebenschikov + Fixes #3993 + Closes #4002 -- http_ntlm_wb: Return the correct error on receiving an empty auth message +- multi: make sure 'data' can present in several sockhash entries - Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + Since more than one socket can be used by each transfer at a given time, + each sockhash entry how has its own hash table with transfers using that + socket. - Closes #3894 - -Daniel Stenberg (18 May 2019) -- curl: make code work with protocol-disabled libcurl + In addition, the sockhash entry can now be marked 'blocked = TRUE'" + which then makes the delete function just set 'removed = TRUE' instead + of removing it "for real", as a way to not rip out the carpet under the + feet of a parent function that iterates over the transfers of that same + sockhash entry. - Closes #3844 - -- libcurl: #ifdef away more code for disabled features/protocols - -- progress: CURL_DISABLE_PROGRESS_METER - -- hostip: CURL_DISABLE_SHUFFLE_DNS + Reported-by: Tom van der Woerdt + Fixes #3961 + Fixes #3986 + Fixes #3995 + Fixes #4004 + Closes #3997 -- netrc: CURL_DISABLE_NETRC +- [Sorcus brought this change] -Viktor Szakats (16 May 2019) -- docs: Markdown and misc improvements [ci skip] + libcurl-tutorial.3: Fix small typo (mutipart -> multipart) - Approved-by: Daniel Stenberg - Closes #3896 + Fixed-by: MrSorcus on github + Closes #4000 -- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] +- unpause: trigger a timeout for event-based transfers - Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 - Approved-by: Daniel Stenberg - Closes #3895 - -Daniel Stenberg (16 May 2019) -- travis: add an osx http-only build + ... so that timeouts or other state machine actions get going again + after a changing pause state. For example, if the last delivery was + paused there's no pending socket activity. 
- Closes #3887 + Reported-by: sstruchtrup on github + Fixes #3994 + Closes #4001 -- cleanup: remove FIXME and TODO comments +Marcel Raad (9 Jun 2019) +- travis: use xenial LLVM package for scan-build - They serve very little purpose and mostly just add noise. Most of them - have been around for a very long time. I read them all before removing - or rephrasing them. - - Ref: #3876 - Closes #3883 + I missed that in commit 99a49d6. -- curl: don't set FTP options for FTP-disabled builds - - ... since libcurl has started to be totally unaware of options for - disabled protocols they now return error. - - Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 +- travis: update scan-build job to xenial - Reported-by: Marcel Raad - Closes #3886 + Closes https://github.com/curl/curl/pull/3999 -Steve Holme (16 May 2019) -- http_ntlm_wb: Move the type-2 message processing into a dedicated function +Daniel Stenberg (8 Jun 2019) +- bump: start working on 7.65.2 + +Marcel Raad (5 Jun 2019) +- examples/htmltitle: use C++ casts between pointer types - This brings the code inline with the other HTTP authentication mechanisms. + Compilers and static analyzers warn about using C-style casts here. - Closes #3890 - -Daniel Stenberg (15 May 2019) -- RELEASE-NOTES: synced - -- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] + Closes https://github.com/curl/curl/pull/3975 -- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] +- examples/fopen: fix comparison - Reported-by: Roy Bellingan - Bug: #3885 + As want is size_t, (file->buffer_pos - want) is unsigned, so checking + if it's less than zero makes no sense. + Check if file->buffer_pos is less than want instead to avoid the + unsigned integer wraparound. 
+ + Closes https://github.com/curl/curl/pull/3975 -- parse_proxy: use the URL parser API +- build: fix Codacy warnings - As we treat a given proxy as a URL we should use the unified URL parser - to extract the parts out of it. + Reduce variable scopes and remove redundant variable stores. - Closes #3878 + Closes https://github.com/curl/curl/pull/3975 -Steve Holme (15 May 2019) -- http_negotiate: Move the Negotiate state out of the negotiatedata structure +- sws: remove unused variables - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + Unused since commit 2f44e94. - Closes #3882 + Closes https://github.com/curl/curl/pull/3975 -- http_ntlm: Move the NTLM state out of the ntlmdata structure - - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. +Version 7.65.1 (4 Jun 2019) -- url: Move the negotiate state type into a dedicated enum +Daniel Stenberg (4 Jun 2019) +- RELEASE-NOTES: 7.65.1 -- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - - Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior - to calling conn_shutdown() and it in turn performs this, there is no - need to perform the same action in conn_shutdown(). - - Closes #3881 +- THANKS: new contributors from 7.65.1 -Daniel Stenberg (14 May 2019) -- urlapi: require a non-zero host name length when parsing URL - - Updated test 1560 to verify. - - Closes #3880 +Steve Holme (4 Jun 2019) +- [Frank Gevaerts brought this change] -- configure: error out if OpenSSL wasn't detected when asked for + ssl: Update outdated "openssl-only" comments for supported backends - If --with-ssl is used and configure still couldn't enable SSL this - creates an error instead of just silently ignoring the fact. + These are for features that used to be openssl-only but were expanded + over time to support other SSL backends. 
- Suggested-by: Isaiah Norton - Fixes #3824 - Closes #3830 + Closes #3985 -Daniel Gustafsson (14 May 2019) -- imap: Fix typo in comment +Daniel Stenberg (4 Jun 2019) +- curl_share_setopt.3: improve wording [ci ship] + + Reported-by: Carlos ORyan -Steve Holme (14 May 2019) -- url: Remove unnecessary initialisation from allocate_conn() +Steve Holme (4 Jun 2019) +- tool_parsecfg: Use correct return type for GetModuleFileName() - No need to set variables to zero as calloc() does this for us. + GetModuleFileName() returns a DWORD which is a typedef of an unsigned + long and not an int. - Closes #3879 + Closes #3980 -Daniel Stenberg (14 May 2019) -- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] +Daniel Stenberg (3 Jun 2019) +- TODO: "at least N milliseconds between requests" [ci skip] - Clues-provided-by: Jay Satiro - Clues-provided-by: Jeroen Ooms - Fixes #3711 - Closes #3874 + Suggested-by: dkwolfe4 on github + Closes #3920 -Daniel Gustafsson (13 May 2019) -- vtls: fix potential ssl_buffer stack overflow +Steve Holme (2 Jun 2019) +- tests/server/.gitignore: Add socksd to the ignore list - In Curl_multissl_version() it was possible to overflow the passed in - buffer if the generated version string exceeded the size of the buffer. - Fix by inverting the logic, and also make sure to not exceed the local - buffer during the string generation. + Missed in 04fd6755. 
- Closes #3863 - Reported-by: nevv on HackerOne/curl - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (13 May 2019) -- RELEASE-NOTES: synced - -- appveyor: also build "/ci" branches like travis - -- pingpong: disable more when no pingpong enabled - -- proxy: acknowledge DISABLE_PROXY more - -- parsedate: CURL_DISABLE_PARSEDATE - -- sasl: only enable if there's a protocol enabled using it - -- mime: acknowledge CURL_DISABLE_MIME - -- wildcard: disable from build when FTP isn't present - -- http: CURL_DISABLE_HTTP_AUTH - -- base64: build conditionally if there are users - -- doh: CURL_DISABLE_DOH + Closes #3978 -Steve Holme (12 May 2019) -- auth: Rename the various authentication clean up functions +- tool_parsecfg: Fix control flow issue (DEADCODE) - For consistency and to a avoid confusion. + Follow-up to 8144ba38. - Closes #3869 + Detected by Coverity CID 1445663 + Closes #3976 -Daniel Stenberg (12 May 2019) -- [Jay Satiro brought this change] +Daniel Stenberg (2 Jun 2019) +- [Sergey Ogryzkov brought this change] - docs/INSTALL: fix broken link [ci skip] + NTLM: reset proxy "multipass" state when CONNECT request is done - Reported-by: Joombalaya on github - Fixes #3818 + Closes #3972 -Marcel Raad (12 May 2019) -- easy: fix another "clarify calculation precedence" warning +- test334: verify HTTP 204 response with chunked coding header - I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + Verifies that a bodyless response don't parse this content-related + header. -- build: fix "clarify calculation precedence" warnings +- [Michael Kaufmann brought this change] + + http: don't parse body-related headers bodyless responses - Codacy/CppCheck warns about this. Consistently use parentheses as we - already do in some places to silence the warning. + Responses with status codes 1xx, 204 or 304 don't have a response body. 
For + these, don't parse these headers: - Closes https://github.com/curl/curl/pull/3866 - -- cmake: restore C89 compatibility of CurlTests.c + - Content-Encoding + - Content-Length + - Content-Range + - Last-Modified + - Transfer-Encoding - I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and - 97de97daefc2ed084c91eff34af2426f2e55e134. + This change ensures that HTTP/2 upgrades work even if a + "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. - Reported-by: Viktor Szakats - Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 - Closes https://github.com/curl/curl/pull/3868 + Co-authored-by: Daniel Stenberg + Closes #3702 + Fixes #3968 + Closes #3977 -Steve Holme (11 May 2019) -- http_ntlm: Corrected the name of the include guard +- tls13-docs: mention it is only for OpenSSL >= 1.1.1 - Missed in f0bdd72c. + Reported-by: Jay Satiro + Co-authored-by: Jay Satiro + Fixes #3938 + Closes #3946 + +- dump-header.d: spell out that no headers == empty file [ci skip] - Closes #3867 + Reported-by: wesinator at github + Fixes #3964 + Closes #3974 -- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled +- singlesocket: use separate variable for inner loop - Closes #3861 + An inner loop within the singlesocket() function wrongly re-used the + variable for the outer loop which then could cause an infinite + loop. Change to using a separate variable! + + Reported-by: Eric Wu + Fixes #3970 + Closes #3973 -- http_negotiate: Don't expose functions when HTTP is disabled +- RELEASE-NOTES: synced -Daniel Stenberg (11 May 2019) -- SECURITY-PROCESS: fix links [ci skip] +- [Josie Huddleston brought this change] -Marcel Raad (11 May 2019) -- CMake: suppress unused variable warnings + http2: Stop drain from being permanently set on - I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. 
- -Daniel Stenberg (11 May 2019) -- doh: disable DOH for the cases it doesn't work - - Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for - DOH resolves. This fix disables DOH for those. + Various functions called within Curl_http2_done() can have the + side-effect of setting the Easy connection into drain mode (by calling + drain_this()). However, the last time we unset this for a transfer (by + calling drained_transfer()) is at the beginning of Curl_http2_done(). + If the Curl_easy is reused for another transfer, it is then stuck in + drain mode permanently, which in practice makes it unable to write any + data in the new transfer. - Limitation added to KNOWN_BUGS. + This fix moves the last call to drained_transfer() to later in + Curl_http2_done(), after the functions that could potentially call for a + drain. - Fixes #3850 - Closes #3857 + Fixes #3966 + Closes #3967 + Reported-by: Josie-H -Jay Satiro (11 May 2019) -- checksrc.bat: Ignore snprintf warnings in docs/examples +Steve Holme (29 May 2019) +- conncache: Remove the DEBUGASSERT on length check - .. because we allow snprintf use in docs/examples. + We trust the calling code as this is an internal function. - Closes https://github.com/curl/curl/pull/3862 + Closes #3962 -Steve Holme (10 May 2019) -- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - - ...and misalignment of these comments. From a78c61a4. - - Closes #3860 +Jay Satiro (29 May 2019) +- [Gisle Vanem brought this change] -Jay Satiro (10 May 2019) -- Revert "multi: support verbose conncache closure handle" + system_win32: fix function prototype - This reverts commit b0972bc. + - Change if_nametoindex parameter type from char * to const char *. - - No longer show verbose output for the conncache closure handle. + Follow-up to 09eef8af from this morning. - The offending commit was added so that the conncache closure handle - would inherit verbose mode from the user's easy handle. 
(Note there is - no way for the user to set options for the closure handle which is why - that was necessary.) Other debug settings such as the debug function - were not also inherited since we determined that could lead to crashes - if the user's per-handle private data was used on an unexpected handle. + Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + +Marcel Raad (29 May 2019) +- appveyor: add Visual Studio solution build - The reporter here says he has a debug function to capture the verbose - output, and does not expect or want any output to stderr; however - because the conncache closure handle does not inherit the debug function - the verbose output for that handle does go to stderr. + Closes https://github.com/curl/curl/pull/3941 + +- appveyor: add support for other build systems - There are other plausible scenarios as well such as the user redirects - stderr on their handle, which is also not inherited since it could lead - to crashes when used on an unexpected handle. + Introduce BUILD_SYSTEM variable, which is currently always CMake. - Short of allowing the user to set options for the conncache closure - handle I don't think there's much we can safely do except no longer - inherit the verbose setting. + Closes https://github.com/curl/curl/pull/3941 + +Steve Holme (29 May 2019) +- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows - Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html - Reported-by: Kristoffer Gleditsch + This fixes the static dependency on iphlpapi.lib and allows curl to + build for targets prior to Windows Vista. - Ref: https://github.com/curl/curl/pull/3598 - Ref: https://github.com/curl/curl/pull/3618 + This partially reverts 170bd047. 
- Closes https://github.com/curl/curl/pull/3856 + Fixes #3960 + Closes #3958 -Steve Holme (10 May 2019) -- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() +Daniel Stenberg (29 May 2019) +- http: fix "error: equality comparison with extraneous parentheses" + +- parse_proxy: make sure portptr is initialized - From 6012fa5a. + Reported-by: Benbuck Nason - Closes #3858 - -Daniel Stenberg (9 May 2019) -- BUG-BOUNTY: minor formatting fixes [ci skip] - -- RELEASE-NOTES: synced + fixes #3959 -- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] +- url: default conn->port to the same as conn->remote_port - Closes #3839 - -Kamil Dudka (9 May 2019) -- http_negotiate: do not treat failure of gss_init_sec_context() as fatal + ... so that it has a sensible value when ConnectionExists() is called which + needs it set to differentiate host "bundles" correctly on port number! - Fixes #3726 - Closes #3849 - -- spnego_gssapi: fix return code on gss_init_sec_context() failure + Also, make conncache:hashkey() use correct port for bundles that are proxy vs + host connections. - Fixes #3726 - Closes #3849 + Probably a regression from 7.62.0 + + Reported-by: Tom van der Woerdt + Fixes #3956 + Closes #3957 -Steve Holme (9 May 2019) -- gen_resp_file.bat: Removed unnecessary @ from all but the first command +- conncache: make "bundles" per host name when doing proxy tunnels - There is need to use @ on every command once echo has been turned off. + Only HTTP proxy use where multiple host names can be used over the same + connection should use the proxy host name for bundles. - Closes #3854 + Reported-by: Tom van der Woerdt + Fixes #3951 + Closes #3955 -Jay Satiro (8 May 2019) -- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies +- multi: track users of a socket better - - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to - the destination host. + They need to be removed from the socket hash linked list with more care. 
- We already do something similar for HTTPS proxies by not sending h2. [1] + When sh_delentry() is called to remove a sockethash entry, remove all + individual transfers from the list first. To enable this, each Curl_easy struct + now stores a pointer to the sockethash entry to know how to remove itself. - Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would - incorrectly use HTTP/2 to talk to the proxy, which is not something we - support (yet?). Also it's debatable whether or not that setting should - apply to HTTP/2 proxies. + Reported-by: Tom van der Woerdt and Kunal Ekawde - [1]: https://github.com/curl/curl/commit/17c5d05 + Fixes #3952 + Fixes #3904 + Closes #3953 + +Steve Holme (28 May 2019) +- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version - Bug: https://github.com/curl/curl/issues/3570 - Bug: https://github.com/curl/curl/issues/3832 + Microsoft added support for Unix Domain Sockets in Windows 10 1803 + (RS4). Rather than expect the user to enable Unix Domain Sockets by + uncommenting the #define that was added in 0fd6221f we use the RS4 + pre-processor variable that is present in newer versions of the + Windows SDK. - Closes https://github.com/curl/curl/pull/3853 + Closes #3939 -Marcel Raad (8 May 2019) -- travis: update mesalink build to xenial - - Closes https://github.com/curl/curl/pull/3842 +Daniel Stenberg (28 May 2019) +- [Jonas Vautherin brought this change] -Daniel Stenberg (8 May 2019) -- [Ricky Leverence brought this change] + cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables + + Closes #3945 - OpenSSL: Report -fips in version if OpenSSL is built with FIPS +Marcel Raad (27 May 2019) +- HAProxy tests: add keywords - Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS - define. It uses this define to determine whether to publish -fips at - the end of the version displayed. 
Applications that utilize the version - reported by OpenSSL will see a mismatch if they compare it to what curl - reports, as curl is not modifying the version in the same way. This - change simply adds a check to see if OPENSSL_FIPS is defined, and will - alter the reported version to match what OpenSSL itself provides. This - only appears to be applicable in versions of OpenSSL <1.1.1 + Add the proxy and haproxy keywords in order to be able to exclude or + run these specific tests. - Closes #3771 + Closes https://github.com/curl/curl/pull/3949 -Kamil Dudka (7 May 2019) -- [Frank Gevaerts brought this change] +Daniel Stenberg (27 May 2019) +- [Maksim Stsepanenka brought this change] - nss: allow fifos and character devices for certificates. - - Currently you can do things like --cert <(cat ./cert.crt) with (at least) the - openssl backend, but that doesn't work for nss because is_file rejects fifos. - - I don't actually know if this is sufficient, nss might do things internally - (like seeking back) that make this not work, so actual testing is needed. + tests: make test 1420 and 1406 work with rtsp-disabled libcurl - Closes #3807 + Closes #3948 -Daniel Gustafsson (6 May 2019) -- test2100: Fix typos in test description +Kamil Dudka (27 May 2019) +- [Hubert Kario brought this change] -Daniel Stenberg (6 May 2019) -- ssh: define USE_SSH if SSH is enabled (any backend) + nss: allow to specify TLS 1.3 ciphers if supported by NSS - Closes #3846 + Closes #3916 -Steve Holme (5 May 2019) -- winbuild: Add our standard copyright header to the winbuild batch files +Daniel Stenberg (26 May 2019) +- RELEASE-NOTES: synced -- makedebug: Fix ERRORLEVEL detection after running where.exe - - Closes #3838 +- [Jay Satiro brought this change] -Daniel Stenberg (5 May 2019) -- urlapi: add CURLUPART_ZONEID to set and get + Revert all SASL authzid (new feature) commits - The zoneid can be used with IPv6 numerical addresses. 
+ - Revert all commits related to the SASL authzid feature since the next + release will be a patch release, 7.65.1. - Updated test 1560 to verify. + Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined + for the next release, assuming it would be a feature release 7.66.0. + However instead the next release will be a patch release, 7.65.1 and + will not contain any new features. - Closes #3834 - -- [Taiyu Len brought this change] - - WRITEFUNCTION: add missing set_in_callback around callback + After the patch release after the reverted commits can be restored by + using cherry-pick: - Closes #3837 - -- RELEASE-NOTES: synced - -- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] + git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 - Reported-by: Ricardo Gomes + Details for all reverted commits: - Bug: #3537 - Closes #3836 - -- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." - The time field in the curl_fileinfo struct will always be zero. No code - was ever implemented to actually convert the date string to a time_t. + This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. - Fixes #3829 - Closes #3835 - -- OS400/ccsidcurl.c: code style fixes - -- OS400/ccsidcurl: replace use of Curl_vsetopt + Revert "tests: Fix the line endings for the SASL alt-auth tests" - (and make the code style comply) + This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. - Fixes #3833 - -- urlapi: strip off scope id from numerical IPv6 addresses + Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" - ... to make the host name "usable". Store the scope id and put it back - when extracting a URL out of it. + This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. - Also makes curl_url_set() syntax check CURLUPART_HOST. 
+ Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" - Fixes #3817 - Closes #3822 - -- RELEASE-NOTES: synced - -- multiif.h: remove unused protos + This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. - ... for functions related to pipelining. Those functions were removed in - 2f44e94efb3df. + Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" - Closes #3828 + This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. -- [Yiming Jing brought this change] +- [dbrowndan brought this change] - travis: mesalink: temporarily disable test 3001 + FAQ: more minor updates and spelling fixes - ... due to SHA-1 signatures in test certs + Closes #3937 -- [Yiming Jing brought this change] +- RELEASE-NOTES: synced - travis: upgrade the MesaLink TLS backend to v1.0.0 +- sectransp: handle errSSLPeerAuthCompleted from SSLRead() - Closes #3823 - Closes #3776 + Reported-by: smuellerDD on github + Fixes #3932 + Closes #3933 -- ConnectionExists: improve non-multiplexing use case - - - better log output - - - make sure multiplex is enabled for it to be used +GitHub (24 May 2019) +- [Gisle Vanem brought this change] -- multi: provide Curl_multiuse_state to update information - - As soon as a TLS backend gets ALPN conformation about the specific HTTP - version it can now set the multiplex situation for the "bundle" and - trigger moving potentially queued up transfers to the CONNECT state. + Fix typo. -- process_pending_handles: mark queued transfers as previously pending +Daniel Stenberg (23 May 2019) +- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() - With transfers being queued up, we only move one at a a time back to the - CONNECT state but now we mark moved transfers so that when a moved - transfer is confirmed "successful" (it connected) it will trigger the - move of another pending transfer. Previously, it would otherwise wait - until the transfer was done before doing this. 
This makes queued up - pending transfers get processed (much) faster. + Reported-by: Marcel Raad + Fixes #3926 + Closes #3929 -- http: mark bundle as not for multiuse on < HTTP/2 response +Steve Holme (23 May 2019) +- winbuild: Use two space indentation - Fixes #3813 - Closes #3815 + Closes #3930 -Daniel Gustafsson (1 May 2019) -- cookie: Guard against possible NULL ptr deref +GitHub (23 May 2019) +- [Gisle Vanem brought this change] + + tool_parse_cfg: Avoid 2 fopen() for WIN32 - In case the name pointer isn't set (due to memory pressure most likely) - we need to skip the prefix matching and reject with a badcookie to avoid - a possible NULL pointer dereference. + Using the memdebug.h mem-leak feature, I noticed 2 calls like: + FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - Closes #3820 #3821 - Reported-by: Jonathan Moerman - Reviewed-by: Daniel Stenberg + No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. -Patrick Monnerat (30 Apr 2019) -- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings +Daniel Stenberg (23 May 2019) +- md4: include the mbedtls config.h to get the MD4 info -Kamil Dudka (29 Apr 2019) -- nss: provide more specific error messages on failed init +- md4: build correctly with openssl without MD4 - Closes #3808 + Reported-by: elsamuko at github + Fixes #3921 + Closes #3922 -Daniel Stenberg (29 Apr 2019) -- [Reed Loden brought this change] +Patrick Monnerat (23 May 2019) +- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
- docs: minor polish to the bug bounty / security docs - - Closes #3811 +Daniel Stenberg (23 May 2019) +- .github/FUNDING: mention our opencollective "home" [ci skip] -- CURL_MAX_INPUT_LENGTH: largest acceptable string input size +Marcel Raad (23 May 2019) +- [Zenju brought this change] + + config-win32: add support for if_nametoindex and getsockname - This limits all accepted input strings passed to libcurl to be less than - CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: - curl_easy_setopt() and curl_url_set(). + Closes https://github.com/curl/curl/pull/3923 + +Jay Satiro (23 May 2019) +- tests: Fix the line endings for the SASL alt-auth tests - The 8000000 number is arbitrary picked and is meant to detect mistakes - or abuse, not to limit actual practical use cases. By limiting the - acceptable string lengths we also reduce the risk of integer overflows - all over. + - Change data and protocol sections to CRLF line endings. - NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. - Test 1559 verifies. + Follow-up to a9499ff from today which added the tests. - Closes #3805 - -- [Tseng Jun brought this change] + Ref: https://github.com/curl/curl/pull/3790 - curlver.h: use parenthesis in CURL_VERSION_BITS macro +Daniel Stenberg (23 May 2019) +- url: fix bad #ifdef - Closes #3809 - -Marcel Raad (27 Apr 2019) -- [Simon Warta brought this change] - - cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP + Regression since e91e48161235272ff485. 
- Closes https://github.com/curl/curl/pull/3769 - -Steve Holme (23 Apr 2019) -- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + Reported-by: Tom Greenslade + Fixes #3924 + Closes #3925 -- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 +- Revert "progress: CURL_DISABLE_PROGRESS_METER" - Just like we do for mbed TLS, use our local implementation of MD4 when - OpenSSL doesn't support it. This allows a type-3 message to include the - NT response. - -Daniel Gustafsson (23 Apr 2019) -- INTERNALS: fix misindentation of ToC item + This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. - Kerberos was incorrectly indented as a subsection under FTP, which is - incorrect as they are both top level sections. A fix for this was first - attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that - was a few paddles short of being complete. - -- [Aron Bergman brought this change] - - INTERNALS: Add structs to ToC + Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + + CURLOPT_LOW_SPEED_TIME - Add the subsections under "Structs in libcurl" to the table of contents. + Reported-by: Dave Reisner - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Fixes #3927 + Closes #3928 -- [Aron Bergman brought this change] +Steve Holme (22 May 2019) +- examples: Added SASL PLAIN authorisation identity (authzid) examples - INTERNALS: Add code highlighting - - Make all struct members under the Curl_handler section - print in monospace font. - - Closes #3801 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson +- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool -Daniel Stenberg (22 Apr 2019) -- docs/BUG-BOUNTY: bug bounty time [skip ci] - - Introducing the curl bug bounty program on hackerone. We now recommend - filing security issues directly in the hackerone ticket system which - only is readable to curl security team members. 
+- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - Assisted-by: Daniel Gustafsson + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. - Closes #3488 + Fixed #3653 + Closes #3790 -Steve Holme (22 Apr 2019) -- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 +Marc Hoersken (22 May 2019) +- tests: add support to test against OpenSSH for Windows - RFC 4616 specifies the authzid is optional in the client authentication - message and that the server will derive the authorisation identity - (authzid) from the authentication identity (authcid) when not specified - by the client. + Testing against OpenSSH for Windows requires v7.7.0.0 or newer + due to the use of AllowUsers and DenyUsers. For more info see: + https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config -Jay Satiro (22 Apr 2019) -- [Gisle Vanem brought this change] +Daniel Stenberg (22 May 2019) +- bump: start on the next release - memdebug: fix variable name +Marcel Raad (22 May 2019) +- examples: fix "clarify calculation precedence" warnings - Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + Closes https://github.com/curl/curl/pull/3919 + +- hiperfifo: remove unused variable - Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + Closes https://github.com/curl/curl/pull/3919 -Steve Holme (21 Apr 2019) -- vauth/cleartext: Don't send the authzid if it is empty +- examples: remove dead variable stores - Follow up to 762a292f. 
+ Closes https://github.com/curl/curl/pull/3919 -Daniel Stenberg (21 Apr 2019) -- test 196,197,198: add 'retry' keyword [skip ci] +- examples: reduce variable scopes + + Closes https://github.com/curl/curl/pull/3919 -- RELEASE-NOTES: synced +- http2-download: fix format specifier + + Closes https://github.com/curl/curl/pull/3919 -- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse +Daniel Stenberg (22 May 2019) +- PolarSSL: deprecate support step 1. Removed from configure. - ... and disconnect too old ones instead of trying to reuse. + Also removed mentions from most docs. - Default max age is set to 118 seconds. + Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html - Ref: #3722 - Closes #3782 - -Daniel Gustafsson (20 Apr 2019) -- [Po-Chuan Hsieh brought this change] + Closes #3888 - altsvc: Fix building with cookies disables +- configure/cmake: check for if_nametoindex() - ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if - check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is - disabled. Fix by splitting out the function into a separate file which can - be included where needed. + - adds the check to cmake - Closes #3717 - Reviewed-by: Daniel Gustafsson - Reviewed-by: Marcel Raad - -Daniel Stenberg (20 Apr 2019) -- test1002: correct the name [skip ci] - -- test660: verify CONNECT_ONLY with IMAP + - fixes the configure check to work for cross-compiled windows builds - which basically just makes sure LOGOUT is *not* issued on disconnect + Closes #3917 -- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - - Since the connection has been used by the "outside" we don't know the - state of it anymore and curl should not use it anymore. 
- - Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html +- parse_proxy: use the IPv6 zone id if given - Closes #3795 - -- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) + If the proxy string is given as an IPv6 numerical address with a zone + id, make sure to use that for the connect to the proxy. - The list of names must be in sync with the defined states in the header - file! - -Steve Holme (16 Apr 2019) -- openvms: Remove pre-processors for Windows as VMS cannot support them - -- openvms: Remove pre-processor for SecureTransport as VMS cannot support it + Reported-by: Edmond Yu - Fixes #3768 - Closes #3785 - -Jay Satiro (16 Apr 2019) -- TODO: Add issue link to an existing entry - -Daniel Stenberg (16 Apr 2019) -- RELEASE-NOTES: synced + Fixes #3482 + Closes #3918 -Jay Satiro (16 Apr 2019) -- tool_help: Warn if curl and libcurl versions do not match - - .. because functionality may be affected if the versions differ. - - This commit implements TODO 18.7 "warning if curl version is not in sync - with libcurl version". - - Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 - - Closes https://github.com/curl/curl/pull/3774 +Version 7.65.0 (22 May 2019) -Steve Holme (16 Apr 2019) -- md5: Update the function signature following d84da52d +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release -- md5: Forgot to update the code alignment in d84da52d +- THANKS: from the 7.65.0 release-notes -- md5: Return CURLcode from the internally accessible functions +- url: convert the zone id from a IPv6 URL to correct scope id - Following 28f826b3 to return CURLE_OK instead of numeric 0. + Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 -Daniel Gustafsson (15 Apr 2019) -- tests: Run global cleanup at end of tests +- configure: detect getsockname and getpeername on windows too - Make sure to run curl_global_cleanup() when shutting down the test - suite to release any resources allocated in the SSL setup. 
This is - clearly visible when running tests with PolarSSL where the thread - lock calloc() memory which isn't released when not running cleanup. - Below is an excerpt from the autobuild logs: + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. - ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 - ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) - ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) - ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup - (polarssl_threadlock.c:54) - ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) - ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) - ==12368== by 0x118B4C: global_init (easy.c:158) - ==12368== by 0x118BF5: curl_global_init (easy.c:221) - ==12368== by 0x118D0B: curl_easy_init (easy.c:299) - ==12368== by 0x114E96: test (lib1906.c:32) - ==12368== by 0x115495: main (first.c:174) + Follow-up to e91e4816123 - Closes #3783 - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg + Fixes #3913 + Closes #3915 -Marcel Raad (15 Apr 2019) -- travis: use mbedtls from Xenial +Marcel Raad (21 May 2019) +- examples: remove unused variables - No need to build it from source anymore. + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3779 + Closes -- travis: use libpsl from Xenial +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused - This makes building libpsl and libidn2 from source unnecessary and - removes the need for the autopoint and libunistring-dev packages. + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. 
- Closes https://github.com/curl/curl/pull/3779 + Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg -Daniel Stenberg (15 Apr 2019) -- runtests: start socksd like other servers +- ftp: move ftp_ccc in under featureflag - ... without a $srcdir prefix. Triggered by the failures in several - autobuilds. + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. - Closes #3781 + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad -Daniel Gustafsson (14 Apr 2019) -- socksd: Fix typos +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options - Reviewed-by: Daniel Stenberg + Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 -- socksd: Properly decorate static variables - - Mark global variables static to avoid compiler warning in Clang when - using -Wmissing-variable-declarations. +- [Guy Poizat brought this change] + + mbedtls: enable use of EC keys - Closes #3778 - Reviewed-by: Daniel Stenberg + Closes #3892 -Steve Holme (14 Apr 2019) -- md(4|5): Fixed indentation oddities with the importation of replacement code +- lib1560: add tests for parsing URL with too long scheme - The indentation from 211d5329 and 57d6d253 was a little strange as - parts didn't align correctly, uses 4 spaces rather than 2. Checked - the indentation of the original source so it aligns, albeit, using - curl style. + Ref: #3905 -- md5: Code style to return CURLE_OK rather than numeric 0 +- [Omar Ramadan brought this change] -- md5: Corrected code style for some pointer arguments + urlapi: increase supported scheme length to 40 bytes + + The longest currently registered URI scheme at IANA is 36 bytes long. 
+ + Closes #3905 + Closes #3900 -Marcel Raad (13 Apr 2019) -- travis: update some builds to xenial +Marcel Raad (20 May 2019) +- lib: reduce variable scopes - Xenial comes with more up-to-date software versions and more available - packages, some of which we currently build from source. Unfortunately, - some builds would fail with Xenial because of assertion failures in - Valgrind when using OpenSSL, so leave these at Trusty. + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3777 + Closes https://github.com/curl/curl/pull/3872 -Daniel Stenberg (13 Apr 2019) -- test: make tests and test scripts use socksd for SOCKS +- tool_formparse: remove redundant assignment - Make all SOCKS tests use socksd instead of ssh. + Just initialize word_begin with the correct value. + + Closes https://github.com/curl/curl/pull/3873 -- socksd: new SOCKS 4+5 server for tests +- ssh: move variable declaration to where it's used - Closes #3752 + This way, we need only one call to free. + + Closes https://github.com/curl/curl/pull/3873 -- singleipconnect: show port in the verbose "Trying ..." message +- ssh-libssh: remove unused variable - To aid debugging better. + sock was only used to be assigned to fd_read. + + Closes https://github.com/curl/curl/pull/3873 -- [tmilburn brought this change] +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix - CURLOPT_ADDRESS_SCOPE: fix range check and more +- tftp: use the current blksize for recvfrom() - Commit 9081014 fixed most of the confusing issues between scope id and - scope however 844896d added bad limits checking assuming that the scope - is being set and not the scope id. + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 + +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl - I have fixed the documentation so it all refers to scope ids. 
+ When running a multi TLS backend build the version string needs more + buffer space. Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. - In addition Curl_if2ip refered to the scope id as remote_scope_id which - is incorrect, so I renamed it to local_scope_id. + Closes #3875 + Reviewed-by: Daniel Stenberg + +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request - Adjusted-by: Daniel Stenberg + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). - Closes #3655 - Closes #3765 - Fixes #3713 + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. + + Missed in fe6049f0. -- urlapi: stricter CURLUPART_PORT parsing +- http_ntlm_wb: Cleanup handshake after clean NTLM failure - Only allow well formed decimal numbers in the input. + Missed in 50b87c4e. + +- http_ntlm_wb: Return the correct error on receiving an empty auth message - Document that the number MUST be between 1 and 65535. + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. - Add tests to test 1560 to verify the above. 
+ Closes #3894 + +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl - Ref: https://github.com/curl/curl/issues/3753 - Closes #3762 + Closes #3844 -Jay Satiro (13 Apr 2019) -- [Jan Ehrhardt brought this change] +- libcurl: #ifdef away more code for disabled features/protocols - winbuild: Support MultiSSL builds +- progress: CURL_DISABLE_PROGRESS_METER + +- hostip: CURL_DISABLE_SHUFFLE_DNS + +- netrc: CURL_DISABLE_NETRC + +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] - - Remove the lines in winbuild/Makefile.vc that generate an error with - multiple SSL backends. + Approved-by: Daniel Stenberg + Closes #3896 + +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] - - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL - backends are set. + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 + +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build - Closes https://github.com/curl/curl/pull/3772 + Closes #3887 -Daniel Stenberg (12 Apr 2019) -- travis: remove mesalink builds (temporarily?) +- cleanup: remove FIXME and TODO comments - Since the mesalink build started to fail on travis, even though we build - a fixed release version, we disable it to prevent it from blocking - progress. + They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. - Closes #3767 + Ref: #3876 + Closes #3883 -- openssl: mark connection for close on TLS close_notify +- curl: don't set FTP options for FTP-disabled builds - Without this, detecting and avoid reusing a closed TLS connection - (without a previous GOAWAY) when doing HTTP/2 is tricky. + ... since libcurl has started to be totally unaware of options for + disabled protocols they now return error. 
- Reported-by: Tom van der Woerdt - Fixes #3750 - Closes #3763 - -- RELEASE-NOTES: synced + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + + Reported-by: Marcel Raad + Closes #3886 -Steve Holme (11 Apr 2019) -- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 +Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function - Functionally this doesn't change anything as we still use the username - for both the authorisation identity and the authentication identity. + This brings the code inline with the other HTTP authentication mechanisms. - Closes #3757 + Closes #3890 -Daniel Stenberg (11 Apr 2019) -- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - - Based-on-code-by: Poul T Lomholt +Daniel Stenberg (15 May 2019) +- RELEASE-NOTES: synced -- url: always clone the CUROPT_CURLU handle +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] + +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] - Since a few code paths actually update that data. + Reported-by: Roy Bellingan + Bug: #3885 + +- parse_proxy: use the URL parser API - Fixes #3753 - Closes #3761 + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. - Reported-by: Poul T Lomholt + Closes #3878 -- CURLOPT_DNS_USE_GLOBAL_CACHE: remove +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure - Remove the code too. The functionality has been disabled in code since - 7.62.0. Setting this option will from now on simply be ignored and have - no function. + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. - Closes #3654 + Closes #3882 -Marcel Raad (11 Apr 2019) -- travis: install libgnutls28-dev only for --with-gnutls build - - Reduces the time needed for the other jobs a little. 
+- http_ntlm: Move the NTLM state out of the ntlmdata structure - Closes https://github.com/curl/curl/pull/3721 + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. -- travis: install libnss3-dev only for --with-nss build +- url: Move the negotiate state type into a dedicated enum + +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - Reduces the time needed for the other jobs a little. + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). - Closes https://github.com/curl/curl/pull/3721 + Closes #3881 -- travis: install libssh2-dev only for --with-libssh2 build +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL - Reduces the time needed for the other jobs a little. + Updated test 1560 to verify. - Closes https://github.com/curl/curl/pull/3721 + Closes #3880 -- travis: install libssh-dev only for --with-libssh build +- configure: error out if OpenSSL wasn't detected when asked for - Reduces the time needed for the other jobs a little. + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. - Closes https://github.com/curl/curl/pull/3721 + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 -- travis: install krb5-user only for --with-gssapi build +Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment + +Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() - Reduces the time needed for the other jobs a little. + No need to set variables to zero as calloc() does this for us. - Closes https://github.com/curl/curl/pull/3721 + Closes #3879 -- travis: install lcov only for the coverage job - - Reduces the time needed for the other jobs a little. 
+Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - Closes https://github.com/curl/curl/pull/3721 + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 -- travis: install clang only when needed +Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow - This reduces the GCC job runtimes a little and it's needed to - selectively update clang builds to xenial. + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. - Closes https://github.com/curl/curl/pull/3721 + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg -- AppVeyor: enable testing for WinSSL build - - Closes https://github.com/curl/curl/pull/3725 +Daniel Stenberg (13 May 2019) +- RELEASE-NOTES: synced -- build: fix Codacy/CppCheck warnings +- appveyor: also build "/ci" branches like travis + +- pingpong: disable more when no pingpong enabled + +- proxy: acknowledge DISABLE_PROXY more + +- parsedate: CURL_DISABLE_PARSEDATE + +- sasl: only enable if there's a protocol enabled using it + +- mime: acknowledge CURL_DISABLE_MIME + +- wildcard: disable from build when FTP isn't present + +- http: CURL_DISABLE_HTTP_AUTH + +- base64: build conditionally if there are users + +- doh: CURL_DISABLE_DOH + +Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions - - remove unused variables - - declare conditionally used variables conditionally - - suppress unused variable warnings in the CMake tests - - remove dead variable stores - - consistently use WIN32 macro to detect Windows + For consistency and to a avoid confusion. 
- Closes https://github.com/curl/curl/pull/3739 + Closes #3869 -- polarssl_threadlock: remove conditionally unused code - - Make functions no-ops if neither both USE_THREADS_POSIX and - HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are - defined. Previously, if only one of them was defined, there was either - code compiled that did nothing useful or the wrong header included for - the functions used. +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] + + docs/INSTALL: fix broken link [ci skip] - Also, move POLARSSL_MUTEX_T define to implementation file as it's not - used externally. + Reported-by: Joombalaya on github + Fixes #3818 + +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning - Closes https://github.com/curl/curl/pull/3739 + I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. -- lib557: initialize variables +- build: fix "clarify calculation precedence" warnings - These variables are only conditionally initialized. + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. - Closes https://github.com/curl/curl/pull/3739 + Closes https://github.com/curl/curl/pull/3866 -- lib509: add missing include for strdup +- cmake: restore C89 compatibility of CurlTests.c - Closes https://github.com/curl/curl/pull/3739 + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. + + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 -- README.md: fix no-consecutive-blank-lines Codacy warning +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard - Consistently use one blank line between blocks. + Missed in f0bdd72c. 
- Closes https://github.com/curl/curl/pull/3739 + Closes #3867 -- tests/server/util: fix Windows Unicode build - - Always use the ANSI version of FormatMessage as we don't have the - curl_multibyte gear available here. +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - Closes https://github.com/curl/curl/pull/3758 + Closes #3861 -Daniel Stenberg (11 Apr 2019) -- curl_easy_getinfo.3: fix minor formatting mistake +- http_negotiate: Don't expose functions when HTTP is disabled -Daniel Gustafsson (11 Apr 2019) -- xattr: skip unittest on unsupported platforms +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] + +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings - The stripcredentials unittest fails to compile on platforms without - xattr support, for example the Solaris member in the buildfarm which - fails with the following: + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work - CC unit1621-unit1621.o - CC ../libtest/unit1621-first.o - CCLD unit1621 - Undefined first referenced - symbol in file - stripcredentials unit1621-unit1621.o - goto problem 2 - ld: fatal: symbol referencing errors. No output written to .libs/unit1621 - collect2: error: ld returned 1 exit status - gmake[2]: *** [Makefile:996: unit1621] Error 1 + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. - Fix by excluding the test on such platforms by using the reverse - logic from where stripcredentials() is defined. + Limitation added to KNOWN_BUGS. - Closes #3759 - Reviewed-by: Daniel Stenberg + Fixes #3850 + Closes #3857 -Steve Holme (11 Apr 2019) -- emailL Added reference to RFC8314 for implicit TLS +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples + + .. because we allow snprintf use in docs/examples. 
+ + Closes https://github.com/curl/curl/pull/3862 -- README: Schannel, stop calling it "winssl" +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - Stick to "Schannel" everywhere - follow up to 180501cb. + ...and misalignment of these comments. From a78c61a4. + + Closes #3860 -Jakub Zakrzewski (10 Apr 2019) -- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" - This fixes GSSAPI builds with the libraries in a non-standard location. - The testing for recv() were failing because it failed to link - the Kerberos libraries, which are not needed for this or subsequent - tests. + This reverts commit b0972bc. - fixes #3743 - closes #3744 + - No longer show verbose output for the conncache closure handle. + + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. + + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. + + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. + + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. 
+ + Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch + + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 + + Closes https://github.com/curl/curl/pull/3856 -- cmake: avoid linking executable for some tests with cmake 3.6+ +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() - (which is used by check_c_source_compiles()) will build static library - instead of executable. This avoids linking additional libraries in and thus - speeds up those checks a little. + From 6012fa5a. - This commit also avoids #3743 (GSSAPI build errors) on itself with cmake - 3.6 or above. That issue was fixed separately for all versions. + Closes #3858 + +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] + +- RELEASE-NOTES: synced + +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - Ref: #3744 + Closes #3839 -- cmake: minor cleanup +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal - - Remove nneeded include_regular_expression. - It was setting what is already a default. + Fixes #3726 + Closes #3849 + +- spnego_gssapi: fix return code on gss_init_sec_context() failure - - Remove duplicated include. + Fixes #3726 + Closes #3849 + +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command - - Don't check for pre-3.0.0 CMake version. - We already require at least 3.0.0, so it's just clutter. + There is need to use @ on every command once echo has been turned off. - Ref: #3744 + Closes #3854 -Steve Holme (8 Apr 2019) -- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ +Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies + + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. 
+ + We already do something similar for HTTPS proxies by not sending h2. [1] + + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. + + [1]: https://github.com/curl/curl/commit/17c5d05 + + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 + + Closes https://github.com/curl/curl/pull/3853 -- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial + + Closes https://github.com/curl/curl/pull/3842 -- build-openssl.bat: Perform the install for each build type directly after the build +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] -- build-openssl.bat: Split the install of static and shared build types + OpenSSL: Report -fips in version if OpenSSL is built with FIPS + + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. This + only appears to be applicable in versions of OpenSSL <1.1.1 + + Closes #3771 -- build-openssl.bat: Split the building of static and shared build types +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] -- build-openssl.bat: Move the installation into a separate function + nss: allow fifos and character devices for certificates. 
+ + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. + + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. + + Closes #3807 -- build-openssl.bat: Move the build step into a separate function +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description -- build-openssl.bat: Move the OpenSSL configuration into a separate function +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) + + Closes #3846 -- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files + +- makedebug: Fix ERRORLEVEL detection after running where.exe - Should the parent environment set this variable then the build might - not be performed as the user intended. + Closes #3838 -Daniel Stenberg (8 Apr 2019) -- socks: fix error message +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get + + The zoneid can be used with IPv6 numerical addresses. + + Updated test 1560 to verify. + + Closes #3834 -- config.d: clarify that initial : and = might need quoting [skip ci] +- [Taiyu Len brought this change] + + WRITEFUNCTION: add missing set_in_callback around callback - Fixes #3738 - Closes #3749 + Closes #3837 - RELEASE-NOTES: synced - - bumped to 7.65.0 for next release -- socks5: user name and passwords must be shorter than 256 +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - bytes... since the protocol needs to store the length in a single byte field. 
+ Reported-by: Ricardo Gomes - Reported-by: XmiliaH on github - Fixes #3737 - Closes #3740 + Bug: #3537 + Closes #3836 -- [Jakub Zakrzewski brought this change] +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. + + Fixes #3829 + Closes #3835 - test: urlapi: urlencode characters above 0x7f correctly +- OS400/ccsidcurl.c: code style fixes -- [Jakub Zakrzewski brought this change] +- OS400/ccsidcurl: replace use of Curl_vsetopt + + (and make the code style comply) + + Fixes #3833 - urlapi: urlencode characters above 0x7f correctly +- urlapi: strip off scope id from numerical IPv6 addresses - fixes #3741 - Closes #3742 + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. + + Also makes curl_url_set() syntax check CURLUPART_HOST. + + Fixes #3817 + Closes #3822 -- [Even Rouault brought this change] +- RELEASE-NOTES: synced - multi_runsingle(): fix use-after-free +- multiif.h: remove unused protos - Fixes #3745 - Closes #3746 + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. 
- The following snippet - ``` - - int main() - { - CURL* hCurlHandle = curl_easy_init(); - curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); - curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); - curl_easy_perform(hCurlHandle); - curl_easy_cleanup(hCurlHandle); - return 0; - } - ``` - triggers the following Valgrind warning - - ``` - ==4125== Invalid read of size 8 - ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) - ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) - ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd - ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) - ==4125== by 0x4E62C36: conn_free (url.c:756) - ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) - ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) - ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Block was alloc'd at - ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) - ==4125== by 0x4E6438E: allocate_conn (url.c:1654) - ==4125== by 0x4E685B4: create_conn (url.c:3496) - ==4125== by 0x4E6968F: Curl_connect (url.c:4023) - ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main 
(in /home/even/curl/test) - ``` - - This has been bisected to commit 2f44e94 - - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 - Credit to OSS Fuzz - -- pipelining: removed - - As previously planned and documented in DEPRECATE.md, all pipelining - code is removed. - - Closes #3651 + Closes #3828 -- [cclauss brought this change] +- [Yiming Jing brought this change] - tests: make Impacket (SMB server) Python 3 compatible + travis: mesalink: temporarily disable test 3001 - Closes #3731 - Fixes #3289 + ... due to SHA-1 signatures in test certs -Marcel Raad (6 Apr 2019) -- [Simon Warta brought this change] +- [Yiming Jing brought this change] - cmake: set SSL_BACKENDS - - This groups all SSL backends into the feature "SSL" and sets the - SSL_BACKENDS analogue to configure.ac + travis: upgrade the MesaLink TLS backend to v1.0.0 - Closes https://github.com/curl/curl/pull/3736 - -- [Simon Warta brought this change] + Closes #3823 + Closes #3776 - cmake: don't run SORT on empty list +- ConnectionExists: improve non-multiplexing use case - In case of an empty list, SORTing leads to the cmake error "list - sub-command SORT requires list to be present." + - better log output - Closes https://github.com/curl/curl/pull/3736 - -Daniel Gustafsson (5 Apr 2019) -- [Eli Schwartz brought this change] + - make sure multiplex is enabled for it to be used - configure: fix default location for fish completions +- multi: provide Curl_multiuse_state to update information - Fish defines a vendor completions directory for completions that are not - installed as part of the fish project itself, and the vendor completions - are preferred if they exist. This prevents trying to overwrite the - builtin curl.fish completion (or creating file conflicts in distro - packaging). 
+ As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. + +- process_pending_handles: mark queued transfers as previously pending - Prefer the pkg-config defined location exported by fish, if it can be - found, and fall back to the correct directory defined by most systems. + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. + +- http: mark bundle as not for multiuse on < HTTP/2 response - Closes #3723 - Reviewed-by: Daniel Gustafsson + Fixes #3813 + Closes #3815 -Marcel Raad (5 Apr 2019) -- ftplistparser: fix LGTM alert "Empty block without comment" +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref - Removing the block is consistent with line 954/957. + In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. - Closes https://github.com/curl/curl/pull/3732 + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg -- transfer: fix LGTM alert "Comparison is always true" - - Just remove the redundant condition, which also makes it clear that - k->buf is always 0-terminated if this break is not hit. 
+Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings + +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init - Closes https://github.com/curl/curl/pull/3732 + Closes #3808 -Jay Satiro (4 Apr 2019) -- [Rikard Falkeborn brought this change] +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] - smtp: fix compiler warning + docs: minor polish to the bug bounty / security docs - - Fix clang string-plus-int warning. + Closes #3811 + +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - Clang 8 warns about adding a string to an int does not append to the - string. Indeed it doesn't, but that was not the intention either. Use - array indexing as suggested to silence the warning. There should be no - functional changes. + This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). - (In other words clang warns about "foo"+2 but not &"foo"[2] so use the - latter.) + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. - smtp.c:1221:29: warning: adding 'int' to a string does not append to the - string [-Wstring-plus-int] - eob = strdup(SMTP_EOB + 2); - ~~~~~~~~~~~~~~~~^~~~ + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. - Closes https://github.com/curl/curl/pull/3729 + Test 1559 verifies. + + Closes #3805 -Marcel Raad (4 Apr 2019) -- VS projects: use Unicode for VC10+ +- [Tseng Jun brought this change] + + curlver.h: use parenthesis in CURL_VERSION_BITS macro - All Windows APIs have been natively UTF-16 since Windows 2000 and the - non-Unicode variants are just wrappers around them. Only Windows 9x - doesn't understand Unicode without the UnicoWS DLL. 
As later Visual - Studio versions cannot target Windows 9x anyway, using the ANSI API - doesn't really have any benefit there. + Closes #3809 + +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] + + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP - This avoids issues like KNOWN_BUGS 6.5. + Closes https://github.com/curl/curl/pull/3769 + +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 - Ref: https://github.com/curl/curl/issues/2120 - Closes https://github.com/curl/curl/pull/3720 + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. -Daniel Gustafsson (3 Apr 2019) -- RELEASE-NOTES: synced +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item - Bump the version in progress to 7.64.2, if we merge any "change" - before the cut-off date we can update the version. + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. -- [Tim Rühsen brought this change] +- [Aron Bergman brought this change] - documentation: Fix several typos + INTERNALS: Add structs to ToC - Closes #3724 - Reviewed-by: Jakub Zakrzewski - Reviewed-by: Daniel Gustafsson + Add the subsections under "Structs in libcurl" to the table of contents. + + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -Jay Satiro (2 Apr 2019) -- [Mert Yazıcıoğlu brought this change] +- [Aron Bergman brought this change] - vauth/oauth2: Fix OAUTHBEARER token generation - - OAUTHBEARER tokens were incorrectly generated in a format similar to - XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the - RFC7628. 
+ INTERNALS: Add code highlighting - Fixes: #2487 - Reported-by: Paolo Mossino + Make all struct members under the Curl_handler section + print in monospace font. - Closes https://github.com/curl/curl/pull/3377 + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -Marcel Raad (2 Apr 2019) -- tool_cb_wrt: fix bad-function-cast warning +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] - Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the - warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. - Extend fhnd's scope and reuse that variable instead of calling - _get_osfhandle a second time to fix the warning again. + Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. - Closes https://github.com/curl/curl/pull/3718 - -- VC15 project: remove MinimalRebuild + Assisted-by: Daniel Gustafsson - Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the - library project, but I forgot the tool project template. Now also - removed for that. + Closes #3488 -Dan Fandrich (1 Apr 2019) -- cirrus: Customize the disabled tests per FreeBSD version +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - Try to run as many test cases as possible on each OS version. - 12.0 passes 13 more tests than the older versions, so we might as well - run them. + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. 
-Daniel Stenberg (1 Apr 2019) -- tool_help: include for strcasecmp - - Reported-by: Wyatt O'Day - Fixes #3715 - Closes #3716 +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] -Daniel Gustafsson (31 Mar 2019) -- scripts: fix typos + memdebug: fix variable name + + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 -Dan Fandrich (28 Mar 2019) -- travis: allow builds on branches named "ci" +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty - This allows a way to test changes other than through PRs. + Follow up to 762a292f. -Daniel Stenberg (27 Mar 2019) -- [Brad Spencer brought this change] +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - - Closes #3699 +- RELEASE-NOTES: synced -- multi: improved HTTP_1_1_REQUIRED handling +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error - on first flight. + ... and disconnect too old ones instead of trying to reuse. - Reported-by: niner on github - Fixes #3696 - Closes #3707 - -- [Leonardo Taccari brought this change] - - configure: avoid unportable `==' test(1) operator + Default max age is set to 118 seconds. - Closes #3709 - -Version 7.64.1 (27 Mar 2019) + Ref: #3722 + Closes #3782 -Daniel Stenberg (27 Mar 2019) -- RELEASE: 7.64.1 +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] -- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" + altsvc: Fix building with cookies disables - This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. 
Fix by splitting out the function into a separate file which can + be included where needed. - Fixes #3708 + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad -- [Christian Schmitz brought this change] +Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] - ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set +- test660: verify CONNECT_ONLY with IMAP - Closes #3704 + which basically just makes sure LOGOUT is *not* issued on disconnect -Jay Satiro (26 Mar 2019) -- tool_cb_wrt: fix writing to Windows null device NUL - - - Improve console detection. +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - Prior to this change WriteConsole could be called to write to a handle - that may not be a console, which would cause an error. This issue is - limited to character devices that are not also consoles such as the null - device NUL. + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. - Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 - Reported-by: Gisle Vanem - -- CURLMOPT_PIPELINING.3: fix typo - -Daniel Stenberg (25 Mar 2019) -- TODO: config file parsing + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html - Closes #3698 + Closes #3795 -Jay Satiro (24 Mar 2019) -- os400: Disable Alt-Svc by default since it's experimental - - Follow-up to 520f0b4 which added Alt-Svc support and enabled it by - default for OS400. Since the feature is experimental, it should be - disabled by default. - - Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 - Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) - Closes https://github.com/curl/curl/pull/3688 + The list of names must be in sync with the defined states in the header + file! -Dan Fandrich (24 Mar 2019) -- tests: Fixed XML validation errors in some test files. 
+Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them -- tests: Fix some incorrect precheck error messages. +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it - [ci skip] + Fixes #3768 + Closes #3785 -Daniel Stenberg (22 Mar 2019) -- curl_url.3: this is not experimental anymore +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry -- travis: bump the used wolfSSL version to 4.0.0 +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced + +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match - Test 311 is now fine, leaving only 313 (CRL) disabled. + .. because functionality may be affected if the versions differ. - Test 313 details can be found here: - https://github.com/wolfSSL/wolfssl/issues/1546 + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". - Closes #3697 + Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + + Closes https://github.com/curl/curl/pull/3774 -Daniel Gustafsson (22 Mar 2019) -- lib: Fix typos in comments +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d -David Woodhouse (20 Mar 2019) -- openssl: if cert type is ENG and no key specified, key is ENG too - - Fixes #3692 - Closes #3692 +- md5: Forgot to update the code alignment in d84da52d -Daniel Stenberg (20 Mar 2019) -- sectransp: tvOS 11 is required for ALPN support +- md5: Return CURLcode from the internally accessible functions - Reported-by: nianxuejie on github - Assisted-by: Nick Zitzmann - Assisted-by: Jay Satiro - Fixes #3689 - Closes #3690 + Following 28f826b3 to return CURLE_OK instead of numeric 0. -- test1541: threaded connection sharing +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests - The threaded-shared-conn.c example turned into test case. Only works if - pthread was detected. 
+ Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. + Below is an excerpt from the autobuild logs: - An attempt to detect future regressions such as e3a53e3efb942a5 + ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) - Closes #3687 + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg -Patrick Monnerat (17 Mar 2019) -- os400: alt-svc support. +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial - Although experimental, enable it in the platform config file. - Upgrade ILE/RPG binding. - -Daniel Stenberg (17 Mar 2019) -- conncache: use conn->data to know if a transfer owns it + No need to build it from source anymore. - - make sure an already "owned" connection isn't returned unless - multiplexed. + Closes https://github.com/curl/curl/pull/3779 + +- travis: use libpsl from Xenial - - clear ->data when returning the connection to the cache again + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. 
- Regression since 7.62.0 (probably in commit 1b76c38904f0) + Closes https://github.com/curl/curl/pull/3779 + +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers - Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. - Closes #3686 - -- RELEASE-NOTES: synced + Closes #3781 -- [Chris Young brought this change] +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos + + Reviewed-by: Daniel Stenberg - configure: add --with-amissl +- socksd: Properly decorate static variables - AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. - It also requires all programs using it to use bsdsocket.library - directly, rather than accessing socket functions through clib, which - libcurl was not necessarily doing previously. Configure will now check - for the headers and ensure they are included if found. + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. - Closes #3677 - -- [Chris Young brought this change] + Closes #3778 + Reviewed-by: Daniel Stenberg - vtls: rename some of the SSL functions +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code - ... in the SSL structure as AmiSSL is using macros for the socket API - functions. - -- [Chris Young brought this change] - - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. Checked + the indentation of the original source so it aligns, albeit, using + curl style. 
-- [Chris Young brought this change] +- md5: Code style to return CURLE_OK rather than numeric 0 - tool_operate: build on AmigaOS +- md5: Corrected code style for some pointer arguments -- makefile: make checksrc and hugefile commands "silent" +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial - ... to match the style already used for compiling, linking - etc. Acknowledges 'make V=1' to enable verbose. + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. - Closes #3681 + Closes https://github.com/curl/curl/pull/3777 -- curl.1: --user and --proxy-user are hidden from ps output - - Suggested-by: Eric Curtin - Improved-by: Dan Fandrich - Ref: #3680 +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS - Closes #3683 + Make all SOCKS tests use socksd instead of ssh. -- curl.1: mark the argument to --cookie as - - From a discussion in #3676 - - Suggested-by: Tim Rühsen +- socksd: new SOCKS 4+5 server for tests - Closes #3682 - -Dan Fandrich (14 Mar 2019) -- fuzzer: Only clone the latest fuzzer code, for speed. 
- -Daniel Stenberg (14 Mar 2019) -- [Dominik Hölzl brought this change] + Closes #3752 - Negotiate: fix for HTTP POST with Negotiate - - * Adjusted unit tests 2056, 2057 - * do not generally close connections with CURLAUTH_NEGOTIATE after every request - * moved negotiatedata from UrlState to connectdata - * Added stream rewind logic for CURLAUTH_NEGOTIATE - * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC - * Consider authproblem state for CURLAUTH_NEGOTIATE - * Consider reuse_forbid for CURLAUTH_NEGOTIATE - * moved and adjusted negotiate authentication state handling from - output_auth_headers into Curl_output_negotiate - * Curl_output_negotiate: ensure auth done is always set - * Curl_output_negotiate: Set auth done also if result code is - GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may - also indicate the last challenge request (only works with disabled - Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) - * Consider "Persistent-Auth" header, detect if not present; - Reset/Cleanup negotiate after authentication if no persistent - authentication - * apply changes introduced with #2546 for negotiate rewind logic +- singleipconnect: show port in the verbose "Trying ..." message - Fixes #1261 - Closes #1975 + To aid debugging better. -- [Marc Schlatter brought this change] +- [tmilburn brought this change] - http: send payload when (proxy) authentication is done + CURLOPT_ADDRESS_SCOPE: fix range check and more - The check that prevents payload from sending in case of authentication - doesn't check properly if the authentication is done or not. + Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. - They're cases where the proxy respond "200 OK" before sending - authentication challenge. This change takes care of that. + I have fixed the documentation so it all refers to scope ids. 
- Fixes #2431 - Closes #3669 - -- file: fix "Checking if unsigned variable 'readcount' is less than zero." + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. - Pointed out by codacy + Adjusted-by: Daniel Stenberg - Closes #3672 + Closes #3655 + Closes #3765 + Fixes #3713 -- memdebug: log pointer before freeing its data +- urlapi: stricter CURLUPART_PORT parsing - Coverity warned for two potentional "Use after free" cases. Both are false - positives because the memory wasn't used, it was only the actual pointer - value that was logged. + Only allow well formed decimal numbers in the input. - The fix still changes the order of execution to avoid the warnings. + Document that the number MUST be between 1 and 65535. - Coverity CID 1443033 and 1443034 + Add tests to test 1560 to verify the above. - Closes #3671 + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 -- RELEASE-NOTES: synced +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] -Marcel Raad (12 Mar 2019) -- travis: actually use updated compiler versions + winbuild: Support MultiSSL builds - For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the - new GCC versions were only used for the coverage build and for building - nghttp2, while the new clang version was not used at all. + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. - BoringSSL needs to use the default GCC as it respects CC, but not CXX, - so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. - Also remove GCC 7, it's not needed anymore. + Closes https://github.com/curl/curl/pull/3772 + +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) 
- Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. - Closes https://github.com/curl/curl/pull/3670 + Closes #3767 -- travis: update clang to version 7 +- openssl: mark connection for close on TLS close_notify - Closes https://github.com/curl/curl/pull/3670 + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. + + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 -Jay Satiro (11 Mar 2019) -- [Andre Guibert de Bruet brought this change] +- RELEASE-NOTES: synced - examples/externalsocket: add missing close socket calls - - .. and for Windows also call WSACleanup since we call WSAStartup. +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - The example is to demonstrate handling the socket independently of - libcurl. In this case libcurl is not responsible for creating, opening - or closing the socket, it is handled by the application (our example). + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. - Fixes https://github.com/curl/curl/pull/3663 + Closes #3757 -Daniel Stenberg (11 Mar 2019) -- multi: removed unused code for request retries - - This code was once used for the non multi-interface using code path, but - ever since easy_perform was turned into a wrapper around the multi - interface, this code path never runs. 
+Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - Closes #3666 + Based-on-code-by: Poul T Lomholt -Jay Satiro (11 Mar 2019) -- doh: inherit some SSL options from user's easy handle +- url: always clone the CUROPT_CURLU handle - - Inherit SSL options for the doh handle but not SSL client certs, - SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, - SSL pinned public key, SSL ciphers, SSL id cache setting, - SSL kerberos or SSL gss-api settings. + Since a few code paths actually update that data. - - Fix inheritance of verbose setting. + Fixes #3753 + Closes #3761 - - Inherit NOSIGNAL. + Reported-by: Poul T Lomholt + +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - There is no way for the user to set options for the doh (DNS-over-HTTPS) - handles and instead we inherit some options from the user's easy handle. + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. - My thinking for the SSL options not inherited is they are most likely - not intended by the user for the DOH transfer. I did inherit insecure - because I think that should still be in control of the user. + Closes #3654 + +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build - Prior to this change doh did not work for me because CAINFO was not - inherited. Also verbose was set always which AFAICT was a bug (#3660). + Reduces the time needed for the other jobs a little. - Fixes https://github.com/curl/curl/issues/3660 - Closes https://github.com/curl/curl/pull/3661 + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (9 Mar 2019) -- test331: verify set-cookie for dotless host name +- travis: install libnss3-dev only for --with-nss build - Reproduced bug #3649 - Closes #3659 + Reduces the time needed for the other jobs a little. 
+ + Closes https://github.com/curl/curl/pull/3721 -- Revert "cookies: extend domain checks to non psl builds" +- travis: install libssh2-dev only for --with-libssh2 build - This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + Reduces the time needed for the other jobs a little. - Regression shipped in 7.64.0 - Fixes #3649 + Closes https://github.com/curl/curl/pull/3721 -- memdebug: make debug-specific functions use curl_dbg_ prefix +- travis: install libssh-dev only for --with-libssh build - To not "collide" or use up the regular curl_ name space. Also makes them - easier to detect in helper scripts. + Reduces the time needed for the other jobs a little. - Closes #3656 + Closes https://github.com/curl/curl/pull/3721 -- cmdline-opts/proxytunnel.d: the option tunnnels all protocols +- travis: install krb5-user only for --with-gssapi build - Clarify the language and simplify. + Reduces the time needed for the other jobs a little. - Reported-by: Daniel Lublin - Closes #3658 + Closes https://github.com/curl/curl/pull/3721 -- KNOWN_BUGS: Client cert (MTLS) issues with Schannel +- travis: install lcov only for the coverage job - Closes #3145 - -- ROADMAP: updated to some more current things to work on - -- tests: fix multiple may be used uninitialized warnings - -- RELEASE-NOTES: synced + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -- source: fix two 'nread' may be used uninitialized warnings +- travis: install clang only when needed - Both seem to be false positives but we don't like warnings. + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. - Closes #3646 + Closes https://github.com/curl/curl/pull/3721 -- gopher: remove check for path == NULL +- AppVeyor: enable testing for WinSSL build - Since it can't be NULL and it makes Coverity believe we lack proper NULL - checks. Verified by test 659, landed in commit 15401fa886b. 
+ Closes https://github.com/curl/curl/pull/3725 + +- build: fix Codacy/CppCheck warnings - Pointed out by Coverity CID 1442746. + - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows - Assisted-by: Dan Fandrich - Fixes #3617 - Closes #3642 + Closes https://github.com/curl/curl/pull/3739 -- examples: only include - - That's the only public curl header we should encourage use of. +- polarssl_threadlock: remove conditionally unused code - Reviewed-by: Marcel Raad - Closes #3645 - -- ssh: loop the state machine if not done and not blocking - - If the state machine isn't complete, didn't fail and it didn't return - due to blocking it can just as well loop again. + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. - This addresses the problem with SFTP directory listings where we would - otherwise return back to the parent and as the multi state machine - doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the - doing phase isn't complete, it would return out when in reality there - was more data to deal with. + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. - Fixes #3506 - Closes #3644 + Closes https://github.com/curl/curl/pull/3739 -Jay Satiro (5 Mar 2019) -- multi: support verbose conncache closure handle +- lib557: initialize variables - - Change closure handle to receive verbose setting from the easy handle - most recently added via curl_multi_add_handle. + These variables are only conditionally initialized. - The closure handle is a special easy handle used for closing cached - connections. 
It receives limited settings from the easy handle most - recently added to the multi handle. Prior to this change that did not - include verbose which was a problem because on connection shutdown - verbose mode was not acknowledged. + Closes https://github.com/curl/curl/pull/3739 + +- lib509: add missing include for strdup - Ref: https://github.com/curl/curl/pull/3598 + Closes https://github.com/curl/curl/pull/3739 + +- README.md: fix no-consecutive-blank-lines Codacy warning - Co-authored-by: Daniel Stenberg + Consistently use one blank line between blocks. - Closes https://github.com/curl/curl/pull/3618 + Closes https://github.com/curl/curl/pull/3739 -Daniel Stenberg (4 Mar 2019) -- CURLU: fix NULL dereference when used over proxy - - Test 659 verifies +- tests/server/util: fix Windows Unicode build - Also fixed the test 658 name + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. - Closes #3641 + Closes https://github.com/curl/curl/pull/3758 -- altsvc_out: check the return code from Curl_gmtime +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake + +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms - Pointed out by Coverity, CID 1442956. + The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: - Closes #3640 - -- docs/ALTSVC.md: docs describing the approach + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. 
No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 - Closes #3498 - -- alt-svc: add a travis build - -- alt-svc: add test 355 and 356 to verify with command line curl - -- alt-svc: the curl command line bits - -- alt-svc: the libcurl bits - -- travis: add build using gnutls + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. - Closes #3637 + Closes #3759 + Reviewed-by: Daniel Stenberg -- RELEASE-NOTES: synced +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS -- [Simon Legner brought this change] +- README: Schannel, stop calling it "winssl" + + Stick to "Schannel" everywhere - follow up to 180501cb. - scripts/completion.pl: also generate fish completion file +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - This is the renamed script formerly known as zsh.pl + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. - Closes #3545 + fixes #3743 + closes #3744 -- gnutls: remove call to deprecated gnutls_compression_get_name +- cmake: avoid linking executable for some tests with cmake 3.6+ - It has been deprecated by GnuTLS since a year ago and now causes build - warnings. + With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. - Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f - Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. 
That issue was fixed separately for all versions. - Closes #3636 + Ref: #3744 -Jay Satiro (2 Mar 2019) -- system_win32: move win32_init here from easy.c - - .. since system_win32 is a more appropriate location for the functions - and to extern the globals. +- cmake: minor cleanup - Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 - Reported-by: Gisle Vanem + - Remove nneeded include_regular_expression. + It was setting what is already a default. - Closes https://github.com/curl/curl/pull/3625 - -Daniel Stenberg (1 Mar 2019) -- curl_easy_duphandle.3: clarify that a duped handle has no shares + - Remove duplicated include. - Reported-by: Sara Golemon + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. - Fixes #3592 - Closes #3634 + Ref: #3744 -- 10-at-a-time.c: fix too long line +Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ -- [Arnaud Rebillout brought this change] +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) - examples: various fixes in ephiperfifo.c - - The main change here is the timer value that was wrong, it was given in - usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * - 1000). This resulted in the callback being invoked WAY TOO OFTEN. - - As a quick check you can run this command before and after applying this - commit: - - # shell 1 - ./ephiperfifo 2>&1 | tee ephiperfifo.log - # shell 2 - echo http://hacking.elboulangero.com > hiper.fifo - - Then just compare the size of the logs files. - - Closes #3633 - Fixes #3632 - 
Signed-off-by: Arnaud Rebillout +- build-openssl.bat: Perform the install for each build type directly after the build -- urldata: simplify bytecounters - - - no need to have them protocol specific - - - no need to set pointers to them with the Curl_setup_transfer() call - - - make Curl_setup_transfer() operate on a transfer pointer, not - connection - - - switch some counters from long to the more proper curl_off_t type - - Closes #3627 +- build-openssl.bat: Split the install of static and shared build types -- examples/10-at-a-time.c: improve readability and simplify - - - use better variable names to explain their purposes - - convert logic to curl_multi_wait() +- build-openssl.bat: Split the building of static and shared build types -- threaded-resolver: shutdown the resolver thread without error message - - When a transfer is done, the resolver thread will be brought down. That - could accidentally generate an error message in the error buffer even - though this is not an error situationand the transfer would still return - OK. An application that still reads the error buffer could find a - "Could not resolve host: [host name]" message there and get confused. - - Reported-by: Michael Schmid - Fixes #3629 - Closes #3630 +- build-openssl.bat: Move the installation into a separate function -- [Ԝеѕ brought this change] +- build-openssl.bat: Move the build step into a separate function - docs: update max-redirs.d phrasing - - clarify redir - "in absurdum" doesn't seem to make sense in this context - - Closes #3631 +- build-openssl.bat: Move the OpenSSL configuration into a separate function -- ssh: fix Condition '!status' is always true - - in the same sftp_done function in both SSH backends. Simplify them - somewhat. - - Pointed out by Codacy. +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised - Closes #3628 + Should the parent environment set this variable then the build might + not be performed as the user intended. 
-- test578: make it read data from the correct test +Daniel Stenberg (8 Apr 2019) +- socks: fix error message -- Curl_easy: remove req.maxfd - never used! +- config.d: clarify that initial : and = might need quoting [skip ci] - Introduced in 8b6314ccfb, but not used anymore in current code. Unclear - since when. + Fixes #3738 + Closes #3749 + +- RELEASE-NOTES: synced - Closes #3626 + bumped to 7.65.0 for next release -- http: set state.infilesize when sending formposts +- socks5: user name and passwords must be shorter than 256 - Without it set, we would unwillingly triger the "HTTP error before end - of send, stop sending" condition even if the entire POST body had been - sent (since it wouldn't know the expected size) which would - unnecessarily log that message and close the connection when it didn't - have to. + bytes... since the protocol needs to store the length in a single byte field. - Reported-by: Matt McClure - Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html - Closes #3624 + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 -- INSTALL: refer to the current TLS library names and configure options +- [Jakub Zakrzewski brought this change] -- FAQ: minor updates and spelling fixes + test: urlapi: urlencode characters above 0x7f correctly -- GOVERNANCE.md: minor spelling fixes +- [Jakub Zakrzewski brought this change] -- Secure Transport: no more "darwinssl" - - Everyone calls it Secure Transport, now we do too. + urlapi: urlencode characters above 0x7f correctly - Reviewed-by: Nick Zitzmann - - Closes #3619 + fixes #3741 + Closes #3742 -Marcel Raad (27 Feb 2019) -- AppVeyor: add classic MinGW build - - But use the MSYS2 shell rather than the default MSYS shell because of - POSIX path conversion issues. Classic MinGW is only available on the - Visual Studio 2015 image. 
- - Closes https://github.com/curl/curl/pull/3623 +- [Even Rouault brought this change] -- AppVeyor: add MinGW-w64 build + multi_runsingle(): fix use-after-free - Add a MinGW-w64 build using CMake's MSYS Makefiles generator. - Use the Visual Studio 2015 image as it has GCC 8, while the - Visual Studio 2017 image only has GCC 7.2. + Fixes #3745 + Closes #3746 - Closes https://github.com/curl/curl/pull/3623 - -Daniel Stenberg (27 Feb 2019) -- cookies: only save the cookie file if the engine is enabled + The following snippet + ``` - Follow-up to 8eddb8f4259. + int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning - If the cookieinfo pointer is NULL there really is nothing to save. + ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + 
==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` - Without this fix, we got a problem when a handle was using shared object - with cookies and is told to "FLUSH" it to file (which worked) and then - the share object was removed and when the easy handle was closed just - afterwards it has no cookieinfo and no cookies so it decided to save an - empty jar (overwriting the file just flushed). + This has been bisected to commit 2f44e94 - Test 1905 now verifies that this works. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz + +- pipelining: removed - Assisted-by: Michael Wallner - Assisted-by: Marcel Raad + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. - Closes #3621 + Closes #3651 -- [DaVieS brought this change] +- [cclauss brought this change] - cacertinmem.c: use multiple certificates for loading CA-chain + tests: make Impacket (SMB server) Python 3 compatible - Closes #3421 + Closes #3731 + Fixes #3289 -- urldata: convert bools to bitfields and move to end - - This allows the compiler to pack and align the structs better in - memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 - makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. - - Removed an unused struct field. +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] + + cmake: set SSL_BACKENDS - No functionality changes. 
+ This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac - Closes #3610 + Closes https://github.com/curl/curl/pull/3736 -- [Don J Olmstead brought this change] +- [Simon Warta brought this change] - curl.h: use __has_declspec_attribute for shared builds + cmake: don't run SORT on empty list - Closes #3616 - -- curl: display --version features sorted alphabetically + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." - Closes #3611 + Closes https://github.com/curl/curl/pull/3736 -- runtests: detect "schannel" as an alias for "winssl" - - Follow-up to 180501cb02 - - Reported-by: Marcel Raad - Fixes #3609 - Closes #3620 +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] -Marcel Raad (26 Feb 2019) -- AppVeyor: update to Visual Studio 2017 - - Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a - moving target anymore as the last update, Update 9, has been released. + configure: fix default location for fish completions - Closes https://github.com/curl/curl/pull/3606 - -- AppVeyor: switch VS 2015 builds to VS 2017 image + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). - The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. 
- Closes https://github.com/curl/curl/pull/3606 + Closes #3723 + Reviewed-by: Daniel Gustafsson -- AppVeyor: explicitly select worker image +Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" - Currently, we're using the default Visual Studio 2015 image for - everything. + Removing the block is consistent with line 954/957. - Closes https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3732 -Daniel Stenberg (26 Feb 2019) -- strerror: make the strerror function use local buffers - - Instead of using a fixed 256 byte buffer in the connectdata struct. - - In my build, this reduces the size of the connectdata struct by 11.8%, - from 2160 to 1904 bytes with no functionality or performance loss. - - This also fixes a bug in schannel's Curl_verify_certificate where it - called Curl_sspi_strerror when it should have called Curl_strerror for - string from GetLastError. the only effect would have been no text or the - wrong text being shown for the error. +- transfer: fix LGTM alert "Comparison is always true" - Co-authored-by: Jay Satiro + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. - Closes #3612 + Closes https://github.com/curl/curl/pull/3732 -- [Michael Wallner brought this change] +Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] - cookies: fix NULL dereference if flushing cookies with no CookieInfo set + smtp: fix compiler warning - Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + - Fix clang string-plus-int warning. - Closes #3613 - -Marcel Raad (26 Feb 2019) -- AppVeyor: re-enable test 500 + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. - It's passing now. 
+ (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) - Closes https://github.com/curl/curl/pull/3615 + smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ + + Closes https://github.com/curl/curl/pull/3729 -- AppVeyor: remove redundant builds +Marcel Raad (4 Apr 2019) +- VS projects: use Unicode for VC10+ - Remove the Visual Studio 2012 and 2013 builds as they add little value. + All Windows APIs have been natively UTF-16 since Windows 2000 and the + non-Unicode variants are just wrappers around them. Only Windows 9x + doesn't understand Unicode without the UnicoWS DLL. As later Visual + Studio versions cannot target Windows 9x anyway, using the ANSI API + doesn't really have any benefit there. - Ref: https://github.com/curl/curl/pull/3606 - Closes https://github.com/curl/curl/pull/3614 + This avoids issues like KNOWN_BUGS 6.5. + + Ref: https://github.com/curl/curl/issues/2120 + Closes https://github.com/curl/curl/pull/3720 -Daniel Stenberg (25 Feb 2019) +Daniel Gustafsson (3 Apr 2019) - RELEASE-NOTES: synced + + Bump the version in progress to 7.64.2, if we merge any "change" + before the cut-off date we can update the version. -- [Bernd Mueller brought this change] +- [Tim Rühsen brought this change] - OpenSSL: add support for TLS ASYNC state + documentation: Fix several typos - Closes #3591 + Closes #3724 + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Daniel Gustafsson -Jay Satiro (25 Feb 2019) -- [Michael Felt brought this change] +Jay Satiro (2 Apr 2019) +- [Mert Yazıcıoğlu brought this change] - acinclude: add additional libraries to check for LDAP support + vauth/oauth2: Fix OAUTHBEARER token generation - - Add an additional check for LDAP that also checks for OpenSSL since - on AIX those libraries may be required to link LDAP properly. + OAUTHBEARER tokens were incorrectly generated in a format similar to + XOAUTH2 tokens. 
These changes make OAUTHBEARER tokens conform to the + RFC7628. - Fixes https://github.com/curl/curl/issues/3595 - Closes https://github.com/curl/curl/pull/3596 - -- [georgeok brought this change] + Fixes: #2487 + Reported-by: Paolo Mossino + + Closes https://github.com/curl/curl/pull/3377 - schannel: support CALG_ECDH_EPHEM algorithm +Marcel Raad (2 Apr 2019) +- tool_cb_wrt: fix bad-function-cast warning - Add support for Ephemeral elliptic curve Diffie-Hellman key exchange - algorithm option when selecting ciphers. This became available on the - Win10 SDK. + Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the + warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. + Extend fhnd's scope and reuse that variable instead of calling + _get_osfhandle a second time to fix the warning again. - Closes https://github.com/curl/curl/pull/3608 + Closes https://github.com/curl/curl/pull/3718 -Daniel Stenberg (24 Feb 2019) -- multi: call multi_done on connect timeouts - - Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get - updated correctly and could end up getting reported to the application - completely wrong (way too small). +- VC15 project: remove MinimalRebuild - Reported-by: accountantM on github - Fixes #3602 - Closes #3605 + Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the + library project, but I forgot the tool project template. Now also + removed for that. -- examples: remove recursive calls to curl_multi_socket_action +Dan Fandrich (1 Apr 2019) +- cirrus: Customize the disabled tests per FreeBSD version - From within the timer callbacks. Recursive is problematic for several - reasons. They should still work, but this way the examples and the - documentation becomes simpler. I don't think we need to encourage - recursive calls. + Try to run as many test cases as possible on each OS version. + 12.0 passes 13 more tests than the older versions, so we might as well + run them. 
+ +Daniel Stenberg (1 Apr 2019) +- tool_help: include for strcasecmp - Discussed in #3537 - Closes #3601 + Reported-by: Wyatt O'Day + Fixes #3715 + Closes #3716 -Marcel Raad (23 Feb 2019) -- configure: remove CURL_CHECK_FUNC_FDOPEN call +Daniel Gustafsson (31 Mar 2019) +- scripts: fix typos + +Dan Fandrich (28 Mar 2019) +- travis: allow builds on branches named "ci" - The macro itself has been removed in commit - 11974ac859c5d82def59e837e0db56fef7f6794e. + This allows a way to test changes other than through PRs. + +Daniel Stenberg (27 Mar 2019) +- [Brad Spencer brought this change] + + resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - Closes https://github.com/curl/curl/pull/3604 + Closes #3699 -Daniel Stenberg (23 Feb 2019) -- wolfssl: stop custom-adding curves +- multi: improved HTTP_1_1_REQUIRED handling - since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in - wolfSSL 3.10.2 and later) it sends these curves by default already. + Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error + on first flight. - Pointed-out-by: David Garske + Reported-by: niner on github + Fixes #3696 + Closes #3707 + +- [Leonardo Taccari brought this change] + + configure: avoid unportable `==' test(1) operator - Closes #3599 + Closes #3709 -- configure: remove the unused fdopen macro +Version 7.64.1 (27 Mar 2019) + +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 + +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - and the two remaining #ifdefs for it + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - Closes #3600 + Fixes #3708 -Jay Satiro (22 Feb 2019) -- url: change conn shutdown order to unlink data as last step +- [Christian Schmitz brought this change] + + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - - Split off connection shutdown procedure from Curl_disconnect into new - function conn_shutdown. 
+ Closes #3704 + +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL - - Change the shutdown procedure to close the sockets before - disassociating the transfer. + - Improve console detection. - Prior to this change the sockets were closed after disassociating the - transfer so SOCKETFUNCTION wasn't called since the transfer was already - disassociated. That likely came about from recent work started in - Jan 2019 (#3442) to separate transfers from connections. + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. - Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html - Reported-by: Pavel Löbl + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem + +- CURLMOPT_PIPELINING.3: fix typo + +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing - Closes https://github.com/curl/curl/issues/3597 - Closes https://github.com/curl/curl/pull/3598 + Closes #3698 -Marcel Raad (22 Feb 2019) -- Fix strict-prototypes GCC warning +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental - As seen in the MinGW autobuilds. Caused by commit - f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. + + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + + Closes https://github.com/curl/curl/pull/3688 -Dan Fandrich (21 Feb 2019) +Dan Fandrich (24 Mar 2019) - tests: Fixed XML validation errors in some test files. -Daniel Stenberg (20 Feb 2019) -- TODO: Allow SAN names in HTTP/2 server push +- tests: Fix some incorrect precheck error messages. 
- Suggested-by: Nicolas Grekas + [ci skip] -- RELEASE-NOTES: synced +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore -- curl: remove MANUAL from -M output - - ... and remove it from the dist tarball. It has served its time, it - barely gets updated anymore and "everything curl" is now convering all - this document once tried to include, and does it more and better. +- travis: bump the used wolfSSL version to 4.0.0 - In the compressed scenario, this removes ~15K data from the binary, - which is 25% of the -M output. + Test 311 is now fine, leaving only 313 (CRL) disabled. - It remains in the git repo for now for as long as the web site builds a - page using that as source. It renders poorly on the site (especially for - mobile users) so its not even good there. + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 - Closes #3587 + Closes #3697 -- http2: verify :athority in push promise requests +Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments + +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too - RFC 7540 says we should verify that the push is for an "authoritative" - server. We make sure of this by only allowing push with an :athority - header that matches the host that was asked for in the URL. + Fixes #3692 + Closes #3692 + +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support - Fixes #3577 - Reported-by: Nicolas Grekas - Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html - Closes #3581 + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 -- singlesocket: fix the 'sincebefore' placement +- test1541: threaded connection sharing - The variable wasn't properly reset within the loop and thus could remain - set for sockets that hadn't been set before and miss notifying the app. + The threaded-shared-conn.c example turned into test case. 
Only works if + pthread was detected. - This is a follow-up to 4c35574 (shipped in curl 7.64.0) + An attempt to detect future regressions such as e3a53e3efb942a5 - Reported-by: buzo-ffm on github - Detected-by: Jan Alexander Steffens - Fixes #3585 - Closes #3589 + Closes #3687 -- connection: never reuse CONNECT_ONLY conections - - and make CONNECT_ONLY conections never reuse any existing ones either. +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. - Reported-by: Pavel Löbl - Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html - Closes #3586 + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. -Patrick Monnerat (19 Feb 2019) -- cli tool: fix mime post with --disable-libcurl-option configure option +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it - Reported-by: Marcel Raad - Fixes #3576 - Closes #3583 - -Daniel Stenberg (19 Feb 2019) -- x509asn1: cleanup and unify code layout + - make sure an already "owned" connection isn't returned unless + multiplexed. - - rename 'n' to buflen in functions, and use size_t for them. Don't pass - in negative buffer lengths. + - clear ->data when returning the connection to the cache again - - move most function comments to above the function starts like we use - to + Regression since 7.62.0 (probably in commit 1b76c38904f0) - - remove several unnecessary typecasts (especially of NULL) + Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html - Reviewed-by: Patrick Monnerat - Closes #3582 + Closes #3686 -- curl_multi_remove_handle.3: use at any time, just not from within callbacks - - [ci skip] +- RELEASE-NOTES: synced -- http: make adding a blank header thread-safe - - Previously the function would edit the provided header in-place when a - semicolon is used to signify an empty header. This made it impossible to - use the same set of custom headers in multiple threads simultaneously. 
+- [Chris Young brought this change] + + configure: add --with-amissl - This approach now makes a local copy when it needs to edit the string. + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. - Reported-by: d912e3 on github - Fixes #3578 - Closes #3579 - -- unit1651: survive curl_easy_init() fails + Closes #3677 -- [Frank Gevaerts brought this change] +- [Chris Young brought this change] - rand: Fix a mismatch between comments in source and header. + vtls: rename some of the SSL functions - Reported-by: Björn Stenberg - Closes #3584 + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. -Patrick Monnerat (18 Feb 2019) -- x509asn1: replace single char with an array +- [Chris Young brought this change] + + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" - Although safe in this context, using a single char as an array may - cause invalid accesses to adjacent memory locations. + ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. - Detected by Coverity. + Closes #3681 -Daniel Stenberg (18 Feb 2019) -- examples/http2-serverpush: add some sensible error checks +- curl.1: --user and --proxy-user are hidden from ps output - To avoid NULL pointer dereferences etc in the case of problems. 
+ Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 - Closes #3580 + Closes #3683 -Jay Satiro (18 Feb 2019) -- easy: fix win32 init to work without CURL_GLOBAL_WIN32 +- curl.1: mark the argument to --cookie as - - Change the behavior of win32_init so that the required initialization - procedures are not affected by CURL_GLOBAL_WIN32 flag. + From a discussion in #3676 - libcurl via curl_global_init supports initializing for win32 with an - optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop - Winsock initialization. It did so internally by skipping win32_init() - when that flag was set. Since then win32_init() has been expanded to - include required initialization routines that are separate from - Winsock and therefore must be called in all cases. This commit fixes - it so that CURL_GLOBAL_WIN32 only controls the optional win32 - initialization (which is Winsock initialization, according to our doc). + Suggested-by: Tim Rühsen - The only users affected by this change are those that don't pass - CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the - risk of a potential crash. + Closes #3682 + +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. 
+ +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate - Ref: https://github.com/curl/curl/pull/3573 + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic - Fixes https://github.com/curl/curl/issues/3313 - Closes https://github.com/curl/curl/pull/3575 + Fixes #1261 + Closes #1975 -Daniel Gustafsson (17 Feb 2019) -- cookie: Add support for cookie prefixes +- [Marc Schlatter brought this change] + + http: send payload when (proxy) authentication is done - The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes - and how they should affect cookie initialization, which has been - adopted by the major browsers. This adds support for the two prefixes - defined, __Host- and __Secure, and updates the testcase with the - supplied examples from the draft. + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. 
- Closes #3554 - Reviewed-by: Daniel Stenberg + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. + + Fixes #2431 + Closes #3669 -- mbedtls: release sessionid resources on error +- file: fix "Checking if unsigned variable 'readcount' is less than zero." - If mbedtls_ssl_get_session() fails, it may still have allocated - memory that needs to be freed to avoid leaking. Call the library - API function to release session resources on this errorpath as - well as on Curl_ssl_addsessionid() errors. + Pointed out by codacy - Closes: #3574 - Reported-by: Michał Antoniak - Reviewed-by: Daniel Stenberg - -Patrick Monnerat (16 Feb 2019) -- cli tool: refactor encoding conversion sequence for switch case fallthrough. + Closes #3672 -- version.c: silent scan-build even when librtmp is not enabled +- memdebug: log pointer before freeing its data + + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. + + The fix still changes the order of execution to avoid the warnings. + + Coverity CID 1443033 and 1443034 + + Closes #3671 -Daniel Stenberg (15 Feb 2019) - RELEASE-NOTES: synced -- Curl_now: figure out windows version in win32_init +Marcel Raad (12 Mar 2019) +- travis: actually use updated compiler versions - ... and avoid use of static variables that aren't thread safe. + For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the + new GCC versions were only used for the coverage build and for building + nghttp2, while the new clang version was not used at all. - Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + BoringSSL needs to use the default GCC as it respects CC, but not CXX, + so it would otherwise pass gcc 8 options to g++ 4.8 and fail. 
- Reported-by: Paul Groke - Fixes #3572 - Closes #3573 - -Marcel Raad (15 Feb 2019) -- unit1307: just fail without FTP support + Also remove GCC 7, it's not needed anymore. - I missed to check this in with commit - 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. - This fixes the actual linker error. + Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning - Closes https://github.com/curl/curl/pull/3568 + Closes https://github.com/curl/curl/pull/3670 -Daniel Stenberg (15 Feb 2019) -- travis: enable valgrind for the iconv tests too +- travis: update clang to version 7 - Closes #3571 + Closes https://github.com/curl/curl/pull/3670 -- travis: add scan-build +Jay Satiro (11 Mar 2019) +- [Andre Guibert de Bruet brought this change] + + examples/externalsocket: add missing close socket calls - Closes #3564 + .. and for Windows also call WSACleanup since we call WSAStartup. + + The example is to demonstrate handling the socket independently of + libcurl. In this case libcurl is not responsible for creating, opening + or closing the socket, it is handled by the application (our example). + + Fixes https://github.com/curl/curl/pull/3663 -- examples/sftpuploadresume: Value stored to 'result' is never read +Daniel Stenberg (11 Mar 2019) +- multi: removed unused code for request retries - Detected by scan-build + This code was once used for the non multi-interface using code path, but + ever since easy_perform was turned into a wrapper around the multi + interface, this code path never runs. + + Closes #3666 -- examples/http2-upload: cleaned up +Jay Satiro (11 Mar 2019) +- doh: inherit some SSL options from user's easy handle - Fix scan-build warnings, no globals, no silly handle scan. Also remove - handles from the multi before cleaning up. 
+ - Inherit SSL options for the doh handle but not SSL client certs, + SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, + SSL pinned public key, SSL ciphers, SSL id cache setting, + SSL kerberos or SSL gss-api settings. + + - Fix inheritance of verbose setting. + + - Inherit NOSIGNAL. + + There is no way for the user to set options for the doh (DNS-over-HTTPS) + handles and instead we inherit some options from the user's easy handle. + + My thinking for the SSL options not inherited is they are most likely + not intended by the user for the DOH transfer. I did inherit insecure + because I think that should still be in control of the user. + + Prior to this change doh did not work for me because CAINFO was not + inherited. Also verbose was set always which AFAICT was a bug (#3660). + + Fixes https://github.com/curl/curl/issues/3660 + Closes https://github.com/curl/curl/pull/3661 -- examples/http2-download: cleaned up +Daniel Stenberg (9 Mar 2019) +- test331: verify set-cookie for dotless host name - To avoid scan-build warnings and global variables. + Reproduced bug #3649 + Closes #3659 -- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' +- Revert "cookies: extend domain checks to non psl builds" - Detected by scan-build + This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + + Regression shipped in 7.64.0 + Fixes #3649 -- examples/httpcustomheader: Value stored to 'res' is never read +- memdebug: make debug-specific functions use curl_dbg_ prefix - Detected by scan-build + To not "collide" or use up the regular curl_ name space. Also makes them + easier to detect in helper scripts. + + Closes #3656 -- examples: remove superfluous null-pointer checks +- cmdline-opts/proxytunnel.d: the option tunnnels all protocols - in ftpget, ftpsget and sftpget, so that scan-build stops warning for - potential NULL pointer dereference below! + Clarify the language and simplify. 
- Detected by scan-build + Reported-by: Daniel Lublin + Closes #3658 -- strip_trailing_dot: make sure NULL is never used for strlen +- KNOWN_BUGS: Client cert (MTLS) issues with Schannel - scan-build warning: Null pointer passed as an argument to a 'nonnull' - parameter + Closes #3145 -- [Jay Satiro brought this change] +- ROADMAP: updated to some more current things to work on - connection_check: restore original conn->data after the check +- tests: fix multiple may be used uninitialized warnings + +- RELEASE-NOTES: synced + +- source: fix two 'nread' may be used uninitialized warnings - - Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. + Both seem to be false positives but we don't like warnings. - This is a follow-up to 38d8e1b 2019-02-11. + Closes #3646 + +- gopher: remove check for path == NULL - History: + Since it can't be NULL and it makes Coverity believe we lack proper NULL + checks. Verified by test 659, landed in commit 15401fa886b. - It was discovered a month ago that before checking whether to extract a - dead connection that that connection should be associated with a "live" - transfer for the check (ie original conn->data ignored and set to the - passed in data). A fix was landed in 54b201b which did that and also - cleared conn->data after the check. The original conn->data was not - restored, so presumably it was thought that a valid conn->data was no - longer needed. + Pointed out by Coverity CID 1442746. - Several days later it was discovered that a valid conn->data was needed - after the check and follow-up fix was landed in bbae24c which partially - reverted the original fix and attempted to limit the scope of when - conn->data was changed to only when pruning dead connections. In that - case conn->data was not cleared and the original conn->data not - restored. 
+ Assisted-by: Dan Fandrich + Fixes #3617 + Closes #3642 + +- examples: only include - A month later it was discovered that the original fix was somewhat - correct; a "live" transfer is needed for the check in all cases - because original conn->data could be null which could cause a bad deref - at arbitrary points in the check. A fix was landed in 38d8e1b which - expanded the scope to all cases. conn->data was not cleared and the - original conn->data not restored. + That's the only public curl header we should encourage use of. - A day later it was discovered that not restoring the original conn->data - may lead to busy loops in applications that use the event interface, and - given this observation it's a pretty safe assumption that there is some - code path that still needs the original conn->data. This commit is the - follow-up fix for that, it restores the original conn->data after the - connection check. + Reviewed-by: Marcel Raad + Closes #3645 + +- ssh: loop the state machine if not done and not blocking - Assisted-by: tholin@users.noreply.github.com - Reported-by: tholin@users.noreply.github.com + If the state machine isn't complete, didn't fail and it didn't return + due to blocking it can just as well loop again. - Fixes https://github.com/curl/curl/issues/3542 - Closes #3559 + This addresses the problem with SFTP directory listings where we would + otherwise return back to the parent and as the multi state machine + doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the + doing phase isn't complete, it would return out when in reality there + was more data to deal with. + + Fixes #3506 + Closes #3644 -- memdebug: bring back curl_mark_sclose +Jay Satiro (5 Mar 2019) +- multi: support verbose conncache closure handle - Used by debug builds with NSS. + - Change closure handle to receive verbose setting from the easy handle + most recently added via curl_multi_add_handle. 
- Reverted from 05b100aee247bb - -Patrick Monnerat (14 Feb 2019) -- transfer.c: do not compute length of undefined hex buffer. + The closure handle is a special easy handle used for closing cached + connections. It receives limited settings from the easy handle most + recently added to the multi handle. Prior to this change that did not + include verbose which was a problem because on connection shutdown + verbose mode was not acknowledged. - On non-ascii platforms, the chunked hex header was measured for char code - conversion length, even for chunked trailers that do not have an hex header. - In addition, the efective length is already known: use it. - Since the hex length can be zero, only convert if needed. + Ref: https://github.com/curl/curl/pull/3598 - Reported by valgrind. - -Daniel Stenberg (14 Feb 2019) -- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP + Co-authored-by: Daniel Stenberg - Closes #2367 + Closes https://github.com/curl/curl/pull/3618 -Patrick Monnerat (14 Feb 2019) -- x509asn1: "Dereference of null pointer" +Daniel Stenberg (4 Mar 2019) +- CURLU: fix NULL dereference when used over proxy - Detected by scan-build (false positive). + Test 659 verifies + + Also fixed the test 658 name + + Closes #3641 -Daniel Stenberg (14 Feb 2019) -- configure: show features as well in the final summary +- altsvc_out: check the return code from Curl_gmtime - Closes #3569 + Pointed out by Coverity, CID 1442956. 
+ + Closes #3640 -- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 +- docs/ALTSVC.md: docs describing the approach - Closes #2905 + Closes #3498 -- KNOWN_BUGS: Deflate error after all content was received +- alt-svc: add a travis build + +- alt-svc: add test 355 and 356 to verify with command line curl + +- alt-svc: the curl command line bits + +- alt-svc: the libcurl bits + +- travis: add build using gnutls - Closes #2719 + Closes #3637 -- gssapi: fix deprecated header warnings +- RELEASE-NOTES: synced + +- [Simon Legner brought this change] + + scripts/completion.pl: also generate fish completion file - Heimdal includes on FreeBSD spewed out lots of them. Less so now. + This is the renamed script formerly known as zsh.pl - Closes #3566 + Closes #3545 -- TODO: Upgrade to websockets +- gnutls: remove call to deprecated gnutls_compression_get_name - Closes #3523 - -- TODO: cmake test suite improvements + It has been deprecated by GnuTLS since a year ago and now causes build + warnings. - Closes #3109 - -Patrick Monnerat (13 Feb 2019) -- curl: "Dereference of null pointer" + Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f + Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html - Rephrase to satisfy scan-build. + Closes #3636 -Marcel Raad (13 Feb 2019) -- unit1307: require FTP support +Jay Satiro (2 Mar 2019) +- system_win32: move win32_init here from easy.c - This test doesn't link without FTP support after - fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch - unavailable without FTP support. + .. since system_win32 is a more appropriate location for the functions + and to extern the globals. 
- Closes https://github.com/curl/curl/pull/3565 + Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/3625 -Daniel Stenberg (13 Feb 2019) -- TODO: TFO support on Windows +Daniel Stenberg (1 Mar 2019) +- curl_easy_duphandle.3: clarify that a duped handle has no shares - Nobody works on this now. + Reported-by: Sara Golemon - Closes #3378 + Fixes #3592 + Closes #3634 -- multi: Dereference of null pointer +- 10-at-a-time.c: fix too long line + +- [Arnaud Rebillout brought this change] + + examples: various fixes in ephiperfifo.c - Mostly a false positive, but this makes the code easier to read anyway. + The main change here is the timer value that was wrong, it was given in + usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * + 1000). This resulted in the callback being invoked WAY TOO OFTEN. - Detected by scan-build. + As a quick check you can run this command before and after applying this + commit: - Closes #3563 - -- urlglob: Argument with 'nonnull' attribute passed null + # shell 1 + ./ephiperfifo 2>&1 | tee ephiperfifo.log + # shell 2 + echo http://hacking.elboulangero.com > hiper.fifo - Detected by scan-build. + Then just compare the size of the logs files. + + Closes #3633 + Fixes #3632 + 
Signed-off-by: Arnaud Rebillout -Jay Satiro (12 Feb 2019) -- schannel: restore some debug output but only for debug builds +- urldata: simplify bytecounters - Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy - debug output in DEBUGF but omitted a few lines. + - no need to have them protocol specific - Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 - -- examples/crawler: Fix the Accept-Encoding setting + - no need to set pointers to them with the Curl_setup_transfer() call - - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default - supported encodings. + - make Curl_setup_transfer() operate on a transfer pointer, not + connection - Prior to this change the specific encodings of gzip and deflate were set - but there's no guarantee they'd be supported by the user's libcurl. - -Daniel Stenberg (12 Feb 2019) -- mime: put the boundary buffer into the curl_mime struct + - switch some counters from long to the more proper curl_off_t type - ... instead of allocating it separately and point to it. It is - fixed-size and always used for each part. + Closes #3627 + +- examples/10-at-a-time.c: improve readability and simplify - Closes #3561 + - use better variable names to explain their purposes + - convert logic to curl_multi_wait() -- schannel: be quiet +- threaded-resolver: shutdown the resolver thread without error message - Convert numerous infof() calls into debug-build only messages since they - are annoyingly verbose for regular applications. Removed a few. + When a transfer is done, the resolver thread will be brought down. That + could accidentally generate an error message in the error buffer even + though this is not an error situationand the transfer would still return + OK. An application that still reads the error buffer could find a + "Could not resolve host: [host name]" message there and get confused. 
- Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html - Reported-by: Volker Schmid - Closes #3552 + Reported-by: Michael Schmid + Fixes #3629 + Closes #3630 -- [Romain Geissler brought this change] +- [Ԝеѕ brought this change] - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning + docs: update max-redirs.d phrasing - Closes #3562 - -- http2: multi_connchanged() moved from multi.c, only used for h2 + clarify redir - "in absurdum" doesn't seem to make sense in this context - Closes #3557 + Closes #3631 -- curl: "Function call argument is an uninitialized value" +- ssh: fix Condition '!status' is always true - Follow-up to cac0e4a6ad14b42471eb + in the same sftp_done function in both SSH backends. Simplify them + somewhat. - Detected by scan-build - Closes #3560 + Pointed out by Codacy. + + Closes #3628 -- pretransfer: don't strlen() POSTFIELDS set for GET requests +- test578: make it read data from the correct test + +- Curl_easy: remove req.maxfd - never used! - ... since that data won't be used in the request anyway. + Introduced in 8b6314ccfb, but not used anymore in current code. Unclear + since when. - Fixes #3548 - Reported-by: Renaud Allard - Close #3549 + Closes #3626 -- multi: remove verbose "Expire in" ... messages +- http: set state.infilesize when sending formposts - Reported-by: James Brown - Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html - Closes #3558 - -- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set - - Reported-by: MAntoniak on github - Fixes #3553 - Closes #3556 - -Daniel Gustafsson (12 Feb 2019) -- non-ascii.c: fix typos in comments + Without it set, we would unwillingly triger the "HTTP error before end + of send, stop sending" condition even if the entire POST body had been + sent (since it wouldn't know the expected size) which would + unnecessarily log that message and close the connection when it didn't + have to. - Fix two occurrences of s/convers/converts/ spotted while reading code. 
+ Reported-by: Matt McClure + Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html + Closes #3624 -Daniel Stenberg (12 Feb 2019) -- fnmatch: disable if FTP is disabled - - Closes #3551 +- INSTALL: refer to the current TLS library names and configure options -- curl_path: only enabled for SSH builds +- FAQ: minor updates and spelling fixes -- [Frank Gevaerts brought this change] +- GOVERNANCE.md: minor spelling fixes - tests: add stderr comparison to the test suite +- Secure Transport: no more "darwinssl" - The code is more or less copied from the stdout comparison code, maybe - some better reuse is possible. + Everyone calls it Secure Transport, now we do too. - test 1457 is adjusted to make the output actually match (by using --silent) - test 506 used without actually needing it, so that block is removed + Reviewed-by: Nick Zitzmann - Closes #3536 + Closes #3619 -Patrick Monnerat (11 Feb 2019) -- cli tool: do not use mime.h private structures. +Marcel Raad (27 Feb 2019) +- AppVeyor: add classic MinGW build - Option -F generates an intermediate representation of the mime structure - that is used later to create the libcurl mime structure and generate - the --libcurl statements. + But use the MSYS2 shell rather than the default MSYS shell because of + POSIX path conversion issues. Classic MinGW is only available on the + Visual Studio 2015 image. - Reported-by: Daniel Stenberg - Fixes #3532 - Closes #3546 - -Daniel Stenberg (11 Feb 2019) -- curlver: bump to 7.64.1-dev + Closes https://github.com/curl/curl/pull/3623 -- RELEASE-NOTES: synced +- AppVeyor: add MinGW-w64 build - and bump the version in progress to 7.64.1. If we merge any "change" - before the cut-off date, we update again. + Add a MinGW-w64 build using CMake's MSYS Makefiles generator. + Use the Visual Studio 2015 image as it has GCC 8, while the + Visual Studio 2017 image only has GCC 7.2. 
+ + Closes https://github.com/curl/curl/pull/3623 -Daniel Gustafsson (11 Feb 2019) -- curl: follow-up to 3f16990ec84 +Daniel Stenberg (27 Feb 2019) +- cookies: only save the cookie file if the engine is enabled - Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was - inadvertently introducing a new bug in the ternary expression. + Follow-up to 8eddb8f4259. - Close #3555 - Reviewed-by: Daniel Stenberg - -- dns: release sharelock as soon as possible + If the cookieinfo pointer is NULL there really is nothing to save. - There is no benefit to holding the data sharelock when freeing the - addrinfo in case it fails, so ensure releaseing it as soon as we can - rather than holding on to it. This also aligns the code with other - consumers of sharelocks. + Without this fix, we got a problem when a handle was using shared object + with cookies and is told to "FLUSH" it to file (which worked) and then + the share object was removed and when the easy handle was closed just + afterwards it has no cookieinfo and no cookies so it decided to save an + empty jar (overwriting the file just flushed). - Closes #3516 - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (11 Feb 2019) -- curl: follow-up to b49652ac66cc0 + Test 1905 now verifies that this works. - On FreeBSD, return non-zero on error otherwise zero. + Assisted-by: Michael Wallner + Assisted-by: Marcel Raad - Reported-by: Marcel Raad + Closes #3621 -- multi: (void)-prefix when ignoring return values - - ... and added braces to two function calls which fixes warnings if they - are replace by empty macros at build-time. +- [DaVieS brought this change] -- curl: fix FreeBSD compiler warning in the --xattr code + cacertinmem.c: use multiple certificates for loading CA-chain - Closes #3550 + Closes #3421 -- connection_check: set ->data to the transfer doing the check +- urldata: convert bools to bitfields and move to end - The http2 code for connection checking needs a transfer to use. 
Make - sure a working one is set before handler->connection_check() is called. + This allows the compiler to pack and align the structs better in + memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 + makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. - Reported-by: jnbr on github - Fixes #3541 - Closes #3547 + Removed an unused struct field. + + No functionality changes. + + Closes #3610 -- hostip: make create_hostcache_id avoid alloc + free +- [Don J Olmstead brought this change] + + curl.h: use __has_declspec_attribute for shared builds - Closes #3544 + Closes #3616 -- scripts/singleuse: script to use to track single-use functions +- curl: display --version features sorted alphabetically - That is functions that are declared global but are not used from outside - of the file in which it is declared. Such functions should be made - static or even at times be removed. + Closes #3611 + +- runtests: detect "schannel" as an alias for "winssl" - It also verifies that all used curl_ prefixed functions are "blessed" + Follow-up to 180501cb02 - Closes #3538 + Reported-by: Marcel Raad + Fixes #3609 + Closes #3620 -- cleanup: make local functions static - - urlapi: turn three local-only functions into statics +Marcel Raad (26 Feb 2019) +- AppVeyor: update to Visual Studio 2017 - conncache: make conncache_find_first_connection static + Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a + moving target anymore as the last update, Update 9, has been released. - multi: make detach_connnection static + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: switch VS 2015 builds to VS 2017 image - connect: make getaddressinfo static + The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. 
- curl_ntlm_core: make hmac_md5 static + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: explicitly select worker image - http2: make two functions static + Currently, we're using the default Visual Studio 2015 image for + everything. - http: make http_setup_conn static + Closes https://github.com/curl/curl/pull/3606 + +Daniel Stenberg (26 Feb 2019) +- strerror: make the strerror function use local buffers - connect: make tcpnodelay static + Instead of using a fixed 256 byte buffer in the connectdata struct. - tests: make UNITTEST a thing to mark functions with, so they can be static for - normal builds and non-static for unit test builds + In my build, this reduces the size of the connectdata struct by 11.8%, + from 2160 to 1904 bytes with no functionality or performance loss. - ... and mark Curl_shuffle_addr accordingly. + This also fixes a bug in schannel's Curl_verify_certificate where it + called Curl_sspi_strerror when it should have called Curl_strerror for + string from GetLastError. the only effect would have been no text or the + wrong text being shown for the error. - url: make up_free static + Co-authored-by: Jay Satiro - setopt: make vsetopt static + Closes #3612 + +- [Michael Wallner brought this change] + + cookies: fix NULL dereference if flushing cookies with no CookieInfo set - curl_endian: make write32_le static + Regression brought by a52e46f3900fb0 (shipped in 7.63.0) - rtsp: make rtsp_connisdead static + Closes #3613 + +Marcel Raad (26 Feb 2019) +- AppVeyor: re-enable test 500 - warnless: remove unused functions + It's passing now. - memdebug: remove one unused function, made another static + Closes https://github.com/curl/curl/pull/3615 -Dan Fandrich (10 Feb 2019) -- cirrus: Added FreeBSD builds using Cirrus CI. +- AppVeyor: remove redundant builds - The build logs will be at https://cirrus-ci.com/github/curl/curl + Remove the Visual Studio 2012 and 2013 builds as they add little value. 
- Some tests are currently failing and so disabled for now. The SSH server - isn't starting for the SSH tests due to unsupported options used in its - config file. The DICT server also is failing on startup. + Ref: https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3614 -Daniel Stenberg (9 Feb 2019) -- url/idnconvert: remove scan for <= 32 ascii values - - The check was added back in fa939220df before the URL parser would catch - these problems and therefore these will never trigger now. +Daniel Stenberg (25 Feb 2019) +- RELEASE-NOTES: synced + +- [Bernd Mueller brought this change] + + OpenSSL: add support for TLS ASYNC state - Closes #3539 + Closes #3591 -- urlapi: reduce variable scope, remove unreachable 'break' +Jay Satiro (25 Feb 2019) +- [Michael Felt brought this change] + + acinclude: add additional libraries to check for LDAP support - Both nits pointed out by codacy.com + - Add an additional check for LDAP that also checks for OpenSSL since + on AIX those libraries may be required to link LDAP properly. - Closes #3540 + Fixes https://github.com/curl/curl/issues/3595 + Closes https://github.com/curl/curl/pull/3596 -Alessandro Ghedini (7 Feb 2019) -- zsh.pl: escape ':' character +- [georgeok brought this change] + + schannel: support CALG_ECDH_EPHEM algorithm - ':' is interpreted as separator by zsh, so if used as part of the argument - or option's description it needs to be escaped. + Add support for Ephemeral elliptic curve Diffie-Hellman key exchange + algorithm option when selecting ciphers. This became available on the + Win10 SDK. - The problem can be reproduced as follows: + Closes https://github.com/curl/curl/pull/3608 + +Daniel Stenberg (24 Feb 2019) +- multi: call multi_done on connect timeouts - % curl --reso - % curl -E + Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get + updated correctly and could end up getting reported to the application + completely wrong (way too small). 
- Bug: https://bugs.debian.org/921452 + Reported-by: accountantM on github + Fixes #3602 + Closes #3605 -- zsh.pl: update regex to better match curl -h output - - The current regex fails to match '<...>' arguments properly (e.g. those - with spaces in them), which causes an completion script with wrong - descriptions for some options. - - Here's a diff of the generated completion script, comparing the previous - version to the one with this fix: +- examples: remove recursive calls to curl_multi_socket_action - --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 - +++ _curl 2019-02-05 20:57:29.453349040 +0000 - 
@@ -9,48 +9,48 @@ + From within the timer callbacks. Recursive is problematic for several + reasons. They should still work, but this way the examples and the + documentation becomes simpler. I don't think we need to encourage + recursive calls. - _arguments -C -S \ - --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ - + --resolve'[Resolve the host+port to this address]':'' \ - {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ - {-D,--dump-header}'[Write the received headers to ]':'':_files \ - {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ - --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ - {-E,--cert}'[Client certificate file and password]':'' \ - --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ - --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ - --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ - --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ - + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ - --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ - --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ - + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ - --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ - + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ - {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ - --socks5-hostname'[SOCKS5 proxy, pass 
host name to proxy]':'' \ - --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ - --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ - --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ - - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ - {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ - --local-port'[Force use of RANGE for local port numbers]':'' \ - --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ - {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - - --location-trusted'[--location, and send auth to other hosts]':'Like' \ - + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ - --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ - {-O,--remote-name}'[Write output to a file named as the remote file]' \ - + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ - + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ - --trace-ascii'[Like --trace, but without hex output]':'':_files \ - --connect-timeout'[Maximum time allowed for connection]':'' \ - --expect100-timeout'[How long to wait for 100-continue]':'' \ - {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ - + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ - {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ - --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ - --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - - --ignore-content-length'[the size of the remote resource]':'Ignore' \ - {-k,--insecure}'[Allow insecure server connections when using SSL]' \ - + --location-trusted'[Like --location, and send auth to other hosts]' \ - --mail-auth'[Originator address of the original email]':'
' \ - --noproxy'[List of hosts which do not use proxy]':'' \ - --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ - @@ -62,18 +62,19 @@ - --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ - --cacert'[CA certificate to verify peer against]':'':_files \ - {-H,--header}'[Pass custom header(s) to server]':'
' \ - + --ignore-content-length'[Ignore the size of the remote resource]' \ - {-i,--include}'[Include protocol response headers in the output]' \ - --proxy-header'[Pass custom header(s) to proxy]':'
' \ - --unix-socket'[Connect through this Unix domain socket]':'' \ - {-w,--write-out}'[Use output FORMAT after completion]':'' \ - - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ - {-o,--output}'[Write to file instead of stdout]':'':_files \ - - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ - + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ - --socks4a'[SOCKS4a proxy on given host + port]':'' \ - {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ - {-z,--time-cond}'[Transfer based on a time condition]':'
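Review bot: the removed and added lines in this region are not revisions of one another, so the hunk cannot be reviewed line by line. Old entries such as `- curl_ntlm_core: make hmac_md5 static` and the embedded zsh completion diff (with its own `@@ -9,48 +9,48 @@` header) are paired against unrelated new entries such as `+ cookies: fix NULL dereference if flushing cookies with no CookieInfo set`, which looks like the result of new entries being prepended and the older text shifting down. For a vendored changelog, state in the commit message that the file is an unmodified copy of the upstream release's CHANGES and verify it against the upstream tarball by checksum rather than by reading this diff; regenerating the patch with `git diff --patience` may also produce a readable alignment. The commit message should also name the caller-visible fixes recorded here, in particular the cookie-flush NULL dereference noted as a regression "shipped in 7.63.0" and the connect-timeout case where `CURLINFO_TOTAL_TIME` could be reported "way too small", so that consumers of the bundled library can tell whether they were affected.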