diff options
Diffstat (limited to 'CHANGES')
| -rw-r--r-- | CHANGES | 6563 |
1 files changed, 3388 insertions, 3175 deletions
@@ -6,6 +6,3394 @@ Changelog +Version 7.50.2 (7 Sep 2016) + +Daniel Stenberg (7 Sep 2016) +- RELEASE-NOTES: curl 7.50.2 release + +- THANKS: updated for 7.50.2 + +Jay Satiro (6 Sep 2016) +- [Gaurav Malhotra brought this change] + + openssl: fix CURLINFO_SSL_VERIFYRESULT + + CURLINFO_SSL_VERIFYRESULT does not get the certificate verification + result when SSL_connect fails because of a certificate verification + error. + + This fix saves the result of SSL_get_verify_result so that it is + returned by CURLINFO_SSL_VERIFYRESULT. + + Closes https://github.com/curl/curl/pull/995 + +Daniel Stenberg (6 Sep 2016) +- [Daniel Gustafsson brought this change] + + darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993) + + While noErr and errSecSuccess are defined as the same value, the API + documentation states that SecPKCS12Import() returns errSecSuccess if + there were no errors in importing. Ensure that a future change of the + defined value doesn't break (however unlikely) and be consistent with + the API docs. + +- [Daniel Gustafsson brought this change] + + docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994) + +- [Marcel Raad brought this change] + + openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L + + With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup + functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The + replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and + OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is + now called OpenSSL_version_num(). + + [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html + [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html + + Closes #992 + +- RELEASE-NOTES: synced with 3d4c0c8b9bc1d + +- http2: return EOF when done uploading without known size + + Fixes #982 + +- http2: skip the content-length parsing, detect unknown size + +- http2: minor white space edit + +- http2: use named define instead of magic constant in read callback + +- [Craig Davison brought this change] + + configure: make the cpp -P detection not clobber CPPFLAGS + + CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF. + + Fixes #958 + +- [Olivier Brunel brought this change] + + speed caps: not based on average speeds anymore + + Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE & + CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits + with the cumulative average speed of the entire transfer; While this + might work at times with good/constant connections, in other cases it + can result to the limits simply being "ignored" for more than "short + bursts" (as told in man page). + + Consider a download that goes on much slower than the limit for some + time (because bandwidth is used elsewhere, server is slow, whatever the + reason), then once things get better, curl would simply ignore the limit + up until the average speed (since the beginning of the transfer) reached + the limit. This could prove the limit useless to effectively avoid + using the entire bandwidth (at least for quite some time). + + So instead, we now use a "moving starting point" as reference, and every + time at least as much as the limit as been transferred, we can reset + this starting point to the current position. This gets a good limiting + effect that applies to the "current speed" with instant reactivity (in + case of sudden speed burst). + + Closes #971 + +- HISTORY.md: the multi socket was put in the wrong year! + +- [Mark Hamilton brought this change] + + tool_helpers.c: fix comment typo (#989) + +- [Mark Hamilton brought this change] + + libtest/test.h: fix typo (#988) + +- CURLMOPT_PIPELINING.3: language + +- CURLMOPT_PIPELINING.3: extended and clarified + + Especially in regards to the multiplexing part. + +Steve Holme (31 Aug 2016) +- curl_sspi.c: Updated function description comments + + * Added description to Curl_sspi_free_identity() + * Added parameter and return explanations to Curl_sspi_global_init() + * Added parameter explaination to Curl_sspi_global_cleanup() + +- README: Corrected the supported Visual Studio versions + + Missed from commit 8356022d17. + +- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README + +- KNOWN_BUGS: Expand 6.4 to include Kerberos V5 + + ...and discuss a possible solution. + +Daniel Stenberg (30 Aug 2016) +- connect: fix #ifdefs for debug versions of conn/streamclose() macros + + CURLDEBUG is for the memory debugging + + DEBUGBUILD is for the extra debug stuff + + Pointed-out-by: Steve Holme + +- KNOWN_BUGS: mention some cmake "support gaps" + +Nick Zitzmann (28 Aug 2016) +- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only + + In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead. + +Daniel Stenberg (28 Aug 2016) +- http2: return CURLE_HTTP2_STREAM for unexpected stream close + + Follow-up to c3e906e9cd0f, seems like a more appropriate error code + + Suggested-by: Jay Satiro + +- [Tatsuhiro Tsujikawa brought this change] + + http2: handle closed streams when uploading + + Fixes #986 + +- http2: make sure stream errors don't needlessly close the connection + + With HTTP/2 each transfer is made in an indivial logical stream over the + connection, making most previous errors that caused the connection to get + forced-closed now instead just kill the stream and not the connection. + + Fixes #941 + +- Curl_verify_windows_version: minor edit to avoid compiler warnings + + ... instead of if() before the switch(), add a default to the switch so + that the compilers don't warn on "warning: enumeration value + 'PLATFORM_DONT_CARE' not handled in switch" anymore. + +Steve Holme (27 Aug 2016) +- RELEASE-NOTES: Added missing fix from commit 15592143f + +Jay Satiro (26 Aug 2016) +- schannel: Disable ALPN for Wine since it is causing problems + + - Disable ALPN on Wine. + + - Don't pass input secbuffer when ALPN is disabled. + + When ALPN support was added a change was made to pass an input secbuffer + to initialize the context. When ALPN is enabled the buffer contains the + ALPN information, and when it's disabled the buffer is empty. In either + case this input buffer caused problems with Wine and connections would + not complete. + + Bug: https://github.com/curl/curl/issues/983 + Reported-by: Christian Fillion + +Kamil Dudka (26 Aug 2016) +- [Peter Wang brought this change] + + nss: work around race condition in PK11_FindSlotByName() + + Serialise the call to PK11_FindSlotByName() to avoid spurious errors in + a multi-threaded environment. The underlying cause is a race condition + in nssSlot_IsTokenPresent(). + + Bug: https://bugzilla.mozilla.org/1297397 + + Closes #985 + +- nss: refuse previously loaded certificate from file + + ... when we are not asked to use a certificate from file + +Daniel Stenberg (26 Aug 2016) +- ftp_done: remove dead code + +- TLS: random file/egd doesn't have to match for conn reuse + +- test161: add comment for the exit code + +Dan Fandrich (26 Aug 2016) +- test219: Add http as a required feature + +Daniel Stenberg (25 Aug 2016) +- [Michael Kaufmann brought this change] + + HTTP: stop parsing headers when switching to unknown protocols + + - unknown protocols probably won't send more headers (e.g. WebSocket) + - improved comments and moved them to the correct case statements + + Closes #899 + +- openssl: make build with 1.1.0 again + + synced with OpenSSL git master commit cc06906707 + +- INTERNALS: fix title + +- configure: detect zlib with our pkg-config macros + + ... instead of relying on the pkg-config autoconf macros to be present. + + Fixes #972 (again...) + +Jay Satiro (25 Aug 2016) +- http2: Remove incorrect comments + + .. also remove same from scp + +Daniel Stenberg (23 Aug 2016) +- [Ales Novak brought this change] + + ftp: fix wrong poll on the secondary socket + + When we're uploading using FTP and the server issues a tiny pause + between opening the connection to the client's secondary socket, the + client's initial poll() times out, which leads to second poll() which + does not wait for POLLIN on the secondary socket. So that poll() also + has to time out, creating a long (200ms) pause. + + This patch adds the correct flag to the secondary socket, making the + second poll() correctly wait for the connection there too. + + Signed-off-by: Ales Novak <alnovak@suse.cz> + + Closes #978 + +- RELEASE-NOTES: synced with 95ded2c56 + +- configure: make it work without PKG_CHECK_MODULES + + With commit c2f9b78 we added a new dependency on pkg-config for + developers which may be unwanted. This change make the configure script + still work as before if pkg-config isn't installed, it'll just use the + old zlib detection logic without pkg-config. + + Reported-by: Marc Hörsken + + Fixes #972 + +Marc Hoersken (21 Aug 2016) +- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6" + + This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554. + + As discussed in #835 SOCKS5 supports IPv6 proxies and destinations. + +Daniel Stenberg (21 Aug 2016) +- [Marco Deckel brought this change] + + win: Basic support for Universal Windows Platform apps + + Closes #820 + +Steve Holme (21 Aug 2016) +- sasl: Don't use GSSAPI authentication when domain name not specified + + Only choose the GSSAPI authentication mechanism when the user name + contains a Windows domain name or the user is a valid UPN. + + Fixes #718 + +- vauth: Added check for supported SSPI based authentication mechanisms + + Completing commit 00417fd66c and 2708d4259b. + +- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check + + From commit 2708d4259b. + +Marc Hoersken (20 Aug 2016) +- socks.c: display the hostname returned by the SOCKS5 proxy server + + Instead of displaying the requested hostname the one returned + by the SOCKS5 proxy server is used in case of connection error. + The requested hostname is displayed earlier in the connection sequence. + + The upper-value of the port is moved to a temporary variable and + replaced with a 0-byte to make sure the hostname is 0-terminated. + +Steve Holme (20 Aug 2016) +- urldata.h: Corrected comment for httpcode which is also populated by SMTP + + As of 7.25.0 and commit 5430007222. + +Marc Hoersken (20 Aug 2016) +- socks.c: use Curl_printable_address in SOCKS5 connection sequence + + Replace custom string formatting with Curl_printable_address. + Add additional debug and error output in case of failures. + +- socks.c: align SOCKS4 connection sequence with SOCKS5 + + Calling sscanf is not required since the raw IPv4 address is + available and the protocol can be detected using ai_family. + +Steve Holme (20 Aug 2016) +- http.c: Corrected indentation change from commit 2708d4259b + + Made by Visual Studio's auto-correct feature and missed by me in my own + code reviews! + +- http: Added calls to Curl_auth_is_<mechansism>_supported() + + Hooked up the HTTP authentication layer to query the new 'is mechanism + supported' functions when deciding what mechanism to use. + + As per commit 00417fd66c existing functionality is maintained for now. + +Marc Hoersken (20 Aug 2016) +- socks.c: improve verbose output of SOCKS5 connection sequence + +- configure.ac: add missing quotes to PKG_CHECK_MODULES + +Steve Holme (20 Aug 2016) +- sasl: Added calls to Curl_auth_is_<mechansism>_supported() + + Hooked up the SASL authentication layer to query the new 'is mechanism + supported' functions when deciding what mechanism to use. + + For now existing functionality is maintained. + +Daniel Stenberg (19 Aug 2016) +- [Miroslav Franc brought this change] + + spnego_sspi: fix memory leak in case *outlen is zero (#970) + +- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex + +Steve Holme (18 Aug 2016) +- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions + + As Windows SSPI authentication calls fail when a particular mechanism + isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5 + and Negotiate to allow both HTTP and SASL authentication the opportunity + to query support for a supported mechanism before selecting it. + + For now each function returns TRUE to maintain compatability with the + existing code when called. + +Daniel Stenberg (18 Aug 2016) +- test1144: verify HEAD with body-only response + +Steve Holme (17 Aug 2016) +- RELEASE-PROCEDURE: Added some more future release dates + + ...and removed some old ones + +Daniel Stenberg (17 Aug 2016) +- [David Woodhouse brought this change] + + curl: allow "pkcs11:" prefix for client certificates + + RFC7512 provides a standard method to reference certificates in PKCS#11 + tokens, by means of a URI starting 'pkcs11:'. + + We're working on fixing various applications so that whenever they would + have been able to use certificates from a file, users can simply insert + a PKCS#11 URI instead and expect it to work. This expectation is now a + part of the Fedora packaging guidelines, for example. + + This doesn't work with cURL because of the way that the colon is used + to separate the certificate argument from the passphrase. So instead of + + curl -E 'pkcs11:manufacturer=piv_II;id=%01' … + + I instead need to invoke cURL with the colon escaped, like this: + + curl -E 'pkcs11\:manufacturer=piv_II;id=%01' … + + This is suboptimal because we want *consistency* — the URI should be + usable in place of a filename anywhere, without having strange + differences for different applications. + + This patch therefore disables the processing in parse_cert_parameter() + when the string starts with 'pkcs11:'. It means you can't pass a + passphrase with an unescaped PKCS#11 URI, but there's no need to do so + because RFC7512 allows a PIN to be given as a 'pin-value' attribute in + the URI itself. + + Also, if users are already using RFC7512 URIs with the colon escaped as + in the above example — even providing a passphrase for cURL to handling + instead of using a pin-value attribute, that will continue to work + because their string will start 'pkcs11\:' and won't match the check. + + What *does* break with this patch is the extremely unlikely case that a + user has a file which is in the local directory and literally named + just "pkcs11", and they have a passphrase on it. If that ever happened, + the user would need to refer to it as './pkcs11:<passphrase>' instead. + +- nss: make the global variables static + +- openssl: use regular malloc instead of OPENSSL_malloc + + This allows for better memmory debugging and torture tests. + +- proxy: fix tests as follow-up to 93b0d907d5 + + This fixes tests that were added after 113f04e664b as the tests would + fail otherwise. + + We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix + regressions with old and stupid proxies, but we could possibly switch to + using it only for CONNECT or only for NTLM in a future if we want to + gradually reduce it. + + Fixes #954 + + Reported-by: János Fekete + +- Revert "Proxy-Connection: stop sending this header by default" + + This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68. + +- CURLOPT_PROXY.3: unsupported schemes cause errors now + + Follow-up to a96319ebb9 (document the new behavior) + +- tests/README: mention nghttpx for HTTP/2 tests + +- README.md: add our CII Best Practices badge + +- proxy: polished the error message for unsupported schemes + + Follow up to a96319ebb93 + +- test219: verify unsupported scheme for proxies get rejected + +- proxy: reject attempts to use unsupported proxy schemes + + I discovered some people have been using "https://example.com" style + strings as proxy and it "works" (curl doesn't complain) because curl + ignores unknown schemes and then assumes plain HTTP instead. + + I think this misleads users into believing curl uses HTTPS to proxies + when it doesn't. Now curl rejects proxy strings using unsupported + schemes instead of just ignoring and defaulting to HTTP. + +- RELEASE-NOTES: synced with b7ee5316c2fd5b + +Marc Hoersken (14 Aug 2016) +- socks.c: Correctly calculate position of port in response packet + + Third commit to fix issue #944 regarding SOCKS5 error handling. + + Reported-by: David Kalnischkies + +- socks.c: Do not modify and invalidate calculated response length + + Second commit to fix issue #944 regarding SOCKS5 error handling. + + Reported-by: David Kalnischkies + +- socks.c: Move error output after reading the whole response packet + + First commit to fix issue #944 regarding SOCKS5 error handling. + + Reported-by: David Kalnischkies + +Daniel Stenberg (13 Aug 2016) +- [Ronnie Mose brought this change] + + MANUAL: Remove invalid link to LDAP documentation (#962) + + The server developer.netscape.com does not resolve into any + ip address and can be removed. + +Jay Satiro (13 Aug 2016) +- openssl: accept subjectAltName iPAddress if no dNSName match + + Undo change introduced in d4643d6 which caused iPAddress match to be + ignored if dNSName was present but did not match. + + Also, if iPAddress is present but does not match, and dNSName is not + present, fail as no-match. Prior to this change in such a case the CN + would be checked for a match. + + Bug: https://github.com/curl/curl/issues/959 + Reported-by: wmsch@users.noreply.github.com + +Daniel Stenberg (12 Aug 2016) +- [Dambaev Alexander brought this change] + + configure.ac: add zlib search with pkg-config + + Closes #956 + +- rtsp: ignore whitespace in session id + + Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at + whitespace as well. + + Help-by: Erik Janssen + +- HTTP: retry failed HEAD requests too + + Mark's new document about HTTP Retries + (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I + spotted that we don't retry failed HEAD requests which seems totally + inconsistent and I can't see any reason for that separate treatment. + + So, no separate treatment for HEAD starting now. A HTTP request sent + over a reused connection that gets cut off before a single byte is + received will be retried on a fresh connection. + + Made-aware-by: Mark Nottingham + +- mk-ca-bundle.1: document -m, added in 1.26 + +- RELEASE-NOTES: synced with e577c43bb5 + +- [Erik Janssen brought this change] + + rtsp: accept any RTSP session id + + Makes libcurl work in communication with gstreamer-based RTSP + servers. The original code validates the session id to be in accordance + with the RFC. I think it is better not to do that: + + - For curl the actual content is a don't care. + + - The clarity of the RFC is debatable, is $ allowed or only as \$, that + is imho not clear + + - Gstreamer seems to url-encode the session id but % is not allowed by + the RFC + + - less code + + With this patch curl will correctly handle real-life lines like: + Session: biTN4Kc.8%2B1w-AF.; timeout=60 + + Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html + +- symbols-in-versions: add CURL_STRICTER + + Added in 5fce88aa8c12564 + +- [Simon Warta brought this change] + + winbuild: Allow changing C compiler via environment variable CC (#952) + + This makes it possible to use specific compilers or a cache. + + Sample use for clcache: + set CC=clcache.bat + nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no + +- LICENSE-MIXING.md: switched to markdown + +- docs-make: have markdown files use .md + +- curl.h: make CURL_NO_OLDIES define CURL_STRICTER + +- HISTORY.md: use markdown extension + +- SSLCERTS.md: renamed to markdown extension + +- INTERNALS.md: use markdown extension for markdown content + +- CONTRIBUTE.md: markdown extension + +- CONTRIBUTE: changed to markdown + +- CONTRIBUTE: refreshed + +- TODO: added an SSH section and two SFTP things to do + +- TODO: remove the 1.22 duplicated item + +- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section + +- TODO: API for URL parsing/splitting + +- TODO: move QUIC to the HTTP section + +- [Simon Warta brought this change] + + winbuild: Free name $(CC) in Makefile (#950) + + In the old line number 290, CC and CURL_CC had the same value. After + that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?). + + This gets rid of the CC variable entirely. It is a first step to make it + possible to manualyl set a CC variable in order to be able to change the + compiler. + +- TODO: Use huge HTTP/2 windows + +- [Simon Warta brought this change] + + winbuild: Avoid setting redundant CFLAGS to compile commands (#949) + + $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this, + all arguments in CURL_CFLAGS have been added twice. + +Jay Satiro (8 Aug 2016) +- cmake: Enable win32 threaded resolver by default + + - Turn on USE_THREADS_WIN32 in Windows if ares isn't on + + This change is similar to what we already do in the autotools build. + +- cmake: Enable win32 large file support by default + + All compilers used by cmake in Windows should support large files. + + - Add test SIZEOF_OFF_T + - Remove outdated test SIZEOF_CURL_OFF_T + - Turn on USE_WIN32_LARGE_FILES in Windows + - Check for 'Largefile' during the features output + +Daniel Stenberg (7 Aug 2016) +- TODO: added several ideas, removed SPDY + +- http2: always wait for readable socket + + Since the server can at any time send a HTTP/2 frame to us, we need to + wait for the socket to be readable during all transfers so that we can + act on incoming frames even when uploading etc. + + Reminded-by: Tatsuhiro Tsujikawa + +- RELEASE-NOTES: synced with 7b4bf37a44791 + +- [Thomas Glanzmann brought this change] + + mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined + + In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal + to 0. This patch also adds a comment how mbedtls must be compiled in + order to make debugging work, and explains the possible debug levels. + +- CURLOPT_TCP_NODELAY: now enabled by default + + After a few wasted hours hunting down the reason for slowness during a + TLS handshake that turned out to be because of TCP_NODELAY not being + set, I think we have enough motivation to toggle the default for this + option. We now enable TCP_NODELAY by default and allow applications to + switch it off. + + This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be + used to disable it. + + Thanks-to: Tim Rühsen + Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html + +- [Serj Kalichev brought this change] + + TFTP: Fix upload problem with piped input + + When input stream for curl is stdin and input stream is not a file but + generated by a script then curl can truncate data transfer to arbitrary + size since a partial packet is treated as end of transfer by TFTP. + + Fixes #857 + +- mk-ca-bundle.pl: -m keeps ca cert meta data in output + + Makes the script pass on comments holding meta data to the output + file. Like fingerprinters, issuer, date ranges etc. + + Closes #937 + +- multi: make Curl_expire() work with 0 ms timeouts + + Previously, passing a timeout of zero to Curl_expire() was a magic code + for clearing all timeouts for the handle. That is now instead made with + the new Curl_expire_clear() function and thus a 0 timeout is fine to set + and will trigger a timeout ASAP. + + This will help removing short delays, in particular notable when doing + HTTP/2. + +- transfer: return without select when the read loop reached maxcount + + Regression added in 790d6de48515. The was then added to avoid one + particular transfer to starve out others. But when aborting due to + reading the maxcount, the connection must be marked to be read from + again without first doing a select as for some protocols (like SFTP/SCP) + the data may already have been read off the socket. + + Reported-by: Dan Donahue + Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html + +Steve Holme (3 Aug 2016) +- [Bill Nagel brought this change] + + mbedtls: Added support for NTLM + +Daniel Stenberg (3 Aug 2016) +- [Sergei Nikulov brought this change] + + travis: removed option to rebuild autotool from source + + Fixes #943 + +- bump: start working toward 7.50.2 + +Version 7.50.1 (3 Aug 2016) + +Daniel Stenberg (3 Aug 2016) +- THANKS: 7 new contributors from the 7.50.1 release + +- RELEASE-NOTES: 7.50.1 + +- TLS: only reuse connections with the same client cert + + CVE-2016-5420 + Bug: https://curl.haxx.se/docs/adv_20160803B.html + +- TLS: switch off SSL session id when client cert is used + + CVE-2016-5419 + Bug: https://curl.haxx.se/docs/adv_20160803A.html + Reported-by: Bru Rom + Contributions-by: Eric Rescorla and Ray Satiro + +- curl_multi_cleanup: clear connection pointer for easy handles + + CVE-2016-5421 + Bug: https://curl.haxx.se/docs/adv_20160803C.html + Reported-by: Marcelo Echeverria and Fernando Muñoz + +- KNOWN_BUGS: SOCKS proxy not working via IPv6 + + Closes #835 + +- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM + + Closes #768 + +- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2 + + Closes #662 + +- TODO: Provide cmake config-file + + Closes #885 + +Patrick Monnerat (2 Aug 2016) +- os400: define BUILDING_LIBCURL in make script. + +Daniel Stenberg (1 Aug 2016) +- RELEASE-NOTES: synced with aa9f536a18b + +Jay Satiro (1 Aug 2016) +- [Thomas Glanzmann brought this change] + + mbedtls: Fix debug function name + + This patch is necessary so that curl compiles if MBEDTLS_DEBUG is + defined. + + Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html + +Daniel Stenberg (1 Aug 2016) +- [Sergei Nikulov brought this change] + + travis: fix OSX build by re-installing libtool + + Apparently due to a broken homebrew install + + fixes #934 + Closes #939 + +- [Martin Vejnár brought this change] + + win32: fix a potential memory leak in Curl_load_library + + If a call to GetSystemDirectory fails, the `path` pointer that was + previously allocated would be leaked. This makes sure that `path` is + always freed. + + Closes #938 + +- include: revert 9adf3c4 and make public types void * again + + Many applications assume the actual contents of the public types and use + that do for example forward declarations (saving them from including our + public header) which then breaks when we switch from void * to a struct + *. + + I'm not convinced we were wrong, but since this practise seems + widespread enough I'm willing to (partly) step down. + + Now libcurl uses the struct itself when it is built and it allows + applications to use the struct type if CURL_STRICTER is defined at the + time of the #include. + + Reported-by: Peter Frühberger + Fixes #926 + +Jay Satiro (28 Jul 2016) +- [Yonggang Luo brought this change] + + cmake: Fix for schannel support + + The check_library_exists_concat do not check crypt32 library properly. + So include it directly. + + Bug: https://github.com/curl/curl/pull/917 + Reported-by: Yonggang Luo + + Bug: https://github.com/curl/curl/issues/935 + Reported-by: Alain Danteny + +- Revert "travis: Install libtool for OS X builds" + + Didn't work. + + This reverts commit 50723585ed380744358de054e2a55dccee65dfd7. + +- travis: Install libtool for OS X builds + + CI is failing due to missing libtoolize, so I'm trying this. + +Daniel Stenberg (26 Jul 2016) +- [Viktor Szakats brought this change] + + TODO: minor typo in last commit + + merged #931 + +- TODO: Timeout idle connections from the pool + +Patrick Monnerat (25 Jul 2016) +- os400: minimum supported OS version: V6R1M0. + Do not log compilation informational messages. + +Jay Satiro (24 Jul 2016) +- tests: Fix for http/2 feature + + Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html + Reported-by: Paul Howarth + +Steve Holme (23 Jul 2016) +- README: Mention wolfSSL in the 'Dependencies' section + +- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO + + As SPNEGO is only defined when these pre-processor variables are defined + there is no need to query them explicitly. + +- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration + + Typo introduced in commit ad5e9bfd5d. + +Daniel Stenberg (22 Jul 2016) +- SECURITY: mention how to get windows-specific CVEs + + ... and make the distros link a proper link + +Dan Fandrich (21 Jul 2016) +- test558: fix test by stripping file paths from FD lines + +Kamil Dudka (21 Jul 2016) +- tests: distribute the http2-server.pl script, too + +- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too + +Daniel Stenberg (21 Jul 2016) +- bump: start working on 7.50.1 + +Version 7.50.0 (21 Jul 2016) + +Daniel Stenberg (21 Jul 2016) +- RELEASE-NOTES: version 7.50.0 ready + +- THANKS: 13 new contributors from the 7.50.0 release + +Jay Satiro (21 Jul 2016) +- winbuild: fix embedded manifest option + + Embedded manifest option didn't work due to typo. + + Reported-by: Stefan Kanthak + +- vauth: Fix memleak by freeing credentials if out of memory + + This is a follow up to the parent commit dcdd4be which fixes one leak + but creates another by failing to free the credentials handle if out of + memory. Also there's a second location a few lines down where we fail to + do same. This commit fixes both of those issues. + +Daniel Stenberg (20 Jul 2016) +- [Saurav Babu brought this change] + + vauth: Fixed memory leak due to function returning without free + + This patch allocates memory to "output_token" only when it is required + so that memory is not leaked if function returns. + +- test558: updated after ipv6-check move + + Follow-up commit to c50980807c5 to make this test pass. + +Jay Satiro (20 Jul 2016) +- connect: disable TFO on Linux when using SSL + + - Linux TFO + TLS is not implemented yet. + + Bug: https://github.com/curl/curl/issues/907 + +Daniel Stenberg (19 Jul 2016) +- ROADMAP: QUIC and TLS 1.3 + +- RELEASE-NOTES: synced with c50980807c5 + +Jay Satiro (18 Jul 2016) +- [Brian Prodoehl brought this change] + + curl_global_init: Check if IPv6 works + + - Curl_ipv6works() is not thread-safe until after the first call, so + call it once during global init to avoid a possible race condition. + + Bug: https://github.com/curl/curl/issues/915 + PR: https://github.com/curl/curl/pull/918 + +- [Timothy Polich brought this change] + + CURLMOPT_SOCKETFUNCTION.3: fix typo + + Closes https://github.com/curl/curl/pull/914 + +- [Miroslav Franc brought this change] + + library: Fix memory leaks found during static analysis + + Closes https://github.com/curl/curl/pull/913 + +- [Viktor Szakats brought this change] + + cookie.c: Fix misleading indentation + + Closes https://github.com/curl/curl/pull/911 + +- FAQ: Update FTP directory listing section for MLSD command + + Explain how some FTP servers support the machine readable listing + format MLSD from RFC 3659 and compare it to LIST. + + Ref: https://github.com/curl/curl/issues/906 + +Daniel Stenberg (1 Jul 2016) +- [Sergei Nikulov brought this change] + + Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING + + Closes #892 + +- TODO: 17.4 also brings more HTTP/2 support + +- TODO: try next proxy if one doesn't work + + Closes #896 + +- conn: don't free easy handle data in handler->disconnect + + Reported-by: Gou Lingfeng + Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html + +- test1244: test different proxy ports same URL + +- curl_global_init.3: improved formatting of the flags + +- curl_global_init.3: expand on the SSL and WIN32 bits purpose + + Reported-by: Richard Gray + Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html + +- [Michael Kaufmann brought this change] + + cleanup: minor code cleanup in Curl_http_readwrite_headers() + + - the expression of an 'if' was always true + - a 'while' contained a condition that was always true + - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)' + - fixed a typo + + Closes #889 + +- SFTP: set a generic error when no SFTP one exists... + + ... as otherwise we could get a 0 which would count as no error and we'd + wrongly continue and could end up segfaulting. + + Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html + Reported-by: 暖和的和暖 + +- ROADMAP: http2 tests are merged, mention http2 perf + +- docs/README.md: to render nicer pages on github + + ... as previously the README.cmake would be picked and put at the bottom + of the docs page there and it wasn't very representative! + +- README.md: change host name for the svg logo + + rawgit.com asks to use the domain cdn.rawgit.com for production + + See #900 + +- [Viktor Szakats brought this change] + + README.md: use the SVG logo + +- README.md: logo on top! + +- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some + + Closes #740 + +- RELEASE-NOTES: synced with d61c80515aa8 + +- [Michael Osipov brought this change] + + acinclude.m4: improve autodetection of CA bundle on FreeBSD + + The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle + to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the + discovery process. + + This change also removes the former FreeBSD path that has been obsolete + for 8 years since this FreeBSD ports commit: + https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953 + + Closes #894 + +- configure: don't specify .lib for libs on windows + + Another follow up for crypt32.lib linking with winssl + +- configure: fix winssl LIBS change typo + + follow-up from 120bf29e + +- TODO: "TCP Fast Open" is done, add monitor pool connections + +- configure: add crypt32.lib for winssl builds + + Necessary since 6cabd78531f + +- Makefile.vc: link with crypt32.lib for winssl builds + + Necessary since 6cabd78531f + + Fixes #853 + +- [Joel Depooter brought this change] + + VC: Add crypt32.lib to Visual Sudio project template files + + Closes #854 + +- vc: fix the build for schannel certinfo support + + Broken since 6cabd785, which adds use of the Curl_extract_certinfo + function from the x509asn1.c file. + +- typedefs: use the full structs in internal code... + + ... and save the typedef'ed names for headers and external APIs. + +- internals: rename the SessionHandle struct to Curl_easy + +- headers: forward declare CURL, CURLM and CURLSH as structs + + Instead of typedef'ing to void, typedef to their corresponding actual + struct names to allow compilers to type-check. + + Assisted-by: Reinhard Max + +Jay Satiro (22 Jun 2016) +- vtls: Only call add/getsession if session id is enabled + + Prior to this change we called Curl_ssl_getsessionid and + Curl_ssl_addsessionid regardless of whether session ID reusing was + enabled. According to comments that is in case session ID reuse was + disabled but then later enabled. + + The old way was not intuitive and probably not something users expected. + When a user disables session ID caching I'd guess they don't expect the + session ID to be cached anyway in case the caching is later enabled. + +Daniel Stenberg (22 Jun 2016) +- curl.1: the used progress meter suffix is k in lower case + + Closes #883 + +- [Sergei Nikulov brought this change] + + cmake: now using BUILD_TESTING=ON/OFF + + CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build + tests and enabling CTest integration. Options BUILD_CURL_TESTS and + BUILD_DASHBOARD_REPORTS was removed. + + Closes #882 + + Reviewed-by: Brad King + +- [Michael Kaufmann brought this change] + + cleanup: fix method names in code comments + + Closes #887 + +Kamil Dudka (21 Jun 2016) +- curl-compilers.m4: improve detection of GCC's -fvisibility= flag + + Some builds of GCC produce output on both stdout and stderr when --help + --verbose is used. The 2>&1 redirection caused them to be arbitrarily + interleaved with each other because of stream buffering. Consequently, + grep failed to match the fvisibility= string in the mixed output, even + though the string was present in GCC's standard output. + + This led to silently disabling symbol hiding in some builds of curl. + +Daniel Stenberg (19 Jun 2016) +- tests: fix the HTTP/2 tests + + The HTTP/2 tests brought with commit bf05606ef1f were using the internal + name 'http2' for the HTTP/2 server, while in fact that name was already + used for the second instance of the HTTP server. This made tests using + the second instance (like test 2050) fail after a HTTP/2 test had run. + + The server is now known as HTTP/2 internally and within the <server> + section in test cases. 1700, 1701 and 1702 were updated accordingly. + +- openssl: use more 'const' to fix build warnings with 1.1.0 branch + +- curl.1: missed 'T' in the progress unit suffixes + +- curl.1: mention the unix for the progress meter + +Patrick Monnerat (16 Jun 2016) +- os400: add new definitions to ILE/RPG binding. + +Daniel Stenberg (16 Jun 2016) +- openssl: fix cert check with non-DNS name fields present + + Regression introduced in 5f5b62635 (released in 7.48.0) + + Reported-by: Fabian Ruff + Fixes #875 + +Dan Fandrich (16 Jun 2016) +- axtls: Use Curl_wait_ms instead of the less-portable usleep + +- axtls: Fixed compile after compile 31c521b0 + +- tests: Added HTTP proxy keywords to tests 1141 & 1142 + +Jay Satiro (15 Jun 2016) +- [Sergei Nikulov brought this change] + + cmake: Fix build with winldap + + Bug: https://github.com/curl/curl/pull/874 + Reported-by: Sergei Nikulov + +- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty + + When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a + zero-byte POST. Prior to this change it was documented as sending data + from the read callback. + + This also changes the wording of what happens when empty or NULL so that + it's hopefully easier to understand for people whose primary language + isn't English. + + Bug: https://github.com/curl/curl/issues/862 + Reported-by: Askar Safin + +- [Michael Wallner brought this change] + + curl_multi_socket_action.3: Fix rewording + + - Remove some erroneous text. + + Closes https://github.com/curl/curl/pull/865 + +- [Luo Jinghua brought this change] + + resolve: enable protocol family logic for synthesized IPv6 + + - Enable protocol family logic for IPv6 resolves even when support + for synthesized addresses is enabled. + + This is a follow up to the parent commit that added support for + synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family + logic needed for IPv6 was inadvertently excluded if support for + synthesized addresses was enabled. + + Bug: https://github.com/curl/curl/issues/863 + Ref: https://github.com/curl/curl/pull/866 + Ref: https://github.com/curl/curl/pull/867 + +Daniel Stenberg (7 Jun 2016) +- [Luo Jinghua brought this change] + + resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS + + Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X. + If the current network interface doesn’t support IPv4, but supports + IPv6, NAT64, and DNS64. + + Closes #866 + Fixes #863 + +- tests: two more HTTP/2 tests + + 1701 and 1702 + +- runtests: don't display logs when http2 server fails to start + +- runtests: make stripfile work on stdout as well + + ... and have test 1700 use that to strip out the nghttpx server: headers + +- http2-tests: test1700 is the first real HTTP/2 test + + It requires that 'nghttpx' is in the PATH, and it will run the tests + using nghttpx as a front-end proxy in front of the standard HTTP/1 test + server. This uses HTTP/2 over plain TCP. + + If you like me have nghttpx installed in a custom path, you can run test 1700 + like this: + + $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700 + +- RELEASE-NOTES: synced with 34855feeb4c299 + +Steve Holme (6 Jun 2016) +- schannel: Disable ALPN on Windows < 8.1 + + Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL + fails on Windows < 8.1 so we need to disable ALPN on these OS versions. + + Inspiration provide by: Daniel Seither + + Closes #848 + Fixes #840 + +Jay Satiro (5 Jun 2016) +- checksrc: Add LoadLibrary to the banned functions list + + LoadLibrary was supplanted by Curl_load_library for security + reasons in 6df916d. + +- http: Fix HTTP/2 connection reuse + + - Change the parser to not require a minor version for HTTP/2. + + HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2 + in 8243a95 because the parser still expected a minor version. + + Bug: https://github.com/curl/curl/issues/855 + Reported-by: Andrew Robbins, Frank Gevaerts + +Steve Holme (4 Jun 2016) +- connect.c: Fixed compilation warning from commit 332e8d6164 + + connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else' + +- win32: Used centralised verify windows version function + + Closes #845 + +- win32: Added verify windows version functionality + +- win32: Introduced centralised verify windows version function + +Kamil Dudka (3 Jun 2016) +- tool_urlglob: fix off-by-one error in glob_parse() + + ... causing SIGSEGV while parsing URL with too many globs. + Minimal example: + + $ curl $(for i in $(seq 101); do printf '{a}'; done) + + Reported-by: Romain Coltel + Bug: https://bugzilla.redhat.com/1340757 + +Daniel Stenberg (1 Jun 2016) +- [Benjamin Kircher brought this change] + + libcurl-multi.3: fix small typo + + Closes #850 + +- [Viktor Szakats brought this change] + + makefile.m32: add crypt32 for winssl builds + + Dependency added by 6cabd78 + + Closes #849 + +- [Ivan Avdeev brought this change] + + vtls: fix ssl session cache race condition + + Sessionid cache management is inseparable from managing individual + session lifetimes. E.g. for reference-counted sessions (like those in + SChannel and OpenSSL engines) every session addition and removal + should be accompanied with refcount increment and decrement + respectively. Failing to do so synchronously leads to a race condition + that causes symptoms like use-after-free and memory corruption. + This commit: + - makes existing session cache locking explicit, thus allowing + individual engines to manage lock's scope. + - fixes OpenSSL and SChannel engines by putting refcount management + inside this lock's scope in relevant places. + - adds these explicit locking calls to other engines that use + sessionid cache to accommodate for this change. Note, however, + that it is unknown whether any of these engines could also have + this race. + + Bug: https://github.com/curl/curl/issues/815 + Fixes #815 + Closes #847 + +- [Andrew Kurushin brought this change] + + schannel: add CURLOPT_CERTINFO support + + Closes #822 + +- RELEASE-NOTES: synced with 142ee9fa15002315 + +- openssl: rename the private SSL_strerror + + ... to make it not look like an OpenSSL function + +- [Michael Kaufmann brought this change] + + openssl: Use correct buffer sizes for error messages + + Closes #844 + +- curl: fix -q [regression] + + This broke in 7.49.0 with commit e200034425a7625 + + Fixes #842 + +- URL parser: allow URLs to use one, two or three slashes + + Mostly in order to support broken web sites that redirect to broken URLs + that are accepted by browsers. + + Browsers are typically even more leniant than this as the WHATWG URL + spec they should allow an _infinite_ amount. I tested 8000 slashes with + Firefox and it just worked. + + Added test case 1141, 1142 and 1143 to verify the new parser. + + Closes #791 + +- [Renaud Lehoux brought this change] + + cmake: Added missing mbedTLS support + + Closes #837 + +- [Renaud Lehoux brought this change] + + mbedtls: removed unused variables + + Closes #838 + +- [Frank Gevaerts brought this change] + + http: add CURLINFO_HTTP_VERSION and %{http_version} + + Adds access to the effectively used http version to both libcurl and + curl. + + Closes #799 + +- bump: start the journey toward 7.50.0 + +- [Marcel Raad brought this change] + + openssl: fix build with OPENSSL_NO_COMP + + With OPENSSL_NO_COMP defined, there is no function + SSL_COMP_free_compression_methods + + Closes #836 + +- [Gisle Vanem brought this change] + + memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC + + Fixes #828 + +- [Jonathan brought this change] + + README.md: polish + + Closes #834 + +- RELEASE-NOTES: fix vuln link + +Version 7.49.1 (30 May 2016) + +Daniel Stenberg (30 May 2016) +- RELEASE-NOTES: 7.49.1 + +- [Steve Holme brought this change] + + loadlibrary: Only load system DLLs from the system directory + + Inspiration provided by: Daniel Stenberg and Ray Satiro + + Bug: https://curl.haxx.se/docs/adv_20160530.html + + Ref: Windows DLL hijacking with curl, CVE-2016-4802 + +- ssh: fix version number check typo + +Jay Satiro (29 May 2016) +- curl_share_setopt.3: Add min ver needed for ssl session lock + + Bug: https://github.com/curl/curl/issues/826 + Reported-by: Michael Wallner + +Daniel Stenberg (29 May 2016) +- ssh: fix build for libssh2 before 1.2.6 + + The statvfs functionality was added to libssh2 in that version, so we + switch off that functionality when built with older libraries. + + Fixes #831 + +- mbedtls: fix includes so snprintf() works + + Regression from the previous *printf() rearrangements, this file missed to + include the correct header to make sure snprintf() works universally. + + Reported-by: Moti Avrahami + Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html + +Steve Holme (23 May 2016) +- checksrc.pl: Added variants of strcat() & strncat() to banned function list + + Added support for checking the tchar, unicode and mbcs variants of + strcat() and strncat() in the banned function list. + +Daniel Stenberg (23 May 2016) +- smtp: minor ident (white space) fixes + +- THANKS: updated after script fixes + + Now giving credit properly to github user names, fixed some UTF-8 issues + and added names discovered when contrithanks was improved. + +- THANKS-filter: more name cleanups + +- contrithanks.sh: exclude existing names case insensitively + +- contrithanks.sh: use same grep pattern and -a flag as contributors.sh + +- contributors.sh: better grep pattern, use grep -a + +- THANKS-filter: fix more names + +- contrithanks.sh: do the same github fix as contributors.sh + + from 1577bfa35ba + +Jay Satiro (23 May 2016) +- contributors: Show GitHub username if real name unknown + + Prior to this change if a GitHub contributor's real name was unknown + they would be omitted from the list. + + Bug: https://github.com/curl/curl/issues/824 + +Daniel Stenberg (21 May 2016) +- RELEASE-NOTES: synced with 3caaeffbe8ded4 + +Jay Satiro (20 May 2016) +- openssl: cleanup must free compression methods + + - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak. + + Bug: https://github.com/curl/curl/issues/817 + Reported-by: jveazey@users.noreply.github.com + +Daniel Stenberg (20 May 2016) +- [Gisle Vanem brought this change] + + curl_multibyte: fix compiler error + + While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was + getting: + + f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '(' + to follow 'CURL_EXTERN' + + f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085: + 'curl_domalloc': not in formal parameter list + +- THANKS-filter: make Jan-E get proper credit + +- [Jan-E brought this change] + + winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity + + Closes #818 + +- [Alexander Traud brought this change] + + libcurl.m4: Avoid obsolete warning + + Closes #821 + +Jay Satiro (20 May 2016) +- [Michael Kaufmann brought this change] + + CURLOPT_CONNECT_TO.3: user must not free the list prematurely + + The connect-to list isn't copied so as long as the handle may be used + for a transfer the list must be valid. + + Bug: https://github.com/curl/curl/pull/819 + Reported-by: Michael Kaufmann + +Daniel Stenberg (19 May 2016) +- RELEASE-NOTES: synced with 48114a8634242c + +- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0 + + See OpenSSL commit 21e001747d4a + +- http2: use HTTP/2 in the HTTP/1.1-alike header + + ... when generating them, not "2.0" as the protocol is called just + HTTP/2 and nothing else. + +Jay Satiro (19 May 2016) +- dist: include curl_multi_socket_all.3 + + Closes https://github.com/curl/curl/pull/816 + +Steve Holme (18 May 2016) +- bump: Start work on 7.49.1 + +Daniel Stenberg (18 May 2016) +- curlbuild.h.dist: check __LP64__ as well to fix MIPS build + + The preprocessor check that sets up the 32bit defines for non-configure + builds didn't work properly for MIPS systems as __mips__ is defined for + both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit. + + Reported-by: Tomas Jakobsson + Fixes #813 + +- [Marcel Raad brought this change] + + schannel: fix compile break with MSVC XP toolset + + For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK + 7.1 is used. In this case, _USING_V110_SDK71_ is defined. + + Closes #812 + +- dist: include CHECKSRC.md + + Reported-by: Paul Howarth + Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html + +- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist + + Reported-by: Ray Satiro + Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html + +Version 7.49.0 (17 May 2016) + +Daniel Stenberg (17 May 2016) +- THANKS: 24 new names from 7.49.0 release notes + +- RELEASE-NOTES: 7.49.0 + +- mbedtls/polarssl: set "hostname" unconditionally + + ...as otherwise the TLS libs will skip the CN/SAN check and just allow + connection to any server. curl previously skipped this function when SNI + wasn't used or when connecting to an IP address specified host. + + CVE-2016-3739 + + Bug: https://curl.haxx.se/docs/adv_20160518A.html + Reported-by: Moti Avrahami + +- [Frank Gevaerts brought this change] + + CURLOPT_RESOLVE.3: fix typo + + Closes #811 + +- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE + +- KNOWN_BUGS: GnuTLS backend skips really long certificate fields + + Closes #762 + +- CURLOPT_HTTPPOST.3: the data needs to be around while in use + +- openssl: get_cert_chain: fix NULL dereference + + CID 1361815: Explicit null dereferenced (FORWARD_NULL) + +- openssl: get_cert_chain: avoid NULL dereference + + CID 1361811: Explicit null dereferenced (FORWARD_NULL) + +- dprintf_formatf: fix (false?) Coverity warning + + CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when + we run over 'workend' but the condition says <= workend and for all I + can see it should be safe. Compensating for the warning by adding a byte + margin in the buffer. + + Also, removed the extra brace level indentation in the code and made it + so that 'workend' is only assigned once within the function. + +- RELEASE-NOTES: synced with 2dcb5adc72d6 + +- THANKS-filter: fixed Jonathan Cardoso + +Jay Satiro (15 May 2016) +- ftp: fix incorrect out-of-memory code in Curl_pretransfer + + - Return value type must match function type. + + s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/ + + Caught by Travis CI + +Daniel Stenberg (15 May 2016) +- ftp wildcard: segfault due to init only in multi_perform + + The proper FTP wildcard init is now more properly done in Curl_pretransfer() + and the corresponding cleanup in Curl_close(). + + The previous place of init/cleanup code made the internal pointer to be NULL + when this feature was used with the multi_socket() API, as it was made within + the curl_multi_perform() function. + + Reported-by: Jonathan Cardoso Machado + Fixes #800 + +Jay Satiro (13 May 2016) +- libcurl-tlibcurl-thread: Update OpenSSL links + + Because the old OpenSSL link now redirects to their master documentation + (currently 1.1.0), which does not document the required actions for + OpenSSL <= 1.0.2. + +Daniel Stenberg (13 May 2016) +- [Viktor Szakats brought this change] + + darwinssl.c: fix OS X codename typo in comment + +- RELEASE-NOTES: synced with 68701e51c1f7 + + Added 8 bug fixes and 5 more contrbutors + +- [Jay Satiro brought this change] + + mprintf: Fix processing of width and prec args + + Prior to this change a width arg could be erroneously output, and also + width and precision args could not be used together without crashing. + + "%0*d%s", 2, 9, "foo" + + Before: "092" + After: "09foo" + + "%*.*s", 5, 2, "foo" + + Before: crash + After: " fo" + + Test 557 is updated to verify this and more + +- [Michael Kaufmann brought this change] + + ConnectionExists: follow-up fix for proxy re-use + + Follow-up commit to 5823179 + + Closes #648 + +- [Per Malmberg brought this change] + + darwinssl: fix certificate verification disable on OS X 10.8 + + The new way of disabling certificate verification doesn't work on + Mountain Lion (OS X 10.8) so we need to use the old way in that version + too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 + and 10.11. + + Closes #802 + +- [Cory Benfield brought this change] + + http2: Add space between colon and header value + + curl's representation of HTTP/2 responses involves transforming the + response to a format that is similar to HTTP/1.1. Prior to this change, + curl would do this by separating header names and values with only a + colon, without introducing a space after the colon. + + While this is technically a valid way to represent a HTTP/1.1 header + block, it is much more common to see a space following the colon. This + change introduces that space, to ensure that incautious tools are safely + able to parse the header block. + + This also ensures that the difference between the HTTP/1.1 and HTTP/2 + response layout is as minimal as possible. + + Bug: https://github.com/curl/curl/issues/797 + + Closes #798 + Fixes #797 + +Kamil Dudka (12 May 2016) +- openssl: fix compile-time warning in Curl_ossl_check_cxn() + + ... introduced in curl-7_48_0-293-g2968c83: + + Error: COMPILER_WARNING: + lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’ + lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’ + may alter its value [-Wconversion] + +Jay Satiro (11 May 2016) +- openssl: stricter connection check function + + - In the case of recv error, limit returning 'connection still in place' + to EINPROGRESS, EAGAIN and EWOULDBLOCK. + + This is an improvement on the parent commit which changed the openssl + connection check to use recv MSG_PEEK instead of SSL_peek. + + Ref: https://github.com/curl/curl/commit/856baf5#comments + +Daniel Stenberg (11 May 2016) +- [Anders Bakken brought this change] + + TLS: SSL_peek is not a const operation + + Calling SSL_peek can cause bytes to be read from the raw socket which in + turn can upset the select machinery that determines whether there's data + available on the socket. + + Since Curl_ossl_check_cxn only tries to determine whether the socket is + alive and doesn't actually need to see the bytes SSL_peek seems like + the wrong function to call. + + We're able to occasionally reproduce a connect timeout due to this + bug. What happens is that Curl doesn't know to call SSL_connect again + after the peek happens since data is buffered in the SSL buffer and thus + select won't fire for this socket. + + Closes #795 + +Jay Satiro (9 May 2016) +- [Daniel Stenberg brought this change] + + TLS: move the ALPN/NPN enable bits to the connection + + Only protocols that actually have a protocol registered for ALPN and NPN + should try to get that negotiated in the TLS handshake. That is only + HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN + would wrongly be used in all handshakes if libcurl was built with it + enabled. + + Reported-by: Jay Satiro + + Fixes #789 + +Daniel Stenberg (8 May 2016) +- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl + +- [Antonio Larrosa brought this change] + + connect: fix invalid "Network is unreachable" errors + + Sometimes, in systems with both ipv4 and ipv6 addresses but where the + network doesn't support ipv6, Curl_is_connected returns an error + (intermittently) even if the ipv4 socket connects successfully. + + This happens because there's a for-loop that iterates on the sockets but + the error variable is not resetted when the ipv4 is checked and is ok. + + This patch fixes this problem by setting error to 0 when checking the + second socket and not having a result yet. + + Fixes #794 + +Jay Satiro (5 May 2016) +- FAQ: refer to thread safety guidelines + +Daniel Stenberg (3 May 2016) +- connections: non-HTTP proxies on different ports aren't reused either + + Reported-by: Oleg Pudeyev and fuchaoqun + + Fixes #648 + +- http: make sure a blank header overrides accept_decoding + + Reported-by: rcanavan + Assisted-by: Isaac Boukris + Closes #785 + +- CHECKSRC.md: clarified, explained the whitelist file + +- nroff-scan.pl: verify that references are made with \fI + +- docs: unified man page references to use \fI + +- TODO: 17.14 --fail without --location should treat 3xx as a failure + + Closes #727 + +- RELEASE-NOTES: synced with 7987f5cb14d + +- [Isaac Boukris brought this change] + + CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification + + Mention possible content-length mismatch with sum of bytes reported + by write callbacks when auto decoding is enabled. + + See #785 + +- test1140: run nroff-scan to verify man pages + +- nroff-scan.pl: verify the .BR references as well + +- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference + +- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE + +- curl_easy_pause.3: fix man page reference + +Jay Satiro (1 May 2016) +- tool_cb_hdr: Fix --remote-header-name with schemeless URL + + - Move the existing scheme check from tool_operate. + + In the case of --remote-header-name we want to parse Content-disposition + for a filename, but only if the scheme is http or https. A recent + adjustment 0dc4d8e was made to account for schemeless URLs however it's + not 100% accurate. To remedy that I've moved the scheme check to the + header callback, since at that point the library has already determined + the scheme. + + Bug: https://github.com/curl/curl/issues/760 + Reported-by: Kai Noda + +Daniel Stenberg (1 May 2016) +- tls: make setting pinnedkey option fail if not supported + + to make it obvious to users trying to use the feature with TLS backends + not supporting it. + + Discussed in #781 + Reported-by: Travis Burtrum + +- nroff-scan.pl: verifies nroff pages + + ... not used by any test yet but can be used stand-alone. + +- opts: fix broken/bad references + +- [Michael Kaufmann brought this change] + + docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3 + + Closes #786 + +- CURLOPT_ACCEPT_ENCODING.3: clarified + + As discussed in #785 + +- curl.1: --mail-rcpt can be used multiple times + + Reported-by: mgendre + Closes #784 + +- [Karlson2k brought this change] + + tests: Use 'pathhelp' for paths conversions in secureserver.pl + + Closes #675 + +- [Karlson2k brought this change] + + tests: Use 'pathhelp' for paths conversions in sshserver.pl + +- [Karlson2k brought this change] + + tests: Use 'pathhelp' for current path in runtests.pl + +- [Karlson2k brought this change] + + tests: pathhelp.pm to process paths on Msys/Cygwin + +- lib: include curl_printf.h as one of the last headers + + curl_printf.h defines printf to curl_mprintf, etc. This can cause + problems with external headers which may use + __attribute__((format(printf, ...))) markers etc. + + To avoid that they cause problems with system includes, we include + curl_printf.h after any system headers. That makes the three last + headers to always be, and we keep them in this order: + + curl_printf.h + curl_memory.h + memdebug.h + + None of them include system headers, they all do funny #defines. + + Reported-by: David Benjamin + + Fixes #743 + +- memdebug.h: remove inclusion of other headers + + Mostly because they're not needed, because memdebug.h is always included + last of all headers so the others already included the correct ones. + + But also, starting now we don't want this to accidentally include any + system headers, as the header included _before_ this header may add + defines and other fun stuff that we won't want used in system includes. + +- [Jay Satiro brought this change] + + curl -J: make it work even without http:// scheme on URL + + It does open up a miniscule risk that one of the other protocols that + libcurl could use would send back a Content-Disposition header and then + curl would act on it even if not HTTP. + + A future mitigation for this risk would be to allow the callback to ask + libcurl which protocol is being used. + + Verified with test 1312 + + Closes #760 + +- manpage-scan.pl: also verify the command line option docs + + This script now also scans src/tool_getparam.c, docs/curl.1 and + src/tool_help.c and will warn if any of them lists a command line option + not mentioned in one of the other places. + +- curl: show the long option version of -q in the -h list + +- curl: remove "--socks" as "--socks5" turned 8 + + In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated + and it has not been documented since. The more explicit socks options + (like --socks4 or --socks5) should be used. + +- curl.1: document the deprecated --ftp-ssl option + +- curl: remove --http-request + + It was mentioned as deprecated already in commit ae1912cb0d4 from + 1999. It has not been documented in this millennium. + +- curl: mention --ntlm-wb in -h list + +- curl: -h output lacked --proxy-header + +- curl.1: document --ntlm-wb + +- curl.1: document the long format of -q: --disable + +- curl.1: mention the deprecated --krb4 option + +- curl.1: document --ftp-ssl-reqd + + Even if deprecated, document it so that people will find it as old + scripts may still use it. + +- curl: use --telnet-option as documented + + The code said "telnet-options" but no documentation ever said so. It + worked fine since the code is fine with a unique match of the first + part. + +- getparam: remove support for --ftpport + + It has been deprecated and undocumented since commit ad5ead8bed7 (Dec + 2003). --ftp-port is the proper long option name. + +- curl: make --disable work as long form of -q + + To make the aliases list reflect reality. + +- aliases: remove trailing space from capath string + +- cmdline parse: only single letter options have single-letter strings + + ... moved around options so that parsing the code to find all + single-letter options easier. + +Jay Satiro (28 Apr 2016) +- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability + + Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html + Reported-by: Bru Rom + +Daniel Stenberg (28 Apr 2016) +- curl_easy_getinfo.3: remove superfluous blank lines + +- test1139: verifies libcurl option man page presence + + - checks that each option has its own man page present + + - checks that each option is mentioned in its corresponding index man + page + +- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION + + ... although it is deprecated. + +Jay Satiro (28 Apr 2016) +- mbedtls: Fix session resume + + This also fixes PolarSSL session resume. + + Prior to this change the TLS session information wasn't properly + saved and restored for PolarSSL and mbedTLS. + + Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html + Reported-by: Thomas Glanzmann + + Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html + Reported-by: Moti Avrahami + +Daniel Stenberg (27 Apr 2016) +- RELEASE-NOTES: synced with f4298fcc6d2 + +- [Michael Kaufmann brought this change] + + opts: Fix some syntax errors in example code fragments + + Fixes #779 + +- openssl: avoid BN_print a NULL bignum + + OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those + numbers so make sure the function handles this. + + Reported-by: Linus Nordberg + +- [Marcel Raad brought this change] + + CONNECT_ONLY: don't close connection on GSS 401/407 reponses + + Previously, connections were closed immediately before the user had a + chance to extract the socket when the proxy required Negotiate + authentication. + + This regression was brought in with the security fix in commit + 79b9d5f1a42578f + + Closes #655 + +- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0 + +- mbedtls.c: silly spellfix of a comment + +- KNOWN_BUGS: 1.10 Strips trailing dot from host name + + Closes #716 + +- test1322: verify stripping of trailing dot from host name + + While being debated (in #716) and a violation of RFC 7230 section 5.4, + this test verifies that the existing functionality works as intended. It + strips the dot from the host name and uses the host without dot + throughout the internals. + +- multi: accidentally used resolved host name instead of proxy + + Regression introduced in 09b5a998 + + Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html + Reported-by: BoBo + +- symbols-in-versions: added new CURLSSLBACKEND_ symbols + +- test148: fixed after the --ftp-create-dirs retry change + + follow-up commit to 3c1e84f569 as it made curl try a little harder + +- curl.h: clarify curl_sslbackend for openssl clones and renames + +- [Karlson2k brought this change] + + url.c: fixed DEBUGASSERT() for WinSock workaround + + If buffer is allocated, but nothing is received during prereceive + stage, than number of processed bytes must be zero. + + Closes #778 + +- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address + + Closes #686 for now. + +- TODO: 1.17 Add support for IRIs + + Adding support for IRIs is a mouthful, but is probably interesting at + least for areas and countries where the use of such "URLs" are growing + popularity. + + Closes #776 + +- THANKS-filter: Travis Burtrum + +- lib1517: checksrc compliance + +- [moparisthebest brought this change] + + PolarSSL: Implement public key pinning + +Patrick Monnerat (22 Apr 2016) +- os400: upgrade ILE/RPG binding + +- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string + +Daniel Stenberg (22 Apr 2016) +- contributors.sh: make --releasenotes implied + + It got too annoying to type =) + +- RELEASE-NOTES: synced with 3c1e84f5693d8093 + +- curl: make --ftp-create-dirs retry on failure + + The underlying libcurl option used for this feature is + CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir + creation, but it was never set to do that by the command line tool. + + Now it does. + + Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html + Reported-by: John Wanghui + Help-by: Leif W + +- [Henrik Gaßmann brought this change] + + winbuild: add mbedtls support + + Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL + options mutual exclusive. + + Closes #606 + +- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables" + + As of commit d9f3b365a3 + +- [Irfan Adilovic brought this change] + + configure: ac_cv_ -> curl_cv_ for write-only vars + + These configure vars are modified in a curl-specific way but never + evaluated or loaded from cache, even though they are designated as + _cv_. We could either implement proper AC_CACHE_CHECKs for them, or + remove them completely. + + Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and + AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after + the first configure run with caching. + + `ac_cv_func_strcasecmp` is curious, see #770. + + `eval "ac_cv_func_$func=yes"` can still cause problems as it works in + tandem with AC_CHECK_FUNCS and then potentially modifies its result. It + would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro, + which works the same as AC_CHECK_FUNCS but relies on caching the values + of curl_cv_func_* variables, without modifiying ac_cv_func_*. + +- [Irfan Adilovic brought this change] + + configure: ac_cv_ -> curl_cv_ for r/w vars + + These configure vars are modified in a curl-specific way and modified by + the configure process, but are never loaded from cache, even though they + are designated as _cv_. We should implement proper AC_CACHE_CHECKs for + them eventually. + +- [Irfan Adilovic brought this change] + + configure: ac_cv_func_clock_gettime -> curl_... + + This variable must not be cached in its current form, as any cached + information will prevent the next configure run from determining the + correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to + just `curl_`. + +- [Irfan Adilovic brought this change] + + configure: ac_cv_ -> curl_cv_ for all cached vars + + This was automated by: + + sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \ + ack -o 'ac_cv_.*?\b' | \ + sort -u | xargs -n1 bash -c \ + 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \ + $(git ls-files) + + This only changed the prefix for 16 variables actually checked with + AC_CACHE_CHECK. + +- openssl: builds with OpenSSL 1.1.0-pre5 + + The RSA, DSA and DH structs are now opaque and require use of new APIs + + Fixes #763 + +Steve Holme (20 Apr 2016) +- url.c: Prefer we don't use explicit NULLs in conditions + + Fixed commit fa5fa65a30 to not use NULLs in if condition. + +Daniel Stenberg (20 Apr 2016) +- [Isaac Boukris brought this change] + + NTLM: check for NULL pointer before deferencing + + At ConnectionExists, both check->proxyuser and check->proxypasswd + could be NULL, so make sure to check first. + + Fixes #765 + +- [Karlson2k brought this change] + + tests: added test1517 + + ... for checking ability to receive full HTTP response when POST request + is used with slow read callback function. + + This test checks for bug #657 and verifies the work-around from + 72d5e144fbc6. + + Closes #720 + +- [Karlson2k brought this change] + + sendf.c: added ability to call recv() before send() as workaround + + WinSock destroys recv() buffer if send() is failed. As result - server + response may be lost if server sent it while curl is still sending + request. This behavior noticeable on HTTP server short replies if + libcurl use several send() for request (usually for POST request). + To workaround this problem, libcurl use recv() before every send() and + keeps received data in intermediate buffer for further processing. + + Fixes: #657 + Closes: #668 + +Kamil Dudka (19 Apr 2016) +- connect: make sure that rc is initialized in singleipconnect() + + This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13: + + Error: CLANG_WARNING: + lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value + 1118| } + 1119| + 1120|-> if(-1 == rc) + 1121| error = SOCKERRNO; + 1122| } + +Daniel Stenberg (19 Apr 2016) +- make/checksrc: use $srcdir, not $top_srcdir + +- src/checksrc.whitelist: removed + +- tool_operate: switch to inline checksrc ignore + +- lib/checksrc.whitelist: not needed anymore + + ... as checksrc now skips comments + +- vtls.h: remove a space before semicolon + + ... that the new checksrc detected + +- darwinssl: removed commented out code + +- http_chunks: removed checksrc disable + + ... since checksrc now skips comments + +- imap: inlined checksrc disable instead of whitelist edit + +- checksrc: taught to skip comments + + ... but output non-stripped version of the line, even if that then can + make the script identify the wrong position in the line at + times. Showing the line stripped (ie without comments) is just too + surprising. + +- opts/Makefile.am: list all docs file one by one + + ... to make it easier to add lines in patches that won't just break all + other patches trying to add lines too. + +- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN + +- RELEASE-NOTES: synced with 03de4e4b219 + + (since we just merged two major features) + +- [Alessandro Ghedini brought this change] + + connect: implement TCP Fast Open for Linux + + Closes #660 + +- [Alessandro Ghedini brought this change] + + tool: add --tcp-fastopen option + +- [Alessandro Ghedini brought this change] + + connect: implement TCP Fast Open for OS X + +- [Alessandro Ghedini brought this change] + + url: add CURLOPT_TCP_FASTOPEN option + +- checksrc: pass on -D so the whitelists are found correctly + +- configure: remove check for libresolve + + 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS, + but this check is broken and most likely adds nothing useful. Removing + now. + + Reported-by: Irfan Adilovic + + Discussed in #770 + +- scripts/make: use $(EXEEXT) for executables + + Reported-by: bodop + + Fixes #771 + +- includes: avoid duplicate memory callback typdefs even harder + +- checksrc/makefile.am: use $top_srcdir to find source files + + ... to properly support out of source tree builds. + +- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5 + +- opts: fix option references missing (section) + +- [Michael Kaufmann brought this change] + + news: CURLOPT_CONNECT_TO and --connect-to + + Makes curl connect to the given host+port instead of the host+port found + in the URL. + +- makefile.vc6: use d suffix on debug object + + To allow both release and debug builds in parallel. + + Reported-by: Rod Widdowson + + Fixes #769 + +Jay Satiro (12 Apr 2016) +- http2: Use size_t type for data drain count + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- http2: Improve header parsing + + - Error if a header line is larger than supported. + + - Warn if cumulative header line length may be larger than supported. + + - Allow spaces when parsing the path component. + + - Make sure each header line ends in \r\n. This fixes an out of bounds. + + - Disallow header continuation lines until we decide what to do. + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- http2: Add Curl_http2_strerror for HTTP/2 error codes + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Don't increment drain when one header field is received + + Sicne we write header field in temporary location, not in the memory + that upper layer provides, incrementing drain should not happen. + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Ensure that http2_handle_stream_close is called + + This commit ensures that streams which was closed in on_stream_close + callback gets passed to http2_handle_stream_close. Previously, this + might not happen. To achieve this, we increment drain property to + forcibly call recv function for that stream. + + To more accurately check that we have no pending event before shutting + down HTTP/2 session, we sum up drain property into + http_conn.drain_total. We only shutdown session if that value is 0. + + With this commit, when stream was closed before reading response + header fields, error code CURLE_HTTP2_STREAM is returned even if + HTTP/2 level error is NO_ERROR. This signals the upper layer that + stream was closed by error just like TCP connection close in HTTP/1. + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Process paused data first before tear down http2 session + + This commit ensures that data from network are processed before HTTP/2 + session is terminated. This is achieved by pausing nghttp2 whenever + different stream than current easy handle receives data. + + This commit also fixes the bug that sometimes processing hangs when + multiple HTTP/2 streams are multiplexed. + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Check session closure early in http2_recv + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +- [Tatsuhiro Tsujikawa brought this change] + + http2: Add handling stream level error + + Previously, when a stream was closed with other than NGHTTP2_NO_ERROR + by RST_STREAM, underlying TCP connection was dropped. This is + undesirable since there may be other streams multiplexed and they are + very much fine. This change introduce new error code + CURLE_HTTP2_STREAM, which indicates stream error that only affects the + relevant stream, and connection should be kept open. The existing + CURLE_HTTP2 means connection error in general. + + Ref: https://github.com/curl/curl/issues/659 + Ref: https://github.com/curl/curl/pull/663 + +Daniel Stenberg (11 Apr 2016) +- http2: drain the socket better... + + ... but ignore EAGAIN if the stream has ended so that we don't end up in + a loop. This is a follow-up to c8ab613 in order to avoid the problem + d261652 was made to fix. + + Reported-by: Jay Satiro + Clues-provided-by: Tatsuhiro Tsujikawa + + Discussed in #750 + +- KNOWN_BUGS: added info for "Hangs with PolarSSL" + +- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse + + Closes #750 + +- build: include scripts/ in the dist + +Steve Holme (9 Apr 2016) +- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME + + As these two options provide identical functionality, the former for + SOCK5 proxies and the latter for HTTP proxies, merged the two options + together. + + As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of + 7.49.0. + +- urldata: Use bool for socks5_gssapi_nec as it is a flag + + This value is set to TRUE or FALSE so should be a bool and not a long. + +- url: Ternary operator code style changes + +- CODE_STYLE: Added ternary operator example to 'Space around operators' + + Following conversation on the libcurl mailing list. + +- sasl: Fixed compilation errors from commit 9d89a0387 + + ...when GSS-API or Windows SSPI are not used. + +- url: Corrected comments following 9d89a0387 + +- docs: Added clarification following commit 9d89a0387 + +- Makefile: Fixed echo of checksrc check + +- checksrc: Fix issue with the autobuilds not picking up the whitelist + +- checksrc: Added missing vauth and vtls directories + +- ftp/imap/pop3/smtp: Allow the service name to be overridden + + Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5 + authentication in FTP, IMAP, POP3 and SMTP. + +- http_negotiate: Calculate service name and proxy service name locally + + Calculate the service name and proxy service names locally, rather than + in url.c which will allow for us to support overriding the service name + for other protocols such as FTP, IMAP, POP3 and SMTP. + +- ROADMAP: Updated following the move of the authentication code + +Patrick Monnerat (8 Apr 2016) +- KNOWN_BUGS: openldap hangs. TODO: binary SASL. + +Daniel Stenberg (8 Apr 2016) +- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables + + Closes #603 + +- KNOWN_BUGS: 11.2 error buffer not set... + + Closes #544 + +- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS + + Closes #543 + +- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects + + Closes #522 + +- TODO: HTTP/2 "prior knowledge" is implemented! + +- [Damien Vielpeau brought this change] + + mbedtls: fix MBEDTLS_DEBUG builds + +- mbedtls: implement and provide *_data_pending() + + ... as otherwise we might get stuck thinking there's no more data to + handle. + + Reported-by: Damien Vielpeau + + Fixes #737 + +- mbedtls: follow-up for the previous commit + +- mbedtls.c: name space pollution fix, Use 'Curl_' + +- mbedtls.c: changed private prefix to mbed_ + + mbedtls_ is the prefix used by the mbedTLS library itself so we should + avoid using that for our private functions. + +- mbedtls.h: fix compiler warnings + +- Revert "winbuild: trying to set some files eol=crlf for git" + + This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21. + + Didn't help. Caused problems. + + Fixes #756 + +- curl.1: use example.com more + + Make (most) example snippets use the example.com domain instead of the + random ones picked and used before. Some of those were probably + legitimate sites and some not. example.com is designed for this purpose. + +- [Michael Kaufmann brought this change] + + HTTP2: Add a space character after the status code + + The space character after the status code is mandatory, even if the + reason phrase is empty (see RFC 7230 section 3.1.2) + + Closes #755 + +- [Viktor Szakats brought this change] + + URLs: change http to https in many places + + Closes #754 + +- winbuild: trying to set some files eol=crlf for git + + Thinking it might help to apply patches etc with git. + +- [Theodore Dubois brought this change] + + curl.1: change example for -F + + It's a bad idea to send your passwords anywhere, especially over HTTP. + Modified example to send a picture instead. + + Fixes #752 + +- KNOWN_BUGS: reorganized and cleaned up + + Now sorted into categories and organized in the same style we do the + TODO document. It will make each issue linked properly on the + https://curl.haxx.se/docs/knownbugs.html web page. + + The sections should make it easier to find issues and issues related to + areas of the reader's specific interest. + +Jay Satiro (6 Apr 2016) +- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments + +Steve Holme (6 Apr 2016) +- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues + +- CHECKSRC.md: Corrected some typos + +- RELEASE-NOTES: Corrected last updated + + Included a summary of the checksrc.bat updates and combined two krb5 + changes as they should have been implemented at the same time. + +- vauth: Corrected a number of typos in comments + + Reported-by: Michael Osipov + +Jay Satiro (5 Apr 2016) +- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler + + Bug: https://github.com/curl/curl/issues/536 + Reported-by: eXeC64@users.noreply.github.com + +Daniel Stenberg (5 Apr 2016) +- KNOWN_BUGS: remove 68, 70 and 72. + + Due to their age (we don't fully know if they actually remain) and lack + of detail - very few people will bother to find out what they're about + or work on them. If people truly still suffer from any of these, I + assume they will be reported again and then we'll deal with them. + + 72. "Pausing pipeline problems." + https://curl.haxx.se/mail/lib-2009-07/0214.html + + 70. Problem re-using easy handle after call to curl_multi_remove_handle + https://curl.haxx.se/mail/lib-2009-07/0249.html + + 68. "More questions about ares behavior". + https://curl.haxx.se/mail/lib-2009-08/0012.html + +- KNOWN_BUGS: remove 92 and 88, fixed + +- http2: fix connection reuse when PING comes after last DATA + + It turns out the google GFE HTTP/2 servers send a PING frame immediately + after a stream ends and its last DATA has been received by curl. So if + we don't drain that from the socket, it makes the socket readable in + subsequent checks and libcurl then (wrongly) assumes the connection is + dead when trying to reuse the connection. + + Reported-by: Joonas Kuorilehto + + Discussed in #750 + +- multi: remove trailing space in debug output + +- RELEASE-NOTES: synced with 86e97b642fb + +- CHECKSRC.md: mention cmdline options, fix the bullet list + +- docs/CHECKSRC.md: initial version + +Steve Holme (3 Apr 2016) +- checksrc.bat: Added support for the examples + +Daniel Stenberg (3 Apr 2016) +- lib/src: fix the checksrc invoke + + ... now works correctly when invoke from the root makefile + +- nw: please the stricter checksrc + +Steve Holme (3 Apr 2016) +- checksrc.bat: Re-enabled the tests directory by default + + Following the recent changes to the source in the tests directory, + re-enabled tests for the default scan. + +- checksrc.bat: Added tests/server directory support + + In addition to commit 83b174b3f0 and following the recent changes. + +- tests: Fixed header files to comply with our code style + +Daniel Stenberg (3 Apr 2016) +- make checksrc: run it in docs/examples too by default + +- docs/examples: remove spurious white spaces all over + + ... to please the new, slightly picker, checksrc.pl + +- tests: fix make checksrc in servers/ + +- tests: 'make checksrc' now checks server/ too + +- root/make: have checksrc run in include/curl too + +- tests/server: comply with our code style + +- code: style updates + +- checksrc: check for more malplaced spaces + +- unit: make unit test source code checksrc compliant + +- checksrc: run checksrc in tests when 'make checksrc' in root + +- checksrc: remove debug crap + +- lib557: allow too long lines + +- checksrc: allow ignore of specific warnings within a file (section) + +- checksrc: add warning names, explain on help output + +Steve Holme (3 Apr 2016) +- checksrc.bat: Disable tests by default until warnings are fixed + +- checksrc.bat: Added support for the tests directory + +- vauth: Removed the need for a separate GSS-API based SPN function + +- curl_sasl: Fixed potential null pointer utilisation + + Although this should never happen due to the relationship between the + 'mech' and 'resp' variables, and the way they are allocated together, + it does cause problems for code analysis tools: + + V595 The 'mech' pointer was utilized before it was verified against + nullptr. Check lines: 376, 381. curl_sasl.c 376 + + Bug: https://github.com/curl/curl/issues/745 + Reported-by: Alexis La Goutte + +- spnego: Small code tidy up + + * Prefer dereference of string pointer rather than strlen() + * Free challenge pointer in one place + * Additional comments + +- krb5: Small code tidy up + + * Prefer dereference of string pointer rather than strlen() + * Free challenge pointer in one place + * Additional comments + +- krb5_gssapi: Only process challenge when present + + This wouldn't cause a problem because of the way the function is called, + but prior to this change, we were processing the challenge message when + the credentials were NULL rather than when the challenge message was + populated. + + This also brings this part of the Kerberos 5 code in line with the + Negotiate code. + +- krb5: Fixed missing client response when mutual authentication enabled + + Although mutual authentication is currently turned off and can only be + enabled by changing libcurl source code, authentication using Kerberos + 5 has been broken since commit 79543caf90 in this use case. + +- krb5_sspi: Only process challenge when present + + This wouldn't cause a problem because of the way the function is called, + but prior to this change, we were processing the challenge message when + the credentials were NULL rather than when the challenge message was + populated. + + This also brings this part of the Kerberos 5 code in line with the + Negotiate code. + +- krb5_sspi: Only generate the output token when its not allocated + + Prior to this change, we were generating the output token when the + credentials were NULL rather than when the output token was NULL. + + This also brings this part of the Kerberos 5 code in line with the + Negotiate code. + +- krb5: Only generate a SPN when its not known + + Prior to this change, we were generating the SPN in the SSPI code when + the credentials were NULL and in the GSS-API code when the context was + empty. It is better to decouple the SPN generation from these checks + and only generate it when the SPN itself is NULL. + + This also brings this part of the Kerberos 5 code in line with the + Negotiate code. + +Daniel Stenberg (3 Apr 2016) +- tests/libtest: follow our code style guidelines better + + ... checksrc of all test code is pending. + +- checksrc.whitelist: remove fopen() uses + +- formdata: use appropriate fopen() macros + +- checksrc: improve the fopen() parser somewhat + + The quote scanner was too fragile, now look for a comma instead to find + the mode argument. + +- unit1604: fix snprintf + + follow-up to 0326b06 + + sizeof(pointer) is no good for the buffer size! + + Reported-by: Viktor Szakats + +Steve Holme (3 Apr 2016) +- unittests: Fixed compilation warnings + + warning: implicit declaration of function 'sprintf_was_used' + [-Wimplicit-function-declaration] + + Follow up to the modications made to tests/libtest in commit 55452ebdff + as we prefer not to use sprintf() now. + +Daniel Stenberg (2 Apr 2016) +- curl.1: -w filename_effective was introduced in 7.26.0 + + We never made a 7.25.1 release + +- 7.49.0: next release version + +- http2: make use of the nghttp2 error callback + + It offers extra info from nghttp2 in certain error cases. Like for + example when trying prior-knowledge http2 on a server that doesn't speak + http2 at all. The error message is passed on as a verbose message to + libcurl. + + Discussed in #722 + + The error callback was added in nghttp2 1.9.0 + +Steve Holme (2 Apr 2016) +- spnego: Renamed the context's SPN variable + + To be consistent with the Kerberos 5 context and other authentication + code. + +- krb5_gssapi: Renamed the status variables + + For consistency with the spnego code. + +- krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument + + For consistency with the spnego and oauth2 code moved the setting of + the host name outside of the Curl_auth_create_gssapi_user_messag() + function. + + This will allow us to more easily override it in the future. + +- test1119: Fixed missing CURL_DID_MEMORY_FUNC_TYPEDEFS symbol + +- RELEASE-NOTES: Removed "http_negotiate: Corrected host and proxy host name" + + As this was introduced in the recent vauth changes and not a prior + release. + +Daniel Stenberg (1 Apr 2016) +- RELEASE-NOTES: synced with 0aa8da10bbdafa + +Steve Holme (1 Apr 2016) +- http_negotiate: Corrected host and proxy host name being wrong way round + + I had accidentally used the proxy server name for the host and the host + server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst + Windows SSPI was quite happy with this, GSS-API wasn't. + + Thanks-to: Michael Osipov + +- build: Changed the Visual Studio projects warning level from 3 to 4 + + After squashing most of our compiler warnings, up'ed the default + warning level from 3 to 4 in order to increase the likelyhood of + catching future warnings. + +Daniel Stenberg (1 Apr 2016) +- [ehlertjd@gmail.com brought this change] + + IMAP: check pointer before dereferencing it + + may be null in the CURLOPT_CONNECT_ONLY case + + Fixes #747 + +Steve Holme (1 Apr 2016) +- .gitignore: Added new VC14 SQLite based program database files + +- curl_memory.h: Fixed typo in comment + + From commit 7218b52c49. + +- spnego: Corrected some typos in comments + + Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9. + +- memdebug: Ensure curl/curl.h is included before curl_memory.h + + Follow up to commit 7db9782dd6. + +Daniel Stenberg (1 Apr 2016) +- upload: missing rewind call could make libcurl hang + + When an upload is done, there are two places where that can be detected + and only one of them would rewind the input stream - which sometimes is + necessary for example when doing NTLM HTTP POSTs and more. + + This could then end up libcurl hanging. + + Figured-out-by: Isaac Boukris + Reported-by: Anatol Belski + + Fixes #741 + +- curl.h: define CURL_DID_MEMORY_FUNC_TYPEDEFS + + So that we only do the extra typedefs in curl_memory.h when we really + need to and avoid double typedefs. + + follow-up commit to 7218b52c49aeb1 + + Thanks-to: Steve Holme + +- curl/mprintf.h: remove support for _MPRINTF_REPLACE + + The define is not in our name space and is therefore not protected by + our API promises. + + It was only really used by libcurl internals but was mostly erased from + there already in 8aabbf5 (March 2015). This is supposedly the final + death blow to that define from everywhere. + + As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I + made the lib tests in tests/libtest/ use curl_printf.h for its redefine + magic and then subsequently the use of sprintf() got banned in the tests + as well (as it is in libcurl internals) and I then replaced them all + with snprintf(). + + In the unlikely event that any users is actually using this define and + gets sad by this change, it is very easily copied to the user's own + code. + +- curl_memory.h: avoid the curl/curl.h include + + Discussed in #743 + +Steve Holme (1 Apr 2016) +- url: Corrected get protocol family for FTP and LDAP + + Fixed copy/paste error from commit a5aec58726. + +Jay Satiro (31 Mar 2016) +- strerror: don't bit shift a signed integer + + Bug: https://github.com/curl/curl/issues/744 + Reported-by: Alexis La Goutte + +Daniel Stenberg (31 Mar 2016) +- http2: more documentation for prior knowledge + +- [Diego Bes brought this change] + + http2: support "prior knowledge", no upgrade from HTTP/1.1 + + Supports HTTP/2 over clear TCP + + - Optimize switching to HTTP/2 by removing calls to init and setup + before switching. Switching will eventually call setup and setup calls + init. + + - Supports new version to “force” the use of HTTP/2 over clean TCP + + - Add common line parameter “--http2-prior-knowledge” to the Curl + command line tool. + +- imap: remove duplicated function + + The list and search response functions were identical! Merged into one + now. Detected by PVS Studio. + + Reported-by: Alexis La Goutte + +- SOCKS5_gssapi_negotiate: don't assume little-endian ints + + The code copied one byte from a 32bit integer, which works fine as long + as the byte order is the same. Not a fine assumption. Reported by PVS + Studio. + + Reported-by: Alexis La Goutte + +- http: remove ((expression)) double parentheses + +- Curl_add_buffer_send: avoid possible NULL dereference + + ... as we check for a NULL pointer below, we move the derefence to after + the check. Detected by PVS Studio. + + Reported-by: Alexis La Goutte + +- file: remove duplicate checks of the same variable + + ... as it doesn't change in between. Deteced by PVS Studio. + + Reported-by: Alexis La Goutte + +Steve Holme (30 Mar 2016) +- [Marcel Raad brought this change] + + openssl: Fix compilation warnings + + When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE + && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++ + 14 complains: + + warning C4701: potentially uninitialized local variable 'palg' used + warning C4701: potentially uninitialized local variable 'psig' used + +Daniel Stenberg (30 Mar 2016) +- multi: turn Curl_done into file local multi_done + + ... as it now is used by multi.c only. + +- multi: multi_reconnect_request is the former Curl_reconnect_request + + now a file local function in multi.c + +- multi: move Curl_do and Curl_do_done to multi.c and make static + + ... called multi_do and multi_do_done as they're file local now. + +Jay Satiro (29 Mar 2016) +- wolfssl: Use ECC supported curves extension + + https://github.com/wolfSSL/wolfssl/issues/366 + +- build-wolfssl: Allow a broader range of ciphers (Visual Studio) + + This is an update to the build-time options used to build wolfSSL in + Visual Studio for greater compatibility, and make it behave similar to + the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers + and SSLv3 are disabled by default at build time, but we can use both. + + - Enable static cipher suites TLS_ECDH_ and TLS_RSA_. + + - Enable SSLv3 hello. Though in libcurl we disable it by default at + runtime, we make it available so the user can manually select it if + necessary. + +Daniel Stenberg (29 Mar 2016) +- [Isaac Boukris brought this change] + + GSS: make Curl_gss_log_error more verbose + + Also display the GSS_C_GSS_CODE (major code) when specified instead of + only GSS_C_MECH_CODE (minor code). + + In addition, the old code was printing a colon twice after the prefix + and also miscalculated the length of the buffer in between calls to + gss_display_status (the length of ": " was missing). + + Also, gss_buffer is not guaranteed to be NULL terminated and thus need + to restrict reading by its length. + + Closes #738 + +- build: use roffit 0.11 feature + + ... load file specified as argument. + +- http2: set correct scheme in handler structs [regression] + + Since commit a5aec58 the handler schemes need to match for the + connections to be reused and for HTTP/2 multiplexing to work, reusing + connections is very important! + + Closes #736 + +- hostip.c: minor white space edit for style + +- [Viktor Szakats brought this change] + + TODO: use secure protocol in recently added URL + + Closes #733 + +- HTTP2.md: mention libressl and boringssl too + +- docs/HTTP-COOKIES: converted to markdown + +- HTTP2: s/polarssl/mbedtls + +Jay Satiro (28 Mar 2016) +- wolfssl: Add ALPN support + +- tool_operate: remove mixed declaration + + This is a follow up to the previous commit. + +Daniel Stenberg (28 Mar 2016) +- curl: warn for --capath use if not supported by libcurl + + Closes #492 + +- TODO: 2.5 Edge-triggered sockets should work + +- Makefile.am: skip the scripts dir + + Skipping the scripts dir is primarily done for 'make install' so that it + does not attempt to install the zsh completion script as we've not yet + found a proper way to do/run that at install time. + + By leaving the script dir's Makefile in place, a user can still opt to + run make install manually in there. + + Closes #620 + +- CURLMOPT_SOCKETFUNCTION.3: describe the 'what' argument + +- curl_multi_socket_action.3: mark the options properly + + ... to make them appear as links on the html version. + +Steve Holme (27 Mar 2016) +- RELEASE-NOTES: Synced with f0bdd72c10 + +- http_ntlm: Renamed from curl_ntlm.[c|h] + + Renamed the header and source files for this module as they are HTTP + specific and as such, they should use the naming convention as other + HTTP authentication source files do - this revert commit 260ee6b7bf. + + Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind + code needs separating from the HTTP protocol and migrating into the + vauth directory, thus adding support for Winbind to the SASL based + protocols such as IMAP, POP3 and SMTP. + +Daniel Stenberg (27 Mar 2016) +- [marquis-de-muesli brought this change] + + docs: curlinfo_filetime sftp support, new curlopt_quote "statvfs" + + Closes #677 + +- [marquis-de-muesli brought this change] + + SSH: new CURLOPT_QUOTE command "statvfs" + + usage: "statvfs path" + returns remote file system statistics + +- [marquis-de-muesli brought this change] + + SSH: support CURLINFO_FILETIME + +- [Karlson2k brought this change] + + sshserver.pl: use quotes for given options + + Fixed failed redirection of stderr with some options. At least on Msys2, + perl fails to redirect stderr if $value contains newline or other weird + characters. + +Jay Satiro (26 Mar 2016) +- url: don't use bad offset in tld_check_name to show error + + libidn's tld_check_lz returns an error offset of the first character + that it failed to process, however that offset is not a byte offset and + may not even be in the locale encoding therefore we can't use it to show + the user the character that failed to process. + + Bug: https://github.com/curl/curl/issues/731 + Reported-by: Karlson2k + +Steve Holme (26 Mar 2016) +- http_negotiate: Combine GSS-API and SSPI source files + + As the GSS-API and SSPI based source files are no longer library/API + specific, following the extraction of that authentication code to the + vauth directory, combine these files rather than maintain two separate + versions. + +- vauth: Moved the Negotiate authentication code to the new vauth directory + + Part 2 of 2 - Moved the GSS-API based Negotiate authentication code. + +- vauth: Moved the Negotiate authentication code to the new vauth directory + + Part 1 of 2 - Moved the SSPI based Negotiate authentication code. + +- warnless.h: Removed spurious character from commit 696bc6b9c9 + + Not picked up by checksrc or Visual Studio but my own code review, this + would haven broken Intel based Unix builds - Perhaps I should learn to + type on my laptop's keyboard before committing! + +- schannel: Fixed compilation warning from commit f8d88a4913 + + warning C4244: '=': conversion from 'int' to 'unsigned short', possible + loss of data + +- warnless?: Added some integer based conversion functions + +Daniel Stenberg (25 Mar 2016) +- [Dusty Mabe brought this change] + + docs/TODO: Add feature request for metalink in HTTP headers + + Closes #729 + Closes #728 + +Steve Holme (25 Mar 2016) +- build: Corrected typos from commit 70e56939aa + +- vauth: Refactored function names after move to new vauth directory + + Renamed all the SASL functions that moved to the new vauth directory to + include the correct module name. + +- vauth: Updated the copyright year after recent changes + + As most of this work was performed in 2015 but not pushed until 2016 + updated the copyright year to reflect the public facing changes. + +- vauth: Moved the OAuth 2.0 authentication code to the new vauth directory + +- vauth: Moved the NTLM authentication code to the new vauth directory + +- vauth: Moved the Kerberos V5 authentication code to the new vauth directory + +- digest.c: Fixed checksrc warnings + +- vauth: Moved the DIGEST authentication code to the new vauth directory + +- vauth: Moved the CRAM-MD5 authentication code to the new vauth directory + +- vauth: Moved the ClearText authentication code to the new vauth directory + +- vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files + +- checksrc.bat: Added support for checking the new vauth directory + +- build: Updated all makefiles and project files for the new vauth directory + + Updated the makefiles and Visual Studio project files to support moving + the authentication code to the new lib/vauth directory that was started + in commit 0d04e859e1. + +Daniel Stenberg (24 Mar 2016) +- [JDepooter brought this change] + + schannel: Add ALPN support + + Add ALPN support for schannel. This allows cURL to negotiate + HTTP/2.0 connections when built with schannel. + + Closes #724 + +Steve Holme (24 Mar 2016) +- http: Minor update based on CODE_STYLE guidelines + +Daniel Stenberg (23 Mar 2016) +- multi: fix "Operation timed out after" timer + + Use the local, reasonably updated, 'now' value when creating the message + string to output for the timeout condition. + + Fixes #619 + +- openssl: boringssl provides the same numbering as openssl + + ... so we don't need extra boringssl precautions for for + HAVE_ERR_REMOVE_THREAD_STATE_NOARG. + + Pointed-out-by: David Benjamin + +- openssl: fix ERR_remove_thread_state() for boringssl/libressl + + The removed arg is only done in OpenSSL + + Bug: https://twitter.com/xtraemeat/status/712564874098917376 + +- bump: work on 7.48.1 + +- RELEASE-PROCEDURE: mention the github release tag edit + + ... and update the coming release dates a bit + +Steve Holme (23 Mar 2016) +- checksrc.bat: Updated the help to be consistent with generate.bat + + Follow up to commit a8c7f0fcbf prior to release. + Version 7.48.0 (23 Mar 2016) Daniel Stenberg (23 Mar 2016) @@ -2298,3178 +5686,3 @@ Steve Holme (9 Nov 2015) When referring to OAuth 2.0 we should use the official name rather the SASL mechanism name. - -Daniel Stenberg (9 Nov 2015) -- imap: avoid freeing constant string - - The fix in 1a614c6c3 was wrong and would leed to free() of a fixed - string. - - Pointed-out-by: Kamil Dudka - -- ROADMAP: remove two items already done - -- RELEASE-NOTES: synced with 2200bf62054 - -Jay Satiro (9 Nov 2015) -- acinclude: Remove check for 16-bit curl_off_t - - Because it's illogical to check for a 16-bit curl_off_t. - - Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205 - -Dan Fandrich (8 Nov 2015) -- tool: Fixed a memory leak on OOM introduced in 19cb0c4a - -Steve Holme (8 Nov 2015) -- [Justin Ehlert brought this change] - - imap: Don't check for continuation when executing a CUSTOMREQUEST - - Bug: https://github.com/bagder/curl/issues/486 - Closes https://github.com/bagder/curl/pull/487 - -Daniel Stenberg (7 Nov 2015) -- imap: checksrc: remove space after while before paren - -- checksrc.whitelist: "missing space after close paren" - - ... when it was within a string! - -Steve Holme (7 Nov 2015) -- opts: Corrected TLS protocols list to include POP3S rather than POP3 - -- imap: Quote other 'atom-specials' and not just the space character - - Closes #517 - -- imap: Fixed double quote in LIST command when mailbox contains spaces - -Daniel Stenberg (6 Nov 2015) -- imap: fix compiler warning - - imap.c:657:13: error: assignment discards 'const' qualifier from pointer - target type [-Werror=discarded-qualifiers] - -Steve Holme (6 Nov 2015) -- imap: Don't call imap_atom() when no mailbox specified in LIST command - -Daniel Stenberg (6 Nov 2015) -- curl.1: remove the overlap --range example - - ... it is just weird to include by default even if it still works. - -- tftp tests: verify sent options too - - The tftpd test server now logs all received options and thus all TFTP - test cases need to match them exactly. - - Extended test 283 to use and verify --tftp-blksize. - -Jay Satiro (6 Nov 2015) -- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value - - - Set user info param to the socket returned by Curl_getconnectinfo, - regardless of if the socket is bad. Effectively this means the user info - param now will receive CURL_SOCKET_BAD instead of -1 on bad socket. - - - Remove incorrect comments. - - CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user - info param but prior to this change it wrote -1. - - Bug: https://github.com/bagder/curl/pull/518 - Reported-by: Marcel Raad - -Patrick Monnerat (5 Nov 2015) -- curl_ntlm_core: fix 2 curl_off_t constant overflows. - -- os400: adjust specific code to support new options. - -Daniel Stenberg (2 Nov 2015) -- [Lauri Kasanen brought this change] - - rawstr: Speed up Curl_raw_toupper by 40% - - Rationale: when starting up a curl-using app, all cookies from the jar - are checked against each other. This was causing a startup delay in the - Fifth browser. - - All tests pass. - - Signed-off-by: Lauri Kasanen <cand@gmx.com> - -- http redirects: %-encode bytes outside of ascii range - - Apparently there are sites out there that do redirects to URLs they - provide in plain UTF-8 or similar. Browsers and wget %-encode such - headers when doing a subsequent request. Now libcurl does too. - - Added test 1138 to verify. - - Closes #473 - -- RELEASE-NOTES: synced with cba5bc585410 - -- symbols-in-version: add all CURL_HTTPPOST_* symbols - -- formadd: support >2GB files on windows - - Closes #425 - -- curl.h: s/HTTPPOST_/CURL_HTTPOST_ - - Fixes a name space pollution at the cost of programs using one of these - defines will no longer compile. However, the vast majority of libcurl - programs that do multipart formposts use curl_formadd() to build this - list. - - Closes #506 - -- mbedtls: fix "Structurally dead code" - - CID 1332129 - -- mbedtls: fix "Logically dead code" - - CID 1332128 - -- Revert "openssl: engine: remove double-free" - - This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd. - - Issue #509 has all the details but it was confirmed that the crash was - not due to this, so the previous commit was wrong. - -- curl.1: -E: s/private certificate/client certificate - - ... as the certificate is strictly speaking not private. - - Reported-by: John Levon - -- openssl: engine: remove double-free - - After a successful call to SSL_CTX_use_PrivateKey(), we must not call - EVP_PKEY_free() on the key. - - Reported-by: nased0 - Closes #509 - -Jay Satiro (27 Oct 2015) -- socks: Fix incorrect port numbers in failed connect messages - -Daniel Stenberg (26 Oct 2015) -- DISTRO-DILEMMA: removed - - Out of date and not kept accurate. It was sort of a problem of the past - anyway. - -- [xiangbin li brought this change] - - MacOSX-Framework: sdk regex fix for sdk 10.10 and later - - closes #507 - -Jay Satiro (24 Oct 2015) -- build: Fix support for PKG_CONFIG - - - Allow the user to use PKG_CONFIG but not PKGCONFIG. - - Background: - - Last week in 14d5a86 a change was made to allow the user to set the - PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the - more common PKG_CONFIG as an alternative if PKGCONFIG is not set. - - Neither of those changes worked as expected because PKGCONFIG is - occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro. - Instead in this commit I take the approach that the user may set - PKG_CONFIG only. - -- build: Fix mingw ssl gdi32 order - - - If mingw ssl make sure -lgdi32 comes after ssl libs - - - Allow PKG_CONFIG to set pkg-config location and options - - Bug: https://github.com/bagder/curl/pull/501 - Reported-by: Kang Lin - -Daniel Stenberg (23 Oct 2015) -- RELEASE-NOTES: synced with 03b6e078163f - -- polarssl/mbedtls: fix name space pollution - - Global private symbols MUST start with Curl_! - -- [Dmitry S. Baikov brought this change] - - mbedTLS: THREADING_SUPPORT compilation fix - - Closes #505 - -- test1137: verify --ignore-content-length for FTP - -- curl.1: --ignore-content-length now works for FTP too - -- [Kurt Fankhauser brought this change] - - ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size - - This allows FTP transfers with growing (or shrinking) files without - causing a transfer error. - - Closes #480 - -- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too - - ... and add a little example of what the weight actually means. "Relative - proportion of bandwidth". - -- http2: add stream options to dist and curl_easy_setopt.3 - -- http2: s/priority/weight - -- http2: on_frame_recv: trust the conn/data input - - Removed wrong assert()s - - The 'conn' passed in as userdata can be used and there can be other - sessionhandles ('data') than the single one this checked for. - -- http2: added three stream prio/deps options - - CURLOPT_STREAM_DEPENDS - - CURLOPT_STREAM_DEPENDS_E - - CURLOPT_STREAM_PRIORITY - -- RELEASE-NOTES: synced with ace68fdc0cfed83d - -- [m-gardet brought this change] - - mbedtls:new profile with RSA min key len = 1024. - - Closes #502 - -- checksrc: add crude // detection - -Jay Satiro (21 Oct 2015) -- [Gisle Vanem brought this change] - - build: fix for MSDOS/djgpp - - - Add a VPATH-statement for the vtls/*.c files. - - - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS). - -Daniel Stenberg (20 Oct 2015) -- copyrights: update Gisle Vanem's email - -- vtls: fix compiler warning for TLS backends without sha256 - - ... noticed with mbedTLS. - -- [Jonas Minnberg brought this change] - - vtls: added support for mbedTLS - - closes #496 - -Jay Satiro (19 Oct 2015) -- [Javier G. Sogo brought this change] - - cmake: Fix for add_subdirectory(curl) use-case - - - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR. - - When including CURL using add_subdirectory the variables - CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths. - - Closes https://github.com/bagder/curl/pull/488 - Closes https://github.com/bagder/curl/pull/498 - -Daniel Stenberg (18 Oct 2015) -- RELEASE-NOTES: synced with 4c773bcb474e - -- tests/FILEFORMAT: mention PSL as a valid feture to check for - - For example in test 1136 - -- teste1136: only run when PSL is enabled - -- curl: slist_wc: remove curl_memory.h inclusion - - ... that's for the library only. - -- configure: add PSL to the list of features - - ... to make test 1014 work again after e77b5b7453. - -- [Daniel Hwang brought this change] - - tool: Generate easysrc with last cache linked-list - - Using a last cache linked-list improves the performance of easysrc - generation. - - Bug: https://github.com/bagder/curl/issues/444 - Ref: https://github.com/bagder/curl/issues/429 - - Closes #452 - -- [Tim Rühsen brought this change] - - cookies: Add support for Mozilla's Publix Suffix List - - Use libpsl to check the domain value of Set-Cookie headers (and cookie - jar entries) for not being a Publix Suffix. - - The configure script checks for "libpsl" by default. Disable the check - with --without-libpsl. - - Ref: https://publicsuffix.org/ - Ref: https://github.com/publicsuffix/list - Ref: https://github.com/rockdaboot/libpsl - -- [Richard Hosking brought this change] - - curlbuild.h: Fix non-configure compiling to mips and sh4 targets - -- [Anders Bakken brought this change] - - http2: Don't pass unitialized name+len pairs to nghttp2_submit_request - - bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96. - - Closes #493 - -Dan Fandrich (16 Oct 2015) -- test1601: fix compilation with --enable-debug and --disable-crypto-auth - -Daniel Stenberg (16 Oct 2015) -- multi: fix off-by-one finit[] array size - - introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it - must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST - is 19 right now. - - Reported-by: Dan Fandrich - Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html - -- fread_func: move callback pointer from set to state struct - - ... and assign it from the set.fread_func_set pointer in the - Curl_init_CONNECT function. This A) avoids that we have code that - assigns fields in the 'set' struct (which we always knew was bad) and - more importantly B) it makes it impossibly to accidentally leave the - wrong value for when the handle is re-used etc. - - Introducing a state-init functionality in multi.c, so that we can set a - specific function to get called when we enter a state. The - Curl_init_CONNECT is thus called when switching to the CONNECT state. - - Bug: https://github.com/bagder/curl/issues/346 - - Closes #346 - -Dan Fandrich (14 Oct 2015) -- test1531: case the size to fix the test on non-largefile builds - -Daniel Stenberg (13 Oct 2015) -- acinclude: remove PKGCONFIG override - - ... and allow it to get set by a caller easier. - - Reported-by: Rainer Jung - Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html - -Dan Fandrich (12 Oct 2015) -- docs/INSTALL: Updated example minimal binary sizes - -Daniel Stenberg (11 Oct 2015) -- [Erik Johansson brought this change] - - openssl: Fix set up of pkcs12 certificate verification chain - - sk_X509_pop will decrease the size of the stack which means that the loop would - end after having added only half of the certificates. - - Also make sure that the X509 certificate is freed in case - SSL_CTX_add_extra_chain_cert fails. - -- ntlm: error out without 64bit support as the code needs it - - It makes it a clearer message for developers reaching that point without - the necessary support. - - Thanks-by: Jay Satiro - - Closes #78 - -- curl_global_init: set the memory function pointers correct - - follow-up from 6f8ecea0 - -- curl_global_init_mem: set function pointers before doing init - - ... as in the polarssl TLS backend for example it uses memory functions. - -Jay Satiro (9 Oct 2015) -- http2: Fix http2_recv to return -1 if recv returned -1 - - If the underlying recv called by http2_recv returns -1 then that is the - value http2_recv returns to the caller. - -Daniel Stenberg (8 Oct 2015) -- [Svyatoslav Mishyn brought this change] - - curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET - - Closes #479 - -- [Svyatoslav Mishyn brought this change] - - curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET - -- [Svyatoslav Mishyn brought this change] - - CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET - -- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO - -- ntlm: get rid of unconditional use of long long - - ... since some compilers don't have it and instead use other types, such - as __int64. - - Reported by: gkinseyhpw - Closes #478 - -Jay Satiro (8 Oct 2015) -- [Anders Bakken brought this change] - - des: Fix header conditional for Curl_des_set_odd_parity - - Follow up to 613e502. - -Daniel Stenberg (7 Oct 2015) -- configure: build silently by default - - 'make V=1' will make the build verbose like before - -- bump: start climbing toward 7.46.0 - -- RELEASE-PROCEDURE: add the github HTTPS download step - -Version 7.45.0 (7 Oct 2015) - -Daniel Stenberg (7 Oct 2015) -- THANKS: 19 new contributors from the 7.45.0 announcement - -- RELEASE-NOTES: synced with 69ea57970080 - -Jay Satiro (4 Oct 2015) -- getinfo: Fix return code for unknown CURLINFO options - - - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION. - - Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on - unknown. That return value is contradicted by the CURLINFO option - documentation which specifies a return of CURLE_UNKNOWN_OPTION on - unknown. - -- [rouzier brought this change] - - hiperfifo: fix the pointer passed to WRITEDATA - - Closes https://github.com/bagder/curl/pull/471 - -- [Maksim Stsepanenka brought this change] - - tool_setopt: fix c_escape truncated octal - - Closes https://github.com/bagder/curl/pull/469 - -Daniel Stenberg (1 Oct 2015) -- [Orange Tsai brought this change] - - gopher: don't send NUL byte - - Closes #466 - -Jay Satiro (29 Sep 2015) -- runtests: Fix pid check in checkdied - - Because the 'not' operator has a very low precedence and as a result the - entire statement was erroneously negated and could never be true. - -Daniel Stenberg (30 Sep 2015) -- [Thorsten Schöning brought this change] - - win32: make recent Borland compilers use long long - -- RELEASE-NOTES: synced with 69b89050d4 - -Jay Satiro (28 Sep 2015) -- [Michael Kalinin brought this change] - - openssl: Fix algorithm init - - - Change algorithm init to happen after OpenSSL config load. - - Additional algorithms may be available due to the user's config so we - initialize the algorithms after the user's config is loaded. - - Bug: https://github.com/bagder/curl/issues/447 - Reported-by: Denis Feklushkin - -- [Svyatoslav Mishyn brought this change] - - docs: fix unescaped '\n' in man pages - - Closes https://github.com/bagder/curl/pull/459 - -Daniel Stenberg (27 Sep 2015) -- http2: set TCP_NODELAY unconditionally - - For a single-stream download from localhost, we managed to increase - transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of - this single fix. - -- http2: avoid superfluous Curl_expire() calls - - ... only call it when there is data arriving for another handle than the - one that is currently driving it. - - Improves single-stream download performance quite a lot. - - Thanks-to: Tatsuhiro Tsujikawa - Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html - -- readwrite_data: set a max number of loops - - ... as otherwise a really fast pipe can "lock" one transfer for some - protocols, like with HTTP/2. - -- [Sergei Nikulov brought this change] - - CI: Added AppVeyor-CI for curl - - Closes #439 - -- FTP: fix uploading ASCII with unknown size - - ... don't try to increase the supposed file size on newlines if we don't - know what file size it is! - - Patch-by: lzsiga - -- [Tatsuhiro Tsujikawa brought this change] - - build: fix failures with -Wcast-align and -Werror - - Closes #457 - -- [Tatsuhiro Tsujikawa brought this change] - - curl-confopts.m4: Add missing ')' - - ... for CURL_CHECK_OPTION_RT - - Closes #456 - -Jay Satiro (25 Sep 2015) -- curl_easy_getinfo.3: Add brief description for each CURLINFO - -Daniel Stenberg (23 Sep 2015) -- [Jakub Zakrzewski brought this change] - - CMake: Ensure discovered include dirs are considered - - ...during header checks. Otherwise some following header tests - (incorrectly) fail. - - Closes #436 - -- [Jakub Zakrzewski brought this change] - - CMake: Put "winsock2.h" before "windows.h" during configure checks - - "windows.h" includes "winsock.h" what causes many redefinition errors - if "winsock2.h" is included afterwards and can cause build to fail. - -- tests: disable 1510 due to CI-problems on github - -- [Mike Crowe brought this change] - - gnutls: Report actual GnuTLS error message for certificate errors - - If GnuTLS fails to read the certificate then include whatever reason it - provides in the failure message reported to the client. - - Signed-off-by: Mike Crowe <mac@mcrowe.com> - -- RELEASE-NOTES: synced with 6b56901b56e - -- [Mike Crowe brought this change] - - gnutls: Support CURLOPT_KEYPASSWD - - The gnutls vtls back-end was previously ignoring any password set via - CURLOPT_KEYPASSWD. Presumably this was because - gnutls_certificate_set_x509_key_file did not support encrypted keys. - - gnutls now has a gnutls_certificate_set_x509_key_file2 function that - does support encrypted keys. Let's determine at compile time whether the - available gnutls supports this new function. If it does then use it to - pass the password. If it does not then emit a helpful diagnostic if a - password is set. This is preferable to the previous behaviour of just - failing to read the certificate without giving a reason in that case. - - Signed-off-by: Mike Crowe <mac@mcrowe.com> - -- CURLINFO_TLS_SESSION: always return backend info - - ... even for those that don't support providing anything in the - 'internals' struct member since it offers a convenient way for - applications to figure this out. - -- [Daniel Hwang brought this change] - - tool: remove redundant libcurl check - - The easysrc generation is run only when --libcurl is initialized. - - Ref: https://github.com/bagder/curl/issues/429 - - Closes #448 - -- [Richard van den Berg brought this change] - - CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment - - Closes #449 - -- TODO: 5.7 More compressions - - Like for example brotli, as being implemented in Firefox now. - -Jay Satiro (21 Sep 2015) -- tool_operate: Don't call easysrc cleanup unless --libcurl - - - Review of 4d95491. - - The author changed it so easysrc only initializes when --libcurl but did - not do the same for the call to easysrc cleanup. - - Ref: https://github.com/bagder/curl/issues/429 - -Daniel Stenberg (20 Sep 2015) -- [Viktor Szakats brought this change] - - CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com - - closes #443 - -- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL" - - Closes #334 - -- KNOWN_BUGS: add link to #85 - -- tests: disable 1801 until fixed - - It is unreliable and causes CI problems on github - - Closes #380 - -- RELEASE-NOTES: synced with 4d95491636ee - -- [Daniel Lee Hwang brought this change] - - tool: generate easysrc only on --libcurl - - Code should only be generated when --libcurl is used. - - Bug: https://github.com/bagder/curl/issues/429 - Reported-by: @greafhe, Jay Satiro - - Closes #429 - Closes #442 - -Jay Satiro (19 Sep 2015) -- vtls: Change designator name for server's pubkey hash - - - Change the designator name we use to show the base64 encoded sha256 - hash of the server's public key from 'pinnedpubkey' to - 'public key hash'. - - Though the server's public key hash is only shown when comparing pinned - public key hashes, the server's hash may not match one of the pinned. - -Daniel Stenberg (19 Sep 2015) -- [Isaac Boukris brought this change] - - NTLM: Reset auth-done when using a fresh connection - - With NTLM a new connection will always require authentication. - Fixes #435 - -- [Daniel Hwang brought this change] - - ssl: add server cert's "sha256//" hash to verbose - - Add a "pinnedpubkey" section to the "Server Certificate" verbose - - Bug: https://github.com/bagder/curl/issues/410 - Reported-by: W. Mark Kubacki - - Closes #430 - Closes #410 - -- [Jakub Zakrzewski brought this change] - - openldap: only part of LDAP query results received - - Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f - - Closes #440 - -- [Alessandro Ghedini brought this change] - - openssl: don't output certinfo data - -- [Alessandro Ghedini brought this change] - - openssl: refactor certificate parsing to use OpenSSL memory BIO - - Fixes #427 - -Kamil Dudka (18 Sep 2015) -- nss: prevent NSS from incorrectly re-using a session - - Without this workaround, NSS re-uses a session cache entry despite the - server name does not match. This causes SNI host name to differ from - the actual host name. Consequently, certain servers (e.g. github.com) - respond by 400 to such requests. - - Bug: https://bugzilla.mozilla.org/1202264 - -- nss: check return values of NSS functions - -Daniel Stenberg (17 Sep 2015) -- CURLOPT_PINNEDPUBLICKEY.3: mention error code - -- openssl: build with < 0.9.8 - - ... without sha256 support and no define saying so. - - Reported-by: Rajkumar Mandal - -- libcurl-errors.3: add two missing error codes - - CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS - -Jay Satiro (14 Sep 2015) -- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example - - - Show how a certificate can be obtained using OpenSSL. - - Bug: https://github.com/bagder/curl/pull/430 - Reported-by: Daniel Hwang - -Daniel Stenberg (13 Sep 2015) -- http2: removed unused function - -- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET - -- opts: add CURLINFO_* man pages to dist - -- opts: 19 more CURLINFO_* options made into stand-alone man pages - -- RELEASE-NOTES: synced with fad9604613 - -- curl: customrequest_helper: deal with NULL custom method - -- [Svyatoslav Mishyn brought this change] - - CURLOPT_FNMATCH_FUNCTION.3: fix typo - - s => is - - Closes #428 - -- curl: point out unnecessary uses of -X in verbose mode - - It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take - down the tone a bit. - - It adds a warning for using -XHEAD on other methods becasue that may - lead to a hanging connection. - -Jay Satiro (10 Sep 2015) -- curl_sspi: fix possibly undefined CRYPT_E_REVOKED - - Bug: https://github.com/bagder/curl/pull/411 - Reported-by: Viktor Szakats - -- buildconf.bat: fix syntax error - -- [Benjamin Kircher brought this change] - - winbuild: run buildconf.bat if necessary - -- [Svyatoslav Mishyn brought this change] - - docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_* - - long => double - -Daniel Stenberg (8 Sep 2015) -- [Sergei Nikulov brought this change] - - cmake: IPv6 : disable Unix header check on Windows platform - - Closes #409 - -- parse_proxy: reject illegal port numbers - - If the port number in the proxy string ended weirdly or the number is - too large, skip it. Mostly as a means to bail out early if a "bare" IPv6 - numerical address is used without enclosing brackets. - - Also mention the bracket requirement for IPv6 numerical addresses to the - man page for CURLOPT_PROXY. - - Closes #415 - - Reported-by: Marcel Raad - -- FTP: do_more: add check for wait_data_conn in upload case - - In some timing-dependnt cases when a 4xx response immediately followed - after a 150 when a STOR was issued, this function would wrongly return - 'complete == true' while 'wait_data_conn' was still set. - - Closes #405 - - Reported-by: Patricia Muscalu - -- [Svyatoslav Mishyn brought this change] - - CURLOPT_TLSAUTH_TYPE.3: update description - - Closes #414 - Closes #413 - -- [Svyatoslav Mishyn brought this change] - - CURLOPT_PATH_AS_IS.3: fix typo - - leavit => leaveit - - closes #412 - -- [Svyatoslav Mishyn brought this change] - - CURLINFO_SSL_VERIFYRESULT.3: add short description - -- [Svyatoslav Mishyn brought this change] - - CURLINFO_SSL_ENGINES.3: add short description - -- [Svyatoslav Mishyn brought this change] - - CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency - -- [Svyatoslav Mishyn brought this change] - - CURLINFO_REDIRECT_TIME.3: remove redundant '!' - -Kamil Dudka (4 Sep 2015) -- Revert "has: generate the curl/has.h header" - - This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have - pushed by mistake. Apologies for my incompetent use of the git repo! - -- nss: do not directly access SSL_ImplementedCiphers[] - - It causes dynamic linking issues at run-time after an update of NSS. - - Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html - -- [Daniel Stenberg brought this change] - - has: generate the curl/has.h header - - changed macro name, moved and renamed script to become docs/libcurl/has.pl, - generate code that is checksrc compliant - -Daniel Stenberg (3 Sep 2015) -- gitignore: ignore more generated VC Makefiles - -- projects/Windows/.gitignore: ignore generated files for release - -- http2: don't pass on Connection: headers - - RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an - HTTP/2 message containing connection-specific header fields; any message - containing connection-specific header fields MUST be treated as - malformed" - - Closes #401 - -- curl.1: update RFC references - -- CURLOPT_POSTREDIR.3: update RFC number and section - -- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects - - and some general cleaning up - -- [Marcel Raad brought this change] - - inet_pton.c: Fix MSVC run-time check failure (2) - - This fixes another run-time check failure because of a narrowing cast on - Visual C++. - - Closes #408 - -Jay Satiro (3 Sep 2015) -- docs: Warn about any-domain cookies and multiple transfers - - - Warn that cookies without a domain are sent to any domain: - CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie - - - Note that imported Set-Cookie cookies without a domain are no longer - exported: - CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar - -Steve Holme (2 Sep 2015) -- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3 - - tool_sdecls.h:139 warning: comma at end of enumerator list - -Daniel Stenberg (2 Sep 2015) -- opts: 8 more CURLINFO* options as stand-alone man pages - -- RELEASE-NOTES: synced with c764cb4add1a8 - -- man-pages: more SEE ALSO links - -- opts: more CURLINFO_* options as stand-alone man pages - -Steve Holme (31 Aug 2015) -- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled - - Introduced in commit 59f3f92ba6 this function is only implemented when - CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define - the function in the header file either. - -- sasl: Updated SPN variables and comments for consistency - - In places the "host name" and "realm" variable was referred to as - "instance" whilst in others it was referred to as "host". - -Daniel Stenberg (30 Aug 2015) -- configure: check for HMAC_Update in openssl - - Turns out HMAC_Init is now deprecated in openssl master (and I spelled - HMAC_Init_ex wrong in previous commit) - -Steve Holme (30 Aug 2015) -- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default - - Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native - Windows builds don't use the autoconf tools. - -- des: Fixed compilation warning from commit 613e5022fe - - curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined; - assuming extern returning int - -- buildconf.bat: Fixed double blank line in 'curl manual' warning output - -- makefiles: Added our standard copyright header - - But kept the original author, when they were specified in a comment, as - the initial copyright holder. - -Jay Satiro (29 Aug 2015) -- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now - -Daniel Stenberg (29 Aug 2015) -- CURLINFO_RESPONSE_CODE.3: added short description - -- opts: 7 initial CURLINFO_* options as stand-alone man pages - -- [Nikolai Kondrashov brought this change] - - libcurl.m4: Put braces around empty if body - - Put braces around empty "if" body in libcurl.m4 check to avoid warning: - - suggest braces around empty body in an 'if' statement - - and make it work with -Werror builds. - - Closes #402 - -- [Svyatoslav Mishyn brought this change] - - curl_easy_escape.3: escape '\n' - - Closes #398 - -- [Svyatoslav Mishyn brought this change] - - curl_easy_{escape,setopt}.3: fix example - - remove redundant '}' - -- [Sergei Nikulov brought this change] - - cmake: added Windows SSL support - - Closes #399 - -- curl: point out the conflicting HTTP methods if used - - It isn't always clear to the user which options that cause the HTTP - methods to conflict so by spelling them out it should hopefully be - easier to understand why curl complains. - -- curl: clarify that users can only specify one _METHOD_ - -- [Svyatoslav Mishyn brought this change] - - curl_easy_{escape,unescape}.3: "char *" vs. "const char *" - - Closes #395 - -Patrick Monnerat (24 Aug 2015) -- os400: include new options in wrappers and update ILE/RPG binding. - -Daniel Stenberg (24 Aug 2015) -- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug - - ... since HTTP is forbidden to return any such. - -- KNOWN_BUGS: #78 zero-length files is already fixed! - -- [Razvan Cojocaru brought this change] - - getinfo: added CURLINFO_ACTIVESOCKET - - This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64 - bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable. - - Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com> - -- http2: remove dead code - - Leftovers from when we removed the private socket hash. - - Coverity CID 1317365, "Logically dead code" - -- ntlm: mark deliberate switch case fall-through - - Coverity CID 1317367, "Missing break in switch" - -- http2: on_frame_recv: get a proper 'conn' for the debug logging - - "Explicit null dereferenced (FORWARD_NULL)" - - Coverity CID 1317366 - -- RELEASE-NOTES: synced with 2acaf3c804 - -Dan Fandrich (23 Aug 2015) -- tool: fix memory leak with --proto-default option - -Jay Satiro (22 Aug 2015) -- [Nathaniel Waisbrot brought this change] - - CURLOPT_DEFAULT_PROTOCOL: added - - - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default - protocol for schemeless URLs. - - - Add new tool option --proto-default to expose - CURLOPT_DEFAULT_PROTOCOL. - - In the case of schemeless URLs libcurl will behave in this way: - - When the option is used libcurl will use the supplied default. - - When the option is not used, libcurl will follow its usual plan of - guessing from the hostname and falling back to 'http'. - -- runtests: Allow for spaces in server-verify curl custom path - -Daniel Stenberg (22 Aug 2015) -- NTLM: recent boringssl brought DES_set_odd_parity back - - ... so improve the #ifdefs for using our local implementation. - -- configure: detect latest boringssl - - Since boringssl brought back DES_set_odd_parity again, it cannot be used - to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define - seems better anyway. - - URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/ - Original-patch-by: Bertrand Simonnet - - Closes #393 - -- configure: change functions to detect openssl (clones) - - ... since boringssl moved the former ones and the check started to fail. - - URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/ - Original-patch-by: Bertrand Simonnet - -- [Alessandro Ghedini brought this change] - - openssl: handle lack of server cert when strict checking disabled - - If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER - and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server - doesn't present a certificate at all. - - Closes #392 - -- ftp: clear the do_more bit when the server has connected - - The multi state machine would otherwise go into the DO_MORE state after - DO, even for the case when the FTP state machine had already performed - those duties, which caused libcurl to get stuck in that state and fail - miserably. This occured for for active ftp uploads. - - Reported-by: Patricia Muscalu - -- [Jactry Zeng brought this change] - - travis.yml: Add OS X testbot. - -- [Rémy Léone brought this change] - - travis: Upgrading to container based build - - http://docs.travis-ci.com/user/migrating-from-legacy - - Closes #388 - -- RELEASE-NOTES: synced with 14ff86256b13e - -- [Erik Janssen brought this change] - - rtsp: stop reading empty DESCRIBE responses - - Based-on-patch-by: Jim Hollinger - -- [Erik Janssen brought this change] - - rtsp: support basic/digest authentication - -- [Sam Roth brought this change] - - CURLMOPT_PUSHFUNCTION.3: fix argument types - - Closes #389 - Closes #386 - -- [Marcel Raad brought this change] - - inet_pton.c: Fix MSVC run-time check failure - - Visual Studio complains with a message box: - - "Run-Time Check Failure #1 - A cast to a smaller data type has caused a - loss of data. If this was intentional, you should mask the source of - the cast with the appropriate bitmask. - - For example: - char c = (i & 0xFF); - - Changing the code in this way will not affect the quality of the - resulting optimized code." - - This is because only 'val' is cast to unsigned char, so the "& 0xff" has - no effect. - - Closes #387 - -Jay Satiro (18 Aug 2015) -- docs: Update the redirect protocols disabled by default - - - Clarify that FILE and SCP are disabled by default since 7.19.4 - - Add that SMB and SMBS are disabled by default since 7.40.0 - - Add CURLPROTO_SMBS to the list of protocols - -- gitignore: Sort for readability - - find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}' - -Daniel Stenberg (15 Aug 2015) -- curl_easy_getinfo.3: fix superfluous space - - ... and changed "oriented" to "related" - - Closes #378 - -- CURLOPT_HTTP_VERSION.3: connection re-use goes before version - -- [Daniel Kahn Gillmor brought this change] - - curl.1: Document weaknesses in SSLv2 and SSLv3 - - Acknowledge that SSLv3 is also widely considered to be insecure. - - Also, provide references for people who want to know more about why it's - insecure. - -Steve Holme (14 Aug 2015) -- generate.bat: Added support for generating only the prerequisite files - -- generate.bat: Only call buildconf.bat if it exists - -- generate.bat: Fixed issues when ran in directories with special chars - -Daniel Stenberg (14 Aug 2015) -- [Brad King brought this change] - - cmake: Fix CurlTests check for gethostbyname_r with 5 arguments - - Fix the check code to pass 5 arguments instead of 6. This typo was - introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in - CurlTests, 2014-10-31). - -Steve Holme (14 Aug 2015) -- * buildconf.bat: Fixed issues when ran in directories with special chars - - Bug: https://github.com/bagder/curl/pull/379 - Reported-by: Daniel Seither - -Jay Satiro (13 Aug 2015) -- curl_global_init_mem.3: Stronger thread safety warning - - Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html - Reported-by: Eric Ridge - -Daniel Stenberg (12 Aug 2015) -- [Svyatoslav Mishyn brought this change] - - curl_multi_add_handle.3: fix a typo - - "can not" => "cannot" - - closes #377 - -- [Alessandro Ghedini brought this change] - - docs: fix typos - - closes #376 - -- bump: start working toward 7.45.0 - -- THANKS: remove duplicate name - -- THANKS-filter: merge Todd's names - -- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES - -Version 7.44.0 (11 Aug 2015) - -Daniel Stenberg (11 Aug 2015) -- RELEASE-NOTES: synced with c75a1e775061 - -- [Svyatoslav Mishyn brought this change] - - curl_formget.3: correct return code - - Closes #375 - -- [Svyatoslav Mishyn brought this change] - - libcurl-tutorial.3: fix formatting - - Closes #374 - -- [Svyatoslav Mishyn brought this change] - - curl_easy_recv.3: fix formatting - -- [Anders Bakken brought this change] - - http2: discard frames with no SessionHandle - - Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the - SessionHandle. Apparently mod_h2 will sometimes send a frame for a - stream_id we're finished with. - - Use nghttp2_session_get_stream_user_data and - nghttp2_session_set_stream_user_data to identify SessionHandles instead - of a hash. - - Closes #372 - -- RELEASE-NOTES: synced with 9ee40ce2aba - -- [Viktor Szakats brought this change] - - build: refer to fixed libidn versions - - closes #371 - -- Revert "configure: disable libidn by default" - - This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3. - - ... since libidn has since been fixed. - -- [Jakub Zakrzewski brought this change] - - CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define - - Otherwise the build only pretended to use GSS-API - - Closes #370 - -- SFTP: fix range request off-by-one in size check - - Reported-by: Tim Stack - - Closes #359 - -- test46: update cookie expire time - - ... since it went old and thus was expired and caused the test to fail! - -Steve Holme (9 Aug 2015) -- generate.bat: Use buildconf.bat for prerequisite file generation - -- buildconf.bat: Tidy up of comments after recent commits - -- buildconf.bat: Added full generation of src\tool_hugehelp.c - - Added support for generating the full man page based on code from - generate.bat. - -- buildconf.bat: Added detection of groff, nroff, perl and gzip - - To allow for the full generation of tool_hugehelp.c added detection of - the required programs - based on code from generate.bat. - -- buildconf.bat: Move DOS variable clean-up code to separate function - - Rather than duplicate future variables, during clean-up of both success - and error conditions, use a common function that can be called by both. - -- RELEASE-NOTES: Synced with 39dcf352d2 - -- buildconf.bat: Added error messages on failure - -- buildconf.bat: Generate and clean files in the same order - -- buildconf.bat: Maintain compatibility with DOS based systems - - Commit f08e30d7bc broke compatibility with DOS and non Windows NT based - versions of Windows due to the use of the setlocal command. - -Jay Satiro (9 Aug 2015) -- CURLOPT_RESOLVE.3: Note removal support was added in 7.42 - - Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html - Reported-by: Inca R - -Steve Holme (8 Aug 2015) -- checksrc.bat: Fixed error when missing *.c and *.h files - - File Not Found - -- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276 - -- checksrc.bat: Fixed error when [directory] isn't a curl source directory - - The system cannot find the file specified. - -- checksrc.bat: Added check for unknown arguments - -- scripts: Added missing comments - -- scripts: Always perform setlocal and endlocal calls in pairs - - Ensure that there isn't a mismatch between setlocal and endlocal calls, - which could have happened due to setlocal being called after certain - error conditions were checked for. - -- scripts: Allow -help to be specified in any argument - - Allow the -help command line argument to be specified in any argument - and not just as the first. - -Daniel Stenberg (6 Aug 2015) -- [juef brought this change] - - curl_multi_remove_handle.3: fix formatting - - closes #366 - -Steve Holme (6 Aug 2015) -- README: Added notes about 'Running DLL based configurations' - - ...as well as a TODO for a future enhancement to the project files. - - Thanks-to: Jay Satiro - -- RELEASE-NOTES: Synced with cf8975387f - -- buildconf.bat: Synchronise no repository error with generate.bat - -- generate.bat: Added a check for the presence of a git repository - -- [Jay Satiro brought this change] - - build: Added wolfSSL configurations to VC10+ project files - - URL: https://github.com/bagder/curl/pull/174 - -- [Jay Satiro brought this change] - - build: Added wolfSSL build script for Visual Studio projects - - Added the wolfSSL build script, based on build-openssl.bat, as well as - the property sheet and header file required for the upcoming additions - to the Visual Studio project files. - -Daniel Stenberg (6 Aug 2015) -- CHANGES: refer to the online changelog - - Suggested-by: mc0e - -- [Isaac Boukris brought this change] - - NTLM: handle auth for only a single request - - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). - - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. - - Closes #363 - -Steve Holme (5 Aug 2015) -- RELEASE-NOTES: Synced with 473807b95f - -- generate.bat: Use buildconf.bat for prerequisite file clean-up - -- buildconf.bat: Added support for file clean-up via -clean - -- buildconf.bat: Added progress output - -- buildconf.bat: Avoid using goto for file not in repository - -Daniel Stenberg (5 Aug 2015) -- curl_slist_append.3: add error checking to the example - -Steve Holme (5 Aug 2015) -- buildconf.bat: Added display of usage text with -help - -- buildconf.bat: Added exit codes for error handling - -- buildconf.bat: Added our standard copyright header - -- buildconf.bat: Use lower-case for commands and reserved keywords - -- generate.bat: Only clean prerequisite files when in ALL mode - -- generate.bat: Moved error messages out of sub-routines - -- generate.bat: More use of lower-case for commands and reserved keywords - -Daniel Stenberg (3 Aug 2015) -- libcurl.3: fix a single typo - - Closes #361 - -- RELEASE-NOTES: synced with c4eb10e2f06f - -- SSH: three state machine fixups - - The SSH state machine didn't clear the 'rc' variable appropriately in a - two places which prevented it from looping the way it should. And it - lacked an 'else' statement that made it possible to erroneously get - stuck in the SSH_AUTH_AGENT state. - - Reported-by: Tim Stack - - Closes #357 - -- curl_gssapi: remove 'const' to fix compiler warnings - - initialization discards 'const' qualifier from pointer target type - -- docs: formpost needs the full size at start of upload - - Closes #360 - -Steve Holme (1 Aug 2015) -- sspi: Fix typo from left over from old code which referenced NTLM - - References to NTLM in the identity generation should have been removed - in commit c469941293 but not all were. - -- win32: Fix compilation warnings from commit 40c921f8b8 - - connect.c:953:5: warning: initializer element is not computable at load - time - connect.c:953:5: warning: missing initializer for field 'dwMinorVersion' - of 'OSVERSIONINFOEX' - curl_sspi.c:97:5: warning: initializer element is not computable at load - time - curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion' - of 'OSVERSIONINFOEX' - -- schannel: Fix compilation warning from commit 7a8e861a56 - - schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion' - of 'OSVERSIONINFOEX' [-Wmissing-field-initializers - -Daniel Stenberg (31 Jul 2015) -- libcurl-thread.3: minor reformatting - -Jay Satiro (31 Jul 2015) -- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs - - Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html - Reported-by: Eric Ridge - -- libcurl-thread.3: Warn memory functions must be thread safe - - Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html - Reported-by: Eric Ridge - -Steve Holme (31 Jul 2015) -- RELEASE-NOTES: Synced with 8b1d00ac1a - -- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section - - ...as well as some rewording. - -Kamil Dudka (30 Jul 2015) -- http: move HTTP/2 cleanup code off http_disconnect() - - Otherwise it would never be called for an HTTP/2 connection, which has - its own disconnect handler. - - I spotted this while debugging <https://bugzilla.redhat.com/1248389> - where the http_disconnect() handler was called on an FTP session handle - causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *) - was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in - Curl_add_buffer_free() after printing the "Connection cache is full, - closing the oldest one." message. - - A previously working version of libcurl started to crash after it was - recompiled with the HTTP/2 support despite the HTTP/2 protocol was not - actually used. This commit makes it work again although I suspect the - root cause (reinterpreting session handle data of incompatible protocol) - still has to be fixed. Otherwise the same will happen when mixing FTP - and HTTP/2 connections and exceeding the connection cache limit. - - Reported-by: Tomas Tomecek - Bug: https://bugzilla.redhat.com/1248389 - -Daniel Stenberg (30 Jul 2015) -- [Viktor Szakats brought this change] - - ABI doc: use secure URL - -- ABI: remove the ascii logo - - and made the indent level to 1 - -- libcurl-multi.3: mention curl_multi_wait - - ... and some general rewordings to improve this docs. - - Reported-by: Tim Stack - - Closes #356 - -Steve Holme (30 Jul 2015) -- maketgz: Fixed some VC makefiles missing from the release tarball - - VC7, VC11, VC12 and VC14 makefiles were missing from the release - tarball. - -- RELEASE-NOTES: Synced with 2d7e165761 - -- build: Added VC14 project files to Makefile.am - -- build: Added VC14 project files - - Updates to Makefile.am for the generation of the project files in - the tarball to follow. - -Jay Satiro (29 Jul 2015) -- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L - -Steve Holme (28 Jul 2015) -- generate.bat: Use lower-case for commands and reserved keywords - - Whilst there are no coding standards for the batch files used in curl, - most tend to use lower-case for keywords and upper-case for variables. - -- build: Added initial VC14 support to generate.bat - - Visual Studio project files and updates to makefile.am to follow. - -- build: Fixed missing .opensdf files from VC10+ .gitignore files - -- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames - - This wasn't possible with the old curlsrc project filenames, but like - commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual - Studio macros for the output filenames. - -- build: Renamed curl src Visual Studio project files - - Following commit 957fcd9049 and in preparation for adding the VC14 - project files renamed the curl source project files. - -Daniel Stenberg (28 Jul 2015) -- [Jay Satiro brought this change] - - libcurl-thread.3: Revert to stricter handle wording - - .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS - handlers list. - -- [Jay Satiro brought this change] - - libcurl-thread.3: Consolidate thread safety info - - This is a new document to consolidate our thread safety information from - several documents (curl-www:features, libcurl.3, libcurl-tutorial.3). - Each document's section on multi-threading will now point to this one. - -Steve Holme (27 Jul 2015) -- README: Corrected formatting for 'Legacy Windows and SSL' section - - ...as well as some wording. - -- build-openssl.bat: Added support for VC14 - -Daniel Stenberg (26 Jul 2015) -- RELEASE-NOTES: synced with 0f645adc95390e8 - -- test1902: attempt to make the test more reliable - - Closes #355 - -- comment: fix comment about adding new option support - -Jay Satiro (25 Jul 2015) -- build-openssl.bat: Show syntax if required args are missing - -Daniel Stenberg (26 Jul 2015) -- TODO: improve how curl works in a windows console window - - Closes #322 for now - -- 1.11 minimize dependencies with dynamicly loaded modules - - Closes #349 for now - -Jay Satiro (25 Jul 2015) -- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS - - - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option. - - Broken by me several days ago in 172b2be. - https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b - - Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html - Reported-by: Dan Fandrich - -Daniel Stenberg (25 Jul 2015) -- configure: check if OpenSSL linking wants -ldl - - To make it easier to link with static versions of OpenSSL, the configure - script now checks if -ldl is needed for linking. - - Help-by: TJ Saunders - -- [Michael Kaufmann brought this change] - - HTTP: ignore "Content-Encoding: compress" - - Currently, libcurl rejects responses with "Content-Encoding: compress" - when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should - treat the Content-Encoding "compress" the same as other - Content-Encodings that it does not support, e.g. "bzip2". That means - just ignoring it. - -- [Marcel Raad brought this change] - - openssl: work around MSVC warning - - MSVC 12 complains: - - lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local - variable 'verstr' used It's a false positive, but as it's normally not, - I have enabled warning-as-error for that warning. - -- [Michał Fita brought this change] - - configure: add --disable-rt option - - This option disables any attempts in configure to create dependency on - stuff requiring linking to librt.so and libpthread.so, in this case this - means clock_gettime(CLOCK_MONOTONIC, &mt). - - We were in need to build curl which doesn't link libpthread.so to avoid - the following bug: - https://sourceware.org/bugzilla/show_bug.cgi?id=16628. - -Kamil Dudka (23 Jul 2015) -- http2: verify success of strchr() in http2_send() - - Detected by Coverity. - - Error: NULL_RETURNS: - lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times). - lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr". - lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf". - 1300| - 1301| hdbuf = strchr(hdbuf, 0x0a); - 1302|-> ++hdbuf; - 1303| - 1304| authority_idx = 0; - -Jay Satiro (22 Jul 2015) -- Windows: Fix VerifyVersionInfo calls - - - Fix the VerifyVersionInfo calls, which we use to test for the OS major - version, to also test for the minor version as well as the service pack - major and minor versions. - - MSDN: "If you are testing the major version, you must also test the - minor version and the service pack major and minor versions." - - https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx - - Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098 - Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com> - -- [Marcel Raad brought this change] - - schannel: Replace deprecated GetVersion with VerifyVersionInfo - -Steve Holme (21 Jul 2015) -- makefile: Added support for VC14 - -Patrick Monnerat (21 Jul 2015) -- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings. - -- libcurl: VERSIONINFO update - Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname - requires VERSIONINFO updating. - -- http2: satisfy external references even if http2 is not compiled in. - -Daniel Stenberg (20 Jul 2015) -- http2: add stream != NULL checks for reliability - - They should not trigger, but in case of internal problems we at least - avoid crashes this way. - -Jay Satiro (18 Jul 2015) -- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol - -- SSL: Add an option to disable certificate revocation checks - - New tool option --ssl-no-revoke. - New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. - - Currently this option applies only to WinSSL where we have automatic - certificate revocation checking by default. According to the - ssl-compared chart there are other backends that have automatic checking - (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at - some later point. - - Bug: https://github.com/bagder/curl/issues/264 - Reported-by: zenden2k <zenden2k@gmail.com> - -- runtests: Allow for spaces in curl custom path - - .. also fix some typos in test's FILEFORMAT spec. - -- [David Woodhouse brought this change] - - ntlm_wb: Fix theoretical memory leak - - Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix - hard-coded limit on NTLM auth packet size") introduced a potential - memory leak on an error path, because we forget to free the buffer - before returning an error. - - Fix this. - - Although actually, it never happens in practice because we never *get* - here with state == NTLMSTATE_TYPE1. The state is always zero. That - might want cleaning up in a separate patch. - - Reported-by: Terri Oda - -- strerror: Add CRYPT_E_REVOKED to SSPI error strings - -Kamil Dudka (14 Jul 2015) -- libtest: call PR_Cleanup() on exit if NSPR is used - - This prevents valgrind from reporting possibly lost memory that NSPR - uses for file descriptor cache and other globally allocated internal - data structures. - - Reported-by: Štefan Kremeň - -Jay Satiro (14 Jul 2015) -- [John Malmberg brought this change] - - openssl: VMS support for SHA256 - - setup-vms.h: More symbols for SHA256, hacks for older VAX - - openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX. - - openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to - allow building on VAX and 64 bit VMS. - -- examples: Fix typo in multi-single.c - -Daniel Stenberg (7 Jul 2015) -- [Tatsuhiro Tsujikawa brought this change] - - http2: Fix memory leak in push header array - -Dan Fandrich (2 Jul 2015) -- test2041: fixed line endings in protocol part - -- cyassl: fixed mismatched sha256sum function prototype - -Daniel Stenberg (1 Jul 2015) -- [moparisthebest brought this change] - - SSL: Pinned public key hash support - -- examples: provide <DESC> sections - -- [John Malmberg brought this change] - - OpenVMS: VMS Software, Inc now the supplier. - - setup-vms.h: Symbol case fixups submitted by Michael Steve - - build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the - supplier of new versions of VMS. The install kit needs to accept - VSI as a producer. - -Jay Satiro (30 Jun 2015) -- multi: Move http2 push function declarations to header end - - This change necessary for binary compatibility. - - Prior to this change test 1135 failed due to the order of functions. - -- symbols-in-versions: Add new http2 push symbols - - Prior to this change test 1119 failed due to the missing symbols. - -Daniel Stenberg (30 Jun 2015) -- RELEASE-NOTES: synced with e6749055d653 - -- configure: disable libidn by default - - For security reasons, until there is a fix. - - Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html - Reported-by: Gustavo Grieco, Feist Josselin - -- SSL-PROBLEMS: mention WinSSL problems in WinXP - -- CODE_OF_CONDUCT.md: added - - Just to underscore how we treat each other in this project. Nothing new - really, but could be useful for newcomers and outsiders to see our - values. - -- tool_header_cb: fflush the header stream - - Flush the header stream when -D is used so that they are sent off - earlier. - - Bug: https://github.com/bagder/curl/issues/324 - Reported-by: Cédric Connes - -- [Roger Leigh brought this change] - - tests: Distribute CMakeLists.txt files in subdirectories - -- CURLOPT_FAILONERROR.3: mention that it closes the connection - - Reported-by: bemoody - Bug: https://github.com/bagder/curl/issues/325 - -- curl_multi_setopt.3: alpha sort the options - -- curl_multi_setopt.3: add the new push options - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Use nghttp2 library error code for error return value - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Harden header validation for curl_pushheader_byname - - Since we do prefix match using given header by application code - against header name pair in format "NAME:VALUE", and VALUE part can - contain ":", we have to careful about existence of ":" in header - parameter. ":" should be allowed to match HTTP/2 pseudo-header field, - and other use of ":" in header must be treated as error, and - curl_pushheader_byname should return NULL. This commit implements - this behaviour. - -- [Tatsuhiro Tsujikawa brought this change] - - CURLMOPT_PUSHFUNCTION.3: Remove unused variable - -- CURLMOPT_PUSHFUNCTION.3: added example - -- http2: curl_pushheader_byname now takes a const char * - -- http2-serverpush.c: example code - -- http2: free all header memory after the push callback - -- http2: init the pushed transfer properly - -- http2: fixed the header accessor functions for the push callback - -- http2: setup the new pushed stream properly - -- http2: initial implementation of the push callback - -- http2: initial HTTP/2 server push types/docs - -- test1531: verify POSTFIELDSIZE set after add_handle - - Following the fix made in 903b6e05565bf. - -- pretransfer: init state.infilesize here, not in add_handle - - ... to properly support that options are set to the handle after it is - added to the multi handle. - - Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html - Reported-by: Stefan Bühler - -Jay Satiro (21 Jun 2015) -- [Lior Kaplan brought this change] - - tool_help: fix --tlsv1 help text to use >= for TLSv1 - -- INSTALL: Advise use of non-native SSL for Windows <= XP - - Advise that WinSSL in versions <= XP will not be able to connect to - servers that no longer support the legacy handshakes and algorithms used - by those versions, and to use an alternate backend like OpenSSL instead. - - Bug: https://github.com/bagder/curl/issues/253 - Reported-by: zenden2k <zenden2k@gmail.com> - -Kamil Dudka (19 Jun 2015) -- curl_easy_setopt.3: restore contents removed by mistake - - ... in commit curl-7_43_0-18-g570076e - -Daniel Stenberg (19 Jun 2015) -- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT - -Jay Satiro (18 Jun 2015) -- cookie: Fix bug in export if any-domain cookie is present - - In 3013bb6 I had changed cookie export to ignore any-domain cookies, - however the logic I used to do so was incorrect, and would lead to a - busy loop in the case of exporting a cookie list that contained - any-domain cookies. The result of that is worse though, because in that - case the other cookies would not be written resulting in an empty file - once the application is terminated to stop the busy loop. - -Dan Fandrich (18 Jun 2015) -- FTP: fixed compiling with --disable-proxy, broken in b88f980a - -Daniel Stenberg (18 Jun 2015) -- tool: always provide negotiate/kerberos options - - libcurl can still be built with it, even if the tool is not. Maintain - independence! - -- TODO: Support IDNA2008 - -- [Viktor Szakats brought this change] - - Makefile.m32: add support for CURL_LDFLAG_EXTRAS - - It is similar to existing CURL_CFLAG_EXTRAS, but for - extra linker option. - -- RTSP: removed another piece of dead code - - Coverity CID 1306668 - -- openssl: fix use of uninitialized buffer - - Make sure that the error buffer is always initialized and simplify the - use of it to make the logic easier. - - Bug: https://github.com/bagder/curl/issues/318 - Reported-by: sneis - -- examples: more descriptions - -- examples: add descriptions with <DESC> - - Using this fixed format for example descriptions, we can generate a - better list on the web site. - -- libcurl-errors.3: fix typo - -- curl_easy_setopt.3: option order doesn't matter - -- openssl: fix build with BoringSSL - - OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression - from cae43a1 - -- [Paul Howarth brought this change] - - openssl: Fix build with openssl < ~ 0.9.8f - - The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at - around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks - builds with older openssls (certainly with 0.9.8b, which is the latest - older version I have to try with). - -- FTP: do the HTTP CONNECT for data connection blocking - - ** WORK-AROUND ** - - The introduced non-blocking general behaviour for Curl_proxyCONNECT() - didn't work for the data connection establishment unless it was very - fast. The newly introduced function argument makes it operate in a more - blocking manner, more like it used to work in the past. This blocking - approach is only used when the FTP data connecting through HTTP proxy. - - Blocking like this is bad. A better fix would make it work more - asynchronously. - - Bug: https://github.com/bagder/curl/issues/278 - -- bump: start the journey toward 7.44.0 - -Jay Satiro (17 Jun 2015) -- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes - -- CURLOPT_ERRORBUFFER.3: Improve example - -Version 7.43.0 (17 Jun 2015) - -Daniel Stenberg (17 Jun 2015) -- RELEASE-NOTES: 7.43.0 release - -- THANKS: updated with 7.43.0 names - -- [Kamil Dudka brought this change] - - http: do not leak basic auth credentials on re-used connections - - CVE-2015-3236 - - This partially reverts commit curl-7_39_0-237-g87c4abb - - Reported-by: Tomas Tomecek, Kamil Dudka - Bug: http://curl.haxx.se/docs/adv_20150617A.html - -- [Kamil Dudka brought this change] - - test2040: verify basic auth on re-used connections - -- SMB: rangecheck values read off incoming packet - - CVE-2015-3237 - - Detected by Coverity. CID 1299430. - - Bug: http://curl.haxx.se/docs/adv_20150617B.html - -Jay Satiro (17 Jun 2015) -- schannel: schannel_recv overhaul - - This commit is several drafts squashed together. The changes from each - draft are noted below. If any changes are similar and possibly - contradictory the change in the latest draft takes precedence. - - Bug: https://github.com/bagder/curl/issues/244 - Reported-by: Chris Araman - - %% - %% Draft 1 - %% - - return 0 if len == 0. that will have to be documented. - - continue on and process the caches regardless of raw recv - - if decrypted data will be returned then set the error code to CURLE_OK - and return its count - - if decrypted data will not be returned and the connection has closed - (eg nread == 0) then return 0 and CURLE_OK - - if decrypted data will not be returned and the connection *hasn't* - closed then set the error code to CURLE_AGAIN --only if an error code - isn't already set-- and return -1 - - narrow the Win2k workaround to only Win2k - - %% - %% Draft 2 - %% - - Trying out a change in flow to handle corner cases. - - %% - %% Draft 3 - %% - - Back out the lazier decryption change made in draft2. - - %% - %% Draft 4 - %% - - Some formatting and branching changes - - Decrypt all encrypted cached data when len == 0 - - Save connection closed state - - Change special Win2k check to use connection closed state - - %% - %% Draft 5 - %% - - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the - connection isn't closed. - - %% - %% Draft 6 - %% - - Save the last error only if it is an unrecoverable error. - - Prior to this I saved the last error state in all cases; unfortunately - the logic to cover that in all cases would lead to some muddle and I'm - concerned that could then lead to a bug in the future so I've replaced - it by only recording an unrecoverable error and that state will persist. - - - Do not recurse on renegotiation. - - Instead we'll continue on to process any trailing encrypted data - received during the renegotiation only. - - - Move the err checks in cleanup after the check for decrypted data. - - In either case decrypted data is always returned but I think it's easier - to understand when those err checks come after the decrypted data check. - - %% - %% Draft 7 - %% - - Regardless of len value go directly to cleanup if there is an - unrecoverable error or a close_notify was already received. Prior to - this change we only acknowledged those two states if len != 0. - - - Fix a bug in connection closed behavior: Set the error state in the - cleanup, because we don't know for sure it's an error until that time. - - - (Related to above) In the case the connection is closed go "greedy" - with the decryption to make sure all remaining encrypted data has been - decrypted even if it is not needed at that time by the caller. This is - necessary because we can only tell if the connection closed gracefully - (close_notify) once all encrypted data has been decrypted. - - - Do not renegotiate when an unrecoverable error is pending. - - %% - %% Draft 8 - %% - - Don't show 'server closed the connection' info message twice. - - - Show an info message if server closed abruptly (missing close_notify). - -Daniel Stenberg (16 Jun 2015) -- [Paul Oliver brought this change] - - Fix typo in docs - - s/curret/current/ - -- [Viktor Szakats brought this change] - - docs: update URLs - -- RELEASE-NOTES: synced with f29f2cbd00dbe5f - -- [Viktor Szakats brought this change] - - README: use secure protocol for Git repository - -- [Viktor Szakats brought this change] - - HTTP2.md: use SSL/TLS IETF URLs - -- [Viktor Szakats brought this change] - - LICENSE-MIXING: update URLs - - * use SSL/TLS where available - * follow permanent redirects - -- LICENSE-MIXING: refreshed - -- curl_easy_duphandle: see also *reset - -- rtsp_do: fix DEAD CODE - - "At condition p_request, the value of p_request cannot be NULL." - - Coverity CID 1306668. - -- security:choose_mech fix DEAD CODE warning - - ... by removing the "do {} while (0)" block. - - Coverity CID 1306669 - -- curl.1: netrc is in man section 5 - -- curl.1: small format fix - - use \fI-style instead of .BR for references - -- urldata: store POST size in state.infilesize too - - ... to simplify checking when PUT _or_ POST have completed. - - Reported-by: Frank Meier - Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html - -Dan Fandrich (14 Jun 2015) -- test1530: added http to required features - -Jay Satiro (14 Jun 2015) -- [Drake Arconis brought this change] - - build: Fix typo from OpenSSL 1.0.2 version detection fix - -- [Drake Arconis brought this change] - - build: Properly detect OpenSSL 1.0.2 when using configure - -- curl_multi_info_read.3: fix example formatting - -Daniel Stenberg (13 Jun 2015) -- BINDINGS: there's a new R binding in town! - -- BINDINGS: added the Xojo binding - -Jay Satiro (11 Jun 2015) -- [Joel Depooter brought this change] - - schannel: Add support for optional client certificates - - Some servers will request a client certificate, but not require one. - This change allows libcurl to connect to such servers when using - schannel as its ssl/tls backend. When a server requests a client - certificate, libcurl will now continue the handshake without one, - rather than terminating the handshake. The server can then decide - if that is acceptable or not. Prior to this change, libcurl would - terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS - error. - -Daniel Stenberg (11 Jun 2015) -- curl_easy_cleanup.3: provide more SEE ALSO - -- debug: remove http2 debug leftovers - -- VERSIONS: now using markdown - -- RELEASE-PROCEDURE: remove ascii logo at the top of file - -- INTERNALS: absorbed docs/LIBCURL-STRUCTS - -- INTERNALS: cat lib/README* >> INTERNALS - - and a conversion to markdown. Removed the lib/README.* files. The idea - being to move toward having INTERNALS as the one and only "book" of - internals documentation. - - Added a TOC to top of the document. - -Jay Satiro (8 Jun 2015) -- openssl: LibreSSL and BoringSSL do not use TLS_client_method - - Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of - TLS_client_method LibreSSL and BoringSSL didn't and still use - SSLv23_client_method. - - Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 - Reported-by: asavah@users.noreply.github.com - -Daniel Stenberg (9 Jun 2015) -- RELEASE-NOTES: synced with 20ac3458068 - -- CURLOPT_OPENSOCKETFUNCTION: return error at once - - When CURL_SOCKET_BAD is returned in the callback, it should be treated - as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently - created when trying to connect to a server. - - Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html - -- fopen.c: fix a few compiler warnings - -- [Ville Skyttä brought this change] - - docs: Spelling fixes - -- [Ville Skyttä brought this change] - - docs: man page indentation and syntax fixes - -Linus Nielsen (8 Jun 2015) -- help: Add --proxy-service-name and --service-name to the --help output - -Jay Satiro (7 Jun 2015) -- openssl: Fix verification of server-sent legacy intermediates - - - Try building a chain using issuers in the trusted store first to avoid - problems with server-sent legacy intermediates. - - Prior to this change server-sent legacy intermediates with missing - legacy issuers would cause verification to fail even if the client's CA - bundle contained a valid replacement for the intermediate and an - alternate chain could be constructed that would verify successfully. - - https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest - -Daniel Stenberg (5 Jun 2015) -- BINDINGS: update several URLs - - Stop linking to the curl.haxx.se anchor pages, they are usually only - themselves pointers to the real page so better point there directly - instead. - -- BINDINGS: the curl-rust binding - -- curl.h: add CURL_HTTP_VERSION_2 - - The protocol is named "HTTP/2" after all. It is an alias for the - existing CURL_HTTP_VERSION_2_0 enum. - -- openssl: removed error string #ifdef - - ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore - -- openssl: removed USERDATA_IN_PWD_CALLBACK kludge - - Code for OpenSSL 0.9.4 serves no purpose anymore! - -- openssl: remove SSL_get_session()-using code - - It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or - later. - -- openssl: remove dummy callback use from SSL_CTX_set_verify() - - The existing callback served no purpose. - -- LIBCURL-STRUCTS: clarify for multiplexing - -Jay Satiro (3 Jun 2015) -- cookie: Stop exporting any-domain cookies - - Prior to this change any-domain cookies (cookies without a domain that - are sent to any domain) were exported with domain name "unknown". - - Bug: https://github.com/bagder/curl/issues/292 - -Daniel Stenberg (3 Jun 2015) -- RELEASE-PROCEDURE: refreshed 'coming dates' - -Jay Satiro (2 Jun 2015) -- curl_setup: Change fopen text macros to use 't' for MSDOS - - Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198 - Reported-by: Gisle Vanem - -Daniel Stenberg (2 Jun 2015) -- curl_multi_timeout.3: added example - -- curl_multi_perform.3: added example - -- curl_multi_info_read.3: added example - -- checksrc: detect fopen() for text without the FOPEN_* macros - - Follow-up to e8423f9ce150 with discussionis in - https://github.com/bagder/curl/pull/258 - - This check scans for fopen() with a mode string without 'b' present, as - it may indicate that an FOPEN_* define should rather be used. - -- curl_getdate.3: update RFC reference - -Jay Satiro (1 Jun 2015) -- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT - - - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" - - This change is to explicitly specify when we need to read/write text. - Unfortunately 't' is not part of POSIX fopen so we can't specify it - directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. - - Prior to this change we had an issue on Windows if an application that - uses libcurl overrides the default file mode to binary. The default file - mode in Windows is normally text mode (translation mode) and that's what - libcurl expects. - - Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 - Reported-by: Orgad Shaneh - -Daniel Stenberg (1 Jun 2015) -- http2-upload.c: use PIPEWAIT for playing HTTP/2 better - -- http2-download: check for CURLPIPE_MULTIPLEX properly - - Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html - Reported-by: Rafayel Mkrtchyan - -- [Isaac Boukris brought this change] - - HTTP-NTLM: fail auth on connection close instead of looping - - Bug: https://github.com/bagder/curl/issues/256 - -- 5.6 Refuse "downgrade" redirects - -- README.pingpong: removed - -- ROADMAP: remove HTTP/2 multiplexing - its here now - -- HTTP2.md: formatted properly - -- HTTP2: moved docs into docs/ and make it markdown - -- README.http2: refreshed and added multiplexing info - -- dist: add the http2 examples - -- http2 examples: clean up some comments - -- examples: added two programs doing multiplexed HTTP/2 - -- scripts: moved contributors.sh and contrithanks.sh into subdir - -- RELEASE-NOTES: synced with c005790ff1c0a - -- [Daniel Melani brought this change] - - openssl: typo in comment - -Jay Satiro (27 May 2015) -- openssl: Use TLS_client_method for OpenSSL 1.1.0+ - - SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The - equivalent is TLS_client_method. - - https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557 - -Daniel Stenberg (26 May 2015) -- FAQ: How do I port libcurl to my OS? - -Jay Satiro (25 May 2015) -- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain - - Document that if Set-Cookie is used without a domain then the cookie is - sent for any domain and will not be modified. - - Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html - Reported-by: Alexander Dyagilev - -Daniel Stenberg (25 May 2015) -- [Tatsuhiro Tsujikawa brought this change] - - http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer - - Previously, after seeing upgrade to HTTP/2, we feed data followed by - upgrade response headers directly to nghttp2_session_mem_recv() in - Curl_http2_switched(). But it turns out that passed buffer, mem, is - part of stream->mem, and callbacks called by - nghttp2_session_mem_recv() will write stream specific data into - stream->mem, overwriting input data. This will corrupt input, and - most likely frame length error is detected by nghttp2 library. The - fix is first copy the passed data to HTTP/2 connection buffer, - httpc->inbuf, and call nghttp2_session_mem_recv(). - -Jay Satiro (24 May 2015) -- CURLOPT_COOKIE.3: Explain that the cookies won't be modified - - The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the - outgoing request(s)." However there seems to be some user confusion - about cookie modification. Document that the cookies set by this option - are not modified by the cookie engine. - - Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html - Reported-by: Alexander Dyagilev - -- CURLOPT_COOKIELIST.3: Add example - -Dan Fandrich (24 May 2015) -- testcurl.pl: use rel2abs to make the source directory absolute - - This function makes a platform-specific absolute path which uses - backslashes on Windows. This form works when passing it on the - command-line, as well as if the source is on another drive. - -- conncache: fixed memory leak on OOM (torture tests) - -Daniel Stenberg (24 May 2015) -- perl: remove subdir, not touched in 9 years - -- log2changes.pl: moved to scripts/ - -- [Alessandro Ghedini brought this change] - - scripts: add zsh.pl for generating zsh completion - -Dan Fandrich (23 May 2015) -- test1510: another flaky test - -Daniel Stenberg (22 May 2015) -- security: fix "Unchecked return value" from sscanf() - - By (void) prefixing it and adding a comment. Did some minor related - cleanups. - - Coverity CID 1299423. - -- security: simplify choose_mech - - Coverity CID 1299424 identified dead code because of checks that could - never equal true (if the mechanism's name was NULL). - - Simplified the function by removing a level of pointers and removing the - loop and array that weren't used. - -- RTSP: catch attempted unsupported requests better - - Replace use of assert with code that properly catches bad input at - run-time even in non-debug builds. - - This flaw was sort of detected by Coverity CID 1299425 which claimed the - "case RTSPREQ_NONE" was dead code. - -- share_init: fix OOM crash - - A failed calloc() would lead to NULL pointer use. - - Coverity CID 1299427. - -- parse_proxy: switch off tunneling if non-HTTP proxy - - non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL - - Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html - Reported-by: Sean Boudreau - -- curl: fix potential NULL dereference - - Coverity CID 1299428: Dereference after null check (FORWARD_NULL) - -- http2: on_frame_recv: return early on stream 0 - - Coverity CID 1299426 warned about possible NULL dereference otherwise, - but that would only ever happen if we get invalid HTTP/2 data with - frames for stream 0. Avoid this risk by returning early when stream 0 is - used. - -- http: removed self assignment - - Follow-up fix from b0143a2a33f0 - - Detected by coverity. CID 1299429 - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Make HTTP Upgrade work - - This commit just add implicitly opened stream 1 to streams hash. - -Jay Satiro (22 May 2015) -- strerror: Change SEC_E_ILLEGAL_MESSAGE description - - Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS - and language specific, and invariably translated to something not very - helpful like: "The message received was unexpected or badly formatted." - - Bug: https://github.com/bagder/curl/issues/267 - Reported-by: Michael Osipov - -- telnet: Fix read-callback change for Windows builds - - Refer to b0143a2 for more information on the read-callback change. - -Daniel Stenberg (21 May 2015) -- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy! - -Dan Fandrich (21 May 2015) -- testcurl.pl: allow source to be in an arbitrary directory - - This way, the build directory can be located on an entirely different - filesystem from the source code (e.g. a tmpfs). - -Daniel Stenberg (20 May 2015) -- read_callback: move to SessionHandle from connectdata - - With many easy handles using the same connection for multiplexing, it is - important we store and keep the transfer-oriented stuff in the - SessionHandle so that callbacks and callback data work fine even when - many easy handles share the same physical connection. - -- http2: show stream IDs in decimal - - It makes them easier to match output from the nghttpd test server. - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Faster http2 upload - - Previously, when we send all given buffer in data_source_callback, we - return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream - temporarily for writing. This itself is good. If this is the sole - stream in the session, nghttp2_session_want_write() returns zero, - which means that libcurl does not check writeability of the underlying - socket. This leads to very slow upload, because it seems curl only - upload 16k something per 1 second. To fix this, if we still have data - to send, call nghttp2_session_resume_data after nghttp2_session_send. - This makes nghttp2_session_want_write() returns nonzero (if connection - window still opens), and as a result, socket writeability is checked, - and upload speed becomes normal. - -- [Dmitry Eremin-Solenikov brought this change] - - gtls: don't fail on non-fatal alerts during handshake - - Stop curl from failing when non-fatal alert is received during - handshake. This e.g. fixes lots of problems when working with https - sites through proxies. - -- curl_easy_unescape.3: update RFC reference - - Reported-by: bsammon - Bug: https://github.com/bagder/curl/issues/282 - -Jay Satiro (20 May 2015) -- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape - - .. also correct some variable naming in curl_easy_escape.3 - - Bug: https://github.com/bagder/curl/issues/281 - Reported-by: bsammon@users.noreply.github.com - -Daniel Stenberg (19 May 2015) -- [Brian Prodoehl brought this change] - - openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg - - BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl - and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and - OpenSSL. - - re #275 - -Jay Satiro (19 May 2015) -- curl.1: fix missing space in section --data - -Daniel Stenberg (19 May 2015) -- transfer: remove erroneous and misleading comment - -Kamil Dudka (19 May 2015) -- http: silence compile-time warnings without USE_NGHTTP2 - - Error: CLANG_WARNING: - lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read - - Error: COMPILER_WARNING: - lib/http.c: scope_hint: In function ‘http_disconnect’ - lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable] - -Jay Satiro (19 May 2015) -- transfer: Replace __func__ instances with function name - - .. also make __func__ replacement in multi. - - Prior to this change debug builds would fail to build if the compiler - was building pre-c99 and didn't support __func__. - -Daniel Stenberg (19 May 2015) -- [Viktor Szakats brought this change] - - build: bump version in default nghttp2 paths - -- INTERNALS: we require nghttp2 1.0.0+ now - -Jay Satiro (18 May 2015) -- http: Add some include guards for the new HTTP/2 stuff - -Daniel Stenberg (18 May 2015) -- http2: store upload state per stream - - Use a curl_off_t for upload left - -- http2: fix build when NOT h2-enabled - -- http2: switch to use Curl_hash_destroy() - - as after 4883f7019d3, the *_clean() function only flushes the hash. - -- curlver: restore LIBCURL_VERSION_NUM defined as a full number - - As it breaks configure, curl-config and test 1023 if not. - -- [Anthony Avina brought this change] - - hostip: fix unintended destruction of hash table - - .. and added unit1602 for hash.c - -- curlver: introducing new version number (checking) macros - -- runtests.pl: use 'h2c' now, no -14 anymore - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Ignore if we have stream ID not in hash in on_stream_close - - We could get stream ID not in the hash in on_stream_close. For - example, if we decided to reject stream (e.g., PUSH_PROMISE), then we - don't create stream and store it in hash with its stream ID. - -- [Tatsuhiro Tsujikawa brought this change] - - Require nghttp2 v1.0.0 - - This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0, - and utilize recent version of nghttp2 to simplify the code, - - First we use nghttp2_option_set_no_recv_client_magic function to - detect nghttp2 v1.0.0. That function only exists since v1.0.0. - - Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and - validates received header field. If it found error, RST_STREAM with - PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize - this feature to simplify libcurl code. This commit does this. - - Migration from 0.7 series are done based on nghttp2 migration - document. For libcurl, we removed the code sending first 24 bytes - client magic. It is now done by nghttp2 library. - on_invalid_frame_recv callback signature changed, and is updated - accordingly. - -- http2: infof length in on_frame_send() - -- pipeline: switch some code over to functions - - ... to "compartmentalize" a bit and make it easier to change behavior - when multiplexing is used instead of good old pipelining. - -- symbols-in-versions: add CURLOPT_PIPEWAIT - -- CURLOPT_PIPEWAIT: added - - By setting this option to 1 libcurl will wait for a connection to reveal - if it is possible to pipeline/multiplex on before it continues. - -- Curl_http_readwrite_headers: minor code simplification - -- IsPipeliningPossible: fixed for http2 - -- http2: bump the h2 buffer size to 32K for speed - -- http2: remove the stream from the hash in stream_close callback - - ... and suddenly things work much better! - -- http2: if there is paused data, do not clear the drain field - -- http2: rename s/data/pausedata - -- http2: "stream %x" in all outputs to make it easier to search for - -- http2: Curl_expire() all handles with incoming traffic - - ... so that they'll get handled next in the multi loop. - -- http2: don't signal settings change for same values - -- http2: set default concurrency, fix ConnectionExists for multiplex - -- bundles: store no/default/pipeline/multiplex - - to allow code to act differently on the situation. - - Also added some more info message for the connection re-use function to - make it clearer when connections are not re-used. - -- http2: lazy init header_recvbuf - - It makes us use less memory when not doing HTTP/2 and subsequently also - makes us not have to cleanup HTTP/2 related data when not using HTTP/2! - -- http2: separate multiplex/pipelining + cleanup memory leaks - -- CURLMOPT_PIPELINE: bit 1 is for multiplexing - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Fix bug that data to be drained are overwritten by pending "paused" data - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Don't call nghttp2_session_mem_recv while it is paused by a stream - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Read data left in connection buffer after pause - - Previously when we do pause because of out of buffer, we just throw - away unread data in connection buffer. This just broke protocol - framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this - issue by remembering how much data read, and in the next iteration, we - process remaining data. - -- [Tatsuhiro Tsujikawa brought this change] - - http2: Fix streams get stuck - - This commit fixes the bug that streams get stuck if stream gets some - DATA, and stream->closed becomes true at the same time. Previously, - in this condition, after we processed DATA, we are going to try to - read data from underlying transport, but there is no data, and gets - EAGAIN. There was no code path to evaludate stream->closed. - -- http2: store incoming h2 SETTINGS - -- pipeline: move function to pipeline.c and make static - - ... as it was only used from there. - -- IsPipeliningPossible: http2 can always "pipeline" (multiplex) - -- http2: remove debug logging from on_frame_recv - -- http2: remove the closed check in http2_recv - - With the "drained" functionality we can get here slightly asynchronously - so the stream have have been closed but there is pending data left to - read. - -- http2: bump the h2 buffer to 8K - -- http2: Curl_read should not use the single buffer - - ... as it does for pipelining when we're multiplexing, as we need the - different buffers to store incoming data correctly for all streams. - -- http2: more debug outputs - -- http2: leave WAITPERFORM when conn is multiplexed - - No need to wait for our "spot" like for pipelining - -- http2: force "drainage" of streams - - ... which is necessary since the socket won't be readable but there is - data waiting in the buffer. - -- http2: move the mem+len pair to the stream struct - -- http2: more stream-oriented data, stream ID 0 is for connections - -- http2: move lots of state data to the 'stream' struct - - ... from the connection struct. The stream one being the 'struct HTTP' - which is kept in the SessionHandle struct (easy handle). - - lookup streams for incoming frames in the stream hash, hashing is based - on the stream id and we get the SessionHandle for the incoming stream - that way. - -- HTTP: partial start at fixing up hash-lookups on http2 frame receival - -- http: a stream hash for h2 multiplexing - -- http: a stream hash for h2 multiplexing - -- http2: debug log when receiving unexpected stream_id - -- http2: move stream_id to the HTTP struct (per-stream) - -- Curl_http2_setup: only do it once and enable multiplex on the server - - Once we know we are HTTP/2 enabled we know the server can multiplex. - -- http: switch on "pipelining" (multiplexing) for HTTP/2 servers - - ... and do not blacklist any. - -- README.pipelining: removed - - All the details mentioned here are better documented in man pages - -Dan Fandrich (14 May 2015) -- build: removed bundles.c from make files - - This file was removed in commit fd137786 - -Daniel Stenberg (14 May 2015) -- Curl_conncache_add_conn: fix memory leak on OOM - -- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number - -- conncache: keep bundles on host+port bases, not only host names - - Previously we counted all connections to a specific host name and that - would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example, - while servers on different port numbers are normally considered - different "origins" on the web and should thus be considered different - hosts. - -- bundles: merged into conncache.c - - All the existing Curl_bundle* functions were only ever used from within - the conncache.c file, so I moved them over and made them static (and - removed the Curl_ prefix). - -- hostcache: made all host caches use structs, not pointers - - This avoids unnecessary dynamic allocs and as this also removed the last - users of *hash_alloc() and *hash_destroy(), those two functions are now - removed. - -- multi: converted socket hash into non-allocated struct - - avoids extra dynamic allocation - -- connection cache: avoid Curl_hash_alloc() - - ... by using plain structs instead of pointers for the connection cache, - we can avoid several dynamic allocations that weren't necessary. - -- proxy: add newline to info message - -Patrick Monnerat (8 May 2015) -- FTP: fix dangling conn->ip_addr dereference on verbose EPSV. - -- FTP: Make EPSV use the control IP address rather than the original host. - This ensures an alternate address is not used. - Does not apply to proxy tunnel. - -Daniel Stenberg (8 May 2015) -- [Alessandro Ghedini brought this change] - - tool_help: fix formatting for --next option - -- [Egon Eckert brought this change] - - opts: improved the TCP keepalive examples - -Jay Satiro (8 May 2015) -- winbuild: Document the option used to statically link the CRT - - - Document option RTLIBCFG (runtime library configuration). - - Bug: https://github.com/bagder/curl/issues/254 - Reported-by: Bert Huijben - -- [Orgad Shaneh brought this change] - - netrc: Read in text mode when cygwin - - Use text mode when cygwin to eliminate trailing carriage returns. - - Bug: https://github.com/bagder/curl/pull/258 - -Patrick Monnerat (5 May 2015) -- OS400: Add SPNEGO service name options to ILE/RPG binding. - -Daniel Stenberg (4 May 2015) -- curl_multi_info_read.3: fix typo - - Reported-by: Liviu Chircu - -- MANUAL: language fix - - Reported-by: Fred Stluka - Bug: https://github.com/bagder/curl/issues/255 - -- [Alessandro Ghedini brought this change] - - gtls: properly retrieve certificate status - - Also print the revocation reason if appropriate. - -- OpenSSL: conditional check for SSL3_RT_HEADER - - The symbol is fairly new. - - Reported-by: Kamil Dudka - -- openssl: skip trace outputs for ssl_ver == 0 - - The OpenSSL trace callback is wonderfully undocumented but given a - journey in the source code, it seems the cases were ssl_ver is zero - doesn't follow the same pattern and thus turned out confusing and - misleading. For now, we skip doing any CURLINFO_TEXT logging on those - but keep sending them as CURLINFO_SSL_DATA_OUT/IN. - - Also, I added direction to the text info and I edited some functions - slightly. - - Bug: https://github.com/bagder/curl/issues/219 - Reported-by: Jay Satiro, Ashish Shukla - -Marc Hoersken (2 May 2015) -- schannel.c: Small changes - -- schannel.c: Improve code path and readability - -- schannel.c: Improve error and return code handling upon aa99a63f03 - -- [Chris Araman brought this change] - - schannel: fix regression in schannel_recv - - https://github.com/bagder/curl/issues/244 - - Commit 145c263 changed the behavior when Curl_read_plain returns - CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED - correctly. - -- Bug born in changes made several days ago 9a91e80. - - Commit: https://github.com/bagder/curl/commit/926cb9f - Reported-by: Ray Satiro - -Daniel Stenberg (30 Apr 2015) -- [Michael Osipov brought this change] - - configure: remove missing and make it autogenerate - - The missing file has not been autogenerated because a temporary fix was - employed in acinclude.m4 which blocked update. Removed that fix and a recent - version of missing is copied to build root. - -- [Michael Osipov brought this change] - - acinclude.m4: fix test for default CA cert bundle/path - - test(1) on HP-UX requires a single equals sign and fails with two. - Let's use one and make every OS happy. - -- CONTRIBUTING.md: remove the sourceforge mention - - Reported-By: Michael Osipov - -Dan Fandrich (30 Apr 2015) -- http_negotiate_sspi: added missing data variable - -Daniel Stenberg (30 Apr 2015) -- [Michael Osipov brought this change] - - configure: remove --automake from libtoolize call - - That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4. - Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility". - - This option is redundant now. - -- [Viktor Szakats brought this change] - - build: update depedency versions, urls, example makefiles - - - update default versions of dependencies (except for rare/old platforms) - - update urls - - sync examples makefiles with main ones - - remove line ending space - -- [Michael Osipov brought this change] - - configure: remove autogenerated files by autoconf - - * install-sh is always regenerated - * mkinstalldirs was already redudant years ago. Automake uses install for - that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html - -- [Anders Bakken brought this change] - - curl_multi_add_handle: next is already NULL - -Jay Satiro (30 Apr 2015) -- schannel: Fix out of bounds array - - Bug born in changes made several days ago 9a91e80. - - Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html - Reported-by: Brian Chrisman - -- docs/libcurl: gitignore libcurl-symbols.3 - - Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html - Reported-by: Michael Osipov - -- [Viktor Szakats brought this change] - - lib/makefile.m32: add arch -m32/-m64 to LDFLAGS - - This fixes using a multi-target mingw distro to build curl .dll for the - non-default target. - (mirroring the same patch present in src/makefile.m32) - -Daniel Stenberg (29 Apr 2015) -- RELEASE-NOTES: synced with cd39b944afc - - I've not mentioned the bug fixes that were shipped in 7.42.1 from the - 7_42 branch. - -- THANKS: merged from the 7.42.1 release - -- CURLOPT_HEADEROPT: default to separate - - Make the HTTP headers separated by default for improved security and - reduced risk for information leakage. - - Bug: http://curl.haxx.se/docs/adv_20150429.html - Reported-by: Yehezkel Horowitz, Oren Souroujon |