Lines Matching +full:ipv4 +full:- +full:config +full:- +full:causing +full:- +full:fallback +full:- +full:to +full:- +full:tcp
13 - RELEASE-NOTES: synced
17 - THANKS: new contributors from 8.5.0
21 - cd2nroff: use perl 'strict' and 'warnings'
23 - Use strict and warnings pragmas.
25 - If open() fails then show the reason.
27 - Set STDIN io layer :crlf so that input is properly read on Windows.
29 - When STDIN is used as input, the filename $f is now set to "STDIN".
38 - cd2nroff: fix duplicate output issue
40 Assisted-by: Jay Satiro
41 Fixes https://github.com/curl/curl-www/issues/321
44 - lib: error out on multissl + http3
51 Assisted-by: Viktor Szakats
52 Assisted-by: Gisle Vanem
58 - OS400: sync ILE/RPG binding
66 - build: delete/replace 3 more clang warning pragmas
68 - tool_msgs: delete redundant `-Wformat-nonliteral` suppression pragma.
70 - whitespace formatting in `mprintf.h`, lib518, lib537.
72 - lib518: fix wrong variable in `sizeof()`.
74 - lib518: bump variables to `rlim_t`.
75 Follow-up to e2b394106d543c4615a60795b7fdce04bd4e5090 #1469
77 - lib518: sync error message with lib537
78 Follow-up to 365322b8bcf9efb6a361473d227b70f2032212ce
80 - lib518, lib537: replace `-Wformat-nonliteral` suppression pragmas
83 Follow-up to 5b286c250829e06a135a6ba998e80beb7f43a734 #12812
84 Follow-up to aee4ebe59161d0a5281743f96e7738ad97fe1cd4 #12803
85 Follow-up to 09230127589eccc7e01c1a7217787ef8e64f3328 #12540
86 Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
88 Reviewed-by: Daniel Stenberg
93 - cmake: freshen up docs/INSTALL.cmake
95 - Turn docs/INSTALL.cmake into a proper markdown file,
96 docs/INSTALL-CMAKE.md
97 - Move things around to divide the description into configuration,
99 - Mention the more modern cmake options to configure, build and install,
106 - build: delete/replace clang warning pragmas
108 - delete redundant warning suppressions for `-Wformat-nonliteral`.
111 as a corner-case here.
113 - replace two pragmas with code changes to avoid the warnings.
115 Follow-up to aee4ebe59161d0a5281743f96e7738ad97fe1cd4 #12803
116 Follow-up to 09230127589eccc7e01c1a7217787ef8e64f3328 #12540
117 Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
119 Reviewed-by: Daniel Stenberg
124 - RELEASE-NOTES: synced
126 - http: only act on 101 responses when they are HTTP/1.1
128 For 101 responses claiming to be any other protocol, bail out. This
131 Add test 1704 to verify.
133 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66184
138 - _VARIABLES.md: add missing 'be' into the sentence
144 - mqtt, remove remaining use of data->state.buffer
150 - x509asn1: switch from malloc to dynbuf
154 - x509asn1: make utf8asn1str() use dynbuf instead of malloc + memcpy
158 - x509asn1: reduce malloc in Curl_extract_certinfo
166 - THANKS: add Alexander Bartel and Brennan Kinney
174 - krb5: add prototype to silence clang warnings on mvsnprintf()
178 Follow-up to 09230127589eccc7 which made the warning appear
180 Assisted-by: Viktor Szakats
183 - x509asn1: remove code for WANT_VERIFYHOST
187 Follow-up to 78d6232f1f326b9ab4d
191 - socks: reduce the buffer size to 600 (from 8K)
200 - file+ftp: use stack buffers instead of data->state.buffer
204 - vtls: receive max buffer
206 - do not only receive one TLS record, but try to fill
208 - consider <4K remaning space is "filled".
214 - docs: do not start lines/sentences with So, But nor And
218 - docs: remove spurious ampersands from markdown
222 Follow-up to eefcc1bda4bccd800f5a5
228 - sasl: make login option string override http auth
230 - Use http authentication mechanisms as a default, not a preset.
232 Consider http authentication options which are mapped to SASL options as
236 Prior to this change, if some HTTP auth options were given, sasl mapped
237 http authentication options to sasl ones but merged them with the login
241 CURLAUTH_BEARER as a side-effect of --oauth2-bearer, because this flag
242 maps to more than one sasl mechanisms and the latter cannot be cleared
252 - socks: use own buffer instead of data->state.buffer
258 - socks: fix generic output string to say SOCKS instead of SOCKS4
264 - test742: test SOCKS5 with max length user, password and hostname
266 Adjusted the socksd server accordingly to allow for configuring that
273 - ssh: use stack scratch buffer for seeks
275 - instead of data->state.buffer
281 - krb5: access the response buffer correctly
285 Folllow-up to c2d973627bab12ab
286 Pointed-out-by: Stefan Eissing
291 - mqtt: use stack scratch buffer for recv+publish
293 - instead of data->state.buffer
297 - telnet, use stack scratch buffer for do
299 - instead of data->state.buffer
303 - http, use stack scratch buffer
305 - instead of data->state.buffer
309 - ntlm_wb: do not use data->state.buf any longer
313 - gitignore: the generated `libcurl-symbols.md`
319 - tool: fix the listhelp generation command
321 The previous command line to generate the tool_listhelp.c source file
325 comment in the file to mention the right procedure.
329 - http: check for "Host:" case insensitively
331 When checking if the user wants to replace the header, the check should
334 Adding test 461 to verify
336 Found-by: Dan Fandrich
342 - configure: add libngtcp2_crypto_boringssl detection
344 If OpenSSL is found to be BoringSSL or AWS-LC, and ngtcp2 is requested,
345 try to detect libngtcp2_crypto_boringssl.
347 Reported-by: ウさん
353 - http: remove comment reference to a removed solution
355 Follow-up to 58974d25d
361 - pytest: Scorecard tracking CPU and RSS
367 - GHA: bump ngtcp2, gnutls, mod_h2, quiche
369 - ngtcp2 to v1.2.0
370 - gnutls to 3.8.3
371 - mod_h2 to 2.0.26
372 - quiche to 0.20.0
381 - ftpserver.pl: send 213 SIZE response without spurious newline
383 - pingpong: stop using the download buffer
389 final line is left first in the recvbuf for the protocols to parse at
395 - gen.pl: remove bold from .IP used for ##
397 Reported-by: Viktor Szakats
403 - cmake: rework options to enable curl and libcurl docs
407 - rename `ENABLE_MANUAL` to `ENABLE_CURL_MANUAL`, meaning:
408 to build man page and built-in manual for curl tool.
410 - rename `BUILD_DOCS` to `BUILD_LIBCURL_DOCS`, meaning:
411 to build man pages for libcurl.
413 - `BUILD_LIBCURL_DOCS` now works without having to enable
416 - drop support for existing CMake-level `USE_MANUAL` option to avoid
417 confusion. (It used to work with the effect of current
420 Assisted-by: Richard Levitte
426 - urlapi: remove assert
434 Follow-up to 4cfa5bcc9a
436 Reported-by: promptfuzz_ on hackerone
441 - tests: avoid int/size_t conversion size/sign warnings
447 - GHA: add a job scanning for "bad words" in markdown
449 This means words, phrases or things we have decided not to use - words that
450 are spelled right according to the dictionary but we want to avoid. In the
457 - cmake: speed up curldown processing, enable by default
459 - cmake: enable `BUILD_DOCS` by default (this controls converting and
462 - cmake: speed up generating `.3` files by using a single command per
465 in resulting in 500 -one per file- external `-E touch_nocreate` calls.)
467 - cd2nroff: add ability to process multiple input files.
469 - cd2nroff: add `-k` option to use the source filename to form the
470 output filename. (instead of the default in-file `Title:` line.)
472 Follow-up to 3f08d80b2244524646ce86915c585509ac54fb4c
473 Follow-up to ea0b575dab86a3c44dd1d547dc500276266aa382 #12753
474 Follow-up to eefcc1bda4bccd800f5a56a0fe17a2f44a96e88b #12730
480 - docs: install curl.1 with cmake as well
486 - osslq: remove the TLS library from the version output
493 Reported-by: Viktor Szakats
498 - CI: remove unnecessary OpenSSL 3 option `enable-tls1_3`
500 .. and switch OpenSSL 3 libdir from lib64 to lib for consistency.
504 - GHA: bump nghttp2 version to v1.59.0
506 - Switch to v1.59.0 for GHA CI jobs that use a specific nghttp2-version.
512 - RELEASE-NOTES: synced
514 - docs/cmdline: change to .md for cmdline docs
516 - switch all invidual files documenting command line options into .md,
517 as the documentation is now markdown-looking.
519 - made the parser treat 4-space indents as quotes
521 - switch to building the curl.1 manpage using the "mainpage.idx" file,
522 which lists the files to include to generate it, instead of using the
523 previous page-footer/headers. Also, those files are now also .md
524 ones, using the same format. I gave them underscore prefixes to make
531 - updated test cases accordingly
537 - CI: bump actions/cache from 3 to 4
539 Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
540 - [Release notes](https://github.com/actions/cache/releases)
541 - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
542 - [Commits](https://github.com/actions/cache/compare/v3...v4)
544 ---
545 updated-dependencies:
546 - dependency-name: actions/cache
547 dependency-type: direct:production
548 update-type: version-update:semver-major
551 Signed-off-by: dependabot[bot] <support@github.com>
556 - openssl: when verifystatus fails, remove session id from cache
558 To prevent that it gets used in a subsequent transfer that skips the
562 Reported-by: Hiroki Kurosawa
567 - cmake: add option to disable building docs
571 - cmake: use curldown to build man pages
573 This throws away the previous HTML and PDF producers, to mimic what
580 - mksymbolsmanpage.pl: provide references to where the symbol is used
582 - docs: introduce "curldown" for libcurl man page format
587 - Each file has a set of leading headers with meta-data
588 - Supports a small subset of markdown
589 - Uses .md file extensions for editors/IDE/GitHub to treat them nicely
590 - Generates man pages very similar to the previous ones
591 - Generates man pages that still convert nicely to HTML on the website
592 - Detects and highlights mentions of curl symbols automatically (when
597 - cd2nroff: converts from curldown to nroff man page
598 - nroff2cd: convert an (old) nroff man page to curldown
599 - cdall: convert many nroff pages to curldown versions
600 - cd2cd: verifies and updates a curldown to latest curldown
615 - libssh2: use `libssh2_session_callback_set2()` with v1.11.1
617 To avoid a local hack to pass function pointers and to avoid
621 ted: since libssh2 1.11.1. Use libssh2_session_callback_set2() [-Wdeprecated-
624 ted: since libssh2 1.11.1. Use libssh2_session_callback_set2() [-Wdeprecated-
627 Ref: https://github.com/curl/curl-for-win/actions/runs/7609484879/job/2072082
633 Reviewed-by: Daniel Stenberg
638 - transfer: make the select_bits_paused condition check both directions
642 Reported-by: Sergey Bronnikov
643 Bug: https://curl.se/mail/lib-2024-01/0049.html
648 - http3: initial support for OpenSSL 3.2 QUIC stack
650 - HTTP/3 for curl using OpenSSL's own QUIC stack together
652 - configure with `--with-openssl-quic` to enable curl to
654 - implementation with the following restrictions:
655 * macOS has to use an unconnected UDP socket due to an
658 This makes connections to non-reponsive servers hang.
661 in processing delays or Transfer-Encodings on proxied
665 (we have not figured out to pry that from OpenSSL).
671 - cmake: fix `ENABLE_MANUAL` option
673 Fix the `ENABLE_MANUAL` option. Set it to default to `OFF`.
675 Before this patch `ENABLE_MANUAL=ON` was a no-op, even though it was the
676 option designed to enable building and using the built-in curl manual.
679 Ref: https://github.com/curl/curl/pull/12730#issuecomment-1902572409
684 - TODO: update broken link to ratelimit-headers draft
690 - cmake: when USE_MANUAL=YES, build the curl.1 man page
696 - cmdline-opts/write-out.d: remove spurious double quotes
700 - rtsp: Convert assertion into debug log
702 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65934
704 - write excess bytes to the client where the standard excess bytes
712 - headers: remove assert from Curl_headers_push
714 The fuzzer managed to reach the function without a terminating CR or LF
717 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65839
721 - curl_easy_getinfo.3: remove the wrong time value count
730 - mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls`
732 - Silence warning in mbedTLS v3.5.1 public headers:
734 ./mbedtls/_x64-linux-musl/usr/include/psa/crypto_extra.h:489:14: warning: r
735 edundant redeclaration of 'psa_set_key_domain_parameters' [-Wredundant-decls]
736 ./mbedtls/_x64-linux-musl/usr/include/psa/crypto_struct.h:354:14: note: pre
743 - Fix compiler warnings seen with gcc 9.2.0 + cmake unity:
746 ./curl/lib/vtls/mbedtls.c:189:11: warning: null pointer dereference [-Wnull
747 -dereference]
748 189 | nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &res
753 ./curl/lib/vtls/mbedtls.c:168:14: warning: null pointer dereference [-Wnull
754 -dereference]
755 168 | nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &
761 - delete stray `#else`.
767 - docs: cleanup nroff format use
769 - remove use of .BI for code snippet
770 - stop using .br, just do a blank line
771 - remove use of .PP
772 - remove use for .sp
773 - remove backslash in .IP
774 - use .IP instead of .TP
780 - test2307: fix expected failure code after ws refactoring
787 - cf-socket: show errno in tcpkeepalive error messages
789 - If the socket keepalive options (TCP_KEEPIDLE, etc) cannot be set
792 Ref: https://github.com/curl/curl/discussions/12715#discussioncomment-8151652
796 - tool_getparam: stop supporting `@filename` style for --cookie
798 The `@filename` style was never documented for --cookie <data|filename>
799 but prior to this change curl would accept it anyway and always treat a
803 documented to be interpreted as a cookie string and not a filename.
807 `--cookie @foo=bar`
813 Other curl options with a data/filename option-value use the `@filename`
814 to distinguish filenames which is probably how this happened. The
815 --cookie option has never been documented that way.
817 Ref: https://curl.se/docs/manpage.html#-b
823 - websockets: refactor decode chain
825 - use client writer stack for decoding frames
826 - move websocket protocol handler to ws.c
830 - websockets: check for negative payload lengths
832 - in en- and decoding, check the websocket frame payload lengths for
834 - add test 2307 to verify
840 - docs: mention env vars not used by schannel
844 Co-authored-by: Jay Satiro <raysatiro@yahoo.com>
848 - tool_operate: make --remove-on-error only remove "real" files
850 Reported-by: Harry Sintonen
851 Assisted-by: Dan Fandrich
857 - url: don't set default CA paths for Secure Transport backend
865 - asyn-ares: with modern c-ares, use its default timeout
871 - tool_operate: stop setting the file comment on Amiga
873 - the URL is capped at 80 cols, which ruins it if longer
874 - it does not strip off URL credentials
875 - it is done unconditonally, not on --xattr
876 - we don't have Amiga in the CI which makes fixing it blindly fragile
881 Reported-by: Harry Sintonen
886 - rtsp: deal with borked server responses
888 - enforce a response body length of 0, if the
889 response has no Content-lenght. This is according
890 to the RTSP spec.
891 - excess bytes in a response body are forwarded to
895 Follow-up to d7b6ce6
901 - version: show only the libpsl version, not its dependencies
907 Ref: https://github.com/curl/curl-for-win/issues/63
912 - curl.h: CURLOPT_DNS_SERVERS is only available with c-ares
918 - cmdline-opts/gen.pl: error on initital blank line
920 After the "---" separator, there should be no blank line and this script
926 - cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper
928 Follow-up to 693cd1679361828a which was incomplete
933 - curl_multi_fdset.3: remove mention of null pointer support
939 Reported-by: sfan5 on github
944 - docs/cmdline: remove unnecessary line breaks
950 - transfer: remove warning: Value stored to 'blen' is never read
952 Detected by scan-build
954 Follow-up from 1cd2f0072f
960 - lib: replace readwrite with write_resp
967 they refer to the connect or the client/application side of a
976 - CURLcode (*readwrite)(struct Curl_easy *data, struct connectdata *conn,
977 - const char *buf, size_t blen,
978 - size_t *pconsumed, bool *readmore);
984 The name was changed to clarify that this writes reponse data to the
987 * `conn` removed as it always operates on `data->conn`
988 * `pconsumed` removed as the method needs to handle all data on success
991 response (end-of-stream).
992 * `done` TRUE on return iff the transfer response is to be treated as
1002 body. `Curl_http_write_resp_hds()` is used internally to parse the
1009 writers to verify that they are in a valid end state. The chunked
1032 All raw response data needs to pass through this function. Which also
1040 - RELEASE-NOTES: synced
1042 - TODO: TFTP doesn't convert LF to CRLF for mode=netascii
1047 - gen: do italics/bold for a range of letters, not just single word
1049 Previously it would match only on a sequence of non-space, which made it
1050 miss to highlight for example "public suffix list".
1052 Updated the recent cookie.d edit from 5da57193b732 to use bold instead
1057 - docs: describe and highlight super cookies
1059 Reported-by: Yadhu Krishna M
1063 - configure: when enabling QUIC, check that TLS supports QUIC
1067 BoringSSL, libressl, AWS-LC and quictls do.
1076 - vquic: extract TLS setup into own source
1078 - separate ngtcp2 specific parts out
1079 - provide callback during init to allow ngtcp2 to apply its defaults
1085 - multi: remove total timer reset in file_do() while fetching file://
1090 timer. Otherwise, the total time is always less than the pre-transfer
1097 - http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT
1099 Extended test 80 to verify this.
1101 Reported-by: Stefan Eissing
1105 - sectransp: do verify_cert without memdup for blobs
1112 - hsts: remove assert for zero length domain
1117 Follow-up from cfe7902111ae547873
1119 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65661
1123 - headers: make sure the trailing newline is not stored
1125 extended test1940 to verify blank header fields too
1127 Bug: https://curl.se/mail/lib-2024-01/0019.html
1128 Reported-by: Dmitry Karpov
1131 - curl_easy_header.3: tiny language fix
1135 - examples/range.c: add
1139 - examples/netrc.c: add
1143 - examples/ipv6.c: new example showing IPv6-only internet transfer
1147 - examples/address-scope.c: renamed from ipv6.c
1155 - multi: pollset adjust, init with FIRSTSOCKET during connect
1157 - `conn->sockfd` is set by `Curl_setup_transfer()`, but that
1159 - use `conn->sock[FIRSTSOCKET]` instead
1161 Follow-up to a0f94800d507de
1166 - WEBSOCKET.md: remove dead link
1168 - CI: spellcheck/appveyor: invoke configure --without-libpsl
1170 Follow-up to 2998874bb61ac6
1172 - cmdline/docs/*.d: switch to using ## instead of .IP
1174 To make the editing easier. To write and to read.
1178 - gen.pl: support ## for doing .IP in table-like lists
1186 - cookie.d: Document use of empty string to enable cookie engine
1188 - Explain that --cookie "" can be used to enable the cookie engine
1195 Bug: https://github.com/curl/curl/issues/12643#issuecomment-1879844420
1196 Reported-by: janko-js@users.noreply.github.com
1202 - setopt: use memdup0 when cloning COPYPOSTFIELDS
1206 - telnet: use dynbuf instad of malloc for escape buffer
1213 - CI: install libpsl or configure --without-libpsl in builds
1215 As a follow-up to the stricted libpsl check in configure
1217 - configure: make libpsl detection failure cause error
1219 To force users to explictily disable it if they really don't want it
1220 used and make it harder to accidentally miss it.
1222 --without-libpsl is the option to use if PSL is not wanted.
1226 - RELEASE-NOTES: synced
1228 - pop3: replace calloc + memcpy with memdup0
1230 ... and make sure to return error on out of memory.
1234 - lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
1238 - mime: use memdup0 instead of malloc + memcpy
1242 - tool_getparam: move the --rate logic into set_rate()
1244 - tool_getparam: switch to an enum for every option
1246 To make the big switch much easier to read/understand and to make it
1247 easier to add new options.
1249 - tool_getparam: build post data using dynbuf (more)
1251 - tool_getparam: replace malloc + copy by dynbuf for --data
1253 - tool_getparam: make data_urlencode avoid direct malloc
1257 - tool_getparam: move the --url-query logic into url_query()
1261 - tool_getparam: move the --data logic into set_data()
1263 - tool_getparam: unify the cmdline switch() into a single one
1265 - easier to follow, easier to modify, easier to extend, possibly slightly
1268 - each case now has the long option as a comment
1270 - tool_getparam: bsearch cmdline options
1272 - the option names are now alpha sorted and lookup is a lot faster
1274 - use case sensitive matching. It was previously case insensitive, but that
1277 - remove "partial match" feature. It was not documented, not tested and
1281 - lookup short options via a table
1287 - COPYING: update copyright year
1293 - url: init conn->sockfd and writesockfd to CURL_SOCKET_BAD
1295 Also add more tracing to test 19
1297 Follow-up to a0f9480
1304 - connect: remove margin from eyeballer alloc
1310 - ftp: only consider entry path if it has a length
1312 Follow-up from 8edcfedc1a144f438bd1cdf814a0016cb
1314 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65631
1322 - transfer: adjust_pollset improvements
1324 - let `multi_getsock()` initialize the pollset in what the
1325 transfer state requires in regards to SEND/RECV
1326 - change connection filters `adjust_pollset()` implementation
1327 to react on the presence of POLLIN/-OUT in the pollset and
1329 - cf-socket will no longer add POLLIN on its own
1330 - http2 and http/3 filters will only do adjustments if the
1331 passed pollset wants to POLLIN/OUT for the transfer on
1332 the socket. This is similar to the HTTP/2 proxy filter
1339 - ftp: use memdup0 to store the OS from a SYST 215 response
1345 - ftp: use dynbuf to store entrypath
1353 - wolfssl: load certificate *chain* for PEM client certs
1359 - http: adjust_pollset fix
1361 do not add a socket for POLLIN when the transfer does not want to send
1364 Follow-up to 47f5b1a
1366 Reported-by: bubbleguuum on github
1372 - tool: make parser reject blank arguments if not supported
1380 - build(deps): bump github/codeql-action from 2 to 3
1382 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2
1383 to 3.
1384 - [Release notes](https://github.com/github/codeql-action/releases)
1385 - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
1386 - [Commits](https://github.com/github/codeql-action/compare/v2...v3)
1388 ---
1389 updated-dependencies:
1390 - dependency-name: github/codeql-action
1391 dependency-type: direct:production
1392 update-type: version-update:semver-major
1395 Signed-off-by: dependabot[bot] <support@github.com>
1399 - build(deps): bump actions/checkout from 3 to 4
1401 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
1402 - [Release notes](https://github.com/actions/checkout/releases)
1403 - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
1404 - [Commits](https://github.com/actions/checkout/compare/v3...v4)
1406 ---
1407 updated-dependencies:
1408 - dependency-name: actions/checkout
1409 dependency-type: direct:production
1410 update-type: version-update:semver-major
1413 Signed-off-by: dependabot[bot] <support@github.com>
1417 - build(deps): bump actions/upload-artifact from 3 to 4
1419 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) f
1420 rom 3 to 4.
1421 - [Release notes](https://github.com/actions/upload-artifact/releases)
1422 - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)
1424 ---
1425 updated-dependencies:
1426 - dependency-name: actions/upload-artifact
1427 dependency-type: direct:production
1428 update-type: version-update:semver-major
1431 Signed-off-by: dependabot[bot] <support@github.com>
1435 - build(deps): bump actions/download-artifact from 3 to 4
1437 Bumps [actions/download-artifact](https://github.com/actions/download-artifac
1438 t) from 3 to 4.
1439 - [Release notes](https://github.com/actions/download-artifact/releases)
1440 - [Commits](https://github.com/actions/download-artifact/compare/v3...v4)
1442 ---
1443 updated-dependencies:
1444 - dependency-name: actions/download-artifact
1445 dependency-type: direct:production
1446 update-type: version-update:semver-major
1449 Signed-off-by: dependabot[bot] <support@github.com>
1455 - http3/quiche: fix result code on a stream reset
1457 - fixes pytest failures in test 07_22
1458 - aligns CURLcode values on stream reset with ngtcp2
1464 - setopt: clear mimepost when formp is freed
1466 A precaution to avoid a possibly dangling pointer left behind.
1468 Reported-by: Thomas Ferguson
1474 - CI: Add dependabot.yml
1476 This will cause dependabot to open a PR when various actions are
1483 - content_encoding: change return code to typedef'ed enum
1485 ... to work around a clang ubsan warning.
1492 - tool: prepend output_dir in header callback
1494 When Content-Disposition parsing is used and an output dir is prepended,
1495 make sure to store that new file name correctly so that it can be used
1496 for setting the file timestamp when --remote-time is used.
1498 Extended test 3012 to verify.
1500 Co-Authored-by: Jay Satiro
1501 Reported-by: hgdagon on github
1505 - test1254: fix typo in name plus shorten it
1507 - RELEASE-NOTES: synced
1511 - schannel: fix `-Warith-conversion` gcc 13 warning
1514 lib/vtls/schannel.c:1201:22: warning: conversion to 'unsigned int' from 'int'
1515 may change the sign of the result [-Warith-conversion]
1522 - asyn-thread: silence `-Wcast-align` warning for Windows
1526 lib/asyn-thread.c:310:5: warning: cast from 'PCHAR' (aka 'char *') to 'struct
1527 thread_sync_data *' increases required alignment from 1 to 8 [-Wcast-align]
1532 .../llvm-mingw/aarch64-w64-mingw32/include/winnt.h:717:48: note: expanded fro
1535 ss) - (ULONG_PTR)(&((type *)0)->field)))
1540 Follow-up to a6bbc87f9e9ffb46a1801dfb983e7534825ed56b #12482
1542 Ref: https://github.com/curl/curl/pull/12482#issuecomment-1873017261
1547 - tool_listhelp: regenerate after recent .d updates
1553 - test1478: verify src/tool_listhelp.c
1555 Verify that the source file on disk is identical to the output of gen.pl
1560 - testutil: make runtests support %include
1567 - runtests: for mode="text" on <stdout>, fix newlines on both parts
1573 - quiche: return CURLE_HTTP3 on send to invalid stream
1575 Prior to this change if a send failed on a stream in an invalid state
1576 (according to quiche) and not marked as closed (according to libcurl)
1579 We already have similar code for ngtcp2 to return CURLE_HTTP3 in this
1589 - cmdline-opts: update availability for the *-ca-native options
1595 - openldap: fix STARTTLS
1599 Also do not attempt to recover from a failing TLS negotiation with
1606 - haproxy-clientip.d: document the arg
1614 - configure: fix no default int compile error in ipv6 detection
1620 - CI: Fix use of any-glob-to-all-files in the labeler
1622 Despite its name, this atom acts like one-glob-to-all-files and a
1623 different syntax with braces must be used to get
1624 any-glob-to-all-files semantics. Unfortunately, this makes the file
1631 - CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
1633 - CURLINFO_REFERER.3: clarify that it is the *request* header
1641 - system_win32: fix a function pointer assignment warning
1643 - Use CURLX_FUNCTION_CAST to suppress a function pointer assignment
1648 about that as breaking strict-aliasing rules so this PR changes those
1649 assignments to use CURLX_FUNCTION_CAST.
1651 Bug: https://github.com/curl/curl/pull/12581#issuecomment-1869804317
1652 Reported-by: Marcel Raad
1656 - verify-examples.pl: fail verification on unescaped backslash
1658 - Check that all backslashes in EXAMPLE are properly escaped.
1662 This is because the manpage requires we always double blackslash to show
1663 a single backslash. Prior to this change an erroneous single backslash
1667 Co-authored-by: Daniel Stenberg
1673 - vtls: fix missing multissl version info
1675 - Fix erroneous buffer copy logic from ff74cef5.
1677 Prior to this change the MultiSSL version info returned to the user
1684 - KNOWN_BUGS: [RTSP] Some methods do not support response bodies
1690 - openldap: fix an LDAP crash
1692 Reported-by: Ozan Cansel
1698 - getinfo: CURLINFO_QUEUE_TIME_T
1703 etc due to set conditions and limits imposed by the application.
1708 - RELEASE-NOTES: synced
1712 - examples/sendrecv: fix comment line length
1718 - CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example
1720 - Escape inner quotes with two backslashes.
1731 - appveyor: tidy-ups
1733 - replace two remaining backslashes with forward slashes.
1734 - tidy up the way we form and pass `TFLAGS`.
1736 Follow-up to 2d4d0c1fd32f5cc3f946c407c8eccd5477b287df #12572
1742 - transfer: fix upload rate limiting, add test cases
1744 - add test cases for rate limiting uploads for all
1746 - fix transfer loop handling of limits. Signal a re-receive
1748 - fix `data->state.selectbits` forcing re-receive to also
1749 set re-sending when transfer is doing this.
1751 Reported-by: Karthikdasari0423 on github
1757 - mbedtls: free the entropy when threaded
1759 The entropy_free was never done for threaded builds, causing a small
1762 Reported-by: RevaliQaQ on github
1768 - http2: improved on_stream_close/data_done handling
1770 - there seems to be a code path that cleans up easy handles without
1771 triggering DONE or DETACH events to the connection filters. This
1773 - add GOOD check to easy handle used in on_close_callback to
1775 - NULL the stream user data early before submitting RST
1776 - add checks in on_stream_close() to identify UNGOOD easy handles
1778 Reported-by: Hans-Christian Egtvedt
1784 - mprintf: overhaul and bugfixes
1787 %-codes per call, this version is around 30% faster than previous
1791 given unknown %-sequences. Fixing that flaw required a different take on
1792 the problem, which resulted in the new two-arrays model.
1794 lib557: extended - Verify the #12561 fix and test more printf features
1804 - appveyor: replace PowerShell with bash + parallel autotools
1807 it stuck and kept causing unresolvable usability issues: With
1812 has been improved in 7.2 (2021-Nov), but fixed versions aren't running
1818 - use `-j2` with autotools tests, making them finish 5-15 minutes per
1820 - omit `POSIX_PATH_PREFIX`.
1821 - use `WINDIR`.
1822 - prefer forward slashes.
1824 Follow-up to: 75078a415d9c769419aed4153d3d525a8eba95af #11999
1832 - asyn-thread: use GetAddrInfoExW on >= Windows 8
1842 - strerror: repair get_winsock_error()
1844 It would try to read longer than the provided string and crash.
1846 Follow-up to ff74cef5d4a0cf60106517a1c7384
1847 Reported-by: calvin2021y on github
1851 - CURLOPT_SSH_*_KEYFILE: clarify
1857 - ngtcp2: put h3 at the front of alpn
1863 - test460: verify a command line using --expand with no argument
1867 - tool_getparam: do not try to expand without an argument
1869 This would lead to a segfault.
1872 Reported-by: Geeknik Labs
1875 - RELEASE-NOTES: synced
1877 Bumped version to 8.6.0 because of changes
1879 - Makefile.am: fix the MSVC project generation
1885 Reported-by: iAroc on github
1891 - altsvc: free 'as' when returning error
1895 Signed-off-by: zengwei <zengwei1@uniontech.com>
1899 - build: fix `-Wconversion`/`-Wsign-conversion` warnings
1904 Silence a toolchain issue causing warnings in `FD_SET()` calls with
1905 older Cygwin/MSYS2 builds. Likely fixed on 2020-08-03 by:
1906 https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=5717262b8ecfed0f7f
1909 Follow-up to 2dbe75bd7f3c36837aa06fd87a442bdf3fb7faef #12492
1913 - build: fix some `-Wsign-conversion`/`-Warith-conversion` warnings
1915 - enable `-Wsign-conversion` warnings, but also setting them to not
1917 - fix `-Warith-conversion` warnings seen in CI.
1918 These are triggered by `-Wsign-converion` and causing errors unless
1919 explicitly silenced. It makes more sense to fix them, there just a few
1921 - fix some `-Wsign-conversion` warnings.
1922 - hide `-Wsign-conversion` warnings with a `#pragma`.
1923 - add macro `CURL_WARN_SIGN_CONVERSION` to unhide them on a per-build
1925 - update a CI job to unhide them with the above macro:
1926 https://github.com/curl/curl/actions/workflows/linux.yml -> OpenSSL -O3
1930 - cmake: tidy-up `OtherTests.cmake`
1932 - make more obvious which detection uses which prep steps.
1933 - merge and streamline conditions.
1934 - these should not alter detection results.
1941 - appveyor: switch to out-of-tree builds
1949 - DEPRECATE.md: mention that NTLM_WB no longer works
1954 - CURLOPT_SERVER_RESPONSE_TIMEOUT_MS: add
1956 Proposed-by: Yifei Kong
1957 Ref: https://curl.se/mail/lib-2023-11/0023.html
1962 - build: more `-Wformat` fixes
1964 - memdebug: update to not trigger `-Wformat-nonliteral` warnings.
1965 - imap: mark `imap_sendf()` with `CURL_PRINTF()`.
1966 - tool_msgs: mark static function with `CURL_PRINTF()`.
1968 Follow-up to 3829759bd042c03225ae862062560f568ba1a231 #12489
1972 - windows: delete redundant headers
1982 - cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE`
1984 Also add missing include to `OtherTests.cmake`. It didn't cause an issue
1991 - runner.pm: fix perl warning when running tests
1996 Follow-up from 3dcf301752a09d9
2000 - runtests: support -gl. Like -g but for lldb.
2002 Follow-up to 63b5748
2009 - curl.h: add CURLE_TOO_LARGE
2011 A new error code to be used when an internal field grows too large, like
2018 - CI/circleci: disable MQTT in the HTTP-only build
2026 - tests: respect $TMPDIR when creating unix domain sockets
2029 failed, since the server config tried creating sockets in /tmp, without
2030 checking the temp dir config. Use the TMPDIR variable that makes it find
2039 - ssh: fix namespace of two local macros
2044 Follow-up to 413a0fedd02c8c6df1d294534b8c6e306fcca7a2 #12346
2046 Reviewed-by: Daniel Stenberg
2049 - cmake: whitespace tidy-up in `OtherTests.cmake`
2055 - cmake: fix generation for system name iOS
2058 the `CMAKE_SYSTEM_NAME` set to `iOS` and not `Darwin`. This value is
2060 (thanks to @vszakats) is to use `APPLE` which contains all the Apple
2064 `vcpkg install curl:arm64-ios` and `vcpkg install curl:x64-ios` failed
2067 CMake Error: try_run() invoked in cross-compiling mode, please set the follow
2071 After this fix, I was able to compile the compile the binary without
2074 In addition to that fix, this PR also contains an simplification to
2077 Co-authored-by: Viktor Szakats
2082 - RELEASE-NOTES: synced
2086 - gnutls: fix build with --disable-verbose
2088 infof() parameters must be defined event with --disable-verbose since
2108 - build: delete unused `HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}`
2113 Reviewed-by: Daniel Stenberg
2116 - build: remove redundant `CURL_PULL_*` settings
2118 These macros were not propagated to the source code from CMake.
2120 autotools set only one of them (`CURL_PULL_SYS_POLL_H`), initially to
2122 [2] without the logic it enabled. A subsequent fix [3] re-added the
2126 [1] 2012-11-23: 665adcd4b7bcdb7deb638cdc499fbe71f8d777f2
2127 [2] 2017-03-29: 9506d01ee50d5908138ebad0fd9fbd39b66bd64d #1373
2128 [3] 2017-08-25: 8a84fcc4b59e8b78d2acc6febf44a43d6bc81b59 #1828 #1833
2130 Reviewed-by: Daniel Stenberg
2133 - system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers
2137 makes it unnecessary to make a mingw-specific trick and pull all Windows
2138 headers early just for this type definition. This type is specific to
2139 Windows, not to the compiler. mingw-w64's Windows header maps it to
2144 [ The official solution is to use `socklen_t` for all Windows compilers.
2145 In this case we may want to update `curl/curl.h` to pull in Windows
2148 Reviewed-by: Daniel Stenberg
2149 Reviewed-by: Jay Satiro
2152 - windows: simplify detecting and using system headers
2154 - autotools, cmake: assume that if we detect Windows, `windows.h`,
2156 - lib: fix 3 outlier `#if` conditions to use `USE_WINSOCK` instead of
2158 - autotools: merge 3 Windows check methods into one.
2159 - move Watt-32 and lwIP socket support to `setup-win32.h` from
2160 `config-win32.h`. It opens up using these with all build tools. Also
2162 - fix to assume Windows sockets with the mingw32ce toolchain.
2163 Follow-up to: 2748c64d605b19fb419ae56810ad8da36487a2d4
2164 - cmake: delete unused variable `signature_call_conv` since
2166 - autotools: simplify `CURL_CHECK_WIN32_LARGEFILE` detection.
2167 - examples/externalsocket: fix header order.
2168 - cmake/OtherTests.cmake: delete Windows-specific `_source_epilogue`
2170 - cmake/OtherTests.cmake: set `WIN32_LEAN_AND_MEAN` for test
2173 After this patch curl universally uses `_WIN32` to guard
2174 Windows-specific logic. It guards Windows Sockets-specific logic with
2177 Reviewed-by: Jay Satiro
2180 - build: enable missing OpenSSF-recommended warnings, with fixes
2182 https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening
2183 -Guide-for-C-and-C++.html
2184 as of 2023-11-29 [1].
2186 Enable new recommended warnings (except `-Wsign-conversion`):
2188 - enable `-Wformat=2` for clang (in both cmake and autotools).
2189 - add `CURL_PRINTF()` internal attribute and mark functions accepting
2191 `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible
2193 https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
2194 - fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for
2195 mingw-w64 and enable it on this platform.
2196 - enable `-Wimplicit-fallthrough`.
2197 - enable `-Wtrampolines`.
2198 - add `-Wsign-conversion` commented with a FIXME.
2199 - cmake: enable `-pedantic-errors` the way we do it with autotools.
2200 Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747
2201 - lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format
2202 checks. Previously it was always disabled due to the internal `printf`
2207 - fix bug where an `set_ipv6_v6only()` call was missed in builds with
2208 `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
2209 - add internal `FALLTHROUGH()` macro.
2210 - replace obsolete fall-through comments with `FALLTHROUGH()`.
2211 - fix fallthrough markups: Delete redundant ones (showing up as
2213 - silence `-Wformat-nonliteral` warnings with llvm/clang.
2214 - fix one `-Wformat-nonliteral` warning.
2215 - fix new `-Wformat` and `-Wformat-security` warnings.
2216 - fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its
2217 definition to `lib/curl_setup.h` allowing use in `tests/server`.
2218 - lib: fix two wrongly passed string arguments in log outputs.
2219 Co-authored-by: Jay Satiro
2220 - fix new `-Wformat` warnings on mingw-w64.
2222 [1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895b
2223 fc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-
2224 Hardening-Guide-for-C-and-C%2B%2B.md
2228 - Makefile.mk: drop Windows support
2230 And DLL-support with it. This leaves `Makefile.mk` for MS-DOS and Amiga.
2235 Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806
2236 Reviewed-by: Daniel Stenberg
2241 - cmdline-docs: use .IP consistently
2243 Remove use of .TP and some .B. The idea is to reduce nroff syntax as
2244 much as possible and to use it consistently. Ultimately, we should be
2245 able to introduce our own easier-to-use-and-read syntax/formatting and
2252 - http: fix off-by-one error in request method length check
2260 - curl: show ipfs and ipns as supported "protocols"
2262 They are accepted schemes in URLs passed to curl (the tool, not the
2265 Also makes curl-config show the same list.
2267 Co-Authored-by: Jay Satiro
2268 Reported-by: Chara White
2269 Bug: https://curl.se/mail/archive-2023-12/0026.html
2272 - Revert "urldata: move async resolver state from easy handle to connectdata"
2276 We want the c-ares channel to be held in the easy handle, not per
2277 connection - for performance.
2283 - openssl: re-match LibreSSL deinit with init
2285 Earlier we switched to use modern initialization with LibreSSL v2.7.0
2290 [1] https://github.com/curl/curl/pull/11611#issuecomment-1668654014
2292 Reported-by: Mike Hommey
2293 Reviewed-by: Daniel Stenberg
2299 - libssh: supress warnings without version check
2303 Follow-up from d21bd2190c46ad7fa
2307 - hostip: return error immediately when Curl_ip2addr() fails
2313 - libssh: improve the deprecation warning dismissal
2318 libssh provides a way to disable the deprecation warnings for libssh only, an
2322 This commit uses that, to prevent the erroneous hiding of potential, unrelate
2331 - test1474: removed
2336 - readwrite_data: loop less
2338 This function is made to loop in order to drain incoming data
2344 - it might call the progress callback much more seldom. Especially if
2347 - rate limiting becomes less exact
2349 - a single transfer might "starve out" other parallel transfers
2351 - QUIC timers for other connections can't be maintained correctly
2353 The long term fix should be to remove the loop and optimize coming back
2354 to avoid the transfer speed penalty.
2356 This fix lower the max loop count to reduce the starvation problem, and
2357 avoids the loop completely for when rate-limiting is in progress.
2360 Ref: https://curl.se/mail/lib-2023-12/0012.html
2365 - lib: eliminate `conn->cselect_bits`
2367 - use `data->state.dselect_bits` everywhere instead
2368 - remove `bool *comeback` parameter as non-zero
2369 `data->state.dselect_bits` will indicate that IO is
2374 - connect: refactor `Curl_timeleft()`
2376 - less local vars, "better" readability
2377 - added documentation
2383 - cookie: avoid fopen with empty file name
2389 - tests/server: delete workaround for old-mingw
2391 mingw-w64 1.0 comes with w32api v3.12, thus doesn't need this.
2393 Follow-up to 38029101e2d78ba125732b3bab6ec267b80a0e72 #11625
2395 Reviewed-by: Jay Satiro
2398 - cmake: delete obsolete TODOs more [ci skip]
2400 - manual completed: 898b012a9bf388590c4be7f526815b5ab74feca1 #1288
2401 - soname completed: 5de6848f104d7cb0017080e31216265ac19d0dde #10023
2402 - bunch of others that are completed
2403 - `NTLM_WB_ENABLED` is implemented in a basic form, and now also
2406 And this 'to-check' item:
2408 Q: "The cmake build selected to run gcc with -fPIC on my box while the
2420 autotools supports the double-pass mode only, and in that case
2421 CMake seems to match PIC behaviour now (as tested on Linux with gcc.)
2423 Follow-up to 5d5dfdbd1a6c40bd75e982b66f49e1fa3a7eeae7 #12500
2425 Reviewed-by: Jay Satiro
2430 - CLIENT-WRITERS: design and use documentation
2436 - cmake: delete obsolete TODO items [ci skip]
2438 There is always room for improvement, but CMake is up to par now with
2439 autotools, so there is no longer a good reason to keep around these
2444 Q: "The gcc command line use neither -g nor any -O options. As a
2445 developer, I also treasure our configure scripts's --enable-debug
2448 A: CMake offers the `CMAKE_BUILD_TYPE` variable to control debug info
2450 - `Release` = `-O3` + no debug info
2451 - `MinSizeRel` = `-Os` + no debug info
2452 - `Debug` = `-O0` + debug info
2454 https://stackoverflow.com/questions/48754619/what-are-cmake-build-type-deb
2455 ug-release-relwithdebinfo-and-minsizerel/59314670#59314670
2456 https://cmake.org/cmake/help/latest/manual/cmake-buildsystem.7.html#defaul
2457 t-and-custom-configurations
2466 - CONNECTION-FILTERS: update documentation
2472 - lib: reduce use of strncpy
2474 - bearssl: select cipher without buffer copies
2475 - http_aws_sigv4: avoid strncpy, require exact timestamp length
2476 - http_aws_sigv4: use memcpy isntead of strncpy
2477 - openssl: avoid strncpy calls
2478 - schannel: check for 1.3 algos without buffer copies
2479 - strerror: avoid strncpy calls
2480 - telnet: avoid strncpy, return error on too long inputs
2481 - vtls: avoid strncpy in multissl_version()
2485 - CI/distcheck: run full tests
2487 To be able to detect missing files better, this now runs the full CI
2493 - docs: clean up Protocols: for cmdline options
2499 - cmdline/gen: fix the sorting of the man page options
2502 extension, making "data" get placed after "data-binary" etc. Making the
2505 Reported-by: Boris Verkhovskiy
2506 Bug: https://curl.se/mail/archive-2023-12/0014.html
2511 - doh: remove unused local variable
2520 - build: fix Windows ADDRESS_FAMILY detection
2522 - Include winsock2.h for Windows ADDRESS_FAMILY detection.
2524 Prior to this change cmake detection didn't work because it included
2527 Prior to this change autotools detection didn't work because it did not
2533 Co-authored-by: Viktor Szakats
2539 - lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
2548 - convsrctest.pl: removed: not used, not shipped in tarballs
2550 - tests: rename tests scripts to the test number
2552 It is hard to name the scripts sensibly. Lots of them are similarly
2555 The new approach is rather to name them based on the test number that
2559 - badsymbols.pl -> test1167.pl
2560 - check-deprecated.pl -> test1222.pl
2561 - check-translatable-options.pl -> test1544.pl
2562 - disable-scan.pl -> test1165.pl
2563 - error-codes.pl -> test1175.pl
2564 - errorcodes.pl -> test1477.pl
2565 - extern-scan.pl -> test1135.pl
2566 - manpage-scan.pl -> test1139.pl
2567 - manpage-syntax.pl -> test1173.pl
2568 - markdown-uppercase.pl -> test1275.pl
2569 - mem-include-scan.pl -> test1132.pl
2570 - nroff-scan.pl -> test1140.pl
2571 - option-check.pl -> test1276.pl
2572 - options-scan.pl -> test971.pl
2573 - symbol-scan.pl -> test1119.pl
2574 - version-scan.pl -> test1177.pl
2580 - sendf: fix compiler warning with CURL_DISABLE_HEADERS_API
2583 referenced - when CURL_DISABLE_HEADERS_API is defined.
2589 - tidy-up: whitespace
2595 - test_02_download: fix paramters to test_02_27
2597 - it is a special client that only ever uses http/2
2603 - vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY
2609 - lib: strndup/memdup instead of malloc, memcpy and null-terminate
2611 - bufref: use strndup
2612 - cookie: use strndup
2613 - formdata: use strndup
2614 - ftp: use strndup
2615 - gtls: use aprintf instead of malloc + strcpy * 2
2616 - http: use strndup
2617 - mbedtls: use strndup
2618 - md4: use memdup
2619 - ntlm: use memdup
2620 - ntlm_sspi: use strndup
2621 - pingpong: use memdup
2622 - rtsp: use strndup instead of malloc, memcpy and null-terminate
2623 - sectransp: use strndup
2624 - socks_gssapi.c: use memdup
2625 - vtls: use dynbuf instead of malloc, snprintf and memcpy
2626 - vtls: use strdup instead of malloc + memcpy
2627 - wolfssh: use strndup
2631 - strdup: remove the memchr check from Curl_strndup
2633 It makes it possible to clone a binary chunk of data.
2637 - ftp: handle the PORT parsing without allocation
2643 - RELEASE-NOTES: synced
2645 Bumped to 8.5.1
2647 - url: for disabled protocols, mention if found in redirect
2649 To help users better understand where the URL (and denied scheme) comes
2664 Reported-by: Mauricio Scheffer
2670 - sectransp_ make TLSCipherNameForNumber() available in non-verbose config
2672 Reported-by: Cajus Pollmeier
2678 - lib: fix variable undeclared error caused by `infof` changes
2680 `--disable-verbose` yields `CURL_DISABLE_VERBOSE_STRINGS` defined.
2683 Follow-up to dac293c
2689 - tidy-up: fix yamllint whitespace issues in labeler.yml
2691 Follow-up to bda212911457c6fadfbba50be61afc4ca513fa56 #12466
2693 Reviewed-by: Dan Fandrich
2696 - tidy-up: fix yamllint whitespace issues
2702 - cmake: fix typo
2704 Follow-up to aace27b
2709 - dist: add tests/errorcodes.pl to the tarball
2713 Reported-by: Xi Ruoyao
2714 Follow-up to 0ca3a4ec9a7
2720 - github/labeler: update a missed key in the v5 upgrade
2722 Follow-up to ce03fe3ba
2728 - RELEASE-NOTES: synced
2734 - github/labeler: switch from the beta to labeler v5
2742 - DEPRECATE: remove NTLM_WB in June 2024
2744 Ref: https://curl.se/mail/lib-2023-12/0010.html
2748 Jacob Hoffman-Andrews (4 Dec 2023)
2750 - rustls: implement connect_blocking
2756 - examples/rtsp-options.c: add
2759 CURLOPT_RTSP_REQUEST set to CURL_RTSPREQ_OPTIONS.
2765 - ngtcp2: ignore errors on unknown streams
2767 - expecially in is_alive checks on connections, we might
2769 leading to errors reported by nghttp3. Ignore those.
2775 - docs: make all examples in all libcurl man pages compile
2779 - checksrc.pl: support #line instructions
2783 - GHA/man-examples: verify libcurl man page examples
2785 - verify-examples.pl: verify that all man page examples compile clean
2787 - RELEASE-NOTES: synced
2791 - http3: bump ngtcp2 and nghttp3 versions
2800 - CI/quiche: use `3.1.4+quic` consistently in CI workflows
2806 - test1545: disable deprecation warnings
2817 .0. Use curl_mime_init() [-Werror=deprecated-declarations]
2823 Follow-up to 07a3cd83e0456ca17dfd8c3104af7cf45b7a1ff5 #12421
2830 - INSTALL: update list of ports and CPU archs
2832 - symbols-in-versions: the CLOSEPOLICY options are deprecated
2838 - build: fix builds that disable protocols but not digest auth
2840 - Build base64 functions if digest auth is not disabled.
2842 Prior to this change if some protocols were disabled but not digest auth
2843 then a build error would occur due to missing base64 functions.
2850 - connect: reduce number of transportation providers
2852 Use only the ones necessary - the ones that are built-in. Saves a few
2859 - vtls: consistently use typedef names for OpenSSL structs
2867 just to be explicit.
2876 - libcurl-security.3: fix typo
2884 - ngtcp2: fix races in stream handling
2886 - fix cases where ngtcp2 invokes callbacks on streams that
2894 - tool_writeout_json: fix JSON encoding of non-ascii bytes
2897 on the platform according to the C standard; in most platforms, they are
2902 were also signed negative, they were getting extended with 1s causing
2903 '\xe2' to be expanded to \uffffffe2, for example:
2905 $ curl --variable 'v=“' --expand-write-out '{{v:json}}\n' file:///dev/nul
2914 Reported-by: iconoclasthero
2919 - cf-socket: TCP trace output local address used in connect
2925 - CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation
2927 - Change CURLINFO_PRETRANSFER_TIME_T explanation to say that it
2928 includes protocol-specific instructions that trigger a transfer.
2930 Prior to this change it explicitly said that it did not include those
2936 Reported-by: eeverettrbx@users.noreply.github.com
2943 - multi: during ratelimit multi_getsock should return no sockets
2945 ... as there is nothing to wait for then, it just waits. Otherwise, this
2949 Ref: https://curl.se/mail/lib-2023-11/0056.html
2954 - transfer: abort pause send when connection is marked for closing
2956 This handles cases of some bi-directional "upgrade" scenarios
2965 - RELEASE-NOTES: synced
2967 - openssl: when a session-ID is reused, skip OCSP stapling
2970 Reported-by: Alexey Larikov
2973 - test1545: test doing curl_formadd twice with missing file
2979 - Curl_http_body: cleanup properly when Curl_getformdata errors
2981 Reported-by: yushicheng7788 on github
2982 Based-on-work-by: yushicheng7788 on github
2986 - test1477: verify that libcurl-errors.3 and public headers are synced
2994 - libcurl-errors.3: sync with current public headers
3000 - test459: fix for parallel runs
3002 - change warniing message to work better with varying filename
3004 - adapt test output check to new formatting
3006 Follow-up to 97ccc4479f77ba3191c6
3011 - tool_cb_prg: make the carriage return fit for wide progress bars
3014 function attempted to generate its output buffer too long so that the
3023 Reported-by: Tim Hill
3027 - tool_parsecfg: make warning output propose double-quoting
3029 When the config file parser detects a word that *probably* should be
3030 quoted, mention double-quotes as a possible remedy.
3034 Proposed-by: Jiehong on github
3040 - curl.rc: switch out the copyright symbol for plain ASCII
3044 libcurl.rc copyright symbol used to cause a "non-ascii 8-bit codepoint"
3045 warning so it was switched to ascii.
3047 Ref: https://github.com/curl/curl/commit/1ca62bb5#commitcomment-133474972
3049 Suggested-by: Robert Southee
3055 - conncache: use the closure handle when disconnecting surplus connections
3061 taint meta-data in the data handle.
3070 Reported-by: ohyeaah on github
3074 - RELEASE-NOTES: synced
3078 - quic: make eyeballers connect retries stop at weird replies
3080 - when a connect immediately goes into DRAINING state, do
3083 - When eyeballing, interpret CURLE_WEIRD_SERVER_REPLY as an
3086 - refs #11832 where connects were retried indefinitely until
3093 - CI: verify libcurl function SYNPOSIS sections
3095 With the .github/scripits/verify-synopsis.pl script
3099 - docs/libcurl: SYNSOPSIS cleanup
3101 - use the correct include file
3102 - make sure they are declared as in the header file
3103 - fix minor nroff syntax mistakes (missing .fi)
3105 These are verified by verify-synopsis.pl, which extracts the SYNPOSIS
3110 - sendf: fix comment typo
3112 - fopen: allocate the dir after fopen
3114 Move the allocation of the directory name down to after the fopen() call
3115 to allow that shortcut code path to avoid a superfluous malloc+free
3118 Follow-up to 73b65e94f35311
3124 - transfer: cleanup done+excess handling
3126 - add `SingleRequest->download_done` as indicator that
3128 - remove `stop_reading` bool from readwrite functions
3129 - move excess body handling into client download writer
3135 - fopen: create new file using old file's mode
3137 Because the function renames the temp file to the target name as a last
3142 Reported-by: Loïc Yhuel
3146 - test1476: require proxy
3148 Follow-up from 323df4261c3542
3152 - fopen: create short(er) temporary file name
3155 appending characters to the final file name.
3157 Reported-by: Maksymilian Arciemowicz
3163 - tests: git ignore generated second-hsts.txt file
3167 Follow-up to 7cb03229d9e9c5
3173 - openssl: enable `infof_certstack` for 1.1 and LibreSSL 3.6
3175 Lower the barrier to enable `infof_certstack()` from OpenSSL 3 to
3181 Follow-up to b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030
3183 Reviewed-by: Daniel Stenberg
3188 - urldata: fix typo in comment
3190 - CI: codespell
3192 The list of words to ignore is in the file
3193 .github/scripts/codespell-ignore.txt
3197 - lib: fix comment typos
3203 - test1476: verify cookie PSL mixed case
3205 - cookie: lowercase the domain names before PSL checks
3207 Reported-by: Harry Sintonen
3213 - openssl: fix building with v3 `no-deprecated` + add CI test
3215 - build quictls with `no-deprecated` in CI to have test coverage for
3218 - don't call `OpenSSL_add_all_algorithms()`, `OpenSSL_add_all_digests()`.
3221 if built with option `no-deprecated`, causing build errors:
3223 vtls/openssl.c:4097:3: error: call to undeclared function 'OpenSSL_add_all_
3225 s [-Wimplicit-function-declaration]
3226 vtls/openssl.c:4098:3: error: call to undeclared function 'OpenSSL_add_all_
3228 -Wimplicit-function-declaration]
3230 Ref: https://ci.appveyor.com/project/curlorg/curl-for-win/builds/48587418?f
3234 Bug: https://github.com/curl/curl/issues/12380#issuecomment-1822944669
3235 Reviewed-by: Alex Bozarth
3237 - vquic/curl_ngtcp2: fix using `SSL_get_peer_certificate` with
3238 `no-deprecated` quictls 3 builds.
3240 to `vtls/openssl.h` and adjusting caller code.
3243 et_peer_certificate'; did you mean 'SSL_get1_peer_certificate'? [-Wimplicit
3244 -function-declaration]
3249 - curl_ntlm_core: fix `-Wunused-parameter`, `-Wunused-variable` and
3250 `-Wunused-function` when trying to build curl with NTLM enabled but
3255 - curl.h: delete Symbian OS references
3258 via #5989. Delete references to it from public headers, because there
3259 is no fresh release to use those headers with.
3261 Reviewed-by: Dan Fandrich
3262 Reviewed-by: Jay Satiro
3265 - windows: use built-in `_WIN32` macro to detect Windows
3268 or build env defines `WIN32`, or we have to take care of it. The
3269 agreement seems to be that `_WIN32` is the preferred practice here.
3270 Make the source code rely on that to detect we're building for Windows.
3273 Windows detection, next to the official `_WIN32`. After this patch it
3277 compilers that fail to define `_WIN32`. I'm not aware of any obsolete
3279 solution is to define this macro manually.
3281 grepping for `WIN32` remains useful to discover Windows-specific code.
3285 - extend `checksrc` to ensure we're not using `WIN32` anymore.
3287 - apply minor formatting here and there.
3289 - delete unnecessary checks for `!MSDOS` when `_WIN32` is present.
3291 Co-authored-by: Jay Satiro
3292 Reviewed-by: Daniel Stenberg
3298 - url: ConnectionExists revisited
3300 - have common pattern of `if not match, continue`
3301 - revert pages long if()s to return early
3302 - move dead connection check to later since it may
3304 - check multiuse also when NOT building with NGHTTP2
3305 - for MULTIUSE bundles, verify that the inspected
3313 - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
3321 - urldata: make maxconnects a 32 bit value
3323 "2^32 idle connections ought to be enough for anybody"
3327 - FEATURES: update the URL phrasing
3334 - wolfssh: remove redundant static prototypes
3336 vssh/wolfssh.c:346:18: error: redundant redeclaration of ‘wscp_recv’ [-We
3337 rror=redundant-decls]
3341 - setopt: remove superfluous use of ternary expressions
3345 - mime: store "form escape" as a single bit
3349 - setopt: check CURLOPT_TFTP_BLKSIZE range on set
3351 ... instead of later when the transfer is about to happen.
3357 - build: add more picky warnings and fix them
3363 `-Wunused-macros` was too noisy to keep around, but fixed a few issues
3366 - autotools: reflect the more precisely-versioned clang warnings.
3367 Follow-up to 033f8e2a08eb1d3102f08c4d8c8e85470f8b460e #12324
3368 - autotools: sync between clang and gcc the way we set `no-multichar`.
3369 - autotools: avoid setting `-Wstrict-aliasing=3` twice.
3370 - autotools: disable `-Wmissing-noreturn` for MSYS gcc targets [2].
3371 It triggers in libtool-generated stub code.
3373 - lib/timeval: delete a redundant `!MSDOS` guard from a `WIN32` branch.
3375 - lib/curl_setup.h: delete duplicate declaration for `fileno`.
3377 (1999-12-29). This suggests this may not be needed anymore, but if
3378 it does, we may restore this for those specific (non-Windows) systems.
3379 - lib: delete unused macro `FTP_BUFFER_ALLOCSIZE` since
3381 - lib: delete unused macro `isxdigit_ascii` since
3383 - lib/mqtt: delete unused macro `MQTT_HEADER_LEN`.
3384 - lib/multi: delete unused macro `SH_READ`/`SH_WRITE`.
3385 - lib/hostip: add `noreturn` function attribute via new `CURL_NORETURN`
3387 - lib/mprintf: delete duplicate declaration for `Curl_dyn_vprintf`.
3388 - lib/rand: fix `-Wunreachable-code` and related fallouts [3].
3389 - lib/setopt: fix `-Wunreachable-code-break`.
3390 - lib/system_win32 and lib/timeval: fix double declarations for
3392 - lib/warnless: fix double declarations in CMake UNITY mode [5].
3393 This was due to force-disabling the header guard of `warnless.h` to
3394 to reapply it to source code coming after `warnless.c` in UNITY
3395 builds. This reapplied declarations too, causing the warnings.
3397 to be reapplied.
3398 - lib/vauth/digest: fix `-Wunreachable-code-break` [6].
3399 - lib/vssh/libssh2: fix `-Wunreachable-code-break` and delete redundant
3401 - lib/vtls/sectransp: fix `-Wunreachable-code-break` [7].
3402 - lib/vtls/sectransp: suppress `-Wunreachable-code`.
3404 known at compile-time, e.g.
3406 if(SecCertificateCopySubjectSummary) /* -> true */
3408 Likely fixable as a separate micro-project, but given SecureTransport
3410 - src/tool_help: delete duplicate declaration for `helptext`.
3411 - src/tool_xattr: fix `-Wunreachable-code`.
3412 - tests: delete duplicate declaration for `unitfail` [8].
3413 - tests: delete duplicate declaration for `strncasecompare`.
3414 - tests/libtest: delete duplicate declaration for `gethostname`.
3416 (2010-08-02).
3420 - tests/lib2305: delete duplicate declaration for
3422 - tests/h2-download: fix `-Wunreachable-code-break`.
3447 - transfer: avoid unreachable expression
3454 Follow-up to 1cd2f0072fa482e25baa2
3460 - transfer: readwrite improvements
3462 - changed header/chunk/handler->readwrite prototypes to accept `buf`,
3463 `blen` and a `pconsumed` pointer. They now get the buffer to work on
3465 - eliminated `k->str` in SingleRequest
3466 - improved excess data handling to properly calculate with any body data
3468 - eliminated `k->badheader` enum to only be a bool
3474 - RELEASE-NOTES: synced
3478 - transfer: avoid calling the read callback again after EOF
3482 Bug: https://curl.se/mail/lib-2023-11/0017.html
3488 - doh: provide better return code for responses w/o addresses
3494 Reported-by: lRoccoon on github
3501 - HTTP/2, HTTP/3: handle detach of onoing transfers
3503 - refs #12356 where a UAF is reported when closing a connection
3505 - handle DETACH events same as DONE events in h2/h3 filters
3508 Reported-by: Paweł Wegner
3513 - autotools: stop setting `-std=gnu89` with `--enable-warnings`
3515 Do not alter the C standard when building with `--enable-warnings` when
3518 On one hand this alters warning results compared to a default build.
3521 Also fix new warnings that appeared after removing `-std=gnu89`:
3523 - include: fix public curl headers to use the correct printf mask for
3524 `CURL_FORMAT_CURL_OFF_T` and `CURL_FORMAT_CURL_OFF_TU` with mingw-w64
3528 - conncache: fix printf format string [2].
3530 - http2: fix potential null pointer dereference [3].
3533 - libssh: fix printf format string in SFTP code [4].
3536 - libssh2: fix printf format string in SFTP code for MSVC.
3539 - unit1395: fix `argument is null` and related issues [5]:
3540 - stop calling `strcmp()` with NULL to avoid undefined behaviour.
3541 - fix checking results if some of them were NULL.
3542 - do not pass NULL to printf `%s`.
3544 - ci: keep a build job with `-std=gnu89` to continue testing for
3545 C89-compliance. We can apply this to other gcc jobs as needed.
3546 Ref: b23ce2cee7329bbf425f18b49973b7a5f23dfcb4 (2022-09-23) #9542
3549 ogs&jobId=ccf9cc6d-2ef1-5cf2-2c09-30f0c14f923b
3561 - autotools: fix/improve gcc and Apple clang version detection
3563 - Before this patch we expected `n.n` `-dumpversion` output, but Ubuntu
3564 may return `n-win32` (also with `-dumpfullversion`). Causing these
3565 errors and failing to enable picky warnings:
3572 Fix that by stripping any dash-suffix and handling a dotless (major-only)
3575 `9.3-posix`, `9.3-win32`, `6`, `9.3.0`, `11`, `11.2`, `11.2.0`
3578 - fix Apple clang version detection for releases between
3580 version was under-detected as 3.7 llvm/clang equivalent.
3582 - fix Apple clang version detection for 'Apple clang version 11.0.0'
3586 - display detected clang/gcc/icc compiler version.
3589 - https://github.com/libssh2/libssh2/commit/00a3b88c51cdb407fbbb347a2e38c5c7d
3592 - https://github.com/libssh2/libssh2/commit/89ccc83c7da73e7ca3a112e3500081319
3598 - autotools: delete LCC compiler support bits
3600 Follow-up to fd7ef00f4305a2919e6950def1cf83d0110a4acd #12222
3604 - cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API`
3606 - tests: verify CMake `DISABLE` options.
3608 Make an exception for 2 CMake-only ones, and one more that's
3611 - cmake: add support for `CURL_DISABLE_HEADERS_API`.
3613 Suggested-by: Daniel Stenberg
3614 Ref: https://github.com/curl/curl/pull/12345#pullrequestreview-1736238641
3618 Jacob Hoffman-Andrews (20 Nov 2023)
3620 - hyper: temporarily remove HTTP/2 support
3625 from a protocol perspective. That in turn causes servers to send GOAWAY
3626 frames, effectively degrading performance to "no connection reuse" in
3631 redesign of the Hyper integration in order to make things work.
3637 - schannel: fix unused variable warning
3639 Bug: https://github.com/curl/curl/pull/12349#issuecomment-1818000846
3640 Reported-by: Viktor Szakats
3646 - url: find scheme with a "perfect hash"
3648 Instead of a loop to scan over the potentially 30+ scheme names, this
3651 is made to only make a single scheme index per table entry.
3657 - scripts: add schemetable.c
3659 This tool generates a scheme-matching table.
3662 to find the hash algorithm that needs the smallest possible table.
3664 The generated hash function, table and table size then needs to be used
3669 - vtls/vquic, keep peer name information together
3671 - add `struct ssl_peer` to keep hostname, dispname and sni
3673 - allocate `sni` for use in VTLS backend
3674 - eliminate `Curl_ssl_snihost()` and its use of the download buffer
3675 - use ssl_peer in SSL and QUIC filters
3681 - build: always revert `#pragma GCC diagnostic` after use
3685 these options spilled over to the remainder of the source code,
3691 Reviewed-by: Marcel Raad
3694 - tidy-up: casing typos, delete unused Windows version aliases
3696 - cmake: fix casing of `UnixSockets` to match the rest of the codebase.
3698 - curl-compilers.m4: fix casing in a comment.
3700 - setup-win32: delete unused Windows version constant aliases.
3702 Reviewed-by: Marcel Raad
3705 - keylog: disable if unused
3711 - cmake: add `CURL_DISABLE_BINDLOCAL` option
3713 To match similar autotools option.
3717 Reviewed-by: Daniel Stenberg
3720 - url: fix `-Wzero-length-array` with no protocols
3725 -Wc2x-extensions]
3728 ./lib/url.c:178:56: warning: zero size arrays are an extension [-Wzero-length
3729 -array]
3734 - url: fix builds with `CURL_DISABLE_HTTP`
3739 456 | Curl_mime_cleanpart(data->state.formp);
3747 - http: fix `-Wunused-parameter` with no auth and no proxy
3750 lib/http.c:734:26: warning: unused parameter 'proxy' [-Wunused-parameter]
3755 Reviewed-by: Marcel Raad
3760 - TODO: Some TLS options are not offered for HTTPS proxies
3765 - RELEASE-NOTES: synced
3767 - duphandle: make dupset() not return with pointers to old alloced data
3769 As the blob pointers are to be duplicated, the function must not return
3770 mid-function with lingering pointers to the old handle's allocated data,
3771 as that would lead to double-free in OOM situations.
3773 Make sure to clear all destination pointers first to avoid this risk.
3779 - http: fix `-Wunused-variable` compiler warning
3785 `CURL_DISABLE_NTLM` on non-Windows.
3788 ./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variabl
3792 ./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunus
3793 ed-but-set-variable]
3796 ./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunuse
3797 d-but-set-variable]
3809 - tool: support bold headers in Windows
3811 - If virtual terminal processing is enabled in Windows then use ANSI
3812 escape codes Esc[1m and Esc[22m to turn bold on and off.
3814 Suggested-by: Gisle Vanem
3822 - build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`
3824 Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` +
3825 `-DCURL_DISABLE_AWS=ON` in combination with either Schannel on Windows,
3826 or `-DCURL_DISABLE_NTLM=ON` on other operating systems failed while
3827 compiling due to a missing HMAC declaration.
3831 building for libssh2 v1.8.2 (2019-05-25) or older.
3833 Make sure to compile the HMAC bits for a successful build.
3841 In file included from ./curl/_x64-win-ucrt-cmake-llvm-bld/lib/CMakeFiles/libc
3859 - duphandle: also free 'outcurl->cookies' in error path
3861 Fixes memory-leak when OOM mid-function
3872 - config-win32: set `HAVE_SNPRINTF` for mingw-w64
3874 It's available in all mingw-w64 releases. We already pre-fill this
3879 - sasl: fix `-Wunused-function` compiler warning
3884 lib/curl_sasl.c:266:17: warning: unused function 'get_server_message' [-Wunus
3885 ed-function]
3893 Reviewed-by: Daniel Stenberg
3896 - build: picky warning updates
3898 - cmake: sync some picky gcc warnings with autotools.
3899 - cmake, autotools: add `-Wold-style-definition` for clang too.
3900 - cmake: more precise version info for old clang options.
3901 - cmake: use `IN LISTS` syntax in `foreach()`.
3903 Reviewed-by: Daniel Stenberg
3904 Reviewed-by: Marcel Raad
3909 - urldata: move cookielist from UserDefined to UrlState
3914 first copied and an error happens (think out of memory mid-function),
3915 the function would easily free the list *before* it was deep-copied,
3916 which could lead to a double-free.
3922 - autotools: avoid passing `LDFLAGS` twice to libcurl
3926 customization, it added `LDFLAGS` to the custom flags. This resulted in
3927 passing `LDFLAGS` _twice_ to the `libtool` command.
3936 libtool: link: clang-15 --target=aarch64-unknown-linux-musl [...] /usr/lib/a
3937 arch64-linux-musl/crt1.o [...] /usr/lib/aarch64-linux-musl/crt1.o [...]
3938 ld.lld-15: error: duplicate symbol: _start
3940 >>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
3942 >>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
3944 clang: error: linker command failed with exit code 1 (use -v to see invocatio
3949 (2013-07-23) as a fix for bug https://curl.haxx.se/bug/view.cgi?id=1217.
3950 The patch was a works-for-me hack that ended up merged in curl:
3954 Perhaps the SUNPro 12 linker was sensitive to `-L` `-l` order, requiring
3955 `-L` first? This would be unusual and suggests a bug in either the
3960 command line, but it's the job of `libtool` to ensure that even
3962 autotools passes `LDFLAGS` last, making it hardly possible to pass
3974 - autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`
3976 To allow passing `LDFLAGS` specific to libcurl (`CURL_LDFLAGS_LIB`) and
3979 This makes it possible to build libcurl and curl with a single
3980 invocation with lib- and tool-specific custom linker flags.
3984 `-static-libtool-libs`) while building both shared and static libcurl.
3986 curl-for-win uses the above and some more.
3988 These options are already supported in `Makefile.mk`. CMake has built-in
3995 - tool_cb_hdr: add an additional parsing check
3997 - Don't dereference the past-the-end element when parsing the server's
3998 Content-disposition header.
4000 As 'p' is advanced it can point to the past-the-end element and prior
4001 to this change 'p' could be dereferenced in that case.
4003 Technically the past-the-end element is not out of bounds because dynbuf
4004 (which manages the header line) automatically adds a null terminator to
4005 every buffer and that is not included in the buffer length passed to
4012 - .cirrus.yml: freebsd 14
4020 - easy: in duphandle, init the cookies for the new handle
4026 - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
4028 Previously it would unconditionally use the size, which is set to -1
4031 Updated test 544 to verify.
4035 - RELEASE-NOTES: synced
4037 - curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped
4041 - urldata: move hstslist from 'set' to 'state'
4043 To make it work properly with curl_easy_duphandle(). This, because
4045 'hstslist' is a linked curl_list of file names. This would lead to a
4046 double-free when the second of the two involved easy handles were
4051 - test1900: verify duphandle with HSTS using multiple files
4057 - http: allow longer HTTP/2 request method names
4059 - Increase the maximum request method name length from 11 to 23.
4063 limit (DYN_HTTP_REQUEST). Prior to fc2f1e54 HTTP/2 was treated the same
4066 According to Internet Assigned Numbers Authority (IANA) the longest
4074 Ref: https://www.iana.org/assignments/http-methods/http-methods.xhtml
4080 - CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does
4082 - Add an explanation of the CURL_BLOB_COPY flag to CURLOPT_CAINFO_BLOB
4091 - tidy-up: dedupe Windows system libs in cmake
4093 Reviewed-by: Daniel Stenberg
4098 - ci: test with latest quiche release (0.19.0)
4102 - quiche: use quiche_conn_peer_transport_params()
4113 - Makefile: generate the VC 14.20 project files at dist-time
4115 Follow-up to 28287092cc5a6d6ef8 (#12282)
4121 - misc: fix -Walloc-size warnings
4123 GCC 14 introduces a new -Walloc-size included in -Wextra which gives:
4128 r type ‘struct per_transfer’ with size ‘480’ [-Walloc-size]
4133 �struct var’ with size ‘32’ [-Walloc-size]
4143 So, just swap the number of members and size arguments to match the
4151 - IPFS: bugfixes
4153 - Fixed endianness bug in gateway file parsing
4154 - Use IPFS_PATH in tests where IPFS_DATA was used
4155 - Fixed typos from traling -> trailing
4156 - Fixed broken link in IPFS.md
4158 Follow-up to 859e88f6533f9e
4160 Reported-by: Michael Kaufmann
4161 Bug: https://github.com/curl/curl/pull/12152#issuecomment-1798214137
4166 - VULN-DISCLOSURE-POLIC: remove broken link to hackerone
4174 - schannel: add CA cache support for files and memory blobs
4176 - Support CA bundle and blob caching.
4184 - RELEASE-NOTES: synced
4188 - cmake: option to disable install & drop `curlu` target when unused
4191 - adds the option `CURL_DISABLE_INSTALL` - to disable 'install' targets.
4192 - Removes the target `curlu` when the option `BUILD_TESTING` is set to
4193 `OFF` - to prevent it from being loaded in Visual Studio.
4199 - cmake: fix multiple include of CURL package
4209 Test to reproduce:
4216 find_package(CURL CONFIG REQUIRED)
4217 find_package(CURL CONFIG REQUIRED) # fails
4223 Ref: https://cmake.org/cmake/help/latest/release/3.18.html#other-changes
4226 Assisted-by: Harry Mallon
4231 - tidy-up: use `OPENSSL_VERSION_NUMBER`
4233 Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version.
4237 define any version number in these implementations: BoringSSL, AWS-LC,
4238 LibreSSL, wolfSSL. (Only in mainline OpenSSL/quictls). Switch that to
4239 `opensslv.h`. This wasn't causing a deeper problem because the code is
4242 According to https://github.com/openssl/openssl/issues/17517, the macro
4243 `OPENSSL_VERSION_NUMBER` is safe to use and not deprecated.
4245 Reviewed-by: Marcel Raad
4250 - resolve.d: drop a multi use-sentence
4254 Reported-by: 積丹尼 Dan Jacobson
4258 - content_encoding: make Curl_all_content_encodings allocless
4260 - Fixes a memory leak pointed out by Coverity
4261 - Also found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?
4263 - Avoids unncessary allocations
4265 Follow-up ad051e1cbec68b2456a22661b
4271 - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
4283 - Makefile.am: drop vc10, vc11 and vc12 projects from dist
4292 - projects: add VC14.20 project files
4296 this is missing. Updated the templates to produce a VC14.20 project.
4303 - curl: move IPFS code into src/tool_ipfs.[ch]
4305 - convert ensure_trailing into ensure_trailing_slash
4306 - strdup the URL string to own it proper
4307 - use shorter variable names
4308 - combine some expressions
4309 - simplify error handling in ipfs_gateway()
4310 - add MAX_GATEWAY_URL_LEN + proper bailout if maximum is reached
4311 - ipfs-gateway.d polish and simplification
4312 - shorten ipfs error message + make them "synthetic"
4318 - build: delete support bits for obsolete Windows compilers
4320 - Pelles C: Unclear status, failed to obtain a fresh copy a few months
4321 ago. Possible website is HTTP-only. ~10 years ago I left this compiler
4324 - LCC: Last stable release in September 2002.
4325 - Salford C: Misses winsock2 support, possibly abandoned? Last mentioned
4327 - Borland C++: We dropped Borland C++ support in 2018.
4328 - MS Visual C++ 6.0: Released in 1998. curl already requires VS 2010
4333 - build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`
4342 `HAVE_STDINT_H` to use `stdint.h` unconditionally. Also stop using
4344 anywhere else, allowing to delete this feature check as well.
4350 - tool_operate: do not mix memory models
4352 Make sure 'inputpath' only points to memory allocated by libcurl so that
4357 Follow-up to 859e88f6533f9e1f890
4363 - lib: client writer, part 2, accounting + logging
4367 Renaming of unencode_* to cwriter, e.g. client writers
4368 - documentation of sendf.h functions
4369 - move max decode stack checks back to content_encoding.c
4370 - define writer phase which was used as order before
4371 - introduce phases for monitoring inbetween decode phases
4372 - offering default implementations for init/write/close
4374 Add type paramter to client writer's do_write()
4375 - always pass all writes through the writer stack
4376 - writers who only care about BODY data will pass other writes unchanged
4379 - RAW used for Curl_debug() logging of CURLINFO_DATA_IN
4380 - PROTOCOL used for updates to data->req.bytecount, max_filesize checks and
4382 - remove all updates of data->req.bytecount and calls to
4384 - adjust test457 expected output to no longer see the excess write
4390 - VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
4396 - rand: fix build error with autotools + LibreSSL
4399 into dependency libs. One dependency, LibreSSL, happens to publish an
4401 lib as of v3.8.2). When trying to use this function in `lib/rand.c`,
4402 its protoype is missing. To fix that, curl included a prototype, but
4403 that used a C99 type without including `stdint.h`, causing:
4413 limiting `arc4random` use for non-OpenSSL builds. OpenSSL builds provide
4416 The better fix would be to teach autotools to not link dependency libs
4419 LibreSSL publishing a non-namespaced `arc4random` tracked here:
4424 Reviewed-by: Daniel Stenberg
4430 - RELEASE-NOTES: synced
4432 - strdup: do Curl_strndup without strncpy
4434 To avoid (false positive) gcc-13 compiler warnings.
4436 Follow-up to 4855debd8a2c1cb
4438 Assisted-by: Jay Satiro
4439 Reported-by: Viktor Szakats
4444 - HTTP: fix empty-body warning
4446 This change fixes a compiler warning with gcc-12.2.0 when
4447 `-DCURL_DISABLE_BEARER_AUTH=ON` is used.
4451 ty body in an 'else' statement [-Wempty-body]
4459 - openssl: identify the "quictls" backend correctly
4462 users to identify the correct OpenSSL fork in version output. The best
4463 (crude) way to do that right now seems to be to check if ngtcp2 support
4470 - curl: improved IPFS and IPNS URL support
4475 This patch allows paths and query arguments to be used too.
4476 Making this work according to normal http semantics:
4493 Lastly, a load of test cases have been added to verify the above.
4495 Reported-by: Steven Allen
4501 - docs: KNOWN_BUGS cleanup
4503 * Remove other mention of hyper memory-leaks from `KNOWN_BUGS`.
4506 * Remove mention of aws-sigv4 sort query string from `KNOWN_BUGS`.
4509 * Remove mention of aws-sigv4 query empty value problems
4511 * Remove mention of aws-sigv4 missing amz-content-sha256
4514 - http_aws_sigv4: canonicalise valueless query params
4521 - docs: preserve the modification date when copying the prebuilt man page
4528 Reviewed-by: Dan Fandrich
4529 Reviewed-by: Daniel Stenberg
4535 - docs: remove bold from some man page SYNOPSIS sections
4541 - openssl: two multi pointer checks should probably rather be asserts
4551 - docs: add supported version for the json write-out
4559 - appveyor: make VS2008-built curl tool runnable
4568 - url: proxy ssl connection reuse fix
4570 - tunnel https proxy used for http: transfers does
4571 no check if proxy-ssl configuration matches
4572 - test cases added, test_10_12 fails on 8.4.0
4578 - curl_sspi: support more revocation error names in error messages
4580 - Add these revocation errors to sspi error list:
4584 Prior to this change those error codes were not matched to their macro
4590 Unknown error (0x80092013) - The revocation function was
4591 unable to check revocation because the revocation server was offline.
4596 CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was
4597 unable to check revocation because the revocation server was offline.
4600 Reported-by: Niracler Li
4604 - strdup: don't allow Curl_strndup to read past a null terminator
4606 - Use malloc + strncpy instead of Curl_memdup to dupe the string before
4609 Prior to this change if Curl_strndup was passed a length longer than
4613 commit and currently none of the calls to it pass a length that would
4614 cause it to read past the allocated length of the input.
4616 Follow-up to d3b3ba35.
4622 - lib: add and use Curl_strndup()
4624 The Curl_strndup() function is similar to memdup(), but copies 'n' bytes
4629 - CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
4633 - pytest: use lower count in repeat tests
4635 - lower large iteration counts in some tests somewhat for
4642 - RELEASE-NOTES: synced
4644 - docs: clarify that curl passes on input unfiltered
4648 Reported-by: Ophir Lojkine
4652 - urlapi: when URL encoding the fragment, pass in the right length
4662 - vtls: late clone of connection ssl config
4664 - perform connection cache matching against `data->set.ssl.primary`
4666 - fully clone connection ssl config only when connection is used
4670 - msh3: error when built with CURL_DISABLE_SOCKETPAIR set
4672 Reported-by: Gisle Vanem
4678 - hsts: skip single-dot hostname
4680 Reported-by: Maksymilian Arciemowicz
4684 - vtls: fix build without proxy
4686 Follow-up to bf0e278a3c54bc7fee7360da17c
4690 - docs/example/keepalive.c: show TCP keep-alive options
4694 - lib1560: verify appending blank URL encoded query string
4696 - urlapi: skip appending NULL pointer query
4698 Reported-by: kirbyn17 on hackerone
4702 - lib1560: verify setting host to "" with and without URL encode
4704 - urlapi: avoid null deref if setting blank host to url encode
4706 Reported-by: kirbyn17 on hackerone
4710 - dynbuf: assert for NULL pointer inputs
4716 - HTTP3: ngtcp2 builds are no longer experimental
4724 - vtls: cleanup SSL config management
4726 - remove `Curl_ssl_get_config()`, no longer needed
4732 - libcurl-thread.3: simplify the TLS section
4739 - configure: better --disable-http
4741 - disable HTTPS-proxy as well, since it can't work without HTTP
4743 - curl_setup: when HTTP is disabled, also disable all features that are
4744 HTTP-only
4746 - version: HTTPS-proxy only exists if HTTP support exists
4750 - http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine
4752 Finding a 'Content-Range:' in the response changed the handling.
4754 Add test case 1475 to verify -C - with 416 and Content-Range: header,
4755 which is almost exactly like test 194 which instead uses a fixed -C
4756 offset. Adjusted test 194 to also be considered fine.
4759 Reported-by: Smackd0wn
4761 Reported-by: Anubhav Rai
4766 - GHA: fix checkout of quictls repository to use correct branch name
4768 Follow-up to c868b0e30f10cd0ac7
4774 - docs/example/localport.c: show off CURLOPT_LOCALPORT
4778 - docs/examples/interface.c: show CURLOPT_INTERFACE use
4786 - build: fix compiler warning with auths disabled
4790 [-Wunused-function]
4796 Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
4800 - build: require Windows XP or newer
4808 Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806
4811 - appveyor: bump one job to OpenSSL 3.1 (was 1.1.1)
4817 1.1.1 is EOL since 2023-09-11:
4818 https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
4821 - add missing SSL-backend to job descriptions.
4822 - tidy up CPU in job descriptions.
4828 - RELEASE-NOTES: synced
4830 - GHA: bump ngtcp2, nghttp3, nghttp2 and quictls versions
4843 - wolfssl: add default case for wolfssl_connect_step1 switch
4849 - curl_setup: disallow Windows IPv6 builds missing getaddrinfo
4851 - On Windows if IPv6 is enabled but getaddrinfo is missing then #error
4855 ability to resolve hosts to IPv6 addresses (HAVE_GETADDRINFO). On
4859 Such a bad configuration has already given us a bug that was hard to
4869 - openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
4871 - If CURLSSLOPT_NATIVE_CA on Windows then import from intermediate CA
4874 This change allows curl to work in situations where a server does not
4884 Prior to this change CURLSSLOPT_NATIVE_CA only imported "ROOT" certs.
4891 - Makefile.mk: fix `-rtmp` option for non-Windows [ci skip]
4895 - asyn-ares: handle no connection in the addrinfo callback
4897 To avoid crashing.
4899 Follow-up from 56a4db2
4904 - hostip6: fix DEBUG_ADDRINFO builds
4906 - Removed unused and incorrect parameter from dump_addrinfo().
4908 Bug: https://github.com/curl/curl/commit/56a4db2e#commitcomment-131050442
4909 Reported-by: Gisle Vanem
4915 - Makefile.mk: restore `_mingw.h` for default `_WIN32_WINNT`
4917 In 8.4.0 we deleted `_mingw.h` as part of purging old-mingw support.
4918 Turns out `_mingw.h` had the side-effect of setting a default
4919 `_WIN32_WINNT` value expected by `lib/config-win32.h` to enable
4920 `getaddrinfo` support in `Makefile.mk` mingw-w64 builds. This caused
4923 Restore this header and update its comment to tell why we continue
4924 to need it.
4931 Reported-by: zhengqwe on github
4932 Helped-by: Nico Rieck
4937 - hostip: silence compiler warning `-Wparentheses-equality`
4942 hostip.c:1336:22: warning: equality comparison with extraneous parentheses [-
4943 Wparentheses-equality]
4944 1336 | (a->ai_family == PF_INET)) {
4948 1336 | (a->ai_family == PF_INET)) {
4950 hostip.c:1336:22: note: use '=' to turn this equality comparison into an assi
4952 1336 | (a->ai_family == PF_INET)) {
4958 Follow-up to b651aba0962bb31353f55de4dc35f745952a1b10 #12145
4960 Reviewed-by: Daniel Stenberg
4965 - doh: use PIPEWAIT when HTTP/2 is attempted
4971 - setopt: remove outdated cookie comment
4977 - cfilter: provide call to tell connection to forget a socket
4979 - fixed libssh.c workaround for a socket being closed by
4981 - eliminate the terrible hack in cf-socket.c to guess when
4983 - fixes race in eyeballing when socket could have failed to
4988 - url: protocol handler lookup tidy-up
4990 - rename lookup to what it does
4991 - use ARRAYSIZE instead of NULL check for end
4992 - offer alternate lookup for 0-terminated strings
4998 - build: variadic macro tidy-ups
5000 - delete unused `HAVE_VARIADIC_MACROS_C99/GCC` feature checks.
5002 - delete duplicate `NULL` check in `Curl_trc_cf_infof()`.
5003 - fix compiler warning in `CURL_DISABLE_VERBOSE_STRINGS` builds.
5005 ./lib/cf-socket.c:122:41: warning: unused parameter 'data' [-Wunused-parame
5010 - fix `#ifdef` comments in `lib/curl_trc.{c,h}`.
5011 - fix indentation in some `infof()` calls.
5013 Follow-up to dac293cfb7026b1ca4175d88b80f1432d3d3c684 #12167
5015 Cherry-picked from #12105
5018 - cmake: speed up threads setup for Windows
5021 (with `ENABLE_THREADED_RESOLVER`). CMake built-in thread detection
5022 logic has this condition hard-coded for Windows as well (since at least
5027 built-in thread support when building for Windows.
5029 This saves 1-3 slow CMake configuration steps.
5031 Reviewed-by: Daniel Stenberg
5034 - cmake: speed up zstd detection
5036 Before this patch we detected the presence of a specific zstd API to
5038 stable release: v1.0.0 (2016-08-31).
5052 ab1b7427 (2016-08-12, committed)
5053 Ref: https://github.com/facebook/zstd/releases/tag/v0.8.1 (2016-08-18, first
5057 Reviewed-by: Daniel Stenberg
5062 - openssl: fix infof() to avoid compiler warning for %s with null
5065 ../lib/curl_trc.h:120:10: error: ‘%s’ directive argument is null [-Werror
5066 =format-overflow=]
5076 Follow-up to b6e6d4ff8f253c8b8055bab
5081 - lib: apache style infof and trace macros/functions
5083 - test for a simplified C99 variadic check
5084 - args to infof() in --disable-verbose are no longer disregarded but
5094 - RELEASE-NOTES: synced
5098 - urldata: move async resolver state from easy handle to connectdata
5100 - resolving is done for a connection, not for every transfer
5101 - save create/dup/free of a cares channel for each transfer
5102 - check values of setopt calls against a local channel if no
5109 - CURLOPT_WRITEFUNCTION.3: clarify what libcurl returns for CURL_WRITEFUNC_ERRO
5114 Reported-by: enWILLYado on github
5120 - autotools: update references to deleted `crypt-auth` option
5122 Delete leftovers of the `crypt-auth` `./configure` option and
5125 Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
5127 Reviewed-by: Daniel Stenberg
5132 - lib: introduce struct easy_poll_set for poll information
5137 return sockets to monitor and flag if this shall be done for POLLIN
5140 Due to this design, sockets and flags could only be added, not
5141 removed. This led to problems in filters like HTTP/2 where flow control
5143 window. The general transfer loop wants to write, adds POLLOUT, the
5146 This leads to cpu busy loops. To prevent that, HTTP/2 did set the
5154 up to `MAX_SOCKSPEREASYHANDLE` sockets and their `POLLIN|POLLOUT`
5159 they want, the `easy_pollset` is *always* passed to the filters. Filters
5161 not-yet-connection one. Each filter may add sockets and/or change
5167 * transfer wants to send, adds POLLOUT
5171 * h2-proxy filter also has a flow control block on its tunnel stream,
5183 The most affected filters are http/2, ngtcp2, quiche and h2-proxy. TLS
5184 filters needed to be adjusted for the connecting handshake read/write
5194 - tests/README: SOCKS tests are not using OpenSSH, it has its own server
5196 Follow-up to 04fd67555cc
5200 Jacob Hoffman-Andrews (25 Oct 2023)
5202 - tets: make test documentation more user-friendly
5204 Put the instructions to run tests right at the top of tests/README.md.
5206 Give instructions to read the runtests.1 man page for information
5210 Add a mention in README.md of the important parallelism flag, to make
5222 - cmake: pre-fill rest of detection values for Windows
5224 The goal of this patch is to avoid unnecessary feature detection work
5225 when doing Windows builds with CMake. Do this by pre-filling well-known
5226 detection results for Windows and specifically for mingw-w64 and MSVC
5227 compilers. Also limit feature checks to platforms where the results are
5230 - pre-fill remaining detection values in Windows CMake builds.
5234 `lib/config-win32.h`.
5236 This brings down CMake configuration time from 58 to 14 seconds on the
5239 On AppVeyor CI this translates to:
5240 - 128 seconds -> 50 seconds VS2022 MSVC with OpenSSL (per CMake job):
5245 - 62 seconds -> 16 seconds VS2017 MINGW (per CMake job):
5251 The formula is about 1-3 seconds delay for each detection. Almost all
5252 of these trigger a full compile-link cycle behind the scenes, slow
5253 even today, both cross and native, mingw-w64 and apparently MSVC too.
5257 - stop detecting `idn2.h` if idn2 was deselected.
5260 - stop detecting `idn2.h` if idn2 was not found.
5264 - limit `ADDRESS_FAMILY` detection to Windows.
5266 - normalize `HAVE_WIN32_WINNT` value to lowercase `0x0a12` format.
5268 - pre-fill `HAVE_WIN32_WINNT`-dependent detection results.
5269 Saving 4 (slow) feature-detections in most builds: `getaddrinfo`,
5272 - fix pre-filled `HAVE_SYS_TIME_H`, `HAVE_SYS_PARAM_H`,
5273 `HAVE_GETTIMEOFDAY` for mingw-w64.
5278 - limit `HAVE_CLOCK_GETTIME_MONOTONIC_RAW` and
5279 `HAVE_CLOCK_GETTIME_MONOTONIC` detections to non-Windows.
5282 - reduce compiler warning noise in CMake internal logs:
5283 - fix to include `winsock2.h` before `windows.h`.
5284 Apply it to autotools test snippets too.
5285 - delete previous `-D_WINSOCKAPI_=` hack that aimed to fix the above.
5286 - cleanup `CMake/CurlTests.c` to emit less warnings.
5288 - delete redundant `HAVE_MACRO_SIGSETJMP` feature check.
5291 - delete 'experimental' marking from `CURL_USE_OPENSSL`.
5293 - show CMake version via `CMakeLists.txt`.
5294 Credit to the `zlib-ng` project for the idea:
5295 https://github.com/zlib-ng/zlib-ng/blob/61e181c8ae93dbf56040336179c9954078b
5298 - make `CMake/CurlTests.c` pass `checksrc`.
5300 - `CMake/WindowsCache.cmake` tidy-ups.
5302 - replace `WIN32` guard with `_WIN32` in `CMake/CurlTests.c`.
5308 - page-footer: clarify exit code 25
5310 - Clarify that curl tool exit code 25 means an upload failed to start.
5312 Exit code 25 is equivalent to CURLE_UPLOAD_FAILED (25). Prior to this
5315 Reported-by: Emanuele Torre
5317 Ref: https://github.com/curl/curl/blob/curl-8_4_0/docs/libcurl/libcurl-errors
5318 .3#L113-L115
5325 - scripts/cijobs.pl: adjust for appveyor
5327 Follow-up to a1d73a6bb
5331 - OpenSSL: Include SIG and KEM algorithms in verbose
5337 important with the fast growing research into new quantum-safe
5341 to use a new function that will be included in OpenSSL 3.2 that was
5344 Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
5349 - http2: provide an error callback and failf the message
5353 header is used - as that header is then not displayed by curl itself.
5365 - BINDINGS: add V binding
5371 - configure: check for the fseeko declaration too
5376 build-time even when not actually available in run-time.
5378 Assisted-by: Viktor Szakats
5379 Reported-by: 12932 on github
5385 - cmake: fix OpenSSL quic detection in quiche builds
5387 An orphan call to `CheckQuicSupportInOpenSSL()` remained after a recent
5388 update when checking QUIC for quiche. Move back QUIC detection to
5389 a function and fixup callers to use that. Also make sure that quiche
5395 Reported-by: Casey Bodley <cbodley@redhat.com>
5401 - RELEASE-NOTES: synced
5403 bump to 8.5.0 for pending release
5407 - test3103: add missing quotes around a test tag attribute
5411 - tool: fix --capath when proxy support is disabled
5413 After 95e8515ca0, --capath always sets CURLOPT_PROXY_CAPATH, which fails
5420 - openldap: move the alloc of ldapconninfo to *connect()
5430 - openldap: set the callback argument in oldap_do
5432 ... to make sure it has the current 'data' pointer and not a stale old
5435 Reported-by: Dan Fandrich
5438 - gnutls: support CURLSSLOPT_NATIVE_CA
5440 Remove the CURL_CA_FALLBACK logic. That build option was added to allow
5441 primarily OpenSSL to use the default paths for loading the CA certs. For
5442 GnuTLS it was instead made to load the "system certs", which is
5447 Follow-up to 7b55279d1d856
5449 Co-authored-by: Jay Satiro
5455 - RTSP: improved RTP parser
5457 - fix HTTP header parsing to report incomplete
5459 - re-implement the RTP parser for interleave RTP
5462 - RTSP protocol handler "readwrite" implementation
5466 allows it to know when non-RTP bytes are "junk"
5468 - tested with #12035 and various small receive
5473 - http2: header conversion tightening
5475 - fold the code to convert dynhds to the nghttp2 structs
5477 - saves code duplication
5478 - pacifies compiler analyzers
5484 - curl_ntlm_wb: fix elif typo
5486 Reported-by: Manfred Schwarb
5487 Follow-up to d4314cdf65ae
5493 - test1683: remove commented-out check alternatives
5496 Since these are not used and perl is guaranteed to be available to run
5501 - hostip: show the list of IPs when resolving is done
5510 * IPv4: 151.101.193.91, 151.101.1.91, 151.101.65.91, 151.101.129.91
5512 Co-authored-by: Jay Satiro
5517 - docs: fix function typo in curl_easy_option_next.3
5523 - vssh: remove the #ifdef for Curl_ssh_init, use empty macro
5527 - easy: remove duplicate wolfSSH init call
5533 - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
5536 Reported-by: Ammar Faizi
5539 - urldata: move the 'internal' boolean to the state struct
5545 - url: don't touch the multi handle when closing internal handles
5547 Reported-by: Maksymilian Arciemowicz
5552 - getenv: PlayStation doesn't have getenv()
5558 - transfer: only reset the FTP wildcard engine in CLEAR state
5560 To avoid the state machine to start over and redownload all the files
5563 Reported-by: lkordos on github
5565 Bisect-by: Dan Fandrich
5571 - GHA: move mod_h2 version in CI to v2.0.25
5577 - ntlm_wb: use pipe instead of socketpair when possible
5581 - RELEASE-NOTES: synced
5583 - asyn-thread: use pipe instead of socketpair for IPC when available
5587 Helped-by: Viktor Szakats
5592 - tests: Fix Windows test helper tool search & use it for handle64
5595 Windows due to hard-coding the UNIX PATH separator character and not
5601 With this fixed, they can be used to detect the handle64.exe program
5602 before attempting to use it. When handle64.exe was called
5603 unconditionally without it existing, it caused perl to abort the test
5607 "ErrorActionPreference" or common parameter is set to Stop:
5614 - multi: use pipe instead of socketpair to *wakeup()
5622 - build: fix 'threadsafe' feature detection for older gcc
5624 - Add 'threadsafe' to the feature list shown during build if POSIX
5627 This is a follow-up to 5adb6000 which added support for building a
5628 thread-safe libcurl with older versions of gcc where atomic is not
5631 Reported-by: Dan Fandrich
5632 Co-authored-by: Dan Fandrich
5639 - test729: verify socks4a with excessive proxy user name length
5641 - socks: better buffer size checks for socks4a user and hostname
5643 Also limit the proxy user name to 255 bytes, which is the same limit as
5646 Reported-by: sd0 on hackerone
5649 - curl.h: on FreeBSD include sys/param.h instead of osreldate.h
5654 Reported-by: Faraz Fallahi
5659 - tool_operate: fix links in ipfs errors
5668 - cmake: replace `check_library_exists_concat()`
5671 optional component and adds it to the list of libs that we also use in
5675 CMake offers the `CMAKE_REQUIRED_LIBRARIES` variable to set libs used
5682 list we use when linking build targets. And special logic to handle the
5696 - tool_cb_wrt: fix write output for very old Windows versions
5698 - Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
5706 Prior to this change, on those versions if parameter is NULL then the
5711 Ref: https://github.com/MicrosoftDocs/Console-Docs/issues/299
5718 - tool_urlglob: fix build for old gcc versions
5720 - Don't use __builtin_mul_overflow for GCC 4 and earlier.
5724 Ref: https://gcc.gnu.org/gcc-5/changes.html
5726 Reported-by: Dan Fandrich
5733 - docs/libcurl: fix three minor man page format mistakes
5735 Reported-by: Samuel Henrique
5741 - tests/server: add more SOCKS5 handshake error checking
5743 - Add additional checking for missing and too-short SOCKS5 handshake
5746 Prior to this change the SOCKS5 test server did not check that all parts
5750 This issue was discovered in CI job 'memory-sanitizer' test results.
5751 Test 2055 was failing due to the SOCKS5 test server not running. It was
5753 during Test 728. Test 728 connects to the SOCKS5 test server on a
5757 Reported-by: Dan Fandrich
5764 - RELEASE-NOTES: synced
5768 - tool_getparam: limit --rate to be smaller than number of ms
5770 Currently, curl allows users to specify absurd request rates that might
5771 be higher than the number of milliseconds in the unit (ex: curl --rate
5783 - opts: fix two minor man page format mistakes
5787 - curl_trc: remove a bad assertion
5789 - Remove DEBUGASSERT that an internal handle must not have user
5792 This is a follow-up to 0dc40b2a. The user can distinguish their easy
5797 Bug: https://github.com/curl/curl/pull/12060#issuecomment-1754594697
5798 Reported-by: Daniel Stenberg
5804 - test613: stop showing an error on missing output file
5807 the log post-processing step, but the message was not captured by the
5813 - quic: manage connection idle timeouts
5815 - configure a 120s idle timeout on our side of the connection
5816 - track the timestamp when actual socket IO happens
5817 - check IO timestamp to our *and* the peer's idle timeouts
5820 Reported-by: calvin2021y on github
5826 - CI: ignore test 286 on Appveyor gcc 9 build
5828 This test fails sometimes with a super fast retry loop due to what may
5830 where it occurs because there seems to be nothing we can do to fix it.
5837 - lib: fix gcc warning in printf call
5839 Do not pass NULL to printf %s.
5843 .../curl/lib/connect.c:696:27: warning: '%s' directive argument is null [-Wfo
5844 rmat-overflow=]
5846 Ref: https://github.com/curl/curl-for-win/actions/runs/6476161689/job/1758442
5850 Co-authored-by: Jay Satiro
5855 - http2: safer invocation of populate_binsettings
5859 updated to handle this change in its contract.
5861 The way populate_binsettings had been used prior to this change the huge
5862 positive values -- due to signed->unsigned conversion of the potentially
5864 values on error -- are not possible. But only because http2.c currently
5867 verification logic were to change or if http2.c started passing in more
5869 reachable, and libcurl/curl might start leaking memory contents to
5876 - openssl: avoid BN_num_bits() NULL pointer derefs
5878 Reported-by: icy17 on github
5882 - wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA
5886 disabled and wolfSSL versions before 5.5.2 - which introduced this API
5891 - tool_urlglob: make multiply() bail out on negative values
5893 - Does not work correctly with negative values
5894 - use __builtin_mul_overflow() on gcc
5896 Reported-by: Torben Dury
5901 - cmake: fix CURL_DISABLE_GETOPTIONS
5903 - Add CURL_DISABLE_GETOPTIONS to curl_config.h.cmake.
5905 Prior to this change the option had no effect because it was missing
5910 - easy_lock: add a pthread_mutex_t fallback
5912 This allows to keep the init threadsafe with gcc < 4.9.0 (no C11
5919 - CI: add autotools, out-of-tree, debug build to distro check job
5922 autotools, out-of-tree, in debug mode.
5929 - http: avoid Expect: 100-continue if Upgrade: is used
5931 Reported-by: Daniel Jelinski
5937 - docs: use SOURCE_DATE_EPOCH for generated manpages
5945 - RELEASE-NOTES: synced
5947 Bumped to 8.4.1
5951 - cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
5953 Fix `HAVE_H_ERRNO_ASSIGNABLE` to not run, only compile its test snippet,
5955 cross-builds and also actually detects this feature. It affected systems
5958 We used this detection result to enable `HAVE_GETADDRINFO_THREADSAFE`.
5960 Follow-up to 04a3a377d83fd72c4cf7a96c9cb6d44785e33264 #11979
5962 Ref: #11964 (effort to sync cmake detections with autotools)
5964 Reported-by: Kartatz on Github
5965 Assisted-by: Kartatz on Github
5969 - build: add `src/.checksrc` to source tarball
5973 Bug: https://github.com/curl/curl/pull/11958#issuecomment-1757079071
5974 Reported-by: Romain Geissler
5982 - RELEASE-NOTES: synced
5984 - THANKS: add contributors from 8.4.0
5988 - socks: return error if hostname too long for remote resolve
5990 Prior to this change the state machine attempted to change the remote
5991 resolve to a local resolve if the hostname was longer than 255
5995 Bug: https://curl.se/docs/CVE-2023-38545.html
5999 - CI: remove slowed-network tests
6001 - remove these tests as they are currently not reliable in our CI
6004 curl handles the test cases, but CI sometimes fails on these due to
6006 will be added in the future that is specific to them.
6012 - libcurl-env-dbg.3: move debug variables from libcurl-env.3
6014 - Move documentation of libcurl environment variables used only in debug
6015 builds from libcurl-env into a separate document libcurl-env-dbg.
6017 - Document more debug environment variables.
6030 - test670: increase the test timeout
6032 This should make it more immune to loaded servers.
6038 - MQTT: improve receive of ACKs
6040 - add `mq->recvbuf` to provide buffering of incomplete
6042 - continue ACK reading until sufficient bytes available
6043 - fixes test failures on low network receives
6049 - quic: fix BoringSSL build
6053 Bug: https://github.com/curl/curl/pull/12065#issuecomment-1752171885
6055 Follow-up to aa9a6a177017e4b74d33cdf85a3594900f4a7f81
6057 Co-authored-by: Jay Satiro
6058 Reviewed-by: Daniel Stenberg
6063 - test1540: improve reliability
6065 - print that bytes have been received on pausing, but not how many
6069 - test2302: improve reliability
6071 - make result print collected write data, unless
6073 - will show same result even when data arrives via
6080 - curl_easy_pause: set "in callback" true on exit if true
6085 Reported-by: Jay Satiro
6091 - h3: add support for ngtcp2 with AWS-LC builds
6094 curl 8.4.0-DEV (x86_64-apple-darwin) libcurl/8.4.0-DEV (SecureTransport) AWS-
6096 Release-Date: [unreleased]
6099 Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile Multi
6106 Reviewed-by: Daniel Stenberg
6109 - build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros
6113 Source code uses the built-in `OPENSSL_IS_AWSLC` and
6114 `OPENSSL_IS_BORINSSL` macros to detect BoringSSL and AWS-LC. No help is
6117 The one use of `HAVE_BORINGSSL` in the source turned out to be no longer
6118 necessary for warning-free BoringSSL + Schannel builds. Ref: #1610 #2634
6121 CMake detects this to decide whether to use the BoringSSL-specific
6122 crypto lib with ngtcp2. It detects AWS-LC, but doesn't use the detection
6127 Reviewed-by: Daniel Stenberg
6128 Reviewed-by: Jay Satiro
6133 - CI: move distcheck job from Azure Pipelines to GitHub Actions
6140 Assisted-by: Philip Heiduck
6145 - url: fall back to http/https proxy env-variable if ws/wss not set
6147 Reported-by: Craig Andrews
6153 - cf-socket: simulate slow/blocked receives in debug
6155 add 2 env variables for non-UDP sockets:
6162 - http2: refused stream handling for retry
6164 - answer HTTP/2 streams refused via a GOAWAY from the server to
6165 respond with CURLE_RECV_ERROR in order to trigger a retry
6168 Reported-by: black-desk on github
6174 - CURLOPT_DEBUGFUNCTION.3: warn about internal handles
6176 - Warn that the user's debug callback may be called with the handle
6177 parameter set to an internal handle.
6183 This is a follow-up to f8cee8cc which changed DoH handles to inherit
6185 those handles are now passed to the user's debug callback function.
6189 - url: fix typo
6193 - test458: verify --expand-output, expanding a file name accepting option
6197 - tool_getparam: accept variable expansion on file names too
6199 Reported-by: PBudmark on github
6203 - RELEASE-NOTES: synced
6205 - multi: do CURLM_CALL_MULTI_PERFORM at two more places
6211 Reported-by: Dan Fandrich.
6217 - GHA/linux: mbedtls 3.5.0 + minor dep bumps
6223 - CI: bump OpenLDAP package version on FreeBSD
6229 - docs/libcurl/opts/Makefile.inc: add missing manpage files
6235 - tests: fix a race condition in ftp server disconnect
6238 had a chance to respond, the protocol message/ack (ping/pong) sequence
6239 got out of sync, causing messages sent to the old client to be delivered
6240 to the new. A disconnect must now be acknowledged and intermediate
6250 - appveyor: bump mingw-w64 job to gcc 13 (was: 8)
6253 Adding a modern gcc version to the tests.
6255 (The gcc 8 job used to take around 50 minutes. The new image with gcc 13
6258 It also adds a modern CMake version and OS env to our mingw-w64 builds.
6264 - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
6267 inconvenient) accessor. Use it to remain compatible if it becomes opaque
6274 - curl_easy_pause.3: mention it works within callbacks
6276 Reported-by: Maxim Dzhura
6277 Bug: https://curl.se/mail/lib-2023-10/0010.html
6280 - curl_easy_pause.3: mention h2/h3 buffering
6282 Asked-by: Maxim Dzhura
6283 Ref: https://curl.se/mail/lib-2023-10/0011.html
6289 - cmake: re-add missed C89 headers for specific detections
6293 missed to re-add these headers to the specific functions which need
6294 them to be detected [2]. Fix this omission in this patch.
6296 [1] Follow-up to 3795fcde995d96db641ddbcc8a04f9f0f03bef9f #11951
6297 [2] Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
6303 - multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE
6305 Since there is nothing to wait for there. Avoids the test 1233 hang
6308 Reported-by: Dan Fandrich
6313 - test1903: actually verify the cookies after the test
6317 resulting cookie file to ensure the cookies are still there.
6321 - test: add missing <feature>s
6325 - test1906: set a lower timeout since it's hit on Windows
6328 lower the timeout from 5 minutes to 5 seconds to reduce test time.
6335 - RELEASE-NOTES: synced
6339 - idn: fix WinIDN null ptr deref on bad host
6341 - Return CURLE_URL_MALFORMAT if IDN hostname cannot be converted from
6342 UTF-8 to UTF-16.
6344 Prior to this change a failed conversion erroneously returned CURLE_OK
6345 which meant 'decoded' pointer (what would normally point to the
6346 punycode) would not be written to, remain NULL and be dereferenced
6347 causing an access violation.
6353 - tests: close the shell used to start sshd
6362 - base64: also build for curl
6365 needs to build also when the tool needs it. Starting now, the tool build
6366 defines BULDING_CURL to allow lib-side code to use it.
6368 Follow-up to 2e160c9c6525
6374 - tests: Fix zombie processes left behind by FTP tests.
6377 but forgets to wait for the shell used to spawn them.
6387 - github/labeler: improve labeler matches
6389 - test574: add a timeout to the test
6392 logs to be seen when it does.
6396 - tests: propagate errors in libtests
6398 Use the test macros to automatically propagate some errors, and check
6402 - tests: set --expect100-timeout to improve test reliability
6405 the test server having a chance to respond with the expected headers,
6406 causing tests to fail. Increase the 1 second timeout to 99 seconds so
6413 - CI: ignore the "flaky" and "timing-dependent" test results in CMake
6416 Test 1086 actually causes the test harness to crash with:
6418 Warning: unable to close filehandle DWRITE properly: Broken pipe at C:/projec
6424 Follow-up to 589dca761
6430 - cmake: improve OpenLDAP builds
6432 - cmake: detect OpenLDAP based on function `ldap_init_fd`.
6435 doesn't use this value. (it might need to be remove-listed in
6436 `scripts/cmp-config.pl` for future OpenLDAP test builds.)
6437 This also deletes existing self-declaration method via the
6438 CMake-specific `CURL_USE_OPENLDAP` configuration.
6440 - cmake: define `LDAP_DEPRECATED=1` for OpenLDAP.
6444 s not defined, evaluates to 0 [-Wundef]
6447 - cmake: delete LDAP TODO comment no longer relevant.
6451 - autotools: replace domain name `dummy` with `0.0.0.0` in LDAP feature
6454 Ref: #11964 (effort to sync cmake detections with autotools)
6458 - cmake: fix unity builds for more build combinations
6463 - OpenLDAP combined with any SSH backend.
6465 - MultiSSL with mbedTLS, OpenSSL, wolfSSL, SecureTransport.
6471 - tests: remove leading spaces from some tags
6483 - GHA: bump actions/checkout
6485 Follow-up to 2e0fa50fc16b9339f51e0a7bfff0352829323acb #11964
6486 Follow-up to c39585d9b7ef3cbfc1380812dec60e7b275b6af3 #12000
6490 - spelling: fix codespell 2.2.6 typos
6496 - GHA: add workflow to compare configure vs cmake outputs
6498 Uses scripts/cmp-config.pl two compare two curl_config.h files,
6507 - appveyor: enable test 571
6509 Follow-up from 8a940fd55c175f7 / #12013
6515 - build: alpha-sort source files for lib and src
6519 - cmake: delete old `HAVE_LDAP_URL_PARSE` logic
6523 Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
6525 Ref: #11964 (effort to sync cmake detections with autotools)
6531 - tests: increase lib571 timeout from 3s to 30s
6533 - 3s is too short for our CI, making this test fail occasionally
6534 - test usually experiences no delay run locally, so 30s wont hurt
6540 - cmake: fix unity with Windows Unicode + TrackMemory
6545 We must make sure that the `memdebug.h` header doesn't apply to
6547 builds all headers apply to all sources, including `curl_multibyte.c`.
6552 CI job to keep it tested. Also delete the earlier workaround that
6555 Follow-up to d82b080f6374433ce7c98241329189ad2d3976f8 #12005
6556 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
6560 - cmake: disable unity mode with Windows Unicode + TrackMemory
6563 aka `-DCURLDEBUG`).
6567 without any command-line option. Interestingly this doesn't happen under
6573 a TODO to find and fix the root cause and drop this workaround.
6581 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
6586 - cmake: tidy-up `NOT_NEED_LBER_H` detection
6588 Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
6590 - appveyor: rewrite batch in PowerShell + CI improvements
6594 - rewrite MS-DOS batch build script in PowerShell.
6595 - move some bash operations into native PowerShell.
6596 - fixups for PowerShell insisting on failure when a command outputs
6597 something to stderr.
6598 - fix to actually run `curl -V` after every build.
6600 - also say why we skipped `curl -V` if we had to skip.
6601 - fix CMake warnings about unused configuration variables, by adapting
6603 - dedupe OpenSSL path into a variable.
6604 - disable `test1451` failing with a warning anyway due to missing python
6605 impacket. (after trying and failing to install impacket)
6606 PowerShell promotes these warnings to errors by PowerShell. We can also
6607 suppress they wholesale if they start causing issues in the future,
6608 like we already to with `autoreconf` and `./configure`.
6610 PowerShell is better than MS-DOS batches, so the hope is this makes it
6611 easier to extend and maintain the AppVeyor build logic. POSIX/bash isn't
6613 to keep it in an external script, so it's also an option.
6617 - enable tests for a "unity" build job.
6618 - speed-up CI initialization by using shallow clones of the curl repo.
6619 - speed-up CMake MSVC jobs with `TrackFileAccess=false`.
6620 - enable parallelism in `VisualStudioSolution` builds.
6621 - display CMake version before builds.
6622 - always show the CPU in job names.
6623 - tell which jobs are build-only in job names.
6624 - move `TESTING:` value next to `DISABLED_TESTS:` in two jobs.
6625 - add `config.log` (autotools) to dumped logs (need to enable manually).
6629 - use single-quotes in YAML like we do in other CI YAML files.
6630 It also allows to drop quoting characters and lighter to write/read.
6635 - cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows
6637 - set `HAVE_LDAP_URL_PARSE` if `ldap_url_parse` function exists.
6642 - always set `HAVE_LDAP_SSL` if an LDAP backend is detected and
6647 - enable LDAP[S] for a CMake macOS CI job. Target OS X 10.9 (Mavericks)
6648 to avoid deprecation warnings for LDAP API.
6650 - always detect `HAVE_LDAP_SSL_H`, even with LDAPS explicitly disabled.
6651 This doesn't make much sense, but let's do it to sync behaviour with
6654 - fix benign typo in variable name.
6656 Ref: #11964 (effort to sync cmake detections with autotools)
6660 - autotools: restore `HAVE_IOCTL_*` detections
6664 c3456652a0c72d1845d08df9769667db7e159949 (2022-08), because the
6673 Ref: #11964 (effort to sync cmake detections with autotools)
6679 - RELEASE-PROCEDURE.md: updated coming release dates
6681 - RELEASE-NOTES: synced
6685 - cmake: pre-cache `HAVE_POLL_FINE` on Windows
6692 - gha: bump actions to latest versions
6694 - actions@checkout@v4 (from v3 and v2)
6696 - fsfe/reuse-action@v2 (from v1)
6702 - h2: testcase and fix for pausing h2 streams
6704 - refs #11982 where it was noted that paused transfers may
6706 - made sample poc into tests/http/client/h2-pausing.c and
6707 added test_02_27 to reproduce
6711 Reported-by: Harry Sintonen
6715 - cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value
6718 runtime as-is. This patch make sure that the selected default backend
6724 Follow-up to 26c7feb8b9d51a57fab3325571b4bbfa03b11af0 #11774
6728 - autotools: adjust `CURL_CA_PATH` value to CMake
6731 slash. Delete the ending slash to match configurations.
6733 Ref: #11964 (effort to sync cmake detections with autotools)
6737 - cmake: detect `sys/wait.h` and `netinet/udp.h`
6739 Ref: #11964 (effort to sync cmake detections with autotools)
6745 - lib: provide and use Curl_hexencode
6751 - configure: check for the capath by default
6758 Assisted-by: Viktor Szakats
6761 - wolfssl: ignore errors in CA path
6768 behaves more similar to what OpenSSL does by default.
6773 Assisted-by: Juliusz Sosinowicz
6774 Assisted-by: Michael Osipov
6778 - create-dirs.d: clarify it also uses --output-dirs
6780 Reported-by: Robert Simpson
6786 - appveyor: fix yamlint issues, indent
6789 - use double quotes in all batch if statements.
6793 - cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW`
6797 Ref: #11964 (effort to sync cmake detections with autotools)
6801 - cmake: detect `HAVE_GETADDRINFO_THREADSAFE`
6809 autotools always runs all 3 probes for non-fast-tracked systems and
6810 enables this feature if any one of them was successful. To save
6813 OpenBSD is not fast-tracked and then gets blocklisted as a generic BSD
6814 system. I haven't double-checked if this is correct, but looks odd.
6816 Ref: #11964 (effort to sync cmake detections with autotools)
6820 - cmake: fix `HAVE_WRITABLE_ARGV` detection
6825 Ref: #11964 (effort to sync cmake detections with autotools)
6829 - appveyor: minor improvements
6831 - run `curl -V` after builds to see if they run and with what features.
6835 - copy libcurl DLL next to curl tool and tests binaries in shared mode.
6836 This makes it possible to run the tests. (We don't run tests after
6839 - list the DLLs and EXEs present after the builds.
6841 - add `DEBUG` variable for CMake builds to allow disabling it, for
6842 testing non-debug builds. (currently enabled for all)
6844 - add commented lines that dump CMake configuration logs for debugging
6845 build/auto-detection issues.
6847 - add gcc version to jobs where missing.
6849 - switch a job to the native MSYS2 mingw-w64 toolchain. This adds gcc 9
6850 to the build mix.
6852 - make `SHARED=OFF` and `OPENSSL=OFF` defaults global.
6854 - delete a duplicate backslash.
6858 - configure: replace adhoc domain with `localhost` in tests
6860 Reviewed-by: Daniel Stenberg
6863 - tidy-up: use more example domains
6868 Reviewed-by: Daniel Stenberg
6873 - runtests: display the test status if tests appear hung
6880 running to help in debugging the problem.
6883 is fine because without parallel testing it's usually easy to tell what
6888 - github/labeler: remove workaround for labeler
6890 This was added due to what seemed to be a bug regarding the sync-labels:
6891 config option, but it looks like it wasn't necessary.
6893 Follow-up to b2b0534e7
6897 - docs: upgrade an URL to HTTPS in `BINDINGS.md` [ci skip]
6901 - docs: replace made up domains with example.com
6905 - example.com was made for this purpose.
6907 - reduces the risk that one of those domains suddenly start hosting
6908 something nasty and we provide links to them
6914 - acinclude.m4: Document proper system truststore on FreeBSD
6927 - FAQ: How do I upgrade curl.exe in Windows?
6929 This is a growing question, better answer it here to get somewhere to
6930 point users to.
6936 - cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC
6938 `basename` is present in mingw-w64, missing from MSVC. Pre-cache
6939 accordingly to make configure faster.
6942 mingw-w64:
6944 b/curl_setup.h#L820-L825
6950 - cmake: add missing checks
6952 - check for arc4random. To make rand.c use it accordingly.
6953 - check for fcntl
6954 - fix fseek detection
6955 - add SIZEOF_CURL_SOCKET_T
6956 - fix USE_UNIX_SOCKETS
6957 - define HAVE_SNPRINTF to 1
6958 - check for fnmatch
6959 - check for sched_yield
6960 - remove HAVE_GETPPID duplicate from curl_config.h
6961 - add HAVE_SENDMSG
6965 Co-authored-by: Viktor Szakats
6968 - configure: remove unused checks
6970 - for sys/uio.h
6971 - for fork
6972 - for connect
6978 - lib: remove TIME_WITH_SYS_TIME
6985 - docs: update curl man page references
6987 Detected by the manpage-syntax update
6991 - manpage-syntax: verify curl man page references
6993 1. References to curl symbols are now checked that they indeed exist as
6999 2. References to curl symbols that lack section now causes warning, since tha
7003 3. Check for "bare" references to curl functions and warn, they should be
7008 - cmake: add check for suseconds_t
7017 - tidy-up: whitespace fixes
7021 - cmake: detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
7023 With new option `CURL_DISABLE_SRP=ON` to force-disable it.
7024 To match existing option and detection logic in autotools.
7027 - fix detecting GnuTLS.
7029 - add CMake GnuTLS CI job.
7030 - bump AppVeyor CMake OpenSSL MSVC job to OpenSSL 1.1.1 (from 1.0.2)
7031 TLS-SRP fails to detect with 1.0.2 due to an OpenSSL header bug.
7032 - fix compiler warning when building with GnuTLS and disabled TLS-SRP.
7033 - fix comment typos, whitespace.
7039 - tool: use our own stderr variable
7041 Earlier this year we changed our own stderr variable to use the standard
7042 name `stderr` (to avoid bugs where someone is using `stderr` instead of
7043 the curl-tool specific variable). This solution needed to override the
7045 well with unity builds and caused curl tool to crash or stay silent due
7046 to an uninitialized stderr. This was a hard to find issue, fixed by
7049 To avoid two these two tricks, this patch implements a different
7051 leave `stderr` as-is. To avoid using `stderr` by mistake, add a
7053 that detects any `stderr` use in `src` and points to using our own
7056 Follow-up to 06133d3e9b8aeb9e9ca0b3370c246bdfbfc8619e
7057 Follow-up to 2f17a9b654121dd1ecf4fc043c6d08a9da3522db
7063 - connect: only start the happy eyeballs timer when needed
7072 - tool_operate: free 'gateway' correctly
7082 - lib: move handling of `data->req.writer_stack` into Curl_client_write()
7084 - move definitions from content_encoding.h to sendf.h
7085 - move create/cleanup/add code into sendf.c
7086 - installed content_encoding writers will always be called
7088 - Curl_client_cleanup() frees writers and tempbuffers from
7095 - multi: round the timeout up to prevent early wakeups
7097 Curl_timediff rounds down to the millisecond, so curl_multi_perform can
7102 platform to wake up too early.
7108 - RELEASE-NOTES: spell out that IPFS is via gateway
7110 - RELEASE-NOTES: synced
7112 - tool_operate: avoid strlen() -1 on zero length content from file
7114 Follow-up to 65b563a96a226649ba12cb1e
7118 - tool_operate: fix memory mixups
7120 Switch to plain getenv() from curl_getenv() to avoid the allocation and
7121 having to keep track of which free() or curl_free() that need to be
7126 Follow-up to 65b563a96a226649ba12cb1e
7132 - curl-functions.m4: fixup recent bad edits
7134 Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
7140 - curl-functions.m4: fix include line
7143 CI because it graciously falled back to using legacy functions instead!
7145 Follow-up to 96c29900bcec (#11940)
7149 - inet_ntop: add typecast to silence Coverity
7154 const" (8 bits, unsigned) is promoted in "src[i] << (1 - i % 2 << 3)" to
7155 type "int" (32 bits, signed), then sign-extended to type "unsigned long"
7156 (64 bits, unsigned). If "src[i] << (1 - i % 2 << 3)" is greater than
7159 111 words[i/2] |= (src[i] << ((1 - (i % 2)) << 3));
7164 Also, switch to ints here instead of longs. The values stored are 16 bit
7165 so at least no need to use 64 bit variables. Also, longs are 32 bit on
7166 some platforms so this logic still needs to work with 32 bits.
7170 - docs: adapt SEE ALSO sections to new requirements
7172 To please manpage-syntax.pl used by test 1173
7176 - manpage-syntax.pl: verify SEE ALSO syntax
7178 - Enforce a single reference per .BR line
7179 - Skip the quotes around the section number for example (3)
7180 - Insist on trailing commas on all lines except the last
7181 - Error on comma on the last SEE ALSO entry
7183 - List the entries alpha-sorted, not enforced just recommended
7187 - connect: expire the timeout when trying next
7190 addresses to connect to. Otherwise it might unnecessarily wait for a
7194 Reported-by: Loïc Yhuel
7197 - http: remove wrong comment for http_should_fail
7199 Reported-by: Christian Schmitz
7205 - tool_setopt: remove unused function tool_setopt_flags
7207 This function is identical to tool_setopt_bitmask except that it treats
7214 - cmake: add feature checks for `memrchr` and `getifaddrs`
7216 - `HAVE_MEMRCHR` for `memrchr`.
7217 - `HAVE_GETIFADDRS` for `getifaddrs`.
7221 To match existing autotools feature checks.
7225 - cmake: move global headers to specific checks
7227 Before this patch we added standard headers unconditionally to the
7230 these headers to each feature check where they are actually needed.
7233 I've used autotools' `m4/curl-functions.m4` to figure out these
7243 - src/mkhelp: make generated code pass `checksrc`
7247 - tests: show which curl tool `runtests.pl` is using
7249 To help debugging when there is issue finding or running it.
7253 - CI/azure: make `MAKEFLAGS` global to parallelize all jobs
7257 th -j3)
7261 - CI/azure: migrate old mingw MSYS1 jobs to MSYS2
7265 Follow-up to 38029101e2d78ba125732b3bab6ec267b80a0e72
7271 - docs: add see also curl_multi_get_handles to some man pages
7273 Assisted-by: Jay Satiro
7279 - cmake: assume `_fseeki64` and no `fseeko` on Windows
7281 `_fseeki64` is present in mingw-w64 1.0 (2011-09-26) headers, and
7286 (mingw-w64 1.0 also offers `fseeko64`.)
7288 [1] https://github.com/curl/curl/pull/11944#issuecomment-1734995004
7290 Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918
7294 - build: delete checks for C89 standard headers
7303 Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918 (for `stdio.h` i
7310 - multiif.h: remove Curl_multi_dump declaration
7312 Follow-up to d850eea2 which removed the Curl_multi_dump definition.
7318 - config-win32: define HAVE__FSEEKI64
7320 Follow-up to 9c7165e9 which added an fseeko wrapper to the lib that
7325 - docs: explain how PINNEDPUBLICKEY is independent of VERIFYPEER
7327 - Explain that peer verification via CURLOPT_PINNEDPUBLICKEY takes place
7332 Bug: https://github.com/curl/curl/issues/2935#issuecomment-418371872
7333 Reported-by: claudiusaiz@users.noreply.github.com
7336 Reported-by: Hakan Sunay Halil
7342 - openssl: improve ssl shutdown handling
7344 - If SSL shutdown is not finished then make an additional call to
7345 SSL_read to gather additional tracing.
7347 - Fix http2 and h2-proxy filters to forward do_close() calls to the next
7354 Curl_conn_close -> cf_hc_close -> Curl_conn_cf_discard_chain ->
7359 Curl_conn_close -> cf_hc_close -> cf_h2_close -> cf_setup_close ->
7363 closure handle. Refer to discussion in #11878.
7371 - multi: fix small timeouts
7373 Since Curl_timediff rounds down to the millisecond, timeouts which
7382 - cmake: fix stderr initialization in unity builds
7388 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719
7393 - cmake: fix missing `zlib.h` when compiling `libcurltool`
7396 it didn't come up in earlier tests with similar config.
7398 `CURL_LIBS` to the `curltool` target, CMake doesn't seem to add detected
7399 dependency headers to the compiler command.
7403 cd .../curl/bld-cmake-llvm-x64/src && /usr/local/opt/llvm/bin/clang
7404 --target=x86_64-w64-mingw32 --sysroot=/usr/local/opt/mingw-w64/toolchain-x8
7406 -DCURLDEBUG -DCURL_STATICLIB -DHAVE_CONFIG_H -DUNICODE -DUNITTESTS -D_UNICO
7408 -I.../curl/include -I.../curl/lib -I.../curl/bld-cmake-llvm-x64/lib
7409 -I.../curl/bld-cmake-llvm-x64/include -I.../curl/src -Wno-unused-command-li
7410 ne-argument
7411 -D_UCRT -DDEBUGBUILD -DHAS_ALPN -DUSE_MANUAL=1 -fuse-ld=lld -Wl,-s -static
7412 -libgcc
7413 -lucrt [...] -O3 -DNDEBUG -municode -MD
7414 -MT src/CMakeFiles/curltool.dir/tool_hugehelp.c.obj
7415 -MF CMakeFiles/curltool.dir/tool_hugehelp.c.obj.d
7416 -o CMakeFiles/curltool.dir/tool_hugehelp.c.obj -c .../curl/bld-cmake-llvm-x
7418 .../curl/bld-cmake-llvm-x64/src/tool_hugehelp.c:6:10: fatal error: 'zlib.h' f
7424 Follow-up to 39e7c22bb459c2e818f079984989a26a09741860
7428 - cmake: fix duplicate symbols when linking tests
7430 The linker resolves this automatically in non-unity builds. In unity
7442 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_UTF8_to_wch
7446 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
7448 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_wchar_to_UT
7452 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
7454 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_open':
7457 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
7459 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_fopen':
7462 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
7464 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_stat':
7484 with config:
7486 -DCMAKE_UNITY_BUILD=ON \
7487 -DENABLE_DEBUG=ON -DBUILD_TESTING=ON -DCMAKE_C_FLAGS=-DDEBUGBUILD \
7488 -DBUILD_SHARED_LIBS=ON \
7489 -DBUILD_STATIC_LIBS=OFF
7494 - cmake: lib `CURL_STATICLIB` fixes (Windows)
7496 - always define `CURL_STATICLIB` when building libcurl for Windows.
7507 - fix to omit `libcurl.def` when not hiding private symbols.
7511 - fix `ENABLED_DEBUG=ON` + shared curl tool Windows builds by also
7516 - delete `INTERFACE_COMPILE_DEFINITIONS "CURL_STATICLIB"` for "objects"
7519 Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
7521 - delete duplicate `BUILDING_LIBCURL` definitions.
7523 - fix `HIDES_CURL_PRIVATE_SYMBOLS` to not overwrite earlier build settings.
7525 Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30
7531 - RELEASE-NOTES: synced
7535 - tests: fix log directory path in IPFS tests
7537 Hard-coding the log directory name fails with parallel tests.
7539 Follow-up to 65b563a96
7545 - curl_multi_get_handles: get easy handles from a multi handle
7551 - http: h1/h2 proxy unification
7553 - use shared code for setting up the CONNECT request
7555 - eliminate use of Curl_buffer_send() and other manipulations
7556 of `data->req` or `data->state.ulbuf`
7562 - lib: use wrapper for curl_mime_data fseek callback
7565 to undefined behavior when calling the callback and caused failure on
7568 Use a wrapper to solve this and use fseeko which uses off_t instead of
7571 Thanks to the nice people at Libera IRC #musl for helping finding this
7578 - configure: sort AC_CHECK_FUNCS
7584 - warnless: remove unused functions
7590 - GHA/linux: run singleuse to detect single-use global functions
7592 Use --unit for configure --enable-debug builds
7596 - singleuse: add scan for use in other source codes
7598 This should reduce false-positive to almost zero. Checks for presence in
7599 unit tests if --unit is specified, which is intended for debug builds
7604 - multi: remove Curl_multi_dump
7606 A debug-only function that is basically never used. Removed to ease the
7607 use of the singleuse script to detect non-static functions not used
7614 - tests: fix compiler warnings
7620 for non-static variable 'logdir' [-Wmissing-variable-declarations]
7624 s not intended to be used outside of this translation unit
7628 for non-static variable 'loglockfile' [-Wmissing-variable-declarations]
7632 s not intended to be used outside of this translation unit
7636 ion for non-static variable 'logdir' [-Wmissing-variable-declarations]
7640 e is not intended to be used outside of this translation unit
7644 here [-Wcomma]
7647 .../curl/src/tool_doswin.c:350:5: note: cast expression to void to silence wa
7656 > 2147483647 is always false [-Wtautological-type-limit-compare]
7662 'long' > 2147483647 is always false [-Wtautological-type-limit-compare]
7669 > 2147483647 is always false [-Wtautological-type-limit-compare]
7675 2147483647 is always false [-Wtautological-type-limit-compare]
7685 'int', but argument has type 'size_t' (aka 'unsigned long') [-Wformat]
7696 - url: fix netrc info message
7698 - Fix netrc info message to use the generic ".netrc" filename if the
7701 - Update --netrc doc to add that recent versions of curl on Windows
7714 - wolfssh: do cleanup in Curl_ssh_cleanup
7720 - tool_listhelp: regenerated
7722 Polished the --ipfs-gateway description
7724 Fixed the --trace-config description
7732 - Makefile.mk: always set `CURL_STATICLIB` for lib (Windows)
7734 Also fix to export all symbols in Windows debug builds, making
7735 `-debug-dyn` builds work with `-DCURL_STATICLIB` set.
7743 - quic: set ciphers/curves the same way regular TLS does
7748 Reported-by: Karthikdasari0423 on github
7749 Assisted-by: Jay Satiro
7752 - test457: verify --max-filesize with chunked encoding
7754 - lib: let the max filesize option stop too big transfers too
7757 known to be too big then.
7762 Reported-by: Elliot Killick
7763 Assisted-by: Jay Satiro
7768 - mingw: delete support for legacy mingw.org toolchain
7772 Its homepage used to be http://mingw.org/ [no HTTPS], and broken now.
7774 implib set, often causing issues. It also misses most modern Windows
7778 curl now relies on toolchains based on the mingw-w64 project:
7779 https://www.mingw-w64.org/ https://sourceforge.net/projects/mingw-w64/
7781 https://github.com/mstorsjo/llvm-mingw
7788 - curl: add support for the IPFS protocols:
7790 - ipfs://<cid>
7791 - ipns://<cid>
7805 - bufq: remove Curl_bufq_skip_and_shift (unused)
7809 - scripts/singleuse.pl: add curl_global_trace
7813 - cmake: fix unity symbol collisions in h2 builds
7817 Reviewed-by: Daniel Stenberg
7818 Reviewed-by: Jay Satiro
7823 - RELEASE-NOTES: synced
7827 - github/labeler: improve the match patterns
7835 - upload-file.d: describe the file name slash/backslash handling
7841 - libssh: cap SFTP packet size sent
7843 Due to libssh limitations
7845 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
7851 - curl.h: mark CURLSSLBACKEND_NSS as deprecated since 8.3.0
7855 - mailmap: unify Michael Osipov under a single email
7859 - docs: use CURLSSLBACKEND_NONE
7861 [ssl] use CURLSSLBACKEND_NONE instead of (curl_sslbackend)-1 in
7864 Signed-off-by: Ted Lyngmo <ted@lyncon.se>
7870 - github/labeler: give the sync-labels config item a default value
7877 Follow-up to dd12b452a
7880 - github/labeler: fix up more the labeler config format
7885 Follow-up to dd12b452a
7888 - github/labeler: fix indenting to try to appease labeller
7890 Follow-up to dd12b452a
7894 - libssh2: fix error message on failed pubkey-from-file
7896 - If libssh2_userauth_publickey_fromfile_ex returns -1 then show error
7897 message "SSH public key authentication failed: Reason unknown (-1)".
7899 When libssh2_userauth_publickey_fromfile_ex returns -1 it does so as a
7903 Prior to this change libcurl retrieved the last set error message which
7907 Bug: https://github.com/curl/curl/issues/11837#issue-1891827355
7908 Reported-by: consulion@users.noreply.github.com
7914 - pytest: exclude test_03_goaway in CI runs due to timing dependency
7918 - lib: disambiguate Curl_client_write flag semantics
7920 - use CLIENTWRITE_BODY *only* when data is actually body data
7921 - add CLIENTWRITE_INFO for meta data that is *not* a HEADER
7922 - debug assertions that BODY/INFO/HEADER is not used mixed
7923 - move `data->set.include_header` check into Curl_client_write
7924 so protocol handlers no longer have to care
7925 - add special in FTP for `data->set.include_header` for historic,
7927 - move unpausing of client writes from easy.c to sendf.c, so that
7934 - tftpd: always use curl's own tftp.h
7937 and reports a stringop-overread warning:
7941 rom a region of size 0 [-Wstringop-overread]
7942 485 | return write(test->ofile, writebuf, count);
7950 This occurs because writebuf points to this field and the latter
7952 the last field in the structure. Thus it is bound to its declared
7966 - test1474: make precheck more robust on non-Solaris systems
7968 If uname -r returns something odd, perl could return an error code and
7971 Followup to 08f9b2148
7973 - github/labeler: switch to the 5 beta version
7975 This version adds an important feature that will allow more PRs to be
7976 labelled. Rather than being limited to labeling PRs with files that
7982 - lib: enable hmac for digest as well
7984 Previously a build that disabled NTLM and aws-sigv4 would fail to build
7987 Follow-up to e92edfbef64448ef
7990 Reported-by: Aleksander Mazur
7993 - idn: if idn2_check_version returns NULL, return error
7997 Reported-by: s0urc3_ on hackerone
8000 - http: fix CURL_DISABLE_BEARER_AUTH breakage
8005 Follow-up to e92edfbef64448ef461
8007 Reported-by: Aleksander Mazur
8012 - wolfssl: allow capath with CURLOPT_CAINFO_BLOB
8019 - wolfssl: use ssl_cafile/ssl_capath variables consistent with openssl.c
8025 - test1474: disable test on NetBSD, OpenBSD and Solaris 10
8028 large block, invalidating the assumptions of the test and causing it to
8031 Assisted-by: Christian Weisgerber
8032 Ref: https://curl.se/mail/lib-2023-09/0021.html
8037 - cmake, configure: also link with CoreServices
8040 apparently required to avoid an NSInvalidArgumentException in software
8048 - CI/azure: remove pip, wheel, cryptography, pyopenssl and impacket
8052 Ref: https://github.com/mback2k/curl-docker-winbuildenv/commit/2607a31bcab544
8059 - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
8062 Reported-by: Michael Osipov
8065 - RELEASE-NOTES: synced
8067 - test3103: CURLOPT_COOKIELIST test
8069 - cookie: set ->running in cookie_init even if data is NULL
8076 Reported-by: wangp on github
8079 - test498: total header size for all redirects is larger than accepted
8081 - http: use per-request counter to check too large headers
8085 Follow-up to 3ee79c1674fd6
8091 Reported-by: Joshix-1 on github
8096 - THANKS: add Eric Murphy
8098 He reported #11850 (quiche build error) but I forgot to add a
8099 'reported-by' entry in the fix 267e14f1.
8103 - h2-proxy: remove left-over mistake in drain_tunnel()
8105 Left-over from 331b89a319
8107 Reported-by: 南宫雪珊
8113 - lib: failf/infof compiler warnings
8119 - rand: fix 'alnum': array is too small to include a terminating null character
8121 It was that small on purpose, but this change now adds the null byte to
8124 Follow-up to 3aa3cc9b052353b1
8126 Reported-by: Dan Fandrich
8132 - cmake: fix the help text to the static build option in CMakeLists.txt
8138 - MANUAL.md: change domain to example.com
8144 - doh: inherit DEBUGFUNCTION/DATA
8151 Reported-by: calvin2021y on github
8157 - http_aws_sigv4: fix sorting with empty parts
8159 When comparing with an empty part, the non-empty one is always
8160 considered greater-than. Previously, the two would be considered equal
8161 which would randomly place empty parts amongst non-empty ones. This
8168 - CI: ignore the "flaky" and "timing-dependent" test results
8171 fail. The relevant tests are ones that are sensitive to timing or
8172 have edge conditions that make them more likely to fail on CI servers,
8175 This change only adds two additional tests to be ignored, since the
8180 - runtests: eliminate a warning on old perl versions
8182 The warning "Use of implicit split to @_ is deprecated" showed between
8185 - tests: log the test result code after each libtest
8187 This makes it easier to determine the test status. Also, capitalize
8188 FAILURE and ABORT messages in log lines to make them easier to spot.
8192 - misc: better random strings
8196 Prior this change curl used to create random hex strings. This was
8200 The MIME multipart boundary used to be mere 64-bits of randomness due
8201 to being 16 hex chars. With these changes the boundary is 22
8208 - cookie: reduce variable scope, add const
8210 - cookie: do not store the expire or max-age strings
8212 Convert it to an expire time at once and save memory.
8216 - cookie: remove unnecessary struct fields
8218 Plus: reduce the hash table size from 256 to 63. It seems unlikely to
8224 - RELEASE-NOTES: synced
8226 Bumped to 8.4.0, the next presumed version
8230 - test2600: remove special case handling for USE_ALARM_TIMEOUT
8232 This was originally added to handle platforms that supported only 1
8236 The need for this special-case was removed in commit 8627416, which
8237 increased the connect timeout in all cases to well above 1 second.
8244 - SECURITY-PROCESS.md. call it vulnerability disclosure policy
8246 SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md
8255 - quiche: fix build error with --with-ca-fallback
8257 - Fix build error when curl is built with --with-quiche
8258 and --with-ca-fallback.
8260 - Add --with-ca-fallback to the quiche CI job.
8267 - escape: replace Curl_isunreserved with ISUNRESERVED
8269 - Use the ALLCAPS version of the macro so that it is clear a macro is
8272 - Also capitalize macro isurlpuntcs => ISURLPUNTCS since it evaluates
8275 This is a follow-up to 291d225a which changed Curl_isunreserved into an
8277 identified as a macro by the caller, which could lead to a bug.
8286 - tests: increase the default server logs lock timeout
8288 This timeout is used to wait for the server to finish writing its logs
8291 the timeout to 5 seconds.
8296 - tests: increase TEST_HANG_TIMEOUT in two tests
8298 These tests had a 5 second timeout compared to 60 seconds for all other
8300 heavily-loaded machines.
8304 - test1056: disable on Windows
8306 This test relies on the IPv6 scope field being ignored when connecting to
8307 ipv6-localhost (i.e. [::1%259999] is treated as [::1]). Maybe this is a bit
8313 - test587: add a slight delay after test
8315 This test is designed to connect to the server, then immediately send a
8317 server, this doesn't give the server enough time to write its lock file
8318 before its existence is checked. The test harness then fails to find the
8321 enough time to write its lock file which gives itself more time to write
8326 - tests: stop overriding the lock timeout
8334 - tests: add some --expect100-timeout to reduce timing dependencies
8337 server didn't get a chance to complete before the client's one second
8338 100-continue timeout triggered. Increase that 1 second to 999 seconds so
8343 - test661: return from test early in case of curl error
8345 - tests: add the timing-dependent keyword on several tests
8347 These are ones likely to fail on heavily-loaded machines that alter the
8349 since this condition makes them more likely to fail on CI.
8351 - test1592: greatly increase the maximum test timeout
8353 It was too short to be reliable on heavily loaded CI machines, and
8354 as a fail-safe only, it didn't need to be short.
8358 - test: minor test cleanups
8363 - tests: quadruple the %FTPTIME2 and %FTPTIME3 timeouts
8370 - tests: improve SLOWDOWN test reliability by reducing sent data
8374 320 kernel calls) just to get through the long welcome banner. On an
8377 on, causing them to fail. Reducing the size of the welcome banner drops
8379 than half, which reduces the opportunity for test-breaking slowdowns by
8384 - test650: fix an end tag typo
8388 - tool_cb_wrt: fix debug assertion
8390 - Fix off-by-one out-of-bounds array index in Windows debug assertion.
8393 Reported-by: Gisle Vanem
8397 - ctype: add ISUNRESERVED()
8408 - RELEASE-NOTES: syn ced
8412 - THANKS: contributors from 8.3.0
8416 - cmake: set SIZEOF_LONG_LONG in curl_config.h
8418 in order to support 32bit builds regarding wolfssl CTC_SETTINGS
8424 - curl_ngtcp2: fix error message
8426 - http_aws_sigv4: handle no-value user header entries
8428 - Handle user headers in format 'name:' and 'name;' with no value.
8430 The former is used when the user wants to remove an internal libcurl
8431 header and the latter is used when the user actually wants to send a
8432 no-value header in the format 'name:' (note the semi-colon is converted
8433 by libcurl to a colon).
8435 Prior to this change the AWS header import code did not special case
8438 Reported-by: apparentorder@users.noreply.github.com
8440 Ref: https://curl.se/docs/manpage.html#-H
8447 - CI: run pytest with the -v option
8455 - HTTP3: the msquic backend is not functional
8463 - aws_sigv4: the query canon code miscounted URL encoded input
8465 Added some extra ampersands to test 439 to verify "blank" query parts
8467 Follow-up to fc76a24c53b08cdf
8473 - quic: don't set SNI if hostname is an IP address
8477 RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
8480 Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3
8487 - RELEASE-NOTES: synced
8491 - configure: fix `HAVE_TIME_T_UNSIGNED` check
8501 - THANKS-filter: pszlazak on github
8505 - include.d: explain headers not printed with --fail before 7.75.0
8507 Prior to 7.75.0 response headers were not printed if -f/--fail was used
8515 - http_aws_sigv4: skip the op if the query pair is zero bytes
8517 Follow-up to fc76a24c53b08cdf
8519 Spotted by OSS-Fuzz
8521 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
8524 - cmdline-docs: use present tense, not future
8530 - cmdline-docs: make sure to phrase it as "added in ...."
8532 References to things that were added or changed in a specific version
8535 1 - consistency
8537 2 - to allow gen.pl to strip them out if deemed referring to too old
8544 - docs: mark --ssl-revoke-best-effort as Schannel specific
8550 - schannel: fix ordering of cert chain info
8552 - Use CERT_CONTEXT's pbCertEncoded to determine chain order.
8555 end-entity/server certificate in pbCertEncoded. We can use this pointer
8556 to determine the order of certificates when enumerating hCertStore using
8559 This change is to help ensure that the ordering of the certificate chain
8563 Prior to this change Schannel certificate order was reversed in 8986df80
8573 - digest: Use hostname to generate spn instead of realm
8575 In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2
8577 digest-uri-value should be serv-type "/" host , where host is:
8580 DNS host name must be the fully-qualified canonical name of the
8582 processing of the digest-uri.
8586 Note this change only affects the non-SSPI digest code. The digest code
8587 used by SSPI builds already uses the hostname to generate the spn.
8595 - docs: remove use of the word 'very'
8601 - curl_multi_remove_handle.3: clarify what happens with connection
8605 - RELEASE-NOTES: synced
8607 - test439: verify query canonization for aws-sigv4
8609 - tool_operate: make aws-sigv4 not require TLS to be used
8613 - http_aws_sigv4: canonicalize the query
8615 Percent encoding needs to be done using uppercase, and most
8616 non-alphanumerical must be percent-encoded.
8619 Reported-by: John Walker
8624 - lib: add ability to disable auths individually
8632 - ngtcp2: fix handling of large requests
8634 - requests >64K are send in parts to the filter
8635 - fix parsing of the request to assemble it correctly
8637 - open a QUIC stream only when the complete request has
8642 - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
8644 - we delay loading the x509 store to shorten the handshake time.
8646 may need to have the store loaded and try to manipulate it.
8647 - load the x509 store before invoking the app callback
8650 Reported-by: guoxinvmware on github
8655 - krb5: fix "implicit conversion loses integer precision" warnings
8657 conversions to/from enum and unsigned chars
8663 - pytest: improvements
8665 - set CURL_CI for pytest runs in CI environments
8666 - exclude timing sensitive tests from CI runs
8667 - for failed results, list only the log and stat of
8670 - fix type in http.c comment
8674 - CI: move on to ngtcp2 v0.19.1
8680 - CI: run Circle macOS builds on x86 for now
8683 warnings e-mails to be sent to some PR pushers.
8689 - http3: adjust cast for ngtcp2 v0.19.0
8697 teger precision: 'uint32_t' (aka 'unsigned int') to 'uint8_t' (aka 'unsigned
8698 char') [-Wimplicit-int-conversion]
8703 Also bump ngtcp2, nghttp3 and nghttp2 to their latest versions in our
8713 - http: fix sending of large requests
8715 - refs #11342 where errors with git https interactions
8717 - problem was caused by 1st sends of size larger than 64KB
8719 - limit sending of 1st block to 64KB
8720 - adjust h2/h3 filters to cope with parsing the HTTP/1.1
8723 - introducing Curl_nwrite() as companion to Curl_write()
8729 - pytest: fix check for slow_network skips to only apply when intended
8735 - curl_url_get/set.3: add missing semicolon in SYNOPSIS
8737 - CURLOPT_URL.3: explain curl_url_set() uses the same parser
8739 - CURLOPT_URL.3: add two URL API calls in the see-also section
8743 - CI: add a 32-bit i686 Linux build
8745 This is done by cross-compiling under regular x86_64 Linux. Since the
8751 - tests: fix a type warning on 32-bit x86
8755 - tests: delete stray `.orig` file
8757 Follow-up to 331b89a319d0067fa1e6441719307cfef9c7960f
8762 - RELEASE-NOTES: synced
8766 - lib: silence compiler warning in inet_ntop6
8770 e [-Wcomma]
8773 ./curl/lib/inet_ntop.c:121:9: note: cast expression to void to silence warnin
8784 - transfer: also stop the sending on closed connection
8787 also still sending (like a request-body) when disconnected and neither
8791 Reported-by: Oleg Jukovec
8796 - docs: change `sub-domain` to `subdomain`
8804 - multi: more efficient pollfd count for poll
8806 - do not use separate pollfds for sockets that have POLLIN+POLLOUT
8810 - http2: polish things around POST
8812 - added test cases for various code paths
8813 - fixed handling of blocked write when stream had
8815 - re-enabled DEBUGASSERT on send with smaller data size
8817 - in debug builds, environment variables can be set to simulate a slow
8818 network when sending data. cf-socket.c and vquic.c support
8820 answered with a EAGAIN. TCP/UNIX sockets.
8823 to the network. TCP/UNIX sockets.
8825 This is applied to every send.
8834 - docs: add curl_global_trace to some SEE ALSO sections
8838 - os400: fix checksrc nits
8844 - hyper: remove `hyptransfer->endtask`
8846 `Curl_hyper_stream` needs to distinguish between two kinds of
8849 address of any `foreach` task in `hyptransfer->endtask` before pushing
8856 returned back to the user with `hyper_executor_poll`". That wording is a
8862 This commit instead uses `hyper_task_set_userdata` to mark the `foreach`
8864 removing the need for `hyptransfer->endtask`. This makes the code look
8872 - ws: fix spelling mistakes in examples and tests
8878 - tool_filetime: make -z work with file dates before 1970
8881 Reported-by: Harry Sintonen
8886 - build: fix portability of mancheck and checksrc targets
8890 in a subshell to avoid this. This problem caused the Cirrus FreeBSD
8891 build to fail when parallel make jobs were enabled.
8893 - CI: adjust labeler match patterns for new & obsolete files
8895 - configure: trust pkg-config when it's used for zlib
8897 The library flags retrieved from pkg-config were later thrown out and
8898 harded-coded, which negates the whole reason to use pkg-config.
8899 Also, previously, the assumption was made that --libs-only-l and
8900 --libs-only-L are the full decomposition of --libs, which is untrue and
8902 better in that it uses --libs, although only if --libs-only-l returns
8905 Bug: https://curl.se/mail/lib-2023-08/0081.html
8906 Reported-by: Randall
8911 - CI/ngtcp2: clear wolfssl for when cache is ignored
8917 - RELEASE-NOTES: synced
8921 - hyper: fix a progress upload counter bug
8929 -Progress callback called with UL 8 out of 0[LF]
8930 -Progress callback called with UL 16 out of 0[LF]
8931 -Progress callback called with UL 26 out of 0[LF]
8932 -Progress callback called with UL 61 out of 0[LF]
8933 -Progress callback called with UL 66 out of 0[LF]
8936 to this:
8939 -Progress callback called with UL 8 out of 0[LF]
8940 -Progress callback called with UL 16 out of 0[LF]
8941 -Progress callback called with UL 26 out of 0[LF]
8942 -Progress callback called with UL 61 out of 0[LF]
8943 -Progress callback called with UL 66 out of 0[LF]
8952 - awssiv4: avoid freeing the date pointer on error
8956 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908
8958 Follow-up to b137634ba3adb
8964 - CI: ngtcp2-linux: use separate caches for tls libraries
8970 - replace `master` as wolfssl-version with recent commit
8972 - wolfssl, use master again in CI
8974 - with the shared session update fix landed in master, it
8975 is time to use that in our CI again
8979 - tests: fix formatting errors in `FILEFORMAT.md`.
8988 - cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
8993 `cmake [...] -DCURL_DEFAULT_SSL_BACKEND=mbedtls`
8996 schannel, secure-transport, wolfssl
8999 The value is case-insensitive.
9001 We added a similar option to autotools in 2017 via
9004 TODO: Convert to lowercase to improve reproducibility.
9008 - sectransp: fix compiler warnings
9010 https://github.com/curl/curl-for-win/actions/runs/6037489221/job/16381860220#
9013 /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:2435:1
9014 4: warning: unused variable 'success' [-Wunused-variable]
9017 /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:3300:4
9018 4: warning: unused parameter 'sha256len' [-Wunused-parameter]
9025 - tidy-up: mostly whitespace nits
9027 - delete completed TODO from `./CMakeLists.txt`.
9028 - convert a C++ comment to C89 in `./CMake/CurlTests.c`.
9029 - delete duplicate EOLs from EOF.
9030 - add missing EOL at EOF.
9031 - delete whitespace at EOL (except from expected test results).
9032 - convert tabs to spaces.
9033 - convert CRLF EOLs to LF in GHA yaml.
9034 - text casing fixes in `./CMakeLists.txt`.
9035 - fix a codespell typo in `packages/OS400/initscript.sh`.
9041 - CI: remove Windows builds from Cirrus, without replacement
9045 as before. The Windows builds will need be moved to another service to
9050 - CI: switch macOS ARM build from Cirrus to Circle CI
9058 directing all these builds to x86_64 hardware, despite them requesting
9059 ARM. This is because ARM nodes are scheduled to be available on the
9064 - CI: use the right variable for BSD make
9069 - CI: drop the FreeBSD 12.X build
9075 - CI: move the Alpine build from Cirrus to GHA
9077 Cirrus is reducing their free tier to next to nothing, so we must move
9082 - test_07_upload.py: fix test_07_34 curl args
9084 - Pass correct filename to --data-binary.
9086 Prior to this change --data-binary was passed an incorrect filename due
9087 to a missing separator in the arguments list. Since aacbeae7 curl will
9095 - tests: document which tests fail due to hyper's lack of trailer support.
9099 - docs: removing "pausing transfers" from HYPER.md.
9101 It's a reference to #8600, which was fixed by #9070.
9107 - os400: handle CURL_TEMP_PRINTF() while building bind source
9111 - os400: build test servers
9113 Also fix a non-compliant main prototype in disabled.c.
9117 - tests: fix compilation error for os400
9126 - os400: make programs and command name configurable
9130 - os400: move build configuration parameters to a separate script
9137 - os400: implement CLI tool
9139 This is provided as a QADRT (ascii) program, a link to it in the IFS and
9146 - lib: fix aws-sigv4 having date header twice in some cases
9148 When the user was providing the header X-XXX-Date, the header was
9149 re-added during signature computation, and we had it twice in the
9152 Reported-by: apparentorder@users.noreply.github.com
9154 Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
9161 - multi: remove 'processing: <url>' debug message
9163 - Remove debug message added by e024d566.
9167 - ftp: fix temp write of ipv6 address
9169 - During the check to differentiate between a port and IPv6 address
9170 without brackets, write the binary IPv6 address to an in6_addr.
9172 Prior to this change the binary IPv6 address was erroneously written to
9173 a sockaddr_in6 'sa6' when it should have been written to its in6_addr
9179 - tool: change some fopen failures from warnings to errors
9181 - Error on missing input file for --data, --data-binary,
9182 --data-urlencode, --header, --variable, --write-out.
9184 Prior to this change if a user of the curl tool specified an input file
9187 POST using `--data @filenametypo` would cause a zero length POST which
9192 - hostip: fix typo
9196 - tool: avoid including leading spaces in the Location hyperlink
9198 Co-authored-by: Dan Fandrich <dan@coneharvesters.com>
9204 - SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
9208 - connect: stop halving the remaining timeout when less than 600 ms left
9210 When curl wants to connect to a host, it always has a TIMEOUT. The
9211 maximum time it is allowed to spend until a connect is confirmed.
9213 curl will try to connect to each of the IP adresses returned for the
9216 During the connect loop, while curl has more than one IP address left to
9218 left/2) for *this* connect attempt. This, to not get stuck on the
9219 initial addresses in case the timeout but still allow later addresses to
9226 This change stop doing the divided-by-two if the total time left is
9231 - asyn-ares: reduce timeout to 2000ms
9234 lower timeout is used by @c-ares itself by default starting next
9241 - misc: remove duplicate words
9247 - RELEASE-NOTES: synced
9249 - wolfSSL: avoid the OpenSSL compat API when not needed
9257 - lib: fix null ptr derefs and uninitialized vars (h2/h3)
9261 Assisted-by: Jay Satiro
9262 Assisted-by: Stefan Eissing
9267 - secureserver.pl: fix stunnel version parsing
9269 - Allow the stunnel minor-version version part to be zero.
9271 Prior to this change with the stunnel version scheme of <major>.<minor>
9272 if either part was 0 then version parsing would fail, causing
9273 secureserver.pl to fail with error "No stunnel", causing tests that use
9274 the SSL protocol to be skipped. As a practical matter this bug can only
9275 be caused by a minor-version part of 0, since the major-version part is
9280 - secureserver.pl: fix stunnel path quoting
9282 - Store the stunnel path in the private variable $stunnel unquoted and
9285 Prior to this change the quoted stunnel path was passed to perl's file
9289 if(-x $stunnel or -x "$stunnel")
9300 - altsvc: accept and parse IPv6 addresses in response headers
9302 Store numerical IPv6 addresses in the alt-svc file with the brackets
9308 Reported-by: oliverpool on github
9311 - libtest: use curl_free() to free libcurl allocated data
9318 Reported-by: Nicholas Nethercote
9323 - disable.d: explain --disable not implemented prior to 7.50.0
9325 Option -q/--disable was added in 5.0 but only -q was actually
9326 implemented. Later --disable was implemented in e200034 (precedes
9329 Reported-by: pszlazak@users.noreply.github.com
9336 - hyper: fix ownership problems
9339 `start_CONNECT`, which are similar, and adding things to them that are
9343 - In `start_CONNECT`, add a missing `hyper_clientconn_free` call on the
9345 - In `start_CONNECT`, add a missing `hyper_request_free` on the error
9347 - In `bodysend`, add a missing `hyper_body_free` on an early-exit path.
9348 - In `bodysend`, remove an unnecessary `hyper_body_free` on a different
9349 error path that would cause a double-free.
9362 - multi.h: the 'revents' field of curl_waitfd is supported
9366 Reported-by: Nicolás Ojeda Bär
9372 - tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
9378 - docs: mention critical files in same directories as curl saves
9382 Co-authored-by: Jay Satiro
9383 Reported-by: Harry Sintonen
9389 - OpenSSL: clear error queue after SSL_shutdown
9405 Co-authored-by: Satana de Sant'Ana <satana@skylittlesystem.org>
9411 - tests: update cookie expiry dates to far in the future
9413 This allows testing Y2038 with system time set to after that, so that
9421 - misc: fix spelling
9427 - cmdline-opts/page-header: clarify stronger that !opt == URL
9430 argument to an option) is treated as a URL.
9434 - tests/runner: fix %else handling
9439 Follow-up to 3d089c41ea9
9445 - docs: Remove mention of #10803 from `KNOWN_BUGS`.
9449 - c-hyper: fix another memory leak in `Curl_http`.
9459 - c-hyper: fix a memory leak in `Curl_http`.
9464 This is not terrifically clear from the hyper docs --
9466 not going to send it on a client" -- but a perusal of the hyper code
9469 This commit adds a `hyper_request_free` to the `error:` path in
9479 - RELEASE-NOTES: synced
9483 - misc: spellfixes
9489 - tests: add support for nested %if conditions
9491 Provides more flexiblity to test cases.
9499 - time-cond.d: mention what happens on a missing file
9505 - docs/cmdline-opts: match the current output
9513 - lib: minor comment corrections
9515 - docs: rewrite to present tense
9520 + stick to "reuse" not "re-use"
9525 - urlapi: setting a blank URL ("") is not an ok URL
9529 Reported-by: ad0p on github
9532 - spelling: use 'reuse' not 're-use' in code and elsewhere
9540 - system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
9542 HP-UX on IA64 provides two modes: 32 and 64 bit while 32 bit being the
9550 - tests: don't call HTTP errors OK in test cases
9555 - http: close the connection after a late 417 is received
9560 Assisted-by: Jay Satiro
9564 - runtests: slightly increase the longest log file displayed
9566 The new limit provides enough space for a 64 KiB data block to be logged
9568 happens to be the amount of data sent at a time in a PUT request.
9570 - tests: add delay command to the HTTP server
9576 - cirrus: install everthing with pkg, avoid pip
9578 Assisted-by: Sevan Janiyan
9582 - curl_url*.3: update function descriptions
9584 - expand and clarify several descriptions
9585 - avoid using future tense all over
9589 - RELEASE-NOTES: synced
9593 - CI/cirrus: disable python install on FreeBSD
9595 - python cryptography package does not build build FreeBSD
9596 - install just mentions "error"
9597 - this gets the build and the main test suite going again
9601 - test2600: fix flakiness on low cpu
9603 - refs #11355 where failures to to low cpu resources in CI
9605 - vastly extend CURLOPT_CONNECTTIMEOUT_MS and max durations
9606 to test cases
9607 - trigger Curl_expire() in test filter to allow re-checks before
9614 - tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
9620 - test687/688: two more basic --xattr tests
9624 - cmdline-opts/docs: mentioned the negative option part
9626 ... for --no-alpn and --no-buffer in the same style done for other --no-
9635 - tool/var: also error when expansion result starts with NUL
9637 Expansions whose output starts with NUL were being expanded to the empty
9645 - tests: add 'large-time' as a testable feature
9647 This allows test cases to require this feature to run and to be used in
9654 - tests/Makefile: add check-translatable-options.pl to tarball
9658 Follow-up to ae806395abc8c
9660 - gen.pl: fix a long version generation mistake
9665 Follow-up to 439ff2052e219
9667 Reported-by: Lukas Tribus
9671 - lib: move mimepost data from ->req.p.http to ->state
9675 entire transfer and not only per single HTTP request. This re-enables
9679 The request struct is per-request data only.
9681 Extend test 650 to verify.
9684 Reported-by: yushicheng7788 on github
9689 - os400: do not check translatable options at build time
9696 - test1554: check translatable string options in OS400 wrapper
9707 - unit3200: skip testing if function is not present
9709 Fake a successful run since we have no easy mechanism to skip this test
9712 - unit2600: fix build warning if built without verbose messages
9714 - test1608: make it build and get skipped without shuffle DNS support
9716 - lib: --disable-bindlocal builds curl without local binding support
9718 - test1304: build and skip without netrc support
9720 - lib: build fixups when built with most things disabled
9724 - workflows/macos.yml: disable zstd and alt-svc in the http-only build
9730 - bearssl: handshake fix, provide proper get_select_socks() implementation
9732 - bring bearssl handshake times down from +200ms down to other TLS backends
9733 - vtls: improve generic get_select_socks() implementation
9734 - tests: provide Apache with a suitable ssl session cache
9738 - tests: TLS session sharing test
9740 - test TLS session sharing with special test client
9741 - expect failure with wolfSSL
9742 - disable flaky wolfSSL test_02_07b
9748 - CURLOPT_*TIMEOUT*: extend and clarify
9752 - urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
9757 Pointed-out-by: Jacob Mealey
9762 - cmake: add GnuTLS option
9764 - Option to use GNUTLS was missing. Hence was not able to use GNUTLS
9771 - RELEASE-NOTES: synced
9773 - http: remove the p_pragma struct field
9781 - CURLINFO_CERTINFO.3: better explain curl_certinfo struct
9785 - CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
9787 - Remove the out-of-date SSL backend list supported by
9790 It makes more sense to just refer to that document instead of having
9791 a separate list that has to be kept in sync.
9795 - write-out.d: clarify %{time_starttransfer}
9801 - transfer: don't set TIMER_STARTTRANSFER on first send
9806 Reported-by: JazJas on github
9809 trrui-huawei (15 Aug 2023)
9811 - quiche: enable quiche to handle timeout events
9814 interface for the application to invoke upon timer
9816 Connection is crucial to ensure seamless functionality of quiche with
9821 - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
9823 Set the `QUIC_IDLE_TIMEOUT` parameter to match ngtcp2 for consistency.
9827 - KNOWN_BUGS: LDAPS requests to ActiveDirectory server hang
9831 - imap: add a check for failing strdup()
9833 - imap: remove the only sscanf() call in the IMAP code
9839 - imap: use a dynbuf in imap_atom
9847 - http: do not require a user name when using CURLAUTH_NEGOTIATE
9849 In order to get Negotiate (SPNEGO) authentication to work in HTTP you
9850 used to be required to provide a (fake) user name (this concerned both
9854 curl -u : --negotiate https://example.com/
9856 This commit leverages the `struct auth` want member to figure out if the
9860 Signed-off-by: Marin Hannache <git@mareo.fr>
9861 Reported-by: Enrico Scholz
9868 - build: streamline non-UWP wincrypt detections
9870 - with CMake, use the variable `WINDOWS_STORE` to detect an UWP build
9871 and disable our non-UWP-compatible use the Windows crypto API. This
9872 allows to drop two dynamic feature checks.
9879 - with autotools, drop the separate feature check for `wincrypt.h`. On
9881 it from year 2000), on the other we used the check result solely to
9886 Reviewed-by: Marcel Raad
9891 - docs/HYPER.md: update hyper build instructions
9893 Nightly Rust and `-Z unstable-options` are not needed.
9903 - RELEASE-NOTES: synced
9905 - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
9907 Asssisted-by: Jay Satiro
9910 - spellcheck: adapt to backslashed minuses
9912 As the curl.1 has more backslashed minus, the cleanup sed lines xneed to
9917 Follow-up to 439ff2052e
9921 - gen: escape more minus
9923 Detected since it was still hard to search for option names using dashes
9928 - cookie-jar.d: enphasize that this option is ONLY writing cookies
9930 Reported-by: Dan Jacobson
9931 Tweaked-by: Jay Satiro
9937 - docs/HYPER.md: document a workaround for a link error
9943 - schannel: verify hostname independent of verify cert
9945 Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off
9953 Assisted-by: Daniel Stenberg
9955 Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html
9956 Reported-by: Martin Galvan
9965 - curl_quiche: remove superfluous NULL check
9967 'stream' is always non-NULL at this point
9973 - curl/urlapi.h: tiny typo
9975 - github/labeler: make HYPER.md set Hyper and not TLS
9977 - docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
9980 to specify version changes for earlier releases in the generated output.
9990 - bug_report: require reporters to specify curl and os versions
9992 - Change curl version and os sections from single-line input to
9993 multi-line textarea.
9995 - Require curl version and os sections to be filled out before report
10002 - gen.pl: replace all single quotes with aq
10004 - this prevents man from using a unicode sequence for them
10005 - which then allows search to work properly
10011 - cmake: fix to use variable for the curl namespace
10013 Replace (wrong) literal with a variable to specify the curl
10016 Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30 #11505
10018 Reported-by: balikalina on Github
10023 - cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
10028 The above automatically enabled for Windows builds, with an option to
10031 This patch extend this feature to all platforms as a manual option.
10039 - cmake: assume `wldap32` availability on Windows
10042 install for some older releases (according to [1]). The import library
10047 To manually disable `wldap32`, you can use the `USE_WIN32_LDAP=OFF`
10052 Reviewed-by: Jay Satiro
10057 - page-header: move up a URL paragraph from GLOBBING to URL
10059 - variable.d: output the function names table style
10065 - haproxy-clientip.d: remove backticks
10069 Follow-up to 0a75964d0d94a4
10073 - RELEASE-NOTES: synced
10075 - gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
10077 Reported-by: FC Stegerman
10081 - cmdline-opts/page-header: reorder, clean up
10083 - removed some unnecessary blurb to focus
10084 - moved up the more important URL details
10085 - put "globbing" into its own subtitle and moved down a little
10086 - mention the online man page in the version section
10090 - c-hyper: adjust the hyper to curlcode conversion
10094 - test2306: make it use a persistent connection
10102 - list-only.d: mention SFTP as supported protocol
10108 - request.d: use .TP for protocol "labels"
10110 To render the section nicer in man page.
10114 - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
10120 Reported-by: Markus Sommer
10124 - page-footer: QLOGDIR works with ngtcp2 and quiche
10133 - http3: quiche, handshake optimization, trace cleanup
10135 - load x509 store after clienthello
10136 - cleanup of tracing
10142 - ngtcp2: remove dead code
10152 - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
10155 popular forks (yet). Use the macro itself to detect its presence,
10156 replacing the hard-wired fork-specific conditions.
10161 Follow-up to 94241a9e78397a2aaf89a213e6ada61e7de7ee02 #6721
10163 Reviewed-by: Jay Satiro
10166 - openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
10168 LibreSSL 3.4.1 (2021-10-14) added support for
10171 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt
10173 Reviewed-by: Jay Satiro
10176 - openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
10178 LibreSSL 3.5.0 (2022-02-24) added support for
10181 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt
10183 Reviewed-by: Jay Satiro
10186 - cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
10188 - `HAVE_LIBWINMM` was detected but unused. The `winmm` system library is
10190 Change the logic to always add `winmm` when `USE_LIBRTMP` is set. This
10193 - `HAVE_LIBWS2_32` detected `ws2_32` lib on Windows. This lib is present
10203 - crypto: ensure crypto initialization works
10205 Make sure that context initialization during hash setup works to avoid
10208 Reported-by: Philippe Antoine on HackerOne
10209 Assisted-by: Jay Satiro
10210 Assisted-by: Daniel Stenberg
10216 - openssl: switch to modern init for LibreSSL 2.7.0+
10218 LibreSSL 2.7.0 (2018-03-21) introduced automatic initialization,
10220 method, as seen in OpenSSL 1.1.0. Switch to the modern method when
10223 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.0-relnotes.txt
10225 Reviewed-by: Daniel Stenberg
10230 - gskit: remove
10234 - This is a niche TLS library, only running on some IBM systems
10235 - no regular curl contributors use this backend
10236 - no CI builds use or verify this backend
10237 - gskit, or the curl adaption for it, lacks many modern TLS features
10239 - build breakages in this code take weeks or more to get detected
10240 - fixing gskit code is mostly done "flying blind"
10243 been mentioned on the curl-library mailing list.
10250 - RELEASE-NOTES: synced
10254 - THANKS-filter: add a name typo
10258 - http3/ngtcp2: shorten handshake, trace cleanup
10260 - shorten handshake timing by delayed x509 store load (OpenSSL)
10262 - cleanup of trace output, align with HTTP/2 output
10268 - headers: accept leading whitespaces on first response header
10273 Add test 1473 to verify and adjust test 2306.
10275 Reported-by: junsik on github
10279 - include/curl/mprintf.h: add __attribute__ for the prototypes
10281 - if gcc or clang is used
10282 - if __STDC_VERSION__ >= 199901L, which means greater than C90
10283 - if not using mingw
10284 - if CURL_NO_FMT_CHECKS is not defined
10288 - tests: fix bad printf format flags in test code
10290 - tests: fix header scan tools for attribute edits in mprintf.h
10292 - cf-socket: log successful interface bind
10300 - CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
10305 - CURLOPT_SSL_VERIFYPEER.3: add two more see also options
10311 - KNOWN_BUGS: aws-sigv4 does not behave well with AWS VPC Lattice
10317 - CI: use openssl 3.0.10+quic, nghttp3 0.14.0, ngtcp2 0.18.0
10323 - TODO: add *5* entries for aws-sigv4
10331 - TODO: LDAP Certificate-Based Authentication
10337 - http2: cleanup trace messages
10339 - more compact format with bracketed stream id
10340 - all frames traced in and out
10346 - tests/tftpd+mqttd: make variables static to silence picky warnings
10350 - docs/cmdline: remove repeated working for negotiate + ntlm
10356 - docs/cmdline: add small "warning" to verbose options
10364 - RELEASE-NOTES: synced
10366 - pingpong: don't use *bump_headersize
10370 Follow-up to 3ee79c1674fd6
10374 - urldata: remove spurious parenthesis to unbreak no-proxy build
10376 Follow-up to e12b39e13382
10380 - easy: don't call Curl_trc_opt() in disabled-verbose builds
10382 Follow-up to e12b39e133822c6a0
10386 - http: use %u for printfing int
10388 Follow-up to 3ee79c1674fd6f99e8efca5
10394 - vquic: show stringified messages for errno
10400 - trace: make tracing available in non-debug builds
10402 Add --trace-config to curl
10404 Add curl_global_trace() to libcurl
10410 - TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY"
10414 - TODO: add "WebSocket read callback"
10416 remove "Upgrade to websockets" as we already have this
10420 - test497: verify rejecting too large incoming headers
10422 - http: return error when receiving too large header set
10424 To avoid abuse. The limit is set to 300 KB for the accumulated size of
10426 suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
10433 - http2: upgrade tests and add fix for non-existing stream
10435 - check in h2 filter recv that stream actually exists
10437 - add test for parallel, extreme h2 upgrades that fail if
10439 - add h2 upgrade upload test just for completeness
10445 - tests: ensure `libcurl.def` contains all exports
10447 Add `test1279` to verify that `libcurl.def` lists all exported API
10452 - extend test suite XML `stdout` tag with the `loadfile` attribute.
10454 - fix `tests/extern-scan.pl` and `test1135` to include websocket API.
10456 - use all headers (sorted) in `test1135` instead of a manual list.
10458 - add options `--sort`, `--heading=` to `tests/extern-scan.pl`.
10460 - add `libcurl.def` to the auto-labeler GHA task.
10462 Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
10468 - url: change default value for CURLOPT_MAXREDIRS to 30
10472 use case, I figure it is more likely to actually save users from loops.
10476 - lib: fix a few *printf() flag mistakes
10478 Reported-by: Gisle Vanem
10484 - openssl: make aws-lc version support OCSP
10492 - tool: make the length argument an int for printf()-.* flags
10496 - tool_operate: fix memory leak when SSL_CERT_DIR is used
10500 Follow-up to 29bce9857a12b6cfa726a5
10504 - tool/var: free memory on OOM
10508 Follow-up to 2e160c9c652504e
10514 - gha: bump libressl and mbedtls versions
10520 - schannel: fix user-set legacy algorithms in Windows 10 & 11
10522 - If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
10523 use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
10525 - If the user set both a legacy algorithm list and a TLS 1.3 cipher list
10530 limits the user to earlier versions of TLS.
10532 Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
10535 Reported-by: zhihaoy@users.noreply.github.com
10542 - variable.d: setting a variable again overwrites it
10544 Reported-by: Niall McGee
10550 - CURLOPT_PROXY_SSL_OPTIONS.3: sync formatting
10552 - Re-wrap CURLSSLOPT_ALLOW_BEAST description.
10556 - RELEASE-NOTES: synced
10558 - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
10563 Reported-by: Joseph Tharayil
10567 - docs: link to the website versions instead of markdowns
10569 ... to make the links work when the markdown is converted to webpages on
10572 Reported-by: Maurício Meneghini Fauth
10573 Fixes https://github.com/curl/curl-www/issues/272
10578 - cmake: cache more config and delete unused ones
10580 - cache more Windows config results for faster initialization.
10582 - delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.
10584 - delete dead references to `sys/utsname.h`.
10588 - egd: delete feature detection and related source code
10590 EGD is Entropy Gathering Daemon, a socket-based entropy source supported
10591 by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
10598 source snippet, and the `--with-egd-socket=` `./configure` option.
10604 - tests: fix h3 server check and parallel instances
10606 - fix check for availability of nghttpx server
10607 - add `tcp` frontend config for same port as quic, as
10615 - docs/cmdline-opts: spellfixes, typos and polish
10617 To make them accepted by the spell checker
10621 - CI/spellcheck: build curl.1 and spellcheck it
10629 - misc: fix various typos
10635 - http2: avoid too early connection re-use/multiplexing
10637 HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
10641 Lots-of-debgging-by: Stefan Eissing
10642 Reported-by: Richard W.M. Jones
10643 Bug: https://curl.se/mail/lib-2023-07/0045.html
10646 - Revert "KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14"
10650 It's a user error for supplying incomplete information to the build system.
10652 Reported-by: Ryan Schmidt
10653 Ref: https://github.com/curl/curl/issues/11215#issuecomment-1658729367
10657 - cmake: add support for single libcurl compilation pass
10659 Before this patch CMake builds used two separate compilation passes to
10660 build the shared and static libcurl respectively. This patch allows to
10661 reduce that to a single pass if the target platform and build settings
10665 libcurl at the same time, making these dual builds an almost zero-cost
10673 Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
10675 in curl-for-win, which generated a `libcurl.def` from `.h` files using
10679 libcurl API symbols up-to-date. This list seldom changes, so the cost
10684 - cmake: detect `SSL_set0_wbio` in OpenSSL
10689 Follow-up to f39472ea9f4f4e12cfbc0500c4580a8d52ce4a59