1 _ _ ____ _ 2 ___| | | | _ \| | 3 / __| | | | |_) | | 4 | (__| |_| | _ <| |___ 5 \___|\___/|_| \_\_____| 6 7 Changelog 8 9Version 7.67.0 (5 Nov 2019) 10 11Daniel Stenberg (5 Nov 2019) 12- RELEASE-NOTES: synced 13 14 The 7.67.0 release 15 16- THANKS: add new names from 7.67.0 17 18- configure: only say ipv6 enabled when the variable is set 19 20 Previously it could say "IPv6: enabled" at the end of the configure run 21 but the define wasn't set because of a missing getaddrinfo(). 22 23 Reported-by: Marcel Raad 24 Fixes #4555 25 Closes #4560 26 27Marcel Raad (2 Nov 2019) 28- certs/Server-localhost-lastSAN-sv: regenerate with sha256 29 30 All other certificates were regenerated in commit ba782baac30, but 31 this one was missed. 32 Fixes test3001 on modern systems. 33 34 Closes https://github.com/curl/curl/pull/4551 35 36Daniel Stenberg (2 Nov 2019) 37- [Vilhelm Prytz brought this change] 38 39 copyrights: update all copyright notices to 2019 on files changed this year 40 41 Closes #4547 42 43- [Bastien Bouclet brought this change] 44 45 mbedtls: add error message for cert validity starting in the future 46 47 Closes #4552 48 49Jay Satiro (1 Nov 2019) 50- schannel_verify: Fix concurrent openings of CA file 51 52 - Open the CA file using FILE_SHARE_READ mode so that others can read 53 from it as well. 54 55 Prior to this change our schannel code opened the CA file without 56 sharing which meant concurrent openings (eg an attempt from another 57 thread or process) would fail during the time it was open without 58 sharing, which in curl's case would cause error: 59 "schannel: failed to open CA file". 60 61 Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html 62 Reported-by: Richard Alcock 63 64Daniel Stenberg (31 Oct 2019) 65- gtls: make gnutls_bye() not wait for response on shutdown 66 67 ... as it can make it wait there for a long time for no good purpose. 68 69 Patched-by: Jay Satiro 70 Reported-by: Bylon2 on github 71 Adviced-by: Nikos Mavrogiannopoulos 72 73 Fixes #4487 74 Closes #4541 75 76- [Michał Janiszewski brought this change] 77 78 appveyor: publish artifacts on appveyor 79 80 This allows obtaining upstream builds of curl directly from appveyor for 81 all the available configurations 82 83 Closes #4509 84 85- url: make Curl_close() NULLify the pointer too 86 87 This is the common pattern used in the code and by a unified approach we 88 avoid mistakes. 89 90 Closes #4534 91 92- [Trivikram Kamat brought this change] 93 94 INSTALL: add missing space for configure commands 95 96 Closes #4539 97 98- url: Curl_free_request_state() should also free doh handles 99 100 ... or risk DoH memory leaks. 101 102 Reported-by: Paul Dreik 103 Fixes #4463 104 Closes #4527 105 106- examples: remove the "this exact code has not been verified" 107 108 ... as really confuses the reader to not know what to believe! 109 110- [Trivikram Kamat brought this change] 111 112 HTTP3: fix typo somehere1 > somewhere1 113 114 Closes #4535 115 116Jay Satiro (28 Oct 2019) 117- [Javier Blazquez brought this change] 118 119 HTTP3: fix invalid use of sendto for connected UDP socket 120 121 On macOS/BSD, trying to call sendto on a connected UDP socket fails 122 with a EISCONN error. Because the singleipconnect has already called 123 connect on the socket when we're trying to use it for QUIC transfers 124 we need to use plain send instead. 125 126 Fixes #4529 127 Closes https://github.com/curl/curl/pull/4533 128 129Daniel Stenberg (28 Oct 2019) 130- RELEASE-NOTES: synced 131 132- [Javier Blazquez brought this change] 133 134 HTTP3: fix Windows build 135 136 The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv 137 in order to perform nonblocking operations. On Windows this flag does 138 not exist. Instead, the socket must be set to nonblocking mode via 139 ioctlsocket. 140 141 This change sets the nonblocking flag on UDP sockets used for QUIC on 142 all platforms so the use of MSG_DONTWAIT is not needed. 143 144 Fixes #4531 145 Closes #4532 146 147Marcel Raad (27 Oct 2019) 148- appveyor: add --disable-proxy autotools build 149 150 This would have caught issue #3926. 151 152 Also make formatting more consistent. 153 154 Closes https://github.com/curl/curl/pull/4526 155 156Daniel Stenberg (25 Oct 2019) 157- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 158 159 ... and invoke "curl -V" once done 160 161 Co-Authored-By: Jay Satiro 162 163 Closes #4523 164 165- [Francois Rivard brought this change] 166 167 schannel: reverse the order of certinfo insertions 168 169 Fixes #4518 170 Closes #4519 171 172Marcel Raad (24 Oct 2019) 173- test1591: fix spelling of http feature 174 175 The test never got run because the feature name is `http` in lowercase. 176 177 Closes https://github.com/curl/curl/pull/4520 178 179Daniel Stenberg (23 Oct 2019) 180- [Michał Janiszewski brought this change] 181 182 appveyor: Use two parallel compilation on appveyor with CMake 183 184 Appveyor provides 2 CPUs for each builder[1], make sure to use parallel 185 compilation, when running with CMake. CMake learned this new option in 186 version 3.12[2] and the version provided by appveyor is fresh enough. 187 188 Curl doesn't really take that long to build and it is using the slowest 189 builder available, msbuild, so expect only a moderate improvement in 190 build times. 191 192 [1] https://www.appveyor.com/docs/build-environment/ 193 [2] https://cmake.org/cmake/help/v3.12/release/3.12.html 194 195 Closes #4508 196 197- conn-reuse: requests wanting NTLM can reuse non-NTLM connections 198 199 Added test case 338 to verify. 200 201 Reported-by: Daniel Silverstone 202 Fixes #4499 203 Closes #4514 204 205Marcel Raad (23 Oct 2019) 206- tests: add missing proxy features 207 208Daniel Stenberg (22 Oct 2019) 209- RELEASE-NOTES: synced 210 211Marcel Raad (21 Oct 2019) 212- tests: use %FILE_PWD for file:// URLs 213 214 This way, we always have exactly one slash after the host name, making 215 the tests pass when curl is compiled with the MSYS GCC. 216 217 Closes https://github.com/curl/curl/pull/4512 218 219- tests: add `connect to non-listen` keywords 220 221 These tests try to connect to ports nothing is listening on. 222 223 Closes https://github.com/curl/curl/pull/4511 224 225- runtests: get textaware info from curl instead of perl 226 227 The MSYS system on Windows can run the test suite for curl built with 228 any toolset. When built with the MSYS GCC, curl uses Unix line endings, 229 while it uses Windows line endings when built with the MinGW GCC, and 230 `^O` reports 'msys' in both cases. Use the curl executable itself to 231 determine the line endings instead, which reports 'x86_64-pc-msys' when 232 built with the MSYS GCC. 233 234 Closes https://github.com/curl/curl/pull/4506 235 236Daniel Stenberg (20 Oct 2019) 237- [Michał Janiszewski brought this change] 238 239 appveyor: Add MSVC ARM64 build 240 241 Closes #4507 242 243- http2_recv: a closed stream trumps pause state 244 245 ... and thus should return 0, not EAGAIN. 246 247 Reported-by: Tom van der Woerdt 248 Fixes #4496 249 Closes #4505 250 251- http2: expire a timeout at end of stream 252 253 To make sure that transfer is being dealt with. Streams without 254 Content-Length need a final read to notice the end-of-stream state. 255 256 Reported-by: Tom van der Woerdt 257 Fixes #4496 258 259Dan Fandrich (18 Oct 2019) 260- travis: Add an ARM64 build 261 262 Test 323 is failing for some reason, so disable it there for now. 263 264Marcel Raad (18 Oct 2019) 265- examples/sslbackend: fix -Wchar-subscripts warning 266 267 With the `isdigit` implementation that comes with MSYS2, the argument 268 is used as an array subscript, resulting in a -Wchar-subscripts 269 warning. `isdigit`'s behavior is undefined if the argument is negative 270 and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable 271 to `unsigned char` to avoid that. 272 273 [0] https://en.cppreference.com/w/c/string/byte/isdigit 274 275 Closes https://github.com/curl/curl/pull/4503 276 277Daniel Stenberg (18 Oct 2019) 278- configure: remove all cyassl references 279 280 In particular, this removes the case where configure would find an old 281 cyall installation rather than a wolfssl one if present. The library is 282 named wolfssl in modern days so there's no real need to keep support for 283 the former. 284 285 Reported-by: Jacob Barthelmeh 286 Closes #4502 287 288Marcel Raad (17 Oct 2019) 289- test1162: disable MSYS2's POSIX path conversion 290 291 This avoids MSYS2 converting the backslasb in the URL to a slash, 292 causing the test to fail. 293 294Daniel Stenberg (17 Oct 2019) 295- RELEASE-NOTES: synced 296 297Jay Satiro (16 Oct 2019) 298- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time 299 300 Prior to this change some users did not understand that the "request" 301 starts when the handle is added to the multi handle, or probably they 302 did not understand that some of those transfers may be queued and that 303 time is included in timeout. 304 305 Reported-by: Jeroen Ooms 306 307 Fixes https://github.com/curl/curl/issues/4486 308 Closes https://github.com/curl/curl/pull/4489 309 310- [Stian Soiland-Reyes brought this change] 311 312 tool_operate: Fix retry sleep time shown to user when Retry-After 313 314 - If server header Retry-After is being used for retry sleep time then 315 show that value to the user instead of the normal retry sleep time. 316 317 This is a follow-up to 640b973 (7.66.0) which changed curl tool so that 318 the value from Retry-After header overrides other retry timing options. 319 320 Closes https://github.com/curl/curl/pull/4498 321 322Daniel Stenberg (16 Oct 2019) 323- url: normalize CURLINFO_EFFECTIVE_URL 324 325 The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as 326 input in most cases, which made it not get a scheme prefixed like before 327 if the URL was given without one, and it didn't remove dotdot sequences 328 etc. 329 330 Added test case 1907 to verify that this now works as intended and as 331 before 7.62.0. 332 333 Regression introduced in 7.62.0 334 335 Reported-by: Christophe Dervieux 336 Fixes #4491 337 Closes #4493 338 339Marcel Raad (16 Oct 2019) 340- tests: line ending fixes for Windows 341 342 Mark some files as text. 343 344 Closes https://github.com/curl/curl/pull/4490 345 346- tests: use proxy feature 347 348 This makes the tests succeed when using --disable-proxy. 349 350 Closes https://github.com/curl/curl/pull/4488 351 352- smbserver: fix Python 3 compatibility 353 354 Python 2's `ConfigParser` module is spelled `configparser` in Python 3. 355 356 Closes https://github.com/curl/curl/pull/4484 357 358- security: silence conversion warning 359 360 With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, 361 while `read` expects a 32 bit signed integer. 362 Use `sread` instead of `read` to use the correct parameter type. 363 364 Closes https://github.com/curl/curl/pull/4483 365 366- connect: silence sign-compare warning 367 368 With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the 369 result of `sizeof` is unsigned. 370 371 Closes https://github.com/curl/curl/pull/4483 372 373Daniel Stenberg (13 Oct 2019) 374- TODO: Handle growing SFTP files 375 376 Closes #4344 377 378- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" 379 380 The curl_formadd() function is deprecated and shouldn't be used so the 381 real fix for applications is to switch to the curl_mime_* API. 382 383- KNOWN_BUGS: "LDAP on Windows does authentication wrong" 384 385 Closes #3116 386 387- appveyor: add a winbuild that uses VS2017 388 389 Closes #4482 390 391- [Harry Sintonen brought this change] 392 393 socketpair: fix include and define for older TCP header systems 394 395 fixed build for systems that need netinet/in.h for IPPROTO_TCP and are 396 missing INADDR_LOOPBACK 397 398 Closes #4480 399 400- socketpair: fix double-close in error case 401 402 Follow-up to bc2dbef0afc08 403 404- gskit: use the generic Curl_socketpair 405 406- asyn-thread: make use of Curl_socketpair() where available 407 408- socketpair: an implemention for Windows and more 409 410 Curl_socketpair() is designed to be used and work everywhere if there's 411 no native version or the native version isn't good enough. 412 413 Closes #4466 414 415- RELEASE-NOTES: synced 416 417- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT 418 419 Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no 420 matter what errno said. 421 422 This makes for example --retry work on these transfer failures. 423 424 Reported-by: Nathaniel J. Smith 425 Fixes #4461 426 Clsoes #4462 427 428- cirrus: switch off blackhole status on the freebsd CI machines 429 430- tests: use port 2 instead of 60000 for a safer non-listening port 431 432 ... when the tests want "connection refused". 433 434- KNOWN_BUGS: IDN tests failing on Windows 435 436 Closes #3747 437 438Dan Fandrich (9 Oct 2019) 439- cirrus: Increase the git clone depth. 440 441 If more commits are submitted to master between the time of triggering 442 the first Cirrus build and the time the final build gets started, the 443 desired commit is no longer at HEAD and the build will error out. 444 [skip ci] 445 446Daniel Stenberg (9 Oct 2019) 447- docs: make sure the --no-progress-meter docs file is in dist too 448 449- docs: document it as --no-progress-meter instead of the reverse 450 451 Follow-up to 93373a960c3bb4 452 453 Reported-by: infinnovation-dev on github 454 Fixes #4474 455 Closes #4475 456 457Dan Fandrich (9 Oct 2019) 458- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. 459 460 Also, select the images using image_family to get the latest snapshots 461 automatically. 462 [skip ci] 463 464Daniel Stenberg (8 Oct 2019) 465- curl: --no-progress-meter 466 467 New option that allows a user to ONLY switch off curl's progress meter 468 and leave everything else in "talkative" mode. 469 470 Reported-by: Piotr Komborski 471 Fixes #4422 472 Closes #4470 473 474- TODO: Consult %APPDATA% also for .netrc 475 476 Closes #4016 477 478- CURLOPT_TIMEOUT.3: remove the mention of "minutes" 479 480 ... just say that limiting operations risk aborting otherwise fine 481 working transfers. If that means seconds, minutes or hours, we leave to 482 the user. 483 484 Reported-by: Martin Gartner 485 Closes #4469 486 487- [Andrei Valeriu BICA brought this change] 488 489 docs: added multi-event.c example 490 491 Similar to multi-uv.c but using libevent 2. This is a simpler libevent 492 integration example then hiperfifo.c. 493 494 Closes #4471 495 496Jay Satiro (5 Oct 2019) 497- [Nicolas brought this change] 498 499 ldap: fix OOM error on missing query string 500 501 - Allow missing queries, don't return NO_MEMORY error in such a case. 502 503 It is acceptable for there to be no specified query string, for example: 504 505 curl ldap://ldap.forumsys.com 506 507 A regression bug in 1b443a7 caused this issue. 508 509 This is a partial fix for #4261. 510 511 Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 512 Reported-by: Jojojov@users.noreply.github.com 513 Analyzed-by: Samuel Surtees 514 515 Closes https://github.com/curl/curl/pull/4467 516 517- [Paul B. Omta brought this change] 518 519 build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines 520 521 Closes https://github.com/curl/curl/pull/4460 522 523Daniel Stenberg (5 Oct 2019) 524- RELEASE-NOTES: synced 525 526- [Stian Soiland-Reyes brought this change] 527 528 curl: ensure HTTP 429 triggers --retry 529 530 This completes #3794. 531 532 Also make sure the new tests from #4195 are enabled 533 534 Closes #4465 535 536Marcel Raad (4 Oct 2019) 537- [apique brought this change] 538 539 winbuild: add ENABLE_UNICODE option 540 541 Fixes https://github.com/curl/curl/issues/4308 542 Closes https://github.com/curl/curl/pull/4309 543 544Daniel Stenberg (4 Oct 2019) 545- ngtcp2: adapt to API change 546 547 Closes #4457 548 549- cookies: change argument type for Curl_flush_cookies 550 551 The second argument is really a 'bool' so use that and pass in TRUE/FALSE 552 to make it clear. 553 554 Closes #4455 555 556- http2: move state-init from creation to pre-transfer 557 558 To make sure that the HTTP/2 state is initialized correctly for 559 duplicated handles. It would otherwise easily generate "spurious" 560 PRIORITY frames to get sent over HTTP/2 connections when duplicated easy 561 handles were used. 562 563 Reported-by: Daniel Silverstone 564 Fixes #4303 565 Closes #4442 566 567- urlapi: fix use-after-free bug 568 569 Follow-up from 2c20109a9b5d04 570 571 Added test 663 to verify. 572 573 Reported by OSS-Fuzz 574 Bug: https://crbug.com/oss-fuzz/17954 575 576 Closes #4453 577 578- [Paul Dreik brought this change] 579 580 cookie: avoid harmless use after free 581 582 This fix removes a use after free which can be triggered by 583 the internal cookie fuzzer, but otherwise is probably 584 impossible to trigger from an ordinary application. 585 586 The following program reproduces it: 587 588 curl_global_init(CURL_GLOBAL_DEFAULT); 589 CURL* handle=curl_easy_init(); 590 CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); 591 curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); 592 Curl_flush_cookies(handle, true); 593 Curl_cookie_cleanup(info); 594 curl_easy_cleanup(handle); 595 curl_global_cleanup(); 596 597 This was found through fuzzing. 598 599 Closes #4454 600 601- [Denis Chaplygin brought this change] 602 603 docs: add note on failed handles not being counted by curl_multi_perform 604 605 Closes #4446 606 607- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo 608 609- [Niall brought this change] 610 611 ESNI: initial build/setup 612 613 Closes #4011 614 615- RELEASE-NOTES: synced 616 617- redirect: when following redirects to an absolute URL, URL encode it 618 619 ... to make it handle for example (RFC violating) embeded spaces. 620 621 Reported-by: momala454 on github 622 Fixes #4445 623 Closes #4447 624 625- urlapi: fix URL encoding when setting a full URL 626 627- tool_operate: rename functions to make more sense 628 629- curl: create easy handles on-demand and not ahead of time 630 631 This should again enable crazy-large download ranges of the style 632 [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 633 when this new handle allocating scheme was introduced. 634 635 Reported-by: Peter Sumatra 636 Fixes #4393 637 Closes #4438 638 639- [Kunal Ekawde brought this change] 640 641 CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt 642 643 Closes #4410 644 645- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error 646 647 Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the 648 response is chunked-encoded. 649 650 Reported-by: Ilya Kosarev 651 Fixes #4310 652 Closes #4449 653 654Marcel Raad (1 Oct 2019) 655- checksrc: fix uninitialized variable warning 656 657 The loop doesn't need to be executed without a file argument. 658 659 Closes https://github.com/curl/curl/pull/4444 660 661- urlapi: fix unused variable warning 662 663 `dest` is only used with `ENABLE_IPV6`. 664 665 Closes https://github.com/curl/curl/pull/4444 666 667- lib: silence conversion warnings 668 669 Closes https://github.com/curl/curl/pull/4444 670 671- AppVeyor: add 32-bit MinGW-w64 build 672 673 With WinSSL and testing enabled so that it would have detected most of 674 the warnings fixed in [0] and [1]. 675 676 [0] https://github.com/curl/curl/pull/4398 677 [1] https://github.com/curl/curl/pull/4415 678 679 Closes https://github.com/curl/curl/pull/4433 680 681- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild 682 683 It's only used for MSYS2 with MinGW. 684 685 Closes 686 687Daniel Stenberg (30 Sep 2019) 688- [Emil Engler brought this change] 689 690 git: add tests/server/disabled to .gitignore 691 692 Closes #4441 693 694- altsvc: accept quoted ma and persist values 695 696 As mandated by the spec. Test 1654 is extended to verify. 697 698 Closes #4443 699 700- mailmap: a Lucas fix 701 702Alessandro Ghedini (29 Sep 2019) 703- [Lucas Pardue brought this change] 704 705 quiche: update HTTP/3 config creation to new API 706 707Daniel Stenberg (29 Sep 2019) 708- BINDINGS: PureBasic, Net::Curl for perl and Nim 709 710- BINDINGS: Kapito is an Erlang library, basically a binding 711 712- BINDINGS: added clj-curl 713 714 Reported-by: Lucas Severo 715 716- [Jay Satiro brought this change] 717 718 docs: disambiguate CURLUPART_HOST is for host name (ie no port) 719 720 Closes #4424 721 722- cookies: using a share with cookies shouldn't enable the cookie engine 723 724 The 'share object' only sets the storage area for cookies. The "cookie 725 engine" still needs to be enabled or activated using the normal cookie 726 options. 727 728 This caused the curl command line tool to accidentally use cookies 729 without having been told to, since curl switched to using shared cookies 730 in 7.66.0. 731 732 Test 1166 verifies 733 734 Updated test 506 735 736 Fixes #4429 737 Closes #4434 738 739- setopt: handle ALTSVC set to NULL 740 741- RELEASE-NOTES: synced 742 743- [grdowns brought this change] 744 745 INSTALL: add vcpkg installation instructions 746 747 Closes #4435 748 749- [Zenju brought this change] 750 751 FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs 752 753 Add libtest 661 754 755 Closes #4417 756 757- [Zenju brought this change] 758 759 FTP: url-decode path before evaluation 760 761 Closes #4428 762 763Marcel Raad (27 Sep 2019) 764- tests: fix narrowing conversion warnings 765 766 `timediff_t` is 64 bits wide also on 32-bit systems since 767 commit b1616dad8f0. 768 769 Closes https://github.com/curl/curl/pull/4415 770 771Jay Satiro (27 Sep 2019) 772- [julian brought this change] 773 774 vtls: Fix comment typo about macosx-version-min compiler flag 775 776 Closes https://github.com/curl/curl/pull/4425 777 778Daniel Stenberg (26 Sep 2019) 779- [Yechiel Kalmenson brought this change] 780 781 README: minor grammar fix 782 783 Closes #4431 784 785- [Spezifant brought this change] 786 787 HTTP3: fix prefix parameter for ngtcp2 build 788 789 Closes #4430 790 791- quiche: don't close connection at end of stream! 792 793- quiche: set 'drain' when returning without having drained the queues 794 795- Revert "FTP: url-decode path before evaluation" 796 797 This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. 798 799- HTTP3: merged and simplified the two 'running' sections 800 801- HTTP3: show an --alt-svc using example too 802 803- [Zenju brought this change] 804 805 FTP: url-decode path before evaluation 806 807 Closes #4423 808 809- openssl: use strerror on SSL_ERROR_SYSCALL 810 811 Instead of showing the somewhat nonsensical errno number, use strerror() 812 to provide a more relatable error message. 813 814 Closes #4411 815 816- HTTP3: update quic.aiortc.org + add link to server list 817 818 Reported-by: Jeremy Lainé 819 820Jay Satiro (26 Sep 2019) 821- url: don't set appconnect time for non-ssl/non-ssh connections 822 823 Prior to this change non-ssl/non-ssh connections that were reused set 824 TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH 825 handshake took place. 826 827 [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in 828 libcurl and %{time_appconnect} in the curl tool. It is documented as 829 "the time until the SSL/SSH handshake is completed". 830 831 Reported-by: Marcel Hernandez 832 833 Ref: https://github.com/curl/curl/issues/3760 834 835 Closes https://github.com/curl/curl/pull/3773 836 837Daniel Stenberg (25 Sep 2019) 838- ngtcp2: remove fprintf() calls 839 840 - convert some of them to H3BUF() calls to infof() 841 - remove some of them completely 842 - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now 843 844 Closes #4421 845 846- [Jay Satiro brought this change] 847 848 url: fix the NULL hostname compiler warning case 849 850 Closes #4403 851 852- [Jay Satiro brought this change] 853 854 travis: move the go install to linux-only 855 856 ... to repair the build again 857 Closes #4403 858 859- altsvc: correct the #ifdef for the ngtcp2 backend 860 861- altsvc: save h3 as h3-23 862 863 Follow-up to d176a2c7e5 864 865- urlapi: question mark within fragment is still fragment 866 867 The parser would check for a query part before fragment, which caused it 868 to do wrong when the fragment contains a question mark. 869 870 Extended test 1560 to verify. 871 872 Reported-by: Alex Konev 873 Fixes #4412 874 Closes #4413 875 876- [Alex Samorukov brought this change] 877 878 HTTP3.md: move -p for mkdir, remove -j for make 879 880 - mkdir on OSX/Darwin requires `-p` argument before dir 881 882 - portabbly figuring out number of cores is an exercise for somewhere 883 else 884 885 Closes #4407 886 887Patrick Monnerat (24 Sep 2019) 888- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, 889 890 As libcurl now uses these 2 system functions, wrappers are needed on os400 891 to convert returned AF_UNIX sockaddrs to ascii. 892 893 This is a follow-up to commit 7fb54ef. 894 See also #4037. 895 Closes #4214 896 897Jay Satiro (24 Sep 2019) 898- [Lucas Pardue brought this change] 899 900 strcase: fix raw lowercasing the letter X 901 902 Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to 903 this change. 904 905 Follow-up to 0023fce which added the function several days ago. 906 907 Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 908 909 Closes https://github.com/curl/curl/pull/4408 910 911Daniel Stenberg (23 Sep 2019) 912- http2: Expression 'stream->stream_id != - 1' is always true 913 914 PVS-Studio warning 915 Fixes #4402 916 917- http2: A value is being subtracted from the unsigned variable 918 919 PVS-Studio warning 920 Fixes #4402 921 922- libssh: part of conditional expression is always true: !result 923 924 PVS-Studio warning 925 Fixed #4402 926 927- libssh: part of conditional expression is always true 928 929 PVS-Studio warning 930 Fixes #4402 931 932- libssh: The expression is excessive or contains a misprint 933 934 PVS-Studio warning 935 Fixes #4402 936 937- quiche: The expression must be surrounded by parentheses 938 939 PVS-Studio warning 940 Fixes #4402 941 942- vauth: The parameter 'status' must be surrounded by parentheses 943 944 PVS-Studio warning 945 Fixes #4402 946 947- [Paul Dreik brought this change] 948 949 doh: allow only http and https in debug mode 950 951 Otherwise curl may be told to use for instance pop3 to 952 communicate with the doh server, which most likely 953 is not what you want. 954 955 Found through fuzzing. 956 957 Closes #4406 958 959- [Paul Dreik brought this change] 960 961 doh: return early if there is no time left 962 963 Closes #4406 964 965- [Barry Pollard brought this change] 966 967 http: lowercase headernames for HTTP/2 and HTTP/3 968 969 Closes #4401 970 Fixes #4400 971 972Marcel Raad (23 Sep 2019) 973- vtls: fix narrowing conversion warnings 974 975 Curl_timeleft returns `timediff_t`, which is 64 bits wide also on 976 32-bit systems since commit b1616dad8f0. 977 978 Closes https://github.com/curl/curl/pull/4398 979 980Daniel Stenberg (23 Sep 2019) 981- [Joel Depooter brought this change] 982 983 winbuild: Add manifest to curl.exe for proper OS version detection 984 985 This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 986 in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to 987 CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is 988 overwritten. The fix is to append values to CURL_RC_FLAGS instead of 989 overwriting 990 991 Closes #4399 992 993- RELEASE-NOTES: synced 994 995Marcel Raad (22 Sep 2019) 996- openssl: fix compiler warning with LibreSSL 997 998 It was already fixed for BoringSSL in commit a0f8fccb1e0. 999 LibreSSL has had the second argument to SSL_CTX_set_min_proto_version 1000 as uint16_t ever since the function was added in [0]. 1001 1002 [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda 1003 1004 Closes https://github.com/curl/curl/pull/4397 1005 1006Daniel Stenberg (22 Sep 2019) 1007- curl: exit the create_transfers loop on errors 1008 1009 When looping around the ranges and given URLs to create transfers, all 1010 errors should exit the loop and return. Previously it would keep 1011 looping. 1012 1013 Reported-by: SumatraPeter on github 1014 Bug: #4393 1015 Closes #4396 1016 1017Jay Satiro (21 Sep 2019) 1018- socks: Fix destination host shown on SOCKS5 error 1019 1020 Prior to this change when a server returned a socks5 connect error then 1021 curl would parse the destination address:port from that data and show it 1022 to the user as the destination: 1023 1024 curld -v --socks5 10.0.3.1:1080 http://google.com:99 1025 * SOCKS5 communication to google.com:99 1026 * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) 1027 * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) 1028 curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) 1029 1030 That's incorrect because the address:port included in the connect error 1031 is actually a bind address:port (typically unused) and not the 1032 destination address:port. This fix changes curl to show the destination 1033 information that curl sent to the server instead: 1034 1035 curld -v --socks5 10.0.3.1:1080 http://google.com:99 1036 * SOCKS5 communication to google.com:99 1037 * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) 1038 * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) 1039 curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) 1040 1041 curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 1042 * SOCKS5 communication to google.com:99 1043 * SOCKS5 connect to google.com:99 (remotely resolved) 1044 * Can't complete SOCKS5 connection to google.com:99. (1) 1045 curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) 1046 1047 Ref: https://tools.ietf.org/html/rfc1928#section-6 1048 1049 Closes https://github.com/curl/curl/pull/4394 1050 1051Daniel Stenberg (21 Sep 2019) 1052- travis: enable ngtcp2 h3-23 builds 1053 1054- altsvc: both backends run h3-23 now 1055 1056 Closes #4395 1057 1058- http: fix warning on conversion from int to bit 1059 1060 Follow-up from 03ebe66d70 1061 1062- urldata: use 'bool' for the bit type on MSVC compilers 1063 1064 Closes #4387 1065 Fixes #4379 1066 1067- appveyor: upgrade VS2017 to VS2019 1068 1069 Closes #4383 1070 1071- [Zenju brought this change] 1072 1073 FTP: FTPFILE_NOCWD: avoid redundant CWDs 1074 1075 Closes #4382 1076 1077- cookie: pass in the correct cookie amount to qsort() 1078 1079 As the loop discards cookies without domain set. This bug would lead to 1080 qsort() trying to sort uninitialized pointers. We have however not found 1081 it a security problem. 1082 1083 Reported-by: Paul Dreik 1084 Closes #4386 1085 1086- [Paul Dreik brought this change] 1087 1088 urlapi: avoid index underflow for short ipv6 hostnames 1089 1090 If the input hostname is "[", hlen will underflow to max of size_t when 1091 it is subtracted with 2. 1092 1093 hostname[hlen] will then cause a warning by ubsanitizer: 1094 1095 runtime error: addition of unsigned offset to 0x<snip> overflowed to 1096 0x<snip> 1097 1098 I think that in practice, the generated code will work, and the output 1099 of hostname[hlen] will be the first character "[". 1100 1101 This can be demonstrated by the following program (tested in both clang 1102 and gcc, with -O3) 1103 1104 int main() { 1105 char* hostname=strdup("["); 1106 size_t hlen = strlen(hostname); 1107 1108 hlen-=2; 1109 hostname++; 1110 printf("character is %d\n",+hostname[hlen]); 1111 free(hostname-1); 1112 } 1113 1114 I found this through fuzzing, and even if it seems harmless, the proper 1115 thing is to return early with an error. 1116 1117 Closes #4389 1118 1119- [Tatsuhiro Tsujikawa brought this change] 1120 1121 ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 1122 1123 Closes #4392 1124 1125- THANKS-filter: deal with my typos 'Jat' => 'Jay' 1126 1127- travis: use go master 1128 1129 ... as the boringssl builds needs a very recent version 1130 1131 Co-authored-by: Jat Satiro 1132 Closes #4361 1133 1134- tool_operate: removed unused variable 'done' 1135 1136 Fixes warning detected by PVS-Studio 1137 Fixes #4374 1138 1139- tool_operate: Expression 'config->resume_from' is always true 1140 1141 Fixes warning detected by PVS-Studio 1142 Fixes #4374 1143 1144- tool_getparam: remove duplicate switch case 1145 1146 Fixes warning detected by PVS-Studio 1147 Fixes #4374 1148 1149- libssh2: part of conditional expression is always true: !result 1150 1151 Fixes warning detected by PVS-Studio 1152 Fixes #4374 1153 1154- urlapi: Expression 'storep' is always true 1155 1156 Fixes warning detected by PVS-Studio 1157 Fixes #4374 1158 1159- urlapi: 'scheme' is always true 1160 1161 Fixes warning detected by PVS-Studio 1162 Fixes #4374 1163 1164- urlapi: part of conditional expression is always true: (relurl[0] == '/') 1165 1166 Fixes warning detected by PVS-Studio 1167 Fixes #4374 1168 1169- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly 1170 1171 Fixes bug detected by PVS-Studio 1172 Fixes #4374 1173 1174- mime: make Curl_mime_duppart() assert if called without valid dst 1175 1176 Fixes warning detected by PVS-Studio 1177 Fixes #4374 1178 1179- http_proxy: part of conditional expression is always true: !error 1180 1181 Fixes warning detected by PVS-Studio 1182 Fixes #4374 1183 1184- imap: merged two case-branches performing the same action 1185 1186 Fixes warning detected by PVS-Studio 1187 Fixes #4374 1188 1189- multi: value '2L' is assigned to a boolean 1190 1191 Fixes warning detected by PVS-Studio 1192 Fixes #4374 1193 1194- easy: part of conditional expression is always true: !result 1195 1196 Fixes warning detected by PVS-Studio 1197 Fixes #4374 1198 1199- netrc: part of conditional expression is always true: !done 1200 1201 Fixes warning detected by PVS-Studio 1202 Fixes #4374 1203 1204- version: Expression 'left > 1' is always true 1205 1206 Fixes warning detected by PVS-Studio 1207 Fixes #4374 1208 1209- url: remove dead code 1210 1211 Fixes warning detected by PVS-Studio 1212 Fixes #4374 1213 1214- url: part of expression is always true: (bundle->multiuse == 0) 1215 1216 Fixes warning detected by PVS-Studio 1217 Fixes #4374 1218 1219- ftp: the conditional expression is always true 1220 1221 ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! 1222 1223 Fixes warning detected by PVS-Studio 1224 Fixes #4374 1225 1226- ftp: Expression 'ftpc->wait_data_conn' is always false 1227 1228 Fixes warning detected by PVS-Studio 1229 Fixes #4374 1230 1231- ftp: Expression 'ftpc->wait_data_conn' is always true 1232 1233 Fixes warning detected by PVS-Studio 1234 Fixes #4374 1235 1236- ftp: part of conditional expression is always true: !result 1237 1238 Fixes warning detected by PVS-Studio 1239 Fixes #4374 1240 1241- http: fix Expression 'http->postdata' is always false 1242 1243 Fixes warning detected by PVS-Studio 1244 Fixes #4374 1245 Reported-by: Valerii Zapodovnikov 1246 1247- [Niall O'Reilly brought this change] 1248 1249 doh: avoid truncating DNS QTYPE to lower octet 1250 1251 Closes #4381 1252 1253- [Jens Finkhaeuser brought this change] 1254 1255 urlapi: CURLU_NO_AUTHORITY allows empty authority/host part 1256 1257 CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not 1258 "file:///") to override cURL's default demand that an authority exists. 1259 1260 Closes #4349 1261 1262- version: next release will be 7.67.0 1263 1264- RELEASE-NOTES: synced 1265 1266- url: only reuse TLS connections with matching pinning 1267 1268 If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the 1269 connection should not be reused. 1270 1271 Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html 1272 Reported-by: Sebastian Haglund 1273 1274 Closes #4347 1275 1276- README: add OSS-Fuzz badge [skip ci] 1277 1278 Closes #4380 1279 1280Michael Kaufmann (18 Sep 2019) 1281- http: merge two "case" statements 1282 1283Daniel Stenberg (18 Sep 2019) 1284- [Zenju brought this change] 1285 1286 FTP: remove trailing slash from path for LIST/MLSD 1287 1288 Closes #4348 1289 1290- mime: when disabled, avoid C99 macro 1291 1292 Closes #4368 1293 1294- url: cleanup dangling DOH request headers too 1295 1296 Follow-up to 9bc44ff64d9081 1297 1298 Credit to OSS-Fuzz 1299 Bug: https://crbug.com/oss-fuzz/17269 1300 1301 Closes #4372 1302 1303- [Christoph M. Becker brought this change] 1304 1305 http2: relax verification of :authority in push promise requests 1306 1307 If the :authority pseudo header field doesn't contain an explicit port, 1308 we assume it is valid for the default port, instead of rejecting the 1309 request for all ports. 1310 1311 Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html 1312 1313 Closes #4365 1314 1315- doh: clean up dangling DOH handles and memory on easy close 1316 1317 If you set the same URL for target as for DoH (and it isn't a DoH 1318 server), like "https://example.com" in both, the easy handles used for 1319 the DoH requests could be left "dangling" and end up not getting freed. 1320 1321 Reported-by: Paul Dreik 1322 Closes #4366 1323 1324- unit1655: make it C90 compliant 1325 1326 Unclear why this was not detected in the CI. 1327 1328 Follow-up to b7666027296a 1329 1330- smb: check for full size message before reading message details 1331 1332 To avoid reading of uninitialized data. 1333 1334 Assisted-by: Max Dymond 1335 Bug: https://crbug.com/oss-fuzz/16907 1336 Closes #4363 1337 1338- quiche: persist connection details 1339 1340 ... like we do for other protocols at connect time. This makes "curl -I" 1341 and other things work. 1342 1343 Reported-by: George Liu 1344 Fixes #4358 1345 Closes #4360 1346 1347- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version 1348 1349 Follow-up to ffe34b7b59 1350 Closes #4359 1351 1352- [Paul Dreik brought this change] 1353 1354 doh: fix undefined behaviour and open up for gcc and clang optimization 1355 1356 The undefined behaviour is annoying when running fuzzing with 1357 sanitizers. The codegen is the same, but the meaning is now not up for 1358 dispute. See https://cppinsights.io/s/516a2ff4 1359 1360 By incrementing the pointer first, both gcc and clang recognize this as 1361 a bswap and optimizes it to a single instruction. See 1362 https://godbolt.org/z/994Zpx 1363 1364 Closes #4350 1365 1366- [Paul Dreik brought this change] 1367 1368 doh: fix (harmless) buffer overrun 1369 1370 Added unit test case 1655 to verify. 1371 Close #4352 1372 1373 the code correctly finds the flaws in the old code, 1374 if one temporarily restores doh.c to the old version. 1375 1376Alessandro Ghedini (15 Sep 2019) 1377- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man 1378 1379- docs: fix typo in CURLOPT_HTTP_VERSION man 1380 1381GitHub (14 Sep 2019) 1382- [Daniel Stenberg brought this change] 1383 1384 CI: inintial github action job 1385 1386 First shot at a CI build on github actions 1387 1388Daniel Stenberg (13 Sep 2019) 1389- appveyor: add a winbuild 1390 1391 Assisted-by: Marcel Raad 1392 Assisted-by: Jay Satiro 1393 1394 Closes #4324 1395 1396- FTP: allow "rubbish" prepended to the SIZE response 1397 1398 This is a protocol violation but apparently there are legacy proprietary 1399 servers doing this. 1400 1401 Added test 336 and 337 to verify. 1402 1403 Reported-by: Philippe Marguinaud 1404 Closes #4339 1405 1406- [Zenju brought this change] 1407 1408 FTP: skip CWD to entry dir when target is absolute 1409 1410 Closes #4332 1411 1412Kamil Dudka (13 Sep 2019) 1413- curl: fix memory leaked by parse_metalink() 1414 1415 This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. 1416 Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind 1417 and libmetalink enabled. 1418 1419 Closes #4326 1420 1421Daniel Stenberg (13 Sep 2019) 1422- parsedate: still provide the name arrays when disabled 1423 1424 If FILE or FTP are enabled, since they also use them! 1425 1426 Reported-by: Roland Hieber 1427 Fixes #4325 1428 Closes #4343 1429 1430- [Gilles Vollant brought this change] 1431 1432 curl:file2string: load large files much faster 1433 1434 ... by using a more efficient realloc scheme. 1435 1436 Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html 1437 Closes #4336 1438 1439- openssl: close_notify on the FTP data connection doesn't mean closure 1440 1441 For FTPS transfers, curl gets close_notify on the data connection 1442 without that being a signal to close the control connection! 1443 1444 Regression since 3f5da4e59a556fc (7.65.0) 1445 1446 Reported-by: Zenju on github 1447 Reviewed-by: Jay Satiro 1448 Fixes #4329 1449 Closes #4340 1450 1451- [Jimmy Gaussen brought this change] 1452 1453 docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag 1454 1455 Closes #4338 1456 1457- RELEASE-NOTES: synced 1458 1459- curlver: bump to 7.66.1 1460 1461- [Zenju brought this change] 1462 1463 setopt: make it easier to add new enum values 1464 1465 ... by using the *_LAST define names better. 1466 1467 Closes #4321 1468 1469- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris 1470 1471 Reported-by: Dagobert Michelsen 1472 Fixes #4328 1473 Closes #4333 1474 1475- [Bernhard Walle brought this change] 1476 1477 winbuild/MakefileBuild.vc: Add vssh 1478 1479 Without that modification, the Windows build using the makefiles doesn't 1480 work. 1481 1482 Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu> 1483 1484 Fixes #4322 1485 Closes #4323 1486 1487Bernhard Walle (11 Sep 2019) 1488- winbuild/MakefileBuild.vc: Fix line endings 1489 1490 The file had mixed line endings. 1491 1492 Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu> 1493 1494Jay Satiro (11 Sep 2019) 1495- ldap: Stop using wide char version of ldapp_err2string 1496 1497 Despite ldapp_err2string being documented by MS as returning a 1498 PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and 1499 returns PWCHAR (wchar_t *). 1500 1501 We have lots of code that expects ldap_err2string to return char *, 1502 most of it failf used like this: 1503 1504 failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); 1505 1506 Closes https://github.com/curl/curl/pull/4272 1507 1508Version 7.66.0 (10 Sep 2019) 1509 1510Daniel Stenberg (10 Sep 2019) 1511- RELEASE-NOTES: curl 7.66.0 1512 1513- THANKS: from the 7.66.0 release 1514 1515- curl: make sure the parallel transfers do them all 1516 1517 The logic could erroneously break the loop too early before all 1518 transfers had been transferred. 1519 1520 Reported-by: Tom van der Woerdt 1521 Fixes #4316 1522 Closes #4317 1523 1524- urlapi: one colon is enough for the strspn() input (typo) 1525 1526- urlapi: verify the IPv6 numerical address 1527 1528 It needs to parse correctly. Otherwise it could be tricked into letting 1529 through a-f using host names that libcurl would then resolve. Like 1530 '[ab.be]'. 1531 1532 Reported-by: Thomas Vegas 1533 Closes #4315 1534 1535- [Clément Notin brought this change] 1536 1537 openssl: use SSL_CTX_set_<min|max>_proto_version() when available 1538 1539 OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use 1540 when available. Existing code is preserved for older versions of 1541 OpenSSL. 1542 1543 Closes #4304 1544 1545- [Clément Notin brought this change] 1546 1547 openssl: indent, re-organize and add comments 1548 1549- [migueljcrum brought this change] 1550 1551 sspi: fix memory leaks 1552 1553 Closes #4299 1554 1555- travis: disable ngtcp2 builds (again) 1556 1557- Curl_fillreadbuffer: avoid double-free trailer buf on error 1558 1559 Reviewed-by: Jay Satiro 1560 Reported-by: Thomas Vegas 1561 1562 Closes #4307 1563 1564- tool_setopt: handle a libcurl build without netrc support 1565 1566 Reported-by: codesniffer13 on github 1567 Fixes #4302 1568 Closes #4305 1569 1570- security:read_data fix bad realloc() 1571 1572 ... that could end up a double-free 1573 1574 CVE-2019-5481 1575 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html 1576 1577- [Thomas Vegas brought this change] 1578 1579 tftp: Alloc maximum blksize, and use default unless OACK is received 1580 1581 Fixes potential buffer overflow from 'recvfrom()', should the server 1582 return an OACK without blksize. 1583 1584 Bug: https://curl.haxx.se/docs/CVE-2019-5482.html 1585 CVE-2019-5482 1586 1587- [Thomas Vegas brought this change] 1588 1589 tftp: return error when packet is too small for options 1590 1591- KNOWN_BUGS/TODO: cleanup and remove outdated issues 1592 1593- RELEASE-NOTES: synced 1594 1595- netrc: free 'home' on error 1596 1597 Follow-up to f9c7ba9096ec2 1598 1599 Coverity CID 1453474 1600 1601 Closes #4291 1602 1603- urldata: avoid 'generic', use dedicated pointers 1604 1605 For the 'proto' union within the connectdata struct. 1606 1607 Closes #4290 1608 1609- cleanup: move functions out of url.c and make them static 1610 1611 Closes #4289 1612 1613- smtp: check for and bail out on too short EHLO response 1614 1615 Otherwise, a three byte response would make the smtp_state_ehlo_resp() 1616 function misbehave. 1617 1618 Credit to OSS-Fuzz 1619 Bug: https://crbug.com/oss-fuzz/16918 1620 1621 Assisted-by: Max Dymond 1622 1623 Closes #4287 1624 1625- smb: init *msg to NULL in smb_send_and_recv() 1626 1627 ... it might otherwise return OK from this function leaving that pointer 1628 uninitialized. 1629 1630 Bug: https://crbug.com/oss-fuzz/16907 1631 1632 Closes #4286 1633 1634- ROADMAP: updated after recent user poll 1635 1636 In rough prio order 1637 1638- THANKS: remove duplicate 1639 1640- Curl_addr2string: take an addrlen argument too 1641 1642 This allows the function to figure out if a unix domain socket has a 1643 file name or not associated with it! When a socket is created with 1644 socketpair(), as done in the fuzzer testing, the path struct member is 1645 uninitialized and must not be accessed. 1646 1647 Bug: https://crbug.com/oss-fuzz/16699 1648 1649 Closes #4283 1650 1651- [Rolf Eike Beer brought this change] 1652 1653 CMake: remove needless newlines at end of gss variables 1654 1655- [Rolf Eike Beer brought this change] 1656 1657 CI: remove duplicate configure flag for LGTM.com 1658 1659- [Rolf Eike Beer brought this change] 1660 1661 CMake: use platform dependent name for dlopen() library 1662 1663 Closes #4279 1664 1665- quiche: expire when poll returned data 1666 1667 ... to make sure we continue draining the queue until empty 1668 1669 Closes #4281 1670 1671- quiche: decrease available buffer size, don't assign it! 1672 1673 Found-by: Jeremy Lainé 1674 1675- RELEASE-NOTES: synced 1676 1677- [Kyohei Kadota brought this change] 1678 1679 curl: fix include conditions 1680 1681- [Kyohei Kadota brought this change] 1682 1683 plan9: fix installation instructions 1684 1685 Closes #4276 1686 1687- ngtcp2: on h3 stream close, call expire 1688 1689 ... to trigger a new read to detect the stream close! 1690 1691 Closes #4275 1692 1693- [Tatsuhiro Tsujikawa brought this change] 1694 1695 ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl 1696 1697 Closes #4278 1698 1699- ngtcp2: set flow control window to stream buffer size 1700 1701 Closes #4274 1702 1703- [Christopher Head brought this change] 1704 1705 CURLOPT_HEADERFUNCTION.3: clarify 1706 1707 Closes #4273 1708 1709- CURLINFO docs: mention that in redirects times are added 1710 1711 Suggested-by: Brandon Dong 1712 Fixes #4250 1713 Closes #4269 1714 1715- travis: enable ngtcp2 builds again 1716 1717 Switched to the openssl-quic-draft-22 openssl branch. 1718 1719 Closes #4271 1720 1721- HTTP3: switched openssl branch to use 1722 1723- [Tatsuhiro Tsujikawa brought this change] 1724 1725 ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl 1726 1727 Closes #4270 1728 1729- http2: when marked for closure and wanted to close == OK 1730 1731 It could otherwise return an error even when closed correctly if GOAWAY 1732 had been received previously. 1733 1734 Reported-by: Tom van der Woerdt 1735 Fixes #4267 1736 Closes #4268 1737 1738- RELEASE-NOTES: synced 1739 1740- build-openssl: fix build with Visual Studio 2019 1741 1742 Reviewed-by: Marcel Raad 1743 Contributed-by: osabc on github 1744 Fixes #4188 1745 Closes #4266 1746 1747Kamil Dudka (26 Aug 2019) 1748- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure 1749 1750 This is a follow-up to https://github.com/curl/curl/pull/3864 . 1751 1752 Closes #4224 1753 1754Daniel Stenberg (26 Aug 2019) 1755- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows 1756 1757 Closes #4040 1758 1759- quiche: send the HTTP body correctly on callback uploads 1760 1761 Closes #4265 1762 1763- travis: disable ngtcp2 builds (temporarily) 1764 1765 Just too many API changes right now 1766 1767 Closes #4264 1768 1769- ngtcp2: add support for SSLKEYLOGFILE 1770 1771 Closes #4260 1772 1773- ngtcp2: improve h3 response receiving 1774 1775 Closes #4259 1776 1777- ngtcp2: use nghttp3_version() 1778 1779- ngtcp2: sync with upstream API changes 1780 1781 Assisted-by: Tatsuhiro Tsujikawa 1782 1783- [Kyle Abramowitz brought this change] 1784 1785 scp: fix directory name length used in memcpy 1786 1787 Fix read off end of array due to bad pointer math in getworkingpath for 1788 SCP home directory case. 1789 1790 Closes #4258 1791 1792- http: the 'closed' struct field is used by both ngh2 and ngh3 1793 1794 and remove 'header_recvbuf', not used for anything 1795 1796 Reported-by: Jeremy Lainé 1797 1798 Closes #4257 1799 1800- ngtcp2: accept upload via callback 1801 1802 Closes #4256 1803 1804- defines: avoid underscore-prefixed defines 1805 1806 Double-underscored or underscore plus uppercase letter at least. 1807 1808 ... as they're claimed to be reserved. 1809 1810 Reported-by: patnyb on github 1811 1812 Fixes #4254 1813 Closes #4255 1814 1815- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) 1816 1817 Runs no tests 1818 1819 Closes #4253 1820 1821- travis: bump to using nghttp2 version 1.39.2 1822 1823 Closes #4252 1824 1825- [Gisle Vanem brought this change] 1826 1827 docs/examples/curlx: fix errors 1828 1829 Initialise 'mimetype' and require the -p12 arg. 1830 1831 Closes #4248 1832 1833- cleanup: remove DOT_CHAR completely 1834 1835 Follow-up to f9c7ba9096ec 1836 1837 The use of DOT_CHAR for ".ssh" was probably a mistake and is removed 1838 now. 1839 1840 Pointed-out-by: Gisle Vanem 1841 Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 1842 1843 Closes #4247 1844 1845- spnego_sspi: add typecast to fix build warning 1846 1847 Reported in build "Win32 target on Debian Stretch (64-bit) - 1848 i686-w64-mingw32 - gcc-20170516" 1849 1850 Closes #4245 1851 1852- openssl: build warning free with boringssl 1853 1854 Closes #4244 1855 1856- curl: make --libcurl use CURL_HTTP_VERSION_3 1857 1858 Closes #4243 1859 1860- ngtcp2: make postfields-set posts work 1861 1862 Closes #4242 1863 1864- http: remove chunked-encoding and expect header use for HTTP/3 1865 1866- [Alessandro Ghedini brought this change] 1867 1868 configure: use pkg-config to detect quiche 1869 1870 This removes the need to hard-code the quiche target path in 1871 configure.ac. 1872 1873 This depends on https://github.com/cloudflare/quiche/pull/128 1874 1875 Closes #4237 1876 1877- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 1878 1879 For a long time (since 7.28.1) we've returned error when setting the 1880 value to 1 to make applications notice that we stopped supported the old 1881 behavior for 1. Starting now, we treat 1 and 2 exactly the same. 1882 1883 Closes #4241 1884 1885- curl: use .curlrc (with a dot) on Windows as well 1886 1887 Fall-back to _curlrc if the dot-version is missing. 1888 1889 Co-Authored-By: Steve Holme 1890 1891 Closes #4230 1892 1893- netrc: make the code try ".netrc" on Windows as well 1894 1895 ... but fall back and try "_netrc" too if the dot version didn't work. 1896 1897 Co-Authored-By: Steve Holme 1898 1899- ngtcp2: use ngtcp2_version() to get the run-time version 1900 1901 ... which of course doesn't have to be the same used at build-time. 1902 1903 Function just recently merged in ngtcp2. 1904 1905- ngtcp2: move the h3 initing to immediately after the rx key 1906 1907 To fix a segfault and to better deal with 0-RTT 1908 1909 Assisted-by: Tatsuhiro Tsujikawa 1910 1911- [Alessandro Ghedini brought this change] 1912 1913 quiche: register debug callback once and earlier 1914 1915 The quiche debug callback is global and can only be initialized once, so 1916 make sure we don't do it multiple times (e.g. if multiple requests are 1917 executed). 1918 1919 In addition this initializes the callback before the connection is 1920 created, so we get logs for the handshake as well. 1921 1922 Closes #4236 1923 1924- ssh: add a generic Curl_ssh_version function for SSH backends 1925 1926 Closes #4235 1927 1928- base64: check for SSH, not specific SSH backends 1929 1930- vssh: move ssh init/cleanup functions into backend code 1931 1932- vssh: create directory for SSH backend code 1933 1934- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 1935 1936 HTTP3 is now already in full progress 1937 1938 Downgrade redirects can be achived almost exactly like that by setting 1939 CURLOPT_REDIR_PROTOCOLS. 1940 1941- RELEASE-NOTES: synced 1942 1943- travis: add a quiche build 1944 1945 Closes #4207 1946 1947- http: fix use of credentials from URL when using HTTP proxy 1948 1949 When a username and password are provided in the URL, they were wrongly 1950 removed from the stored URL so that subsequent uses of the same URL 1951 wouldn't find the crendentials. This made doing HTTP auth with multiple 1952 connections (like Digest) mishave. 1953 1954 Regression from 46e164069d1a5230 (7.62.0) 1955 1956 Test case 335 added to verify. 1957 1958 Reported-by: Mike Crowe 1959 1960 Fixes #4228 1961 Closes #4229 1962 1963- [Mike Crowe brought this change] 1964 1965 tests: Replace outdated test case numbering documentation 1966 1967 Tests are no longer grouped by numeric range[1]. Let's stop saying that 1968 and provide some alternative advice for numbering tests. 1969 1970 [1] https://curl.haxx.se/mail/lib-2019-08/0043.html 1971 1972 Closes #4227 1973 1974- travis: reduce number of torture tests in 'coverage' 1975 1976 ... to make it complete in time. This cut seems not almost not affect 1977 the coverage percentage and yet completes within 35 minutes on travis 1978 where the previous runs recently always timed out after 50. 1979 1980 Closes #4223 1981 1982- [Igor Makarov brought this change] 1983 1984 configure: use -lquiche to link to quiche 1985 1986 Closes #4226 1987 1988- ngtcp2: provide the callbacks as a static struct 1989 1990 ... instead of having them in quicsocket 1991 1992- [Tatsuhiro Tsujikawa brought this change] 1993 1994 ngtcp2: add missing nghttp3_conn_add_write_offset call 1995 1996 Closes #4225 1997 1998- [Tatsuhiro Tsujikawa brought this change] 1999 2000 ngtcp2: deal with stream close 2001 2002- [Tatsuhiro Tsujikawa brought this change] 2003 2004 ngtcp2: Consume QUIC STREAM data properly 2005 2006- [Tatsuhiro Tsujikawa brought this change] 2007 2008 ngtcp2: don't reinitialize SSL on Retry 2009 2010- multi: getsock improvements for QUIC connecting 2011 2012- connect: connections are persistent by default for HTTP/3 2013 2014- quiche: happy eyeballs 2015 2016 Closes #4220 2017 2018- ngtcp2: do QUIC connections happy-eyeballs friendly 2019 2020- curl_version: bump string buffer size to 250 2021 2022 With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which 2023 causes a truncated output). 2024 2025- CURLOPT_ALTSVC.3: use a "" file name to not load from a file 2026 2027Jay Satiro (14 Aug 2019) 2028- vauth: Use CURLE_AUTH_ERROR for auth function errors 2029 2030 - Add new error code CURLE_AUTH_ERROR. 2031 2032 Prior to this change auth function errors were signaled by 2033 CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was 2034 technically correct. 2035 2036 Ref: https://github.com/curl/curl/pull/3848 2037 2038 Co-authored-by: Dominik Hölzl 2039 2040 Closes https://github.com/curl/curl/pull/3864 2041 2042Daniel Stenberg (13 Aug 2019) 2043- curl_version_info: make the quic_version a const 2044 2045 Follow-up from 1a2df1518ad8653f 2046 2047 Closes #4222 2048 2049- examples: add http3.c, altsvc.c and http3-present.c 2050 2051 Closes #4221 2052 2053Peter Wu (13 Aug 2019) 2054- nss: use TLSv1.3 as default if supported 2055 2056 SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported 2057 range in NSS 3.45. It looks like the intention is to raise the minimum 2058 version rather than lowering the maximum, so adjust accordingly. Note 2059 that the caller (nss_setup_connect) initializes the version range to 2060 (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. 2061 2062 Closes #4187 2063 Reviewed-by: Daniel Stenberg 2064 Reviewed-by: Kamil Dudka 2065 2066Daniel Stenberg (13 Aug 2019) 2067- quic.h: remove unused proto 2068 2069- curl_version_info.3: mentioned ALTSVC and HTTP3 2070 2071 ... and sorted the list alphabetically 2072 2073- lib/quic.c: unused - removed 2074 2075- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED 2076 2077 Follow-up to 98c3f148 that removed it from the header file 2078 2079- [Junho Choi brought this change] 2080 2081 docs/HTTP3: simplify quiche build instruction 2082 2083 Use --recursive to get boringssl in one line 2084 2085 Closes #4219 2086 2087- altsvc: make it use h3-22 with ngtcp2 as well 2088 2089- ngtcp2: initial h3 request work 2090 2091 Closes #4217 2092 2093- curl_version_info: offer quic (and h3) library info 2094 2095 Closes #4216 2096 2097- HTTP3: use ngtcp2's draft-22 branch 2098 2099- RELEASE-NOTES: synced 2100 2101- CURLOPT_READFUNCTION.3: provide inline example 2102 2103 ... instead of mentioning one in another place 2104 2105- [Tatsuhiro Tsujikawa brought this change] 2106 2107 ngtcp2: send HTTP/3 request with nghttp3 2108 2109 This commit makes sending HTTP/3 request with nghttp3 work. It 2110 minimally receives HTTP response and calls nghttp3 callbacks, but no 2111 processing is made at the moment. 2112 2113 Closes #4215 2114 2115- nghttp3: initial h3 template code added 2116 2117- nghttp3: required when ngtcp2 is used for QUIC 2118 2119 - checked for by configure 2120 - updated docs/HTTP3.md 2121 - shown in the version string 2122 2123 Closes #4210 2124 2125- [Eric Wong brought this change] 2126 2127 asyn-thread: issue CURL_POLL_REMOVE before closing socket 2128 2129 This avoids EBADF errors from EPOLL_CTL_DEL operations in the 2130 ephiperfifo.c example. EBADF is dangerous in multi-threaded 2131 applications where I rely on epoll_ctl to operate on the same 2132 epoll description from different threads. 2133 2134 Follow-up to eb9a604f8d7db8 2135 2136 Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html 2137 Closes #4211 2138 2139- [Carlo Marcelo Arenas Belón brought this change] 2140 2141 configure: avoid undefined check_for_ca_bundle 2142 2143 instead of using a "greater than 0" test, check for variable being 2144 set, as it is always set to 1, and could be left unset if non of 2145 OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. 2146 2147 Closes #4213 2148 2149- [Tatsuhiro Tsujikawa brought this change] 2150 2151 ngtcp2: Send ALPN h3-22 2152 2153 Closes #4212 2154 2155- [Tatsuhiro Tsujikawa brought this change] 2156 2157 ngtcp2: use ngtcp2_settings_default and specify initial_ts 2158 2159- curl_global_init_mem.3: mention it was added in 7.12.0 2160 2161- [Tatsuhiro Tsujikawa brought this change] 2162 2163 ngtcp2: make the QUIC handshake work 2164 2165 Closes #4209 2166 2167- [Alex Mayorga brought this change] 2168 2169 HTTP3.md: Update quiche build instructions 2170 2171 Added cloning for quiche and BoringSSL and modified the build 2172 instructions so they work on a clean folder. 2173 2174 Closes #4208 2175 2176- CURLOPT_H3: removed 2177 2178 There's no use for this anymore and it was never in a release. 2179 2180 Closes #4206 2181 2182- http3: make connection reuse work 2183 2184 Closes #4204 2185 2186- quiche: add SSLKEYLOGFILE support 2187 2188- cleanup: s/curl_debug/curl_dbg_debug in comments and docs 2189 2190 Leftovers from the function rename back in 76b63489495 2191 2192 Reported-by: Gisle Vanem 2193 Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com 2194 mitcomment-34601751 2195 2196 Closes #4203 2197 2198- RELEASE-NOTES: synced 2199 2200- alt-svc: add protocol version selection masking 2201 2202 So that users can mask in/out specific HTTP versions when Alt-Svc is 2203 used. 2204 2205 - Removed "h2c" and updated test case accordingly 2206 - Changed how the altsvc struct is laid out 2207 - Added ifdefs to make the unittest run even in a quiche-tree 2208 2209 Closes #4201 2210 2211- http3: fix the HTTP/3 in the request, make alt-svc set right versions 2212 2213 Closes #4200 2214 2215- alt-svc: send Alt-Used: in redirected requests 2216 2217 RFC 7838 section 5: 2218 2219 When using an alternative service, clients SHOULD include an Alt-Used 2220 header field in all requests. 2221 2222 Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus 2223 this is deemed ok). 2224 2225 You can disable sending this header just like you disable any other HTTP 2226 header in libcurl. 2227 2228 Closes #4199 2229 2230- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly 2231 2232 Even though it cannot fall-back to a lower HTTP version automatically. The 2233 safer way to upgrade remains via CURLOPT_ALTSVC. 2234 2235 CURLOPT_H3 no longer has any bits that do anything and might be removed 2236 before we remove the experimental label. 2237 2238 Updated the curl tool accordingly to use "--http3". 2239 2240 Closes #4197 2241 2242- docs/ALTSVC: remove what works and the experimental explanation 2243 2244 Also, put the TODO items at the bottom. 2245 2246 Closes #4198 2247 2248- docs/EXPERIMENTAL: explain what it means and what's experimental now 2249 2250- curl: make use of CURLINFO_RETRY_AFTER when retrying 2251 2252 If a Retry-After: header was used in the response, that value overrides 2253 other retry timing options. 2254 2255 Fixes #3794 2256 Closes #4195 2257 2258- curl: use CURLINFO_PROTOCOL to check for HTTP(s) 2259 2260 ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. 2261 2262- CURLINFO_RETRY_AFTER: parse the Retry-After header value 2263 2264 This is only the libcurl part that provides the information. There's no 2265 user of the parsed value. This change includes three new tests for the 2266 parser. 2267 2268 Ref: #3794 2269 2270- docs/ALTSVC.md: first basic file format description 2271 2272- curl: have -w's 'http_version' show '3' for HTTP/3 2273 2274 Closes #4196 2275 2276- curl.h: add CURL_HTTP_VERSION_3 to the version enum 2277 2278 It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with 2279 CURLINFO_HTTP_VERSION. 2280 2281- quiche: make use of the connection timeout API properly 2282 2283- quiche: make POSTFIELDS posts work 2284 2285- quiche: improved error handling and memory cleanups 2286 2287- quiche: flush egress in h3_stream_recv() too 2288 2289- RELEASE-NOTES: synced 2290 2291Jay Satiro (6 Aug 2019) 2292- [Patrick Monnerat brought this change] 2293 2294 os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 2295 2296 Ref: https://github.com/curl/curl/issues/3653 2297 Ref: https://github.com/curl/curl/pull/3790 2298 2299 NOTE: This commit was cherry-picked and is part of a series of commits 2300 that added the authzid feature for upcoming 7.66.0. The series was 2301 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x 2302 patch release. 2303 2304 Closes https://github.com/curl/curl/pull/4186 2305 2306- tests: Fix the line endings for the SASL alt-auth tests 2307 2308 - Change data and protocol sections to CRLF line endings. 2309 2310 Prior to this change the tests would fail or hang, which is because 2311 certain sections such as protocol require CRLF line endings. 2312 2313 Follow-up to grandparent commit which added the tests. 2314 2315 Ref: https://github.com/curl/curl/issues/3653 2316 Ref: https://github.com/curl/curl/pull/3790 2317 2318 NOTE: This commit was cherry-picked and is part of a series of commits 2319 that added the authzid feature for upcoming 7.66.0. The series was 2320 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x 2321 patch release. 2322 2323 Closes https://github.com/curl/curl/pull/4186 2324 2325- [Steve Holme brought this change] 2326 2327 examples: Added SASL PLAIN authorisation identity (authzid) examples 2328 2329 Ref: https://github.com/curl/curl/issues/3653 2330 Ref: https://github.com/curl/curl/pull/3790 2331 2332 NOTE: This commit was cherry-picked and is part of a series of commits 2333 that added the authzid feature for upcoming 7.66.0. The series was 2334 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x 2335 patch release. 2336 2337 Closes https://github.com/curl/curl/pull/4186 2338 2339- [Steve Holme brought this change] 2340 2341 curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool 2342 2343 Ref: https://github.com/curl/curl/issues/3653 2344 Ref: https://github.com/curl/curl/pull/3790 2345 2346 NOTE: This commit was cherry-picked and is part of a series of commits 2347 that added the authzid feature for upcoming 7.66.0. The series was 2348 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x 2349 patch release. 2350 2351 Closes https://github.com/curl/curl/pull/4186 2352 2353- [Steve Holme brought this change] 2354 2355 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 2356 2357 Added the ability for the calling program to specify the authorisation 2358 identity (authzid), the identity to act as, in addition to the 2359 authentication identity (authcid) and password when using SASL PLAIN 2360 authentication. 2361 2362 Fixes #3653 2363 Closes #3790 2364 2365 NOTE: This commit was cherry-picked and is part of a series of commits 2366 that added the authzid feature for upcoming 7.66.0. The series was 2367 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x 2368 patch release. 2369 2370 Closes https://github.com/curl/curl/pull/4186 2371 2372Daniel Stenberg (6 Aug 2019) 2373- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested 2374 2375- [Yiming Jing brought this change] 2376 2377 mesalink: implement client authentication 2378 2379 Closes #4184 2380 2381- curl_multi_poll: a sister to curl_multi_wait() that waits more 2382 2383 Repeatedly we see problems where using curl_multi_wait() is difficult or 2384 just awkward because if it has no file descriptor to wait for 2385 internally, it returns immediately and leaves it to the caller to wait 2386 for a small amount of time in order to avoid occasional busy-looping. 2387 2388 This is often missed or misunderstood, leading to underperforming 2389 applications. 2390 2391 This change introduces curl_multi_poll() as a replacement drop-in 2392 function that accepts the exact same set of arguments. This function 2393 works identically to curl_multi_wait() - EXCEPT - for the case when 2394 there's nothing to wait for internally, as then this function will by 2395 itself wait for a "suitable" short time before it returns. This 2396 effectiely avoids all risks of busy-looping and should also make it less 2397 likely that apps "over-wait". 2398 2399 This also changes the curl tool to use this funtion internally when 2400 doing parallel transfers and changes curl_easy_perform() to use it 2401 internally. 2402 2403 Closes #4163 2404 2405- quiche:h3_stream_recv return 0 at end of stream 2406 2407 ... and remove some verbose messages we don't need. Made transfers from 2408 facebook.com work better. 2409 2410- altsvc: make quiche use h3-22 now 2411 2412- quiche: show the actual version number 2413 2414- quiche: first working HTTP/3 request 2415 2416 - enable debug log 2417 - fix use of quiche API 2418 - use download buffer 2419 - separate header/body 2420 2421 Closes #4193 2422 2423- http09: disable HTTP/0.9 by default in both tool and library 2424 2425 As the plan has been laid out in DEPRECATED. Update docs accordingly and 2426 verify in test 1174. Now requires the option to be set to allow HTTP/0.9 2427 responses. 2428 2429 Closes #4191 2430 2431- quiche: initial h3 request send/receive 2432 2433- lib/Makefile.am: make checksrc run in vquic too 2434 2435- altsvc: fix removal of expired cache entry 2436 2437 Closes #4192 2438 2439- RELEASE-NOTES: synced 2440 2441Steve Holme (4 Aug 2019) 2442- md4: Use our own MD4 implementation when no crypto libraries are available 2443 2444 Closes #3780 2445 2446- md4: No need to include Curl_md4.h for each TLS library 2447 2448- md4: No need for the NTLM code to call Curl_md4it() for each TLS library 2449 2450 As the NTLM code no longer calls any of TLS libraries' specific MD4 2451 functions, there is no need to call this function for each #ifdef. 2452 2453- md4: Move the mbed TLS MD4 implementation out of the NTLM code 2454 2455- md4: Move the WinCrypt implementation out of the NTLM code 2456 2457- md4: Move the SecureTransport implementation out of the NTLM code 2458 2459- md4: Use the Curl_md4it() function for OpenSSL based NTLM 2460 2461- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code 2462 2463- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code 2464 2465Jay Satiro (4 Aug 2019) 2466- OS400: Add CURLOPT_H3 symbols 2467 2468 Follow-up to 3af0e76 which added experimental H3 support. 2469 2470 Closes https://github.com/curl/curl/pull/4185 2471 2472Daniel Stenberg (3 Aug 2019) 2473- url: make use of new HTTP version if alt-svc has one 2474 2475- url: set conn->transport to default TCP at init time 2476 2477- altsvc: with quiche, use the quiche h3 alpn string 2478 2479 Closes #4183 2480 2481- alt-svc: more liberal ALPN name parsing 2482 2483 Allow pretty much anything to be part of the ALPN identifier. In 2484 particular minus, which is used for "h3-20" (in-progress HTTP/3 2485 versions) etc. 2486 2487 Updated test 356. 2488 Closes #4182 2489 2490- quiche: use the proper HTTP/3 ALPN 2491 2492- quiche: add failf() calls for two error cases 2493 2494 To aid debugging 2495 2496 Closes #4181 2497 2498- mailmap: added Kyohei Kadota 2499 2500Kamil Dudka (1 Aug 2019) 2501- http_negotiate: improve handling of gss_init_sec_context() failures 2502 2503 If HTTPAUTH_GSSNEGOTIATE was used for a POST request and 2504 gss_init_sec_context() failed, the POST request was sent 2505 with empty body. This commit also restores the original 2506 behavior of `curl --fail --negotiate`, which was changed 2507 by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. 2508 2509 Add regression tests 2077 and 2078 to cover this. 2510 2511 Fixes #3992 2512 Closes #4171 2513 2514Daniel Stenberg (1 Aug 2019) 2515- mailmap: added 4 more names 2516 2517 Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli 2518 2519- mailmap: add Giorgos Oikonomou 2520 2521- src/makefile: fix uncompressed hugehelp.c generation 2522 2523 Regression from 5cf5d57ab9 (7.64.1) 2524 2525 Fixed-by: Lance Ware 2526 Fixes #4176 2527 Closes #4177 2528 2529- appveyor: pass on -k to make 2530 2531- timediff: make it 64 bit (if possible) even with 32 bit time_t 2532 2533 ... to make it hold microseconds too. 2534 2535 Fixes #4165 2536 Closes #4168 2537 2538- ROADMAP: parallel transfers are merged now 2539 2540- getenv: support up to 4K environment variable contents on windows 2541 2542 Reported-by: Michal Čaplygin 2543 Fixes #4174 2544 Closes #4175 2545 2546- [Kyohei Kadota brought this change] 2547 2548 plan9: add support for running on Plan 9 2549 2550 Closes #3701 2551 2552- [Kyohei Kadota brought this change] 2553 2554 ntlm: explicit type casting 2555 2556- [Justin brought this change] 2557 2558 curl.h: fix outdated comment 2559 2560 Closes #4167 2561 2562- curl: remove outdated comment 2563 2564 Turned bad with commit b8894085000 2565 2566 Reported-by: niallor on github 2567 Fixes #4172 2568 Closes #4173 2569 2570- cleanup: remove the 'numsocks' argument used in many places 2571 2572 It was used (intended) to pass in the size of the 'socks' array that is 2573 also passed to these functions, but was rarely actually checked/used and 2574 the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries 2575 that should be used instead. 2576 2577 Closes #4169 2578 2579- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp 2580 2581 Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) 2582 2583 Reported-by: Jonathan Cardoso Machado 2584 Assisted-by: Jay Satiro 2585 2586 Fixes #4136 2587 Closes #4162 2588 2589- mailmap: Amit Katyal 2590 2591- asyn-thread: removed unused variable 2592 2593 Follow-up to eb9a604f. Mistake caused by me when I edited the commit 2594 before push... 2595 2596- RELEASE-NOTES: synced 2597 2598- [Amit Katyal brought this change] 2599 2600 asyn-thread: create a socketpair to wait on 2601 2602 Closes #4157 2603 2604- curl: cap the maximum allowed values for retry time arguments 2605 2606 ... to avoid integer overflows later when multiplying with 1000 to 2607 convert seconds to milliseconds. 2608 2609 Added test 1269 to verify. 2610 2611 Reported-by: Jason Lee 2612 Closes #4166 2613 2614- progress: reset download/uploaded counter 2615 2616 ... to make CURLOPT_MAX_RECV_SPEED_LARGE and 2617 CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that 2618 reuse the same handle. 2619 2620 Fixed-by: Ironbars13 on github 2621 Fixes #4084 2622 Closes #4161 2623 2624- http2_recv: trigger another read when the last data is returned 2625 2626 ... so that end-of-stream is detected properly. 2627 2628 Reported-by: Tom van der Woerdt 2629 Fixes #4043 2630 Closes #4160 2631 2632- curl: avoid uncessary libcurl timeouts (in parallel mode) 2633 2634 When curl_multi_wait() returns OK without file descriptors to wait for, 2635 it might already have done a long timeout. 2636 2637 Closes #4159 2638 2639- [Balazs Kovacsics brought this change] 2640 2641 HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown 2642 2643 If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, 2644 automatically add a Transfer-Encoding: chunked header, same as it is 2645 already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update 2646 test 1514 according to the new behaviour. 2647 2648 Closes #4138 2649 2650Jay Satiro (29 Jul 2019) 2651- [Daniel Stenberg brought this change] 2652 2653 winbuild: add vquic to list of build directories 2654 2655 This fixes the winbuild build method which broke several days ago 2656 when experimental quic support was added in 3af0e76. 2657 2658 Reported-by: Michael Lee 2659 2660 Fixes https://github.com/curl/curl/issues/4158 2661 2662- easy: resize receive buffer on easy handle reset 2663 2664 - In curl_easy_reset attempt to resize the receive buffer to its default 2665 size. If realloc fails then continue using the previous size. 2666 2667 Prior to this change curl_easy_reset did not properly handle resetting 2668 the receive buffer (data->state.buffer). It reset the variable holding 2669 its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) 2670 but then did not actually resize the buffer. If a user resized the 2671 buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the 2672 default, later called curl_easy_reset and attempted to reuse the handle 2673 then a heap overflow would very likely occur during that handle's next 2674 transfer. 2675 2676 Reported-by: Felix Hädicke 2677 2678 Fixes https://github.com/curl/curl/issues/4143 2679 Closes https://github.com/curl/curl/pull/4145 2680 2681- [Brad Spencer brought this change] 2682 2683 examples: Avoid reserved names in hiperfifo examples 2684 2685 - Trade in __attribute__((unused)) for the classic (void)x to silence 2686 unused symbols. 2687 2688 Because the classic way is not gcc specific. Also because the prior 2689 method mapped to symbol _Unused, which starts with _ and a capital 2690 letter which is reserved. 2691 2692 Assisted-by: The Infinnovation team 2693 2694 Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 2695 2696 Closes https://github.com/curl/curl/pull/4153 2697 2698Daniel Stenberg (25 Jul 2019) 2699- RELEASE-NOTES: synced 2700 2701- [Felix Hädicke brought this change] 2702 2703 ssh-libssh: do not specify O_APPEND when not in append mode 2704 2705 Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not 2706 make much sense. And this combination of flags is not accepted by all 2707 SFTP servers (at least not Apache SSHD). 2708 2709 Fixes #4147 2710 Closes #4148 2711 2712- [Gergely Nagy brought this change] 2713 2714 multi: call detach_connection before Curl_disconnect 2715 2716 Curl_disconnect bails out if conn->easyq is not empty, detach_connection 2717 needs to be called first to remove the current easy from the queue. 2718 2719 Fixes #4144 2720 Closes #4151 2721 2722Jay Satiro (23 Jul 2019) 2723- tool_operate: fix implicit call to easysrc_cleanup 2724 2725 easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not 2726 defined, and prior to this change would be called regardless. 2727 2728 Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 2729 Reported-by: Marcel Raad 2730 2731 Closes https://github.com/curl/curl/pull/4142 2732 2733Daniel Stenberg (22 Jul 2019) 2734- curl:create_transfers check return code from curl_easy_setopt 2735 2736 From commit b8894085 2737 2738 Pointed out by Coverity CID 1451703 2739 2740 Closes #4134 2741 2742- HTTP3: initial (experimental) support 2743 2744 USe configure --with-ngtcp2 or --with-quiche 2745 2746 Using either option will enable a HTTP3 build. 2747 Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> 2748 2749 Closes #3500 2750 2751- curl: remove dead code 2752 2753 The loop never loops (since b889408500), pointed out by Coverity (CID 2754 1451702) 2755 2756 Closes #4133 2757 2758- docs/PARALLEL-TRANSFERS: correct the version number 2759 2760- docs/PARALLEL-TRANSFERS: added 2761 2762- curl: support parallel transfers 2763 2764 This is done by making sure each individual transfer is first added to a 2765 linked list as then they can be performed serially, or at will, in 2766 parallel. 2767 2768 Closes #3804 2769 2770- docs/MANUAL.md: converted to markdown from plain text 2771 2772 ... will make it render as a nicer web page. 2773 2774 Closes #4131 2775 2776- curl_version_info: provide nghttp2 details 2777 2778 Introducing CURLVERSION_SIXTH with nghttp2 info. 2779 2780 Closes #4121 2781 2782- bump: start working on 7.66.0 2783 2784- source: remove names from source comments 2785 2786 Several reasons: 2787 2788 - we can't add everyone who's helping out so its unfair to just a few 2789 selected ones. 2790 - we already list all helpers in THANKS and in RELEASE-NOTES for each 2791 release 2792 - we don't want to give the impression that some parts of the code is 2793 "owned" or "controlled" by specific persons 2794 2795 Assisted-by: Daniel Gustafsson 2796 Closes #4129 2797 2798Version 7.65.3 (19 Jul 2019) 2799 2800Daniel Stenberg (19 Jul 2019) 2801- RELEASE-NOTES: 7.65.3 2802 2803- THANKS: 7.65.3 status 2804 2805- progress: make the progress meter appear again 2806 2807 Fix regression caused by 21080e1 2808 2809 Reported-by: Chih-Hsuan Yen 2810 Fixes #4122 2811 Closes #4124 2812 2813- version: bump to 7.65.3 2814 2815- RELEASE-NOTES: Contributors or now 1990 2816 2817Version 7.65.2 (17 Jul 2019) 2818 2819Daniel Stenberg (17 Jul 2019) 2820- RELEASE-NOTES: 7.65.2 2821 2822- THANKS: add contributors from 7.65.2 2823 2824Jay Satiro (17 Jul 2019) 2825- [aasivov brought this change] 2826 2827 cmake: Fix finding Brotli on case-sensitive file systems 2828 2829 - Find package "Brotli" instead of "BROTLI" since the former is the 2830 casing used for CMake/FindBrotli.cmake, and otherwise find_package 2831 may fail on a case-sensitive file system. 2832 2833 Fixes https://github.com/curl/curl/issues/4117 2834 2835- CURLOPT_RANGE.3: Caution against using it for HTTP PUT 2836 2837 AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've 2838 cautioned against using it for that purpose and included a workaround. 2839 2840 Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html 2841 Reported-by: Christopher Head 2842 2843 Closes https://github.com/curl/curl/issues/3814 2844 2845- [Stefano Simonelli brought this change] 2846 2847 CURLOPT_SEEKDATA.3: fix variable name 2848 2849 Closes https://github.com/curl/curl/pull/4118 2850 2851- [Giorgos Oikonomou brought this change] 2852 2853 CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH 2854 2855 If the SSL backend is Schannel and the user specifies an Schannel CALG_ 2856 that is not supported by the protocol or the server then curl returns 2857 CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. 2858 2859 Fixes https://github.com/curl/curl/issues/3389 2860 Closes https://github.com/curl/curl/pull/4106 2861 2862- [Daniel Gustafsson brought this change] 2863 2864 nss: inspect returnvalue of token check 2865 2866 PK11_IsPresent() checks for the token for the given slot is available, 2867 and sets needlogin flags for the PK11_Authenticate() call. Should it 2868 return false, we should however treat it as an error and bail out. 2869 2870 Closes https://github.com/curl/curl/pull/4110 2871 2872- docs: Explain behavior change in --tlsv1. options since 7.54 2873 2874 Since 7.54 --tlsv1. options use the specified version or later, however 2875 older versions of curl documented it as using just the specified version 2876 which may or may not have happened depending on the TLS library. 2877 Document this discrepancy to allay confusion for users familiar with the 2878 old documentation that expect just the specified version. 2879 2880 Fixes https://github.com/curl/curl/issues/4097 2881 Closes https://github.com/curl/curl/pull/4119 2882 2883- libcurl: Restrict redirect schemes (follow-up) 2884 2885 - Allow FTPS on redirect. 2886 2887 - Update default allowed redirect protocols in documentation. 2888 2889 Follow-up to 6080ea0. 2890 2891 Ref: https://github.com/curl/curl/pull/4094 2892 2893 Closes https://github.com/curl/curl/pull/4115 2894 2895Daniel Stenberg (16 Jul 2019) 2896- test1173: make it also check all libcurl option man pages 2897 2898 ... and adjust those that cause errors 2899 2900 Closes #4116 2901 2902- curl: only accept COLUMNS less than 10000 2903 2904 ... as larger values would rather indicate something silly (and could 2905 potentially cause buffer problems). 2906 2907 Reported-by: pendrek at hackerone 2908 Closes #4114 2909 2910- dist: add manpage-syntax.pl 2911 2912 follow-up to 7fb66c403 2913 2914- test1173: detect some basic man page format mistakes 2915 2916 Triggered by PR #4111 2917 2918 Closes #4113 2919 2920Jay Satiro (15 Jul 2019) 2921- [Bjarni Ingi Gislason brought this change] 2922 2923 docs: Fix missing lines caused by undefined macros 2924 2925 - Escape apostrophes at line start. 2926 2927 Some lines begin with a "'" (apostrophe, single quote), which is then 2928 interpreted as a control character in *roff. 2929 2930 Such lines are interpreted as being a call to a macro, and if 2931 undefined, the lines are removed from the output. 2932 2933 Bug: https://bugs.debian.org/926352 2934 Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is> 2935 2936 Submitted-by: Alessandro Ghedini 2937 2938 Closes https://github.com/curl/curl/pull/4111 2939 2940Daniel Stenberg (14 Jul 2019) 2941- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults 2942 2943 follow-up to 6080ea098 2944 2945- [Linos Giannopoulos brought this change] 2946 2947 libcurl: Add testcase for gopher redirects 2948 2949 The testcase ensures that redirects to CURLPROTO_GOPHER won't be 2950 allowed, by default, in the future. Also, curl is being used 2951 for convenience while keeping the testcases DRY. 2952 2953 The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is 2954 redirected to CURLPROTO_GOPHER 2955 2956 Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> 2957 2958- [Linos Giannopoulos brought this change] 2959 2960 libcurl: Restrict redirect schemes 2961 2962 All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS 2963 counterpart were allowed for redirect. This vastly broadens the 2964 exploitation surface in case of a vulnerability such as SSRF [1], where 2965 libcurl-based clients are forced to make requests to arbitrary hosts. 2966 2967 For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based 2968 protocol by URL-encoding a payload in the URI. Gopher will open a TCP 2969 connection and send the payload. 2970 2971 Only HTTP/HTTPS and FTP are allowed. All other protocols have to be 2972 explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. 2973 2974 [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ 2975 2976 Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> 2977 2978 Closes #4094 2979 2980- [Zenju brought this change] 2981 2982 openssl: define HAVE_SSL_GET_SHUTDOWN based on version number 2983 2984 Closes #4100 2985 2986- [Peter Simonyi brought this change] 2987 2988 http: allow overriding timecond with custom header 2989 2990 With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. 2991 If-Modified-Since). Allow this to be replaced or suppressed with 2992 CURLOPT_HTTPHEADER. 2993 2994 Fixes #4103 2995 Closes #4109 2996 2997Jay Satiro (11 Jul 2019) 2998- [Juergen Hoetzel brought this change] 2999 3000 smb: Use the correct error code for access denied on file open 3001 3002 - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. 3003 3004 Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. 3005 3006 Closes https://github.com/curl/curl/pull/4095 3007 3008- [Daniel Gustafsson brought this change] 3009 3010 DEPRECATE: fixup versions and spelling 3011 3012 Correctly set the July 17 version to 7.65.2, and update spelling to 3013 be consistent. Also fix a typo. 3014 3015 Closes https://github.com/curl/curl/pull/4107 3016 3017- [Gisle Vanem brought this change] 3018 3019 system_win32: fix clang warning 3020 3021 - Declare variable in header as extern. 3022 3023 Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 3024 3025Daniel Gustafsson (10 Jul 2019) 3026- headers: Remove no longer exported functions 3027 3028 There were a leftover few prototypes of Curl_ functions that we used to 3029 export but no longer do, this removes those prototypes and cleans up any 3030 comments still referring to them. 3031 3032 Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() 3033 Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() 3034 were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. 3035 Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. 3036 3037 For the remainder, I didn't trawl the Git logs hard enough to capture 3038 their exact time of deletion, but they were all gone: Curl_splayprint(), 3039 Curl_http2_send_request(), Curl_global_host_cache_dtor(), 3040 Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), 3041 Curl_http_auth_stage() and Curl_close_connections(). 3042 3043 Closes #4096 3044 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 3045 3046- CMake: fix typos and spelling 3047 3048- [Kyle Edwards brought this change] 3049 3050 CMake: Convert errant elseif() to else() 3051 3052 CMake interprets an elseif() with no arguments as elseif(FALSE), 3053 resulting in the elseif() block not being executed. That is not what 3054 was intended here. Change the empty elseif() to an else() as it was 3055 intended. 3056 3057 Closes #4101 3058 Reported-by: Artalus <artalus-mail@yandex.ru> 3059 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> 3060 3061- buildconf: fix header filename 3062 3063 The header file inclusion had a typo, it should be .h and not .hd. 3064 Fix by renaming. 3065 3066 Fixes #4102 3067 Reported-by: AceCrow on Github 3068 3069- [Jan Chren brought this change] 3070 3071 configure: fix --disable-code-coverage 3072 3073 This fixes the case when --disable-code-coverage supplied to ./configure 3074 would result in coverage="yes" being set. 3075 3076 Closes #4099 3077 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> 3078 3079- cleanup: fix typo in comment 3080 3081- RELEASE-NOTES: synced 3082 3083Jay Satiro (6 Jul 2019) 3084- [Daniel Gustafsson brought this change] 3085 3086 nss: support using libnss on macOS 3087 3088 The file suffix for dynamically loadable objects on macOS is .dylib, 3089 which need to be added for the module definitions in order to get the 3090 NSS TLS backend to work properly on macOS. 3091 3092 Closes https://github.com/curl/curl/pull/4046 3093 3094- [Daniel Gustafsson brought this change] 3095 3096 nss: don't set unused parameter 3097 3098 The value of the maxPTDs parameter to PR_Init() has since at least 3099 NSPR 2.1, which was released sometime in 1998, been marked ignored 3100 as is accordingly not used in the initialization code. Setting it 3101 to a value when calling PR_Init() is thus benign, but indicates an 3102 intent which may be misleading. Reset the value to zero to improve 3103 clarity. 3104 3105 Closes https://github.com/curl/curl/pull/4054 3106 3107- [Daniel Gustafsson brought this change] 3108 3109 nss: only cache valid CRL entries 3110 3111 Change the logic around such that we only keep CRLs that NSS actually 3112 ended up caching around for later deletion. If CERT_CacheCRL() fails 3113 then there is little point in delaying the freeing of the CRL as it 3114 is not used. 3115 3116 Closes https://github.com/curl/curl/pull/4053 3117 3118- [Gergely Nagy brought this change] 3119 3120 lib: Use UTF-8 encoding in comments 3121 3122 Some editors and IDEs assume that source files use UTF-8 file encodings. 3123 It also fixes the build with MSVC when /utf-8 command line option is 3124 used (this option is mandatory for some other open-source projects, this 3125 is useful when using the same options is desired for building all 3126 libraries of a project). 3127 3128 Closes https://github.com/curl/curl/pull/4087 3129 3130- [Caleb Raitto brought this change] 3131 3132 CURLOPT_HEADEROPT.3: Fix example 3133 3134 Fix an issue where example builds a curl_slist, but fails to actually 3135 use it, or free it. 3136 3137 Closes https://github.com/curl/curl/pull/4090 3138 3139- [Shankar Jadhavar brought this change] 3140 3141 winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG 3142 3143 - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. 3144 3145 - Also removed some ^M chars from file. 3146 3147 Prior to this change while building on Windows platform even if we pass 3148 the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does 3149 not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 3150 3151 Closes https://github.com/curl/curl/pull/4086 3152 3153Daniel Stenberg (4 Jul 2019) 3154- doh-url.d: added in 7.62.0 3155 3156Jay Satiro (30 Jun 2019) 3157- docs: Fix links to OpenSSL docs 3158 3159 OpenSSL changed their manual locations and does not redirect to the new 3160 locations. 3161 3162 Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html 3163 Reported-by: Daniel Stenberg 3164 3165Daniel Stenberg (26 Jun 2019) 3166- [Gaël PORTAY brought this change] 3167 3168 curl_multi_wait.3: escape backslash in example 3169 3170 The backslash in the character Line Feed must be escaped. 3171 3172 The current man-page outputs the code as following: 3173 3174 fprintf(stderr, "curl_multi failed, code %d.0, mc); 3175 3176 The commit fixes it as follow: 3177 3178 fprintf(stderr, "curl_multi failed, code %d\n", mc); 3179 3180 Closes #4079 3181 3182- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined 3183 3184 ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is 3185 built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for 3186 UWP (with "VC-WIN32-UWP"). 3187 3188 Reported-by: Vasily Lobaskin 3189 Fixes #4073 3190 Closes #4077 3191 3192- test1521: adapt to SLISTPOINT 3193 3194 The header now has the slist-using options marked as SLISTPOINT so this 3195 makes sure test 1521 understands that. 3196 3197 Follow-up to ae99b4de1c443ae989 3198 3199 Closes #4074 3200 3201- win32: make DLL loading a no-op for UWP 3202 3203 Reported-by: Michael Brehm 3204 Fixes #4060 3205 Closes #4072 3206 3207- [1ocalhost brought this change] 3208 3209 configure: fix typo '--disable-http-uath' 3210 3211 Closes #4076 3212 3213- [Niklas Hambüchen brought this change] 3214 3215 docs: fix string suggesting HTTP/2 is not the default 3216 3217 Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the 3218 man page that new default is mentioned, but the section at the top 3219 contradicted it until now. 3220 3221 Also remove claim that setting the HTTP version is not sensible. 3222 3223 Closes #4075 3224 3225- RELEASE-NOTES: synced 3226 3227- [Stephan Szabo brought this change] 3228 3229 tests: update fixed IP for hostip/clientip split 3230 3231 These tests give differences for me on linux when using a hostip 3232 pointing to the external ip address for the local machine. 3233 3234 Closes #4070 3235 3236Daniel Gustafsson (24 Jun 2019) 3237- http: clarify header buffer size calculation 3238 3239 The header buffer size calculation can from static analysis seem to 3240 overlow as it performs an addition between two size_t variables and 3241 stores the result in a size_t variable. Overflow is however guarded 3242 against elsewhere since the input to the addition is regulated by 3243 the maximum read buffer size. Clarify this with a comment since the 3244 question was asked. 3245 3246 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 3247 3248Daniel Stenberg (24 Jun 2019) 3249- KNOWN_BUGS: Don't clear digest for single realm 3250 3251 Closes #3267 3252 3253- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname 3254 3255 Closes #3284 3256 3257- http2: call done_sending on end of upload 3258 3259 To make sure a HTTP/2 stream registers the end of stream. 3260 3261 Bug #4043 made me find this problem but this fix doesn't correct the 3262 reported issue. 3263 3264 Closes #4068 3265 3266- [James Brown brought this change] 3267 3268 c-ares: honor port numbers in CURLOPT_DNS_SERVERS 3269 3270 By using ares_set_servers_ports_csv on new enough c-ares. 3271 3272 Fixes #4066 3273 Closes #4067 3274 3275Daniel Gustafsson (24 Jun 2019) 3276- CURLMOPT_SOCKETFUNCTION.3: fix typo 3277 3278Daniel Stenberg (24 Jun 2019) 3279- [Koen Dergent brought this change] 3280 3281 curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds 3282 3283 Closes #4061 3284 3285- test153: fix content-length to avoid occasional hang 3286 3287 Closes #4065 3288 3289- RELEASE-NOTES: synced 3290 3291- multi: enable multiplexing by default (again) 3292 3293 It was originally made default in d7c4213bd0c (7.62.0) but mistakenly 3294 reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. 3295 3296 Closes #4051 3297 3298- typecheck: add 3 missing strings and a callback data pointer 3299 3300 Closes #4050 3301 3302- tests: add disable-scan.pl to dist 3303 3304 follow-up from 29177f422a5 3305 3306 Closes #4059 3307 3308- http2: don't call stream-close on already closed streams 3309 3310 Closes #4055 3311 3312Marcel Raad (20 Jun 2019) 3313- travis: enable alt-svc for coverage build 3314 3315 Closes 3316 3317- travis: enable libssh2 for coverage build 3318 3319 It was enabled by default before commit c92d2e14cfb. 3320 3321 Disable torture tests 600 and 601 because of 3322 https://github.com/curl/curl/issues/1678. 3323 3324 Closes 3325 3326- travis: disable threaded resolver for coverage build 3327 3328 This enables more tests. 3329 3330 Closes 3331 3332- travis: enable brotli for all xenial jobs 3333 3334 There's no need for a separate job, and no need to build it from source 3335 with Xenial. 3336 3337 Closes 3338 3339- travis: enable warnings-as-errors for coverage build 3340 3341 Closes 3342 3343GitHub (20 Jun 2019) 3344- [Gisle Vanem brought this change] 3345 3346 system_win32: fix typo 3347 3348Daniel Stenberg (20 Jun 2019) 3349- typecheck: CURLOPT_CONNECT_TO takes an slist too 3350 3351 Additionally, add an alias in curl.h for slist-using options so that 3352 we can grep/parse those out at will. 3353 3354 Closes #4042 3355 3356- [Stephan Szabo brought this change] 3357 3358 tests: support non-localhost HOSTIP for dict/smb servers 3359 3360 smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for 3361 binding the server which when we were running the tests with a separate 3362 HOSTIP and CLIENTIP had failures verifying the server from the device we 3363 were testing. 3364 3365 This changes them to take the address from runtests.py and default to 3366 localhost/127.0.0.1 if none is given. 3367 3368 Closes #4048 3369 3370- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT 3371 3372- configure: --disable-progress-meter 3373 3374 Builds libcurl without support for the built-in progress meter. 3375 3376 Closes #4023 3377 3378- curl: improved skip-setopt-options when built with disabled features 3379 3380 Reduces #ifdefs in src/tool_operate.c 3381 3382 Follow-up from 4e86f2fc4e6 3383 Closes #3936 3384 3385Steve Holme (18 Jun 2019) 3386- netrc: Return the correct error code when out of memory 3387 3388 Introduced in 763c5178. 3389 3390 Closes #4036 3391 3392Daniel Stenberg (18 Jun 2019) 3393- config-os400: add getpeername and getsockname defines 3394 3395 Reported-by: jonrumsey on github 3396 Fixes #4037 3397 Closes #4039 3398 3399- runtests: keep logfiles around by default 3400 3401 Make '-k' a no-op. The singletest function now clears the log directory 3402 BEFORE each individual test and not after, which makes it possible to 3403 always keep the logfiles around after a test has been run. No need to 3404 specify -k anymore. Keeping the option parsing around to work with users 3405 of old habits. 3406 3407 Some tests also didn't work properly when -k was used (since the old 3408 logs would be kep when a new test starts) which this change also fixes. 3409 3410 Closes #4035 3411 3412- [Gergely Nagy brought this change] 3413 3414 openssl: fix pubkey/signature algorithm detection in certinfo 3415 3416 Certinfo gives the same result for all OpenSSL versions. 3417 Also made printing RSA pubkeys consistent with older versions. 3418 3419 Reported-by: Michael Wallner 3420 Fixes #3706 3421 Closes #4030 3422 3423- conn_maxage: move the check to prune_dead_connections() 3424 3425 ... and avoid the locking issue. 3426 3427 Reported-by: Kunal Ekawde 3428 Fixes #4029 3429 Closes #4032 3430 3431- tests: have runtests figure out disabled features 3432 3433 ... so that runtests can skip individual test cases that test features 3434 that are explicitly disabled in this build. This new logic is intended 3435 for disabled features that aren't otherwise easily visible through the 3436 curl_version_info() or other API calls. 3437 3438 tests/server/disabled is a newly built executable that will output a 3439 list of disabled features. Outputs nothing for a default build. 3440 3441 Closes #3950 3442 3443- test188/189: fix Content-Length 3444 3445 This cures the flaky test results 3446 3447 Closes #4034 3448 3449- [Thomas Gamper brought this change] 3450 3451 winbuild: use WITH_PREFIX if given 3452 3453 Closes #4031 3454 3455Daniel Gustafsson (17 Jun 2019) 3456- openssl: remove outdated comment 3457 3458 OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), 3459 which is why we switched to CONF_modules_load_file() and introduced 3460 a comment stating why. This behavior was however changed in OpenSSL 3461 commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now 3462 outdated and incorrect comment. The mentioned commit also declares 3463 OPENSSL_config() deprecated so keep the current coding. 3464 3465 Closes #4033 3466 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 3467 3468Daniel Stenberg (16 Jun 2019) 3469- RELEASE-NOTES: synced 3470 3471Patrick Monnerat (16 Jun 2019) 3472- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. 3473 3474 Use it in curl_easy_setopt_ccsid(). 3475 3476 Reported-by: jonrumsey on github 3477 Fixes #3833 3478 Closes #4028 3479 3480Daniel Stenberg (15 Jun 2019) 3481- runtests: report single test time + total duration 3482 3483 ... after each successful test. 3484 3485 Closes #4027 3486 3487- multi: fix the transfer hash function 3488 3489 Follow-up from 8b987cc7eb 3490 3491 Reported-by: Tom van der Woerdt 3492 Fixes #4018 3493 Closes #4024 3494 3495- unit1654: cleanup on memory failure 3496 3497 ... to make it handle torture tests properly. 3498 3499 Reported-by: Marcel Raad 3500 Fixes #4021 3501 Closes #4022 3502 3503Marcel Raad (13 Jun 2019) 3504- krb5: fix compiler warning 3505 3506 Even though the variable was used in a DEBUGASSERT, GCC 8 warned in 3507 debug mode: 3508 krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] 3509 3510 Just suppress the warning and declare the variable unconditionally 3511 instead of only for DEBUGBUILD (which also missed the check for 3512 HAVE_ASSERT_H). 3513 3514 Closes https://github.com/curl/curl/pull/4020 3515 3516Daniel Stenberg (13 Jun 2019) 3517- quote.d: asterisk prefix works for SFTP as well 3518 3519 Reported-by: Ben Voris 3520 Fixes #4017 3521 Closes #4019 3522 3523- multi: fix the transfer hashes in the socket hash entries 3524 3525 - The transfer hashes weren't using the correct keys so removing entries 3526 failed. 3527 3528 - Simplified the iteration logic over transfers sharing the same socket and 3529 they now simply are set to expire and thus get handled in the "regular" 3530 timer loop instead. 3531 3532 Reported-by: Tom van der Woerdt 3533 Fixes #4012 3534 Closes #4014 3535 3536Jay Satiro (12 Jun 2019) 3537- [Cliff Crosland brought this change] 3538 3539 url: Fix CURLOPT_MAXAGE_CONN time comparison 3540 3541 Old connections are meant to expire from the connection cache after 3542 CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x 3543 that value. This occurs because a time value measured in milliseconds is 3544 accidentally divided by 1M instead of by 1,000. 3545 3546 Closes https://github.com/curl/curl/pull/4013 3547 3548Daniel Stenberg (11 Jun 2019) 3549- test1165: verify that CURL_DISABLE_ symbols are in sync 3550 3551 between configure.ac and source code. They should be possible to switch 3552 on/off in configure AND be used in source code. 3553 3554- configure: remove CURL_DISABLE_TLS_SRP 3555 3556 It isn't used by code so stop providing the define. 3557 3558 Closes #4010 3559 3560- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" 3561 3562 This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. 3563 3564 Apparently several of the appveyor windows builds broke. 3565 3566- [sergey-raevskiy brought this change] 3567 3568 cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified 3569 3570 Reviewed-by: Jakub Zakrzewski 3571 Closes #3770 3572 3573- RELEASE-NOTES: synced 3574 3575- http2: remove CURL_DISABLE_TYPECHECK define 3576 3577 ... in http2-less builds as it served no use. 3578 3579- configure: more --disable switches to toggle off individual features 3580 3581 ... actual support in the code for disabling these has already landed. 3582 3583 Closes #4009 3584 3585- wolfssl: fix key pinning build error 3586 3587 follow-up from deb9462ff2de8 3588 3589- CURLMOPT_SOCKETFUNCTION.3: clarified 3590 3591 Moved away the callback explanation from curl_multi_socket_action.3 and 3592 expanded it somewhat. 3593 3594 Closes #4006 3595 3596- wolfssl: fixup for SNI use 3597 3598 follow-up from deb9462ff2de8 3599 3600 Closes #4007 3601 3602- CURLOPT_CAINFO.3: polished wording 3603 3604 Clarify the functionality when built to use Schannel and Secure 3605 Transport and stop calling it the "recommended" or "preferred" way and 3606 instead rather call it the default. 3607 3608 Removed the reference to the ssl comparison table as it isn't necessary. 3609 3610 Reported-by: Richard Alcock 3611 Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html 3612 Closes #4005 3613 3614GitHub (10 Jun 2019) 3615- [Daniel Stenberg brought this change] 3616 3617 SECURITY.md: created 3618 3619 Brief security policy description for use/display on github. 3620 3621Daniel Gustafsson (10 Jun 2019) 3622- tool_cb_prg: Fix integer overflow in progress bar 3623 3624 Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar 3625 width calculation to avoid integer overflow, but failed to account for 3626 the fact that initial_size is initialized to -1 when the file size is 3627 retrieved from the remote on an upload, causing another signed integer 3628 overflow. Fix by separately checking for this case before the width 3629 calculation. 3630 3631 Closes #3984 3632 Reported-by: Brian Carpenter (Geeknik Labs) 3633 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 3634 3635Daniel Stenberg (10 Jun 2019) 3636- wolfssl: refer to it as wolfSSL only 3637 3638 Remove support for, references to and use of "cyaSSL" from the source 3639 and docs. wolfSSL is the current name and there's no point in keeping 3640 references to ancient history. 3641 3642 Assisted-by: Daniel Gustafsson 3643 3644 Closes #3903 3645 3646- RELEASE-NOTES: synced 3647 3648- bindlocal: detect and avoid IP version mismatches in bind() 3649 3650 Reported-by: Alex Grebenschikov 3651 Fixes #3993 3652 Closes #4002 3653 3654- multi: make sure 'data' can present in several sockhash entries 3655 3656 Since more than one socket can be used by each transfer at a given time, 3657 each sockhash entry how has its own hash table with transfers using that 3658 socket. 3659 3660 In addition, the sockhash entry can now be marked 'blocked = TRUE'" 3661 which then makes the delete function just set 'removed = TRUE' instead 3662 of removing it "for real", as a way to not rip out the carpet under the 3663 feet of a parent function that iterates over the transfers of that same 3664 sockhash entry. 3665 3666 Reported-by: Tom van der Woerdt 3667 Fixes #3961 3668 Fixes #3986 3669 Fixes #3995 3670 Fixes #4004 3671 Closes #3997 3672 3673- [Sorcus brought this change] 3674 3675 libcurl-tutorial.3: Fix small typo (mutipart -> multipart) 3676 3677 Fixed-by: MrSorcus on github 3678 Closes #4000 3679 3680- unpause: trigger a timeout for event-based transfers 3681 3682 ... so that timeouts or other state machine actions get going again 3683 after a changing pause state. For example, if the last delivery was 3684 paused there's no pending socket activity. 3685 3686 Reported-by: sstruchtrup on github 3687 Fixes #3994 3688 Closes #4001 3689 3690Marcel Raad (9 Jun 2019) 3691- travis: use xenial LLVM package for scan-build 3692 3693 I missed that in commit 99a49d6. 3694 3695- travis: update scan-build job to xenial 3696 3697 Closes https://github.com/curl/curl/pull/3999 3698 3699Daniel Stenberg (8 Jun 2019) 3700- bump: start working on 7.65.2 3701 3702Marcel Raad (5 Jun 2019) 3703- examples/htmltitle: use C++ casts between pointer types 3704 3705 Compilers and static analyzers warn about using C-style casts here. 3706 3707 Closes https://github.com/curl/curl/pull/3975 3708 3709- examples/fopen: fix comparison 3710 3711 As want is size_t, (file->buffer_pos - want) is unsigned, so checking 3712 if it's less than zero makes no sense. 3713 Check if file->buffer_pos is less than want instead to avoid the 3714 unsigned integer wraparound. 3715 3716 Closes https://github.com/curl/curl/pull/3975 3717 3718- build: fix Codacy warnings 3719 3720 Reduce variable scopes and remove redundant variable stores. 3721 3722 Closes https://github.com/curl/curl/pull/3975 3723 3724- sws: remove unused variables 3725 3726 Unused since commit 2f44e94. 3727 3728 Closes https://github.com/curl/curl/pull/3975 3729 3730Version 7.65.1 (4 Jun 2019) 3731 3732Daniel Stenberg (4 Jun 2019) 3733- RELEASE-NOTES: 7.65.1 3734 3735- THANKS: new contributors from 7.65.1 3736 3737Steve Holme (4 Jun 2019) 3738- [Frank Gevaerts brought this change] 3739 3740 ssl: Update outdated "openssl-only" comments for supported backends 3741 3742 These are for features that used to be openssl-only but were expanded 3743 over time to support other SSL backends. 3744 3745 Closes #3985 3746 3747Daniel Stenberg (4 Jun 2019) 3748- curl_share_setopt.3: improve wording [ci ship] 3749 3750 Reported-by: Carlos ORyan 3751 3752Steve Holme (4 Jun 2019) 3753- tool_parsecfg: Use correct return type for GetModuleFileName() 3754 3755 GetModuleFileName() returns a DWORD which is a typedef of an unsigned 3756 long and not an int. 3757 3758 Closes #3980 3759 3760Daniel Stenberg (3 Jun 2019) 3761- TODO: "at least N milliseconds between requests" [ci skip] 3762 3763 Suggested-by: dkwolfe4 on github 3764 Closes #3920 3765 3766Steve Holme (2 Jun 2019) 3767- tests/server/.gitignore: Add socksd to the ignore list 3768 3769 Missed in 04fd6755. 3770 3771 Closes #3978 3772 3773- tool_parsecfg: Fix control flow issue (DEADCODE) 3774 3775 Follow-up to 8144ba38. 3776 3777 Detected by Coverity CID 1445663 3778 Closes #3976 3779 3780Daniel Stenberg (2 Jun 2019) 3781- [Sergey Ogryzkov brought this change] 3782 3783 NTLM: reset proxy "multipass" state when CONNECT request is done 3784 3785 Closes #3972 3786 3787- test334: verify HTTP 204 response with chunked coding header 3788 3789 Verifies that a bodyless response don't parse this content-related 3790 header. 3791 3792- [Michael Kaufmann brought this change] 3793 3794 http: don't parse body-related headers bodyless responses 3795 3796 Responses with status codes 1xx, 204 or 304 don't have a response body. For 3797 these, don't parse these headers: 3798 3799 - Content-Encoding 3800 - Content-Length 3801 - Content-Range 3802 - Last-Modified 3803 - Transfer-Encoding 3804 3805 This change ensures that HTTP/2 upgrades work even if a 3806 "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. 3807 3808 Co-authored-by: Daniel Stenberg 3809 Closes #3702 3810 Fixes #3968 3811 Closes #3977 3812 3813- tls13-docs: mention it is only for OpenSSL >= 1.1.1 3814 3815 Reported-by: Jay Satiro 3816 Co-authored-by: Jay Satiro 3817 Fixes #3938 3818 Closes #3946 3819 3820- dump-header.d: spell out that no headers == empty file [ci skip] 3821 3822 Reported-by: wesinator at github 3823 Fixes #3964 3824 Closes #3974 3825 3826- singlesocket: use separate variable for inner loop 3827 3828 An inner loop within the singlesocket() function wrongly re-used the 3829 variable for the outer loop which then could cause an infinite 3830 loop. Change to using a separate variable! 3831 3832 Reported-by: Eric Wu 3833 Fixes #3970 3834 Closes #3973 3835 3836- RELEASE-NOTES: synced 3837 3838- [Josie Huddleston brought this change] 3839 3840 http2: Stop drain from being permanently set on 3841 3842 Various functions called within Curl_http2_done() can have the 3843 side-effect of setting the Easy connection into drain mode (by calling 3844 drain_this()). However, the last time we unset this for a transfer (by 3845 calling drained_transfer()) is at the beginning of Curl_http2_done(). 3846 If the Curl_easy is reused for another transfer, it is then stuck in 3847 drain mode permanently, which in practice makes it unable to write any 3848 data in the new transfer. 3849 3850 This fix moves the last call to drained_transfer() to later in 3851 Curl_http2_done(), after the functions that could potentially call for a 3852 drain. 3853 3854 Fixes #3966 3855 Closes #3967 3856 Reported-by: Josie-H 3857 3858Steve Holme (29 May 2019) 3859- conncache: Remove the DEBUGASSERT on length check 3860 3861 We trust the calling code as this is an internal function. 3862 3863 Closes #3962 3864 3865Jay Satiro (29 May 2019) 3866- [Gisle Vanem brought this change] 3867 3868 system_win32: fix function prototype 3869 3870 - Change if_nametoindex parameter type from char * to const char *. 3871 3872 Follow-up to 09eef8af from this morning. 3873 3874 Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 3875 3876Marcel Raad (29 May 2019) 3877- appveyor: add Visual Studio solution build 3878 3879 Closes https://github.com/curl/curl/pull/3941 3880 3881- appveyor: add support for other build systems 3882 3883 Introduce BUILD_SYSTEM variable, which is currently always CMake. 3884 3885 Closes https://github.com/curl/curl/pull/3941 3886 3887Steve Holme (29 May 2019) 3888- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows 3889 3890 This fixes the static dependency on iphlpapi.lib and allows curl to 3891 build for targets prior to Windows Vista. 3892 3893 This partially reverts 170bd047. 3894 3895 Fixes #3960 3896 Closes #3958 3897 3898Daniel Stenberg (29 May 2019) 3899- http: fix "error: equality comparison with extraneous parentheses" 3900 3901- parse_proxy: make sure portptr is initialized 3902 3903 Reported-by: Benbuck Nason 3904 3905 fixes #3959 3906 3907- url: default conn->port to the same as conn->remote_port 3908 3909 ... so that it has a sensible value when ConnectionExists() is called which 3910 needs it set to differentiate host "bundles" correctly on port number! 3911 3912 Also, make conncache:hashkey() use correct port for bundles that are proxy vs 3913 host connections. 3914 3915 Probably a regression from 7.62.0 3916 3917 Reported-by: Tom van der Woerdt 3918 Fixes #3956 3919 Closes #3957 3920 3921- conncache: make "bundles" per host name when doing proxy tunnels 3922 3923 Only HTTP proxy use where multiple host names can be used over the same 3924 connection should use the proxy host name for bundles. 3925 3926 Reported-by: Tom van der Woerdt 3927 Fixes #3951 3928 Closes #3955 3929 3930- multi: track users of a socket better 3931 3932 They need to be removed from the socket hash linked list with more care. 3933 3934 When sh_delentry() is called to remove a sockethash entry, remove all 3935 individual transfers from the list first. To enable this, each Curl_easy struct 3936 now stores a pointer to the sockethash entry to know how to remove itself. 3937 3938 Reported-by: Tom van der Woerdt and Kunal Ekawde 3939 3940 Fixes #3952 3941 Fixes #3904 3942 Closes #3953 3943 3944Steve Holme (28 May 2019) 3945- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version 3946 3947 Microsoft added support for Unix Domain Sockets in Windows 10 1803 3948 (RS4). Rather than expect the user to enable Unix Domain Sockets by 3949 uncommenting the #define that was added in 0fd6221f we use the RS4 3950 pre-processor variable that is present in newer versions of the 3951 Windows SDK. 3952 3953 Closes #3939 3954 3955Daniel Stenberg (28 May 2019) 3956- [Jonas Vautherin brought this change] 3957 3958 cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables 3959 3960 Closes #3945 3961 3962Marcel Raad (27 May 2019) 3963- HAProxy tests: add keywords 3964 3965 Add the proxy and haproxy keywords in order to be able to exclude or 3966 run these specific tests. 3967 3968 Closes https://github.com/curl/curl/pull/3949 3969 3970Daniel Stenberg (27 May 2019) 3971- [Maksim Stsepanenka brought this change] 3972 3973 tests: make test 1420 and 1406 work with rtsp-disabled libcurl 3974 3975 Closes #3948 3976 3977Kamil Dudka (27 May 2019) 3978- [Hubert Kario brought this change] 3979 3980 nss: allow to specify TLS 1.3 ciphers if supported by NSS 3981 3982 Closes #3916 3983 3984Daniel Stenberg (26 May 2019) 3985- RELEASE-NOTES: synced 3986 3987- [Jay Satiro brought this change] 3988 3989 Revert all SASL authzid (new feature) commits 3990 3991 - Revert all commits related to the SASL authzid feature since the next 3992 release will be a patch release, 7.65.1. 3993 3994 Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined 3995 for the next release, assuming it would be a feature release 7.66.0. 3996 However instead the next release will be a patch release, 7.65.1 and 3997 will not contain any new features. 3998 3999 After the patch release after the reverted commits can be restored by 4000 using cherry-pick: 4001 4002 git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 4003 4004 Details for all reverted commits: 4005 4006 Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." 4007 4008 This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. 4009 4010 Revert "tests: Fix the line endings for the SASL alt-auth tests" 4011 4012 This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. 4013 4014 Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" 4015 4016 This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. 4017 4018 Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" 4019 4020 This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. 4021 4022 Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" 4023 4024 This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. 4025 4026- [dbrowndan brought this change] 4027 4028 FAQ: more minor updates and spelling fixes 4029 4030 Closes #3937 4031 4032- RELEASE-NOTES: synced 4033 4034- sectransp: handle errSSLPeerAuthCompleted from SSLRead() 4035 4036 Reported-by: smuellerDD on github 4037 Fixes #3932 4038 Closes #3933 4039 4040GitHub (24 May 2019) 4041- [Gisle Vanem brought this change] 4042 4043 Fix typo. 4044 4045Daniel Stenberg (23 May 2019) 4046- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() 4047 4048 Reported-by: Marcel Raad 4049 Fixes #3926 4050 Closes #3929 4051 4052Steve Holme (23 May 2019) 4053- winbuild: Use two space indentation 4054 4055 Closes #3930 4056 4057GitHub (23 May 2019) 4058- [Gisle Vanem brought this change] 4059 4060 tool_parse_cfg: Avoid 2 fopen() for WIN32 4061 4062 Using the memdebug.h mem-leak feature, I noticed 2 calls like: 4063 FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") 4064 FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") 4065 4066 No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. 4067 4068Daniel Stenberg (23 May 2019) 4069- md4: include the mbedtls config.h to get the MD4 info 4070 4071- md4: build correctly with openssl without MD4 4072 4073 Reported-by: elsamuko at github 4074 Fixes #3921 4075 Closes #3922 4076 4077Patrick Monnerat (23 May 2019) 4078- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 4079 4080Daniel Stenberg (23 May 2019) 4081- .github/FUNDING: mention our opencollective "home" [ci skip] 4082 4083Marcel Raad (23 May 2019) 4084- [Zenju brought this change] 4085 4086 config-win32: add support for if_nametoindex and getsockname 4087 4088 Closes https://github.com/curl/curl/pull/3923 4089 4090Jay Satiro (23 May 2019) 4091- tests: Fix the line endings for the SASL alt-auth tests 4092 4093 - Change data and protocol sections to CRLF line endings. 4094 4095 Prior to this change the tests would fail or hang, which is because 4096 certain sections such as protocol require CRLF line endings. 4097 4098 Follow-up to a9499ff from today which added the tests. 4099 4100 Ref: https://github.com/curl/curl/pull/3790 4101 4102Daniel Stenberg (23 May 2019) 4103- url: fix bad #ifdef 4104 4105 Regression since e91e48161235272ff485. 4106 4107 Reported-by: Tom Greenslade 4108 Fixes #3924 4109 Closes #3925 4110 4111- Revert "progress: CURL_DISABLE_PROGRESS_METER" 4112 4113 This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. 4114 4115 Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + 4116 CURLOPT_LOW_SPEED_TIME 4117 4118 Reported-by: Dave Reisner 4119 4120 Fixes #3927 4121 Closes #3928 4122 4123Steve Holme (22 May 2019) 4124- examples: Added SASL PLAIN authorisation identity (authzid) examples 4125 4126- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool 4127 4128- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID 4129 4130 Added the ability for the calling program to specify the authorisation 4131 identity (authzid), the identity to act as, in addition to the 4132 authentication identity (authcid) and password when using SASL PLAIN 4133 authentication. 4134 4135 Fixed #3653 4136 Closes #3790 4137 4138Marc Hoersken (22 May 2019) 4139- tests: add support to test against OpenSSH for Windows 4140 4141 Testing against OpenSSH for Windows requires v7.7.0.0 or newer 4142 due to the use of AllowUsers and DenyUsers. For more info see: 4143 https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config 4144 4145Daniel Stenberg (22 May 2019) 4146- bump: start on the next release 4147 4148Marcel Raad (22 May 2019) 4149- examples: fix "clarify calculation precedence" warnings 4150 4151 Closes https://github.com/curl/curl/pull/3919 4152 4153- hiperfifo: remove unused variable 4154 4155 Closes https://github.com/curl/curl/pull/3919 4156 4157- examples: remove dead variable stores 4158 4159 Closes https://github.com/curl/curl/pull/3919 4160 4161- examples: reduce variable scopes 4162 4163 Closes https://github.com/curl/curl/pull/3919 4164 4165- http2-download: fix format specifier 4166 4167 Closes https://github.com/curl/curl/pull/3919 4168 4169Daniel Stenberg (22 May 2019) 4170- PolarSSL: deprecate support step 1. Removed from configure. 4171 4172 Also removed mentions from most docs. 4173 4174 Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html 4175 4176 Closes #3888 4177 4178- configure/cmake: check for if_nametoindex() 4179 4180 - adds the check to cmake 4181 4182 - fixes the configure check to work for cross-compiled windows builds 4183 4184 Closes #3917 4185 4186- parse_proxy: use the IPv6 zone id if given 4187 4188 If the proxy string is given as an IPv6 numerical address with a zone 4189 id, make sure to use that for the connect to the proxy. 4190 4191 Reported-by: Edmond Yu 4192 4193 Fixes #3482 4194 Closes #3918 4195 4196Version 7.65.0 (22 May 2019) 4197 4198Daniel Stenberg (22 May 2019) 4199- RELEASE-NOTES: 7.65.0 release 4200 4201- THANKS: from the 7.65.0 release-notes 4202 4203- url: convert the zone id from a IPv6 URL to correct scope id 4204 4205 Reported-by: GitYuanQu on github 4206 Fixes #3902 4207 Closes #3914 4208 4209- configure: detect getsockname and getpeername on windows too 4210 4211 Made detection macros for these two functions in the same style as other 4212 functions possibly in winsock in the hope this will work better to 4213 detect these functions when cross-compiling for Windows. 4214 4215 Follow-up to e91e4816123 4216 4217 Fixes #3913 4218 Closes #3915 4219 4220Marcel Raad (21 May 2019) 4221- examples: remove unused variables 4222 4223 Fixes Codacy/CppCheck warnings. 4224 4225 Closes 4226 4227Daniel Gustafsson (21 May 2019) 4228- udpateconninfo: mark variable unused 4229 4230 When compiling without getpeername() or getsockname(), the sockfd 4231 paramter to Curl_udpateconninfo() became unused after commit e91e481612 4232 added ifdef guards. 4233 4234 Closes #3910 4235 Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 4236 Reviewed-by: Marcel Raad, Daniel Stenberg 4237 4238- ftp: move ftp_ccc in under featureflag 4239 4240 Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under 4241 the FTP featureflag in the UserDefined struct, but vtls callsites were 4242 still using it unprotected. 4243 4244 Closes #3912 4245 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 4246 Reviewed-by: Daniel Stenberg, Marcel Raad 4247 4248Daniel Stenberg (20 May 2019) 4249- curl: report error for "--no-" on non-boolean options 4250 4251 Reported-by: Olen Andoni 4252 Fixes #3906 4253 Closes #3907 4254 4255- [Guy Poizat brought this change] 4256 4257 mbedtls: enable use of EC keys 4258 4259 Closes #3892 4260 4261- lib1560: add tests for parsing URL with too long scheme 4262 4263 Ref: #3905 4264 4265- [Omar Ramadan brought this change] 4266 4267 urlapi: increase supported scheme length to 40 bytes 4268 4269 The longest currently registered URI scheme at IANA is 36 bytes long. 4270 4271 Closes #3905 4272 Closes #3900 4273 4274Marcel Raad (20 May 2019) 4275- lib: reduce variable scopes 4276 4277 Fixes Codacy/CppCheck warnings. 4278 4279 Closes https://github.com/curl/curl/pull/3872 4280 4281- tool_formparse: remove redundant assignment 4282 4283 Just initialize word_begin with the correct value. 4284 4285 Closes https://github.com/curl/curl/pull/3873 4286 4287- ssh: move variable declaration to where it's used 4288 4289 This way, we need only one call to free. 4290 4291 Closes https://github.com/curl/curl/pull/3873 4292 4293- ssh-libssh: remove unused variable 4294 4295 sock was only used to be assigned to fd_read. 4296 4297 Closes https://github.com/curl/curl/pull/3873 4298 4299Daniel Stenberg (20 May 2019) 4300- test332: verify the blksize fix 4301 4302- tftp: use the current blksize for recvfrom() 4303 4304 bug: https://curl.haxx.se/docs/CVE-2019-5436.html 4305 Reported-by: l00p3r on hackerone 4306 CVE-2019-5436 4307 4308Daniel Gustafsson (19 May 2019) 4309- version: make ssl_version buffer match for multi_ssl 4310 4311 When running a multi TLS backend build the version string needs more 4312 buffer space. Make the internal ssl_buffer stack buffer match the one 4313 in Curl_multissl_version() to allow for the longer string. For single 4314 TLS backend builds there is no use in extended to buffer. This is a 4315 fallout from #3863 which fixes up the multi_ssl string generation to 4316 avoid a buffer overflow when the buffer is too small. 4317 4318 Closes #3875 4319 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 4320 4321Steve Holme (18 May 2019) 4322- http_ntlm_wb: Handle auth for only a single request 4323 4324 Currently when the server responds with 401 on NTLM authenticated 4325 connection (re-used) we consider it to have failed. However this is 4326 legitimate and may happen when for example IIS is set configured to 4327 'authPersistSingleRequest' or when the request goes thru a proxy (with 4328 'via' header). 4329 4330 Implemented by imploying an additional state once a connection is 4331 re-used to indicate that if we receive 401 we need to restart 4332 authentication. 4333 4334 Missed in fe6049f0. 4335 4336- http_ntlm_wb: Cleanup handshake after clean NTLM failure 4337 4338 Missed in 50b87c4e. 4339 4340- http_ntlm_wb: Return the correct error on receiving an empty auth message 4341 4342 Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. 4343 4344 Closes #3894 4345 4346Daniel Stenberg (18 May 2019) 4347- curl: make code work with protocol-disabled libcurl 4348 4349 Closes #3844 4350 4351- libcurl: #ifdef away more code for disabled features/protocols 4352 4353- progress: CURL_DISABLE_PROGRESS_METER 4354 4355- hostip: CURL_DISABLE_SHUFFLE_DNS 4356 4357- netrc: CURL_DISABLE_NETRC 4358 4359Viktor Szakats (16 May 2019) 4360- docs: Markdown and misc improvements [ci skip] 4361 4362 Approved-by: Daniel Stenberg 4363 Closes #3896 4364 4365- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] 4366 4367 Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 4368 Approved-by: Daniel Stenberg 4369 Closes #3895 4370 4371Daniel Stenberg (16 May 2019) 4372- travis: add an osx http-only build 4373 4374 Closes #3887 4375 4376- cleanup: remove FIXME and TODO comments 4377 4378 They serve very little purpose and mostly just add noise. Most of them 4379 have been around for a very long time. I read them all before removing 4380 or rephrasing them. 4381 4382 Ref: #3876 4383 Closes #3883 4384 4385- curl: don't set FTP options for FTP-disabled builds 4386 4387 ... since libcurl has started to be totally unaware of options for 4388 disabled protocols they now return error. 4389 4390 Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 4391 4392 Reported-by: Marcel Raad 4393 Closes #3886 4394 4395Steve Holme (16 May 2019) 4396- http_ntlm_wb: Move the type-2 message processing into a dedicated function 4397 4398 This brings the code inline with the other HTTP authentication mechanisms. 4399 4400 Closes #3890 4401 4402Daniel Stenberg (15 May 2019) 4403- RELEASE-NOTES: synced 4404 4405- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] 4406 4407- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] 4408 4409 Reported-by: Roy Bellingan 4410 Bug: #3885 4411 4412- parse_proxy: use the URL parser API 4413 4414 As we treat a given proxy as a URL we should use the unified URL parser 4415 to extract the parts out of it. 4416 4417 Closes #3878 4418 4419Steve Holme (15 May 2019) 4420- http_negotiate: Move the Negotiate state out of the negotiatedata structure 4421 4422 Given that this member variable is not used by the SASL based protocols 4423 there is no need to have it here. 4424 4425 Closes #3882 4426 4427- http_ntlm: Move the NTLM state out of the ntlmdata structure 4428 4429 Given that this member variable is not used by the SASL based protocols 4430 there is no need to have it here. 4431 4432- url: Move the negotiate state type into a dedicated enum 4433 4434- url: Remove duplicate clean up of the winbind variables in conn_shutdown() 4435 4436 Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior 4437 to calling conn_shutdown() and it in turn performs this, there is no 4438 need to perform the same action in conn_shutdown(). 4439 4440 Closes #3881 4441 4442Daniel Stenberg (14 May 2019) 4443- urlapi: require a non-zero host name length when parsing URL 4444 4445 Updated test 1560 to verify. 4446 4447 Closes #3880 4448 4449- configure: error out if OpenSSL wasn't detected when asked for 4450 4451 If --with-ssl is used and configure still couldn't enable SSL this 4452 creates an error instead of just silently ignoring the fact. 4453 4454 Suggested-by: Isaiah Norton 4455 Fixes #3824 4456 Closes #3830 4457 4458Daniel Gustafsson (14 May 2019) 4459- imap: Fix typo in comment 4460 4461Steve Holme (14 May 2019) 4462- url: Remove unnecessary initialisation from allocate_conn() 4463 4464 No need to set variables to zero as calloc() does this for us. 4465 4466 Closes #3879 4467 4468Daniel Stenberg (14 May 2019) 4469- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] 4470 4471 Clues-provided-by: Jay Satiro 4472 Clues-provided-by: Jeroen Ooms 4473 Fixes #3711 4474 Closes #3874 4475 4476Daniel Gustafsson (13 May 2019) 4477- vtls: fix potential ssl_buffer stack overflow 4478 4479 In Curl_multissl_version() it was possible to overflow the passed in 4480 buffer if the generated version string exceeded the size of the buffer. 4481 Fix by inverting the logic, and also make sure to not exceed the local 4482 buffer during the string generation. 4483 4484 Closes #3863 4485 Reported-by: nevv on HackerOne/curl 4486 Reviewed-by: Jay Satiro 4487 Reviewed-by: Daniel Stenberg 4488 4489Daniel Stenberg (13 May 2019) 4490- RELEASE-NOTES: synced 4491 4492- appveyor: also build "/ci" branches like travis 4493 4494- pingpong: disable more when no pingpong enabled 4495 4496- proxy: acknowledge DISABLE_PROXY more 4497 4498- parsedate: CURL_DISABLE_PARSEDATE 4499 4500- sasl: only enable if there's a protocol enabled using it 4501 4502- mime: acknowledge CURL_DISABLE_MIME 4503 4504- wildcard: disable from build when FTP isn't present 4505 4506- http: CURL_DISABLE_HTTP_AUTH 4507 4508- base64: build conditionally if there are users 4509 4510- doh: CURL_DISABLE_DOH 4511 4512Steve Holme (12 May 2019) 4513- auth: Rename the various authentication clean up functions 4514 4515 For consistency and to a avoid confusion. 4516 4517 Closes #3869 4518 4519Daniel Stenberg (12 May 2019) 4520- [Jay Satiro brought this change] 4521 4522 docs/INSTALL: fix broken link [ci skip] 4523 4524 Reported-by: Joombalaya on github 4525 Fixes #3818 4526 4527Marcel Raad (12 May 2019) 4528- easy: fix another "clarify calculation precedence" warning 4529 4530 I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. 4531 4532- build: fix "clarify calculation precedence" warnings 4533 4534 Codacy/CppCheck warns about this. Consistently use parentheses as we 4535 already do in some places to silence the warning. 4536 4537 Closes https://github.com/curl/curl/pull/3866 4538 4539- cmake: restore C89 compatibility of CurlTests.c 4540 4541 I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and 4542 97de97daefc2ed084c91eff34af2426f2e55e134. 4543 4544 Reported-by: Viktor Szakats 4545 Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 4546 Closes https://github.com/curl/curl/pull/3868 4547 4548Steve Holme (11 May 2019) 4549- http_ntlm: Corrected the name of the include guard 4550 4551 Missed in f0bdd72c. 4552 4553 Closes #3867 4554 4555- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled 4556 4557 Closes #3861 4558 4559- http_negotiate: Don't expose functions when HTTP is disabled 4560 4561Daniel Stenberg (11 May 2019) 4562- SECURITY-PROCESS: fix links [ci skip] 4563 4564Marcel Raad (11 May 2019) 4565- CMake: suppress unused variable warnings 4566 4567 I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. 4568 4569Daniel Stenberg (11 May 2019) 4570- doh: disable DOH for the cases it doesn't work 4571 4572 Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for 4573 DOH resolves. This fix disables DOH for those. 4574 4575 Limitation added to KNOWN_BUGS. 4576 4577 Fixes #3850 4578 Closes #3857 4579 4580Jay Satiro (11 May 2019) 4581- checksrc.bat: Ignore snprintf warnings in docs/examples 4582 4583 .. because we allow snprintf use in docs/examples. 4584 4585 Closes https://github.com/curl/curl/pull/3862 4586 4587Steve Holme (10 May 2019) 4588- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() 4589 4590 ...and misalignment of these comments. From a78c61a4. 4591 4592 Closes #3860 4593 4594Jay Satiro (10 May 2019) 4595- Revert "multi: support verbose conncache closure handle" 4596 4597 This reverts commit b0972bc. 4598 4599 - No longer show verbose output for the conncache closure handle. 4600 4601 The offending commit was added so that the conncache closure handle 4602 would inherit verbose mode from the user's easy handle. (Note there is 4603 no way for the user to set options for the closure handle which is why 4604 that was necessary.) Other debug settings such as the debug function 4605 were not also inherited since we determined that could lead to crashes 4606 if the user's per-handle private data was used on an unexpected handle. 4607 4608 The reporter here says he has a debug function to capture the verbose 4609 output, and does not expect or want any output to stderr; however 4610 because the conncache closure handle does not inherit the debug function 4611 the verbose output for that handle does go to stderr. 4612 4613 There are other plausible scenarios as well such as the user redirects 4614 stderr on their handle, which is also not inherited since it could lead 4615 to crashes when used on an unexpected handle. 4616 4617 Short of allowing the user to set options for the conncache closure 4618 handle I don't think there's much we can safely do except no longer 4619 inherit the verbose setting. 4620 4621 Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html 4622 Reported-by: Kristoffer Gleditsch 4623 4624 Ref: https://github.com/curl/curl/pull/3598 4625 Ref: https://github.com/curl/curl/pull/3618 4626 4627 Closes https://github.com/curl/curl/pull/3856 4628 4629Steve Holme (10 May 2019) 4630- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() 4631 4632 From 6012fa5a. 4633 4634 Closes #3858 4635 4636Daniel Stenberg (9 May 2019) 4637- BUG-BOUNTY: minor formatting fixes [ci skip] 4638 4639- RELEASE-NOTES: synced 4640 4641- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] 4642 4643 Closes #3839 4644 4645Kamil Dudka (9 May 2019) 4646- http_negotiate: do not treat failure of gss_init_sec_context() as fatal 4647 4648 Fixes #3726 4649 Closes #3849 4650 4651- spnego_gssapi: fix return code on gss_init_sec_context() failure 4652 4653 Fixes #3726 4654 Closes #3849 4655 4656Steve Holme (9 May 2019) 4657- gen_resp_file.bat: Removed unnecessary @ from all but the first command 4658 4659 There is need to use @ on every command once echo has been turned off. 4660 4661 Closes #3854 4662 4663Jay Satiro (8 May 2019) 4664- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies 4665 4666 - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to 4667 the destination host. 4668 4669 We already do something similar for HTTPS proxies by not sending h2. [1] 4670 4671 Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would 4672 incorrectly use HTTP/2 to talk to the proxy, which is not something we 4673 support (yet?). Also it's debatable whether or not that setting should 4674 apply to HTTP/2 proxies. 4675 4676 [1]: https://github.com/curl/curl/commit/17c5d05 4677 4678 Bug: https://github.com/curl/curl/issues/3570 4679 Bug: https://github.com/curl/curl/issues/3832 4680 4681 Closes https://github.com/curl/curl/pull/3853 4682 4683Marcel Raad (8 May 2019) 4684- travis: update mesalink build to xenial 4685 4686 Closes https://github.com/curl/curl/pull/3842 4687 4688Daniel Stenberg (8 May 2019) 4689- [Ricky Leverence brought this change] 4690 4691 OpenSSL: Report -fips in version if OpenSSL is built with FIPS 4692 4693 Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS 4694 define. It uses this define to determine whether to publish -fips at 4695 the end of the version displayed. Applications that utilize the version 4696 reported by OpenSSL will see a mismatch if they compare it to what curl 4697 reports, as curl is not modifying the version in the same way. This 4698 change simply adds a check to see if OPENSSL_FIPS is defined, and will 4699 alter the reported version to match what OpenSSL itself provides. This 4700 only appears to be applicable in versions of OpenSSL <1.1.1 4701 4702 Closes #3771 4703 4704Kamil Dudka (7 May 2019) 4705- [Frank Gevaerts brought this change] 4706 4707 nss: allow fifos and character devices for certificates. 4708 4709 Currently you can do things like --cert <(cat ./cert.crt) with (at least) the 4710 openssl backend, but that doesn't work for nss because is_file rejects fifos. 4711 4712 I don't actually know if this is sufficient, nss might do things internally 4713 (like seeking back) that make this not work, so actual testing is needed. 4714 4715 Closes #3807 4716 4717Daniel Gustafsson (6 May 2019) 4718- test2100: Fix typos in test description 4719 4720Daniel Stenberg (6 May 2019) 4721- ssh: define USE_SSH if SSH is enabled (any backend) 4722 4723 Closes #3846 4724 4725Steve Holme (5 May 2019) 4726- winbuild: Add our standard copyright header to the winbuild batch files 4727 4728- makedebug: Fix ERRORLEVEL detection after running where.exe 4729 4730 Closes #3838 4731 4732Daniel Stenberg (5 May 2019) 4733- urlapi: add CURLUPART_ZONEID to set and get 4734 4735 The zoneid can be used with IPv6 numerical addresses. 4736 4737 Updated test 1560 to verify. 4738 4739 Closes #3834 4740 4741- [Taiyu Len brought this change] 4742 4743 WRITEFUNCTION: add missing set_in_callback around callback 4744 4745 Closes #3837 4746 4747- RELEASE-NOTES: synced 4748 4749- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] 4750 4751 Reported-by: Ricardo Gomes 4752 4753 Bug: #3537 4754 Closes #3836 4755 4756- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value 4757 4758 The time field in the curl_fileinfo struct will always be zero. No code 4759 was ever implemented to actually convert the date string to a time_t. 4760 4761 Fixes #3829 4762 Closes #3835 4763 4764- OS400/ccsidcurl.c: code style fixes 4765 4766- OS400/ccsidcurl: replace use of Curl_vsetopt 4767 4768 (and make the code style comply) 4769 4770 Fixes #3833 4771 4772- urlapi: strip off scope id from numerical IPv6 addresses 4773 4774 ... to make the host name "usable". Store the scope id and put it back 4775 when extracting a URL out of it. 4776 4777 Also makes curl_url_set() syntax check CURLUPART_HOST. 4778 4779 Fixes #3817 4780 Closes #3822 4781 4782- RELEASE-NOTES: synced 4783 4784- multiif.h: remove unused protos 4785 4786 ... for functions related to pipelining. Those functions were removed in 4787 2f44e94efb3df. 4788 4789 Closes #3828 4790 4791- [Yiming Jing brought this change] 4792 4793 travis: mesalink: temporarily disable test 3001 4794 4795 ... due to SHA-1 signatures in test certs 4796 4797- [Yiming Jing brought this change] 4798 4799 travis: upgrade the MesaLink TLS backend to v1.0.0 4800 4801 Closes #3823 4802 Closes #3776 4803 4804- ConnectionExists: improve non-multiplexing use case 4805 4806 - better log output 4807 4808 - make sure multiplex is enabled for it to be used 4809 4810- multi: provide Curl_multiuse_state to update information 4811 4812 As soon as a TLS backend gets ALPN conformation about the specific HTTP 4813 version it can now set the multiplex situation for the "bundle" and 4814 trigger moving potentially queued up transfers to the CONNECT state. 4815 4816- process_pending_handles: mark queued transfers as previously pending 4817 4818 With transfers being queued up, we only move one at a a time back to the 4819 CONNECT state but now we mark moved transfers so that when a moved 4820 transfer is confirmed "successful" (it connected) it will trigger the 4821 move of another pending transfer. Previously, it would otherwise wait 4822 until the transfer was done before doing this. This makes queued up 4823 pending transfers get processed (much) faster. 4824 4825- http: mark bundle as not for multiuse on < HTTP/2 response 4826 4827 Fixes #3813 4828 Closes #3815 4829 4830Daniel Gustafsson (1 May 2019) 4831- cookie: Guard against possible NULL ptr deref 4832 4833 In case the name pointer isn't set (due to memory pressure most likely) 4834 we need to skip the prefix matching and reject with a badcookie to avoid 4835 a possible NULL pointer dereference. 4836 4837 Closes #3820 #3821 4838 Reported-by: Jonathan Moerman 4839 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 4840 4841Patrick Monnerat (30 Apr 2019) 4842- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings 4843 4844Kamil Dudka (29 Apr 2019) 4845- nss: provide more specific error messages on failed init 4846 4847 Closes #3808 4848 4849Daniel Stenberg (29 Apr 2019) 4850- [Reed Loden brought this change] 4851 4852 docs: minor polish to the bug bounty / security docs 4853 4854 Closes #3811 4855 4856- CURL_MAX_INPUT_LENGTH: largest acceptable string input size 4857 4858 This limits all accepted input strings passed to libcurl to be less than 4859 CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: 4860 curl_easy_setopt() and curl_url_set(). 4861 4862 The 8000000 number is arbitrary picked and is meant to detect mistakes 4863 or abuse, not to limit actual practical use cases. By limiting the 4864 acceptable string lengths we also reduce the risk of integer overflows 4865 all over. 4866 4867 NOTE: This does not apply to `CURLOPT_POSTFIELDS`. 4868 4869 Test 1559 verifies. 4870 4871 Closes #3805 4872 4873- [Tseng Jun brought this change] 4874 4875 curlver.h: use parenthesis in CURL_VERSION_BITS macro 4876 4877 Closes #3809 4878 4879Marcel Raad (27 Apr 2019) 4880- [Simon Warta brought this change] 4881 4882 cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP 4883 4884 Closes https://github.com/curl/curl/pull/3769 4885 4886Steve Holme (23 Apr 2019) 4887- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 4888 4889- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 4890 4891 Just like we do for mbed TLS, use our local implementation of MD4 when 4892 OpenSSL doesn't support it. This allows a type-3 message to include the 4893 NT response. 4894 4895Daniel Gustafsson (23 Apr 2019) 4896- INTERNALS: fix misindentation of ToC item 4897 4898 Kerberos was incorrectly indented as a subsection under FTP, which is 4899 incorrect as they are both top level sections. A fix for this was first 4900 attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that 4901 was a few paddles short of being complete. 4902 4903- [Aron Bergman brought this change] 4904 4905 INTERNALS: Add structs to ToC 4906 4907 Add the subsections under "Structs in libcurl" to the table of contents. 4908 4909 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 4910 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> 4911 4912- [Aron Bergman brought this change] 4913 4914 INTERNALS: Add code highlighting 4915 4916 Make all struct members under the Curl_handler section 4917 print in monospace font. 4918 4919 Closes #3801 4920 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 4921 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> 4922 4923Daniel Stenberg (22 Apr 2019) 4924- docs/BUG-BOUNTY: bug bounty time [skip ci] 4925 4926 Introducing the curl bug bounty program on hackerone. We now recommend 4927 filing security issues directly in the hackerone ticket system which 4928 only is readable to curl security team members. 4929 4930 Assisted-by: Daniel Gustafsson 4931 4932 Closes #3488 4933 4934Steve Holme (22 Apr 2019) 4935- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 4936 4937 RFC 4616 specifies the authzid is optional in the client authentication 4938 message and that the server will derive the authorisation identity 4939 (authzid) from the authentication identity (authcid) when not specified 4940 by the client. 4941 4942Jay Satiro (22 Apr 2019) 4943- [Gisle Vanem brought this change] 4944 4945 memdebug: fix variable name 4946 4947 Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. 4948 4949 Ref: https://github.com/curl/curl/commit/76b6348#r33259088 4950 4951Steve Holme (21 Apr 2019) 4952- vauth/cleartext: Don't send the authzid if it is empty 4953 4954 Follow up to 762a292f. 4955 4956Daniel Stenberg (21 Apr 2019) 4957- test 196,197,198: add 'retry' keyword [skip ci] 4958 4959- RELEASE-NOTES: synced 4960 4961- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse 4962 4963 ... and disconnect too old ones instead of trying to reuse. 4964 4965 Default max age is set to 118 seconds. 4966 4967 Ref: #3722 4968 Closes #3782 4969 4970Daniel Gustafsson (20 Apr 2019) 4971- [Po-Chuan Hsieh brought this change] 4972 4973 altsvc: Fix building with cookies disables 4974 4975 ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if 4976 check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is 4977 disabled. Fix by splitting out the function into a separate file which can 4978 be included where needed. 4979 4980 Closes #3717 4981 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> 4982 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> 4983 4984Daniel Stenberg (20 Apr 2019) 4985- test1002: correct the name [skip ci] 4986 4987- test660: verify CONNECT_ONLY with IMAP 4988 4989 which basically just makes sure LOGOUT is *not* issued on disconnect 4990 4991- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" 4992 4993 Since the connection has been used by the "outside" we don't know the 4994 state of it anymore and curl should not use it anymore. 4995 4996 Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html 4997 4998 Closes #3795 4999 5000- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) 5001 5002 The list of names must be in sync with the defined states in the header 5003 file! 5004 5005Steve Holme (16 Apr 2019) 5006- openvms: Remove pre-processors for Windows as VMS cannot support them 5007 5008- openvms: Remove pre-processor for SecureTransport as VMS cannot support it 5009 5010 Fixes #3768 5011 Closes #3785 5012 5013Jay Satiro (16 Apr 2019) 5014- TODO: Add issue link to an existing entry 5015 5016Daniel Stenberg (16 Apr 2019) 5017- RELEASE-NOTES: synced 5018 5019Jay Satiro (16 Apr 2019) 5020- tool_help: Warn if curl and libcurl versions do not match 5021 5022 .. because functionality may be affected if the versions differ. 5023 5024 This commit implements TODO 18.7 "warning if curl version is not in sync 5025 with libcurl version". 5026 5027 Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 5028 5029 Closes https://github.com/curl/curl/pull/3774 5030 5031Steve Holme (16 Apr 2019) 5032- md5: Update the function signature following d84da52d 5033 5034- md5: Forgot to update the code alignment in d84da52d 5035 5036- md5: Return CURLcode from the internally accessible functions 5037 5038 Following 28f826b3 to return CURLE_OK instead of numeric 0. 5039 5040Daniel Gustafsson (15 Apr 2019) 5041- tests: Run global cleanup at end of tests 5042 5043 Make sure to run curl_global_cleanup() when shutting down the test 5044 suite to release any resources allocated in the SSL setup. This is 5045 clearly visible when running tests with PolarSSL where the thread 5046 lock calloc() memory which isn't released when not running cleanup. 5047 Below is an excerpt from the autobuild logs: 5048 5049 ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 5050 ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) 5051 ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) 5052 ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup 5053 (polarssl_threadlock.c:54) 5054 ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) 5055 ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) 5056 ==12368== by 0x118B4C: global_init (easy.c:158) 5057 ==12368== by 0x118BF5: curl_global_init (easy.c:221) 5058 ==12368== by 0x118D0B: curl_easy_init (easy.c:299) 5059 ==12368== by 0x114E96: test (lib1906.c:32) 5060 ==12368== by 0x115495: main (first.c:174) 5061 5062 Closes #3783 5063 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> 5064 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 5065 5066Marcel Raad (15 Apr 2019) 5067- travis: use mbedtls from Xenial 5068 5069 No need to build it from source anymore. 5070 5071 Closes https://github.com/curl/curl/pull/3779 5072 5073- travis: use libpsl from Xenial 5074 5075 This makes building libpsl and libidn2 from source unnecessary and 5076 removes the need for the autopoint and libunistring-dev packages. 5077 5078 Closes https://github.com/curl/curl/pull/3779 5079 5080Daniel Stenberg (15 Apr 2019) 5081- runtests: start socksd like other servers 5082 5083 ... without a $srcdir prefix. Triggered by the failures in several 5084 autobuilds. 5085 5086 Closes #3781 5087 5088Daniel Gustafsson (14 Apr 2019) 5089- socksd: Fix typos 5090 5091 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 5092 5093- socksd: Properly decorate static variables 5094 5095 Mark global variables static to avoid compiler warning in Clang when 5096 using -Wmissing-variable-declarations. 5097 5098 Closes #3778 5099 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 5100 5101Steve Holme (14 Apr 2019) 5102- md(4|5): Fixed indentation oddities with the importation of replacement code 5103 5104 The indentation from 211d5329 and 57d6d253 was a little strange as 5105 parts didn't align correctly, uses 4 spaces rather than 2. Checked 5106 the indentation of the original source so it aligns, albeit, using 5107 curl style. 5108 5109- md5: Code style to return CURLE_OK rather than numeric 0 5110 5111- md5: Corrected code style for some pointer arguments 5112 5113Marcel Raad (13 Apr 2019) 5114- travis: update some builds to xenial 5115 5116 Xenial comes with more up-to-date software versions and more available 5117 packages, some of which we currently build from source. Unfortunately, 5118 some builds would fail with Xenial because of assertion failures in 5119 Valgrind when using OpenSSL, so leave these at Trusty. 5120 5121 Closes https://github.com/curl/curl/pull/3777 5122 5123Daniel Stenberg (13 Apr 2019) 5124- test: make tests and test scripts use socksd for SOCKS 5125 5126 Make all SOCKS tests use socksd instead of ssh. 5127 5128- socksd: new SOCKS 4+5 server for tests 5129 5130 Closes #3752 5131 5132- singleipconnect: show port in the verbose "Trying ..." message 5133 5134 To aid debugging better. 5135 5136- [tmilburn brought this change] 5137 5138 CURLOPT_ADDRESS_SCOPE: fix range check and more 5139 5140 Commit 9081014 fixed most of the confusing issues between scope id and 5141 scope however 844896d added bad limits checking assuming that the scope 5142 is being set and not the scope id. 5143 5144 I have fixed the documentation so it all refers to scope ids. 5145 5146 In addition Curl_if2ip refered to the scope id as remote_scope_id which 5147 is incorrect, so I renamed it to local_scope_id. 5148 5149 Adjusted-by: Daniel Stenberg 5150 5151 Closes #3655 5152 Closes #3765 5153 Fixes #3713 5154 5155- urlapi: stricter CURLUPART_PORT parsing 5156 5157 Only allow well formed decimal numbers in the input. 5158 5159 Document that the number MUST be between 1 and 65535. 5160 5161 Add tests to test 1560 to verify the above. 5162 5163 Ref: https://github.com/curl/curl/issues/3753 5164 Closes #3762 5165 5166Jay Satiro (13 Apr 2019) 5167- [Jan Ehrhardt brought this change] 5168 5169 winbuild: Support MultiSSL builds 5170 5171 - Remove the lines in winbuild/Makefile.vc that generate an error with 5172 multiple SSL backends. 5173 5174 - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL 5175 backends are set. 5176 5177 Closes https://github.com/curl/curl/pull/3772 5178 5179Daniel Stenberg (12 Apr 2019) 5180- travis: remove mesalink builds (temporarily?) 5181 5182 Since the mesalink build started to fail on travis, even though we build 5183 a fixed release version, we disable it to prevent it from blocking 5184 progress. 5185 5186 Closes #3767 5187 5188- openssl: mark connection for close on TLS close_notify 5189 5190 Without this, detecting and avoid reusing a closed TLS connection 5191 (without a previous GOAWAY) when doing HTTP/2 is tricky. 5192 5193 Reported-by: Tom van der Woerdt 5194 Fixes #3750 5195 Closes #3763 5196 5197- RELEASE-NOTES: synced 5198 5199Steve Holme (11 Apr 2019) 5200- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 5201 5202 Functionally this doesn't change anything as we still use the username 5203 for both the authorisation identity and the authentication identity. 5204 5205 Closes #3757 5206 5207Daniel Stenberg (11 Apr 2019) 5208- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage 5209 5210 Based-on-code-by: Poul T Lomholt 5211 5212- url: always clone the CUROPT_CURLU handle 5213 5214 Since a few code paths actually update that data. 5215 5216 Fixes #3753 5217 Closes #3761 5218 5219 Reported-by: Poul T Lomholt 5220 5221- CURLOPT_DNS_USE_GLOBAL_CACHE: remove 5222 5223 Remove the code too. The functionality has been disabled in code since 5224 7.62.0. Setting this option will from now on simply be ignored and have 5225 no function. 5226 5227 Closes #3654 5228 5229Marcel Raad (11 Apr 2019) 5230- travis: install libgnutls28-dev only for --with-gnutls build 5231 5232 Reduces the time needed for the other jobs a little. 5233 5234 Closes https://github.com/curl/curl/pull/3721 5235 5236- travis: install libnss3-dev only for --with-nss build 5237 5238 Reduces the time needed for the other jobs a little. 5239 5240 Closes https://github.com/curl/curl/pull/3721 5241 5242- travis: install libssh2-dev only for --with-libssh2 build 5243 5244 Reduces the time needed for the other jobs a little. 5245 5246 Closes https://github.com/curl/curl/pull/3721 5247 5248- travis: install libssh-dev only for --with-libssh build 5249 5250 Reduces the time needed for the other jobs a little. 5251 5252 Closes https://github.com/curl/curl/pull/3721 5253 5254- travis: install krb5-user only for --with-gssapi build 5255 5256 Reduces the time needed for the other jobs a little. 5257 5258 Closes https://github.com/curl/curl/pull/3721 5259 5260- travis: install lcov only for the coverage job 5261 5262 Reduces the time needed for the other jobs a little. 5263 5264 Closes https://github.com/curl/curl/pull/3721 5265 5266- travis: install clang only when needed 5267 5268 This reduces the GCC job runtimes a little and it's needed to 5269 selectively update clang builds to xenial. 5270 5271 Closes https://github.com/curl/curl/pull/3721 5272 5273- AppVeyor: enable testing for WinSSL build 5274 5275 Closes https://github.com/curl/curl/pull/3725 5276 5277- build: fix Codacy/CppCheck warnings 5278 5279 - remove unused variables 5280 - declare conditionally used variables conditionally 5281 - suppress unused variable warnings in the CMake tests 5282 - remove dead variable stores 5283 - consistently use WIN32 macro to detect Windows 5284 5285 Closes https://github.com/curl/curl/pull/3739 5286 5287- polarssl_threadlock: remove conditionally unused code 5288 5289 Make functions no-ops if neither both USE_THREADS_POSIX and 5290 HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are 5291 defined. Previously, if only one of them was defined, there was either 5292 code compiled that did nothing useful or the wrong header included for 5293 the functions used. 5294 5295 Also, move POLARSSL_MUTEX_T define to implementation file as it's not 5296 used externally. 5297 5298 Closes https://github.com/curl/curl/pull/3739 5299 5300- lib557: initialize variables 5301 5302 These variables are only conditionally initialized. 5303 5304 Closes https://github.com/curl/curl/pull/3739 5305 5306- lib509: add missing include for strdup 5307 5308 Closes https://github.com/curl/curl/pull/3739 5309 5310- README.md: fix no-consecutive-blank-lines Codacy warning 5311 5312 Consistently use one blank line between blocks. 5313 5314 Closes https://github.com/curl/curl/pull/3739 5315 5316- tests/server/util: fix Windows Unicode build 5317 5318 Always use the ANSI version of FormatMessage as we don't have the 5319 curl_multibyte gear available here. 5320 5321 Closes https://github.com/curl/curl/pull/3758 5322 5323Daniel Stenberg (11 Apr 2019) 5324- curl_easy_getinfo.3: fix minor formatting mistake 5325 5326Daniel Gustafsson (11 Apr 2019) 5327- xattr: skip unittest on unsupported platforms 5328 5329 The stripcredentials unittest fails to compile on platforms without 5330 xattr support, for example the Solaris member in the buildfarm which 5331 fails with the following: 5332 5333 CC unit1621-unit1621.o 5334 CC ../libtest/unit1621-first.o 5335 CCLD unit1621 5336 Undefined first referenced 5337 symbol in file 5338 stripcredentials unit1621-unit1621.o 5339 goto problem 2 5340 ld: fatal: symbol referencing errors. No output written to .libs/unit1621 5341 collect2: error: ld returned 1 exit status 5342 gmake[2]: *** [Makefile:996: unit1621] Error 1 5343 5344 Fix by excluding the test on such platforms by using the reverse 5345 logic from where stripcredentials() is defined. 5346 5347 Closes #3759 5348 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 5349 5350Steve Holme (11 Apr 2019) 5351- emailL Added reference to RFC8314 for implicit TLS 5352 5353- README: Schannel, stop calling it "winssl" 5354 5355 Stick to "Schannel" everywhere - follow up to 180501cb. 5356 5357Jakub Zakrzewski (10 Apr 2019) 5358- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use 5359 5360 This fixes GSSAPI builds with the libraries in a non-standard location. 5361 The testing for recv() were failing because it failed to link 5362 the Kerberos libraries, which are not needed for this or subsequent 5363 tests. 5364 5365 fixes #3743 5366 closes #3744 5367 5368- cmake: avoid linking executable for some tests with cmake 3.6+ 5369 5370 With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() 5371 (which is used by check_c_source_compiles()) will build static library 5372 instead of executable. This avoids linking additional libraries in and thus 5373 speeds up those checks a little. 5374 5375 This commit also avoids #3743 (GSSAPI build errors) on itself with cmake 5376 3.6 or above. That issue was fixed separately for all versions. 5377 5378 Ref: #3744 5379 5380- cmake: minor cleanup 5381 5382 - Remove nneeded include_regular_expression. 5383 It was setting what is already a default. 5384 5385 - Remove duplicated include. 5386 5387 - Don't check for pre-3.0.0 CMake version. 5388 We already require at least 3.0.0, so it's just clutter. 5389 5390 Ref: #3744 5391 5392Steve Holme (8 Apr 2019) 5393- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ 5394 5395- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) 5396 5397- build-openssl.bat: Perform the install for each build type directly after the build 5398 5399- build-openssl.bat: Split the install of static and shared build types 5400 5401- build-openssl.bat: Split the building of static and shared build types 5402 5403- build-openssl.bat: Move the installation into a separate function 5404 5405- build-openssl.bat: Move the build step into a separate function 5406 5407- build-openssl.bat: Move the OpenSSL configuration into a separate function 5408 5409- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised 5410 5411 Should the parent environment set this variable then the build might 5412 not be performed as the user intended. 5413 5414Daniel Stenberg (8 Apr 2019) 5415- socks: fix error message 5416 5417- config.d: clarify that initial : and = might need quoting [skip ci] 5418 5419 Fixes #3738 5420 Closes #3749 5421 5422- RELEASE-NOTES: synced 5423 5424 bumped to 7.65.0 for next release 5425 5426- socks5: user name and passwords must be shorter than 256 5427 5428 bytes... since the protocol needs to store the length in a single byte field. 5429 5430 Reported-by: XmiliaH on github 5431 Fixes #3737 5432 Closes #3740 5433 5434- [Jakub Zakrzewski brought this change] 5435 5436 test: urlapi: urlencode characters above 0x7f correctly 5437 5438- [Jakub Zakrzewski brought this change] 5439 5440 urlapi: urlencode characters above 0x7f correctly 5441 5442 fixes #3741 5443 Closes #3742 5444 5445- [Even Rouault brought this change] 5446 5447 multi_runsingle(): fix use-after-free 5448 5449 Fixes #3745 5450 Closes #3746 5451 5452 The following snippet 5453 ``` 5454 5455 int main() 5456 { 5457 CURL* hCurlHandle = curl_easy_init(); 5458 curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); 5459 curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); 5460 curl_easy_perform(hCurlHandle); 5461 curl_easy_cleanup(hCurlHandle); 5462 return 0; 5463 } 5464 ``` 5465 triggers the following Valgrind warning 5466 5467 ``` 5468 ==4125== Invalid read of size 8 5469 ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) 5470 ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) 5471 ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) 5472 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) 5473 ==4125== by 0x4E766A0: easy_transfer (easy.c:625) 5474 ==4125== by 0x4E76915: easy_perform (easy.c:719) 5475 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) 5476 ==4125== by 0x4008BE: main (in /home/even/curl/test) 5477 ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd 5478 ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) 5479 ==4125== by 0x4E62C36: conn_free (url.c:756) 5480 ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) 5481 ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) 5482 ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) 5483 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) 5484 ==4125== by 0x4E766A0: easy_transfer (easy.c:625) 5485 ==4125== by 0x4E76915: easy_perform (easy.c:719) 5486 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) 5487 ==4125== by 0x4008BE: main (in /home/even/curl/test) 5488 ==4125== Block was alloc'd at 5489 ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) 5490 ==4125== by 0x4E6438E: allocate_conn (url.c:1654) 5491 ==4125== by 0x4E685B4: create_conn (url.c:3496) 5492 ==4125== by 0x4E6968F: Curl_connect (url.c:4023) 5493 ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) 5494 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) 5495 ==4125== by 0x4E766A0: easy_transfer (easy.c:625) 5496 ==4125== by 0x4E76915: easy_perform (easy.c:719) 5497 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) 5498 ==4125== by 0x4008BE: main (in /home/even/curl/test) 5499 ``` 5500 5501 This has been bisected to commit 2f44e94 5502 5503 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 5504 Credit to OSS Fuzz 5505 5506- pipelining: removed 5507 5508 As previously planned and documented in DEPRECATE.md, all pipelining 5509 code is removed. 5510 5511 Closes #3651 5512 5513- [cclauss brought this change] 5514 5515 tests: make Impacket (SMB server) Python 3 compatible 5516 5517 Closes #3731 5518 Fixes #3289 5519 5520Marcel Raad (6 Apr 2019) 5521- [Simon Warta brought this change] 5522 5523 cmake: set SSL_BACKENDS 5524 5525 This groups all SSL backends into the feature "SSL" and sets the 5526 SSL_BACKENDS analogue to configure.ac 5527 5528 Closes https://github.com/curl/curl/pull/3736 5529 5530- [Simon Warta brought this change] 5531 5532 cmake: don't run SORT on empty list 5533 5534 In case of an empty list, SORTing leads to the cmake error "list 5535 sub-command SORT requires list to be present." 5536 5537 Closes https://github.com/curl/curl/pull/3736 5538 5539Daniel Gustafsson (5 Apr 2019) 5540- [Eli Schwartz brought this change] 5541 5542 configure: fix default location for fish completions 5543 5544 Fish defines a vendor completions directory for completions that are not 5545 installed as part of the fish project itself, and the vendor completions 5546 are preferred if they exist. This prevents trying to overwrite the 5547 builtin curl.fish completion (or creating file conflicts in distro 5548 packaging). 5549 5550 Prefer the pkg-config defined location exported by fish, if it can be 5551 found, and fall back to the correct directory defined by most systems. 5552 5553 Closes #3723 5554 Reviewed-by: Daniel Gustafsson 5555 5556Marcel Raad (5 Apr 2019) 5557- ftplistparser: fix LGTM alert "Empty block without comment" 5558 5559 Removing the block is consistent with line 954/957. 5560 5561 Closes https://github.com/curl/curl/pull/3732 5562 5563- transfer: fix LGTM alert "Comparison is always true" 5564 5565 Just remove the redundant condition, which also makes it clear that 5566 k->buf is always 0-terminated if this break is not hit. 5567 5568 Closes https://github.com/curl/curl/pull/3732 5569 5570Jay Satiro (4 Apr 2019) 5571- [Rikard Falkeborn brought this change] 5572 5573 smtp: fix compiler warning 5574 5575 - Fix clang string-plus-int warning. 5576 5577 Clang 8 warns about adding a string to an int does not append to the 5578 string. Indeed it doesn't, but that was not the intention either. Use 5579 array indexing as suggested to silence the warning. There should be no 5580 functional changes. 5581 5582 (In other words clang warns about "foo"+2 but not &"foo"[2] so use the 5583 latter.) 5584 5585 smtp.c:1221:29: warning: adding 'int' to a string does not append to the 5586 string [-Wstring-plus-int] 5587 eob = strdup(SMTP_EOB + 2); 5588 ~~~~~~~~~~~~~~~~^~~~ 5589 5590 Closes https://github.com/curl/curl/pull/3729 5591 5592Marcel Raad (4 Apr 2019) 5593- VS projects: use Unicode for VC10+ 5594 5595 All Windows APIs have been natively UTF-16 since Windows 2000 and the 5596 non-Unicode variants are just wrappers around them. Only Windows 9x 5597 doesn't understand Unicode without the UnicoWS DLL. As later Visual 5598 Studio versions cannot target Windows 9x anyway, using the ANSI API 5599 doesn't really have any benefit there. 5600 5601 This avoids issues like KNOWN_BUGS 6.5. 5602 5603 Ref: https://github.com/curl/curl/issues/2120 5604 Closes https://github.com/curl/curl/pull/3720 5605 5606Daniel Gustafsson (3 Apr 2019) 5607- RELEASE-NOTES: synced 5608 5609 Bump the version in progress to 7.64.2, if we merge any "change" 5610 before the cut-off date we can update the version. 5611 5612- [Tim Rühsen brought this change] 5613 5614 documentation: Fix several typos 5615 5616 Closes #3724 5617 Reviewed-by: Jakub Zakrzewski 5618 Reviewed-by: Daniel Gustafsson 5619 5620Jay Satiro (2 Apr 2019) 5621- [Mert Yazıcıoğlu brought this change] 5622 5623 vauth/oauth2: Fix OAUTHBEARER token generation 5624 5625 OAUTHBEARER tokens were incorrectly generated in a format similar to 5626 XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the 5627 RFC7628. 5628 5629 Fixes: #2487 5630 Reported-by: Paolo Mossino 5631 5632 Closes https://github.com/curl/curl/pull/3377 5633 5634Marcel Raad (2 Apr 2019) 5635- tool_cb_wrt: fix bad-function-cast warning 5636 5637 Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the 5638 warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. 5639 Extend fhnd's scope and reuse that variable instead of calling 5640 _get_osfhandle a second time to fix the warning again. 5641 5642 Closes https://github.com/curl/curl/pull/3718 5643 5644- VC15 project: remove MinimalRebuild 5645 5646 Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the 5647 library project, but I forgot the tool project template. Now also 5648 removed for that. 5649 5650Dan Fandrich (1 Apr 2019) 5651- cirrus: Customize the disabled tests per FreeBSD version 5652 5653 Try to run as many test cases as possible on each OS version. 5654 12.0 passes 13 more tests than the older versions, so we might as well 5655 run them. 5656 5657Daniel Stenberg (1 Apr 2019) 5658- tool_help: include <strings.h> for strcasecmp 5659 5660 Reported-by: Wyatt O'Day 5661 Fixes #3715 5662 Closes #3716 5663 5664Daniel Gustafsson (31 Mar 2019) 5665- scripts: fix typos 5666 5667Dan Fandrich (28 Mar 2019) 5668- travis: allow builds on branches named "ci" 5669 5670 This allows a way to test changes other than through PRs. 5671 5672Daniel Stenberg (27 Mar 2019) 5673- [Brad Spencer brought this change] 5674 5675 resolve: apply Happy Eyeballs philosophy to parallel c-ares queries 5676 5677 Closes #3699 5678 5679- multi: improved HTTP_1_1_REQUIRED handling 5680 5681 Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error 5682 on first flight. 5683 5684 Reported-by: niner on github 5685 Fixes #3696 5686 Closes #3707 5687 5688- [Leonardo Taccari brought this change] 5689 5690 configure: avoid unportable `==' test(1) operator 5691 5692 Closes #3709 5693 5694Version 7.64.1 (27 Mar 2019) 5695 5696Daniel Stenberg (27 Mar 2019) 5697- RELEASE: 7.64.1 5698 5699- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" 5700 5701 This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. 5702 5703 Fixes #3708 5704 5705- [Christian Schmitz brought this change] 5706 5707 ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set 5708 5709 Closes #3704 5710 5711Jay Satiro (26 Mar 2019) 5712- tool_cb_wrt: fix writing to Windows null device NUL 5713 5714 - Improve console detection. 5715 5716 Prior to this change WriteConsole could be called to write to a handle 5717 that may not be a console, which would cause an error. This issue is 5718 limited to character devices that are not also consoles such as the null 5719 device NUL. 5720 5721 Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 5722 Reported-by: Gisle Vanem 5723 5724- CURLMOPT_PIPELINING.3: fix typo 5725 5726Daniel Stenberg (25 Mar 2019) 5727- TODO: config file parsing 5728 5729 Closes #3698 5730 5731Jay Satiro (24 Mar 2019) 5732- os400: Disable Alt-Svc by default since it's experimental 5733 5734 Follow-up to 520f0b4 which added Alt-Svc support and enabled it by 5735 default for OS400. Since the feature is experimental, it should be 5736 disabled by default. 5737 5738 Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 5739 Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html 5740 5741 Closes https://github.com/curl/curl/pull/3688 5742 5743Dan Fandrich (24 Mar 2019) 5744- tests: Fixed XML validation errors in some test files. 5745 5746- tests: Fix some incorrect precheck error messages. 5747 5748 [ci skip] 5749 5750Daniel Stenberg (22 Mar 2019) 5751- curl_url.3: this is not experimental anymore 5752 5753- travis: bump the used wolfSSL version to 4.0.0 5754 5755 Test 311 is now fine, leaving only 313 (CRL) disabled. 5756 5757 Test 313 details can be found here: 5758 https://github.com/wolfSSL/wolfssl/issues/1546 5759 5760 Closes #3697 5761 5762Daniel Gustafsson (22 Mar 2019) 5763- lib: Fix typos in comments 5764 5765David Woodhouse (20 Mar 2019) 5766- openssl: if cert type is ENG and no key specified, key is ENG too 5767 5768 Fixes #3692 5769 Closes #3692 5770 5771Daniel Stenberg (20 Mar 2019) 5772- sectransp: tvOS 11 is required for ALPN support 5773 5774 Reported-by: nianxuejie on github 5775 Assisted-by: Nick Zitzmann 5776 Assisted-by: Jay Satiro 5777 Fixes #3689 5778 Closes #3690 5779 5780- test1541: threaded connection sharing 5781 5782 The threaded-shared-conn.c example turned into test case. Only works if 5783 pthread was detected. 5784 5785 An attempt to detect future regressions such as e3a53e3efb942a5 5786 5787 Closes #3687 5788 5789Patrick Monnerat (17 Mar 2019) 5790- os400: alt-svc support. 5791 5792 Although experimental, enable it in the platform config file. 5793 Upgrade ILE/RPG binding. 5794 5795Daniel Stenberg (17 Mar 2019) 5796- conncache: use conn->data to know if a transfer owns it 5797 5798 - make sure an already "owned" connection isn't returned unless 5799 multiplexed. 5800 5801 - clear ->data when returning the connection to the cache again 5802 5803 Regression since 7.62.0 (probably in commit 1b76c38904f0) 5804 5805 Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html 5806 5807 Closes #3686 5808 5809- RELEASE-NOTES: synced 5810 5811- [Chris Young brought this change] 5812 5813 configure: add --with-amissl 5814 5815 AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. 5816 It also requires all programs using it to use bsdsocket.library 5817 directly, rather than accessing socket functions through clib, which 5818 libcurl was not necessarily doing previously. Configure will now check 5819 for the headers and ensure they are included if found. 5820 5821 Closes #3677 5822 5823- [Chris Young brought this change] 5824 5825 vtls: rename some of the SSL functions 5826 5827 ... in the SSL structure as AmiSSL is using macros for the socket API 5828 functions. 5829 5830- [Chris Young brought this change] 5831 5832 tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr 5833 5834- [Chris Young brought this change] 5835 5836 tool_operate: build on AmigaOS 5837 5838- makefile: make checksrc and hugefile commands "silent" 5839 5840 ... to match the style already used for compiling, linking 5841 etc. Acknowledges 'make V=1' to enable verbose. 5842 5843 Closes #3681 5844 5845- curl.1: --user and --proxy-user are hidden from ps output 5846 5847 Suggested-by: Eric Curtin 5848 Improved-by: Dan Fandrich 5849 Ref: #3680 5850 5851 Closes #3683 5852 5853- curl.1: mark the argument to --cookie as <data|filename> 5854 5855 From a discussion in #3676 5856 5857 Suggested-by: Tim Rühsen 5858 5859 Closes #3682 5860 5861Dan Fandrich (14 Mar 2019) 5862- fuzzer: Only clone the latest fuzzer code, for speed. 5863 5864Daniel Stenberg (14 Mar 2019) 5865- [Dominik Hölzl brought this change] 5866 5867 Negotiate: fix for HTTP POST with Negotiate 5868 5869 * Adjusted unit tests 2056, 2057 5870 * do not generally close connections with CURLAUTH_NEGOTIATE after every request 5871 * moved negotiatedata from UrlState to connectdata 5872 * Added stream rewind logic for CURLAUTH_NEGOTIATE 5873 * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC 5874 * Consider authproblem state for CURLAUTH_NEGOTIATE 5875 * Consider reuse_forbid for CURLAUTH_NEGOTIATE 5876 * moved and adjusted negotiate authentication state handling from 5877 output_auth_headers into Curl_output_negotiate 5878 * Curl_output_negotiate: ensure auth done is always set 5879 * Curl_output_negotiate: Set auth done also if result code is 5880 GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may 5881 also indicate the last challenge request (only works with disabled 5882 Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) 5883 * Consider "Persistent-Auth" header, detect if not present; 5884 Reset/Cleanup negotiate after authentication if no persistent 5885 authentication 5886 * apply changes introduced with #2546 for negotiate rewind logic 5887 5888 Fixes #1261 5889 Closes #1975 5890 5891- [Marc Schlatter brought this change] 5892 5893 http: send payload when (proxy) authentication is done 5894 5895 The check that prevents payload from sending in case of authentication 5896 doesn't check properly if the authentication is done or not. 5897 5898 They're cases where the proxy respond "200 OK" before sending 5899 authentication challenge. This change takes care of that. 5900 5901 Fixes #2431 5902 Closes #3669 5903 5904- file: fix "Checking if unsigned variable 'readcount' is less than zero." 5905 5906 Pointed out by codacy 5907 5908 Closes #3672 5909 5910- memdebug: log pointer before freeing its data 5911 5912 Coverity warned for two potentional "Use after free" cases. Both are false 5913 positives because the memory wasn't used, it was only the actual pointer 5914 value that was logged. 5915 5916 The fix still changes the order of execution to avoid the warnings. 5917 5918 Coverity CID 1443033 and 1443034 5919 5920 Closes #3671 5921 5922- RELEASE-NOTES: synced 5923 5924Marcel Raad (12 Mar 2019) 5925- travis: actually use updated compiler versions 5926 5927 For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the 5928 new GCC versions were only used for the coverage build and for building 5929 nghttp2, while the new clang version was not used at all. 5930 5931 BoringSSL needs to use the default GCC as it respects CC, but not CXX, 5932 so it would otherwise pass gcc 8 options to g++ 4.8 and fail. 5933 5934 Also remove GCC 7, it's not needed anymore. 5935 5936 Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning 5937 5938 Closes https://github.com/curl/curl/pull/3670 5939 5940- travis: update clang to version 7 5941 5942 Closes https://github.com/curl/curl/pull/3670 5943 5944Jay Satiro (11 Mar 2019) 5945- [Andre Guibert de Bruet brought this change] 5946 5947 examples/externalsocket: add missing close socket calls 5948 5949 .. and for Windows also call WSACleanup since we call WSAStartup. 5950 5951 The example is to demonstrate handling the socket independently of 5952 libcurl. In this case libcurl is not responsible for creating, opening 5953 or closing the socket, it is handled by the application (our example). 5954 5955 Fixes https://github.com/curl/curl/pull/3663 5956 5957Daniel Stenberg (11 Mar 2019) 5958- multi: removed unused code for request retries 5959 5960 This code was once used for the non multi-interface using code path, but 5961 ever since easy_perform was turned into a wrapper around the multi 5962 interface, this code path never runs. 5963 5964 Closes #3666 5965 5966Jay Satiro (11 Mar 2019) 5967- doh: inherit some SSL options from user's easy handle 5968 5969 - Inherit SSL options for the doh handle but not SSL client certs, 5970 SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, 5971 SSL pinned public key, SSL ciphers, SSL id cache setting, 5972 SSL kerberos or SSL gss-api settings. 5973 5974 - Fix inheritance of verbose setting. 5975 5976 - Inherit NOSIGNAL. 5977 5978 There is no way for the user to set options for the doh (DNS-over-HTTPS) 5979 handles and instead we inherit some options from the user's easy handle. 5980 5981 My thinking for the SSL options not inherited is they are most likely 5982 not intended by the user for the DOH transfer. I did inherit insecure 5983 because I think that should still be in control of the user. 5984 5985 Prior to this change doh did not work for me because CAINFO was not 5986 inherited. Also verbose was set always which AFAICT was a bug (#3660). 5987 5988 Fixes https://github.com/curl/curl/issues/3660 5989 Closes https://github.com/curl/curl/pull/3661 5990 5991Daniel Stenberg (9 Mar 2019) 5992- test331: verify set-cookie for dotless host name 5993 5994 Reproduced bug #3649 5995 Closes #3659 5996 5997- Revert "cookies: extend domain checks to non psl builds" 5998 5999 This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. 6000 6001 Regression shipped in 7.64.0 6002 Fixes #3649 6003 6004- memdebug: make debug-specific functions use curl_dbg_ prefix 6005 6006 To not "collide" or use up the regular curl_ name space. Also makes them 6007 easier to detect in helper scripts. 6008 6009 Closes #3656 6010 6011- cmdline-opts/proxytunnel.d: the option tunnnels all protocols 6012 6013 Clarify the language and simplify. 6014 6015 Reported-by: Daniel Lublin 6016 Closes #3658 6017 6018- KNOWN_BUGS: Client cert (MTLS) issues with Schannel 6019 6020 Closes #3145 6021 6022- ROADMAP: updated to some more current things to work on 6023 6024- tests: fix multiple may be used uninitialized warnings 6025 6026- RELEASE-NOTES: synced 6027 6028- source: fix two 'nread' may be used uninitialized warnings 6029 6030 Both seem to be false positives but we don't like warnings. 6031 6032 Closes #3646 6033 6034- gopher: remove check for path == NULL 6035 6036 Since it can't be NULL and it makes Coverity believe we lack proper NULL 6037 checks. Verified by test 659, landed in commit 15401fa886b. 6038 6039 Pointed out by Coverity CID 1442746. 6040 6041 Assisted-by: Dan Fandrich 6042 Fixes #3617 6043 Closes #3642 6044 6045- examples: only include <curl/curl.h> 6046 6047 That's the only public curl header we should encourage use of. 6048 6049 Reviewed-by: Marcel Raad 6050 Closes #3645 6051 6052- ssh: loop the state machine if not done and not blocking 6053 6054 If the state machine isn't complete, didn't fail and it didn't return 6055 due to blocking it can just as well loop again. 6056 6057 This addresses the problem with SFTP directory listings where we would 6058 otherwise return back to the parent and as the multi state machine 6059 doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the 6060 doing phase isn't complete, it would return out when in reality there 6061 was more data to deal with. 6062 6063 Fixes #3506 6064 Closes #3644 6065 6066Jay Satiro (5 Mar 2019) 6067- multi: support verbose conncache closure handle 6068 6069 - Change closure handle to receive verbose setting from the easy handle 6070 most recently added via curl_multi_add_handle. 6071 6072 The closure handle is a special easy handle used for closing cached 6073 connections. It receives limited settings from the easy handle most 6074 recently added to the multi handle. Prior to this change that did not 6075 include verbose which was a problem because on connection shutdown 6076 verbose mode was not acknowledged. 6077 6078 Ref: https://github.com/curl/curl/pull/3598 6079 6080 Co-authored-by: Daniel Stenberg 6081 6082 Closes https://github.com/curl/curl/pull/3618 6083 6084Daniel Stenberg (4 Mar 2019) 6085- CURLU: fix NULL dereference when used over proxy 6086 6087 Test 659 verifies 6088 6089 Also fixed the test 658 name 6090 6091 Closes #3641 6092 6093- altsvc_out: check the return code from Curl_gmtime 6094 6095 Pointed out by Coverity, CID 1442956. 6096 6097 Closes #3640 6098 6099- docs/ALTSVC.md: docs describing the approach 6100 6101 Closes #3498 6102 6103- alt-svc: add a travis build 6104 6105- alt-svc: add test 355 and 356 to verify with command line curl 6106 6107- alt-svc: the curl command line bits 6108 6109- alt-svc: the libcurl bits 6110 6111- travis: add build using gnutls 6112 6113 Closes #3637 6114 6115- RELEASE-NOTES: synced 6116 6117- [Simon Legner brought this change] 6118 6119 scripts/completion.pl: also generate fish completion file 6120 6121 This is the renamed script formerly known as zsh.pl 6122 6123 Closes #3545 6124 6125- gnutls: remove call to deprecated gnutls_compression_get_name 6126 6127 It has been deprecated by GnuTLS since a year ago and now causes build 6128 warnings. 6129 6130 Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f 6131 Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html 6132 6133 Closes #3636 6134 6135Jay Satiro (2 Mar 2019) 6136- system_win32: move win32_init here from easy.c 6137 6138 .. since system_win32 is a more appropriate location for the functions 6139 and to extern the globals. 6140 6141 Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 6142 Reported-by: Gisle Vanem 6143 6144 Closes https://github.com/curl/curl/pull/3625 6145 6146Daniel Stenberg (1 Mar 2019) 6147- curl_easy_duphandle.3: clarify that a duped handle has no shares 6148 6149 Reported-by: Sara Golemon 6150 6151 Fixes #3592 6152 Closes #3634 6153 6154- 10-at-a-time.c: fix too long line 6155 6156- [Arnaud Rebillout brought this change] 6157 6158 examples: various fixes in ephiperfifo.c 6159 6160 The main change here is the timer value that was wrong, it was given in 6161 usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * 6162 1000). This resulted in the callback being invoked WAY TOO OFTEN. 6163 6164 As a quick check you can run this command before and after applying this 6165 commit: 6166 6167 # shell 1 6168 ./ephiperfifo 2>&1 | tee ephiperfifo.log 6169 # shell 2 6170 echo http://hacking.elboulangero.com > hiper.fifo 6171 6172 Then just compare the size of the logs files. 6173 6174 Closes #3633 6175 Fixes #3632 6176 Signed-off-by: Arnaud Rebillout <arnaud.rebillout@collabora.com> 6177 6178- urldata: simplify bytecounters 6179 6180 - no need to have them protocol specific 6181 6182 - no need to set pointers to them with the Curl_setup_transfer() call 6183 6184 - make Curl_setup_transfer() operate on a transfer pointer, not 6185 connection 6186 6187 - switch some counters from long to the more proper curl_off_t type 6188 6189 Closes #3627 6190 6191- examples/10-at-a-time.c: improve readability and simplify 6192 6193 - use better variable names to explain their purposes 6194 - convert logic to curl_multi_wait() 6195 6196- threaded-resolver: shutdown the resolver thread without error message 6197 6198 When a transfer is done, the resolver thread will be brought down. That 6199 could accidentally generate an error message in the error buffer even 6200 though this is not an error situationand the transfer would still return 6201 OK. An application that still reads the error buffer could find a 6202 "Could not resolve host: [host name]" message there and get confused. 6203 6204 Reported-by: Michael Schmid 6205 Fixes #3629 6206 Closes #3630 6207 6208- [Ԝеѕ brought this change] 6209 6210 docs: update max-redirs.d phrasing 6211 6212 clarify redir - "in absurdum" doesn't seem to make sense in this context 6213 6214 Closes #3631 6215 6216- ssh: fix Condition '!status' is always true 6217 6218 in the same sftp_done function in both SSH backends. Simplify them 6219 somewhat. 6220 6221 Pointed out by Codacy. 6222 6223 Closes #3628 6224 6225- test578: make it read data from the correct test 6226 6227- Curl_easy: remove req.maxfd - never used! 6228 6229 Introduced in 8b6314ccfb, but not used anymore in current code. Unclear 6230 since when. 6231 6232 Closes #3626 6233 6234- http: set state.infilesize when sending formposts 6235 6236 Without it set, we would unwillingly triger the "HTTP error before end 6237 of send, stop sending" condition even if the entire POST body had been 6238 sent (since it wouldn't know the expected size) which would 6239 unnecessarily log that message and close the connection when it didn't 6240 have to. 6241 6242 Reported-by: Matt McClure 6243 Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html 6244 Closes #3624 6245 6246- INSTALL: refer to the current TLS library names and configure options 6247 6248- FAQ: minor updates and spelling fixes 6249 6250- GOVERNANCE.md: minor spelling fixes 6251 6252- Secure Transport: no more "darwinssl" 6253 6254 Everyone calls it Secure Transport, now we do too. 6255 6256 Reviewed-by: Nick Zitzmann 6257 6258 Closes #3619 6259 6260Marcel Raad (27 Feb 2019) 6261- AppVeyor: add classic MinGW build 6262 6263 But use the MSYS2 shell rather than the default MSYS shell because of 6264 POSIX path conversion issues. Classic MinGW is only available on the 6265 Visual Studio 2015 image. 6266 6267 Closes https://github.com/curl/curl/pull/3623 6268 6269- AppVeyor: add MinGW-w64 build 6270 6271 Add a MinGW-w64 build using CMake's MSYS Makefiles generator. 6272 Use the Visual Studio 2015 image as it has GCC 8, while the 6273 Visual Studio 2017 image only has GCC 7.2. 6274 6275 Closes https://github.com/curl/curl/pull/3623 6276 6277Daniel Stenberg (27 Feb 2019) 6278- cookies: only save the cookie file if the engine is enabled 6279 6280 Follow-up to 8eddb8f4259. 6281 6282 If the cookieinfo pointer is NULL there really is nothing to save. 6283 6284 Without this fix, we got a problem when a handle was using shared object 6285 with cookies and is told to "FLUSH" it to file (which worked) and then 6286 the share object was removed and when the easy handle was closed just 6287 afterwards it has no cookieinfo and no cookies so it decided to save an 6288 empty jar (overwriting the file just flushed). 6289 6290 Test 1905 now verifies that this works. 6291 6292 Assisted-by: Michael Wallner 6293 Assisted-by: Marcel Raad 6294 6295 Closes #3621 6296 6297- [DaVieS brought this change] 6298 6299 cacertinmem.c: use multiple certificates for loading CA-chain 6300 6301 Closes #3421 6302 6303- urldata: convert bools to bitfields and move to end 6304 6305 This allows the compiler to pack and align the structs better in 6306 memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 6307 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. 6308 6309 Removed an unused struct field. 6310 6311 No functionality changes. 6312 6313 Closes #3610 6314 6315- [Don J Olmstead brought this change] 6316 6317 curl.h: use __has_declspec_attribute for shared builds 6318 6319 Closes #3616 6320 6321- curl: display --version features sorted alphabetically 6322 6323 Closes #3611 6324 6325- runtests: detect "schannel" as an alias for "winssl" 6326 6327 Follow-up to 180501cb02 6328 6329 Reported-by: Marcel Raad 6330 Fixes #3609 6331 Closes #3620 6332 6333Marcel Raad (26 Feb 2019) 6334- AppVeyor: update to Visual Studio 2017 6335 6336 Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a 6337 moving target anymore as the last update, Update 9, has been released. 6338 6339 Closes https://github.com/curl/curl/pull/3606 6340 6341- AppVeyor: switch VS 2015 builds to VS 2017 image 6342 6343 The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. 6344 6345 Closes https://github.com/curl/curl/pull/3606 6346 6347- AppVeyor: explicitly select worker image 6348 6349 Currently, we're using the default Visual Studio 2015 image for 6350 everything. 6351 6352 Closes https://github.com/curl/curl/pull/3606 6353 6354Daniel Stenberg (26 Feb 2019) 6355- strerror: make the strerror function use local buffers 6356 6357 Instead of using a fixed 256 byte buffer in the connectdata struct. 6358 6359 In my build, this reduces the size of the connectdata struct by 11.8%, 6360 from 2160 to 1904 bytes with no functionality or performance loss. 6361 6362 This also fixes a bug in schannel's Curl_verify_certificate where it 6363 called Curl_sspi_strerror when it should have called Curl_strerror for 6364 string from GetLastError. the only effect would have been no text or the 6365 wrong text being shown for the error. 6366 6367 Co-authored-by: Jay Satiro 6368 6369 Closes #3612 6370 6371- [Michael Wallner brought this change] 6372 6373 cookies: fix NULL dereference if flushing cookies with no CookieInfo set 6374 6375 Regression brought by a52e46f3900fb0 (shipped in 7.63.0) 6376 6377 Closes #3613 6378 6379Marcel Raad (26 Feb 2019) 6380- AppVeyor: re-enable test 500 6381 6382 It's passing now. 6383 6384 Closes https://github.com/curl/curl/pull/3615 6385 6386- AppVeyor: remove redundant builds 6387 6388 Remove the Visual Studio 2012 and 2013 builds as they add little value. 6389 6390 Ref: https://github.com/curl/curl/pull/3606 6391 Closes https://github.com/curl/curl/pull/3614 6392 6393Daniel Stenberg (25 Feb 2019) 6394- RELEASE-NOTES: synced 6395 6396- [Bernd Mueller brought this change] 6397 6398 OpenSSL: add support for TLS ASYNC state 6399 6400 Closes #3591 6401 6402Jay Satiro (25 Feb 2019) 6403- [Michael Felt brought this change] 6404 6405 acinclude: add additional libraries to check for LDAP support 6406 6407 - Add an additional check for LDAP that also checks for OpenSSL since 6408 on AIX those libraries may be required to link LDAP properly. 6409 6410 Fixes https://github.com/curl/curl/issues/3595 6411 Closes https://github.com/curl/curl/pull/3596 6412 6413- [Giorgos Oikonomou brought this change] 6414 6415 schannel: support CALG_ECDH_EPHEM algorithm 6416 6417 Add support for Ephemeral elliptic curve Diffie-Hellman key exchange 6418 algorithm option when selecting ciphers. This became available on the 6419 Win10 SDK. 6420 6421 Closes https://github.com/curl/curl/pull/3608 6422 6423Daniel Stenberg (24 Feb 2019) 6424- multi: call multi_done on connect timeouts 6425 6426 Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get 6427 updated correctly and could end up getting reported to the application 6428 completely wrong (way too small). 6429 6430 Reported-by: accountantM on github 6431 Fixes #3602 6432 Closes #3605 6433 6434- examples: remove recursive calls to curl_multi_socket_action 6435 6436 From within the timer callbacks. Recursive is problematic for several 6437 reasons. They should still work, but this way the examples and the 6438 documentation becomes simpler. I don't think we need to encourage 6439 recursive calls. 6440 6441 Discussed in #3537 6442 Closes #3601 6443 6444Marcel Raad (23 Feb 2019) 6445- configure: remove CURL_CHECK_FUNC_FDOPEN call 6446 6447 The macro itself has been removed in commit 6448 11974ac859c5d82def59e837e0db56fef7f6794e. 6449 6450 Closes https://github.com/curl/curl/pull/3604 6451 6452Daniel Stenberg (23 Feb 2019) 6453- wolfssl: stop custom-adding curves 6454 6455 since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in 6456 wolfSSL 3.10.2 and later) it sends these curves by default already. 6457 6458 Pointed-out-by: David Garske 6459 6460 Closes #3599 6461 6462- configure: remove the unused fdopen macro 6463 6464 and the two remaining #ifdefs for it 6465 6466 Closes #3600 6467 6468Jay Satiro (22 Feb 2019) 6469- url: change conn shutdown order to unlink data as last step 6470 6471 - Split off connection shutdown procedure from Curl_disconnect into new 6472 function conn_shutdown. 6473 6474 - Change the shutdown procedure to close the sockets before 6475 disassociating the transfer. 6476 6477 Prior to this change the sockets were closed after disassociating the 6478 transfer so SOCKETFUNCTION wasn't called since the transfer was already 6479 disassociated. That likely came about from recent work started in 6480 Jan 2019 (#3442) to separate transfers from connections. 6481 6482 Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html 6483 Reported-by: Pavel Löbl 6484 6485 Closes https://github.com/curl/curl/issues/3597 6486 Closes https://github.com/curl/curl/pull/3598 6487 6488Marcel Raad (22 Feb 2019) 6489- Fix strict-prototypes GCC warning 6490 6491 As seen in the MinGW autobuilds. Caused by commit 6492 f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. 6493 6494Dan Fandrich (21 Feb 2019) 6495- tests: Fixed XML validation errors in some test files. 6496 6497Daniel Stenberg (20 Feb 2019) 6498- TODO: Allow SAN names in HTTP/2 server push 6499 6500 Suggested-by: Nicolas Grekas 6501 6502- RELEASE-NOTES: synced 6503 6504- curl: remove MANUAL from -M output 6505 6506 ... and remove it from the dist tarball. It has served its time, it 6507 barely gets updated anymore and "everything curl" is now convering all 6508 this document once tried to include, and does it more and better. 6509 6510 In the compressed scenario, this removes ~15K data from the binary, 6511 which is 25% of the -M output. 6512 6513 It remains in the git repo for now for as long as the web site builds a 6514 page using that as source. It renders poorly on the site (especially for 6515 mobile users) so its not even good there. 6516 6517 Closes #3587 6518 6519- http2: verify :athority in push promise requests 6520 6521 RFC 7540 says we should verify that the push is for an "authoritative" 6522 server. We make sure of this by only allowing push with an :athority 6523 header that matches the host that was asked for in the URL. 6524 6525 Fixes #3577 6526 Reported-by: Nicolas Grekas 6527 Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html 6528 Closes #3581 6529 6530- singlesocket: fix the 'sincebefore' placement 6531 6532 The variable wasn't properly reset within the loop and thus could remain 6533 set for sockets that hadn't been set before and miss notifying the app. 6534 6535 This is a follow-up to 4c35574 (shipped in curl 7.64.0) 6536 6537 Reported-by: buzo-ffm on github 6538 Detected-by: Jan Alexander Steffens 6539 Fixes #3585 6540 Closes #3589 6541 6542- connection: never reuse CONNECT_ONLY conections 6543 6544 and make CONNECT_ONLY conections never reuse any existing ones either. 6545 6546 Reported-by: Pavel Löbl 6547 Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html 6548 Closes #3586 6549 6550Patrick Monnerat (19 Feb 2019) 6551- cli tool: fix mime post with --disable-libcurl-option configure option 6552 6553 Reported-by: Marcel Raad 6554 Fixes #3576 6555 Closes #3583 6556 6557Daniel Stenberg (19 Feb 2019) 6558- x509asn1: cleanup and unify code layout 6559 6560 - rename 'n' to buflen in functions, and use size_t for them. Don't pass 6561 in negative buffer lengths. 6562 6563 - move most function comments to above the function starts like we use 6564 to 6565 6566 - remove several unnecessary typecasts (especially of NULL) 6567 6568 Reviewed-by: Patrick Monnerat 6569 Closes #3582 6570 6571- curl_multi_remove_handle.3: use at any time, just not from within callbacks 6572 6573 [ci skip] 6574 6575- http: make adding a blank header thread-safe 6576 6577 Previously the function would edit the provided header in-place when a 6578 semicolon is used to signify an empty header. This made it impossible to 6579 use the same set of custom headers in multiple threads simultaneously. 6580 6581 This approach now makes a local copy when it needs to edit the string. 6582 6583 Reported-by: d912e3 on github 6584 Fixes #3578 6585 Closes #3579 6586 6587- unit1651: survive curl_easy_init() fails 6588 6589- [Frank Gevaerts brought this change] 6590 6591 rand: Fix a mismatch between comments in source and header. 6592 6593 Reported-by: Björn Stenberg <bjorn@haxx.se> 6594 Closes #3584 6595 6596Patrick Monnerat (18 Feb 2019) 6597- x509asn1: replace single char with an array 6598 6599 Although safe in this context, using a single char as an array may 6600 cause invalid accesses to adjacent memory locations. 6601 6602 Detected by Coverity. 6603 6604Daniel Stenberg (18 Feb 2019) 6605- examples/http2-serverpush: add some sensible error checks 6606 6607 To avoid NULL pointer dereferences etc in the case of problems. 6608 6609 Closes #3580 6610 6611Jay Satiro (18 Feb 2019) 6612- easy: fix win32 init to work without CURL_GLOBAL_WIN32 6613 6614 - Change the behavior of win32_init so that the required initialization 6615 procedures are not affected by CURL_GLOBAL_WIN32 flag. 6616 6617 libcurl via curl_global_init supports initializing for win32 with an 6618 optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop 6619 Winsock initialization. It did so internally by skipping win32_init() 6620 when that flag was set. Since then win32_init() has been expanded to 6621 include required initialization routines that are separate from 6622 Winsock and therefore must be called in all cases. This commit fixes 6623 it so that CURL_GLOBAL_WIN32 only controls the optional win32 6624 initialization (which is Winsock initialization, according to our doc). 6625 6626 The only users affected by this change are those that don't pass 6627 CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the 6628 risk of a potential crash. 6629 6630 Ref: https://github.com/curl/curl/pull/3573 6631 6632 Fixes https://github.com/curl/curl/issues/3313 6633 Closes https://github.com/curl/curl/pull/3575 6634 6635Daniel Gustafsson (17 Feb 2019) 6636- cookie: Add support for cookie prefixes 6637 6638 The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes 6639 and how they should affect cookie initialization, which has been 6640 adopted by the major browsers. This adds support for the two prefixes 6641 defined, __Host- and __Secure, and updates the testcase with the 6642 supplied examples from the draft. 6643 6644 Closes #3554 6645 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 6646 6647- mbedtls: release sessionid resources on error 6648 6649 If mbedtls_ssl_get_session() fails, it may still have allocated 6650 memory that needs to be freed to avoid leaking. Call the library 6651 API function to release session resources on this errorpath as 6652 well as on Curl_ssl_addsessionid() errors. 6653 6654 Closes: #3574 6655 Reported-by: Michał Antoniak <M.Antoniak@posnet.com> 6656 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 6657 6658Patrick Monnerat (16 Feb 2019) 6659- cli tool: refactor encoding conversion sequence for switch case fallthrough. 6660 6661- version.c: silent scan-build even when librtmp is not enabled 6662 6663Daniel Stenberg (15 Feb 2019) 6664- RELEASE-NOTES: synced 6665 6666- Curl_now: figure out windows version in win32_init 6667 6668 ... and avoid use of static variables that aren't thread safe. 6669 6670 Fixes regression from e9ababd4f5a (present in the 7.64.0 release) 6671 6672 Reported-by: Paul Groke 6673 Fixes #3572 6674 Closes #3573 6675 6676Marcel Raad (15 Feb 2019) 6677- unit1307: just fail without FTP support 6678 6679 I missed to check this in with commit 6680 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. 6681 This fixes the actual linker error. 6682 6683 Closes https://github.com/curl/curl/pull/3568 6684 6685Daniel Stenberg (15 Feb 2019) 6686- travis: enable valgrind for the iconv tests too 6687 6688 Closes #3571 6689 6690- travis: add scan-build 6691 6692 Closes #3564 6693 6694- examples/sftpuploadresume: Value stored to 'result' is never read 6695 6696 Detected by scan-build 6697 6698- examples/http2-upload: cleaned up 6699 6700 Fix scan-build warnings, no globals, no silly handle scan. Also remove 6701 handles from the multi before cleaning up. 6702 6703- examples/http2-download: cleaned up 6704 6705 To avoid scan-build warnings and global variables. 6706 6707- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' 6708 6709 Detected by scan-build 6710 6711- examples/httpcustomheader: Value stored to 'res' is never read 6712 6713 Detected by scan-build 6714 6715- examples: remove superfluous null-pointer checks 6716 6717 in ftpget, ftpsget and sftpget, so that scan-build stops warning for 6718 potential NULL pointer dereference below! 6719 6720 Detected by scan-build 6721 6722- strip_trailing_dot: make sure NULL is never used for strlen 6723 6724 scan-build warning: Null pointer passed as an argument to a 'nonnull' 6725 parameter 6726 6727- [Jay Satiro brought this change] 6728 6729 connection_check: restore original conn->data after the check 6730 6731 - Save the original conn->data before it's changed to the specified 6732 data transfer for the connection check and then restore it afterwards. 6733 6734 This is a follow-up to 38d8e1b 2019-02-11. 6735 6736 History: 6737 6738 It was discovered a month ago that before checking whether to extract a 6739 dead connection that that connection should be associated with a "live" 6740 transfer for the check (ie original conn->data ignored and set to the 6741 passed in data). A fix was landed in 54b201b which did that and also 6742 cleared conn->data after the check. The original conn->data was not 6743 restored, so presumably it was thought that a valid conn->data was no 6744 longer needed. 6745 6746 Several days later it was discovered that a valid conn->data was needed 6747 after the check and follow-up fix was landed in bbae24c which partially 6748 reverted the original fix and attempted to limit the scope of when 6749 conn->data was changed to only when pruning dead connections. In that 6750 case conn->data was not cleared and the original conn->data not 6751 restored. 6752 6753 A month later it was discovered that the original fix was somewhat 6754 correct; a "live" transfer is needed for the check in all cases 6755 because original conn->data could be null which could cause a bad deref 6756 at arbitrary points in the check. A fix was landed in 38d8e1b which 6757 expanded the scope to all cases. conn->data was not cleared and the 6758 original conn->data not restored. 6759 6760 A day later it was discovered that not restoring the original conn->data 6761 may lead to busy loops in applications that use the event interface, and 6762 given this observation it's a pretty safe assumption that there is some 6763 code path that still needs the original conn->data. This commit is the 6764 follow-up fix for that, it restores the original conn->data after the 6765 connection check. 6766 6767 Assisted-by: tholin@users.noreply.github.com 6768 Reported-by: tholin@users.noreply.github.com 6769 6770 Fixes https://github.com/curl/curl/issues/3542 6771 Closes #3559 6772 6773- memdebug: bring back curl_mark_sclose 6774 6775 Used by debug builds with NSS. 6776 6777 Reverted from 05b100aee247bb 6778 6779Patrick Monnerat (14 Feb 2019) 6780- transfer.c: do not compute length of undefined hex buffer. 6781 6782 On non-ascii platforms, the chunked hex header was measured for char code 6783 conversion length, even for chunked trailers that do not have an hex header. 6784 In addition, the efective length is already known: use it. 6785 Since the hex length can be zero, only convert if needed. 6786 6787 Reported by valgrind. 6788 6789Daniel Stenberg (14 Feb 2019) 6790- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP 6791 6792 Closes #2367 6793 6794Patrick Monnerat (14 Feb 2019) 6795- x509asn1: "Dereference of null pointer" 6796 6797 Detected by scan-build (false positive). 6798 6799Daniel Stenberg (14 Feb 2019) 6800- configure: show features as well in the final summary 6801 6802 Closes #3569 6803 6804- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 6805 6806 Closes #2905 6807 6808- KNOWN_BUGS: Deflate error after all content was received 6809 6810 Closes #2719 6811 6812- gssapi: fix deprecated header warnings 6813 6814 Heimdal includes on FreeBSD spewed out lots of them. Less so now. 6815 6816 Closes #3566 6817 6818- TODO: Upgrade to websockets 6819 6820 Closes #3523 6821 6822- TODO: cmake test suite improvements 6823 6824 Closes #3109 6825 6826Patrick Monnerat (13 Feb 2019) 6827- curl: "Dereference of null pointer" 6828 6829 Rephrase to satisfy scan-build. 6830 6831Marcel Raad (13 Feb 2019) 6832- unit1307: require FTP support 6833 6834 This test doesn't link without FTP support after 6835 fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch 6836 unavailable without FTP support. 6837 6838 Closes https://github.com/curl/curl/pull/3565 6839 6840Daniel Stenberg (13 Feb 2019) 6841- TODO: TFO support on Windows 6842 6843 Nobody works on this now. 6844 6845 Closes #3378 6846 6847- multi: Dereference of null pointer 6848 6849 Mostly a false positive, but this makes the code easier to read anyway. 6850 6851 Detected by scan-build. 6852 6853 Closes #3563 6854 6855- urlglob: Argument with 'nonnull' attribute passed null 6856 6857 Detected by scan-build. 6858 6859Jay Satiro (12 Feb 2019) 6860- schannel: restore some debug output but only for debug builds 6861 6862 Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy 6863 debug output in DEBUGF but omitted a few lines. 6864 6865 Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 6866 6867- examples/crawler: Fix the Accept-Encoding setting 6868 6869 - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default 6870 supported encodings. 6871 6872 Prior to this change the specific encodings of gzip and deflate were set 6873 but there's no guarantee they'd be supported by the user's libcurl. 6874 6875Daniel Stenberg (12 Feb 2019) 6876- mime: put the boundary buffer into the curl_mime struct 6877 6878 ... instead of allocating it separately and point to it. It is 6879 fixed-size and always used for each part. 6880 6881 Closes #3561 6882 6883- schannel: be quiet 6884 6885 Convert numerous infof() calls into debug-build only messages since they 6886 are annoyingly verbose for regular applications. Removed a few. 6887 6888 Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html 6889 Reported-by: Volker Schmid 6890 Closes #3552 6891 6892- [Romain Geissler brought this change] 6893 6894 Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning 6895 6896 Closes #3562 6897 6898- http2: multi_connchanged() moved from multi.c, only used for h2 6899 6900 Closes #3557 6901 6902- curl: "Function call argument is an uninitialized value" 6903 6904 Follow-up to cac0e4a6ad14b42471eb 6905 6906 Detected by scan-build 6907 Closes #3560 6908 6909- pretransfer: don't strlen() POSTFIELDS set for GET requests 6910 6911 ... since that data won't be used in the request anyway. 6912 6913 Fixes #3548 6914 Reported-by: Renaud Allard 6915 Close #3549 6916 6917- multi: remove verbose "Expire in" ... messages 6918 6919 Reported-by: James Brown 6920 Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html 6921 Closes #3558 6922 6923- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set 6924 6925 Reported-by: MAntoniak on github 6926 Fixes #3553 6927 Closes #3556 6928 6929Daniel Gustafsson (12 Feb 2019) 6930- non-ascii.c: fix typos in comments 6931 6932 Fix two occurrences of s/convers/converts/ spotted while reading code. 6933 6934Daniel Stenberg (12 Feb 2019) 6935- fnmatch: disable if FTP is disabled 6936 6937 Closes #3551 6938 6939- curl_path: only enabled for SSH builds 6940 6941- [Frank Gevaerts brought this change] 6942 6943 tests: add stderr comparison to the test suite 6944 6945 The code is more or less copied from the stdout comparison code, maybe 6946 some better reuse is possible. 6947 6948 test 1457 is adjusted to make the output actually match (by using --silent) 6949 test 506 used <stderr> without actually needing it, so that <stderr> block is removed 6950 6951 Closes #3536 6952 6953Patrick Monnerat (11 Feb 2019) 6954- cli tool: do not use mime.h private structures. 6955 6956 Option -F generates an intermediate representation of the mime structure 6957 that is used later to create the libcurl mime structure and generate 6958 the --libcurl statements. 6959 6960 Reported-by: Daniel Stenberg 6961 Fixes #3532 6962 Closes #3546 6963 6964Daniel Stenberg (11 Feb 2019) 6965- curlver: bump to 7.64.1-dev 6966 6967- RELEASE-NOTES: synced 6968 6969 and bump the version in progress to 7.64.1. If we merge any "change" 6970 before the cut-off date, we update again. 6971 6972Daniel Gustafsson (11 Feb 2019) 6973- curl: follow-up to 3f16990ec84 6974 6975 Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was 6976 inadvertently introducing a new bug in the ternary expression. 6977 6978 Close #3555 6979 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 6980 6981- dns: release sharelock as soon as possible 6982 6983 There is no benefit to holding the data sharelock when freeing the 6984 addrinfo in case it fails, so ensure releaseing it as soon as we can 6985 rather than holding on to it. This also aligns the code with other 6986 consumers of sharelocks. 6987 6988 Closes #3516 6989 Reviewed-by: Daniel Stenberg <daniel@haxx.se> 6990 6991Daniel Stenberg (11 Feb 2019) 6992- curl: follow-up to b49652ac66cc0 6993 6994 On FreeBSD, return non-zero on error otherwise zero. 6995 6996 Reported-by: Marcel Raad 6997 6998- multi: (void)-prefix when ignoring return values 6999 7000 ... and added braces to two function calls which fixes warnings if they 7001 are replace by empty macros at build-time. 7002 7003- curl: fix FreeBSD compiler warning in the --xattr code 7004 7005 Closes #3550 7006 7007- connection_check: set ->data to the transfer doing the check 7008 7009 The http2 code for connection checking needs a transfer to use. Make 7010 sure a working one is set before handler->connection_check() is called. 7011 7012 Reported-by: jnbr on github 7013 Fixes #3541 7014 Closes #3547 7015 7016- hostip: make create_hostcache_id avoid alloc + free 7017 7018 Closes #3544 7019 7020- scripts/singleuse: script to use to track single-use functions 7021 7022 That is functions that are declared global but are not used from outside 7023 of the file in which it is declared. Such functions should be made 7024 static or even at times be removed. 7025 7026 It also verifies that all used curl_ prefixed functions are "blessed" 7027 7028 Closes #3538 7029 7030- cleanup: make local functions static 7031 7032 urlapi: turn three local-only functions into statics 7033 7034 conncache: make conncache_find_first_connection static 7035 7036 multi: make detach_connnection static 7037 7038 connect: make getaddressinfo static 7039 7040 curl_ntlm_core: make hmac_md5 static 7041 7042 http2: make two functions static 7043 7044 http: make http_setup_conn static 7045 7046 connect: make tcpnodelay static 7047 7048 tests: make UNITTEST a thing to mark functions with, so they can be static for 7049 normal builds and non-static for unit test builds 7050 7051 ... and mark Curl_shuffle_addr accordingly. 7052 7053 url: make up_free static 7054 7055 setopt: make vsetopt static 7056 7057 curl_endian: make write32_le static 7058 7059 rtsp: make rtsp_connisdead static 7060 7061 warnless: remove unused functions 7062 7063 memdebug: remove one unused function, made another static 7064 7065Dan Fandrich (10 Feb 2019) 7066- cirrus: Added FreeBSD builds using Cirrus CI. 7067 7068 The build logs will be at https://cirrus-ci.com/github/curl/curl 7069 7070 Some tests are currently failing and so disabled for now. The SSH server 7071 isn't starting for the SSH tests due to unsupported options used in its 7072 config file. The DICT server also is failing on startup. 7073 7074Daniel Stenberg (9 Feb 2019) 7075- url/idnconvert: remove scan for <= 32 ascii values 7076 7077 The check was added back in fa939220df before the URL parser would catch 7078 these problems and therefore these will never trigger now. 7079 7080 Closes #3539 7081 7082- urlapi: reduce variable scope, remove unreachable 'break' 7083 7084 Both nits pointed out by codacy.com 7085 7086 Closes #3540 7087 7088Alessandro Ghedini (7 Feb 2019) 7089- zsh.pl: escape ':' character 7090 7091 ':' is interpreted as separator by zsh, so if used as part of the argument 7092 or option's description it needs to be escaped. 7093 7094 The problem can be reproduced as follows: 7095 7096 % curl --reso<TAB> 7097 % curl -E <TAB> 7098 7099 Bug: https://bugs.debian.org/921452 7100