                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.65.0 (22 May 2019)

Daniel Stenberg (22 May 2019)
- RELEASE-NOTES: 7.65.0 release

- THANKS: from the 7.65.0 release-notes

- url: convert the zone id from a IPv6 URL to correct scope id

  Reported-by: GitYuanQu on github
  Fixes #3902
  Closes #3914

- configure: detect getsockname and getpeername on windows too

  Made detection macros for these two functions in the same style as other
  functions possibly in winsock in the hope this will work better to detect
  these functions when cross-compiling for Windows.

  Follow-up to e91e4816123

  Fixes #3913
  Closes #3915

Marcel Raad (21 May 2019)
- examples: remove unused variables

  Fixes Codacy/CppCheck warnings.

  Closes

Daniel Gustafsson (21 May 2019)
- udpateconninfo: mark variable unused

  When compiling without getpeername() or getsockname(), the sockfd
  parameter to Curl_udpateconninfo() became unused after commit e91e481612
  added ifdef guards.

  Closes #3910
  Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196
  Reviewed-by: Marcel Raad, Daniel Stenberg

- ftp: move ftp_ccc in under featureflag

  Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under
  the FTP featureflag in the UserDefined struct, but vtls callsites were
  still using it unprotected.

  Closes #3912
  Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
  Reviewed-by: Daniel Stenberg, Marcel Raad

Daniel Stenberg (20 May 2019)
- curl: report error for "--no-" on non-boolean options

  Reported-by: Olen Andoni
  Fixes #3906
  Closes #3907

- [Guy Poizat brought this change]

  mbedtls: enable use of EC keys

  Closes #3892

- lib1560: add tests for parsing URL with too long scheme

  Ref: #3905

- [Omar Ramadan brought this change]

  urlapi: increase supported scheme length to 40 bytes

  The longest currently registered URI scheme at IANA is 36 bytes long.
  Closes #3905
  Closes #3900

Marcel Raad (20 May 2019)
- lib: reduce variable scopes

  Fixes Codacy/CppCheck warnings.

  Closes https://github.com/curl/curl/pull/3872

- tool_formparse: remove redundant assignment

  Just initialize word_begin with the correct value.

  Closes https://github.com/curl/curl/pull/3873

- ssh: move variable declaration to where it's used

  This way, we need only one call to free.

  Closes https://github.com/curl/curl/pull/3873

- ssh-libssh: remove unused variable

  sock was only used to be assigned to fd_read.

  Closes https://github.com/curl/curl/pull/3873

Daniel Stenberg (20 May 2019)
- test332: verify the blksize fix

- tftp: use the current blksize for recvfrom()

  bug: https://curl.haxx.se/docs/CVE-2019-5436.html
  Reported-by: l00p3r on hackerone
  CVE-2019-5436

Daniel Gustafsson (19 May 2019)
- version: make ssl_version buffer match for multi_ssl

  When running a multi TLS backend build the version string needs more
  buffer space. Make the internal ssl_buffer stack buffer match the one in
  Curl_multissl_version() to allow for the longer string. For single TLS
  backend builds there is no use in extending the buffer. This is a fallout
  from #3863 which fixes up the multi_ssl string generation to avoid a
  buffer overflow when the buffer is too small.

  Closes #3875
  Reviewed-by: Daniel Stenberg

Steve Holme (18 May 2019)
- http_ntlm_wb: Handle auth for only a single request

  Currently when the server responds with 401 on NTLM authenticated
  connection (re-used) we consider it to have failed. However this is
  legitimate and may happen when for example IIS is configured to
  'authPersistSingleRequest' or when the request goes thru a proxy (with
  'via' header).

  Implemented by employing an additional state once a connection is
  re-used to indicate that if we receive 401 we need to restart
  authentication.

  Missed in fe6049f0.

- http_ntlm_wb: Cleanup handshake after clean NTLM failure

  Missed in 50b87c4e.

- http_ntlm_wb: Return the correct error on receiving an empty auth message

  Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.

  Closes #3894

Daniel Stenberg (18 May 2019)
- curl: make code work with protocol-disabled libcurl

  Closes #3844

- libcurl: #ifdef away more code for disabled features/protocols

- progress: CURL_DISABLE_PROGRESS_METER

- hostip: CURL_DISABLE_SHUFFLE_DNS

- netrc: CURL_DISABLE_NETRC

Viktor Szakats (16 May 2019)
- docs: Markdown and misc improvements [ci skip]

  Approved-by: Daniel Stenberg
  Closes #3896

- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip]

  Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135
  Approved-by: Daniel Stenberg
  Closes #3895

Daniel Stenberg (16 May 2019)
- travis: add an osx http-only build

  Closes #3887

- cleanup: remove FIXME and TODO comments

  They serve very little purpose and mostly just add noise. Most of them
  have been around for a very long time. I read them all before removing
  or rephrasing them.

  Ref: #3876
  Closes #3883

- curl: don't set FTP options for FTP-disabled builds

  ... since libcurl has started to be totally unaware of options for
  disabled protocols they now return error.

  Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937
  Reported-by: Marcel Raad
  Closes #3886

Steve Holme (16 May 2019)
- http_ntlm_wb: Move the type-2 message processing into a dedicated function

  This brings the code in line with the other HTTP authentication
  mechanisms.

  Closes #3890

Daniel Stenberg (15 May 2019)
- RELEASE-NOTES: synced

- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip]

- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip]

  Reported-by: Roy Bellingan
  Bug: #3885

- parse_proxy: use the URL parser API

  As we treat a given proxy as a URL we should use the unified URL parser
  to extract the parts out of it.
  Closes #3878

Steve Holme (15 May 2019)
- http_negotiate: Move the Negotiate state out of the negotiatedata structure

  Given that this member variable is not used by the SASL based protocols
  there is no need to have it here.

  Closes #3882

- http_ntlm: Move the NTLM state out of the ntlmdata structure

  Given that this member variable is not used by the SASL based protocols
  there is no need to have it here.

- url: Move the negotiate state type into a dedicated enum

- url: Remove duplicate clean up of the winbind variables in conn_shutdown()

  Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior to
  calling conn_shutdown() and it in turn performs this, there is no need to
  perform the same action in conn_shutdown().

  Closes #3881

Daniel Stenberg (14 May 2019)
- urlapi: require a non-zero host name length when parsing URL

  Updated test 1560 to verify.

  Closes #3880

- configure: error out if OpenSSL wasn't detected when asked for

  If --with-ssl is used and configure still couldn't enable SSL this
  creates an error instead of just silently ignoring the fact.

  Suggested-by: Isaiah Norton
  Fixes #3824
  Closes #3830

Daniel Gustafsson (14 May 2019)
- imap: Fix typo in comment

Steve Holme (14 May 2019)
- url: Remove unnecessary initialisation from allocate_conn()

  No need to set variables to zero as calloc() does this for us.

  Closes #3879

Daniel Stenberg (14 May 2019)
- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip]

  Clues-provided-by: Jay Satiro
  Clues-provided-by: Jeroen Ooms
  Fixes #3711
  Closes #3874

Daniel Gustafsson (13 May 2019)
- vtls: fix potential ssl_buffer stack overflow

  In Curl_multissl_version() it was possible to overflow the passed in
  buffer if the generated version string exceeded the size of the buffer.
  Fix by inverting the logic, and also make sure to not exceed the local
  buffer during the string generation.
  Closes #3863
  Reported-by: nevv on HackerOne/curl
  Reviewed-by: Jay Satiro
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (13 May 2019)
- RELEASE-NOTES: synced

- appveyor: also build "/ci" branches like travis

- pingpong: disable more when no pingpong enabled

- proxy: acknowledge DISABLE_PROXY more

- parsedate: CURL_DISABLE_PARSEDATE

- sasl: only enable if there's a protocol enabled using it

- mime: acknowledge CURL_DISABLE_MIME

- wildcard: disable from build when FTP isn't present

- http: CURL_DISABLE_HTTP_AUTH

- base64: build conditionally if there are users

- doh: CURL_DISABLE_DOH

Steve Holme (12 May 2019)
- auth: Rename the various authentication clean up functions

  For consistency and to avoid confusion.

  Closes #3869

Daniel Stenberg (12 May 2019)
- [Jay Satiro brought this change]

  docs/INSTALL: fix broken link [ci skip]

  Reported-by: Joombalaya on github
  Fixes #3818

Marcel Raad (12 May 2019)
- easy: fix another "clarify calculation precedence" warning

  I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be.

- build: fix "clarify calculation precedence" warnings

  Codacy/CppCheck warns about this. Consistently use parentheses as we
  already do in some places to silence the warning.

  Closes https://github.com/curl/curl/pull/3866

- cmake: restore C89 compatibility of CurlTests.c

  I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and
  97de97daefc2ed084c91eff34af2426f2e55e134.

  Reported-by: Viktor Szakats
  Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044
  Closes https://github.com/curl/curl/pull/3868

Steve Holme (11 May 2019)
- http_ntlm: Corrected the name of the include guard

  Missed in f0bdd72c.
  Closes #3867

- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled

  Closes #3861

- http_negotiate: Don't expose functions when HTTP is disabled

Daniel Stenberg (11 May 2019)
- SECURITY-PROCESS: fix links [ci skip]

Marcel Raad (11 May 2019)
- CMake: suppress unused variable warnings

  I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e.

Daniel Stenberg (11 May 2019)
- doh: disable DOH for the cases it doesn't work

  Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
  DOH resolves. This fix disables DOH for those.

  Limitation added to KNOWN_BUGS.

  Fixes #3850
  Closes #3857

Jay Satiro (11 May 2019)
- checksrc.bat: Ignore snprintf warnings in docs/examples

  .. because we allow snprintf use in docs/examples.

  Closes https://github.com/curl/curl/pull/3862

Steve Holme (10 May 2019)
- vauth: Fix incorrect function description for Curl_auth_user_contains_domain()

  ...and misalignment of these comments. From a78c61a4.

  Closes #3860

Jay Satiro (10 May 2019)
- Revert "multi: support verbose conncache closure handle"

  This reverts commit b0972bc.

  - No longer show verbose output for the conncache closure handle.

  The offending commit was added so that the conncache closure handle
  would inherit verbose mode from the user's easy handle. (Note there is
  no way for the user to set options for the closure handle which is why
  that was necessary.) Other debug settings such as the debug function
  were not also inherited since we determined that could lead to crashes
  if the user's per-handle private data was used on an unexpected handle.

  The reporter here says he has a debug function to capture the verbose
  output, and does not expect or want any output to stderr; however
  because the conncache closure handle does not inherit the debug function
  the verbose output for that handle does go to stderr.

  There are other plausible scenarios as well such as the user redirects
  stderr on their handle, which is also not inherited since it could lead
  to crashes when used on an unexpected handle.

  Short of allowing the user to set options for the conncache closure
  handle I don't think there's much we can safely do except no longer
  inherit the verbose setting.

  Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html
  Reported-by: Kristoffer Gleditsch

  Ref: https://github.com/curl/curl/pull/3598
  Ref: https://github.com/curl/curl/pull/3618

  Closes https://github.com/curl/curl/pull/3856

Steve Holme (10 May 2019)
- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()

  From 6012fa5a.

  Closes #3858

Daniel Stenberg (9 May 2019)
- BUG-BOUNTY: minor formatting fixes [ci skip]

- RELEASE-NOTES: synced

- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]

  Closes #3839

Kamil Dudka (9 May 2019)
- http_negotiate: do not treat failure of gss_init_sec_context() as fatal

  Fixes #3726
  Closes #3849

- spnego_gssapi: fix return code on gss_init_sec_context() failure

  Fixes #3726
  Closes #3849

Steve Holme (9 May 2019)
- gen_resp_file.bat: Removed unnecessary @ from all but the first command

  There is need to use @ on every command once echo has been turned off.

  Closes #3854

Jay Satiro (8 May 2019)
- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies

  - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to
    the destination host.

  We already do something similar for HTTPS proxies by not sending h2. [1]

  Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would
  incorrectly use HTTP/2 to talk to the proxy, which is not something we
  support (yet?). Also it's debatable whether or not that setting should
  apply to HTTP/2 proxies.

  [1]: https://github.com/curl/curl/commit/17c5d05

  Bug: https://github.com/curl/curl/issues/3570
  Bug: https://github.com/curl/curl/issues/3832

  Closes https://github.com/curl/curl/pull/3853

Marcel Raad (8 May 2019)
- travis: update mesalink build to xenial

  Closes https://github.com/curl/curl/pull/3842

Daniel Stenberg (8 May 2019)
- [Ricky Leverence brought this change]

  OpenSSL: Report -fips in version if OpenSSL is built with FIPS

  Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS
  define. It uses this define to determine whether to publish -fips at the
  end of the version displayed. Applications that utilize the version
  reported by OpenSSL will see a mismatch if they compare it to what curl
  reports, as curl is not modifying the version in the same way. This
  change simply adds a check to see if OPENSSL_FIPS is defined, and will
  alter the reported version to match what OpenSSL itself provides. This
  only appears to be applicable in versions of OpenSSL <1.1.1

  Closes #3771

Kamil Dudka (7 May 2019)
- [Frank Gevaerts brought this change]

  nss: allow fifos and character devices for certificates.

  Currently you can do things like --cert <(cat ./cert.crt) with (at
  least) the openssl backend, but that doesn't work for nss because
  is_file rejects fifos.

  I don't actually know if this is sufficient, nss might do things
  internally (like seeking back) that make this not work, so actual
  testing is needed.

  Closes #3807

Daniel Gustafsson (6 May 2019)
- test2100: Fix typos in test description

Daniel Stenberg (6 May 2019)
- ssh: define USE_SSH if SSH is enabled (any backend)

  Closes #3846

Steve Holme (5 May 2019)
- winbuild: Add our standard copyright header to the winbuild batch files

- makedebug: Fix ERRORLEVEL detection after running where.exe

  Closes #3838

Daniel Stenberg (5 May 2019)
- urlapi: add CURLUPART_ZONEID to set and get

  The zoneid can be used with IPv6 numerical addresses.

  Updated test 1560 to verify.

  Closes #3834

- [Taiyu Len brought this change]

  WRITEFUNCTION: add missing set_in_callback around callback

  Closes #3837

- RELEASE-NOTES: synced

- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip]

  Reported-by: Ricardo Gomes

  Bug: #3537
  Closes #3836

- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value

  The time field in the curl_fileinfo struct will always be zero. No code
  was ever implemented to actually convert the date string to a time_t.

  Fixes #3829
  Closes #3835

- OS400/ccsidcurl.c: code style fixes

- OS400/ccsidcurl: replace use of Curl_vsetopt

  (and make the code style comply)

  Fixes #3833

- urlapi: strip off scope id from numerical IPv6 addresses

  ... to make the host name "usable". Store the scope id and put it back
  when extracting a URL out of it.

  Also makes curl_url_set() syntax check CURLUPART_HOST.

  Fixes #3817
  Closes #3822

- RELEASE-NOTES: synced

- multiif.h: remove unused protos

  ... for functions related to pipelining. Those functions were removed in
  2f44e94efb3df.

  Closes #3828

- [Yiming Jing brought this change]

  travis: mesalink: temporarily disable test 3001

  ... due to SHA-1 signatures in test certs

- [Yiming Jing brought this change]

  travis: upgrade the MesaLink TLS backend to v1.0.0

  Closes #3823
  Closes #3776

- ConnectionExists: improve non-multiplexing use case

  - better log output
  - make sure multiplex is enabled for it to be used

- multi: provide Curl_multiuse_state to update information

  As soon as a TLS backend gets ALPN confirmation about the specific HTTP
  version it can now set the multiplex situation for the "bundle" and
  trigger moving potentially queued up transfers to the CONNECT state.

- process_pending_handles: mark queued transfers as previously pending

  With transfers being queued up, we only move one at a time back to the
  CONNECT state but now we mark moved transfers so that when a moved
  transfer is confirmed "successful" (it connected) it will trigger the
  move of another pending transfer.
  Previously, it would otherwise wait until the transfer was done before
  doing this. This makes queued up pending transfers get processed (much)
  faster.

- http: mark bundle as not for multiuse on < HTTP/2 response

  Fixes #3813
  Closes #3815

Daniel Gustafsson (1 May 2019)
- cookie: Guard against possible NULL ptr deref

  In case the name pointer isn't set (due to memory pressure most likely)
  we need to skip the prefix matching and reject with a badcookie to avoid
  a possible NULL pointer dereference.

  Closes #3820 #3821
  Reported-by: Jonathan Moerman
  Reviewed-by: Daniel Stenberg

Patrick Monnerat (30 Apr 2019)
- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings

Kamil Dudka (29 Apr 2019)
- nss: provide more specific error messages on failed init

  Closes #3808

Daniel Stenberg (29 Apr 2019)
- [Reed Loden brought this change]

  docs: minor polish to the bug bounty / security docs

  Closes #3811

- CURL_MAX_INPUT_LENGTH: largest acceptable string input size

  This limits all accepted input strings passed to libcurl to be less than
  CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
  curl_easy_setopt() and curl_url_set().

  The 8000000 number is arbitrarily picked and is meant to detect mistakes
  or abuse, not to limit actual practical use cases. By limiting the
  acceptable string lengths we also reduce the risk of integer overflows
  all over.

  NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

  Test 1559 verifies.

  Closes #3805

- [Tseng Jun brought this change]

  curlver.h: use parenthesis in CURL_VERSION_BITS macro

  Closes #3809

Marcel Raad (27 Apr 2019)
- [Simon Warta brought this change]

  cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP

  Closes https://github.com/curl/curl/pull/3769

Steve Holme (23 Apr 2019)
- ntlm: Missed pre-processor || (or) during rebase for cd15acd0

- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4

  Just like we do for mbed TLS, use our local implementation of MD4 when
  OpenSSL doesn't support it.
  This allows a type-3 message to include the NT response.

Daniel Gustafsson (23 Apr 2019)
- INTERNALS: fix misindentation of ToC item

  Kerberos was incorrectly indented as a subsection under FTP, which is
  incorrect as they are both top level sections. A fix for this was first
  attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that was
  a few paddles short of being complete.

- [Aron Bergman brought this change]

  INTERNALS: Add structs to ToC

  Add the subsections under "Structs in libcurl" to the table of contents.

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Daniel Gustafsson

- [Aron Bergman brought this change]

  INTERNALS: Add code highlighting

  Make all struct members under the Curl_handler section print in
  monospace font.

  Closes #3801
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Daniel Gustafsson

Daniel Stenberg (22 Apr 2019)
- docs/BUG-BOUNTY: bug bounty time [skip ci]

  Introducing the curl bug bounty program on hackerone. We now recommend
  filing security issues directly in the hackerone ticket system which
  only is readable to curl security team members.

  Assisted-by: Daniel Gustafsson

  Closes #3488

Steve Holme (22 Apr 2019)
- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616

  RFC 4616 specifies the authzid is optional in the client authentication
  message and that the server will derive the authorisation identity
  (authzid) from the authentication identity (authcid) when not specified
  by the client.

Jay Satiro (22 Apr 2019)
- [Gisle Vanem brought this change]

  memdebug: fix variable name

  Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile.

  Ref: https://github.com/curl/curl/commit/76b6348#r33259088

Steve Holme (21 Apr 2019)
- vauth/cleartext: Don't send the authzid if it is empty

  Follow up to 762a292f.

Daniel Stenberg (21 Apr 2019)
- test 196,197,198: add 'retry' keyword [skip ci]

- RELEASE-NOTES: synced

- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse

  ... and disconnect too old ones instead of trying to reuse.

  Default max age is set to 118 seconds.

  Ref: #3722
  Closes #3782

Daniel Gustafsson (20 Apr 2019)
- [Po-Chuan Hsieh brought this change]

  altsvc: Fix building with cookies disabled

  ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a
  #if check of HTTP and COOKIES. That makes Curl_get_line undefined if
  COOKIES is disabled. Fix by splitting out the function into a separate
  file which can be included where needed.

  Closes #3717
  Reviewed-by: Daniel Gustafsson
  Reviewed-by: Marcel Raad

Daniel Stenberg (20 Apr 2019)
- test1002: correct the name [skip ci]

- test660: verify CONNECT_ONLY with IMAP

  which basically just makes sure LOGOUT is *not* issued on disconnect

- Curl_disconnect: treat all CONNECT_ONLY connections as "dead"

  Since the connection has been used by the "outside" we don't know the
  state of it anymore and curl should not use it anymore.

  Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html

  Closes #3795

- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e)

  The list of names must be in sync with the defined states in the header
  file!

Steve Holme (16 Apr 2019)
- openvms: Remove pre-processors for Windows as VMS cannot support them

- openvms: Remove pre-processor for SecureTransport as VMS cannot support it

  Fixes #3768
  Closes #3785

Jay Satiro (16 Apr 2019)
- TODO: Add issue link to an existing entry

Daniel Stenberg (16 Apr 2019)
- RELEASE-NOTES: synced

Jay Satiro (16 Apr 2019)
- tool_help: Warn if curl and libcurl versions do not match

  .. because functionality may be affected if the versions differ.

  This commit implements TODO 18.7 "warning if curl version is not in sync
  with libcurl version".

  Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033

  Closes https://github.com/curl/curl/pull/3774

Steve Holme (16 Apr 2019)
- md5: Update the function signature following d84da52d

- md5: Forgot to update the code alignment in d84da52d

- md5: Return CURLcode from the internally accessible functions

  Following 28f826b3 to return CURLE_OK instead of numeric 0.

Daniel Gustafsson (15 Apr 2019)
- tests: Run global cleanup at end of tests

  Make sure to run curl_global_cleanup() when shutting down the test suite
  to release any resources allocated in the SSL setup. This is clearly
  visible when running tests with PolarSSL where the thread lock calloc()
  memory which isn't released when not running cleanup. Below is an
  excerpt from the autobuild logs:

  ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2
  ==12368==    at 0x4837B65: calloc (vg_replace_malloc.c:752)
  ==12368==    by 0x11A76E: curl_dbg_calloc (memdebug.c:205)
  ==12368==    by 0x145CDF: Curl_polarsslthreadlock_thread_setup (polarssl_threadlock.c:54)
  ==12368==    by 0x145B37: Curl_polarssl_init (polarssl.c:865)
  ==12368==    by 0x14129D: Curl_ssl_init (vtls.c:171)
  ==12368==    by 0x118B4C: global_init (easy.c:158)
  ==12368==    by 0x118BF5: curl_global_init (easy.c:221)
  ==12368==    by 0x118D0B: curl_easy_init (easy.c:299)
  ==12368==    by 0x114E96: test (lib1906.c:32)
  ==12368==    by 0x115495: main (first.c:174)

  Closes #3783
  Reviewed-by: Marcel Raad
  Reviewed-by: Daniel Stenberg

Marcel Raad (15 Apr 2019)
- travis: use mbedtls from Xenial

  No need to build it from source anymore.

  Closes https://github.com/curl/curl/pull/3779

- travis: use libpsl from Xenial

  This makes building libpsl and libidn2 from source unnecessary and
  removes the need for the autopoint and libunistring-dev packages.

  Closes https://github.com/curl/curl/pull/3779

Daniel Stenberg (15 Apr 2019)
- runtests: start socksd like other servers

  ... without a $srcdir prefix. Triggered by the failures in several
  autobuilds.

  Closes #3781

Daniel Gustafsson (14 Apr 2019)
- socksd: Fix typos

  Reviewed-by: Daniel Stenberg

- socksd: Properly decorate static variables

  Mark global variables static to avoid compiler warning in Clang when
  using -Wmissing-variable-declarations.

  Closes #3778
  Reviewed-by: Daniel Stenberg

Steve Holme (14 Apr 2019)
- md(4|5): Fixed indentation oddities with the importation of replacement code

  The indentation from 211d5329 and 57d6d253 was a little strange as parts
  didn't align correctly, uses 4 spaces rather than 2. Checked the
  indentation of the original source so it aligns, albeit, using curl
  style.

- md5: Code style to return CURLE_OK rather than numeric 0

- md5: Corrected code style for some pointer arguments

Marcel Raad (13 Apr 2019)
- travis: update some builds to xenial

  Xenial comes with more up-to-date software versions and more available
  packages, some of which we currently build from source. Unfortunately,
  some builds would fail with Xenial because of assertion failures in
  Valgrind when using OpenSSL, so leave these at Trusty.

  Closes https://github.com/curl/curl/pull/3777

Daniel Stenberg (13 Apr 2019)
- test: make tests and test scripts use socksd for SOCKS

  Make all SOCKS tests use socksd instead of ssh.

- socksd: new SOCKS 4+5 server for tests

  Closes #3752

- singleipconnect: show port in the verbose "Trying ..." message

  To aid debugging better.

- [tmilburn brought this change]

  CURLOPT_ADDRESS_SCOPE: fix range check and more

  Commit 9081014 fixed most of the confusing issues between scope id and
  scope however 844896d added bad limits checking assuming that the scope
  is being set and not the scope id.

  I have fixed the documentation so it all refers to scope ids.

  In addition Curl_if2ip referred to the scope id as remote_scope_id which
  is incorrect, so I renamed it to local_scope_id.

  Adjusted-by: Daniel Stenberg

  Closes #3655
  Closes #3765
  Fixes #3713

- urlapi: stricter CURLUPART_PORT parsing

  Only allow well formed decimal numbers in the input.

  Document that the number MUST be between 1 and 65535.

  Add tests to test 1560 to verify the above.

  Ref: https://github.com/curl/curl/issues/3753
  Closes #3762

Jay Satiro (13 Apr 2019)
- [Jan Ehrhardt brought this change]

  winbuild: Support MultiSSL builds

  - Remove the lines in winbuild/Makefile.vc that generate an error with
    multiple SSL backends.

  - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL
    backends are set.

  Closes https://github.com/curl/curl/pull/3772

Daniel Stenberg (12 Apr 2019)
- travis: remove mesalink builds (temporarily?)

  Since the mesalink build started to fail on travis, even though we build
  a fixed release version, we disable it to prevent it from blocking
  progress.

  Closes #3767

- openssl: mark connection for close on TLS close_notify

  Without this, detecting and avoid reusing a closed TLS connection
  (without a previous GOAWAY) when doing HTTP/2 is tricky.

  Reported-by: Tom van der Woerdt
  Fixes #3750
  Closes #3763

- RELEASE-NOTES: synced

Steve Holme (11 Apr 2019)
- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616

  Functionally this doesn't change anything as we still use the username
  for both the authorisation identity and the authentication identity.

  Closes #3757

Daniel Stenberg (11 Apr 2019)
- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage

  Based-on-code-by: Poul T Lomholt

- url: always clone the CURLOPT_CURLU handle

  Since a few code paths actually update that data.

  Fixes #3753
  Closes #3761

  Reported-by: Poul T Lomholt

- CURLOPT_DNS_USE_GLOBAL_CACHE: remove

  Remove the code too. The functionality has been disabled in code since
  7.62.0. Setting this option will from now on simply be ignored and have
  no function.

  Closes #3654

Marcel Raad (11 Apr 2019)
- travis: install libgnutls28-dev only for --with-gnutls build

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install libnss3-dev only for --with-nss build

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install libssh2-dev only for --with-libssh2 build

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install libssh-dev only for --with-libssh build

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install krb5-user only for --with-gssapi build

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install lcov only for the coverage job

  Reduces the time needed for the other jobs a little.

  Closes https://github.com/curl/curl/pull/3721

- travis: install clang only when needed

  This reduces the GCC job runtimes a little and it's needed to
  selectively update clang builds to xenial.

  Closes https://github.com/curl/curl/pull/3721

- AppVeyor: enable testing for WinSSL build

  Closes https://github.com/curl/curl/pull/3725

- build: fix Codacy/CppCheck warnings

  - remove unused variables
  - declare conditionally used variables conditionally
  - suppress unused variable warnings in the CMake tests
  - remove dead variable stores
  - consistently use WIN32 macro to detect Windows

  Closes https://github.com/curl/curl/pull/3739

- polarssl_threadlock: remove conditionally unused code

  Make functions no-ops if neither both USE_THREADS_POSIX and
  HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are
  defined. Previously, if only one of them was defined, there was either
  code compiled that did nothing useful or the wrong header included for
  the functions used.

  Also, move POLARSSL_MUTEX_T define to implementation file as it's not
  used externally.

  Closes https://github.com/curl/curl/pull/3739

- lib557: initialize variables

  These variables are only conditionally initialized.

  Closes https://github.com/curl/curl/pull/3739

- lib509: add missing include for strdup

  Closes https://github.com/curl/curl/pull/3739

- README.md: fix no-consecutive-blank-lines Codacy warning

  Consistently use one blank line between blocks.

  Closes https://github.com/curl/curl/pull/3739

- tests/server/util: fix Windows Unicode build

  Always use the ANSI version of FormatMessage as we don't have the
  curl_multibyte gear available here.

  Closes https://github.com/curl/curl/pull/3758

Daniel Stenberg (11 Apr 2019)
- curl_easy_getinfo.3: fix minor formatting mistake

Daniel Gustafsson (11 Apr 2019)
- xattr: skip unittest on unsupported platforms

  The stripcredentials unittest fails to compile on platforms without
  xattr support, for example the Solaris member in the buildfarm which
  fails with the following:

    CC       unit1621-unit1621.o
    CC       ../libtest/unit1621-first.o
    CCLD     unit1621
  Undefined                       first referenced
   symbol                             in file
  stripcredentials                    unit1621-unit1621.o
  goto problem 2
  ld: fatal: symbol referencing errors. No output written to .libs/unit1621
  collect2: error: ld returned 1 exit status
  gmake[2]: *** [Makefile:996: unit1621] Error 1

  Fix by excluding the test on such platforms by using the reverse logic
  from where stripcredentials() is defined.

  Closes #3759
  Reviewed-by: Daniel Stenberg

Steve Holme (11 Apr 2019)
- email: Added reference to RFC8314 for implicit TLS

- README: Schannel, stop calling it "winssl"

  Stick to "Schannel" everywhere - follow up to 180501cb.

Jakub Zakrzewski (10 Apr 2019)
- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use

  This fixes GSSAPI builds with the libraries in a non-standard location.
  The testing for recv() was failing because it failed to link the
  Kerberos libraries, which are not needed for this or subsequent tests.

  fixes #3743
  closes #3744

- cmake: avoid linking executable for some tests with cmake 3.6+

  With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the
  try_compile() (which is used by check_c_source_compiles()) will build
  static library instead of executable. This avoids linking additional
  libraries in and thus speeds up those checks a little.

  This commit also avoids #3743 (GSSAPI build errors) on itself with cmake
  3.6 or above. That issue was fixed separately for all versions.

  Ref: #3744

- cmake: minor cleanup

  - Remove unneeded include_regular_expression. It was setting what is
    already a default.

  - Remove duplicated include.

  - Don't check for pre-3.0.0 CMake version. We already require at least
    3.0.0, so it's just clutter.

  Ref: #3744

Steve Holme (8 Apr 2019)
- build-openssl.bat: Fixed support for OpenSSL v1.1.0+

- build-openssl.bat: Prefer the use of if statements rather than goto (where possible)

- build-openssl.bat: Perform the install for each build type directly after the build

- build-openssl.bat: Split the install of static and shared build types

- build-openssl.bat: Split the building of static and shared build types

- build-openssl.bat: Move the installation into a separate function

- build-openssl.bat: Move the build step into a separate function

- build-openssl.bat: Move the OpenSSL configuration into a separate function

- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised

  Should the parent environment set this variable then the build might not
  be performed as the user intended.

Daniel Stenberg (8 Apr 2019)
- socks: fix error message

- config.d: clarify that initial : and = might need quoting [skip ci]

  Fixes #3738
  Closes #3749

- RELEASE-NOTES: synced

  bumped to 7.65.0 for next release

- socks5: user name and passwords must be shorter than 256

  bytes... since the protocol needs to store the length in a single byte
  field.
  Reported-by: XmiliaH on github
  Fixes #3737
  Closes #3740

- [Jakub Zakrzewski brought this change]

  test: urlapi: urlencode characters above 0x7f correctly

- [Jakub Zakrzewski brought this change]

  urlapi: urlencode characters above 0x7f correctly

  fixes #3741
  Closes #3742

- [Even Rouault brought this change]

  multi_runsingle(): fix use-after-free

  Fixes #3745
  Closes #3746

  The following snippet
  ```

  int main()
  {
      CURL* hCurlHandle = curl_easy_init();
      curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com");
      curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1");
      curl_easy_perform(hCurlHandle);
      curl_easy_cleanup(hCurlHandle);
      return 0;
  }
  ```
  triggers the following Valgrind warning

  ```
  ==4125== Invalid read of size 8
  ==4125==    at 0x4E7D1EE: Curl_llist_remove (llist.c:97)
  ==4125==    by 0x4E7EF5C: detach_connnection (multi.c:798)
  ==4125==    by 0x4E80545: multi_runsingle (multi.c:1451)
  ==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
  ==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
  ==4125==    by 0x4E76915: easy_perform (easy.c:719)
  ==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
  ==4125==    by 0x4008BE: main (in /home/even/curl/test)
  ==4125==  Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd
  ==4125==    at 0x4C2ECF0: free (vg_replace_malloc.c:530)
  ==4125==    by 0x4E62C36: conn_free (url.c:756)
  ==4125==    by 0x4E62D34: Curl_disconnect (url.c:818)
  ==4125==    by 0x4E48DF9: Curl_once_resolved (hostip.c:1097)
  ==4125==    by 0x4E8052D: multi_runsingle (multi.c:1446)
  ==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
  ==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
  ==4125==    by 0x4E76915: easy_perform (easy.c:719)
  ==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
  ==4125==    by 0x4008BE: main (in /home/even/curl/test)
  ==4125==  Block was alloc'd at
  ==4125==    at 0x4C2F988: calloc (vg_replace_malloc.c:711)
  ==4125==    by 0x4E6438E: allocate_conn (url.c:1654)
  ==4125==    by 0x4E685B4: create_conn (url.c:3496)
  ==4125==    by 0x4E6968F: Curl_connect (url.c:4023)
  ==4125==    by 0x4E802E7: multi_runsingle (multi.c:1368)
  ==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
  ==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
  ==4125==    by 0x4E76915: easy_perform (easy.c:719)
  ==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
  ==4125==    by 0x4008BE: main (in /home/even/curl/test)
  ```

  This has been bisected to commit 2f44e94

  Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109
  Credit to OSS Fuzz

- pipelining: removed

  As previously planned and documented in DEPRECATE.md, all pipelining
  code is removed.

  Closes #3651

- [cclauss brought this change]

  tests: make Impacket (SMB server) Python 3 compatible

  Closes #3731
  Fixes #3289

Marcel Raad (6 Apr 2019)
- [Simon Warta brought this change]

  cmake: set SSL_BACKENDS

  This groups all SSL backends into the feature "SSL" and sets the
  SSL_BACKENDS analogue to configure.ac

  Closes https://github.com/curl/curl/pull/3736

- [Simon Warta brought this change]

  cmake: don't run SORT on empty list

  In case of an empty list, SORTing leads to the cmake error "list
  sub-command SORT requires list to be present."

  Closes https://github.com/curl/curl/pull/3736

Daniel Gustafsson (5 Apr 2019)
- [Eli Schwartz brought this change]

  configure: fix default location for fish completions

  Fish defines a vendor completions directory for completions that are not
  installed as part of the fish project itself, and the vendor completions
  are preferred if they exist. This prevents trying to overwrite the
  builtin curl.fish completion (or creating file conflicts in distro
  packaging).

  Prefer the pkg-config defined location exported by fish, if it can be
  found, and fall back to the correct directory defined by most systems.

  Closes #3723
  Reviewed-by: Daniel Gustafsson

Marcel Raad (5 Apr 2019)
- ftplistparser: fix LGTM alert "Empty block without comment"

  Removing the block is consistent with line 954/957.
  Closes https://github.com/curl/curl/pull/3732

- transfer: fix LGTM alert "Comparison is always true"

  Just remove the redundant condition, which also makes it clear that
  k->buf is always 0-terminated if this break is not hit.

  Closes https://github.com/curl/curl/pull/3732

Jay Satiro (4 Apr 2019)
- [Rikard Falkeborn brought this change]

  smtp: fix compiler warning

  - Fix clang string-plus-int warning.

  Clang 8 warns about adding a string to an int does not append to the
  string. Indeed it doesn't, but that was not the intention either. Use
  array indexing as suggested to silence the warning. There should be no
  functional changes.

  (In other words clang warns about "foo"+2 but not &"foo"[2] so use the
  latter.)

  smtp.c:1221:29: warning: adding 'int' to a string does not append to the
  string [-Wstring-plus-int]
  eob = strdup(SMTP_EOB + 2);
  ~~~~~~~~~~~~~~~~^~~~

  Closes https://github.com/curl/curl/pull/3729

Marcel Raad (4 Apr 2019)
- VS projects: use Unicode for VC10+

  All Windows APIs have been natively UTF-16 since Windows 2000 and the
  non-Unicode variants are just wrappers around them. Only Windows 9x
  doesn't understand Unicode without the UnicoWS DLL. As later Visual
  Studio versions cannot target Windows 9x anyway, using the ANSI API
  doesn't really have any benefit there.

  This avoids issues like KNOWN_BUGS 6.5.

  Ref: https://github.com/curl/curl/issues/2120
  Closes https://github.com/curl/curl/pull/3720

Daniel Gustafsson (3 Apr 2019)
- RELEASE-NOTES: synced

  Bump the version in progress to 7.64.2, if we merge any "change"
  before the cut-off date we can update the version.

- [Tim Rühsen brought this change]

  documentation: Fix several typos

  Closes #3724
  Reviewed-by: Jakub Zakrzewski
  Reviewed-by: Daniel Gustafsson

Jay Satiro (2 Apr 2019)
- [Mert Yazıcıoğlu brought this change]

  vauth/oauth2: Fix OAUTHBEARER token generation

  OAUTHBEARER tokens were incorrectly generated in a format similar to
  XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the
  RFC7628.
  Fixes: #2487
  Reported-by: Paolo Mossino

  Closes https://github.com/curl/curl/pull/3377

Marcel Raad (2 Apr 2019)
- tool_cb_wrt: fix bad-function-cast warning

  Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the
  warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8.
  Extend fhnd's scope and reuse that variable instead of calling
  _get_osfhandle a second time to fix the warning again.

  Closes https://github.com/curl/curl/pull/3718

- VC15 project: remove MinimalRebuild

  Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the
  library project, but I forgot the tool project template. Now also
  removed for that.

Dan Fandrich (1 Apr 2019)
- cirrus: Customize the disabled tests per FreeBSD version

  Try to run as many test cases as possible on each OS version.
  12.0 passes 13 more tests than the older versions, so we might as well
  run them.

Daniel Stenberg (1 Apr 2019)
- tool_help: include for strcasecmp

  Reported-by: Wyatt O'Day
  Fixes #3715
  Closes #3716

Daniel Gustafsson (31 Mar 2019)
- scripts: fix typos

Dan Fandrich (28 Mar 2019)
- travis: allow builds on branches named "ci"

  This allows a way to test changes other than through PRs.

Daniel Stenberg (27 Mar 2019)
- [Brad Spencer brought this change]

  resolve: apply Happy Eyeballs philosophy to parallel c-ares queries

  Closes #3699

- multi: improved HTTP_1_1_REQUIRED handling

  Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error
  on first flight.

  Reported-by: niner on github
  Fixes #3696
  Closes #3707

- [Leonardo Taccari brought this change]

  configure: avoid unportable `==' test(1) operator

  Closes #3709

Version 7.64.1 (27 Mar 2019)

Daniel Stenberg (27 Mar 2019)
- RELEASE: 7.64.1

- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"

  This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00.
  Fixes #3708

- [Christian Schmitz brought this change]

  ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set

  Closes #3704

Jay Satiro (26 Mar 2019)
- tool_cb_wrt: fix writing to Windows null device NUL

  - Improve console detection.

  Prior to this change WriteConsole could be called to write to a handle
  that may not be a console, which would cause an error. This issue is
  limited to character devices that are not also consoles such as the null
  device NUL.

  Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724
  Reported-by: Gisle Vanem

- CURLMOPT_PIPELINING.3: fix typo

Daniel Stenberg (25 Mar 2019)
- TODO: config file parsing

  Closes #3698

Jay Satiro (24 Mar 2019)
- os400: Disable Alt-Svc by default since it's experimental

  Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
  default for OS400. Since the feature is experimental, it should be
  disabled by default.

  Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
  Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html

  Closes https://github.com/curl/curl/pull/3688

Dan Fandrich (24 Mar 2019)
- tests: Fixed XML validation errors in some test files.

- tests: Fix some incorrect precheck error messages.

  [ci skip]

Daniel Stenberg (22 Mar 2019)
- curl_url.3: this is not experimental anymore

- travis: bump the used wolfSSL version to 4.0.0

  Test 311 is now fine, leaving only 313 (CRL) disabled.

  Test 313 details can be found here:
  https://github.com/wolfSSL/wolfssl/issues/1546

  Closes #3697

Daniel Gustafsson (22 Mar 2019)
- lib: Fix typos in comments

David Woodhouse (20 Mar 2019)
- openssl: if cert type is ENG and no key specified, key is ENG too

  Fixes #3692
  Closes #3692

Daniel Stenberg (20 Mar 2019)
- sectransp: tvOS 11 is required for ALPN support

  Reported-by: nianxuejie on github
  Assisted-by: Nick Zitzmann
  Assisted-by: Jay Satiro
  Fixes #3689
  Closes #3690

- test1541: threaded connection sharing

  The threaded-shared-conn.c example turned into test case.
  Only works if pthread was detected.

  An attempt to detect future regressions such as e3a53e3efb942a5

  Closes #3687

Patrick Monnerat (17 Mar 2019)
- os400: alt-svc support.

  Although experimental, enable it in the platform config file.
  Upgrade ILE/RPG binding.

Daniel Stenberg (17 Mar 2019)
- conncache: use conn->data to know if a transfer owns it

  - make sure an already "owned" connection isn't returned unless
    multiplexed.

  - clear ->data when returning the connection to the cache again

  Regression since 7.62.0 (probably in commit 1b76c38904f0)

  Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html

  Closes #3686

- RELEASE-NOTES: synced

- [Chris Young brought this change]

  configure: add --with-amissl

  AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
  It also requires all programs using it to use bsdsocket.library
  directly, rather than accessing socket functions through clib, which
  libcurl was not necessarily doing previously. Configure will now check
  for the headers and ensure they are included if found.

  Closes #3677

- [Chris Young brought this change]

  vtls: rename some of the SSL functions

  ... in the SSL structure as AmiSSL is using macros for the socket API
  functions.

- [Chris Young brought this change]

  tool_getpass: termios.h is present on AmigaOS 3, but no
  tcgetattr/tcsetattr

- [Chris Young brought this change]

  tool_operate: build on AmigaOS

- makefile: make checksrc and hugefile commands "silent"

  ... to match the style already used for compiling, linking
  etc. Acknowledges 'make V=1' to enable verbose.

  Closes #3681

- curl.1: --user and --proxy-user are hidden from ps output

  Suggested-by: Eric Curtin
  Improved-by: Dan Fandrich
  Ref: #3680

  Closes #3683

- curl.1: mark the argument to --cookie as

  From a discussion in #3676

  Suggested-by: Tim Rühsen

  Closes #3682

Dan Fandrich (14 Mar 2019)
- fuzzer: Only clone the latest fuzzer code, for speed.

Daniel Stenberg (14 Mar 2019)
- [Dominik Hölzl brought this change]

  Negotiate: fix for HTTP POST with Negotiate

  * Adjusted unit tests 2056, 2057
  * do not generally close connections with CURLAUTH_NEGOTIATE after every
    request
  * moved negotiatedata from UrlState to connectdata
  * Added stream rewind logic for CURLAUTH_NEGOTIATE
  * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
  * Consider authproblem state for CURLAUTH_NEGOTIATE
  * Consider reuse_forbid for CURLAUTH_NEGOTIATE
  * moved and adjusted negotiate authentication state handling from
    output_auth_headers into Curl_output_negotiate
  * Curl_output_negotiate: ensure auth done is always set
  * Curl_output_negotiate: Set auth done also if result code is
    GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
    also indicate the last challenge request (only works with disabled
    Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
  * Consider "Persistent-Auth" header, detect if not present;
    Reset/Cleanup negotiate after authentication if no persistent
    authentication
  * apply changes introduced with #2546 for negotiate rewind logic

  Fixes #1261
  Closes #1975

- [Marc Schlatter brought this change]

  http: send payload when (proxy) authentication is done

  The check that prevents payload from sending in case of authentication
  doesn't check properly if the authentication is done or not.

  There are cases where the proxy responds "200 OK" before sending
  authentication challenge. This change takes care of that.

  Fixes #2431
  Closes #3669

- file: fix "Checking if unsigned variable 'readcount' is less than zero."

  Pointed out by codacy

  Closes #3672

- memdebug: log pointer before freeing its data

  Coverity warned for two potential "Use after free" cases. Both are false
  positives because the memory wasn't used, it was only the actual pointer
  value that was logged.

  The fix still changes the order of execution to avoid the warnings.

  Coverity CID 1443033 and 1443034

  Closes #3671

- RELEASE-NOTES: synced

Marcel Raad (12 Mar 2019)
- travis: actually use updated compiler versions

  For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the
  new GCC versions were only used for the coverage build and for building
  nghttp2, while the new clang version was not used at all.

  BoringSSL needs to use the default GCC as it respects CC, but not CXX,
  so it would otherwise pass gcc 8 options to g++ 4.8 and fail.

  Also remove GCC 7, it's not needed anymore.

  Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning

  Closes https://github.com/curl/curl/pull/3670

- travis: update clang to version 7

  Closes https://github.com/curl/curl/pull/3670

Jay Satiro (11 Mar 2019)
- [Andre Guibert de Bruet brought this change]

  examples/externalsocket: add missing close socket calls

  .. and for Windows also call WSACleanup since we call WSAStartup.

  The example is to demonstrate handling the socket independently of
  libcurl. In this case libcurl is not responsible for creating, opening
  or closing the socket, it is handled by the application (our example).

  Fixes https://github.com/curl/curl/pull/3663

Daniel Stenberg (11 Mar 2019)
- multi: removed unused code for request retries

  This code was once used for the non multi-interface using code path, but
  ever since easy_perform was turned into a wrapper around the multi
  interface, this code path never runs.

  Closes #3666

Jay Satiro (11 Mar 2019)
- doh: inherit some SSL options from user's easy handle

  - Inherit SSL options for the doh handle but not SSL client certs,
    SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
    SSL pinned public key, SSL ciphers, SSL id cache setting,
    SSL kerberos or SSL gss-api settings.

  - Fix inheritance of verbose setting.

  - Inherit NOSIGNAL.

  There is no way for the user to set options for the doh (DNS-over-HTTPS)
  handles and instead we inherit some options from the user's easy handle.

  My thinking for the SSL options not inherited is they are most likely
  not intended by the user for the DOH transfer. I did inherit insecure
  because I think that should still be in control of the user.

  Prior to this change doh did not work for me because CAINFO was not
  inherited. Also verbose was set always which AFAICT was a bug (#3660).

  Fixes https://github.com/curl/curl/issues/3660
  Closes https://github.com/curl/curl/pull/3661

Daniel Stenberg (9 Mar 2019)
- test331: verify set-cookie for dotless host name

  Reproduced bug #3649
  Closes #3659

- Revert "cookies: extend domain checks to non psl builds"

  This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.

  Regression shipped in 7.64.0
  Fixes #3649

- memdebug: make debug-specific functions use curl_dbg_ prefix

  To not "collide" or use up the regular curl_ name space. Also makes them
  easier to detect in helper scripts.

  Closes #3656

- cmdline-opts/proxytunnel.d: the option tunnels all protocols

  Clarify the language and simplify.

  Reported-by: Daniel Lublin
  Closes #3658

- KNOWN_BUGS: Client cert (MTLS) issues with Schannel

  Closes #3145

- ROADMAP: updated to some more current things to work on

- tests: fix multiple may be used uninitialized warnings

- RELEASE-NOTES: synced

- source: fix two 'nread' may be used uninitialized warnings

  Both seem to be false positives but we don't like warnings.

  Closes #3646

- gopher: remove check for path == NULL

  Since it can't be NULL and it makes Coverity believe we lack proper NULL
  checks. Verified by test 659, landed in commit 15401fa886b.

  Pointed out by Coverity CID 1442746.

  Assisted-by: Dan Fandrich
  Fixes #3617
  Closes #3642

- examples: only include

  That's the only public curl header we should encourage use of.

  Reviewed-by: Marcel Raad
  Closes #3645

- ssh: loop the state machine if not done and not blocking

  If the state machine isn't complete, didn't fail and it didn't return
  due to blocking it can just as well loop again.

  This addresses the problem with SFTP directory listings where we would
  otherwise return back to the parent and as the multi state machine
  doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
  doing phase isn't complete, it would return out when in reality there
  was more data to deal with.

  Fixes #3506
  Closes #3644

Jay Satiro (5 Mar 2019)
- multi: support verbose conncache closure handle

  - Change closure handle to receive verbose setting from the easy handle
    most recently added via curl_multi_add_handle.

  The closure handle is a special easy handle used for closing cached
  connections. It receives limited settings from the easy handle most
  recently added to the multi handle. Prior to this change that did not
  include verbose which was a problem because on connection shutdown
  verbose mode was not acknowledged.

  Ref: https://github.com/curl/curl/pull/3598

  Co-authored-by: Daniel Stenberg

  Closes https://github.com/curl/curl/pull/3618

Daniel Stenberg (4 Mar 2019)
- CURLU: fix NULL dereference when used over proxy

  Test 659 verifies

  Also fixed the test 658 name

  Closes #3641

- altsvc_out: check the return code from Curl_gmtime

  Pointed out by Coverity, CID 1442956.

  Closes #3640

- docs/ALTSVC.md: docs describing the approach

  Closes #3498

- alt-svc: add a travis build

- alt-svc: add test 355 and 356 to verify with command line curl

- alt-svc: the curl command line bits

- alt-svc: the libcurl bits

- travis: add build using gnutls

  Closes #3637

- RELEASE-NOTES: synced

- [Simon Legner brought this change]

  scripts/completion.pl: also generate fish completion file

  This is the renamed script formerly known as zsh.pl

  Closes #3545

- gnutls: remove call to deprecated gnutls_compression_get_name

  It has been deprecated by GnuTLS since a year ago and now causes build
  warnings.

  Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
  Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html

  Closes #3636

Jay Satiro (2 Mar 2019)
- system_win32: move win32_init here from easy.c

  .. since system_win32 is a more appropriate location for the functions
  and to extern the globals.

  Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
  Reported-by: Gisle Vanem

  Closes https://github.com/curl/curl/pull/3625

Daniel Stenberg (1 Mar 2019)
- curl_easy_duphandle.3: clarify that a duped handle has no shares

  Reported-by: Sara Golemon

  Fixes #3592
  Closes #3634

- 10-at-a-time.c: fix too long line

- [Arnaud Rebillout brought this change]

  examples: various fixes in ephiperfifo.c

  The main change here is the timer value that was wrong, it was given in
  usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 *
  1000). This resulted in the callback being invoked WAY TOO OFTEN.

  As a quick check you can run this command before and after applying this
  commit:

    # shell 1
    ./ephiperfifo 2>&1 | tee ephiperfifo.log
    # shell 2
    echo http://hacking.elboulangero.com > hiper.fifo

  Then just compare the size of the log files.

  Closes #3633
  Fixes #3632
  Signed-off-by: Arnaud Rebillout

- urldata: simplify bytecounters

  - no need to have them protocol specific

  - no need to set pointers to them with the Curl_setup_transfer() call

  - make Curl_setup_transfer() operate on a transfer pointer, not
    connection

  - switch some counters from long to the more proper curl_off_t type

  Closes #3627

- examples/10-at-a-time.c: improve readability and simplify

  - use better variable names to explain their purposes
  - convert logic to curl_multi_wait()

- threaded-resolver: shutdown the resolver thread without error message

  When a transfer is done, the resolver thread will be brought down. That
  could accidentally generate an error message in the error buffer even
  though this is not an error situation and the transfer would still return
  OK. An application that still reads the error buffer could find a
  "Could not resolve host: [host name]" message there and get confused.

  Reported-by: Michael Schmid
  Fixes #3629
  Closes #3630

- [Ԝеѕ brought this change]

  docs: update max-redirs.d phrasing

  clarify redir - "in absurdum" doesn't seem to make sense in this context

  Closes #3631

- ssh: fix Condition '!status' is always true

  in the same sftp_done function in both SSH backends. Simplify them
  somewhat.

  Pointed out by Codacy.

  Closes #3628

- test578: make it read data from the correct test

- Curl_easy: remove req.maxfd - never used!

  Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
  since when.

  Closes #3626

- http: set state.infilesize when sending formposts

  Without it set, we would unwillingly trigger the "HTTP error before end of
  send, stop sending" condition even if the entire POST body had been sent
  (since it wouldn't know the expected size) which would unnecessarily log
  that message and close the connection when it didn't have to.

  Reported-by: Matt McClure
  Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
  Closes #3624

- INSTALL: refer to the current TLS library names and configure options

- FAQ: minor updates and spelling fixes

- GOVERNANCE.md: minor spelling fixes

- Secure Transport: no more "darwinssl"

  Everyone calls it Secure Transport, now we do too.

  Reviewed-by: Nick Zitzmann

  Closes #3619

Marcel Raad (27 Feb 2019)
- AppVeyor: add classic MinGW build

  But use the MSYS2 shell rather than the default MSYS shell because of
  POSIX path conversion issues. Classic MinGW is only available on the
  Visual Studio 2015 image.

  Closes https://github.com/curl/curl/pull/3623

- AppVeyor: add MinGW-w64 build

  Add a MinGW-w64 build using CMake's MSYS Makefiles generator.
  Use the Visual Studio 2015 image as it has GCC 8, while the
  Visual Studio 2017 image only has GCC 7.2.

  Closes https://github.com/curl/curl/pull/3623

Daniel Stenberg (27 Feb 2019)
- cookies: only save the cookie file if the engine is enabled

  Follow-up to 8eddb8f4259.

  If the cookieinfo pointer is NULL there really is nothing to save.

  Without this fix, we got a problem when a handle was using shared object
  with cookies and is told to "FLUSH" it to file (which worked) and then
  the share object was removed and when the easy handle was closed just
  afterwards it has no cookieinfo and no cookies so it decided to save an
  empty jar (overwriting the file just flushed).

  Test 1905 now verifies that this works.

  Assisted-by: Michael Wallner
  Assisted-by: Marcel Raad

  Closes #3621

- [DaVieS brought this change]

  cacertinmem.c: use multiple certificates for loading CA-chain

  Closes #3421

- urldata: convert bools to bitfields and move to end

  This allows the compiler to pack and align the structs better in
  memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
  makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.

  Removed an unused struct field.

  No functionality changes.

  Closes #3610

- [Don J Olmstead brought this change]

  curl.h: use __has_declspec_attribute for shared builds

  Closes #3616

- curl: display --version features sorted alphabetically

  Closes #3611

- runtests: detect "schannel" as an alias for "winssl"

  Follow-up to 180501cb02

  Reported-by: Marcel Raad
  Fixes #3609
  Closes #3620

Marcel Raad (26 Feb 2019)
- AppVeyor: update to Visual Studio 2017

  Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a
  moving target anymore as the last update, Update 9, has been released.

  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: switch VS 2015 builds to VS 2017 image

  The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed.

  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: explicitly select worker image

  Currently, we're using the default Visual Studio 2015 image for
  everything.

  Closes https://github.com/curl/curl/pull/3606

Daniel Stenberg (26 Feb 2019)
- strerror: make the strerror function use local buffers

  Instead of using a fixed 256 byte buffer in the connectdata struct.

  In my build, this reduces the size of the connectdata struct by 11.8%,
  from 2160 to 1904 bytes with no functionality or performance loss.

  This also fixes a bug in schannel's Curl_verify_certificate where it
  called Curl_sspi_strerror when it should have called Curl_strerror for
  string from GetLastError. The only effect would have been no text or the
  wrong text being shown for the error.

  Co-authored-by: Jay Satiro

  Closes #3612

- [Michael Wallner brought this change]

  cookies: fix NULL dereference if flushing cookies with no CookieInfo set

  Regression brought by a52e46f3900fb0 (shipped in 7.63.0)

  Closes #3613

Marcel Raad (26 Feb 2019)
- AppVeyor: re-enable test 500

  It's passing now.

  Closes https://github.com/curl/curl/pull/3615

- AppVeyor: remove redundant builds

  Remove the Visual Studio 2012 and 2013 builds as they add little value.

  Ref: https://github.com/curl/curl/pull/3606
  Closes https://github.com/curl/curl/pull/3614

Daniel Stenberg (25 Feb 2019)
- RELEASE-NOTES: synced

- [Bernd Mueller brought this change]

  OpenSSL: add support for TLS ASYNC state

  Closes #3591

Jay Satiro (25 Feb 2019)
- [Michael Felt brought this change]

  acinclude: add additional libraries to check for LDAP support

  - Add an additional check for LDAP that also checks for OpenSSL since
    on AIX those libraries may be required to link LDAP properly.

  Fixes https://github.com/curl/curl/issues/3595
  Closes https://github.com/curl/curl/pull/3596

- [georgeok brought this change]

  schannel: support CALG_ECDH_EPHEM algorithm

  Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
  algorithm option when selecting ciphers. This became available on the
  Win10 SDK.

  Closes https://github.com/curl/curl/pull/3608

Daniel Stenberg (24 Feb 2019)
- multi: call multi_done on connect timeouts

  Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
  updated correctly and could end up getting reported to the application
  completely wrong (way too small).

  Reported-by: accountantM on github
  Fixes #3602
  Closes #3605

- examples: remove recursive calls to curl_multi_socket_action

  From within the timer callbacks. Recursive is problematic for several
  reasons. They should still work, but this way the examples and the
  documentation becomes simpler. I don't think we need to encourage
  recursive calls.

  Discussed in #3537
  Closes #3601

Marcel Raad (23 Feb 2019)
- configure: remove CURL_CHECK_FUNC_FDOPEN call

  The macro itself has been removed in commit
  11974ac859c5d82def59e837e0db56fef7f6794e.

  Closes https://github.com/curl/curl/pull/3604

Daniel Stenberg (23 Feb 2019)
- wolfssl: stop custom-adding curves

  since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
  wolfSSL 3.10.2 and later) it sends these curves by default already.

  Pointed-out-by: David Garske

  Closes #3599

- configure: remove the unused fdopen macro

  and the two remaining #ifdefs for it

  Closes #3600

Jay Satiro (22 Feb 2019)
- url: change conn shutdown order to unlink data as last step

  - Split off connection shutdown procedure from Curl_disconnect into new
    function conn_shutdown.

  - Change the shutdown procedure to close the sockets before
    disassociating the transfer.

  Prior to this change the sockets were closed after disassociating the
  transfer so SOCKETFUNCTION wasn't called since the transfer was already
  disassociated. That likely came about from recent work started in
  Jan 2019 (#3442) to separate transfers from connections.

  Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
  Reported-by: Pavel Löbl

  Closes https://github.com/curl/curl/issues/3597
  Closes https://github.com/curl/curl/pull/3598

Marcel Raad (22 Feb 2019)
- Fix strict-prototypes GCC warning

  As seen in the MinGW autobuilds. Caused by commit
  f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.

Dan Fandrich (21 Feb 2019)
- tests: Fixed XML validation errors in some test files.

Daniel Stenberg (20 Feb 2019)
- TODO: Allow SAN names in HTTP/2 server push

  Suggested-by: Nicolas Grekas

- RELEASE-NOTES: synced

- curl: remove MANUAL from -M output

  ... and remove it from the dist tarball. It has served its time, it
  barely gets updated anymore and "everything curl" is now covering all
  this document once tried to include, and does it more and better.

  In the compressed scenario, this removes ~15K data from the binary,
  which is 25% of the -M output.

  It remains in the git repo for now for as long as the web site builds a
  page using that as source. It renders poorly on the site (especially for
  mobile users) so it's not even good there.

  Closes #3587

- http2: verify :authority in push promise requests

  RFC 7540 says we should verify that the push is for an "authoritative"
  server.
  We make sure of this by only allowing push with an :authority
  header that matches the host that was asked for in the URL.

  Fixes #3577
  Reported-by: Nicolas Grekas
  Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
  Closes #3581

- singlesocket: fix the 'sincebefore' placement

  The variable wasn't properly reset within the loop and thus could remain
  set for sockets that hadn't been set before and miss notifying the app.

  This is a follow-up to 4c35574 (shipped in curl 7.64.0)

  Reported-by: buzo-ffm on github
  Detected-by: Jan Alexander Steffens
  Fixes #3585
  Closes #3589

- connection: never reuse CONNECT_ONLY connections

  and make CONNECT_ONLY connections never reuse any existing ones either.

  Reported-by: Pavel Löbl
  Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
  Closes #3586

Patrick Monnerat (19 Feb 2019)
- cli tool: fix mime post with --disable-libcurl-option configure option

  Reported-by: Marcel Raad
  Fixes #3576
  Closes #3583

Daniel Stenberg (19 Feb 2019)
- x509asn1: cleanup and unify code layout

  - rename 'n' to buflen in functions, and use size_t for them. Don't pass
    in negative buffer lengths.

  - move most function comments to above the function starts like we use
    to

  - remove several unnecessary typecasts (especially of NULL)

  Reviewed-by: Patrick Monnerat
  Closes #3582

- curl_multi_remove_handle.3: use at any time, just not from within
  callbacks

  [ci skip]

- http: make adding a blank header thread-safe

  Previously the function would edit the provided header in-place when a
  semicolon is used to signify an empty header. This made it impossible to
  use the same set of custom headers in multiple threads simultaneously.

  This approach now makes a local copy when it needs to edit the string.

  Reported-by: d912e3 on github
  Fixes #3578
  Closes #3579

- unit1651: survive curl_easy_init() fails

- [Frank Gevaerts brought this change]

  rand: Fix a mismatch between comments in source and header.

  Reported-by: Björn Stenberg
  Closes #3584

Patrick Monnerat (18 Feb 2019)
- x509asn1: replace single char with an array

  Although safe in this context, using a single char as an array may
  cause invalid accesses to adjacent memory locations.

  Detected by Coverity.

Daniel Stenberg (18 Feb 2019)
- examples/http2-serverpush: add some sensible error checks

  To avoid NULL pointer dereferences etc in the case of problems.

  Closes #3580

Jay Satiro (18 Feb 2019)
- easy: fix win32 init to work without CURL_GLOBAL_WIN32

  - Change the behavior of win32_init so that the required initialization
    procedures are not affected by CURL_GLOBAL_WIN32 flag.

  libcurl via curl_global_init supports initializing for win32 with an
  optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
  Winsock initialization. It did so internally by skipping win32_init()
  when that flag was set. Since then win32_init() has been expanded to
  include required initialization routines that are separate from
  Winsock and therefore must be called in all cases. This commit fixes it
  so that CURL_GLOBAL_WIN32 only controls the optional win32
  initialization (which is Winsock initialization, according to our doc).

  The only users affected by this change are those that don't pass
  CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
  risk of a potential crash.

  Ref: https://github.com/curl/curl/pull/3573

  Fixes https://github.com/curl/curl/issues/3313
  Closes https://github.com/curl/curl/pull/3575

Daniel Gustafsson (17 Feb 2019)
- cookie: Add support for cookie prefixes

  The draft-ietf-httpbis-rfc6265bis-02 draft specifies a set of prefixes
  and how they should affect cookie initialization, which has been
  adopted by the major browsers. This adds support for the two prefixes
  defined, __Host- and __Secure, and updates the testcase with the
  supplied examples from the draft.
  Closes #3554
  Reviewed-by: Daniel Stenberg

- mbedtls: release sessionid resources on error

  If mbedtls_ssl_get_session() fails, it may still have allocated memory that needs to be freed to avoid leaking. Call the library API function to release session resources on this errorpath as well as on Curl_ssl_addsessionid() errors.

  Closes: #3574
  Reported-by: Michał Antoniak
  Reviewed-by: Daniel Stenberg

Patrick Monnerat (16 Feb 2019)
- cli tool: refactor encoding conversion sequence for switch case fallthrough.

- version.c: silent scan-build even when librtmp is not enabled

Daniel Stenberg (15 Feb 2019)
- RELEASE-NOTES: synced

- Curl_now: figure out windows version in win32_init

  ... and avoid use of static variables that aren't thread safe.

  Fixes regression from e9ababd4f5a (present in the 7.64.0 release)

  Reported-by: Paul Groke
  Fixes #3572
  Closes #3573

Marcel Raad (15 Feb 2019)
- unit1307: just fail without FTP support

  I missed to check this in with commit 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. This fixes the actual linker error.

  Closes https://github.com/curl/curl/pull/3568

Daniel Stenberg (15 Feb 2019)
- travis: enable valgrind for the iconv tests too

  Closes #3571

- travis: add scan-build

  Closes #3564

- examples/sftpuploadresume: Value stored to 'result' is never read

  Detected by scan-build

- examples/http2-upload: cleaned up

  Fix scan-build warnings, no globals, no silly handle scan. Also remove handles from the multi before cleaning up.

- examples/http2-download: cleaned up

  To avoid scan-build warnings and global variables.

- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'

  Detected by scan-build

- examples/httpcustomheader: Value stored to 'res' is never read

  Detected by scan-build

- examples: remove superfluous null-pointer checks

  in ftpget, ftpsget and sftpget, so that scan-build stops warning for potential NULL pointer dereference below!
  Detected by scan-build

- strip_trailing_dot: make sure NULL is never used for strlen

  scan-build warning: Null pointer passed as an argument to a 'nonnull' parameter

- [Jay Satiro brought this change]

  connection_check: restore original conn->data after the check

  - Save the original conn->data before it's changed to the specified data transfer for the connection check and then restore it afterwards.

  This is a follow-up to 38d8e1b 2019-02-11.

  History:

  It was discovered a month ago that before checking whether to extract a dead connection that that connection should be associated with a "live" transfer for the check (ie original conn->data ignored and set to the passed in data). A fix was landed in 54b201b which did that and also cleared conn->data after the check. The original conn->data was not restored, so presumably it was thought that a valid conn->data was no longer needed.

  Several days later it was discovered that a valid conn->data was needed after the check and follow-up fix was landed in bbae24c which partially reverted the original fix and attempted to limit the scope of when conn->data was changed to only when pruning dead connections. In that case conn->data was not cleared and the original conn->data not restored.

  A month later it was discovered that the original fix was somewhat correct; a "live" transfer is needed for the check in all cases because original conn->data could be null which could cause a bad deref at arbitrary points in the check. A fix was landed in 38d8e1b which expanded the scope to all cases. conn->data was not cleared and the original conn->data not restored.

  A day later it was discovered that not restoring the original conn->data may lead to busy loops in applications that use the event interface, and given this observation it's a pretty safe assumption that there is some code path that still needs the original conn->data. This commit is the follow-up fix for that, it restores the original conn->data after the connection check.
  Assisted-by: tholin@users.noreply.github.com
  Reported-by: tholin@users.noreply.github.com
  Fixes https://github.com/curl/curl/issues/3542
  Closes #3559

- memdebug: bring back curl_mark_sclose

  Used by debug builds with NSS.

  Reverted from 05b100aee247bb

Patrick Monnerat (14 Feb 2019)
- transfer.c: do not compute length of undefined hex buffer.

  On non-ascii platforms, the chunked hex header was measured for char code conversion length, even for chunked trailers that do not have an hex header. In addition, the effective length is already known: use it. Since the hex length can be zero, only convert if needed.

  Reported by valgrind.

Daniel Stenberg (14 Feb 2019)
- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP

  Closes #2367

Patrick Monnerat (14 Feb 2019)
- x509asn1: "Dereference of null pointer"

  Detected by scan-build (false positive).

Daniel Stenberg (14 Feb 2019)
- configure: show features as well in the final summary

  Closes #3569

- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10

  Closes #2905

- KNOWN_BUGS: Deflate error after all content was received

  Closes #2719

- gssapi: fix deprecated header warnings

  Heimdal includes on FreeBSD spewed out lots of them. Less so now.

  Closes #3566

- TODO: Upgrade to websockets

  Closes #3523

- TODO: cmake test suite improvements

  Closes #3109

Patrick Monnerat (13 Feb 2019)
- curl: "Dereference of null pointer"

  Rephrase to satisfy scan-build.

Marcel Raad (13 Feb 2019)
- unit1307: require FTP support

  This test doesn't link without FTP support after fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch unavailable without FTP support.

  Closes https://github.com/curl/curl/pull/3565

Daniel Stenberg (13 Feb 2019)
- TODO: TFO support on Windows

  Nobody works on this now.

  Closes #3378

- multi: Dereference of null pointer

  Mostly a false positive, but this makes the code easier to read anyway.

  Detected by scan-build.

  Closes #3563

- urlglob: Argument with 'nonnull' attribute passed null

  Detected by scan-build.

Jay Satiro (12 Feb 2019)
- schannel: restore some debug output but only for debug builds

  Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy debug output in DEBUGF but omitted a few lines.

  Ref: https://github.com/curl/curl/commit/84c10dc#r32292900

- examples/crawler: Fix the Accept-Encoding setting

  - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default supported encodings.

  Prior to this change the specific encodings of gzip and deflate were set but there's no guarantee they'd be supported by the user's libcurl.

Daniel Stenberg (12 Feb 2019)
- mime: put the boundary buffer into the curl_mime struct

  ... instead of allocating it separately and point to it. It is fixed-size and always used for each part.

  Closes #3561

- schannel: be quiet

  Convert numerous infof() calls into debug-build only messages since they are annoyingly verbose for regular applications. Removed a few.

  Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
  Reported-by: Volker Schmid
  Closes #3552

- [Romain Geissler brought this change]

  Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning

  Closes #3562

- http2: multi_connchanged() moved from multi.c, only used for h2

  Closes #3557

- curl: "Function call argument is an uninitialized value"

  Follow-up to cac0e4a6ad14b42471eb

  Detected by scan-build
  Closes #3560

- pretransfer: don't strlen() POSTFIELDS set for GET requests

  ... since that data won't be used in the request anyway.

  Fixes #3548
  Reported-by: Renaud Allard
  Close #3549

- multi: remove verbose "Expire in" ... messages

  Reported-by: James Brown
  Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
  Closes #3558

- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set

  Reported-by: MAntoniak on github
  Fixes #3553
  Closes #3556

Daniel Gustafsson (12 Feb 2019)
- non-ascii.c: fix typos in comments

  Fix two occurrences of s/convers/converts/ spotted while reading code.

Daniel Stenberg (12 Feb 2019)
- fnmatch: disable if FTP is disabled

  Closes #3551

- curl_path: only enabled for SSH builds

- [Frank Gevaerts brought this change]

  tests: add stderr comparison to the test suite

  The code is more or less copied from the stdout comparison code, maybe some better reuse is possible.

  test 1457 is adjusted to make the output actually match (by using --silent)
  test 506 used without actually needing it, so that block is removed

  Closes #3536

Patrick Monnerat (11 Feb 2019)
- cli tool: do not use mime.h private structures.

  Option -F generates an intermediate representation of the mime structure that is used later to create the libcurl mime structure and generate the --libcurl statements.

  Reported-by: Daniel Stenberg
  Fixes #3532
  Closes #3546

Daniel Stenberg (11 Feb 2019)
- curlver: bump to 7.64.1-dev

- RELEASE-NOTES: synced

  and bump the version in progress to 7.64.1. If we merge any "change" before the cut-off date, we update again.

Daniel Gustafsson (11 Feb 2019)
- curl: follow-up to 3f16990ec84

  Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was inadvertently introducing a new bug in the ternary expression.

  Close #3555
  Reviewed-by: Daniel Stenberg

- dns: release sharelock as soon as possible

  There is no benefit to holding the data sharelock when freeing the addrinfo in case it fails, so ensure releasing it as soon as we can rather than holding on to it. This also aligns the code with other consumers of sharelocks.

  Closes #3516
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (11 Feb 2019)
- curl: follow-up to b49652ac66cc0

  On FreeBSD, return non-zero on error otherwise zero.

  Reported-by: Marcel Raad

- multi: (void)-prefix when ignoring return values

  ... and added braces to two function calls which fixes warnings if they are replaced by empty macros at build-time.
- curl: fix FreeBSD compiler warning in the --xattr code

  Closes #3550

- connection_check: set ->data to the transfer doing the check

  The http2 code for connection checking needs a transfer to use. Make sure a working one is set before handler->connection_check() is called.

  Reported-by: jnbr on github
  Fixes #3541
  Closes #3547

- hostip: make create_hostcache_id avoid alloc + free

  Closes #3544

- scripts/singleuse: script to use to track single-use functions

  That is functions that are declared global but are not used from outside of the file in which it is declared. Such functions should be made static or even at times be removed.

  It also verifies that all used curl_ prefixed functions are "blessed"

  Closes #3538

- cleanup: make local functions static

  urlapi: turn three local-only functions into statics
  conncache: make conncache_find_first_connection static
  multi: make detach_connnection static
  connect: make getaddressinfo static
  curl_ntlm_core: make hmac_md5 static
  http2: make two functions static
  http: make http_setup_conn static
  connect: make tcpnodelay static
  tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds
  ... and mark Curl_shuffle_addr accordingly.
  url: make up_free static
  setopt: make vsetopt static
  curl_endian: make write32_le static
  rtsp: make rtsp_connisdead static
  warnless: remove unused functions
  memdebug: remove one unused function, made another static

Dan Fandrich (10 Feb 2019)
- cirrus: Added FreeBSD builds using Cirrus CI.

  The build logs will be at https://cirrus-ci.com/github/curl/curl

  Some tests are currently failing and so disabled for now. The SSH server isn't starting for the SSH tests due to unsupported options used in its config file. The DICT server also is failing on startup.

Daniel Stenberg (9 Feb 2019)
- url/idnconvert: remove scan for <= 32 ascii values

  The check was added back in fa939220df before the URL parser would catch these problems and therefore these will never trigger now.

  Closes #3539

- urlapi: reduce variable scope, remove unreachable 'break'

  Both nits pointed out by codacy.com

  Closes #3540

Alessandro Ghedini (7 Feb 2019)
- zsh.pl: escape ':' character

  ':' is interpreted as separator by zsh, so if used as part of the argument or option's description it needs to be escaped.

  The problem can be reproduced as follows:

  % curl --reso
  % curl -E

  Bug: https://bugs.debian.org/921452

- zsh.pl: update regex to better match curl -h output

  The current regex fails to match '<...>' arguments properly (e.g. those with spaces in them), which causes a completion script with wrong descriptions for some options.

  Here's a diff of the generated completion script, comparing the previous version to the one with this fix:

--- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 +++ _curl 2019-02-05 20:57:29.453349040 +0000 
@@ -9,48 +9,48 @@ _arguments -C -S \ --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + --resolve'[Resolve the host+port to this address]':'' \ {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ {-D,--dump-header}'[Write the received headers to ]':'':_files \ {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ {-E,--cert}'[Client certificate file and password]':'' \ --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ --ftp-alternative-to-user'[String to replace USER 
\[name\]]':'' \ - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ --local-port'[Force use of RANGE for local port numbers]':'' \ --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ {-O,--remote-name}'[Write output to a file named as the remote file]' \ + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ --trace-ascii'[Like --trace, but without hex output]':'':_files \ --connect-timeout'[Maximum time allowed for connection]':'' \ --expect100-timeout'[How long to wait for 100-continue]':'' \ {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - --ignore-content-length'[the size of the remote resource]':'Ignore' \ {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + --location-trusted'[Like --location, and send auth to other hosts]' \ --mail-auth'[Originator address of the original email]':'
' \ --noproxy'[List of hosts which do not use proxy]':'' \ --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ @@ -62,18 +62,19 @@ --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ --cacert'[CA certificate to verify peer against]':'':_files \ {-H,--header}'[Pass custom header(s) to server]':'
' \ + --ignore-content-length'[Ignore the size of the remote resource]' \ {-i,--include}'[Include protocol response headers in the output]' \ --proxy-header'[Pass custom header(s) to proxy]':'
' \ --unix-socket'[Connect through this Unix domain socket]':'' \ {-w,--write-out}'[Use output FORMAT after completion]':'' \ - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ {-o,--output}'[Write to file instead of stdout]':'':_files \ - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ --socks4a'[SOCKS4a proxy on given host + port]':'' \ {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ {-z,--time-cond}'[Transfer based on a time condition]':'