1 _ _ ____ _ 2 ___| | | | _ \| | 3 / __| | | | |_) | | 4 | (__| |_| | _ <| |___ 5 \___|\___/|_| \_\_____| 6 7 Changelog 8 9 Version 7.64.1 (27 Mar 2019) 10 11 Daniel Stenberg (27 Mar 2019) 12 - RELEASE: 7.64.1 13 14 - Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" 15 16 This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. 17 18 Fixes #3708 19 20 - [Christian Schmitz brought this change] 21 22 ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set 23 24 Closes #3704 25 26 Jay Satiro (26 Mar 2019) 27 - tool_cb_wrt: fix writing to Windows null device NUL 28 29 - Improve console detection. 30 31 Prior to this change WriteConsole could be called to write to a handle 32 that may not be a console, which would cause an error. This issue is 33 limited to character devices that are not also consoles such as the null 34 device NUL. 35 36 Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 37 Reported-by: Gisle Vanem 38 39 - CURLMOPT_PIPELINING.3: fix typo 40 41 Daniel Stenberg (25 Mar 2019) 42 - TODO: config file parsing 43 44 Closes #3698 45 46 Jay Satiro (24 Mar 2019) 47 - os400: Disable Alt-Svc by default since it's experimental 48 49 Follow-up to 520f0b4 which added Alt-Svc support and enabled it by 50 default for OS400. Since the feature is experimental, it should be 51 disabled by default. 52 53 Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 54 Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html 55 56 Closes https://github.com/curl/curl/pull/3688 57 58 Dan Fandrich (24 Mar 2019) 59 - tests: Fixed XML validation errors in some test files. 60 61 - tests: Fix some incorrect precheck error messages. 62 63 [ci skip] 64 65 Daniel Stenberg (22 Mar 2019) 66 - curl_url.3: this is not experimental anymore 67 68 - travis: bump the used wolfSSL version to 4.0.0 69 70 Test 311 is now fine, leaving only 313 (CRL) disabled. 71 72 Test 313 details can be found here: 73 https://github.com/wolfSSL/wolfssl/issues/1546 74 75 Closes #3697 76 77 Daniel Gustafsson (22 Mar 2019) 78 - lib: Fix typos in comments 79 80 David Woodhouse (20 Mar 2019) 81 - openssl: if cert type is ENG and no key specified, key is ENG too 82 83 Fixes #3692 84 Closes #3692 85 86 Daniel Stenberg (20 Mar 2019) 87 - sectransp: tvOS 11 is required for ALPN support 88 89 Reported-by: nianxuejie on github 90 Assisted-by: Nick Zitzmann 91 Assisted-by: Jay Satiro 92 Fixes #3689 93 Closes #3690 94 95 - test1541: threaded connection sharing 96 97 The threaded-shared-conn.c example turned into test case. Only works if 98 pthread was detected. 99 100 An attempt to detect future regressions such as e3a53e3efb942a5 101 102 Closes #3687 103 104 Patrick Monnerat (17 Mar 2019) 105 - os400: alt-svc support. 106 107 Although experimental, enable it in the platform config file. 108 Upgrade ILE/RPG binding. 109 110 Daniel Stenberg (17 Mar 2019) 111 - conncache: use conn->data to know if a transfer owns it 112 113 - make sure an already "owned" connection isn't returned unless 114 multiplexed. 115 116 - clear ->data when returning the connection to the cache again 117 118 Regression since 7.62.0 (probably in commit 1b76c38904f0) 119 120 Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html 121 122 Closes #3686 123 124 - RELEASE-NOTES: synced 125 126 - [Chris Young brought this change] 127 128 configure: add --with-amissl 129 130 AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. 131 It also requires all programs using it to use bsdsocket.library 132 directly, rather than accessing socket functions through clib, which 133 libcurl was not necessarily doing previously. Configure will now check 134 for the headers and ensure they are included if found. 135 136 Closes #3677 137 138 - [Chris Young brought this change] 139 140 vtls: rename some of the SSL functions 141 142 ... in the SSL structure as AmiSSL is using macros for the socket API 143 functions. 144 145 - [Chris Young brought this change] 146 147 tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr 148 149 - [Chris Young brought this change] 150 151 tool_operate: build on AmigaOS 152 153 - makefile: make checksrc and hugefile commands "silent" 154 155 ... to match the style already used for compiling, linking 156 etc. Acknowledges 'make V=1' to enable verbose. 157 158 Closes #3681 159 160 - curl.1: --user and --proxy-user are hidden from ps output 161 162 Suggested-by: Eric Curtin 163 Improved-by: Dan Fandrich 164 Ref: #3680 165 166 Closes #3683 167 168 - curl.1: mark the argument to --cookie as <data|filename> 169 170 From a discussion in #3676 171 172 Suggested-by: Tim Rhsen 173 174 Closes #3682 175 176 Dan Fandrich (14 Mar 2019) 177 - fuzzer: Only clone the latest fuzzer code, for speed. 178 179 Daniel Stenberg (14 Mar 2019) 180 - [Dominik Hlzl brought this change] 181 182 Negotiate: fix for HTTP POST with Negotiate 183 184 * Adjusted unit tests 2056, 2057 185 * do not generally close connections with CURLAUTH_NEGOTIATE after every request 186 * moved negotiatedata from UrlState to connectdata 187 * Added stream rewind logic for CURLAUTH_NEGOTIATE 188 * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC 189 * Consider authproblem state for CURLAUTH_NEGOTIATE 190 * Consider reuse_forbid for CURLAUTH_NEGOTIATE 191 * moved and adjusted negotiate authentication state handling from 192 output_auth_headers into Curl_output_negotiate 193 * Curl_output_negotiate: ensure auth done is always set 194 * Curl_output_negotiate: Set auth done also if result code is 195 GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may 196 also indicate the last challenge request (only works with disabled 197 Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) 198 * Consider "Persistent-Auth" header, detect if not present; 199 Reset/Cleanup negotiate after authentication if no persistent 200 authentication 201 * apply changes introduced with #2546 for negotiate rewind logic 202 203 Fixes #1261 204 Closes #1975 205 206 - [Marc Schlatter brought this change] 207 208 http: send payload when (proxy) authentication is done 209 210 The check that prevents payload from sending in case of authentication 211 doesn't check properly if the authentication is done or not. 212 213 They're cases where the proxy respond "200 OK" before sending 214 authentication challenge. This change takes care of that. 215 216 Fixes #2431 217 Closes #3669 218 219 - file: fix "Checking if unsigned variable 'readcount' is less than zero." 220 221 Pointed out by codacy 222 223 Closes #3672 224 225 - memdebug: log pointer before freeing its data 226 227 Coverity warned for two potentional "Use after free" cases. Both are false 228 positives because the memory wasn't used, it was only the actual pointer 229 value that was logged. 230 231 The fix still changes the order of execution to avoid the warnings. 232 233 Coverity CID 1443033 and 1443034 234 235 Closes #3671 236 237 - RELEASE-NOTES: synced 238 239 Marcel Raad (12 Mar 2019) 240 - travis: actually use updated compiler versions 241 242 For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the 243 new GCC versions were only used for the coverage build and for building 244 nghttp2, while the new clang version was not used at all. 245 246 BoringSSL needs to use the default GCC as it respects CC, but not CXX, 247 so it would otherwise pass gcc 8 options to g++ 4.8 and fail. 248 249 Also remove GCC 7, it's not needed anymore. 250 251 Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning 252 253 Closes https://github.com/curl/curl/pull/3670 254 255 - travis: update clang to version 7 256 257 Closes https://github.com/curl/curl/pull/3670 258 259 Jay Satiro (11 Mar 2019) 260 - [Andre Guibert de Bruet brought this change] 261 262 examples/externalsocket: add missing close socket calls 263 264 .. and for Windows also call WSACleanup since we call WSAStartup. 265 266 The example is to demonstrate handling the socket independently of 267 libcurl. In this case libcurl is not responsible for creating, opening 268 or closing the socket, it is handled by the application (our example). 269 270 Fixes https://github.com/curl/curl/pull/3663 271 272 Daniel Stenberg (11 Mar 2019) 273 - multi: removed unused code for request retries 274 275 This code was once used for the non multi-interface using code path, but 276 ever since easy_perform was turned into a wrapper around the multi 277 interface, this code path never runs. 278 279 Closes #3666 280 281 Jay Satiro (11 Mar 2019) 282 - doh: inherit some SSL options from user's easy handle 283 284 - Inherit SSL options for the doh handle but not SSL client certs, 285 SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, 286 SSL pinned public key, SSL ciphers, SSL id cache setting, 287 SSL kerberos or SSL gss-api settings. 288 289 - Fix inheritance of verbose setting. 290 291 - Inherit NOSIGNAL. 292 293 There is no way for the user to set options for the doh (DNS-over-HTTPS) 294 handles and instead we inherit some options from the user's easy handle. 295 296 My thinking for the SSL options not inherited is they are most likely 297 not intended by the user for the DOH transfer. I did inherit insecure 298 because I think that should still be in control of the user. 299 300 Prior to this change doh did not work for me because CAINFO was not 301 inherited. Also verbose was set always which AFAICT was a bug (#3660). 302 303 Fixes https://github.com/curl/curl/issues/3660 304 Closes https://github.com/curl/curl/pull/3661 305 306 Daniel Stenberg (9 Mar 2019) 307 - test331: verify set-cookie for dotless host name 308 309 Reproduced bug #3649 310 Closes #3659 311 312 - Revert "cookies: extend domain checks to non psl builds" 313 314 This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. 315 316 Regression shipped in 7.64.0 317 Fixes #3649 318 319 - memdebug: make debug-specific functions use curl_dbg_ prefix 320 321 To not "collide" or use up the regular curl_ name space. Also makes them 322 easier to detect in helper scripts. 323 324 Closes #3656 325 326 - cmdline-opts/proxytunnel.d: the option tunnnels all protocols 327 328 Clarify the language and simplify. 329 330 Reported-by: Daniel Lublin 331 Closes #3658 332 333 - KNOWN_BUGS: Client cert (MTLS) issues with Schannel 334 335 Closes #3145 336 337 - ROADMAP: updated to some more current things to work on 338 339 - tests: fix multiple may be used uninitialized warnings 340 341 - RELEASE-NOTES: synced 342 343 - source: fix two 'nread' may be used uninitialized warnings 344 345 Both seem to be false positives but we don't like warnings. 346 347 Closes #3646 348 349 - gopher: remove check for path == NULL 350 351 Since it can't be NULL and it makes Coverity believe we lack proper NULL 352 checks. Verified by test 659, landed in commit 15401fa886b. 353 354 Pointed out by Coverity CID 1442746. 355 356 Assisted-by: Dan Fandrich 357 Fixes #3617 358 Closes #3642 359 360 - examples: only include <curl/curl.h> 361 362 That's the only public curl header we should encourage use of. 363 364 Reviewed-by: Marcel Raad 365 Closes #3645 366 367 - ssh: loop the state machine if not done and not blocking 368 369 If the state machine isn't complete, didn't fail and it didn't return 370 due to blocking it can just as well loop again. 371 372 This addresses the problem with SFTP directory listings where we would 373 otherwise return back to the parent and as the multi state machine 374 doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the 375 doing phase isn't complete, it would return out when in reality there 376 was more data to deal with. 377 378 Fixes #3506 379 Closes #3644 380 381 Jay Satiro (5 Mar 2019) 382 - multi: support verbose conncache closure handle 383 384 - Change closure handle to receive verbose setting from the easy handle 385 most recently added via curl_multi_add_handle. 386 387 The closure handle is a special easy handle used for closing cached 388 connections. It receives limited settings from the easy handle most 389 recently added to the multi handle. Prior to this change that did not 390 include verbose which was a problem because on connection shutdown 391 verbose mode was not acknowledged. 392 393 Ref: https://github.com/curl/curl/pull/3598 394 395 Co-authored-by: Daniel Stenberg 396 397 Closes https://github.com/curl/curl/pull/3618 398 399 Daniel Stenberg (4 Mar 2019) 400 - CURLU: fix NULL dereference when used over proxy 401 402 Test 659 verifies 403 404 Also fixed the test 658 name 405 406 Closes #3641 407 408 - altsvc_out: check the return code from Curl_gmtime 409 410 Pointed out by Coverity, CID 1442956. 411 412 Closes #3640 413 414 - docs/ALTSVC.md: docs describing the approach 415 416 Closes #3498 417 418 - alt-svc: add a travis build 419 420 - alt-svc: add test 355 and 356 to verify with command line curl 421 422 - alt-svc: the curl command line bits 423 424 - alt-svc: the libcurl bits 425 426 - travis: add build using gnutls 427 428 Closes #3637 429 430 - RELEASE-NOTES: synced 431 432 - [Simon Legner brought this change] 433 434 scripts/completion.pl: also generate fish completion file 435 436 This is the renamed script formerly known as zsh.pl 437 438 Closes #3545 439 440 - gnutls: remove call to deprecated gnutls_compression_get_name 441 442 It has been deprecated by GnuTLS since a year ago and now causes build 443 warnings. 444 445 Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f 446 Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html 447 448 Closes #3636 449 450 Jay Satiro (2 Mar 2019) 451 - system_win32: move win32_init here from easy.c 452 453 .. since system_win32 is a more appropriate location for the functions 454 and to extern the globals. 455 456 Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 457 Reported-by: Gisle Vanem 458 459 Closes https://github.com/curl/curl/pull/3625 460 461 Daniel Stenberg (1 Mar 2019) 462 - curl_easy_duphandle.3: clarify that a duped handle has no shares 463 464 Reported-by: Sara Golemon 465 466 Fixes #3592 467 Closes #3634 468 469 - 10-at-a-time.c: fix too long line 470 471 - [Arnaud Rebillout brought this change] 472 473 examples: various fixes in ephiperfifo.c 474 475 The main change here is the timer value that was wrong, it was given in 476 usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * 477 1000). This resulted in the callback being invoked WAY TOO OFTEN. 478 479 As a quick check you can run this command before and after applying this 480 commit: 481 482 # shell 1 483 ./ephiperfifo 2>&1 | tee ephiperfifo.log 484 # shell 2 485 echo http://hacking.elboulangero.com > hiper.fifo 486 487 Then just compare the size of the logs files. 488 489 Closes #3633 490 Fixes #3632 491 Signed-off-by: Arnaud Rebillout <arnaud.rebillout (a] collabora.com> 492 493 - urldata: simplify bytecounters 494 495 - no need to have them protocol specific 496 497 - no need to set pointers to them with the Curl_setup_transfer() call 498 499 - make Curl_setup_transfer() operate on a transfer pointer, not 500 connection 501 502 - switch some counters from long to the more proper curl_off_t type 503 504 Closes #3627 505 506 - examples/10-at-a-time.c: improve readability and simplify 507 508 - use better variable names to explain their purposes 509 - convert logic to curl_multi_wait() 510 511 - threaded-resolver: shutdown the resolver thread without error message 512 513 When a transfer is done, the resolver thread will be brought down. That 514 could accidentally generate an error message in the error buffer even 515 though this is not an error situationand the transfer would still return 516 OK. An application that still reads the error buffer could find a 517 "Could not resolve host: [host name]" message there and get confused. 518 519 Reported-by: Michael Schmid 520 Fixes #3629 521 Closes #3630 522 523 - [ brought this change] 524 525 docs: update max-redirs.d phrasing 526 527 clarify redir - "in absurdum" doesn't seem to make sense in this context 528 529 Closes #3631 530 531 - ssh: fix Condition '!status' is always true 532 533 in the same sftp_done function in both SSH backends. Simplify them 534 somewhat. 535 536 Pointed out by Codacy. 537 538 Closes #3628 539 540 - test578: make it read data from the correct test 541 542 - Curl_easy: remove req.maxfd - never used! 543 544 Introduced in 8b6314ccfb, but not used anymore in current code. Unclear 545 since when. 546 547 Closes #3626 548 549 - http: set state.infilesize when sending formposts 550 551 Without it set, we would unwillingly triger the "HTTP error before end 552 of send, stop sending" condition even if the entire POST body had been 553 sent (since it wouldn't know the expected size) which would 554 unnecessarily log that message and close the connection when it didn't 555 have to. 556 557 Reported-by: Matt McClure 558 Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html 559 Closes #3624 560 561 - INSTALL: refer to the current TLS library names and configure options 562 563 - FAQ: minor updates and spelling fixes 564 565 - GOVERNANCE.md: minor spelling fixes 566 567 - Secure Transport: no more "darwinssl" 568 569 Everyone calls it Secure Transport, now we do too. 570 571 Reviewed-by: Nick Zitzmann 572 573 Closes #3619 574 575 Marcel Raad (27 Feb 2019) 576 - AppVeyor: add classic MinGW build 577 578 But use the MSYS2 shell rather than the default MSYS shell because of 579 POSIX path conversion issues. Classic MinGW is only available on the 580 Visual Studio 2015 image. 581 582 Closes https://github.com/curl/curl/pull/3623 583 584 - AppVeyor: add MinGW-w64 build 585 586 Add a MinGW-w64 build using CMake's MSYS Makefiles generator. 587 Use the Visual Studio 2015 image as it has GCC 8, while the 588 Visual Studio 2017 image only has GCC 7.2. 589 590 Closes https://github.com/curl/curl/pull/3623 591 592 Daniel Stenberg (27 Feb 2019) 593 - cookies: only save the cookie file if the engine is enabled 594 595 Follow-up to 8eddb8f4259. 596 597 If the cookieinfo pointer is NULL there really is nothing to save. 598 599 Without this fix, we got a problem when a handle was using shared object 600 with cookies and is told to "FLUSH" it to file (which worked) and then 601 the share object was removed and when the easy handle was closed just 602 afterwards it has no cookieinfo and no cookies so it decided to save an 603 empty jar (overwriting the file just flushed). 604 605 Test 1905 now verifies that this works. 606 607 Assisted-by: Michael Wallner 608 Assisted-by: Marcel Raad 609 610 Closes #3621 611 612 - [DaVieS brought this change] 613 614 cacertinmem.c: use multiple certificates for loading CA-chain 615 616 Closes #3421 617 618 - urldata: convert bools to bitfields and move to end 619 620 This allows the compiler to pack and align the structs better in 621 memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 622 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. 623 624 Removed an unused struct field. 625 626 No functionality changes. 627 628 Closes #3610 629 630 - [Don J Olmstead brought this change] 631 632 curl.h: use __has_declspec_attribute for shared builds 633 634 Closes #3616 635 636 - curl: display --version features sorted alphabetically 637 638 Closes #3611 639 640 - runtests: detect "schannel" as an alias for "winssl" 641 642 Follow-up to 180501cb02 643 644 Reported-by: Marcel Raad 645 Fixes #3609 646 Closes #3620 647 648 Marcel Raad (26 Feb 2019) 649 - AppVeyor: update to Visual Studio 2017 650 651 Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a 652 moving target anymore as the last update, Update 9, has been released. 653 654 Closes https://github.com/curl/curl/pull/3606 655 656 - AppVeyor: switch VS 2015 builds to VS 2017 image 657 658 The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. 659 660 Closes https://github.com/curl/curl/pull/3606 661 662 - AppVeyor: explicitly select worker image 663 664 Currently, we're using the default Visual Studio 2015 image for 665 everything. 666 667 Closes https://github.com/curl/curl/pull/3606 668 669 Daniel Stenberg (26 Feb 2019) 670 - strerror: make the strerror function use local buffers 671 672 Instead of using a fixed 256 byte buffer in the connectdata struct. 673 674 In my build, this reduces the size of the connectdata struct by 11.8%, 675 from 2160 to 1904 bytes with no functionality or performance loss. 676 677 This also fixes a bug in schannel's Curl_verify_certificate where it 678 called Curl_sspi_strerror when it should have called Curl_strerror for 679 string from GetLastError. the only effect would have been no text or the 680 wrong text being shown for the error. 681 682 Co-authored-by: Jay Satiro 683 684 Closes #3612 685 686 - [Michael Wallner brought this change] 687 688 cookies: fix NULL dereference if flushing cookies with no CookieInfo set 689 690 Regression brought by a52e46f3900fb0 (shipped in 7.63.0) 691 692 Closes #3613 693 694 Marcel Raad (26 Feb 2019) 695 - AppVeyor: re-enable test 500 696 697 It's passing now. 698 699 Closes https://github.com/curl/curl/pull/3615 700 701 - AppVeyor: remove redundant builds 702 703 Remove the Visual Studio 2012 and 2013 builds as they add little value. 704 705 Ref: https://github.com/curl/curl/pull/3606 706 Closes https://github.com/curl/curl/pull/3614 707 708 Daniel Stenberg (25 Feb 2019) 709 - RELEASE-NOTES: synced 710 711 - [Bernd Mueller brought this change] 712 713 OpenSSL: add support for TLS ASYNC state 714 715 Closes #3591 716 717 Jay Satiro (25 Feb 2019) 718 - [Michael Felt brought this change] 719 720 acinclude: add additional libraries to check for LDAP support 721 722 - Add an additional check for LDAP that also checks for OpenSSL since 723 on AIX those libraries may be required to link LDAP properly. 724 725 Fixes https://github.com/curl/curl/issues/3595 726 Closes https://github.com/curl/curl/pull/3596 727 728 - [georgeok brought this change] 729 730 schannel: support CALG_ECDH_EPHEM algorithm 731 732 Add support for Ephemeral elliptic curve Diffie-Hellman key exchange 733 algorithm option when selecting ciphers. This became available on the 734 Win10 SDK. 735 736 Closes https://github.com/curl/curl/pull/3608 737 738 Daniel Stenberg (24 Feb 2019) 739 - multi: call multi_done on connect timeouts 740 741 Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get 742 updated correctly and could end up getting reported to the application 743 completely wrong (way too small). 744 745 Reported-by: accountantM on github 746 Fixes #3602 747 Closes #3605 748 749 - examples: remove recursive calls to curl_multi_socket_action 750 751 From within the timer callbacks. Recursive is problematic for several 752 reasons. They should still work, but this way the examples and the 753 documentation becomes simpler. I don't think we need to encourage 754 recursive calls. 755 756 Discussed in #3537 757 Closes #3601 758 759 Marcel Raad (23 Feb 2019) 760 - configure: remove CURL_CHECK_FUNC_FDOPEN call 761 762 The macro itself has been removed in commit 763 11974ac859c5d82def59e837e0db56fef7f6794e. 764 765 Closes https://github.com/curl/curl/pull/3604 766 767 Daniel Stenberg (23 Feb 2019) 768 - wolfssl: stop custom-adding curves 769 770 since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in 771 wolfSSL 3.10.2 and later) it sends these curves by default already. 772 773 Pointed-out-by: David Garske 774 775 Closes #3599 776 777 - configure: remove the unused fdopen macro 778 779 and the two remaining #ifdefs for it 780 781 Closes #3600 782 783 Jay Satiro (22 Feb 2019) 784 - url: change conn shutdown order to unlink data as last step 785 786 - Split off connection shutdown procedure from Curl_disconnect into new 787 function conn_shutdown. 788 789 - Change the shutdown procedure to close the sockets before 790 disassociating the transfer. 791 792 Prior to this change the sockets were closed after disassociating the 793 transfer so SOCKETFUNCTION wasn't called since the transfer was already 794 disassociated. That likely came about from recent work started in 795 Jan 2019 (#3442) to separate transfers from connections. 796 797 Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html 798 Reported-by: Pavel Lbl 799 800 Closes https://github.com/curl/curl/issues/3597 801 Closes https://github.com/curl/curl/pull/3598 802 803 Marcel Raad (22 Feb 2019) 804 - Fix strict-prototypes GCC warning 805 806 As seen in the MinGW autobuilds. Caused by commit 807 f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. 808 809 Dan Fandrich (21 Feb 2019) 810 - tests: Fixed XML validation errors in some test files. 811 812 Daniel Stenberg (20 Feb 2019) 813 - TODO: Allow SAN names in HTTP/2 server push 814 815 Suggested-by: Nicolas Grekas 816 817 - RELEASE-NOTES: synced 818 819 - curl: remove MANUAL from -M output 820 821 ... and remove it from the dist tarball. It has served its time, it 822 barely gets updated anymore and "everything curl" is now convering all 823 this document once tried to include, and does it more and better. 824 825 In the compressed scenario, this removes ~15K data from the binary, 826 which is 25% of the -M output. 827 828 It remains in the git repo for now for as long as the web site builds a 829 page using that as source. It renders poorly on the site (especially for 830 mobile users) so its not even good there. 831 832 Closes #3587 833 834 - http2: verify :athority in push promise requests 835 836 RFC 7540 says we should verify that the push is for an "authoritative" 837 server. We make sure of this by only allowing push with an :athority 838 header that matches the host that was asked for in the URL. 839 840 Fixes #3577 841 Reported-by: Nicolas Grekas 842 Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html 843 Closes #3581 844 845 - singlesocket: fix the 'sincebefore' placement 846 847 The variable wasn't properly reset within the loop and thus could remain 848 set for sockets that hadn't been set before and miss notifying the app. 849 850 This is a follow-up to 4c35574 (shipped in curl 7.64.0) 851 852 Reported-by: buzo-ffm on github 853 Detected-by: Jan Alexander Steffens 854 Fixes #3585 855 Closes #3589 856 857 - connection: never reuse CONNECT_ONLY conections 858 859 and make CONNECT_ONLY conections never reuse any existing ones either. 860 861 Reported-by: Pavel Lbl 862 Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html 863 Closes #3586 864 865 Patrick Monnerat (19 Feb 2019) 866 - cli tool: fix mime post with --disable-libcurl-option configure option 867 868 Reported-by: Marcel Raad 869 Fixes #3576 870 Closes #3583 871 872 Daniel Stenberg (19 Feb 2019) 873 - x509asn1: cleanup and unify code layout 874 875 - rename 'n' to buflen in functions, and use size_t for them. Don't pass 876 in negative buffer lengths. 877 878 - move most function comments to above the function starts like we use 879 to 880 881 - remove several unnecessary typecasts (especially of NULL) 882 883 Reviewed-by: Patrick Monnerat 884 Closes #3582 885 886 - curl_multi_remove_handle.3: use at any time, just not from within callbacks 887 888 [ci skip] 889 890 - http: make adding a blank header thread-safe 891 892 Previously the function would edit the provided header in-place when a 893 semicolon is used to signify an empty header. This made it impossible to 894 use the same set of custom headers in multiple threads simultaneously. 895 896 This approach now makes a local copy when it needs to edit the string. 897 898 Reported-by: d912e3 on github 899 Fixes #3578 900 Closes #3579 901 902 - unit1651: survive curl_easy_init() fails 903 904 - [Frank Gevaerts brought this change] 905 906 rand: Fix a mismatch between comments in source and header. 907 908 Reported-by: Bjrn Stenberg <bjorn (a] haxx.se> 909 Closes #3584 910 911 Patrick Monnerat (18 Feb 2019) 912 - x509asn1: replace single char with an array 913 914 Although safe in this context, using a single char as an array may 915 cause invalid accesses to adjacent memory locations. 916 917 Detected by Coverity. 918 919 Daniel Stenberg (18 Feb 2019) 920 - examples/http2-serverpush: add some sensible error checks 921 922 To avoid NULL pointer dereferences etc in the case of problems. 923 924 Closes #3580 925 926 Jay Satiro (18 Feb 2019) 927 - easy: fix win32 init to work without CURL_GLOBAL_WIN32 928 929 - Change the behavior of win32_init so that the required initialization 930 procedures are not affected by CURL_GLOBAL_WIN32 flag. 931 932 libcurl via curl_global_init supports initializing for win32 with an 933 optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop 934 Winsock initialization. It did so internally by skipping win32_init() 935 when that flag was set. Since then win32_init() has been expanded to 936 include required initialization routines that are separate from 937 Winsock and therefore must be called in all cases. This commit fixes 938 it so that CURL_GLOBAL_WIN32 only controls the optional win32 939 initialization (which is Winsock initialization, according to our doc). 940 941 The only users affected by this change are those that don't pass 942 CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the 943 risk of a potential crash. 944 945 Ref: https://github.com/curl/curl/pull/3573 946 947 Fixes https://github.com/curl/curl/issues/3313 948 Closes https://github.com/curl/curl/pull/3575 949 950 Daniel Gustafsson (17 Feb 2019) 951 - cookie: Add support for cookie prefixes 952 953 The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes 954 and how they should affect cookie initialization, which has been 955 adopted by the major browsers. This adds support for the two prefixes 956 defined, __Host- and __Secure, and updates the testcase with the 957 supplied examples from the draft. 958 959 Closes #3554 960 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 961 962 - mbedtls: release sessionid resources on error 963 964 If mbedtls_ssl_get_session() fails, it may still have allocated 965 memory that needs to be freed to avoid leaking. Call the library 966 API function to release session resources on this errorpath as 967 well as on Curl_ssl_addsessionid() errors. 968 969 Closes: #3574 970 Reported-by: Micha Antoniak <M.Antoniak (a] posnet.com> 971 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 972 973 Patrick Monnerat (16 Feb 2019) 974 - cli tool: refactor encoding conversion sequence for switch case fallthrough. 975 976 - version.c: silent scan-build even when librtmp is not enabled 977 978 Daniel Stenberg (15 Feb 2019) 979 - RELEASE-NOTES: synced 980 981 - Curl_now: figure out windows version in win32_init 982 983 ... and avoid use of static variables that aren't thread safe. 984 985 Fixes regression from e9ababd4f5a (present in the 7.64.0 release) 986 987 Reported-by: Paul Groke 988 Fixes #3572 989 Closes #3573 990 991 Marcel Raad (15 Feb 2019) 992 - unit1307: just fail without FTP support 993 994 I missed to check this in with commit 995 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. 996 This fixes the actual linker error. 997 998 Closes https://github.com/curl/curl/pull/3568 999 1000 Daniel Stenberg (15 Feb 2019) 1001 - travis: enable valgrind for the iconv tests too 1002 1003 Closes #3571 1004 1005 - travis: add scan-build 1006 1007 Closes #3564 1008 1009 - examples/sftpuploadresume: Value stored to 'result' is never read 1010 1011 Detected by scan-build 1012 1013 - examples/http2-upload: cleaned up 1014 1015 Fix scan-build warnings, no globals, no silly handle scan. Also remove 1016 handles from the multi before cleaning up. 1017 1018 - examples/http2-download: cleaned up 1019 1020 To avoid scan-build warnings and global variables. 1021 1022 - examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' 1023 1024 Detected by scan-build 1025 1026 - examples/httpcustomheader: Value stored to 'res' is never read 1027 1028 Detected by scan-build 1029 1030 - examples: remove superfluous null-pointer checks 1031 1032 in ftpget, ftpsget and sftpget, so that scan-build stops warning for 1033 potential NULL pointer dereference below! 1034 1035 Detected by scan-build 1036 1037 - strip_trailing_dot: make sure NULL is never used for strlen 1038 1039 scan-build warning: Null pointer passed as an argument to a 'nonnull' 1040 parameter 1041 1042 - [Jay Satiro brought this change] 1043 1044 connection_check: restore original conn->data after the check 1045 1046 - Save the original conn->data before it's changed to the specified 1047 data transfer for the connection check and then restore it afterwards. 1048 1049 This is a follow-up to 38d8e1b 2019-02-11. 1050 1051 History: 1052 1053 It was discovered a month ago that before checking whether to extract a 1054 dead connection that that connection should be associated with a "live" 1055 transfer for the check (ie original conn->data ignored and set to the 1056 passed in data). A fix was landed in 54b201b which did that and also 1057 cleared conn->data after the check. The original conn->data was not 1058 restored, so presumably it was thought that a valid conn->data was no 1059 longer needed. 1060 1061 Several days later it was discovered that a valid conn->data was needed 1062 after the check and follow-up fix was landed in bbae24c which partially 1063 reverted the original fix and attempted to limit the scope of when 1064 conn->data was changed to only when pruning dead connections. In that 1065 case conn->data was not cleared and the original conn->data not 1066 restored. 1067 1068 A month later it was discovered that the original fix was somewhat 1069 correct; a "live" transfer is needed for the check in all cases 1070 because original conn->data could be null which could cause a bad deref 1071 at arbitrary points in the check. A fix was landed in 38d8e1b which 1072 expanded the scope to all cases. conn->data was not cleared and the 1073 original conn->data not restored. 1074 1075 A day later it was discovered that not restoring the original conn->data 1076 may lead to busy loops in applications that use the event interface, and 1077 given this observation it's a pretty safe assumption that there is some 1078 code path that still needs the original conn->data. This commit is the 1079 follow-up fix for that, it restores the original conn->data after the 1080 connection check. 1081 1082 Assisted-by: tholin (a] users.noreply.github.com 1083 Reported-by: tholin (a] users.noreply.github.com 1084 1085 Fixes https://github.com/curl/curl/issues/3542 1086 Closes #3559 1087 1088 - memdebug: bring back curl_mark_sclose 1089 1090 Used by debug builds with NSS. 1091 1092 Reverted from 05b100aee247bb 1093 1094 Patrick Monnerat (14 Feb 2019) 1095 - transfer.c: do not compute length of undefined hex buffer. 1096 1097 On non-ascii platforms, the chunked hex header was measured for char code 1098 conversion length, even for chunked trailers that do not have an hex header. 1099 In addition, the efective length is already known: use it. 1100 Since the hex length can be zero, only convert if needed. 1101 1102 Reported by valgrind. 1103 1104 Daniel Stenberg (14 Feb 2019) 1105 - KNOWN_BUGS: Cannot compile against a static build of OpenLDAP 1106 1107 Closes #2367 1108 1109 Patrick Monnerat (14 Feb 2019) 1110 - x509asn1: "Dereference of null pointer" 1111 1112 Detected by scan-build (false positive). 1113 1114 Daniel Stenberg (14 Feb 2019) 1115 - configure: show features as well in the final summary 1116 1117 Closes #3569 1118 1119 - KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 1120 1121 Closes #2905 1122 1123 - KNOWN_BUGS: Deflate error after all content was received 1124 1125 Closes #2719 1126 1127 - gssapi: fix deprecated header warnings 1128 1129 Heimdal includes on FreeBSD spewed out lots of them. Less so now. 1130 1131 Closes #3566 1132 1133 - TODO: Upgrade to websockets 1134 1135 Closes #3523 1136 1137 - TODO: cmake test suite improvements 1138 1139 Closes #3109 1140 1141 Patrick Monnerat (13 Feb 2019) 1142 - curl: "Dereference of null pointer" 1143 1144 Rephrase to satisfy scan-build. 1145 1146 Marcel Raad (13 Feb 2019) 1147 - unit1307: require FTP support 1148 1149 This test doesn't link without FTP support after 1150 fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch 1151 unavailable without FTP support. 1152 1153 Closes https://github.com/curl/curl/pull/3565 1154 1155 Daniel Stenberg (13 Feb 2019) 1156 - TODO: TFO support on Windows 1157 1158 Nobody works on this now. 1159 1160 Closes #3378 1161 1162 - multi: Dereference of null pointer 1163 1164 Mostly a false positive, but this makes the code easier to read anyway. 1165 1166 Detected by scan-build. 1167 1168 Closes #3563 1169 1170 - urlglob: Argument with 'nonnull' attribute passed null 1171 1172 Detected by scan-build. 1173 1174 Jay Satiro (12 Feb 2019) 1175 - schannel: restore some debug output but only for debug builds 1176 1177 Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy 1178 debug output in DEBUGF but omitted a few lines. 1179 1180 Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 1181 1182 - examples/crawler: Fix the Accept-Encoding setting 1183 1184 - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default 1185 supported encodings. 1186 1187 Prior to this change the specific encodings of gzip and deflate were set 1188 but there's no guarantee they'd be supported by the user's libcurl. 1189 1190 Daniel Stenberg (12 Feb 2019) 1191 - mime: put the boundary buffer into the curl_mime struct 1192 1193 ... instead of allocating it separately and point to it. It is 1194 fixed-size and always used for each part. 1195 1196 Closes #3561 1197 1198 - schannel: be quiet 1199 1200 Convert numerous infof() calls into debug-build only messages since they 1201 are annoyingly verbose for regular applications. Removed a few. 1202 1203 Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html 1204 Reported-by: Volker Schmid 1205 Closes #3552 1206 1207 - [Romain Geissler brought this change] 1208 1209 Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning 1210 1211 Closes #3562 1212 1213 - http2: multi_connchanged() moved from multi.c, only used for h2 1214 1215 Closes #3557 1216 1217 - curl: "Function call argument is an uninitialized value" 1218 1219 Follow-up to cac0e4a6ad14b42471eb 1220 1221 Detected by scan-build 1222 Closes #3560 1223 1224 - pretransfer: don't strlen() POSTFIELDS set for GET requests 1225 1226 ... since that data won't be used in the request anyway. 1227 1228 Fixes #3548 1229 Reported-by: Renaud Allard 1230 Close #3549 1231 1232 - multi: remove verbose "Expire in" ... messages 1233 1234 Reported-by: James Brown 1235 Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html 1236 Closes #3558 1237 1238 - mbedtls: make it build even if MBEDTLS_VERSION_C isn't set 1239 1240 Reported-by: MAntoniak on github 1241 Fixes #3553 1242 Closes #3556 1243 1244 Daniel Gustafsson (12 Feb 2019) 1245 - non-ascii.c: fix typos in comments 1246 1247 Fix two occurrences of s/convers/converts/ spotted while reading code. 1248 1249 Daniel Stenberg (12 Feb 2019) 1250 - fnmatch: disable if FTP is disabled 1251 1252 Closes #3551 1253 1254 - curl_path: only enabled for SSH builds 1255 1256 - [Frank Gevaerts brought this change] 1257 1258 tests: add stderr comparison to the test suite 1259 1260 The code is more or less copied from the stdout comparison code, maybe 1261 some better reuse is possible. 1262 1263 test 1457 is adjusted to make the output actually match (by using --silent) 1264 test 506 used <stderr> without actually needing it, so that <stderr> block is removed 1265 1266 Closes #3536 1267 1268 Patrick Monnerat (11 Feb 2019) 1269 - cli tool: do not use mime.h private structures. 1270 1271 Option -F generates an intermediate representation of the mime structure 1272 that is used later to create the libcurl mime structure and generate 1273 the --libcurl statements. 1274 1275 Reported-by: Daniel Stenberg 1276 Fixes #3532 1277 Closes #3546 1278 1279 Daniel Stenberg (11 Feb 2019) 1280 - curlver: bump to 7.64.1-dev 1281 1282 - RELEASE-NOTES: synced 1283 1284 and bump the version in progress to 7.64.1. If we merge any "change" 1285 before the cut-off date, we update again. 1286 1287 Daniel Gustafsson (11 Feb 2019) 1288 - curl: follow-up to 3f16990ec84 1289 1290 Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was 1291 inadvertently introducing a new bug in the ternary expression. 1292 1293 Close #3555 1294 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 1295 1296 - dns: release sharelock as soon as possible 1297 1298 There is no benefit to holding the data sharelock when freeing the 1299 addrinfo in case it fails, so ensure releaseing it as soon as we can 1300 rather than holding on to it. This also aligns the code with other 1301 consumers of sharelocks. 1302 1303 Closes #3516 1304 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 1305 1306 Daniel Stenberg (11 Feb 2019) 1307 - curl: follow-up to b49652ac66cc0 1308 1309 On FreeBSD, return non-zero on error otherwise zero. 1310 1311 Reported-by: Marcel Raad 1312 1313 - multi: (void)-prefix when ignoring return values 1314 1315 ... and added braces to two function calls which fixes warnings if they 1316 are replace by empty macros at build-time. 1317 1318 - curl: fix FreeBSD compiler warning in the --xattr code 1319 1320 Closes #3550 1321 1322 - connection_check: set ->data to the transfer doing the check 1323 1324 The http2 code for connection checking needs a transfer to use. Make 1325 sure a working one is set before handler->connection_check() is called. 1326 1327 Reported-by: jnbr on github 1328 Fixes #3541 1329 Closes #3547 1330 1331 - hostip: make create_hostcache_id avoid alloc + free 1332 1333 Closes #3544 1334 1335 - scripts/singleuse: script to use to track single-use functions 1336 1337 That is functions that are declared global but are not used from outside 1338 of the file in which it is declared. Such functions should be made 1339 static or even at times be removed. 1340 1341 It also verifies that all used curl_ prefixed functions are "blessed" 1342 1343 Closes #3538 1344 1345 - cleanup: make local functions static 1346 1347 urlapi: turn three local-only functions into statics 1348 1349 conncache: make conncache_find_first_connection static 1350 1351 multi: make detach_connnection static 1352 1353 connect: make getaddressinfo static 1354 1355 curl_ntlm_core: make hmac_md5 static 1356 1357 http2: make two functions static 1358 1359 http: make http_setup_conn static 1360 1361 connect: make tcpnodelay static 1362 1363 tests: make UNITTEST a thing to mark functions with, so they can be static for 1364 normal builds and non-static for unit test builds 1365 1366 ... and mark Curl_shuffle_addr accordingly. 1367 1368 url: make up_free static 1369 1370 setopt: make vsetopt static 1371 1372 curl_endian: make write32_le static 1373 1374 rtsp: make rtsp_connisdead static 1375 1376 warnless: remove unused functions 1377 1378 memdebug: remove one unused function, made another static 1379 1380 Dan Fandrich (10 Feb 2019) 1381 - cirrus: Added FreeBSD builds using Cirrus CI. 1382 1383 The build logs will be at https://cirrus-ci.com/github/curl/curl 1384 1385 Some tests are currently failing and so disabled for now. The SSH server 1386 isn't starting for the SSH tests due to unsupported options used in its 1387 config file. The DICT server also is failing on startup. 1388 1389 Daniel Stenberg (9 Feb 2019) 1390 - url/idnconvert: remove scan for <= 32 ascii values 1391 1392 The check was added back in fa939220df before the URL parser would catch 1393 these problems and therefore these will never trigger now. 1394 1395 Closes #3539 1396 1397 - urlapi: reduce variable scope, remove unreachable 'break' 1398 1399 Both nits pointed out by codacy.com 1400 1401 Closes #3540 1402 1403 Alessandro Ghedini (7 Feb 2019) 1404 - zsh.pl: escape ':' character 1405 1406 ':' is interpreted as separator by zsh, so if used as part of the argument 1407 or option's description it needs to be escaped. 1408 1409 The problem can be reproduced as follows: 1410 1411 % curl --reso<TAB> 1412 % curl -E <TAB> 1413 1414 Bug: https://bugs.debian.org/921452 1415 1416 - zsh.pl: update regex to better match curl -h output 1417 1418 The current regex fails to match '<...>' arguments properly (e.g. those 1419 with spaces in them), which causes an completion script with wrong 1420 descriptions for some options. 1421 1422 Here's a diff of the generated completion script, comparing the previous 1423 version to the one with this fix: 1424 1425 --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 1426 +++ _curl 2019-02-05 20:57:29.453349040 +0000 1427 @@ -9,48 +9,48 @@ 1428 1429 _arguments -C -S \ 1430 --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'<milliseconds>' \ 1431 + --resolve'[Resolve the host+port to this address]':'<host:port:address[,address]...>' \ 1432 {-c,--cookie-jar}'[Write cookies to <filename> after operation]':'<filename>':_files \ 1433 {-D,--dump-header}'[Write the received headers to <filename>]':'<filename>':_files \ 1434 {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'<seconds>' \ 1435 --proxy-cacert'[CA certificate to verify peer against for proxy]':'<file>':_files \ 1436 - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'<list' \ 1437 + --tls13-ciphers'[TLS 1.3 cipher suites to use]':'<list of TLS 1.3 ciphersuites>' \ 1438 {-E,--cert}'[Client certificate file and password]':'<certificate[:password]>' \ 1439 --libcurl'[Dump libcurl equivalent code of this command line]':'<file>':_files \ 1440 --proxy-capath'[CA directory to verify peer against for proxy]':'<dir>':_files \ 1441 - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ 1442 --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'<hashes>' \ 1443 --crlfile'[Get a CRL list in PEM format from the given file]':'<file>':_files \ 1444 - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ 1445 - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ 1446 + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ 1447 --abstract-unix-socket'[Connect via abstract Unix domain socket]':'<path>' \ 1448 --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'<hashes>' \ 1449 + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ 1450 --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'<phrase>' \ 1451 + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ 1452 {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ 1453 --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'<host[:port]>' \ 1454 --proto-default'[Use PROTOCOL for any URL missing a scheme]':'<protocol>' \ 1455 - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'<ciphersuite' \ 1456 + --proxy-tls13-ciphers'[TLS 1.3 proxy cipher suites]':'<ciphersuite list>' \ 1457 --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'<name>' \ 1458 --ftp-alternative-to-user'[String to replace USER \[name\]]':'<command>' \ 1459 - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ 1460 {-T,--upload-file}'[Transfer local FILE to destination]':'<file>':_files \ 1461 --local-port'[Force use of RANGE for local port numbers]':'<num/range>' \ 1462 --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'<type>' \ 1463 {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ 1464 - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ 1465 - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ 1466 - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ 1467 - --location-trusted'[--location, and send auth to other hosts]':'Like' \ 1468 + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ 1469 --proxy-cert-type'[Client certificate type for HTTPS proxy]':'<type>' \ 1470 {-O,--remote-name}'[Write output to a file named as the remote file]' \ 1471 + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ 1472 + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ 1473 --trace-ascii'[Like --trace, but without hex output]':'<file>':_files \ 1474 --connect-timeout'[Maximum time allowed for connection]':'<seconds>' \ 1475 --expect100-timeout'[How long to wait for 100-continue]':'<seconds>' \ 1476 {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ 1477 + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ 1478 {-m,--max-time}'[Maximum time allowed for the transfer]':'<seconds>' \ 1479 --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'<address>' \ 1480 --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'<address>' \ 1481 - --ignore-content-length'[the size of the remote resource]':'Ignore' \ 1482 {-k,--insecure}'[Allow insecure server connections when using SSL]' \ 1483 + --location-trusted'[Like --location, and send auth to other hosts]' \ 1484 --mail-auth'[Originator address of the original email]':'<address>' \ 1485 --noproxy'[List of hosts which do not use proxy]':'<no-proxy-list>' \ 1486 --proto-redir'[Enable/disable PROTOCOLS on redirect]':'<protocols>' \ 1487 @@ -62,18 +62,19 @@ 1488 --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ 1489 --cacert'[CA certificate to verify peer against]':'<file>':_files \ 1490 {-H,--header}'[Pass custom header(s) to server]':'<header/@file>' \ 1491 + --ignore-content-length'[Ignore the size of the remote resource]' \ 1492 {-i,--include}'[Include protocol response headers in the output]' \ 1493 --proxy-header'[Pass custom header(s) to proxy]':'<header/@file>' \ 1494 --unix-socket'[Connect through this Unix domain socket]':'<path>' \ 1495 {-w,--write-out}'[Use output FORMAT after completion]':'<format>' \ 1496 - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ 1497 {-o,--output}'[Write to file instead of stdout]':'<file>':_files \ 1498 - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ 1499 + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ 1500 --socks4a'[SOCKS4a proxy on given host + port]':'<host[:port]>' \ 1501 {-Y,--speed-limit}'[Stop transfers slower than this]':'<speed>' \ 1502 {-z,--time-cond}'[Transfer based on a time condition]':'<time>' \ 1503 --capath'[CA directory to verify peer against]':'<dir>':_files \ 1504 {-f,--fail}'[Fail silently (no output at all) on HTTP errors]' \ 1505 + --http2-prior-knowledge'[Use HTTP 2 without HTTP/1.1 Upgrade]' \ 1506 --proxy-tlspassword'[TLS password for HTTPS proxy]':'<string>' \ 1507 {-U,--proxy-user}'[Proxy user and password]':'<user:password>' \ 1508 --proxy1.0'[Use HTTP/1.0 proxy on given port]':'<host[:port]>' \ 1509 @@ -81,52 +82,49 @@ 1510 {-A,--user-agent}'[Send User-Agent <name> to server]':'<name>' \ 1511 --egd-file'[EGD socket path for random data]':'<file>':_files \ 1512 --fail-early'[Fail on first transfer error, do not continue]' \ 1513 - --haproxy-protocol'[HAProxy PROXY protocol v1 header]':'Send' \ 1514 - --preproxy'[Use this proxy first]':'[protocol://]host[:port]' \ 1515 + {-J,--remote-header-name}'[Use the header-provided filename]' \ 1516 --retry-max-time'[Retry only within this period]':'<seconds>' \ 1517 --socks4'[SOCKS4 proxy on given host + port]':'<host[:port]>' \ 1518 --socks5'[SOCKS5 proxy on given host + port]':'<host[:port]>' \ 1519 - --socks5-gssapi-nec'[with NEC SOCKS5 server]':'Compatibility' \ 1520 - --ssl-allow-beast'[security flaw to improve interop]':'Allow' \ 1521 --cert-status'[Verify the status of the server certificate]' \ 1522 - --ftp-create-dirs'[the remote dirs if not present]':'Create' \ 1523 {-:,--next}'[Make next URL use its separate set of options]' \ 1524 --proxy-key-type'[Private key file type for proxy]':'<type>' \ 1525 - --remote-name-all'[the remote file name for all URLs]':'Use' \ 1526 {-X,--request}'[Specify request command to use]':'<command>' \ 1527 --retry'[Retry request if transient problems occur]':'<num>' \ 1528 - --ssl-no-revoke'[cert revocation checks (WinSSL)]':'Disable' \ 1529 --cert-type'[Certificate file type (DER/PEM/ENG)]':'<type>' \ 1530 --connect-to'[Connect to host]':'<HOST1:PORT1:HOST2:PORT2>' \ 1531 --create-dirs'[Create necessary local directory hierarchy]' \ 1532 + --haproxy-protocol'[Send HAProxy PROXY protocol v1 header]' \ 1533 --max-redirs'[Maximum number of redirects allowed]':'<num>' \ 1534 {-n,--netrc}'[Must read .netrc for user name and password]' \ 1535 + {-x,--proxy}'[\[protocol://\]host\[:port\] Use this proxy]' \ 1536 --proxy-crlfile'[Set a CRL list for proxy]':'<file>':_files \ 1537 --sasl-ir'[Enable initial response in SASL authentication]' \ 1538 - --socks5-gssapi'[GSS-API auth for SOCKS5 proxies]':'Enable' \ 1539 + --socks5-gssapi-nec'[Compatibility with NEC SOCKS5 server]' \ 1540 + --ssl-allow-beast'[Allow security flaw to improve interop]' \ 1541 + --ftp-create-dirs'[Create the remote dirs if not present]' \ 1542 --interface'[Use network INTERFACE (or address)]':'<name>' \ 1543 --key-type'[Private key file type (DER/PEM/ENG)]':'<type>' \ 1544 --netrc-file'[Specify FILE for netrc]':'<filename>':_files \ 1545 {-N,--no-buffer}'[Disable buffering of the output stream]' \ 1546 --proxy-service-name'[SPNEGO proxy service name]':'<name>' \ 1547 - --styled-output'[styled output for HTTP headers]':'Enable' \ 1548 + --remote-name-all'[Use the remote file name for all URLs]' \ 1549 + --ssl-no-revoke'[Disable cert revocation checks (WinSSL)]' \ 1550 --max-filesize'[Maximum file size to download]':'<bytes>' \ 1551 --negotiate'[Use HTTP Negotiate (SPNEGO) authentication]' \ 1552 --no-keepalive'[Disable TCP keepalive on the connection]' \ 1553 {-#,--progress-bar}'[Display transfer progress as a bar]' \ 1554 - {-x,--proxy}'[Use this proxy]':'[protocol://]host[:port]' \ 1555 - --proxy-anyauth'[any proxy authentication method]':'Pick' \ 1556 {-Q,--quote}'[Send command(s) to server before transfer]' \ 1557 - --request-target'[the target for this request]':'Specify' \ 1558 + --socks5-gssapi'[Enable GSS-API auth for SOCKS5 proxies]' \ 1559 {-u,--user}'[Server user and password]':'<user:password>' \ 1560 {-K,--config}'[Read config from a file]':'<file>':_files \ 1561 {-C,--continue-at}'[Resumed transfer offset]':'<offset>' \ 1562 --data-raw'[HTTP POST data, '\''@'\'' allowed]':'<data>' \ 1563 - --disallow-username-in-url'[username in url]':'Disallow' \ 1564 --krb'[Enable Kerberos with security <level>]':'<level>' \ 1565 --proxy-ciphers'[SSL ciphers to use for proxy]':'<list>' \ 1566 --proxy-digest'[Use Digest authentication on the proxy]' \ 1567 --proxy-tlsuser'[TLS username for HTTPS proxy]':'<name>' \ 1568 + --styled-output'[Enable styled output for HTTP headers]' \ 1569 {-b,--cookie}'[Send cookies from string/file]':'<data>' \ 1570 --data-urlencode'[HTTP POST data url encoded]':'<data>' \ 1571 --delegation'[GSS-API delegation permission]':'<LEVEL>' \ 1572 @@ -134,7 +132,10 @@ 1573 --post301'[Do not switch to GET after following a 301]' \ 1574 --post302'[Do not switch to GET after following a 302]' \ 1575 --post303'[Do not switch to GET after following a 303]' \ 1576 + --proxy-anyauth'[Pick any proxy authentication method]' \ 1577 + --request-target'[Specify the target for this request]' \ 1578 --trace-time'[Add time stamps to trace/verbose output]' \ 1579 + --disallow-username-in-url'[Disallow username in url]' \ 1580 --dns-servers'[DNS server addrs to use]':'<addresses>' \ 1581 {-G,--get}'[Put the post data in the URL and use GET]' \ 1582 --limit-rate'[Limit transfer speed to RATE]':'<speed>' \ 1583 @@ -148,21 +149,21 @@ 1584 --metalink'[Process given URLs as metalink XML file]' \ 1585 --tr-encoding'[Request compressed transfer encoding]' \ 1586 --xattr'[Store metadata in extended file attributes]' \ 1587 - --ftp-skip-pasv-ip'[the IP address for PASV]':'Skip' \ 1588 --pass'[Pass phrase for the private key]':'<phrase>' \ 1589 --proxy-ntlm'[Use NTLM authentication on the proxy]' \ 1590 {-S,--show-error}'[Show error even when -s is used]' \ 1591 - --ciphers'[of ciphers> SSL ciphers to use]':'<list' \ 1592 + --ciphers'[SSL ciphers to use]':'<list of ciphers>' \ 1593 --form-string'[Specify multipart MIME data]':'<name=string>' \ 1594 --login-options'[Server login options]':'<options>' \ 1595 --tftp-blksize'[Set TFTP BLKSIZE option]':'<value>' \ 1596 - --tftp-no-options'[not send any TFTP options]':'Do' \ 1597 {-v,--verbose}'[Make the operation more talkative]' \ 1598 + --ftp-skip-pasv-ip'[Skip the IP address for PASV]' \ 1599 --proxy-key'[Private key for HTTPS proxy]':'<key>' \ 1600 {-F,--form}'[Specify multipart MIME data]':'<name=content>' \ 1601 --mail-from'[Mail from this address]':'<address>' \ 1602 --oauth2-bearer'[OAuth 2 Bearer Token]':'<token>' \ 1603 --proto'[Enable/disable PROTOCOLS]':'<protocols>' \ 1604 + --tftp-no-options'[Do not send any TFTP options]' \ 1605 --tlsauthtype'[TLS authentication type]':'<type>' \ 1606 --doh-url'[Resolve host names over DOH]':'<URL>' \ 1607 --no-sessionid'[Disable SSL session-ID reusing]' \ 1608 @@ -173,14 +174,13 @@ 1609 --ftp-ssl-ccc'[Send CCC after authenticating]' \ 1610 {-4,--ipv4}'[Resolve names to IPv4 addresses]' \ 1611 {-6,--ipv6}'[Resolve names to IPv6 addresses]' \ 1612 - --netrc-optional'[either .netrc or URL]':'Use' \ 1613 --service-name'[SPNEGO service name]':'<name>' \ 1614 {-V,--version}'[Show version number and quit]' \ 1615 --data-ascii'[HTTP POST ASCII data]':'<data>' \ 1616 --ftp-account'[Account data string]':'<data>' \ 1617 - --compressed-ssh'[SSH compression]':'Enable' \ 1618 --disable-eprt'[Inhibit using EPRT or LPRT]' \ 1619 --ftp-method'[Control CWD usage]':'<method>' \ 1620 + --netrc-optional'[Use either .netrc or URL]' \ 1621 --pubkey'[SSH Public key file name]':'<key>' \ 1622 --raw'[Do HTTP "raw"; no transfer decoding]' \ 1623 --anyauth'[Pick any authentication method]' \ 1624 @@ -189,6 +189,7 @@ 1625 --no-alpn'[Disable the ALPN TLS extension]' \ 1626 --tcp-nodelay'[Use the TCP_NODELAY option]' \ 1627 {-B,--use-ascii}'[Use ASCII/text transfer]' \ 1628 + --compressed-ssh'[Enable SSH compression]' \ 1629 --digest'[Use HTTP Digest Authentication]' \ 1630 --proxy-tlsv1'[Use TLSv1 for HTTPS proxy]' \ 1631 --engine'[Crypto engine to use]':'<name>' \ 1632 1633 Marcel Raad (7 Feb 2019) 1634 - tool_operate: fix typecheck warning 1635 1636 Use long for CURLOPT_HTTP09_ALLOWED to fix the following warning: 1637 tool_operate.c: In function 'operate_do': 1638 ../include/curl/typecheck-gcc.h:47:9: error: call to 1639 '_curl_easy_setopt_err_long' declared with attribute warning: 1640 curl_easy_setopt expects a long argument for this option [-Werror] 1641 1642 Closes https://github.com/curl/curl/pull/3534 1643 1644 Jay Satiro (6 Feb 2019) 1645 - [Chris Araman brought this change] 1646 1647 url: close TLS before removing conn from cache 1648 1649 - Fix potential crashes in schannel shutdown. 1650 1651 Ensure any TLS shutdown messages are sent before removing the 1652 association between the connection and the easy handle. Reverts 1653 @bagder's previous partial fix for #3412. 1654 1655 Fixes https://github.com/curl/curl/issues/3412 1656 Fixes https://github.com/curl/curl/issues/3505 1657 Closes https://github.com/curl/curl/pull/3531 1658 1659 Daniel Gustafsson (6 Feb 2019) 1660 - INTERNALS.md: fix subsection depth and link 1661 1662 The Kerberos subsection was mistakenly a subsubsection under FTP, and 1663 the curlx subsection was missing an anchor for the TOC link. 1664 1665 Closes #3529 1666 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 1667 1668 Version 7.64.0 (6 Feb 2019) 1669 1670 Daniel Stenberg (6 Feb 2019) 1671 - RELEASE-NOTES: 7.64.0 1672 1673 - RELEASE-PROCEDURE: update the release calendar 1674 1675 - THANKS: 7.64.0 status 1676 1677 Daniel Gustafsson (5 Feb 2019) 1678 - ROADMAP: remove already performed item 1679 1680 Commit 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 introduced support 1681 for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while 1682 the entry was removed from the TODO it was mistakenly left here. 1683 Fix by removing and rewording the entry slightly. 1684 1685 Closes #3530 1686 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 1687 1688 - [Etienne Simard brought this change] 1689 1690 CONTRIBUTE.md: Fix grammatical errors 1691 1692 Fix grammatical errors making the document read better. Also fixes 1693 a typo. 1694 1695 Closes #3525 1696 Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se> 1697 1698 Daniel Stenberg (4 Feb 2019) 1699 - [Julian Z brought this change] 1700 1701 docs: use $(INSTALL_DATA) to install man page 1702 1703 Fixes #3518 1704 Closes #3522 1705 1706 Jay Satiro (4 Feb 2019) 1707 - [Ladar Levison brought this change] 1708 1709 runtests.pl: Fix perl call to include srcdir 1710 1711 - Use explicit include opt for perl calls. 1712 1713 Prior to this change some scripts couldn't find their dependencies. 1714 1715 At the top, perl is called using with the "-Isrcdir" option, and it 1716 works: 1717 1718 https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183 1719 1720 But on line 3868, that option is omitted. This caused problems for me, 1721 as the symbol-scan.pl script in particular couldn't find its 1722 dependencies properly: 1723 1724 https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868 1725 1726 This patch fixes that oversight by making calls to perl sub-shells 1727 uniform. 1728 1729 Closes https://github.com/curl/curl/pull/3496 1730 1731 Daniel Stenberg (4 Feb 2019) 1732 - [Daniel Gustafsson brought this change] 1733 1734 smtp: avoid risk of buffer overflow in strtol 1735 1736 If the incoming len 5, but the buffer does not have a termination 1737 after 5 bytes, the strtol() call may keep reading through the line 1738 buffer until is exceeds its boundary. Fix by ensuring that we are 1739 using a bounded read with a temporary buffer on the stack. 1740 1741 Bug: https://curl.haxx.se/docs/CVE-2019-3823.html 1742 Reported-by: Brian Carpenter (Geeknik Labs) 1743 CVE-2019-3823 1744 1745 - ntlm: fix *_type3_message size check to avoid buffer overflow 1746 1747 Bug: https://curl.haxx.se/docs/CVE-2019-3822.html 1748 Reported-by: Wenxiang Qian 1749 CVE-2019-3822 1750 1751 - NTLM: fix size check condition for type2 received data 1752 1753 Bug: https://curl.haxx.se/docs/CVE-2018-16890.html 1754 Reported-by: Wenxiang Qian 1755 CVE-2018-16890 1756 1757 Marcel Raad (1 Feb 2019) 1758 - [georgeok brought this change] 1759 1760 spnego_sspi: add support for channel binding 1761 1762 Attempt to add support for Secure Channel binding when negotiate 1763 authentication is used. The problem to solve is that by default IIS 1764 accepts channel binding and curl doesn't utilise them. The result was a 1765 401 response. Scope affects only the Schannel(winssl)-SSPI combination. 1766 1767 Fixes https://github.com/curl/curl/issues/3503 1768 Closes https://github.com/curl/curl/pull/3509 1769 1770 Daniel Stenberg (1 Feb 2019) 1771 - RELEASE-NOTES: synced 1772 1773 - schannel: stop calling it "winssl" 1774 1775 Stick to "Schannel" everywhere. The configure option --with-winssl is 1776 kept to allow existing builds to work but --with-schannel is added as an 1777 alias. 1778 1779 Closes #3504 1780 1781 - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time 1782 1783 To make sure Curl_timeleft() also thinks the timeout has been reached 1784 when one of the EXPIRE_*TIMEOUTs expires. 1785 1786 Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html 1787 Reported-by: Zhao Yisha 1788 Closes #3501 1789 1790 - [John Marshall brought this change] 1791 1792 doc: use meaningless port number in CURLOPT_LOCALPORT example 1793 1794 Use an ephemeral port number here; previously the example had 8080 1795 which could be confusing as the common web server port number might 1796 be misinterpreted as suggesting this option affects the remote port. 1797 1798 URL: https://curl.haxx.se/mail/lib-2019-01/0084.html 1799 Closes #3513 1800 1801 GitHub (29 Jan 2019) 1802 - [Gisle Vanem brought this change] 1803 1804 Escape the '\' 1805 1806 A backslash should be escaped in Roff / Troff. 1807 1808 Jay Satiro (29 Jan 2019) 1809 - TODO: WinSSL: 'Add option to disable client cert auto-send' 1810 1811 By default WinSSL selects and send a client certificate automatically, 1812 but for privacy and consistency we should offer an option to disable the 1813 default auto-send behavior. 1814 1815 Reported-by: Jeroen Ooms 1816 1817 Closes https://github.com/curl/curl/issues/2262 1818 1819 Daniel Stenberg (28 Jan 2019) 1820 - [Jeremie Rapin brought this change] 1821 1822 sigpipe: if mbedTLS is used, ignore SIGPIPE 1823 1824 mbedTLS doesn't have a sigpipe management. If a write/read occurs when 1825 the remote closes the socket, the signal is raised and kills the 1826 application. Use the curl mecanisms fix this behavior. 1827 1828 Signed-off-by: Jeremie Rapin <j.rapin (a] overkiz.com> 1829 1830 Closes #3502 1831 1832 - unit1653: make it survive torture tests 1833 1834 Jay Satiro (28 Jan 2019) 1835 - [Michael Kujawa brought this change] 1836 1837 timeval: Disable MSVC Analyzer GetTickCount warning 1838 1839 Compiling with msvc /analyze and a recent Windows SDK warns against 1840 using GetTickCount (Suggests to use GetTickCount64 instead.) 1841 1842 Since GetTickCount is only being used when GetTickCount64 isn't 1843 available, I am disabling that warning. 1844 1845 Fixes https://github.com/curl/curl/issues/3437 1846 Closes https://github.com/curl/curl/pull/3440 1847 1848 Daniel Stenberg (26 Jan 2019) 1849 - configure: rewrite --enable-code-coverage 1850 1851 The previously used ax_code_coverage.m4 is not license compatible and 1852 must not be used. 1853 1854 Reported-by: William A. Rowe Jr 1855 Fixes #3497 1856 Closes #3499 1857 1858 - [Felix Hdicke brought this change] 1859 1860 setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh 1861 1862 CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for 1863 libssh as well. So accepting these options only when compiling with 1864 libssh2 is wrong here. 1865 1866 Fixes #3493 1867 Closes #3494 1868 1869 - [Felix Hdicke brought this change] 1870 1871 libssh: do not let libssh create socket 1872 1873 By default, libssh creates a new socket, instead of using the socket 1874 created by curl for SSH connections. 1875 1876 Pass the socket created by curl to libssh using ssh_options_set() with 1877 SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket 1878 instead of creating a new one. 1879 1880 This approach is very similar to what is done in the libssh2 code, where 1881 the socket created by curl is passed to libssh2 when 1882 libssh2_session_startup() is called. 1883 1884 Fixes #3491 1885 Closes #3495 1886 1887 - RELEASE-NOTES: synced 1888 1889 - [Archangel_SDY brought this change] 1890 1891 schannel: preserve original certificate path parameter 1892 1893 Fixes #3480 1894 Closes #3487 1895 1896 - KNOWN_BUGS: tests not compatible with python3 1897 1898 Closes #3289 1899 [skip ci] 1900 1901 Daniel Gustafsson (20 Jan 2019) 1902 - memcmp: avoid doing single char memcmp 1903 1904 There is no real gain in performing memcmp() comparisons on single 1905 characters, so change these to array subscript inspections which 1906 saves a call and makes the code clearer. 1907 1908 Closes #3486 1909 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 1910 Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com> 1911 1912 Daniel Stenberg (19 Jan 2019) 1913 - COPYING: it's 2019 1914 1915 [skip ci] 1916 1917 - [hhb brought this change] 1918 1919 configure: fix recv/send/select detection on Android 1920 1921 This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. 1922 1923 The overloadable attribute is removed again starting from 1924 NDK17. Actually they only exist in two NDK versions (15 and 16). With 1925 overloadable, the first condition tried will succeed. Results in wrong 1926 detection result. 1927 1928 Closes #3484 1929 1930 Marcel Raad (19 Jan 2019) 1931 - [georgeok brought this change] 1932 1933 ntlm_sspi: add support for channel binding 1934 1935 Windows extended potection (aka ssl channel binding) is required 1936 to login to ntlm IIS endpoint, otherwise the server returns 401 1937 responses. 1938 1939 Fixes #3280 1940 Closes #3321 1941 1942 Daniel Stenberg (18 Jan 2019) 1943 - schannel: on connection close there might not be a transfer 1944 1945 Reported-by: Marcel Raad 1946 Fixes #3412 1947 Closes #3483 1948 1949 - [Joel Depooter brought this change] 1950 1951 ssh: log the libssh2 error message when ssh session startup fails 1952 1953 When a ssh session startup fails, it is useful to know why it has 1954 failed. This commit changes the message from: 1955 "Failure establishing ssh session" 1956 to something like this, for example: 1957 "Failure establishing ssh session: -5, Unable to exchange encryption keys" 1958 1959 Closes #3481 1960 1961 Alessandro Ghedini (16 Jan 2019) 1962 - Fix typo in manpage 1963 1964 Daniel Stenberg (16 Jan 2019) 1965 - RELEASE-NOTES: synced 1966 1967 Sergei Nikulov (16 Jan 2019) 1968 - cmake: updated check for HAVE_POLL_FINE to match autotools 1969 1970 Daniel Stenberg (16 Jan 2019) 1971 - curl-compilers.m4: check for __ibmxl__ to detect xlclang 1972 1973 Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a 1974 particular flag is used for legacy macros. 1975 1976 Fixes #3474 1977 Closes #3479 1978 1979 - openssl: fix the SSL_get_tlsext_status_ocsp_resp call 1980 1981 .... to not pass in a const in the second argument as that's not how it 1982 is supposed to be used and might cause compiler warnings. 1983 1984 Reported-by: Pavel Pavlov 1985 Fixes #3477 1986 Closes #3478 1987 1988 - curl-compilers.m4: detect xlclang 1989 1990 Since it isn't totally clang compatible, we detect this IBM clang 1991 front-end and if detected, avoids some clang specific magic. 1992 1993 Reported-by: Kees Dekker 1994 Fixes #3474 1995 Closes #3476 1996 1997 - README: add codacy code quality badge 1998 1999 [skip ci] 2000 2001 - extract_if_dead: follow-up to 54b201b48c90a 2002 2003 extract_if_dead() dead is called from two functions, and only one of 2004 them should get conn->data updated and now neither call path clears it. 2005 2006 scan-build found a case where conn->data would be NULL dereferenced in 2007 ConnectionExists() otherwise. 2008 2009 Closes #3473 2010 2011 - multi: remove "Dead assignment" 2012 2013 Found by scan-build. Follow-up to 4c35574bb785ce. 2014 2015 Closes #3471 2016 2017 - tests: move objnames-* from lib into tests 2018 2019 Since they're used purely for testing purposes, I think they should 2020 rather be stored there. 2021 2022 Closes #3470 2023 2024 Sergei Nikulov (15 Jan 2019) 2025 - travis: added cmake build for osx 2026 2027 Daniel Stenberg (14 Jan 2019) 2028 - [Frank Gevaerts brought this change] 2029 2030 cookie: fix comment typo (url_path_len -> uri_path_len) 2031 2032 Closes #3469 2033 2034 Marcel Raad (14 Jan 2019) 2035 - winbuild: conditionally use /DZLIB_WINAPI 2036 2037 zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have 2038 the ZLIB_WINAPI define set by default. Using them requires that define 2039 too. 2040 2041 Ref: https://zlib.net/DLL_FAQ.txt 2042 2043 Fixes https://github.com/curl/curl/issues/3133 2044 Closes https://github.com/curl/curl/pull/3460 2045 2046 Daniel Stenberg (14 Jan 2019) 2047 - src/Makefile: make 'tidy' target work for metalink builds 2048 2049 - extract_if_dead: use a known working transfer when checking connections 2050 2051 Make sure that this function sets a proper "live" transfer for the 2052 connection before calling the protocol-specific connection check 2053 function, and then clear it again afterward as a non-used connection has 2054 no current transfer. 2055 2056 Reported-by: Jeroen Ooms 2057 Reviewed-by: Marcel Raad 2058 Reviewed-by: Daniel Gustafsson 2059 Fixes #3463 2060 Closes #3464 2061 2062 - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated 2063 2064 OpenSSL_version() replaces OpenSSL_version_num() 2065 2066 Closes #3462 2067 2068 Sergei Nikulov (11 Jan 2019) 2069 - cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCC 2070 2071 Daniel Stenberg (11 Jan 2019) 2072 - urldata: rename easy_conn to just conn 2073 2074 We use "conn" everywhere to be a pointer to the connection. 2075 2076 Introduces two functions that "attaches" and "detaches" the connection 2077 to and from the transfer. 2078 2079 Going forward, we should favour using "data->conn" (since a transfer 2080 always only has a single connection or none at all) to "conn->data" 2081 (since a connection can have none, one or many transfers associated with 2082 it and updating conn->data to be correct is error prone and a frequent 2083 reason for internal issues). 2084 2085 Closes #3442 2086 2087 - tool_cb_prg: avoid integer overflow 2088 2089 When calculating the progress bar width. 2090 2091 Reported-by: Peng Li 2092 Fixes #3456 2093 Closes #3458 2094 2095 Daniel Gustafsson (11 Jan 2019) 2096 - travis: turn off copyright year checks in checksrc 2097 2098 Invoking the maintainer intended COPYRIGHTYEAR check for everyone 2099 in the PR pipeline is too invasive, especially at the turn of the 2100 year when many files get affected. Remove and leave it as a tool 2101 for maintainers to verify patches before commits. 2102 2103 This reverts f7bdf4b2e1d81b2652b81b9b3029927589273b41. 2104 2105 After discussion with: Daniel Stenberg 2106 2107 Daniel Stenberg (10 Jan 2019) 2108 - KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGW 2109 2110 Closes #3125 2111 2112 - KNOWN_BUGS: Improve --data-urlencode space encoding 2113 2114 Closes #3229 2115 2116 Patrick Monnerat (10 Jan 2019) 2117 - os400: add a missing closing bracket 2118 2119 See https://github.com/curl/curl/issues/3453#issuecomment-453054458 2120 2121 Reported-by: jonrumsey on github 2122 2123 - os400: fix extra parameter syntax error. 2124 2125 Reported-by: jonrumsey on github 2126 Closes #3453 2127 2128 Daniel Stenberg (10 Jan 2019) 2129 - test1558: verify CURLINFO_PROTOCOL on file:// transfer 2130 2131 Attempt to reproduce issue #3444. 2132 2133 Closes #3447 2134 2135 - RELEASE-NOTES: synced 2136 2137 - xattr: strip credentials from any URL that is stored 2138 2139 Both user and password are cleared uncondtitionally. 2140 2141 Added unit test 1621 to verify. 2142 2143 Fixes #3423 2144 Closes #3433 2145 2146 - cookies: allow secure override when done over HTTPS 2147 2148 Added test 1562 to verify. 2149 2150 Reported-by: Jeroen Ooms 2151 Fixes #3445 2152 Closes #3450 2153 2154 - multi: multiplexing improvements 2155 2156 Fixes #3436 2157 Closes #3448 2158 2159 Problem 1 2160 2161 After LOTS of scratching my head, I eventually realized that even when doing 2162 10 uploads in parallel, sometimes the socket callback to the application that 2163 tells it what to wait for on the socket, looked like it would reflect the 2164 status of just the single transfer that just changed state. 2165 2166 Digging into the code revealed that this was indeed the truth. When multiple 2167 transfers are using the same connection, the application did not correctly get 2168 the *combined* flags for all transfers which then could make it switch to READ 2169 (only) when in fact most transfers wanted to get told when the socket was 2170 WRITEABLE. 2171 2172 Problem 1b 2173 2174 A separate but related regression had also been introduced by me when I 2175 cleared connection/transfer association better a while ago, as now the logic 2176 couldn't find the connection and see if that was marked as used by more 2177 transfers and then it would also prematurely remove the socket from the socket 2178 hash table even in times other transfers were still using it! 2179 2180 Fix 1 2181 2182 Make sure that each socket stored in the socket hash has a "combined" action 2183 field of what to ask the application to wait for, that is potentially the ORed 2184 action of multiple parallel transfers. And remove that socket hash entry only 2185 if there are no transfers left using it. 2186 2187 Problem 2 2188 2189 The socket hash entry stored an association to a single transfer using that 2190 socket - and when curl_multi_socket_action() was called to tell libcurl about 2191 activities on that specific socket only that transfer was "handled". 2192 2193 This was WRONG, as a single socket/connection can be used by numerous parallel 2194 transfers and not necessarily a single one. 2195 2196 Fix 2 2197 2198 We now store a list of handles in the socket hashtable entry and when libcurl 2199 is told there's traffic for a particular socket, it now iterates over all 2200 known transfers using that single socket. 2201 2202 - test1561: improve test name 2203 2204 [skip ci] 2205 2206 - [Katsuhiko YOSHIDA brought this change] 2207 2208 cookies: skip custom cookies when redirecting cross-site 2209 2210 Closes #3417 2211 2212 - THANKS: fixups and a dedupe 2213 2214 [skip ci] 2215 2216 - timediff: fix math for unsigned time_t 2217 2218 Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html 2219 2220 Closes #3449 2221 2222 - [Bernhard M. Wiedemann brought this change] 2223 2224 tests: allow tests to pass by 2037-02-12 2225 2226 similar to commit f508d29f3902104018 2227 2228 Closes #3443 2229 2230 - RELEASE-NOTES: synced 2231 2232 - [Brad Spencer brought this change] 2233 2234 curl_multi_remove_handle() don't block terminating c-ares requests 2235 2236 Added Curl_resolver_kill() for all three resolver modes, which only 2237 blocks when necessary, along with test 1592 to confirm 2238 curl_multi_remove_handle() doesn't block unless it must. 2239 2240 Closes #3428 2241 Fixes #3371 2242 2243 - Revert "http_negotiate: do not close connection until negotiation is completed" 2244 2245 This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. 2246 2247 This also reopens PR #3275 which brought the change now reverted. 2248 2249 Fixes #3384 2250 Closes #3439 2251 2252 - curl/urlapi.h: include "curl.h" first 2253 2254 This allows programs to include curl/urlapi.h directly. 2255 2256 Reviewed-by: Daniel Gustafsson 2257 Reported-by: Ben Kohler 2258 Fixes #3438 2259 Closes #3441 2260 2261 Marcel Raad (6 Jan 2019) 2262 - VS projects: fix build warning 2263 2264 Starting with Visual Studio 2017 Update 9, Visual Studio doesn't like 2265 the MinimalRebuild option anymore and warns: 2266 2267 cl : Command line warning D9035: option 'Gm' has been deprecated and 2268 will be removed in a future release 2269 2270 The option can be safely removed so that the default is used. 2271 2272 Closes https://github.com/curl/curl/pull/3425 2273 2274 - schannel: fix compiler warning 2275 2276 When building with Unicode on MSVC, the compiler warns about freeing a 2277 pointer to const in Curl_unicodefree. Fix this by declaring it as 2278 non-const and casting the argument to Curl_convert_UTF8_to_tchar to 2279 non-const too, like we do in all other places. 2280 2281 Closes https://github.com/curl/curl/pull/3435 2282 2283 Daniel Stenberg (4 Jan 2019) 2284 - [Rikard Falkeborn brought this change] 2285 2286 printf: introduce CURL_FORMAT_TIMEDIFF_T 2287 2288 - [Rikard Falkeborn brought this change] 2289 2290 printf: fix format specifiers 2291 2292 Closes #3426 2293 2294 - libtest/stub_gssapi: use "real" snprintf 2295 2296 ... since it doesn't link with libcurl. 2297 2298 Reverts the commit dcd6f81025 changes from this file. 2299 2300 Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html 2301 Reported-by: Shlomi Fish 2302 Reviewed-by: Daniel Gustafsson 2303 Reviewed-by: Kamil Dudka 2304 2305 Closes #3434 2306 2307 - INTERNALS: correct some outdated function names 2308 2309 Closes #3431 2310 2311 - docs/version.d: mention MultiSSL 2312 2313 Reviewed-by: Daniel Gustafsson 2314 Closes #3432 2315 2316 Daniel Gustafsson (2 Jan 2019) 2317 - [Rikard Falkeborn brought this change] 2318 2319 examples: Update .gitignore 2320 2321 Add a few missing examples to make `make examples` not leave the 2322 workspace in a dirty state. 2323 2324 Closes #3427 2325 Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se> 2326 2327 - THANKS: add more missing names 2328 2329 Add Adrian Burcea who made the artwork for the curl://up 2018 event 2330 which was held in Stockholm, Sweden. 2331 2332 - docs: mention potential leak in curl_slist_append 2333 2334 When a non-empty list is appended to, and used as the returnvalue, 2335 the list pointer can leak in case of an allocation failure in the 2336 curl_slist_append() call. This is correctly handled in curl code 2337 usage but we weren't explicitly pointing it out in the API call 2338 documentation. Fix by extending the RETURNVALUE manpage section 2339 and example code. 2340 2341 Closes #3424 2342 Reported-by: dnivras on github 2343 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2344 2345 Marcel Raad (1 Jan 2019) 2346 - tvnow: silence conversion warnings 2347 2348 MinGW-w64 defaults to targeting Windows 7 now, so GetTickCount64 is 2349 used and the milliseconds are represented as unsigned long long, 2350 leading to a compiler warning when implicitly converting them to long. 2351 2352 Daniel Stenberg (1 Jan 2019) 2353 - THANKS: dedupe more names 2354 2355 Researched-by: Tae Wong 2356 2357 Marcel Raad (1 Jan 2019) 2358 - [Markus Moeller brought this change] 2359 2360 ntlm: update selection of type 3 response 2361 2362 NTLM2 did not work i.e. no NTLMv2 response was created. Changing the 2363 check seems to work. 2364 2365 Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf 2366 2367 Fixes https://github.com/curl/curl/issues/3286 2368 Closes https://github.com/curl/curl/pull/3287 2369 Closes https://github.com/curl/curl/pull/3415 2370 2371 Daniel Stenberg (31 Dec 2018) 2372 - THANKS: added missing names from year <= 2000 2373 2374 Due to a report of a missing name in THANKS I manually went through an 2375 old CHANGES.0 file and added many previously missing names here. 2376 2377 Daniel Gustafsson (30 Dec 2018) 2378 - urlapi: fix parsing ipv6 with zone index 2379 2380 The previous fix for parsing IPv6 URLs with a zone index was a paddle 2381 short for URLs without an explicit port. This patch fixes that case 2382 and adds a unit test case. 2383 2384 This bug was highlighted by issue #3408, and while it's not the full 2385 fix for the problem there it is an isolated bug that should be fixed 2386 regardless. 2387 2388 Closes #3411 2389 Reported-by: GitYuanQu on github 2390 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2391 2392 Daniel Stenberg (30 Dec 2018) 2393 - THANKS: dedupe Guenter Knauf 2394 2395 Reported-by: Tae Wong 2396 2397 - THANKS: missing name from the 6.3.1 release! 2398 2399 Daniel Gustafsson (27 Dec 2018) 2400 - RELEASE-NOTES: synced 2401 2402 - [Claes Jakobsson brought this change] 2403 2404 hostip: support wildcard hosts 2405 2406 This adds support for wildcard hosts in CURLOPT_RESOLVE. These are 2407 try-last so any non-wildcard entry is resolved first. If specified, 2408 any host not matched by another CURLOPT_RESOLVE config will use this 2409 as fallback. 2410 2411 Example send a.com to 10.0.0.1 and everything else to 10.0.0.2: 2412 curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \ 2413 https://a.com https://b.com 2414 2415 This is probably quite similar to using: 2416 --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443 2417 2418 Closes #3406 2419 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2420 2421 - url: fix incorrect indentation 2422 2423 Patrick Monnerat (26 Dec 2018) 2424 - os400: upgrade ILE/RPG binding. 2425 2426 - Trailer function support. 2427 - http 0.9 option. 2428 - curl_easy_upkeep. 2429 2430 Daniel Gustafsson (25 Dec 2018) 2431 - FAQ: remove mention of sourceforge for github 2432 2433 The project bug tracker is no longer hosted at sourceforge but is now 2434 hosted on the curl Github page. Update the FAQ to reflect. 2435 2436 Closes #3410 2437 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2438 2439 - openvms: fix typos in documentation 2440 2441 - openvms: fix OpenSSL discovery on VAX 2442 2443 The DCL code had a typo in one of the commands which would make the 2444 OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT. 2445 2446 Closes #3407 2447 Reviewed-by: Viktor Szakats <commit (a] vszakats.net> 2448 2449 Daniel Stenberg (24 Dec 2018) 2450 - [Ruslan Baratov brought this change] 2451 2452 cmake: use lowercase for function name like the rest of the code 2453 2454 Reviewed-by: Sergei Nikulov 2455 2456 closes #3196 2457 2458 - Revert "libssh: no data pointer == nothing to do" 2459 2460 This reverts commit c98ee5f67f497195c9 since commit f3ce38739fa fixed the 2461 problem in a more generic way. 2462 2463 - disconnect: set conn->data for protocol disconnect 2464 2465 Follow-up to fb445a1e18d: Set conn->data explicitly to point out the 2466 current transfer when invoking the protocol-specific disconnect function 2467 so that it can work correctly. 2468 2469 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173 2470 2471 Jay Satiro (23 Dec 2018) 2472 - [Pavel Pavlov brought this change] 2473 2474 timeval: Use high resolution timestamps on Windows 2475 2476 - Use QueryPerformanceCounter on Windows Vista+ 2477 2478 There is confusing info floating around that QueryPerformanceCounter 2479 can leap etc, which might have been true long time ago, but no longer 2480 the case nowadays (perhaps starting from WinXP?). Also, boost and 2481 std::chrono::steady_clock use QueryPerformanceCounter in a similar way. 2482 2483 Prior to this change GetTickCount or GetTickCount64 was used, which has 2484 lower resolution. That is still the case for <= XP. 2485 2486 Fixes https://github.com/curl/curl/issues/3309 2487 Closes https://github.com/curl/curl/pull/3318 2488 2489 Daniel Stenberg (22 Dec 2018) 2490 - libssh: no data pointer == nothing to do 2491 2492 - conncache_unlock: avoid indirection by changing input argument type 2493 2494 - disconnect: separate connections and easy handles better 2495 2496 Do not assume/store assocation between a given easy handle and the 2497 connection if it can be avoided. 2498 2499 Long-term, the 'conn->data' pointer should probably be removed as it is a 2500 little too error-prone. Still used very widely though. 2501 2502 Reported-by: masbug on github 2503 Fixes #3391 2504 Closes #3400 2505 2506 - libssh: free sftp_canonicalize_path() data correctly 2507 2508 Assisted-by: Harry Sintonen 2509 2510 Fixes #3402 2511 Closes #3403 2512 2513 - RELEASE-NOTES: synced 2514 2515 - http: added options for allowing HTTP/0.9 responses 2516 2517 Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. 2518 2519 For now, both the tool and library allow HTTP/0.9 by default. 2520 docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 2521 months after the 7.64.0 release. The options are added already now so 2522 that applications/scripts can start using them already now. 2523 2524 Fixes #2873 2525 Closes #3383 2526 2527 - if2ip: remove unused function Curl_if_is_interface_name 2528 2529 Closes #3401 2530 2531 - http2: clear pause stream id if it gets closed 2532 2533 Reported-by: Florian Pritz 2534 2535 Fixes #3392 2536 Closes #3399 2537 2538 Daniel Gustafsson (20 Dec 2018) 2539 - [David Garske brought this change] 2540 2541 wolfssl: Perform cleanup 2542 2543 This adds a cleanup callback for cyassl. Resolves possible memory leak 2544 when using ECC fixed point cache. 2545 2546 Closes #3395 2547 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2548 Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se> 2549 2550 Daniel Stenberg (20 Dec 2018) 2551 - mbedtls: follow-up VERIFYHOST fix from f097669248 2552 2553 Fix-by: Eric Rosenquist 2554 2555 Fixes #3376 2556 Closes #3390 2557 2558 - curlver: bump to 7.64.0 for next release 2559 2560 Daniel Gustafsson (19 Dec 2018) 2561 - cookies: extend domain checks to non psl builds 2562 2563 Ensure to perform the checks we have to enforce a sane domain in 2564 the cookie request. The check for non-PSL enabled builds is quite 2565 basic but it's better than nothing. 2566 2567 Closes #2964 2568 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2569 2570 Daniel Stenberg (19 Dec 2018) 2571 - [Matus Uzak brought this change] 2572 2573 smb: fix incorrect path in request if connection reused 2574 2575 Follow-up to 09e401e01bf9. If connection gets reused, then data member 2576 will be copied, but not the proto member. As a result, in smb_do(), 2577 path has been set from the original proto.share data. 2578 2579 Closes #3388 2580 2581 - curl -J: do not append to the destination file 2582 2583 Reported-by: Kamil Dudka 2584 Fixes #3380 2585 Closes #3381 2586 2587 - mbedtls: use VERIFYHOST 2588 2589 Previously, VERIFYPEER would enable/disable all checks. 2590 2591 Reported-by: Eric Rosenquist 2592 Fixes #3376 2593 Closes #3380 2594 2595 - pingpong: change default response timeout to 120 seconds 2596 2597 Previously it was 30 minutes 2598 2599 - pingpong: ignore regular timeout in disconnect phase 2600 2601 The timeout set with CURLOPT_TIMEOUT is no longer used when 2602 disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP, 2603 POP3). 2604 2605 Reported-by: jasal82 on github 2606 2607 Fixes #3264 2608 Closes #3374 2609 2610 - TODO: Windows: set attribute 'archive' for completed downloads 2611 2612 Closes #3354 2613 2614 - RELEASE-NOTES: synced 2615 2616 - http: minor whitespace cleanup from f464535b 2617 2618 - [Ayoub Boudhar brought this change] 2619 2620 http: Implement trailing headers for chunked transfers 2621 2622 This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION 2623 options that allow a callback based approach to sending trailing headers 2624 with chunked transfers. 2625 2626 The test server (sws) was updated to take into account the detection of the 2627 end of transfer in the case of trailing headers presence. 2628 2629 Test 1591 checks that trailing headers can be sent using libcurl. 2630 2631 Closes #3350 2632 2633 - darwinssl: accept setting max-tls with default min-tls 2634 2635 Reported-by: Andrei Neculau 2636 Fixes #3367 2637 Closes #3373 2638 2639 - gopher: fix memory leak from 9026083ddb2a9 2640 2641 - [Leonardo Taccari brought this change] 2642 2643 test1201: Add a trailing `?' to the selector 2644 2645 This verify that the `?' in the selector is kept as is. 2646 2647 Verifies the fix in #3370 2648 2649 - [Leonardo Taccari brought this change] 2650 2651 gopher: always include the entire gopher-path in request 2652 2653 After the migration to URL API all octets in the selector after the 2654 first `?' were interpreted as query and accidentally discarded and not 2655 passed to the server. 2656 2657 Add a gopherpath to always concatenate possible path and query URL 2658 pieces. 2659 2660 Fixes #3369 2661 Closes #3370 2662 2663 - [Leonardo Taccari brought this change] 2664 2665 urlapi: distinguish possibly empty query 2666 2667 If just a `?' to indicate the query is passed always store a zero length 2668 query instead of having a NULL query. 2669 2670 This permits to distinguish URL with trailing `?'. 2671 2672 Fixes #3369 2673 Closes #3370 2674 2675 Daniel Gustafsson (13 Dec 2018) 2676 - OS400: handle memory error in list conversion 2677 2678 Curl_slist_append_nodup() returns NULL when it fails to create a new 2679 item for the specified list, and since the coding here reassigned the 2680 new list on top of the old list it would result in a dangling pointer 2681 and lost memory. Also, in case we hit an allocation failure at some 2682 point during the conversion, with allocation succeeding again on the 2683 subsequent call(s) we will return a truncated list around the malloc 2684 failure point. Fix by assigning to a temporary list pointer, which can 2685 be checked (which is the common pattern for slist appending), and free 2686 all the resources on allocation failure. 2687 2688 Closes #3372 2689 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2690 2691 - cookies: leave secure cookies alone 2692 2693 Only allow secure origins to be able to write cookies with the 2694 'secure' flag set. This reduces the risk of non-secure origins 2695 to influence the state of secure origins. This implements IETF 2696 Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates 2697 RFC6265. 2698 2699 Closes #2956 2700 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2701 2702 Daniel Stenberg (13 Dec 2018) 2703 - docs: fix the --tls-max description 2704 2705 Reported-by: Tobias Lindgren 2706 Pointed out in #3367 2707 2708 Closes #3368 2709 2710 Daniel Gustafsson (12 Dec 2018) 2711 - urlapi: Fix port parsing of eol colon 2712 2713 A URL with a single colon without a portnumber should use the default 2714 port, discarding the colon. Fix, add a testcase and also do little bit 2715 of comment wordsmithing. 2716 2717 Closes #3365 2718 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2719 2720 Version 7.63.0 (12 Dec 2018) 2721 2722 Daniel Stenberg (12 Dec 2018) 2723 - RELEASE-NOTES: 7.63.0 2724 2725 - THANKS: from the curl 7.62.0 cycle 2726 2727 - test1519: use lib1518 and test CURLINFO_REDIRECT_URL more 2728 2729 - Curl_follow: extract the Location: header field unvalidated 2730 2731 ... when not actually following the redirect. Otherwise we return error 2732 for this and an application can't extract the value. 2733 2734 Test 1518 added to verify. 2735 2736 Reported-by: Pavel Pavlov 2737 Fixes #3340 2738 Closes #3364 2739 2740 - multi: convert two timeout variables to timediff_t 2741 2742 The time_t type is unsigned on some systems and these variables are used 2743 to hold return values from functions that return timediff_t 2744 already. timediff_t is always a signed type. 2745 2746 Closes #3363 2747 2748 - delta: use --diff-filter on the git diff-tree invokes 2749 2750 Suggested-by: Dave Reisner 2751 2752 Patrick Monnerat (11 Dec 2018) 2753 - documentation: curl_formadd field and file names are now escaped 2754 2755 Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition 2756 header without special processing: this may lead to invalid RFC 822 2757 quoted-strings. 2758 7.56.0 introduces escaping of backslashes and double quotes in these names: 2759 mention it in the documentation. 2760 2761 Reported-by: daboul on github 2762 Closes #3361 2763 2764 Daniel Stenberg (11 Dec 2018) 2765 - scripts/delta: show repo delta info from last release 2766 2767 ... where "last release" should be the git tag in the repo. 2768 2769 Daniel Gustafsson (11 Dec 2018) 2770 - tests: add urlapi unittest 2771 2772 This adds a new unittest intended to cover the internal functions in 2773 the urlapi code, starting with parse_port(). In order to avoid name 2774 collisions in debug builds, parse_port() is renamed Curl_parse_port() 2775 since it will be exported. 2776 2777 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2778 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 2779 2780 - urlapi: fix portnumber parsing for ipv6 zone index 2781 2782 An IPv6 URL which contains a zone index includes a '%%25<zode id>' 2783 string before the ending ']' bracket. The parsing logic wasn't set 2784 up to cope with the zone index however, resulting in a malformed url 2785 error being returned. Fix by breaking the parsing into two stages 2786 to correctly handle the zone index. 2787 2788 Closes #3355 2789 Closes #3319 2790 Reported-by: tonystz on Github 2791 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 2792 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 2793 2794 Daniel Stenberg (11 Dec 2018) 2795 - [Jay Satiro brought this change] 2796 2797 http: fix HTTP auth to include query in URI 2798 2799 - Include query in the path passed to generate HTTP auth. 2800 2801 Recent changes to use the URL API internally (46e1640, 7.62.0) 2802 inadvertently broke authentication URIs by omitting the query. 2803 2804 Fixes https://github.com/curl/curl/issues/3353 2805 Closes #3356 2806 2807 - [Michael Kaufmann brought this change] 2808 2809 http: don't set CURLINFO_CONDITION_UNMET for http status code 204 2810 2811 The http status code 204 (No Content) should not change the "condition 2812 unmet" flag. Only the http status code 304 (Not Modified) should do 2813 this. 2814 2815 Closes #359 2816 2817 - [Samuel Surtees brought this change] 2818 2819 ldap: fix LDAP URL parsing regressions 2820 2821 - Match URL scheme with LDAP and LDAPS 2822 - Retrieve attributes, scope and filter from URL query instead 2823 2824 Regression brought in 46e164069d1a5230 (7.62.0) 2825 2826 Closes #3362 2827 2828 - RELEASE-NOTES: synced 2829 2830 - [Stefan Kanthak brought this change] 2831 2832 (lib)curl.rc: fixup for minor bugs 2833 2834 All resources defined in lib/libcurl.rc and curl.rc are language 2835 neutral. 2836 2837 winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the 2838 ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong. 2839 2840 Replace the hard-coded constants in both *.rc files with #define'd 2841 values. 2842 2843 Thumbs-uped-by: Rod Widdowson, Johannes Schindelin 2844 URL: https://curl.haxx.se/mail/lib-2018-11/0000.html 2845 Closes #3348 2846 2847 - test329: verify cookie max-age=0 immediate expiry 2848 2849 - cookies: expire "Max-Age=0" immediately 2850 2851 Reported-by: Jeroen Ooms 2852 Fixes #3351 2853 Closes #3352 2854 2855 - [Johannes Schindelin brought this change] 2856 2857 Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 2858 2859 This is a companion patch to cbea2fd2c (NTLM: force the connection to 2860 HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1 2861 preemptively. However, with other (Negotiate) authentication it is not 2862 clear to this developer whether there is a way to make it work with 2863 HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the 2864 error HTTP_1_1_REQUIRED. 2865 2866 Note: we will still keep the NTLM workaround, as it avoids an extra 2867 round trip. 2868 2869 Daniel Stenberg helped a lot with this patch, in particular by 2870 suggesting to introduce the Curl_h2_http_1_1_error() function. 2871 2872 Closes #3349 2873 2874 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 2875 2876 - [Ben Greear brought this change] 2877 2878 openssl: fix unused variable compiler warning with old openssl 2879 2880 URL: https://curl.haxx.se/mail/lib-2018-11/0055.html 2881 2882 Closes #3347 2883 2884 - [Johannes Schindelin brought this change] 2885 2886 NTLM: force the connection to HTTP/1.1 2887 2888 Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces 2889 the capability. However, NTLM authentication only works with HTTP/1.1, 2890 and will likely remain in that boat (for details, see 2891 https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported). 2892 2893 When we just found out that we want to use NTLM, and when the current 2894 connection runs in HTTP/2 mode, let's force the connection to be closed 2895 and to be re-opened using HTTP/1.1. 2896 2897 Fixes https://github.com/curl/curl/issues/3341. 2898 Closes #3345 2899 2900 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 2901 2902 - [Johannes Schindelin brought this change] 2903 2904 curl_global_sslset(): id == -1 is not necessarily an error 2905 2906 It is allowed to call that function with id set to -1, specifying the 2907 backend by the name instead. We should imitate what is done further down 2908 in that function to allow for that. 2909 2910 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 2911 2912 Closes #3346 2913 2914 Johannes Schindelin (6 Dec 2018) 2915 - .gitattributes: make tabs in indentation a visible error 2916 2917 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 2918 2919 Daniel Stenberg (6 Dec 2018) 2920 - RELEASE-NOTES: synced 2921 2922 - doh: fix memory leak in OOM situation 2923 2924 Reviewed-by: Daniel Gustafsson 2925 Closes #3342 2926 2927 - doh: make it work for h2-disabled builds too 2928 2929 Reported-by: dtmsecurity at github 2930 Fixes #3325 2931 Closes #3336 2932 2933 - packages: remove old leftover files and dirs 2934 2935 This subdir has mostly become an attic of never-used cruft from the 2936 past. 2937 2938 Closes #3331 2939 2940 - [Gergely Nagy brought this change] 2941 2942 openssl: do not use file BIOs if not requested 2943 2944 Moves the file handling BIO calls to the branch of the code where they 2945 are actually used. 2946 2947 Closes #3339 2948 2949 - [Paul Howarth brought this change] 2950 2951 nss: Fix compatibility with nss versions 3.14 to 3.15 2952 2953 - [Paul Howarth brought this change] 2954 2955 nss: Improve info message when falling back SSL protocol 2956 2957 Use descriptive text strings rather than decimal numbers. 2958 2959 - [Paul Howarth brought this change] 2960 2961 nss: Fall back to latest supported SSL version 2962 2963 NSS may be built without support for the latest SSL/TLS versions, 2964 leading to "SSL version range is not valid" errors when the library 2965 code supports a recent version (e.g. TLS v1.3) but it has explicitly 2966 been disabled. 2967 2968 This change adjusts the maximum SSL version requested by libcurl to 2969 be the maximum supported version at runtime, as long as that version 2970 is at least as high as the minimum version required by libcurl. 2971 2972 Fixes #3261 2973 2974 Daniel Gustafsson (3 Dec 2018) 2975 - travis: enable COPYRIGHTYEAR extended warning 2976 2977 The extended warning for checking incorrect COPYRIGHTYEAR is quite 2978 expensive to run, so rather than expecting every developer to do it 2979 we ensure it's turned on locally for Travis. 2980 2981 - checksrc: add COPYRIGHTYEAR check 2982 2983 Forgetting to bump the year in the copyright clause when hacking has 2984 been quite common among curl developers, but a traditional checksrc 2985 check isn't a good fit as it would penalize anyone hacking on January 2986 1st (among other things). This adds a more selective COPYRIGHTYEAR 2987 check which intends to only cover the currently hacked on changeset. 2988 2989 The check for updated copyright year is currently not enforced on all 2990 files but only on files edited and/or committed locally. This is due to 2991 the amount of files which aren't updated with their correct copyright 2992 year at the time of their respective commit. 2993 2994 To further avoid running this expensive check for every developer, it 2995 adds a new local override mode for checksrc where a .checksrc file can 2996 be used to turn on extended warnings locally. 2997 2998 Closes #3303 2999 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3000 3001 Daniel Stenberg (3 Dec 2018) 3002 - CHECKSRC.md: document more warnings 3003 3004 Closes #3335 3005 [ci skip] 3006 3007 - RELEASE-NOTES: synced 3008 3009 - SECURITY-PROCESS: bountygraph shuts down 3010 3011 This backpedals back the documents to the state before bountygraph. 3012 3013 Closes #3311 3014 3015 - curl: fix memory leak reading --writeout from file 3016 3017 If another string had been set first, the writout function for reading 3018 the syntax from file would leak the previously allocated memory. 3019 3020 Reported-by: Brian Carpenter 3021 Fixes #3322 3022 Closes #3330 3023 3024 - tool_main: rename function to make it unique and better 3025 3026 ... there's already another function in the curl tool named 3027 free_config_fields! 3028 3029 Daniel Gustafsson (29 Nov 2018) 3030 - TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry 3031 3032 Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option 3033 making it a manual code-edit operation to turn it back on. The removal 3034 process has thus started and is now documented in docs/DEPRECATE.md so 3035 remove from the TODO to avoid anyone looking for something to pick up 3036 spend cycles on an already in-progress entry. 3037 3038 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3039 3040 Jay Satiro (29 Nov 2018) 3041 - [Sevan Janiyan brought this change] 3042 3043 connect: fix building for recent versions of Minix 3044 3045 EBADIOCTL doesn't exist on more recent Minix. 3046 There have also been substantial changes to the network stack. 3047 Fixes build on Minix 3.4rc 3048 3049 Closes https://github.com/curl/curl/pull/3323 3050 3051 - [Konstantin Kushnir brought this change] 3052 3053 CMake: fix MIT/Heimdal Kerberos detection 3054 3055 - fix syntax error in FindGSS.cmake 3056 - correct krb5 include directory. FindGSS exports 3057 "GSS_INCLUDE_DIR" variable. 3058 3059 Closes https://github.com/curl/curl/pull/3316 3060 3061 Daniel Stenberg (28 Nov 2018) 3062 - test328: verify Content-Encoding: none 3063 3064 Because of issue #3315 3065 3066 Closes #3317 3067 3068 - [James Knight brought this change] 3069 3070 configure: include all libraries in ssl-libs fetch 3071 3072 When compiling a collection of SSL libraries to link against (SSL_LIBS), 3073 ensure all libraries are included. The call `--libs-only-l` can produce 3074 only a subset of found in a `--libs` call (e.x. pthread may be excluded). 3075 Adding `--libs-only-other` ensures other libraries are also included in 3076 the list. This corrects select build environments compiling against a 3077 static version of OpenSSL. Before the change, the following could be 3078 observed: 3079 3080 checking for openssl options with pkg-config... found 3081 configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl " 3082 configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib " 3083 configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include " 3084 checking for HMAC_Update in -lcrypto... no 3085 checking for HMAC_Init_ex in -lcrypto... no 3086 checking OpenSSL linking with -ldl... no 3087 checking OpenSSL linking with -ldl and -lpthread... no 3088 configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more. 3089 configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this. 3090 ... 3091 SSL support: no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} ) 3092 ... 3093 3094 And include the other libraries when compiling SSL_LIBS succeeds with: 3095 3096 checking for openssl options with pkg-config... found 3097 configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread " 3098 configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib " 3099 configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include " 3100 checking for HMAC_Update in -lcrypto... yes 3101 checking for SSL_connect in -lssl... yes 3102 ... 3103 SSL support: enabled (OpenSSL) 3104 ... 3105 3106 Signed-off-by: James Knight <james.d.knight (a] live.com> 3107 Closes #3193 3108 3109 Daniel Gustafsson (26 Nov 2018) 3110 - doh: fix typo in infof call 3111 3112 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3113 3114 - cmdline-opts/gen.pl: define the correct varname 3115 3116 The variable definition had a small typo making it declare another 3117 variable then the intended. 3118 3119 Closes #3304 3120 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3121 3122 Daniel Stenberg (25 Nov 2018) 3123 - RELEASE-NOTES: synced 3124 3125 - curl_easy_perform: fix timeout handling 3126 3127 curl_multi_wait() was erroneously used from within 3128 curl_easy_perform(). It could lead to it believing there was no socket 3129 to wait for and then instead sleep for a while instead of monitoring the 3130 socket and then miss acting on that activity as swiftly as it should 3131 (causing an up to 1000 ms delay). 3132 3133 Reported-by: Antoni Villalonga 3134 Fixes #3305 3135 Closes #3306 3136 Closes #3308 3137 3138 - CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times 3139 3140 - cookies: create the cookiejar even if no cookies to save 3141 3142 Important for when the file is going to be read again and thus must not 3143 contain old contents! 3144 3145 Adds test 327 to verify. 3146 3147 Reported-by: daboul on github 3148 Fixes #3299 3149 Closes #3300 3150 3151 - checksrc: ban snprintf use, add command line flag to override warns 3152 3153 - snprintf: renamed and we now only use msnprintf() 3154 3155 The function does not return the same value as snprintf() normally does, 3156 so readers may be mislead into thinking the code works differently than 3157 it actually does. A different function name makes this easier to detect. 3158 3159 Reported-by: Tomas Hoger 3160 Assisted-by: Daniel Gustafsson 3161 Fixes #3296 3162 Closes #3297 3163 3164 - [Tobias Hintze brought this change] 3165 3166 test: update test20/1322 for eglibc bug workaround 3167 3168 The tests 20 and 1322 are using getaddrinfo of libc for resolving. In 3169 eglibc-2.19 there is a memory leakage and invalid free bug which 3170 surfaces in some special circumstances (PF_UNSPEC hint with invalid or 3171 non-existent names). The valgrind runs in testing fail in these 3172 situations. 3173 3174 As the tests 20/1322 are not specific on either protocol (IPv4/IPv6) 3175 this commit changes the hints to IPv4 protocol by passing `--ipv4` flag 3176 on the tests' command line. This prevents the valgrind failures. 3177 3178 - [Tobias Hintze brought this change] 3179 3180 host names: allow trailing dot in name resolve, then strip it 3181 3182 Delays stripping of trailing dots to after resolving the hostname. 3183 3184 Fixes #3022 3185 Closes #3222 3186 3187 - [UnknownShadow200 brought this change] 3188 3189 CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description 3190 3191 Closes #3295 3192 3193 Daniel Gustafsson (21 Nov 2018) 3194 - configure: Fix typo in comment 3195 3196 Michael Kaufmann (21 Nov 2018) 3197 - openssl: support session resume with TLS 1.3 3198 3199 Session resumption information is not available immediately after a TLS 1.3 3200 handshake. The client must wait until the server has sent a session ticket. 3201 3202 Use OpenSSL's "new session" callback to get the session information and put it 3203 into curl's session cache. For TLS 1.3 sessions, this callback will be invoked 3204 after the server has sent a session ticket. 3205 3206 The "new session" callback is invoked only if OpenSSL's session cache is 3207 enabled, so enable it and use the "external storage" mode which lets curl manage 3208 the contents of the session cache. 3209 3210 A pointer to the connection data and the sockindex are now saved as "SSL extra 3211 data" to make them available to the callback. 3212 3213 This approach also works for old SSL/TLS versions and old OpenSSL versions. 3214 3215 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3216 3217 Fixes #3202 3218 Closes #3271 3219 3220 - ssl: fix compilation with OpenSSL 0.9.7 3221 3222 - ENGINE_cleanup() was used without including "openssl/engine.h" 3223 - enable engine support for OpenSSL 0.9.7 3224 3225 Closes #3266 3226 3227 Daniel Stenberg (21 Nov 2018) 3228 - openssl: disable TLS renegotiation with BoringSSL 3229 3230 Since we're close to feature freeze, this change disables this feature 3231 with an #ifdef. Define ALLOW_RENEG at build-time to enable. 3232 3233 This could be converted to a bit for CURLOPT_SSL_OPTIONS to let 3234 applications opt-in this. 3235 3236 Concern-raised-by: David Benjamin 3237 Fixes #3283 3238 Closes #3293 3239 3240 - [Romain Fliedel brought this change] 3241 3242 ares: remove fd from multi fd set when ares is about to close the fd 3243 3244 When using c-ares for asyn dns, the dns socket fd was silently closed 3245 by c-ares without curl being aware. curl would then 'realize' the fd 3246 has been removed at next call of Curl_resolver_getsock, and only then 3247 notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with 3248 CURL_POLL_REMOVE. At this point the fd is already closed. 3249 3250 By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this 3251 patch allows curl to be notified that the fd is not longer needed 3252 for neither for write nor read. At this point by calling 3253 Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE 3254 before the fd is actually closed by ares. 3255 3256 In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore 3257 since it does not allow passing a different sock_state_cb_data 3258 3259 Closes #3238 3260 3261 - [Romain Fliedel brought this change] 3262 3263 examples/ephiperfifo: report error when epoll_ctl fails 3264 3265 Daniel Gustafsson (20 Nov 2018) 3266 - [pkubaj brought this change] 3267 3268 ntlm: Remove redundant ifdef USE_OPENSSL 3269 3270 lib/curl_ntlm.c had code that read as follows: 3271 3272 #ifdef USE_OPENSSL 3273 # ifdef USE_OPENSSL 3274 # else 3275 # .. 3276 # endif 3277 #endif 3278 3279 Remove the redundant USE_OPENSSL along with #else (it's not possible to 3280 reach it anyway). The removed construction is a leftover from when the 3281 SSLeay support was removed. 3282 3283 Closes #3269 3284 Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se> 3285 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3286 3287 Daniel Stenberg (20 Nov 2018) 3288 - [Han Han brought this change] 3289 3290 ssl: replace all internal uses of CURLE_SSL_CACERT 3291 3292 Closes #3291 3293 3294 Han Han (19 Nov 2018) 3295 - docs: add more description to unified ssl error codes 3296 3297 - curle: move deprecated error code to ifndef block 3298 3299 Patrick Monnerat (19 Nov 2018) 3300 - os400: add CURLOPT_CURLU to ILE/RPG binding. 3301 3302 - os400: Add curl_easy_conn_upkeep() to ILE/RPG binding. 3303 3304 - os400: fix return type of curl_easy_pause() in ILE/RPG binding. 3305 3306 Daniel Stenberg (19 Nov 2018) 3307 - RELEASE-NOTES: synced 3308 3309 - impacket: add LICENSE 3310 3311 The license for the impacket package was not in our tree. 3312 3313 Imported now from upstream's 3314 https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE 3315 3316 Reported-by: infinnovation-dev on github 3317 Fixes #3276 3318 Closes #3277 3319 3320 Daniel Gustafsson (18 Nov 2018) 3321 - tool_doswin: Fix uninitialized field warning 3322 3323 The partial struct initialization in 397664a065abffb7c3445ca9 caused 3324 a warning on uninitialized MODULEENTRY32 struct members: 3325 3326 /src/tool_doswin.c:681:3: warning: missing initializer for field 3327 'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}' 3328 [-Wmissing-field-initializers] 3329 3330 This is sort of a bogus warning as the remaining members will be set 3331 to zero by the compiler, as all omitted members are. Nevertheless, 3332 remove the warning by omitting all members and setting the dwSize 3333 members explicitly. 3334 3335 Closes #3254 3336 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 3337 Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com> 3338 3339 - openssl: Remove SSLEAY leftovers 3340 3341 Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't 3342 compatible with the SSLeay library. This removes the few leftovers that 3343 were omitted in the less frequently used platform targets. 3344 3345 Closes #3270 3346 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3347 3348 Daniel Stenberg (16 Nov 2018) 3349 - [Elia Tufarolo brought this change] 3350 3351 http_negotiate: do not close connection until negotiation is completed 3352 3353 Fix HTTP POST using CURLAUTH_NEGOTIATE. 3354 3355 Closes #3275 3356 3357 - pop3: only do APOP with a valid timestamp 3358 3359 Brought-by: bobmitchell1956 on github 3360 Fixes #3278 3361 Closes #3279 3362 3363 Jay Satiro (16 Nov 2018) 3364 - [Peter Wu brought this change] 3365 3366 openssl: do not log excess "TLS app data" lines for TLS 1.3 3367 3368 The SSL_CTX_set_msg_callback callback is not just called for the 3369 Handshake or Alert protocols, but also for the raw record header 3370 (SSL3_RT_HEADER) and the decrypted inner record type 3371 (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid 3372 excess debug spam when using `curl -v` against a TLSv1.3-enabled server: 3373 3374 * TLSv1.3 (IN), TLS app data, [no content] (0): 3375 3376 (Following this message, another callback for the decrypted 3377 handshake/alert messages will be be present anyway.) 3378 3379 Closes https://github.com/curl/curl/pull/3281 3380 3381 Marc Hoersken (15 Nov 2018) 3382 - tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows 3383 3384 SO_EXCLUSIVEADDRUSE is on by default on Vista or newer, 3385 but does not work together with SO_REUSEADDR being on. 3386 3387 The default changes were made with stunnel 5.34 and 5.35. 3388 3389 Daniel Stenberg (13 Nov 2018) 3390 - [Kamil Dudka brought this change] 3391 3392 nss: remove version selecting dead code 3393 3394 Closes #3262 3395 3396 - nss: set default max-tls to 1.3/1.2 3397 3398 Fixes #3261 3399 3400 Daniel Gustafsson (13 Nov 2018) 3401 - tool_cb_wrt: Silence function cast compiler warning 3402 3403 Commit 5bfaa86ceb3c2a9ac474a928e748c4a86a703b33 introduced a new 3404 compiler warning on Windows cross compilation with GCC. See below 3405 for an example of the warning from the autobuild logs (whitespace 3406 edited to fit): 3407 3408 /src/tool_cb_wrt.c:175:9: warning: cast from function call of type 3409 'intptr_t {aka long long int}' to non-matching type 'void *' 3410 [-Wbad-function-cast] 3411 (HANDLE) _get_osfhandle(fileno(outs->stream)), 3412 ^ 3413 3414 Store the return value from _get_osfhandle() in an intermediate 3415 variable and cast the variable in WriteConsoleW() rather than the 3416 function call directly to avoid a compiler warning. 3417 3418 In passing, also add inspection of the MultiByteToWideChar() return 3419 value and return failure in case an error is reported. 3420 3421 Closes #3263 3422 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 3423 Reviewed-by: Viktor Szakats <commit (a] vszakats.net> 3424 3425 Daniel Stenberg (12 Nov 2018) 3426 - nss: fix fallthrough comment to fix picky compiler warning 3427 3428 - docs: expanded on some CURLU details 3429 3430 - [Tim Rhsen brought this change] 3431 3432 ftp: avoid two unsigned int overflows in FTP listing parser 3433 3434 Curl_ftp_parselist: avoid unsigned integer overflows 3435 3436 The overflow has no real world impact, just avoid it for "best 3437 practice". 3438 3439 Closes #3225 3440 3441 - curl: --local-port range was not "including" 3442 3443 The end port number in a given range was not included in the range used, 3444 as it is documented to be. 3445 3446 Reported-by: infinnovation-dev on github 3447 Fixes #3251 3448 Closes #3255 3449 3450 - [Jrmy Rocher brought this change] 3451 3452 openssl: support BoringSSL TLS renegotiation 3453 3454 As per BoringSSL porting documentation [1], BoringSSL rejects peer 3455 renegotiations by default. 3456 3457 curl fails when trying to authenticate to server through client 3458 certificate if it is requested by server after the initial TLS 3459 handshake. 3460 3461 Enable renegotiation by default with BoringSSL to get same behavior as 3462 with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] 3463 which was introduced in commit 1d5ef3bb1eb9 [3]. 3464 3465 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation 3466 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 3467 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 3468 3469 Signed-off-by: Jrmy Rocher <rocher.jeremy (a] gmail.com> 3470 Fixes #3258 3471 Closes #3259 3472 3473 - HISTORY: add some milestones 3474 3475 Added a few of the more notable milestones in curl history that were 3476 missing. Primarily more recent ones but I also noted some older that 3477 could be worth mentioning. 3478 3479 [ci skip] 3480 Closes #3257 3481 3482 Daniel Gustafsson (9 Nov 2018) 3483 - KNOWN_BUGS: add --proxy-any connection issue 3484 3485 Add the identified issue with --proxy-any and proxy servers which 3486 advertise authentication schemes other than the supported one. 3487 3488 Closes #876 3489 Closes #3250 3490 Reported-by: NTMan on Github 3491 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3492 3493 Daniel Stenberg (9 Nov 2018) 3494 - [Jim Fuller brought this change] 3495 3496 setopt: add CURLOPT_CURLU 3497 3498 Allows an application to pass in a pre-parsed URL via a URL handle. 3499 3500 Closes #3227 3501 3502 - [Gisle Vanem brought this change] 3503 3504 docs: ESCape "\n" codes 3505 3506 Groff / Troff will display a: 3507 printaf("Errno: %ld\n", error); 3508 as: 3509 printf("Errno: %ld0, error); 3510 3511 when a "\n" is not escaped. Use "\\n" instead. 3512 3513 Closes #3246 3514 3515 - curl: --local-port fix followup 3516 3517 Regression by 52db54869e6. 3518 3519 Reported-by: infinnovation-dev on github 3520 Fixes #3248 3521 Closes #3249 3522 3523 GitHub (7 Nov 2018) 3524 - [Gisle Vanem brought this change] 3525 3526 More "\n" ESCaping 3527 3528 Daniel Stenberg (7 Nov 2018) 3529 - RELEASE-NOTES: synced 3530 3531 - curl: fix --local-port integer overflow 3532 3533 The tool's local port command line range parser didn't check for integer 3534 overflows and could pass "weird" data to libcurl for this option. 3535 libcurl however, has a strict range check for the values so it rejects 3536 anything outside of the accepted range. 3537 3538 Reported-by: Brian Carpenter 3539 Closes #3242 3540 3541 - curl: correct the switch() logic in ourWriteOut 3542 3543 Follow-up to e431daf013, as I did the wrong correction for a compiler 3544 warning. It should be a break and not a fall-through. 3545 3546 Pointed-out-by: Frank Gevaerts 3547 3548 - [Frank Gevaerts brought this change] 3549 3550 curl: add %{stderr} and %{stdout} for --write-out 3551 3552 Closes #3115 3553 3554 Daniel Gustafsson (7 Nov 2018) 3555 - winssl: be consistent in Schannel capitalization 3556 3557 The productname from Microsoft is "Schannel", but in infof/failf 3558 reporting we use "schannel". This removes different versions. 3559 3560 Closes #3243 3561 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3562 3563 Daniel Stenberg (7 Nov 2018) 3564 - TODO: Have the URL API offer IDN decoding 3565 3566 Similar to how URL decoding/encoding is done, we could have URL 3567 functions to convert IDN host names to punycode. 3568 3569 Suggested-by: Alexey Melnichuk 3570 Closes #3232 3571 3572 - urlapi: only skip encoding the first '=' with APPENDQUERY set 3573 3574 APPENDQUERY + URLENCODE would skip all equals signs but now it only skip 3575 encoding the first to better allow "name=content" for any content. 3576 3577 Reported-by: Alexey Melnichuk 3578 Fixes #3231 3579 Closes #3231 3580 3581 - url: a short host name + port is not a scheme 3582 3583 The function identifying a leading "scheme" part of the URL considered a 3584 few letters ending with a colon to be a scheme, making something like 3585 "short:80" to become an unknown scheme instead of a short host name and 3586 a port number. 3587 3588 Extended test 1560 to verify. 3589 3590 Also fixed test203 to use file_pwd to make it get the correct path on 3591 windows. Removed test 2070 since it was a duplicate of 203. 3592 3593 Assisted-by: Marcel Raad 3594 Reported-by: Hagai Auro 3595 Fixes #3220 3596 Fixes #3233 3597 Closes #3223 3598 Closes #3235 3599 3600 - [Sangamkar brought this change] 3601 3602 libcurl: stop reading from paused transfers 3603 3604 In the transfer loop it would previously not acknwledge the pause bit 3605 and continue until drained or loop ended. 3606 3607 Closes #3240 3608 3609 Jay Satiro (6 Nov 2018) 3610 - tool: add undocumented option --dump-module-paths for win32 3611 3612 - Add an undocumented diagnostic option for Windows to show the full 3613 paths of all loaded modules regardless of whether or not libcurl 3614 initialization succeeds. 3615 3616 This is needed so that in the CI we can get a list of all DLL 3617 dependencies after initialization (when they're most likely to have 3618 finished loading) and then package them as artifacts so that a 3619 functioning build can be downloaded. Also I imagine it may have some use 3620 as a diagnostic for help requests. 3621 3622 Ref: https://github.com/curl/curl/pull/3103 3623 3624 Closes https://github.com/curl/curl/pull/3208 3625 3626 - curl_multibyte: fix a malloc overcalculation 3627 3628 Prior to this change twice as many bytes as necessary were malloc'd when 3629 converting wchar to UTF8. To allay confusion in the future I also 3630 changed the variable name for the amount of bytes from len to bytes. 3631 3632 Closes https://github.com/curl/curl/pull/3209 3633 3634 Michael Kaufmann (5 Nov 2018) 3635 - netrc: don't ignore the login name specified with "--user" 3636 3637 - for "--netrc", don't ignore the login/password specified with "--user", 3638 only ignore the login/password in the URL. 3639 This restores the netrc behaviour of curl 7.61.1 and earlier. 3640 - fix the documentation of CURL_NETRC_REQUIRED 3641 - improve the detection of login/password changes when reading .netrc 3642 - don't read .netrc if both login and password are already set 3643 3644 Fixes #3213 3645 Closes #3224 3646 3647 Patrick Monnerat (5 Nov 2018) 3648 - OS400: add URL API ccsid wrappers and sync ILE/RPG bindings 3649 3650 Daniel Stenberg (5 Nov 2018) 3651 - [Yasuhiro Matsumoto brought this change] 3652 3653 curl: fixed UTF-8 in current console code page (Windows) 3654 3655 Fixes #3211 3656 Fixes #3175 3657 Closes #3212 3658 3659 - TODO: 2.6 multi upkeep 3660 3661 Closes #3199 3662 3663 Daniel Gustafsson (5 Nov 2018) 3664 - unittest: make 1652 stable across collations 3665 3666 The previous coding used a format string whose output depended on the 3667 current locale of the environment running the test. Since the gist of 3668 the test is to have a format string, with the actual formatting being 3669 less important, switch to a more stable formatstring with decimals. 3670 3671 Reported-by: Marcel Raad 3672 Closes #3234 3673 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3674 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 3675 3676 Daniel Stenberg (5 Nov 2018) 3677 - Revert "url: a short host name + port is not a scheme" 3678 3679 This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. 3680 3681 This commit caused test failures on appveyor/windows. Work on fixing them is 3682 in #3235. 3683 3684 - symbols-in-versions: add missing CURLU_ symbols 3685 3686 ...and fix symbol-scan.pl to also scan urlapi.h 3687 3688 Reported-by: Alexey Melnichuk 3689 Fixes #3226 3690 Closes #3230 3691 3692 Daniel Gustafsson (3 Nov 2018) 3693 - infof: clearly indicate truncation 3694 3695 The internal buffer in infof() is limited to 2048 bytes of payload plus 3696 an additional byte for NULL termination. Servers with very long error 3697 messages can however cause truncation of the string, which currently 3698 isn't very clear, and leads to badly formatted output. 3699 3700 This appends a "...\n" (or just "..." in case the format didn't with a 3701 newline char) marker to the end of the string to clearly show 3702 that it has been truncated. 3703 3704 Also include a unittest covering infof() to try and catch any bugs 3705 introduced in this quite important function. 3706 3707 Closes #3216 3708 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3709 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 3710 3711 Michael Kaufmann (3 Nov 2018) 3712 - tool_getparam: fix some comments 3713 3714 Daniel Stenberg (3 Nov 2018) 3715 - url: a short host name + port is not a scheme 3716 3717 The function identifying a leading "scheme" part of the URL considered a few 3718 letters ending with a colon to be a scheme, making something like "short:80" 3719 to become an unknown scheme instead of a short host name and a port number. 3720 3721 Extended test 1560 to verify. 3722 3723 Reported-by: Hagai Auro 3724 Fixes #3220 3725 Closes #3223 3726 3727 - URL: fix IPv6 numeral address parser 3728 3729 Regression from 46e164069d1a52. Extended test 1560 to verify. 3730 3731 Reported-by: tpaukrt on github 3732 Fixes #3218 3733 Closes #3219 3734 3735 - travis: remove curl before a normal build 3736 3737 on Linux. To make sure the test suite runs with its newly build tool and 3738 doesn't require an external one present. 3739 3740 Bug: #3198 3741 Closes #3200 3742 3743 - [Tim Rhsen brought this change] 3744 3745 mprintf: avoid unsigned integer overflow warning 3746 3747 The overflow has no real world impact. 3748 Just avoid it for "best practice". 3749 3750 Code change suggested by "The Infinnovation Team" and Daniel Stenberg. 3751 Closes #3184 3752 3753 - Curl_follow: accept non-supported schemes for "fake" redirects 3754 3755 When not actually following the redirect and the target URL is only 3756 stored for later retrieval, curl always accepted "non-supported" 3757 schemes. This was a regression from 46e164069d1a5230. 3758 3759 Reported-by: Brad King 3760 Fixes #3210 3761 Closes #3215 3762 3763 Daniel Gustafsson (2 Nov 2018) 3764 - openvms: fix example name 3765 3766 Commit efc696a2e09225bfeab4 renamed persistant.c to persistent.c to 3767 fix the typo in the name, but missed to update the OpenVMS package 3768 files which still looked for the old name. 3769 3770 Closes #3217 3771 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3772 Reviewed-by: Viktor Szakats <commit (a] vszakats.net> 3773 3774 Daniel Stenberg (1 Nov 2018) 3775 - configure: show CFLAGS, LDFLAGS etc in summary 3776 3777 To make it easier to understand other people's and remote builds etc. 3778 3779 Closes #3207 3780 3781 - version: bump for next cycle 3782 3783 - axtls: removed 3784 3785 As has been outlined in the DEPRECATE.md document, the axTLS code has 3786 been disabled for 6 months and is hereby removed. 3787 3788 Use a better supported TLS library! 3789 3790 Assisted-by: Daniel Gustafsson 3791 Closes #3194 3792 3793 - [marcosdiazr brought this change] 3794 3795 schannel: make CURLOPT_CERTINFO support using Issuer chain 3796 3797 Closes #3197 3798 3799 - travis: build with sanitize=address,undefined,signed-integer-overflow 3800 3801 ... using clang 3802 3803 Closes #3190 3804 3805 - schannel: use Curl_ prefix for global private symbols 3806 3807 Curl_verify_certificate() must use the Curl_ prefix since it is globally 3808 available in the lib and otherwise steps outside of our namespace! 3809 3810 Closes #3201 3811 3812 Kamil Dudka (1 Nov 2018) 3813 - tests: drop http_pipe.py script no longer used 3814 3815 It is unused since commit f7208df7d9d5cd5e15e2d89237e828f32b63f135. 3816 3817 Closes #3204 3818 3819 Daniel Stenberg (31 Oct 2018) 3820 - runtests: use the local curl for verifying 3821 3822 ... revert the mistaken change brought in commit 8440616f53. 3823 3824 Reported-by: Alessandro Ghedini 3825 Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html 3826 3827 Closes #3198 3828 3829 Version 7.62.0 (30 Oct 2018) 3830 3831 Daniel Stenberg (30 Oct 2018) 3832 - RELEASE-NOTES: 7.62.0 3833 3834 - THANKS: 7.62.0 status 3835 3836 Daniel Gustafsson (30 Oct 2018) 3837 - vtls: add MesaLink to curl_sslbackend enum 3838 3839 MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the 3840 backend was never added to the curl_sslbackend enum in curl/curl.h. 3841 This adds the new backend to the enum and updates the relevant docs. 3842 3843 Closes #3195 3844 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3845 3846 Daniel Stenberg (30 Oct 2018) 3847 - [Ruslan Baratov brought this change] 3848 3849 cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable 3850 3851 Closes #3191 3852 3853 - test2080: verify the fix for CVE-2018-16842 3854 3855 - voutf: fix bad arethmetic when outputting warnings to stderr 3856 3857 CVE-2018-16842 3858 Reported-by: Brian Carpenter 3859 Bug: https://curl.haxx.se/docs/CVE-2018-16842.html 3860 3861 - [Tuomo Rinne brought this change] 3862 3863 cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in 3864 3865 Closes #3123 3866 3867 - [Tuomo Rinne brought this change] 3868 3869 cmake: add find_dependency call for ZLIB to CMake config file 3870 3871 - [Tuomo Rinne brought this change] 3872 3873 cmake: add support for transitive ZLIB target 3874 3875 - unit1650: fix "null pointer passed as argument 1 to memcmp" 3876 3877 Detected by UndefinedBehaviorSanitizer 3878 3879 Closes #3187 3880 3881 - travis: add a "make tidy" build that runs clang-tidy 3882 3883 Closes #3182 3884 3885 - unit1300: fix stack-use-after-scope AddressSanitizer warning 3886 3887 Closes #3186 3888 3889 - Curl_auth_create_plain_message: fix too-large-input-check 3890 3891 CVE-2018-16839 3892 Reported-by: Harry Sintonen 3893 Bug: https://curl.haxx.se/docs/CVE-2018-16839.html 3894 3895 - Curl_close: clear data->multi_easy on free to avoid use-after-free 3896 3897 Regression from b46cfbc068 (7.59.0) 3898 CVE-2018-16840 3899 Reported-by: Brian Carpenter (Geeknik Labs) 3900 3901 Bug: https://curl.haxx.se/docs/CVE-2018-16840.html 3902 3903 - [randomswdev brought this change] 3904 3905 system.h: use proper setting with Sun C++ as well 3906 3907 system.h selects the proper Sun settings when __SUNPRO_C is defined. The 3908 Sun compiler does not define it when compiling C++ files. I'm adding a 3909 check also on __SUNPRO_CC to allow curl to work properly also when used 3910 in a C++ project on Sun Solaris. 3911 3912 Closes #3181 3913 3914 - rand: add comment to skip a clang-tidy false positive 3915 3916 - test1651: unit test Curl_extract_certinfo() 3917 3918 The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel. 3919 3920 - x509asn1: always check return code from getASN1Element() 3921 3922 - Makefile: add 'tidy' target that runs clang-tidy 3923 3924 Available in the root, src and lib dirs. 3925 3926 Closes #3163 3927 3928 - RELEASE-PROCEDURE: adjust the release dates 3929 3930 See: https://curl.haxx.se/mail/lib-2018-10/0107.html 3931 3932 Patrick Monnerat (27 Oct 2018) 3933 - x509asn1: suppress left shift on signed value 3934 3935 Use an unsigned variable: as the signed operation behavior is undefined, 3936 this change silents clang-tidy about it. 3937 3938 Ref: https://github.com/curl/curl/pull/3163 3939 Reported-By: Daniel Stenberg 3940 3941 Michael Kaufmann (27 Oct 2018) 3942 - multi: Fix error handling in the SENDPROTOCONNECT state 3943 3944 If Curl_protocol_connect() returns an error code, 3945 handle the error instead of switching to the next state. 3946 3947 Closes #3170 3948 3949 Daniel Stenberg (27 Oct 2018) 3950 - RELEASE-NOTES: synced 3951 3952 - openssl: output the correct cipher list on TLS 1.3 error 3953 3954 When failing to set the 1.3 cipher suite, the wrong string pointer would 3955 be used in the error message. Most often saying "(nil)". 3956 3957 Reported-by: Ricky-Tigg on github 3958 Fixes #3178 3959 Closes #3180 3960 3961 - docs/CIPHERS: fix the TLS 1.3 cipher names 3962 3963 ... picked straight from the OpenSSL man page: 3964 https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html 3965 3966 Reported-by: Ricky-Tigg on github 3967 Bug: #3178 3968 3969 Marcel Raad (27 Oct 2018) 3970 - travis: install gnutls-bin package 3971 3972 This is required for gnutls-serv, which enables a few more tests. 3973 3974 Closes https://github.com/curl/curl/pull/2958 3975 3976 Daniel Gustafsson (26 Oct 2018) 3977 - ssh: free the session on init failures 3978 3979 Ensure to clear the session object in case the libssh2 initialization 3980 fails. 3981 3982 It could be argued that the libssh2 error function should be called to 3983 get a proper error message in this case. But since the only error path 3984 in libssh2_knownhost_init() is memory a allocation failure it's safest 3985 to avoid since the libssh2 error handling allocates memory. 3986 3987 Closes #3179 3988 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 3989 3990 Daniel Stenberg (26 Oct 2018) 3991 - docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date 3992 3993 ... I'm moving it up one week due to travels. The rest stays. 3994 3995 - [Daniel Gustafsson brought this change] 3996 3997 openssl: make 'done' a proper boolean 3998 3999 Closes #3176 4000 4001 - gtls: Values stored to but never read 4002 4003 Detected by clang-tidy 4004 4005 Closes #3176 4006 4007 - [Alexey Eremikhin brought this change] 4008 4009 curl.1: --ipv6 mutexes ipv4 (fixed typo) 4010 4011 Fixes #3171 4012 Closes #3172 4013 4014 - tool_main: make TerminalSettings static 4015 4016 Reported-by: Gisle Vanem 4017 Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819 4018 Closes #3161 4019 4020 - curl-config.in: remove dependency on bc 4021 4022 Reported-by: Dima Pasechnik 4023 Fixes #3143 4024 Closes #3174 4025 4026 - [Gisle Vanem brought this change] 4027 4028 rtmp: fix for compiling with lwIP 4029 4030 Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: 4031 curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' 4032 setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, 4033 ^ 4034 curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' 4035 #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) 4036 ^ 4037 Closes #3155 4038 4039 - configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T 4040 4041 Follow-up to #3166 which did the cmake part of this. This type/define is 4042 not used. 4043 4044 Closes #3168 4045 4046 - [Ruslan Baratov brought this change] 4047 4048 cmake: remove unused variables 4049 4050 Remove variables: 4051 * HAVE_SOCKLEN_T 4052 * CURL_SIZEOF_CURL_SOCKLEN_T 4053 * CURL_TYPEOF_CURL_SOCKLEN_T 4054 4055 Closes #3166 4056 4057 Michael Kaufmann (25 Oct 2018) 4058 - urldata: Fix comment in header 4059 4060 The "connecting" function is used by multiple protocols, not only FTP 4061 4062 - netrc: free temporary strings if memory allocation fails 4063 4064 - Change the inout parameters after all needed memory has been 4065 allocated. Do not change them if something goes wrong. 4066 - Free the allocated temporary strings if strdup() fails. 4067 4068 Closes #3122 4069 4070 Daniel Stenberg (24 Oct 2018) 4071 - [Ruslan Baratov brought this change] 4072 4073 config: Remove unused SIZEOF_VOIDP 4074 4075 Closes #3162 4076 4077 - RELEASE-NOTES: synced 4078 4079 GitHub (23 Oct 2018) 4080 - [Gisle Vanem brought this change] 4081 4082 Fix for compiling with lwIP (3) 4083 4084 lwIP on Windows does not have a WSAIoctl() function. 4085 But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing. 4086 4087 Daniel Stenberg (23 Oct 2018) 4088 - Curl_follow: return better errors on URL problems 4089 4090 ... by making the converter function global and accessible. 4091 4092 Closes #3153 4093 4094 - Curl_follow: remove remaining free(newurl) 4095 4096 Follow-up to 05564e750e8f0c. This function no longer frees the passed-in 4097 URL. 4098 4099 Reported-by: Michael Kaufmann 4100 Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm 4101 ent-30985666 4102 4103 Daniel Gustafsson (23 Oct 2018) 4104 - headers: end all headers with guard comment 4105 4106 Most headerfiles end with a /* <headerguard> */ comment, but it was 4107 missing from some. The comment isn't the most important part of our 4108 code documentation but consistency has an intrinsic value in itself. 4109 This adds header guard comments to the files that were lacking it. 4110 4111 Closes #3158 4112 Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com> 4113 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4114 4115 Jay Satiro (23 Oct 2018) 4116 - CIPHERS.md: Mention the options used to set TLS 1.3 ciphers 4117 4118 Closes https://github.com/curl/curl/pull/3159 4119 4120 Daniel Stenberg (20 Oct 2018) 4121 - docs/BUG-BOUNTY: the sponsors actually decide the amount 4122 4123 Retract the previous approach as the sponsors will be the ones to set the 4124 final amounts. 4125 4126 Closes #3152 4127 [ci skip] 4128 4129 - multi: avoid double-free 4130 4131 Curl_follow() no longer frees the string. Make sure it happens in the 4132 caller function, like we normally handle allocations. 4133 4134 This bug was introduced with the use of the URL API internally, it has 4135 never been in a release version 4136 4137 Reported-by: Dario Weier 4138 Closes #3149 4139 4140 - multi: make the closure handle "inherit" CURLOPT_NOSIGNAL 4141 4142 Otherwise, closing that handle can still cause surprises! 4143 4144 Reported-by: Martin Ankerl 4145 Fixes #3138 4146 Closes #3147 4147 4148 Marcel Raad (19 Oct 2018) 4149 - VS projects: add USE_IPV6 4150 4151 The Visual Studio builds didn't use IPv6. Add it to all projects since 4152 Visual Studio 2008, which is verified to build via AppVeyor. 4153 4154 Closes https://github.com/curl/curl/pull/3137 4155 4156 - config_win32: enable LDAPS 4157 4158 As done in the autotools and CMake builds by default. 4159 4160 Closes https://github.com/curl/curl/pull/3137 4161 4162 Daniel Stenberg (18 Oct 2018) 4163 - travis: add build for "configure --disable-verbose" 4164 4165 Closes #3144 4166 4167 Kamil Dudka (17 Oct 2018) 4168 - tool_cb_hdr: handle failure of rename() 4169 4170 Detected by Coverity. 4171 4172 Closes #3140 4173 Reviewed-by: Jay Satiro 4174 4175 Daniel Stenberg (17 Oct 2018) 4176 - RELEASE-NOTES: synced 4177 4178 - docs/SECURITY-PROCESS: the hackerone IBB program drops curl 4179 4180 ... now there's only BountyGraph. 4181 4182 Jay Satiro (16 Oct 2018) 4183 - [Matthew Whitehead brought this change] 4184 4185 x509asn1: Fix SAN IP address verification 4186 4187 For IP addresses in the subject alternative name field, the length 4188 of the IP address (and hence the number of bytes to perform a 4189 memcmp on) is incorrectly calculated to be zero. The code previously 4190 subtracted q from name.end. where in a successful case q = name.end 4191 and therefore addrlen equalled 0. The change modifies the code to 4192 subtract name.beg from name.end to calculate the length correctly. 4193 4194 The issue only affects libcurl with GSKit SSL, not other SSL backends. 4195 The issue is not a security issue as IP verification would always fail. 4196 4197 Fixes #3102 4198 Closes #3141 4199 4200 Daniel Gustafsson (15 Oct 2018) 4201 - INSTALL: mention mesalink in TLS section 4202 4203 Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the 4204 MesaLink vtls backend, but missed updating the TLS section containing 4205 supported backends in the docs. 4206 4207 Closes #3134 4208 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4209 4210 Marcel Raad (14 Oct 2018) 4211 - nonblock: fix unused parameter warning 4212 4213 If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not 4214 used. 4215 4216 Michael Kaufmann (13 Oct 2018) 4217 - Curl_follow: Always free the passed new URL 4218 4219 Closes #3124 4220 4221 Viktor Szakats (12 Oct 2018) 4222 - replace rawgit links [ci skip] 4223 4224 Ref: https://rawgit.com/ "RawGit has reached the end of its useful life" 4225 Ref: https://news.ycombinator.com/item?id=18202481 4226 Closes https://github.com/curl/curl/pull/3131 4227 4228 Daniel Stenberg (12 Oct 2018) 4229 - docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018 4230 4231 [ci skip] 4232 4233 - travis: make distcheck scan for BOM markers 4234 4235 and remove BOM from projects/wolfssl_override.props 4236 4237 Closes #3126 4238 4239 Marcel Raad (11 Oct 2018) 4240 - CMake: remove BOM 4241 4242 Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea. 4243 4244 Reported-by: Viktor Szakats 4245 Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136 4246 4247 Daniel Gustafsson (10 Oct 2018) 4248 - transfer: fix typo in comment 4249 4250 Michael Kaufmann (10 Oct 2018) 4251 - docs: add "see also" links for SSL options 4252 4253 - link TLS 1.2 and TLS 1.3 options 4254 - link proxy and non-proxy options 4255 4256 Closes #3121 4257 4258 Marcel Raad (10 Oct 2018) 4259 - AppVeyor: remove BDIR variable that sneaked in again 4260 4261 Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added 4262 again in 9f3be5672dc4dda30ab43e0152e13d714a84d762. 4263 4264 - CMake: disable -Wpedantic-ms-format 4265 4266 As done in the autotools build. This is required for MinGW, which 4267 supports only %I64 for printing 64-bit values, but warns about it. 4268 4269 Closes https://github.com/curl/curl/pull/3120 4270 4271 Viktor Szakats (9 Oct 2018) 4272 - ldap: show precise LDAP call in error message on Windows 4273 4274 Also add a unique but common text ('bind via') to make it 4275 easy to grep this specific failure regardless of platform. 4276 4277 Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 4278 Closes https://github.com/curl/curl/pull/3118 4279 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4280 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 4281 4282 Daniel Stenberg (9 Oct 2018) 4283 - docs/DEPRECATE: minor reformat to render nicer on web 4284 4285 Daniel Gustafsson (9 Oct 2018) 4286 - CURLOPT_SSL_VERIFYSTATUS: Fix typo 4287 4288 Changes s/OSCP/OCSP/ and bumps the copyright year due to the change. 4289 4290 Marcel Raad (9 Oct 2018) 4291 - curl_setup: define NOGDI on Windows 4292 4293 This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> 4294 on MinGW. 4295 4296 Closes https://github.com/curl/curl/pull/3113 4297 4298 - Windows: fixes for MinGW targeting Windows Vista 4299 4300 Classic MinGW has neither InitializeCriticalSectionEx nor 4301 GetTickCount64, independent of the target Windows version. 4302 4303 Closes https://github.com/curl/curl/pull/3113 4304 4305 Daniel Stenberg (8 Oct 2018) 4306 - TODO: fixed 'API for URL parsing/splitting' 4307 4308 Daniel Gustafsson (8 Oct 2018) 4309 - KNOWN_BUGS: Fix various typos 4310 4311 Closes #3112 4312 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4313 4314 Viktor Szakats (8 Oct 2018) 4315 - spelling fixes [ci skip] 4316 4317 as detected by codespell 1.14.0 4318 4319 Closes https://github.com/curl/curl/pull/3114 4320 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 4321 4322 Daniel Stenberg (8 Oct 2018) 4323 - RELEASE-NOTES: synced 4324 4325 - curl_ntlm_wb: check aprintf() return codes 4326 4327 ... when they return NULL we're out of memory and MUST return failure. 4328 4329 closes #3111 4330 4331 - docs/BUG-BOUNTY: proposed additional docs 4332 4333 Bug bounty explainer. See https://bountygraph.com/programs/curl 4334 4335 Closes #3067 4336 4337 - [Rick Deist brought this change] 4338 4339 hostip: fix check on Curl_shuffle_addr return value 4340 4341 Closes #3110 4342 4343 - FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output 4344 4345 Now FILE transfers send headers to the header callback like HTTP and 4346 other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) 4347 work for FILE in the callbacks. 4348 4349 Makes "curl -i file://.." and "curl -I file://.." work like before 4350 again. Applied the bold header logic to them too. 4351 4352 Regression from c1c2762 (7.61.0) 4353 4354 Reported-by: Shaun Jackman 4355 Fixes #3083 4356 Closes #3101 4357 4358 Daniel Gustafsson (7 Oct 2018) 4359 - gskit: make sure to terminate version string 4360 4361 In case a very small buffer was passed to the version function, it could 4362 result in the buffer not being NULL-terminated since strncpy() doesn't 4363 guarantee a terminator on an overflowed buffer. Rather than adding code 4364 to terminate (and handle zero-sized buffers), move to using snprintf() 4365 instead like all the other vtls backends. 4366 4367 Closes #3105 4368 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4369 Reviewed-by: Viktor Szakats <commit (a] vszakats.net> 4370 4371 - TODO: add LD_PRELOAD support on macOS 4372 4373 Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394. 4374 4375 - runtests: skip ld_preload tests on macOS 4376 4377 The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests 4378 requiring it. 4379 4380 Fixes #2394 4381 Closes #3106 4382 Reported-by: Github user @jakirkham 4383 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4384 4385 Marcel Raad (7 Oct 2018) 4386 - AppVeyor: use Debug builds to run tests 4387 4388 This enables more tests. 4389 4390 Closes https://github.com/curl/curl/pull/3104 4391 4392 - AppVeyor: add HTTP_ONLY build 4393 4394 Closes https://github.com/curl/curl/pull/3104 4395 4396 - AppVeyor: add WinSSL builds 4397 4398 Use the oldest and latest Windows SDKs for them. 4399 Also, remove all but one OpenSSL build. 4400 4401 Closes https://github.com/curl/curl/pull/3104 4402 4403 - AppVeyor: add remaining Visual Studio versions 4404 4405 This adds Visual Studio 9 and 10 builds. 4406 There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32 4407 build. Also, VC9 cannot be used for running the test suite. 4408 4409 Closes https://github.com/curl/curl/pull/3104 4410 4411 - AppVeyor: break long line 4412 4413 Closes https://github.com/curl/curl/pull/3104 4414 4415 - AppVeyor: remove unused BDIR variable 4416 4417 Closes https://github.com/curl/curl/pull/3104 4418 4419 Daniel Stenberg (6 Oct 2018) 4420 - test2100: test DoH using IPv4-only 4421 4422 To make it only send one DoH request and avoid the race condition that 4423 could lead to the requests getting sent in reversed order and thus 4424 making it hard to compare in the test case. 4425 4426 Fixes #3107 4427 Closes #3108 4428 4429 - tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too 4430 4431 [ci skip] 4432 4433 - RELEASE-NOTES: synced 4434 4435 - [Dmitry Kostjuchenko brought this change] 4436 4437 timeval: fix use of weak symbol clock_gettime() on Apple platforms 4438 4439 Closes #3048 4440 4441 - doh: keep the IPv4 address in (original) network byte order 4442 4443 Ideally this will fix the reversed order shown in SPARC tests: 4444 4445 resp 8: Expected 127.0.0.1 got 1.0.0.127 4446 4447 Closes #3091 4448 4449 Jay Satiro (5 Oct 2018) 4450 - INTERNALS.md: wrap lines longer than 79 4451 4452 Daniel Gustafsson (5 Oct 2018) 4453 - INTERNALS: escape reference to parameter 4454 4455 The parameter reference <string> was causing rendering issues in the 4456 generated HTML page, as <string> isn't a valid HTML tag. Fix by back- 4457 tick escaping it. 4458 4459 Closes #3099 4460 Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com> 4461 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4462 4463 - checksrc: handle zero scoped ignore commands 4464 4465 If a !checksrc! disable command specified to ignore zero errors, it was 4466 still added to the ignore block even though nothing was ignored. While 4467 there were no blocks ignored that shouldn't be ignored, the processing 4468 ended with with a warning: 4469 4470 <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) 4471 /* !checksrc! disable LONGLINE 0 */ 4472 ^ 4473 Fix by instead treating a zero ignore as a a badcommand and throw a 4474 warning for that one. 4475 4476 Closes #3096 4477 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4478 4479 - checksrc: enable strict mode and warnings 4480 4481 Enable strict and warnings mode for checksrc to ensure we aren't missing 4482 anything due to bugs in the checking code. This uncovered a few things 4483 which are all fixed in this commit: 4484 4485 * several variables were used uninitialized 4486 * several variables were not defined in the correct scope 4487 * the whitelist filehandle was read even if the file didn't exist 4488 * the enable_warn() call when a disable counter had expired was passing 4489 incorrect variables, but since the checkwarn() call is unlikely to hit 4490 (the counter is only decremented to zero on actual ignores) it didn't 4491 manifest a problem. 4492 4493 Closes #3090 4494 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4495 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 4496 4497 Marcel Raad (5 Oct 2018) 4498 - CMake: suppress MSVC warning C4127 for libtest 4499 4500 It's issued by older Windows SDKs (prior to version 8.0). 4501 4502 Sergei Nikulov (5 Oct 2018) 4503 - Merge branch 'dmitrykos-fix_missing_CMake_defines' 4504 4505 - [Dmitry Kostjuchenko brought this change] 4506 4507 cmake: test and set missed defines during configuration 4508 4509 Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. 4510 4511 Closes #3097 4512 4513 Marcel Raad (5 Oct 2018) 4514 - AppVeyor: disable test 500 4515 4516 It almost always results in 4517 "starttransfer vs total: 0.000001 0.000000". 4518 I cannot reproduce this locally, so disable it for now. 4519 4520 Closes https://github.com/curl/curl/pull/3100 4521 4522 - AppVeyor: set custom install prefix 4523 4524 CMake's default has spaces and in 32-bit mode parentheses, which result 4525 in syntax errors in curl-config. 4526 4527 Closes https://github.com/curl/curl/pull/3100 4528 4529 - AppVeyor: Remove non-SSL non-test builds 4530 4531 They don't add much value. 4532 4533 Closes https://github.com/curl/curl/pull/3100 4534 4535 - AppVeyor: run test suite 4536 4537 Use the preinstalled MSYS2 bash for that. 4538 Disable test 1139 as the CMake build doesn't generate curl.1. 4539 4540 Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224 4541 Closes https://github.com/curl/curl/pull/3100 4542 4543 - AppVeyor: use in-tree build 4544 4545 Required to run the tests. 4546 4547 Closes https://github.com/curl/curl/pull/3100 4548 4549 Daniel Stenberg (4 Oct 2018) 4550 - doh: make sure TTL isn't re-inited by second (discarded?) response 4551 4552 Closes #3092 4553 4554 - test320: strip out more HTML when comparing 4555 4556 To make the test case work with different gnutls-serv versions better. 4557 4558 Reported-by: Kamil Dudka 4559 Fixes #3093 4560 Closes #3094 4561 4562 Marcel Raad (4 Oct 2018) 4563 - runtests: use Windows paths for Windows curl 4564 4565 curl generated by CMake's Visual Studio generator has "Windows" in the 4566 version number. 4567 4568 Daniel Stenberg (4 Oct 2018) 4569 - [Colin Hogben brought this change] 4570 4571 tests/negtelnetserver.py: fix Python2-ism in neg TELNET server 4572 4573 Fix problems caused by differences in treatment of bytes objects between 4574 python2 and python3. 4575 4576 Fixes #2929 4577 Closes #3080 4578 4579 Daniel Gustafsson (3 Oct 2018) 4580 - memory: ensure to check allocation results 4581 4582 The result of a memory allocation should always be checked, as we may 4583 run under memory pressure where even a small allocation can fail. This 4584 adds checking and error handling to a few cases where the allocation 4585 wasn't checked for success. In the ftp case, the freeing of the path 4586 variable is moved ahead of the allocation since there is little point 4587 in keeping it around across the strdup, and the separation makes for 4588 more readable code. In nwlib, the lock is aslo freed in the error path. 4589 4590 Also bumps the copyright years on affected files. 4591 4592 Closes #3084 4593 Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com> 4594 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4595 4596 - comment: Fix multiple typos in function parameters 4597 4598 Ensure that the parameters in the comment match the actual names in the 4599 prototype. 4600 4601 Closes #3079 4602 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4603 4604 - CURLOPT_SSLVERSION.3: fix typos and consistent spelling 4605 4606 Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was 4607 already done in all but a few cases. Also fix a few typos. 4608 4609 Closes #3076 4610 Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com> 4611 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4612 4613 - SECURITY-PROCESS: make links into hyperlinks 4614 4615 Use proper Markdown hyperlink format for the Bountygraph links in order 4616 for the generated website page to be more user friendly. Also link to 4617 the sponsors to give them a little extra credit. 4618 4619 Closes #3082 4620 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 4621 4622 Jay Satiro (3 Oct 2018) 4623 - CURLOPT_HEADER.3: fix typo 4624 4625 - nss: fix nssckbi module loading on Windows 4626 4627 - Use .DLL extension instead of .so to load modules on Windows. 4628 4629 Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html 4630 Reported-by: Maxime Legros 4631 4632 Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442 4633 4634 Closes https://github.com/curl/curl/pull/3086 4635 4636 - data-binary.d: clarify default content-type is x-www-form-urlencoded 4637 4638 - Advise user that --data-binary sends a default content type of 4639 x-www-form-urlencoded, and to have the data treated as arbitrary 4640 binary data by the server set the content-type header to octet-stream. 4641 4642 Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094 4643 4644 Closes https://github.com/curl/curl/pull/3085 4645 4646 Marcel Raad (2 Oct 2018) 4647 - test1299: use single quotes around asterisk 4648 4649 Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580 4650 4651 Daniel Stenberg (2 Oct 2018) 4652 - docs/CIPHERS: mention the colon separation for OpenSSL 4653 4654 Bug: #3077 4655 4656 - runtests: ignore disabled even when ranges are given 4657 4658 runtests.pl support running a range of tests, like "44 to 127". Starting 4659 now, the code makes sure that even such given ranges will ignore tests 4660 that are marked as disabled. 4661 4662 Disabled tests can still be run by explictly specifying that test 4663 number. 4664 4665 Closes #3075 4666 4667 - urlapi: starting with a drive letter on win32 is not an abs url 4668 4669 ... and libcurl doesn't support any single-letter URL schemes (if there 4670 even exist any) so it should be fairly risk-free. 4671 4672 Reported-by: Marcel Raad 4673 4674 Fixes #3070 4675 Closes #3071 4676 4677 Marcel Raad (2 Oct 2018) 4678 - doh: fix curl_easy_setopt argument type 4679 4680 CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit 4681 MinGW. 4682 4683 Daniel Stenberg (2 Oct 2018) 4684 - RELEASE-NOTES: synced 4685 4686 Jay Satiro (1 Oct 2018) 4687 - [Ruslan Baratov brought this change] 4688 4689 CMake: Improve config installation 4690 4691 Use 'GNUInstallDirs' standard module to set destinations of installed 4692 files. 4693 4694 Use uppercase "CURL" names instead of lowercase "curl" to match standard 4695 'FindCURL.cmake' CMake module: 4696 * https://cmake.org/cmake/help/latest/module/FindCURL.html 4697 4698 Meaning: 4699 * Install 'CURLConfig.cmake' instead of 'curl-config.cmake' 4700 * User should call 'find_package(CURL)' instead of 'find_package(curl)' 4701 4702 Use 'configure_package_config_file' function to generate 4703 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template 4704 file smaller and handle components better. E.g. current configuration 4705 report no error if user specified unknown components (note: new 4706 configuration expects no components, report error if user will try to 4707 specify any). 4708 4709 Closes https://github.com/curl/curl/pull/2849 4710 4711 Daniel Stenberg (1 Oct 2018) 4712 - test1650: make it depend on http/2 4713 4714 Follow-up to 570008c99da0ccbb as it gets link errors. 4715 4716 Reported-by: Michael Kaufmann 4717 Closes #3068 4718 4719 - [Nate Prewitt brought this change] 4720 4721 MANUAL: minor grammar fix 4722 4723 Noticed a typo reading through the docs. 4724 4725 Closes #3069 4726 4727 - doh: only build if h2 enabled 4728 4729 The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version 4730 of HTTP for use with DoH". 4731 4732 Reported-by: Marcel Raad 4733 Closes #3066 4734 4735 - test2100: require http2 to run 4736 4737 Reported-by: Marcel Raad 4738 Fixes #3064 4739 Closes #3065 4740 4741 - multi: fix memory leak in content encoding related error path 4742 4743 ... a missing multi_done() call. 4744 4745 Credit to OSS-Fuzz 4746 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728 4747 Closes #3063 4748 4749 - travis: bump the Secure Transport build to use xcode 10 4750 4751 Due to an issue with travis 4752 (https://github.com/travis-ci/travis-ci/issues/9956) we've been using 4753 Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as 4754 an alternative and as it builds curl+darwinssl fine that seems like a 4755 better choice. 4756 4757 Closes #3062 4758 4759 - [Rich Turner brought this change] 4760 4761 curl: enabled Windows VT Support and UTF-8 output 4762 4763 Enabled Console VT support (if running OS supports VT) in tool_main.c. 4764 4765 Fixes #3008 4766 Closes #3011 4767 4768 - multi: fix location URL memleak in error path 4769 4770 Follow-up to #3044 - fix a leak OSS-Fuzz detected 4771 Closes #3057 4772 4773 Sergei Nikulov (28 Sep 2018) 4774 - cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) 4775 4776 - [Brad King brought this change] 4777 4778 cmake: Backport to work with CMake 3.0 again 4779 4780 Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets 4781 instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake: 4782 bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix 4783 issue #2746. This broke support for users on older versions of CMake 4784 even if they just want to build curl and do not care whether transitive 4785 dependencies work. 4786 4787 Backport the logic to work with CMake 3.0 again by implementing the 4788 fix only when the version of CMake is at least 3.4. 4789 4790 Marcel Raad (27 Sep 2018) 4791 - curl_threads: fix classic MinGW compile break 4792 4793 Classic MinGW still has _beginthreadex's return type as unsigned long 4794 instead of uintptr_t [0]. uintptr_t is not even defined because of [1]. 4795 4796 [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167 4797 [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90 4798 4799 Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807 4800 Closes https://github.com/curl/curl/pull/3051 4801 4802 Daniel Stenberg (26 Sep 2018) 4803 - configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE 4804 4805 fix a few leftovers 4806 4807 Fixes #3006 4808 Closes #3049 4809 4810 - [Doron Behar brought this change] 4811 4812 example/htmltidy: fix include paths of tidy libraries 4813 4814 Closes #3050 4815 4816 - RELEASE-NOTES: synced 4817 4818 - Curl_http2_done: fix memleak in error path 4819 4820 Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for 4821 early failures. 4822 4823 Detected by OSS-Fuzz 4824 4825 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 4826 Closes #3046 4827 4828 - http: fix memleak in rewind error path 4829 4830 If the rewind would fail, a strdup() would not get freed. 4831 4832 Detected by OSS-Fuzz 4833 4834 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 4835 Closes #3044 4836 4837 Viktor Szakats (24 Sep 2018) 4838 - test320: fix regression in [ci skip] 4839 4840 The value in question is coming directly from `gnutls-serv`, so it cannot 4841 be modified freely. 4842 4843 Reported-by: Marcel Raad 4844 Ref: https://github.com/curl/curl/commit/6ae6b2a533e8630afbb21f570305bd4ceece6348#commitcomment-30621004 4845 4846 Daniel Stenberg (24 Sep 2018) 4847 - Curl_retry_request: fix memory leak 4848 4849 Detected by OSS-Fuzz 4850 4851 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 4852 Closes #3042 4853 4854 - openssl: load built-in engines too 4855 4856 Regression since 38203f1 4857 4858 Reported-by: Jean Fabrice 4859 Fixes #3023 4860 Closes #3040 4861 4862 - [Christian Heimes brought this change] 4863 4864 OpenSSL: enable TLS 1.3 post-handshake auth 4865 4866 OpenSSL 1.1.1 requires clients to opt-in for post-handshake 4867 authentication. 4868 4869 Fixes: https://github.com/curl/curl/issues/3026 4870 Signed-off-by: Christian Heimes <christian (a] python.org> 4871 4872 Closes https://github.com/curl/curl/pull/3027 4873 4874 - [Even Rouault brought this change] 4875 4876 Curl_dedotdotify(): always nul terminate returned string. 4877 4878 This fixes potential out-of-buffer access on "file:./" URL 4879 4880 $ valgrind curl "file:./" 4881 ==24516== Memcheck, a memory error detector 4882 ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. 4883 ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info 4884 ==24516== Command: /home/even/install-curl-git/bin/curl file:./ 4885 ==24516== 4886 ==24516== Conditional jump or move depends on uninitialised value(s) 4887 ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 4888 ==24516== by 0x4EBB315: seturl (urlapi.c:801) 4889 ==24516== by 0x4EBB568: parseurl (urlapi.c:861) 4890 ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) 4891 ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) 4892 ==24516== by 0x4E67AEF: create_conn (url.c:3613) 4893 ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) 4894 ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) 4895 ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) 4896 ==24516== by 0x4E7558C: easy_transfer (easy.c:686) 4897 ==24516== by 0x4E75801: easy_perform (easy.c:779) 4898 ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) 4899 4900 Was originally spotted by 4901 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 4902 Credit to OSS-Fuzz 4903 4904 Closes #3039 4905 4906 Viktor Szakats (23 Sep 2018) 4907 - update URLs in tests 4908 4909 - and one in docs/MANUAL as well 4910 4911 Closes https://github.com/curl/curl/pull/3038 4912 4913 - whitespace fixes 4914 4915 - replace tabs with spaces where possible 4916 - remove line ending spaces 4917 - remove double/triple newlines at EOF 4918 - fix a non-UTF-8 character 4919 - cleanup a few indentations/line continuations 4920 in manual examples 4921 4922 Closes https://github.com/curl/curl/pull/3037 4923 4924 Daniel Stenberg (23 Sep 2018) 4925 - http: add missing return code check 4926 4927 Detected by Coverity. CID 1439610. 4928 4929 Follow-up from 46e164069d1a523 4930 4931 Closes #3034 4932 4933 - ftp: don't access pointer before NULL check 4934 4935 Detected by Coverity. CID 1439611. 4936 4937 Follow-up from 46e164069d1a523 4938 4939 - unit1650: fix out of boundary access 4940 4941 Fixes #2987 4942 Closes #3035 4943 4944 Viktor Szakats (23 Sep 2018) 4945 - docs/examples: URL updates 4946 4947 - also update two URLs outside of docs/examples 4948 - fix spelling of filename persistant.c 4949 - fix three long lines that started failing checksrc.pl 4950 4951 Closes https://github.com/curl/curl/pull/3036 4952 4953 - examples/Makefile.m32: sync with core [ci skip] 4954 4955 also: 4956 - fix two warnings in synctime.c (one of them Windows-specific) 4957 - upgrade URLs in synctime.c and remove a broken one 4958 4959 Closes https://github.com/curl/curl/pull/3033 4960 4961 Daniel Stenberg (22 Sep 2018) 4962 - examples/parseurl.c: show off the URL API a bit 4963 4964 Closes #3030 4965 4966 - SECURITY-PROCESS: mention the bountygraph program [ci skip] 4967 4968 Closes #3032 4969 4970 - url: use the URL API internally as well 4971 4972 ... to make it a truly unified URL parser. 4973 4974 Closes #3017 4975 4976 Viktor Szakats (22 Sep 2018) 4977 - URL and mailmap updates, remove an obsolete directory [ci skip] 4978 4979 Closes https://github.com/curl/curl/pull/3031 4980 4981 Daniel Stenberg (22 Sep 2018) 4982 - RELEASE-NOTES: synced 4983 4984 - configure: force-use -lpthreads on HPUX 4985 4986 When trying to detect pthreads use on HPUX the checks will succeed 4987 without the correct -l option but then end up failing at run-time. 4988 4989 Reported-by: Eason-Yu on github 4990 Fixes #2697 4991 Closes #3025 4992 4993 - [Erik Minekus brought this change] 4994 4995 Curl_saferealloc: Fixed typo in docblock 4996 4997 Closes #3029 4998 4999 - urlapi: fix support for address scope in IPv6 numerical addresses 5000 5001 Closes #3024 5002 5003 - [Loganaden Velvindron brought this change] 5004 5005 GnutTLS: TLS 1.3 support 5006 5007 Closes #2971 5008 5009 - TODO: c-ares and CURLOPT_OPENSOCKETFUNCTION 5010 5011 Removed DoH. 5012 5013 Closes #2734 5014 5015 Jay Satiro (20 Sep 2018) 5016 - vtls: fix ssl version "or later" behavior change for many backends 5017 5018 - Treat CURL_SSLVERSION_MAX_NONE the same as 5019 CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use 5020 the minimum version also as the maximum. 5021 5022 This is a follow-up to 6015cef which changed the behavior of setting 5023 the SSL version so that the requested version would only be the minimum 5024 and not the maximum. It appears it was (mostly) implemented in OpenSSL 5025 but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to 5026 mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. 5027 5028 - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. 5029 5030 Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was 5031 erroneously treated as always TLS 1.3, and would cause an error if 5032 OpenSSL was built without TLS 1.3 support. 5033 5034 Co-authored-by: Daniel Gustafsson 5035 5036 Fixes https://github.com/curl/curl/issues/2969 5037 Closes https://github.com/curl/curl/pull/3012 5038 5039 Daniel Stenberg (20 Sep 2018) 5040 - certs: generate tests certs with sha256 digest algorithm 5041 5042 As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs: 5043 5044 "SSL certificate problem: CA signature digest algorithm too weak" 5045 5046 Closes #3014 5047 5048 - urlapi: document the error codes, remove two unused ones 5049 5050 Assisted-by: Daniel Gustafsson 5051 Closes #3019 5052 5053 - urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance 5054 5055 In order for this API to fully work for libcurl itself, it now offers a 5056 CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host 5057 name prefix just like libcurl always did. If there's no known prefix, it 5058 will guess "http://". 5059 5060 Separately, it relaxes the check of the host name so that IDN host names 5061 can be passed in as well. 5062 5063 Both these changes are necessary for libcurl itself to use this API. 5064 5065 Assisted-by: Daniel Gustafsson 5066 Closes #3018 5067 5068 Kamil Dudka (19 Sep 2018) 5069 - nss: try to connect even if libnssckbi.so fails to load 5070 5071 One can still use CA certificates stored in NSS database. 5072 5073 Reported-by: Maxime Legros 5074 Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html 5075 5076 Closes #3016 5077 5078 Daniel Gustafsson (19 Sep 2018) 5079 - urlapi: don't set value which is never read 5080 5081 In the CURLUPART_URL case, there is no codepath which invokes url 5082 decoding so remove the assignment of the urldecode variable. This 5083 fixes the deadstore bug-report from clang static analysis. 5084 5085 Closes #3015 5086 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5087 5088 - todo: Update reference to already done item 5089 5090 TODO item 1.1 was implemented in commit 946ce5b61f, update reference 5091 to it with instead referencing the implemented option. 5092 5093 Closes #3013 5094 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5095 5096 Daniel Stenberg (18 Sep 2018) 5097 - RELEASE-NOTES: synced 5098 5099 - [slodki brought this change] 5100 5101 cmake: don't require OpenSSL if USE_OPENSSL=OFF 5102 5103 User must have OpenSSL installed even if not used by libcurl at all 5104 since 7.61.1 release. Broken at 5105 7867aaa9a01decf93711428462335be8cef70212 5106 5107 Reviewed-by: Sergei Nikulov 5108 Closes #3001 5109 5110 - curl_multi_wait: call getsock before figuring out timeout 5111 5112 .... since getsock may update the expiry timer. 5113 5114 Fixes #2996 5115 Closes #3000 5116 5117 - examples/http2-pushinmemory: receive HTTP/2 pushed files in memory 5118 5119 Closes #3004 5120 5121 Daniel Gustafsson (18 Sep 2018) 5122 - darwinssl: Fix realloc memleak 5123 5124 The reallocation was using the input pointer for the return value, which 5125 leads to a memory leak on reallication failure. Fix by instead use the 5126 safe internal API call Curl_saferealloc(). 5127 5128 Closes #3005 5129 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5130 Reviewed-by: Nick Zitzmann <nickzman (a] gmail.com> 5131 5132 - [Kruzya brought this change] 5133 5134 examples: Fix memory leaks from realloc errors 5135 5136 Make sure to not overwrite the reallocated pointer in realloc() calls 5137 to avoid a memleak on memory errors. 5138 5139 - memory: add missing curl_printf header 5140 5141 ftp_send_command() was using vsnprintf() without including the libcurl 5142 *rintf() replacement header. Fix by including curl_printf.h and also 5143 add curl_memory.h while at it since memdebug.h depends on it. 5144 5145 Closes #2999 5146 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5147 5148 Daniel Stenberg (16 Sep 2018) 5149 - [Si brought this change] 5150 5151 curl: update --tlsv* descriptions in --help output 5152 5153 Closes #2994 5154 5155 - http: made Curl_add_buffer functions take a pointer-pointer 5156 5157 ... so that they can clear the original pointer on failure, which makes 5158 the error-paths and their cleanups easier. 5159 5160 Closes #2992 5161 5162 - http2: fix memory leaks on error-path 5163 5164 - [Rikard Falkeborn brought this change] 5165 5166 libtest: Add chkdecimalpoint to .gitignore 5167 5168 Closes #2998 5169 5170 Viktor Szakats (14 Sep 2018) 5171 - secure Openwall URLs 5172 5173 Daniel Stenberg (14 Sep 2018) 5174 - openssl: show "proper" version number for libressl builds 5175 5176 Closes #2989 5177 5178 - [Rainer Jung brought this change] 5179 5180 openssl: assume engine support in 0.9.8 or later 5181 5182 Fixes #2983 5183 Closes #2988 5184 5185 Daniel Gustafsson (13 Sep 2018) 5186 - sendf: use failf() rather than Curl_failf() 5187 5188 The failf() macro is the name used for invoking Curl_failf(). While 5189 there isn't a way to turn off failf like there is for infof, but it's 5190 still a good idea to use the macro. 5191 5192 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5193 5194 - sendf: Fix whitespace in infof/failf concatenation 5195 5196 Strings broken on multiple rows in the .c file need to have appropriate 5197 whitespace padding on either side of the concatenation point to render 5198 a correct amalgamated string. Fix by adding a space at the occurrences 5199 found. 5200 5201 Closes #2986 5202 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5203 5204 - krb5: fix memory leak in krb_auth 5205 5206 The FTP command allocated by aprintf() must be freed after usage. 5207 5208 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5209 5210 - ftp: include command in Curl_ftpsend sendbuffer 5211 5212 Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed 5213 the actual command to be sent from the send buffer in a refactoring. 5214 Add back copying the command into the buffer. Also add more guards 5215 against malformed input while at it. 5216 5217 Closes #2985 5218 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5219 5220 - ntlm_wb: Fix memory leaks in ntlm_wb_response 5221 5222 When erroring out on a request being too large, the existing buffer was 5223 leaked. Fix by explicitly freeing on the way out. 5224 5225 Closes #2966 5226 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5227 5228 Daniel Stenberg (13 Sep 2018) 5229 - [Yiming Jing brought this change] 5230 5231 travis: build the MesaLink vtls backend with MesaLink 0.7.1 5232 5233 - [Yiming Jing brought this change] 5234 5235 runtests.pl: run tests against the MesaLink vtls backend 5236 5237 - [Yiming Jing brought this change] 5238 5239 vtls: add a MesaLink vtls backend 5240 5241 Closes #2984 5242 5243 - [Yiming Jing brought this change] 5244 5245 configure.ac: add a MesaLink vtls backend 5246 5247 - [Dave Reisner brought this change] 5248 5249 curl_url_set.3: properly escape \n in example code 5250 5251 This yields 5252 5253 "the scheme is %s\n" 5254 5255 instead of 5256 5257 "the scheme is %s0 5258 5259 Closes #2970 5260 5261 - [Dave Reisner brought this change] 5262 5263 curl_url_set.3: fix typo in reference to CURLU_APPENDQUERY 5264 5265 - urlglob: improve error message 5266 5267 to help user understand what the problem is 5268 5269 Reported-by: Daniel Shahaf 5270 5271 Fixes #2763 5272 Closes #2977 5273 5274 - [Yiming Jing brought this change] 5275 5276 tests/certs: rebuild certs with 2048-bit RSA keys 5277 5278 The previous test certificates contained RSA keys of only 1024 bits. 5279 However, RSA claims that 1024-bit RSA keys are likely to become 5280 crackable some time before 2010. The NIST recommends at least 2048-bit 5281 keys for RSA for now. 5282 5283 Better use full 2048 also for testing. 5284 5285 Closes #2973 5286 5287 Daniel Gustafsson (12 Sep 2018) 5288 - TODO: fix typo in item 5289 5290 Closes #2968 5291 Reviewed-by: Daniel Stenberg <daniel (a] haxx.se> 5292 5293 Marcel Raad (12 Sep 2018) 5294 - anyauthput: fix compiler warning on 64-bit Windows 5295 5296 On Windows, the read function from <io.h> is used, which has its byte 5297 count parameter as unsigned int instead of size_t. 5298 5299 Closes https://github.com/curl/curl/pull/2972 5300 5301 Viktor Szakats (12 Sep 2018) 5302 - lib: fix gcc8 warning on Windows 5303 5304 Closes https://github.com/curl/curl/pull/2979 5305 5306 Jay Satiro (12 Sep 2018) 5307 - openssl: fix gcc8 warning 5308 5309 - Use memcpy instead of strncpy to copy a string without termination, 5310 since gcc8 warns about using strncpy to copy as many bytes from a 5311 string as its length. 5312 5313 Suggested-by: Viktor Szakats 5314 5315 Closes https://github.com/curl/curl/issues/2980 5316 5317 Daniel Stenberg (10 Sep 2018) 5318 - libcurl-url.3: overview man page for the URL API 5319 5320 Closes #2967 5321 5322 - example/asiohiper: insert warning comment about its status 5323 5324 This example is simply not working correctly but there's nobody around 5325 with the skills and energy to fix it. 5326 5327 Closes #2407 5328 5329 Kamil Dudka (10 Sep 2018) 5330 - docs/cmdline-opts: update the documentation of --tlsv1.0 5331 5332 ... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 5333 5334 Closes #2955 5335 5336 - docs/examples: do not wait when no transfers are running 5337 5338 Closes #2948 5339 5340 Daniel Stenberg (10 Sep 2018) 5341 - [Daniel Gustafsson brought this change] 5342 5343 cookies: Move failure case label to end of function 5344 5345 Rather than jumping backwards to where failure cleanup happens 5346 to be performed, move the failure case to end of the function 5347 where it is expected per existing coding convention. 5348 5349 Closes #2965 5350 5351 - [Daniel Gustafsson brought this change] 5352 5353 misc: fix typos in comments 5354 5355 Closes #2963 5356 5357 - [Daniel Gustafsson brought this change] 5358 5359 cookies: fix leak when writing cookies to file 5360 5361 If the formatting fails, we error out on a fatal error and 5362 clean up on the way out. The array was however freed within 5363 the wrong scope and was thus never freed in case the cookies 5364 were written to a file instead of STDOUT. 5365 5366 Closes #2957 5367 5368 - [Daniel Gustafsson brought this change] 5369 5370 cookies: Remove redundant expired check 5371 5372 Expired cookies have already been purged at a later expiration time 5373 before this check, so remove the redundant check. 5374 5375 closes #2962 5376 5377 - ntlm_wb: bail out if the response gets overly large 5378 5379 Exit the realloc() loop if the response turns out ridiculously large to 5380 avoid worse problems. 5381 5382 Reported-by: Harry Sintonen 5383 Closes #2959 5384 5385 - [Daniel Gustafsson brought this change] 5386 5387 url.c: fix comment typo and indentation 5388 5389 Closes #2960 5390 5391 - urlapi: avoid derefencing a possible NULL pointer 5392 5393 Coverity CID 1439134 5394 5395 - RELEASE-NOTES: synced 5396 5397 Marcel Raad (8 Sep 2018) 5398 - test324: fix after 3f3b26d6feb0667714902e836af608094235fca2 5399 5400 The expected error code is now 60. 51 is dead. 5401 5402 Daniel Stenberg (8 Sep 2018) 5403 - curl_url_set.3: correct description 5404 5405 - curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0 5406 5407 - URL-API 5408 5409 See header file and man pages for API. All documented API details work 5410 and are tested in the 1560 test case. 5411 5412 Closes #2842 5413 5414 - curl_easy_upkeep: removed 'conn' from the name 5415 5416 ... including the associated option. 5417 5418 Fixes #2951 5419 Closes #2952 5420 5421 - [Max Dymond brought this change] 5422 5423 upkeep: add a connection upkeep API: curl_easy_conn_upkeep() 5424 5425 Add functionality so that protocols can do custom keepalive on their 5426 connections, when an external API function is called. 5427 5428 Add docs for the new options in 7.62.0 5429 5430 Closes #1641 5431 5432 - [Philipp Waehnert brought this change] 5433 5434 configure: add option to disable automatic OpenSSL config loading 5435 5436 Sometimes it may be considered a security risk to load an external 5437 OpenSSL configuration automatically inside curl_global_init(). The 5438 configuration option --disable-ssl-auto-load-config disables this 5439 automatism. The Windows build scripts winbuild/Makefile.vs provide a 5440 corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean 5441 value. 5442 5443 Setting neither of these options corresponds to the previous behavior 5444 loading the external OpenSSL configuration automatically. 5445 5446 Fixes #2724 5447 Closes #2791 5448 5449 - doh: minor edits to please Coverity 5450 5451 The gcc typecheck macros and coverity combined made it warn on the 2nd 5452 argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it. 5453 5454 Coverity CID 1439115 and CID 1439114. 5455 5456 - schannel: avoid switch-cases that go to default anyway 5457 5458 SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of 5459 mingw and would require an ifdef otherwise. 5460 5461 Reported-by: Thomas Glanzmann 5462 Approved-by: Marc Hrsken 5463 Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html 5464 Closes #2950 5465 5466 - [Nicklas Avn brought this change] 5467 5468 imap: change from "FETCH" to "UID FETCH" 5469 5470 ... and add "MAILINDEX". 5471 5472 As described in #2789, this is a suggested solution. Changing UID=xx to 5473 actually get mail with UID xx and add "MAILINDEX" to get a mail with a 5474 special index in the mail box (old behavior). So MAILINDEX=1 gives the 5475 first non deleted mail in the mail box. 5476 5477 Fixes #2789 5478 Closes #2815 5479 5480 - CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size 5481 5482 This is step 3 of #2888. 5483 5484 Fixes #2888 5485 Closes #2896 5486 5487 - travis: add the DOH tests to the torture testing 5488 5489 - DOH: add test case 1650 and 2100 5490 5491 - curl: --doh-url added 5492 5493 - setopt: add CURLOPT_DOH_URL 5494 5495 Closes #2668 5496 5497 - [Han Han brought this change] 5498 5499 ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code 5500 5501 Long live CURLE_PEER_FAILED_VERIFICATION 5502 5503 - [Han Han brought this change] 5504 5505 x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert 5506 5507 CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509 5508 does not allocate memory internally as its first argument is a pointer 5509 to the certificate structure. The same error code is also returned by 5510 Curl_verifyhost when its call to Curl_parseX509 fails so the change 5511 makes error handling more consistent. 5512 5513 - [Han Han brought this change] 5514 5515 openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer 5516 5517 Failure to extract the issuer name from the server certificate should 5518 return a more specific error code like on other TLS backends. 5519 5520 - [Han Han brought this change] 5521 5522 schannel: unified error code handling 5523 5524 Closes #2901 5525 5526 - [Han Han brought this change] 5527 5528 darwinssl: more specific and unified error codes 5529 5530 Closes #2901 5531 5532 - CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated 5533 5534 Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for 5535 deprecation and complete removal in six months. 5536 5537 Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html 5538 Closes #2942 5539 5540 - url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled 5541 5542 Closes #2709 5543 5544 - multiplex: enable by default 5545 5546 Starting 7.62.0, multiplexing is enabled by default in multi handles. 5547 5548 - [Jim Fuller brought this change] 5549 5550 tests: add unit tests for url.c 5551 5552 Approved-by: Daniel Gustafsson 5553 Closes #2937 5554 5555 - test1452: mark as flaky 5556 5557 makes it not run in the CI builds 5558 5559 Closes #2941 5560 5561 - pipelining: deprecated 5562 5563 Transparently. The related curl_multi_setopt() options all still returns 5564 OK when pipelining is selected. 5565 5566 To re-enable the support, the single line change in lib/multi.c needs to 5567 be reverted. 5568 5569 See docs/DEPRECATE.md 5570 5571 Closes #2705 5572 5573 - RELEASE-NOTES: start working on 7.62.0 5574 5575 Version 7.61.1 (4 Sep 2018) 5576 5577 Daniel Stenberg (4 Sep 2018) 5578 - THANKS: 7.61.1 status 5579 5580 - RELEASE-NOTES: 7.61.1 5581 5582 - Curl_getoff_all_pipelines: ignore unused return values 5583 5584 Since scan-build would warn on the dead "Dead store/Dead increment" 5585 5586 Viktor Szakats (4 Sep 2018) 5587 - sftp: fix indentation 5588 5589 Daniel Stenberg (4 Sep 2018) 5590 - [Przemysaw Tomaszewski brought this change] 5591 5592 sftp: don't send post-qoute sequence when retrying a connection 5593 5594 Fixes #2939 5595 Closes #2940 5596 5597 Kamil Dudka (3 Sep 2018) 5598 - url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work 5599 5600 This is a follow-up to PR #2607 and PR #2926. 5601 5602 Closes #2936 5603 5604 Daniel Stenberg (3 Sep 2018) 5605 - [Jay Satiro brought this change] 5606 5607 tool_operate: Add http code 408 to transient list for --retry 5608 5609 - Treat 408 request timeout as transient so that curl will retry the 5610 request if --retry was used. 5611 5612 Closes #2925 5613 5614 - [Jay Satiro brought this change] 5615 5616 openssl: Fix setting TLS 1.3 cipher suites 5617 5618 The flag indicating TLS 1.3 cipher support in the OpenSSL backend was 5619 missing. 5620 5621 Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 5622 Reported-by: Kamil Dudka 5623 5624 Closes #2926 5625 5626 - Curl_ntlm_core_mk_nt_hash: return error on too long password 5627 5628 ... since it would cause an integer overflow if longer than (max size_t 5629 / 2). 5630 5631 This is CVE-2018-14618 5632 5633 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html 5634 Closes #2756 5635 Reported-by: Zhaoyang Wu 5636 5637 - [Rikard Falkeborn brought this change] 5638 5639 http2: Use correct format identifier for stream_id 5640 5641 Closes #2928 5642 5643 Marcel Raad (2 Sep 2018) 5644 - test1148: fix precheck output 5645 5646 "precheck command error" is not very helpful. 5647 5648 Daniel Stenberg (1 Sep 2018) 5649 - all: s/int/size_t cleanup 5650 5651 Assisted-by: Rikard Falkeborn 5652 5653 Closes #2922 5654 5655 - ssh-libssh: use FALLTHROUGH to silence gcc8 5656 5657 Jay Satiro (31 Aug 2018) 5658 - tool_operate: Fix setting proxy TLS 1.3 ciphers 5659 5660 Daniel Stenberg (31 Aug 2018) 5661 - [Daniel Gustafsson brought this change] 5662 5663 cookies: support creation-time attribute for cookies 5664 5665 According to RFC6265 section 5.4, cookies with equal path lengths 5666 SHOULD be sorted by creation-time (earlier first). This adds a 5667 creation-time record to the cookie struct in order to make cookie 5668 sorting more deterministic. The creation-time is defined as the 5669 order of the cookies in the jar, the first cookie read fro the 5670 jar being the oldest. The creation-time is thus not serialized 5671 into the jar. Also remove the strcmp() matching in the sorting as 5672 there is no lexicographic ordering in RFC6265. Existing tests are 5673 updated to match. 5674 5675 Closes #2524 5676 5677 Marcel Raad (31 Aug 2018) 5678 - Don't use Windows path %PWD for SSH tests 5679 5680 All these tests failed on Windows because something like 5681 sftp://%HOSTIP:%SSHPORT%PWD/ 5682 expanded to 5683 sftp://127.0.0.1:1234c:/msys64/home/bla/curl 5684 and then curl complained about the port number ending with a letter. 5685 5686 Use the original POSIX path instead of the Windows path created in 5687 checksystem to fix this. 5688 5689 Closes https://github.com/curl/curl/pull/2920 5690 5691 Jay Satiro (29 Aug 2018) 5692 - CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warning 5693 5694 Reported-by: Daniel Stenberg 5695 5696 Closes https://github.com/curl/curl/issues/2916 5697 5698 Daniel Stenberg (28 Aug 2018) 5699 - THANKS-filter: dedup Daniel Jeliski 5700 5701 - RELEASE-NOTES: synced 5702 5703 - CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip] 5704 5705 - CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip] 5706 5707 Added a warning! 5708 5709 Closes #2915 5710 5711 - curl: fix time-of-check, time-of-use race in dir creation 5712 5713 Patch-by: Jay Satiro 5714 Detected by Coverity 5715 Fixes #2739 5716 Closes #2912 5717 5718 - cmdline-opts/page-footer: fix edit mistake 5719 5720 There was a missing newline. 5721 5722 follow-up to a7ba60bb7250 5723 5724 - docs: clarify NO_PROXY env variable functionality 5725 5726 Reported-by: Kirill Marchuk 5727 Fixes #2773 5728 Closes #2911 5729 5730 Marcel Raad (24 Aug 2018) 5731 - lib1522: fix curl_easy_setopt argument type 5732 5733 CURLOPT_POSTFIELDSIZE is a long option. 5734 5735 - curl_threads: silence bad-function-cast warning 5736 5737 As uintptr_t and HANDLE are always the same size, this warning is 5738 harmless. Just silence it using an intermediate uintptr_t variable. 5739 5740 Closes https://github.com/curl/curl/pull/2908 5741 5742 Daniel Stenberg (24 Aug 2018) 5743 - README: add appveyor build badge [ci skip] 5744 5745 Closes #2913 5746 5747 - [Ihor Karpenko brought this change] 5748 5749 schannel: client certificate store opening fix 5750 5751 1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) 5752 while opening certificate store would be sufficient in this scenario and 5753 less-demanding in sense of required user credentials ( for example, 5754 IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore 5755 call without any of flags mentioned above ), 5756 5757 2) as 'cert_store_name' is a DWORD, attempt to format its value like a 5758 string ( in "Failed to open cert store" error message ) will throw null 5759 pointer exception 5760 5761 3) adding GetLastError(), in my opinion, will make error message more 5762 useful. 5763 5764 Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html 5765 5766 Closes #2909 5767 5768 - [Leonardo Taccari brought this change] 5769 5770 gopher: Do not translate `?' to `%09' 5771 5772 Since GOPHER support was added in curl `?' character was automatically 5773 translated to `%09' (`\t'). 5774 5775 However, this behaviour does not seems documented in RFC 4266 and for 5776 search selectors it is documented to directly use `%09' in the URL. 5777 Apart that several gopher servers in the current gopherspace have CGI 5778 support where `?' is used as part of the selector and translating it to 5779 `%09' often leads to surprising results. 5780 5781 Closes #2910 5782 5783 Marcel Raad (23 Aug 2018) 5784 - cookie tests: treat files as text 5785 5786 Fixes test failures because of wrong line endings on Windows. 5787 5788 Daniel Stenberg (23 Aug 2018) 5789 - libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation 5790 5791 Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to 5792 avoid the risk of getting a SIGPIPE. 5793 5794 Either way, a multi-threaded application that uses libcurl/openssl needs 5795 to have a signhandler for or ignore SIGPIPE on its own. 5796 5797 Based on discussions in #2800 5798 Closes #2904 5799 5800 - RELEASE-NOTES: synced 5801 5802 Marcel Raad (22 Aug 2018) 5803 - Tests: fixes for Windows 5804 5805 - test 1268 requires unix sockets 5806 - test 2072 must be disabled also for MSYS/MinGW 5807 5808 Daniel Stenberg (22 Aug 2018) 5809 - http2: abort the send_callback if not setup yet 5810 5811 When Curl_http2_done() gets called before the http2 data is setup all 5812 the way, we cannot send anything and this should just return an error. 5813 5814 Detected by OSS-Fuzz 5815 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012 5816 5817 - http2: remove four unused nghttp2 callbacks 5818 5819 Closes #2903 5820 5821 - x509asn1: use FALLTHROUGH 5822 5823 ... as no other comments are accepted since 014ed7c22f51463 5824 5825 Marcel Raad (21 Aug 2018) 5826 - test1148: disable if decimal separator is not point 5827 5828 Modifying the locale with environment variables doesn't work for native 5829 Windows applications. Just disable the test in this case if the decimal 5830 separator is something different than a point. Use a precheck with a 5831 small C program to achieve that. 5832 5833 Closes https://github.com/curl/curl/pull/2786 5834 5835 - Enable more GCC warnings 5836 5837 This enables the following additional warnings: 5838 -Wold-style-definition 5839 -Warray-bounds=2 instead of the default 1 5840 -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not 5841 respected for older versions 5842 -Wunused-const-variable, which enables level 2 instead of the default 1 5843 -Warray-bounds also in debug mode through -ftree-vrp 5844 -Wnull-dereference also in debug mode through 5845 -fdelete-null-pointer-checks 5846 5847 Closes https://github.com/curl/curl/pull/2747 5848 5849 - curl-compilers: enable -Wimplicit-fallthrough=4 for GCC 5850 5851 This enables level 4 instead of the default level 3, which of the 5852 currently used comments only allows /* FALLTHROUGH */ to silence the 5853 warning. 5854 5855 Closes https://github.com/curl/curl/pull/2747 5856 5857 - curl-compilers: enable -Wbad-function-cast on GCC 5858 5859 This warning used to be enabled only for clang as it's a bit stricter 5860 on GCC. Silence the remaining occurrences and enable it on GCC too. 5861 5862 Closes https://github.com/curl/curl/pull/2747 5863 5864 - configure: conditionally enable pedantic-errors 5865 5866 Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5, 5867 pedantic-errors was synonymous to -Werror=pedantic [0], which is still 5868 the case for clang [1]. With GCC 5, it became complementary [2]. 5869 5870 Also fix a resulting error in acinclude.m4 as main's return type was 5871 missing, which is illegal in C99. 5872 5873 [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html 5874 [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages 5875 [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html 5876 5877 Closes https://github.com/curl/curl/pull/2747 5878 5879 - Remove unused definitions 5880 5881 Closes https://github.com/curl/curl/pull/2747 5882 5883 Daniel Stenberg (21 Aug 2018) 5884 - x509asn1: make several functions static 5885 5886 and remove the private SIZE_T_MAX define and use the generic one. 5887 5888 Closes #2902 5889 5890 - INTERNALS: require GnuTLS >= 2.11.3 5891 5892 Since the public pinning support was brought in e644866caf4. GnuTLS 5893 2.11.3 was released in October 2010. 5894 5895 Figured out in #2890 5896 5897 - http2: avoid set_stream_user_data() before stream is assigned 5898 5899 ... before the stream is started, we have it set to -1. 5900 5901 Fixes #2894 5902 Closes #2898 5903 5904 - SSLCERTS: improve the openssl command line 5905 5906 ... for extracting certs from a live HTTPS server to make a cacerts.pem 5907 from them. 5908 5909 - docs/SECURITY-PROCESS: now we name the files after the CVE id 5910 5911 - RELEASE-NOTES: synced 5912 5913 - upload: change default UPLOAD_BUFSIZE to 64KB 5914 5915 To make uploads significantly faster in some circumstances. 5916 5917 Part 2 of #2888 5918 Closes #2892 5919 5920 - upload: allocate upload buffer on-demand 5921 5922 Saves 16KB on the easy handle for operations that don't need that 5923 buffer. 5924 5925 Part 1 of #2888 5926 5927 - [Laurent Bonnans brought this change] 5928 5929 vtls: reinstantiate engine on duplicated handles 5930 5931 Handles created with curl_easy_duphandle do not use the SSL engine set 5932 up in the original handle. This fixes the issue by storing the engine 5933 name in the internal url state and setting the engine from its name 5934 inside curl_easy_duphandle. 5935 5936 Reported-by: Anton Gerasimov 5937 Signed-of-by: Laurent Bonnans 5938 Fixes #2829 5939 Closes #2833 5940 5941 - http2: make sure to send after RST_STREAM 5942 5943 If this is the last stream on this connection, the RST_STREAM might not 5944 get pushed to the wire otherwise. 5945 5946 Fixes #2882 5947 Closes #2887 5948 Researched-by: Michael Kaufmann 5949 5950 - test1268: check the stderr output as "text" 5951 5952 Follow-up to 099f37e9c57 5953 5954 Pointed-out-by: Marcel Raad 5955 5956 - urldata: remove unused pipe_broke struct field 5957 5958 This struct field is never set TRUE in any existing code path. This 5959 change removes the field completely. 5960 5961 Closes #2871 5962 5963 - curl: warn the user if a given file name looks like an option 5964 5965 ... simply because this is usually a sign of the user having omitted the 5966 file name and the next option is instead "eaten" by the parser as a file 5967 name. 5968 5969 Add test1268 to verify 5970 5971 Closes #2885 5972 5973 - http2: check nghttp2_session_set_stream_user_data return code 5974 5975 Might help bug #2688 debugging 5976 5977 Closes #2880 5978 5979 - travis: revert back to gcc-7 for coverage builds 5980 5981 ... since the gcc-8 ones seem to fail frequently. 5982 5983 Follow-up from b85207199544ca 5984 5985 Closes #2886 5986 5987 - RELEASE-NOTES: synced 5988 5989 ... and now listed in alphabetical order! 5990 5991 - [Adrien brought this change] 5992 5993 CMake: CMake config files are defining CURL_STATICLIB for static builds 5994 5995 This change allows to use the CMake config files generated by Curl's 5996 CMake scripts for static builds of the library. 5997 The symbol CURL_STATIC lib must be defined to compile downstream, 5998 thus the config package is the perfect place to do so. 5999 6000 Fixes #2817 6001 Closes #2823 6002 Reported-by: adnn on github 6003 Reviewed-by: Sergei Nikulov 6004 6005 - TODO: host name sections in config files 6006 6007 Kamil Dudka (14 Aug 2018) 6008 - ssh-libssh: fix infinite connect loop on invalid private key 6009 6010 Added test 656 (based on test 604) to verify the fix. 6011 6012 Bug: https://bugzilla.redhat.com/1595135 6013 6014 Closes #2879 6015 6016 - ssh-libssh: reduce excessive verbose output about pubkey auth 6017 6018 The verbose message "Authentication using SSH public key file" was 6019 printed each time the ssh_userauth_publickey_auto() was called, which 6020 meant each time a packet was transferred over network because the API 6021 operates in non-blocking mode. 6022 6023 This patch makes sure that the verbose message is printed just once 6024 (when the authentication state is entered by the SSH state machine). 6025 6026 Daniel Stenberg (14 Aug 2018) 6027 - travis: disable h2 torture tests for "coverage" 6028 6029 Since they started to fail almost 100% since a few days. 6030 6031 Closes #2876 6032 6033 Marcel Raad (14 Aug 2018) 6034 - travis: update to GCC 8 6035 6036 Closes https://github.com/curl/curl/pull/2869 6037 6038 Daniel Stenberg (13 Aug 2018) 6039 - http: fix for tiny "HTTP/0.9" response 6040 6041 Deal with tiny "HTTP/0.9" (header-less) responses by checking the 6042 status-line early, even before a full "HTTP/" is received to allow 6043 detecting 0.9 properly. 6044 6045 Test 1266 and 1267 added to verify. 6046 6047 Fixes #2420 6048 Closes #2872 6049 6050 Kamil Dudka (13 Aug 2018) 6051 - docs: add disallow-username-in-url.d and haproxy-protocol.d on the list 6052 6053 ... to make make the files appear in distribution tarballs 6054 6055 Closes #2856 6056 6057 - .travis.yml: verify that man pages can be regenerated 6058 6059 ... when curl is built from distribution tarball 6060 6061 Closes #2856 6062 6063 Marcel Raad (11 Aug 2018) 6064 - Split non-portable part off test 1133 6065 6066 Split off testing file names with double quotes into new test 1158. 6067 Disable it for MSYS using a precheck as it doesn't support file names 6068 with double quotes (but Cygwin does, for example). 6069 6070 Fixes https://github.com/curl/curl/issues/2796 6071 Closes https://github.com/curl/curl/pull/2854 6072 6073 Jay Satiro (11 Aug 2018) 6074 - projects: Improve Windows perl detection in batch scripts 6075 6076 - Determine if perl is in the user's PATH by running perl.exe. 6077 6078 Prior to this change detection was done by checking the PATH for perl/ 6079 but that did not work in all cases (eg git install includes perl but 6080 not in perl/ path). 6081 6082 Bug: https://github.com/curl/curl/pull/2865 6083 Reported-by: Daniel Jeliski 6084 6085 - [Michael Kaufmann brought this change] 6086 6087 docs: Improve the manual pages of some callbacks 6088 6089 - CURLOPT_HEADERFUNCTION: add newlines 6090 - CURLOPT_INTERLEAVEFUNCTION: fix the description of 'userdata' 6091 - CURLOPT_READDATA: mention crashes, same as in CURLOPT_WRITEDATA 6092 - CURLOPT_READFUNCTION: rename 'instream' to 'userdata' and explain 6093 how to set it 6094 6095 Closes https://github.com/curl/curl/pull/2868 6096 6097 Marcel Raad (11 Aug 2018) 6098 - GCC: silence -Wcast-function-type uniformly 6099 6100 Pointed-out-by: Rikard Falkeborn 6101 Closes https://github.com/curl/curl/pull/2860 6102 6103 - Silence GCC 8 cast-function-type warnings 6104 6105 On Windows, casting between unrelated function types is fine and 6106 sometimes even necessary, so just use an intermediate cast to 6107 (void (*) (void)) to silence the warning as described in [0]. 6108 6109 [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html 6110 6111 Closes https://github.com/curl/curl/pull/2860 6112 6113 Daniel Stenberg (11 Aug 2018) 6114 - CURLINFO_SIZE_UPLOAD: fix missing counter update 6115 6116 Adds test 1522 for verification. 6117 6118 Reported-by: cjmsoregan 6119 Fixes #2847 6120 Closes #2864 6121 6122 - [Daniel Jelinski brought this change] 6123 6124 Documentation: fix CURLOPT_SSH_COMPRESSION copy/paste bug 6125 6126 Closes #2867 6127 6128 - RELEASE-NOTES: synced 6129 6130 - openssl: fix potential NULL pointer deref in is_pkcs11_uri 6131 6132 Follow-up to 298d2565e 6133 Coverity CID 1438387 6134 6135 Marcel Raad (10 Aug 2018) 6136 - travis: execute "set -eo pipefail" for coverage build 6137 6138 Follow-up to 2de63ab179eb78630ee039ad94fb2a5423df522d and 6139 0b87c963252d3504552ee0c8cf4402bd65a80af5. 6140 6141 Closes https://github.com/curl/curl/pull/2862 6142 6143 Daniel Stenberg (10 Aug 2018) 6144 - lib1502: fix memory leak in torture test 6145 6146 Reported-by: Marcel Raad 6147 Fixes #2861 6148 Closes #2863 6149 6150 - docs: mention NULL is fine input to several functions 6151 6152 Fixes #2837 6153 Closes #2858 6154 Reported-by: Markus Elfring 6155 6156 - [Bas van Schaik brought this change] 6157 6158 README.md: add LGTM.com code quality grade for C/C++ 6159 6160 Closes #2857 6161 6162 - [Rikard Falkeborn brought this change] 6163 6164 test1531: Add timeout 6165 6166 Previously, the macro TEST_HANG_TIMEOUT was unused, but since there is 6167 looping going on, we might as well add timing instead of removing it. 6168 6169 Closes #2853 6170 6171 - [Rikard Falkeborn brought this change] 6172 6173 test1540: Remove unused macro TEST_HANG_TIMEOUT 6174 6175 The macro has never been used, and it there is not really any place 6176 where it would make sense to add timing checks. 6177 6178 Closes #2852 6179 6180 - [Rikard Falkeborn brought this change] 6181 6182 asyn-thread: Remove unused macro 6183 6184 The macro seems to never have been used. 6185 6186 Closes #2852 6187 6188 - [Rikard Falkeborn brought this change] 6189 6190 http_proxy: Remove unused macro SELECT_TIMEOUT 6191 6192 Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22. 6193 6194 Closes #2852 6195 6196 - [Rikard Falkeborn brought this change] 6197 6198 formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT 6199 6200 Its usage was removed in 6201 84ad1fd3047815f9c6e78728bb351b828eac10b1. 6202 6203 Closes #2852 6204 6205 - [Rikard Falkeborn brought this change] 6206 6207 telnet: Remove unused macros TELOPTS and TELCMDS 6208 6209 Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51. 6210 6211 Closes #2852 6212 6213 - [Daniel Jelinski brought this change] 6214 6215 openssl: fix debug messages 6216 6217 Fixes #2806 6218 Closes #2843 6219 6220 - configure: fix for -lpthread detection with OpenSSL and pkg-config 6221 6222 ... by making sure it uses the -I provided by pkg-config! 6223 6224 Reported-by: pszemus on github 6225 Fixes #2848 6226 Closes #2850 6227 6228 - RELEASE-NOTES: synced 6229 6230 - windows: follow up to the buffer-tuning 1ba1dba7 6231 6232 Somehow I didn't include the amended version of the previous fix. This 6233 is the missing piece. 6234 6235 Pointed-out-by: Viktor Szakats 6236 6237 - [Daniel Jelinski brought this change] 6238 6239 windows: implement send buffer tuning 6240 6241 Significantly enhances upload performance on modern Windows versions. 6242 6243 Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html 6244 Closes #2762 6245 Fixes #2224 6246 6247 - [Anderson Toshiyuki Sasaki brought this change] 6248 6249 ssl: set engine implicitly when a PKCS#11 URI is provided 6250 6251 This allows the use of PKCS#11 URI for certificates and keys without 6252 setting the corresponding type as "ENG" and the engine as "pkcs11" 6253 explicitly. If a PKCS#11 URI is provided for certificate, key, 6254 proxy_certificate or proxy_key, the corresponding type is set as "ENG" 6255 if not provided and the engine is set to "pkcs11" if not provided. 6256 6257 Acked-by: Nikos Mavrogiannopoulos 6258 Closes #2333 6259 6260 - [Ruslan Baratov brought this change] 6261 6262 CMake: Respect BUILD_SHARED_LIBS 6263 6264 Use standard CMake variable BUILD_SHARED_LIBS instead of introducing 6265 custom option CURL_STATICLIB. 6266 6267 Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml. 6268 6269 Reviewed-by: Sergei Nikulov 6270 Closes #2755 6271 6272 - [John Butterfield brought this change] 6273 6274 cmake: bumped minimum version to 3.4 6275 6276 Closes #2753 6277 6278 - [John Butterfield brought this change] 6279 6280 cmake: link curl to the OpenSSL targets instead of lib absolute paths 6281 6282 Reviewed-by: Jakub Zakrzewski 6283 Reviewed-by: Sergei Nikulov 6284 Closes #2753 6285 6286 - travis: build darwinssl on macos 10.12 6287 6288 ... as building on 10.13.x before 10.13.4 leads to link errors. 6289 6290 Assisted-by: Nick Zitzmann 6291 Fixes #2835 6292 Closes #2845 6293 6294 - DEPRECATE: remove release date from 7.62.0 6295 6296 Since it will slip and the version is the important part there, not the 6297 date. 6298 6299 - lib/Makefile: only do symbol hiding if told to 6300 6301 This restores the ability to build a static lib with 6302 --disable-symbol-hiding to keep non-curl_ symbols. 6303 6304 Researched-by: Dan Fandrich 6305 Reported-by: Ran Mozes 6306 Fixes #2830 6307 Closes #2831 6308 6309 Marcel Raad (2 Aug 2018) 6310 - hostip: fix unused variable warning 6311 6312 addresses is only used in an infof call, which is a macro expanding to 6313 nothing if CURL_DISABLE_VERBOSE_STRINGS is set. 6314 6315 Daniel Stenberg (2 Aug 2018) 6316 - test1307: disabled 6317 6318 Turns out that since we're using the native fnmatch function now when 6319 available, and they simply disagree on a huge number of test patterns 6320 that make it hard to test this function like this... 6321 6322 Fixes #2825 6323 6324 - smb: don't mark it done in smb_do 6325 6326 Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its 6327 doing function too, which requires smb_do() to not mark itself as 6328 done... 6329 6330 Closes #2822 6331 6332 - [Rikard Falkeborn brought this change] 6333 6334 general: fix printf specifiers 6335 6336 Closes #2818 6337 6338 - RELEASE-NOTES: synced 6339 6340 - mailmap: Daniel Jelinski 6341 6342 - [Harry Sintonen brought this change] 6343 6344 HTTP: Don't attempt to needlessly decompress redirect body 6345 6346 This change fixes a regression where redirect body would needlessly be 6347 decompressed even though it was to be ignored anyway. As it happens this 6348 causes secondary issues since there appears to be a bug in apache2 that 6349 it in certain conditions generates a corrupt zlib response. The 6350 regression was created by commit: 6351 dbcced8e32b50c068ac297106f0502ee200a1ebd 6352 6353 Discovered-by: Harry Sintonen 6354 Closes #2798 6355 6356 - curl: use Content-Disposition before the "URL end" for -OJ 6357 6358 Regression introduced in 7.61.0 6359 6360 Reported-by: Thomas Klausner 6361 Fixes #2783 6362 Closes #2813 6363 6364 - [Daniel Jelinski brought this change] 6365 6366 retry: return error if rewind was necessary but didn't happen 6367 6368 Fixes #2801 6369 Closes #2812 6370 6371 - http2: clear the drain counter in Curl_http2_done 6372 6373 Reported-by: Andrei Virtosu 6374 Fixes #2800 6375 Closes #2809 6376 6377 - smb: fix memory leak on early failure 6378 6379 ... by making sure connection related data (->share) is stored in the 6380 connection and not in the easy handle. 6381 6382 Detected by OSS-fuzz 6383 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 6384 Fixes #2769 6385 Closes #2810 6386 6387 - travis: run a 'make checksrc' too 6388 6389 ... to make sure the examples are all checked. 6390 6391 Closes #2811 6392 6393 Jay Satiro (29 Jul 2018) 6394 - examples/ephiperfifo: checksrc compliance 6395 6396 - [Michael Kaufmann brought this change] 6397 6398 sws: handle EINTR when calling select() 6399 6400 Closes https://github.com/curl/curl/pull/2808 6401 6402 Daniel Stenberg (29 Jul 2018) 6403 - test1157: follow-up to 35ecffb9 6404 6405 Ignore the user-agent line. 6406 Pointed-out-by: Marcel Raad 6407 6408 Michael Kaufmann (29 Jul 2018) 6409 - tests/http_pipe.py: Use /usr/bin/env to find python 6410 6411 Daniel Stenberg (28 Jul 2018) 6412 - TODO: Support Authority Information Access certificate extension (AIA) 6413 6414 Closes #2793 6415 6416 - conn_free: updated comment to clarify 6417 6418 Let's call it disassociate instead of disconnect since the latter term 6419 is used so much for (TCP) connections already. 6420 6421 - test1157: test -H from empty file 6422 6423 Verifies bugfix #2797 6424 6425 - [Tobias Blomberg brought this change] 6426 6427 curl: Fix segfault when -H @headerfile is empty 6428 6429 The curl binary would crash if the -H command line option was given a 6430 filename to read using the @filename syntax but that file was empty. 6431 6432 Closes #2797 6433 6434 - mime: check Curl_rand_hex's return code 6435 6436 Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html 6437 Reported-by: Jeffrey Walton 6438 Closes #2795 6439 6440 - [Josh Bialkowski brought this change] 6441 6442 docs/examples: add hiperfifo example using linux epoll/timerfd 6443 6444 Closes #2804 6445 6446 - [Daro Here brought this change] 6447 6448 docs/INSTALL.md: minor formatting fixes 6449 6450 Closes #2794 6451 6452 - [Christopher Head brought this change] 6453 6454 docs/CURLOPT_URL: fix indentation 6455 6456 The statement, The application does not have to keep the string around 6457 after setting this option, appears to be indented under the RTMP 6458 paragraph. It actually applies to all protocols, not just RTMP. 6459 Eliminate the extra indentation. 6460 6461 Closes #2788 6462 6463 - [Christopher Head brought this change] 6464 6465 docs/CURLOPT_WRITEFUNCTION: size is always 1 6466 6467 For compatibility with `fwrite`, the `CURLOPT_WRITEFUNCTION` callback is 6468 passed two `size_t` parameters which, when multiplied, designate the 6469 number of bytes of data passed in. In practice, CURL always sets the 6470 first parameter (`size`) to 1. 6471 6472 This practice is also enshrined in documentation and cannot be changed 6473 in future. The documentation states that the default callback is 6474 `fwrite`, which means `fwrite` must be a suitable function for this 6475 purpose. However, the documentation also states that the callback must 6476 return the number of *bytes* it successfully handled, whereas ISO C 6477 `fwrite` returns the number of items (each of size `size`) which it 6478 wrote. The only way these numbers can be equal is if `size` is 1. 6479 6480 Since `size` is 1 and can never be changed in future anyway, document 6481 that fact explicitly and let users rely on it. 6482 6483 Closes #2787 6484 6485 - [Carie Pointer brought this change] 6486 6487 wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random 6488 6489 RNG structure must be freed by call to FreeRng after its use in 6490 Curl_cyassl_random. This call fixes Valgrind failures when running the 6491 test suite with wolfSSL. 6492 6493 Closes #2784 6494 6495 - [Even Rouault brought this change] 6496 6497 reuse_conn(): free old_conn->options 6498 6499 This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with 6500 connection reuse. 6501 6502 I found this with oss-fuzz on GDAL and curl master: 6503 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582 6504 I couldn't reproduce with the oss-fuzz original test case, but looking 6505 at curl source code pointed to this well reproducable leak. 6506 6507 Closes #2790 6508 6509 Marcel Raad (25 Jul 2018) 6510 - [Daniel Jelinski brought this change] 6511 6512 system_win32: fix version checking 6513 6514 In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false 6515 when run on windows 10.0. This patch addresses that error. 6516 6517 Closes https://github.com/curl/curl/pull/2792 6518 6519 Daniel Stenberg (24 Jul 2018) 6520 - [Johannes Schindelin brought this change] 6521 6522 auth: pick Bearer authentication whenever a token is available 6523 6524 So far, the code tries to pick an authentication method only if 6525 user/password credentials are available, which is not the case for 6526 Bearer authentictation... 6527 6528 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 6529 Closes #2754 6530 6531 - [Johannes Schindelin brought this change] 6532 6533 auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token 6534 6535 The Bearer authentication was added to cURL 7.61.0, but there is a 6536 problem: if CURLAUTH_ANY is selected, and the server supports multiple 6537 authentication methods including the Bearer method, we strongly prefer 6538 that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer 6539 authentication fails, we will never even try to attempt any other 6540 method. 6541 6542 This is particularly unfortunate when we already know that we do not 6543 have any Bearer token to work with. 6544 6545 Such a scenario happens e.g. when using Git to push to Visual Studio 6546 Team Services (which supports Basic and Bearer authentication among 6547 other methods) and specifying the Personal Access Token directly in the 6548 URL (this aproach is frequently taken by automated builds). 6549 6550 Let's make sure that we have a Bearer token to work with before we 6551 select the Bearer authentication among the available authentication 6552 methods. 6553 6554 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 6555 Closes #2754 6556 6557 Marcel Raad (22 Jul 2018) 6558 - test320: treat curl320.out file as binary 6559 6560 Otherwise, LF line endings are converted to CRLF on Windows, 6561 but no conversion is done for the reply, so the test case fails. 6562 6563 Closes https://github.com/curl/curl/pull/2776 6564 6565 Daniel Stenberg (22 Jul 2018) 6566 - vtls: set conn->data when closing TLS 6567 6568 Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS 6569 layer for a connection still needs a Curl_easy handle for the session_id 6570 cache etc. 6571 6572 Fixes #2764 6573 Closes #2771 6574 6575 Marcel Raad (21 Jul 2018) 6576 - tests: fixes for Windows line endlings 6577 6578 Set mode="text" when line endings depend on the system representation. 6579 6580 Closes https://github.com/curl/curl/pull/2772 6581 6582 - test214: disable MSYS2's POSIX path conversion for URL 6583 6584 By default, the MSYS2 bash converts all backslashes to forward slashes 6585 in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. 6586 6587 Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces 6588 6589 Daniel Stenberg (20 Jul 2018) 6590 - http2: several cleanups 6591 6592 - separate easy handle from connections better 6593 - added asserts on a number of places 6594 - added sanity check of pipelines for debug builds 6595 6596 Closes #2751 6597 6598 - smb_getsock: always wait for write socket too 6599 6600 ... the protocol is doing read/write a lot, so it needs to write often 6601 even when downloading. A more proper fix could check for eactly when it 6602 wants to write and only ask for it then. 6603 6604 Without this fix, an SMB download could easily get stuck when the event-driven 6605 API was used. 6606 6607 Closes #2768 6608 6609 Marcel Raad (20 Jul 2018) 6610 - test1143: disable MSYS2's POSIX path conversion 6611 6612 By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143 6613 as a POSIX file list and converts it to a Windows file list. 6614 Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. 6615 6616 Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces 6617 Closes https://github.com/curl/curl/pull/2765 6618 6619 Daniel Stenberg (18 Jul 2018) 6620 - RELEASE-NOTES: sync 6621 6622 ... and work toward 7.61.1 6623 6624 - [Ruslan Baratov brought this change] 6625 6626 CMake: Update scripts to use consistent style 6627 6628 Closes #2727 6629 Reviewed-by: Sergei Nikulov 6630 6631 - header output: switch off all styles, not just unbold 6632 6633 ... the "unbold" sequence doesn't work on the mac Terminal. 6634 6635 Reported-by: Zero King 6636 Fixes #2736 6637 Closes #2738 6638 6639 Nick Zitzmann (14 Jul 2018) 6640 - [Rodger Combs brought this change] 6641 6642 darwinssl: add support for ALPN negotiation 6643 6644 Marcel Raad (14 Jul 2018) 6645 - test1422: add required file feature 6646 6647 curl configured with --enable-debug --disable-file currently complains 6648 on test1422: 6649 Info: Protocol "file" not supported or disabled in libcurl 6650 6651 Make test1422 dependend on enabled FILE protocol to fix this. 6652 6653 Fixes https://github.com/curl/curl/issues/2741 6654 Closes https://github.com/curl/curl/pull/2742 6655 6656 Patrick Monnerat (12 Jul 2018) 6657 - content_encoding: accept up to 4 unknown trailer bytes after raw deflate data 6658 6659 Some servers issue raw deflate data that may be followed by an undocumented 6660 trailer. This commit makes curl tolerate such a trailer of up to 4 bytes 6661 before considering the data is in error. 6662 6663 Reported-by: clbr on github 6664 Fixes #2719 6665 6666 Daniel Stenberg (12 Jul 2018) 6667 - smb: fix memory-leak in URL parse error path 6668 6669 Detected by OSS-Fuzz 6670 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 6671 Closes #2740 6672 6673 Marcel Raad (12 Jul 2018) 6674 - schannel: enable CALG_TLS1PRF for w32api >= 5.1 6675 6676 The definition of CALG_TLS1PRF has been fixed in the 5.1 branch: 6677 https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5 6678 6679 Daniel Stenberg (12 Jul 2018) 6680 - docs/SECURITY-PROCESS: mention bounty, drop pre-notify 6681 6682 + The hackerone bounty and its process 6683 6684 - We don't and can't handle pre-notification 6685 6686 - multi: always do the COMPLETED procedure/state 6687 6688 It was previously erroneously skipped in some situations. 6689 6690 libtest/libntlmconnect.c wrongly depended on wrong behavior (that it 6691 would get a zero timeout) when no handles are "running" in a multi 6692 handle. That behavior is no longer present with this fix. Now libcurl 6693 will always return a -1 timeout when all handles are completed. 6694 6695 Closes #2733 6696 6697 - Curl_getoff_all_pipelines: improved for multiplexed 6698 6699 On multiplexed connections, transfers can be removed from anywhere not 6700 just at the head as for pipelines. 6701 6702 - ares: check for NULL in completed-callback 6703 6704 - conn: remove the boolean 'inuse' field 6705 6706 ... as the usage needs to be counted. 6707 6708 - [Paul Howarth brought this change] 6709 6710 openssl: assume engine support in 1.0.0 or later 6711 6712 Commit 38203f1585da changed engine detection to be version-based, 6713 with a baseline of openssl 1.0.1. This does in fact break builds 6714 with openssl 1.0.0, which has engine support - the configure script 6715 detects that ENGINE_cleanup() is available - but <openssl/engine.h> 6716 doesn't get included to declare it. 6717 6718 According to upstream documentation, engine support was added to 6719 mainstream openssl builds as of version 0.9.7: 6720 https://github.com/openssl/openssl/blob/master/README.ENGINE 6721 6722 This commit drops the version test down to 1.0.0 as version 1.0.0d 6723 is the oldest version I have to test with. 6724 6725 Closes #2732 6726 6727 Marcel Raad (11 Jul 2018) 6728 - schannel: fix MinGW compile break 6729 6730 Original MinGW's w32api has a sytax error in its definition of 6731 CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF 6732 until this bug [1] is fixed. 6733 6734 [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h 6735 [1] https://osdn.net/projects/mingw/ticket/38391 6736 6737 Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043 6738 Closes https://github.com/curl/curl/pull/2728 6739 6740 Daniel Stenberg (11 Jul 2018) 6741 - examples/crawler.c: move #ifdef to column 0 6742 6743 Apparently the C => HTML converter on the web site doesn't quite like it 6744 otherwise. 6745 6746 Reported-by: Jeroen Ooms 6747 6748 Version 7.61.0 (11 Jul 2018) 6749 6750 Daniel Stenberg (11 Jul 2018) 6751 - release: 7.61.0 6752 6753 - TODO: Configurable loading of OpenSSL configuration file 6754 6755 Closes #2724 6756 6757 - post303.d: clarify that this is an RFC violation 6758 6759 ... and not the other way around, which this previously said. 6760 6761 Reported-by: Vasiliy Faronov 6762 Fixes #2723 6763 Closes #2726 6764 6765 - [Ruslan Baratov brought this change] 6766 6767 CMake: remove redundant and old end-of-block syntax 6768 6769 Reviewed-by: Jakub Zakrzewski 6770 Closes #2715 6771 6772 Jay Satiro (9 Jul 2018) 6773 - lib/curl_setup.h: remove unicode character 6774 6775 Follow-up to 82ce416. 6776 6777 Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818 6778 6779 Daniel Stenberg (9 Jul 2018) 6780 - lib/curl_setup.h: remove unicode bom from 8272ec50f02 6781 6782 Marcel Raad (9 Jul 2018) 6783 - schannel: fix -Wsign-compare warning 6784 6785 MinGW warns: 6786 /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in 6787 conditional expression [-Wsign-compare] 6788 6789 Fix this by casting the ptrdiff_t to size_t as we know it's positive. 6790 6791 Closes https://github.com/curl/curl/pull/2721 6792 6793 - schannel: workaround for wrong function signature in w32api 6794 6795 Original MinGW's w32api has CryptHashData's second parameter as BYTE * 6796 instead of const BYTE *. 6797 6798 Closes https://github.com/curl/curl/pull/2721 6799 6800 - schannel: make more cipher options conditional 6801 6802 They are not defined in the original MinGW's <wincrypt.h>. 6803 6804 Closes https://github.com/curl/curl/pull/2721 6805 6806 - curl_setup: include <winerror.h> before <windows.h> 6807 6808 Otherwise, only part of it gets pulled in through <windows.h> on 6809 original MinGW. 6810 6811 Fixes https://github.com/curl/curl/issues/2361 6812 Closes https://github.com/curl/curl/pull/2721 6813 6814 - examples: fix -Wformat warnings 6815 6816 When size_t is not a typedef for unsigned long (as usually the case on 6817 Windows), GCC emits -Wformat warnings when using lu and lx format 6818 specifiers with size_t. Silence them with explicit casts to 6819 unsigned long. 6820 6821 Closes https://github.com/curl/curl/pull/2721 6822 6823 Daniel Stenberg (9 Jul 2018) 6824 - smtp: use the upload buffer size for scratch buffer malloc 6825 6826 ... not the read buffer size, as that can be set smaller and thus cause 6827 a buffer overflow! CVE-2018-0500 6828 6829 Reported-by: Peter Wu 6830 Bug: https://curl.haxx.se/docs/adv_2018-70a2.html 6831 6832 - [Dave Reisner brought this change] 6833 6834 scripts: include _curl as part of CLEANFILES 6835 6836 Closes #2718 6837 6838 - [Nick Zitzmann brought this change] 6839 6840 darwinssl: allow High Sierra users to build the code using GCC 6841 6842 ...but GCC users lose out on TLS 1.3 support, since we can't weak-link 6843 enumeration constants. 6844 6845 Fixes #2656 6846 Closes #2703 6847 6848 - [Ruslan Baratov brought this change] 6849 6850 CMake: Remove unused 'output_var' from 'collect_true' 6851 6852 Variable 'output_var' is not used and can be removed. 6853 Function 'collect_true' renamed to 'count_true'. 6854 6855 - [Ruslan Baratov brought this change] 6856 6857 CMake: Remove unused functions 6858 6859 Closes #2711 6860 6861 - KNOWN_BUGS: Stick to same family over SOCKS proxy 6862 6863 - libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE 6864 6865 ... because otherwise not everything get closed down correctly. 6866 6867 Fixes #2708 6868 Closes #2712 6869 6870 - libssh: include line number in state change debug messages 6871 6872 Closes #2713 6873 6874 - KNOWN_BUGS: Borland support is dropped, AIX problem is too old 6875 6876 - [Jeroen Ooms brought this change] 6877 6878 example/crawler.c: simple crawler based on libxml2 6879 6880 Closes #2706 6881 6882 - RELEASE-NOTES: synced 6883 6884 - DEPRECATE: include year when specifying date 6885 6886 - DEPRECATE: linkified 6887 6888 - DEPRECATE: mention the PR that disabled axTLS 6889 6890 - docs/DEPRECATE.md: spelling and minor formatting 6891 6892 - DEPRECATE: new doc describing planned item removals 6893 6894 Closes #2704 6895 6896 - [Gisle Vanem brought this change] 6897 6898 telnet: fix clang warnings 6899 6900 telnet.c(1401,28): warning: cast from function call of type 'int' to 6901 non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast] 6902 6903 Fixes #2696 6904 Closes #2700 6905 6906 - docs: fix missed option name markups 6907 6908 - [Gaurav Malhotra brought this change] 6909 6910 openssl: Remove some dead code 6911 6912 Closes #2698 6913 6914 - openssl: make the requested TLS version the *minimum* wanted 6915 6916 The code treated the set version as the *exact* version to require in 6917 the TLS handshake, which is not what other TLS backends do and probably 6918 not what most people expect either. 6919 6920 Reported-by: Andreas Olsson 6921 Assisted-by: Gaurav Malhotra 6922 Fixes #2691 6923 Closes #2694 6924 6925 - RELEASE-NOTES: synced 6926 6927 - openssl: allow TLS 1.3 by default 6928 6929 Reported-by: Andreas Olsson 6930 Fixes #2692 6931 Closes #2693 6932 6933 - [Adrian Peniak brought this change] 6934 6935 CURLINFO_TLS_SSL_PTR.3: improve the example 6936 6937 The previous example was a little bit confusing, because SSL* structure 6938 (or other "in use" SSL connection pointer) is not accessible after the 6939 transfer is completed, therefore working with the raw TLS library 6940 specific pointer needs to be done during transfer. 6941 6942 Closes #2690 6943 6944 - travis: add a build using the synchronous name resolver 6945 6946 ... since default uses the threaded one and we test the c-ares build 6947 already. 6948 6949 Closes #2689 6950 6951 - configure: remove CURL_CHECK_NI_WITHSCOPEID too 6952 6953 Since it isn't used either and requires the getnameinfo check 6954 6955 Follow-up to 0aeca41702d2 6956 6957 - getnameinfo: not used 6958 6959 Closes #2687 6960 6961 - easy_perform: use *multi_timeout() to get wait times 6962 6963 ... and trim the threaded Curl_resolver_getsock() to return zero 6964 millisecond wait times during the first three milliseconds so that 6965 localhost or names in the OS resolver cache gets detected and used 6966 faster. 6967 6968 Closes #2685 6969 6970 Max Dymond (27 Jun 2018) 6971 - configure: Add dependent libraries after crypto 6972 6973 The linker is pretty dumb and processes things left to right, keeping a 6974 tally of symbols it hasn't resolved yet. So, we need -ldl to appear 6975 after -lcrypto otherwise the linker won't find the dl functions. 6976 6977 Closes #2684 6978 6979 Daniel Stenberg (27 Jun 2018) 6980 - GOVERNANCE: linkify, changed some titles 6981 6982 - GOVERNANCE: add maintainer details/duties 6983 6984 - url: check Curl_conncache_add_conn return code 6985 6986 ... it was previously unchecked in two places and thus errors could 6987 remain undetected and cause trouble. 6988 6989 Closes #2681 6990 6991 - include/README: remove "hacking" advice, not the right place 6992 6993 - RELEASE-NOTES: synced 6994 6995 - CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake 6996 6997 Follow-up to b6a16afa0aa5 6998 6999 - netrc: use a larger buffer 7000 7001 ... to work with longer passwords etc. Grow it from a 256 to a 4096 7002 bytes buffer. 7003 7004 Reported-by: Dario Nieuwenhuis 7005 Fixes #2676 7006 Closes #2680 7007 7008 - [Patrick Schlangen brought this change] 7009 7010 CURLOPT_SSL_VERIFYPEER.3: Add performance note 7011 7012 Closes #2673 7013 7014 - [Javier Blazquez brought this change] 7015 7016 multi: fix crash due to dangling entry in connect-pending list 7017 7018 Fixes #2677 7019 Closes #2679 7020 7021 - ConnectionExists: make sure conn->data is set when "taking" a connection 7022 7023 Follow-up to 2c15693. 7024 7025 Bug #2674 7026 Closes #2675 7027 7028 - [Kevin R. Bulgrien brought this change] 7029 7030 system.h: fix for gcc on 32 bit OpenServer 7031 7032 Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html 7033 7034 - [Raphael Gozzo brought this change] 7035 7036 cmake: allow multiple SSL backends 7037 7038 This will make possible to select the SSL backend (using 7039 curl_global_sslset()) even when the libcurl is built using CMake 7040 7041 Closes #2665 7042 7043 - url: fix dangling conn->data pointer 7044 7045 By masking sure to use the *current* easy handle with extracted 7046 connections from the cache, and make sure to NULLify the ->data pointer 7047 when the connection is put into the cache to make this mistake easier to 7048 detect in the future. 7049 7050 Reported-by: Will Dietz 7051 Fixes #2669 7052 Closes #2672 7053 7054 - CURLOPT_INTERFACE.3: interface names not supported on Windows 7055 7056 - travis: run more tests for coverage check 7057 7058 ... run a few more tortured based and run all tests event-based. 7059 7060 Closes #2664 7061 7062 - multi: fix memory leak when stopped during name resolve 7063 7064 When the application just started the transfer and then stops it while 7065 the name resolve in the background thread hasn't completed, we need to 7066 wait for the resolve to complete and then cleanup data accordingly. 7067 7068 Enabled test 1553 again and added test 1590 to also check when the host 7069 name resolves successfully. 7070 7071 Detected by OSS-fuzz. 7072 Closes #1968 7073 7074 Viktor Szakats (15 Jun 2018) 7075 - maketgz: delete .bak files, fix indentation 7076 7077 Ref: https://github.com/curl/curl/pull/2660 7078 7079 Closes https://github.com/curl/curl/pull/2662 7080 7081 Daniel Stenberg (15 Jun 2018) 7082 - runtests.pl: remove debug leftover from bb9a340c73f3 7083 7084 - curl-confopts.m4: fix typo from ed224f23d5beb 7085 7086 Fixes my local configure to detect a custom installed c-ares without 7087 pkgconfig. 7088 7089 - docs/RELEASE-PROCEDURE.md: renamed to use .md extension 7090 7091 Closes #2663 7092 7093 - RELEASE-PROCEDURE: gpg sign the tags 7094 7095 - RELEASE-NOTES: synced 7096 7097 - CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0 7098 7099 - [Mamta Upadhyay brought this change] 7100 7101 maketgz: fix sed issues on OSX 7102 7103 maketgz creates release tarballs and removes the -DEV string in curl 7104 version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl 7105 is run. maketgz works fine on linux but fails on OSX. Problem is with 7106 the sed commands that use option -i without an extension. Maketgz 7107 expects GNU sed instead of BSD and this simply won't work on OSX. Adding 7108 a backup extension .bak after -i fixes this issue 7109 7110 Running the script as if on OSX gives this error: 7111 7112 sed: -e: No such file or directory 7113 7114 Adding a .bak extension resolves it 7115 7116 Closes #2660 7117 7118 - configure: enhance ability to detect/build with static openssl 7119 7120 Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for 7121 building with static libs without pkg-config. 7122 7123 Reported-by: Marcel Raad 7124 Fixes #2199 7125 Closes #2659 7126 7127 - configure: use pkg-config for c-ares detection 7128 7129 First check if there's c-ares information given as pkg-config info and use 7130 that as first preference. 7131 7132 Reported-by: pszemus on github 7133 Fixes #2203 7134 Closes #2658 7135 7136 - GOVERNANCE.md: explains how this project is run 7137 7138 Closes #2657 7139 7140 - KNOWN_BUGS: NTLM doen't support password with character 7141 7142 Closes #2120 7143 7144 - KNOWN_BUGS: slow connect to localhost on Windows 7145 7146 Closes #2281 7147 7148 - [Matteo Bignotti brought this change] 7149 7150 mk-ca-bundle.pl: make -u delete certdata.txt if found not changed 7151 7152 certdata.txt should be deleted also when the process is interrupted by 7153 "same certificate downloaded, exiting" 7154 7155 The certdata.txt is currently kept on disk even if you give the -u 7156 option 7157 7158 Closes #2655 7159 7160 - progress: remove a set of unused defines 7161 7162 Reported-by: Peter Wu 7163 Closes #2654 7164 7165 - TODO: "Option to refuse usernames in URLs" done 7166 7167 Implemented by Bjrn in 946ce5b61f 7168 7169 - [Lyman Epp brought this change] 7170 7171 Curl_init_do: handle NULL connection pointer passed in 7172 7173 Closes #2653 7174 7175 - runtests: support variables in <strippart> 7176 7177 ... and make use of that to make 1455 work better without using a fixed 7178 local port number. 7179 7180 Fixes #2649 7181 Closes #2650 7182 7183 - Curl_debug: remove dead printhost code 7184 7185 The struct field is never set (since 5e0d9aea3) so remove the use of it 7186 and remove the connectdata pointer from the prototype. 7187 7188 Reported-by: Tejas 7189 Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html 7190 Closes #2647 7191 7192 Viktor Szakats (12 Jun 2018) 7193 - schannel: avoid incompatible pointer warning 7194 7195 with clang-6.0: 7196 ``` 7197 vtls/schannel_verify.c: In function 'add_certs_to_store': 7198 vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types] 7199 &cert_context)) { 7200 ^ 7201 In file included from /usr/share/mingw-w64/include/schannel.h:10:0, 7202 from /usr/share/mingw-w64/include/schnlsp.h:9, 7203 from vtls/schannel.h:29, 7204 from vtls/schannel_verify.c:40: 7205 /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}' 7206 WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags, 7207 ^~~~~~~~~~~~~~~~ 7208 ``` 7209 Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264 7210 7211 Closes https://github.com/curl/curl/pull/2648 7212 7213 Daniel Stenberg (12 Jun 2018) 7214 - [Robert Prag brought this change] 7215 7216 schannel: support selecting ciphers 7217 7218 Given the contstraints of SChannel, I'm exposing these as the algorithms 7219 themselves instead; while replicating the ciphersuite as specified by 7220 OpenSSL would have been preferable, I found no way in the SChannel API 7221 to do so. 7222 7223 To use this from the commandline, you need to pass the names of contants 7224 defining the desired algorithms. For example, curl --ciphers 7225 "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" 7226 https://github.com The specific names come from wincrypt.h 7227 7228 Closes #2630 7229 7230 - [Bernhard M. Wiedemann brought this change] 7231 7232 test 46: make test pass after 2025 7233 7234 shifting the expiry date to 2037 for now 7235 to be before the possibly problematic year 2038 7236 7237 similar in spirit to commit e6293cf8764e9eecb 7238 7239 Closes #2646 7240 7241 - [Marian Klymov brought this change] 7242 7243 cppcheck: fix warnings 7244 7245 - Get rid of variable that was generating false positive warning 7246 (unitialized) 7247 7248 - Fix issues in tests 7249 7250 - Reduce scope of several variables all over 7251 7252 etc 7253 7254 Closes #2631 7255 7256 - openssl: assume engine support in 1.0.1 or later 7257 7258 Previously it was checked for in configure/cmake, but that would then 7259 leave other build systems built without engine support. 7260 7261 While engine support probably existed prior to 1.0.1, I decided to play 7262 safe. If someone experience a problem with this, we can widen the 7263 version check. 7264 7265 Fixes #2641 7266 Closes #2644 7267 7268 - RELEASE-NOTES: synced 7269 7270 - RELEASE-PROCEDURE: update the release calendar for 2019 7271 7272 - [Gisle Vanem brought this change] 7273 7274 boringssl + schannel: undef X509_NAME in lib/schannel.h 7275 7276 Fixes the build problem when both boringssl and schannel are enabled. 7277 7278 Fixes #2634 7279 Closes #2643 7280 7281 - [Vladimir Kotal brought this change] 7282 7283 mk-ca-bundle.pl: leave certificate name untouched in decode() 7284 7285 Closes #2640 7286 7287 - [Rikard Falkeborn brought this change] 7288 7289 tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES 7290 7291 This removes the generated lib1521.c when running make clean. 7292 7293 Closes #2633 7294 7295 - [Rikard Falkeborn brought this change] 7296 7297 tests/libtest: Add lib1521 to nodist_SOURCES 7298 7299 Since 467da3af0, lib1521.c is generated instead of checked in. According 7300 to the commit message, the intention was to remove it from the tarball 7301 as well. However, it is still present when running make dist. To remove 7302 it, add it to nodist_lib1521_SOURCES. This also means there is no need 7303 for the manually added dist-rule in the Makefile. 7304 7305 Also update CMakelists.txt to handle the fact that we now may have 7306 nodist_SOURCES. 7307 7308 - [Stephan Mhlstrasser brought this change] 7309 7310 system.h: add support for IBM xlc C compiler 7311 7312 Added a section to system.h guarded with __xlc__ for the IBM xml C 7313 compiler. Before this change the section titled 'generic "safe guess" on 7314 old 32 bit style' was used, which resulted in a wrong definition of 7315 CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T 7316 was wrong. 7317 7318 Compilation warnings fixed with this change: 7319 7320 CC libcurl_la-ftp.lo 7321 "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7322 "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7323 "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7324 "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7325 "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7326 CC libcurl_la-connect.lo 7327 "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7328 "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7329 "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7330 "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7331 CC libcurl_la-tftp.lo 7332 "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 7333 7334 Closes #2637 7335 7336 - cmdline-opts/cert-type.d: mention "p12" as a recognized type as well 7337 7338 Viktor Szakats (3 Jun 2018) 7339 - spelling fixes 7340 7341 Detected using the `codespell` tool (version 1.13.0). 7342 7343 Also secure and fix an URL. 7344 7345 Daniel Stenberg (2 Jun 2018) 7346 - axtls: follow-up spell fix of comment 7347 7348 - axTLS: not considered fit for use 7349 7350 URL: https://curl.haxx.se/mail/lib-2018-06/0000.html 7351 7352 This is step one. It adds #error statements that require source edits to 7353 make curl build again if asked to use axTLS. At a later stage we might 7354 remove the axTLS specific code completely. 7355 7356 Closes #2628 7357 7358 - build: remove the Borland specific makefiles 7359 7360 According to the user survey 2018, not even one out of 670 users use 7361 them. Nobody on the mailing list spoke up for them either. 7362 7363 Closes #2629 7364 7365 - curl_addrinfo: use same #ifdef conditions in source as header 7366 7367 ... for curl_dofreeaddrinfo 7368 7369 - multi: remove a DEBUGF() 7370 7371 ... it might call infof() with a NULL first argument that isn't harmful 7372 but makes it not do anything. The infof() line is not very useful 7373 anymore, it has served it purpose. Good riddance! 7374 7375 Fixes #2627 7376 7377 - [Alibek.Jorajev brought this change] 7378 7379 CURLOPT_RESOLVE: always purge old entry first 7380 7381 If there's an existing entry using the selected name. 7382 7383 Closes #2622 7384 7385 - fnmatch: use the system one if available 7386 7387 If configure detects fnmatch to be available, use that instead of our 7388 custom one for FTP wildcard pattern matching. For standard compliance, 7389 to reduce our footprint and to use already well tested and well 7390 exercised code. 7391 7392 A POSIX fnmatch behaves slightly different than the internal function 7393 for a few test patterns currently and the macOS one yet slightly 7394 different. Test case 1307 is adjusted for these differences. 7395 7396 Closes #2626 7397 7398 Patrick Monnerat (31 May 2018) 7399 - os400: add new option in ILE/RPG binding 7400 7401 Follow-up to commit 946ce5b 7402 7403 Daniel Stenberg (31 May 2018) 7404 - tests/libtest/.gitignore: follow-up fix to ignore lib5* too 7405 7406 - KNOWN_BUGS: CURL_GLOBAL_SSL 7407 7408 Closes #2276 7409 7410 - [Bernhard Walle brought this change] 7411 7412 configure: check for declaration of getpwuid_r 7413 7414 On our x86 Android toolchain, getpwuid_r is implemented but the header 7415 is missing: 7416 7417 netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration] 7418 7419 Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved 7420 the prototype to curl_setup.h. 7421 7422 Signed-off-by: Bernhard Walle <bernhard (a] bwalle.de> 7423 Closes #2609 7424 7425 - [Rikard Falkeborn brought this change] 7426 7427 tests: update .gitignore for libtests 7428 7429 Closes #2624 7430 7431 - [Rikard Falkeborn brought this change] 7432 7433 strictness: correct {infof, failf} format specifiers 7434 7435 Closes #2623 7436 7437 - [Bjrn Stenberg brought this change] 7438 7439 option: disallow username in URL 7440 7441 Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes 7442 libcurl reject URLs with a username in them. 7443 7444 Closes #2340 7445 7446 - libcurl-security.3: improved layout for two rememdy lists 7447 7448 - libcurl-security.3: refer to URL instead of in-source markdown file 7449 7450 Viktor Szakats (30 May 2018) 7451 - curl.rc: embed manifest for correct Windows version detection 7452 7453 * enable it in `src/Makefile.m32` 7454 * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is 7455 _not_ enabled via the existing `EMBED_MANIFEST` option 7456 * enable it for all Windows CMake builds (also disable the built-in 7457 minimal manifest, added by CMake by default.) 7458 7459 For other build systems, add the `-DCURL_EMBED_MANIFEST` option to 7460 the list of RC (Resource Compiler) flags to enable the manifest 7461 included in `src/curl.rc`. This may require to disable whatever 7462 automatic or other means in which way another manifest is added to 7463 `curl.exe`. 7464 7465 Notice that Borland C doesn't support this method due to a 7466 long-pending resource compiler bug. Watcom C may also not handle 7467 it correctly when the `-zm` `wrc` option is used (this option may 7468 be unnecessary though) and regardless of options in certain earlier 7469 revisions of the 2.0 beta version. 7470 7471 Closes https://github.com/curl/curl/pull/1221 7472 Fixes https://github.com/curl/curl/issues/2591 7473 7474 Patrick Monnerat (30 May 2018) 7475 - os400: sync EBCDIC wrappers and ILE/RPG binding with latest options 7476 7477 - os400: implement mime api EBCDIC wrappers 7478 7479 Also sync ILE/RPG binding to define the new functions. 7480 7481 Daniel Stenberg (29 May 2018) 7482 - setopt: add TLS 1.3 ciphersuites 7483 7484 Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. 7485 7486 curl: added --tls13-ciphers and --proxy-tls13-ciphers 7487 7488 Fixes #2435 7489 Reported-by: zzq1015 on github 7490 Closes #2607 7491 7492 - configure: override AR_FLAGS to silence warning 7493 7494 The automake default ar flags are 'cru', but the 'u' flag in there 7495 causes warnings on many modern Linux distros. Removing 'u' may have a 7496 minor performance impact on older distros but should not cause harm. 7497 7498 Explained on the automake mailing list already back in April 2015: 7499 7500 https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html 7501 7502 Reported-by: elephoenix on github 7503 Fixes #2617 7504 Closes #2619 7505 7506 Sergei Nikulov (29 May 2018) 7507 - cmake: fixed comments in compile checks code 7508 7509 Daniel Stenberg (29 May 2018) 7510 - INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib 7511 7512 ... the older description doesn't work 7513 7514 Reported-by: Peter Varga 7515 Fixes #2615 7516 Closes #2616 7517 7518 - [Will Dietz brought this change] 7519 7520 KNOWN_BUGS: restore text regarding #2101. 7521 7522 This was added earlier but appears to have been removed accidentally. 7523 7524 AFAICT this is very much still an issue. 7525 7526 ----- 7527 7528 I say "accidentally" because the text seems to have harmlessly snuck 7529 into [1] (which makes no mention of it). [1] was later reverted for 7530 unspecified reasons in [2], presumably because the mentioned issue was 7531 fixed or invalid. 7532 7533 [1] de9fac00c40db321d44fa6fbab6eb62ec4c83998 7534 [2] 16d1f369403cbb04bd7b085eabbeebf159473fc2 7535 7536 Closes #2618 7537 7538 - fnmatch: insist on escaped bracket to match 7539 7540 A non-escaped bracket ([) is for a character group - as documented. It 7541 will *not* match an individual bracket anymore. Test case 1307 updated 7542 accordingly to match. 7543 7544 Problem detected by OSS-Fuzz, although this fix is probably not a final 7545 fix for the notorious timeout issues. 7546 7547 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525 7548 Closes #2614 7549 7550 Patrick Monnerat (28 May 2018) 7551 - psl: use latest psl and refresh it periodically 7552 7553 The latest psl is cached in the multi or share handle. It is refreshed 7554 before use after 72 hours. 7555 New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. 7556 If the latest psl is not available, the builtin psl is used. 7557 7558 Reported-by: Yaakov Selkowitz 7559 Fixes #2553 7560 Closes #2601 7561 7562 Daniel Stenberg (28 May 2018) 7563 - [Fabrice Fontaine brought this change] 7564 7565 configure: fix ssh2 linking when built with a static mbedtls 7566 7567 The ssh2 pkg-config file could contain the following lines when build 7568 with a static version of mbedtls: 7569 Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a 7570 Libs.private: /xxx/libmbedcrypto.a 7571 7572 This static mbedtls library must be used to correctly detect ssh2 7573 support and this library must be copied in libcurl.pc otherwise 7574 compilation of any application (such as upmpdcli) with libcurl will fail 7575 when trying to found mbedtls functions included in libssh2. So, replace 7576 pkg-config --libs-only-l by pkg-config --libs. 7577 7578 Fixes: 7579 - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a 7580 7581 Signed-off-by: Fabrice Fontaine <fontaine.fabrice (a] gmail.com> 7582 Closes #2613 7583 7584 - RELEASE-NOTES: synced 7585 7586 - [Bernhard Walle brought this change] 7587 7588 cmake: check for getpwuid_r 7589 7590 The autotools-based build system does it, so we do it also in CMake. 7591 7592 Bug: #2609 7593 Signed-off-by: Bernhard Walle <bernhard (a] bwalle.de> 7594 7595 - cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options 7596 7597 - [Frank Gevaerts brought this change] 7598 7599 curl.1: Fix cmdline-opts reference errors. 7600 7601 --data, --form, and --ntlm were declared to be mutually exclusive with 7602 non-existing options. --data and --form referred to --upload (which is 7603 short for --upload-file and therefore did work, so this one was merely 7604 a bit confusing), --ntlm referred to --negotiated instead of --negotiate. 7605 7606 Closes #2612 7607 7608 - [Frank Gevaerts brought this change] 7609 7610 docs: fix cmdline-opts metadata headers case consistency. 7611 7612 Almost all headers start with an uppercase letter, but some didn't. 7613 7614 - mailmap: Max Savenkov 7615 7616 Sergei Nikulov (28 May 2018) 7617 - [Max Savenkov brought this change] 7618 7619 Fix the test for fsetxattr and strerror_r tests in CMake to work without compiling 7620 7621 Daniel Stenberg (27 May 2018) 7622 - mailmap: a Richard Alcock fixup 7623 7624 - [Richard Alcock brought this change] 7625 7626 schannel: add failf calls for client certificate failures 7627 7628 Closes #2604 7629 7630 - [Richard Alcock brought this change] 7631 7632 winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST 7633 7634 Change requirement from $(DISTDIR) to $(DIRDIST) 7635 7636 closes #2603 7637 7638 - [Richard Alcock brought this change] 7639 7640 winbuild: only delete OUTFILE if it exists 7641 7642 This removes the slightly annoying "Could not file LIBCURL_OBJS.inc" and 7643 "Could not find CURL_OBJS.inc.inc" message when building into a clean 7644 folder. 7645 7646 closes #2602 7647 7648 - [Alejandro R. Sedeo brought this change] 7649 7650 content_encoding: handle zlib versions too old for Z_BLOCK 7651 7652 Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available. 7653 7654 Fixes #2606 7655 Closes #2608 7656 7657 - multi: provide a socket to wait for in Curl_protocol_getsock 7658 7659 ... even when there's no protocol specific handler setup. 7660 7661 Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html 7662 Reported-by: Sean Miller 7663 Closes #2600 7664 7665 - [Linus Lewandowski brought this change] 7666 7667 httpauth: add support for Bearer tokens 7668 7669 Closes #2102 7670 7671 - TODO: CURLINFO_PAUSE_STATE 7672 7673 Closes #2588 7674 7675 Sergei Nikulov (24 May 2018) 7676 - cmake: set -d postfix for debug builds if not specified 7677 using -DCMAKE_DEBUG_POSTFIX explicitly 7678 7679 fixes #2121, obsoletes #2384 7680 7681 Daniel Stenberg (23 May 2018) 7682 - configure: add basic test of --with-ssl prefix 7683 7684 When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or 7685 $PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an 7686 error. Helps users detect when giving configure the wrong path. 7687 7688 Reported-by: Oleg Pudeyev 7689 Assisted-by: Per Malmberg 7690 Fixes #2580 7691 7692 Patrick Monnerat (22 May 2018) 7693 - http resume: skip body if http code 416 (range error) is ignored. 7694 7695 This avoids appending error data to already existing good data. 7696 7697 Test 92 is updated to match this change. 7698 New test 1156 checks all combinations of --range/--resume, --fail, 7699 Content-Range header and http status code 200/416. 7700 7701 Fixes #1163 7702 Reported-By: Ithubg on github 7703 Closes #2578 7704 7705 Daniel Stenberg (22 May 2018) 7706 - tftp: make sure error is zero terminated before printfing it 7707 7708 - configure: add missing m4/ax_compile_check_sizeof.m4 7709 7710 follow-up to mistake in 6876ccf90b4 7711 7712 Jay Satiro (22 May 2018) 7713 - [Johannes Schindelin brought this change] 7714 7715 schannel: make CAinfo parsing resilient to CR/LF 7716 7717 OpenSSL has supported --cacert for ages, always accepting LF-only line 7718 endings ("Unix line endings") as well as CR/LF line endings ("Windows 7719 line endings"). 7720 7721 When we introduced support for --cacert also with Secure Channel (or in 7722 cURL speak: "WinSSL"), we did not take care to support CR/LF line 7723 endings, too, even if we are much more likely to receive input in that 7724 form when using Windows. 7725 7726 Let's fix that. 7727 7728 Happily, CryptQueryObject(), the function we use to parse the ca-bundle, 7729 accepts CR/LF input already, and the trailing LF before the END 7730 CERTIFICATE marker catches naturally any CR/LF line ending, too. So all 7731 we need to care about is the BEGIN CERTIFICATE marker. We do not 7732 actually need to verify here that the line ending is CR/LF. Just 7733 checking for a CR or an LF is really plenty enough. 7734 7735 Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de> 7736 7737 Closes https://github.com/curl/curl/pull/2592 7738 7739 Daniel Stenberg (22 May 2018) 7740 - CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit 7741 7742 - RELEASE-NOTES: synced 7743 7744 - KNOWN_BUGS: mention the -O with %-encoded file names 7745 7746 Closes #2573 7747 7748 - checksrc: make sure sizeof() is used *with* parentheses 7749 7750 ... and unify the source code to adhere. 7751 7752 Closes #2563 7753 7754 - curl: added --styled-output 7755 7756 It is enabled by default, so --no-styled-output will switch off the 7757 detection/use of bold headers. 7758 7759 Closes #2538 7760 7761 - curl: show headers in bold 7762 7763 The feature is only enabled if the output is believed to be a tty. 7764 7765 -J: There's some minor differences and improvements in -J handling, as 7766 now J should work with -i and it actually creates a file first using the 7767 initial name and then *renames* that to the one found in 7768 Content-Disposition (if any). 7769 7770 -i: only shows headers for HTTP transfers now (as documented). 7771 Previously it would also show for pieces of the transfer that were HTTP 7772 (for example when doing FTP over a HTTP proxy). 7773 7774 -i: now shows trailers as well. Previously they were not shown at all. 7775 7776 --libcurl: the CURLOPT_HEADER is no longer set, as the header output is 7777 now done in the header callback. 7778 7779 - configure: compile-time SIZEOF checks 7780 7781 ... instead of exeucting code to get the size. Removes the use of 7782 LD_LIBRARY_PATH for this. 7783 7784 Fixes #2586 7785 Closes #2589 7786 Reported-by: Bernhard Walle 7787 7788 - configure: replace AC_TRY_RUN with CURL_RUN_IFELSE 7789 7790 ... and export LD_LIBRARY_PATH properly. This is a follow-up from 7791 2d4c215. 7792 7793 Fixes #2586 7794 Reported-by: Bernhard Walle 7795 7796 - docs: clarify CURLOPT_HTTPGET somewhat 7797 7798 Reported-by: bsammon on github 7799 Fixes #2590 7800 7801 - curl_fnmatch: only allow two asterisks for matching 7802 7803 The previous limit of 5 can still end up in situation that takes a very 7804 long time and consumes a lot of CPU. 7805 7806 If there is still a rare use case for this, a user can provide their own 7807 fnmatch callback for a version that allows a larger set of wildcards. 7808 7809 This commit was triggered by yet another OSS-Fuzz timeout due to this. 7810 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369 7811 7812 Closes #2587 7813 7814 - checksrc: fix too long line 7815 7816 follow-up to e05ad5d 7817 7818 - [Aleks brought this change] 7819 7820 docs: mention HAproxy protocol "version 1" 7821 7822 ...as there's also a version 2. 7823 7824 Closes #2579 7825 7826 - examples/progressfunc: make it build on older libcurls 7827 7828 This example was changed in ce2140a8c1 to use the new microsecond based 7829 getinfo option. This change makes it conditionally keep using the older 7830 option so that the example still builds with older libcurl versions. 7831 7832 Closes #2584 7833 7834 - stub_gssapi: fix numerous 'unused parameter' warnings 7835 7836 follow-up to d9e92fd9fd1d 7837 7838 - [Philip Prindeville brought this change] 7839 7840 getinfo: add microsecond precise timers for various intervals 7841 7842 Provide a set of new timers that return the time intervals using integer 7843 number of microseconds instead of floats. 7844 7845 The new info names are as following: 7846 7847 CURLINFO_APPCONNECT_TIME_T 7848 CURLINFO_CONNECT_TIME_T 7849 CURLINFO_NAMELOOKUP_TIME_T 7850 CURLINFO_PRETRANSFER_TIME_T 7851 CURLINFO_REDIRECT_TIME_T 7852 CURLINFO_STARTTRANSFER_TIME_T 7853 CURLINFO_TOTAL_TIME_T 7854 7855 Closes #2495 7856 7857 - openssl: acknowledge --tls-max for default version too 7858 7859 ... previously it only used the max setting if a TLS version was also 7860 explicitly asked for. 7861 7862 Reported-by: byte_bucket 7863 Fixes #2571 7864 Closes #2572 7865 7866 - bump: start working on the pending 7.61.0 7867 7868 - [Dagobert Michelsen brought this change] 7869 7870 tests/libtest/Makefile: Do not unconditionally add gcc-specific flags 7871 7872 The warning flag leads e.g. Sun Studio compiler to bail out. 7873 7874 Closes #2576 7875 7876 - schannel_verify: fix build for non-schannel 7877 7878 Jay Satiro (16 May 2018) 7879 - rand: fix typo 7880 7881 - schannel: disable manual verify if APIs not available 7882 7883 .. because original MinGW and old compilers do not have the Windows API 7884 definitions needed to support manual verification. 7885 7886 - [Archangel_SDY brought this change] 7887 7888 schannel: disable client cert option if APIs not available 7889 7890 Original MinGW targets Windows 2000 by default, which lacks some APIs and 7891 definitions for this feature. Disable it if these APIs are not available. 7892 7893 Closes https://github.com/curl/curl/pull/2522 7894 7895 Version 7.60.0 (15 May 2018) 7896 7897 Daniel Stenberg (15 May 2018) 7898 - RELEASE-NOTES: 7.60.0 release 7899 7900 - THANKS: added people from the curl 7.60.0 release 7901 7902 - docs/libcurl/index.html: removed 7903 7904 The HTML files are long gone from the dist, now remove the last HTML 7905 file pointing to those missing files. 7906 7907 d 7908 7909 - [steini2000 brought this change] 7910 7911 http2: remove unused variable 7912 7913 Closes #2570 7914 7915 - [steini2000 brought this change] 7916 7917 http2: use easy handle of stream for logging 7918 7919 - gcc: disable picky gcc-8 function pointer warnings in two places 7920 7921 Reported-by: Rikard Falkeborn 7922 Bug: #2560 7923 Closes #2569 7924 7925 - http2: use the correct function pointer typedef 7926 7927 Fixes gcc-8 picky compiler warnings 7928 Reported-by: Rikard Falkeborn 7929 Bug: #2560 7930 Closes #2568 7931 7932 - CODE_STYLE: mention return w/o parens, but sizeof with 7933 7934 ... and remove the github markdown syntax so that it renders better on 7935 the web site. Also, don't use back-ticks inlined to allow the CSS to 7936 highlight source code better. 7937 7938 - [Rikard Falkeborn brought this change] 7939 7940 examples: Fix format specifiers 7941 7942 Closes #2561 7943 7944 - [Rikard Falkeborn brought this change] 7945 7946 tool: Fix format specifiers 7947 7948 - [Rikard Falkeborn brought this change] 7949 7950 ntlm: Fix format specifiers 7951 7952 - [Rikard Falkeborn brought this change] 7953 7954 tests: Fix format specifiers 7955 7956 - [Rikard Falkeborn brought this change] 7957 7958 lib: Fix format specifiers 7959 7960 - contributors.sh: use "on github", not at 7961 7962 - http2: getsock fix for uploads 7963 7964 When there's an upload in progress, make sure to wait for the socket to 7965 become writable. 7966 7967 Detected-by: steini2000 on github 7968 Bug: #2520 7969 Closes #2567 7970 7971 - pingpong: fix response cache memcpy overflow 7972 7973 Response data for a handle with a large buffer might be cached and then 7974 used with the "closure" handle when it has a smaller buffer and then the 7975 larger cache will be copied and overflow the new smaller heap based 7976 buffer. 7977 7978 Reported-by: Dario Weisser 7979 CVE: CVE-2018-1000300 7980 Bug: https://curl.haxx.se/docs/adv_2018-82c2.html 7981 7982 - http: restore buffer pointer when bad response-line is parsed 7983 7984 ... leaving the k->str could lead to buffer over-reads later on. 7985 7986 CVE: CVE-2018-1000301 7987 Assisted-by: Max Dymond 7988 7989 Detected by OSS-Fuzz. 7990 Bug: https://curl.haxx.se/docs/adv_2018-b138.html 7991 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 7992 7993 Patrick Monnerat (13 May 2018) 7994 - cookies: do not take cookie name as a parameter 7995 7996 RFC 6265 section 4.2.1 does not set restrictions on cookie names. 7997 This is a follow-up to commit 7f7fcd0. 7998 Also explicitly check proper syntax of cookie name/value pair. 7999 8000 New test 1155 checks that cookie names are not reserved words. 8001 8002 Reported-By: anshnd at github 8003 Fixes #2564 8004 Closes #2566 8005 8006 Daniel Stenberg (12 May 2018) 8007 - smb: reject negative file sizes 8008 8009 Assisted-by: Max Dymond 8010 8011 Detected by OSS-Fuzz 8012 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 8013