1curl and libcurl 7.78.0 2 3 Public curl releases: 201 4 Command line options: 242 5 curl_easy_setopt() options: 290 6 Public functions in libcurl: 85 7 Contributors: 2459 8 9This release includes the following changes: 10 11 o curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE [118] 12 o CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax [40] 13 o hostip: make 'localhost' return fixed values [16] 14 o mbedtls: add support for cert and key blob options [11] 15 o metalink: remove all support for it [54] 16 o mqtt: add support for username and password [91] 17 18This release includes the following bugfixes: 19 20 o --socks4[a]: clarify where the host name is resolved [107] 21 o ares: always store IPv6 addresses first [20] 22 o asyn-ares: remove check for 'data' in Curl_resolver_cancel [89] 23 o bearssl: explicitly initialize all fields of Curl_ssl [1] 24 o bearssl: remove incorrect const on variable that is modified [1] 25 o build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS [155] 26 o c-hyper: abort CONNECT response reading early on non 2xx responses [75] 27 o c-hyper: add support for transfer-encoding in the request [121] 28 o c-hyper: bail on too long response headers [115] 29 o c-hyper: clear NTLM auth buffer when request is issued [23] 30 o c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL [21] 31 o c-hyper: fix NTLM on closed connection tested with test159 [4] 32 o c-hyper: fix the uploaded field in progress callbacks [78] 33 o c-hyper: handle NULL from hyper_buf_copy() [19] 34 o c-hyper: support CURLINFO_STARTTRANSFER_TIME [29] 35 o c-hyper: support CURLOPT_HEADER [32] 36 o ccsidcurl: fix the compile errors [27] 37 o CI/cirrus: install impacket from PyPI instead of FreeBSD packages [166] 38 o CI: add bearssl build [1] 39 o CI: add Circle CI [92] 40 o CI: add jobs using Zuul [86] 41 o CI: delete --enable-hsts option (it is the default now) [2] 42 o CI: remove travis details [144] 43 o cleanup: spell DoH with a lowercase o [172] 44 o cmake: add CURL_DISABLE_NTLM option [44] 45 o cmake: avoid leaking absolute paths into exported config [3] 46 o cmake: fix IoctlSocket FIONBIO check [156] 47 o cmake: fix support for UnixSockets feature on Win32 [104] 48 o cmake: remove libssh2 feature checks [122] 49 o cmake: try well-known send/recv signature for Apple [12] 50 o configure.ac: make non-executable [109] 51 o configure/cmake: remove checks for many unused functions [95] 52 o configure: add --disable-ntlm option [45] 53 o configure: disable RTSP when hyper is selected [68] 54 o configure: do not strip out debug flags [110] 55 o configure: fix nghttp2 library name for static builds [157] 56 o configure: inhibit the implicit-fallthrough warning on gcc-12 [106] 57 o configure: rename get-easy-option configure option to get-easy-options [81] 58 o conn_shutdown: if closed during CONNECT cleanup properly [59] 59 o conncache: lowercase the hash key for better match [5] 60 o cookies: track expiration in jar to optimize removals [25] 61 o copyright: add boiler-plate headers to CI config files [143] 62 o crustls: bump crustls version and use new URL [119] 63 o curl.h: <sys/select.h> is supported by VxWorks7 [102] 64 o curl.h: include sys/select.h for NuttX RTOS [100] 65 o curl: ignore blank --output-dir [57] 66 o curl_endian: remove the unused Curl_write64_le function [85] 67 o curl_multibyte: Remove local encoding fallbacks [58] 68 o Curl_ntlm_core_mk_nt_hash: fix OOM in error path [8] 69 o Curl_ssl_getsessionid: fail if no session cache exists [14] 70 o CURLOPT_WRITEFUNCTION.3: minor update of the example [80] 71 o docs/BINDINGS: fix outdated links [116] 72 o docs/examples: use curl_multi_poll() in multi examples [152] 73 o docs/INSTALL: remove mentions of configure --with-darwin-ssl [55] 74 o docs: document missing arguments to commands [160] 75 o docs: fix inconsistencies in EGDSOCKET documentation [159] 76 o docs: fix incorrect argument name reference [161] 77 o docs: Fix typos [146] 78 o docs: make docs for --etag-save match the program behaviour [169] 79 o docs: use --max-redirs instead of --max-redir [28] 80 o doh: (void)-prefix call to curl_easy_setopt 81 o doh: fix wrong DEBUGASSERT for doh private_data [62] 82 o easy: during upkeep, attach Curl_easy to connections in the cache [171] 83 o examples/multi-single: fix scan-build warning [150] 84 o examples: length-limit two sscanf() uses of %s [96] 85 o examples: safer and more proper read callback logic [127] 86 o filecheck: quietly remove test-place/*~ [39] 87 o formdata: avoid "Argument cannot be negative" warning [131] 88 o formdata: correct typecast in curl_mime_data call [137] 89 o GHA: add a linux-hyper job [52] 90 o GHA: add several libcurl tests to the hyper job 91 o GHA: run the newly fixed tests with hyper [36] 92 o github: timeout jobs on macOS after 90 minutes [42] 93 o glob: pass an 'int' as len when using printf's %*s [139] 94 o gnutls: set the preferred TLS versions in correct order [94] 95 o GOVERNANCE: add 'user', 'committer' and 'contributor' [15] 96 o hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies [105] 97 o hostip: bad CURLOPT_RESOLVE syntax now returns error [35] 98 o hsts: ignore numberical IP address hosts [17] 99 o HSTS: not experimental anymore 100 o http2: clarify 'Using HTTP2' verbose message [63] 101 o http2: init recvbuf struct for pushed streams [13] 102 o http2_connisdead: handle trailing GOAWAY better [18] 103 o http: fix crash in rate-limited upload [142] 104 o http: make the haproxy support work with unix domain sockets [99] 105 o http_proxy: deal with non-200 CONNECT response with Hyper [22] 106 o hyper: propagate errors back up from read callbacks [113] 107 o HYPER: remove mentions of deprecated development branch 108 o idn: fix libidn2 with windows unicode builds [117] 109 o infof: remove newline from format strings, always append it [149] 110 o lib: don't compare fd to FD_SETSIZE when using poll [61] 111 o lib: fix compiler warnings with CURL_DISABLE_NETRC [168] 112 o lib: fix type of len passed to *printf's %*s [133] 113 o lib: more %u for port and int for %*s fixes [132] 114 o lib: use %u instead of %ld for port number printf [134] 115 o libcurl-security.3: mention file descriptors and forks [108] 116 o libssh2: limit time a disconnect can take to 1 second [111] 117 o mbedtls: make mbedtls_strerror always work [6] 118 o mbedtls: Remove unnecessary include [175] 119 o mqtt: detect illegal and too large file size [43] 120 o mqtt: extend the error message for no topic [136] 121 o msnprintf: return number of printed characters excluding null byte [148] 122 o multi: add scan-build-6 work-around in curl_multi_fdset [88] 123 o multi: alter transfer timeout ordering [97] 124 o multi: do not switch off connect_only flag when closing [98] 125 o multi: fix crash in curl_multi_wait / curl_multi_poll [153] 126 o netrc: skip 'macdef' definitions [87] 127 o ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS [83] 128 o openssl: avoid static variable for seed flag [101] 129 o openssl: don't remove session id entry in disassociate [56] 130 o pinnedpubkey.d: fix formatting for version support lists [126] 131 o proto.d: fix formatting for paragraphs after margin changes [125] 132 o quiche: use send() instead of sendto() to avoid macOS issue [103] 133 o Revert "c-hyper: handle body on HYPER_TASK_EMPTY" [26] 134 o Revert "ftp: Expression 'ftpc->wait_data_conn' is always false" [147] 135 o runtests: also find the last test in Makefile.inc [66] 136 o runtests: enable 'hyper mode' only for HTTP tests [34] 137 o runtests: init $VERSION to avoid warnings when using -l 138 o runtests: parse data/Makefile.inc instead of using make [38] 139 o runtests: skip disabled tests unless -f is used [82] 140 o rustls: remove native_roots fallback [65] 141 o schannel: set ALPN length correctly for HTTP/2 [24] 142 o SChannel: Use '_tcsncmp()' instead [164] 143 o sectransp: check for client certs by name first, then file [167] 144 o setopt: fix incorrect comments [10] 145 o socketpair: fix potential hangs [37] 146 o socks4: scan for the IPv4 address in resolve results [124] 147 o ssl: read pending close notify alert before closing the connection [9] 148 o sws: malloc request struct instead of using stack [60] 149 o telnet: fix option parser to not send uninitialized contents [170] 150 o test1116: hyper doesn't pass through "surprise-trailers" [123] 151 o test1147: hyper doesn't allow "crazy" request headers like built-in [114] 152 o test1151: added missing CRLF to work with hyper [120] 153 o test1216: adjusted for hyper mode [73] 154 o test1218: adjusted for hyper mode [72] 155 o test1230: adjust to work in hyper mode [74] 156 o test1340/1341: adjusted for hyper mode [71] 157 o test1438/1457: add HTTP keyword to make hyper mode work [70] 158 o test1514: add a CRLF to the response to make it correct [130] 159 o test1518: adjusted to work with hyper [129] 160 o test1519: adjusted to work with hyper [128] 161 o test1594/1595/1596: fix to work in hyper mode [69] 162 o test269: disable for hyper [33] 163 o test3010: work with hyper mode [67] 164 o test328: avoid a header-looking body to make hyper mode work [53] 165 o test339: CRLFify better to work in hyper mode [51] 166 o test347: CRLFify to work in hyper mode [50] 167 o test393: make Content-Length fit within 64 bit for hyper [49] 168 o test394: hyper returns a different error [48] 169 o test395: hyper cannot work around > 64 bit content-lengths like built-in [47] 170 o test433: adjust for hyper mode [46] 171 o test434: add HTTP keyword [76] 172 o test500: adjust to work with hyper mode 173 o test566: adjust to work with hyper mode [79] 174 o test599: adjusted to work in hyper mode [77] 175 o test644: remove as duplicate of test 587 [84] 176 o tests: fix Accept-Encoding strips to work with Hyper builds [41] 177 o TLS: prevent shutdown loops to get stuck [112] 178 o tool: make _lseeki64() macro work with the PellesC compiler [163] 179 o tool_help: document that --tlspassword takes a password [162] 180 o tool_help: remove unused define [154] 181 o url.c: remove two variable assigns that are never read [90] 182 o url: (void)-prefix a curl_url_get() call [138] 183 o url: bad CURLOPT_CONNECT_TO syntax now returns error [31] 184 o version: turn version number functions into returning void [135] 185 o vtls: exit addsessionid if no cache is inited [7] 186 o vtls: fix connection reuse checks for issuer cert and case sensitivity [165] 187 o vtls: only store TIMER_APPCONNECT for non-proxy connect [93] 188 o vtls: use free() not curl_free() [140] 189 o warnless: simplify type size handling [30] 190 o Win32: fix build with Watt-32 191 o winbuild/README: VC should be set to 6 'or larger' [64] 192 o winbuild: support alternate nghttp2 static lib name [174] 193 o wolfssl: failing to set a session id is not reason to error out [151] 194 o write-out.d: clarify urlnum is not unique for de-globbed URLs [145] 195 o zuul: use the new rustls directory name [141] 196 197This release includes the following known bugs: 198 199 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html) 200 201This release would not have looked like this without help, code, reports and 202advice from friends like these: 203 204 Albin Vass, Aleksander Mazur, Alexis Vachette, Alex Xu, Andrea Pappacoda, 205 Andrei Rybak, Bachue Zhou, Bastian Krause, Bin Lan, Bin Meng, 206 Christian Weisgerber, Christoph M. Becker, civodul on github, Dan Fandrich, 207 Daniel Gustafsson, Daniel Stenberg, David Hu, dEajL3kA on github, 208 Dmitry Karpov, Dmitry Kostjuchenko, Douglas R. Reno, Ebe Janchivdorj, 209 Fawad Mirza, Francisco Munoz, Gabriel Simmer, Gealber Morales, Gergely Nagy, 210 Gerrit Renker, Gisle Vanem, Gregor Jasny, Gregory Muchka, Harry Sintonen, 211 Hugh Macdonald, Jacob Hoffman-Andrews, Jishan Shaikh, Joel Depooter, 212 Jonathan Wernberg, Jon Rumsey, Josh Soref, Josie Huddleston, Jun-ya Kato, 213 Kevin Burke, Laurent Dufresne, Li Xinwei, MAntoniak on github, Marcel Raad, 214 Marc Hörsken, Mark Swaanenburg, Martin Howarth, Max Zettlmeißl, 215 Michael Forney, Michael Kaufmann, Mohammed Naser, nian6324 on github, 216 Nikos Mavrogiannopoulos, Paul Groke, Peter Körner, Phil E. Taylor, 217 Pierre Yager, Randolf J, Ray Satiro, Red Hat Product Security, 218 Richard Marion, Richard Whitehouse, Sergey Markelov, Shikha Sharma, 219 shithappens2016 on github, sylgal on github, Timur Artikov, Tobias Nyholm, 220 Tommy Chiang, User Sg, Vadim Grinshpun, Valentín Gutiérrez, Viktor Szakats, 221 William Desportes, Wyatt OʼDay, Xiang Xiao, Yongkang Huang, Younes El-karama, 222 Zhang Xiuhua, Борис Верховский, Коваленко Анатолий Викторович, 223 (83 contributors) 224 225References to bug reports and discussions on issues: 226 227 [1] = https://curl.se/bug/?i=7133 228 [2] = https://curl.se/bug/?i=7167 229 [3] = https://curl.se/bug/?i=7152 230 [4] = https://curl.se/bug/?i=7154 231 [5] = https://curl.se/bug/?i=7159 232 [6] = https://curl.se/bug/?i=7162 233 [7] = https://curl.se/bug/?i=7165 234 [8] = https://curl.se/bug/?i=7164 235 [9] = https://curl.se/bug/?i=7095 236 [10] = https://curl.se/bug/?i=7157 237 [11] = https://curl.se/bug/?i=7157 238 [12] = https://curl.se/bug/?i=7158 239 [13] = https://curl.se/bug/?i=7153 240 [14] = https://curl.se/bug/?i=7148 241 [15] = https://curl.se/bug/?i=7151 242 [16] = https://curl.se/bug/?i=7039 243 [17] = https://curl.se/bug/?i=7146 244 [18] = https://curl.se/mail/lib-2021-06/0001.html 245 [19] = https://curl.se/bug/?i=7143 246 [20] = https://curl.se/mail/lib-2021-06/0003.html 247 [21] = https://curl.se/bug/?i=7141 248 [22] = https://curl.se/bug/?i=7141 249 [23] = https://curl.se/bug/?i=7139 250 [24] = https://curl.se/bug/?i=7138 251 [25] = https://curl.se/bug/?i=7172 252 [26] = https://curl.se/bug/?i=7122 253 [27] = https://curl.se/bug/?i=7134 254 [28] = https://curl.se/bug/?i=7130 255 [29] = https://curl.se/bug/?i=7204 256 [30] = https://curl.se/bug/?i=7181 257 [31] = https://curl.se/bug/?i=7183 258 [32] = https://curl.se/bug/?i=7204 259 [33] = https://curl.se/bug/?i=7184 260 [34] = https://curl.se/bug/?i=7185 261 [35] = https://curl.se/bug/?i=7170 262 [36] = https://curl.se/bug/?i=7205 263 [37] = https://curl.se/bug/?i=7144 264 [38] = https://curl.se/bug/?i=7177 265 [39] = https://curl.se/bug/?i=7179 266 [40] = https://curl.se/bug/?i=7175 267 [41] = https://curl.se/bug/?i=7169 268 [42] = https://curl.se/bug/?i=7173 269 [43] = https://curl.se/bug/?i=7166 270 [44] = https://curl.se/bug/?i=7028 271 [45] = https://curl.se/bug/?i=7028 272 [46] = https://curl.se/bug/?i=7205 273 [47] = https://curl.se/bug/?i=7205 274 [48] = https://curl.se/bug/?i=7205 275 [49] = https://curl.se/bug/?i=7205 276 [50] = https://curl.se/bug/?i=7205 277 [51] = https://curl.se/bug/?i=7205 278 [52] = https://curl.se/bug/?i=7206 279 [53] = https://curl.se/bug/?i=7203 280 [54] = https://curl.se/bug/?i=7176 281 [55] = https://curl.se/mail/lib-2021-06/0008.html 282 [56] = https://curl.se/bug/?i=7222 283 [57] = https://curl.se/bug/?i=7218 284 [58] = https://curl.se/bug/?i=7257 285 [59] = https://curl.se/bug/?i=7236 286 [60] = https://curl.se/mail/lib-2021-06/0018.html 287 [61] = https://curl.se/bug/?i=7240 288 [62] = https://curl.se/bug/?i=7227 289 [63] = https://github.com/curl/curl/discussions/7255 290 [64] = https://curl.se/bug/?i=7253 291 [65] = https://curl.se/bug/?i=7250 292 [66] = https://curl.se/bug/?i=7209 293 [67] = https://curl.se/bug/?i=7209 294 [68] = https://curl.se/bug/?i=7209 295 [69] = https://curl.se/bug/?i=7209 296 [70] = https://curl.se/bug/?i=7209 297 [71] = https://curl.se/bug/?i=7209 298 [72] = https://curl.se/bug/?i=7209 299 [73] = https://curl.se/bug/?i=7209 300 [74] = https://curl.se/bug/?i=7209 301 [75] = https://curl.se/bug/?i=493 302 [76] = https://curl.se/bug/?i=7209 303 [77] = https://curl.se/bug/?i=7209 304 [78] = https://curl.se/bug/?i=7209 305 [79] = https://curl.se/bug/?i=7209 306 [80] = https://curl.se/bug/?i=7219 307 [81] = https://curl.se/bug/?i=7211 308 [82] = https://curl.se/bug/?i=7212 309 [83] = https://curl.se/bug/?i=6896 310 [84] = https://curl.se/bug/?i=7208 311 [85] = https://curl.se/bug/?i=7280 312 [86] = https://curl.se/bug/?i=7245 313 [87] = https://curl.se/bug/?i=7238 314 [88] = https://curl.se/bug/?i=7248 315 [89] = https://curl.se/bug/?i=7248 316 [90] = https://curl.se/bug/?i=7248 317 [91] = https://curl.se/bug/?i=7243 318 [92] = https://curl.se/bug/?i=7239 319 [93] = https://curl.se/bug/?i=7274 320 [94] = https://curl.se/bug/?i=7277 321 [95] = https://curl.se/bug/?i=7276 322 [96] = https://curl.se/bug/?i=7293 323 [97] = https://curl.se/bug/?i=7178 324 [98] = https://curl.se/mail/lib-2021-06/0024.html 325 [99] = https://curl.se/bug/?i=7290 326 [100] = https://curl.se/bug/?i=7287 327 [101] = https://curl.se/bug/?i=7296 328 [102] = https://curl.se/bug/?i=7285 329 [103] = https://curl.se/bug/?i=7260 330 [104] = https://curl.se/bug/?i=7034 331 [105] = https://curl.se/bug/?i=7265 332 [106] = https://curl.se/bug/?i=7295 333 [107] = https://curl.se/bug/?i=7273 334 [108] = https://curl.se/bug/?i=7270 335 [109] = https://curl.se/bug/?i=7272 336 [110] = https://curl.se/bug/?i=7216 337 [111] = https://curl.se/bug/?i=7271 338 [112] = https://curl.se/bug/?i=7271 339 [113] = https://curl.se/bug/?i=7266 340 [114] = https://curl.se/bug/?i=7349 341 [115] = https://curl.se/bug/?i=7350 342 [116] = https://curl.se/bug/?i=7301 343 [117] = https://curl.se/bug/?i=7228 344 [118] = https://curl.se/bug/?i=7073 345 [119] = https://curl.se/bug/?i=7297 346 [120] = https://curl.se/bug/?i=7350 347 [121] = https://curl.se/bug/?i=7348 348 [122] = https://curl.se/bug/?i=7343 349 [123] = https://curl.se/bug/?i=7344 350 [124] = https://curl.se/bug/?i=7345 351 [125] = https://curl.se/bug/?i=7341 352 [126] = https://curl.se/bug/?i=7340 353 [127] = https://curl.se/bug/?i=7330 354 [128] = https://curl.se/bug/?i=7333 355 [129] = https://curl.se/bug/?i=7333 356 [130] = https://curl.se/bug/?i=7334 357 [131] = https://curl.se/bug/?i=7328 358 [132] = https://curl.se/bug/?i=7329 359 [133] = https://curl.se/bug/?i=7326 360 [134] = https://curl.se/bug/?i=7325 361 [135] = https://curl.se/bug/?i=7319 362 [136] = https://curl.se/bug/?i=7316 363 [137] = https://curl.se/bug/?i=7327 364 [138] = https://curl.se/bug/?i=7320 365 [139] = https://curl.se/bug/?i=7324 366 [140] = https://curl.se/bug/?i=7318 367 [141] = https://curl.se/bug/?i=7311 368 [142] = https://curl.se/bug/?i=7308 369 [143] = https://curl.se/bug/?i=7314 370 [144] = https://curl.se/bug/?i=7313 371 [145] = https://curl.se/bug/?i=7342 372 [146] = https://curl.se/bug/?i=7370 373 [147] = https://curl.se/mail/lib-2021-07/0025.html 374 [148] = https://curl.se/bug/?i=7361 375 [149] = https://curl.se/bug/?i=7357 376 [150] = https://curl.se/bug/?i=7360 377 [151] = https://curl.se/bug/?i=7358 378 [152] = https://curl.se/bug/?i=7352 379 [153] = https://curl.se/bug/?i=7379 380 [154] = https://curl.se/bug/?i=7380 381 [155] = https://curl.se/bug/?i=7377 382 [156] = https://curl.se/bug/?i=7375 383 [157] = https://curl.se/bug/?i=7367 384 [159] = https://curl.se/bug/?i=7391 385 [160] = https://curl.se/bug/?i=7382 386 [161] = https://curl.se/bug/?i=7383 387 [162] = https://curl.se/bug/?i=7378 388 [163] = https://curl.se/bug/?i=7397 389 [164] = https://curl.se/bug/?i=7398 390 [165] = https://curl.se/docs/CVE-2021-22924.html 391 [166] = https://curl.se/bug/?i=7418 392 [167] = https://curl.se/docs/CVE-2021-22926.html 393 [168] = https://curl.se/bug/?i=7423 394 [169] = https://curl.se/bug/?i=7429 395 [170] = https://curl.se/docs/CVE-2021-22925.html 396 [171] = https://curl.se/bug/?i=7386 397 [172] = https://curl.se/bug/?i=7413 398 [174] = https://curl.se/bug/?i=7446 399 [175] = https://curl.se/bug/?i=7419 400