Home | History | Annotate | Download | only in curl
      1                                   _   _ ____  _
      2                               ___| | | |  _ \| |
      3                              / __| | | | |_) | |
      4                             | (__| |_| |  _ <| |___
      5                              \___|\___/|_| \_\_____|
      6 
      7                                   Changelog
      8 
      9 Version 7.64.1 (27 Mar 2019)
     10 
     11 Daniel Stenberg (27 Mar 2019)
     12 - RELEASE: 7.64.1
     13 
     14 - Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"
     15   
     16   This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00.
     17   
     18   Fixes #3708
     19 
     20 - [Christian Schmitz brought this change]
     21 
     22   ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set
     23   
     24   Closes #3704
     25 
     26 Jay Satiro (26 Mar 2019)
     27 - tool_cb_wrt: fix writing to Windows null device NUL
     28   
     29   - Improve console detection.
     30   
     31   Prior to this change WriteConsole could be called to write to a handle
     32   that may not be a console, which would cause an error. This issue is
     33   limited to character devices that are not also consoles such as the null
     34   device NUL.
     35   
     36   Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724
     37   Reported-by: Gisle Vanem
     38 
     39 - CURLMOPT_PIPELINING.3: fix typo
     40 
     41 Daniel Stenberg (25 Mar 2019)
     42 - TODO: config file parsing
     43   
     44   Closes #3698
     45 
     46 Jay Satiro (24 Mar 2019)
     47 - os400: Disable Alt-Svc by default since it's experimental
     48   
     49   Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
     50   default for OS400. Since the feature is experimental, it should be
     51   disabled by default.
     52   
     53   Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
     54   Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html
     55   
     56   Closes https://github.com/curl/curl/pull/3688
     57 
     58 Dan Fandrich (24 Mar 2019)
     59 - tests: Fixed XML validation errors in some test files.
     60 
     61 - tests: Fix some incorrect precheck error messages.
     62   
     63   [ci skip]
     64 
     65 Daniel Stenberg (22 Mar 2019)
     66 - curl_url.3: this is not experimental anymore
     67 
     68 - travis: bump the used wolfSSL version to 4.0.0
     69   
     70   Test 311 is now fine, leaving only 313 (CRL) disabled.
     71   
     72   Test 313 details can be found here:
     73   https://github.com/wolfSSL/wolfssl/issues/1546
     74   
     75   Closes #3697
     76 
     77 Daniel Gustafsson (22 Mar 2019)
     78 - lib: Fix typos in comments
     79 
     80 David Woodhouse (20 Mar 2019)
     81 - openssl: if cert type is ENG and no key specified, key is ENG too
     82   
     83   Fixes #3692
     84   Closes #3692
     85 
     86 Daniel Stenberg (20 Mar 2019)
     87 - sectransp: tvOS 11 is required for ALPN support
     88   
     89   Reported-by: nianxuejie on github
     90   Assisted-by: Nick Zitzmann
     91   Assisted-by: Jay Satiro
     92   Fixes #3689
     93   Closes #3690
     94 
     95 - test1541: threaded connection sharing
     96   
     97   The threaded-shared-conn.c example turned into test case. Only works if
     98   pthread was detected.
     99   
    100   An attempt to detect future regressions such as e3a53e3efb942a5
    101   
    102   Closes #3687
    103 
    104 Patrick Monnerat (17 Mar 2019)
    105 - os400: alt-svc support.
    106   
    107   Although experimental, enable it in the platform config file.
    108   Upgrade ILE/RPG binding.
    109 
    110 Daniel Stenberg (17 Mar 2019)
    111 - conncache: use conn->data to know if a transfer owns it
    112   
    113   - make sure an already "owned" connection isn't returned unless
    114     multiplexed.
    115   
    116   - clear ->data when returning the connection to the cache again
    117   
    118   Regression since 7.62.0 (probably in commit 1b76c38904f0)
    119   
    120   Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html
    121   
    122   Closes #3686
    123 
    124 - RELEASE-NOTES: synced
    125 
    126 - [Chris Young brought this change]
    127 
    128   configure: add --with-amissl
    129   
    130   AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
    131   It also requires all programs using it to use bsdsocket.library
    132   directly, rather than accessing socket functions through clib, which
    133   libcurl was not necessarily doing previously. Configure will now check
    134   for the headers and ensure they are included if found.
    135   
    136   Closes #3677
    137 
    138 - [Chris Young brought this change]
    139 
    140   vtls: rename some of the SSL functions
    141   
    142   ... in the SSL structure as AmiSSL is using macros for the socket API
    143   functions.
    144 
    145 - [Chris Young brought this change]
    146 
    147   tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
    148 
    149 - [Chris Young brought this change]
    150 
    151   tool_operate: build on AmigaOS
    152 
    153 - makefile: make checksrc and hugefile commands "silent"
    154   
    155   ... to match the style already used for compiling, linking
    156   etc. Acknowledges 'make V=1' to enable verbose.
    157   
    158   Closes #3681
    159 
    160 - curl.1: --user and --proxy-user are hidden from ps output
    161   
    162   Suggested-by: Eric Curtin
    163   Improved-by: Dan Fandrich
    164   Ref: #3680
    165   
    166   Closes #3683
    167 
    168 - curl.1: mark the argument to --cookie as <data|filename>
    169   
    170   From a discussion in #3676
    171   
    172   Suggested-by: Tim Rhsen
    173   
    174   Closes #3682
    175 
    176 Dan Fandrich (14 Mar 2019)
    177 - fuzzer: Only clone the latest fuzzer code, for speed.
    178 
    179 Daniel Stenberg (14 Mar 2019)
    180 - [Dominik Hlzl brought this change]
    181 
    182   Negotiate: fix for HTTP POST with Negotiate
    183   
    184   * Adjusted unit tests 2056, 2057
    185   * do not generally close connections with CURLAUTH_NEGOTIATE after every request
    186   * moved negotiatedata from UrlState to connectdata
    187   * Added stream rewind logic for CURLAUTH_NEGOTIATE
    188   * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
    189   * Consider authproblem state for CURLAUTH_NEGOTIATE
    190   * Consider reuse_forbid for CURLAUTH_NEGOTIATE
    191   * moved and adjusted negotiate authentication state handling from
    192     output_auth_headers into Curl_output_negotiate
    193   * Curl_output_negotiate: ensure auth done is always set
    194   * Curl_output_negotiate: Set auth done also if result code is
    195     GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
    196     also indicate the last challenge request (only works with disabled
    197     Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
    198   * Consider "Persistent-Auth" header, detect if not present;
    199     Reset/Cleanup negotiate after authentication if no persistent
    200     authentication
    201   * apply changes introduced with #2546 for negotiate rewind logic
    202   
    203   Fixes #1261
    204   Closes #1975
    205 
    206 - [Marc Schlatter brought this change]
    207 
    208   http: send payload when (proxy) authentication is done
    209   
    210   The check that prevents payload from sending in case of authentication
    211   doesn't check properly if the authentication is done or not.
    212   
    213   They're cases where the proxy respond "200 OK" before sending
    214   authentication challenge. This change takes care of that.
    215   
    216   Fixes #2431
    217   Closes #3669
    218 
    219 - file: fix "Checking if unsigned variable 'readcount' is less than zero."
    220   
    221   Pointed out by codacy
    222   
    223   Closes #3672
    224 
    225 - memdebug: log pointer before freeing its data
    226   
    227   Coverity warned for two potentional "Use after free" cases. Both are false
    228   positives because the memory wasn't used, it was only the actual pointer
    229   value that was logged.
    230   
    231   The fix still changes the order of execution to avoid the warnings.
    232   
    233   Coverity CID 1443033 and 1443034
    234   
    235   Closes #3671
    236 
    237 - RELEASE-NOTES: synced
    238 
    239 Marcel Raad (12 Mar 2019)
    240 - travis: actually use updated compiler versions
    241   
    242   For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the
    243   new GCC versions were only used for the coverage build and for building
    244   nghttp2, while the new clang version was not used at all.
    245   
    246   BoringSSL needs to use the default GCC as it respects CC, but not CXX,
    247   so it would otherwise pass gcc 8 options to g++ 4.8 and fail.
    248   
    249   Also remove GCC 7, it's not needed anymore.
    250   
    251   Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning
    252   
    253   Closes https://github.com/curl/curl/pull/3670
    254 
    255 - travis: update clang to version 7
    256   
    257   Closes https://github.com/curl/curl/pull/3670
    258 
    259 Jay Satiro (11 Mar 2019)
    260 - [Andre Guibert de Bruet brought this change]
    261 
    262   examples/externalsocket: add missing close socket calls
    263   
    264   .. and for Windows also call WSACleanup since we call WSAStartup.
    265   
    266   The example is to demonstrate handling the socket independently of
    267   libcurl. In this case libcurl is not responsible for creating, opening
    268   or closing the socket, it is handled by the application (our example).
    269   
    270   Fixes https://github.com/curl/curl/pull/3663
    271 
    272 Daniel Stenberg (11 Mar 2019)
    273 - multi: removed unused code for request retries
    274   
    275   This code was once used for the non multi-interface using code path, but
    276   ever since easy_perform was turned into a wrapper around the multi
    277   interface, this code path never runs.
    278   
    279   Closes #3666
    280 
    281 Jay Satiro (11 Mar 2019)
    282 - doh: inherit some SSL options from user's easy handle
    283   
    284   - Inherit SSL options for the doh handle but not SSL client certs,
    285     SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
    286     SSL pinned public key, SSL ciphers, SSL id cache setting,
    287     SSL kerberos or SSL gss-api settings.
    288   
    289   - Fix inheritance of verbose setting.
    290   
    291   - Inherit NOSIGNAL.
    292   
    293   There is no way for the user to set options for the doh (DNS-over-HTTPS)
    294   handles and instead we inherit some options from the user's easy handle.
    295   
    296   My thinking for the SSL options not inherited is they are most likely
    297   not intended by the user for the DOH transfer. I did inherit insecure
    298   because I think that should still be in control of the user.
    299   
    300   Prior to this change doh did not work for me because CAINFO was not
    301   inherited. Also verbose was set always which AFAICT was a bug (#3660).
    302   
    303   Fixes https://github.com/curl/curl/issues/3660
    304   Closes https://github.com/curl/curl/pull/3661
    305 
    306 Daniel Stenberg (9 Mar 2019)
    307 - test331: verify set-cookie for dotless host name
    308   
    309   Reproduced bug #3649
    310   Closes #3659
    311 
    312 - Revert "cookies: extend domain checks to non psl builds"
    313   
    314   This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.
    315   
    316   Regression shipped in 7.64.0
    317   Fixes #3649
    318 
    319 - memdebug: make debug-specific functions use curl_dbg_ prefix
    320   
    321   To not "collide" or use up the regular curl_ name space. Also makes them
    322   easier to detect in helper scripts.
    323   
    324   Closes #3656
    325 
    326 - cmdline-opts/proxytunnel.d: the option tunnnels all protocols
    327   
    328   Clarify the language and simplify.
    329   
    330   Reported-by: Daniel Lublin
    331   Closes #3658
    332 
    333 - KNOWN_BUGS: Client cert (MTLS) issues with Schannel
    334   
    335   Closes #3145
    336 
    337 - ROADMAP: updated to some more current things to work on
    338 
    339 - tests: fix multiple may be used uninitialized warnings
    340 
    341 - RELEASE-NOTES: synced
    342 
    343 - source: fix two 'nread' may be used uninitialized warnings
    344   
    345   Both seem to be false positives but we don't like warnings.
    346   
    347   Closes #3646
    348 
    349 - gopher: remove check for path == NULL
    350   
    351   Since it can't be NULL and it makes Coverity believe we lack proper NULL
    352   checks. Verified by test 659, landed in commit 15401fa886b.
    353   
    354   Pointed out by Coverity CID 1442746.
    355   
    356   Assisted-by: Dan Fandrich
    357   Fixes #3617
    358   Closes #3642
    359 
    360 - examples: only include <curl/curl.h>
    361   
    362   That's the only public curl header we should encourage use of.
    363   
    364   Reviewed-by: Marcel Raad
    365   Closes #3645
    366 
    367 - ssh: loop the state machine if not done and not blocking
    368   
    369   If the state machine isn't complete, didn't fail and it didn't return
    370   due to blocking it can just as well loop again.
    371   
    372   This addresses the problem with SFTP directory listings where we would
    373   otherwise return back to the parent and as the multi state machine
    374   doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
    375   doing phase isn't complete, it would return out when in reality there
    376   was more data to deal with.
    377   
    378   Fixes #3506
    379   Closes #3644
    380 
    381 Jay Satiro (5 Mar 2019)
    382 - multi: support verbose conncache closure handle
    383   
    384   - Change closure handle to receive verbose setting from the easy handle
    385     most recently added via curl_multi_add_handle.
    386   
    387   The closure handle is a special easy handle used for closing cached
    388   connections. It receives limited settings from the easy handle most
    389   recently added to the multi handle. Prior to this change that did not
    390   include verbose which was a problem because on connection shutdown
    391   verbose mode was not acknowledged.
    392   
    393   Ref: https://github.com/curl/curl/pull/3598
    394   
    395   Co-authored-by: Daniel Stenberg
    396   
    397   Closes https://github.com/curl/curl/pull/3618
    398 
    399 Daniel Stenberg (4 Mar 2019)
    400 - CURLU: fix NULL dereference when used over proxy
    401   
    402   Test 659 verifies
    403   
    404   Also fixed the test 658 name
    405   
    406   Closes #3641
    407 
    408 - altsvc_out: check the return code from Curl_gmtime
    409   
    410   Pointed out by Coverity, CID 1442956.
    411   
    412   Closes #3640
    413 
    414 - docs/ALTSVC.md: docs describing the approach
    415   
    416   Closes #3498
    417 
    418 - alt-svc: add a travis build
    419 
    420 - alt-svc: add test 355 and 356 to verify with command line curl
    421 
    422 - alt-svc: the curl command line bits
    423 
    424 - alt-svc: the libcurl bits
    425 
    426 - travis: add build using gnutls
    427   
    428   Closes #3637
    429 
    430 - RELEASE-NOTES: synced
    431 
    432 - [Simon Legner brought this change]
    433 
    434   scripts/completion.pl: also generate fish completion file
    435   
    436   This is the renamed script formerly known as zsh.pl
    437   
    438   Closes #3545
    439 
    440 - gnutls: remove call to deprecated gnutls_compression_get_name
    441   
    442   It has been deprecated by GnuTLS since a year ago and now causes build
    443   warnings.
    444   
    445   Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
    446   Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html
    447   
    448   Closes #3636
    449 
    450 Jay Satiro (2 Mar 2019)
    451 - system_win32: move win32_init here from easy.c
    452   
    453   .. since system_win32 is a more appropriate location for the functions
    454   and to extern the globals.
    455   
    456   Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
    457   Reported-by: Gisle Vanem
    458   
    459   Closes https://github.com/curl/curl/pull/3625
    460 
    461 Daniel Stenberg (1 Mar 2019)
    462 - curl_easy_duphandle.3: clarify that a duped handle has no shares
    463   
    464   Reported-by: Sara Golemon
    465   
    466   Fixes #3592
    467   Closes #3634
    468 
    469 - 10-at-a-time.c: fix too long line
    470 
    471 - [Arnaud Rebillout brought this change]
    472 
    473   examples: various fixes in ephiperfifo.c
    474   
    475   The main change here is the timer value that was wrong, it was given in
    476   usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 *
    477   1000). This resulted in the callback being invoked WAY TOO OFTEN.
    478   
    479   As a quick check you can run this command before and after applying this
    480   commit:
    481   
    482       # shell 1
    483       ./ephiperfifo 2>&1 | tee ephiperfifo.log
    484       # shell 2
    485       echo http://hacking.elboulangero.com > hiper.fifo
    486   
    487   Then just compare the size of the logs files.
    488   
    489   Closes #3633
    490   Fixes #3632
    491   Signed-off-by: Arnaud Rebillout <arnaud.rebillout (a] collabora.com>
    492 
    493 - urldata: simplify bytecounters
    494   
    495   - no need to have them protocol specific
    496   
    497   - no need to set pointers to them with the Curl_setup_transfer() call
    498   
    499   - make Curl_setup_transfer() operate on a transfer pointer, not
    500     connection
    501   
    502   - switch some counters from long to the more proper curl_off_t type
    503   
    504   Closes #3627
    505 
    506 - examples/10-at-a-time.c: improve readability and simplify
    507   
    508    - use better variable names to explain their purposes
    509    - convert logic to curl_multi_wait()
    510 
    511 - threaded-resolver: shutdown the resolver thread without error message
    512   
    513   When a transfer is done, the resolver thread will be brought down. That
    514   could accidentally generate an error message in the error buffer even
    515   though this is not an error situationand the transfer would still return
    516   OK.  An application that still reads the error buffer could find a
    517   "Could not resolve host: [host name]" message there and get confused.
    518   
    519   Reported-by: Michael Schmid
    520   Fixes #3629
    521   Closes #3630
    522 
    523 - [ brought this change]
    524 
    525   docs: update max-redirs.d phrasing
    526   
    527   clarify redir - "in absurdum" doesn't seem to make sense in this context
    528   
    529   Closes #3631
    530 
    531 - ssh: fix Condition '!status' is always true
    532   
    533   in the same sftp_done function in both SSH backends. Simplify them
    534   somewhat.
    535   
    536   Pointed out by Codacy.
    537   
    538   Closes #3628
    539 
    540 - test578: make it read data from the correct test
    541 
    542 - Curl_easy: remove req.maxfd - never used!
    543   
    544   Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
    545   since when.
    546   
    547   Closes #3626
    548 
    549 - http: set state.infilesize when sending formposts
    550   
    551   Without it set, we would unwillingly triger the "HTTP error before end
    552   of send, stop sending" condition even if the entire POST body had been
    553   sent (since it wouldn't know the expected size) which would
    554   unnecessarily log that message and close the connection when it didn't
    555   have to.
    556   
    557   Reported-by: Matt McClure
    558   Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
    559   Closes #3624
    560 
    561 - INSTALL: refer to the current TLS library names and configure options
    562 
    563 - FAQ: minor updates and spelling fixes
    564 
    565 - GOVERNANCE.md: minor spelling fixes
    566 
    567 - Secure Transport: no more "darwinssl"
    568   
    569   Everyone calls it Secure Transport, now we do too.
    570   
    571   Reviewed-by: Nick Zitzmann
    572   
    573   Closes #3619
    574 
    575 Marcel Raad (27 Feb 2019)
    576 - AppVeyor: add classic MinGW build
    577   
    578   But use the MSYS2 shell rather than the default MSYS shell because of
    579   POSIX path conversion issues. Classic MinGW is only available on the
    580   Visual Studio 2015 image.
    581   
    582   Closes https://github.com/curl/curl/pull/3623
    583 
    584 - AppVeyor: add MinGW-w64 build
    585   
    586   Add a MinGW-w64 build using CMake's MSYS Makefiles generator.
    587   Use the Visual Studio 2015 image as it has GCC 8, while the
    588   Visual Studio 2017 image only has GCC 7.2.
    589   
    590   Closes https://github.com/curl/curl/pull/3623
    591 
    592 Daniel Stenberg (27 Feb 2019)
    593 - cookies: only save the cookie file if the engine is enabled
    594   
    595   Follow-up to 8eddb8f4259.
    596   
    597   If the cookieinfo pointer is NULL there really is nothing to save.
    598   
    599   Without this fix, we got a problem when a handle was using shared object
    600   with cookies and is told to "FLUSH" it to file (which worked) and then
    601   the share object was removed and when the easy handle was closed just
    602   afterwards it has no cookieinfo and no cookies so it decided to save an
    603   empty jar (overwriting the file just flushed).
    604   
    605   Test 1905 now verifies that this works.
    606   
    607   Assisted-by: Michael Wallner
    608   Assisted-by: Marcel Raad
    609   
    610   Closes #3621
    611 
    612 - [DaVieS brought this change]
    613 
    614   cacertinmem.c: use multiple certificates for loading CA-chain
    615   
    616   Closes #3421
    617 
    618 - urldata: convert bools to bitfields and move to end
    619   
    620   This allows the compiler to pack and align the structs better in
    621   memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
    622   makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.
    623   
    624   Removed an unused struct field.
    625   
    626   No functionality changes.
    627   
    628   Closes #3610
    629 
    630 - [Don J Olmstead brought this change]
    631 
    632   curl.h: use __has_declspec_attribute for shared builds
    633   
    634   Closes #3616
    635 
    636 - curl: display --version features sorted alphabetically
    637   
    638   Closes #3611
    639 
    640 - runtests: detect "schannel" as an alias for "winssl"
    641   
    642   Follow-up to 180501cb02
    643   
    644   Reported-by: Marcel Raad
    645   Fixes #3609
    646   Closes #3620
    647 
    648 Marcel Raad (26 Feb 2019)
    649 - AppVeyor: update to Visual Studio 2017
    650   
    651   Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a
    652   moving target anymore as the last update, Update 9, has been released.
    653   
    654   Closes https://github.com/curl/curl/pull/3606
    655 
    656 - AppVeyor: switch VS 2015 builds to VS 2017 image
    657   
    658   The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed.
    659   
    660   Closes https://github.com/curl/curl/pull/3606
    661 
    662 - AppVeyor: explicitly select worker image
    663   
    664   Currently, we're using the default Visual Studio 2015 image for
    665   everything.
    666   
    667   Closes https://github.com/curl/curl/pull/3606
    668 
    669 Daniel Stenberg (26 Feb 2019)
    670 - strerror: make the strerror function use local buffers
    671   
    672   Instead of using a fixed 256 byte buffer in the connectdata struct.
    673   
    674   In my build, this reduces the size of the connectdata struct by 11.8%,
    675   from 2160 to 1904 bytes with no functionality or performance loss.
    676   
    677   This also fixes a bug in schannel's Curl_verify_certificate where it
    678   called Curl_sspi_strerror when it should have called Curl_strerror for
    679   string from GetLastError. the only effect would have been no text or the
    680   wrong text being shown for the error.
    681   
    682   Co-authored-by: Jay Satiro
    683   
    684   Closes #3612
    685 
    686 - [Michael Wallner brought this change]
    687 
    688   cookies: fix NULL dereference if flushing cookies with no CookieInfo set
    689   
    690   Regression brought by a52e46f3900fb0 (shipped in 7.63.0)
    691   
    692   Closes #3613
    693 
    694 Marcel Raad (26 Feb 2019)
    695 - AppVeyor: re-enable test 500
    696   
    697   It's passing now.
    698   
    699   Closes https://github.com/curl/curl/pull/3615
    700 
    701 - AppVeyor: remove redundant builds
    702   
    703   Remove the Visual Studio 2012 and 2013 builds as they add little value.
    704   
    705   Ref: https://github.com/curl/curl/pull/3606
    706   Closes https://github.com/curl/curl/pull/3614
    707 
    708 Daniel Stenberg (25 Feb 2019)
    709 - RELEASE-NOTES: synced
    710 
    711 - [Bernd Mueller brought this change]
    712 
    713   OpenSSL: add support for TLS ASYNC state
    714   
    715   Closes #3591
    716 
    717 Jay Satiro (25 Feb 2019)
    718 - [Michael Felt brought this change]
    719 
    720   acinclude: add additional libraries to check for LDAP support
    721   
    722   - Add an additional check for LDAP that also checks for OpenSSL since
    723     on AIX those libraries may be required to link LDAP properly.
    724   
    725   Fixes https://github.com/curl/curl/issues/3595
    726   Closes https://github.com/curl/curl/pull/3596
    727 
    728 - [georgeok brought this change]
    729 
    730   schannel: support CALG_ECDH_EPHEM algorithm
    731   
    732   Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
    733   algorithm option when selecting ciphers. This became available on the
    734   Win10 SDK.
    735   
    736   Closes https://github.com/curl/curl/pull/3608
    737 
    738 Daniel Stenberg (24 Feb 2019)
    739 - multi: call multi_done on connect timeouts
    740   
    741   Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
    742   updated correctly and could end up getting reported to the application
    743   completely wrong (way too small).
    744   
    745   Reported-by: accountantM on github
    746   Fixes #3602
    747   Closes #3605
    748 
    749 - examples: remove recursive calls to curl_multi_socket_action
    750   
    751   From within the timer callbacks. Recursive is problematic for several
    752   reasons. They should still work, but this way the examples and the
    753   documentation becomes simpler. I don't think we need to encourage
    754   recursive calls.
    755   
    756   Discussed in #3537
    757   Closes #3601
    758 
    759 Marcel Raad (23 Feb 2019)
    760 - configure: remove CURL_CHECK_FUNC_FDOPEN call
    761   
    762   The macro itself has been removed in commit
    763   11974ac859c5d82def59e837e0db56fef7f6794e.
    764   
    765   Closes https://github.com/curl/curl/pull/3604
    766 
    767 Daniel Stenberg (23 Feb 2019)
    768 - wolfssl: stop custom-adding curves
    769   
    770   since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
    771   wolfSSL 3.10.2 and later) it sends these curves by default already.
    772   
    773   Pointed-out-by: David Garske
    774   
    775   Closes #3599
    776 
    777 - configure: remove the unused fdopen macro
    778   
    779   and the two remaining #ifdefs for it
    780   
    781   Closes #3600
    782 
    783 Jay Satiro (22 Feb 2019)
    784 - url: change conn shutdown order to unlink data as last step
    785   
    786   - Split off connection shutdown procedure from Curl_disconnect into new
    787     function conn_shutdown.
    788   
    789   - Change the shutdown procedure to close the sockets before
    790     disassociating the transfer.
    791   
    792   Prior to this change the sockets were closed after disassociating the
    793   transfer so SOCKETFUNCTION wasn't called since the transfer was already
    794   disassociated. That likely came about from recent work started in
    795   Jan 2019 (#3442) to separate transfers from connections.
    796   
    797   Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
    798   Reported-by: Pavel Lbl
    799   
    800   Closes https://github.com/curl/curl/issues/3597
    801   Closes https://github.com/curl/curl/pull/3598
    802 
    803 Marcel Raad (22 Feb 2019)
    804 - Fix strict-prototypes GCC warning
    805   
    806   As seen in the MinGW autobuilds. Caused by commit
    807   f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.
    808 
    809 Dan Fandrich (21 Feb 2019)
    810 - tests: Fixed XML validation errors in some test files.
    811 
    812 Daniel Stenberg (20 Feb 2019)
    813 - TODO: Allow SAN names in HTTP/2 server push
    814   
    815   Suggested-by: Nicolas Grekas
    816 
    817 - RELEASE-NOTES: synced
    818 
    819 - curl: remove MANUAL from -M output
    820   
    821   ... and remove it from the dist tarball. It has served its time, it
    822   barely gets updated anymore and "everything curl" is now convering all
    823   this document once tried to include, and does it more and better.
    824   
    825   In the compressed scenario, this removes ~15K data from the binary,
    826   which is 25% of the -M output.
    827   
    828   It remains in the git repo for now for as long as the web site builds a
    829   page using that as source. It renders poorly on the site (especially for
    830   mobile users) so its not even good there.
    831   
    832   Closes #3587
    833 
    834 - http2: verify :athority in push promise requests
    835   
    836   RFC 7540 says we should verify that the push is for an "authoritative"
    837   server. We make sure of this by only allowing push with an :athority
    838   header that matches the host that was asked for in the URL.
    839   
    840   Fixes #3577
    841   Reported-by: Nicolas Grekas
    842   Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
    843   Closes #3581
    844 
    845 - singlesocket: fix the 'sincebefore' placement
    846   
    847   The variable wasn't properly reset within the loop and thus could remain
    848   set for sockets that hadn't been set before and miss notifying the app.
    849   
    850   This is a follow-up to 4c35574 (shipped in curl 7.64.0)
    851   
    852   Reported-by: buzo-ffm on github
    853   Detected-by: Jan Alexander Steffens
    854   Fixes #3585
    855   Closes #3589
    856 
    857 - connection: never reuse CONNECT_ONLY conections
    858   
    859   and make CONNECT_ONLY conections never reuse any existing ones either.
    860   
    861   Reported-by: Pavel Lbl
    862   Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
    863   Closes #3586
    864 
    865 Patrick Monnerat (19 Feb 2019)
    866 - cli tool: fix mime post with --disable-libcurl-option configure option
    867   
    868   Reported-by: Marcel Raad
    869   Fixes #3576
    870   Closes #3583
    871 
    872 Daniel Stenberg (19 Feb 2019)
    873 - x509asn1: cleanup and unify code layout
    874   
    875   - rename 'n' to buflen in functions, and use size_t for them. Don't pass
    876     in negative buffer lengths.
    877   
    878   - move most function comments to above the function starts like we use
    879     to
    880   
    881   - remove several unnecessary typecasts (especially of NULL)
    882   
    883   Reviewed-by: Patrick Monnerat
    884   Closes #3582
    885 
    886 - curl_multi_remove_handle.3: use at any time, just not from within callbacks
    887   
    888   [ci skip]
    889 
    890 - http: make adding a blank header thread-safe
    891   
    892   Previously the function would edit the provided header in-place when a
    893   semicolon is used to signify an empty header. This made it impossible to
    894   use the same set of custom headers in multiple threads simultaneously.
    895   
    896   This approach now makes a local copy when it needs to edit the string.
    897   
    898   Reported-by: d912e3 on github
    899   Fixes #3578
    900   Closes #3579
    901 
    902 - unit1651: survive curl_easy_init() fails
    903 
    904 - [Frank Gevaerts brought this change]
    905 
    906   rand: Fix a mismatch between comments in source and header.
    907   
    908   Reported-by: Bjrn Stenberg <bjorn (a] haxx.se>
    909   Closes #3584
    910 
    911 Patrick Monnerat (18 Feb 2019)
    912 - x509asn1: replace single char with an array
    913   
    914   Although safe in this context, using a single char as an array may
    915   cause invalid accesses to adjacent memory locations.
    916   
    917   Detected by Coverity.
    918 
    919 Daniel Stenberg (18 Feb 2019)
    920 - examples/http2-serverpush: add some sensible error checks
    921   
    922   To avoid NULL pointer dereferences etc in the case of problems.
    923   
    924   Closes #3580
    925 
    926 Jay Satiro (18 Feb 2019)
    927 - easy: fix win32 init to work without CURL_GLOBAL_WIN32
    928   
    929   - Change the behavior of win32_init so that the required initialization
    930     procedures are not affected by CURL_GLOBAL_WIN32 flag.
    931   
    932   libcurl via curl_global_init supports initializing for win32 with an
    933   optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
    934   Winsock initialization. It did so internally by skipping win32_init()
    935   when that flag was set. Since then win32_init() has been expanded to
    936   include required initialization routines that are separate from
    937   Winsock and therefore must be called in all cases. This commit fixes
    938   it so that CURL_GLOBAL_WIN32 only controls the optional win32
    939   initialization (which is Winsock initialization, according to our doc).
    940   
    941   The only users affected by this change are those that don't pass
    942   CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
    943   risk of a potential crash.
    944   
    945   Ref: https://github.com/curl/curl/pull/3573
    946   
    947   Fixes https://github.com/curl/curl/issues/3313
    948   Closes https://github.com/curl/curl/pull/3575
    949 
    950 Daniel Gustafsson (17 Feb 2019)
    951 - cookie: Add support for cookie prefixes
    952   
    953   The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
    954   and how they should affect cookie initialization, which has been
    955   adopted by the major browsers. This adds support for the two prefixes
    956   defined, __Host- and __Secure, and updates the testcase with the
    957   supplied examples from the draft.
    958   
    959   Closes #3554
    960   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
    961 
    962 - mbedtls: release sessionid resources on error
    963   
    964   If mbedtls_ssl_get_session() fails, it may still have allocated
    965   memory that needs to be freed to avoid leaking. Call the library
    966   API function to release session resources on this errorpath as
    967   well as on Curl_ssl_addsessionid() errors.
    968   
    969   Closes: #3574
    970   Reported-by: Micha Antoniak <M.Antoniak (a] posnet.com>
    971   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
    972 
    973 Patrick Monnerat (16 Feb 2019)
    974 - cli tool: refactor encoding conversion sequence for switch case fallthrough.
    975 
    976 - version.c: silent scan-build even when librtmp is not enabled
    977 
    978 Daniel Stenberg (15 Feb 2019)
    979 - RELEASE-NOTES: synced
    980 
    981 - Curl_now: figure out windows version in win32_init
    982   
    983   ... and avoid use of static variables that aren't thread safe.
    984   
    985   Fixes regression from e9ababd4f5a (present in the 7.64.0 release)
    986   
    987   Reported-by: Paul Groke
    988   Fixes #3572
    989   Closes #3573
    990 
    991 Marcel Raad (15 Feb 2019)
    992 - unit1307: just fail without FTP support
    993   
    994   I missed to check this in with commit
    995   71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test.
    996   This fixes the actual linker error.
    997   
    998   Closes https://github.com/curl/curl/pull/3568
    999 
   1000 Daniel Stenberg (15 Feb 2019)
   1001 - travis: enable valgrind for the iconv tests too
   1002   
   1003   Closes #3571
   1004 
   1005 - travis: add scan-build
   1006   
   1007   Closes #3564
   1008 
   1009 - examples/sftpuploadresume: Value stored to 'result' is never read
   1010   
   1011   Detected by scan-build
   1012 
   1013 - examples/http2-upload: cleaned up
   1014   
   1015   Fix scan-build warnings, no globals, no silly handle scan. Also remove
   1016   handles from the multi before cleaning up.
   1017 
   1018 - examples/http2-download: cleaned up
   1019   
   1020   To avoid scan-build warnings and global variables.
   1021 
   1022 - examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
   1023   
   1024   Detected by scan-build
   1025 
   1026 - examples/httpcustomheader: Value stored to 'res' is never read
   1027   
   1028   Detected by scan-build
   1029 
   1030 - examples: remove superfluous null-pointer checks
   1031   
   1032   in ftpget, ftpsget and sftpget, so that scan-build stops warning for
   1033   potential NULL pointer dereference below!
   1034   
   1035   Detected by scan-build
   1036 
   1037 - strip_trailing_dot: make sure NULL is never used for strlen
   1038   
   1039   scan-build warning: Null pointer passed as an argument to a 'nonnull'
   1040   parameter
   1041 
   1042 - [Jay Satiro brought this change]
   1043 
   1044   connection_check: restore original conn->data after the check
   1045   
   1046   - Save the original conn->data before it's changed to the specified
   1047     data transfer for the connection check and then restore it afterwards.
   1048   
   1049   This is a follow-up to 38d8e1b 2019-02-11.
   1050   
   1051   History:
   1052   
   1053   It was discovered a month ago that before checking whether to extract a
   1054   dead connection that that connection should be associated with a "live"
   1055   transfer for the check (ie original conn->data ignored and set to the
   1056   passed in data). A fix was landed in 54b201b which did that and also
   1057   cleared conn->data after the check. The original conn->data was not
   1058   restored, so presumably it was thought that a valid conn->data was no
   1059   longer needed.
   1060   
   1061   Several days later it was discovered that a valid conn->data was needed
   1062   after the check and follow-up fix was landed in bbae24c which partially
   1063   reverted the original fix and attempted to limit the scope of when
   1064   conn->data was changed to only when pruning dead connections. In that
   1065   case conn->data was not cleared and the original conn->data not
   1066   restored.
   1067   
   1068   A month later it was discovered that the original fix was somewhat
   1069   correct; a "live" transfer is needed for the check in all cases
   1070   because original conn->data could be null which could cause a bad deref
   1071   at arbitrary points in the check. A fix was landed in 38d8e1b which
   1072   expanded the scope to all cases. conn->data was not cleared and the
   1073   original conn->data not restored.
   1074   
   1075   A day later it was discovered that not restoring the original conn->data
   1076   may lead to busy loops in applications that use the event interface, and
   1077   given this observation it's a pretty safe assumption that there is some
   1078   code path that still needs the original conn->data. This commit is the
   1079   follow-up fix for that, it restores the original conn->data after the
   1080   connection check.
   1081   
   1082   Assisted-by: tholin (a] users.noreply.github.com
   1083   Reported-by: tholin (a] users.noreply.github.com
   1084   
   1085   Fixes https://github.com/curl/curl/issues/3542
   1086   Closes #3559
   1087 
   1088 - memdebug: bring back curl_mark_sclose
   1089   
   1090   Used by debug builds with NSS.
   1091   
   1092   Reverted from 05b100aee247bb
   1093 
   1094 Patrick Monnerat (14 Feb 2019)
   1095 - transfer.c: do not compute length of undefined hex buffer.
   1096   
   1097   On non-ascii platforms, the chunked hex header was measured for char code
   1098   conversion length, even for chunked trailers that do not have an hex header.
   1099   In addition, the efective length is already known: use it.
   1100   Since the hex length can be zero, only convert if needed.
   1101   
   1102   Reported by valgrind.
   1103 
   1104 Daniel Stenberg (14 Feb 2019)
   1105 - KNOWN_BUGS: Cannot compile against a static build of OpenLDAP
   1106   
   1107   Closes #2367
   1108 
   1109 Patrick Monnerat (14 Feb 2019)
   1110 - x509asn1: "Dereference of null pointer"
   1111   
   1112   Detected by scan-build (false positive).
   1113 
   1114 Daniel Stenberg (14 Feb 2019)
   1115 - configure: show features as well in the final summary
   1116   
   1117   Closes #3569
   1118 
   1119 - KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10
   1120   
   1121   Closes #2905
   1122 
   1123 - KNOWN_BUGS: Deflate error after all content was received
   1124   
   1125   Closes #2719
   1126 
   1127 - gssapi: fix deprecated header warnings
   1128   
   1129   Heimdal includes on FreeBSD spewed out lots of them. Less so now.
   1130   
   1131   Closes #3566
   1132 
   1133 - TODO: Upgrade to websockets
   1134   
   1135   Closes #3523
   1136 
   1137 - TODO: cmake test suite improvements
   1138   
   1139   Closes #3109
   1140 
   1141 Patrick Monnerat (13 Feb 2019)
   1142 - curl: "Dereference of null pointer"
   1143   
   1144   Rephrase to satisfy scan-build.
   1145 
   1146 Marcel Raad (13 Feb 2019)
   1147 - unit1307: require FTP support
   1148   
   1149   This test doesn't link without FTP support after
   1150   fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch
   1151   unavailable without FTP support.
   1152   
   1153   Closes https://github.com/curl/curl/pull/3565
   1154 
   1155 Daniel Stenberg (13 Feb 2019)
   1156 - TODO: TFO support on Windows
   1157   
   1158   Nobody works on this now.
   1159   
   1160   Closes #3378
   1161 
   1162 - multi: Dereference of null pointer
   1163   
   1164   Mostly a false positive, but this makes the code easier to read anyway.
   1165   
   1166   Detected by scan-build.
   1167   
   1168   Closes #3563
   1169 
   1170 - urlglob: Argument with 'nonnull' attribute passed null
   1171   
   1172   Detected by scan-build.
   1173 
   1174 Jay Satiro (12 Feb 2019)
   1175 - schannel: restore some debug output but only for debug builds
   1176   
   1177   Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
   1178   debug output in DEBUGF but omitted a few lines.
   1179   
   1180   Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
   1181 
   1182 - examples/crawler: Fix the Accept-Encoding setting
   1183   
   1184   - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default
   1185     supported encodings.
   1186   
   1187   Prior to this change the specific encodings of gzip and deflate were set
   1188   but there's no guarantee they'd be supported by the user's libcurl.
   1189 
   1190 Daniel Stenberg (12 Feb 2019)
   1191 - mime: put the boundary buffer into the curl_mime struct
   1192   
   1193   ... instead of allocating it separately and point to it. It is
   1194   fixed-size and always used for each part.
   1195   
   1196   Closes #3561
   1197 
   1198 - schannel: be quiet
   1199   
   1200   Convert numerous infof() calls into debug-build only messages since they
   1201   are annoyingly verbose for regular applications. Removed a few.
   1202   
   1203   Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
   1204   Reported-by: Volker Schmid
   1205   Closes #3552
   1206 
   1207 - [Romain Geissler brought this change]
   1208 
   1209   Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
   1210   
   1211   Closes #3562
   1212 
   1213 - http2: multi_connchanged() moved from multi.c, only used for h2
   1214   
   1215   Closes #3557
   1216 
   1217 - curl: "Function call argument is an uninitialized value"
   1218   
   1219   Follow-up to cac0e4a6ad14b42471eb
   1220   
   1221   Detected by scan-build
   1222   Closes #3560
   1223 
   1224 - pretransfer: don't strlen() POSTFIELDS set for GET requests
   1225   
   1226   ... since that data won't be used in the request anyway.
   1227   
   1228   Fixes #3548
   1229   Reported-by: Renaud Allard
   1230   Close #3549
   1231 
   1232 - multi: remove verbose "Expire in" ... messages
   1233   
   1234   Reported-by: James Brown
   1235   Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
   1236   Closes #3558
   1237 
   1238 - mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
   1239   
   1240   Reported-by: MAntoniak on github
   1241   Fixes #3553
   1242   Closes #3556
   1243 
   1244 Daniel Gustafsson (12 Feb 2019)
   1245 - non-ascii.c: fix typos in comments
   1246   
   1247   Fix two occurrences of s/convers/converts/ spotted while reading code.
   1248 
   1249 Daniel Stenberg (12 Feb 2019)
   1250 - fnmatch: disable if FTP is disabled
   1251   
   1252   Closes #3551
   1253 
   1254 - curl_path: only enabled for SSH builds
   1255 
   1256 - [Frank Gevaerts brought this change]
   1257 
   1258   tests: add stderr comparison to the test suite
   1259   
   1260   The code is more or less copied from the stdout comparison code, maybe
   1261   some better reuse is possible.
   1262   
   1263   test 1457 is adjusted to make the output actually match (by using --silent)
   1264   test 506 used <stderr> without actually needing it, so that <stderr> block is removed
   1265   
   1266   Closes #3536
   1267 
   1268 Patrick Monnerat (11 Feb 2019)
   1269 - cli tool: do not use mime.h private structures.
   1270   
   1271   Option -F generates an intermediate representation of the mime structure
   1272   that is used later to create the libcurl mime structure and generate
   1273   the --libcurl statements.
   1274   
   1275   Reported-by: Daniel Stenberg
   1276   Fixes #3532
   1277   Closes #3546
   1278 
   1279 Daniel Stenberg (11 Feb 2019)
   1280 - curlver: bump to 7.64.1-dev
   1281 
   1282 - RELEASE-NOTES: synced
   1283   
   1284   and bump the version in progress to 7.64.1. If we merge any "change"
   1285   before the cut-off date, we update again.
   1286 
   1287 Daniel Gustafsson (11 Feb 2019)
   1288 - curl: follow-up to 3f16990ec84
   1289   
   1290   Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was
   1291   inadvertently introducing a new bug in the ternary expression.
   1292   
   1293   Close #3555
   1294   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   1295 
   1296 - dns: release sharelock as soon as possible
   1297   
   1298   There is no benefit to holding the data sharelock when freeing the
   1299   addrinfo in case it fails, so ensure releaseing it as soon as we can
   1300   rather than holding on to it. This also aligns the code with other
   1301   consumers of sharelocks.
   1302   
   1303   Closes #3516
   1304   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   1305 
   1306 Daniel Stenberg (11 Feb 2019)
   1307 - curl: follow-up to b49652ac66cc0
   1308   
   1309   On FreeBSD, return non-zero on error otherwise zero.
   1310   
   1311   Reported-by: Marcel Raad
   1312 
   1313 - multi: (void)-prefix when ignoring return values
   1314   
   1315   ... and added braces to two function calls which fixes warnings if they
   1316   are replace by empty macros at build-time.
   1317 
   1318 - curl: fix FreeBSD compiler warning in the --xattr code
   1319   
   1320   Closes #3550
   1321 
   1322 - connection_check: set ->data to the transfer doing the check
   1323   
   1324   The http2 code for connection checking needs a transfer to use. Make
   1325   sure a working one is set before handler->connection_check() is called.
   1326   
   1327   Reported-by: jnbr on github
   1328   Fixes #3541
   1329   Closes #3547
   1330 
   1331 - hostip: make create_hostcache_id avoid alloc + free
   1332   
   1333   Closes #3544
   1334 
   1335 - scripts/singleuse: script to use to track single-use functions
   1336   
   1337   That is functions that are declared global but are not used from outside
   1338   of the file in which it is declared. Such functions should be made
   1339   static or even at times be removed.
   1340   
   1341   It also verifies that all used curl_ prefixed functions are "blessed"
   1342   
   1343   Closes #3538
   1344 
   1345 - cleanup: make local functions static
   1346   
   1347   urlapi: turn three local-only functions into statics
   1348   
   1349   conncache: make conncache_find_first_connection static
   1350   
   1351   multi: make detach_connnection static
   1352   
   1353   connect: make getaddressinfo static
   1354   
   1355   curl_ntlm_core: make hmac_md5 static
   1356   
   1357   http2: make two functions static
   1358   
   1359   http: make http_setup_conn static
   1360   
   1361   connect: make tcpnodelay static
   1362   
   1363   tests: make UNITTEST a thing to mark functions with, so they can be static for
   1364   normal builds and non-static for unit test builds
   1365   
   1366   ... and mark Curl_shuffle_addr accordingly.
   1367   
   1368   url: make up_free static
   1369   
   1370   setopt: make vsetopt static
   1371   
   1372   curl_endian: make write32_le static
   1373   
   1374   rtsp: make rtsp_connisdead static
   1375   
   1376   warnless: remove unused functions
   1377   
   1378   memdebug: remove one unused function, made another static
   1379 
   1380 Dan Fandrich (10 Feb 2019)
   1381 - cirrus: Added FreeBSD builds using Cirrus CI.
   1382   
   1383   The build logs will be at https://cirrus-ci.com/github/curl/curl
   1384   
   1385   Some tests are currently failing and so disabled for now. The SSH server
   1386   isn't starting for the SSH tests due to unsupported options used in its
   1387   config file. The DICT server also is failing on startup.
   1388 
   1389 Daniel Stenberg (9 Feb 2019)
   1390 - url/idnconvert: remove scan for <= 32 ascii values
   1391   
   1392   The check was added back in fa939220df before the URL parser would catch
   1393   these problems and therefore these will never trigger now.
   1394   
   1395   Closes #3539
   1396 
   1397 - urlapi: reduce variable scope, remove unreachable 'break'
   1398   
   1399   Both nits pointed out by codacy.com
   1400   
   1401   Closes #3540
   1402 
   1403 Alessandro Ghedini (7 Feb 2019)
   1404 - zsh.pl: escape ':' character
   1405   
   1406   ':' is interpreted as separator by zsh, so if used as part of the argument
   1407   or option's description it needs to be escaped.
   1408   
   1409   The problem can be reproduced as follows:
   1410   
   1411    % curl --reso<TAB>
   1412    % curl -E <TAB>
   1413   
   1414   Bug: https://bugs.debian.org/921452
   1415 
   1416 - zsh.pl: update regex to better match curl -h output
   1417   
   1418   The current regex fails to match '<...>' arguments properly (e.g. those
   1419   with spaces in them), which causes an completion script with wrong
   1420   descriptions for some options.
   1421   
   1422   Here's a diff of the generated completion script, comparing the previous
   1423   version to the one with this fix:
   1424   
   1425   --- /usr/share/zsh/vendor-completions/_curl     2019-01-15 20:47:40.000000000 +0000
   1426   +++ _curl       2019-02-05 20:57:29.453349040 +0000
   1427   @@ -9,48 +9,48 @@
   1428   
   1429    _arguments -C -S \
   1430      --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'<milliseconds>' \
   1431   +  --resolve'[Resolve the host+port to this address]':'<host:port:address[,address]...>' \
   1432      {-c,--cookie-jar}'[Write cookies to <filename> after operation]':'<filename>':_files \
   1433      {-D,--dump-header}'[Write the received headers to <filename>]':'<filename>':_files \
   1434      {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'<seconds>' \
   1435      --proxy-cacert'[CA certificate to verify peer against for proxy]':'<file>':_files \
   1436   -  --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'<list' \
   1437   +  --tls13-ciphers'[TLS 1.3 cipher suites to use]':'<list of TLS 1.3 ciphersuites>' \
   1438      {-E,--cert}'[Client certificate file and password]':'<certificate[:password]>' \
   1439      --libcurl'[Dump libcurl equivalent code of this command line]':'<file>':_files \
   1440      --proxy-capath'[CA directory to verify peer against for proxy]':'<dir>':_files \
   1441   -  --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \
   1442      --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'<hashes>' \
   1443      --crlfile'[Get a CRL list in PEM format from the given file]':'<file>':_files \
   1444   -  --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \
   1445   -  --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \
   1446   +  --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \
   1447      --abstract-unix-socket'[Connect via abstract Unix domain socket]':'<path>' \
   1448      --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'<hashes>' \
   1449   +  --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \
   1450      --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'<phrase>' \
   1451   +  --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \
   1452      {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \
   1453      --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'<host[:port]>' \
   1454      --proto-default'[Use PROTOCOL for any URL missing a scheme]':'<protocol>' \
   1455   -  --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'<ciphersuite' \
   1456   +  --proxy-tls13-ciphers'[TLS 1.3 proxy cipher suites]':'<ciphersuite list>' \
   1457      --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'<name>' \
   1458      --ftp-alternative-to-user'[String to replace USER \[name\]]':'<command>' \
   1459   -  --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \
   1460      {-T,--upload-file}'[Transfer local FILE to destination]':'<file>':_files \
   1461      --local-port'[Force use of RANGE for local port numbers]':'<num/range>' \
   1462      --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'<type>' \
   1463      {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \
   1464   -  --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \
   1465   -  --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \
   1466   -  {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \
   1467   -  --location-trusted'[--location, and send auth to other hosts]':'Like' \
   1468   +  --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \
   1469      --proxy-cert-type'[Client certificate type for HTTPS proxy]':'<type>' \
   1470      {-O,--remote-name}'[Write output to a file named as the remote file]' \
   1471   +  --retry-connrefused'[Retry on connection refused (use with --retry)]' \
   1472   +  --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \
   1473      --trace-ascii'[Like --trace, but without hex output]':'<file>':_files \
   1474      --connect-timeout'[Maximum time allowed for connection]':'<seconds>' \
   1475      --expect100-timeout'[How long to wait for 100-continue]':'<seconds>' \
   1476      {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \
   1477   +  {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \
   1478      {-m,--max-time}'[Maximum time allowed for the transfer]':'<seconds>' \
   1479      --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'<address>' \
   1480      --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'<address>' \
   1481   -  --ignore-content-length'[the size of the remote resource]':'Ignore' \
   1482      {-k,--insecure}'[Allow insecure server connections when using SSL]' \
   1483   +  --location-trusted'[Like --location, and send auth to other hosts]' \
   1484      --mail-auth'[Originator address of the original email]':'<address>' \
   1485      --noproxy'[List of hosts which do not use proxy]':'<no-proxy-list>' \
   1486      --proto-redir'[Enable/disable PROTOCOLS on redirect]':'<protocols>' \
   1487   @@ -62,18 +62,19 @@
   1488      --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \
   1489      --cacert'[CA certificate to verify peer against]':'<file>':_files \
   1490      {-H,--header}'[Pass custom header(s) to server]':'<header/@file>' \
   1491   +  --ignore-content-length'[Ignore the size of the remote resource]' \
   1492      {-i,--include}'[Include protocol response headers in the output]' \
   1493      --proxy-header'[Pass custom header(s) to proxy]':'<header/@file>' \
   1494      --unix-socket'[Connect through this Unix domain socket]':'<path>' \
   1495      {-w,--write-out}'[Use output FORMAT after completion]':'<format>' \
   1496   -  --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \
   1497      {-o,--output}'[Write to file instead of stdout]':'<file>':_files \
   1498   -  {-J,--remote-header-name}'[the header-provided filename]':'Use' \
   1499   +  --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \
   1500      --socks4a'[SOCKS4a proxy on given host + port]':'<host[:port]>' \
   1501      {-Y,--speed-limit}'[Stop transfers slower than this]':'<speed>' \
   1502      {-z,--time-cond}'[Transfer based on a time condition]':'<time>' \
   1503      --capath'[CA directory to verify peer against]':'<dir>':_files \
   1504      {-f,--fail}'[Fail silently (no output at all) on HTTP errors]' \
   1505   +  --http2-prior-knowledge'[Use HTTP 2 without HTTP/1.1 Upgrade]' \
   1506      --proxy-tlspassword'[TLS password for HTTPS proxy]':'<string>' \
   1507      {-U,--proxy-user}'[Proxy user and password]':'<user:password>' \
   1508      --proxy1.0'[Use HTTP/1.0 proxy on given port]':'<host[:port]>' \
   1509   @@ -81,52 +82,49 @@
   1510      {-A,--user-agent}'[Send User-Agent <name> to server]':'<name>' \
   1511      --egd-file'[EGD socket path for random data]':'<file>':_files \
   1512      --fail-early'[Fail on first transfer error, do not continue]' \
   1513   -  --haproxy-protocol'[HAProxy PROXY protocol v1 header]':'Send' \
   1514   -  --preproxy'[Use this proxy first]':'[protocol://]host[:port]' \
   1515   +  {-J,--remote-header-name}'[Use the header-provided filename]' \
   1516      --retry-max-time'[Retry only within this period]':'<seconds>' \
   1517      --socks4'[SOCKS4 proxy on given host + port]':'<host[:port]>' \
   1518      --socks5'[SOCKS5 proxy on given host + port]':'<host[:port]>' \
   1519   -  --socks5-gssapi-nec'[with NEC SOCKS5 server]':'Compatibility' \
   1520   -  --ssl-allow-beast'[security flaw to improve interop]':'Allow' \
   1521      --cert-status'[Verify the status of the server certificate]' \
   1522   -  --ftp-create-dirs'[the remote dirs if not present]':'Create' \
   1523      {-:,--next}'[Make next URL use its separate set of options]' \
   1524      --proxy-key-type'[Private key file type for proxy]':'<type>' \
   1525   -  --remote-name-all'[the remote file name for all URLs]':'Use' \
   1526      {-X,--request}'[Specify request command to use]':'<command>' \
   1527      --retry'[Retry request if transient problems occur]':'<num>' \
   1528   -  --ssl-no-revoke'[cert revocation checks (WinSSL)]':'Disable' \
   1529      --cert-type'[Certificate file type (DER/PEM/ENG)]':'<type>' \
   1530      --connect-to'[Connect to host]':'<HOST1:PORT1:HOST2:PORT2>' \
   1531      --create-dirs'[Create necessary local directory hierarchy]' \
   1532   +  --haproxy-protocol'[Send HAProxy PROXY protocol v1 header]' \
   1533      --max-redirs'[Maximum number of redirects allowed]':'<num>' \
   1534      {-n,--netrc}'[Must read .netrc for user name and password]' \
   1535   +  {-x,--proxy}'[\[protocol://\]host\[:port\] Use this proxy]' \
   1536      --proxy-crlfile'[Set a CRL list for proxy]':'<file>':_files \
   1537      --sasl-ir'[Enable initial response in SASL authentication]' \
   1538   -  --socks5-gssapi'[GSS-API auth for SOCKS5 proxies]':'Enable' \
   1539   +  --socks5-gssapi-nec'[Compatibility with NEC SOCKS5 server]' \
   1540   +  --ssl-allow-beast'[Allow security flaw to improve interop]' \
   1541   +  --ftp-create-dirs'[Create the remote dirs if not present]' \
   1542      --interface'[Use network INTERFACE (or address)]':'<name>' \
   1543      --key-type'[Private key file type (DER/PEM/ENG)]':'<type>' \
   1544      --netrc-file'[Specify FILE for netrc]':'<filename>':_files \
   1545      {-N,--no-buffer}'[Disable buffering of the output stream]' \
   1546      --proxy-service-name'[SPNEGO proxy service name]':'<name>' \
   1547   -  --styled-output'[styled output for HTTP headers]':'Enable' \
   1548   +  --remote-name-all'[Use the remote file name for all URLs]' \
   1549   +  --ssl-no-revoke'[Disable cert revocation checks (WinSSL)]' \
   1550      --max-filesize'[Maximum file size to download]':'<bytes>' \
   1551      --negotiate'[Use HTTP Negotiate (SPNEGO) authentication]' \
   1552      --no-keepalive'[Disable TCP keepalive on the connection]' \
   1553      {-#,--progress-bar}'[Display transfer progress as a bar]' \
   1554   -  {-x,--proxy}'[Use this proxy]':'[protocol://]host[:port]' \
   1555   -  --proxy-anyauth'[any proxy authentication method]':'Pick' \
   1556      {-Q,--quote}'[Send command(s) to server before transfer]' \
   1557   -  --request-target'[the target for this request]':'Specify' \
   1558   +  --socks5-gssapi'[Enable GSS-API auth for SOCKS5 proxies]' \
   1559      {-u,--user}'[Server user and password]':'<user:password>' \
   1560      {-K,--config}'[Read config from a file]':'<file>':_files \
   1561      {-C,--continue-at}'[Resumed transfer offset]':'<offset>' \
   1562      --data-raw'[HTTP POST data, '\''@'\'' allowed]':'<data>' \
   1563   -  --disallow-username-in-url'[username in url]':'Disallow' \
   1564      --krb'[Enable Kerberos with security <level>]':'<level>' \
   1565      --proxy-ciphers'[SSL ciphers to use for proxy]':'<list>' \
   1566      --proxy-digest'[Use Digest authentication on the proxy]' \
   1567      --proxy-tlsuser'[TLS username for HTTPS proxy]':'<name>' \
   1568   +  --styled-output'[Enable styled output for HTTP headers]' \
   1569      {-b,--cookie}'[Send cookies from string/file]':'<data>' \
   1570      --data-urlencode'[HTTP POST data url encoded]':'<data>' \
   1571      --delegation'[GSS-API delegation permission]':'<LEVEL>' \
   1572   @@ -134,7 +132,10 @@
   1573      --post301'[Do not switch to GET after following a 301]' \
   1574      --post302'[Do not switch to GET after following a 302]' \
   1575      --post303'[Do not switch to GET after following a 303]' \
   1576   +  --proxy-anyauth'[Pick any proxy authentication method]' \
   1577   +  --request-target'[Specify the target for this request]' \
   1578      --trace-time'[Add time stamps to trace/verbose output]' \
   1579   +  --disallow-username-in-url'[Disallow username in url]' \
   1580      --dns-servers'[DNS server addrs to use]':'<addresses>' \
   1581      {-G,--get}'[Put the post data in the URL and use GET]' \
   1582      --limit-rate'[Limit transfer speed to RATE]':'<speed>' \
   1583   @@ -148,21 +149,21 @@
   1584      --metalink'[Process given URLs as metalink XML file]' \
   1585      --tr-encoding'[Request compressed transfer encoding]' \
   1586      --xattr'[Store metadata in extended file attributes]' \
   1587   -  --ftp-skip-pasv-ip'[the IP address for PASV]':'Skip' \
   1588      --pass'[Pass phrase for the private key]':'<phrase>' \
   1589      --proxy-ntlm'[Use NTLM authentication on the proxy]' \
   1590      {-S,--show-error}'[Show error even when -s is used]' \
   1591   -  --ciphers'[of ciphers> SSL ciphers to use]':'<list' \
   1592   +  --ciphers'[SSL ciphers to use]':'<list of ciphers>' \
   1593      --form-string'[Specify multipart MIME data]':'<name=string>' \
   1594      --login-options'[Server login options]':'<options>' \
   1595      --tftp-blksize'[Set TFTP BLKSIZE option]':'<value>' \
   1596   -  --tftp-no-options'[not send any TFTP options]':'Do' \
   1597      {-v,--verbose}'[Make the operation more talkative]' \
   1598   +  --ftp-skip-pasv-ip'[Skip the IP address for PASV]' \
   1599      --proxy-key'[Private key for HTTPS proxy]':'<key>' \
   1600      {-F,--form}'[Specify multipart MIME data]':'<name=content>' \
   1601      --mail-from'[Mail from this address]':'<address>' \
   1602      --oauth2-bearer'[OAuth 2 Bearer Token]':'<token>' \
   1603      --proto'[Enable/disable PROTOCOLS]':'<protocols>' \
   1604   +  --tftp-no-options'[Do not send any TFTP options]' \
   1605      --tlsauthtype'[TLS authentication type]':'<type>' \
   1606      --doh-url'[Resolve host names over DOH]':'<URL>' \
   1607      --no-sessionid'[Disable SSL session-ID reusing]' \
   1608   @@ -173,14 +174,13 @@
   1609      --ftp-ssl-ccc'[Send CCC after authenticating]' \
   1610      {-4,--ipv4}'[Resolve names to IPv4 addresses]' \
   1611      {-6,--ipv6}'[Resolve names to IPv6 addresses]' \
   1612   -  --netrc-optional'[either .netrc or URL]':'Use' \
   1613      --service-name'[SPNEGO service name]':'<name>' \
   1614      {-V,--version}'[Show version number and quit]' \
   1615      --data-ascii'[HTTP POST ASCII data]':'<data>' \
   1616      --ftp-account'[Account data string]':'<data>' \
   1617   -  --compressed-ssh'[SSH compression]':'Enable' \
   1618      --disable-eprt'[Inhibit using EPRT or LPRT]' \
   1619      --ftp-method'[Control CWD usage]':'<method>' \
   1620   +  --netrc-optional'[Use either .netrc or URL]' \
   1621      --pubkey'[SSH Public key file name]':'<key>' \
   1622      --raw'[Do HTTP "raw"; no transfer decoding]' \
   1623      --anyauth'[Pick any authentication method]' \
   1624   @@ -189,6 +189,7 @@
   1625      --no-alpn'[Disable the ALPN TLS extension]' \
   1626      --tcp-nodelay'[Use the TCP_NODELAY option]' \
   1627      {-B,--use-ascii}'[Use ASCII/text transfer]' \
   1628   +  --compressed-ssh'[Enable SSH compression]' \
   1629      --digest'[Use HTTP Digest Authentication]' \
   1630      --proxy-tlsv1'[Use TLSv1 for HTTPS proxy]' \
   1631      --engine'[Crypto engine to use]':'<name>' \
   1632 
   1633 Marcel Raad (7 Feb 2019)
   1634 - tool_operate: fix typecheck warning
   1635   
   1636   Use long for CURLOPT_HTTP09_ALLOWED to fix the following warning:
   1637   tool_operate.c: In function 'operate_do':
   1638   ../include/curl/typecheck-gcc.h:47:9: error: call to
   1639   '_curl_easy_setopt_err_long' declared with attribute warning:
   1640   curl_easy_setopt expects a long argument for this option [-Werror]
   1641   
   1642   Closes https://github.com/curl/curl/pull/3534
   1643 
   1644 Jay Satiro (6 Feb 2019)
   1645 - [Chris Araman brought this change]
   1646 
   1647   url: close TLS before removing conn from cache
   1648   
   1649   - Fix potential crashes in schannel shutdown.
   1650   
   1651   Ensure any TLS shutdown messages are sent before removing the
   1652   association between the connection and the easy handle. Reverts
   1653   @bagder's previous partial fix for #3412.
   1654   
   1655   Fixes https://github.com/curl/curl/issues/3412
   1656   Fixes https://github.com/curl/curl/issues/3505
   1657   Closes https://github.com/curl/curl/pull/3531
   1658 
   1659 Daniel Gustafsson (6 Feb 2019)
   1660 - INTERNALS.md: fix subsection depth and link
   1661   
   1662   The Kerberos subsection was mistakenly a subsubsection under FTP, and
   1663   the curlx subsection was missing an anchor for the TOC link.
   1664   
   1665   Closes #3529
   1666   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   1667 
   1668 Version 7.64.0 (6 Feb 2019)
   1669 
   1670 Daniel Stenberg (6 Feb 2019)
   1671 - RELEASE-NOTES: 7.64.0
   1672 
   1673 - RELEASE-PROCEDURE: update the release calendar
   1674 
   1675 - THANKS: 7.64.0 status
   1676 
   1677 Daniel Gustafsson (5 Feb 2019)
   1678 - ROADMAP: remove already performed item
   1679   
   1680   Commit 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 introduced support
   1681   for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while
   1682   the entry was removed from the TODO it was mistakenly left here.
   1683   Fix by removing and rewording the entry slightly.
   1684   
   1685   Closes #3530
   1686   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   1687 
   1688 - [Etienne Simard brought this change]
   1689 
   1690   CONTRIBUTE.md: Fix grammatical errors
   1691   
   1692   Fix grammatical errors making the document read better. Also fixes
   1693   a typo.
   1694   
   1695   Closes #3525
   1696   Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se>
   1697 
   1698 Daniel Stenberg (4 Feb 2019)
   1699 - [Julian Z brought this change]
   1700 
   1701   docs: use $(INSTALL_DATA) to install man page
   1702   
   1703   Fixes #3518
   1704   Closes #3522
   1705 
   1706 Jay Satiro (4 Feb 2019)
   1707 - [Ladar Levison brought this change]
   1708 
   1709   runtests.pl: Fix perl call to include srcdir
   1710   
   1711   - Use explicit include opt for perl calls.
   1712   
   1713   Prior to this change some scripts couldn't find their dependencies.
   1714   
   1715   At the top, perl is called using with the "-Isrcdir" option, and it
   1716   works:
   1717   
   1718   https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183
   1719   
   1720   But on line 3868, that option is omitted. This caused problems for me,
   1721   as the symbol-scan.pl script in particular couldn't find its
   1722   dependencies properly:
   1723   
   1724   https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868
   1725   
   1726   This patch fixes that oversight by making calls to perl sub-shells
   1727   uniform.
   1728   
   1729   Closes https://github.com/curl/curl/pull/3496
   1730 
   1731 Daniel Stenberg (4 Feb 2019)
   1732 - [Daniel Gustafsson brought this change]
   1733 
   1734   smtp: avoid risk of buffer overflow in strtol
   1735   
   1736   If the incoming len 5, but the buffer does not have a termination
   1737   after 5 bytes, the strtol() call may keep reading through the line
   1738   buffer until is exceeds its boundary. Fix by ensuring that we are
   1739   using a bounded read with a temporary buffer on the stack.
   1740   
   1741   Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
   1742   Reported-by: Brian Carpenter (Geeknik Labs)
   1743   CVE-2019-3823
   1744 
   1745 - ntlm: fix *_type3_message size check to avoid buffer overflow
   1746   
   1747   Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
   1748   Reported-by: Wenxiang Qian
   1749   CVE-2019-3822
   1750 
   1751 - NTLM: fix size check condition for type2 received data
   1752   
   1753   Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
   1754   Reported-by: Wenxiang Qian
   1755   CVE-2018-16890
   1756 
   1757 Marcel Raad (1 Feb 2019)
   1758 - [georgeok brought this change]
   1759 
   1760   spnego_sspi: add support for channel binding
   1761   
   1762   Attempt to add support for Secure Channel binding when negotiate
   1763   authentication is used. The problem to solve is that by default IIS
   1764   accepts channel binding and curl doesn't utilise them. The result was a
   1765   401 response. Scope affects only the Schannel(winssl)-SSPI combination.
   1766   
   1767   Fixes https://github.com/curl/curl/issues/3503
   1768   Closes https://github.com/curl/curl/pull/3509
   1769 
   1770 Daniel Stenberg (1 Feb 2019)
   1771 - RELEASE-NOTES: synced
   1772 
   1773 - schannel: stop calling it "winssl"
   1774   
   1775   Stick to "Schannel" everywhere. The configure option --with-winssl is
   1776   kept to allow existing builds to work but --with-schannel is added as an
   1777   alias.
   1778   
   1779   Closes #3504
   1780 
   1781 - multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
   1782   
   1783   To make sure Curl_timeleft() also thinks the timeout has been reached
   1784   when one of the EXPIRE_*TIMEOUTs expires.
   1785   
   1786   Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
   1787   Reported-by: Zhao Yisha
   1788   Closes #3501
   1789 
   1790 - [John Marshall brought this change]
   1791 
   1792   doc: use meaningless port number in CURLOPT_LOCALPORT example
   1793   
   1794   Use an ephemeral port number here; previously the example had 8080
   1795   which could be confusing as the common web server port number might
   1796   be misinterpreted as suggesting this option affects the remote port.
   1797   
   1798   URL: https://curl.haxx.se/mail/lib-2019-01/0084.html
   1799   Closes #3513
   1800 
   1801 GitHub (29 Jan 2019)
   1802 - [Gisle Vanem brought this change]
   1803 
   1804   Escape the '\'
   1805   
   1806   A backslash should be escaped in Roff / Troff.
   1807 
   1808 Jay Satiro (29 Jan 2019)
   1809 - TODO: WinSSL: 'Add option to disable client cert auto-send'
   1810   
   1811   By default WinSSL selects and send a client certificate automatically,
   1812   but for privacy and consistency we should offer an option to disable the
   1813   default auto-send behavior.
   1814   
   1815   Reported-by: Jeroen Ooms
   1816   
   1817   Closes https://github.com/curl/curl/issues/2262
   1818 
   1819 Daniel Stenberg (28 Jan 2019)
   1820 - [Jeremie Rapin brought this change]
   1821 
   1822   sigpipe: if mbedTLS is used, ignore SIGPIPE
   1823   
   1824   mbedTLS doesn't have a sigpipe management. If a write/read occurs when
   1825   the remote closes the socket, the signal is raised and kills the
   1826   application.  Use the curl mecanisms fix this behavior.
   1827   
   1828   Signed-off-by: Jeremie Rapin <j.rapin (a] overkiz.com>
   1829   
   1830   Closes #3502
   1831 
   1832 - unit1653: make it survive torture tests
   1833 
   1834 Jay Satiro (28 Jan 2019)
   1835 - [Michael Kujawa brought this change]
   1836 
   1837   timeval: Disable MSVC Analyzer GetTickCount warning
   1838   
   1839   Compiling with msvc /analyze and a recent Windows SDK warns against
   1840   using GetTickCount (Suggests to use GetTickCount64 instead.)
   1841   
   1842   Since GetTickCount is only being used when GetTickCount64 isn't
   1843   available, I am disabling that warning.
   1844   
   1845   Fixes https://github.com/curl/curl/issues/3437
   1846   Closes https://github.com/curl/curl/pull/3440
   1847 
   1848 Daniel Stenberg (26 Jan 2019)
   1849 - configure: rewrite --enable-code-coverage
   1850   
   1851   The previously used ax_code_coverage.m4 is not license compatible and
   1852   must not be used.
   1853   
   1854   Reported-by: William A. Rowe Jr
   1855   Fixes #3497
   1856   Closes #3499
   1857 
   1858 - [Felix Hdicke brought this change]
   1859 
   1860   setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
   1861   
   1862   CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
   1863   libssh as well. So accepting these options only when compiling with
   1864   libssh2 is wrong here.
   1865   
   1866   Fixes #3493
   1867   Closes #3494
   1868 
   1869 - [Felix Hdicke brought this change]
   1870 
   1871   libssh: do not let libssh create socket
   1872   
   1873   By default, libssh creates a new socket, instead of using the socket
   1874   created by curl for SSH connections.
   1875   
   1876   Pass the socket created by curl to libssh using ssh_options_set() with
   1877   SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
   1878   instead of creating a new one.
   1879   
   1880   This approach is very similar to what is done in the libssh2 code, where
   1881   the socket created by curl is passed to libssh2 when
   1882   libssh2_session_startup() is called.
   1883   
   1884   Fixes #3491
   1885   Closes #3495
   1886 
   1887 - RELEASE-NOTES: synced
   1888 
   1889 - [Archangel_SDY brought this change]
   1890 
   1891   schannel: preserve original certificate path parameter
   1892   
   1893   Fixes #3480
   1894   Closes #3487
   1895 
   1896 - KNOWN_BUGS: tests not compatible with python3
   1897   
   1898   Closes #3289
   1899   [skip ci]
   1900 
   1901 Daniel Gustafsson (20 Jan 2019)
   1902 - memcmp: avoid doing single char memcmp
   1903   
   1904   There is no real gain in performing memcmp() comparisons on single
   1905   characters, so change these to array subscript inspections which
   1906   saves a call and makes the code clearer.
   1907   
   1908   Closes #3486
   1909   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   1910   Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com>
   1911 
   1912 Daniel Stenberg (19 Jan 2019)
   1913 - COPYING: it's 2019
   1914   
   1915   [skip ci]
   1916 
   1917 - [hhb brought this change]
   1918 
   1919   configure: fix recv/send/select detection on Android
   1920   
   1921   This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9.
   1922   
   1923   The overloadable attribute is removed again starting from
   1924   NDK17. Actually they only exist in two NDK versions (15 and 16). With
   1925   overloadable, the first condition tried will succeed. Results in wrong
   1926   detection result.
   1927   
   1928   Closes #3484
   1929 
   1930 Marcel Raad (19 Jan 2019)
   1931 - [georgeok brought this change]
   1932 
   1933   ntlm_sspi: add support for channel binding
   1934   
   1935   Windows extended potection (aka ssl channel binding) is required
   1936   to login to ntlm IIS endpoint, otherwise the server returns 401
   1937   responses.
   1938   
   1939   Fixes #3280
   1940   Closes #3321
   1941 
   1942 Daniel Stenberg (18 Jan 2019)
   1943 - schannel: on connection close there might not be a transfer
   1944   
   1945   Reported-by: Marcel Raad
   1946   Fixes #3412
   1947   Closes #3483
   1948 
   1949 - [Joel Depooter brought this change]
   1950 
   1951   ssh: log the libssh2 error message when ssh session startup fails
   1952   
   1953   When a ssh session startup fails, it is useful to know why it has
   1954   failed. This commit changes the message from:
   1955      "Failure establishing ssh session"
   1956   to something like this, for example:
   1957      "Failure establishing ssh session: -5, Unable to exchange encryption keys"
   1958   
   1959   Closes #3481
   1960 
   1961 Alessandro Ghedini (16 Jan 2019)
   1962 - Fix typo in manpage
   1963 
   1964 Daniel Stenberg (16 Jan 2019)
   1965 - RELEASE-NOTES: synced
   1966 
   1967 Sergei Nikulov (16 Jan 2019)
   1968 - cmake: updated check for HAVE_POLL_FINE to match autotools
   1969 
   1970 Daniel Stenberg (16 Jan 2019)
   1971 - curl-compilers.m4: check for __ibmxl__ to detect xlclang
   1972   
   1973   Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a
   1974   particular flag is used for legacy macros.
   1975   
   1976   Fixes #3474
   1977   Closes #3479
   1978 
   1979 - openssl: fix the SSL_get_tlsext_status_ocsp_resp call
   1980   
   1981   .... to not pass in a const in the second argument as that's not how it
   1982   is supposed to be used and might cause compiler warnings.
   1983   
   1984   Reported-by: Pavel Pavlov
   1985   Fixes #3477
   1986   Closes #3478
   1987 
   1988 - curl-compilers.m4: detect xlclang
   1989   
   1990   Since it isn't totally clang compatible, we detect this IBM clang
   1991   front-end and if detected, avoids some clang specific magic.
   1992   
   1993   Reported-by: Kees Dekker
   1994   Fixes #3474
   1995   Closes #3476
   1996 
   1997 - README: add codacy code quality badge
   1998   
   1999   [skip ci]
   2000 
   2001 - extract_if_dead: follow-up to 54b201b48c90a
   2002   
   2003   extract_if_dead() dead is called from two functions, and only one of
   2004   them should get conn->data updated and now neither call path clears it.
   2005   
   2006   scan-build found a case where conn->data would be NULL dereferenced in
   2007   ConnectionExists() otherwise.
   2008   
   2009   Closes #3473
   2010 
   2011 - multi: remove "Dead assignment"
   2012   
   2013   Found by scan-build. Follow-up to 4c35574bb785ce.
   2014   
   2015   Closes #3471
   2016 
   2017 - tests: move objnames-* from lib into tests
   2018   
   2019   Since they're used purely for testing purposes, I think they should
   2020   rather be stored there.
   2021   
   2022   Closes #3470
   2023 
   2024 Sergei Nikulov (15 Jan 2019)
   2025 - travis: added cmake build for osx
   2026 
   2027 Daniel Stenberg (14 Jan 2019)
   2028 - [Frank Gevaerts brought this change]
   2029 
   2030   cookie: fix comment typo (url_path_len -> uri_path_len)
   2031   
   2032   Closes #3469
   2033 
   2034 Marcel Raad (14 Jan 2019)
   2035 - winbuild: conditionally use /DZLIB_WINAPI
   2036   
   2037   zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have
   2038   the ZLIB_WINAPI define set by default. Using them requires that define
   2039   too.
   2040   
   2041   Ref: https://zlib.net/DLL_FAQ.txt
   2042   
   2043   Fixes https://github.com/curl/curl/issues/3133
   2044   Closes https://github.com/curl/curl/pull/3460
   2045 
   2046 Daniel Stenberg (14 Jan 2019)
   2047 - src/Makefile: make 'tidy' target work for metalink builds
   2048 
   2049 - extract_if_dead: use a known working transfer when checking connections
   2050   
   2051   Make sure that this function sets a proper "live" transfer for the
   2052   connection before calling the protocol-specific connection check
   2053   function, and then clear it again afterward as a non-used connection has
   2054   no current transfer.
   2055   
   2056   Reported-by: Jeroen Ooms
   2057   Reviewed-by: Marcel Raad
   2058   Reviewed-by: Daniel Gustafsson
   2059   Fixes #3463
   2060   Closes #3464
   2061 
   2062 - openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
   2063   
   2064   OpenSSL_version() replaces OpenSSL_version_num()
   2065   
   2066   Closes #3462
   2067 
   2068 Sergei Nikulov (11 Jan 2019)
   2069 - cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCC
   2070 
   2071 Daniel Stenberg (11 Jan 2019)
   2072 - urldata: rename easy_conn to just conn
   2073   
   2074   We use "conn" everywhere to be a pointer to the connection.
   2075   
   2076   Introduces two functions that "attaches" and "detaches" the connection
   2077   to and from the transfer.
   2078   
   2079   Going forward, we should favour using "data->conn" (since a transfer
   2080   always only has a single connection or none at all) to "conn->data"
   2081   (since a connection can have none, one or many transfers associated with
   2082   it and updating conn->data to be correct is error prone and a frequent
   2083   reason for internal issues).
   2084   
   2085   Closes #3442
   2086 
   2087 - tool_cb_prg: avoid integer overflow
   2088   
   2089   When calculating the progress bar width.
   2090   
   2091   Reported-by: Peng Li
   2092   Fixes #3456
   2093   Closes #3458
   2094 
   2095 Daniel Gustafsson (11 Jan 2019)
   2096 - travis: turn off copyright year checks in checksrc
   2097   
   2098   Invoking the maintainer intended COPYRIGHTYEAR check for everyone
   2099   in the PR pipeline is too invasive, especially at the turn of the
   2100   year when many files get affected. Remove and leave it as a tool
   2101   for maintainers to verify patches before commits.
   2102   
   2103   This reverts f7bdf4b2e1d81b2652b81b9b3029927589273b41.
   2104   
   2105   After discussion with: Daniel Stenberg
   2106 
   2107 Daniel Stenberg (10 Jan 2019)
   2108 - KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGW
   2109   
   2110   Closes #3125
   2111 
   2112 - KNOWN_BUGS: Improve --data-urlencode space encoding
   2113   
   2114   Closes #3229
   2115 
   2116 Patrick Monnerat (10 Jan 2019)
   2117 - os400: add a missing closing bracket
   2118   
   2119   See https://github.com/curl/curl/issues/3453#issuecomment-453054458
   2120   
   2121   Reported-by: jonrumsey on github
   2122 
   2123 - os400: fix extra parameter syntax error.
   2124   
   2125   Reported-by: jonrumsey on github
   2126   Closes #3453
   2127 
   2128 Daniel Stenberg (10 Jan 2019)
   2129 - test1558: verify CURLINFO_PROTOCOL on file:// transfer
   2130   
   2131   Attempt to reproduce issue #3444.
   2132   
   2133   Closes #3447
   2134 
   2135 - RELEASE-NOTES: synced
   2136 
   2137 - xattr: strip credentials from any URL that is stored
   2138   
   2139   Both user and password are cleared uncondtitionally.
   2140   
   2141   Added unit test 1621 to verify.
   2142   
   2143   Fixes #3423
   2144   Closes #3433
   2145 
   2146 - cookies: allow secure override when done over HTTPS
   2147   
   2148   Added test 1562 to verify.
   2149   
   2150   Reported-by: Jeroen Ooms
   2151   Fixes #3445
   2152   Closes #3450
   2153 
   2154 - multi: multiplexing improvements
   2155   
   2156   Fixes #3436
   2157   Closes #3448
   2158   
   2159    Problem 1
   2160   
   2161   After LOTS of scratching my head, I eventually realized that even when doing
   2162   10 uploads in parallel, sometimes the socket callback to the application that
   2163   tells it what to wait for on the socket, looked like it would reflect the
   2164   status of just the single transfer that just changed state.
   2165   
   2166   Digging into the code revealed that this was indeed the truth. When multiple
   2167   transfers are using the same connection, the application did not correctly get
   2168   the *combined* flags for all transfers which then could make it switch to READ
   2169   (only) when in fact most transfers wanted to get told when the socket was
   2170   WRITEABLE.
   2171   
   2172    Problem 1b
   2173   
   2174   A separate but related regression had also been introduced by me when I
   2175   cleared connection/transfer association better a while ago, as now the logic
   2176   couldn't find the connection and see if that was marked as used by more
   2177   transfers and then it would also prematurely remove the socket from the socket
   2178   hash table even in times other transfers were still using it!
   2179   
   2180    Fix 1
   2181   
   2182   Make sure that each socket stored in the socket hash has a "combined" action
   2183   field of what to ask the application to wait for, that is potentially the ORed
   2184   action of multiple parallel transfers. And remove that socket hash entry only
   2185   if there are no transfers left using it.
   2186   
   2187    Problem 2
   2188   
   2189   The socket hash entry stored an association to a single transfer using that
   2190   socket - and when curl_multi_socket_action() was called to tell libcurl about
   2191   activities on that specific socket only that transfer was "handled".
   2192   
   2193   This was WRONG, as a single socket/connection can be used by numerous parallel
   2194   transfers and not necessarily a single one.
   2195   
   2196    Fix 2
   2197   
   2198   We now store a list of handles in the socket hashtable entry and when libcurl
   2199   is told there's traffic for a particular socket, it now iterates over all
   2200   known transfers using that single socket.
   2201 
   2202 - test1561: improve test name
   2203   
   2204   [skip ci]
   2205 
   2206 - [Katsuhiko YOSHIDA brought this change]
   2207 
   2208   cookies: skip custom cookies when redirecting cross-site
   2209   
   2210   Closes #3417
   2211 
   2212 - THANKS: fixups and a dedupe
   2213   
   2214   [skip ci]
   2215 
   2216 - timediff: fix math for unsigned time_t
   2217   
   2218   Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html
   2219   
   2220   Closes #3449
   2221 
   2222 - [Bernhard M. Wiedemann brought this change]
   2223 
   2224   tests: allow tests to pass by 2037-02-12
   2225   
   2226   similar to commit f508d29f3902104018
   2227   
   2228   Closes #3443
   2229 
   2230 - RELEASE-NOTES: synced
   2231 
   2232 - [Brad Spencer brought this change]
   2233 
   2234   curl_multi_remove_handle() don't block terminating c-ares requests
   2235   
   2236   Added Curl_resolver_kill() for all three resolver modes, which only
   2237   blocks when necessary, along with test 1592 to confirm
   2238   curl_multi_remove_handle() doesn't block unless it must.
   2239   
   2240   Closes #3428
   2241   Fixes #3371
   2242 
   2243 - Revert "http_negotiate: do not close connection until negotiation is completed"
   2244   
   2245   This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47.
   2246   
   2247   This also reopens PR #3275 which brought the change now reverted.
   2248   
   2249   Fixes #3384
   2250   Closes #3439
   2251 
   2252 - curl/urlapi.h: include "curl.h" first
   2253   
   2254   This allows programs to include curl/urlapi.h directly.
   2255   
   2256   Reviewed-by: Daniel Gustafsson
   2257   Reported-by: Ben Kohler
   2258   Fixes #3438
   2259   Closes #3441
   2260 
   2261 Marcel Raad (6 Jan 2019)
   2262 - VS projects: fix build warning
   2263   
   2264   Starting with Visual Studio 2017 Update 9, Visual Studio doesn't like
   2265   the MinimalRebuild option anymore and warns:
   2266   
   2267   cl : Command line warning D9035: option 'Gm' has been deprecated and
   2268   will be removed in a future release
   2269   
   2270   The option can be safely removed so that the default is used.
   2271   
   2272   Closes https://github.com/curl/curl/pull/3425
   2273 
   2274 - schannel: fix compiler warning
   2275   
   2276   When building with Unicode on MSVC, the compiler warns about freeing a
   2277   pointer to const in Curl_unicodefree. Fix this by declaring it as
   2278   non-const and casting the argument to Curl_convert_UTF8_to_tchar to
   2279   non-const too, like we do in all other places.
   2280   
   2281   Closes https://github.com/curl/curl/pull/3435
   2282 
   2283 Daniel Stenberg (4 Jan 2019)
   2284 - [Rikard Falkeborn brought this change]
   2285 
   2286   printf: introduce CURL_FORMAT_TIMEDIFF_T
   2287 
   2288 - [Rikard Falkeborn brought this change]
   2289 
   2290   printf: fix format specifiers
   2291   
   2292   Closes #3426
   2293 
   2294 - libtest/stub_gssapi: use "real" snprintf
   2295   
   2296   ... since it doesn't link with libcurl.
   2297   
   2298   Reverts the commit dcd6f81025 changes from this file.
   2299   
   2300   Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html
   2301   Reported-by: Shlomi Fish
   2302   Reviewed-by: Daniel Gustafsson
   2303   Reviewed-by: Kamil Dudka
   2304   
   2305   Closes #3434
   2306 
   2307 - INTERNALS: correct some outdated function names
   2308   
   2309   Closes #3431
   2310 
   2311 - docs/version.d: mention MultiSSL
   2312   
   2313   Reviewed-by: Daniel Gustafsson
   2314   Closes #3432
   2315 
   2316 Daniel Gustafsson (2 Jan 2019)
   2317 - [Rikard Falkeborn brought this change]
   2318 
   2319   examples: Update .gitignore
   2320   
   2321   Add a few missing examples to make `make examples` not leave the
   2322   workspace in a dirty state.
   2323   
   2324   Closes #3427
   2325   Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se>
   2326 
   2327 - THANKS: add more missing names
   2328   
   2329   Add Adrian Burcea who made the artwork for the curl://up 2018 event
   2330   which was held in Stockholm, Sweden.
   2331 
   2332 - docs: mention potential leak in curl_slist_append
   2333   
   2334   When a non-empty list is appended to, and used as the returnvalue,
   2335   the list pointer can leak in case of an allocation failure in the
   2336   curl_slist_append() call. This is correctly handled in curl code
   2337   usage but we weren't explicitly pointing it out in the API call
   2338   documentation. Fix by extending the RETURNVALUE manpage section
   2339   and example code.
   2340   
   2341   Closes #3424
   2342   Reported-by: dnivras on github
   2343   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2344 
   2345 Marcel Raad (1 Jan 2019)
   2346 - tvnow: silence conversion warnings
   2347   
   2348   MinGW-w64 defaults to targeting Windows 7 now, so GetTickCount64 is
   2349   used and the milliseconds are represented as unsigned long long,
   2350   leading to a compiler warning when implicitly converting them to long.
   2351 
   2352 Daniel Stenberg (1 Jan 2019)
   2353 - THANKS: dedupe more names
   2354   
   2355   Researched-by: Tae Wong
   2356 
   2357 Marcel Raad (1 Jan 2019)
   2358 - [Markus Moeller brought this change]
   2359 
   2360   ntlm: update selection of type 3 response
   2361   
   2362   NTLM2 did not work i.e. no NTLMv2 response was created. Changing the
   2363   check seems to work.
   2364   
   2365   Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf
   2366   
   2367   Fixes https://github.com/curl/curl/issues/3286
   2368   Closes https://github.com/curl/curl/pull/3287
   2369   Closes https://github.com/curl/curl/pull/3415
   2370 
   2371 Daniel Stenberg (31 Dec 2018)
   2372 - THANKS: added missing names from year <= 2000
   2373   
   2374   Due to a report of a missing name in THANKS I manually went through an
   2375   old CHANGES.0 file and added many previously missing names here.
   2376 
   2377 Daniel Gustafsson (30 Dec 2018)
   2378 - urlapi: fix parsing ipv6 with zone index
   2379   
   2380   The previous fix for parsing IPv6 URLs with a zone index was a paddle
   2381   short for URLs without an explicit port. This patch fixes that case
   2382   and adds a unit test case.
   2383   
   2384   This bug was highlighted by issue #3408, and while it's not the full
   2385   fix for the problem there it is an isolated bug that should be fixed
   2386   regardless.
   2387   
   2388   Closes #3411
   2389   Reported-by: GitYuanQu on github
   2390   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2391 
   2392 Daniel Stenberg (30 Dec 2018)
   2393 - THANKS: dedupe Guenter Knauf
   2394   
   2395   Reported-by: Tae Wong
   2396 
   2397 - THANKS: missing name from the 6.3.1 release!
   2398 
   2399 Daniel Gustafsson (27 Dec 2018)
   2400 - RELEASE-NOTES: synced
   2401 
   2402 - [Claes Jakobsson brought this change]
   2403 
   2404   hostip: support wildcard hosts
   2405   
   2406   This adds support for wildcard hosts in CURLOPT_RESOLVE. These are
   2407   try-last so any non-wildcard entry is resolved first. If specified,
   2408   any host not matched by another CURLOPT_RESOLVE config will use this
   2409   as fallback.
   2410   
   2411   Example send a.com to 10.0.0.1 and everything else to 10.0.0.2:
   2412     curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \
   2413          https://a.com https://b.com
   2414   
   2415   This is probably quite similar to using:
   2416     --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443
   2417   
   2418   Closes #3406
   2419   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2420 
   2421 - url: fix incorrect indentation
   2422 
   2423 Patrick Monnerat (26 Dec 2018)
   2424 - os400: upgrade ILE/RPG binding.
   2425   
   2426   - Trailer function support.
   2427   - http 0.9 option.
   2428   - curl_easy_upkeep.
   2429 
   2430 Daniel Gustafsson (25 Dec 2018)
   2431 - FAQ: remove mention of sourceforge for github
   2432   
   2433   The project bug tracker is no longer hosted at sourceforge but is now
   2434   hosted on the curl Github page. Update the FAQ to reflect.
   2435   
   2436   Closes #3410
   2437   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2438 
   2439 - openvms: fix typos in documentation
   2440 
   2441 - openvms: fix OpenSSL discovery on VAX
   2442   
   2443   The DCL code had a typo in one of the commands which would make the
   2444   OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT.
   2445   
   2446   Closes #3407
   2447   Reviewed-by: Viktor Szakats <commit (a] vszakats.net>
   2448 
   2449 Daniel Stenberg (24 Dec 2018)
   2450 - [Ruslan Baratov brought this change]
   2451 
   2452   cmake: use lowercase for function name like the rest of the code
   2453   
   2454   Reviewed-by: Sergei Nikulov
   2455   
   2456   closes #3196
   2457 
   2458 - Revert "libssh: no data pointer == nothing to do"
   2459   
   2460   This reverts commit c98ee5f67f497195c9 since commit f3ce38739fa fixed the
   2461   problem in a more generic way.
   2462 
   2463 - disconnect: set conn->data for protocol disconnect
   2464   
   2465   Follow-up to fb445a1e18d: Set conn->data explicitly to point out the
   2466   current transfer when invoking the protocol-specific disconnect function
   2467   so that it can work correctly.
   2468   
   2469   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173
   2470 
   2471 Jay Satiro (23 Dec 2018)
   2472 - [Pavel Pavlov brought this change]
   2473 
   2474   timeval: Use high resolution timestamps on Windows
   2475   
   2476   - Use QueryPerformanceCounter on Windows Vista+
   2477   
   2478   There is confusing info floating around that QueryPerformanceCounter
   2479   can leap etc, which might have been true long time ago, but no longer
   2480   the case nowadays (perhaps starting from WinXP?). Also, boost and
   2481   std::chrono::steady_clock use QueryPerformanceCounter in a similar way.
   2482   
   2483   Prior to this change GetTickCount or GetTickCount64 was used, which has
   2484   lower resolution. That is still the case for <= XP.
   2485   
   2486   Fixes https://github.com/curl/curl/issues/3309
   2487   Closes https://github.com/curl/curl/pull/3318
   2488 
   2489 Daniel Stenberg (22 Dec 2018)
   2490 - libssh: no data pointer == nothing to do
   2491 
   2492 - conncache_unlock: avoid indirection by changing input argument type
   2493 
   2494 - disconnect: separate connections and easy handles better
   2495   
   2496   Do not assume/store assocation between a given easy handle and the
   2497   connection if it can be avoided.
   2498   
   2499   Long-term, the 'conn->data' pointer should probably be removed as it is a
   2500   little too error-prone. Still used very widely though.
   2501   
   2502   Reported-by: masbug on github
   2503   Fixes #3391
   2504   Closes #3400
   2505 
   2506 - libssh: free sftp_canonicalize_path() data correctly
   2507   
   2508   Assisted-by: Harry Sintonen
   2509   
   2510   Fixes #3402
   2511   Closes #3403
   2512 
   2513 - RELEASE-NOTES: synced
   2514 
   2515 - http: added options for allowing HTTP/0.9 responses
   2516   
   2517   Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose.
   2518   
   2519   For now, both the tool and library allow HTTP/0.9 by default.
   2520   docs/DEPRECATE.md lays out the plan for when to reverse that default: 6
   2521   months after the 7.64.0 release. The options are added already now so
   2522   that applications/scripts can start using them already now.
   2523   
   2524   Fixes #2873
   2525   Closes #3383
   2526 
   2527 - if2ip: remove unused function Curl_if_is_interface_name
   2528   
   2529   Closes #3401
   2530 
   2531 - http2: clear pause stream id if it gets closed
   2532   
   2533   Reported-by: Florian Pritz
   2534   
   2535   Fixes #3392
   2536   Closes #3399
   2537 
   2538 Daniel Gustafsson (20 Dec 2018)
   2539 - [David Garske brought this change]
   2540 
   2541   wolfssl: Perform cleanup
   2542   
   2543   This adds a cleanup callback for cyassl. Resolves possible memory leak
   2544   when using ECC fixed point cache.
   2545   
   2546   Closes #3395
   2547   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2548   Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se>
   2549 
   2550 Daniel Stenberg (20 Dec 2018)
   2551 - mbedtls: follow-up VERIFYHOST fix from f097669248
   2552   
   2553   Fix-by: Eric Rosenquist
   2554   
   2555   Fixes #3376
   2556   Closes #3390
   2557 
   2558 - curlver: bump to 7.64.0 for next release
   2559 
   2560 Daniel Gustafsson (19 Dec 2018)
   2561 - cookies: extend domain checks to non psl builds
   2562   
   2563   Ensure to perform the checks we have to enforce a sane domain in
   2564   the cookie request. The check for non-PSL enabled builds is quite
   2565   basic but it's better than nothing.
   2566   
   2567   Closes #2964
   2568   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2569 
   2570 Daniel Stenberg (19 Dec 2018)
   2571 - [Matus Uzak brought this change]
   2572 
   2573   smb: fix incorrect path in request if connection reused
   2574   
   2575   Follow-up to 09e401e01bf9.  If connection gets reused, then data member
   2576   will be copied, but not the proto member.  As a result, in smb_do(),
   2577   path has been set from the original proto.share data.
   2578   
   2579   Closes #3388
   2580 
   2581 - curl -J: do not append to the destination file
   2582   
   2583   Reported-by: Kamil Dudka
   2584   Fixes #3380
   2585   Closes #3381
   2586 
   2587 - mbedtls: use VERIFYHOST
   2588   
   2589   Previously, VERIFYPEER would enable/disable all checks.
   2590   
   2591   Reported-by: Eric Rosenquist
   2592   Fixes #3376
   2593   Closes #3380
   2594 
   2595 - pingpong: change default response timeout to 120 seconds
   2596   
   2597   Previously it was 30 minutes
   2598 
   2599 - pingpong: ignore regular timeout in disconnect phase
   2600   
   2601   The timeout set with CURLOPT_TIMEOUT is no longer used when
   2602   disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP,
   2603   POP3).
   2604   
   2605   Reported-by: jasal82 on github
   2606   
   2607   Fixes #3264
   2608   Closes #3374
   2609 
   2610 - TODO: Windows: set attribute 'archive' for completed downloads
   2611   
   2612   Closes #3354
   2613 
   2614 - RELEASE-NOTES: synced
   2615 
   2616 - http: minor whitespace cleanup from f464535b
   2617 
   2618 - [Ayoub Boudhar brought this change]
   2619 
   2620   http: Implement trailing headers for chunked transfers
   2621   
   2622   This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION
   2623   options that allow a callback based approach to sending trailing headers
   2624   with chunked transfers.
   2625   
   2626   The test server (sws) was updated to take into account the detection of the
   2627   end of transfer in the case of trailing headers presence.
   2628   
   2629   Test 1591 checks that trailing headers can be sent using libcurl.
   2630   
   2631   Closes #3350
   2632 
   2633 - darwinssl: accept setting max-tls with default min-tls
   2634   
   2635   Reported-by: Andrei Neculau
   2636   Fixes #3367
   2637   Closes #3373
   2638 
   2639 - gopher: fix memory leak from 9026083ddb2a9
   2640 
   2641 - [Leonardo Taccari brought this change]
   2642 
   2643   test1201: Add a trailing `?' to the selector
   2644   
   2645   This verify that the `?' in the selector is kept as is.
   2646   
   2647   Verifies the fix in #3370
   2648 
   2649 - [Leonardo Taccari brought this change]
   2650 
   2651   gopher: always include the entire gopher-path in request
   2652   
   2653   After the migration to URL API all octets in the selector after the
   2654   first `?' were interpreted as query and accidentally discarded and not
   2655   passed to the server.
   2656   
   2657   Add a gopherpath to always concatenate possible path and query URL
   2658   pieces.
   2659   
   2660   Fixes #3369
   2661   Closes #3370
   2662 
   2663 - [Leonardo Taccari brought this change]
   2664 
   2665   urlapi: distinguish possibly empty query
   2666   
   2667   If just a `?' to indicate the query is passed always store a zero length
   2668   query instead of having a NULL query.
   2669   
   2670   This permits to distinguish URL with trailing `?'.
   2671   
   2672   Fixes #3369
   2673   Closes #3370
   2674 
   2675 Daniel Gustafsson (13 Dec 2018)
   2676 - OS400: handle memory error in list conversion
   2677   
   2678   Curl_slist_append_nodup() returns NULL when it fails to create a new
   2679   item for the specified list, and since the coding here reassigned the
   2680   new list on top of the old list it would result in a dangling pointer
   2681   and lost memory. Also, in case we hit an allocation failure at some
   2682   point during the conversion, with allocation succeeding again on the
   2683   subsequent call(s) we will return a truncated list around the malloc
   2684   failure point. Fix by assigning to a temporary list pointer, which can
   2685   be checked (which is the common pattern for slist appending), and free
   2686   all the resources on allocation failure.
   2687   
   2688   Closes #3372
   2689   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2690 
   2691 - cookies: leave secure cookies alone
   2692   
   2693   Only allow secure origins to be able to write cookies with the
   2694   'secure' flag set. This reduces the risk of non-secure origins
   2695   to influence the state of secure origins. This implements IETF
   2696   Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
   2697   RFC6265.
   2698   
   2699   Closes #2956
   2700   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2701 
   2702 Daniel Stenberg (13 Dec 2018)
   2703 - docs: fix the --tls-max description
   2704   
   2705   Reported-by: Tobias Lindgren
   2706   Pointed out in #3367
   2707   
   2708   Closes #3368
   2709 
   2710 Daniel Gustafsson (12 Dec 2018)
   2711 - urlapi: Fix port parsing of eol colon
   2712   
   2713   A URL with a single colon without a portnumber should use the default
   2714   port, discarding the colon. Fix, add a testcase and also do little bit
   2715   of comment wordsmithing.
   2716   
   2717   Closes #3365
   2718   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2719 
   2720 Version 7.63.0 (12 Dec 2018)
   2721 
   2722 Daniel Stenberg (12 Dec 2018)
   2723 - RELEASE-NOTES: 7.63.0
   2724 
   2725 - THANKS: from the curl 7.62.0 cycle
   2726 
   2727 - test1519: use lib1518 and test CURLINFO_REDIRECT_URL more
   2728 
   2729 - Curl_follow: extract the Location: header field unvalidated
   2730   
   2731   ... when not actually following the redirect. Otherwise we return error
   2732   for this and an application can't extract the value.
   2733   
   2734   Test 1518 added to verify.
   2735   
   2736   Reported-by: Pavel Pavlov
   2737   Fixes #3340
   2738   Closes #3364
   2739 
   2740 - multi: convert two timeout variables to timediff_t
   2741   
   2742   The time_t type is unsigned on some systems and these variables are used
   2743   to hold return values from functions that return timediff_t
   2744   already. timediff_t is always a signed type.
   2745   
   2746   Closes #3363
   2747 
   2748 - delta: use --diff-filter on the git diff-tree invokes
   2749   
   2750   Suggested-by: Dave Reisner
   2751 
   2752 Patrick Monnerat (11 Dec 2018)
   2753 - documentation: curl_formadd field and file names are now escaped
   2754   
   2755   Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition
   2756   header without special processing: this may lead to invalid RFC 822
   2757   quoted-strings.
   2758   7.56.0 introduces escaping of backslashes and double quotes in these names:
   2759   mention it in the documentation.
   2760   
   2761   Reported-by: daboul on github
   2762   Closes #3361
   2763 
   2764 Daniel Stenberg (11 Dec 2018)
   2765 - scripts/delta: show repo delta info from last release
   2766   
   2767   ... where "last release" should be the git tag in the repo.
   2768 
   2769 Daniel Gustafsson (11 Dec 2018)
   2770 - tests: add urlapi unittest
   2771   
   2772   This adds a new unittest intended to cover the internal functions in
   2773   the urlapi code, starting with parse_port(). In order to avoid name
   2774   collisions in debug builds, parse_port() is renamed Curl_parse_port()
   2775   since it will be exported.
   2776   
   2777   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2778   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   2779 
   2780 - urlapi: fix portnumber parsing for ipv6 zone index
   2781   
   2782   An IPv6 URL which contains a zone index includes a '%%25<zode id>'
   2783   string before the ending ']' bracket. The parsing logic wasn't set
   2784   up to cope with the zone index however, resulting in a malformed url
   2785   error being returned. Fix by breaking the parsing into two stages
   2786   to correctly handle the zone index.
   2787   
   2788   Closes #3355
   2789   Closes #3319
   2790   Reported-by: tonystz on Github
   2791   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   2792   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   2793 
   2794 Daniel Stenberg (11 Dec 2018)
   2795 - [Jay Satiro brought this change]
   2796 
   2797   http: fix HTTP auth to include query in URI
   2798   
   2799   - Include query in the path passed to generate HTTP auth.
   2800   
   2801   Recent changes to use the URL API internally (46e1640, 7.62.0)
   2802   inadvertently broke authentication URIs by omitting the query.
   2803   
   2804   Fixes https://github.com/curl/curl/issues/3353
   2805   Closes #3356
   2806 
   2807 - [Michael Kaufmann brought this change]
   2808 
   2809   http: don't set CURLINFO_CONDITION_UNMET for http status code 204
   2810   
   2811   The http status code 204 (No Content) should not change the "condition
   2812   unmet" flag. Only the http status code 304 (Not Modified) should do
   2813   this.
   2814   
   2815   Closes #359
   2816 
   2817 - [Samuel Surtees brought this change]
   2818 
   2819   ldap: fix LDAP URL parsing regressions
   2820   
   2821   - Match URL scheme with LDAP and LDAPS
   2822   - Retrieve attributes, scope and filter from URL query instead
   2823   
   2824   Regression brought in 46e164069d1a5230 (7.62.0)
   2825   
   2826   Closes #3362
   2827 
   2828 - RELEASE-NOTES: synced
   2829 
   2830 - [Stefan Kanthak brought this change]
   2831 
   2832   (lib)curl.rc: fixup for minor bugs
   2833   
   2834   All resources defined in lib/libcurl.rc and curl.rc are language
   2835   neutral.
   2836   
   2837   winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
   2838   ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.
   2839   
   2840   Replace the hard-coded constants in both *.rc files with #define'd
   2841   values.
   2842   
   2843   Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
   2844   URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
   2845   Closes #3348
   2846 
   2847 - test329: verify cookie max-age=0 immediate expiry
   2848 
   2849 - cookies: expire "Max-Age=0" immediately
   2850   
   2851   Reported-by: Jeroen Ooms
   2852   Fixes #3351
   2853   Closes #3352
   2854 
   2855 - [Johannes Schindelin brought this change]
   2856 
   2857   Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
   2858   
   2859   This is a companion patch to cbea2fd2c (NTLM: force the connection to
   2860   HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
   2861   preemptively. However, with other (Negotiate) authentication it is not
   2862   clear to this developer whether there is a way to make it work with
   2863   HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
   2864   error HTTP_1_1_REQUIRED.
   2865   
   2866   Note: we will still keep the NTLM workaround, as it avoids an extra
   2867   round trip.
   2868   
   2869   Daniel Stenberg helped a lot with this patch, in particular by
   2870   suggesting to introduce the Curl_h2_http_1_1_error() function.
   2871   
   2872   Closes #3349
   2873   
   2874   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   2875 
   2876 - [Ben Greear brought this change]
   2877 
   2878   openssl: fix unused variable compiler warning with old openssl
   2879   
   2880   URL: https://curl.haxx.se/mail/lib-2018-11/0055.html
   2881   
   2882   Closes #3347
   2883 
   2884 - [Johannes Schindelin brought this change]
   2885 
   2886   NTLM: force the connection to HTTP/1.1
   2887   
   2888   Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
   2889   the capability. However, NTLM authentication only works with HTTP/1.1,
   2890   and will likely remain in that boat (for details, see
   2891   https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).
   2892   
   2893   When we just found out that we want to use NTLM, and when the current
   2894   connection runs in HTTP/2 mode, let's force the connection to be closed
   2895   and to be re-opened using HTTP/1.1.
   2896   
   2897   Fixes https://github.com/curl/curl/issues/3341.
   2898   Closes #3345
   2899   
   2900   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   2901 
   2902 - [Johannes Schindelin brought this change]
   2903 
   2904   curl_global_sslset(): id == -1 is not necessarily an error
   2905   
   2906   It is allowed to call that function with id set to -1, specifying the
   2907   backend by the name instead. We should imitate what is done further down
   2908   in that function to allow for that.
   2909   
   2910   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   2911   
   2912   Closes #3346
   2913 
   2914 Johannes Schindelin (6 Dec 2018)
   2915 - .gitattributes: make tabs in indentation a visible error
   2916   
   2917   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   2918 
   2919 Daniel Stenberg (6 Dec 2018)
   2920 - RELEASE-NOTES: synced
   2921 
   2922 - doh: fix memory leak in OOM situation
   2923   
   2924   Reviewed-by: Daniel Gustafsson
   2925   Closes #3342
   2926 
   2927 - doh: make it work for h2-disabled builds too
   2928   
   2929   Reported-by: dtmsecurity at github
   2930   Fixes #3325
   2931   Closes #3336
   2932 
   2933 - packages: remove old leftover files and dirs
   2934   
   2935   This subdir has mostly become an attic of never-used cruft from the
   2936   past.
   2937   
   2938   Closes #3331
   2939 
   2940 - [Gergely Nagy brought this change]
   2941 
   2942   openssl: do not use file BIOs if not requested
   2943   
   2944   Moves the file handling BIO calls to the branch of the code where they
   2945   are actually used.
   2946   
   2947   Closes #3339
   2948 
   2949 - [Paul Howarth brought this change]
   2950 
   2951   nss: Fix compatibility with nss versions 3.14 to 3.15
   2952 
   2953 - [Paul Howarth brought this change]
   2954 
   2955   nss: Improve info message when falling back SSL protocol
   2956   
   2957   Use descriptive text strings rather than decimal numbers.
   2958 
   2959 - [Paul Howarth brought this change]
   2960 
   2961   nss: Fall back to latest supported SSL version
   2962   
   2963   NSS may be built without support for the latest SSL/TLS versions,
   2964   leading to "SSL version range is not valid" errors when the library
   2965   code supports a recent version (e.g. TLS v1.3) but it has explicitly
   2966   been disabled.
   2967   
   2968   This change adjusts the maximum SSL version requested by libcurl to
   2969   be the maximum supported version at runtime, as long as that version
   2970   is at least as high as the minimum version required by libcurl.
   2971   
   2972   Fixes #3261
   2973 
   2974 Daniel Gustafsson (3 Dec 2018)
   2975 - travis: enable COPYRIGHTYEAR extended warning
   2976   
   2977   The extended warning for checking incorrect COPYRIGHTYEAR is quite
   2978   expensive to run, so rather than expecting every developer to do it
   2979   we ensure it's turned on locally for Travis.
   2980 
   2981 - checksrc: add COPYRIGHTYEAR check
   2982   
   2983   Forgetting to bump the year in the copyright clause when hacking has
   2984   been quite common among curl developers, but a traditional checksrc
   2985   check isn't a good fit as it would penalize anyone hacking on January
   2986   1st (among other things). This adds a more selective COPYRIGHTYEAR
   2987   check which intends to only cover the currently hacked on changeset.
   2988   
   2989   The check for updated copyright year is currently not enforced on all
   2990   files but only on files edited and/or committed locally. This is due to
   2991   the amount of files which aren't updated with their correct copyright
   2992   year at the time of their respective commit.
   2993   
   2994   To further avoid running this expensive check for every developer, it
   2995   adds a new local override mode for checksrc where a .checksrc file can
   2996   be used to turn on extended warnings locally.
   2997   
   2998   Closes #3303
   2999   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3000 
   3001 Daniel Stenberg (3 Dec 2018)
   3002 - CHECKSRC.md: document more warnings
   3003   
   3004   Closes #3335
   3005   [ci skip]
   3006 
   3007 - RELEASE-NOTES: synced
   3008 
   3009 - SECURITY-PROCESS: bountygraph shuts down
   3010   
   3011   This backpedals back the documents to the state before bountygraph.
   3012   
   3013   Closes #3311
   3014 
   3015 - curl: fix memory leak reading --writeout from file
   3016   
   3017   If another string had been set first, the writout function for reading
   3018   the syntax from file would leak the previously allocated memory.
   3019   
   3020   Reported-by: Brian Carpenter
   3021   Fixes #3322
   3022   Closes #3330
   3023 
   3024 - tool_main: rename function to make it unique and better
   3025   
   3026   ... there's already another function in the curl tool named
   3027   free_config_fields!
   3028 
   3029 Daniel Gustafsson (29 Nov 2018)
   3030 - TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry
   3031   
   3032   Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option
   3033   making it a manual code-edit operation to turn it back on. The removal
   3034   process has thus started and is now documented in docs/DEPRECATE.md so
   3035   remove from the TODO to avoid anyone looking for something to pick up
   3036   spend cycles on an already in-progress entry.
   3037   
   3038   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3039 
   3040 Jay Satiro (29 Nov 2018)
   3041 - [Sevan Janiyan brought this change]
   3042 
   3043   connect: fix building for recent versions of Minix
   3044   
   3045   EBADIOCTL doesn't exist on more recent Minix.
   3046   There have also been substantial changes to the network stack.
   3047   Fixes build on Minix 3.4rc
   3048   
   3049   Closes https://github.com/curl/curl/pull/3323
   3050 
   3051 - [Konstantin Kushnir brought this change]
   3052 
   3053   CMake: fix MIT/Heimdal Kerberos detection
   3054   
   3055   - fix syntax error in FindGSS.cmake
   3056   - correct krb5 include directory. FindGSS exports
   3057     "GSS_INCLUDE_DIR" variable.
   3058   
   3059   Closes https://github.com/curl/curl/pull/3316
   3060 
   3061 Daniel Stenberg (28 Nov 2018)
   3062 - test328: verify Content-Encoding: none
   3063   
   3064   Because of issue #3315
   3065   
   3066   Closes #3317
   3067 
   3068 - [James Knight brought this change]
   3069 
   3070   configure: include all libraries in ssl-libs fetch
   3071   
   3072   When compiling a collection of SSL libraries to link against (SSL_LIBS),
   3073   ensure all libraries are included. The call `--libs-only-l` can produce
   3074   only a subset of found in a `--libs` call (e.x. pthread may be excluded).
   3075   Adding `--libs-only-other` ensures other libraries are also included in
   3076   the list. This corrects select build environments compiling against a
   3077   static version of OpenSSL. Before the change, the following could be
   3078   observed:
   3079   
   3080       checking for openssl options with pkg-config... found
   3081       configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
   3082       configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
   3083       configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
   3084       checking for HMAC_Update in -lcrypto... no
   3085       checking for HMAC_Init_ex in -lcrypto... no
   3086       checking OpenSSL linking with -ldl... no
   3087       checking OpenSSL linking with -ldl and -lpthread... no
   3088       configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
   3089       configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
   3090       ...
   3091       SSL support:      no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
   3092       ...
   3093   
   3094   And include the other libraries when compiling SSL_LIBS succeeds with:
   3095   
   3096       checking for openssl options with pkg-config... found
   3097       configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
   3098       configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
   3099       configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
   3100       checking for HMAC_Update in -lcrypto... yes
   3101       checking for SSL_connect in -lssl... yes
   3102       ...
   3103       SSL support:      enabled (OpenSSL)
   3104       ...
   3105   
   3106   Signed-off-by: James Knight <james.d.knight (a] live.com>
   3107   Closes #3193
   3108 
   3109 Daniel Gustafsson (26 Nov 2018)
   3110 - doh: fix typo in infof call
   3111   
   3112   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3113 
   3114 - cmdline-opts/gen.pl: define the correct varname
   3115   
   3116   The variable definition had a small typo making it declare another
   3117   variable then the intended.
   3118   
   3119   Closes #3304
   3120   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3121 
   3122 Daniel Stenberg (25 Nov 2018)
   3123 - RELEASE-NOTES: synced
   3124 
   3125 - curl_easy_perform: fix timeout handling
   3126   
   3127   curl_multi_wait() was erroneously used from within
   3128   curl_easy_perform(). It could lead to it believing there was no socket
   3129   to wait for and then instead sleep for a while instead of monitoring the
   3130   socket and then miss acting on that activity as swiftly as it should
   3131   (causing an up to 1000 ms delay).
   3132   
   3133   Reported-by: Antoni Villalonga
   3134   Fixes #3305
   3135   Closes #3306
   3136   Closes #3308
   3137 
   3138 - CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
   3139 
   3140 - cookies: create the cookiejar even if no cookies to save
   3141   
   3142   Important for when the file is going to be read again and thus must not
   3143   contain old contents!
   3144   
   3145   Adds test 327 to verify.
   3146   
   3147   Reported-by: daboul on github
   3148   Fixes #3299
   3149   Closes #3300
   3150 
   3151 - checksrc: ban snprintf use, add command line flag to override warns
   3152 
   3153 - snprintf: renamed and we now only use msnprintf()
   3154   
   3155   The function does not return the same value as snprintf() normally does,
   3156   so readers may be mislead into thinking the code works differently than
   3157   it actually does. A different function name makes this easier to detect.
   3158   
   3159   Reported-by: Tomas Hoger
   3160   Assisted-by: Daniel Gustafsson
   3161   Fixes #3296
   3162   Closes #3297
   3163 
   3164 - [Tobias Hintze brought this change]
   3165 
   3166   test: update test20/1322 for eglibc bug workaround
   3167   
   3168   The tests 20 and 1322 are using getaddrinfo of libc for resolving. In
   3169   eglibc-2.19 there is a memory leakage and invalid free bug which
   3170   surfaces in some special circumstances (PF_UNSPEC hint with invalid or
   3171   non-existent names). The valgrind runs in testing fail in these
   3172   situations.
   3173   
   3174   As the tests 20/1322 are not specific on either protocol (IPv4/IPv6)
   3175   this commit changes the hints to IPv4 protocol by passing `--ipv4` flag
   3176   on the tests' command line.  This prevents the valgrind failures.
   3177 
   3178 - [Tobias Hintze brought this change]
   3179 
   3180   host names: allow trailing dot in name resolve, then strip it
   3181   
   3182   Delays stripping of trailing dots to after resolving the hostname.
   3183   
   3184   Fixes #3022
   3185   Closes #3222
   3186 
   3187 - [UnknownShadow200 brought this change]
   3188 
   3189   CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
   3190   
   3191   Closes #3295
   3192 
   3193 Daniel Gustafsson (21 Nov 2018)
   3194 - configure: Fix typo in comment
   3195 
   3196 Michael Kaufmann (21 Nov 2018)
   3197 - openssl: support session resume with TLS 1.3
   3198   
   3199   Session resumption information is not available immediately after a TLS 1.3
   3200   handshake. The client must wait until the server has sent a session ticket.
   3201   
   3202   Use OpenSSL's "new session" callback to get the session information and put it
   3203   into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
   3204   after the server has sent a session ticket.
   3205   
   3206   The "new session" callback is invoked only if OpenSSL's session cache is
   3207   enabled, so enable it and use the "external storage" mode which lets curl manage
   3208   the contents of the session cache.
   3209   
   3210   A pointer to the connection data and the sockindex are now saved as "SSL extra
   3211   data" to make them available to the callback.
   3212   
   3213   This approach also works for old SSL/TLS versions and old OpenSSL versions.
   3214   
   3215   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3216   
   3217   Fixes #3202
   3218   Closes #3271
   3219 
   3220 - ssl: fix compilation with OpenSSL 0.9.7
   3221   
   3222   - ENGINE_cleanup() was used without including "openssl/engine.h"
   3223   - enable engine support for OpenSSL 0.9.7
   3224   
   3225   Closes #3266
   3226 
   3227 Daniel Stenberg (21 Nov 2018)
   3228 - openssl: disable TLS renegotiation with BoringSSL
   3229   
   3230   Since we're close to feature freeze, this change disables this feature
   3231   with an #ifdef. Define ALLOW_RENEG at build-time to enable.
   3232   
   3233   This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
   3234   applications opt-in this.
   3235   
   3236   Concern-raised-by: David Benjamin
   3237   Fixes #3283
   3238   Closes #3293
   3239 
   3240 - [Romain Fliedel brought this change]
   3241 
   3242   ares: remove fd from multi fd set when ares is about to close the fd
   3243   
   3244   When using c-ares for asyn dns, the dns socket fd was silently closed
   3245   by c-ares without curl being aware. curl would then 'realize' the fd
   3246   has been removed at next call of Curl_resolver_getsock, and only then
   3247   notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
   3248   CURL_POLL_REMOVE. At this point the fd is already closed.
   3249   
   3250   By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
   3251   patch allows curl to be notified that the fd is not longer needed
   3252   for neither for write nor read. At this point by calling
   3253   Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
   3254   before the fd is actually closed by ares.
   3255   
   3256   In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
   3257   since it does not allow passing a different sock_state_cb_data
   3258   
   3259   Closes #3238
   3260 
   3261 - [Romain Fliedel brought this change]
   3262 
   3263   examples/ephiperfifo: report error when epoll_ctl fails
   3264 
   3265 Daniel Gustafsson (20 Nov 2018)
   3266 - [pkubaj brought this change]
   3267 
   3268   ntlm: Remove redundant ifdef USE_OPENSSL
   3269   
   3270   lib/curl_ntlm.c had code that read as follows:
   3271   
   3272     #ifdef USE_OPENSSL
   3273     # ifdef USE_OPENSSL
   3274     # else
   3275     # ..
   3276     # endif
   3277     #endif
   3278   
   3279   Remove the redundant USE_OPENSSL along with #else (it's not possible to
   3280   reach it anyway). The removed construction is a leftover from when the
   3281   SSLeay support was removed.
   3282   
   3283   Closes #3269
   3284   Reviewed-by: Daniel Gustafsson <daniel (a] yesql.se>
   3285   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3286 
   3287 Daniel Stenberg (20 Nov 2018)
   3288 - [Han Han brought this change]
   3289 
   3290   ssl: replace all internal uses of CURLE_SSL_CACERT
   3291   
   3292   Closes #3291
   3293 
   3294 Han Han (19 Nov 2018)
   3295 - docs: add more description to unified ssl error codes
   3296 
   3297 - curle: move deprecated error code to ifndef block
   3298 
   3299 Patrick Monnerat (19 Nov 2018)
   3300 - os400: add CURLOPT_CURLU to ILE/RPG binding.
   3301 
   3302 - os400: Add curl_easy_conn_upkeep() to ILE/RPG binding.
   3303 
   3304 - os400: fix return type of curl_easy_pause() in ILE/RPG binding.
   3305 
   3306 Daniel Stenberg (19 Nov 2018)
   3307 - RELEASE-NOTES: synced
   3308 
   3309 - impacket: add LICENSE
   3310   
   3311   The license for the impacket package was not in our tree.
   3312   
   3313   Imported now from upstream's
   3314   https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE
   3315   
   3316   Reported-by: infinnovation-dev on github
   3317   Fixes #3276
   3318   Closes #3277
   3319 
   3320 Daniel Gustafsson (18 Nov 2018)
   3321 - tool_doswin: Fix uninitialized field warning
   3322   
   3323   The partial struct initialization in 397664a065abffb7c3445ca9 caused
   3324   a warning on uninitialized MODULEENTRY32 struct members:
   3325   
   3326     /src/tool_doswin.c:681:3: warning: missing initializer for field
   3327     'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}'
   3328     [-Wmissing-field-initializers]
   3329   
   3330   This is sort of a bogus warning as the remaining members will be set
   3331   to zero by the compiler, as all omitted members are. Nevertheless,
   3332   remove the warning by omitting all members and setting the dwSize
   3333   members explicitly.
   3334   
   3335   Closes #3254
   3336   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   3337   Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com>
   3338 
   3339 - openssl: Remove SSLEAY leftovers
   3340   
   3341   Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't
   3342   compatible with the SSLeay library. This removes the few leftovers that
   3343   were omitted in the less frequently used platform targets.
   3344   
   3345   Closes #3270
   3346   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3347 
   3348 Daniel Stenberg (16 Nov 2018)
   3349 - [Elia Tufarolo brought this change]
   3350 
   3351   http_negotiate: do not close connection until negotiation is completed
   3352   
   3353   Fix HTTP POST using CURLAUTH_NEGOTIATE.
   3354   
   3355   Closes #3275
   3356 
   3357 - pop3: only do APOP with a valid timestamp
   3358   
   3359   Brought-by: bobmitchell1956 on github
   3360   Fixes #3278
   3361   Closes #3279
   3362 
   3363 Jay Satiro (16 Nov 2018)
   3364 - [Peter Wu brought this change]
   3365 
   3366   openssl: do not log excess "TLS app data" lines for TLS 1.3
   3367   
   3368   The SSL_CTX_set_msg_callback callback is not just called for the
   3369   Handshake or Alert protocols, but also for the raw record header
   3370   (SSL3_RT_HEADER) and the decrypted inner record type
   3371   (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
   3372   excess debug spam when using `curl -v` against a TLSv1.3-enabled server:
   3373   
   3374       * TLSv1.3 (IN), TLS app data, [no content] (0):
   3375   
   3376   (Following this message, another callback for the decrypted
   3377   handshake/alert messages will be be present anyway.)
   3378   
   3379   Closes https://github.com/curl/curl/pull/3281
   3380 
   3381 Marc Hoersken (15 Nov 2018)
   3382 - tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
   3383   
   3384   SO_EXCLUSIVEADDRUSE is on by default on Vista or newer,
   3385   but does not work together with SO_REUSEADDR being on.
   3386   
   3387   The default changes were made with stunnel 5.34 and 5.35.
   3388 
   3389 Daniel Stenberg (13 Nov 2018)
   3390 - [Kamil Dudka brought this change]
   3391 
   3392   nss: remove version selecting dead code
   3393   
   3394   Closes #3262
   3395 
   3396 - nss: set default max-tls to 1.3/1.2
   3397   
   3398   Fixes #3261
   3399 
   3400 Daniel Gustafsson (13 Nov 2018)
   3401 - tool_cb_wrt: Silence function cast compiler warning
   3402   
   3403   Commit 5bfaa86ceb3c2a9ac474a928e748c4a86a703b33 introduced a new
   3404   compiler warning on Windows cross compilation with GCC. See below
   3405   for an example of the warning from the autobuild logs (whitespace
   3406   edited to fit):
   3407   
   3408   /src/tool_cb_wrt.c:175:9: warning: cast from function call of type
   3409       'intptr_t {aka long long int}' to non-matching type 'void *'
   3410       [-Wbad-function-cast]
   3411   (HANDLE) _get_osfhandle(fileno(outs->stream)),
   3412   ^
   3413   
   3414   Store the return value from _get_osfhandle() in an intermediate
   3415   variable and cast the variable in WriteConsoleW() rather than the
   3416   function call directly to avoid a compiler warning.
   3417   
   3418   In passing, also add inspection of the MultiByteToWideChar() return
   3419   value and return failure in case an error is reported.
   3420   
   3421   Closes #3263
   3422   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   3423   Reviewed-by: Viktor Szakats <commit (a] vszakats.net>
   3424 
   3425 Daniel Stenberg (12 Nov 2018)
   3426 - nss: fix fallthrough comment to fix picky compiler warning
   3427 
   3428 - docs: expanded on some CURLU details
   3429 
   3430 - [Tim Rhsen brought this change]
   3431 
   3432   ftp: avoid two unsigned int overflows in FTP listing parser
   3433   
   3434   Curl_ftp_parselist: avoid unsigned integer overflows
   3435   
   3436   The overflow has no real world impact, just avoid it for "best
   3437   practice".
   3438   
   3439   Closes #3225
   3440 
   3441 - curl: --local-port range was not "including"
   3442   
   3443   The end port number in a given range was not included in the range used,
   3444   as it is documented to be.
   3445   
   3446   Reported-by: infinnovation-dev on github
   3447   Fixes #3251
   3448   Closes #3255
   3449 
   3450 - [Jrmy Rocher brought this change]
   3451 
   3452   openssl: support BoringSSL TLS renegotiation
   3453   
   3454   As per BoringSSL porting documentation [1], BoringSSL rejects peer
   3455   renegotiations by default.
   3456   
   3457   curl fails when trying to authenticate to server through client
   3458   certificate if it is requested by server after the initial TLS
   3459   handshake.
   3460   
   3461   Enable renegotiation by default with BoringSSL to get same behavior as
   3462   with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
   3463   which was introduced in commit 1d5ef3bb1eb9 [3].
   3464   
   3465   1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
   3466   2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
   3467   3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86
   3468   
   3469   Signed-off-by: Jrmy Rocher <rocher.jeremy (a] gmail.com>
   3470   Fixes #3258
   3471   Closes #3259
   3472 
   3473 - HISTORY: add some milestones
   3474   
   3475   Added a few of the more notable milestones in curl history that were
   3476   missing. Primarily more recent ones but I also noted some older that
   3477   could be worth mentioning.
   3478   
   3479   [ci skip]
   3480   Closes #3257
   3481 
   3482 Daniel Gustafsson (9 Nov 2018)
   3483 - KNOWN_BUGS: add --proxy-any connection issue
   3484   
   3485   Add the identified issue with --proxy-any and proxy servers which
   3486   advertise authentication schemes other than the supported one.
   3487   
   3488   Closes #876
   3489   Closes #3250
   3490   Reported-by: NTMan on Github
   3491   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3492 
   3493 Daniel Stenberg (9 Nov 2018)
   3494 - [Jim Fuller brought this change]
   3495 
   3496   setopt: add CURLOPT_CURLU
   3497   
   3498   Allows an application to pass in a pre-parsed URL via a URL handle.
   3499   
   3500   Closes #3227
   3501 
   3502 - [Gisle Vanem brought this change]
   3503 
   3504   docs: ESCape "\n" codes
   3505   
   3506   Groff / Troff will display a:
   3507    printaf("Errno: %ld\n", error);
   3508   as:
   3509     printf("Errno: %ld0, error);
   3510   
   3511   when a "\n" is not escaped. Use "\\n" instead.
   3512   
   3513   Closes #3246
   3514 
   3515 - curl: --local-port fix followup
   3516   
   3517   Regression by 52db54869e6.
   3518   
   3519   Reported-by: infinnovation-dev on github
   3520   Fixes #3248
   3521   Closes #3249
   3522 
   3523 GitHub (7 Nov 2018)
   3524 - [Gisle Vanem brought this change]
   3525 
   3526   More "\n" ESCaping
   3527 
   3528 Daniel Stenberg (7 Nov 2018)
   3529 - RELEASE-NOTES: synced
   3530 
   3531 - curl: fix --local-port integer overflow
   3532   
   3533   The tool's local port command line range parser didn't check for integer
   3534   overflows and could pass "weird" data to libcurl for this option.
   3535   libcurl however, has a strict range check for the values so it rejects
   3536   anything outside of the accepted range.
   3537   
   3538   Reported-by: Brian Carpenter
   3539   Closes #3242
   3540 
   3541 - curl: correct the switch() logic in ourWriteOut
   3542   
   3543   Follow-up to e431daf013, as I did the wrong correction for a compiler
   3544   warning. It should be a break and not a fall-through.
   3545   
   3546   Pointed-out-by: Frank Gevaerts
   3547 
   3548 - [Frank Gevaerts brought this change]
   3549 
   3550   curl: add %{stderr} and %{stdout} for --write-out
   3551   
   3552   Closes #3115
   3553 
   3554 Daniel Gustafsson (7 Nov 2018)
   3555 - winssl: be consistent in Schannel capitalization
   3556   
   3557   The productname from Microsoft is "Schannel", but in infof/failf
   3558   reporting we use "schannel". This removes different versions.
   3559   
   3560   Closes #3243
   3561   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3562 
   3563 Daniel Stenberg (7 Nov 2018)
   3564 - TODO: Have the URL API offer IDN decoding
   3565   
   3566   Similar to how URL decoding/encoding is done, we could have URL
   3567   functions to convert IDN host names to punycode.
   3568   
   3569   Suggested-by: Alexey Melnichuk
   3570   Closes #3232
   3571 
   3572 - urlapi: only skip encoding the first '=' with APPENDQUERY set
   3573   
   3574   APPENDQUERY + URLENCODE would skip all equals signs but now it only skip
   3575   encoding the first to better allow "name=content" for any content.
   3576   
   3577   Reported-by: Alexey Melnichuk
   3578   Fixes #3231
   3579   Closes #3231
   3580 
   3581 - url: a short host name + port is not a scheme
   3582   
   3583   The function identifying a leading "scheme" part of the URL considered a
   3584   few letters ending with a colon to be a scheme, making something like
   3585   "short:80" to become an unknown scheme instead of a short host name and
   3586   a port number.
   3587   
   3588   Extended test 1560 to verify.
   3589   
   3590   Also fixed test203 to use file_pwd to make it get the correct path on
   3591   windows. Removed test 2070 since it was a duplicate of 203.
   3592   
   3593   Assisted-by: Marcel Raad
   3594   Reported-by: Hagai Auro
   3595   Fixes #3220
   3596   Fixes #3233
   3597   Closes #3223
   3598   Closes #3235
   3599 
   3600 - [Sangamkar brought this change]
   3601 
   3602   libcurl: stop reading from paused transfers
   3603   
   3604   In the transfer loop it would previously not acknwledge the pause bit
   3605   and continue until drained or loop ended.
   3606   
   3607   Closes #3240
   3608 
   3609 Jay Satiro (6 Nov 2018)
   3610 - tool: add undocumented option --dump-module-paths for win32
   3611   
   3612   - Add an undocumented diagnostic option for Windows to show the full
   3613     paths of all loaded modules regardless of whether or not libcurl
   3614     initialization succeeds.
   3615   
   3616   This is needed so that in the CI we can get a list of all DLL
   3617   dependencies after initialization (when they're most likely to have
   3618   finished loading) and then package them as artifacts so that a
   3619   functioning build can be downloaded. Also I imagine it may have some use
   3620   as a diagnostic for help requests.
   3621   
   3622   Ref: https://github.com/curl/curl/pull/3103
   3623   
   3624   Closes https://github.com/curl/curl/pull/3208
   3625 
   3626 - curl_multibyte: fix a malloc overcalculation
   3627   
   3628   Prior to this change twice as many bytes as necessary were malloc'd when
   3629   converting wchar to UTF8. To allay confusion in the future I also
   3630   changed the variable name for the amount of bytes from len to bytes.
   3631   
   3632   Closes https://github.com/curl/curl/pull/3209
   3633 
   3634 Michael Kaufmann (5 Nov 2018)
   3635 - netrc: don't ignore the login name specified with "--user"
   3636   
   3637   - for "--netrc", don't ignore the login/password specified with "--user",
   3638     only ignore the login/password in the URL.
   3639     This restores the netrc behaviour of curl 7.61.1 and earlier.
   3640   - fix the documentation of CURL_NETRC_REQUIRED
   3641   - improve the detection of login/password changes when reading .netrc
   3642   - don't read .netrc if both login and password are already set
   3643   
   3644   Fixes #3213
   3645   Closes #3224
   3646 
   3647 Patrick Monnerat (5 Nov 2018)
   3648 - OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
   3649 
   3650 Daniel Stenberg (5 Nov 2018)
   3651 - [Yasuhiro Matsumoto brought this change]
   3652 
   3653   curl: fixed UTF-8 in current console code page (Windows)
   3654   
   3655   Fixes #3211
   3656   Fixes #3175
   3657   Closes #3212
   3658 
   3659 - TODO: 2.6 multi upkeep
   3660   
   3661   Closes #3199
   3662 
   3663 Daniel Gustafsson (5 Nov 2018)
   3664 - unittest: make 1652 stable across collations
   3665   
   3666   The previous coding used a format string whose output depended on the
   3667   current locale of the environment running the test. Since the gist of
   3668   the test is to have a format string, with the actual formatting being
   3669   less important, switch to a more stable formatstring with decimals.
   3670   
   3671   Reported-by: Marcel Raad
   3672   Closes #3234
   3673   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3674   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   3675 
   3676 Daniel Stenberg (5 Nov 2018)
   3677 - Revert "url: a short host name + port is not a scheme"
   3678   
   3679   This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2.
   3680   
   3681   This commit caused test failures on appveyor/windows. Work on fixing them is
   3682   in #3235.
   3683 
   3684 - symbols-in-versions: add missing CURLU_ symbols
   3685   
   3686   ...and fix symbol-scan.pl to also scan urlapi.h
   3687   
   3688   Reported-by: Alexey Melnichuk
   3689   Fixes #3226
   3690   Closes #3230
   3691 
   3692 Daniel Gustafsson (3 Nov 2018)
   3693 - infof: clearly indicate truncation
   3694   
   3695   The internal buffer in infof() is limited to 2048 bytes of payload plus
   3696   an additional byte for NULL termination. Servers with very long error
   3697   messages can however cause truncation of the string, which currently
   3698   isn't very clear, and leads to badly formatted output.
   3699   
   3700   This appends a "...\n" (or just "..." in case the format didn't with a
   3701   newline char) marker to the end of the string to clearly show
   3702   that it has been truncated.
   3703   
   3704   Also include a unittest covering infof() to try and catch any bugs
   3705   introduced in this quite important function.
   3706   
   3707   Closes #3216
   3708   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3709   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   3710 
   3711 Michael Kaufmann (3 Nov 2018)
   3712 - tool_getparam: fix some comments
   3713 
   3714 Daniel Stenberg (3 Nov 2018)
   3715 - url: a short host name + port is not a scheme
   3716   
   3717   The function identifying a leading "scheme" part of the URL considered a few
   3718   letters ending with a colon to be a scheme, making something like "short:80"
   3719   to become an unknown scheme instead of a short host name and a port number.
   3720   
   3721   Extended test 1560 to verify.
   3722   
   3723   Reported-by: Hagai Auro
   3724   Fixes #3220
   3725   Closes #3223
   3726 
   3727 - URL: fix IPv6 numeral address parser
   3728   
   3729   Regression from 46e164069d1a52. Extended test 1560 to verify.
   3730   
   3731   Reported-by: tpaukrt on github
   3732   Fixes #3218
   3733   Closes #3219
   3734 
   3735 - travis: remove curl before a normal build
   3736   
   3737   on Linux. To make sure the test suite runs with its newly build tool and
   3738   doesn't require an external one present.
   3739   
   3740   Bug: #3198
   3741   Closes #3200
   3742 
   3743 - [Tim Rhsen brought this change]
   3744 
   3745   mprintf: avoid unsigned integer overflow warning
   3746   
   3747   The overflow has no real world impact.
   3748   Just avoid it for "best practice".
   3749   
   3750   Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
   3751   Closes #3184
   3752 
   3753 - Curl_follow: accept non-supported schemes for "fake" redirects
   3754   
   3755   When not actually following the redirect and the target URL is only
   3756   stored for later retrieval, curl always accepted "non-supported"
   3757   schemes. This was a regression from 46e164069d1a5230.
   3758   
   3759   Reported-by: Brad King
   3760   Fixes #3210
   3761   Closes #3215
   3762 
   3763 Daniel Gustafsson (2 Nov 2018)
   3764 - openvms: fix example name
   3765   
   3766   Commit efc696a2e09225bfeab4 renamed persistant.c to persistent.c to
   3767   fix the typo in the name, but missed to update the OpenVMS package
   3768   files which still looked for the old name.
   3769   
   3770   Closes #3217
   3771   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3772   Reviewed-by: Viktor Szakats <commit (a] vszakats.net>
   3773 
   3774 Daniel Stenberg (1 Nov 2018)
   3775 - configure: show CFLAGS, LDFLAGS etc in summary
   3776   
   3777   To make it easier to understand other people's and remote builds etc.
   3778   
   3779   Closes #3207
   3780 
   3781 - version: bump for next cycle
   3782 
   3783 - axtls: removed
   3784   
   3785   As has been outlined in the DEPRECATE.md document, the axTLS code has
   3786   been disabled for 6 months and is hereby removed.
   3787   
   3788   Use a better supported TLS library!
   3789   
   3790   Assisted-by: Daniel Gustafsson
   3791   Closes #3194
   3792 
   3793 - [marcosdiazr brought this change]
   3794 
   3795   schannel: make CURLOPT_CERTINFO support using Issuer chain
   3796   
   3797   Closes #3197
   3798 
   3799 - travis: build with sanitize=address,undefined,signed-integer-overflow
   3800   
   3801   ... using clang
   3802   
   3803   Closes #3190
   3804 
   3805 - schannel: use Curl_ prefix for global private symbols
   3806   
   3807   Curl_verify_certificate() must use the Curl_ prefix since it is globally
   3808   available in the lib and otherwise steps outside of our namespace!
   3809   
   3810   Closes #3201
   3811 
   3812 Kamil Dudka (1 Nov 2018)
   3813 - tests: drop http_pipe.py script no longer used
   3814   
   3815   It is unused since commit f7208df7d9d5cd5e15e2d89237e828f32b63f135.
   3816   
   3817   Closes #3204
   3818 
   3819 Daniel Stenberg (31 Oct 2018)
   3820 - runtests: use the local curl for verifying
   3821   
   3822   ... revert the mistaken change brought in commit 8440616f53.
   3823   
   3824   Reported-by: Alessandro Ghedini
   3825   Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
   3826   
   3827   Closes #3198
   3828 
   3829 Version 7.62.0 (30 Oct 2018)
   3830 
   3831 Daniel Stenberg (30 Oct 2018)
   3832 - RELEASE-NOTES: 7.62.0
   3833 
   3834 - THANKS: 7.62.0 status
   3835 
   3836 Daniel Gustafsson (30 Oct 2018)
   3837 - vtls: add MesaLink to curl_sslbackend enum
   3838   
   3839   MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the
   3840   backend was never added to the curl_sslbackend enum in curl/curl.h.
   3841   This adds the new backend to the enum and updates the relevant docs.
   3842   
   3843   Closes #3195
   3844   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3845 
   3846 Daniel Stenberg (30 Oct 2018)
   3847 - [Ruslan Baratov brought this change]
   3848 
   3849   cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable
   3850   
   3851   Closes #3191
   3852 
   3853 - test2080: verify the fix for CVE-2018-16842
   3854 
   3855 - voutf: fix bad arethmetic when outputting warnings to stderr
   3856   
   3857   CVE-2018-16842
   3858   Reported-by: Brian Carpenter
   3859   Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
   3860 
   3861 - [Tuomo Rinne brought this change]
   3862 
   3863   cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in
   3864   
   3865   Closes #3123
   3866 
   3867 - [Tuomo Rinne brought this change]
   3868 
   3869   cmake: add find_dependency call for ZLIB to CMake config file
   3870 
   3871 - [Tuomo Rinne brought this change]
   3872 
   3873   cmake: add support for transitive ZLIB target
   3874 
   3875 - unit1650: fix "null pointer passed as argument 1 to memcmp"
   3876   
   3877   Detected by UndefinedBehaviorSanitizer
   3878   
   3879   Closes #3187
   3880 
   3881 - travis: add a "make tidy" build that runs clang-tidy
   3882   
   3883   Closes #3182
   3884 
   3885 - unit1300: fix stack-use-after-scope AddressSanitizer warning
   3886   
   3887   Closes #3186
   3888 
   3889 - Curl_auth_create_plain_message: fix too-large-input-check
   3890   
   3891   CVE-2018-16839
   3892   Reported-by: Harry Sintonen
   3893   Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
   3894 
   3895 - Curl_close: clear data->multi_easy on free to avoid use-after-free
   3896   
   3897   Regression from b46cfbc068 (7.59.0)
   3898   CVE-2018-16840
   3899   Reported-by: Brian Carpenter (Geeknik Labs)
   3900   
   3901   Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
   3902 
   3903 - [randomswdev brought this change]
   3904 
   3905   system.h: use proper setting with Sun C++ as well
   3906   
   3907   system.h selects the proper Sun settings when __SUNPRO_C is defined. The
   3908   Sun compiler does not define it when compiling C++ files.  I'm adding a
   3909   check also on __SUNPRO_CC to allow curl to work properly also when used
   3910   in a C++ project on Sun Solaris.
   3911   
   3912   Closes #3181
   3913 
   3914 - rand: add comment to skip a clang-tidy false positive
   3915 
   3916 - test1651: unit test Curl_extract_certinfo()
   3917   
   3918   The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.
   3919 
   3920 - x509asn1: always check return code from getASN1Element()
   3921 
   3922 - Makefile: add 'tidy' target that runs clang-tidy
   3923   
   3924   Available in the root, src and lib dirs.
   3925   
   3926   Closes #3163
   3927 
   3928 - RELEASE-PROCEDURE: adjust the release dates
   3929   
   3930   See: https://curl.haxx.se/mail/lib-2018-10/0107.html
   3931 
   3932 Patrick Monnerat (27 Oct 2018)
   3933 - x509asn1: suppress left shift on signed value
   3934   
   3935   Use an unsigned variable: as the signed operation behavior is undefined,
   3936   this change silents clang-tidy about it.
   3937   
   3938   Ref: https://github.com/curl/curl/pull/3163
   3939   Reported-By: Daniel Stenberg
   3940 
   3941 Michael Kaufmann (27 Oct 2018)
   3942 - multi: Fix error handling in the SENDPROTOCONNECT state
   3943   
   3944   If Curl_protocol_connect() returns an error code,
   3945   handle the error instead of switching to the next state.
   3946   
   3947   Closes #3170
   3948 
   3949 Daniel Stenberg (27 Oct 2018)
   3950 - RELEASE-NOTES: synced
   3951 
   3952 - openssl: output the correct cipher list on TLS 1.3 error
   3953   
   3954   When failing to set the 1.3 cipher suite, the wrong string pointer would
   3955   be used in the error message. Most often saying "(nil)".
   3956   
   3957   Reported-by: Ricky-Tigg on github
   3958   Fixes #3178
   3959   Closes #3180
   3960 
   3961 - docs/CIPHERS: fix the TLS 1.3 cipher names
   3962   
   3963   ... picked straight from the OpenSSL man page:
   3964   https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
   3965   
   3966   Reported-by: Ricky-Tigg on github
   3967   Bug: #3178
   3968 
   3969 Marcel Raad (27 Oct 2018)
   3970 - travis: install gnutls-bin package
   3971   
   3972   This is required for gnutls-serv, which enables a few more tests.
   3973   
   3974   Closes https://github.com/curl/curl/pull/2958
   3975 
   3976 Daniel Gustafsson (26 Oct 2018)
   3977 - ssh: free the session on init failures
   3978   
   3979   Ensure to clear the session object in case the libssh2 initialization
   3980   fails.
   3981   
   3982   It could be argued that the libssh2 error function should be called to
   3983   get a proper error message in this case. But since the only error path
   3984   in libssh2_knownhost_init() is memory a allocation failure it's safest
   3985   to avoid since the libssh2 error handling allocates memory.
   3986   
   3987   Closes #3179
   3988   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   3989 
   3990 Daniel Stenberg (26 Oct 2018)
   3991 - docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date
   3992   
   3993   ... I'm moving it up one week due to travels. The rest stays.
   3994 
   3995 - [Daniel Gustafsson brought this change]
   3996 
   3997   openssl: make 'done' a proper boolean
   3998   
   3999   Closes #3176
   4000 
   4001 - gtls: Values stored to but never read
   4002   
   4003   Detected by clang-tidy
   4004   
   4005   Closes #3176
   4006 
   4007 - [Alexey Eremikhin brought this change]
   4008 
   4009   curl.1: --ipv6 mutexes ipv4 (fixed typo)
   4010   
   4011   Fixes #3171
   4012   Closes #3172
   4013 
   4014 - tool_main: make TerminalSettings static
   4015   
   4016   Reported-by: Gisle Vanem
   4017   Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819
   4018   Closes #3161
   4019 
   4020 - curl-config.in: remove dependency on bc
   4021   
   4022   Reported-by: Dima Pasechnik
   4023   Fixes #3143
   4024   Closes #3174
   4025 
   4026 - [Gisle Vanem brought this change]
   4027 
   4028   rtmp: fix for compiling with lwIP
   4029   
   4030   Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
   4031     curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
   4032       setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
   4033       ^
   4034     curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
   4035     #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
   4036                                    ^
   4037   Closes #3155
   4038 
   4039 - configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
   4040   
   4041   Follow-up to #3166 which did the cmake part of this. This type/define is
   4042   not used.
   4043   
   4044   Closes #3168
   4045 
   4046 - [Ruslan Baratov brought this change]
   4047 
   4048   cmake: remove unused variables
   4049   
   4050   Remove variables:
   4051   * HAVE_SOCKLEN_T
   4052   * CURL_SIZEOF_CURL_SOCKLEN_T
   4053   * CURL_TYPEOF_CURL_SOCKLEN_T
   4054   
   4055   Closes #3166
   4056 
   4057 Michael Kaufmann (25 Oct 2018)
   4058 - urldata: Fix comment in header
   4059   
   4060   The "connecting" function is used by multiple protocols, not only FTP
   4061 
   4062 - netrc: free temporary strings if memory allocation fails
   4063   
   4064   - Change the inout parameters after all needed memory has been
   4065     allocated. Do not change them if something goes wrong.
   4066   - Free the allocated temporary strings if strdup() fails.
   4067   
   4068   Closes #3122
   4069 
   4070 Daniel Stenberg (24 Oct 2018)
   4071 - [Ruslan Baratov brought this change]
   4072 
   4073   config: Remove unused SIZEOF_VOIDP
   4074   
   4075   Closes #3162
   4076 
   4077 - RELEASE-NOTES: synced
   4078 
   4079 GitHub (23 Oct 2018)
   4080 - [Gisle Vanem brought this change]
   4081 
   4082   Fix for compiling with lwIP (3)
   4083   
   4084   lwIP on Windows does not have a WSAIoctl() function.
   4085   But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
   4086 
   4087 Daniel Stenberg (23 Oct 2018)
   4088 - Curl_follow: return better errors on URL problems
   4089   
   4090   ... by making the converter function global and accessible.
   4091   
   4092   Closes #3153
   4093 
   4094 - Curl_follow: remove remaining free(newurl)
   4095   
   4096   Follow-up to 05564e750e8f0c. This function no longer frees the passed-in
   4097   URL.
   4098   
   4099   Reported-by: Michael Kaufmann
   4100   Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm
   4101   ent-30985666
   4102 
   4103 Daniel Gustafsson (23 Oct 2018)
   4104 - headers: end all headers with guard comment
   4105   
   4106   Most headerfiles end with a /* <headerguard> */ comment, but it was
   4107   missing from some. The comment isn't the most important part of our
   4108   code documentation but consistency has an intrinsic value in itself.
   4109   This adds header guard comments to the files that were lacking it.
   4110   
   4111   Closes #3158
   4112   Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com>
   4113   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4114 
   4115 Jay Satiro (23 Oct 2018)
   4116 - CIPHERS.md: Mention the options used to set TLS 1.3 ciphers
   4117   
   4118   Closes https://github.com/curl/curl/pull/3159
   4119 
   4120 Daniel Stenberg (20 Oct 2018)
   4121 - docs/BUG-BOUNTY: the sponsors actually decide the amount
   4122   
   4123   Retract the previous approach as the sponsors will be the ones to set the
   4124   final amounts.
   4125   
   4126   Closes #3152
   4127   [ci skip]
   4128 
   4129 - multi: avoid double-free
   4130   
   4131   Curl_follow() no longer frees the string. Make sure it happens in the
   4132   caller function, like we normally handle allocations.
   4133   
   4134   This bug was introduced with the use of the URL API internally, it has
   4135   never been in a release version
   4136   
   4137   Reported-by: Dario Weier
   4138   Closes #3149
   4139 
   4140 - multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
   4141   
   4142   Otherwise, closing that handle can still cause surprises!
   4143   
   4144   Reported-by: Martin Ankerl
   4145   Fixes #3138
   4146   Closes #3147
   4147 
   4148 Marcel Raad (19 Oct 2018)
   4149 - VS projects: add USE_IPV6
   4150   
   4151   The Visual Studio builds didn't use IPv6. Add it to all projects since
   4152   Visual Studio 2008, which is verified to build via AppVeyor.
   4153   
   4154   Closes https://github.com/curl/curl/pull/3137
   4155 
   4156 - config_win32: enable LDAPS
   4157   
   4158   As done in the autotools and CMake builds by default.
   4159   
   4160   Closes https://github.com/curl/curl/pull/3137
   4161 
   4162 Daniel Stenberg (18 Oct 2018)
   4163 - travis: add build for "configure --disable-verbose"
   4164   
   4165   Closes #3144
   4166 
   4167 Kamil Dudka (17 Oct 2018)
   4168 - tool_cb_hdr: handle failure of rename()
   4169   
   4170   Detected by Coverity.
   4171   
   4172   Closes #3140
   4173   Reviewed-by: Jay Satiro
   4174 
   4175 Daniel Stenberg (17 Oct 2018)
   4176 - RELEASE-NOTES: synced
   4177 
   4178 - docs/SECURITY-PROCESS: the hackerone IBB program drops curl
   4179   
   4180   ... now there's only BountyGraph.
   4181 
   4182 Jay Satiro (16 Oct 2018)
   4183 - [Matthew Whitehead brought this change]
   4184 
   4185   x509asn1: Fix SAN IP address verification
   4186   
   4187   For IP addresses in the subject alternative name field, the length
   4188   of the IP address (and hence the number of bytes to perform a
   4189   memcmp on) is incorrectly calculated to be zero. The code previously
   4190   subtracted q from name.end. where in a successful case q = name.end
   4191   and therefore addrlen equalled 0. The change modifies the code to
   4192   subtract name.beg from name.end to calculate the length correctly.
   4193   
   4194   The issue only affects libcurl with GSKit SSL, not other SSL backends.
   4195   The issue is not a security issue as IP verification would always fail.
   4196   
   4197   Fixes #3102
   4198   Closes #3141
   4199 
   4200 Daniel Gustafsson (15 Oct 2018)
   4201 - INSTALL: mention mesalink in TLS section
   4202   
   4203   Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the
   4204   MesaLink vtls backend, but missed updating the TLS section containing
   4205   supported backends in the docs.
   4206   
   4207   Closes #3134
   4208   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4209 
   4210 Marcel Raad (14 Oct 2018)
   4211 - nonblock: fix unused parameter warning
   4212   
   4213   If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
   4214   used.
   4215 
   4216 Michael Kaufmann (13 Oct 2018)
   4217 - Curl_follow: Always free the passed new URL
   4218   
   4219   Closes #3124
   4220 
   4221 Viktor Szakats (12 Oct 2018)
   4222 - replace rawgit links [ci skip]
   4223   
   4224   Ref: https://rawgit.com/ "RawGit has reached the end of its useful life"
   4225   Ref: https://news.ycombinator.com/item?id=18202481
   4226   Closes https://github.com/curl/curl/pull/3131
   4227 
   4228 Daniel Stenberg (12 Oct 2018)
   4229 - docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018
   4230   
   4231   [ci skip]
   4232 
   4233 - travis: make distcheck scan for BOM markers
   4234   
   4235   and remove BOM from projects/wolfssl_override.props
   4236   
   4237   Closes #3126
   4238 
   4239 Marcel Raad (11 Oct 2018)
   4240 - CMake: remove BOM
   4241   
   4242   Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea.
   4243   
   4244   Reported-by: Viktor Szakats
   4245   Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136
   4246 
   4247 Daniel Gustafsson (10 Oct 2018)
   4248 - transfer: fix typo in comment
   4249 
   4250 Michael Kaufmann (10 Oct 2018)
   4251 - docs: add "see also" links for SSL options
   4252   
   4253   - link TLS 1.2 and TLS 1.3 options
   4254   - link proxy and non-proxy options
   4255   
   4256   Closes #3121
   4257 
   4258 Marcel Raad (10 Oct 2018)
   4259 - AppVeyor: remove BDIR variable that sneaked in again
   4260   
   4261   Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added
   4262   again in 9f3be5672dc4dda30ab43e0152e13d714a84d762.
   4263 
   4264 - CMake: disable -Wpedantic-ms-format
   4265   
   4266   As done in the autotools build. This is required for MinGW, which
   4267   supports only %I64 for printing 64-bit values, but warns about it.
   4268   
   4269   Closes https://github.com/curl/curl/pull/3120
   4270 
   4271 Viktor Szakats (9 Oct 2018)
   4272 - ldap: show precise LDAP call in error message on Windows
   4273   
   4274   Also add a unique but common text ('bind via') to make it
   4275   easy to grep this specific failure regardless of platform.
   4276   
   4277   Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
   4278   Closes https://github.com/curl/curl/pull/3118
   4279   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4280   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   4281 
   4282 Daniel Stenberg (9 Oct 2018)
   4283 - docs/DEPRECATE: minor reformat to render nicer on web
   4284 
   4285 Daniel Gustafsson (9 Oct 2018)
   4286 - CURLOPT_SSL_VERIFYSTATUS: Fix typo
   4287   
   4288   Changes s/OSCP/OCSP/ and bumps the copyright year due to the change.
   4289 
   4290 Marcel Raad (9 Oct 2018)
   4291 - curl_setup: define NOGDI on Windows
   4292   
   4293   This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
   4294   on MinGW.
   4295   
   4296   Closes https://github.com/curl/curl/pull/3113
   4297 
   4298 - Windows: fixes for MinGW targeting Windows Vista
   4299   
   4300   Classic MinGW has neither InitializeCriticalSectionEx nor
   4301   GetTickCount64, independent of the target Windows version.
   4302   
   4303   Closes https://github.com/curl/curl/pull/3113
   4304 
   4305 Daniel Stenberg (8 Oct 2018)
   4306 - TODO: fixed 'API for URL parsing/splitting'
   4307 
   4308 Daniel Gustafsson (8 Oct 2018)
   4309 - KNOWN_BUGS: Fix various typos
   4310   
   4311   Closes #3112
   4312   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4313 
   4314 Viktor Szakats (8 Oct 2018)
   4315 - spelling fixes [ci skip]
   4316   
   4317   as detected by codespell 1.14.0
   4318   
   4319   Closes https://github.com/curl/curl/pull/3114
   4320   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   4321 
   4322 Daniel Stenberg (8 Oct 2018)
   4323 - RELEASE-NOTES: synced
   4324 
   4325 - curl_ntlm_wb: check aprintf() return codes
   4326   
   4327   ... when they return NULL we're out of memory and MUST return failure.
   4328   
   4329   closes #3111
   4330 
   4331 - docs/BUG-BOUNTY: proposed additional docs
   4332   
   4333   Bug bounty explainer. See https://bountygraph.com/programs/curl
   4334   
   4335   Closes #3067
   4336 
   4337 - [Rick Deist brought this change]
   4338 
   4339   hostip: fix check on Curl_shuffle_addr return value
   4340   
   4341   Closes #3110
   4342 
   4343 - FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
   4344   
   4345   Now FILE transfers send headers to the header callback like HTTP and
   4346   other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
   4347   work for FILE in the callbacks.
   4348   
   4349   Makes "curl -i file://.." and "curl -I file://.." work like before
   4350   again. Applied the bold header logic to them too.
   4351   
   4352   Regression from c1c2762 (7.61.0)
   4353   
   4354   Reported-by: Shaun Jackman
   4355   Fixes #3083
   4356   Closes #3101
   4357 
   4358 Daniel Gustafsson (7 Oct 2018)
   4359 - gskit: make sure to terminate version string
   4360   
   4361   In case a very small buffer was passed to the version function, it could
   4362   result in the buffer not being NULL-terminated since strncpy() doesn't
   4363   guarantee a terminator on an overflowed buffer. Rather than adding code
   4364   to terminate (and handle zero-sized buffers), move to using snprintf()
   4365   instead like all the other vtls backends.
   4366   
   4367   Closes #3105
   4368   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4369   Reviewed-by: Viktor Szakats <commit (a] vszakats.net>
   4370 
   4371 - TODO: add LD_PRELOAD support on macOS
   4372   
   4373   Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394.
   4374 
   4375 - runtests: skip ld_preload tests on macOS
   4376   
   4377   The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests
   4378   requiring it.
   4379   
   4380   Fixes #2394
   4381   Closes #3106
   4382   Reported-by: Github user @jakirkham
   4383   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4384 
   4385 Marcel Raad (7 Oct 2018)
   4386 - AppVeyor: use Debug builds to run tests
   4387   
   4388   This enables more tests.
   4389   
   4390   Closes https://github.com/curl/curl/pull/3104
   4391 
   4392 - AppVeyor: add HTTP_ONLY build
   4393   
   4394   Closes https://github.com/curl/curl/pull/3104
   4395 
   4396 - AppVeyor: add WinSSL builds
   4397   
   4398   Use the oldest and latest Windows SDKs for them.
   4399   Also, remove all but one OpenSSL build.
   4400   
   4401   Closes https://github.com/curl/curl/pull/3104
   4402 
   4403 - AppVeyor: add remaining Visual Studio versions
   4404   
   4405   This adds Visual Studio 9 and 10 builds.
   4406   There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32
   4407   build. Also, VC9 cannot be used for running the test suite.
   4408   
   4409   Closes https://github.com/curl/curl/pull/3104
   4410 
   4411 - AppVeyor: break long line
   4412   
   4413   Closes https://github.com/curl/curl/pull/3104
   4414 
   4415 - AppVeyor: remove unused BDIR variable
   4416   
   4417   Closes https://github.com/curl/curl/pull/3104
   4418 
   4419 Daniel Stenberg (6 Oct 2018)
   4420 - test2100: test DoH using IPv4-only
   4421   
   4422   To make it only send one DoH request and avoid the race condition that
   4423   could lead to the requests getting sent in reversed order and thus
   4424   making it hard to compare in the test case.
   4425   
   4426   Fixes #3107
   4427   Closes #3108
   4428 
   4429 - tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too
   4430   
   4431   [ci skip]
   4432 
   4433 - RELEASE-NOTES: synced
   4434 
   4435 - [Dmitry Kostjuchenko brought this change]
   4436 
   4437   timeval: fix use of weak symbol clock_gettime() on Apple platforms
   4438   
   4439   Closes #3048
   4440 
   4441 - doh: keep the IPv4 address in (original) network byte order
   4442   
   4443   Ideally this will fix the reversed order shown in SPARC tests:
   4444   
   4445     resp 8: Expected 127.0.0.1 got 1.0.0.127
   4446   
   4447   Closes #3091
   4448 
   4449 Jay Satiro (5 Oct 2018)
   4450 - INTERNALS.md: wrap lines longer than 79
   4451 
   4452 Daniel Gustafsson (5 Oct 2018)
   4453 - INTERNALS: escape reference to parameter
   4454   
   4455   The parameter reference <string> was causing rendering issues in the
   4456   generated HTML page, as <string> isn't a valid HTML tag. Fix by back-
   4457   tick escaping it.
   4458   
   4459   Closes #3099
   4460   Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com>
   4461   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4462 
   4463 - checksrc: handle zero scoped ignore commands
   4464   
   4465   If a !checksrc! disable command specified to ignore zero errors, it was
   4466   still added to the ignore block even though nothing was ignored. While
   4467   there were no blocks ignored that shouldn't be ignored, the processing
   4468   ended with with a warning:
   4469   
   4470   <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
   4471    /* !checksrc! disable LONGLINE 0 */
   4472                       ^
   4473   Fix by instead treating a zero ignore as a a badcommand and throw a
   4474   warning for that one.
   4475   
   4476   Closes #3096
   4477   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4478 
   4479 - checksrc: enable strict mode and warnings
   4480   
   4481   Enable strict and warnings mode for checksrc to ensure we aren't missing
   4482   anything due to bugs in the checking code. This uncovered a few things
   4483   which are all fixed in this commit:
   4484   
   4485   * several variables were used uninitialized
   4486   * several variables were not defined in the correct scope
   4487   * the whitelist filehandle was read even if the file didn't exist
   4488   * the enable_warn() call when a disable counter had expired was passing
   4489     incorrect variables, but since the checkwarn() call is unlikely to hit
   4490     (the counter is only decremented to zero on actual ignores) it didn't
   4491     manifest a problem.
   4492   
   4493   Closes #3090
   4494   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4495   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   4496 
   4497 Marcel Raad (5 Oct 2018)
   4498 - CMake: suppress MSVC warning C4127 for libtest
   4499   
   4500   It's issued by older Windows SDKs (prior to version 8.0).
   4501 
   4502 Sergei Nikulov (5 Oct 2018)
   4503 - Merge branch 'dmitrykos-fix_missing_CMake_defines'
   4504 
   4505 - [Dmitry Kostjuchenko brought this change]
   4506 
   4507   cmake: test and set missed defines during configuration
   4508   
   4509   Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.
   4510   
   4511   Closes #3097
   4512 
   4513 Marcel Raad (5 Oct 2018)
   4514 - AppVeyor: disable test 500
   4515   
   4516   It almost always results in
   4517   "starttransfer vs total: 0.000001 0.000000".
   4518   I cannot reproduce this locally, so disable it for now.
   4519   
   4520   Closes https://github.com/curl/curl/pull/3100
   4521 
   4522 - AppVeyor: set custom install prefix
   4523   
   4524   CMake's default has spaces and in 32-bit mode parentheses, which result
   4525   in syntax errors in curl-config.
   4526   
   4527   Closes https://github.com/curl/curl/pull/3100
   4528 
   4529 - AppVeyor: Remove non-SSL non-test builds
   4530   
   4531   They don't add much value.
   4532   
   4533   Closes https://github.com/curl/curl/pull/3100
   4534 
   4535 - AppVeyor: run test suite
   4536   
   4537   Use the preinstalled MSYS2 bash for that.
   4538   Disable test 1139 as the CMake build doesn't generate curl.1.
   4539   
   4540   Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224
   4541   Closes https://github.com/curl/curl/pull/3100
   4542 
   4543 - AppVeyor: use in-tree build
   4544   
   4545   Required to run the tests.
   4546   
   4547   Closes https://github.com/curl/curl/pull/3100
   4548 
   4549 Daniel Stenberg (4 Oct 2018)
   4550 - doh: make sure TTL isn't re-inited by second (discarded?) response
   4551   
   4552   Closes #3092
   4553 
   4554 - test320: strip out more HTML when comparing
   4555   
   4556   To make the test case work with different gnutls-serv versions better.
   4557   
   4558   Reported-by: Kamil Dudka
   4559   Fixes #3093
   4560   Closes #3094
   4561 
   4562 Marcel Raad (4 Oct 2018)
   4563 - runtests: use Windows paths for Windows curl
   4564   
   4565   curl generated by CMake's Visual Studio generator has "Windows" in the
   4566   version number.
   4567 
   4568 Daniel Stenberg (4 Oct 2018)
   4569 - [Colin Hogben brought this change]
   4570 
   4571   tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
   4572   
   4573   Fix problems caused by differences in treatment of bytes objects between
   4574   python2 and python3.
   4575   
   4576   Fixes #2929
   4577   Closes #3080
   4578 
   4579 Daniel Gustafsson (3 Oct 2018)
   4580 - memory: ensure to check allocation results
   4581   
   4582   The result of a memory allocation should always be checked, as we may
   4583   run under memory pressure where even a small allocation can fail. This
   4584   adds checking and error handling to a few cases where the allocation
   4585   wasn't checked for success. In the ftp case, the freeing of the path
   4586   variable is moved ahead of the allocation since there is little point
   4587   in keeping it around across the strdup, and the separation makes for
   4588   more readable code. In nwlib, the lock is aslo freed in the error path.
   4589   
   4590   Also bumps the copyright years on affected files.
   4591   
   4592   Closes #3084
   4593   Reviewed-by: Jay Satiro <raysatiro (a] yahoo.com>
   4594   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4595 
   4596 - comment: Fix multiple typos in function parameters
   4597   
   4598   Ensure that the parameters in the comment match the actual names in the
   4599   prototype.
   4600   
   4601   Closes #3079
   4602   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4603 
   4604 - CURLOPT_SSLVERSION.3: fix typos and consistent spelling
   4605   
   4606   Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was
   4607   already done in all but a few cases. Also fix a few typos.
   4608   
   4609   Closes #3076
   4610   Reviewed-by: Marcel Raad <Marcel.Raad (a] teamviewer.com>
   4611   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4612 
   4613 - SECURITY-PROCESS: make links into hyperlinks
   4614   
   4615   Use proper Markdown hyperlink format for the Bountygraph links in order
   4616   for the generated website page to be more user friendly. Also link to
   4617   the sponsors to give them a little extra credit.
   4618   
   4619   Closes #3082
   4620   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   4621 
   4622 Jay Satiro (3 Oct 2018)
   4623 - CURLOPT_HEADER.3: fix typo
   4624 
   4625 - nss: fix nssckbi module loading on Windows
   4626   
   4627   - Use .DLL extension instead of .so to load modules on Windows.
   4628   
   4629   Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
   4630   Reported-by: Maxime Legros
   4631   
   4632   Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442
   4633   
   4634   Closes https://github.com/curl/curl/pull/3086
   4635 
   4636 - data-binary.d: clarify default content-type is x-www-form-urlencoded
   4637   
   4638   - Advise user that --data-binary sends a default content type of
   4639     x-www-form-urlencoded, and to have the data treated as arbitrary
   4640     binary data by the server set the content-type header to octet-stream.
   4641   
   4642   Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094
   4643   
   4644   Closes https://github.com/curl/curl/pull/3085
   4645 
   4646 Marcel Raad (2 Oct 2018)
   4647 - test1299: use single quotes around asterisk
   4648   
   4649   Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580
   4650 
   4651 Daniel Stenberg (2 Oct 2018)
   4652 - docs/CIPHERS: mention the colon separation for OpenSSL
   4653   
   4654   Bug: #3077
   4655 
   4656 - runtests: ignore disabled even when ranges are given
   4657   
   4658   runtests.pl support running a range of tests, like "44 to 127". Starting
   4659   now, the code makes sure that even such given ranges will ignore tests
   4660   that are marked as disabled.
   4661   
   4662   Disabled tests can still be run by explictly specifying that test
   4663   number.
   4664   
   4665   Closes #3075
   4666 
   4667 - urlapi: starting with a drive letter on win32 is not an abs url
   4668   
   4669   ... and libcurl doesn't support any single-letter URL schemes (if there
   4670   even exist any) so it should be fairly risk-free.
   4671   
   4672   Reported-by: Marcel Raad
   4673   
   4674   Fixes #3070
   4675   Closes #3071
   4676 
   4677 Marcel Raad (2 Oct 2018)
   4678 - doh: fix curl_easy_setopt argument type
   4679   
   4680   CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
   4681   MinGW.
   4682 
   4683 Daniel Stenberg (2 Oct 2018)
   4684 - RELEASE-NOTES: synced
   4685 
   4686 Jay Satiro (1 Oct 2018)
   4687 - [Ruslan Baratov brought this change]
   4688 
   4689   CMake: Improve config installation
   4690   
   4691   Use 'GNUInstallDirs' standard module to set destinations of installed
   4692   files.
   4693   
   4694   Use uppercase "CURL" names instead of lowercase "curl" to match standard
   4695   'FindCURL.cmake' CMake module:
   4696   * https://cmake.org/cmake/help/latest/module/FindCURL.html
   4697   
   4698   Meaning:
   4699   * Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
   4700   * User should call 'find_package(CURL)' instead of 'find_package(curl)'
   4701   
   4702   Use 'configure_package_config_file' function to generate
   4703   'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
   4704   file smaller and handle components better.  E.g.  current configuration
   4705   report no error if user specified unknown components (note: new
   4706   configuration expects no components, report error if user will try to
   4707   specify any).
   4708   
   4709   Closes https://github.com/curl/curl/pull/2849
   4710 
   4711 Daniel Stenberg (1 Oct 2018)
   4712 - test1650: make it depend on http/2
   4713   
   4714   Follow-up to 570008c99da0ccbb as it gets link errors.
   4715   
   4716   Reported-by: Michael Kaufmann
   4717   Closes #3068
   4718 
   4719 - [Nate Prewitt brought this change]
   4720 
   4721   MANUAL: minor grammar fix
   4722   
   4723   Noticed a typo reading through the docs.
   4724   
   4725   Closes #3069
   4726 
   4727 - doh: only build if h2 enabled
   4728   
   4729   The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
   4730   of HTTP for use with DoH".
   4731   
   4732   Reported-by: Marcel Raad
   4733   Closes #3066
   4734 
   4735 - test2100: require http2 to run
   4736   
   4737   Reported-by: Marcel Raad
   4738   Fixes #3064
   4739   Closes #3065
   4740 
   4741 - multi: fix memory leak in content encoding related error path
   4742   
   4743   ... a missing multi_done() call.
   4744   
   4745   Credit to OSS-Fuzz
   4746   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
   4747   Closes #3063
   4748 
   4749 - travis: bump the Secure Transport build to use xcode 10
   4750   
   4751   Due to an issue with travis
   4752   (https://github.com/travis-ci/travis-ci/issues/9956) we've been using
   4753   Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as
   4754   an alternative and as it builds curl+darwinssl fine that seems like a
   4755   better choice.
   4756   
   4757   Closes #3062
   4758 
   4759 - [Rich Turner brought this change]
   4760 
   4761   curl: enabled Windows VT Support and UTF-8 output
   4762   
   4763   Enabled Console VT support (if running OS supports VT) in tool_main.c.
   4764   
   4765   Fixes #3008
   4766   Closes #3011
   4767 
   4768 - multi: fix location URL memleak in error path
   4769   
   4770   Follow-up to #3044 - fix a leak OSS-Fuzz detected
   4771   Closes #3057
   4772 
   4773 Sergei Nikulov (28 Sep 2018)
   4774 - cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...)
   4775 
   4776 - [Brad King brought this change]
   4777 
   4778   cmake: Backport to work with CMake 3.0 again
   4779   
   4780   Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets
   4781   instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake:
   4782   bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix
   4783   issue #2746.  This broke support for users on older versions of CMake
   4784   even if they just want to build curl and do not care whether transitive
   4785   dependencies work.
   4786   
   4787   Backport the logic to work with CMake 3.0 again by implementing the
   4788   fix only when the version of CMake is at least 3.4.
   4789 
   4790 Marcel Raad (27 Sep 2018)
   4791 - curl_threads: fix classic MinGW compile break
   4792   
   4793   Classic MinGW still has _beginthreadex's return type as unsigned long
   4794   instead of uintptr_t [0]. uintptr_t is not even defined because of [1].
   4795   
   4796   [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
   4797   [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90
   4798   
   4799   Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
   4800   Closes https://github.com/curl/curl/pull/3051
   4801 
   4802 Daniel Stenberg (26 Sep 2018)
   4803 - configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
   4804   
   4805   fix a few leftovers
   4806   
   4807   Fixes #3006
   4808   Closes #3049
   4809 
   4810 - [Doron Behar brought this change]
   4811 
   4812   example/htmltidy: fix include paths of tidy libraries
   4813   
   4814   Closes #3050
   4815 
   4816 - RELEASE-NOTES: synced
   4817 
   4818 - Curl_http2_done: fix memleak in error path
   4819   
   4820   Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
   4821   early failures.
   4822   
   4823   Detected by OSS-Fuzz
   4824   
   4825   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
   4826   Closes #3046
   4827 
   4828 - http: fix memleak in rewind error path
   4829   
   4830   If the rewind would fail, a strdup() would not get freed.
   4831   
   4832   Detected by OSS-Fuzz
   4833   
   4834   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
   4835   Closes #3044
   4836 
   4837 Viktor Szakats (24 Sep 2018)
   4838 - test320: fix regression in [ci skip]
   4839   
   4840   The value in question is coming directly from `gnutls-serv`, so it cannot
   4841   be modified freely.
   4842   
   4843   Reported-by: Marcel Raad
   4844   Ref: https://github.com/curl/curl/commit/6ae6b2a533e8630afbb21f570305bd4ceece6348#commitcomment-30621004
   4845 
   4846 Daniel Stenberg (24 Sep 2018)
   4847 - Curl_retry_request: fix memory leak
   4848   
   4849   Detected by OSS-Fuzz
   4850   
   4851   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
   4852   Closes #3042
   4853 
   4854 - openssl: load built-in engines too
   4855   
   4856   Regression since 38203f1
   4857   
   4858   Reported-by: Jean Fabrice
   4859   Fixes #3023
   4860   Closes #3040
   4861 
   4862 - [Christian Heimes brought this change]
   4863 
   4864   OpenSSL: enable TLS 1.3 post-handshake auth
   4865   
   4866   OpenSSL 1.1.1 requires clients to opt-in for post-handshake
   4867   authentication.
   4868   
   4869   Fixes: https://github.com/curl/curl/issues/3026
   4870   Signed-off-by: Christian Heimes <christian (a] python.org>
   4871   
   4872   Closes https://github.com/curl/curl/pull/3027
   4873 
   4874 - [Even Rouault brought this change]
   4875 
   4876   Curl_dedotdotify(): always nul terminate returned string.
   4877   
   4878   This fixes potential out-of-buffer access on "file:./" URL
   4879   
   4880   $ valgrind curl "file:./"
   4881   ==24516== Memcheck, a memory error detector
   4882   ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
   4883   ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
   4884   ==24516== Command: /home/even/install-curl-git/bin/curl file:./
   4885   ==24516==
   4886   ==24516== Conditional jump or move depends on uninitialised value(s)
   4887   ==24516==    at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   4888   ==24516==    by 0x4EBB315: seturl (urlapi.c:801)
   4889   ==24516==    by 0x4EBB568: parseurl (urlapi.c:861)
   4890   ==24516==    by 0x4EBC509: curl_url_set (urlapi.c:1199)
   4891   ==24516==    by 0x4E644C6: parseurlandfillconn (url.c:2044)
   4892   ==24516==    by 0x4E67AEF: create_conn (url.c:3613)
   4893   ==24516==    by 0x4E68A4F: Curl_connect (url.c:4119)
   4894   ==24516==    by 0x4E7F0A4: multi_runsingle (multi.c:1440)
   4895   ==24516==    by 0x4E808E5: curl_multi_perform (multi.c:2173)
   4896   ==24516==    by 0x4E7558C: easy_transfer (easy.c:686)
   4897   ==24516==    by 0x4E75801: easy_perform (easy.c:779)
   4898   ==24516==    by 0x4E75868: curl_easy_perform (easy.c:798)
   4899   
   4900   Was originally spotted by
   4901   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
   4902   Credit to OSS-Fuzz
   4903   
   4904   Closes #3039
   4905 
   4906 Viktor Szakats (23 Sep 2018)
   4907 - update URLs in tests
   4908   
   4909   - and one in docs/MANUAL as well
   4910   
   4911   Closes https://github.com/curl/curl/pull/3038
   4912 
   4913 - whitespace fixes
   4914   
   4915   - replace tabs with spaces where possible
   4916   - remove line ending spaces
   4917   - remove double/triple newlines at EOF
   4918   - fix a non-UTF-8 character
   4919   - cleanup a few indentations/line continuations
   4920     in manual examples
   4921   
   4922   Closes https://github.com/curl/curl/pull/3037
   4923 
   4924 Daniel Stenberg (23 Sep 2018)
   4925 - http: add missing return code check
   4926   
   4927   Detected by Coverity. CID 1439610.
   4928   
   4929   Follow-up from 46e164069d1a523
   4930   
   4931   Closes #3034
   4932 
   4933 - ftp: don't access pointer before NULL check
   4934   
   4935   Detected by Coverity. CID 1439611.
   4936   
   4937   Follow-up from 46e164069d1a523
   4938 
   4939 - unit1650: fix out of boundary access
   4940   
   4941   Fixes #2987
   4942   Closes #3035
   4943 
   4944 Viktor Szakats (23 Sep 2018)
   4945 - docs/examples: URL updates
   4946   
   4947   - also update two URLs outside of docs/examples
   4948   - fix spelling of filename persistant.c
   4949   - fix three long lines that started failing checksrc.pl
   4950   
   4951   Closes https://github.com/curl/curl/pull/3036
   4952 
   4953 - examples/Makefile.m32: sync with core [ci skip]
   4954   
   4955   also:
   4956   - fix two warnings in synctime.c (one of them Windows-specific)
   4957   - upgrade URLs in synctime.c and remove a broken one
   4958   
   4959   Closes https://github.com/curl/curl/pull/3033
   4960 
   4961 Daniel Stenberg (22 Sep 2018)
   4962 - examples/parseurl.c: show off the URL API a bit
   4963   
   4964   Closes #3030
   4965 
   4966 - SECURITY-PROCESS: mention the bountygraph program [ci skip]
   4967   
   4968   Closes #3032
   4969 
   4970 - url: use the URL API internally as well
   4971   
   4972   ... to make it a truly unified URL parser.
   4973   
   4974   Closes #3017
   4975 
   4976 Viktor Szakats (22 Sep 2018)
   4977 - URL and mailmap updates, remove an obsolete directory [ci skip]
   4978   
   4979   Closes https://github.com/curl/curl/pull/3031
   4980 
   4981 Daniel Stenberg (22 Sep 2018)
   4982 - RELEASE-NOTES: synced
   4983 
   4984 - configure: force-use -lpthreads on HPUX
   4985   
   4986   When trying to detect pthreads use on HPUX the checks will succeed
   4987   without the correct -l option but then end up failing at run-time.
   4988   
   4989   Reported-by: Eason-Yu on github
   4990   Fixes #2697
   4991   Closes #3025
   4992 
   4993 - [Erik Minekus brought this change]
   4994 
   4995   Curl_saferealloc: Fixed typo in docblock
   4996   
   4997   Closes #3029
   4998 
   4999 - urlapi: fix support for address scope in IPv6 numerical addresses
   5000   
   5001   Closes #3024
   5002 
   5003 - [Loganaden Velvindron brought this change]
   5004 
   5005   GnutTLS: TLS 1.3 support
   5006   
   5007   Closes #2971
   5008 
   5009 - TODO: c-ares and CURLOPT_OPENSOCKETFUNCTION
   5010   
   5011   Removed DoH.
   5012   
   5013   Closes #2734
   5014 
   5015 Jay Satiro (20 Sep 2018)
   5016 - vtls: fix ssl version "or later" behavior change for many backends
   5017   
   5018   - Treat CURL_SSLVERSION_MAX_NONE the same as
   5019     CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
   5020     the minimum version also as the maximum.
   5021   
   5022   This is a follow-up to 6015cef which changed the behavior of setting
   5023   the SSL version so that the requested version would only be the minimum
   5024   and not the maximum. It appears it was (mostly) implemented in OpenSSL
   5025   but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
   5026   mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.
   5027   
   5028   - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.
   5029   
   5030   Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
   5031   erroneously treated as always TLS 1.3, and would cause an error if
   5032   OpenSSL was built without TLS 1.3 support.
   5033   
   5034   Co-authored-by: Daniel Gustafsson
   5035   
   5036   Fixes https://github.com/curl/curl/issues/2969
   5037   Closes https://github.com/curl/curl/pull/3012
   5038 
   5039 Daniel Stenberg (20 Sep 2018)
   5040 - certs: generate tests certs with sha256 digest algorithm
   5041   
   5042   As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs:
   5043   
   5044   "SSL certificate problem: CA signature digest algorithm too weak"
   5045   
   5046   Closes #3014
   5047 
   5048 - urlapi: document the error codes, remove two unused ones
   5049   
   5050   Assisted-by: Daniel Gustafsson
   5051   Closes #3019
   5052 
   5053 - urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance
   5054   
   5055   In order for this API to fully work for libcurl itself, it now offers a
   5056   CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
   5057   name prefix just like libcurl always did. If there's no known prefix, it
   5058   will guess "http://".
   5059   
   5060   Separately, it relaxes the check of the host name so that IDN host names
   5061   can be passed in as well.
   5062   
   5063   Both these changes are necessary for libcurl itself to use this API.
   5064   
   5065   Assisted-by: Daniel Gustafsson
   5066   Closes #3018
   5067 
   5068 Kamil Dudka (19 Sep 2018)
   5069 - nss: try to connect even if libnssckbi.so fails to load
   5070   
   5071   One can still use CA certificates stored in NSS database.
   5072   
   5073   Reported-by: Maxime Legros
   5074   Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
   5075   
   5076   Closes #3016
   5077 
   5078 Daniel Gustafsson (19 Sep 2018)
   5079 - urlapi: don't set value which is never read
   5080   
   5081   In the CURLUPART_URL case, there is no codepath which invokes url
   5082   decoding so remove the assignment of the urldecode variable. This
   5083   fixes the deadstore bug-report from clang static analysis.
   5084   
   5085   Closes #3015
   5086   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5087 
   5088 - todo: Update reference to already done item
   5089   
   5090   TODO item 1.1 was implemented in commit 946ce5b61f, update reference
   5091   to it with instead referencing the implemented option.
   5092   
   5093   Closes #3013
   5094   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5095 
   5096 Daniel Stenberg (18 Sep 2018)
   5097 - RELEASE-NOTES: synced
   5098 
   5099 - [slodki brought this change]
   5100 
   5101   cmake: don't require OpenSSL if USE_OPENSSL=OFF
   5102   
   5103   User must have OpenSSL installed even if not used by libcurl at all
   5104   since 7.61.1 release.  Broken at
   5105   7867aaa9a01decf93711428462335be8cef70212
   5106   
   5107   Reviewed-by: Sergei Nikulov
   5108   Closes #3001
   5109 
   5110 - curl_multi_wait: call getsock before figuring out timeout
   5111   
   5112   .... since getsock may update the expiry timer.
   5113   
   5114   Fixes #2996
   5115   Closes #3000
   5116 
   5117 - examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
   5118   
   5119   Closes #3004
   5120 
   5121 Daniel Gustafsson (18 Sep 2018)
   5122 - darwinssl: Fix realloc memleak
   5123   
   5124   The reallocation was using the input pointer for the return value, which
   5125   leads to a memory leak on reallication failure. Fix by instead use the
   5126   safe internal API call Curl_saferealloc().
   5127   
   5128   Closes #3005
   5129   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5130   Reviewed-by: Nick Zitzmann <nickzman (a] gmail.com>
   5131 
   5132 - [Kruzya brought this change]
   5133 
   5134   examples: Fix memory leaks from realloc errors
   5135   
   5136   Make sure to not overwrite the reallocated pointer in realloc() calls
   5137   to avoid a memleak on memory errors.
   5138 
   5139 - memory: add missing curl_printf header
   5140   
   5141   ftp_send_command() was using vsnprintf() without including the libcurl
   5142   *rintf() replacement header. Fix by including curl_printf.h and also
   5143   add curl_memory.h while at it since memdebug.h depends on it.
   5144   
   5145   Closes #2999
   5146   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5147 
   5148 Daniel Stenberg (16 Sep 2018)
   5149 - [Si brought this change]
   5150 
   5151   curl: update --tlsv* descriptions in --help output
   5152   
   5153   Closes #2994
   5154 
   5155 - http: made Curl_add_buffer functions take a pointer-pointer
   5156   
   5157   ... so that they can clear the original pointer on failure, which makes
   5158   the error-paths and their cleanups easier.
   5159   
   5160   Closes #2992
   5161 
   5162 - http2: fix memory leaks on error-path
   5163 
   5164 - [Rikard Falkeborn brought this change]
   5165 
   5166   libtest: Add chkdecimalpoint to .gitignore
   5167   
   5168   Closes #2998
   5169 
   5170 Viktor Szakats (14 Sep 2018)
   5171 - secure Openwall URLs
   5172 
   5173 Daniel Stenberg (14 Sep 2018)
   5174 - openssl: show "proper" version number for libressl builds
   5175   
   5176   Closes #2989
   5177 
   5178 - [Rainer Jung brought this change]
   5179 
   5180   openssl: assume engine support in 0.9.8 or later
   5181   
   5182   Fixes #2983
   5183   Closes #2988
   5184 
   5185 Daniel Gustafsson (13 Sep 2018)
   5186 - sendf: use failf() rather than Curl_failf()
   5187   
   5188   The failf() macro is the name used for invoking Curl_failf(). While
   5189   there isn't a way to turn off failf like there is for infof, but it's
   5190   still a good idea to use the macro.
   5191   
   5192   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5193 
   5194 - sendf: Fix whitespace in infof/failf concatenation
   5195   
   5196   Strings broken on multiple rows in the .c file need to have appropriate
   5197   whitespace padding on either side of the concatenation point to render
   5198   a correct amalgamated string. Fix by adding a space at the occurrences
   5199   found.
   5200   
   5201   Closes #2986
   5202   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5203 
   5204 - krb5: fix memory leak in krb_auth
   5205   
   5206   The FTP command allocated by aprintf() must be freed after usage.
   5207   
   5208   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5209 
   5210 - ftp: include command in Curl_ftpsend sendbuffer
   5211   
   5212   Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed
   5213   the actual command to be sent from the send buffer in a refactoring.
   5214   Add back copying the command into the buffer. Also add more guards
   5215   against malformed input while at it.
   5216   
   5217   Closes #2985
   5218   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5219 
   5220 - ntlm_wb: Fix memory leaks in ntlm_wb_response
   5221   
   5222   When erroring out on a request being too large, the existing buffer was
   5223   leaked. Fix by explicitly freeing on the way out.
   5224   
   5225   Closes #2966
   5226   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5227 
   5228 Daniel Stenberg (13 Sep 2018)
   5229 - [Yiming Jing brought this change]
   5230 
   5231   travis: build the MesaLink vtls backend with MesaLink 0.7.1
   5232 
   5233 - [Yiming Jing brought this change]
   5234 
   5235   runtests.pl: run tests against the MesaLink vtls backend
   5236 
   5237 - [Yiming Jing brought this change]
   5238 
   5239   vtls: add a MesaLink vtls backend
   5240   
   5241   Closes #2984
   5242 
   5243 - [Yiming Jing brought this change]
   5244 
   5245   configure.ac: add a MesaLink vtls backend
   5246 
   5247 - [Dave Reisner brought this change]
   5248 
   5249   curl_url_set.3: properly escape \n in example code
   5250   
   5251   This yields
   5252   
   5253     "the scheme is %s\n"
   5254   
   5255   instead of
   5256   
   5257     "the scheme is %s0
   5258   
   5259   Closes #2970
   5260 
   5261 - [Dave Reisner brought this change]
   5262 
   5263   curl_url_set.3: fix typo in reference to CURLU_APPENDQUERY
   5264 
   5265 - urlglob: improve error message
   5266   
   5267   to help user understand what the problem is
   5268   
   5269   Reported-by: Daniel Shahaf
   5270   
   5271   Fixes #2763
   5272   Closes #2977
   5273 
   5274 - [Yiming Jing brought this change]
   5275 
   5276   tests/certs: rebuild certs with 2048-bit RSA keys
   5277   
   5278   The previous test certificates contained RSA keys of only 1024 bits.
   5279   However, RSA claims that 1024-bit RSA keys are likely to become
   5280   crackable some time before 2010. The NIST recommends at least 2048-bit
   5281   keys for RSA for now.
   5282   
   5283   Better use full 2048 also for testing.
   5284   
   5285   Closes #2973
   5286 
   5287 Daniel Gustafsson (12 Sep 2018)
   5288 - TODO: fix typo in item
   5289   
   5290   Closes #2968
   5291   Reviewed-by: Daniel Stenberg <daniel (a] haxx.se>
   5292 
   5293 Marcel Raad (12 Sep 2018)
   5294 - anyauthput: fix compiler warning on 64-bit Windows
   5295   
   5296   On Windows, the read function from <io.h> is used, which has its byte
   5297   count parameter as unsigned int instead of size_t.
   5298   
   5299   Closes https://github.com/curl/curl/pull/2972
   5300 
   5301 Viktor Szakats (12 Sep 2018)
   5302 - lib: fix gcc8 warning on Windows
   5303   
   5304   Closes https://github.com/curl/curl/pull/2979
   5305 
   5306 Jay Satiro (12 Sep 2018)
   5307 - openssl: fix gcc8 warning
   5308   
   5309   - Use memcpy instead of strncpy to copy a string without termination,
   5310     since gcc8 warns about using strncpy to copy as many bytes from a
   5311     string as its length.
   5312   
   5313   Suggested-by: Viktor Szakats
   5314   
   5315   Closes https://github.com/curl/curl/issues/2980
   5316 
   5317 Daniel Stenberg (10 Sep 2018)
   5318 - libcurl-url.3: overview man page for the URL API
   5319   
   5320   Closes #2967
   5321 
   5322 - example/asiohiper: insert warning comment about its status
   5323   
   5324   This example is simply not working correctly but there's nobody around
   5325   with the skills and energy to fix it.
   5326   
   5327   Closes #2407
   5328 
   5329 Kamil Dudka (10 Sep 2018)
   5330 - docs/cmdline-opts: update the documentation of --tlsv1.0
   5331   
   5332   ... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
   5333   
   5334   Closes #2955
   5335 
   5336 - docs/examples: do not wait when no transfers are running
   5337   
   5338   Closes #2948
   5339 
   5340 Daniel Stenberg (10 Sep 2018)
   5341 - [Daniel Gustafsson brought this change]
   5342 
   5343   cookies: Move failure case label to end of function
   5344   
   5345   Rather than jumping backwards to where failure cleanup happens
   5346   to be performed, move the failure case to end of the function
   5347   where it is expected per existing coding convention.
   5348   
   5349   Closes #2965
   5350 
   5351 - [Daniel Gustafsson brought this change]
   5352 
   5353   misc: fix typos in comments
   5354   
   5355   Closes #2963
   5356 
   5357 - [Daniel Gustafsson brought this change]
   5358 
   5359   cookies: fix leak when writing cookies to file
   5360   
   5361   If the formatting fails, we error out on a fatal error and
   5362   clean up on the way out. The array was however freed within
   5363   the wrong scope and was thus never freed in case the cookies
   5364   were written to a file instead of STDOUT.
   5365   
   5366   Closes #2957
   5367 
   5368 - [Daniel Gustafsson brought this change]
   5369 
   5370   cookies: Remove redundant expired check
   5371   
   5372   Expired cookies have already been purged at a later expiration time
   5373   before this check, so remove the redundant check.
   5374   
   5375   closes #2962
   5376 
   5377 - ntlm_wb: bail out if the response gets overly large
   5378   
   5379   Exit the realloc() loop if the response turns out ridiculously large to
   5380   avoid worse problems.
   5381   
   5382   Reported-by: Harry Sintonen
   5383   Closes #2959
   5384 
   5385 - [Daniel Gustafsson brought this change]
   5386 
   5387   url.c: fix comment typo and indentation
   5388   
   5389   Closes #2960
   5390 
   5391 - urlapi: avoid derefencing a possible NULL pointer
   5392   
   5393   Coverity CID 1439134
   5394 
   5395 - RELEASE-NOTES: synced
   5396 
   5397 Marcel Raad (8 Sep 2018)
   5398 - test324: fix after 3f3b26d6feb0667714902e836af608094235fca2
   5399   
   5400   The expected error code is now 60. 51 is dead.
   5401 
   5402 Daniel Stenberg (8 Sep 2018)
   5403 - curl_url_set.3: correct description
   5404 
   5405 - curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0
   5406 
   5407 - URL-API
   5408   
   5409   See header file and man pages for API. All documented API details work
   5410   and are tested in the 1560 test case.
   5411   
   5412   Closes #2842
   5413 
   5414 - curl_easy_upkeep: removed 'conn' from the name
   5415   
   5416   ... including the associated option.
   5417   
   5418   Fixes #2951
   5419   Closes #2952
   5420 
   5421 - [Max Dymond brought this change]
   5422 
   5423   upkeep: add a connection upkeep API: curl_easy_conn_upkeep()
   5424   
   5425   Add functionality so that protocols can do custom keepalive on their
   5426   connections, when an external API function is called.
   5427   
   5428   Add docs for the new options in 7.62.0
   5429   
   5430   Closes #1641
   5431 
   5432 - [Philipp Waehnert brought this change]
   5433 
   5434   configure: add option to disable automatic OpenSSL config loading
   5435   
   5436   Sometimes it may be considered a security risk to load an external
   5437   OpenSSL configuration automatically inside curl_global_init(). The
   5438   configuration option --disable-ssl-auto-load-config disables this
   5439   automatism. The Windows build scripts winbuild/Makefile.vs provide a
   5440   corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
   5441   value.
   5442   
   5443   Setting neither of these options corresponds to the previous behavior
   5444   loading the external OpenSSL configuration automatically.
   5445   
   5446   Fixes #2724
   5447   Closes #2791
   5448 
   5449 - doh: minor edits to please Coverity
   5450   
   5451   The gcc typecheck macros and coverity combined made it warn on the 2nd
   5452   argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it.
   5453   
   5454   Coverity CID 1439115 and CID 1439114.
   5455 
   5456 - schannel: avoid switch-cases that go to default anyway
   5457   
   5458   SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of
   5459   mingw and would require an ifdef otherwise.
   5460   
   5461   Reported-by: Thomas Glanzmann
   5462   Approved-by: Marc Hrsken
   5463   Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html
   5464   Closes #2950
   5465 
   5466 - [Nicklas Avn brought this change]
   5467 
   5468   imap: change from "FETCH" to "UID FETCH"
   5469   
   5470   ... and add "MAILINDEX".
   5471   
   5472   As described in #2789, this is a suggested solution.  Changing UID=xx to
   5473   actually get mail with UID xx and add "MAILINDEX" to get a mail with a
   5474   special index in the mail box (old behavior).  So MAILINDEX=1 gives the
   5475   first non deleted mail in the mail box.
   5476   
   5477   Fixes #2789
   5478   Closes #2815
   5479 
   5480 - CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
   5481   
   5482   This is step 3 of #2888.
   5483   
   5484   Fixes #2888
   5485   Closes #2896
   5486 
   5487 - travis: add the DOH tests to the torture testing
   5488 
   5489 - DOH: add test case 1650 and 2100
   5490 
   5491 - curl: --doh-url added
   5492 
   5493 - setopt: add CURLOPT_DOH_URL
   5494   
   5495   Closes #2668
   5496 
   5497 - [Han Han brought this change]
   5498 
   5499   ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
   5500   
   5501   Long live CURLE_PEER_FAILED_VERIFICATION
   5502 
   5503 - [Han Han brought this change]
   5504 
   5505   x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
   5506   
   5507   CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509
   5508   does not allocate memory internally as its first argument is a pointer
   5509   to the certificate structure. The same error code is also returned by
   5510   Curl_verifyhost when its call to Curl_parseX509 fails so the change
   5511   makes error handling more consistent.
   5512 
   5513 - [Han Han brought this change]
   5514 
   5515   openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
   5516   
   5517   Failure to extract the issuer name from the server certificate should
   5518   return a more specific error code like on other TLS backends.
   5519 
   5520 - [Han Han brought this change]
   5521 
   5522   schannel: unified error code handling
   5523   
   5524   Closes #2901
   5525 
   5526 - [Han Han brought this change]
   5527 
   5528   darwinssl: more specific and unified error codes
   5529   
   5530   Closes #2901
   5531 
   5532 - CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
   5533   
   5534   Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for
   5535   deprecation and complete removal in six months.
   5536   
   5537   Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html
   5538   Closes #2942
   5539 
   5540 - url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
   5541   
   5542   Closes #2709
   5543 
   5544 - multiplex: enable by default
   5545   
   5546   Starting 7.62.0, multiplexing is enabled by default in multi handles.
   5547 
   5548 - [Jim Fuller brought this change]
   5549 
   5550   tests: add unit tests for url.c
   5551   
   5552   Approved-by: Daniel Gustafsson
   5553   Closes #2937
   5554 
   5555 - test1452: mark as flaky
   5556   
   5557   makes it not run in the CI builds
   5558   
   5559   Closes #2941
   5560 
   5561 - pipelining: deprecated
   5562   
   5563   Transparently. The related curl_multi_setopt() options all still returns
   5564   OK when pipelining is selected.
   5565   
   5566   To re-enable the support, the single line change in lib/multi.c needs to
   5567   be reverted.
   5568   
   5569   See docs/DEPRECATE.md
   5570   
   5571   Closes #2705
   5572 
   5573 - RELEASE-NOTES: start working on 7.62.0
   5574 
   5575 Version 7.61.1 (4 Sep 2018)
   5576 
   5577 Daniel Stenberg (4 Sep 2018)
   5578 - THANKS: 7.61.1 status
   5579 
   5580 - RELEASE-NOTES: 7.61.1
   5581 
   5582 - Curl_getoff_all_pipelines: ignore unused return values
   5583   
   5584   Since scan-build would warn on the dead "Dead store/Dead increment"
   5585 
   5586 Viktor Szakats (4 Sep 2018)
   5587 - sftp: fix indentation
   5588 
   5589 Daniel Stenberg (4 Sep 2018)
   5590 - [Przemysaw Tomaszewski brought this change]
   5591 
   5592   sftp: don't send post-qoute sequence when retrying a connection
   5593   
   5594   Fixes #2939
   5595   Closes #2940
   5596 
   5597 Kamil Dudka (3 Sep 2018)
   5598 - url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work
   5599   
   5600   This is a follow-up to PR #2607 and PR #2926.
   5601   
   5602   Closes #2936
   5603 
   5604 Daniel Stenberg (3 Sep 2018)
   5605 - [Jay Satiro brought this change]
   5606 
   5607   tool_operate: Add http code 408 to transient list for --retry
   5608   
   5609   - Treat 408 request timeout as transient so that curl will retry the
   5610     request if --retry was used.
   5611   
   5612   Closes #2925
   5613 
   5614 - [Jay Satiro brought this change]
   5615 
   5616   openssl: Fix setting TLS 1.3 cipher suites
   5617   
   5618   The flag indicating TLS 1.3 cipher support in the OpenSSL backend was
   5619   missing.
   5620   
   5621   Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187
   5622   Reported-by: Kamil Dudka
   5623   
   5624   Closes #2926
   5625 
   5626 - Curl_ntlm_core_mk_nt_hash: return error on too long password
   5627   
   5628   ... since it would cause an integer overflow if longer than (max size_t
   5629   / 2).
   5630   
   5631   This is CVE-2018-14618
   5632   
   5633   Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
   5634   Closes #2756
   5635   Reported-by: Zhaoyang Wu
   5636 
   5637 - [Rikard Falkeborn brought this change]
   5638 
   5639   http2: Use correct format identifier for stream_id
   5640   
   5641   Closes #2928
   5642 
   5643 Marcel Raad (2 Sep 2018)
   5644 - test1148: fix precheck output
   5645   
   5646   "precheck command error" is not very helpful.
   5647 
   5648 Daniel Stenberg (1 Sep 2018)
   5649 - all: s/int/size_t cleanup
   5650   
   5651   Assisted-by: Rikard Falkeborn
   5652   
   5653   Closes #2922
   5654 
   5655 - ssh-libssh: use FALLTHROUGH to silence gcc8
   5656 
   5657 Jay Satiro (31 Aug 2018)
   5658 - tool_operate: Fix setting proxy TLS 1.3 ciphers
   5659 
   5660 Daniel Stenberg (31 Aug 2018)
   5661 - [Daniel Gustafsson brought this change]
   5662 
   5663   cookies: support creation-time attribute for cookies
   5664   
   5665   According to RFC6265 section 5.4, cookies with equal path lengths
   5666   SHOULD be sorted by creation-time (earlier first). This adds a
   5667   creation-time record to the cookie struct in order to make cookie
   5668   sorting more deterministic. The creation-time is defined as the
   5669   order of the cookies in the jar, the first cookie read fro the
   5670   jar being the oldest. The creation-time is thus not serialized
   5671   into the jar. Also remove the strcmp() matching in the sorting as
   5672   there is no lexicographic ordering in RFC6265. Existing tests are
   5673   updated to match.
   5674   
   5675   Closes #2524
   5676 
   5677 Marcel Raad (31 Aug 2018)
   5678 - Don't use Windows path %PWD for SSH tests
   5679   
   5680   All these tests failed on Windows because something like
   5681   sftp://%HOSTIP:%SSHPORT%PWD/
   5682   expanded to
   5683   sftp://127.0.0.1:1234c:/msys64/home/bla/curl
   5684   and then curl complained about the port number ending with a letter.
   5685   
   5686   Use the original POSIX path instead of the Windows path created in
   5687   checksystem to fix this.
   5688   
   5689   Closes https://github.com/curl/curl/pull/2920
   5690 
   5691 Jay Satiro (29 Aug 2018)
   5692 - CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warning
   5693   
   5694   Reported-by: Daniel Stenberg
   5695   
   5696   Closes https://github.com/curl/curl/issues/2916
   5697 
   5698 Daniel Stenberg (28 Aug 2018)
   5699 - THANKS-filter: dedup Daniel Jeliski
   5700 
   5701 - RELEASE-NOTES: synced
   5702 
   5703 - CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip]
   5704 
   5705 - CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip]
   5706   
   5707   Added a warning!
   5708   
   5709   Closes #2915
   5710 
   5711 - curl: fix time-of-check, time-of-use race in dir creation
   5712   
   5713   Patch-by: Jay Satiro
   5714   Detected by Coverity
   5715   Fixes #2739
   5716   Closes #2912
   5717 
   5718 - cmdline-opts/page-footer: fix edit mistake
   5719   
   5720   There was a missing newline.
   5721   
   5722   follow-up to a7ba60bb7250
   5723 
   5724 - docs: clarify NO_PROXY env variable functionality
   5725   
   5726   Reported-by: Kirill Marchuk
   5727   Fixes #2773
   5728   Closes #2911
   5729 
   5730 Marcel Raad (24 Aug 2018)
   5731 - lib1522: fix curl_easy_setopt argument type
   5732   
   5733   CURLOPT_POSTFIELDSIZE is a long option.
   5734 
   5735 - curl_threads: silence bad-function-cast warning
   5736   
   5737   As uintptr_t and HANDLE are always the same size, this warning is
   5738   harmless. Just silence it using an intermediate uintptr_t variable.
   5739   
   5740   Closes https://github.com/curl/curl/pull/2908
   5741 
   5742 Daniel Stenberg (24 Aug 2018)
   5743 - README: add appveyor build badge [ci skip]
   5744   
   5745   Closes #2913
   5746 
   5747 - [Ihor Karpenko brought this change]
   5748 
   5749   schannel: client certificate store opening fix
   5750   
   5751   1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG )
   5752   while opening certificate store would be sufficient in this scenario and
   5753   less-demanding in sense of required user credentials ( for example,
   5754   IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore
   5755   call without any of flags mentioned above ),
   5756   
   5757   2) as 'cert_store_name' is a DWORD, attempt to format its value like a
   5758   string ( in "Failed to open cert store" error message ) will throw null
   5759   pointer exception
   5760   
   5761   3) adding GetLastError(), in my opinion, will make error message more
   5762   useful.
   5763   
   5764   Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html
   5765   
   5766   Closes #2909
   5767 
   5768 - [Leonardo Taccari brought this change]
   5769 
   5770   gopher: Do not translate `?' to `%09'
   5771   
   5772   Since GOPHER support was added in curl `?' character was automatically
   5773   translated to `%09' (`\t').
   5774   
   5775   However, this behaviour does not seems documented in RFC 4266 and for
   5776   search selectors it is documented to directly use `%09' in the URL.
   5777   Apart that several gopher servers in the current gopherspace have CGI
   5778   support where `?' is used as part of the selector and translating it to
   5779   `%09' often leads to surprising results.
   5780   
   5781   Closes #2910
   5782 
   5783 Marcel Raad (23 Aug 2018)
   5784 - cookie tests: treat files as text
   5785   
   5786   Fixes test failures because of wrong line endings on Windows.
   5787 
   5788 Daniel Stenberg (23 Aug 2018)
   5789 - libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
   5790   
   5791   Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to
   5792   avoid the risk of getting a SIGPIPE.
   5793   
   5794   Either way, a multi-threaded application that uses libcurl/openssl needs
   5795   to have a signhandler for or ignore SIGPIPE on its own.
   5796   
   5797   Based on discussions in #2800
   5798   Closes #2904
   5799 
   5800 - RELEASE-NOTES: synced
   5801 
   5802 Marcel Raad (22 Aug 2018)
   5803 - Tests: fixes for Windows
   5804   
   5805   - test 1268 requires unix sockets
   5806   - test 2072 must be disabled also for MSYS/MinGW
   5807 
   5808 Daniel Stenberg (22 Aug 2018)
   5809 - http2: abort the send_callback if not setup yet
   5810   
   5811   When Curl_http2_done() gets called before the http2 data is setup all
   5812   the way, we cannot send anything and this should just return an error.
   5813   
   5814   Detected by OSS-Fuzz
   5815   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
   5816 
   5817 - http2: remove four unused nghttp2 callbacks
   5818   
   5819   Closes #2903
   5820 
   5821 - x509asn1: use FALLTHROUGH
   5822   
   5823   ... as no other comments are accepted since 014ed7c22f51463
   5824 
   5825 Marcel Raad (21 Aug 2018)
   5826 - test1148: disable if decimal separator is not point
   5827   
   5828   Modifying the locale with environment variables doesn't work for native
   5829   Windows applications. Just disable the test in this case if the decimal
   5830   separator is something different than a point. Use a precheck with a
   5831   small C program to achieve that.
   5832   
   5833   Closes https://github.com/curl/curl/pull/2786
   5834 
   5835 - Enable more GCC warnings
   5836   
   5837   This enables the following additional warnings:
   5838   -Wold-style-definition
   5839   -Warray-bounds=2 instead of the default 1
   5840   -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not
   5841    respected for older versions
   5842   -Wunused-const-variable, which enables level 2 instead of the default 1
   5843   -Warray-bounds also in debug mode through -ftree-vrp
   5844   -Wnull-dereference also in debug mode through
   5845    -fdelete-null-pointer-checks
   5846   
   5847   Closes https://github.com/curl/curl/pull/2747
   5848 
   5849 - curl-compilers: enable -Wimplicit-fallthrough=4 for GCC
   5850   
   5851   This enables level 4 instead of the default level 3, which of the
   5852   currently used comments only allows /* FALLTHROUGH */ to silence the
   5853   warning.
   5854   
   5855   Closes https://github.com/curl/curl/pull/2747
   5856 
   5857 - curl-compilers: enable -Wbad-function-cast on GCC
   5858   
   5859   This warning used to be enabled only for clang as it's a bit stricter
   5860   on GCC. Silence the remaining occurrences and enable it on GCC too.
   5861   
   5862   Closes https://github.com/curl/curl/pull/2747
   5863 
   5864 - configure: conditionally enable pedantic-errors
   5865   
   5866   Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5,
   5867   pedantic-errors was synonymous to -Werror=pedantic [0], which is still
   5868   the case for clang [1]. With GCC 5, it became complementary [2].
   5869   
   5870   Also fix a resulting error in acinclude.m4 as main's return type was
   5871   missing, which is illegal in C99.
   5872   
   5873   [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html
   5874   [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages
   5875   [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html
   5876   
   5877   Closes https://github.com/curl/curl/pull/2747
   5878 
   5879 - Remove unused definitions
   5880   
   5881   Closes https://github.com/curl/curl/pull/2747
   5882 
   5883 Daniel Stenberg (21 Aug 2018)
   5884 - x509asn1: make several functions static
   5885   
   5886   and remove the private SIZE_T_MAX define and use the generic one.
   5887   
   5888   Closes #2902
   5889 
   5890 - INTERNALS: require GnuTLS >= 2.11.3
   5891   
   5892   Since the public pinning support was brought in e644866caf4. GnuTLS
   5893   2.11.3 was released in October 2010.
   5894   
   5895   Figured out in #2890
   5896 
   5897 - http2: avoid set_stream_user_data() before stream is assigned
   5898   
   5899   ... before the stream is started, we have it set to -1.
   5900   
   5901   Fixes #2894
   5902   Closes #2898
   5903 
   5904 - SSLCERTS: improve the openssl command line
   5905   
   5906   ... for extracting certs from a live HTTPS server to make a cacerts.pem
   5907   from them.
   5908 
   5909 - docs/SECURITY-PROCESS: now we name the files after the CVE id
   5910 
   5911 - RELEASE-NOTES: synced
   5912 
   5913 - upload: change default UPLOAD_BUFSIZE to 64KB
   5914   
   5915   To make uploads significantly faster in some circumstances.
   5916   
   5917   Part 2 of #2888
   5918   Closes #2892
   5919 
   5920 - upload: allocate upload buffer on-demand
   5921   
   5922   Saves 16KB on the easy handle for operations that don't need that
   5923   buffer.
   5924   
   5925   Part 1 of #2888
   5926 
   5927 - [Laurent Bonnans brought this change]
   5928 
   5929   vtls: reinstantiate engine on duplicated handles
   5930   
   5931   Handles created with curl_easy_duphandle do not use the SSL engine set
   5932   up in the original handle. This fixes the issue by storing the engine
   5933   name in the internal url state and setting the engine from its name
   5934   inside curl_easy_duphandle.
   5935   
   5936   Reported-by: Anton Gerasimov
   5937   Signed-of-by: Laurent Bonnans
   5938   Fixes #2829
   5939   Closes #2833
   5940 
   5941 - http2: make sure to send after RST_STREAM
   5942   
   5943   If this is the last stream on this connection, the RST_STREAM might not
   5944   get pushed to the wire otherwise.
   5945   
   5946   Fixes #2882
   5947   Closes #2887
   5948   Researched-by: Michael Kaufmann
   5949 
   5950 - test1268: check the stderr output as "text"
   5951   
   5952   Follow-up to 099f37e9c57
   5953   
   5954   Pointed-out-by: Marcel Raad
   5955 
   5956 - urldata: remove unused pipe_broke struct field
   5957   
   5958   This struct field is never set TRUE in any existing code path. This
   5959   change removes the field completely.
   5960   
   5961   Closes #2871
   5962 
   5963 - curl: warn the user if a given file name looks like an option
   5964   
   5965   ... simply because this is usually a sign of the user having omitted the
   5966   file name and the next option is instead "eaten" by the parser as a file
   5967   name.
   5968   
   5969   Add test1268 to verify
   5970   
   5971   Closes #2885
   5972 
   5973 - http2: check nghttp2_session_set_stream_user_data return code
   5974   
   5975   Might help bug #2688 debugging
   5976   
   5977   Closes #2880
   5978 
   5979 - travis: revert back to gcc-7 for coverage builds
   5980   
   5981   ... since the gcc-8 ones seem to fail frequently.
   5982   
   5983   Follow-up from b85207199544ca
   5984   
   5985   Closes #2886
   5986 
   5987 - RELEASE-NOTES: synced
   5988   
   5989   ... and now listed in alphabetical order!
   5990 
   5991 - [Adrien brought this change]
   5992 
   5993   CMake: CMake config files are defining CURL_STATICLIB for static builds
   5994   
   5995   This change allows to use the CMake config files generated by Curl's
   5996   CMake scripts for static builds of the library.
   5997   The symbol CURL_STATIC lib must be defined to compile downstream,
   5998   thus the config package is the perfect place to do so.
   5999   
   6000   Fixes #2817
   6001   Closes #2823
   6002   Reported-by: adnn on github
   6003   Reviewed-by: Sergei Nikulov
   6004 
   6005 - TODO: host name sections in config files
   6006 
   6007 Kamil Dudka (14 Aug 2018)
   6008 - ssh-libssh: fix infinite connect loop on invalid private key
   6009   
   6010   Added test 656 (based on test 604) to verify the fix.
   6011   
   6012   Bug: https://bugzilla.redhat.com/1595135
   6013   
   6014   Closes #2879
   6015 
   6016 - ssh-libssh: reduce excessive verbose output about pubkey auth
   6017   
   6018   The verbose message "Authentication using SSH public key file" was
   6019   printed each time the ssh_userauth_publickey_auto() was called, which
   6020   meant each time a packet was transferred over network because the API
   6021   operates in non-blocking mode.
   6022   
   6023   This patch makes sure that the verbose message is printed just once
   6024   (when the authentication state is entered by the SSH state machine).
   6025 
   6026 Daniel Stenberg (14 Aug 2018)
   6027 - travis: disable h2 torture tests for "coverage"
   6028   
   6029   Since they started to fail almost 100% since a few days.
   6030   
   6031   Closes #2876
   6032 
   6033 Marcel Raad (14 Aug 2018)
   6034 - travis: update to GCC 8
   6035   
   6036   Closes https://github.com/curl/curl/pull/2869
   6037 
   6038 Daniel Stenberg (13 Aug 2018)
   6039 - http: fix for tiny "HTTP/0.9" response
   6040   
   6041   Deal with tiny "HTTP/0.9" (header-less) responses by checking the
   6042   status-line early, even before a full "HTTP/" is received to allow
   6043   detecting 0.9 properly.
   6044   
   6045   Test 1266 and 1267 added to verify.
   6046   
   6047   Fixes #2420
   6048   Closes #2872
   6049 
   6050 Kamil Dudka (13 Aug 2018)
   6051 - docs: add disallow-username-in-url.d and haproxy-protocol.d on the list
   6052   
   6053   ... to make make the files appear in distribution tarballs
   6054   
   6055   Closes #2856
   6056 
   6057 - .travis.yml: verify that man pages can be regenerated
   6058   
   6059   ... when curl is built from distribution tarball
   6060   
   6061   Closes #2856
   6062 
   6063 Marcel Raad (11 Aug 2018)
   6064 - Split non-portable part off test 1133
   6065   
   6066   Split off testing file names with double quotes into new test 1158.
   6067   Disable it for MSYS using a precheck as it doesn't support file names
   6068   with double quotes (but Cygwin does, for example).
   6069   
   6070   Fixes https://github.com/curl/curl/issues/2796
   6071   Closes https://github.com/curl/curl/pull/2854
   6072 
   6073 Jay Satiro (11 Aug 2018)
   6074 - projects: Improve Windows perl detection in batch scripts
   6075   
   6076   - Determine if perl is in the user's PATH by running perl.exe.
   6077   
   6078   Prior to this change detection was done by checking the PATH for perl/
   6079   but that did not work in all cases (eg git install includes perl but
   6080   not in perl/ path).
   6081   
   6082   Bug: https://github.com/curl/curl/pull/2865
   6083   Reported-by: Daniel Jeliski
   6084 
   6085 - [Michael Kaufmann brought this change]
   6086 
   6087   docs: Improve the manual pages of some callbacks
   6088   
   6089   - CURLOPT_HEADERFUNCTION: add newlines
   6090   - CURLOPT_INTERLEAVEFUNCTION: fix the description of 'userdata'
   6091   - CURLOPT_READDATA: mention crashes, same as in CURLOPT_WRITEDATA
   6092   - CURLOPT_READFUNCTION: rename 'instream' to 'userdata' and explain
   6093     how to set it
   6094   
   6095   Closes https://github.com/curl/curl/pull/2868
   6096 
   6097 Marcel Raad (11 Aug 2018)
   6098 - GCC: silence -Wcast-function-type uniformly
   6099   
   6100   Pointed-out-by: Rikard Falkeborn
   6101   Closes https://github.com/curl/curl/pull/2860
   6102 
   6103 - Silence GCC 8 cast-function-type warnings
   6104   
   6105   On Windows, casting between unrelated function types is fine and
   6106   sometimes even necessary, so just use an intermediate cast to
   6107   (void (*) (void)) to silence the warning as described in [0].
   6108   
   6109   [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html
   6110   
   6111   Closes https://github.com/curl/curl/pull/2860
   6112 
   6113 Daniel Stenberg (11 Aug 2018)
   6114 - CURLINFO_SIZE_UPLOAD: fix missing counter update
   6115   
   6116   Adds test 1522 for verification.
   6117   
   6118   Reported-by: cjmsoregan
   6119   Fixes #2847
   6120   Closes #2864
   6121 
   6122 - [Daniel Jelinski brought this change]
   6123 
   6124   Documentation: fix CURLOPT_SSH_COMPRESSION copy/paste bug
   6125   
   6126   Closes #2867
   6127 
   6128 - RELEASE-NOTES: synced
   6129 
   6130 - openssl: fix potential NULL pointer deref in is_pkcs11_uri
   6131   
   6132   Follow-up to 298d2565e
   6133   Coverity CID 1438387
   6134 
   6135 Marcel Raad (10 Aug 2018)
   6136 - travis: execute "set -eo pipefail" for coverage build
   6137   
   6138   Follow-up to 2de63ab179eb78630ee039ad94fb2a5423df522d and
   6139   0b87c963252d3504552ee0c8cf4402bd65a80af5.
   6140   
   6141   Closes https://github.com/curl/curl/pull/2862
   6142 
   6143 Daniel Stenberg (10 Aug 2018)
   6144 - lib1502: fix memory leak in torture test
   6145   
   6146   Reported-by: Marcel Raad
   6147   Fixes #2861
   6148   Closes #2863
   6149 
   6150 - docs: mention NULL is fine input to several functions
   6151   
   6152   Fixes #2837
   6153   Closes #2858
   6154   Reported-by: Markus Elfring
   6155 
   6156 - [Bas van Schaik brought this change]
   6157 
   6158   README.md: add LGTM.com code quality grade for C/C++
   6159   
   6160   Closes #2857
   6161 
   6162 - [Rikard Falkeborn brought this change]
   6163 
   6164   test1531: Add timeout
   6165   
   6166   Previously, the macro TEST_HANG_TIMEOUT was unused, but since there is
   6167   looping going on, we might as well add timing instead of removing it.
   6168   
   6169   Closes #2853
   6170 
   6171 - [Rikard Falkeborn brought this change]
   6172 
   6173   test1540: Remove unused macro TEST_HANG_TIMEOUT
   6174   
   6175   The macro has never been used, and it there is not really any place
   6176   where it would make sense to add timing checks.
   6177   
   6178   Closes #2852
   6179 
   6180 - [Rikard Falkeborn brought this change]
   6181 
   6182   asyn-thread: Remove unused macro
   6183   
   6184   The macro seems to never have been used.
   6185   
   6186   Closes #2852
   6187 
   6188 - [Rikard Falkeborn brought this change]
   6189 
   6190   http_proxy: Remove unused macro SELECT_TIMEOUT
   6191   
   6192   Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22.
   6193   
   6194   Closes #2852
   6195 
   6196 - [Rikard Falkeborn brought this change]
   6197 
   6198   formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
   6199   
   6200   Its usage was removed in
   6201   84ad1fd3047815f9c6e78728bb351b828eac10b1.
   6202   
   6203   Closes #2852
   6204 
   6205 - [Rikard Falkeborn brought this change]
   6206 
   6207   telnet: Remove unused macros TELOPTS and TELCMDS
   6208   
   6209   Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51.
   6210   
   6211   Closes #2852
   6212 
   6213 - [Daniel Jelinski brought this change]
   6214 
   6215   openssl: fix debug messages
   6216   
   6217   Fixes #2806
   6218   Closes #2843
   6219 
   6220 - configure: fix for -lpthread detection with OpenSSL and pkg-config
   6221   
   6222   ... by making sure it uses the -I provided by pkg-config!
   6223   
   6224   Reported-by: pszemus on github
   6225   Fixes #2848
   6226   Closes #2850
   6227 
   6228 - RELEASE-NOTES: synced
   6229 
   6230 - windows: follow up to the buffer-tuning 1ba1dba7
   6231   
   6232   Somehow I didn't include the amended version of the previous fix. This
   6233   is the missing piece.
   6234   
   6235   Pointed-out-by: Viktor Szakats
   6236 
   6237 - [Daniel Jelinski brought this change]
   6238 
   6239   windows: implement send buffer tuning
   6240   
   6241   Significantly enhances upload performance on modern Windows versions.
   6242   
   6243   Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html
   6244   Closes #2762
   6245   Fixes #2224
   6246 
   6247 - [Anderson Toshiyuki Sasaki brought this change]
   6248 
   6249   ssl: set engine implicitly when a PKCS#11 URI is provided
   6250   
   6251   This allows the use of PKCS#11 URI for certificates and keys without
   6252   setting the corresponding type as "ENG" and the engine as "pkcs11"
   6253   explicitly. If a PKCS#11 URI is provided for certificate, key,
   6254   proxy_certificate or proxy_key, the corresponding type is set as "ENG"
   6255   if not provided and the engine is set to "pkcs11" if not provided.
   6256   
   6257   Acked-by: Nikos Mavrogiannopoulos
   6258   Closes #2333
   6259 
   6260 - [Ruslan Baratov brought this change]
   6261 
   6262   CMake: Respect BUILD_SHARED_LIBS
   6263   
   6264   Use standard CMake variable BUILD_SHARED_LIBS instead of introducing
   6265   custom option CURL_STATICLIB.
   6266   
   6267   Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml.
   6268   
   6269   Reviewed-by: Sergei Nikulov
   6270   Closes #2755
   6271 
   6272 - [John Butterfield brought this change]
   6273 
   6274   cmake: bumped minimum version to 3.4
   6275   
   6276   Closes #2753
   6277 
   6278 - [John Butterfield brought this change]
   6279 
   6280   cmake: link curl to the OpenSSL targets instead of lib absolute paths
   6281   
   6282   Reviewed-by: Jakub Zakrzewski
   6283   Reviewed-by: Sergei Nikulov
   6284   Closes #2753
   6285 
   6286 - travis: build darwinssl on macos 10.12
   6287   
   6288   ... as building on 10.13.x before 10.13.4 leads to link errors.
   6289   
   6290   Assisted-by: Nick Zitzmann
   6291   Fixes #2835
   6292   Closes #2845
   6293 
   6294 - DEPRECATE: remove release date from 7.62.0
   6295   
   6296   Since it will slip and the version is the important part there, not the
   6297   date.
   6298 
   6299 - lib/Makefile: only do symbol hiding if told to
   6300   
   6301   This restores the ability to build a static lib with
   6302   --disable-symbol-hiding to keep non-curl_ symbols.
   6303   
   6304   Researched-by: Dan Fandrich
   6305   Reported-by: Ran Mozes
   6306   Fixes #2830
   6307   Closes #2831
   6308 
   6309 Marcel Raad (2 Aug 2018)
   6310 - hostip: fix unused variable warning
   6311   
   6312   addresses is only used in an infof call, which is a macro expanding to
   6313   nothing if CURL_DISABLE_VERBOSE_STRINGS is set.
   6314 
   6315 Daniel Stenberg (2 Aug 2018)
   6316 - test1307: disabled
   6317   
   6318   Turns out that since we're using the native fnmatch function now when
   6319   available, and they simply disagree on a huge number of test patterns
   6320   that make it hard to test this function like this...
   6321   
   6322   Fixes #2825
   6323 
   6324 - smb: don't mark it done in smb_do
   6325   
   6326   Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its
   6327   doing function too, which requires smb_do() to not mark itself as
   6328   done...
   6329   
   6330   Closes #2822
   6331 
   6332 - [Rikard Falkeborn brought this change]
   6333 
   6334   general: fix printf specifiers
   6335   
   6336   Closes #2818
   6337 
   6338 - RELEASE-NOTES: synced
   6339 
   6340 - mailmap: Daniel Jelinski
   6341 
   6342 - [Harry Sintonen brought this change]
   6343 
   6344   HTTP: Don't attempt to needlessly decompress redirect body
   6345   
   6346   This change fixes a regression where redirect body would needlessly be
   6347   decompressed even though it was to be ignored anyway. As it happens this
   6348   causes secondary issues since there appears to be a bug in apache2 that
   6349   it in certain conditions generates a corrupt zlib response. The
   6350   regression was created by commit:
   6351   dbcced8e32b50c068ac297106f0502ee200a1ebd
   6352   
   6353   Discovered-by: Harry Sintonen
   6354   Closes #2798
   6355 
   6356 - curl: use Content-Disposition before the "URL end" for -OJ
   6357   
   6358   Regression introduced in 7.61.0
   6359   
   6360   Reported-by: Thomas Klausner
   6361   Fixes #2783
   6362   Closes #2813
   6363 
   6364 - [Daniel Jelinski brought this change]
   6365 
   6366   retry: return error if rewind was necessary but didn't happen
   6367   
   6368   Fixes #2801
   6369   Closes #2812
   6370 
   6371 - http2: clear the drain counter in Curl_http2_done
   6372   
   6373   Reported-by: Andrei Virtosu
   6374   Fixes #2800
   6375   Closes #2809
   6376 
   6377 - smb: fix memory leak on early failure
   6378   
   6379   ... by making sure connection related data (->share) is stored in the
   6380   connection and not in the easy handle.
   6381   
   6382   Detected by OSS-fuzz
   6383   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
   6384   Fixes #2769
   6385   Closes #2810
   6386 
   6387 - travis: run a 'make checksrc' too
   6388   
   6389   ... to make sure the examples are all checked.
   6390   
   6391   Closes #2811
   6392 
   6393 Jay Satiro (29 Jul 2018)
   6394 - examples/ephiperfifo: checksrc compliance
   6395 
   6396 - [Michael Kaufmann brought this change]
   6397 
   6398   sws: handle EINTR when calling select()
   6399   
   6400   Closes https://github.com/curl/curl/pull/2808
   6401 
   6402 Daniel Stenberg (29 Jul 2018)
   6403 - test1157: follow-up to 35ecffb9
   6404   
   6405   Ignore the user-agent line.
   6406   Pointed-out-by: Marcel Raad
   6407 
   6408 Michael Kaufmann (29 Jul 2018)
   6409 - tests/http_pipe.py: Use /usr/bin/env to find python
   6410 
   6411 Daniel Stenberg (28 Jul 2018)
   6412 - TODO: Support Authority Information Access certificate extension (AIA)
   6413   
   6414   Closes #2793
   6415 
   6416 - conn_free: updated comment to clarify
   6417   
   6418   Let's call it disassociate instead of disconnect since the latter term
   6419   is used so much for (TCP) connections already.
   6420 
   6421 - test1157: test -H from empty file
   6422   
   6423   Verifies bugfix #2797
   6424 
   6425 - [Tobias Blomberg brought this change]
   6426 
   6427   curl: Fix segfault when -H @headerfile is empty
   6428   
   6429   The curl binary would crash if the -H command line option was given a
   6430   filename to read using the @filename syntax but that file was empty.
   6431   
   6432   Closes #2797
   6433 
   6434 - mime: check Curl_rand_hex's return code
   6435   
   6436   Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html
   6437   Reported-by: Jeffrey Walton
   6438   Closes #2795
   6439 
   6440 - [Josh Bialkowski brought this change]
   6441 
   6442   docs/examples: add hiperfifo example using linux epoll/timerfd
   6443   
   6444   Closes #2804
   6445 
   6446 - [Daro Here brought this change]
   6447 
   6448   docs/INSTALL.md: minor formatting fixes
   6449   
   6450   Closes #2794
   6451 
   6452 - [Christopher Head brought this change]
   6453 
   6454   docs/CURLOPT_URL: fix indentation
   6455   
   6456   The statement, The application does not have to keep the string around
   6457   after setting this option, appears to be indented under the RTMP
   6458   paragraph. It actually applies to all protocols, not just RTMP.
   6459   Eliminate the extra indentation.
   6460   
   6461   Closes #2788
   6462 
   6463 - [Christopher Head brought this change]
   6464 
   6465   docs/CURLOPT_WRITEFUNCTION: size is always 1
   6466   
   6467   For compatibility with `fwrite`, the `CURLOPT_WRITEFUNCTION` callback is
   6468   passed two `size_t` parameters which, when multiplied, designate the
   6469   number of bytes of data passed in. In practice, CURL always sets the
   6470   first parameter (`size`) to 1.
   6471   
   6472   This practice is also enshrined in documentation and cannot be changed
   6473   in future. The documentation states that the default callback is
   6474   `fwrite`, which means `fwrite` must be a suitable function for this
   6475   purpose. However, the documentation also states that the callback must
   6476   return the number of *bytes* it successfully handled, whereas ISO C
   6477   `fwrite` returns the number of items (each of size `size`) which it
   6478   wrote. The only way these numbers can be equal is if `size` is 1.
   6479   
   6480   Since `size` is 1 and can never be changed in future anyway, document
   6481   that fact explicitly and let users rely on it.
   6482   
   6483   Closes #2787
   6484 
   6485 - [Carie Pointer brought this change]
   6486 
   6487   wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
   6488   
   6489   RNG structure must be freed by call to FreeRng after its use in
   6490   Curl_cyassl_random. This call fixes Valgrind failures when running the
   6491   test suite with wolfSSL.
   6492   
   6493   Closes #2784
   6494 
   6495 - [Even Rouault brought this change]
   6496 
   6497   reuse_conn(): free old_conn->options
   6498   
   6499   This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with
   6500   connection reuse.
   6501   
   6502   I found this with oss-fuzz on GDAL and curl master:
   6503   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582
   6504   I couldn't reproduce with the oss-fuzz original test case, but looking
   6505   at curl source code pointed to this well reproducable leak.
   6506   
   6507   Closes #2790
   6508 
   6509 Marcel Raad (25 Jul 2018)
   6510 - [Daniel Jelinski brought this change]
   6511 
   6512   system_win32: fix version checking
   6513   
   6514   In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false
   6515   when run on windows 10.0. This patch addresses that error.
   6516   
   6517   Closes https://github.com/curl/curl/pull/2792
   6518 
   6519 Daniel Stenberg (24 Jul 2018)
   6520 - [Johannes Schindelin brought this change]
   6521 
   6522   auth: pick Bearer authentication whenever a token is available
   6523   
   6524   So far, the code tries to pick an authentication method only if
   6525   user/password credentials are available, which is not the case for
   6526   Bearer authentictation...
   6527   
   6528   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   6529   Closes #2754
   6530 
   6531 - [Johannes Schindelin brought this change]
   6532 
   6533   auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token
   6534   
   6535   The Bearer authentication was added to cURL 7.61.0, but there is a
   6536   problem: if CURLAUTH_ANY is selected, and the server supports multiple
   6537   authentication methods including the Bearer method, we strongly prefer
   6538   that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer
   6539   authentication fails, we will never even try to attempt any other
   6540   method.
   6541   
   6542   This is particularly unfortunate when we already know that we do not
   6543   have any Bearer token to work with.
   6544   
   6545   Such a scenario happens e.g. when using Git to push to Visual Studio
   6546   Team Services (which supports Basic and Bearer authentication among
   6547   other methods) and specifying the Personal Access Token directly in the
   6548   URL (this aproach is frequently taken by automated builds).
   6549   
   6550   Let's make sure that we have a Bearer token to work with before we
   6551   select the Bearer authentication among the available authentication
   6552   methods.
   6553   
   6554   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   6555   Closes #2754
   6556 
   6557 Marcel Raad (22 Jul 2018)
   6558 - test320: treat curl320.out file as binary
   6559   
   6560   Otherwise, LF line endings are converted to CRLF on Windows,
   6561   but no conversion is done for the reply, so the test case fails.
   6562   
   6563   Closes https://github.com/curl/curl/pull/2776
   6564 
   6565 Daniel Stenberg (22 Jul 2018)
   6566 - vtls: set conn->data when closing TLS
   6567   
   6568   Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS
   6569   layer for a connection still needs a Curl_easy handle for the session_id
   6570   cache etc.
   6571   
   6572   Fixes #2764
   6573   Closes #2771
   6574 
   6575 Marcel Raad (21 Jul 2018)
   6576 - tests: fixes for Windows line endlings
   6577   
   6578   Set mode="text" when line endings depend on the system representation.
   6579   
   6580   Closes https://github.com/curl/curl/pull/2772
   6581 
   6582 - test214: disable MSYS2's POSIX path conversion for URL
   6583   
   6584   By default, the MSYS2 bash converts all backslashes to forward slashes
   6585   in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
   6586   
   6587   Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
   6588 
   6589 Daniel Stenberg (20 Jul 2018)
   6590 - http2: several cleanups
   6591   
   6592   - separate easy handle from connections better
   6593   - added asserts on a number of places
   6594   - added sanity check of pipelines for debug builds
   6595   
   6596   Closes #2751
   6597 
   6598 - smb_getsock: always wait for write socket too
   6599   
   6600   ... the protocol is doing read/write a lot, so it needs to write often
   6601   even when downloading. A more proper fix could check for eactly when it
   6602   wants to write and only ask for it then.
   6603   
   6604   Without this fix, an SMB download could easily get stuck when the event-driven
   6605   API was used.
   6606   
   6607   Closes #2768
   6608 
   6609 Marcel Raad (20 Jul 2018)
   6610 - test1143: disable MSYS2's POSIX path conversion
   6611   
   6612   By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143
   6613   as a POSIX file list and converts it to a Windows file list.
   6614   Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
   6615   
   6616   Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
   6617   Closes https://github.com/curl/curl/pull/2765
   6618 
   6619 Daniel Stenberg (18 Jul 2018)
   6620 - RELEASE-NOTES: sync
   6621   
   6622   ... and work toward 7.61.1
   6623 
   6624 - [Ruslan Baratov brought this change]
   6625 
   6626   CMake: Update scripts to use consistent style
   6627   
   6628   Closes #2727
   6629   Reviewed-by: Sergei Nikulov
   6630 
   6631 - header output: switch off all styles, not just unbold
   6632   
   6633   ... the "unbold" sequence doesn't work on the mac Terminal.
   6634   
   6635   Reported-by: Zero King
   6636   Fixes #2736
   6637   Closes #2738
   6638 
   6639 Nick Zitzmann (14 Jul 2018)
   6640 - [Rodger Combs brought this change]
   6641 
   6642   darwinssl: add support for ALPN negotiation
   6643 
   6644 Marcel Raad (14 Jul 2018)
   6645 - test1422: add required file feature
   6646   
   6647   curl configured with --enable-debug --disable-file currently complains
   6648   on test1422:
   6649   Info: Protocol "file" not supported or disabled in libcurl
   6650   
   6651   Make test1422 dependend on enabled FILE protocol to fix this.
   6652   
   6653   Fixes https://github.com/curl/curl/issues/2741
   6654   Closes https://github.com/curl/curl/pull/2742
   6655 
   6656 Patrick Monnerat (12 Jul 2018)
   6657 - content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
   6658   
   6659   Some servers issue raw deflate data that may be followed by an undocumented
   6660   trailer. This commit makes curl tolerate such a trailer of up to 4 bytes
   6661   before considering the data is in error.
   6662   
   6663   Reported-by: clbr on github
   6664   Fixes #2719
   6665 
   6666 Daniel Stenberg (12 Jul 2018)
   6667 - smb: fix memory-leak in URL parse error path
   6668   
   6669   Detected by OSS-Fuzz
   6670   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
   6671   Closes #2740
   6672 
   6673 Marcel Raad (12 Jul 2018)
   6674 - schannel: enable CALG_TLS1PRF for w32api >= 5.1
   6675   
   6676   The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
   6677   https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5
   6678 
   6679 Daniel Stenberg (12 Jul 2018)
   6680 - docs/SECURITY-PROCESS: mention bounty, drop pre-notify
   6681   
   6682   + The hackerone bounty and its process
   6683   
   6684   - We don't and can't handle pre-notification
   6685 
   6686 - multi: always do the COMPLETED procedure/state
   6687   
   6688   It was previously erroneously skipped in some situations.
   6689   
   6690   libtest/libntlmconnect.c wrongly depended on wrong behavior (that it
   6691   would get a zero timeout) when no handles are "running" in a multi
   6692   handle. That behavior is no longer present with this fix. Now libcurl
   6693   will always return a -1 timeout when all handles are completed.
   6694   
   6695   Closes #2733
   6696 
   6697 - Curl_getoff_all_pipelines: improved for multiplexed
   6698   
   6699   On multiplexed connections, transfers can be removed from anywhere not
   6700   just at the head as for pipelines.
   6701 
   6702 - ares: check for NULL in completed-callback
   6703 
   6704 - conn: remove the boolean 'inuse' field
   6705   
   6706   ... as the usage needs to be counted.
   6707 
   6708 - [Paul Howarth brought this change]
   6709 
   6710   openssl: assume engine support in 1.0.0 or later
   6711   
   6712   Commit 38203f1585da changed engine detection to be version-based,
   6713   with a baseline of openssl 1.0.1. This does in fact break builds
   6714   with openssl 1.0.0, which has engine support - the configure script
   6715   detects that ENGINE_cleanup() is available - but <openssl/engine.h>
   6716   doesn't get included to declare it.
   6717   
   6718   According to upstream documentation, engine support was added to
   6719   mainstream openssl builds as of version 0.9.7:
   6720   https://github.com/openssl/openssl/blob/master/README.ENGINE
   6721   
   6722   This commit drops the version test down to 1.0.0 as version 1.0.0d
   6723   is the oldest version I have to test with.
   6724   
   6725   Closes #2732
   6726 
   6727 Marcel Raad (11 Jul 2018)
   6728 - schannel: fix MinGW compile break
   6729   
   6730   Original MinGW's w32api has a sytax error in its definition of
   6731   CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
   6732   until this bug [1] is fixed.
   6733   
   6734   [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h
   6735   [1] https://osdn.net/projects/mingw/ticket/38391
   6736   
   6737   Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
   6738   Closes https://github.com/curl/curl/pull/2728
   6739 
   6740 Daniel Stenberg (11 Jul 2018)
   6741 - examples/crawler.c: move #ifdef to column 0
   6742   
   6743   Apparently the C => HTML converter on the web site doesn't quite like it
   6744   otherwise.
   6745   
   6746   Reported-by: Jeroen Ooms
   6747 
   6748 Version 7.61.0 (11 Jul 2018)
   6749 
   6750 Daniel Stenberg (11 Jul 2018)
   6751 - release: 7.61.0
   6752 
   6753 - TODO: Configurable loading of OpenSSL configuration file
   6754   
   6755   Closes #2724
   6756 
   6757 - post303.d: clarify that this is an RFC violation
   6758   
   6759   ... and not the other way around, which this previously said.
   6760   
   6761   Reported-by: Vasiliy Faronov
   6762   Fixes #2723
   6763   Closes #2726
   6764 
   6765 - [Ruslan Baratov brought this change]
   6766 
   6767   CMake: remove redundant and old end-of-block syntax
   6768   
   6769   Reviewed-by: Jakub Zakrzewski
   6770   Closes #2715
   6771 
   6772 Jay Satiro (9 Jul 2018)
   6773 - lib/curl_setup.h: remove unicode character
   6774   
   6775   Follow-up to 82ce416.
   6776   
   6777   Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818
   6778 
   6779 Daniel Stenberg (9 Jul 2018)
   6780 - lib/curl_setup.h: remove unicode bom from 8272ec50f02
   6781 
   6782 Marcel Raad (9 Jul 2018)
   6783 - schannel: fix -Wsign-compare warning
   6784   
   6785   MinGW warns:
   6786   /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
   6787   conditional expression [-Wsign-compare]
   6788   
   6789   Fix this by casting the ptrdiff_t to size_t as we know it's positive.
   6790   
   6791   Closes https://github.com/curl/curl/pull/2721
   6792 
   6793 - schannel: workaround for wrong function signature in w32api
   6794   
   6795   Original MinGW's w32api has CryptHashData's second parameter as BYTE *
   6796   instead of const BYTE *.
   6797   
   6798   Closes https://github.com/curl/curl/pull/2721
   6799 
   6800 - schannel: make more cipher options conditional
   6801   
   6802   They are not defined in the original MinGW's <wincrypt.h>.
   6803   
   6804   Closes https://github.com/curl/curl/pull/2721
   6805 
   6806 - curl_setup: include <winerror.h> before <windows.h>
   6807   
   6808   Otherwise, only part of it gets pulled in through <windows.h> on
   6809   original MinGW.
   6810   
   6811   Fixes https://github.com/curl/curl/issues/2361
   6812   Closes https://github.com/curl/curl/pull/2721
   6813 
   6814 - examples: fix -Wformat warnings
   6815   
   6816   When size_t is not a typedef for unsigned long (as usually the case on
   6817   Windows), GCC emits -Wformat warnings when using lu and lx format
   6818   specifiers with size_t. Silence them with explicit casts to
   6819   unsigned long.
   6820   
   6821   Closes https://github.com/curl/curl/pull/2721
   6822 
   6823 Daniel Stenberg (9 Jul 2018)
   6824 - smtp: use the upload buffer size for scratch buffer malloc
   6825   
   6826   ... not the read buffer size, as that can be set smaller and thus cause
   6827   a buffer overflow! CVE-2018-0500
   6828   
   6829   Reported-by: Peter Wu
   6830   Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
   6831 
   6832 - [Dave Reisner brought this change]
   6833 
   6834   scripts: include _curl as part of CLEANFILES
   6835   
   6836   Closes #2718
   6837 
   6838 - [Nick Zitzmann brought this change]
   6839 
   6840   darwinssl: allow High Sierra users to build the code using GCC
   6841   
   6842   ...but GCC users lose out on TLS 1.3 support, since we can't weak-link
   6843   enumeration constants.
   6844   
   6845   Fixes #2656
   6846   Closes #2703
   6847 
   6848 - [Ruslan Baratov brought this change]
   6849 
   6850   CMake: Remove unused 'output_var' from 'collect_true'
   6851   
   6852   Variable 'output_var' is not used and can be removed.
   6853   Function 'collect_true' renamed to 'count_true'.
   6854 
   6855 - [Ruslan Baratov brought this change]
   6856 
   6857   CMake: Remove unused functions
   6858   
   6859   Closes #2711
   6860 
   6861 - KNOWN_BUGS: Stick to same family over SOCKS proxy
   6862 
   6863 - libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE
   6864   
   6865   ... because otherwise not everything get closed down correctly.
   6866   
   6867   Fixes #2708
   6868   Closes #2712
   6869 
   6870 - libssh: include line number in state change debug messages
   6871   
   6872   Closes #2713
   6873 
   6874 - KNOWN_BUGS: Borland support is dropped, AIX problem is too old
   6875 
   6876 - [Jeroen Ooms brought this change]
   6877 
   6878   example/crawler.c: simple crawler based on libxml2
   6879   
   6880   Closes #2706
   6881 
   6882 - RELEASE-NOTES: synced
   6883 
   6884 - DEPRECATE: include year when specifying date
   6885 
   6886 - DEPRECATE: linkified
   6887 
   6888 - DEPRECATE: mention the PR that disabled axTLS
   6889 
   6890 - docs/DEPRECATE.md: spelling and minor formatting
   6891 
   6892 - DEPRECATE: new doc describing planned item removals
   6893   
   6894   Closes #2704
   6895 
   6896 - [Gisle Vanem brought this change]
   6897 
   6898   telnet: fix clang warnings
   6899   
   6900   telnet.c(1401,28): warning: cast from function call of type 'int' to
   6901   non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast]
   6902   
   6903   Fixes #2696
   6904   Closes #2700
   6905 
   6906 - docs: fix missed option name markups
   6907 
   6908 - [Gaurav Malhotra brought this change]
   6909 
   6910   openssl: Remove some dead code
   6911   
   6912   Closes #2698
   6913 
   6914 - openssl: make the requested TLS version the *minimum* wanted
   6915   
   6916   The code treated the set version as the *exact* version to require in
   6917   the TLS handshake, which is not what other TLS backends do and probably
   6918   not what most people expect either.
   6919   
   6920   Reported-by: Andreas Olsson
   6921   Assisted-by: Gaurav Malhotra
   6922   Fixes #2691
   6923   Closes #2694
   6924 
   6925 - RELEASE-NOTES: synced
   6926 
   6927 - openssl: allow TLS 1.3 by default
   6928   
   6929   Reported-by: Andreas Olsson
   6930   Fixes #2692
   6931   Closes #2693
   6932 
   6933 - [Adrian Peniak brought this change]
   6934 
   6935   CURLINFO_TLS_SSL_PTR.3: improve the example
   6936   
   6937   The previous example was a little bit confusing, because SSL* structure
   6938   (or other "in use" SSL connection pointer) is not accessible after the
   6939   transfer is completed, therefore working with the raw TLS library
   6940   specific pointer needs to be done during transfer.
   6941   
   6942   Closes #2690
   6943 
   6944 - travis: add a build using the synchronous name resolver
   6945   
   6946   ... since default uses the threaded one and we test the c-ares build
   6947   already.
   6948   
   6949   Closes #2689
   6950 
   6951 - configure: remove CURL_CHECK_NI_WITHSCOPEID too
   6952   
   6953   Since it isn't used either and requires the getnameinfo check
   6954   
   6955   Follow-up to 0aeca41702d2
   6956 
   6957 - getnameinfo: not used
   6958   
   6959   Closes #2687
   6960 
   6961 - easy_perform: use *multi_timeout() to get wait times
   6962   
   6963   ... and trim the threaded Curl_resolver_getsock() to return zero
   6964   millisecond wait times during the first three milliseconds so that
   6965   localhost or names in the OS resolver cache gets detected and used
   6966   faster.
   6967   
   6968   Closes #2685
   6969 
   6970 Max Dymond (27 Jun 2018)
   6971 - configure: Add dependent libraries after crypto
   6972   
   6973   The linker is pretty dumb and processes things left to right, keeping a
   6974   tally of symbols it hasn't resolved yet. So, we need -ldl to appear
   6975   after -lcrypto otherwise the linker won't find the dl functions.
   6976   
   6977   Closes #2684
   6978 
   6979 Daniel Stenberg (27 Jun 2018)
   6980 - GOVERNANCE: linkify, changed some titles
   6981 
   6982 - GOVERNANCE: add maintainer details/duties
   6983 
   6984 - url: check Curl_conncache_add_conn return code
   6985   
   6986   ... it was previously unchecked in two places and thus errors could
   6987   remain undetected and cause trouble.
   6988   
   6989   Closes #2681
   6990 
   6991 - include/README: remove "hacking" advice, not the right place
   6992 
   6993 - RELEASE-NOTES: synced
   6994 
   6995 - CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake
   6996   
   6997   Follow-up to b6a16afa0aa5
   6998 
   6999 - netrc: use a larger buffer
   7000   
   7001   ... to work with longer passwords etc. Grow it from a 256 to a 4096
   7002   bytes buffer.
   7003   
   7004   Reported-by: Dario Nieuwenhuis
   7005   Fixes #2676
   7006   Closes #2680
   7007 
   7008 - [Patrick Schlangen brought this change]
   7009 
   7010   CURLOPT_SSL_VERIFYPEER.3: Add performance note
   7011   
   7012   Closes #2673
   7013 
   7014 - [Javier Blazquez brought this change]
   7015 
   7016   multi: fix crash due to dangling entry in connect-pending list
   7017   
   7018   Fixes #2677
   7019   Closes #2679
   7020 
   7021 - ConnectionExists: make sure conn->data is set when "taking" a connection
   7022   
   7023   Follow-up to 2c15693.
   7024   
   7025   Bug #2674
   7026   Closes #2675
   7027 
   7028 - [Kevin R. Bulgrien brought this change]
   7029 
   7030   system.h: fix for gcc on 32 bit OpenServer
   7031   
   7032   Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html
   7033 
   7034 - [Raphael Gozzo brought this change]
   7035 
   7036   cmake: allow multiple SSL backends
   7037   
   7038   This will make possible to select the SSL backend (using
   7039   curl_global_sslset()) even when the libcurl is built using CMake
   7040   
   7041   Closes #2665
   7042 
   7043 - url: fix dangling conn->data pointer
   7044   
   7045   By masking sure to use the *current* easy handle with extracted
   7046   connections from the cache, and make sure to NULLify the ->data pointer
   7047   when the connection is put into the cache to make this mistake easier to
   7048   detect in the future.
   7049   
   7050   Reported-by: Will Dietz
   7051   Fixes #2669
   7052   Closes #2672
   7053 
   7054 - CURLOPT_INTERFACE.3: interface names not supported on Windows
   7055 
   7056 - travis: run more tests for coverage check
   7057   
   7058   ... run a few more tortured based and run all tests event-based.
   7059   
   7060   Closes #2664
   7061 
   7062 - multi: fix memory leak when stopped during name resolve
   7063   
   7064   When the application just started the transfer and then stops it while
   7065   the name resolve in the background thread hasn't completed, we need to
   7066   wait for the resolve to complete and then cleanup data accordingly.
   7067   
   7068   Enabled test 1553 again and added test 1590 to also check when the host
   7069   name resolves successfully.
   7070   
   7071   Detected by OSS-fuzz.
   7072   Closes #1968
   7073 
   7074 Viktor Szakats (15 Jun 2018)
   7075 - maketgz: delete .bak files, fix indentation
   7076   
   7077   Ref: https://github.com/curl/curl/pull/2660
   7078   
   7079   Closes https://github.com/curl/curl/pull/2662
   7080 
   7081 Daniel Stenberg (15 Jun 2018)
   7082 - runtests.pl: remove debug leftover from bb9a340c73f3
   7083 
   7084 - curl-confopts.m4: fix typo from ed224f23d5beb
   7085   
   7086   Fixes my local configure to detect a custom installed c-ares without
   7087   pkgconfig.
   7088 
   7089 - docs/RELEASE-PROCEDURE.md: renamed to use .md extension
   7090   
   7091   Closes #2663
   7092 
   7093 - RELEASE-PROCEDURE: gpg sign the tags
   7094 
   7095 - RELEASE-NOTES: synced
   7096 
   7097 - CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0
   7098 
   7099 - [Mamta Upadhyay brought this change]
   7100 
   7101   maketgz: fix sed issues on OSX
   7102   
   7103   maketgz creates release tarballs and removes the -DEV string in curl
   7104   version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl
   7105   is run. maketgz works fine on linux but fails on OSX. Problem is with
   7106   the sed commands that use option -i without an extension. Maketgz
   7107   expects GNU sed instead of BSD and this simply won't work on OSX. Adding
   7108   a backup extension .bak after -i fixes this issue
   7109   
   7110   Running the script as if on OSX gives this error:
   7111   
   7112   sed: -e: No such file or directory
   7113   
   7114   Adding a .bak extension resolves it
   7115   
   7116   Closes #2660
   7117 
   7118 - configure: enhance ability to detect/build with static openssl
   7119   
   7120   Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for
   7121   building with static libs without pkg-config.
   7122   
   7123   Reported-by: Marcel Raad
   7124   Fixes #2199
   7125   Closes #2659
   7126 
   7127 - configure: use pkg-config for c-ares detection
   7128   
   7129   First check if there's c-ares information given as pkg-config info and use
   7130   that as first preference.
   7131   
   7132   Reported-by: pszemus on github
   7133   Fixes #2203
   7134   Closes #2658
   7135 
   7136 - GOVERNANCE.md: explains how this project is run
   7137   
   7138   Closes #2657
   7139 
   7140 - KNOWN_BUGS: NTLM doen't support password with  character
   7141   
   7142   Closes #2120
   7143 
   7144 - KNOWN_BUGS: slow connect to localhost on Windows
   7145   
   7146   Closes #2281
   7147 
   7148 - [Matteo Bignotti brought this change]
   7149 
   7150   mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
   7151   
   7152   certdata.txt should be deleted also when the process is interrupted by
   7153   "same certificate downloaded, exiting"
   7154   
   7155   The certdata.txt is currently kept on disk even if you give the -u
   7156   option
   7157   
   7158   Closes #2655
   7159 
   7160 - progress: remove a set of unused defines
   7161   
   7162   Reported-by: Peter Wu
   7163   Closes #2654
   7164 
   7165 - TODO: "Option to refuse usernames in URLs" done
   7166   
   7167   Implemented by Bjrn in 946ce5b61f
   7168 
   7169 - [Lyman Epp brought this change]
   7170 
   7171   Curl_init_do: handle NULL connection pointer passed in
   7172   
   7173   Closes #2653
   7174 
   7175 - runtests: support variables in <strippart>
   7176   
   7177   ... and make use of that to make 1455 work better without using a fixed
   7178   local port number.
   7179   
   7180   Fixes #2649
   7181   Closes #2650
   7182 
   7183 - Curl_debug: remove dead printhost code
   7184   
   7185   The struct field is never set (since 5e0d9aea3) so remove the use of it
   7186   and remove the connectdata pointer from the prototype.
   7187   
   7188   Reported-by: Tejas
   7189   Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html
   7190   Closes #2647
   7191 
   7192 Viktor Szakats (12 Jun 2018)
   7193 - schannel: avoid incompatible pointer warning
   7194   
   7195   with clang-6.0:
   7196   ```
   7197   vtls/schannel_verify.c: In function 'add_certs_to_store':
   7198   vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types]
   7199                                 &cert_context)) {
   7200                                 ^
   7201   In file included from /usr/share/mingw-w64/include/schannel.h:10:0,
   7202                    from /usr/share/mingw-w64/include/schnlsp.h:9,
   7203                    from vtls/schannel.h:29,
   7204                    from vtls/schannel_verify.c:40:
   7205   /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}'
   7206      WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags,
   7207                             ^~~~~~~~~~~~~~~~
   7208   ```
   7209   Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264
   7210   
   7211   Closes https://github.com/curl/curl/pull/2648
   7212 
   7213 Daniel Stenberg (12 Jun 2018)
   7214 - [Robert Prag brought this change]
   7215 
   7216   schannel: support selecting ciphers
   7217   
   7218   Given the contstraints of SChannel, I'm exposing these as the algorithms
   7219   themselves instead; while replicating the ciphersuite as specified by
   7220   OpenSSL would have been preferable, I found no way in the SChannel API
   7221   to do so.
   7222   
   7223   To use this from the commandline, you need to pass the names of contants
   7224   defining the desired algorithms. For example, curl --ciphers
   7225   "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM"
   7226   https://github.com The specific names come from wincrypt.h
   7227   
   7228   Closes #2630
   7229 
   7230 - [Bernhard M. Wiedemann brought this change]
   7231 
   7232   test 46: make test pass after 2025
   7233   
   7234   shifting the expiry date to 2037 for now
   7235   to be before the possibly problematic year 2038
   7236   
   7237   similar in spirit to commit e6293cf8764e9eecb
   7238   
   7239   Closes #2646
   7240 
   7241 - [Marian Klymov brought this change]
   7242 
   7243   cppcheck: fix warnings
   7244   
   7245   - Get rid of variable that was generating false positive warning
   7246   (unitialized)
   7247   
   7248   - Fix issues in tests
   7249   
   7250   - Reduce scope of several variables all over
   7251   
   7252   etc
   7253   
   7254   Closes #2631
   7255 
   7256 - openssl: assume engine support in 1.0.1 or later
   7257   
   7258   Previously it was checked for in configure/cmake, but that would then
   7259   leave other build systems built without engine support.
   7260   
   7261   While engine support probably existed prior to 1.0.1, I decided to play
   7262   safe. If someone experience a problem with this, we can widen the
   7263   version check.
   7264   
   7265   Fixes #2641
   7266   Closes #2644
   7267 
   7268 - RELEASE-NOTES: synced
   7269 
   7270 - RELEASE-PROCEDURE: update the release calendar for 2019
   7271 
   7272 - [Gisle Vanem brought this change]
   7273 
   7274   boringssl + schannel: undef X509_NAME in lib/schannel.h
   7275   
   7276   Fixes the build problem when both boringssl and schannel are enabled.
   7277   
   7278   Fixes #2634
   7279   Closes #2643
   7280 
   7281 - [Vladimir Kotal brought this change]
   7282 
   7283   mk-ca-bundle.pl: leave certificate name untouched in decode()
   7284   
   7285   Closes #2640
   7286 
   7287 - [Rikard Falkeborn brought this change]
   7288 
   7289   tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES
   7290   
   7291   This removes the generated lib1521.c when running make clean.
   7292   
   7293   Closes #2633
   7294 
   7295 - [Rikard Falkeborn brought this change]
   7296 
   7297   tests/libtest: Add lib1521 to nodist_SOURCES
   7298   
   7299   Since 467da3af0, lib1521.c is generated instead of checked in. According
   7300   to the commit message, the intention was to remove it from the tarball
   7301   as well. However, it is still present when running make dist. To remove
   7302   it, add it to nodist_lib1521_SOURCES. This also means there is no need
   7303   for the manually added dist-rule in the Makefile.
   7304   
   7305   Also update CMakelists.txt to handle the fact that we now may have
   7306   nodist_SOURCES.
   7307 
   7308 - [Stephan Mhlstrasser brought this change]
   7309 
   7310   system.h: add support for IBM xlc C compiler
   7311   
   7312   Added a section to system.h guarded with __xlc__ for the IBM xml C
   7313   compiler. Before this change the section titled 'generic "safe guess" on
   7314   old 32 bit style' was used, which resulted in a wrong definition of
   7315   CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T
   7316   was wrong.
   7317   
   7318   Compilation warnings fixed with this change:
   7319   
   7320     CC       libcurl_la-ftp.lo
   7321   "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7322   "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7323   "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7324   "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7325   "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7326     CC       libcurl_la-connect.lo
   7327   "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7328   "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7329   "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7330   "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7331     CC       libcurl_la-tftp.lo
   7332   "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
   7333   
   7334   Closes #2637
   7335 
   7336 - cmdline-opts/cert-type.d: mention "p12" as a recognized type as well
   7337 
   7338 Viktor Szakats (3 Jun 2018)
   7339 - spelling fixes
   7340   
   7341   Detected using the `codespell` tool (version 1.13.0).
   7342   
   7343   Also secure and fix an URL.
   7344 
   7345 Daniel Stenberg (2 Jun 2018)
   7346 - axtls: follow-up spell fix of comment
   7347 
   7348 - axTLS: not considered fit for use
   7349   
   7350   URL: https://curl.haxx.se/mail/lib-2018-06/0000.html
   7351   
   7352   This is step one. It adds #error statements that require source edits to
   7353   make curl build again if asked to use axTLS. At a later stage we might
   7354   remove the axTLS specific code completely.
   7355   
   7356   Closes #2628
   7357 
   7358 - build: remove the Borland specific makefiles
   7359   
   7360   According to the user survey 2018, not even one out of 670 users use
   7361   them. Nobody on the mailing list spoke up for them either.
   7362   
   7363   Closes #2629
   7364 
   7365 - curl_addrinfo: use same #ifdef conditions in source as header
   7366   
   7367   ... for curl_dofreeaddrinfo
   7368 
   7369 - multi: remove a DEBUGF()
   7370   
   7371   ... it might call infof() with a NULL first argument that isn't harmful
   7372   but makes it not do anything. The infof() line is not very useful
   7373   anymore, it has served it purpose. Good riddance!
   7374   
   7375   Fixes #2627
   7376 
   7377 - [Alibek.Jorajev brought this change]
   7378 
   7379   CURLOPT_RESOLVE: always purge old entry first
   7380   
   7381   If there's an existing entry using the selected name.
   7382   
   7383   Closes #2622
   7384 
   7385 - fnmatch: use the system one if available
   7386   
   7387   If configure detects fnmatch to be available, use that instead of our
   7388   custom one for FTP wildcard pattern matching. For standard compliance,
   7389   to reduce our footprint and to use already well tested and well
   7390   exercised code.
   7391   
   7392   A POSIX fnmatch behaves slightly different than the internal function
   7393   for a few test patterns currently and the macOS one yet slightly
   7394   different. Test case 1307 is adjusted for these differences.
   7395   
   7396   Closes #2626
   7397 
   7398 Patrick Monnerat (31 May 2018)
   7399 - os400: add new option in ILE/RPG binding
   7400   
   7401   Follow-up to commit 946ce5b
   7402 
   7403 Daniel Stenberg (31 May 2018)
   7404 - tests/libtest/.gitignore: follow-up fix to ignore lib5* too
   7405 
   7406 - KNOWN_BUGS: CURL_GLOBAL_SSL
   7407   
   7408   Closes #2276
   7409 
   7410 - [Bernhard Walle brought this change]
   7411 
   7412   configure: check for declaration of getpwuid_r
   7413   
   7414   On our x86 Android toolchain, getpwuid_r is implemented but the header
   7415   is missing:
   7416   
   7417    netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration]
   7418   
   7419   Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved
   7420   the prototype to curl_setup.h.
   7421   
   7422   Signed-off-by: Bernhard Walle <bernhard (a] bwalle.de>
   7423   Closes #2609
   7424 
   7425 - [Rikard Falkeborn brought this change]
   7426 
   7427   tests: update .gitignore for libtests
   7428   
   7429   Closes #2624
   7430 
   7431 - [Rikard Falkeborn brought this change]
   7432 
   7433   strictness: correct {infof, failf} format specifiers
   7434   
   7435   Closes #2623
   7436 
   7437 - [Bjrn Stenberg brought this change]
   7438 
   7439   option: disallow username in URL
   7440   
   7441   Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes
   7442   libcurl reject URLs with a username in them.
   7443   
   7444   Closes #2340
   7445 
   7446 - libcurl-security.3: improved layout for two rememdy lists
   7447 
   7448 - libcurl-security.3: refer to URL instead of in-source markdown file
   7449 
   7450 Viktor Szakats (30 May 2018)
   7451 - curl.rc: embed manifest for correct Windows version detection
   7452   
   7453   * enable it in `src/Makefile.m32`
   7454   * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is
   7455     _not_ enabled via the existing `EMBED_MANIFEST` option
   7456   * enable it for all Windows CMake builds (also disable the built-in
   7457     minimal manifest, added by CMake by default.)
   7458   
   7459   For other build systems, add the `-DCURL_EMBED_MANIFEST` option to
   7460   the list of RC (Resource Compiler) flags to enable the manifest
   7461   included in `src/curl.rc`. This may require to disable whatever
   7462   automatic or other means in which way another manifest is added to
   7463   `curl.exe`.
   7464   
   7465   Notice that Borland C doesn't support this method due to a
   7466   long-pending resource compiler bug. Watcom C may also not handle
   7467   it correctly when the `-zm` `wrc` option is used (this option may
   7468   be unnecessary though) and regardless of options in certain earlier
   7469   revisions of the 2.0 beta version.
   7470   
   7471   Closes https://github.com/curl/curl/pull/1221
   7472   Fixes https://github.com/curl/curl/issues/2591
   7473 
   7474 Patrick Monnerat (30 May 2018)
   7475 - os400: sync EBCDIC wrappers and ILE/RPG binding with latest options
   7476 
   7477 - os400: implement mime api EBCDIC wrappers
   7478   
   7479   Also sync ILE/RPG binding to define the new functions.
   7480 
   7481 Daniel Stenberg (29 May 2018)
   7482 - setopt: add TLS 1.3 ciphersuites
   7483   
   7484   Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.
   7485   
   7486   curl: added --tls13-ciphers and --proxy-tls13-ciphers
   7487   
   7488   Fixes #2435
   7489   Reported-by: zzq1015 on github
   7490   Closes #2607
   7491 
   7492 - configure: override AR_FLAGS to silence warning
   7493   
   7494   The automake default ar flags are 'cru', but the 'u' flag in there
   7495   causes warnings on many modern Linux distros. Removing 'u' may have a
   7496   minor performance impact on older distros but should not cause harm.
   7497   
   7498   Explained on the automake mailing list already back in April 2015:
   7499   
   7500   https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html
   7501   
   7502   Reported-by: elephoenix on github
   7503   Fixes #2617
   7504   Closes #2619
   7505 
   7506 Sergei Nikulov (29 May 2018)
   7507 - cmake: fixed comments in compile checks code
   7508 
   7509 Daniel Stenberg (29 May 2018)
   7510 - INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
   7511   
   7512   ... the older description doesn't work
   7513   
   7514   Reported-by: Peter Varga
   7515   Fixes #2615
   7516   Closes #2616
   7517 
   7518 - [Will Dietz brought this change]
   7519 
   7520   KNOWN_BUGS: restore text regarding #2101.
   7521   
   7522   This was added earlier but appears to have been removed accidentally.
   7523   
   7524   AFAICT this is very much still an issue.
   7525   
   7526   -----
   7527   
   7528   I say "accidentally" because the text seems to have harmlessly snuck
   7529   into [1] (which makes no mention of it).  [1] was later reverted for
   7530   unspecified reasons in [2], presumably because the mentioned issue was
   7531   fixed or invalid.
   7532   
   7533   [1] de9fac00c40db321d44fa6fbab6eb62ec4c83998
   7534   [2] 16d1f369403cbb04bd7b085eabbeebf159473fc2
   7535   
   7536   Closes #2618
   7537 
   7538 - fnmatch: insist on escaped bracket to match
   7539   
   7540   A non-escaped bracket ([) is for a character group - as documented. It
   7541   will *not* match an individual bracket anymore. Test case 1307 updated
   7542   accordingly to match.
   7543   
   7544   Problem detected by OSS-Fuzz, although this fix is probably not a final
   7545   fix for the notorious timeout issues.
   7546   
   7547   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525
   7548   Closes #2614
   7549 
   7550 Patrick Monnerat (28 May 2018)
   7551 - psl: use latest psl and refresh it periodically
   7552   
   7553   The latest psl is cached in the multi or share handle. It is refreshed
   7554   before use after 72 hours.
   7555   New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing.
   7556   If the latest psl is not available, the builtin psl is used.
   7557   
   7558   Reported-by: Yaakov Selkowitz
   7559   Fixes #2553
   7560   Closes #2601
   7561 
   7562 Daniel Stenberg (28 May 2018)
   7563 - [Fabrice Fontaine brought this change]
   7564 
   7565   configure: fix ssh2 linking when built with a static mbedtls
   7566   
   7567   The ssh2 pkg-config file could contain the following lines when build
   7568   with a static version of mbedtls:
   7569      Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
   7570      Libs.private: /xxx/libmbedcrypto.a
   7571   
   7572   This static mbedtls library must be used to correctly detect ssh2
   7573   support and this library must be copied in libcurl.pc otherwise
   7574   compilation of any application (such as upmpdcli) with libcurl will fail
   7575   when trying to found mbedtls functions included in libssh2.  So, replace
   7576   pkg-config --libs-only-l by pkg-config --libs.
   7577   
   7578   Fixes:
   7579    - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a
   7580   
   7581   Signed-off-by: Fabrice Fontaine <fontaine.fabrice (a] gmail.com>
   7582   Closes #2613
   7583 
   7584 - RELEASE-NOTES: synced
   7585 
   7586 - [Bernhard Walle brought this change]
   7587 
   7588   cmake: check for getpwuid_r
   7589   
   7590   The autotools-based build system does it, so we do it also in CMake.
   7591   
   7592   Bug: #2609
   7593   Signed-off-by: Bernhard Walle <bernhard (a] bwalle.de>
   7594 
   7595 - cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
   7596 
   7597 - [Frank Gevaerts brought this change]
   7598 
   7599   curl.1: Fix cmdline-opts reference errors.
   7600   
   7601   --data, --form, and --ntlm were declared to be mutually exclusive with
   7602   non-existing options. --data and --form referred to --upload (which is
   7603   short for --upload-file and therefore did work, so this one was merely
   7604   a bit confusing), --ntlm referred to --negotiated instead of --negotiate.
   7605   
   7606   Closes #2612
   7607 
   7608 - [Frank Gevaerts brought this change]
   7609 
   7610   docs: fix cmdline-opts metadata headers case consistency.
   7611   
   7612   Almost all headers start with an uppercase letter, but some didn't.
   7613 
   7614 - mailmap: Max Savenkov
   7615 
   7616 Sergei Nikulov (28 May 2018)
   7617 - [Max Savenkov brought this change]
   7618 
   7619   Fix the test for fsetxattr and strerror_r tests in CMake to work without compiling
   7620 
   7621 Daniel Stenberg (27 May 2018)
   7622 - mailmap: a Richard Alcock fixup
   7623 
   7624 - [Richard Alcock brought this change]
   7625 
   7626   schannel: add failf calls for client certificate failures
   7627   
   7628   Closes #2604
   7629 
   7630 - [Richard Alcock brought this change]
   7631 
   7632   winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
   7633   
   7634   Change requirement from $(DISTDIR) to $(DIRDIST)
   7635   
   7636   closes #2603
   7637 
   7638 - [Richard Alcock brought this change]
   7639 
   7640   winbuild: only delete OUTFILE if it exists
   7641   
   7642   This removes the slightly annoying "Could not file LIBCURL_OBJS.inc" and
   7643   "Could not find CURL_OBJS.inc.inc" message when building into a clean
   7644   folder.
   7645   
   7646   closes #2602
   7647 
   7648 - [Alejandro R. Sedeo brought this change]
   7649 
   7650   content_encoding: handle zlib versions too old for Z_BLOCK
   7651   
   7652   Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available.
   7653   
   7654   Fixes #2606
   7655   Closes #2608
   7656 
   7657 - multi: provide a socket to wait for in Curl_protocol_getsock
   7658   
   7659   ... even when there's no protocol specific handler setup.
   7660   
   7661   Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html
   7662   Reported-by: Sean Miller
   7663   Closes #2600
   7664 
   7665 - [Linus Lewandowski brought this change]
   7666 
   7667   httpauth: add support for Bearer tokens
   7668   
   7669   Closes #2102
   7670 
   7671 - TODO: CURLINFO_PAUSE_STATE
   7672   
   7673   Closes #2588
   7674 
   7675 Sergei Nikulov (24 May 2018)
   7676 - cmake: set -d postfix for debug builds if not specified
   7677          using -DCMAKE_DEBUG_POSTFIX explicitly
   7678   
   7679          fixes #2121, obsoletes #2384
   7680 
   7681 Daniel Stenberg (23 May 2018)
   7682 - configure: add basic test of --with-ssl prefix
   7683   
   7684   When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or
   7685   $PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an
   7686   error. Helps users detect when giving configure the wrong path.
   7687   
   7688   Reported-by: Oleg Pudeyev
   7689   Assisted-by: Per Malmberg
   7690   Fixes #2580
   7691 
   7692 Patrick Monnerat (22 May 2018)
   7693 - http resume: skip body if http code 416 (range error) is ignored.
   7694   
   7695   This avoids appending error data to already existing good data.
   7696   
   7697   Test 92 is updated to match this change.
   7698   New test 1156 checks all combinations of --range/--resume, --fail,
   7699   Content-Range header and http status code 200/416.
   7700   
   7701   Fixes #1163
   7702   Reported-By: Ithubg on github
   7703   Closes #2578
   7704 
   7705 Daniel Stenberg (22 May 2018)
   7706 - tftp: make sure error is zero terminated before printfing it
   7707 
   7708 - configure: add missing m4/ax_compile_check_sizeof.m4
   7709   
   7710   follow-up to mistake in 6876ccf90b4
   7711 
   7712 Jay Satiro (22 May 2018)
   7713 - [Johannes Schindelin brought this change]
   7714 
   7715   schannel: make CAinfo parsing resilient to CR/LF
   7716   
   7717   OpenSSL has supported --cacert for ages, always accepting LF-only line
   7718   endings ("Unix line endings") as well as CR/LF line endings ("Windows
   7719   line endings").
   7720   
   7721   When we introduced support for --cacert also with Secure Channel (or in
   7722   cURL speak: "WinSSL"), we did not take care to support CR/LF line
   7723   endings, too, even if we are much more likely to receive input in that
   7724   form when using Windows.
   7725   
   7726   Let's fix that.
   7727   
   7728   Happily, CryptQueryObject(), the function we use to parse the ca-bundle,
   7729   accepts CR/LF input already, and the trailing LF before the END
   7730   CERTIFICATE marker catches naturally any CR/LF line ending, too. So all
   7731   we need to care about is the BEGIN CERTIFICATE marker. We do not
   7732   actually need to verify here that the line ending is CR/LF. Just
   7733   checking for a CR or an LF is really plenty enough.
   7734   
   7735   Signed-off-by: Johannes Schindelin <johannes.schindelin (a] gmx.de>
   7736   
   7737   Closes https://github.com/curl/curl/pull/2592
   7738 
   7739 Daniel Stenberg (22 May 2018)
   7740 - CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
   7741 
   7742 - RELEASE-NOTES: synced
   7743 
   7744 - KNOWN_BUGS: mention the -O with %-encoded file names
   7745   
   7746   Closes #2573
   7747 
   7748 - checksrc: make sure sizeof() is used *with* parentheses
   7749   
   7750   ... and unify the source code to adhere.
   7751   
   7752   Closes #2563
   7753 
   7754 - curl: added --styled-output
   7755   
   7756   It is enabled by default, so --no-styled-output will switch off the
   7757   detection/use of bold headers.
   7758   
   7759   Closes #2538
   7760 
   7761 - curl: show headers in bold
   7762   
   7763   The feature is only enabled if the output is believed to be a tty.
   7764   
   7765   -J: There's some minor differences and improvements in -J handling, as
   7766   now J should work with -i and it actually creates a file first using the
   7767   initial name and then *renames* that to the one found in
   7768   Content-Disposition (if any).
   7769   
   7770   -i: only shows headers for HTTP transfers now (as documented).
   7771   Previously it would also show for pieces of the transfer that were HTTP
   7772   (for example when doing FTP over a HTTP proxy).
   7773   
   7774   -i: now shows trailers as well. Previously they were not shown at all.
   7775   
   7776   --libcurl: the CURLOPT_HEADER is no longer set, as the header output is
   7777   now done in the header callback.
   7778 
   7779 - configure: compile-time SIZEOF checks
   7780   
   7781   ... instead of exeucting code to get the size. Removes the use of
   7782   LD_LIBRARY_PATH for this.
   7783   
   7784   Fixes #2586
   7785   Closes #2589
   7786   Reported-by: Bernhard Walle
   7787 
   7788 - configure: replace AC_TRY_RUN with CURL_RUN_IFELSE
   7789   
   7790   ... and export LD_LIBRARY_PATH properly. This is a follow-up from
   7791   2d4c215.
   7792   
   7793   Fixes #2586
   7794   Reported-by: Bernhard Walle
   7795 
   7796 - docs: clarify CURLOPT_HTTPGET somewhat
   7797   
   7798   Reported-by: bsammon on github
   7799   Fixes #2590
   7800 
   7801 - curl_fnmatch: only allow two asterisks for matching
   7802   
   7803   The previous limit of 5 can still end up in situation that takes a very
   7804   long time and consumes a lot of CPU.
   7805   
   7806   If there is still a rare use case for this, a user can provide their own
   7807   fnmatch callback for a version that allows a larger set of wildcards.
   7808   
   7809   This commit was triggered by yet another OSS-Fuzz timeout due to this.
   7810   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369
   7811   
   7812   Closes #2587
   7813 
   7814 - checksrc: fix too long line
   7815   
   7816   follow-up to e05ad5d
   7817 
   7818 - [Aleks brought this change]
   7819 
   7820   docs: mention HAproxy protocol "version 1"
   7821   
   7822   ...as there's also a version 2.
   7823   
   7824   Closes #2579
   7825 
   7826 - examples/progressfunc: make it build on older libcurls
   7827   
   7828   This example was changed in ce2140a8c1 to use the new microsecond based
   7829   getinfo option. This change makes it conditionally keep using the older
   7830   option so that the example still builds with older libcurl versions.
   7831   
   7832   Closes #2584
   7833 
   7834 - stub_gssapi: fix numerous 'unused parameter' warnings
   7835   
   7836   follow-up to d9e92fd9fd1d
   7837 
   7838 - [Philip Prindeville brought this change]
   7839 
   7840   getinfo: add microsecond precise timers for various intervals
   7841   
   7842   Provide a set of new timers that return the time intervals using integer
   7843   number of microseconds instead of floats.
   7844   
   7845   The new info names are as following:
   7846   
   7847   CURLINFO_APPCONNECT_TIME_T
   7848   CURLINFO_CONNECT_TIME_T
   7849   CURLINFO_NAMELOOKUP_TIME_T
   7850   CURLINFO_PRETRANSFER_TIME_T
   7851   CURLINFO_REDIRECT_TIME_T
   7852   CURLINFO_STARTTRANSFER_TIME_T
   7853   CURLINFO_TOTAL_TIME_T
   7854   
   7855   Closes #2495
   7856 
   7857 - openssl: acknowledge --tls-max for default version too
   7858   
   7859   ... previously it only used the max setting if a TLS version was also
   7860   explicitly asked for.
   7861   
   7862   Reported-by: byte_bucket
   7863   Fixes #2571
   7864   Closes #2572
   7865 
   7866 - bump: start working on the pending 7.61.0
   7867 
   7868 - [Dagobert Michelsen brought this change]
   7869 
   7870   tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
   7871   
   7872   The warning flag leads e.g. Sun Studio compiler to bail out.
   7873   
   7874   Closes #2576
   7875 
   7876 - schannel_verify: fix build for non-schannel
   7877 
   7878 Jay Satiro (16 May 2018)
   7879 - rand: fix typo
   7880 
   7881 - schannel: disable manual verify if APIs not available
   7882   
   7883   .. because original MinGW and old compilers do not have the Windows API
   7884   definitions needed to support manual verification.
   7885 
   7886 - [Archangel_SDY brought this change]
   7887 
   7888   schannel: disable client cert option if APIs not available
   7889   
   7890   Original MinGW targets Windows 2000 by default, which lacks some APIs and
   7891   definitions for this feature. Disable it if these APIs are not available.
   7892   
   7893   Closes https://github.com/curl/curl/pull/2522
   7894 
   7895 Version 7.60.0 (15 May 2018)
   7896 
   7897 Daniel Stenberg (15 May 2018)
   7898 - RELEASE-NOTES: 7.60.0 release
   7899 
   7900 - THANKS: added people from the curl 7.60.0 release
   7901 
   7902 - docs/libcurl/index.html: removed
   7903   
   7904   The HTML files are long gone from the dist, now remove the last HTML
   7905   file pointing to those missing files.
   7906   
   7907   d
   7908 
   7909 - [steini2000 brought this change]
   7910 
   7911   http2: remove unused variable
   7912   
   7913   Closes #2570
   7914 
   7915 - [steini2000 brought this change]
   7916 
   7917   http2: use easy handle of stream for logging
   7918 
   7919 - gcc: disable picky gcc-8 function pointer warnings in two places
   7920   
   7921   Reported-by: Rikard Falkeborn
   7922   Bug: #2560
   7923   Closes #2569
   7924 
   7925 - http2: use the correct function pointer typedef
   7926   
   7927   Fixes gcc-8 picky compiler warnings
   7928   Reported-by: Rikard Falkeborn
   7929   Bug: #2560
   7930   Closes #2568
   7931 
   7932 - CODE_STYLE: mention return w/o parens, but sizeof with
   7933   
   7934   ... and remove the github markdown syntax so that it renders better on
   7935   the web site. Also, don't use back-ticks inlined to allow the CSS to
   7936   highlight source code better.
   7937 
   7938 - [Rikard Falkeborn brought this change]
   7939 
   7940   examples: Fix format specifiers
   7941   
   7942   Closes #2561
   7943 
   7944 - [Rikard Falkeborn brought this change]
   7945 
   7946   tool: Fix format specifiers
   7947 
   7948 - [Rikard Falkeborn brought this change]
   7949 
   7950   ntlm: Fix format specifiers
   7951 
   7952 - [Rikard Falkeborn brought this change]
   7953 
   7954   tests: Fix format specifiers
   7955 
   7956 - [Rikard Falkeborn brought this change]
   7957 
   7958   lib: Fix format specifiers
   7959 
   7960 - contributors.sh: use "on github", not at
   7961 
   7962 - http2: getsock fix for uploads
   7963   
   7964   When there's an upload in progress, make sure to wait for the socket to
   7965   become writable.
   7966   
   7967   Detected-by: steini2000 on github
   7968   Bug: #2520
   7969   Closes #2567
   7970 
   7971 - pingpong: fix response cache memcpy overflow
   7972   
   7973   Response data for a handle with a large buffer might be cached and then
   7974   used with the "closure" handle when it has a smaller buffer and then the
   7975   larger cache will be copied and overflow the new smaller heap based
   7976   buffer.
   7977   
   7978   Reported-by: Dario Weisser
   7979   CVE: CVE-2018-1000300
   7980   Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
   7981 
   7982 - http: restore buffer pointer when bad response-line is parsed
   7983   
   7984   ... leaving the k->str could lead to buffer over-reads later on.
   7985   
   7986   CVE: CVE-2018-1000301
   7987   Assisted-by: Max Dymond
   7988   
   7989   Detected by OSS-Fuzz.
   7990   Bug: https://curl.haxx.se/docs/adv_2018-b138.html
   7991   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
   7992 
   7993 Patrick Monnerat (13 May 2018)
   7994 - cookies: do not take cookie name as a parameter
   7995   
   7996   RFC 6265 section 4.2.1 does not set restrictions on cookie names.
   7997   This is a follow-up to commit 7f7fcd0.
   7998   Also explicitly check proper syntax of cookie name/value pair.
   7999   
   8000   New test 1155 checks that cookie names are not reserved words.
   8001   
   8002   Reported-By: anshnd at github
   8003   Fixes #2564
   8004   Closes #2566
   8005 
   8006 Daniel Stenberg (12 May 2018)
   8007 - smb: reject negative file sizes
   8008   
   8009   Assisted-by: Max Dymond
   8010   
   8011   Detected by OSS-Fuzz
   8012   Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
   8013