diff options
Diffstat (limited to 'CHANGES')
| -rw-r--r-- | CHANGES | 7393 |
1 files changed, 3771 insertions, 3622 deletions
@@ -6,5321 +6,5470 @@ Changelog -Version 7.40.0 (7 Jan 2015) +Version 7.48.0 (23 Mar 2016) -Daniel Stenberg (7 Jan 2015) -- RELEASE-NOTES: version 7.40.0 +Daniel Stenberg (23 Mar 2016) +- RELEASE-NOTES: curl 7.48.0 -- darwinssl: fix session ID keys to only reuse identical sessions - - ...to avoid a session ID getting cached without certificate checking and - then after a subsequent _enabling_ of the check libcurl could still - re-use the session done without cert checks. - - Bug: http://curl.haxx.se/docs/adv_20150108A.html - Reported-by: Marc Hesse +- THANKS: 15 new contributors from 7.48.0 release -- tests: make sure CRLFs can't be used in URLs passed to proxy +Jay Satiro (23 Mar 2016) +- CURLINFO_TLS_SSL_PTR.3: Warn about limitations - Bug: http://curl.haxx.se/docs/adv_20150108B.html + Bug: https://github.com/curl/curl/issues/685 -- url-parsing: reject CRLFs within URLs +Daniel Stenberg (22 Mar 2016) +- Revert "sshserver: remove use of AuthorizedKeysFile2" - Bug: http://curl.haxx.se/docs/adv_20150108B.html - Reported-by: Andrey Labunets - -Steve Holme (7 Jan 2015) -- ldap: Convert attribute output to UTF-8 when Unicode - -- ldap: Convert DN output to UTF-8 when Unicode - -Daniel Stenberg (7 Jan 2015) -- hostip: remove 'stale' argument from Curl_fetch_addr proto + It seems we may have some autobuild problems after this commit went + in. Trying to see if a revert helps to get them back. - Also, remove the log output of the resolved name is NOT in the cache in - the spirit of only telling when something is actually happening. + This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642. -Steve Holme (7 Jan 2015) -- ldap/imap: Fixed spelling mistake in comments and variable names +- maketgz: add -j to make dist - Reported-by: Michael Osipov + ... makes it a lot faster -Daniel Stenberg (7 Jan 2015) -- RELEASE-NOTES: updated with ./contributors.sh output +- libcurl-thread.3: minor nroff format fix -Dan Fandrich (5 Jan 2015) -- curl_multibyte.h: Eliminated some trailing whitespace +- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix -Steve Holme (4 Jan 2015) -- RELEASE-NOTES: Synced with ea93252ef1 - -- ldap: Fixed Unicode usage for all Win32 builds +- CODE_STYLE: indend example code - Otherwise, the fixes in the previous commits would only be applicable - to IDN and SSPI based builds and not others such as OpenSSL with LDAP - enabled. - -- ldap: Fixed memory leak from commit efb64fdf80 + ... to make it look nicer in markdown outputa -- ldap: Fix memory leak from commit 3a805c5cc1 +Jay Satiro (22 Mar 2016) +- build-wolfssl: Update VS properties for wolfSSL v3.9.0 + + - Do not use wolfSSL's sample user-setting files. + + wolfSSL starting in v3.9.0 has added their own sample user settings that + are applied by default, but we don't use them because we have our own + settings. + + - Do not use wolfSSL's Visual Studio Unicode character setting. + + wolfSSL Visual Studio projects use the Unicode character set however our + settings and options imitate mingw build which does not use the Unicode + character set. This does not appear to have any effect at the moment but + better safe than sorry. + + + These changes are backwards compatible with earlier versions. -- ldap: Fixed attribute variable warnings when Unicode is enabled +Steve Holme (22 Mar 2016) +- hostip6: Fixed compilation warnings when verbose strings disabled + + warning C4189: 'data': local variable is initialized but not referenced - Use 'TCHAR *' for local attribute variable rather than 'char *'. + ...and some minor formatting/spacing changes. -- ldap: Fixed DN variable warnings when Unicode is enabled +Daniel Stenberg (21 Mar 2016) +- sshserver: remove use of AuthorizedKeysFile2 - Use 'TCHAR *' for local DN variable rather than 'char *'. + Support for the (undocumented) AuthorizedKeysFile2 was removed in + OpenSSH 5.9, released in September 2011 + + Closes #715 -- ldap: Remove the unescape_elements() function +Steve Holme (20 Mar 2016) +- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled - Due to the recent modifications this function is no longer used. + warning C4189: 'data': local variable is initialized but not referenced -- ldap.c: Fixed compilation warning +- openssl: Fixed compilation warning when /Wall enabled - ldap.c:98: warning: extra tokens at end of #endif directive + warning C4706: assignment within conditional expression -- ldap: Fixed support for Unicode filter in Win32 search call +- CODE_STYLE: Use boolean conditions + + Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions. + + Additionally, corrected some example code to adhere to the recommended + coding style. -- ldap.c: Fixed compilation warning +- inet_pton.c: Fixed compilation warnings - ldap.c:802: warning: comparison between signed and unsigned integer - expressions + warning: conversion to 'unsigned char' from 'int' may alter its value -- ldap: Fixed support for Unicode attributes in Win32 search call +Daniel Stenberg (19 Mar 2016) +- RELEASE-NOTES: synced with 80851028efc2fa9 -- ldap: Fixed memory leak from commit efb64fdf80 +- mbedtls: fix compiler warning - The unescapped DN was not freed after a successful character conversion. + vtls/mbedtls.h:67:36: warning: implicit declaration of function + ‘mbedtls_sha256’ [-Wimplicit-function-declaration] -- ldap.c: Fixed compilation error +Steve Holme (19 Mar 2016) +- easy: Minor coding standard and style updates - ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes - just 1 + Following commit c5744340db. Additionally removes the need for a second + 'result code' variable as well. -- ldap.c: Fixed compilation warning +Jay Satiro (19 Mar 2016) +- easy: Remove poll failure check in easy_transfer + + .. because curl_multi_wait can no longer signal poll failure. - ldap.c:89: warning: extra tokens at end of #endif directive + follow-up to 77e1726 + + Bug: https://github.com/curl/curl/issues/707 -- ldap: Fixed support for Unicode DN in Win32 search call +Steve Holme (19 Mar 2016) +- build: Added missing Visual Studio filter files for VC10 onwards + + As these files don't need to contain references to the source files, + although typically do, added basic files which only include three + filters and don't require the project file generator to be modified. + + These files allow the source code to be viewed in the Solution Explorer + in versions of Visual Studio from 2010 onwards in the same manner as + previous versions did rather than one large view of files. -- ldap: Fixed Unicode user and password in Win32 bind calls +- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled + + warning C4706: assignment within conditional expression -- ldap: Fixed Unicode host name in Win32 initialisation calls +- config-w32.h: Fixed compilation warning when /Wall enabled + + warning C4668: 'USE_IPV6' is not defined as a preprocessor macro, + replacing with '0' for '#if/#elif' -- ldap: Use host.dispname for infof() connection failure messages +- imap.c: Fixed compilation warning with /Wall enabled + + warning C4701: potentially uninitialized local variable 'size' used - As host.name may be encoded use dispname for infof() failure messages. + Technically this can't happen, as the usage of 'size' is protected by + 'if(parsed)' and 'parsed' is only set after 'size' has been parsed. + + Anyway, lets keep the compiler happy. -- ldap: Prefer 'CURLcode result' for curl result codes +- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms -- ldap: Pass write length in all Curl_client_write() calls - - As we get the length for the DN and attribute variables, and we know - the length for the line terminator, pass the length values rather than - zero as this will save Curl_client_write() from having to perform an - additional strlen() call. +Daniel Stenberg (18 Mar 2016) +- bump: the coming release is 7.48.0 -- ldap: Fixed attribute memory leaks on failed client write +- configure: use cpp -P when needed - Fixed memory leaks from commit 086ad79970 as was noted in the commit - comments. - -- ldap: Fixed DN memory leaks on failed client write + Since gcc 5, the processor output can get split up on multiple lines + that made the configure script fail to figure out values from + definitions. The fix is to use cpp -P, and this fix now first checks if + cpp -P is necessary and then if cpp -P works before it uses that to + extract defined values. - Fixed memory leaks from commit 086ad79970 as was noted in the commit - comments. + Fixes #719 -- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d +Steve Holme (18 Mar 2016) +- formdata.c: Fixed compilation warning - curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char - [8]') to parameter of type 'char *' converts - between pointers to integer types with different - sign - -- ntlm: Use extend_key_56_to_64() for all cryptography engines + formdata.c:390: warning: cast from pointer to integer of different size + + Introduced in commit ca5f9341ef this happens because a char*, which is + 32-bits wide in 32-bit land, is being cast to a curl_off_t which is + 64-bits wide where 64-bit integers are supported by the compiler. - Rather than duplicate the code in setup_des_key() for OpenSSL and in - extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is - the same, use extend_key_56_to_64() for all engines. + This doesn't happen in 64-bit land as a pointer is the same size as a + curl_off_t. + + This fix doesn't address the fact that a 64-bit value cannot be used + for CURLFORM_CONTENTLEN when set in a form array and compiled on a + 32-bit platforms, it does at least suppress the compilation warning. -- RELEASE-NOTES: Synced with 34f0bd110f +Daniel Stenberg (18 Mar 2016) +- FAQ: 2.5 Install libcurl for both 32bit and 64bit? -- curl_ntlm_core.c: Fixed compilation warning - - curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined - but not used +- [Gisle Vanem brought this change] -- endian: Fixed bit-shift in 64-bit integer read functions + openssl: adapt to API breakage in ERR_remove_thread_state() - From commit 43792592ca and 4bb5a351b2. + The OpenSSL API change that broke this is "Convert ERR_STATE to new + multi-threading API": openssl commit 8509dcc. - Reported-by: Michael Osipov + Closes #713 -- smb: Use endian functions for reading NBT and message size values +- version: init moved to private name space, added protos + + follow-up to 80015cdd52145 -- endian: Added big endian read functions +- openssl: verbose: show matching SAN pattern + + ... to allow users to see which specfic wildcard that matched when such + is used. + + Also minor logic cleanup to simplify the code, and I removed all tabs + from verbose strings. -- endian: Added 64-bit integer read function +Jay Satiro (16 Mar 2016) +- version: thread safety -- COPYING: Bumped copyright year to 2015 +Steve Holme (16 Mar 2016) +- transfer: Removed redundant HTTP authentication include files + + It would also seem that share.h is not required here either as there + are no references to the Curl_share structure or functions. -- version: Bump copyright year to 2015 +- easy: Removed redundant HTTP authentication include files -- smb.c: Fixed compilation warnings +Jay Satiro (15 Mar 2016) +- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support - smb.c:780: warning: passing 'char *' to parameter of type 'unsigned - char *' converts between pointers to integer types with - different sign - smb.c:781: warning: passing 'char *' to parameter of type 'unsigned - char *' converts between pointers to integer types with - different sign - smb.c:804: warning: passing 'char *' to parameter of type 'unsigned - char *' converts between pointers to integer types with - different sign + Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html + Reported-by: Oliver Graute -- smb: Use endian functions for reading length and offset values +Steve Holme (15 Mar 2016) +- curl_sasl: Minor code indent fixes -- endian: Added 16-bit integer write function +Daniel Stenberg (14 Mar 2016) +- runtests: mention when run event-based -- endian: Fixed Linux compilation issues +- easy: add check to malloc() when running event-based - Having files named endian.[c|h] seemed to cause issues under Linux so - renamed them both to have the curl_ prefix in the filenames. + ... to allow torture tests then too. + +- memdebug: skip logging the limit countdown, fflush when reached -- [Julien Nabet brought this change] +- CODE_STYLE: Space around operators + + As just discussed on the mailing list, also document how we prefer + spacing in expressions. - lib1900.c: Fixed cppcheck error +- curl: glob_range: no need to check unsigned variable for negative - lib1900.c:182: (style) Array index 'handlenum' is used before limits - check + cppcheck warned: - Bug: https://github.com/bagder/curl/pull/133 + [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n' + is less than zero. -- endian: Added standard function descriptions +- CODE_STYLE: add example for indent style as well -- endian: Renamed functions for curl API naming convention +- CODE_STYLE: mention braces for functions too -- endian: Moved write functions to new module +- docs/Makefile.am: include CODE_STYLE in tarball too -- endian: Moved read functions to new module +- CONTRIBUTE: moved out code style to a separate document -- endian: Introduced endian module +- CODE_STYLE: initial version - To allow the little endian functions, currently used in two of the NTLM - source files, to be used by other modules such as the SMB module. - -- sepheaders.c: Applied curl oding standards + Ripped out from CONTRIBUTE into its own document, but also extended from + there. -- [Julien Nabet brought this change] +- curl_sasl.c: minor code indent fixes - sepheaders.c: Fixed resource leak on failure - -- vtls: Use '(void) arg' for unused parameters +- multi: simplified singlesocket - Prefer void for unused parameters, rather than assigning an argument to - itself as a) unintelligent compilers won't optimize it out, b) it can't - be used for const parameters, c) it will cause compilation warnings for - clang with -Wself-assign and d) is inconsistent with other areas of the - curl source code. + Since sh_getentry() now checks for invalid sockets itself and by + narrowing the scope of the remove_sock_from_hash variable. -- smb.c: Fixed compilation warning +- multi: introduce sh_getentry() for looking up sockets in the sockhash - smb.c:586: warning: conversion to 'short unsigned int' from 'int' may - alter its value + Simplify the code by using a single entry that looks for a socket in the + socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD + at some point and that is ineffective/wrong and this makes it easier to + avoid that. -- [Bill Nagel brought this change] +- [Jaime Fullaondo brought this change] - smb: Use the connection's upload buffer + multi hash: ensure modulo performed on curl_socket_t - Use the connection's upload buffer instead of allocating our own send - buffer. + Closes #712 -- RELEASE-NOTES: Synced with 1933f9d33c +Steve Holme (13 Mar 2016) +- base64: Minor coding standard and style updates -- schannel: Moved the ISC return flag definitions to the SSPI module - - Moved our Initialize Security Context return attribute definitions to - the SSPI module, as a) these can be used by other SSPI based providers - and b) the ISC required attributes are defined there. +- base64: Use 'CURLcode result' for curl result codes -- [Bill Nagel brought this change] +- negotiate: Use 'CURLcode result' for curl result codes - smb: Close the connection after a failed client write +Daniel Stenberg (13 Mar 2016) +- [Maksim Kuzevanov brought this change] -- darwinssl: Fixed compilation warning + multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT - vtls.c:683:43: warning: unused parameter 'data' + Closes #703 -- sockfilt.c: Fixed compilation warnings - - sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter - its value - sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter - its value - sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter - its value - sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter - its value +- TODO: Use the RFC6265 test suite -- test1509: Fixed compilation warning - - lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may - alter its value +Steve Holme (13 Mar 2016) +- checksrc.bat: Added the ability to scan src and lib source independently -- test556: Fixed compilation warning +- digest: Use boolean based success code for Curl_sasl_digest_get_pair() - lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may - alter its value + Rather than use a 0 and 1 integer base result code use a TRUE / FALSE + based success code. -- sasl_gssapi: Fixed use of dummy username with real username +- digest: Corrected some typos in comments -- vtls: Fixed compilation warning and an ignored return code - - curl_schannel.h:123: warning: right-hand operand of comma expression - has no effect - - Some instances of the curlssl_close_all() function were declared with a - void return type whilst others as int. The schannel version returned - CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the - return code was ignored by the calling function Curl_ssl_close_all(). - - For the time being and to keep the internal API consistent, changed all - declarations to use a void return type. - - To reduce code we might want to consider removing the unimplemented - versions and use a void #define like schannel does. +- krb5: Corrected some typos in function descriptions -Daniel Stenberg (28 Dec 2014) -- TODO: 2.3 Better support for same name resolves +- ntlm: Corrected some typos in function descriptions -Steve Holme (28 Dec 2014) -- test1520: Fixed initial teething problems +- url: Corrected indentation when calling idna_to_ascii_lz() + +- idn_win32: Use boolean based success codes - * Missing initialisation of upload status caused a seg fault - * Missing data termination caused corrupt data to be uploaded - * Data verification should be performed in <upload> element - * Added missing recipient list cleanup + Rather than use 0 and 1 integer base result codes use a FALSE / TRUE + based success code. -- test1520: Fixed compilation errors +Daniel Stenberg (10 Mar 2016) +- idn_win32.c: warning: Trailing whitespace -- tests: Added test for bug #1456 +Steve Holme (10 Mar 2016) +- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291 + + warning C4267: 'function': conversion from 'size_t' to 'int', + possible loss of data -- checksrc.bat: Fixed a problem opening files with spaces in the filename +Daniel Stenberg (10 Mar 2016) +- THANKS-filter: unify Michael König -- openldap: Prefer use of 'CURLcode result' +- RELEASE-NOTES: synced with 863c5766dd -- openldap: Use 'LDAPMessage *msg' for messages +- ftp: remove a check for NULL(!) - This frees up the 'result' variable for CURLcode based result codes. + ... as it implies we need to check for that on all the other variable + references as well (as Coverity otherwise warns us for missing NULL + checks), and we're alredy making sure that the pointer is never NULL. -- nss: Don't ignore Curl_extract_certinfo() OOM failure - -- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure - -- nss: Use 'CURLcode result' for curl result codes +- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters + + RFC 6265 section 4.1.1 spells out that the first name/value pair in the + header is the actual cookie name and content, while the following are + the parameters. + + libcurl previously had a more liberal approach which causes significant + problems when introducing new cookie parameters, like the suggested new + cookie priority draft. - ...and don't use CURLE_OK in failure/success comparisons. + The previous logic read all n/v pairs from left-to-right and the first + name used that wassn't a known parameter name would be used as the + cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be + a cookie named 'person' while an RFC 6265 compliant parser should + consider that to be a cookie named 'Max-Age' with an (unknown) parameter + 'person'. + + Fixes #709 -- getinfo: Code style policing +- krb5: improved type handling to avoid clang compiler warnings -- getinfo: Use 'CURLcode result' for curl result codes +- url.c: fix clang warning: no newline at end of file -- darwinssl: Use 'CURLcode result' for curl result codes +- curl_multi_wait: never return -1 in 'numfds' + + Such a return value isn't documented but could still happen, and the + curl tool code checks for it. It would happen when the underlying + Curl_poll() function returns an error. Starting now we mask that error + as a user of curl_multi_wait() would have no way to handle it anyway. + + Reported-by: Jay Satiro + Closes #707 -- polarssl: Use 'CURLcode result' for curl result codes +- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link -- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries - - As this feature has been implemented for 7.40.0. +- curl_multi_wait.3: add example -- asiohiper.cpp: No need to initialise members of ConnInfo +Steve Holme (8 Mar 2016) +- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused - ...as calloc() automatically clears the area of memory with zeros. - -- asiohiper.cpp: Updated for curl coding standards + Regression since commit 710f14edba. - ...with the exception of the start of block statement curly brackets. + Bug: https://github.com/curl/curl/issues/422 + Reported-by: Justin Ehlert -- code/docs: Use correct case for IPv4 and IPv6 +Jay Satiro (8 Mar 2016) +- opt-docs: fix heading macros - For consistency, as we seem to have a bit of a mixed bag, changed all - instances of ipv4 and ipv6 in comments and documentations to use the - correct case. - -- runtests: Fixed detection of Unix Sockets feature + ..SH should be .SH - ...following change in curl --version output. + Bug: https://github.com/curl/curl/issues/705 + Reported-by: Eric S. Raymond + +Kamil Dudka (8 Mar 2016) +- [Tim Rühsen brought this change] -- code/docs: Use Unix rather than UNIX to avoid use of the trademark + cookie: do not refuse cookies for localhost - Use Unix when generically writing about Unix based systems as UNIX is - the trademark and should only be used in a particular product's name. + Closes #658 -- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported +Daniel Stenberg (8 Mar 2016) +- ftp_done: clear tunnel_state when secondary socket closes - if2ip.c:119: warning: unused parameter 'remote_scope_id' + Introducing a function for closing the secondary connection to make this + bug less likely to happen again. - ...and some minor code style policing in the same function. + Reported-by: daboul + Closes #701 -- vtls: Don't set cert info count until memory allocation is successful - - Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs - member variable to the requested count, which could then be used - incorrectly as libcurl closes down. +- [Gisle Vanem brought this change] + + openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages + +- HTTP2.md: HTTP/2 by default for curl's HTTPS connections -- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type +- [Anders Bakken brought this change] + + pipeline: Sanity check pipeline pointer before accessing it. - The return type for this function was 0 on success and 1 on error. This - was then examined by the calling functions and, in most cases, used to - return CURLE_OUT_OF_MEMORY. + I got a crash with this stack: - Instead use CURLcode for the return type and return the out of memory - error directly, propagating it up the call stack. - -- configure: Use camel case for UNIX sockets feature output + curl/lib/url.c:2873 (Curl_removeHandleFromPipeline) + curl/lib/url.c:2919 (Curl_getoff_all_pipelines) + curl/lib/multi.c:561 (curl_multi_remove_handle) + curl/lib/url.c:415 (Curl_close) + curl/lib/easy.c:859 (curl_easy_cleanup) - To match the curl --version output. + Closes #704 -Marc Hoersken (26 Dec 2014) -- sockfilt.c: Reduce the number of individual memory allocations +- HTTP2.md: mention the disable ALPN and NPN options + +- TODO: 17.12 keep running, read instructions from pipe/socket - Merge multiple internal arrays into one, even if some variables - will not not be used. They are all created with the number of - file descriptors as their size. + And delete trailing whitespace + And rename section 17 to "command line tool" from "client" - Also fix possible thread handle leak in CloseHandle-loop. + Closes #702 -- sockfilt.c: Replace 100ms sleep with thread throttle - - Improves performance of test cases 574 and 575 by 50%. +- README.md: linkified - A value of zero causes the thread to relinquish the remainder - of its time slice to any other thread of equal priority that is - ready to run. If there are no other threads of equal priority - ready to run, the function returns immediately, and the thread - continues execution. + It also makes it less readable as plain text, so let's keep this + primarily for github use. - http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx + Removed the top ascii art logo, as it looks weird when markdownified. -Steve Holme (25 Dec 2014) -- tool_help: Use camel case for UNIX sockets feature output +- README.md: markdown version of README - In line with the other features listed in the --version output, - capitalise the UNIX socket feature. + Attempt to make it look more appealing on github -- vtls: Use bool for Curl_ssl_getsessionid() return type - - The return type of this function is a boolean value, and even uses a - bool internally, so use bool in the function declaration as well as - the variables that store the return value, to avoid any confusion. +Jay Satiro (6 Mar 2016) +- mprintf: update trio project link -- schannel: Minor code style policing for casts +Daniel Stenberg (6 Mar 2016) +- CURLOPT_ACCEPTTIMEOUT_MS.3: added example -- schannel: Prefer 'CURLcode result' for curl result codes +- CURLOPT_ACCEPT_ENCODING.3: added example -- cyassl: Prefer 'CURLcode result' for curl result codes +- CURLOPT_APPEND.3: added example -- tool_xattr: Use 'CURLcode result' for curl result codes +- CURLOPT_NOPROGRESS.3: added example, conform to stardard style -- curl_ntlm_core.c: Fixed compilation warnings +Steve Holme (6 Mar 2016) +- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path - curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of - 'CryptImportKey' differ in signedness - curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from - incompatible pointer type - curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam' - from incompatible pointer type + Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order + in which Perl was added to the PATH. -- RELEASE-NOTES: Synced with 8830df8b66 +Daniel Stenberg (6 Mar 2016) +- opts: added two examples -- gtls: Use preferred 'CURLcode result' +- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example -- openldap: Use standard naming for setup connection function +- CURLOPT_SSL_CTX_FUNCTION.3: added example - Renamed ldap_setup() to ldap_setup_connection() to follow more widely - used function naming. + and removed erroneous reference to test case lib509 -- rtmp: Use standard naming for setup connection function - - Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely - used function naming. +- curlx.c: use more curl style code -- smb: Use standard naming for setup connection function +- test46: change cookie expiry date + + Since two of the cookies would now otherwise expire and cause the test + to fail after commit 20de9b4f09 - Renamed smb_setup() to smb_setup_connection() to follow more widely - used function naming. + Discussed in #697 -- config-win32.h: Fixed line length > 79 columns +Jay Satiro (5 Mar 2016) +- [Viktor Szakats brought this change] -- openssl: Prefer we don't use NULL in comparisons + makefile.m32: add missing libs for static -winssl-ssh2 builds + + Bug: https://github.com/curl/curl/pull/693 -- build: Removed WIN32 definition from the Visual Studio projects +- mbedtls: fix user-specified SSL protocol version - As this pre-processor definition is defined in curl_setup.h there is no - need to include it in the Visual Studio project files. + Prior to this change when a single protocol CURL_SSLVERSION_ was + specified by the user that version was set only as the minimum version + but not as the maximum version as well. + +Steve Holme (5 Mar 2016) +- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14 + +- build-openssl.bat: Fixed cannot find perl if installed but not in path + +- checksrc.bat: Fixed cannot find perl if installed but not in path -- build: Removed WIN64 definition from the libcurl Visual Studio projects +Jay Satiro (5 Mar 2016) +- [Viktor Szakats brought this change] + + makefile.m32: fix to allow -ssh2-winssl combination - Removed the WIN64 pre-processor definition from the libcurl project - files as: + In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl + (OpenSSL) option, with no way to override it with -winssl. Since both + libssh2 and curl support using Windows's built-in SSL backend, modify + the logic to allow that combination. + +- cookie: Don't expire session cookies in remove_expired - * WIN64 is not used in our source code - * The curl projects files don't define it - * It isn't required by or used in the platform SDK - * For backwards compatability curl_setup.h defines WIN32 - * The compiler automatically defines _WIN64 for x64 builds + Prior to this change cookies with an expiry date that failed parsing + and were converted to session cookies could be purged in remove_expired. - Historically Visual Studio projects have defined WIN32, in addition to - the compiler defined _WIN32 definition, and I had incorrectly changed - that to WIN64 for the x64 libcurl builds but not in the curl projects. + Bug: https://github.com/curl/curl/issues/697 + Reported-by: Seth Mos + +Daniel Stenberg (3 Mar 2016) +- cookie: remove redundant check - As such, it is questionable whether this should be defined or not. For - more information see the following cache of a discussion that took - place on the microsoft.public.vc.mfc newsgroup: + ... as it was already checked previously within the function. - http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html + Reported-by: Dmitry-Me + Closes #695 + +Jay Satiro (1 Mar 2016) +- [Anders Bakken brought this change] -- openssl.c Fix for compilation errors with older versions of OpenSSL + url: if Curl_done is premature then pipeline not in use - openssl.c:1408: error: 'TLS1_1_VERSION' undeclared - openssl.c:1411: error: 'TLS1_2_VERSION' undeclared + Prevent a crash if 2 (or more) requests are made to the same host and + pipelining is enabled and the connection does not complete. + + Bug: https://github.com/curl/curl/pull/690 -Daniel Stenberg (22 Dec 2014) -- [John Malmberg brought this change] +- [Viktor Szakats brought this change] - Fix comment edit in vms/backup_gnv_curl_src.com + makefile.m32: allow to pass .dll/.exe-specific LDFLAGS + + using envvars `CURL_LDFLAG_EXTRAS_DLL` and + `CURL_LDFLAG_EXTRAS_EXE` respectively. This + is useful f.e. to pass ASLR-related extra + options, that are required to make this + feature work when using the mingw toolchain. + + Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985 - packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port. + Closes https://github.com/curl/curl/pull/689 -- curl: show size of inhibited data when using -v +Daniel Stenberg (29 Feb 2016) +- formpost: fix memory leaks in AddFormData error branches - To offer some more info and yet it doesn't use more lines. + Reported-by: Dmitry-Me + Fixes #688 -- openssl: fix SSL/TLS versions in verbose output +Jay Satiro (28 Feb 2016) +- getinfo: Fix syntax error when mbedTLS + + The assignment of the mbedTLS TLS session info in the parent commit was + incorrect. Change the assignment to a pointer to the session structure. -- openssl: make it compile against openssl 1.1.0-DEV master branch +- getinfo: Add support for mbedTLS TLS session info + + .. and preprocessor check TLS session info is defined for all backends. -Marc Hoersken (22 Dec 2014) -- sshserver.pl: clarify and streamline variable names +Daniel Stenberg (26 Feb 2016) +- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on -Daniel Stenberg (21 Dec 2014) -- openssl: warn for SRP set if SSLv3 is used, not for TLS version +- file: try reading from files with no size + + Some systems have special files that report as 0 bytes big, but still + contain data that can be read (for example /proc/cpuinfo on + Linux). Starting now, a zero byte size is considered "unknown" size and + will be read as far as possible anyway. - ... as it requires TLS and it was was left to warn on the default from - when default was SSL... + Reported-by: Jesse Tan + + Closes #681 + +Jay Satiro (25 Feb 2016) +- configure: warn on invalid ca bundle or path + + - Warn if --with-ca-bundle file does not exist. + + - Warn if --with-ca-path directory does not contain certificates. + + - Improve help messages for both. + + Example configure output: + + ca cert bundle: /some/file (warning: certs not found) + ca cert path: /some/dir (warning: certs not found) + + Bug: https://github.com/curl/curl/issues/404 + Reported-by: Jeffrey Walton -- smb: use memcpy() instead of strncpy() +Daniel Stenberg (24 Feb 2016) +- Curl_read: check for activated HTTP/1 pipelining, not only requested - ... as it never copies the trailing zero anyway and always just the four - bytes so let's not mislead anyone into thinking it is actually treated - as a string. + ... as when pipelining is used, we read things into a unified buffer and + we don't do that with HTTP/2. This could then easily make programs that + set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data + intermixed or plain broken between HTTP/2 streams. - Coverity CID: 1260214 + Reported-by: Anders Bakken -- [John E. Malmberg brought this change] +Patrick Monnerat (24 Feb 2016) +- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS - VMS: Updates for 0740-0D1220 +Jay Satiro (23 Feb 2016) +- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION - lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help. - More defines to set symbols to uppercase. + The two options are almost the same, except in the case of OpenSSL: - src/tool_main.c : Fix parameter to vms_special_exit() call. + CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *. - packages/vms/ : - backup_gnv_curl_src.com : Fix the error message to have the correct package. + CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *. - build_curl-config_script.com : Rewrite to be more accurate. + For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to + return an SSL pointer for OpenSSL. - build_libcurl_pc.com : Use tool_version.h now. + Also, add support for the 'internals' member to point to SSL object for + the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and + wolfSSL. - build_vms.com : Fix to handle lib/vtls directory. + Bug: https://github.com/curl/curl/issues/234 + Reported-by: dkjjr89@users.noreply.github.com - curl_gnv_build_steps.txt : Updated build procedure documentation. + Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html + Reported-by: Michael König + +Daniel Stenberg (23 Feb 2016) +- multi_remove_handle: keep the timeout list until after disconnect + + The internal Curl_done() function uses Curl_expire() at times and that + uses the timeout list. Better clean up the list once we're done using + it. This caused a segfault. + + Reported-by: 蔡文凱 + Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html + +Kamil Dudka (23 Feb 2016) +- tests/sshserver.pl: use RSA instead of DSA for host auth - generate_config_vms_h_curl.com : - * VAX does not support 64 bit ints, so no NTLM support for now. - * VAX HP SSL port is ancient, needs some help. - * Disable NGHTTP2 for now, not ported to VMS. - * Disable UNIX_SOCKETS, not available on VMS yet. - * HP GSSAPI port does not have gss_nt_service_name. + DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP + test cases to be skipped. Using RSA for host authentication works with + both old and new versions of OpenSSH. - gnv_link_curl.com : Update for new curl structure. + Reported-by: Karlson2k - pcsi_product_gnv_curl.com : Set up to optionally do a complete build. + Closes #676 -Marc Hoersken (21 Dec 2014) -- sockfilt.c: use non-Ex functions that are available before WinXP +Jay Satiro (23 Feb 2016) +- TFTP: add option to suppress TFTP option requests (Part 2) + + - Add tests. + + - Add an example to CURLOPT_TFTP_NO_OPTIONS.3. + + - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS. - It was initially reported by Guenter that GetFileSizeEx - requires (_WIN32_WINNT >= 0x0500) to be true. + Bug: https://github.com/curl/curl/issues/481 -- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files +- [Michael Koenig brought this change] + + TFTP: add option to suppress TFTP option requests (Part 1) - Second patch to enable Windows support using Cygwin-based OpenSSH. + Some TFTP server implementations ignore the "TFTP Option extension" + (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing + problems with libcurl. Another switch for curl_easy_setopt + "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from + sending TFTP option requests to a server, avoiding many problems caused + by faulty implementations. - Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7. + Bug: https://github.com/curl/curl/issues/481 + +Daniel Stenberg (22 Feb 2016) +- [Karlson2k brought this change] -- tests: support spaces in paths to SSH, SSHD and SFTP binaries + runtests: Fixed usage of %PWD on MinGW64 - First patch to enable Windows support using Cygwin-based OpenSSH. + Closes #672 + +Jay Satiro (20 Feb 2016) +- CURLOPT_DEBUGFUNCTION.3: Fix example + +- [Viktor Szakats brought this change] -Steve Holme (20 Dec 2014) -- non-ascii: Reduce variable usage + src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support - Removed 'next' variable in Curl_convert_form(). Rather than setting it - from 'form->next' and using that to set 'form' after the conversion - just use 'form = form->next' instead. + Sync with lib/Makefile.m32 which already uses those variables. + + Bug: https://github.com/curl/curl/pull/670 + +Dan Fandrich (20 Feb 2016) +- Enabled test 1437 after the bug fix in commit 3fa220a6 + +Jay Satiro (19 Feb 2016) +- [Emil Lerner brought this change] -- non-ascii: Prefer while loop rather than a do loop + curl_sasl: Fix memory leak in digest parser - This also removes the need to check that the 'form' argument is valid. + If any parameter in a HTTP DIGEST challenge message is present multiple + times, memory allocated for all but the last entry should be freed. + + Bug: https://github.com/curl/curl/pull/667 -- non-ascii: Reduce variable scope +Dan Fandrich (19 Feb 2016) +- Added test 1437 to verify a memory leak - As 'result' isn't used out side the conversion callback code and - previously caused variable shadowing in the libiconv based code. + Reported-by: neex@users.noreply.github.com -- non-ascii: We prefer 'CURLcode result' +Jay Satiro (18 Feb 2016) +- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style - This also fixes a variable shadowing issue when HAVE_ICONV is defined - as rc was declared for the result code of libiconv based functions. + Bug: https://github.com/curl/curl/issues/666 + Reported-by: baumanj@users.noreply.github.com -Marc Hoersken (19 Dec 2014) -- secureserver.pl: clean up formatting of config and fix verbose output +- curl.1: HTTP headers for --cookie must be Set-Cookie style - Verbose output was not matching the actual configuration file, - because FIPS and Windows conditions were ignored. + Bug: https://github.com/curl/curl/issues/666 + Reported-by: baumanj@users.noreply.github.com + +Daniel Stenberg (18 Feb 2016) +- curl.1: add a missing dash -- secureserver.pl: update Windows detection and fix path conversion +- CONTRIBUTING.md: fix links -- secureserver.pl: make OpenSSL CApath and cert absolute path values +- ISSUE_TEMPLATE: github issue template - Recent stunnel versions (5.08) seem to have trouble with relative - paths on Windows. This turns the relative paths into absolute ones. + First version, try this out! -Patrick Monnerat (18 Dec 2014) -- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code. +- CONTRIBUTING.md: move into .github + + To hide github specific files somewhat from the rest. -- [Kyle J. McKay brought this change] +- opts: add references - parseurlandfillconn(): fix improper non-numeric scope_id stripping. - Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/ +- examples/make: add 'checksrc' target -- IPV6: address scope != scope id - There was a confusion between these: this commit tries to disambiguate them. - - Scope can be computed from the address itself. - - Scope id is scope dependent: it is currently defined as 1-based local - interface index for link-local scoped addresses, and as a site index(?) for - (obsolete) site-local addresses. Linux only supports it for link-local - addresses. - The URL parser properly parses a scope id as an interface index, but stores it - in a field named "scope": confusion. The field has been renamed into "scope_id". - Curl_if2ip() used the scope id as it was a scope. This caused failures - to bind to an interface. - Scope is now computed from the addresses and Curl_if2ip() matches them. - If redundantly specified in the URL, scope id is check for mismatch with - the interface index. - - This commit should fix SF bug #1451. +- 10-at-a-time: typecast the argument passed to sleep() -- connect: singleipconnect(): properly try other address families after failure +- externalsocket.c: fix compiler warning for fwrite return type -Daniel Stenberg (16 Dec 2014) -- SFTP: work-around servers that return zero size on STAT +- anyauthput.c: fix compiler warnings + +- simplessl.c: warning: while with space + +- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function - Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html - Pathed-by: Marc Renault + Reported-By: Gisle Vanem -- glob_next_url: make the loop count upwards +- http2: don't decompress gzip decoding automatically + + At one point during the development of HTTP/2, the commit 133cdd29ea0 + introduced automatic decompression of Content-Encoding as that was what + the spec said then. Now however, HTTP/2 should work the same way as + HTTP/1 in this regard. - As the former contruct apparently caused a compiler warning, mentioned - in d8efde07e556c. + Reported-by: Kazuho Oku + + Closes #661 -- tool_operate: we prefer 'CURLcode result' +Jay Satiro (16 Feb 2016) +- [Tatsuhiro Tsujikawa brought this change] -- tool_urlglob: unify return codes to use CURLcode + http: Don't break the header into chunks if HTTP/2 - There was a mix of GlobCode, CURLcode and ints and they were mostly - passing around CURLcode errors. This change makes the functions use only - CURLcode and removes the GlobCode type completely. - -- tool_urlglob.c: partly reverse dc19789444 + nghttp2 callback deals with TLS layer and therefore the header does not + need to be broken into chunks. - The loop in glob_next_url() needs to be done backwards to maintain the - logic. dc19789444 caused test 1235 to fail. + Bug: https://github.com/curl/curl/issues/659 + Reported-by: Kazuho Oku -- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME +Daniel Stenberg (16 Feb 2016) +- [Viktor Szakats brought this change] -- [Jay Satiro brought this change] + openssl: use macro to guard the opaque EVP_PKEY branch - opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS +- [Viktor Szakats brought this change] + + openssl: avoid direct PKEY access with OpenSSL 1.1.0 - Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and - CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one - that will be used. + by using API instead of accessing an internal structure. + This is required starting OpenSSL 1.1.0-pre3. - Prior to this change that behavior was only noted in the - CURLOPT_TIMEOUT_MS doc. + Closes #650 -Nick Zitzmann (15 Dec 2014) -- darwinssl: fix incorrect usage of aprintf() - - Commit b13923f changed an snprintf() to use aprintf(), but the API usage - wasn't correct, and was causing a crash to occur. This fixes it. +- RELEASE-NOTES: synced with ede0bfc079da -Steve Holme (14 Dec 2014) -- copyright: Updated the copyright year following recent updates +- [Clint Clayton brought this change] -Daniel Stenberg (14 Dec 2014) -- tool_urlglob.c: reverse two loops + CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option - By counting from 0 and up instead of backwards like before, we remove - the need for the "funny" check of the unsigned variable when decreased - passed zero. Easier to read and less risk for compiler warnings. + Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use + CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT. + + Closes #653 -Marc Hoersken (14 Dec 2014) -- tool_urlglob.c: Added braces to clarify the conditions +- opt-docs: add more references -- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop - - The >= 0 is actually not required, since i underflows and - the for-loop is stopped using the < condition, but this - makes the VS2012 compiler and code analysis happy. +- [David Byron brought this change] -- tool_binmode.c: Explicitly ignore the return code of setmode + SCP: use libssh2_scp_recv2 to support > 2GB files on windows - Fixes code analysis warning C6031: - return value ignored: <function> could return unexpected value - -- lib: Fixed multiple code analysis warnings if SAL are available + libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any + day now. - warning C28252: Inconsistent annotation for function: - parameter has another annotation on this instance + Closes #451 + +Jay Satiro (13 Feb 2016) +- [Shine Fan brought this change] -Steve Holme (14 Dec 2014) -- smb.c: Fixed code analysis warning + gtls: fix for builds lacking encrypted key file support - smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted, - then cast to 64-bit value. Result may not be an expected - value + Bug: https://github.com/curl/curl/pull/651 -Marc Hoersken (14 Dec 2014) -- tool_util.c: Use GetTickCount64 if it is available +Dan Fandrich (13 Feb 2016) +- test1604: Add to Makefile.inc so it gets run -Steve Holme (14 Dec 2014) -- smb: Use HAVE_PROCESS_H for process.h inclusion +Jay Satiro (12 Feb 2016) +- generate.bat: Fix comment bug by removing old comments - Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H - pre-processor define when including process.h. - -Daniel Stenberg (14 Dec 2014) -- darwinssl: aprintf() to allocate the session key + Remove NOTES section, it's no longer needed since we aren't setting the + errorlevel and more importantly the recently updated URL in the comments + is causing some unusual behavior that breaks the script. - ... to avoid using a fixed memory size that risks being too large or too - small. + Closes https://github.com/curl/curl/issues/649 -Marc Hoersken (14 Dec 2014) -- curl_schannel: Improvements to memory re-allocation strategy +Kamil Dudka (12 Feb 2016) +- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts - - do not grow memory by doubling its size - - do not leak previously allocated memory if reallocation fails - - replace while-loop with a single check to make sure - that the requested amount of data fits into the buffer + The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man + pages since curl-7_12_3~131. This patch makes it clear in the curl.1 + man page, too. - Bug: http://curl.haxx.se/bug/view.cgi?id=1450 - Reported-by: Warren Menzer + Bug: https://bugzilla.redhat.com/1305970 -Steve Holme (14 Dec 2014) -- asyn-ares: We prefer use of 'CURLcode result' +Daniel Stenberg (12 Feb 2016) +- dist: ship buildconf.bat too + + As the winbuild/* stuff uses it! -Marc Hoersken (14 Dec 2014) -- curl_schannel.c: Data may be available before connection shutdown +- curlx_tvdiff: handle 32bit time_t overflows + + On 32bit systems, make sure we don't overflow and return funky values + for very large time differences. + + Reported-by: Anders Bakken + + Closes #646 -Steve Holme (14 Dec 2014) -- http2: Use 'CURLcode result' for curl result codes +- examples: fix some compiler warnings -- asyn-thread: We prefer 'CURLcode result' +- simplessl.c: fix my breakage -- smb: Fixed unnecessary initialisation of struct member variables +- examples: adhere to curl code style - There is no need to set the 'state' and 'result' member variables to - SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc() - as calloc() initialises the contents to zero. + All plain C examples now (mostly) adhere to the curl code style. While + they are only examples, they had diverted so much and contained all + sorts of different mixed code styles by now. Having them use a unified + style helps users and readability. Also, as they get copy-and-pasted + widely by users, making sure they're clean and nice is a good idea. + + 573 checksrc warnings were addressed. -- ntlm: Fixed return code for bad type-2 Target Info +- examples/cookie_interface.c: add cleanup call + + cleaning up handles is a good idea as we leak memory otherwise - Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security - buffers just like we do for bad decodes. + Also, line wrapped before 80 columns. -- ntlm: Remove unnecessary casts in readshort_le() +Kamil Dudka (10 Feb 2016) +- nss: search slash in forward direction in dup_nickname() - I don't think both of my fix ups from yesterday were needed to fix the - compilation warning, so remove the one that I think is unnecessary and - let the next Android autobuild prove/disprove it. + It is wasteful to search it backwards if we look for _any_ slash. -- curl_ntlm_msgs.c: Another attempt to fix compilation warning +- nss: do not count enabled cipher-suites - curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from - 'int' may alter its value + We only care if at least one cipher-suite is enabled, so it does + not make any sense to iterate till the end and count all enabled + cipher-suites. -Guenter Knauf (13 Dec 2014) -- synctime.c: added own user-agent string. +Daniel Stenberg (10 Feb 2016) +- contributors.sh: make 79 the max column width (from 80) -Steve Holme (13 Dec 2014) -- smb.c: Fixed line longer than 79 columns +- RELEASE-NOTES: synced with c276aefee3995 -- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11 - - curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from - 'int' may alter its value +- mbedtls.c: re-indent to better match curl standards -Guenter Knauf (13 Dec 2014) -- mk-ca-bundle.pl: restored forced run again. +- [Rafael Antonio brought this change] -- synctime.c: removed another timeserver URL. + mbedtls: fix memory leak when destroying SSL connection data - worldtimeserver.com seems also no longer available. + Closes #626 -- synctime.c: fixed timeserver URLs. +- mbedtls: fix ALPN usage segfault - For getting the date header its not necessary to access special - pages or even CGI scripts - all pages including the main index - reply with the date header, therefore shortened URLs to domain. - Removed worldtime.com; added pool.ntp.org. - -Steve Holme (13 Dec 2014) -- ftp.c: Fixed compilation warning when no verbose string support + Since we didn't keep the input argument around after having called + mbedtls, it could end up accessing the wrong memory when figuring out + the ALPN protocols. - ftp.c:819: warning: unused parameter 'lineno' + Closes #642 -- smb: Added state change functions to assist with debugging - - For debugging purposes, and as per other protocols within curl, added - state change functions rather than changing the states directly. +Jay Satiro (9 Feb 2016) +- [Timotej Lazar brought this change] -- ntlm: Use short integer when decoding 16-bit values + opts: update references to renamed options -- RELEASE-NOTES: Synced with 6291a16b20 +- KNOWN_BUGS: Update #92 - Windows device prefix -- smtp.c: Fixed compilation warnings - - smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string - does not append to the string - smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string - does not append to the string - smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string - does not append to the string +- tool_doswin: Support for literal path prefix \\?\ - Used array index notation instead. + For example something like --output \\?\C:\foo -- smb: Disable SMB when 64-bit integers are not supported - - This fixes compilation issues with compilers that don't support 64-bit - integers through long long or __int64. +Daniel Stenberg (9 Feb 2016) +- configure: state "BoringSSL" in summary when that was detected -- ntlm: Disable NTLM v2 when 64-bit integers are not supported - - This fixes compilation issues with compilers that don't support 64-bit - integers through long long or __int64 which was introduced in commit - 07b66cbfa4. +- [David Benjamin brought this change] -- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined + openssl: remove most BoringSSL #ifdefs. - Previously USE_NTLM2SESSION would only be defined automatically when - USE_NTRESPONSES wasn't already defined. Separated the two definitions - so that the user can manually set USE_NTRESPONSES themselves but - USE_NTLM2SESSION is defined automatically if they don't define it. - -- smtp.c: Fixed line longer than 79 columns - -- config-win32.h: Don't enable Windows Crypt API if using OpenSSL + As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of + BoringSSL #ifdefs in cURL should be unnecessary: - As the OpenSSL and NSS Crypto engines are prefered by the core NTLM - routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT - automatically when either OpenSSL or NSS are in use - doing so would - disable NTLM2Session responses in NTLM type-3 messages. - -- smtp: Fixed inappropriate free of the scratch buffer + - BoringSSL provides no-op stubs for compatibility which replaces most + #ifdefs. - If the scratch buffer was allocated in a previous call to - Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent - call and no action taken by that call, then an attempt would be made to - try and free the buffer which, by now, would be part of the data->state - structure. + - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove + the compatibility codepath. - This bug was introduced in commit 4bd860a001. - -- smtp: Fixed dot stuffing when EOL characters were at end of input buffers + - With a small tweak to an extend_key_56_to_64 call, the NTLM code + builds fine. - Fixed a problem with the CRLF. detection when multiple buffers were - used to upload an email to libcurl and the line ending character(s) - appeared at the end of each buffer. This meant any lines which started - with . would not be escaped into .. and could be interpreted as the end - of transmission string instead. + - Switch OCSP-related #ifdefs to the more generally useful + OPENSSL_NO_OCSP. - This only affected libcurl based applications that used a read function - and wasn't reproducible with the curl command-line tool. + The only #ifdefs which remain are Curl_ossl_version and the #undefs to + work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves + that to the consumer. The in-header workaround makes things sensitive to + include order.) - Bug: http://curl.haxx.se/bug/view.cgi?id=1456 - Assisted-by: Patrick Monnerat + This change errs on the side of removing conditionals despite many of + the restored codepaths being no-ops. (BoringSSL generally adds no-op + compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are + bad enough!) + + Closes #640 -Daniel Stenberg (11 Dec 2014) -- telnet: fix "cast increases required alignment of target type" +Jay Satiro (8 Feb 2016) +- KNOWN_BUGS: Windows device prefix is required for devices -- ntlm_wb_response: fix "statement not reached" +- tool_urlglob: Allow reserved dos device names (Windows) - ... and I could use a break instead of a goto to end the loop. + Allow --output to reserved dos device names without the device prefix + for backwards compatibility. - Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html - Reported-by: Tor Arntsen - -Steve Holme (10 Dec 2014) -- RELEASE-NOTES: Synced with 1cc5194337 + Example: --output NUL can be used instead of --output \\.\NUL - Added some bug fixes that I had missed in previous synchronisations. + Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863 + Reported-by: Gisle Vanem -Daniel Stenberg (10 Dec 2014) -- Curl_unix2addr: avoid using the variable name 'sun' +Daniel Stenberg (8 Feb 2016) +- cookies: allow spaces in cookie names, cut of trailing spaces - I suspect this causes compile failures on Solaris: + It turns out Firefox and Chrome both allow spaces in cookie names and + there are sites out there using that. - Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html - -Steve Holme (10 Dec 2014) -- url.c: Fixed compilation warning when USE_NTLM is not defined - - url.c:3078: warning: variable 'credentialsMatch' set but not used - -- parsedate.c: Fixed compilation warning + Turned out the code meant to strip off trailing space from cookie names + didn't work. Fixed now. - parsedate.c:548: warning: 'parsed' may be used uninitialized in this - function + Test case 8 modified to verify both these changes. - As curl_getdate() returns -1 when parsedate() fails we can initialise - parsed to -1. + Closes #639 -Daniel Stenberg (10 Dec 2014) -- TODO: Cache negative name resolves - - Worth exploring +Patrick Monnerat (8 Feb 2016) +- Merge branch 'master' of github.com:curl/curl -- ldap: check Curl_client_write() return codes - - There might be one or two memory leaks left in the error paths. +- os400: sync ILE/RPG definitions with latest public header files. -- ldap: rename variables to comply to curl standards +Daniel Stenberg (8 Feb 2016) +- [Ludwig Nussel brought this change] -Dan Fandrich (10 Dec 2014) -- sws.c: Fixed 'rc' may be used uninitialized warning + SSLCERTS: update wrt SSL CA certificate store -- cookies: Improved OOM handling in cookies - - This fixes the test 506 torture test. The internal cookie API really - ought to be improved to separate cookie parsing errors (which may be - ignored) with OOM errors (which should be fatal). +- [Ludwig Nussel brought this change] -Guenter Knauf (9 Dec 2014) -- synctime.c: fixed user-agent setting. + configure: --with-ca-fallback: use built-in TLS CA fallback - Some websites meanwhile refuse to reply to requests from ancient - browsers like IE6, therefore I've comment out this setting, but - also fixed the string to now fake IE8 if someone enables it. + When trying to verify a peer without having any root CA certificates + set, this makes libcurl use the TLS library's built in default as + fallback. + + Closes #569 -Daniel Stenberg (9 Dec 2014) -- smb: fix unused return code warning +- Proxy-Connection: stop sending this header by default + + RFC 7230 says we should stop. Firefox already stopped. + + Bug: https://github.com/curl/curl/issues/633 + Reported-By: Brad Fitzpatrick + + Closes #633 -Patrick Monnerat (9 Dec 2014) -- Curl_client_write() & al.: chop long data, convert data only once. +- bump: work toward the next release -Guenter Knauf (9 Dec 2014) -- VC build: added sspi define for winssl-zlib builds. +- THANKS: 2 contributors from the 7.47.1 release -Daniel Stenberg (9 Dec 2014) -- schannel_recv: return the correct code +- RELEASE-PROCEDURE: remove the github upload part - Bug: http://curl.haxx.se/bug/view.cgi?id=1462 - Reported-by: Tae Hyoung Ahn + ... as we're HTTPS on the main site now, there's no point in that + extra step -- http2: avoid logging neg "failure" if h2 was not requested +Version 7.47.1 (8 Feb 2016) -- openldap: do not ignore Curl_client_write() return codes +Daniel Stenberg (8 Feb 2016) +- RELEASE-NOTES: curl 7.47.1 time! -- compile: warn on unused return code from Curl_client_write() +Jay Satiro (8 Feb 2016) +- tool_operhlp: Check for backslashes in get_url_file_name + + Extract the filename from the last slash or backslash. Prior to this + change backslashes could be part of the filename. + + This change needed for the curl tool built for Cygwin. Refer to the + CYGWIN addendum in advisory 20160127B. + + Bug: https://curl.haxx.se/docs/adv_20160127B.html -Patrick Monnerat (8 Dec 2014) -- SMB: Fix a data size mismatch that broke SMB on big-endian platforms +Daniel Stenberg (7 Feb 2016) +- RELEASE-NOTES: synced with d6a8869ea34 -Steve Holme (7 Dec 2014) -- smb: Fixed Windows autoconf builds following commit eb88d778e7 +Jay Satiro (6 Feb 2016) +- openssl: Fix signed/unsigned mismatch warning in X509V3_ext - As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO - either explicitly through --enable-win32-cypto or automatically on - _WIN32 based platforms, subsequent builds broke with the following - error message: + sk_X509_EXTENSION_num may return an unsigned integer, however the value + will fit in an int. - "Can't compile NTLM support without a crypto library." + Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896 + Reported-by: Gisle Vanem -- RELEASE-NOTES: Synced with 526603ff05 +Daniel Stenberg (7 Feb 2016) +- TODO: 17.11 -w output to stderr -- [Bill Nagel brought this change] +Jay Satiro (6 Feb 2016) +- [Michael Kaufmann brought this change] - smb: Build with SSPI enabled + idn_win32: Better error checking + + .. also fix a conversion bug in the unused function + curl_win32_ascii_to_idn(). - Build SMB/CIFS protocol support when SSPI is enabled. + And remove wprintfs on error (Jay). + + Bug: https://github.com/curl/curl/pull/637 -- [Bill Nagel brought this change] +- [Gisle Vanem brought this change] - ntlm: Use Windows Crypt API + examples/asiohiper: Avoid function name collision on Windows - Allow the use of the Windows Crypt API for NTLMv1 functions. - -Dan Fandrich (7 Dec 2014) -- cookie.c: Refactored cleanup code to simplify + closesocket => close_socket + Winsock already has the former. - Also, fixed the outdated comments on the cookie API. + Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html -- get_url_file_name: Fixed crash on OOM on debug build - - This caused a null-pointer dereference which caused a few dozen - torture tests to fail. +- [Gisle Vanem brought this change] -Steve Holme (6 Dec 2014) -- sws.c: Fixed compilation warning + examples/htmltitle: Use _stricmp on Windows - sws.c:2191 warning: 'rc' may be used uninitialized in this function + Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html -- ftp.c: Fixed compilation warnings when proxy support disabled +Daniel Stenberg (6 Feb 2016) +- COPYING: clarify that Daniel is not the sole author - ftp.c:1827 warning: unused parameter 'newhost' - ftp.c:1827 warning: unused parameter 'newport' + ... done on request and as it is a fair point. + +Jay Satiro (5 Feb 2016) +- unit1604: Fix unit setup return code + +- tool_doswin: Use type SANITIZEcode in sanitize_file_name -- smb: Fixed a problem with large file transfers +- tool_doswin: Improve sanitization processing - Fixed an issue with the message size calculation where the raw bytes - from the buffer were interpreted as signed values rather than unsigned - values. + - Add unit test 1604 to test the sanitize_file_name function. - Reported-by: Gisle Vanem - Assisted-by: Bill Nagel + - Use -DCURL_STATICLIB when building libcurltool for unit testing. + + - Better detection of reserved DOS device names. + + - New flags to modify sanitize behavior: + + SANITIZE_ALLOW_COLONS: Allow colons + SANITIZE_ALLOW_PATH: Allow path separators and colons + SANITIZE_ALLOW_RESERVED: Allow reserved device names + SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename + + - Restore sanitization of banned characters from user-specified outfile. + + Prior to this commit sanitization of a user-specified outfile was + temporarily disabled in 2b6dadc because there was no way to allow path + separators and colons through while replacing other banned characters. + Now in such a case we call the sanitize function with + SANITIZE_ALLOW_PATH which allows path separators and colons to pass + through. + + + Closes https://github.com/curl/curl/issues/624 + Reported-by: Octavio Schroeder -- smb: Moved the URL decoding into a separate function +- [Viktor Szakats brought this change] -- smb: Fixed URL encoded URLs not working + URLs: change more http to https + +- sasl_sspi: Fix memory leak in domain populate + + Free an existing domain before replacing it. + + Bug: https://github.com/curl/curl/issues/635 + Reported-by: silveja1@users.noreply.github.com -- Makefile.inc: Added our standard header and updated file formatting +Daniel Stenberg (4 Feb 2016) +- [Viktor Szakats brought this change] -- Makefile.inc: Updated file formatting + URLs: follow GitHub project rename (also Travis CI) - Aligned continuation character and used space as the separator - character as per other makefile files. + Closes #632 -- curl_md4.h: Updated copyright year following recent edit +- CHANGES.o: fix references to curl.haxx.nu - ...and minor layout adjustment. + I removed the scheme prefix from the URLs references this host name, as + we don't own/run that anymore but the name is kept for historic reasons. -Patrick Monnerat (5 Dec 2014) -- SMB: Fix big endian problems. Make it OS/400 aware. +- HISTORY: add some info about when we used which host names -- OS400: enable NTLM authentication +Jay Satiro (2 Feb 2016) +- [Viktor Szakats brought this change] -Steve Holme (5 Dec 2014) -- multi.c: Fixed compilation warning - - multi.c:2695: warning: declaration of `exp' shadows a global declaration + URLs: change more http to https -Guenter Knauf (5 Dec 2014) -- build: updated dependencies in makefiles. +Dan Fandrich (3 Feb 2016) +- URLs: Change more haxx.se URLs from http: to https: -Steve Holme (5 Dec 2014) -- sasl: Corrected formatting of function descriptions +Daniel Stenberg (3 Feb 2016) +- RELEASE-NOTES: synced with 4af40b364 -- sasl_gssapi: Added missing function description +- URLs: change all http:// URLs to https:// -- RELEASE-NOTES: Provided better descriptions +- configure: update the copyright year range in output + +- dotdot: allow an empty input string too + + It isn't used by the code in current conditions but for safety it seems + sensible to at least not crash on such input. - As it is often difficult to choose the best description for a single - feature when it spans many commits, updated the descriptions for the - recent SMB/CIFS protocol and GSS-API additions. + Extended unit test 1395 to verify this too as well as a plain "/" input. -- sasl_sspi: Corrected some typos +- HTTPS: update a bunch of URLs from HTTP to HTTPS -- sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data +- [Sergei Nikulov brought this change] + + AppVeyor: updated to handle OpenSSL/WinSSL builds - Don't use a hard coded size of 4 for the security layer and buffer size - in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as - we have done in the sasl_gssapi module. + Closes #621 -- sasl_sspi: Free the Kerberos V5 challenge as soon as we're done with it +Jay Satiro (1 Feb 2016) +- tool_operate: Don't sanitize --output path (Windows) + + Due to path separators being incorrectly sanitized in --output + pathnames, eg -o c:\foo => c__foo - Reduced the amount of free's required for the decoded challenge message - in Curl_sasl_create_gssapi_security_message() as a result of coding it - differently in the sasl_gssapi module. + This is a partial revert of 3017d8a until I write a proper fix. The + remote-name will continue to be sanitized, but if the user specified an + --output with string replacement (#1, #2, etc) that data is unsanitized + until I finish a fix. + + Bug: https://github.com/bagder/curl/issues/624 + Reported-by: Octavio Schroeder -- gssapi: Corrected typo in comments +- curl.1: Explain remote-name behavior if file already exists + + .. also warn about letting the server pick the filename. -- sasl_gssapi: Added body to Curl_sasl_create_gssapi_security_message() +- [Gisle Vanem brought this change] -Daniel Stenberg (4 Dec 2014) -- [Stefan Bühler brought this change] + urldata: Error on missing SSL backend-specific connect info - http_perhapsrewind: don't abort CONNECT requests - - ...they never have a body +Daniel Stenberg (28 Jan 2016) +- bump: towards the next (7.47.1 ?) -- [Stefan Bühler brought this change] +- [Sergei Nikulov brought this change] - HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request + cmake: fixed when OpenSSL enabled on Windows and schannel detected - Sending NTLM/Negotiate header again after successful authentication - breaks the connection with certain Proxies and request types (POST to MS - Forefront). + Closes #617 -- [Stefan Bühler brought this change] +Jay Satiro (28 Jan 2016) +- [Sergei Nikulov brought this change] - HTTP: don't abort connections with pending Negotiate authentication + urldata: moved common variable out of ifdef - ... similarly to how NTLM works as Negotiate is in fact often NTLM with - another name. - -- [Stefan Bühler brought this change] + Closes https://github.com/bagder/curl/pull/618 - fix gdb libtool invocation path +- [Viktor Szakats brought this change] -Steve Holme (4 Dec 2014) -- sasl_gssapi: Fixed missing include from commit d3cca934ee - -Daniel Stenberg (4 Dec 2014) -- [Jay Satiro brought this change] + tool_doswin: silence unused function warning + + tool_doswin.c:185:14: warning: 'msdosify' defined but not used + [-Wunused-function] + + Closes https://github.com/bagder/curl/pull/616 - examples: remove sony.com from 10-at-a-time +Daniel Stenberg (27 Jan 2016) +- getredirect.c: fix variable name - Prior to this change the 10-at-a-time example showed CURLE_RECV_ERROR - for the sony website because it ends the connection when the request is - missing a user agent. + Reported-by: Bernard Spil -Steve Holme (4 Dec 2014) -- sasl_gssapi: Fixed missing decoding debug failure message +Version 7.47.0 (27 Jan 2016) -- sasl_gssapi: Fixed honouring of no mutual authentication +Daniel Stenberg (27 Jan 2016) +- examples/Makefile.inc: specify programs without .c! -- sasl_sspi: Added more Kerberos V5 decoding debug failure messages +- THANKS: 6 new contributors from 7.47.0 release notes -Daniel Stenberg (4 Dec 2014) -- [Anthon Pang brought this change] +- [Isaac Boukris brought this change] - docs: Fix FAILONERROR typos + NTLM: Fix ConnectionExists to compare Proxy credentials - It returns error for >= 400 HTTP responses. + Proxy NTLM authentication should compare credentials when + re-using a connection similar to host authentication, as it + authenticate the connection. - Bug: https://github.com/bagder/curl/pull/129 - -- [Peter Wu brought this change] - - tool: fix CURLOPT_UNIX_SOCKET_PATH in --libcurl output + Example: + curl -v -x http://proxy:port http://host/ -U good_user:good_pwd + --proxy-ntlm --next -x http://proxy:port http://host/ + [-U fake_user:fake_pwd --proxy-ntlm] - Mark CURLOPT_UNIX_SOCKET_PATH as string to ensure that it ends up as - option in the file generated by --libcurl. + CVE-2016-0755 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Bug: http://curl.haxx.se/docs/adv_20160127A.html -- [Peter Wu brought this change] +- [Ray Satiro brought this change] - opts: fix CURLOPT_UNIX_SOCKET_PATH formatting + curl: avoid local drive traversal when saving file (Windows) + + curl does not sanitize colons in a remote file name that is used as the + local file name. This may lead to a vulnerability on systems where the + colon is a special path character. Currently Windows/DOS is the only OS + where this vulnerability applies. - Add .nf and .fi such that the code gets wrapped in a pre on the web. - Fixed grammar, fixed formatting of the "See also" items. + CVE-2016-0754 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Bug: http://curl.haxx.se/docs/adv_20160127B.html -Patrick Monnerat (4 Dec 2014) -- OS400: enable Unix sockets. +- RELEASE-NOTES: 7.47.0 -Daniel Stenberg (3 Dec 2014) -- RELEASE-NOTES: synced with b216427e73b5e9 +- FAQ: language fix in 4.19 -- opts: added CURLOPT_UNIX_SOCKET_PATH to Makefile.am +- [paulehoffman brought this change] -- updateconninfo: clear destination struct before getsockname() + FAQ: Update to point to GitHub - Otherwise we may read uninitialized bytes later in the unix-domain - sockets case. + Current FAQ didn't make it clear where the main repo is. + + Closes #612 -- curl.1: added --unix-socket +- maketgz: generate date stamp with LC_TIME=C + + bug: http://curl.haxx.se/mail/lib-2016-01/0123.html -- [Peter Wu brought this change] +- curl_multi_socket_action.3: line wrap - tool: add --unix-socket option - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> +- RELEASE-NOTES: synced with d58ba66eeceb -- [Peter Wu brought this change] +Steve Holme (21 Jan 2016) +- TODO: "Create remote directories" for SMB - libcurl: add UNIX domain sockets support +Jay Satiro (18 Jan 2016) +- mbedtls: Fix pinned key return value on fail - The ability to do HTTP requests over a UNIX domain socket has been - requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a - discussion happened, no patch seems to get through. I decided to give it - a go since I need to test a nginx HTTP server which listens on a UNIX - domain socket. + - Switch from verifying a pinned public key in a callback during the + certificate verification to inline after the certificate verification. - One patch [3] seems to make it possible to use the - CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket. - Another person wrote a Go program which can do HTTP over a UNIX socket - for Docker[4] which uses a special URL scheme (though the name contains - cURL, it has no relation to the cURL library). + The callback method had three problems: - This patch considers support for UNIX domain sockets at the same level - as HTTP proxies / IPv6, it acts as an intermediate socket provider and - not as a separate protocol. Since this feature affects network - operations, a new feature flag was added ("unix-sockets") with a - corresponding CURL_VERSION_UNIX_SOCKETS macro. + 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH + was not returned. - A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This - option enables UNIX domain sockets support for all requests on the - handle (replacing IP sockets and skipping proxies). + 2. If peer certificate verification was disabled the pinned key + verification did not take place as it should. - A new configure option (--enable-unix-sockets) and CMake option - (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I - deliberately did not mark this feature as advanced, this is a - feature/component that should easily be available. + 3. (related to #2) If there was no certificate of depth 0 the callback + would not have checked the pinned public key. - [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html - [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/ - [2]: http://sourceforge.net/p/curl/feature-requests/53/ - [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html - [4]: https://github.com/Soulou/curl-unix-socket + Though all those problems could have been fixed it would have made the + code more complex. Instead we now verify inline after the certificate + verification in mbedtls_connect_step2. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html + Ref: https://github.com/bagder/curl/pull/601 -- [Peter Wu brought this change] +- tests: Add a test for pinnedpubkey fail even when insecure + + Because disabling the peer verification (--insecure) must not disable + the public key pinning check (--pinnedpubkey). + +- [Daniel Schauenberg brought this change] - tests: add two HTTP over UNIX socket tests + CURLINFO_RESPONSE_CODE.3: add example + +Kamil Dudka (15 Jan 2016) +- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL - test1435: a simple test that checks whether a HTTP request can be - performed over the UNIX socket. The hostname/port are interpreted - by sws and should be ignored by cURL. + The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle + empty strings specially since curl-7_25_0-31-g05a443a but the behavior + was unintentionally removed in curl-7_38_0-47-gfa7d04f. - test1436: test for the ability to do two requests to the same host, - interleaved with one to a different hostname. + This commit restores the original behavior and clarifies it in the + documentation that NULL and "" have both the same meaning when passed + to CURLOPT_SSH_PUBLIC_KEYFILE. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html -- [Peter Wu brought this change] +Daniel Stenberg (14 Jan 2016) +- RELEASE-NOTES: synced with 35083ca60ed035a - tests: add HTTP UNIX socket server testing support - - The variable `$ipvnum` can now contain "unix" besides the integers 4 - and 6 since the variable. Functions which receive this parameter - have their `$port` parameter renamed to `$port_or_path` to support a - path to the UNIX domain socket (as a "port" is only meaningful for TCP). +- openssl: improved error detection/reporting - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL + 1.1.0+ returned a new func number of another cerfificate fail so this + required a fix and this is the better way to catch this error anyway. -- [Peter Wu brought this change] +- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own - sws: try to remove socket and retry bind +- CURLOPT_RESOLVE.3: minor language polish + +- configure: assume IPv6 works when cross-compiled + + The configure test uses AC_TRY_RUN to figure out if an ipv6 socket + works, and testing like that doesn't work for cross-compiles. These days + IPv6 support is widespread so a blind guess is probably more likely to + be 'yes' than 'no' now. - If sws is killed it might leave a stale socket file on the filesystem - which would cause an EADDRINUSE error. After this patch, it is checked - whether the socket is really stale and if so, the socket file gets - removed and another bind is executed. + Further: anyone who cross-compiles can use configure's --disable-ipv6 to + explicitly disable IPv6 and that also works for cross-compiles. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Made happen after discussions in issue #594 -- [Peter Wu brought this change] +- TODO: "Try to URL encode given URL" + + Closes #514 - sws: add UNIX domain socket support +- ConnectionExists: only do pipelining/multiplexing when asked - This extends sws with a --unix-socket option which causes the port to - be ignored (as the server now listens on the path specified by - --unix-socket). This feature will be available in the following patch - that enables checking for UNIX domain socket support. + When an HTTP/2 upgrade request fails (no protocol switch), it would + previously detect that as still possible to pipeline on (which is + acorrect) and do that when PIPEWAIT was enabled even if pipelining was + not explictily enabled. - Proxy support (CONNECT) is not considered nor tested. It does not make - sense anyway, first connecting through a TCP proxy, then let that TCP - proxy connect to a UNIX socket. + It should only pipelined if explicitly asked to. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #584 -- [Peter Wu brought this change] +- [Mohammad AlSaleh brought this change] - sws: restrict TCP_NODELAY to IP sockets + lib: Prefix URLs with lower-case protocol names/schemes - TCP_NODELAY does not make sense for Unix sockets, so enable it only if - the socket is using IP. + Before this patch, if a URL does not start with the protocol + name/scheme, effective URLs would be prefixed with upper-case protocol + names/schemes. This behavior might not be expected by library users or + end users. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> - -Dan Fandrich (3 Dec 2014) -- [Dave Reisner brought this change] + For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the + URL is "hostname/path". The effective URL would be + "HTTPS://hostname/path" instead of "https://hostname/path". + + After this patch, effective URLs would be prefixed with a lower-case + protocol name/scheme. + + Closes #597 + + Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com> - curl.1: fix trivial typo +- [Alessandro Ghedini brought this change] -Steve Holme (3 Dec 2014) -- sasl_gssapi: Added body to Curl_sasl_create_gssapi_user_message() + scripts: don't generate and install zsh completion when cross-compiling -- sasl_gssapi: Added body to Curl_sasl_gssapi_cleanup() +- [Alessandro Ghedini brought this change] -- sasl_gssapi: Added Curl_sasl_build_gssapi_spn() function + scripts: fix zsh completion generation - Added helper function for returning a GSS-API compatible SPN. + The script should use the just-built curl, not the system one. This fixes + zsh completion generation when no system curl is installed. -Daniel Stenberg (3 Dec 2014) -- NSS: enable the CAPATH option - - Bug: http://curl.haxx.se/bug/view.cgi?id=1457 - Patch-by: Tomasz Kojm +- [Alessandro Ghedini brought this change] -Steve Holme (3 Dec 2014) -- sasl_gssapi: Enable USE_KERBEROS5 for GSS-API based builds + zsh.pl: fail if no curl is found + + Instead of generation a broken completion file. -- sasl_gssapi: Added GSS-API based Kerberos V5 variables +- [Michael Kaufmann brought this change] -- sws.c: Fixed compilation warning when IPv6 is disabled + IDN host names: Remove the port number before converting to ACE - sws.c:69: warning: comma at end of enumerator list + Closes #596 -- sasl_gssapi: Made log_gss_error() a common GSS-API function +Jay Satiro (10 Jan 2016) +- runtests: Add mbedTLS to the SSL backends - Made log_gss_error() a common function so that it can be used in both - the http_negotiate code as well as the curl_sasl_gssapi code. + .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL. + +Daniel Stenberg (10 Jan 2016) +- [Thomas Glanzmann brought this change] + + mbedtls: implement CURLOPT_PINNEDPUBLICKEY + +Jay Satiro (9 Jan 2016) +- [Tatsuhiro Tsujikawa brought this change] + + url: Fix compile error with --enable-werror + +- [Tatsuhiro Tsujikawa brought this change] -- sasl_gssapi: Introduced GSS-API based SASL module + http2: Ensure that http2_handle_stream_close is called + + Previously, when HTTP/2 is enabled and used, and stream has content + length known, Curl_read was not called when there was no bytes left to + read. Because of this, we could not make sure that + http2_handle_stream_close was called for every stream. Since we use + http2_handle_stream_close to emit trailer fields, they were + effectively ignored. This commit changes the code so that Curl_read is + called even if no bytes left to read, to ensure that + http2_handle_stream_close is called for every stream. - Added the initial version of curl_sasl_gssapi.c and updated the project - files in preparation for adding GSS-API based Kerberos V5 support. + Discussed in https://github.com/bagder/curl/pull/564 -- smb: Don't try to connect with empty credentials +Daniel Stenberg (8 Jan 2016) +- http2: handle the received SETTINGS frame - On some platforms curl would crash if no credentials were used. As such - added detection of such a use case to prevent this from happening. + This regression landed in 5778e6f5 and made libcurl not act on received + settings and instead stayed with its internal defaults. - Reported-by: Gisle Vanem + Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html + Reported-by: Bankde -- smb.c: Coding policing of pointer usage +- Revert "multiplex: allow only once HTTP/2 is actually used" + + This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36. + + Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html -- configure: Fixed inclusion of SMB when no crypto engines available +Jay Satiro (8 Jan 2016) +- [Tatsuhiro Tsujikawa brought this change] -Guenter Knauf (1 Dec 2014) -- build: in Makefile.m32 simplified autodetection. + http2: Fix PUSH_PROMISE headers being treated as trailers + + Discussed in https://github.com/bagder/curl/pull/564 -Daniel Stenberg (30 Nov 2014) -- [Peter Wu brought this change] +Daniel Stenberg (8 Jan 2016) +- [Michael Kaufmann brought this change] - sws: move away from IPv4/IPv4-only assumption + connection reuse: IDN host names fixed - Instead of depending the socket domain type on use_ipv6, specify the - domain type (AF_INET / AF_INET6) as variable. An enum is used here with - switch to avoid compiler warnings in connect_to, complaining that rc - is possibly undefined (which is not possible as socket_domain is - always set). + Use the ACE form of IDN hostnames as key in the connection cache. Add + new tests. - Besides abstracting the socket type, make the debugging messages be - independent on IP (introduce location_str which points to "port XXXXX"). - Rename "ipv_inuse" to "socket_type" and tighten the scope (main). - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #592 -- [Peter Wu brought this change] +- tests: mark IPv6 FTP and FTPS tests with the FTP keyword - lib/connect: restrict IP/TCP options to said sockets +Jay Satiro (7 Jan 2016) +- mbedtls: Fix ALPN support + + - Fix ALPN reply detection. - This patch prepares for adding UNIX domain sockets support. + - Wrap nghttp2 code in ifdef USE_NGHTTP2. - TCP_NODELAY and TCP_KEEPALIVE are specific to TCP/IP sockets, so do not - apply these to other socket types. bindlocal only works for IP sockets - (independent of TCP/UDP), so filter that out too for other types. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS. -- smb.c: use size_t as input argument types for msg sizes +- http2: Fix client write for trailers on stream close - This fixes warnings about conversions to int + Check that the trailer buffer exists before attempting a client write + for trailers on stream close. + + Refer to comments in https://github.com/bagder/curl/pull/564 -Steve Holme (30 Nov 2014) -- version: The next release will become 7.40.0 +Daniel Stenberg (7 Jan 2016) +- COPYING: update general copyright year range -- [Bill Nagel brought this change] +- ConnectionExists: add missing newline in infof() call + + Mistake from commit a464f33843ee1 - docs: Updated for the SMB protocol +- multiplex: allow only once HTTP/2 is actually used - This patch updates the documentation for the SMB/CIFS protocol. + To make sure curl doesn't allow multiplexing before a connection is + upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the + connection uses HTTP/2 as well and not only check what's wanted. + + Closes #584 + + Patch-by: c0ff -- curl tool: Exclude SMB from the protocol redirect +Jay Satiro (4 Jan 2016) +- curl_global_init.3: Add Windows-specific info for init via DLL - As local files could be accessed through \\localhost\c$. + - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows + that initializing libcurl via a DLL's DllMain or static initializer + could cause a deadlock. + + Bug: https://github.com/bagder/curl/issues/586 + Reported-by: marc-groundctl@users.noreply.github.com -- [Bill Nagel brought this change] +Daniel Stenberg (4 Jan 2016) +- FAQ: clarify who to mail about ECCN clarifications - curl tool: Enable support for the SMB protocol - - This patch enables SMB/CIFS support in the curl command-line tool. +- progressfunc.c: spellfix description -- smb.c: Fixed compilation warnings - - smb.c:398: warning: comparison of integers of different signs: - 'ssize_t' (aka 'long') and 'unsigned long' - smb.c:443: warning: comparison of integers of different signs: - 'ssize_t' (aka 'long') and 'unsigned long' +- docs/examples/multi-app.c: fix bad desc formatting -- libcurl: Exclude SMB from the protocol redirect - - As local files could be accessed through \\localhost\c$. +- examples: added descriptions -- [Bill Nagel brought this change] +- example/simple.c: add description - libcurl: Enable support for the SMB protocol - - This patch enables SMB/CIFS support in libcurl. +- getredirect.c: a new example -- smb.c: Fixed compilation warnings - - smb.c:322: warning: conversion to 'short unsigned int' from 'unsigned - int' may alter its value - smb.c:323: warning: conversion to 'short unsigned int' from 'unsigned - int' may alter its value - smb.c:482: warning: conversion to 'short unsigned int' from 'int' may - alter its value - smb.c:521: warning: conversion to 'unsigned int' from 'curl_off_t' may - alter its value - smb.c:549: warning: conversion to 'unsigned int' from 'curl_off_t' may - alter its value - smb.c:550: warning: conversion to 'short unsigned int' from 'int' may - alter its value - -- smb.c: Renamed SMB command message variables to avoid compiler warnings - - smb.c:489: warning: declaration of 'close' shadows a global declaration - smb.c:511: warning: declaration of 'read' shadows a global declaration - smb.c:528: warning: declaration of 'write' shadows a global declaration +Marc Hoersken (27 Dec 2015) +- RELEASE-NOTES: add 5e0e81a9c4e35f04ca -- smb.c: Fixed compilation warnings +Daniel Stenberg (26 Dec 2015) +- RELEASE-NOTES: synced with 2aec4359db1088b10d + +Marc Hoersken (26 Dec 2015) +- test 1515: add data check + +- test 1515: add MSYS support by passing a relative path - smb.c:212: warning: unused parameter 'done' - smb.c:380: warning: ISO C does not allow extra ';' outside of a function - smb.c:812: warning: unused parameter 'premature' - smb.c:822: warning: unused parameter 'dead' + MSYS would otherwise turn a /-style path into a C:\-style path. -- smb.c: Fixed compilation warnings +- test 539: use datacheck mode text for ASCII-mode LISTings - smb.c:311: warning: conversion from 'unsigned __int64' to 'u_short', - possible loss of data - smb.c:425: warning: conversion from '__int64' to 'unsigned short', - possible loss of data - smb.c:452: warning: conversion from '__int64' to 'unsigned short', - possible loss of data + While still using datacheck mode binary for the inline reply data. -- smb.c: Fixed compilation warnings +- runtests.pl: check up to 5 data parts with different text modes - smb.c:162: error: comma at end of enumerator list - smb.c:469: warning: conversion from 'size_t' to 'unsigned short', - possible loss of data - smb.c:517: warning: conversion from 'curl_off_t' to 'unsigned int', - possible loss of data - smb.c:545: warning: conversion from 'curl_off_t' to 'unsigned int', - possible loss of data + Move the text-mode conversion for reply/replycheck from the verify + section into the load section and add support for 4 more check parts. -- [Bill Nagel brought this change] +Daniel Stenberg (24 Dec 2015) +- CURLOPT_RANGE: for HTTP servers, range support is optional - smb: Added initial SMB functionality - - Initial implementation of the SMB/CIFS protocol. +Marc Hoersken (24 Dec 2015) +- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings -- [Bill Nagel brought this change] +- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings - smb: Added SMB handler interfaces - - Added the SMB and SMBS handler interface structures and associated - functions required for SMB/CIFS operation. +- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings -- transfer: Code style policing +- sockfilt.c: fix calculation of sleep timeout on Windows - Prefer ! rather than NULL in if statements, added comments and updated - function spacing, argument spacing and line spacing to be more readble. + Not converting to double caused small timeouts to be skipped. -- transfer: Fixed existing scratch buffer being checked for NULL twice +- tests first.c: fix calculation of sleep timeout on Windows - If the scratch buffer already existed when the CRLF conversion was - performed then the buffer pointer would be checked twice for NULL. This - second check is only necessary if the call to malloc() was performed by - the first check. + Not converting to double caused small timeouts to be skipped. -- smtp: Fixed dot stuffing being performed when no new data read +- test 573: add more debug output + +- ftplistparser.c: fix handling of file LISTings using Windows EOL - Whilst I had moved the dot stuffing code from being performed before - CRLF conversion takes place to after it, in commit 4bd860a001, I had - moved it outside the 'when something read' block of code when meant - it could perform the dot stuffing twice on partial send if nread - happened to contain the right values. It also meant the function could - potentially read past the end of buffer. This was highlighted by the - following warning: + Previously file.txt[CR][LF] would have been returned as file.tx + (without the last t) if filetype is symlink. Now the t is + included and the internal item_length includes the zero byte. - warning: `nread' might be used uninitialized in this function + Spotted using test 576 on Windows. -Daniel Stenberg (29 Nov 2014) -- smb.h: fixed picky compiler warning +- test 16: fix on Linux (and Windows) by using plain ASCII characters - smb.h:30:16: error: comma at end of enumerator list [-Werror=pedantic] + Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel. -Steve Holme (29 Nov 2014) -- tests: Disable test 1013 until SMB is fully added +- tftpd server: add Windows support by writing files in binary mode -- [Bill Nagel brought this change] +- tests 252-255: use datacheck mode text for ASCII-mode LISTings - smb: Added SMB protocol and port definitions - - Added the necessary protocol and port definitions in order to support - SMB/CIFS. +- test 16: fix on Windows by converting data file from ANSI to UTF-8 -- [Bill Nagel brought this change] - - smb: Added internal SMB definitions and structures +Daniel Stenberg (23 Dec 2015) +- Makefile.inc: s/curl_SOURCES/CURL_FILES - Added the internal definitions and structures necessary for SMB/CIFS - support. - -- [Bill Nagel brought this change] - - smb: Added SMB connection structure + This allows the root Makefile.am to include the Makefile.inc without + causing automake to warn on it (variables named *_SOURCES are + magic). curl_SOURCES is then instead assigned properly in + src/Makefile.am only. - Added the connection structure that will be required in urldata.h for - SMB/CIFS based connections. + Closes #577 -- [Bill Nagel brought this change] +- [Anders Bakken brought this change] - smb: Added initial source files for SMB + ConnectionExists: with *PIPEWAIT, wait for connections - Added the initial source files and updated the relevant project files in - order to support SMB/CIFS. - -- [Bill Nagel brought this change] - - smb: Added configuration options for SMB + Try harder to prevent libcurl from opening up an additional socket when + CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS + handshakes complete first before the decision is made. - Added --enable-smb and --disable-smb configuration options for the - upcoming SMB/CIFS protocol support. + Closes #575 -Daniel Stenberg (28 Nov 2014) -- [Peter Wu brought this change] +- [Anders Bakken brought this change] - runtests.pl: fix startup of IPv6 servers + Add .dir-locals and set c-basic-offset to 2. - Commit curl-7_23_1-143-g8218064 changed the parameter of - responsive_http_server to accept types other than IPv6 (converting - from a boolean to a string), but only considered the lower-case "ipv6" - and not the "IPv6" variant. This caused all servers to start in IPv4 - mode instead. + This makes it easier for emacs users to automatically get the right + 2-space indentation when they edit curl source files. - This patch converts the remaining cases to "ipv6". While not strictly - necessary for the run*server variants, these got also converted for - consistency and to prevent future errors. + c++-mode is in there as well because Emacs can't easily know if + something is a C or C++ header. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #574 -- [Peter Wu brought this change] +- [Johannes Schindelin brought this change] - runtests.pl: fix warning message, remove duplicate value + configure: detect IPv6 support on Windows + + This patch was "nicked" from the MINGW-packages project by Daniel. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007 + Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> -Steve Holme (27 Nov 2014) -- http.c: Fixed compilation warnings from features being disabled +- configure: allow static builds on mingw - warning: unused variable 'data' - warning: variable 'addcookies' set but not used + This patch is adopted from the MINGW-packages project. It makes it + possible to build curl both shared and static again. - ...and some very minor coding style policing. + URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl -- RELEASE-NOTES: Synced with c5399c827d +Marc Hoersken (17 Dec 2015) +- test 1326: fix file check since curl is outputting binary data -- tests: Added SMTP with --crlf test case +- test 1326: fix getting stuck on Windows due to incomplete request + + The request needs to be read and send in binary mode in order to use + CRLF instead of LF. Adding --upload-file - causes curl to read stdin + in binary mode. -- docs: Updated for commit 4bd860a001 and SMTP Unix line ending conversion +Daniel Stenberg (17 Dec 2015) +- RELEASE-NOTES: command line option recount -- smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob() - - ...and some comment typos! +Dan Fandrich (16 Dec 2015) +- scripts/Makefile: build zsh script even in an out-of-tree build -- smtp: Added support for the conversion of Unix newlines during mail send - - Added support for the automatic conversion of Unix newlines to CRLF - during mail uploads. - - Feature: http://curl.haxx.se/bug/view.cgi?id=1456 +Marc Hoersken (16 Dec 2015) +- sockfilt.c: added some debug output to select_ws -- CURLOPT_CRLF.3: Fixed inclusion of SMTP in listed protocols +- sockfilt.c: keep lines shorter than 80 chars -Daniel Stenberg (25 Nov 2014) -- curl*3: added small examples +- sockfilt.c: do not wait on unreliable file or pipe handle - and some minor edits + The previous implementation caused issues on modern MSYS2 runtimes. -- libcurl.3: fix formatting +Daniel Stenberg (16 Dec 2015) +- cyassl: deal with lack of *get_peer_certificate + + The function is only present in wolfssl/cyassl if it was built with + --enable-opensslextra. With these checks added, pinning support is disabled + unless the TLS lib has that function available. - refer to functions with the man page section properly + Also fix the mistake in configure that checks for the wrong lib name. + + Closes #566 -- man pages: SEE ALSO curl_multi_wait +- wolfssl: handle builds without SSLv3 support -- curl_multi_wait.3: clarify numfds being used if not NULL +- [Tatsuhiro Tsujikawa brought this change] -- multi-single.c: switch to use curl_multi_wait + http2: Support trailer fields - Makes the example much easier and straight-forward! - -- testcurl: bump the version of this script! - -- testcurl: skip reading the setup file if given enough cmdline info + This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked + encoding must be used to send trialer fields. HTTP/2 deprecated any + trandfer-encoding, including chunked. But trailer fields are now + always available. - This makes it much easier to run multiple tests in the same directory, - just altering the command lines used. - -- select.c: fix compilation for VxWorks + Since trailer fields are relatively rare these days (gRPC uses them + extensively though), allocating buffer for trailer fields is done when + we detect that HEADERS frame containing trailer fields is started. We + use Curl_add_buffer_* functions to buffer all trailers, just like we + do for regular header fields. And then deliver them when stream is + closed. We have to be careful here so that all data are delivered to + upper layer before sending trailers to the application. - Reported-by: Brian - Bug: http://curl.haxx.se/bug/view.cgi?id=1455 - -Patrick Monnerat (24 Nov 2014) -- [moparisthebest brought this change] + We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE + mechanism, but current method is far more simple. + + Another possibility is use chunked encoding internally for HTTP/2 + traffic. I have not tested it, but it could add another overhead. + + Closes #564 - SSL: Add PEM format support for public key pinning +- RELEASE-NOTES: synced with 6c2c019654e658a -Kamil Dudka (24 Nov 2014) -- Revert "repository: ignore patch files generated by git" +Jay Satiro (15 Dec 2015) +- x509asn1: Fix host altname verification - This reverts commit 217024a687ce86eb6d2317822ed81c7e5abc4b61. + - In Curl_verifyhost check all altnames in the certificate. - Bug: https://github.com/bagder/curl/commit/217024a6#commitcomment-8693738 - -Steve Holme (23 Nov 2014) -- multi.c: Fixed compilation warnings when no verbose string support + Prior to this change only the first altname was checked. Only the GSKit + SSL backend was affected by this bug. - warning: variable 'connection_id' set but not used - warning: unused parameter 'lineno' + Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html + Reported-by: John Kohl -- RELEASE-NOTES: Synced with 1450712e76 +Daniel Stenberg (15 Dec 2015) +- curl --expect100-timeout: added + + This is the new command line option to set the value for the existing + libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS -- sasl: Tidied up some parameter comments +- cyassl: fix compiler warning on type conversion -- sasl: Reduced the need for two sets of NTLM functions +- curlver: the pending release will become 7.47.0 -- ntlm: Moved NSS initialisation to base decode function +- [Anders Bakken brought this change] -- http_ntlm: Fixed additional NSS initialisation call when decoding type-2 + setstropt: const-correctness - After commit 48d19acb7c the HTTP code would call Curl_nss_force_init() - twice when decoding a NTLM type-2 message, once directly and the other - through the call to Curl_sasl_decode_ntlm_type2_message(). + Closes #565 -- ntlm: Fixed static'ness of local decode function +- ROADMAP: implemented HTTP2 for HTTPS-only -- ntlm: Corrected some parameter names and comments +- HTTP2.md: spell fix and remove TODO now implemented -- runtests.pl: Re-aligned feature support comments +- libressl: the latest openssl x509 funcs are not in libressl -- runtests.pl: Use Kerberos and SPNEGO as proxies for the crypto feature +- curl: use 2TLS by default - In addition to NTLM, use Kerberos and SPNEGO as proxies to the crypto - feature. + Make this the default for the curl tool (if built with HTTP/2 powers + enabled) unless a specific HTTP version is requested on the command + line. - ...and converted tab characters, from commit 4b4e8a5853, to spaces. + This should allow more users to get HTTP/2 powers without having to + change anything. -- runtests.pl: Added support for SPNEGO - -- runtests.pl: Added Kerberos detection +- http: add libcurl option to allow HTTP/2 for HTTPS only + + ... and stick to 1.1 for HTTP. This is in line with what browsers do and + should have very little risk. -- runtests.pl: Added GSS-API detection +- openssl: adapt to openssl >= 1.1.0 X509 opaque structs + + Closes #491 -- FILEFORMAT: Added SSPI, GSS-API and Kerberos to the features list +- openssl: avoid BIO_reset() warnings since it returns a value -- FILEFORMAT: Added test requires feature not present information - - Such as !SSPI as we do for the NTLM and Digest tests. +- openssl: adapt to 1.1.0+ name changes -Daniel Stenberg (20 Nov 2014) -- http.c: log if it notices HTTP 1.1 after a upgrade to http2 +- scripts/makefile: add standard header -- test1801: first real http2 test case +- scripts/Makefile: fix GNUism and survive no perl + + Closes #555 + + Reported-by: Thomas Klausner -- sws: initial tiny steps toward http2 support +- fix b6d5cb40d7038fe -- FILEFORMAT: mention the new upgrade support +- [Tatsuhiro Tsujikawa brought this change] -- test1800: first plain-text http2 test case + http2: Fix hanging paused stream - Verifies the upgrade request, but gets a plain 1.1 response + When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we + might not process DATA frame fully. Calling nghttp2_session_mem_recv() + again will continue to process DATA frame, but if there is no incoming + frames, then we have to call it again with 0-length data. Without this, + on_stream_close callback will not be called, and stream could be hanged. + + Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html + Reported-by: Francisco Moraes -- [Tatsuhiro Tsujikawa brought this change] +- [Christian Stewart brought this change] - http: Disable pipelining for HTTP/2 and upgraded connections + build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS - This commit disables pipelining for HTTP/2 or upgraded connections. For - HTTP/2, we do not support multiplexing. In general, requests cannot be - pipelined in an upgraded connection, since it is now different protocol. + With curl disable verbose strings in http.c the compilation fails due to + the data variable being undefined later on in the function. + + Closes #558 -- [Brad Harder brought this change] +Jay Satiro (7 Dec 2015) +- [Gisle Vanem brought this change] - CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option + config-win32: Fix warning HAVE_WINSOCK2_H undefined -Steve Holme (19 Nov 2014) -- multi-uv.c: Updated for curl coding standards +- [Gisle Vanem brought this change] -- conncache: Fixed specifiers in infof() for long and size_t variables + openssl: BoringSSL doesn't have CONF_modules_free -- [Peter Wu brought this change] +- [Gisle Vanem brought this change] - cmake: add Kerberos to the supported features + lwip: Fix compatibility issues with later versions - Updated following commit eda919f and a4b7f71. + The name of the header guard in lwIP's <lwip/opt.h> has changed from + '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015). - Acked-by: Brad King <brad.king@kitware.com> - Signed-off-by: Peter Wu <peter@lekensteyn.nl> - -- [Peter Wu brought this change] - - cmake: fix NTLM detection when CURL_DISABLE_HTTP defined + Other fixes: + + - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is + used. + + - In memdebug.h, the 'socket' should be undefined first due to lwIP's + lwip_socket() macro. + + - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need + special handling because they were undef'ed in memdebug.h. - Updated following changes in commit f0d860d. + - In select.c we can't use preprocessor conditionals inside select if + MSVC and select is a macro, as it is with lwIP. - Acked-by: Brad King <brad.king@kitware.com> - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + http://curl.haxx.se/mail/lib-2015-12/0023.html + http://curl.haxx.se/mail/lib-2015-12/0024.html -Daniel Stenberg (19 Nov 2014) -- RELEASE-NOTES: synced with cb13fad733e +Patrick Monnerat (7 Dec 2015) +- os400: define CURL_VERSION_PSL in ILE/RPG binding -- [Jay Satiro brought this change] +Jay Satiro (7 Dec 2015) +- [Gisle Vanem brought this change] - examples: Wait recommended 100ms when no file descriptors are ready + version: Add flag CURL_VERSION_PSL for libpsl + +- formdata: Check if length is too large for memory - Prior to this change when no file descriptors were ready on platforms - other than Windows the multi examples would sleep whatever was in - timeout, which may or may not have been less than the minimum - recommended value [1] of 100ms. + - If the size of the length type (curl_off_t) is greater than the size + of the size_t type then check before allocating memory to make sure the + value of length will fit in a size_t without overflow. If it doesn't + then return CURLE_BAD_FUNCTION_ARGUMENT. - [1]: http://curl.haxx.se/libcurl/c/curl_multi_fdset.html + Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679 + Reported-by: Steve Holme -- [Waldek Kozba brought this change] +Steve Holme (3 Dec 2015) +- tests: Corrected copy and pasted comments from commit e643c5c908 - multi-uv.c: close the file handle after download +Daniel Stenberg (3 Dec 2015) +- curl: remove keepalive #ifdef checks done on libcurl's behalf + + They didn't match the ifdef logic used within libcurl anyway so they + could indeed warn for the wrong case - plus the tool cannot know how the + lib actually performs at that level. -- [Jon Spencer brought this change] +Steve Holme (2 Dec 2015) +- test947: Corrected typo in test name - multi: inform about closed sockets before they are closed +- tests: Disable the OAUTHBEARER tests when using a non-default port number - When the connection code decides to close a socket it informs the multi - system via the Curl_multi_closed function. The multi system may, in - turn, invoke the CURLMOPT_SOCKETFUNCTION function with - CURL_POLL_REMOVE. This happens after the socket has already been - closed. Reorder the code so that CURL_POLL_REMOVE is called before the - socket is closed. + Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail + if a custom port number is specified via the -b option of runtests.pl. + + Suggested by: Kamil Dudka + Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html -Guenter Knauf (19 Nov 2014) -- build: in Makefile.m32 moved target autodetection. +Daniel Stenberg (2 Dec 2015) +- bump: towards next release - Moved target autodetection block after defining CC macro. + for all we know now, it might be called 7.46.1 -- build: in Makefile.m32 simplify platform flags. +Version 7.46.0 (1 Dec 2015) -- build: in Makefile.m32 try to detect 64bit target. +Daniel Stenberg (1 Dec 2015) +- RELEASE-NOTES: updated contributor count for 7.46.0 -Daniel Stenberg (19 Nov 2014) -- [Brad King brought this change] +- THANKS: new contributors from the 7.46.0 release - CMake: Simplify if() conditions on check result variables - - Remove use of an old hack that takes advantage of the auto-dereference - behavior of the if() command to detect if a variable is defined. The - hack has the form: - - if("${VAR} MATCHES "^${VAR}$") +- THANKS-filter: single Tim Rühsen spelling + +- docs/examples: gitignore some more built examples + +- RELEASE-NOTES; this bug was never released + +- RELEASE-NOTES: synced with e55f15454efacb0 + +- [Flavio Medeiros brought this change] + + Curl_read_plain: clean up ifdefs that break statements - where "${VAR}" is a macro argument reference. Use if(DEFINED) instead. - This also avoids warnings for CMake Policy CMP0054 in CMake 3.1. + Closes #546 -- TODO-RELEASE: removed +- http2: convert some verbose output into debug-only output -- [Carlo Wood brought this change] +- http2 push: add missing inits of new stream + + - set the correct stream_id for pushed streams + - init maxdownload and size properly - debug: added new connection cache output, plus fixups +- http2 push: set weight for new stream - Debug output 'typo' fix. + give the new stream the old one's stream_weight internally to avoid + sending a PRIORITY frame unless asked for it + +- curl_setup.h: undef freeaddrinfo in c-ares block to fix build - Don't print an extra "0x" in - * Pipe broke: handle 0x0x2546d88, url = / + Fixes warnings 78c25c854a added. + +- nonblock: fix setting non-blocking mode for Amiga - Add debug output. - Print the number of connections in the connection cache when - adding one, and not only when one is removed. + IoctlSocket() apparently wants a pointer to a long, passed as a char * + in its third parameter. This bug was introduced already back in commit + c5fdeef41d from October 1 2001! - Fix typos in comments. + Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html + Reported-by: Norbert Kett -- multi: move the ending condition into the loop as well +- zsh install: fix DESTDIR support - ... as it was before I changed the loop in commit e04ccbd50. It caused - test 2030 and 2032 to fail. + Reported-by: Mohammad AlSaleh -Steve Holme (18 Nov 2014) -- multi: Prefer we don't use CURLE_OK and NULL in comparisons +Dan Fandrich (27 Nov 2015) +- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available -Daniel Stenberg (18 Nov 2014) -- multi_runsingle: use 'result' for local CURLcode storage +Steve Holme (27 Nov 2015) +- tool_paramhlp: Fixed display of URL index in password prompt for --next - ... and assign data->result only at the end. Makes the code more compact - (easier to read) and more similar to other code. + Commit f3bae6ed73 added the URL index to the password prompt when using + --next. Unfortunately, because the size_t specifier (%zu) is not + supported by all sprintf() implementations we use the curl_off_t format + specifier instead. The display of an incorrect value arises on platforms + where size_t and curl_off_t are of a different size. -- multi_runsingle: rename result to rc +Daniel Stenberg (25 Nov 2015) +- timecond: do not add if-modified-since without timecondition - save 'result' for CURLcode types - -- multi: make multi_runsingle loop internally + The RTSP code path didn't skip adding the if-modified-since for certain + RTSP code paths, even if CURLOPT_TIMECONDITION was set to + CURL_TIMECOND_NONE. + + Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals + CURL_TIMECOND_IFMODSINCE. - simplifies the use of this function at little cost. + Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header -- [Carlo Wood brought this change] +- RELEASE-NOTES: synced with 99d17a5e2ba77e58 - multi: when leaving for timeout, close accordingly +- examples/README: cut out the incomplete list - Fixes the problem when a transfer in a pipeline times out. + ... and add a generic explanation for them instead. Each example file + should contain its own description these days. -Guenter Knauf (18 Nov 2014) -- build: in Makefile.m32 add -m32 flag for 32bit. +- test1513: make sure the callback is only called once -- mk-ca-bundle.vbs: update copyright year. +- [Daniel Shahaf brought this change] -- build: in Makefile.m32 pass -F flag to windres. - -Steve Holme (17 Nov 2014) -- config-win32: Fixed build targets for the VS2012+ Windows XP toolset + build: Install zsh completion - Even though commit 23e70e1cc6 mentioned the v110_xp toolset, I had - forgotten to include the relevant pre-processor definitions. - -- sasl_sspi: Removed note about the NTLM functions being a wrapper + Fixes #534 + Closes #537 -- connect.c: Fixed compilation warning when no verbose string support +- done: make sure the final progress update is made - warning: unused parameter 'reason' - -- easy.c: Fixed compilation warning when no verbose string support + It would previously be skipped if an existing error was returned, but + would lead to a previous value being left there and later used. + CURLINFO_TOTAL_TIME for example. - warning: unused parameter 'easy' - -- win32: Updated some legacy APIs to use the newer extended versions + Still it avoids that final progress update if we reached DONE as the + result of a callback abort to avoid another callback to be called after + an abort-by-callback. - Updated the usage of some legacy APIs, that are preventing curl from - compiling for Windows Store and Windows Phone build targets. + Reported-by: Lukas Ruzicka - Suggested-by: Stefan Neis - Feature: http://sourceforge.net/p/curl/feature-requests/82/ + Closes #538 -- config-win32: Introduce build targets for VS2012+ +- curl: expanded the -XHEAD warning text - Visual Studio 2012 introduced support for Windows Store apps as well as - supporting Windows Phone 8. Introduced build targets that allow more - modern APIs to be used as certain legacy ones are not available on these - new platforms. + ... to also mention the specific options used. -- sasl_sspi: Fixed compilation warnings when no verbose string support - -- sasl_sspi: Added base64 decoding debug failure messages +- Revert "cleanup: general removal of TODO (and similar) comments" + + This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. - Just like in the NTLM code, added infof() failure messages for - DIGEST-MD5 and GSSAPI authentication when base64 decoding fails. + Feedback-by: Dan Fandrich + URL: http://curl.haxx.se/mail/lib-2015-11/0062.html -- ntlm: Moved the SSPI based Type-3 message generation into the SASL module +- CURLOPT_HEADERFUNCTION.3: fix typo + + Refer to _HEADERDATA not _WRITEDATA. + + Reported-by: Michał Piechowski -- ntlm: Moved the SSPI based Type-2 message decoding into the SASL module +- TODO: TCP Fast Open -- ntlm: Moved the SSPI based Type-1 message generation into the SASL module +Steve Holme (22 Nov 2015) +- examples: Added website parse-able descriptions to the e-mail examples -- [Michael Osipov brought this change] +- TODO: Added another 'multi-interface' idea - kerberos: Use symbol qualified with _KERBEROS5 +- smb.c: Fixed compilation warnings - For consistency renamed USE_KRB5 to USE_KERBEROS5. + smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may + alter its value + smb.c:146:42: warning: conversion to 'unsigned int' from 'long long + unsigned int' may alter its value + smb.c:146:65: warning: conversion to 'unsigned int' from 'long long + unsigned int' may alter its value -Daniel Stenberg (15 Nov 2014) -- [Jay Satiro brought this change] +- schannel: Corrected copy/paste error in commit 8d17117683 - examples: Don't call select() to sleep on windows - - Windows does not support using select() for sleeping without a dummy - socket. Instead use Windows' Sleep() and sleep for 100ms which is the - minimum suggested value in the curl_multi_fdset() doc. +- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available - Prior to this change the multi examples would exit prematurely since - select() would error instead of sleeping when called without an fd. - - Reported-by: Johan Lantz - Bug: http://curl.haxx.se/mail/lib-2014-11/0221.html + Regression from commit 7a8e861a5 as highlighted in the msys autobuilds. -- [Tatsuhiro Tsujikawa brought this change] - - http2: Don't send Upgrade headers when we already do HTTP/2 - -Steve Holme (15 Nov 2014) -- sasl: Corrected Curl_sasl_build_spn() function description +- examples: Fixed compilation warnings - There was a mismatch in function parameter names. + pop3-multi.c:96:5: warning: implicit declaration of function 'memset' + imap-multi.c:96:5: warning: implicit declaration of function 'memset' + http2-download.c:226:5: warning: implicit declaration of function 'memset' + http2-upload.c:290:5: warning: implicit declaration of function 'memset' + http2-upload.c:290:5: warning: implicit declaration of function 'memset' -- tool: Removed krb4 from the supported features +- Makefile.inc: Fixed test run error - Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33, - so would not be output with --version, removed krb4 from the supported - features output. - -- [Michael Osipov brought this change] + test845 not present in tests/data/Makefile.inc - tool: Use Kerberos for supported features +Daniel Stenberg (20 Nov 2015) +- TODO: remove duplicated title -- urldata: Don't define sec_complete when no GSS-API support present +- TODO: added two more libcurl ideas - This variable is only used with HAVE_GSSAPI is defined by the FTP code - so let's place the definition with the other GSS-API based variables. + Moved some ideas from "next major" to just ordinary ideas since we can + always add new things while keeping the old without doing a "next + major". -- [Michael Osipov brought this change] +Steve Holme (20 Nov 2015) +- tests: Re-enabled tests 889 and 890 following POP3 fix - docs: Use consistent naming for Kerberos +- pop3: Differentiate between success and continuation responses -- TODO: Lets support QOP options in GSSAPI authentication +- pop3: Added clarity on some server response codes -- sasl_sspi: Corrected a couple of comment typos +Daniel Stenberg (20 Nov 2015) +- [Daniel Shahaf brought this change] -- sasl: Moved Curl_sasl_gssapi_cleanup() definition into header file + build: Fix theoretical infinite loops - Rather than define the function as extern in the source files that use - it, moved the function declaration into the SASL header file just like - the Digest and NTLM clean-up functions. + Add error-checking to 'cd' in a few cases where omitting the checks + might result in an infinite loop. - Additionally, added a function description comment block. + Closes #535 -- sasl_sspi: Added missing RFC reference for HTTP Digest authentication +Patrick Monnerat (19 Nov 2015) +- curl.h: s/#defien/#define/ -- ntlm: Clean-up and standardisation of base64 decoding +- os400: synchronize ILE/RPG header file -- ntlm: We prefer 'CURLcode result' +- os400: Provide options for libssh2 use in compile scripts. Adjust README. -Daniel Stenberg (13 Nov 2014) -- [Brad King brought this change] +Daniel Stenberg (19 Nov 2015) +- [danielsh@apache.org brought this change] - CMake: Restore order-dependent library checks - - Revert commit 2257deb502 (Cmake: Avoid cycle directory dependencies, - 2014-08-22) and add a comment explaining the purpose of the original - code. + zsh completion: Preserve single quotes in output - The check_library_exists_concat macro is intended to be called multiple - times on a sequence of possibly dependent libraries. Later libraries - may depend on earlier libraries when they are static. They cannot be - safely linked in reverse order on some platforms. + When an option's help string contains literal single quotes, those + single quotes would be stripped from the option's description in the + completion output (unless the zsh RC_QUOTES option were set while the + completion function was being sourced, which is not the default). This + patch makes the completion output contain single quotes where the --help + output does. - Signed-off-by: Brad King <brad.king@kitware.com> + Closes #532 -- [Brad King brought this change] +Jay Satiro (18 Nov 2015) +- [MaxGiting brought this change] - CMake: Restore order-dependent header checks - - Revert commit 1269df2e3b (Cmake: Don't check for all headers each - time, 2014-08-15) and add a comment explaining the purpose of the - original code. - - The check_include_file_concat macro is intended to be called multiple - times on a sequence of possibly dependent headers. Later headers - may depend on earlier headers to provide declarations. They cannot - be safely included independently on some platforms. - - For example, many POSIX APIs document including sys/types.h before some - other headers. Also on some OS X versions sys/socket.h must be included - before net/if.h or the check for the latter will fail. + FAQ: Grammar changes - Signed-off-by: Brad King <brad.king@kitware.com> + Closes https://github.com/bagder/curl/pull/533 -- [Peter Wu brought this change] - - test22: expand a backtick command +Daniel Stenberg (17 Nov 2015) +- http2: http_done: don't free already-freed push headers - This is the only user of the backtick operator in the command. As the - commands will soon not be executed by a shell anymore (but by perl), - replace the command with its output. + The push headers are freed after the push callback has been invoked, + meaning this code should only free the headers if the callback was never + invoked and thus the headers weren't freed at that time. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> - -- RELEASE-NOTES: synced with 2ee3c63b13 - -- http2: fix switched macro when http2 is not enabled + Reported-by: Davey Shafik -- [Tatsuhiro Tsujikawa brought this change] +- [Anders Bakken brought this change] - http2: Deal with HTTP/2 data inside response header buffer + getconnectinfo: Don't call recv(2) if socket == -1 - Previously if HTTP/2 traffic is appended to HTTP Upgrade response header - (thus they are in the same buffer), the trailing HTTP/2 traffic is not - processed and lost. The appended data is most likely SETTINGS frame. - If it is lost, nghttp2 library complains server does not obey the HTTP/2 - protocol and issues GOAWAY frame and curl eventually drops connection. - This commit fixes this problem and now trailing data is processed. + Closes #528 -Steve Holme (11 Nov 2014) -- configure: Fixed inclusion of krb5 when CURL_DISABLE_CRYPTO_AUTH is defined +- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header - Commit fe0f8967bf fixed a problem with krb5 not being defined as a - supported feature when HAVE_GSSAPI is defined, however, it should - only be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when - SPNEGO is listed as a feature. + ... if there are more than one using the same name -Daniel Stenberg (10 Nov 2014) -- multi: removed Curl_multi_set_easy_connection - - It isn't used anywhere! - - Reported-by: Carlo Wood +- http2: minor comment typo + +- sasl; fix checksrc warnings -- [Peter Wu brought this change] +Steve Holme (15 Nov 2015) +- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity - symbol-scan.pl: do not require autotools +- tests: Disabled 889 and 890 until we support POP3 continuation responses - Makes test1119 pass when building with cmake. + As POP3 final and continuation responses both begin with a + character, + and both the finalcode and contcode variables in SASLprotoc are set as + such, we cannot tell the difference between them when we are expecting + an optional continuation from the server such as the following: - configurehelp.pm is generated by configure (autotools). As cmake does - not provide a separate variable for the C preprocessor, default to cpp. - Before commit ef24ecde68a5f577a7f0f423a767620f09a0ab16 ("symbol-scan: - use configure script knowledge about how to run the C preprocessor"), - this tool would also use 'cpp'. + + something else from the server + +OK final response - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Disabled these tests until such a time we can tell the responses apart. -- [Peter Wu brought this change] +- tests: Corrected typos from commit ba4d8f7eba - cmake: add ENABLE_THREADED_RESOLVER, rename ARES - - Fix detection of the AsynchDNS feature which not just depends on - pthreads support, but also on whether USE_POSIX_THREADS is set or not. - Caught by test 1014. - - This patch adds a new ENABLE_THREADED_RESOLVER option (corresponding to - --enable-threaded-resolver of autotools) which also needs a check for - HAVE_PTHREAD_H. +- tests: Added OAUTHBEARER failure response tests + +- oauth2: Support OAUTHBEARER failures sent as continuation responses - For symmetry with autotools, CURL_USE_ARES is renamed to ENABLE_ARES - (--enable-ares). Checks that test for the availability actually use - USE_ARES instead as that is the result of whether a-res is available or - not (in practice this does not matter as CARES is marked as required - package, but nevertheless it is better to write the intent). + According to RFC7628 a failure message may be sent by the server in a + base64 encoded JSON string as a continuation response. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Currently only implemented for OAUTHBEARER and not XAUTH2. -- [Peter Wu brought this change] +Daniel Stenberg (15 Nov 2015) +- RELEASE-NOTES: synced with 808a17ee675 - cmake: build libhostname for test suite - - Used by some test cases via LD_PRELOAD in order to fake the host name. - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> +Steve Holme (14 Nov 2015) +- tests: Renamed existing OAuth 2.0 (XOAUTH) tests -- [Peter Wu brought this change] +- tests: Added OAuth 2.0 (OAUTHBEARER) tests - cmake: fix HAVE_GETHOSTNAME definition +- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP - Otherwise Curl_gethostname always fails. Windows has gethostname - since Vista according to - http://msdn.microsoft.com/en-us/library/ms738527%28VS.85%29.aspx, but - accordings to byte_bucket's VC 2005 documentation, it is available even - in Windows 95. (possibly after installing a Platform SDK, the - Windows Server 2003 SP1 Platform SDK should be sufficient). - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + OAUTHBEARER is now the official "registered" SASL mechanism name for + OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some + servers won't support the new mechanism yet. -- [Peter Wu brought this change] +Daniel Stenberg (13 Nov 2015) +- RELEASE-NOTES: recounted curl_easy_setopt() options - tests: fix libhostname visibility - - I noticed that a patched cmake build would pass tests with a fake local - hostname, but the autotools build skips them: +- typecheck-gcc.h: add missing slist-using options - got unexpected host name back, LD_PRELOAD failed + CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing - It turns out that -fvisibility=hidden hides the symbol, and since the - tests are not part of libcurl, it fails too. Just remove the LIBCURL - guard. - - Broken since cURL 7.30 (commit 83a42ee20ea7fc25abb61c0b7ef56ebe712d7093, - "curl.h: stricter CURL_EXTERN linkage decorations logic"). + Also sorted the list. + +- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + ... and sorted curl_is_cb_data_option alphabetically -- [Peter Wu brought this change] +Jay Satiro (13 Nov 2015) +- [Sebastian Pohlschmidt brought this change] - tests: fix memleak in server/resolve.c + openssl: Free modules on cleanup - This makes LeakSanitizer happy. - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> - -- configure: assume krb5 when gss-api works + Curl_ossl_init calls OPENSSL_load_builtin_modules() but + Curl_ossl_cleanup doesn't make a call to free these modules. - To please test 1014 while we work out if this is truly the a correct - assumption. + Bug: https://github.com/bagder/curl/issues/526 -Steve Holme (9 Nov 2014) -- vtls.h: Fixed compiler warning when compiled without SSL +Steve Holme (13 Nov 2015) +- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias - vtls.c:185:46: warning: unused parameter 'data' + ...following commit aba281e762 to fix test 1119. -- RELEASE-NOTES: Synced with 2fbf23875f +Daniel Stenberg (13 Nov 2015) +- curl: mark two more options strings for --libcurl output -- ntlm: Added separate SSPI based functions +- typecheck-gcc.h: add some missing string types - In preparation for moving the NTLM message code into the SASL module, - and separating the native code from the SSPI code, added functions that - simply call the functions in curl_ntlm_msg.c. + Also sorted that list alphabetically -- http_ntlm: Use the SASL functions instead +- curl.h: introducing the STRINGPOINT alias - In preparation for moving the NTLM message code into the SASL module - use the SASL functions in the HTTP code instead. + As an alias for OBJECTPOINT. Provided to allow us to grep for all string + options easier. -Daniel Stenberg (9 Nov 2014) -- libssh2: detect features based on version, not configure checks +- cleanup: general removal of TODO (and similar) comments - ... so that non-configure builds get the correct functions too based on - the libssh2 version used. + They tend to never get updated anyway so they're frequently inaccurate + and we never go back to revisit them anyway. We document issues to work + on properly in KNOWN_BUGS and TODO instead. -- [Nobuhiro Ban brought this change] +- ftplistparser: remove empty function - SSH: use the port number as well for known_known checks - - ... if the libssh2 version is new enough. +- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key + +- openssl: all supported versions have X509_STORE_set_flags - Bug: http://curl.haxx.se/bug/view.cgi?id=1448 + Simplify by removing #ifdefs and macros -Steve Holme (9 Nov 2014) -- INSTALL: Updated pre-processor references to the old VC6 project files +- openssl: remove 0.9.3 check + +- openssl: remove #ifdefs for < 0.9.5 support - Reworked the two sections that discuss modifying the Visual Studio pre- - processor settings, and vc6libcurl.dsw/vc6libcurl.dsp, to remove the - project files references as they have been superseded by a more thorough - set of project files for VC6 through VC12, but to also give the correct - reference to this setting in later versions of Visual Studio. + We only support >= 0.9.7 -- INSTALL: Added email protocols to the "Disabling in Win32 builds" section +- lib/vtls/openssl: remove unused traces of yassl ifdefs -- configure: Fixed NTLM missing from features when CURL_DISABLE_HTTP defined +Dan Fandrich (12 Nov 2015) +- [dfandrich brought this change] -- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined - - USE_NTLM would only be defined if: HTTP support was enabled, NTLM and - cryptography weren't disabled, and either a supporting cryptography - library or Windows SSPI was being compiled against. + unit1603: Demote hash mismatch failure to a warning - This means it was not possible to build libcurl without HTTP support - and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather - than introduce a new SASL pre-processor definition, removed the HTTP - prerequisite just like USE_SPNEGO and USE_KRB5. - - Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP - as it is only available to HTTP at present. - - This bug dates back to August 2011 when I started to add support for - NTLM to SMTP. + The hashes can vary between architectures (e.g. Sparc differs from x86_64). + This is not a fatal problem but just reduces the coverage of these white-box + tests, as the assumptions about into which hash bucket each key falls are no + longer valid. -- ntlm: Removed an unnecessary free of native Target Info - - Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target() is - longer required. +- [dfandrich brought this change] -- ntlm: Moved the native Target Info clean-up from HTTP specific function + unit1603: Added unit tests for hash functions -- ntlm: Moved SSPI clean-up code into SASL module +- [dfandrich brought this change] -- Makefile.dist: Added support for WinIDN + unit1602: Fixed failure in torture test -- Makefile.vc6: Added support for WinIDN +Steve Holme (12 Nov 2015) +- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism + + Following the fix in commit d6d58dd558 it is necessary to re-introduce + XOAUTH2 in the default enabled authentication mechanism, which was + removed in commit 7b2012f262, otherwise users will have to specify + AUTH=XOAUTH2 in the URL. + + Note: OAuth 2.0 will only be used when the bearer is specified. -- Makefile.dist: Added some missing SSPI configurations +- [Stefan Bühler brought this change] -- Makefile.dist: Separated the groups of SSL configurations from each other + sasl_sspi: fix identity memory leak in digest authentication -- Makefile.dist: Grouped the x64 configurations next to their x86 counterparts +- [Stefan Bühler brought this change] -- curl.h: Tidy up of CURL_VERSION_* flags + sasl_sspi: fixed unicode build for digest authentication - As the list has gotten a little messy and hard to read, especially with - the introduction of deprecated items, aligned the values and comments - into clean columns and reworked some of the comments in the process. + Closes #525 -- curl_tool: Added krb5 to the supported features +- oauth2: Re-factored OAuth 2.0 state variable -- configure: Added krb5 to the supported features - -- version info: Added Kerberos V5 to the supported features +- sasl: Don't choose OAuth 2.0 if mechanism not advertised + + Regression from commit 9e8ced9890 which meant if --oauth2-bearer was + specified but the SASL mechanism wasn't supported by the server then + the mechanism would be chosen. -Guenter Knauf (7 Nov 2014) -- mk-ca-bundle.vbs: switch to new certdata.txt url. +Daniel Stenberg (12 Nov 2015) +- runtests: more compact "System characteristics" output + + - no point in repeating curl features that is already listed as features + from the curl -V output + + - remove the port numbers/unix domain path from the output unless + verbose is used, as that is rarely interesting to users. -Steve Holme (7 Nov 2014) -- RELEASE-NOTES: Synced with dcad09e125 +- runtests: rename conditional curl-features to $has_[name] -- http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1 +Steve Holme (11 Nov 2015) +- oauth2: Introduced support for host and port details - Fixed a couple of memory leaks as a result of moving code that used to - populate allocuserpwd and relied on it's clean up. + Added support to the OAuth 2.0 message function for host and port, in + order to accommodate the official OAUTHBEARER SASL mechanism which is + to be added shortly. -- docs: Updated following the addition of SSPI based HTTP digest auth +- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined -- sasl_sspi: Tidy up of the existing digest code +- cmake: Add missing feature macros in config header (Part 2) - Following the addition of SSPI support for HTTP digest, synchronised - elements of the email digest code with that of the new HTTP code. + In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols. -- http_digest: Post SSPI support tidy up +Daniel Stenberg (10 Nov 2015) +- [Douglas Creager brought this change] + + cmake: Add missing feature macros in config header + + The curl_config.h file can be generated either from curl_config.h.cmake + or curl_config.h.in, depending on whether you're building using CMake or + the autotools. The CMake template header doesn't include entries for + all of the protocols that you can disable, which (I think) means that + you can't actually disable those protocols when building via CMake. - Post tidy up to ensure commonality of code style and variable names. + Closes #523 -Dan Fandrich (6 Nov 2014) -- test552: Don't run HTTP digest tests for SSPI based builds +- [Douglas Creager brought this change] + + BoringSSL: Work with stricter BIO_get_mem_data() + + BoringSSL implements `BIO_get_mem_data` as a function, instead of a + macro, and expects the output pointer to be a `char **`. We have to add + an explicit cast to grab the pointer as a `const char **`. - Technical difficulties prevented this from going into the - previous commit. + Closes #524 -Steve Holme (6 Nov 2014) -- tests: Don't run HTTP digest tests for SSPI based builds +- http2: rectify the http2 version #if check - Added !SSPI to the features list of the HTTP digest tests, as SSPI - based builds now use the Windows SSPI messaging API rather than the - internal functions, and we can't control the random numbers that get - used as part of the digest. + We need 1.0.0 or later. Also verified by configure. -Daniel Stenberg (6 Nov 2014) -- curl.1: show zone index use in a URL +Steve Holme (9 Nov 2015) +- oauth2: Don't use XAUTH2 in OAuth 2.0 function name -Steve Holme (6 Nov 2014) -- http_digest: Fixed auth retry loop when SSPI based authentication fails +- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables -- http_digest: Reworked the SSPI based input token storage +- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments - Reworked the input token (challenge message) storage as what is passed - to the buf and desc in the response generation are typically blobs of - data rather than strings, so this is more in keeping with other areas - of the SSPI code, such as the NTLM message functions. + When referring to OAuth 2.0 we should use the official name rather the + SASL mechanism name. -- sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9 +Daniel Stenberg (9 Nov 2015) +- imap: avoid freeing constant string - Added void reference to unused 'data' parameter back to fix compilation - warning. + The fix in 1a614c6c3 was wrong and would leed to free() of a fixed + string. + + Pointed-out-by: Kamil Dudka -- sspi: Align definition values to even columns as we use 2 char spacing +- ROADMAP: remove two items already done -- sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE - - Some versions of Microsoft's sspi.h don't define this. +- RELEASE-NOTES: synced with 2200bf62054 -- sasl: Removed non-SSPI Digest functions and defines from SSPI based builds +Jay Satiro (9 Nov 2015) +- acinclude: Remove check for 16-bit curl_off_t + + Because it's illogical to check for a 16-bit curl_off_t. - Introduced in commit 7e6d51a73c these functions and definitions are only - required by the internal challenge-response functions now. + Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205 -- sasl_sspi: Added HTTP digest response generation code +Dan Fandrich (8 Nov 2015) +- tool: Fixed a memory leak on OOM introduced in 19cb0c4a -- http_digest: Added SSPI based challenge decoding code +Steve Holme (8 Nov 2015) +- [Justin Ehlert brought this change] -- http_digest: Added SSPI based clean-up code + imap: Don't check for continuation when executing a CUSTOMREQUEST + + Bug: https://github.com/bagder/curl/issues/486 + Closes https://github.com/bagder/curl/pull/487 + +Daniel Stenberg (7 Nov 2015) +- imap: checksrc: remove space after while before paren -- http_digest: Added SSPI based authentication functions +- checksrc.whitelist: "missing space after close paren" - This temporarily breaks HTTP digest authentication in SSPI based builds, - causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will - resume normal operation. + ... when it was within a string! -- http_digest: Added required SSPI based variables to digest structure +Steve Holme (7 Nov 2015) +- opts: Corrected TLS protocols list to include POP3S rather than POP3 + +- imap: Quote other 'atom-specials' and not just the space character + + Closes #517 -Daniel Stenberg (6 Nov 2014) -- [Frank Gevaerts brought this change] +- imap: Fixed double quote in LIST command when mailbox contains spaces - contributors.sh: --releasenotes reads in names from RELEASE-NOTES +Daniel Stenberg (6 Nov 2015) +- imap: fix compiler warning - This is very handy when updating the RELEASE-NOTES as then we sometimes - have names added manually in the existing list and we use this script to - update the set. + imap.c:657:13: error: assignment discards 'const' qualifier from pointer + target type [-Werror=discarded-qualifiers] -- RELEASE-NOTES: synced with 68542e72a9 +Steve Holme (6 Nov 2015) +- imap: Don't call imap_atom() when no mailbox specified in LIST command -- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY +Daniel Stenberg (6 Nov 2015) +- curl.1: remove the overlap --range example - Reported-by: Christian Hägele - Bug: http://curl.haxx.se/mail/lib-2014-11/0078.html + ... it is just weird to include by default even if it still works. -Steve Holme (5 Nov 2014) -- build: Fixed Visual Studio project file generation of strdup.[c|h] +- tftp tests: verify sent options too - As the curl command-line tool now includes it's own version of strdup(), - for platforms that don't have it, fixed up the git respository Visual - Studio project file generator to not include the version from lib in the - tool project files, rather than having both lib\strdup.[c|h] and - src\tool_strdup.[c|h] present. + The tftpd test server now logs all received options and thus all TFTP + test cases need to match them exactly. + + Extended test 283 to use and verify --tftp-blksize. -Daniel Stenberg (5 Nov 2014) -- tool_strdup.c: include the tool strdup.h +Jay Satiro (6 Nov 2015) +- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value + + - Set user info param to the socket returned by Curl_getconnectinfo, + regardless of if the socket is bad. Effectively this means the user info + param now will receive CURL_SOCKET_BAD instead of -1 on bad socket. + + - Remove incorrect comments. + + CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user + info param but prior to this change it wrote -1. - ... not the lib/ one that the tool no longer uses! + Bug: https://github.com/bagder/curl/pull/518 + Reported-by: Marcel Raad -- THANKS-filter: added another Michał Górny version we've used +Patrick Monnerat (5 Nov 2015) +- curl_ntlm_core: fix 2 curl_off_t constant overflows. -- contributors.sh: split lists using " and " - - ... and require the space after the filtering to make the filter able to - remove names. +- os400: adjust specific code to support new options. -Steve Holme (5 Nov 2014) -- http_digest: Fixed memory leaks from commit 6f8d8131b1 +Daniel Stenberg (2 Nov 2015) +- [Lauri Kasanen brought this change] -- sasl: Fixed compilation warning from commit 25264131e2 + rawstr: Speed up Curl_raw_toupper by 40% - Added forward declaration of digestdata to overcome the following - compilation warning: + Rationale: when starting up a curl-using app, all cookies from the jar + are checked against each other. This was causing a startup delay in the + Fifth browser. - warning: 'struct digestdata' declared inside parameter list + All tests pass. - Additionally made the ntlmdata forward declaration dependent on - USE_NTLM similar to how digestdata and kerberosdata are. + Signed-off-by: Lauri Kasanen <cand@gmx.com> -- sasl: Fixed HTTP digest challenges with spaces between auth parameters +- http redirects: %-encode bytes outside of ascii range - Broken as part of the rework, in commit 7e6d51a73c, to assist with the - addition of HTTP digest via Windows SSPI. - -- http_digest: Fixed compilation errors from commit 6f8d8131b1 + Apparently there are sites out there that do redirects to URLs they + provide in plain UTF-8 or similar. Browsers and wget %-encode such + headers when doing a subsequent request. Now libcurl does too. + + Added test 1138 to verify. - error: invalid operands to binary - warning: pointer targets in assignment differ in signedness + Closes #473 -- http_digest: Moved response generation into SASL module +- RELEASE-NOTES: synced with cba5bc585410 -- http_digest: Moved challenge decoding into SASL module +- symbols-in-version: add all CURL_HTTPPOST_* symbols -- http_digest: Moved clean-up function into SASL module +- formadd: support >2GB files on windows + + Closes #425 -- http_digest: Moved algorithm definitions to SASL module +- curl.h: s/HTTPPOST_/CURL_HTTPOST_ + + Fixes a name space pollution at the cost of programs using one of these + defines will no longer compile. However, the vast majority of libcurl + programs that do multipart formposts use curl_formadd() to build this + list. + + Closes #506 -- [Gisle Vanem brought this change] +- mbedtls: fix "Structurally dead code" + + CID 1332129 - ssh: Fixed build on platforms where R_OK is not defined +- mbedtls: fix "Logically dead code" - Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html - Reported-by: Jan Ehrhardt + CID 1332128 -- strdup: Removed irrelevant comment +- Revert "openssl: engine: remove double-free" - ...as Curl_memdup() duplicates an area of fix size memory, that may be - binary, and not a null terminated string. + This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd. + + Issue #509 has all the details but it was confirmed that the crash was + not due to this, so the previous commit was wrong. -- url.c: Fixed compilation warning +- curl.1: -E: s/private certificate/client certificate + + ... as the certificate is strictly speaking not private. - conversion from 'curl_off_t' to 'size_t', possible loss of data + Reported-by: John Levon -- http_digest: Use CURLcode instead of CURLdigest +- openssl: engine: remove double-free - To provide consistent behaviour between the various HTTP authentication - functions use CURLcode based error codes for Curl_input_digest() - especially as the calling code doesn't use the specific error code just - that it failed. + After a successful call to SSL_CTX_use_PrivateKey(), we must not call + EVP_PKEY_free() on the key. + + Reported-by: nased0 + Closes #509 + +Jay Satiro (27 Oct 2015) +- socks: Fix incorrect port numbers in failed connect messages -Daniel Stenberg (5 Nov 2014) -- contributors.sh: filter common alternative name spellings +Daniel Stenberg (26 Oct 2015) +- DISTRO-DILEMMA: removed - docs/THANKS-filter is a new filter file for converting contributor names - we get or have recorded in alternative formats to the one we already use - in THANKS. To help us show individual contributors using a single - presentation of their names. + Out of date and not kept accurate. It was sort of a problem of the past + anyway. -- THANKS: added missing contributor from 2012 +- [xiangbin li brought this change] -- [Frank Gevaerts brought this change] + MacOSX-Framework: sdk regex fix for sdk 10.10 and later + + closes #507 - Remove duplicate names. +Jay Satiro (24 Oct 2015) +- build: Fix support for PKG_CONFIG - The removed names also appear as: - Andrés García, François Charlier, Gökhan Şengün, Michał Górny, Sébastien - Willemijns, Christopher Conroy, John E. Malmberg, Luca Altea, Peter Su, - S. Moonesamy, Samuel Listopad, Yasuharu Yamada, Karl Moerder + - Allow the user to use PKG_CONFIG but not PKGCONFIG. + + Background: + + Last week in 14d5a86 a change was made to allow the user to set the + PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the + more common PKG_CONFIG as an alternative if PKGCONFIG is not set. + + Neither of those changes worked as expected because PKGCONFIG is + occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro. + Instead in this commit I take the approach that the user may set + PKG_CONFIG only. -Steve Holme (5 Nov 2014) -- sspi: Define authentication package name constants +- build: Fix mingw ssl gdi32 order + + - If mingw ssl make sure -lgdi32 comes after ssl libs - These were previously hard coded, and whilst defined in security.h, - they may or may not be present in old header files given that these - defines were never used in the original code. + - Allow PKG_CONFIG to set pkg-config location and options - Not only that, but there appears to be some ambiguity between the ANSI - and UNICODE NTLM definition name in security.h. + Bug: https://github.com/bagder/curl/pull/501 + Reported-by: Kang Lin -Patrick Monnerat (5 Nov 2014) -- Adjust OS400-specific support to last release +Daniel Stenberg (23 Oct 2015) +- RELEASE-NOTES: synced with 03b6e078163f -Daniel Stenberg (5 Nov 2014) -- THANKS: added two missing names and removed a duplicate +- polarssl/mbedtls: fix name space pollution - ./contributors.sh found these extra ones that somehow had fallen - through the cracks and never gotten added here. - - Reported-by: Frank Gevaerts + Global private symbols MUST start with Curl_! -- bump: towards next release +- [Dmitry S. Baikov brought this change] + + mbedTLS: THREADING_SUPPORT compilation fix + + Closes #505 -- THANKS: added names from 7.39.0 release notes +- test1137: verify --ignore-content-length for FTP -Version 7.39.0 (5 Nov 2014) +- curl.1: --ignore-content-length now works for FTP too -Daniel Stenberg (5 Nov 2014) -- RELEASE-NOTES: 7.39.0 release (commit b3875606925) +- [Kurt Fankhauser brought this change] -- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds - - When duplicating a handle, the data to post was duplicated using - strdup() when it could be binary and contain zeroes and it was not even - zero terminated! This caused read out of bounds crashes/segfaults. + ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size - Since the lib/strdup.c file no longer is easily shared with the curl - tool with this change, it now uses its own version instead. + This allows FTP transfers with growing (or shrinking) files without + causing a transfer error. - Bug: http://curl.haxx.se/docs/adv_20141105.html - CVE: CVE-2014-3707 - Reported-By: Symeon Paraschoudis + Closes #480 -- lib544.c: use duphandle for test 545 +- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too - To verify that curl_easy_duphandle() works fine on a handle that has - gotten data stored with *_COPYPOSTFIELDS. + ... and add a little example of what the weight actually means. "Relative + proportion of bandwidth". -- tests: add new feature 'SSLpinning' - - ... and make test 2034 and 2035 require it, and have it set when built - with OpenSSL or GnuTLS. +- http2: add stream options to dist and curl_easy_setopt.3 -- buildconf: update copyright year +- http2: s/priority/weight -Steve Holme (4 Nov 2014) -- INSTALL: Consistent spacing in section headings, paragraphs and examples +- http2: on_frame_recv: trust the conn/data input + + Removed wrong assert()s + + The 'conn' passed in as userdata can be used and there can be other + sessionhandles ('data') than the single one this checked for. -Daniel Stenberg (4 Nov 2014) -- buildconf: stop checking for libtool +- http2: added three stream prio/deps options + + CURLOPT_STREAM_DEPENDS - As we only use libtoolize, only check for that! + CURLOPT_STREAM_DEPENDS_E + + CURLOPT_STREAM_PRIORITY -Steve Holme (4 Nov 2014) -- INSTALL: Corrected MIT Kerberos and Heimdal package names +- RELEASE-NOTES: synced with ace68fdc0cfed83d -- README: Corrected inconsistent use of --help +- [m-gardet brought this change] -- INSTALL: Use GSS-API rather than GSSAPI - - As implementations are refereed to GSS-API libraries as per the RFC and - GSSAPI typically refers to the SASL authentication mechanism. + mbedtls:new profile with RSA min key len = 1024. - ...and minor rewording on the same paragraph. + Closes #502 -- README: Added note about using Visual Studio projects out of git repository +- checksrc: add crude // detection -Daniel Stenberg (4 Nov 2014) -- [K. R. Walker brought this change] +Jay Satiro (21 Oct 2015) +- [Gisle Vanem brought this change] - cmake: fix ZLIB_INCLUDE_DIRS use + build: fix for MSDOS/djgpp - CMake 2.8's FindZLIB.cmake documents ZLIB_INCLUDE_DIRS, see - http://www.cmake.org/cmake/help/v2.8.0/cmake.html#module:FindZLIB + - Add a VPATH-statement for the vtls/*.c files. - Bug: https://github.com/bagder/curl/pull/123 + - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS). -- [Jay Satiro brought this change] +Daniel Stenberg (20 Oct 2015) +- copyrights: update Gisle Vanem's email - SSL: PolarSSL default min SSL version TLS 1.0 +- vtls: fix compiler warning for TLS backends without sha256 - - Prior to this change no SSL minimum version was set by default at - runtime for PolarSSL. Therefore in most cases PolarSSL would probably - have defaulted to a minimum version of SSLv3 which is no longer secure. + ... noticed with mbedTLS. -- opts-Makefile: put more man pages into dist and make hmtl+pdf +- [Jonas Minnberg brought this change] -- curl_multi_setopt.3: refer to stand-alone pages + vtls: added support for mbedTLS - ... instead of duplicating info. + closes #496 -- opts: more multi options as stand-alone man pages +Jay Satiro (19 Oct 2015) +- [Javier G. Sogo brought this change] -- Makefile.am: two cmake files are gone + cmake: Fix for add_subdirectory(curl) use-case - 8cb010144 removed the CurlCheckCSourceCompiles.cmake and - CurlCheckCSourceRuns.cmake files - -- opts: made stand-alone man-pages for several multi options + - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR. + + When including CURL using add_subdirectory the variables + CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths. + + Closes https://github.com/bagder/curl/pull/488 + Closes https://github.com/bagder/curl/pull/498 -- [Carlo Wood brought this change] +Daniel Stenberg (18 Oct 2015) +- RELEASE-NOTES: synced with 4c773bcb474e - Curl_single_getsock: fix hold/pause sock handling +- tests/FILEFORMAT: mention PSL as a valid feture to check for - The previous condition that checked if the socket was marked as readable - when also adding a writable one, was incorrect and didn't take the pause - bits properly into account. + For example in test 1136 -- [Peter Wu brought this change] +- teste1136: only run when PSL is enabled - cmake: fix struct sockaddr_storage check - - CHECK_TYPE_SIZE_PREINCLUDE is an internal, undocumented variable which - was removed in cmake 2.8.1. According to the MSDN docs[1], inclusion - of winsock2.h is sufficient. WIN32_LEAN_AND_MEAN does not really seem - to affect the tests, so remove it too[2]. - - For the non-windows case, remove inet headers as POSIX only requires - sys/socket.h. +- curl: slist_wc: remove curl_memory.h inclusion - [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740504%28v=vs.85%29.aspx - [2]: http://stackoverflow.com/questions/11040133/what-does-defining-win32-lean-and-mean-exclude-exactly + ... that's for the library only. + +- configure: add PSL to the list of features - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + ... to make test 1014 work again after e77b5b7453. -- [Peter Wu brought this change] +- [Daniel Hwang brought this change] - cmake: clean OtherTests, fixing -Werror + tool: Generate easysrc with last cache linked-list - There were several -Wunused warnings and one duplicate macro definition. - The EXTRA_DEFINES variable of the CurlCheckCSources macro was being - abused ("__unused1\n#undef inline\n#define __unused2", seriously?) to - insert extra C code. Avoid this broken abstraction and use cmake's - check_c_source_compiles directly (works fine with CMake 2.8, maybe - even cmake 2.6). + Using a last cache linked-list improves the performance of easysrc + generation. - After cleaning up all related variables (EXTRA_DEFINES, - HEADER_INCLUDES, auxiliary headers_hack), also remove a duplicate - add_headers_include macro and remove duplicate header additions before - the struct timeval check. + Bug: https://github.com/bagder/curl/issues/444 + Ref: https://github.com/bagder/curl/issues/429 - Oh, and now the code is converted to use CheckCSourceRuns and - CheckCSourceCompiles, the two curl-specific helpers can be removed. - Unfortunately, the cmake output is now slightly more verbose. Before: + Closes #452 + +- [Tim Rühsen brought this change] + + cookies: Add support for Mozilla's Publix Suffix List - Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Failed + Use libpsl to check the domain value of Set-Cookie headers (and cookie + jar entries) for not being a Publix Suffix. - Since check_c_source_compiles prints the varname, now you see: + The configure script checks for "libpsl" by default. Disable the check + with --without-libpsl. - Performing Test curl_cv_func_send_test - Performing Test curl_cv_func_send_test - Failed - Tested: int send(int, const void *, size_t, int) + Ref: https://publicsuffix.org/ + Ref: https://github.com/publicsuffix/list + Ref: https://github.com/rockdaboot/libpsl + +- [Richard Hosking brought this change] + + curlbuild.h: Fix non-configure compiling to mips and sh4 targets + +- [Anders Bakken brought this change] + + http2: Don't pass unitialized name+len pairs to nghttp2_submit_request - Compared cmake output with each other using vimdiff, no functional - differences were found. Tested with GCC 4.9.1 and Clang 3.5.0. + bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #493 -- [Peter Wu brought this change] +Dan Fandrich (16 Oct 2015) +- test1601: fix compilation with --enable-debug and --disable-crypto-auth - cmake: fix gethostby{addr,name}_r in CurlTests +Daniel Stenberg (16 Oct 2015) +- multi: fix off-by-one finit[] array size - This patch cleans up the automatically-generated (?) code and fixes one - case that will always fail due to syntax error. + introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it + must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST + is 19 right now. - HAVE_GETHOSTBYADDR_R_5_REENTRANT always failed because of a trailing - character ("int length;q"). Several parameter type and unused variable - warnings popped up. This causes a detection failure with -Werror. + Reported-by: Dan Fandrich + Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html + +- fread_func: move callback pointer from set to state struct - Observe that the REENTRANT cases are exactly the same as their - non-REENTRANT cases except for a `_REENTRANT` macro definition. - Merge all these pieces and build one big main function with different - cases, but reusing variables where logical. + ... and assign it from the set.fread_func_set pointer in the + Curl_init_CONNECT function. This A) avoids that we have code that + assigns fields in the 'set' struct (which we always knew was bad) and + more importantly B) it makes it impossibly to accidentally leave the + wrong value for when the handle is re-used etc. - For the cases where the parameters where NULL, I looked at - lib/hostip4.c to get an idea of the parameters types. + Introducing a state-init functionality in multi.c, so that we can set a + specific function to get called when we enter a state. The + Curl_init_CONNECT is thus called when switching to the CONNECT state. - void-cast variables such as 'rc' to avoid -Wuninitialized errors. + Bug: https://github.com/bagder/curl/issues/346 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #346 -- [Peter Wu brought this change] +Dan Fandrich (14 Oct 2015) +- test1531: case the size to fix the test on non-largefile builds - cmake: drop _BSD_SOURCE macro usage +Daniel Stenberg (13 Oct 2015) +- acinclude: remove PKGCONFIG override - autotools does not use features.h nor _BSD_SOURCE. As this macro - triggers warnings since glibc 2.20, remove it. It should not have - functional differences. + ... and allow it to get set by a caller easier. - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Reported-by: Rainer Jung + Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html -Steve Holme (2 Nov 2014) -- RELEASE-NOTES: Synced with d71ea7c01e - - Additionally, updated "GSSAPI" to "GSS-API" for a Cmake related change - as GSSAPI can be confused with the authentication mechanism rather than - a GSS-API implementation library such as MIT or Heimdal. +Dan Fandrich (12 Oct 2015) +- docs/INSTALL: Updated example minimal binary sizes -- build: Added WinIDN build configuration options - - Added support for WinIDN build configurations to the VC6 project files. +Daniel Stenberg (11 Oct 2015) +- [Erik Johansson brought this change] -- build: Added WinIDN build configuration options + openssl: Fix set up of pkcs12 certificate verification chain - Added support for WinIDN build configurations to the VC7 and VC7.1 - project files. + sk_X509_pop will decrease the size of the stack which means that the loop would + end after having added only half of the certificates. + + Also make sure that the X509 certificate is freed in case + SSL_CTX_add_extra_chain_cert fails. -- build: Fixed the pre-processor separator in Visual Studio project files +- ntlm: error out without 64bit support as the code needs it - A left over from the VC6 project files, so mainly cosmetic in Visual - Studio .NET as it can handle both comma and semi-colon characters for - separating multiple pre-processor definitions. + It makes it a clearer message for developers reaching that point without + the necessary support. - However, the IDE uses semi-colons if the value is edited, and as such, - this may cause problems in future for anyone updating the files or - merging patches. + Thanks-by: Jay Satiro - Used the Visual Studio IDE to correct the separator character. + Closes #78 -- build: Added optional specific version generation of VC project files +- curl_global_init: set the memory function pointers correct - ..when working from the git repository. This is particularly useful - for single development environments where the project files for all - supported versions of Visual Studio may not be required. + follow-up from 6f8ecea0 -- [Jay Satiro brought this change] - - build-openssl.bat: Fix x64 release build +- curl_global_init_mem: set function pointers before doing init - Prior to this change if x64 release was specified a failed attempt was - made to build x86 release instead. - -- CURLOPT_XOAUTH2_BEARER.3: Corrected the OAuth version number + ... as in the polarssl TLS backend for example it uses memory functions. -- CURLOPT_SASL_IR.3: Added supported mechanism information +Jay Satiro (9 Oct 2015) +- http2: Fix http2_recv to return -1 if recv returned -1 - ...and removed duplication of what protocols are supported from the - description text. + If the underlying recv called by http2_recv returns -1 then that is the + value http2_recv returns to the caller. -- opts: Use common wording for MAIL related names +Daniel Stenberg (8 Oct 2015) +- [Svyatoslav Mishyn brought this change] -- opts: Use common wording for TLS user/password option names + curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET - ...and revised the proxy wording a little as well. + Closes #479 -- CURLOPT_MAXCONNECTS.3: Reworked the description to be less confusing - - ...and corrected a related typo in curl_easy_setopt.3. +- [Svyatoslav Mishyn brought this change] -Guenter Knauf (2 Nov 2014) -- RELEASE-NOTES: removed obsolete entry; fixed entry. + curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET -Steve Holme (2 Nov 2014) -- RELEASE-NOTES: Synced with e7da67f5d3 +- [Svyatoslav Mishyn brought this change] -- docs: Added mention of Kerberos for CURL_VERSION_SSPI - - As this has been present for SOCKSv5 proxy since v7.19.4 and for IMAP, - POP3 and SMTP authentication since v7.38.0. + CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET -- CURL_VERSION_KERBEROS4: Mark as deprecated - - Support for Kerberos V4 was removed in v7.33.0. +- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO -- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used +- ntlm: get rid of unconditional use of long long - Typically the USE_WINDOWS_SSPI definition would not be used when the - CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build - configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication - data structures and functions would incorrectly be used when they - shouldn't be. + ... since some compilers don't have it and instead use other types, such + as __int64. - Introduced a new USE_KRB5 definition that takes into account the use of - CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do. + Reported by: gkinseyhpw + Closes #478 -- openssl: Use 'CURLcode result' - - More CURLcode fixes. +Jay Satiro (8 Oct 2015) +- [Anders Bakken brought this change] -Daniel Stenberg (1 Nov 2014) -- resume: consider a resume from [content-length] to be OK - - Basically since servers often then don't respond well to this and - instead send the full contents and then libcurl would instead error out - with the assumption that the server doesn't support resume. As the data - is then already transfered, this is now considered fine. + des: Fix header conditional for Curl_des_set_odd_parity - Test case 1434 added to verify this. Test case 1042 slightly modified. - - Reported-by: hugo - Bug: http://curl.haxx.se/bug/view.cgi?id=1443 + Follow up to 613e502. -Steve Holme (1 Nov 2014) -- openssl: Use 'CURLcode result' +Daniel Stenberg (7 Oct 2015) +- configure: build silently by default - More standardisation of CURLcode usage and coding style. + 'make V=1' will make the build verbose like before -- openssl: Use 'CURLcode result' - - ...and some minor code style changes. +- bump: start climbing toward 7.46.0 + +- RELEASE-PROCEDURE: add the github HTTPS download step + +Version 7.45.0 (7 Oct 2015) -- ftplistparser: We prefer 'CURLcode result' +Daniel Stenberg (7 Oct 2015) +- THANKS: 19 new contributors from the 7.45.0 announcement -- opts: Use common wording for user/password option names +- RELEASE-NOTES: synced with 69ea57970080 -- CURLOPT_CONNECT_ONLY.3: Removed "This option is implemented for..." text +Jay Satiro (4 Oct 2015) +- getinfo: Fix return code for unknown CURLINFO options - As this is covered by the PROTOCOLS section and saves having to update - two parts of the document with the same information in future. + - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION. + + Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on + unknown. That return value is contradicted by the CURLINFO option + documentation which specifies a return of CURLE_UNKNOWN_OPTION on + unknown. + +- [rouzier brought this change] -- CURLOPT_GSSAPI_DELEGATION.3: Use GSS-API rather than GSSAPI + hiperfifo: fix the pointer passed to WRITEDATA - As implementations are refereed to GSS-API libraries as per the RFC and - GSSAPI typically refers to an authentication mechanism. + Closes https://github.com/bagder/curl/pull/471 -- CURLOPT_CONNECT_ONLY.3: Fixed incomplete protocol list +- [Maksim Stsepanenka brought this change] + + tool_setopt: fix c_escape truncated octal - Added missing IMAP to the protocol list. + Closes https://github.com/bagder/curl/pull/469 -- code cleanup: Use 'CURLcode result' +Daniel Stenberg (1 Oct 2015) +- [Orange Tsai brought this change] -- curl_easy_setopt.3: Fixed lots of typos + gopher: don't send NUL byte + + Closes #466 -- curl_easy_setopt.3: Moved CURLOPT_DIRLISTONLY into PROTOCOL OPTIONS +Jay Satiro (29 Sep 2015) +- runtests: Fix pid check in checkdied - ...as this option affects more that just FTP. + Because the 'not' operator has a very low precedence and as a result the + entire statement was erroneously negated and could never be true. -Guenter Knauf (30 Oct 2014) -- build: added Watcom support to build with WinSSL. +Daniel Stenberg (30 Sep 2015) +- [Thorsten Schöning brought this change] -Daniel Stenberg (30 Oct 2014) -- CURLOPT_PINNEDPUBLICKEY.3: added details + win32: make recent Borland compilers use long long -Steve Holme (30 Oct 2014) -- CURLOPT_CUSTOMREQUEST.3: Fixed incomplete protocol list - - Whilst the description included information about SMTP, the protocol - list only showed "TTP, FTP, IMAP, POP3". +- RELEASE-NOTES: synced with 69b89050d4 -- CURLOPT_DIRLISTONLY.3: Added information about the usage in POP3 +Jay Satiro (28 Sep 2015) +- [Michael Kalinin brought this change] -Daniel Stenberg (29 Oct 2014) -- openssl: enable NPN separately from ALPN + openssl: Fix algorithm init - ... and allow building with nghttp2 but completely without NPN and ALPN, - as nghttp2 can still be used for plain-text HTTP. + - Change algorithm init to happen after OpenSSL config load. - Reported-by: Lucas Pardue - -- configure.ac: remove checks for OpenSSL NPN/ALPN funcs again + Additional algorithms may be available due to the user's config so we + initialize the algorithms after the user's config is loaded. - ... since the conditional in the code are now based on OpenSSL versions - instead to better support non-configure builds. - -- opts: added some "SEE ALSO" references + Bug: https://github.com/bagder/curl/issues/447 + Reported-by: Denis Feklushkin -Steve Holme (29 Oct 2014) -- RELEASE-NOTES: Synced with 32913182dc +- [Svyatoslav Mishyn brought this change] -- vtls.c: Fixed compilation warning + docs: fix unescaped '\n' in man pages - conversion from 'size_t' to 'unsigned int', possible loss of data + Closes https://github.com/bagder/curl/pull/459 -- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure +Daniel Stenberg (27 Sep 2015) +- http2: set TCP_NODELAY unconditionally - Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when - acquiring the credentials handle fails. This is then consistent with - the code prior to commit f7e24683c4 when log-in credentials were empty. + For a single-stream download from localhost, we managed to increase + transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of + this single fix. -- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials +- http2: avoid superfluous Curl_expire() calls - Fixed the ability to use the current log-in credentials with DIGEST-MD5. - I had previously disabled this functionality in commit 607883f13c as I - couldn't get this to work under Windows 8, however, from testing HTTP - Digest authentication through Windows SSPI and then further testing of - this code I have found it works in Windows 7. + ... only call it when there is data arriving for another handle than the + one that is currently driving it. - Some further investigation is required to see what the differences are - between Windows 7 and 8, but for now enable this functionality as the - code will return an error when AcquireCredentialsHandle() fails. - -Kamil Dudka (29 Oct 2014) -- transfer: drop the code handling the ssl_connect_retry flag + Improves single-stream download performance quite a lot. - Its last use has been removed by the previous commit. + Thanks-to: Tatsuhiro Tsujikawa + Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html -- nss: drop the code for libcurl-level downgrade to SSLv3 +- readwrite_data: set a max number of loops - This code was already deactivated by commit - ec783dc142129d3860e542b443caaa78a6172d56. + ... as otherwise a really fast pipe can "lock" one transfer for some + protocols, like with HTTP/2. -- openssl: fix a line length warning +- [Sergei Nikulov brought this change] -Guenter Knauf (29 Oct 2014) -- Added NetWare support to build with nghttp2. + CI: Added AppVeyor-CI for curl + + Closes #439 -- Fixed error message since we require ALPN support. +- FTP: fix uploading ASCII with unknown size + + ... don't try to increase the supposed file size on newlines if we don't + know what file size it is! + + Patch-by: lzsiga -- Check for ALPN via OpenSSL version number. +- [Tatsuhiro Tsujikawa brought this change] + + build: fix failures with -Wcast-align and -Werror - This check works also with to non-configure platforms. + Closes #457 -Steve Holme (28 Oct 2014) -- sasl_sspi: Fixed typo in comment +- [Tatsuhiro Tsujikawa brought this change] -- code cleanup: We prefer 'CURLcode result' + curl-confopts.m4: Add missing ')' + + ... for CURL_CHECK_OPTION_RT + + Closes #456 -Daniel Stenberg (28 Oct 2014) -- TODO: consider supporting STAT +Jay Satiro (25 Sep 2015) +- curl_easy_getinfo.3: Add brief description for each CURLINFO -- mk-ca-bundle: spell fix "version" +Daniel Stenberg (23 Sep 2015) +- [Jakub Zakrzewski brought this change] -- HTTP: return larger than 3 digit response codes too + CMake: Ensure discovered include dirs are considered - HTTP 1.1 is clearly specified to only allow three digit response codes, - and libcurl used sscanf("%3d") for that purpose. This made libcurl - support smaller numbers but not larger. It does now, but we will not - make any specific promises nor document this further since it is going - outside of what HTTP is. + ...during header checks. Otherwise some following header tests + (incorrectly) fail. - Bug: http://curl.haxx.se/bug/view.cgi?id=1441 - Reported-by: Balaji + Closes #436 -- src/: remove version.h.dist from gitignore - - It has not been used since commit f7bfdbab in 2011 +- [Jakub Zakrzewski brought this change] -Steve Holme (26 Oct 2014) -- ntlm: We prefer 'CURLcode result' + CMake: Put "winsock2.h" before "windows.h" during configure checks - Continuing commit 0eb3d15ccb more return code variable name changes. + "windows.h" includes "winsock.h" what causes many redefinition errors + if "winsock2.h" is included afterwards and can cause build to fail. -Guenter Knauf (26 Oct 2014) -- Cosmetics: lowercase non-special subroutine names. +- tests: disable 1510 due to CI-problems on github -Steve Holme (26 Oct 2014) -- RELEASE-NOTES: Synced with 07ac29a058 +- [Mike Crowe brought this change] -- http_negotiate: We prefer 'CURLcode result' + gnutls: Report actual GnuTLS error message for certificate errors + + If GnuTLS fails to read the certificate then include whatever reason it + provides in the failure message reported to the client. - Continuing commit 0eb3d15ccb more return code variable name changes. + Signed-off-by: Mike Crowe <mac@mcrowe.com> -- http_negotiate: Fixed missing check for USE_SPNEGO +- RELEASE-NOTES: synced with 6b56901b56e -- sspi: Synchronization of cleanup code between auth mechanisms +- [Mike Crowe brought this change] -- sspi: Renamed max token length variables + gnutls: Support CURLOPT_KEYPASSWD + + The gnutls vtls back-end was previously ignoring any password set via + CURLOPT_KEYPASSWD. Presumably this was because + gnutls_certificate_set_x509_key_file did not support encrypted keys. - Code cleanup to try and synchronise code between the different SSPI - based authentication mechanisms. + gnutls now has a gnutls_certificate_set_x509_key_file2 function that + does support encrypted keys. Let's determine at compile time whether the + available gnutls supports this new function. If it does then use it to + pass the password. If it does not then emit a helpful diagnostic if a + password is set. This is preferable to the previous behaviour of just + failing to read the certificate without giving a reason in that case. + + Signed-off-by: Mike Crowe <mac@mcrowe.com> -- sspi: Renamed expiry time stamp variables +- CURLINFO_TLS_SESSION: always return backend info - Code cleanup to try and synchronise code between the different SSPI - based authentication mechanisms. + ... even for those that don't support providing anything in the + 'internals' struct member since it offers a convenient way for + applications to figure this out. + +- [Daniel Hwang brought this change] -- sspi: Only call CompleteAuthToken() when complete is needed + tool: remove redundant libcurl check - Don't call CompleteAuthToken() after InitializeSecurityContext() has - returned SEC_I_CONTINUE_NEEDED as this return code only indicates the - function should be called again after receiving a response back from - the server. + The easysrc generation is run only when --libcurl is initialized. - This only affected the Digest and NTLM authentication code. - -Dan Fandrich (26 Oct 2014) -- Added the "flaky" keyword to a number of tests + Ref: https://github.com/bagder/curl/issues/429 - Each shows evidence of flakiness on at least one platform on - the autobuilds. Users can use this keyword to skip these tests - if desired. + Closes #448 + +- [Richard van den Berg brought this change] -Steve Holme (26 Oct 2014) -- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash() + CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment - For consistency with other areas of the NTLM code propagate all errors - from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just - CURLE_OUT_OF_MEMORY. + Closes #449 -- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash() +- TODO: 5.7 More compressions + + Like for example brotli, as being implemented in Firefox now. -- ntlm: Use 'CURLcode result' +Jay Satiro (21 Sep 2015) +- tool_operate: Don't call easysrc cleanup unless --libcurl + + - Review of 4d95491. - Continuing commit 0eb3d15ccb more return code variable name changes. + The author changed it so easysrc only initializes when --libcurl but did + not do the same for the call to easysrc cleanup. + + Ref: https://github.com/bagder/curl/issues/429 -- ntlm: Only define ntlm data structure when USE_NTLM is defined +Daniel Stenberg (20 Sep 2015) +- [Viktor Szakats brought this change] -- ntlm: Changed handles to be dynamic like other SSPI handles + CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com - Code cleanup to try and synchronise code between the different SSPI - based authentication mechanisms. + closes #443 -- ntlm: Renamed handle variables to match other SSPI structures +- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL" - Code cleanup to try and synchronise code between the different SSPI - based authentication mechanisms. + Closes #334 -- ntlm: Renamed SSPI based input token variables - - Code cleanup to try and synchronise code between the different SSPI - based authentication mechanisms. +- KNOWN_BUGS: add link to #85 -- ntlm: We prefer 'CURLcode result' +- tests: disable 1801 until fixed - Continuing commit 0eb3d15ccb more return code variable name changes. + It is unreliable and causes CI problems on github + + Closes #380 + +- RELEASE-NOTES: synced with 4d95491636ee -- build: Added WinIDN build configuration options +- [Daniel Lee Hwang brought this change] + + tool: generate easysrc only on --libcurl + + Code should only be generated when --libcurl is used. - Added support for WinIDN build configurations to the VC8 and VC9 - project files. + Bug: https://github.com/bagder/curl/issues/429 + Reported-by: @greafhe, Jay Satiro + + Closes #429 + Closes #442 -Nick Zitzmann (24 Oct 2014) -- darwinssl: detect possible future removal of SSLv3 from the framework +Jay Satiro (19 Sep 2015) +- vtls: Change designator name for server's pubkey hash + + - Change the designator name we use to show the base64 encoded sha256 + hash of the server's public key from 'pinnedpubkey' to + 'public key hash'. - If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3. + Though the server's public key hash is only shown when comparing pinned + public key hashes, the server's hash may not match one of the pinned. -Patrick Monnerat (24 Oct 2014) -- gskit.c: remove SSLv3 from SSL default. +Daniel Stenberg (19 Sep 2015) +- [Isaac Boukris brought this change] -- gskit.c: use 'CURLcode result' + NTLM: Reset auth-done when using a fresh connection + + With NTLM a new connection will always require authentication. + Fixes #435 -Daniel Stenberg (24 Oct 2014) -- [Jay Satiro brought this change] +- [Daniel Hwang brought this change] - SSL: Remove SSLv3 from SSL default due to POODLE attack + ssl: add server cert's "sha256//" hash to verbose - - Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, - openssl effectively making the default TLS 1.x. axTLS is not affected - since it supports only TLS, and gnutls is not affected since it already - defaults to TLS 1.x. + Add a "pinnedpubkey" section to the "Server Certificate" verbose - - Update CURLOPT_SSLVERSION doc - -- pipelining: only output "is not blacklisted" in debug builds + Bug: https://github.com/bagder/curl/issues/410 + Reported-by: W. Mark Kubacki + + Closes #430 + Closes #410 -- *.3: add/extend "SEE ALSO" sections +- [Jakub Zakrzewski brought this change] -- curl_easy_pause.3: minor wording edit + openldap: only part of LDAP query results received + + Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f + + Closes #440 -- curl_getdate.3: provide a "SEE ALSO" section +- [Alessandro Ghedini brought this change] -- curl_global_init.3: minor formatting fix, add version info + openssl: don't output certinfo data -- url.c: use 'CURLcode result' +- [Alessandro Ghedini brought this change] -- code cleanup: we prefer 'CURLcode result' + openssl: refactor certificate parsing to use OpenSSL memory BIO - ... for the local variable name in functions holding the return - code. Using the same name universally makes code easier to read and - follow. - - Also, unify code for checking for CURLcode errors with: - - if(result) or if(!result) + Fixes #427 + +Kamil Dudka (18 Sep 2015) +- nss: prevent NSS from incorrectly re-using a session - instead of + Without this workaround, NSS re-uses a session cache entry despite the + server name does not match. This causes SNI host name to differ from + the actual host name. Consequently, certain servers (e.g. github.com) + respond by 400 to such requests. - if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK) + Bug: https://bugzilla.mozilla.org/1202264 -- Curl_add_timecondition: skip superfluous varible assignment - - Detected by cppcheck. +- nss: check return values of NSS functions -- Curl_pp_flushsend: skip superfluous assignment - - Detected by cppcheck. +Daniel Stenberg (17 Sep 2015) +- CURLOPT_PINNEDPUBLICKEY.3: mention error code -- Curl_pp_readresp: remove superfluous assignment +- openssl: build with < 0.9.8 + + ... without sha256 support and no define saying so. - Variable already assigned a few lines up. + Reported-by: Rajkumar Mandal + +- libcurl-errors.3: add two missing error codes - Detected by cppcheck. + CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS -- Curl_proxyCONNECT: remove superfluous statement +Jay Satiro (14 Sep 2015) +- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example - The variable is already assigned, skip the duplicate assignment. + - Show how a certificate can be obtained using OpenSSL. - Pointed out by cppcheck. + Bug: https://github.com/bagder/curl/pull/430 + Reported-by: Daniel Hwang -Guenter Knauf (24 Oct 2014) -- Added MinGW support to build with nghttp2. +Daniel Stenberg (13 Sep 2015) +- http2: removed unused function -- Added VC ssh2 target to main Makefile. +- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET -- Some cosmetics and simplifies. +- opts: add CURLINFO_* man pages to dist -- Remove dependency on openssl and cut. - - Prefer usage of Perl modules for sha1 calculation since there - might be systems where openssl is not installed or not in path. - If openssl is used for sha1 calculation then dont rely on cut - since it is usually not available on other systems than Linux. +- opts: 19 more CURLINFO_* options made into stand-alone man pages -Daniel Stenberg (23 Oct 2014) -- RELEASE-NOTES: synced with e116d0a62 +- RELEASE-NOTES: synced with fad9604613 -- CURLOPT_RESOLVE.3: add an example +- curl: customrequest_helper: deal with NULL custom method -- gnutls: removed dead code - - Bug: http://curl.haxx.se/bug/view.cgi?id=1437 - Reported-by: Julien +- [Svyatoslav Mishyn brought this change] -- Curl_rand: Uninitialized variable: r + CURLOPT_FNMATCH_FUNCTION.3: fix typo - This is not actually used uninitialized but we silence warnings. + s => is - Bug: http://curl.haxx.se/bug/view.cgi?id=1437 - Reported-by: Julien + Closes #428 -- opts: provide more and updated examples +- curl: point out unnecessary uses of -X in verbose mode + + It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take + down the tone a bit. + + It adds a warning for using -XHEAD on other methods becasue that may + lead to a hanging connection. -- CURLOPT_RANGE.3: works for SFTP as well +Jay Satiro (10 Sep 2015) +- curl_sspi: fix possibly undefined CRYPT_E_REVOKED - ... and added a small example + Bug: https://github.com/bagder/curl/pull/411 + Reported-by: Viktor Szakats -- curl.1: edited for clarity +- buildconf.bat: fix syntax error -- CURLOPT_SSLVERSION.3: provide an example +- [Benjamin Kircher brought this change] -- docs/libcurl/ABI: more markdown friendly + winbuild: run buildconf.bat if necessary -- docs: edited lots of libcurl docs for clarity +- [Svyatoslav Mishyn brought this change] -- opts: added examples + docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_* + + long => double -- HISTORY: two glimpses in 2014 +Daniel Stenberg (8 Sep 2015) +- [Sergei Nikulov brought this change] -Kamil Dudka (20 Oct 2014) -- nss: reset SSL handshake state machine - - ... when the handshake succeeds + cmake: IPv6 : disable Unix header check on Windows platform - This fixes a connection failure when FTPS handle is reused. + Closes #409 -Daniel Stenberg (20 Oct 2014) -- [Peter Wu brought this change] - - cmake: generate pkg-config and curl-config +- parse_proxy: reject illegal port numbers - Initial work to generate a pkg-config and curl-config script. Static - linking (`curl-config --static-libs` and `pkg-config --shared --libs - libcurl`) is broken and therefore disabled. + If the port number in the proxy string ended weirdly or the number is + too large, skip it. Mostly as a means to bail out early if a "bare" IPv6 + numerical address is used without enclosing brackets. - CONFIGURE_OPTIONS does not make sense for CMake, use an empty string - for now. + Also mention the bracket requirement for IPv6 numerical addresses to the + man page for CURLOPT_PROXY. - At least `curl-config --features` and `curl-config --protocols` work - which is needed by runtests.pl. + Closes #415 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> - -- [Peter Wu brought this change] + Reported-by: Marcel Raad - cmake: use LIBCURL_VERSION from curlver.h +- FTP: do_more: add check for wait_data_conn in upload case + + In some timing-dependnt cases when a 4xx response immediately followed + after a 150 when a STOR was issued, this function would wrongly return + 'complete == true' while 'wait_data_conn' was still set. - This matches the behavior from autotools. The auxiliary major, minor - and patch components are not needed anymore and therefore removed. + Closes #405 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Reported-by: Patricia Muscalu -- [Peter Wu brought this change] +- [Svyatoslav Mishyn brought this change] - cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS - - For compatibility with autoconf, it will be used later for curl-config - and pkg-config. Not all features and or protocols can be enabled as - these are missing additional checks (see new TODOs). - - SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=) - and manually verified/modified. SUPPORT_FEATURES is manually added. + CURLOPT_TLSAUTH_TYPE.3: update description - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + Closes #414 + Closes #413 -- cmake: add CMake/Macros.cmake to the release tarball +- [Svyatoslav Mishyn brought this change] -- test545: make it not use a trailing zero + CURLOPT_PATH_AS_IS.3: fix typo - CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not - require a trailing zero of the data and by making sure this test doesn't - use one we know it works (combined with valgrind). - -Steve Holme (16 Oct 2014) -- ntlm: Fixed empty type-2 decoded message info text + leavit => leaveit - Updated the info text when the base-64 decode of the type-2 message - returns a null buffer to be more specific. + closes #412 -- ntlm: Fixed empty/bad base-64 decoded buffer return codes +- [Svyatoslav Mishyn brought this change] -- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token + CURLINFO_SSL_VERIFYRESULT.3: add short description -Daniel Stenberg (16 Oct 2014) -- httpcustomheader.c: make use of more CURLOPT_HTTPHEADER features - - ... and only do a single request for clarity. +- [Svyatoslav Mishyn brought this change] -Steve Holme (15 Oct 2014) -- sasl_sspi: Fixed some typos + CURLINFO_SSL_ENGINES.3: add short description -- sasl_sspi: Fixed Kerberos response buffer not being allocated when using SSO +- [Svyatoslav Mishyn brought this change] -Daniel Stenberg (15 Oct 2014) -- [Bruno Thomsen brought this change] + CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency - mk-ca-bundle: added SHA-384 signature algorithm - - Certificates based on SHA-1 are being phased out[1]. - So we should expect a rise in certificates based on SHA-2. - Adding SHA-384 as a valid signature algorithm. - - [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ - - Signed-off-by: Bruno Thomsen <bth@kamstrup.dk> - -Patrick Monnerat (14 Oct 2014) -- OS400: fix bugs in curl_*escape_ccsid() and reduce variables scope - -- Implement pinned public key in GSKit backend +- [Svyatoslav Mishyn brought this change] -Daniel Stenberg (14 Oct 2014) -- CURLOPT_TLSAUTH_*.3: fix reference typos + CURLINFO_REDIRECT_TIME.3: remove redundant '!' -- cleanups: reduce variable scope +Kamil Dudka (4 Sep 2015) +- Revert "has: generate the curl/has.h header" - cppcheck pointed these out. + This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have + pushed by mistake. Apologies for my incompetent use of the git repo! -- singleipconnect: remove dead assignment never used +- nss: do not directly access SSL_ImplementedCiphers[] - cppcheck pointed this out. - -- pinning: minor code style policing - -Patrick Monnerat (13 Oct 2014) -- Factorize pinned public key code into generic file handling and backend specific + It causes dynamic linking issues at run-time after an update of NSS. + + Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html -- vtls: remove QsoSSL +- [Daniel Stenberg brought this change] -- gskit: supply dummy randomization function + has: generate the curl/has.h header + + changed macro name, moved and renamed script to become docs/libcurl/has.pl, + generate code that is checksrc compliant -- vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation +Daniel Stenberg (3 Sep 2015) +- gitignore: ignore more generated VC Makefiles -Daniel Stenberg (13 Oct 2014) -- [Peter Wu brought this change] +- projects/Windows/.gitignore: ignore generated files for release - tests: move TESTCASES to Makefile.inc, add show for cmake - - This change allows runtests.pl to be run from the CMake builddir: +- http2: don't pass on Connection: headers - export srcdir=/tmp/curl/tests; - perl -I$srcdir $srcdir/runtests.pl -l + RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an + HTTP/2 message containing connection-specific header fields; any message + containing connection-specific header fields MUST be treated as + malformed" - In order to make this possible, all test cases have been moved from - Makefile.am to Makefile.inc. + Closes #401 + +- curl.1: update RFC references + +- CURLOPT_POSTREDIR.3: update RFC number and section + +- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + and some general cleaning up -- [Peter Wu brought this change] +- [Marcel Raad brought this change] - cmake: enable IPv6 by default if available + inet_pton.c: Fix MSVC run-time check failure (2) - ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a - Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if - struct sockaddr_in6 is not found in netinet/in.h. + This fixes another run-time check failure because of a narrowing cast on + Visual C++. - Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more - platform checks even though POSIX requires a thread-safe getaddrinfo. + Closes #408 + +Jay Satiro (3 Sep 2015) +- docs: Warn about any-domain cookies and multiple transfers - Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7. + - Warn that cookies without a domain are sent to any domain: + CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + - Note that imported Set-Cookie cookies without a domain are no longer + exported: + CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar -- [Peter Wu brought this change] - - cmake: build tool_hugehelp (ENABLE_MANUAL) - - Rather than always outputting an empty manual page for the '-M' option, - generate a full manual page as done by autotools. For simplicity in - CMake, always generate the gzipped page as it will not be used anyway - when zlib is not available. +Steve Holme (2 Sep 2015) +- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3 - Signed-off-by: Peter Wu <peter@lekensteyn.nl> + tool_sdecls.h:139 warning: comma at end of enumerator list -- [Peter Wu brought this change] +Daniel Stenberg (2 Sep 2015) +- opts: 8 more CURLINFO* options as stand-alone man pages - tests/http_pipe.py: Python 3 support - - The 2to3 tool converted socketserver (which I manually fixed up with an - import fallback) and the print(e) line. The xrange option was converted - to range, but it seems better to use the '*' operator here for - simplicity. - - Signed-off-by: Peter Wu <peter@lekensteyn.nl> +- RELEASE-NOTES: synced with c764cb4add1a8 -- SECURITY: slightly nicer markdown format +- man-pages: more SEE ALSO links -- RELEASE-PROCEDURE: better markdown, more content +- opts: more CURLINFO_* options as stand-alone man pages -- RELEASE-NOTES: synced with 6637b237e6eb +Steve Holme (31 Aug 2015) +- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled - ... and bumped the planned release version. + Introduced in commit 59f3f92ba6 this function is only implemented when + CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define + the function in the header file either. -- vtls: have vtls.h include the backend header files +- sasl: Updated SPN variables and comments for consistency - It turned out some features were not enabled in the build since for - example url.c #ifdefs on features that are defined on a per-backend - basis but vtls.h didn't include the backend headers. - - CURLOPT_CERTINFO was one such feature that was accidentally disabled. + In places the "host name" and "realm" variable was referred to as + "instance" whilst in others it was referred to as "host". -- test2036: verify -O with no slash at all in the URL +Daniel Stenberg (30 Aug 2015) +- configure: check for HMAC_Update in openssl - Similar to test 76 but that test's URL has a slash just no file name - part. + Turns out HMAC_Init is now deprecated in openssl master (and I spelled + HMAC_Init_ex wrong in previous commit) -- get_url_file_name: make no slash equal empty string +Steve Holme (30 Aug 2015) +- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default + + Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native + Windows builds don't use the autoconf tools. -- get_url_file_name: never return a NULL string *and* OK +- des: Fixed compilation warning from commit 613e5022fe - Change 987a4a73 assumes that as it simplifies life in the calling - function. + curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined; + assuming extern returning int + +- buildconf.bat: Fixed double blank line in 'curl manual' warning output + +- makefiles: Added our standard copyright header - Reported-by: Fabian Keil + But kept the original author, when they were specified in a comment, as + the initial copyright holder. -- [Jakub Zakrzewski brought this change] +Jay Satiro (29 Aug 2015) +- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now + +Daniel Stenberg (29 Aug 2015) +- CURLINFO_RESPONSE_CODE.3: added short description + +- opts: 7 initial CURLINFO_* options as stand-alone man pages + +- [Nikolai Kondrashov brought this change] - Cmake: Build with GSSAPI (MIT or Heimdal) + libcurl.m4: Put braces around empty if body - It tries hard to recognise SDK's on different platforms. On windows MIT - Kerberos installs SDK with other things and puts path into registry. - Heimdal have separate zip archive. On linux pkg-config is tried, then - krb5-config script and finally old-style libs and headers detection. + Put braces around empty "if" body in libcurl.m4 check to avoid warning: - Command line args: - * CMAKE_USE_GSSAPI - enables GSSAPI detection - * GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation - (the one with include and lib directories) + suggest braces around empty body in an 'if' statement + + and make it work with -Werror builds. + + Closes #402 -- [Jakub Zakrzewski brought this change] +- [Svyatoslav Mishyn brought this change] - Cmake: Got rid of setup_curl_dependencies + curl_easy_escape.3: escape '\n' - There is no need for such function. Include_directories propagate by - themselves and having a function with one simple link statement makes - little sense. + Closes #398 -- [Jakub Zakrzewski brought this change] +- [Svyatoslav Mishyn brought this change] - Cmake: Avoid cycle directory dependencies. + curl_easy_{escape,setopt}.3: fix example - Because we prepended libraries to list, CMake had troubles resolving - link directory order as it detected some cycles. Appending to list ensures - that dependencies will preceed dependees. + remove redundant '}' -- [Jakub Zakrzewski brought this change] +- [Sergei Nikulov brought this change] - Cmake: Fix library list provided to cURL tests. + cmake: added Windows SSL support - The list must be set after those nice CMake tests as we mess with - CMAKE_REQUIRED_LIBRARIES there. - -- [Jakub Zakrzewski brought this change] + Closes #399 - Cmake: Check for OpenSSL before OpenLDAP. +- curl: point out the conflicting HTTP methods if used - OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first - may result in undefined symbols. Of course, the found OpenSSL libraries - must also be linked whenever OpenLDAP is. + It isn't always clear to the user which options that cause the HTTP + methods to conflict so by spelling them out it should hopefully be + easier to understand why curl complains. -- curl_multi_fdset.3: improved the formatting slightly +- curl: clarify that users can only specify one _METHOD_ -- curl_multi_fdset: explain the fd_set arguments +- [Svyatoslav Mishyn brought this change] -Kamil Dudka (8 Oct 2014) -- nss: do not fail if a CRL is already cached + curl_easy_{escape,unescape}.3: "char *" vs. "const char *" - This fixes a copy-paste mistake from commit 2968f957. + Closes #395 -Patrick Monnerat (8 Oct 2014) -- OS400: upgrade interface for pinned public key (no implementation yet) +Patrick Monnerat (24 Aug 2015) +- os400: include new options in wrappers and update ILE/RPG binding. -Daniel Stenberg (8 Oct 2014) -- FormAdd: precaution against memdup() of NULL pointer +Daniel Stenberg (24 Aug 2015) +- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug - Coverity CID 252518. This function is in general far too complicated for - its own good and really should be broken down into several smaller - funcitons instead - but I'm adding this protection here now since it - seems there's a risk the code flow can end up here and dereference a - NULL pointer. + ... since HTTP is forbidden to return any such. -- operate: avoid NULL dereference - - Coverity CID 1241948. dumpeasysrc() would get called with - config->current set to NULL which could be dereferenced by a warnf() - call. +- KNOWN_BUGS: #78 zero-length files is already fixed! + +- [Razvan Cojocaru brought this change] -- do_sec_send: remove dead code + getinfo: added CURLINFO_ACTIVESOCKET - Coverity CID 1241951. The condition 'len >= 0' would always be true at - that point and thus not necessary to check for. + This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64 + bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable. + + Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com> -- krb5_encode: remove unused argument +- http2: remove dead code + + Leftovers from when we removed the private socket hash. - Coverity CID 1241957. Removed the unused argument. As this struct and - pointer now are used only for krb5, there's no need to keep unused - function arguments around. + Coverity CID 1317365, "Logically dead code" -- operate_do: skip superfluous check for NULL pointer +- ntlm: mark deliberate switch case fall-through - Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL - file name pointer so skip the check for that - it tricks coverity into - believing it can happen and it then warns later on when we use 'outfile' - without checking for NULL. + Coverity CID 1317367, "Missing break in switch" -- curl_easy_getinfo.3: spell-fix +- http2: on_frame_recv: get a proper 'conn' for the debug logging - Reported-By: Luan Cestari + "Explicit null dereferenced (FORWARD_NULL)" + + Coverity CID 1317366 -- [moparisthebest brought this change] +- RELEASE-NOTES: synced with 2acaf3c804 - GnuTLS: Implement public key pinning +Dan Fandrich (23 Aug 2015) +- tool: fix memory leak with --proto-default option -- [moparisthebest brought this change] +Jay Satiro (22 Aug 2015) +- [Nathaniel Waisbrot brought this change] - SSL: implement public key pinning + CURLOPT_DEFAULT_PROTOCOL: added + + - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default + protocol for schemeless URLs. - Option --pinnedpubkey takes a path to a public key in DER format and - only connect if it matches (currently only implemented with OpenSSL). + - Add new tool option --proto-default to expose + CURLOPT_DEFAULT_PROTOCOL. - Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). + In the case of schemeless URLs libcurl will behave in this way: - Extract a public RSA key from a website like so: - openssl s_client -connect google.com:443 2>&1 < /dev/null | \ - sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ - | openssl rsa -pubin -outform DER > google.com.der + When the option is used libcurl will use the supplied default. + + When the option is not used, libcurl will follow its usual plan of + guessing from the hostname and falling back to 'http'. + +- runtests: Allow for spaces in server-verify curl custom path -- multi_runsingle: fix possible memory leak +Daniel Stenberg (22 Aug 2015) +- NTLM: recent boringssl brought DES_set_odd_parity back - Coverity CID 1202837. 'newurl' can in fact be allocated even when - Curl_retry_request() returns failure so free it if need be. + ... so improve the #ifdefs for using our local implementation. -- ares::Curl_resolver_cancel: skip checking for NULL conn +- configure: detect latest boringssl + + Since boringssl brought back DES_set_odd_parity again, it cannot be used + to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define + seems better anyway. - Coverity CID 1243581. 'conn' will never be NULL here, and if it would be - the subsequent statement would dereference it! + URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/ + Original-patch-by: Bertrand Simonnet + + Closes #393 -- parseconfig: skip a NULL check +- configure: change functions to detect openssl (clones) + + ... since boringssl moved the former ones and the check started to fail. - Coverity CID 1154198. This NULL check implies that the pointer _can_ be - NULL at this point, which it can't. Thus it is dead code. It tricks - static analyzers to warn about dereferencing the pointer since the code - seems to imply it can be NULL. + URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/ + Original-patch-by: Bertrand Simonnet -- [Waldek Kozba brought this change] +- [Alessandro Ghedini brought this change] - multi-uv.c: call curl_multi_info_read() better + openssl: handle lack of server cert when strict checking disabled - Improves it for low-latency cases (like the communication with - localhost) - -- tool_go_sleep: use (void) to spell out we ignore the return value + If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER + and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server + doesn't present a certificate at all. - Coverity CID 1222080. + Closes #392 -- ssh_statemach_act: split out assignment from check +- ftp: clear the do_more bit when the server has connected - just a minor code style thing to make the code clearer - -Marc Hoersken (4 Oct 2014) -- curl_schannel.c: Fixed possible memory or handle leak + The multi state machine would otherwise go into the DO_MORE state after + DO, even for the case when the FTP state machine had already performed + those duties, which caused libcurl to get stuck in that state and fail + miserably. This occured for for active ftp uploads. - First try to fix possible memory leaks, in this case: - Only connssl->ctxt xor onnssl->cred being initialized. + Reported-by: Patricia Muscalu -Daniel Stenberg (4 Oct 2014) -- getparameter: remove dead code - - Coverity CID 1061126. 'parse' will always be non-NULL here. +- [Jactry Zeng brought this change] -- getparameter: comment a switch FALLTHROUGH - - Coverity CID 1061118. Point out that it is on purpose. + travis.yml: Add OS X testbot. -- choose_mech: fix return code - - Coverity CID 1241950. The pointer is never NULL but it might point to - NULL. +- [Rémy Léone brought this change] -- Curl_sec_read_msg: spell out that we ignore return code + travis: Upgrading to container based build - Coverity CID 1241947. Since if sscanf() fails, the previously set value - remains set. - -- nonblock: call with (void) to show we ignore the return code + http://docs.travis-ci.com/user/migrating-from-legacy - Coverity pointed out several of these. + Closes #388 -- parse_proxy: remove dead code. - - Coverity CID 982331. +- RELEASE-NOTES: synced with 14ff86256b13e -- Curl_debug: document switch fallthroughs +- [Erik Janssen brought this change] -- curl_multi_remove_handle: remove dead code + rtsp: stop reading empty DESCRIBE responses - Coverify CID 1157776. Removed a superfluous if() that always evaluated - true (and an else clause that never ran), and then re-indented the - function accordingly. + Based-on-patch-by: Jim Hollinger -- Curl_pipeline_server_blacklisted: handle a NULL server name - - Coverity CID 1215284. The server name is extracted with - Curl_copy_header_value() and passed in to this function, and - copy_header_value can actually can fail and return NULL. +- [Erik Janssen brought this change] -- ssh: comment "fallthrough" in switch statement + rtsp: support basic/digest authentication -- [Jeremy Lin brought this change] +- [Sam Roth brought this change] - ssh: improve key file search - - For private keys, use the first match from: user-specified key file - (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa + CURLMOPT_PUSHFUNCTION.3: fix argument types - Note that the previous code only looked for id_dsa files. id_rsa is - now generally preferred, as it supports larger key sizes. - - For public keys, use the user-specified key file, if provided. - Otherwise, try to extract the public key from the private key file. - This means that passing --pubkey is typically no longer required, - and makes the key-handling behavior more like OpenSSH. + Closes #389 + Closes #386 -- CURLOPT_HTTPHEADER.3: libcurl doesn't copy the whole list +- [Marcel Raad brought this change] -- detect_proxy: fix possible single-byte memory leak + inet_pton.c: Fix MSVC run-time check failure - Coverity CID 1202836. If the proxy environment variable returned an empty - string, it would be leaked. While an empty string is not really a proxy, other - logic in this function already allows a blank string to be returned so allow - that here to avoid the leak. - -- multi_runsingle: fix memory leak + Visual Studio complains with a message box: - Coverity CID 1202837. There's a potential risk that 'newurl' gets - overwritten when it was already pointing to allocated memory. - -- pop3_perform_authentication: fix memory leak + "Run-Time Check Failure #1 - A cast to a smaller data type has caused a + loss of data. If this was intentional, you should mask the source of + the cast with the appropriate bitmask. - Coverity CID 1215287. There's a potential risk for a memory leak in - here, and moving the free call to be unconditional seems like a cheap - price to remove the risk. - -- imap_perform_authentication: fix memory leak + For example: + char c = (i & 0xFF); - Coverity CID 1215296. There's a potential risk for a memory leak in - here, and moving the free call to be unconditional seems like a cheap - price to remove the risk. - -- wait_or_timeout: return failure when Curl_poll() fails + Changing the code in this way will not affect the quality of the + resulting optimized code." + + This is because only 'val' is cast to unsigned char, so the "& 0xff" has + no effect. - Coverity detected this. CID 1241954. When Curl_poll() returns a negative value - 'mcode' was uninitialized. Pretty harmless since this is debug code only and - would at worst cause an error to _not_ be returned... + Closes #387 -- curl.1: mention quoting in the URL section +Jay Satiro (18 Aug 2015) +- docs: Update the redirect protocols disabled by default - and separate the example URLs with newlines + - Clarify that FILE and SCP are disabled by default since 7.19.4 + - Add that SMB and SMBS are disabled by default since 7.40.0 + - Add CURLPROTO_SMBS to the list of protocols -Steve Holme (30 Sep 2014) -- [Bill Nagel brought this change] +- gitignore: Sort for readability + + find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}' - smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error +Daniel Stenberg (15 Aug 2015) +- curl_easy_getinfo.3: fix superfluous space - This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that - sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL - appears to require the same pointer on a write that follows a retry - (CURLE_AGAIN) as discussed here: + ... and changed "oriented" to "related" - http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr + Closes #378 + +- CURLOPT_HTTP_VERSION.3: connection re-use goes before version -Daniel Stenberg (30 Sep 2014) -- RELEASE-NOTES: synced with 53cbea22310f15 +- [Daniel Kahn Gillmor brought this change] -- file: reject paths using embedded %00 + curl.1: Document weaknesses in SSLv2 and SSLv3 - Mostly because we use C strings and they end at a binary zero so we know - we can't open a file name using an embedded binary zero. + Acknowledge that SSLv3 is also widely considered to be insecure. - Reported-by: research@g0blin.co.uk - -Dan Fandrich (26 Sep 2014) -- test506: Fixed a couple of memory leaks in test + Also, provide references for people who want to know more about why it's + insecure. -Daniel Stenberg (25 Sep 2014) -- [Yousuke Kimoto brought this change] +Steve Holme (14 Aug 2015) +- generate.bat: Added support for generating only the prerequisite files - CURLOPT_COOKIELIST: Added "RELOAD" command +- generate.bat: Only call buildconf.bat if it exists -- [Michael Wallner brought this change] +- generate.bat: Fixed issues when ran in directories with special chars - CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303 +Daniel Stenberg (14 Aug 2015) +- [Brad King brought this change] -- threaded-resolver: revert Curl_expire_latest() switch - - The switch to using Curl_expire_latest() in commit cacdc27f52b was a - mistake and was against the advice even mentioned in that commit. The - comparison in asyn-thread.c:Curl_resolver_is_resolved() makes - Curl_expire() the suitable function to use. + cmake: Fix CurlTests check for gethostbyname_r with 5 arguments - Bug: http://curl.haxx.se/bug/view.cgi?id=1426 - Reported-By: graysky + Fix the check code to pass 5 arguments instead of 6. This typo was + introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in + CurlTests, 2014-10-31). -- libcurl docs: improvements all over +Steve Holme (14 Aug 2015) +- * buildconf.bat: Fixed issues when ran in directories with special chars + + Bug: https://github.com/bagder/curl/pull/379 + Reported-by: Daniel Seither -Steve Holme (19 Sep 2014) -- build: Added WinIDN build configuration options +Jay Satiro (13 Aug 2015) +- curl_global_init_mem.3: Stronger thread safety warning - Added initial support for WinIDN build configurations to the VC10+ - project files. + Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html + Reported-by: Eric Ridge -Daniel Stenberg (19 Sep 2014) -- tutorial: signals aren't used for the threaded resolver +Daniel Stenberg (12 Aug 2015) +- [Svyatoslav Mishyn brought this change] -- FAQ: update the pronunciation section + curl_multi_add_handle.3: fix a typo - As we weren't using the correct phonetic description and doing it correctly - involves funny letters that I'm sure will cause problems for people in a text - document so I instead rephrased it and link to a WAV file with a person - actually saying 'curl'. + "can not" => "cannot" - Reported-By: Dimitar Boevski + closes #377 -- CURLOPT_COOKIE*: added more cross-references +- [Alessandro Ghedini brought this change] -- BINDINGS: add node-libcurl + docs: fix typos - Reported-By: Jonathan Cardoso Machado - URL: http://curl.haxx.se/mail/lib-2014-09/0102.html + closes #376 -- README.http2: updated to reflect current status +- bump: start working toward 7.45.0 -- formdata: removed unnecessary USE_SSLEAY use +- THANKS: remove duplicate name -- curlssl: make tls backend symbols use curlssl in the name +- THANKS-filter: merge Todd's names -- url: let the backend decide CURLOPT_SSL_CTX_ support - - ... to further remove specific TLS backend knowledge from url.c +- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES -- vtls: have the backend tell if it supports CERTINFO +Version 7.44.0 (11 Aug 2015) -- [Catalin Patulea brought this change] +Daniel Stenberg (11 Aug 2015) +- RELEASE-NOTES: synced with c75a1e775061 - configure: allow --with-ca-path with PolarSSL too - - Missed this in af45542c. - - Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> +- [Svyatoslav Mishyn brought this change] -- CURLOPT_CAPATH: return failure if set without backend support + curl_formget.3: correct return code + + Closes #375 -- [Tatsuhiro Tsujikawa brought this change] +- [Svyatoslav Mishyn brought this change] - http2: Fix busy loop when EOF is encountered + libcurl-tutorial.3: fix formatting - Previously we did not handle EOF from underlying transport socket and - wrongly just returned error code CURL_AGAIN from http2_recv, which - caused busy loop since socket has been closed. This patch adds the - code to handle EOF situation and tells the upper layer that we got - EOF. + Closes #374 -Steve Holme (13 Sep 2014) -- build: Added batch wrapper to checksrc.pl +- [Svyatoslav Mishyn brought this change] -- RELEASE-NOTES: Synced with bd3df5ec6d + curl_easy_recv.3: fix formatting -- [Marcel Raad brought this change] +- [Anders Bakken brought this change] - sasl_sspi: Fixed Unicode build + http2: discard frames with no SessionHandle - Bug: http://curl.haxx.se/bug/view.cgi?id=1422 - Verified-by: Steve Holme - -Daniel Stenberg (12 Sep 2014) -- libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines + Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the + SessionHandle. Apparently mod_h2 will sometimes send a frame for a + stream_id we're finished with. - The former link was turned into a 404 at some point. + Use nghttp2_session_get_stream_user_data and + nghttp2_session_set_stream_user_data to identify SessionHandles instead + of a hash. - Reported-By: Askar Safin + Closes #372 -- contributors.sh: split list of names at comma - - ... to support a list of names provided in a commit message. +- RELEASE-NOTES: synced with 9ee40ce2aba -Steve Holme (12 Sep 2014) -- [Ulrich Telle brought this change] +- [Viktor Szakats brought this change] - ntlm: Fixed HTTP proxy authentication when using Windows SSPI + build: refer to fixed libidn versions - Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix - bug in NTLM handshake for HTTP proxy authentication. + closes #371 + +- Revert "configure: disable libidn by default" - NTLM handshake for HTTP proxy authentication failed with error - SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy - servers on generating the NTLM Type-3 message. + This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3. - The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according - to the observations and suggestions made in a bug report for the - QT project (https://bugreports.qt-project.org/browse/QTBUG-17322). + ... since libidn has since been fixed. + +- [Jakub Zakrzewski brought this change] + + CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define - Removing all the flags solved the problem. + Otherwise the build only pretended to use GSS-API - Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html - Reported-by: Ulrich Telle - Assisted-by: Steve Holme, Daniel Stenberg - -Daniel Stenberg (12 Sep 2014) -- [Ray Satiro brought this change] + Closes #370 - newlines: fix mixed newlines to LF-only +- SFTP: fix range request off-by-one in size check - I use the curl repo mainly on Windows with the typical Windows git - checkout which converts the LF line endings in the curl repo to CRLF - automatically on checkout. The automatic conversion is not done on files - in the repo with mixed line endings. I recently noticed some weird - output with projects/build-openssl.bat that I traced back to mixed line - endings, so I scanned the repo and there are files (excluding the - test data) that have mixed line endings. + Reported-by: Tim Stack - I used this command below to do the scan. Unfortunately it's not as easy - as git grep, at least not on Windows. This gets the names of all the - files in the repo's HEAD, gets each of those files raw from HEAD, checks - for mixed line endings of both LF and CRLF, and prints the name if - mixed. I excluded path tests/data/test* because those can have mixed - line endings if I understand correctly. + Closes #359 + +- test46: update cookie expire time - for f in `git ls-tree --name-only --full-tree -r HEAD`; - do if [ -n "${f##tests/data/test*}" ]; - then git show "HEAD:$f" | \ - perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/'; - if [ $? -ne 0 ]; - then echo "$f"; - fi; - fi; - done + ... since it went old and thus was expired and caused the test to fail! -- [Viktor Szakáts brought this change] +Steve Holme (9 Aug 2015) +- generate.bat: Use buildconf.bat for prerequisite file generation - mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces +- buildconf.bat: Tidy up of comments after recent commits -- ROADMAP: markdown eats underscores +- buildconf.bat: Added full generation of src\tool_hugehelp.c - It interprets them as italic indictors unless we backtick the word. + Added support for generating the full man page based on code from + generate.bat. -- ROADMAP: tiny formatting edit for nicer web output +- buildconf.bat: Added detection of groff, nroff, perl and gzip + + To allow for the full generation of tool_hugehelp.c added detection of + the required programs - based on code from generate.bat. -Steve Holme (10 Sep 2014) -- ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions +- buildconf.bat: Move DOS variable clean-up code to separate function + + Rather than duplicate future variables, during clean-up of both success + and error conditions, use a common function that can be called by both. -- INTERNALS: Added email and updated Kerberos details +- RELEASE-NOTES: Synced with 39dcf352d2 -- FEATURES: Updated Kerberos details - - Added support for Kerberos 5 to the email protocols following the recent - additions in 7.38.0. - - Removed Kerberos 4 as this has been gone for a while now. +- buildconf.bat: Added error messages on failure -Daniel Stenberg (10 Sep 2014) -- [Paul Howarth brought this change] +- buildconf.bat: Generate and clean files in the same order - openssl: build fix for versions < 0.9.8e +- buildconf.bat: Maintain compatibility with DOS based systems - Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html + Commit f08e30d7bc broke compatibility with DOS and non Windows NT based + versions of Windows due to the use of the setlocal command. -- mk-ca-bundle.pl: first, try downloading HTTPS with curl - - As a sort of step forward, this script will now first try to get the - data from the HTTPS URL using curl, and only if that fails it will - switch back to the HTTP transfer using perl's native LWP functionality. - To reduce the risk of this script being tricked. - - Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so - we can't really ever completely disable HTTP, but chances are that most - users already have a ca cert bundle that trusts the mozilla.org site - that this script downloads from. +Jay Satiro (9 Aug 2015) +- CURLOPT_RESOLVE.3: Note removal support was added in 7.42 - A future version of this script will probably switch to require a - dedicated "insecure" command line option to allow downloading over HTTP - (or unverified HTTPS). + Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html + Reported-by: Inca R -- LICENSE-MIXING: removed krb4 info +Steve Holme (8 Aug 2015) +- checksrc.bat: Fixed error when missing *.c and *.h files - krb4 has been dropped since a while now + File Not Found -- bump: on the 7.38.1-DEV train now! +- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276 -- SSLCERTS: minor updates +- checksrc.bat: Fixed error when [directory] isn't a curl source directory - Edited format to look better on the web, added a "it is about trust" - section. + The system cannot find the file specified. -Version 7.38.0 (10 Sep 2014) +- checksrc.bat: Added check for unknown arguments -Daniel Stenberg (10 Sep 2014) -- dist: two cmake files are no more - - CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b - -- RELEASE-NOTES: final update for 7.38.0 +- scripts: Added missing comments -- cookies: reject incoming cookies set for TLDs - - Test 61 was modified to verify this. - - CVE-2014-3620 +- scripts: Always perform setlocal and endlocal calls in pairs - Reported-by: Tim Ruehsen - URL: http://curl.haxx.se/docs/adv_20140910B.html + Ensure that there isn't a mismatch between setlocal and endlocal calls, + which could have happened due to setlocal being called after certain + error conditions were checked for. -- [Tim Ruehsen brought this change] - - cookies: only use full host matches for hosts used as IP address - - By not detecting and rejecting domain names for partial literal IP - addresses properly when parsing received HTTP cookies, libcurl can be - fooled to both send cookies to wrong sites and to allow arbitrary sites - to set cookies for others. +- scripts: Allow -help to be specified in any argument - CVE-2014-3613 - - Bug: http://curl.haxx.se/docs/adv_20140910A.html - -- HISTORY: fix the 1998 title position + Allow the -help command line argument to be specified in any argument + and not just as the first. -- HISTORY: extended and now markdown +Daniel Stenberg (6 Aug 2015) +- [juef brought this change] -- SSLCERTS: converted to markdown + curl_multi_remove_handle.3: fix formatting - Only minor edits to make it generate nice HTML output using markdown, as - this document serves both in source release tarballs as on the web site. - - URL: http://curl.haxx.se/docs/sslcerts.html + closes #366 -- ftp-wildcard.c: spell fix +Steve Holme (6 Aug 2015) +- README: Added notes about 'Running DLL based configurations' + + ...as well as a TODO for a future enhancement to the project files. - Reported-By: Frank Gevaerts + Thanks-to: Jay Satiro -- RELEASE-NOTES: synced with 921a0c22a6f +- RELEASE-NOTES: Synced with cf8975387f -- THANKS: synced with RELEASE-NOTES for 921a0c22a6f +- buildconf.bat: Synchronise no repository error with generate.bat -- polarassl: avoid memset() when clearing the first byte is enough +- generate.bat: Added a check for the presence of a git repository -- [Catalin Patulea brought this change] +- [Jay Satiro brought this change] - polarssl: support CURLOPT_CAPATH / --capath + build: Added wolfSSL configurations to VC10+ project files - Signed-off-by: Catalin Patulea <cat@vv.carleton.ca> + URL: https://github.com/bagder/curl/pull/174 -- SECURITY: eh, make more sense! +- [Jay Satiro brought this change] -- SECURITY: how to join the curl-security list + build: Added wolfSSL build script for Visual Studio projects + + Added the wolfSSL build script, based on build-openssl.bat, as well as + the property sheet and header file required for the upcoming additions + to the Visual Studio project files. -- RELEASE-NOTES: fix the required nghttp2 version typo +Daniel Stenberg (6 Aug 2015) +- CHANGES: refer to the online changelog + + Suggested-by: mc0e -- [Brandon Casey brought this change] +- [Isaac Boukris brought this change] - Ensure progress.size_dl/progress.size_ul are always >= 0 - - Historically the default "unknown" value for progress.size_dl and - progress.size_ul has been zero, since these values are initialized - implicitly by the calloc that allocates the curl handle that these - variables are a part of. Users of curl that install progress - callbacks may expect these values to always be >= 0. + NTLM: handle auth for only a single request - Currently it is possible for progress.size_dl and progress.size_ul - to by set to a value of -1, if Curl_pgrsSetDownloadSize() or - Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few - places currently do, and a following patch will add more). So - lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize() - so they make sure that these variables always contain a value that - is >= 0. + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). - Updates test579 and test599. + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. - Signed-off-by: Brandon Casey <drafnel@gmail.com> + Closes #363 -Steve Holme (7 Sep 2014) -- tests: Added test1420 to the makefile +Steve Holme (5 Aug 2015) +- RELEASE-NOTES: Synced with 473807b95f -- test1420: Removed unnecessary CURLOPT setting +- generate.bat: Use buildconf.bat for prerequisite file clean-up -- tests: Added more "Clear Text" authentication keywords +- buildconf.bat: Added support for file clean-up via -clean -- tests: Updated "based on" text due to email test renumbering +- buildconf.bat: Added progress output -- tests: For consistency added --libcurl to test name +- buildconf.bat: Avoid using goto for file not in repository -- tests: Added --libcurl for IMAP test case +Daniel Stenberg (5 Aug 2015) +- curl_slist_append.3: add error checking to the example -- multi.c: Avoid invalid memory read after free() from commit 3c8c873252 - - As the current element in the list is free()d by Curl_llist_remove(), - when the associated connection is pending, reworked the loop to avoid - accessing the next element through e->next afterward. +Steve Holme (5 Aug 2015) +- buildconf.bat: Added display of usage text with -help -- multi.c: Fixed compilation warning from commit 3c8c873252 - - warning: implicit conversion from enumeration type 'CURLMcode' to - different enumeration type 'CURLcode' +- buildconf.bat: Added exit codes for error handling -- url.c: Use CURLAUTH_NONE constant rather than 0 - - Small follow up to commit 898808fa8c to use auth constants rather than - hard code value when clearing picked authentication mechanism. +- buildconf.bat: Added our standard copyright header -- RELEASE-NOTES: Synced with fd1ce3856a +- buildconf.bat: Use lower-case for commands and reserved keywords -Nick Zitzmann (4 Sep 2014) -- [Vilmos Nebehaj brought this change] +- generate.bat: Only clean prerequisite files when in ALL mode - darwinssl: Use CopyCertSubject() to check CA cert. - - SecCertificateCopyPublicKey() is not available on iPhone. Use - CopyCertSubject() instead to see if the certificate returned by - SecCertificateCreateWithData() is valid. - - Reported-by: Toby Peterson - -Steve Holme (4 Sep 2014) -- RELEASE-NOTES: Clarify email Kerberos support is currently via Windows SSPI +- generate.bat: Moved error messages out of sub-routines -Daniel Stenberg (4 Sep 2014) -- MAIL-ETIQUETTE: "1.8 I posted, now what?" +- generate.bat: More use of lower-case for commands and reserved keywords -- CURLOPT_CA*: better refering between *CAINFO and *CAPATH +Daniel Stenberg (3 Aug 2015) +- libcurl.3: fix a single typo - ... and a minor wording edit + Closes #361 -- THANKS: added Dennis Clarke - - Dennis Clarke from Blastwave.org for ensuring that nightly builds run - smooth on Solaris! +- RELEASE-NOTES: synced with c4eb10e2f06f -- curl_multi_cleanup: remove superfluous NULL assigns +- SSH: three state machine fixups - ... as the struct is free()d in the end anyway. It was first pointed out - to me that one of the ->msglist assignments were supposed to have been - ->pending but was a copy and paste mistake when I realized none of the - clearing of pointers had to be there. - -- multi: convert CURLM_STATE_CONNECT_PEND handling to a list + The SSH state machine didn't clear the 'rc' variable appropriately in a + two places which prevented it from looping the way it should. And it + lacked an 'else' statement that made it possible to erroneously get + stuck in the SSH_AUTH_AGENT state. - ... instead of scanning through all handles, stash only the actual - handles that are in that state in the new ->pending list and scan that - list only. It should be mostly empty or very short. And only used for - pipelining. + Reported-by: Tim Stack - This avoids a rather hefty slow-down especially notable if you add many - handles to the same multi handle. Regression introduced in commit - 0f147887 (version 7.30.0). + Closes #357 + +- curl_gssapi: remove 'const' to fix compiler warnings - Bug: http://curl.haxx.se/mail/lib-2014-07/0206.html - Reported-by: David Meyer + initialization discards 'const' qualifier from pointer target type -- RELEASE-NOTES: synced with e608324f9f9 +- docs: formpost needs the full size at start of upload + + Closes #360 -- [Andre Heinecke brought this change] +Steve Holme (1 Aug 2015) +- sspi: Fix typo from left over from old code which referenced NTLM + + References to NTLM in the identity generation should have been removed + in commit c469941293 but not all were. - polarssl: implement CURLOPT_SSLVERSION +- win32: Fix compilation warnings from commit 40c921f8b8 - Forwards the setting as minimum ssl version (if set) to polarssl. If - the server does not support the requested version the SSL Handshake will - fail. + connect.c:953:5: warning: initializer element is not computable at load + time + connect.c:953:5: warning: missing initializer for field 'dwMinorVersion' + of 'OSVERSIONINFOEX' + curl_sspi.c:97:5: warning: initializer element is not computable at load + time + curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion' + of 'OSVERSIONINFOEX' + +- schannel: Fix compilation warning from commit 7a8e861a56 - Bug: http://curl.haxx.se/bug/view.cgi?id=1419 + schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion' + of 'OSVERSIONINFOEX' [-Wmissing-field-initializers + +Daniel Stenberg (31 Jul 2015) +- libcurl-thread.3: minor reformatting -nickzman (1 Sep 2014) -- Merge pull request #115 from ldx/darwinsslfixpr +Jay Satiro (31 Jul 2015) +- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs - darwinssl: now accepts cacert bundles in PEM format in addition to single certs + Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html + Reported-by: Eric Ridge -Vilmos Nebehaj (1 Sep 2014) -- Check CA certificate in curl_darwinssl.c. +- libcurl-thread.3: Warn memory functions must be thread safe - SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even - if the buffer holds an invalid or corrupt certificate. Call - SecCertificateCopyPublicKey() to make sure cacert is a valid - certificate. + Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html + Reported-by: Eric Ridge -Daniel Stenberg (31 Aug 2014) -- low-speed-limit: avoid timeout flood +Steve Holme (31 Jul 2015) +- RELEASE-NOTES: Synced with 8b1d00ac1a + +- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section - Introducing Curl_expire_latest(). To be used when we the code flow only - wants to get called at a later time that is "no later than X" so that - something can be checked (and another timeout be added). + ...as well as some rewording. + +Kamil Dudka (30 Jul 2015) +- http: move HTTP/2 cleanup code off http_disconnect() - The low-speed logic for example could easily be made to set very many - expire timeouts if it would be called faster or sooner than what it had - set its own timer and this goes for a few other timers too that aren't - explictiy checked for timer expiration in the code. + Otherwise it would never be called for an HTTP/2 connection, which has + its own disconnect handler. - If there's no condition the code that says if(time-passed >= TIME), then - Curl_expire_latest() is preferred to Curl_expire(). + I spotted this while debugging <https://bugzilla.redhat.com/1248389> + where the http_disconnect() handler was called on an FTP session handle + causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *) + was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in + Curl_add_buffer_free() after printing the "Connection cache is full, + closing the oldest one." message. - If there exists such a condition, it is on the other hand important that - Curl_expire() is used and not the other. + A previously working version of libcurl started to crash after it was + recompiled with the HTTP/2 support despite the HTTP/2 protocol was not + actually used. This commit makes it work again although I suspect the + root cause (reinterpreting session handle data of incompatible protocol) + still has to be fixed. Otherwise the same will happen when mixing FTP + and HTTP/2 connections and exceeding the connection cache limit. - Bug: http://curl.haxx.se/mail/lib-2014-06/0235.html - Reported-by: Florian Weimer + Reported-by: Tomas Tomecek + Bug: https://bugzilla.redhat.com/1248389 -- [Michael Wallner brought this change] +Daniel Stenberg (30 Jul 2015) +- [Viktor Szakats brought this change] - resolve: cache lookup for async resolvers - - While waiting for a host resolve, check if the host cache may have - gotten the name already (by someone else), for when the same name is - resolved by several simultanoues requests. + ABI doc: use secure URL + +- ABI: remove the ascii logo - The resolver thread occasionally gets stuck in getaddrinfo() when the - DNS or anything else is crappy or slow, so when a host is found in the - DNS cache, leave the thread alone and let itself cleanup the mess. + and made the indent level to 1 -Vilmos Nebehaj (30 Aug 2014) -- Fix CA certificate bundle handling in darwinssl. +- libcurl-multi.3: mention curl_multi_wait + + ... and some general rewordings to improve this docs. - If the --cacert option is used with a CA certificate bundle that - contains multiple CA certificates, iterate through it, adding each - certificate as a trusted root CA. + Reported-by: Tim Stack + + Closes #356 -Daniel Stenberg (29 Aug 2014) -- [Askar Safin brought this change] +Steve Holme (30 Jul 2015) +- maketgz: Fixed some VC makefiles missing from the release tarball + + VC7, VC11, VC12 and VC14 makefiles were missing from the release + tarball. - getinfo-times: Typo fixed +- RELEASE-NOTES: Synced with 2d7e165761 -- [Askar Safin brought this change] +- build: Added VC14 project files to Makefile.am - libcurl.3: Typo fixed +- build: Added VC14 project files + + Updates to Makefile.am for the generation of the project files in + the tarball to follow. -- curl_formadd.3: setting CURLFORM_CONTENTSLENGTH 0 zero means strlen +Jay Satiro (29 Jul 2015) +- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L -- curl.1: add an example for -H +Steve Holme (28 Jul 2015) +- generate.bat: Use lower-case for commands and reserved keywords + + Whilst there are no coding standards for the batch files used in curl, + most tend to use lower-case for keywords and upper-case for variables. -- FAQ: mention -w in the 4.20 answer as well +- build: Added initial VC14 support to generate.bat + + Visual Studio project files and updates to makefile.am to follow. -- FAQ: 4.20 curl doesn't return error for HTTP non-200 responses +- build: Fixed missing .opensdf files from VC10+ .gitignore files -- CURLOPT_NOBODY.3: clarify this option is for downloads - - When enabling CURLOPT_NOBODY, libcurl effectively switches off upload - mode and will do a download (without a body). This is now better - explained in this man page. +- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames - Bug: http://curl.haxx.se/mail/lib-2014-08/0236.html - Reported-by: John Coffey + This wasn't possible with the old curlsrc project filenames, but like + commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual + Studio macros for the output filenames. -- INTERNALS: nghttp2 must be 0.6.0 or later +- build: Renamed curl src Visual Studio project files + + Following commit 957fcd9049 and in preparation for adding the VC14 + project files renamed the curl source project files. -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (28 Jul 2015) +- [Jay Satiro brought this change] - Compile with latest nghttp2 + libcurl-thread.3: Revert to stricter handle wording + + .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS + handlers list. -Dan Fandrich (26 Aug 2014) -- THANKS: removed a few more duplicates +- [Jay Satiro brought this change] -Daniel Stenberg (26 Aug 2014) -- RELEASE-NOTES: synced with 007242257683a + libcurl-thread.3: Consolidate thread safety info - ... and bumped the contributor amount after recount + This is a new document to consolidate our thread safety information from + several documents (curl-www:features, libcurl.3, libcurl-tutorial.3). + Each document's section on multi-threading will now point to this one. -- THANKS: added 52 missing contributors +Steve Holme (27 Jul 2015) +- README: Corrected formatting for 'Legacy Windows and SSL' section - I re-ran contributors.sh on all changes since 7.10 and I found these - contributors who are mentioned in the commits but never were added to - THANKS before! - - I also removed a couple of duplicates (mostly due to different - spellings). + ...as well as some wording. -- contributors: grep and sort case insensitively +- build-openssl.bat: Added support for VC14 -- [Michael Osipov brought this change] +Daniel Stenberg (26 Jul 2015) +- RELEASE-NOTES: synced with 0f645adc95390e8 - configure.ac: Add support for recent GSS-API implementations for HP-UX +- test1902: attempt to make the test more reliable - By default, configure script assumes that libcurl will use the - HP-supplied GSS-API implementation which does not have krb5-config. - If a dev needs a more recent version which has that config script, - the change will allow to pass an appropriate GSSAPI_ROOT. + Closes #355 -- CONNECT: close proxy connections that fail to CONNECT - - This is usually due to failed auth. There's no point in us keeping such - a connection alive since it shouldn't be re-used anyway. - - Bug: http://curl.haxx.se/bug/view.cgi?id=1381 - Reported-by: Marcel Raad - -- RELEASE-NOTES: added two missing HTTP/2 bug fixes - - And renamed all http2 references to HTTP/2 in this file +- comment: fix comment about adding new option support -- RELEASE-NOTES: synced with f646e9075f47 +Jay Satiro (25 Jul 2015) +- build-openssl.bat: Show syntax if required args are missing -- [Jakub Zakrzewski brought this change] +Daniel Stenberg (26 Jul 2015) +- TODO: improve how curl works in a windows console window + + Closes #322 for now - Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows +- 1.11 minimize dependencies with dynamicly loaded modules - At this point I can build libcurl on windows. It provides at least the same - list of protocols as for linux build and works with our software. + Closes #349 for now -- [Jakub Zakrzewski brought this change] +Jay Satiro (25 Jul 2015) +- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS + + - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option. + + Broken by me several days ago in 172b2be. + https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b + + Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html + Reported-by: Dan Fandrich - Cmake: Removed repeated content from ending blocks +Daniel Stenberg (25 Jul 2015) +- configure: check if OpenSSL linking wants -ldl - They are unnecesary in modern CMake and removing them improves readability. + To make it easier to link with static versions of OpenSSL, the configure + script now checks if -ldl is needed for linking. + + Help-by: TJ Saunders -- [Jakub Zakrzewski brought this change] +- [Michael Kaufmann brought this change] - Cmake: Removed some useless empty SET statements. + HTTP: ignore "Content-Encoding: compress" - Undefined variables resolve to empty strings and we do not ever test if - the variable is defined thus those SETs are superfluous. + Currently, libcurl rejects responses with "Content-Encoding: compress" + when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should + treat the Content-Encoding "compress" the same as other + Content-Encodings that it does not support, e.g. "bzip2". That means + just ignoring it. -- [Jakub Zakrzewski brought this change] +- [Marcel Raad brought this change] - Cmake: Removed useless comments from CMakeLists.txt + openssl: work around MSVC warning - They look like some relics after changes. - -- [Jakub Zakrzewski brought this change] + MSVC 12 complains: + + lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local + variable 'verstr' used It's a false positive, but as it's normally not, + I have enabled warning-as-error for that warning. - Cmake: Don't check for all headers each time - - One header at a time is the right way. Apart from that the output on - windows goes from: - ... - -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h - -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h - - found - -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins - ock2.h - -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins - ock2.h - found - -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi - o.h - -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi - o.h - found - -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind - ows.h - -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind - ows.h - found - -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins - ock.h - -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins - ock.h - found - -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ - filio.h - -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ - filio.h - not found - -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ - ioctl.h - -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ - ioctl.h - not found - -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/ - resource.h - ... - - To much nicer: - ... - -- Looking for ws2tcpip.h - -- Looking for ws2tcpip.h - found - -- Looking for winsock2.h - -- Looking for winsock2.h - found - -- Looking for stdio.h - -- Looking for stdio.h - found - -- Looking for windows.h - -- Looking for windows.h - found - -- Looking for winsock.h - -- Looking for winsock.h - found - -- Looking for sys/filio.h - -- Looking for sys/filio.h - not found - -- Looking for sys/ioctl.h - -- Looking for sys/ioctl.h - not found - -- Looking for sys/resource.h +- [Michał Fita brought this change] -- [Jakub Zakrzewski brought this change] + configure: add --disable-rt option + + This option disables any attempts in configure to create dependency on + stuff requiring linking to librt.so and libpthread.so, in this case this + means clock_gettime(CLOCK_MONOTONIC, &mt). + + We were in need to build curl which doesn't link libpthread.so to avoid + the following bug: + https://sourceware.org/bugzilla/show_bug.cgi?id=16628. - Cmake: Append OpenSSL include directory to search path +Kamil Dudka (23 Jul 2015) +- http2: verify success of strchr() in http2_send() - At this point I can build libcurl with OpenSSL, OpenLDAP and LibSSH2. - Supported protocols are at least: - HTTP, HTTPS, FTP, SFTP, TFTP, LDAP, LDAPS, POP3, SMTP - (those are the ones we have regression tests for - in our product's testsuite) + Detected by Coverity. + + Error: NULL_RETURNS: + lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times). + lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr". + lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf". + 1300| + 1301| hdbuf = strchr(hdbuf, 0x0a); + 1302|-> ++hdbuf; + 1303| + 1304| authority_idx = 0; -- [Jakub Zakrzewski brought this change] +Jay Satiro (22 Jul 2015) +- Windows: Fix VerifyVersionInfo calls + + - Fix the VerifyVersionInfo calls, which we use to test for the OS major + version, to also test for the minor version as well as the service pack + major and minor versions. + + MSDN: "If you are testing the major version, you must also test the + minor version and the service pack major and minor versions." + + https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx + + Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098 + Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com> - Cmake: Search for liblber, LDAP SSL headers, swith for using OpenLDAP code. +- [Marcel Raad brought this change] -- [Jakub Zakrzewski brought this change] + schannel: Replace deprecated GetVersion with VerifyVersionInfo - Cmake: LibSSH2 detection and use. +Steve Holme (21 Jul 2015) +- makefile: Added support for VC14 -- [Jakub Zakrzewski brought this change] +Patrick Monnerat (21 Jul 2015) +- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings. - Cmake: Moved macros out of the main CMakeLists.txt +- libcurl: VERSIONINFO update + Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname + requires VERSIONINFO updating. -- [Jakub Zakrzewski brought this change] +- http2: satisfy external references even if http2 is not compiled in. - Cmake: Added missing protocol-disable switches +Daniel Stenberg (20 Jul 2015) +- http2: add stream != NULL checks for reliability - They already have their defines in config.h. This makes it possible to - disable the protocols from command line during configure step. + They should not trigger, but in case of internal problems we at least + avoid crashes this way. -- [Jakub Zakrzewski brought this change] +Jay Satiro (18 Jul 2015) +- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol - Cmake: Made boolean defines be defined to "1" instead of "ON" +- SSL: Add an option to disable certificate revocation checks - It's by convention, for compatibility and because the comments say so. - Just mabe someone have written a test like "#if HAVE_XX==1" - -- [Jakub Zakrzewski brought this change] + New tool option --ssl-no-revoke. + New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. + + Currently this option applies only to WinSSL where we have automatic + certificate revocation checking by default. According to the + ssl-compared chart there are other backends that have automatic checking + (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at + some later point. + + Bug: https://github.com/bagder/curl/issues/264 + Reported-by: zenden2k <zenden2k@gmail.com> - Cmake: Require at least CMake 2.8. +- runtests: Allow for spaces in curl custom path - CMake 2.6 is already a bit old. Many bugs have been fixed since - its release. We use 2.8 in our company and we have no intention - of polluting our environment with old software, so 2.6 would - not be tested. This shouldn't be a problem since all one need - to build CMake from source is C and C++ compiler. + .. also fix some typos in test's FILEFORMAT spec. -- disconnect: don't touch easy-related state on disconnects +- [David Woodhouse brought this change] + + ntlm_wb: Fix theoretical memory leak - This was done to make sure NTLM state that is bound to a connection - doesn't survive and gets used for the subsequent request - but - disconnects can also be done to for example make room in the connection - cache and thus that connection is not strictly related to the easy - handle's current operation. + Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix + hard-coded limit on NTLM auth packet size") introduced a potential + memory leak on an error path, because we forget to free the buffer + before returning an error. - The http authentication state is still kept in the easy handle since all - http auth _except_ NTLM is connection independent and thus survive over - multiple connections. + Fix this. - Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html - Reported-by: Paras S - -- curl.1: clarify --limit-rate's effect on both directions + Although actually, it never happens in practice because we never *get* + here with state == NTLMSTATE_TYPE1. The state is always zero. That + might want cleaning up in a separate patch. - Bug: http://curl.haxx.se/bug/view.cgi?id=1414 - Reported-by: teo8976 + Reported-by: Terri Oda -- curl.1: mention the --post30x options within the --location desc +- strerror: Add CRYPT_E_REVOKED to SSPI error strings -Dan Fandrich (22 Aug 2014) -- sasl: Fixed a memory leak on OOM +Kamil Dudka (14 Jul 2015) +- libtest: call PR_Cleanup() on exit if NSPR is used + + This prevents valgrind from reporting possibly lost memory that NSPR + uses for file descriptor cache and other globally allocated internal + data structures. + + Reported-by: Štefan Kremeň -Daniel Stenberg (22 Aug 2014) -- [Frank Meier brought this change] +Jay Satiro (14 Jul 2015) +- [John Malmberg brought this change] - NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth + openssl: VMS support for SHA256 - Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed - since NTLM requires multiple requests that re-use the same connection - for the authentication to work + setup-vms.h: More symbols for SHA256, hacks for older VAX - Solution: Ignore the forbid reuse flag in case the NTLM authentication - handshake is in progress, according to the NTLM state flag. + openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX. - Fixed known bug #77. + openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to + allow building on VAX and 64 bit VMS. -Steve Holme (22 Aug 2014) -- openssl.c: Fixed longer than 79 columns +- examples: Fix typo in multi-single.c -- openssl.c: Fixed compilation warning - - warning: declaration of 'minor' shadows a global declaration +Daniel Stenberg (7 Jul 2015) +- [Tatsuhiro Tsujikawa brought this change] + + http2: Fix memory leak in push header array + +Dan Fandrich (2 Jul 2015) +- test2041: fixed line endings in protocol part + +- cyassl: fixed mismatched sha256sum function prototype + +Daniel Stenberg (1 Jul 2015) +- [moparisthebest brought this change] + + SSL: Pinned public key hash support -Daniel Stenberg (21 Aug 2014) -- [Haris Okanovic brought this change] +- examples: provide <DESC> sections - win32: Fixed WinSock 2 #if +- [John Malmberg brought this change] + + OpenVMS: VMS Software, Inc now the supplier. - A conditionally compiled block in connect.c references WinSock 2 - symbols, but used `#ifdef HAVE_WINSOCK_H` instead of `#ifdef - HAVE_WINSOCK2_H`. + setup-vms.h: Symbol case fixups submitted by Michael Steve - Bug: http://curl.haxx.se/mail/lib-2014-08/0155.html + build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the + supplier of new versions of VMS. The install kit needs to accept + VSI as a producer. -- Curl_disconnect: don't free the URL +Jay Satiro (30 Jun 2015) +- multi: Move http2 push function declarations to header end - The URL is not a property of the connection so it should not be freed in - the connection disconnect but in the Curl_close() that frees the easy - handle. + This change necessary for binary compatibility. - Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html - Reported-by: Paras S + Prior to this change test 1135 failed due to the order of functions. -- help output: minor whitespace edits +- symbols-in-versions: Add new http2 push symbols - Should've been amended in the previous commit but wasn't due to a - mistake. + Prior to this change test 1119 failed due to the missing symbols. -- [Zearin brought this change] +Daniel Stenberg (30 Jun 2015) +- RELEASE-NOTES: synced with e6749055d653 - help output: use ≥2 spaces between option and description +- configure: disable libidn by default - ... and some other cleanups - -- FAQ: some actually sometimes get paid... + For security reasons, until there is a fix. + + Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html + Reported-by: Gustavo Grieco, Feist Josselin -Steve Holme (17 Aug 2014) -- sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge +- SSL-PROBLEMS: mention WinSSL problems in WinXP -- sasl_sspi: Renamed GSSAPI mutual authentication parameter +- CODE_OF_CONDUCT.md: added - ...From "mutual" to "mutual_auth" which better describes what it is. + Just to underscore how we treat each other in this project. Nothing new + really, but could be useful for newcomers and outsiders to see our + values. -- sasl_sspi: Corrected some of the GSSAPI security message error codes +- tool_header_cb: fflush the header stream - Corrected a number of the error codes that can be returned from the - Curl_sasl_create_gssapi_security_message() function when things go - wrong. + Flush the header stream when -D is used so that they are sent off + earlier. - It makes more sense to return CURLE_BAD_CONTENT_ENCODING when the - inbound security challenge can't be decoded correctly or doesn't - contain the KERB_WRAP_NO_ENCRYPT flag and CURLE_OUT_OF_MEMORY when - EncryptMessage() fails. Unfortunately the previous error code of - CURLE_RECV_ERROR was a copy and paste mistakes on my part and should - have been correct in commit 4b491c675f :( + Bug: https://github.com/bagder/curl/issues/324 + Reported-by: Cédric Connes -- docs: Escaped single backslash +- [Roger Leigh brought this change] -- TODO: Updated following GSSAPI (Kerberos V5) additions - - Updated "FTP 4.6 GSSAPI via Windows SSPI" and "SASL 14.1 Other - authentication mechanisms" following recent additions. - - Added SASL 14.2 GSSAPI via GSS-API libraries. + tests: Distribute CMakeLists.txt files in subdirectories -- CURLOPT_USERNAME.3: Added Kerberos V5 and NTLM domain information +- CURLOPT_FAILONERROR.3: mention that it closes the connection - This repeats what has already been documented in both the curl manpage - and CURLOPT_USERPWD documentation but is provided here for completeness - as someone may not especially read the latter when using libcurl. + Reported-by: bemoody + Bug: https://github.com/bagder/curl/issues/325 -- CURLOPT_USERPWD.3: Updated following Kerberos V5 SSPI changes - - Added information about Kerberos V5 requiring the domain part in the - user name. +- curl_multi_setopt.3: alpha sort the options + +- curl_multi_setopt.3: add the new push options + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Use nghttp2 library error code for error return value + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Harden header validation for curl_pushheader_byname - Mentioned that the user name can be specified in UPN format, and not - just in Down-Level Logon Name format, following the information - added in commit 7679cb3fa8 reworking the exisitng information in the - process. + Since we do prefix match using given header by application code + against header name pair in format "NAME:VALUE", and VALUE part can + contain ":", we have to careful about existence of ":" in header + parameter. ":" should be allowed to match HTTP/2 pseudo-header field, + and other use of ":" in header must be treated as error, and + curl_pushheader_byname should return NULL. This commit implements + this behaviour. -- docs: Added Kerberos V5 and NTLM domain information to --user +- [Tatsuhiro Tsujikawa brought this change] -- docs: Added Kerberos V5 to the --user SSPI current credentials usage + CURLMOPT_PUSHFUNCTION.3: Remove unused variable -- sasl_sspi: Tell the server we don't support a GSSAPI receive buffer +- CURLMOPT_PUSHFUNCTION.3: added example -- smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI +- http2: curl_pushheader_byname now takes a const char * -- pop3: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI +- http2-serverpush.c: example code -- imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI +- http2: free all header memory after the push callback -- email: Added mutual authentication flag +- http2: init the pushed transfer properly -Daniel Stenberg (15 Aug 2014) -- RELEASE-NOTES: synced with 0187c9e11d079 +- http2: fixed the header accessor functions for the push callback -- http: fix the Content-Range: parser - - ... to handle "*/[total]". Also, removed the strange hack that made - CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return - CURLE_OK. - - Reported-by: Dimitrios Siganos - Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html +- http2: setup the new pushed stream properly -Steve Holme (14 Aug 2014) -- email: Introduced the GSSAPI states +- http2: initial implementation of the push callback -- curl_sasl_sspi.c: Fixed more compilation warnings from commit 4b491c675f - - warning: unused variable 'resp' +- http2: initial HTTP/2 server push types/docs + +- test1531: verify POSTFIELDSIZE set after add_handle - warning: no previous prototype for 'Curl_sasl_gssapi_cleanup' + Following the fix made in 903b6e05565bf. -- SHA-1: 61c93383b7f6cf79d12ff99e9dced1d1cc2a7064 +- pretransfer: init state.infilesize here, not in add_handle - * curl_sasl_sspi.c: Fixed compilation warning from commit 4b491c675f + ... to properly support that options are set to the handle after it is + added to the multi handle. - warning: declaration of 'result' shadows a previous local + Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html + Reported-by: Stefan Bühler + +Jay Satiro (21 Jun 2015) +- [Lior Kaplan brought this change] -- curl_sasl.h: Fixed compilation error from commit 4b491c675f + tool_help: fix --tlsv1 help text to use >= for TLSv1 + +- INSTALL: Advise use of non-native SSL for Windows <= XP - warning: 'struct kerberos5data' declared inside parameter list + Advise that WinSSL in versions <= XP will not be able to connect to + servers that no longer support the legacy handshakes and algorithms used + by those versions, and to use an alternate backend like OpenSSL instead. - Due to missing forward declaration. + Bug: https://github.com/bagder/curl/issues/253 + Reported-by: zenden2k <zenden2k@gmail.com> -- urldata.h: Fixed compilation warnings from commit 3ec253532e +Kamil Dudka (19 Jun 2015) +- curl_easy_setopt.3: restore contents removed by mistake - warning: extra tokens at end of #endif directive + ... in commit curl-7_43_0-18-g570076e -- sasl_sspi: Added GSSAPI message functions +Daniel Stenberg (19 Jun 2015) +- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT -- urldata: Introduced a GSSAPI (Kerberos V5) data structure +Jay Satiro (18 Jun 2015) +- cookie: Fix bug in export if any-domain cookie is present - Added a kerberos5data structure which is similar in nature to the - ntlmdata and negotiatedata structures. + In 3013bb6 I had changed cookie export to ignore any-domain cookies, + however the logic I used to do so was incorrect, and would lead to a + busy loop in the case of exporting a cookie list that contained + any-domain cookies. The result of that is worse though, because in that + case the other cookies would not be written resulting in an empty file + once the application is terminated to stop the busy loop. + +Dan Fandrich (18 Jun 2015) +- FTP: fixed compiling with --disable-proxy, broken in b88f980a -- sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module +Daniel Stenberg (18 Jun 2015) +- tool: always provide negotiate/kerberos options - In preparation for the upcoming SSPI implementation of GSSAPI - authentication, moved the definition of KERB_WRAP_NO_ENCRYPT from - socks_sspi.c to curl_sspi.h allowing it to be shared amongst other - SSPI based code. + libcurl can still be built with it, even if the tool is not. Maintain + independence! -Daniel Stenberg (13 Aug 2014) -- mk-ca-bundle.pl: add missing $ +- TODO: Support IDNA2008 -- mk-ca-bundle.pl: switched to using hg.mozilla.org +- [Viktor Szakats brought this change] + + Makefile.m32: add support for CURL_LDFLAG_EXTRAS - ... as mxr.mozilla.org is due to be retired. + It is similar to existing CURL_CFLAG_EXTRAS, but for + extra linker option. + +- RTSP: removed another piece of dead code - The new host doesn't support If-Modified-Since nor ETags, meaning that - the script will now defer to download and do a post-transfer checksum - check to see if a new output is to be generated. The new output format - will hold the SHA1 checksum of the source file for that purpose. + Coverity CID 1306668 + +- openssl: fix use of uninitialized buffer - We call this version 1.22 + Make sure that the error buffer is always initialized and simplify the + use of it to make the logic easier. - Reported-by: Ed Morley - Bug: http://curl.haxx.se/bug/view.cgi?id=1409 + Bug: https://github.com/bagder/curl/issues/318 + Reported-by: sneis -- [Jose Alf brought this change] +- examples: more descriptions - openssl: fix version report for the 0.9.8 branch +- examples: add descriptions with <DESC> - Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8, - starting from openssl-0.9.8za. + Using this fixed format for example descriptions, we can generate a + better list on the web site. -- [Frank Meier brought this change] +- libcurl-errors.3: fix typo - create_conn: prune dead connections - - Bringing back the old functionality that was mistakenly removed when the - connection cache was remade. When creating a new connection, all the - existing ones are checked and those that are known to be dead get - disconnected for real and removed from the connection cache. It helps - the cache from holding on to very many stale connections and aids in - keeping down the number of system sockets in wait states. - - Help-by: Jonatan Vela <jonatan.vela@ergon.ch> - - Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html +- curl_easy_setopt.3: option order doesn't matter -Kamil Dudka (11 Aug 2014) -- docs/SSLCERTS: update the section about NSS database +- openssl: fix build with BoringSSL - Bug: http://curl.haxx.se/mail/lib-2014-07/0335.html - Reported-by: David Shaw + OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression + from cae43a1 -Daniel Stenberg (11 Aug 2014) -- [Peter Wang brought this change] +- [Paul Howarth brought this change] - Curl_poll + Curl_wait_ms: fix timeout return value + openssl: Fix build with openssl < ~ 0.9.8f - Curl_poll and Curl_wait_ms require the fix applied to Curl_socket_check - in commits b61e8b8 and c771968: + The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at + around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks + builds with older openssls (certainly with 0.9.8b, which is the latest + older version I have to try with). + +- FTP: do the HTTP CONNECT for data connection blocking + + ** WORK-AROUND ** + + The introduced non-blocking general behaviour for Curl_proxyCONNECT() + didn't work for the data connection establishment unless it was very + fast. The newly introduced function argument makes it operate in a more + blocking manner, more like it used to work in the past. This blocking + approach is only used when the FTP data connecting through HTTP proxy. + + Blocking like this is bad. A better fix would make it work more + asynchronously. - When poll or select are interrupted and coincides with the timeout - elapsing, the functions return -1 indicating an error instead of 0 for - the timeout. + Bug: https://github.com/bagder/curl/issues/278 -Steve Holme (10 Aug 2014) -- config-tpf.h: Fixed up line lengths > 79 characters +- bump: start the journey toward 7.44.0 -- config-symbian.h: Fixed up line lengths > 79 characters +Jay Satiro (17 Jun 2015) +- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes -- tool_hugehelp.c.cvs: Added copyright - - Added copyright due to warning from checksrc.pl. +- CURLOPT_ERRORBUFFER.3: Improve example -- RELEASE-NOTES: Synced with cd6ecf6a89 +Version 7.43.0 (17 Jun 2015) -- sasl_sspi: Fixed hard coded buffer for response generation - - Given the SSPI package info query indicates a token size of 4096 bytes, - updated to use a dynamic buffer for the response message generation - rather than a fixed buffer of 1024 bytes. +Daniel Stenberg (17 Jun 2015) +- RELEASE-NOTES: 7.43.0 release -- sasl_sspi: Fixed missing free of challenge buffer on SPN failure +- THANKS: updated with 7.43.0 names -- http_negotiate_sspi: Tidy up to remove the get_gss_name() function - - Due to the reduction of code in commit 3b924b29 of get_gss_name() the - function isn't necessary anymore. +- [Kamil Dudka brought this change] -- http_negotiate_sspi: Use a dynamic buffer for SPN generation + http: do not leak basic auth credentials on re-used connections + + CVE-2015-3236 - Updated to use a dynamic buffer for the SPN generation via the recently - introduced Curl_sasl_build_spn() function rather than a fixed buffer of - 1024 characters, which should have been more than enough, but by using - the new function removes the need for another variable sname to do the - wide character conversion in Unicode builds. + This partially reverts commit curl-7_39_0-237-g87c4abb + + Reported-by: Tomas Tomecek, Kamil Dudka + Bug: http://curl.haxx.se/docs/adv_20150617A.html -- sasl: Tidy up to rename SPN variable from URI +- [Kamil Dudka brought this change] -- sasl: Use a dynamic buffer for SPN generation - - Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer - for the SPN generation via the recently introduced Curl_sasl_build_spn() - function rather than a fixed buffer of 128 characters. + test2040: verify basic auth on re-used connections -- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds +- SMB: rangecheck values read off incoming packet - Curl_sasl_create_digest_md5_message() would simply cast the SPN variable - to a TCHAR when calling InitializeSecurityContext(). This meant that, - under Unicode builds, it would not be valid wide character string. + CVE-2015-3237 - Updated to use the recently introduced Curl_sasl_build_spn() function - which performs the correct conversion for us. + Detected by Coverity. CID 1299430. + + Bug: http://curl.haxx.se/docs/adv_20150617B.html -- sasl: Introduced Curl_sasl_build_spn() for building a SPN +Jay Satiro (17 Jun 2015) +- schannel: schannel_recv overhaul - Various parts of the libcurl source code build a SPN for inclusion in - authentication data. This information is either used by our own native - generation routines or passed to authentication functions in third-party - libraries such as SSPI. However, some of these instances use fixed - buffers rather than dynamically allocated ones and not all of those that - should, convert to wide character strings in Unicode builds. + This commit is several drafts squashed together. The changes from each + draft are noted below. If any changes are similar and possibly + contradictory the change in the latest draft takes precedence. - Implemented a common function that generates a SPN and performs the - wide character conversion where necessary. - -- sasl_sspi: Fixed memory leak with not releasing Package Info struct + Bug: https://github.com/bagder/curl/issues/244 + Reported-by: Chris Araman - Curl_sasl_create_digest_md5_message() wouldn't free the Package Info - structure after QuerySecurityPackageInfo() had allocated it. - -- [Michael Osipov brought this change] - - docs: Update SPNEGO and GSS-API related doc sections + %% + %% Draft 1 + %% + - return 0 if len == 0. that will have to be documented. + - continue on and process the caches regardless of raw recv + - if decrypted data will be returned then set the error code to CURLE_OK + and return its count + - if decrypted data will not be returned and the connection has closed + (eg nread == 0) then return 0 and CURLE_OK + - if decrypted data will not be returned and the connection *hasn't* + closed then set the error code to CURLE_AGAIN --only if an error code + isn't already set-- and return -1 + - narrow the Win2k workaround to only Win2k - Reflect recent changes in SPNEGO and GSS-API code in the docs. - Update them with appropriate namings and remove visible spots for - GSS-Negotiate. - -- sspi: Minor code tidy up to standardise coding style + %% + %% Draft 2 + %% + - Trying out a change in flow to handle corner cases. - Following the recent changes and in attempt to align the SSPI based - authentication code performed the following: + %% + %% Draft 3 + %% + - Back out the lazier decryption change made in draft2. - * Use NULL and SECBUFFVERSION rather than hard coded constants. - * Avoid comparison of zero in if statements. - * Standardised the buf and desc setup code. - -- schannel: Fixed compilation warning in vtls.c + %% + %% Draft 4 + %% + - Some formatting and branching changes + - Decrypt all encrypted cached data when len == 0 + - Save connection closed state + - Change special Win2k check to use connection closed state - vtls.c:688:43: warning: unused parameter 'data' - -- tool_getparam.c: Fixed compilation warning + %% + %% Draft 5 + %% + - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the + connection isn't closed. - warning: `orig_opt' might be used uninitialized in this function - -- RELEASE-NOTES: Synced with 159c3aafd8 - -Daniel Stenberg (8 Aug 2014) -- curl_ntlm_msgs: make < 80 columns wide - -Steve Holme (8 Aug 2014) -- ntlm: Fixed hard coded buffer for SSPI based auth packet generation + %% + %% Draft 6 + %% + - Save the last error only if it is an unrecoverable error. + + Prior to this I saved the last error state in all cases; unfortunately + the logic to cover that in all cases would lead to some muddle and I'm + concerned that could then lead to a bug in the future so I've replaced + it by only recording an unrecoverable error and that state will persist. + + - Do not recurse on renegotiation. + + Instead we'll continue on to process any trailing encrypted data + received during the renegotiation only. + + - Move the err checks in cleanup after the check for decrypted data. + + In either case decrypted data is always returned but I think it's easier + to understand when those err checks come after the decrypted data check. + + %% + %% Draft 7 + %% + - Regardless of len value go directly to cleanup if there is an + unrecoverable error or a close_notify was already received. Prior to + this change we only acknowledged those two states if len != 0. + + - Fix a bug in connection closed behavior: Set the error state in the + cleanup, because we don't know for sure it's an error until that time. + + - (Related to above) In the case the connection is closed go "greedy" + with the decryption to make sure all remaining encrypted data has been + decrypted even if it is not needed at that time by the caller. This is + necessary because we can only tell if the connection closed gracefully + (close_notify) once all encrypted data has been decrypted. - Given the SSPI package info query indicates a token size of 2888 bytes, - and as with the Winbind code and commit 9008f3d56, use a dynamic buffer - for the Type-1 and Type-3 message generation rather than a fixed buffer - of 1024 bytes. + - Do not renegotiate when an unrecoverable error is pending. + + %% + %% Draft 8 + %% + - Don't show 'server closed the connection' info message twice. + + - Show an info message if server closed abruptly (missing close_notify). -- ntlm: Added support for SSPI package info query +Daniel Stenberg (16 Jun 2015) +- [Paul Oliver brought this change] + + Fix typo in docs - Just as with the SSPI implementations of Digest and Negotiate added a - package info query so that libcurl can a) return a more appropriate - error code when the NTLM package is not supported and b) it can be of - use later to allocate a dynamic buffer for the Type-1 and Type-3 - output tokens rather than use a fixed buffer of 1024 bytes. + s/curret/current/ -Daniel Stenberg (7 Aug 2014) -- http2: added some more logging for debugging stream problems +- [Viktor Szakats brought this change] -- [Tatsuhiro Tsujikawa brought this change] + docs: update URLs - HTTP/2: Reset promised stream, not its associated stream. +- RELEASE-NOTES: synced with f29f2cbd00dbe5f -- [Tatsuhiro Tsujikawa brought this change] +- [Viktor Szakats brought this change] - HTTP/2: Move :authority before non-pseudo header fields + README: use secure protocol for Git repository -- http2: show the received header for better debugging +- [Viktor Szakats brought this change] -- openssl: replace call to OPENSSL_config - - OPENSSL_config() is "strongly recommended" to use but unfortunately that - function makes an exit() call on wrongly formatted config files which - makes it hard to use in some situations. OPENSSL_config() itself calls - CONF_modules_load_file() and we use that instead and we ignore its - return code! - - Reported-by: Jan Ehrhardt - Bug: http://curl.haxx.se/bug/view.cgi?id=1401 + HTTP2.md: use SSL/TLS IETF URLs -Dan Fandrich (7 Aug 2014) -- [Fabian Keil brought this change] +- [Viktor Szakats brought this change] - runtests.pl: Pad test case numbers with up to three zeroes + LICENSE-MIXING: update URLs - Test case numbers with four digits have been available for a - while now. - -Steve Holme (7 Aug 2014) -- docs: Added Negotiate to the SSPI current credentials usage description + * use SSL/TLS where available + * follow permanent redirects -- TODO: HTTP Digest via Windows SSPI +- LICENSE-MIXING: refreshed -- TODO: FTP GSSAPI via Windows SSPI +- curl_easy_duphandle: see also *reset -- http_negotiate_sspi: Fixed specific username and password not working +- rtsp_do: fix DEAD CODE - Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html - Reported-by: Leonardo Rosati - -- http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8 + "At condition p_request, the value of p_request cannot be NULL." - If the server rejects our authentication attempt and curl hasn't - called CompleteAuthToken() then the status variable will be - SEC_I_CONTINUE_NEEDED and not SEC_E_OK. + Coverity CID 1306668. + +- security:choose_mech fix DEAD CODE warning - As such the existing detection mechanism for determining whether or not - the authentication process has finished is not sufficient. + ... by removing the "do {} while (0)" block. - However, the WWW-Authenticate: Negotiate header line will not contain - any data when the server has exhausted the negotiation, so we can use - that coupled with the already allocated context pointer. - -Daniel Stenberg (5 Aug 2014) -- RELEASE-NOTES: synced with 5b37db44a3eb - -Dan Fandrich (5 Aug 2014) -- parsedate.c: fix the return code for an overflow edge condition + Coverity CID 1306669 -Daniel Stenberg (5 Aug 2014) -- [Toby Peterson brought this change] +- curl.1: netrc is in man section 5 - darwinssl: don't use strtok() +- curl.1: small format fix - The GetDarwinVersionNumber() function uses strtok, which is not - thread-safe. + use \fI-style instead of .BR for references -- Curl_ossl_version: adapted to detect BoringSSL +- urldata: store POST size in state.infilesize too - This seems to be the way it should work. Right now we can't build with - BoringSSL and try this out properly due to a minor API breakage. - -- Curl_ossl_version: detect and show libressl + ... to simplify checking when PUT _or_ POST have completed. - LibreSSL is otherwise OpenSSL API compliant (so far) + Reported-by: Frank Meier + Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html -- [Tatsuhiro Tsujikawa brought this change] +Dan Fandrich (14 Jun 2015) +- test1530: added http to required features - HTTP/2: Fix infinite loop in readwrite_data() - - To prevent infinite loop in readwrite_data() function when stream is - reset before any response body comes, reset closed flag to false once - it is evaluated to true. +Jay Satiro (14 Jun 2015) +- [Drake Arconis brought this change] -Dan Fandrich (3 Aug 2014) -- gtls: only define Curl_gtls_seed if Nettle is not being used + build: Fix typo from OpenSSL 1.0.2 version detection fix -- ssl: provide Curl_ssl_backend even if no SSL library is available +- [Drake Arconis brought this change] -Daniel Stenberg (2 Aug 2014) -- [Tatsuhiro Tsujikawa brought this change] + build: Properly detect OpenSSL 1.0.2 when using configure - HTTP2: Support expect: 100-continue - - "Expect: 100-continue", which was once deprecated in HTTP/2, is now - resurrected in HTTP/2 draft 14. This change adds its support to - HTTP/2 code. This change also includes stricter header field - checking. +- curl_multi_info_read.3: fix example formatting -- CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it +Daniel Stenberg (13 Jun 2015) +- BINDINGS: there's a new R binding in town! -- FEATURES: minor update +- BINDINGS: added the Xojo binding -- openssl: make ossl_send return CURLE_OK better - - Previously it only returned a CURLcode for errors, which is when it - returns a different size than what was passed in to it. +Jay Satiro (11 Jun 2015) +- [Joel Depooter brought this change] + + schannel: Add support for optional client certificates - The http2 code only checked the curlcode and thus failed. + Some servers will request a client certificate, but not require one. + This change allows libcurl to connect to such servers when using + schannel as its ssl/tls backend. When a server requests a client + certificate, libcurl will now continue the handshake without one, + rather than terminating the handshake. The server can then decide + if that is acceptable or not. Prior to this change, libcurl would + terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS + error. -- RELEASE-NOTES: synced with 7bb4c8cadb5d0 +Daniel Stenberg (11 Jun 2015) +- curl_easy_cleanup.3: provide more SEE ALSO -- [Michael Wallner brought this change] +- debug: remove http2 debug leftovers - CURLOPT_HEADEROPT.3: typo: do -> to +- VERSIONS: now using markdown -- [Marcel Raad brought this change] +- RELEASE-PROCEDURE: remove ascii logo at the top of file + +- INTERNALS: absorbed docs/LIBCURL-STRUCTS - schannel: use CryptGenRandom for random numbers +- INTERNALS: cat lib/README* >> INTERNALS - This function is available for every Windows version since Windows 95/NT. + and a conversion to markdown. Removed the lib/README.* files. The idea + being to move toward having INTERNALS as the one and only "book" of + internals documentation. - reference: - http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx + Added a TOC to top of the document. -- curl_version_info.3: 'ssl_version_num' is always 0 +Jay Satiro (8 Jun 2015) +- openssl: LibreSSL and BoringSSL do not use TLS_client_method - ... and has been so since 2005 - -- ssl: generalize how the ssl backend identifier is set + Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of + TLS_client_method LibreSSL and BoringSSL didn't and still use + SSLv23_client_method. - Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS - one which was missing previously. + Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 + Reported-by: asavah@users.noreply.github.com -Dan Fandrich (31 Jul 2014) -- axtls: define curlssl_random using axTLS's PRNG +Daniel Stenberg (9 Jun 2015) +- RELEASE-NOTES: synced with 20ac3458068 -- cyassl: fix the test for ASN_NO_SIGNER_E +- CURLOPT_OPENSOCKETFUNCTION: return error at once + + When CURL_SOCKET_BAD is returned in the callback, it should be treated + as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently + created when trying to connect to a server. - It's an enum so a macro test won't work. The CyaSSL changelog doesn't - say exactly when this error code was introduced, but it's likely - to be 2.7.0. + Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html -- cyassl: use RNG_GenerateBlock to generate a good random number +- fopen.c: fix a few compiler warnings -- opts: fixed some typos +- [Ville Skyttä brought this change] -- smtp: fixed a segfault during test 1320 torture test - - Under these circumstances, the connection hasn't been fully established - and smtp_connect hasn't been called, yet smtp_done still calls the state - machine which dereferences the NULL conn pointer in struct pingpong. + docs: Spelling fixes -Daniel Stenberg (30 Jul 2014) -- vtls: repair build without TLS support - - ... by defining Curl_ssl_random() properly +- [Ville Skyttä brought this change] -- polarssl: provide a (weak) random function - - This now provides a weak random function since PolarSSL doesn't have a - quick and easy way to provide a good one. It does however provide the - framework to make one so it _can_ and _should_ be done... + docs: man page indentation and syntax fixes -- [Michael Wallner brought this change] +Linus Nielsen (8 Jun 2015) +- help: Add --proxy-service-name and --service-name to the --help output - curl_tlsinfo -> curl_tlssessioninfo +Jay Satiro (7 Jun 2015) +- openssl: Fix verification of server-sent legacy intermediates + + - Try building a chain using issuers in the trusted store first to avoid + problems with server-sent legacy intermediates. + + Prior to this change server-sent legacy intermediates with missing + legacy issuers would cause verification to fail even if the client's CA + bundle contained a valid replacement for the intermediate and an + alternate chain could be constructed that would verify successfully. + + https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest -- cyassl: use the default (weeker) random +Daniel Stenberg (5 Jun 2015) +- BINDINGS: update several URLs - I couldn't find any dedicated function in its API to get a "good" random - with. + Stop linking to the curl.haxx.se anchor pages, they are usually only + themselves pointers to the real page so better point there directly + instead. + +- BINDINGS: the curl-rust binding -- cyassl: made it compile with version 2.0.6 again +- curl.h: add CURL_HTTP_VERSION_2 - ASN_NO_SIGNER_E didn't exist back then! + The protocol is named "HTTP/2" after all. It is an alias for the + existing CURL_HTTP_VERSION_2_0 enum. -- vtls: make the random function mandatory in the TLS backend +- openssl: removed error string #ifdef - To force each backend implementation to really attempt to provide proper - random. If a proper random function is missing, then we can explicitly - make use of the default one we use when TLS support is missing. + ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore + +- openssl: removed USERDATA_IN_PWD_CALLBACK kludge - This commit makes sure it works for darwinssl, gnutls, nss and openssl. + Code for OpenSSL 0.9.4 serves no purpose anymore! -- libcurl.m4: include the standard source header +- openssl: remove SSL_get_session()-using code - ... with permission from David Shaw + It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or + later. -Kamil Dudka (28 Jul 2014) -- nss: do not check the version of NSS at run time +- openssl: remove dummy callback use from SSL_CTX_set_verify() - The minimal required version of NSS is 3.14.x so it does not make sense - to check for NSS 3.12.0+ at run time. + The existing callback served no purpose. -Daniel Stenberg (28 Jul 2014) -- [Anthon Pang brought this change] +- LIBCURL-STRUCTS: clarify for multiplexing - curl.h: bring back CURLE_OBSOLETE16 +Jay Satiro (3 Jun 2015) +- cookie: Stop exporting any-domain cookies - Removing defines, even obsolete ones that haven't been used for a very - long time, still break a lot of applications. + Prior to this change any-domain cookies (cookies without a domain that + are sent to any domain) were exported with domain name "unknown". - Bug: https://github.com/bagder/curl/pull/106 + Bug: https://github.com/bagder/curl/issues/292 -Dan Fandrich (26 Jul 2014) -- [Fabian Keil brought this change] +Daniel Stenberg (3 Jun 2015) +- RELEASE-PROCEDURE: refreshed 'coming dates' - tests: Fix a couple of incomplete response lines +Jay Satiro (2 Jun 2015) +- curl_setup: Change fopen text macros to use 't' for MSDOS + + Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198 + Reported-by: Gisle Vanem -- [Fabian Keil brought this change] +Daniel Stenberg (2 Jun 2015) +- curl_multi_timeout.3: added example - runtests.pl: Remove filteroff() which hasn't been used since 2001 +- curl_multi_perform.3: added example -- [Fabian Keil brought this change] +- curl_multi_info_read.3: added example - runtests.pl: Don't expect $TESTDIR/DISABLED to exist +- checksrc: detect fopen() for text without the FOPEN_* macros - If a non-standard $TESTDIR is used the file may not be necessary. + Follow-up to e8423f9ce150 with discussionis in + https://github.com/bagder/curl/pull/258 - Previously a "missing" file resulted in the warning: - readline() on closed filehandle D at ./runtests.pl line 4940. - -- [Fabian Keil brought this change] + This check scans for fopen() with a mode string without 'b' present, as + it may indicate that an FOPEN_* define should rather be used. - getpart.pm: Fix a comment typo +- curl_getdate.3: update RFC reference -Daniel Stenberg (25 Jul 2014) -- c-ares: fix build without IPv6 support +Jay Satiro (1 Jun 2015) +- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT - Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html - Reported-by: Spork Schivago + - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" + - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" + + This change is to explicitly specify when we need to read/write text. + Unfortunately 't' is not part of POSIX fopen so we can't specify it + directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. + + Prior to this change we had an issue on Windows if an application that + uses libcurl overrides the default file mode to binary. The default file + mode in Windows is normally text mode (translation mode) and that's what + libcurl expects. + + Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 + Reported-by: Orgad Shaneh -- Curl_base64url_encode: unit-tested in 1302 +Daniel Stenberg (1 Jun 2015) +- http2-upload.c: use PIPEWAIT for playing HTTP/2 better -- base64: added Curl_base64url_encode() - - This is now used by the http2 code. It has two different symbols at the - end of the base64 table to make the output "url safe". +- http2-download: check for CURLPIPE_MULTIPLEX properly - Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62 + Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html + Reported-by: Rafayel Mkrtchyan -- [Marcel Raad brought this change] +- [Isaac Boukris brought this change] - SSPI Negotiate: Fix 3 memory leaks + HTTP-NTLM: fail auth on connection close instead of looping - Curl_base64_decode allocates the output string by itself and two other - strings were not freed either. + Bug: https://github.com/bagder/curl/issues/256 -- symbols: CURL_VERSION_GSSNEGOTIATE is deprecated +- 5.6 Refuse "downgrade" redirects -- test1013.pl: GSS-Negotiate doesn't exist as a feature anymore +- README.pingpong: removed -- [Sergey Nikulov brought this change] +- ROADMAP: remove HTTP/2 multiplexing - its here now - libtest: fixed duplicated line in Makefile - - Bug: https://github.com/bagder/curl/pull/105 +- HTTP2.md: formatted properly -Patrick Monnerat (23 Jul 2014) -- GSSAPI: remove useless *_MECHANISM defines. +- HTTP2: moved docs into docs/ and make it markdown -Daniel Stenberg (23 Jul 2014) -- findprotocol: show unsupported protocol within quotes - - ... to aid when for example prefixed with a space or other weird - character. +- README.http2: refreshed and added multiplexing info -Patrick Monnerat (23 Jul 2014) -- GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date. +- dist: add the http2 examples -Daniel Stenberg (23 Jul 2014) -- [Marcel Raad brought this change] +- http2 examples: clean up some comments + +- examples: added two programs doing multiplexed HTTP/2 + +- scripts: moved contributors.sh and contrithanks.sh into subdir + +- RELEASE-NOTES: synced with c005790ff1c0a - conncache: fix compiler warning +- [Daniel Melani brought this change] + + openssl: typo in comment + +Jay Satiro (27 May 2015) +- openssl: Use TLS_client_method for OpenSSL 1.1.0+ - warning C4267: '=' : conversion from 'size_t' to 'long', possible loss - of data + SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The + equivalent is TLS_client_method. - The member connection_id of struct connectdata is a long (always a - 32-bit signed integer on Visual C++) and the member next_connection_id - of struct conncache is a size_t, so one of them should be changed to - match the other. + https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557 + +Daniel Stenberg (26 May 2015) +- FAQ: How do I port libcurl to my OS? + +Jay Satiro (25 May 2015) +- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain - This patch the size_t in struct conncache to long (the less invasive - change as that variable is only ever used in a single code line). + Document that if Set-Cookie is used without a domain then the cookie is + sent for any domain and will not be modified. - Bug: http://curl.haxx.se/bug/view.cgi?id=1399 + Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html + Reported-by: Alexander Dyagilev -- RELEASE-NOTES: synced with 81cd24adb8b +Daniel Stenberg (25 May 2015) +- [Tatsuhiro Tsujikawa brought this change] -- http2: more and better error checking - - 1 - fixes the warnings when built without http2 support + http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer - 2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2 - basically when they are about http2 specific things. + Previously, after seeing upgrade to HTTP/2, we feed data followed by + upgrade response headers directly to nghttp2_session_mem_recv() in + Curl_http2_switched(). But it turns out that passed buffer, mem, is + part of stream->mem, and callbacks called by + nghttp2_session_mem_recv() will write stream specific data into + stream->mem, overwriting input data. This will corrupt input, and + most likely frame length error is detected by nghttp2 library. The + fix is first copy the passed data to HTTP/2 connection buffer, + httpc->inbuf, and call nghttp2_session_mem_recv(). -Dan Fandrich (23 Jul 2014) -- cyassl.c: return the correct error code on no CA cert +Jay Satiro (24 May 2015) +- CURLOPT_COOKIE.3: Explain that the cookies won't be modified + + The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the + outgoing request(s)." However there seems to be some user confusion + about cookie modification. Document that the cookies set by this option + are not modified by the cookie engine. - CyaSSL 3.0.0 returns a unique error code if no CA cert is available, - so translate that into CURLE_SSL_CACERT_BADFILE when peer verification - is requested. + Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html + Reported-by: Alexander Dyagilev -Daniel Stenberg (23 Jul 2014) -- symbols-in-versions: new SPNEGO/GSS-API symbols in 7.38.0 +- CURLOPT_COOKIELIST.3: Add example -- test1013.pl: remove SPNEGO/GSS-API tweaks +Dan Fandrich (24 May 2015) +- testcurl.pl: use rel2abs to make the source directory absolute - No longer necessary after Michael Osipov's rework + This function makes a platform-specific absolute path which uses + backslashes on Windows. This form works when passing it on the + command-line, as well as if the source is on another drive. -- http_negotiate: remove unused variable +- conncache: fixed memory leak on OOM (torture tests) -- [Michael Osipov brought this change] - - docs: Improve inline GSS-API naming in code documentation +Daniel Stenberg (24 May 2015) +- perl: remove subdir, not touched in 9 years -- [Michael Osipov brought this change] +- log2changes.pl: moved to scripts/ - curl.h/features: Deprecate GSS-Negotiate macros due to bad naming - - - Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE - - CURL_VERSION_GSSNEGOTIATE is deprecated which - is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and - CURUL_VERSION_SPNEGO now. - - Remove display of feature 'GSS-Negotiate' +- [Alessandro Ghedini brought this change] -- [Michael Osipov brought this change] + scripts: add zsh.pl for generating zsh completion - configure/features: Add feature and version info for GSS-API and SPNEGO +Dan Fandrich (23 May 2015) +- test1510: another flaky test -- [Michael Osipov brought this change] +Daniel Stenberg (22 May 2015) +- security: fix "Unchecked return value" from sscanf() + + By (void) prefixing it and adding a comment. Did some minor related + cleanups. + + Coverity CID 1299423. - HTTP: Remove checkprefix("GSS-Negotiate") +- security: simplify choose_mech - That auth mech has never existed neither on MS nor on Unix side. - There is only Negotiate over SPNEGO. + Coverity CID 1299424 identified dead code because of checks that could + never equal true (if the mechanism's name was NULL). + + Simplified the function by removing a level of pointers and removing the + loop and array that weren't used. -- [Michael Osipov brought this change] +- RTSP: catch attempted unsupported requests better + + Replace use of assert with code that properly catches bad input at + run-time even in non-debug builds. + + This flaw was sort of detected by Coverity CID 1299425 which claimed the + "case RTSPREQ_NONE" was dead code. - curl_gssapi: Add macros for common mechs and pass them appropriately +- share_init: fix OOM crash - Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from - HTTP, FTP and SOCKS on Unix + A failed calloc() would lead to NULL pointer use. + + Coverity CID 1299427. -- CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design +- parse_proxy: switch off tunneling if non-HTTP proxy - This reverts commit cb3e6dfa3511 and instead fixes the problem - differently. + non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL - The reverted commit addressed a test failure in test 1021 by simplifying - and generalizing the code flow in a way that damaged the - performance. Now we modify the flow so that Curl_proxyCONNECT() again - does as much as possible in one go, yet still do test 1021 with and - without valgrind. It failed due to mistakes in the multi state machine. + Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html + Reported-by: Sean Boudreau + +- curl: fix potential NULL dereference - Bug: http://curl.haxx.se/bug/view.cgi?id=1397 - Reported-by: Paul Saab + Coverity CID 1299428: Dereference after null check (FORWARD_NULL) -- [Marcel Raad brought this change] +- http2: on_frame_recv: return early on stream 0 + + Coverity CID 1299426 warned about possible NULL dereference otherwise, + but that would only ever happen if we get invalid HTTP/2 data with + frames for stream 0. Avoid this risk by returning early when stream 0 is + used. - url.c: use the preferred symbol name: *READDATA +- http: removed self assignment - with CURL_NO_OLDIES defined, it doesn't compile because this deprecated - symbol (*INFILE) is used + Follow-up fix from b0143a2a33f0 - Bug: http://curl.haxx.se/bug/view.cgi?id=1398 - -Dan Fandrich (19 Jul 2014) -- [Alessandro Ghedini brought this change] + Detected by coverity. CID 1299429 - CURLOPT_CHUNK_BGN_FUNCTION: fix typo +- [Tatsuhiro Tsujikawa brought this change] -Kamil Dudka (18 Jul 2014) -- [Alessandro Ghedini brought this change] + http2: Make HTTP Upgrade work + + This commit just add implicitly opened stream 1 to streams hash. - build: link curl to NSS libraries when NSS support is enabled +Jay Satiro (22 May 2015) +- strerror: Change SEC_E_ILLEGAL_MESSAGE description - This fixes a build failure on Debian caused by commit - 24c3cdce88f39731506c287cb276e8bf4a1ce393. + Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS + and language specific, and invariably translated to something not very + helpful like: "The message received was unexpected or badly formatted." - Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html + Bug: https://github.com/bagder/curl/issues/267 + Reported-by: Michael Osipov -Steve Holme (17 Jul 2014) -- build: Removed unnecessary XML Documentation file directive from VC8 to VC12 - - The curl tool project files for VC8 to VC12 would set this setting to - $(IntDir) which is the Visual Studio default value. To avoid confusion - when viewing settings from within Visual Studio and for consistency - with the libcurl project files removed this setting. +- telnet: Fix read-callback change for Windows builds - Conflicts: - projects/Windows/VC10/src/curlsrc.tmpl - projects/Windows/VC11/src/curlsrc.tmpl - projects/Windows/VC12/src/curlsrc.tmpl - projects/Windows/VC8/src/curlsrc.tmpl - projects/Windows/VC9/src/curlsrc.tmpl + Refer to b0143a2 for more information on the read-callback change. -- build: Removed unnecessary Precompiled Header file directive in VC7 to VC12 +Daniel Stenberg (21 May 2015) +- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy! + +Dan Fandrich (21 May 2015) +- testcurl.pl: allow source to be in an arbitrary directory - The curl tool project files for VC7 to VC12 would set this settings to - $(IntDir)$(TargetName).pch which is the Visual Studio default value. To - avoid confusion when viewing settings from within Visual Studio and for - consistency with the libcurl project files removed this setting. + This way, the build directory can be located on an entirely different + filesystem from the source code (e.g. a tmpfs). + +Daniel Stenberg (20 May 2015) +- read_callback: move to SessionHandle from connectdata - Conflicts: - projects/Windows/VC10/src/curlsrc.tmpl - projects/Windows/VC11/src/curlsrc.tmpl - projects/Windows/VC12/src/curlsrc.tmpl - projects/Windows/VC8/src/curlsrc.tmpl - projects/Windows/VC9/src/curlsrc.tmpl + With many easy handles using the same connection for multiplexing, it is + important we store and keep the transfer-oriented stuff in the + SessionHandle so that callbacks and callback data work fine even when + many easy handles share the same physical connection. -- build: Removed unnecessary ASM and Object file directives in VC7 to VC12 +- http2: show stream IDs in decimal - The curl tool project files for VC7 to VC12 would set these settings to - $(IntDir) which is the Visual Studio default value. To avoid confusion - when viewing settings from within Visual Studio and for consistency - with the libcurl project files removed these two settings. + It makes them easier to match output from the nghttpd test server. -Daniel Stenberg (17 Jul 2014) -- [Dave Reisner brought this change] +- [Tatsuhiro Tsujikawa brought this change] - src/Makefile.am: add .DELETE_ON_ERROR + http2: Faster http2 upload - This prevents targets like tool_hugehelp.c from leaving around - half-constructed files if the rule fails with GNU make. + Previously, when we send all given buffer in data_source_callback, we + return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream + temporarily for writing. This itself is good. If this is the sole + stream in the session, nghttp2_session_want_write() returns zero, + which means that libcurl does not check writeability of the underlying + socket. This leads to very slow upload, because it seems curl only + upload 16k something per 1 second. To fix this, if we still have data + to send, call nghttp2_session_resume_data after nghttp2_session_send. + This makes nghttp2_session_want_write() returns nonzero (if connection + window still opens), and as a result, socket writeability is checked, + and upload speed becomes normal. + +- [Dmitry Eremin-Solenikov brought this change] + + gtls: don't fail on non-fatal alerts during handshake - Reported-by: Rafaël Carré <funman@videolan.org> + Stop curl from failing when non-fatal alert is received during + handshake. This e.g. fixes lots of problems when working with https + sites through proxies. -- THANKS: added new contributors from 7.37.1 announcement +- curl_easy_unescape.3: update RFC reference + + Reported-by: bsammon + Bug: https://github.com/bagder/curl/issues/282 -Dan Fandrich (17 Jul 2014) -- testcurl.pl: log the value of --runtestopts in the test header +Jay Satiro (20 May 2015) +- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape + + .. also correct some variable naming in curl_easy_escape.3 + + Bug: https://github.com/bagder/curl/issues/281 + Reported-by: bsammon@users.noreply.github.com -Daniel Stenberg (16 Jul 2014) -- RELEASE-NOTES: cleared, working towards next release +Daniel Stenberg (19 May 2015) +- [Brian Prodoehl brought this change] -- curl_gssapi.c: make line shorter than 80 columns + openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg + + BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl + and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and + OpenSSL. + + re #275 -- [David Woodhouse brought this change] +Jay Satiro (19 May 2015) +- curl.1: fix missing space in section --data - Fix negotiate auth to proxies to track correct state +Daniel Stenberg (19 May 2015) +- transfer: remove erroneous and misleading comment -- [David Woodhouse brought this change] +Kamil Dudka (19 May 2015) +- http: silence compile-time warnings without USE_NGHTTP2 + + Error: CLANG_WARNING: + lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read + + Error: COMPILER_WARNING: + lib/http.c: scope_hint: In function ‘http_disconnect’ + lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable] - Don't abort Negotiate auth when the server has a response for us +Jay Satiro (19 May 2015) +- transfer: Replace __func__ instances with function name - It's wrong to assume that we can send a single SPNEGO packet which will - complete the authentication. It's a *negotiation* — the clue is in the - name. So make sure we handle responses from the server. + .. also make __func__ replacement in multi. - Curl_input_negotiate() will already handle bailing out if it thinks the - state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps - talking to us, so we should avoid endless loops that way. + Prior to this change debug builds would fail to build if the compiler + was building pre-c99 and didn't support __func__. -- [David Woodhouse brought this change] +Daniel Stenberg (19 May 2015) +- [Viktor Szakats brought this change] - Don't clear GSSAPI state between each exchange in the negotiation - - GSSAPI doesn't work very well if we forget everything ever time. + build: bump version in default nghttp2 paths + +- INTERNALS: we require nghttp2 1.0.0+ now + +Jay Satiro (18 May 2015) +- http: Add some include guards for the new HTTP/2 stuff + +Daniel Stenberg (18 May 2015) +- http2: store upload state per stream - XX: Is Curl_http_done() the right place to do the final cleanup? + Use a curl_off_t for upload left -- [David Woodhouse brought this change] +- http2: fix build when NOT h2-enabled - Use SPNEGO for HTTP Negotiate +- http2: switch to use Curl_hash_destroy() - This is the correct way to do SPNEGO. Just ask for it + as after 4883f7019d3, the *_clean() function only flushes the hash. + +- curlver: restore LIBCURL_VERSION_NUM defined as a full number - Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket - isn't available. Of course, we bail out when the server responds with the - challenge packet, since we don't expect that. But I'll fix that bug next... + As it breaks configure, curl-config and test 1023 if not. -- [David Woodhouse brought this change] +- [Anthony Avina brought this change] - Remove all traces of FBOpenSSL SPNEGO support + hostip: fix unintended destruction of hash table - This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which - allows client and server to negotiate the underlying mechanism which will - actually be used to authenticate. This is *often* Kerberos, and can also - be NTLM and other things. And to complicate matters, there are various - different OIDs which can be used to specify the Kerberos mechanism too. + .. and added unit1602 for hash.c + +- curlver: introducing new version number (checking) macros + +- runtests.pl: use 'h2c' now, no -14 anymore + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Ignore if we have stream ID not in hash in on_stream_close - A SPNEGO exchange will identify *which* GSSAPI mechanism is being used, - and will exchange GSSAPI tokens which are appropriate for that mechanism. + We could get stream ID not in the hash in on_stream_close. For + example, if we decided to reject stream (e.g., PUSH_PROMISE), then we + don't create stream and store it in hash with its stream ID. + +- [Tatsuhiro Tsujikawa brought this change] + + Require nghttp2 v1.0.0 - But this SPNEGO implementation just strips the incoming SPNEGO packet - and extracts the token, if any. And completely discards the information - about *which* mechanism is being used. Then we *assume* it was Kerberos, - and feed the token into gss_init_sec_context() with the default - mechanism (GSS_S_NO_OID for the mech_type argument). + This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0, + and utilize recent version of nghttp2 to simplify the code, - Furthermore... broken as this code is, it was never even *used* for input - tokens anyway, because higher layers of curl would just bail out if the - server actually said anything *back* to us in the negotiation. We assume - that we send a single token to the server, and it accepts it. If the server - wants to continue the exchange (as is required for NTLM and for SPNEGO - to do anything useful), then curl was broken anyway. + First we use nghttp2_option_set_no_recv_client_magic function to + detect nghttp2 v1.0.0. That function only exists since v1.0.0. - So the only bit which actually did anything was the bit in - Curl_output_negotiate(), which always generates an *initial* SPNEGO - token saying "Hey, I support only the Kerberos mechanism and this is its - token". + Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and + validates received header field. If it found error, RST_STREAM with + PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize + this feature to simplify libcurl code. This commit does this. - You could have done that by manually just prefixing the Kerberos token - with the appropriate bytes, if you weren't going to do any proper SPNEGO - handling. There's no need for the FBOpenSSL library at all. + Migration from 0.7 series are done based on nghttp2 migration + document. For libcurl, we removed the code sending first 24 bytes + client magic. It is now done by nghttp2 library. + on_invalid_frame_recv callback signature changed, and is updated + accordingly. + +- http2: infof length in on_frame_send() + +- pipeline: switch some code over to functions - The sane way to do SPNEGO is just to *ask* the GSSAPI library to do - SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context() - is for. And then it should all Just Work™. + ... to "compartmentalize" a bit and make it easier to change behavior + when multiplexing is used instead of good old pipelining. + +- symbols-in-versions: add CURLOPT_PIPEWAIT + +- CURLOPT_PIPEWAIT: added - That 'sane way' will be added in a subsequent patch, as will bug fixes - for our failure to handle any exchange other than a single outbound - token to the server which results in immediate success. + By setting this option to 1 libcurl will wait for a connection to reveal + if it is possible to pipeline/multiplex on before it continues. -- [David Woodhouse brought this change] +- Curl_http_readwrite_headers: minor code simplification - ntlm_wb: Avoid invoking ntlm_auth helper with empty username +- IsPipeliningPossible: fixed for http2 -- [David Woodhouse brought this change] +- http2: bump the h2 buffer size to 32K for speed - ntlm_wb: Fix hard-coded limit on NTLM auth packet size +- http2: remove the stream from the hash in stream_close callback - Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit - a hard limit once let's just make it cope by reallocating as necessary. + ... and suddenly things work much better! + +- http2: if there is paused data, do not clear the drain field -Version 7.37.1 (16 Jul 2014) +- http2: rename s/data/pausedata -Daniel Stenberg (16 Jul 2014) -- RELEASE-NOTES: synced with 4cb2521595 +- http2: "stream %x" in all outputs to make it easier to search for -- test506: verify aa6884845168 +- http2: Curl_expire() all handles with incoming traffic - After the fixed cookie lock deadlock, this test now passes and it - detects double-locking and double-unlocking of mutexes. + ... so that they'll get handled next in the multi loop. -- [Yousuke Kimoto brought this change] +- http2: don't signal settings change for same values - cookie: avoid mutex deadlock +- http2: set default concurrency, fix ConnectionExists for multiplex + +- bundles: store no/default/pipeline/multiplex - ... by removing the extra mutex locks around th call to - Curl_flush_cookies() which takes care of the locking itself already. + to allow code to act differently on the situation. - Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html + Also added some more info message for the connection re-use function to + make it clearer when connections are not re-used. -- gnutls: fix compiler warning +- http2: lazy init header_recvbuf - conversion to 'int' from 'long int' may alter its value + It makes us use less memory when not doing HTTP/2 and subsequently also + makes us not have to cleanup HTTP/2 related data when not using HTTP/2! -Dan Fandrich (15 Jul 2014) -- test320: strip off the actual negotiated cipher width - - It's irrelevant to the test, and will change depending on which SSL - library is being used by libcurl. +- http2: separate multiplex/pipelining + cleanup memory leaks + +- CURLMOPT_PIPELINE: bit 1 is for multiplexing + +- [Tatsuhiro Tsujikawa brought this change] -- gnutls: detect lack of SRP support in GnuTLS at run-time and try without + http2: Fix bug that data to be drained are overwritten by pending "paused" data + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Don't call nghttp2_session_mem_recv while it is paused by a stream + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Read data left in connection buffer after pause - Reported-by: David Woodhouse + Previously when we do pause because of out of buffer, we just throw + away unread data in connection buffer. This just broke protocol + framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this + issue by remembering how much data read, and in the next iteration, we + process remaining data. -Daniel Stenberg (14 Jul 2014) -- [Michał Górny brought this change] +- [Tatsuhiro Tsujikawa brought this change] - configure: respect host tool prefix for krb5-config + http2: Fix streams get stuck - Use ${host_alias}-krb5-config if available. This improves cross- - compilation support and fixes multilib on Gentoo (at least). + This commit fixes the bug that streams get stuck if stream gets some + DATA, and stream->closed becomes true at the same time. Previously, + in this condition, after we processed DATA, we are going to try to + read data from underlying transport, but there is no data, and gets + EAGAIN. There was no code path to evaludate stream->closed. -- [David Woodhouse brought this change] +- http2: store incoming h2 SETTINGS - gnutls: handle IP address in cert name check +- pipeline: move function to pipeline.c and make static - Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function - didn't actually check IP addresses in SubjectAltName, even though it was - explicitly documented as doing so. So do it ourselves... + ... as it was only used from there. -Dan Fandrich (14 Jul 2014) -- build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r +- IsPipeliningPossible: http2 can always "pipeline" (multiplex) -Daniel Stenberg (14 Jul 2014) -- RELEASE-NOTES: next one is called 7.37.1 +- http2: remove debug logging from on_frame_recv -Dan Fandrich (13 Jul 2014) -- gnutls: improved error message if setting cipher list fails +- http2: remove the closed check in http2_recv - Reported-by: David Woodhouse + With the "drained" functionality we can get here slightly asynchronously + so the stream have have been closed but there is pending data left to + read. -- netrc: fixed thread safety problem by using getpwuid_r if available - - The old way using getpwuid could cause problems in programs that enable - reading from netrc files simultaneously in multiple threads. +- http2: bump the h2 buffer to 8K + +- http2: Curl_read should not use the single buffer - Reported-by: David Woodhouse + ... as it does for pipelining when we're multiplexing, as we need the + different buffers to store incoming data correctly for all streams. -- RELEASE-NOTES: add the reporter of the previous bug fix +- http2: more debug outputs -- netrc: treat failure to find home dir same as missing netrc file +- http2: leave WAITPERFORM when conn is multiplexed - This previously caused a fatal error (with a confusing error code, at - that). + No need to wait for our "spot" like for pipelining + +- http2: force "drainage" of streams - Reported by: Glen A Johnson Jr. + ... which is necessary since the socket won't be readable but there is + data waiting in the buffer. -Steve Holme (12 Jul 2014) -- RELEASE-NOTES: Synced with aaaf9e50ec +- http2: move the mem+len pair to the stream struct -- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions - - Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html - Reported-by: David Woodhouse +- http2: more stream-oriented data, stream ID 0 is for connections -- build: Fixed overridden compiler PDB settings in VC7 to VC12 +- http2: move lots of state data to the 'stream' struct - The curl tool project files for VC7 to VC12 would override the default - setting with the output filename being the same as the linker PDB file. - As such the compiler file would be overwritten with the linker file - for all debug builds. + ... from the connection struct. The stream one being the 'struct HTTP' + which is kept in the SessionHandle struct (easy handle). - To avoid this overwrite and for consistency with the libcurl project - files, removed the setting to force the default filename to be used. + lookup streams for incoming frames in the stream hash, hashing is based + on the stream id and we get the SessionHandle for the incoming stream + that way. -Dan Fandrich (12 Jul 2014) -- tests: added globbing keyword to URL globbing tests +- HTTP: partial start at fixing up hash-lookups on http2 frame receival -- Fixed some "statement not reached" warnings +- http: a stream hash for h2 multiplexing -- gnutls: fixed a couple of uninitialized variable references +- http: a stream hash for h2 multiplexing -- gnutls: fixed compilation against versions < 2.12.0 - - The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but - the code path in which they're referenced here is only ever used for - somewhat older GnuTLS versions. This caused undeclared identifier errors - when compiling against those. - -- gnutls: explicitly added SRP to the priority string - - This seems to have become necessary for SRP support to work starting - with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS - before the function that takes this priority string, there should be no - issue with backward compatibility. +- http2: debug log when receiving unexpected stream_id -- tests: adjust for capitalization differences in newer gnutls-serv +- http2: move stream_id to the HTTP struct (per-stream) -- test320/1/2/4: fix the port number substitution variables +- Curl_http2_setup: only do it once and enable multiplex on the server - These tests have been broken since commit 1958fe57 in Oct. 2011 + Once we know we are HTTP/2 enabled we know the server can multiplex. -- tests: document more test identifiers and variables - -- gnutls: ignore invalid certificate dates with VERIFYPEER disabled +- http: switch on "pipelining" (multiplexing) for HTTP/2 servers - This makes the behaviour consistent with what happens if a date can - be extracted from the certificate but is expired. - -Steve Holme (10 Jul 2014) -- CURLOPT_UPLOAD: Corrected argument type + ... and do not blacklist any. -Daniel Stenberg (9 Jul 2014) -- FAQ: expand the thread-safe section +- README.pipelining: removed - ... with a mention of *NOSIGNAL, based on talk in bug #1386 + All the details mentioned here are better documented in man pages -Dan Fandrich (9 Jul 2014) -- url.c: Fixed memory leak on OOM +Dan Fandrich (14 May 2015) +- build: removed bundles.c from make files - This showed itself on some systems with torture failures - in tests 1060 and 1061 + This file was removed in commit fd137786 -- Update instances of some obsolete CURLOPTs to their new names +Daniel Stenberg (14 May 2015) +- Curl_conncache_add_conn: fix memory leak on OOM -Daniel Stenberg (5 Jul 2014) -- [Marcel Raad brought this change] +- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number - compiler warnings: potentially uninitialized variables - - ... pointed out by MSVC2013 +- conncache: keep bundles on host+port bases, not only host names - Bug: http://curl.haxx.se/bug/view.cgi?id=1391 + Previously we counted all connections to a specific host name and that + would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example, + while servers on different port numbers are normally considered + different "origins" on the web and should thus be considered different + hosts. -Kamil Dudka (4 Jul 2014) -- nss: make the list of CRL items global +- bundles: merged into conncache.c - Otherwise NSS could use an already freed item for another connection. + All the existing Curl_bundle* functions were only ever used from within + the conncache.c file, so I moved them over and made them static (and + removed the Curl_ prefix). -- nss: fix a memory leak when CURLOPT_CRLFILE is used - -- nss: make crl_der allocated on heap +- hostcache: made all host caches use structs, not pointers - ... and spell it as crl_der instead of crlDER - -- nss: let nss_{cache,load}_crl return CURLcode + This avoids unnecessary dynamic allocs and as this also removed the last + users of *hash_alloc() and *hash_destroy(), those two functions are now + removed. -- tool: oops, forgot to include <plarenas.h> +- multi: converted socket hash into non-allocated struct - ... that contains the declaration of PL_ArenaFinish() + avoids extra dynamic allocation -- tool: call PL_ArenaFinish() on exit if NSPR is used +- connection cache: avoid Curl_hash_alloc() - This prevents valgrind from reporting still reachable memory allocated - by NSPR arenas (mainly the freelist). - - Reported-by: Hubert Kario - -Daniel Stenberg (3 Jul 2014) -- [Dimitrios Siganos brought this change] + ... by using plain structs instead of pointers for the connection cache, + we can avoid several dynamic allocations that weren't necessary. - example: use correct type (long) for CURLOPT_FOLLOWLOCATION +- proxy: add newline to info message -- [Dimitrios Siganos brought this change] +Patrick Monnerat (8 May 2015) +- FTP: fix dangling conn->ip_addr dereference on verbose EPSV. - Document type of argument for CURLOPT_FOLLOWLOCATION. +- FTP: Make EPSV use the control IP address rather than the original host. + This ensures an alternate address is not used. + Does not apply to proxy tunnel. -- [Dimitrios Siganos brought this change] +Daniel Stenberg (8 May 2015) +- [Alessandro Ghedini brought this change] - Document type of argument for CURLOPT_ERRORBUFFER. + tool_help: fix formatting for --next option -- [Dimitrios Siganos brought this change] +- [Egon Eckert brought this change] - Document type of argument for CURLOPT_COPYPOSTFIELDS. + opts: improved the TCP keepalive examples -- [Dimitrios Siganos brought this change] +Jay Satiro (8 May 2015) +- winbuild: Document the option used to statically link the CRT + + - Document option RTLIBCFG (runtime library configuration). + + Bug: https://github.com/bagder/curl/issues/254 + Reported-by: Bert Huijben - Document type of argument for CURLOPT_ADDRESS_SCOPE. +- [Orgad Shaneh brought this change] -- curl.1: minor language fix + netrc: Read in text mode when cygwin + + Use text mode when cygwin to eliminate trailing carriage returns. - Bug: http://curl.haxx.se/mail/archive-2014-07/0006.html + Bug: https://github.com/bagder/curl/pull/258 -- [Ray Satiro brought this change] +Patrick Monnerat (5 May 2015) +- OS400: Add SPNEGO service name options to ILE/RPG binding. - progress callback: skip last callback update on errors - - When an error has been detected, skip the final forced call to the - progress callback by making sure to pass the current return code - variable in the Curl_done() call in the CURLM_STATE_DONE state. +Daniel Stenberg (4 May 2015) +- curl_multi_info_read.3: fix typo - This avoids the "extra" callback that could occur even if you returned - error from the progress callback. + Reported-by: Liviu Chircu + +- MANUAL: language fix - Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html - Reported by: Jonathan Cardoso Machado + Reported-by: Fred Stluka + Bug: https://github.com/bagder/curl/issues/255 -Dan Fandrich (2 Jul 2014) -- opts: fixed some CURLOPT references so they get turned into links +- [Alessandro Ghedini brought this change] -Kamil Dudka (2 Jul 2014) -- tool: call PR_Cleanup() on exit if NSPR is used + gtls: properly retrieve certificate status - This prevents valgrind from reporting possibly lost memory that NSPR - uses for file descriptor cache and other globally allocated internal - data structures. + Also print the revocation reason if appropriate. -- nss: make the fallback to SSLv3 work again +- OpenSSL: conditional check for SSL3_RT_HEADER - This feature was unintentionally disabled by commit ff92fcfb. + The symbol is fairly new. + + Reported-by: Kamil Dudka -- nss: do not abort on connection failure +- openssl: skip trace outputs for ssl_ver == 0 + + The OpenSSL trace callback is wonderfully undocumented but given a + journey in the source code, it seems the cases were ssl_ver is zero + doesn't follow the same pattern and thus turned out confusing and + misleading. For now, we skip doing any CURLINFO_TEXT logging on those + but keep sending them as CURLINFO_SSL_DATA_OUT/IN. - ... due to calling SSL_VersionRangeGet() with NULL file descriptor + Also, I added direction to the text info and I edited some functions + slightly. - reported-by: upstream tests 305 and 404 + Bug: https://github.com/bagder/curl/issues/219 + Reported-by: Jay Satiro, Ashish Shukla -Dan Fandrich (1 Jul 2014) -- opts: Document the socket callback function parameters +Marc Hoersken (2 May 2015) +- schannel.c: Small changes -Steve Holme (28 Jun 2014) -- opts: Fixed some typos +- schannel.c: Improve code path and readability -Dan Fandrich (25 Jun 2014) -- curl_easy_setopt.3: fixed the error code for an unsupported option +- schannel.c: Improve error and return code handling upon aa99a63f03 -- opts: added some DEFAULT and RETURN VALUE sections +- [Chris Araman brought this change] -Daniel Stenberg (21 Jun 2014) -- libcurl docs: man page edits + schannel: fix regression in schannel_recv - mainly to improve how the web versions render - -Dan Fandrich (21 Jun 2014) -- curl_easy_setopt.3: fixed some typos - -Daniel Stenberg (21 Jun 2014) -- lib man pages: update easy setopt option references + https://github.com/bagder/curl/issues/244 - ... by using the "\fIopt(3)\fP" syntax they will be linked properly when - the web version of the page is generated. + Commit 145c263 changed the behavior when Curl_read_plain returns + CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED + correctly. -- opts: the CURLOPT_SSL_ENABLE_*PN options are enabled by default - -- [Colin Hogben brought this change] - - lib: documentation updates in README.hostip +- Bug born in changes made several days ago 9a91e80. - c-ares now does support IPv6; - avoid implying threaded resolver is Windows-only; - two referenced source files were renamed in 7de2f92 + Commit: https://github.com/bagder/curl/commit/926cb9f + Reported-by: Ray Satiro -- curl_easy_setopt.3: CURLOPT_POSTFIELDS is the exception - - ... to the always-copy-char *-argument. - - And fix some minor mistakes. +Daniel Stenberg (30 Apr 2015) +- [Michael Osipov brought this change] -- curl_easy_setopt.3: refer to the individual man pages + configure: remove missing and make it autogenerate - With all the new individual option man pages created, this now refers to - each separate one instead of duplicaing the info. Also makes this page - easier to overview. + The missing file has not been autogenerated because a temporary fix was + employed in acinclude.m4 which blocked update. Removed that fix and a recent + version of missing is copied to build root. -Dan Fandrich (21 Jun 2014) -- opts: fixed mancheck for out-of-tree builds +- [Michael Osipov brought this change] -Daniel Stenberg (21 Jun 2014) -- curl_easy_setopt.3: shorten + acinclude.m4: fix test for default CA cert bundle/path - shorten descriptions, mostly refer to the separate descriptions - -- CURLOPT_DNS_LOCAL_IP4.3: better short desc + test(1) on HP-UX requires a single equals sign and fails with two. + Let's use one and make every OS happy. -Dan Fandrich (20 Jun 2014) -- opts: document CURLE_OUT_OF_MEMORY among other return values +- CONTRIBUTING.md: remove the sourceforge mention + + Reported-By: Michael Osipov -- opts: fixed some typos +Dan Fandrich (30 Apr 2015) +- http_negotiate_sspi: added missing data variable -Daniel Stenberg (20 Jun 2014) -- opts: various corrections +Daniel Stenberg (30 Apr 2015) +- [Michael Osipov brought this change] -- opts: add the rest of the options + configure: remove --automake from libtoolize call - ... and fixed mancheck to ignore obsolete options - -- opts: the final bunch of options as man pages + That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4. + Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility". - Now all current options have their own man pages. - -- opts: 37 additional man pages + This option is redundant now. -- CURLOPT_URL: move up the text from "Notes" +- [Viktor Szakats brought this change] -- ROADMAP: removed, now ROADMAP.md + build: update depedency versions, urls, example makefiles + + - update default versions of dependencies (except for rare/old platforms) + - update urls + - sync examples makefiles with main ones + - remove line ending space -- ROADMAP.md: make it markdown formatted +- [Michael Osipov brought this change] -- ROADMAP: initial commit of "curl the next few years" + configure: remove autogenerated files by autoconf - To be further discussed, debated and edited + * install-sh is always regenerated + * mkinstalldirs was already redudant years ago. Automake uses install for + that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html -- opts: more man pages +- [Anders Bakken brought this change] -- CURLOPT_UNRESTRICTED_AUTH.3: added missing 'T' + curl_multi_add_handle: next is already NULL -- opts: makefile now includes all current man pages +Jay Satiro (30 Apr 2015) +- schannel: Fix out of bounds array + + Bug born in changes made several days ago 9a91e80. + + Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html + Reported-by: Brian Chrisman -- opts: 11 more man pages +- docs/libcurl: gitignore libcurl-symbols.3 + + Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html + Reported-by: Michael Osipov -Dan Fandrich (18 Jun 2014) -- opts: document CURLE_OUT_OF_MEMORY as RETURN VALUE +- [Viktor Szakats brought this change] -- opts: fixed a couple of typos + lib/makefile.m32: add arch -m32/-m64 to LDFLAGS + + This fixes using a multi-target mingw distro to build curl .dll for the + non-default target. + (mirroring the same patch present in src/makefile.m32) -Patrick Monnerat (18 Jun 2014) -- OS400: make it compilable again. Make RPG binding up to date. +Daniel Stenberg (29 Apr 2015) +- RELEASE-NOTES: synced with cd39b944afc + + I've not mentioned the bug fixes that were shipped in 7.42.1 from the + 7_42 branch. -- buildconf: do not search tools in current directory. +- THANKS: merged from the 7.42.1 release -Dan Fandrich (18 Jun 2014) -- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx +- CURLOPT_HEADEROPT: default to separate - This is consistent with the existing obsolete error code naming - convention. - -Daniel Stenberg (18 Jun 2014) -- opts: 16 more man pages + Make the HTTP headers separated by default for improved security and + reduced risk for information leakage. + + Bug: http://curl.haxx.se/docs/adv_20150429.html + Reported-by: Yehezkel Horowitz, Oren Souroujon |