diff --git a/bin/curl/BUILD-HOMEPAGE.url b/bin/curl/BUILD-HOMEPAGE.url new file mode 100644 index 0000000..36278f8 --- /dev/null +++ b/bin/curl/BUILD-HOMEPAGE.url @@ -0,0 +1,2 @@ +[InternetShortcut] +URL=https://github.com/curl/curl-for-win diff --git a/bin/curl/BUILD-README.txt b/bin/curl/BUILD-README.txt new file mode 100644 index 0000000..de1f20a --- /dev/null +++ b/bin/curl/BUILD-README.txt @@ -0,0 +1,3 @@ +Visit the project page for details about these builds and the list of changes: + + https://github.com/curl/curl-for-win diff --git a/bin/curl/CHANGES.txt b/bin/curl/CHANGES.txt new file mode 100644 index 0000000..0715ca0 --- /dev/null +++ b/bin/curl/CHANGES.txt @@ -0,0 +1,7904 @@ + _ _ ____ _ + ___| | | | _ \| | + / __| | | | |_) | | + | (__| |_| | _ <| |___ + \___|\___/|_| \_\_____| + + Changelog + +Version 7.65.0 (22 May 2019) + +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release + +- THANKS: from the 7.65.0 release-notes + +- url: convert the zone id from a IPv6 URL to correct scope id + + Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 + +- configure: detect getsockname and getpeername on windows too + + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. + + Follow-up to e91e4816123 + + Fixes #3913 + Closes #3915 + +Marcel Raad (21 May 2019) +- examples: remove unused variables + + Fixes Codacy/CppCheck warnings. + + Closes + +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused + + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. + + Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg + +- ftp: move ftp_ccc in under featureflag + + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. + + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad + +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options + + Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 + +- [Guy Poizat brought this change] + + mbedtls: enable use of EC keys + + Closes #3892 + +- lib1560: add tests for parsing URL with too long scheme + + Ref: #3905 + +- [Omar Ramadan brought this change] + + urlapi: increase supported scheme length to 40 bytes + + The longest currently registered URI scheme at IANA is 36 bytes long. + + Closes #3905 + Closes #3900 + +Marcel Raad (20 May 2019) +- lib: reduce variable scopes + + Fixes Codacy/CppCheck warnings. + + Closes https://github.com/curl/curl/pull/3872 + +- tool_formparse: remove redundant assignment + + Just initialize word_begin with the correct value. + + Closes https://github.com/curl/curl/pull/3873 + +- ssh: move variable declaration to where it's used + + This way, we need only one call to free. + + Closes https://github.com/curl/curl/pull/3873 + +- ssh-libssh: remove unused variable + + sock was only used to be assigned to fd_read. + + Closes https://github.com/curl/curl/pull/3873 + +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix + +- tftp: use the current blksize for recvfrom() + + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 + +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl + + When running a multi TLS backend build the version string needs more + buffer space. Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. + + Closes #3875 + Reviewed-by: Daniel Stenberg + +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request + + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). + + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. + + Missed in fe6049f0. + +- http_ntlm_wb: Cleanup handshake after clean NTLM failure + + Missed in 50b87c4e. + +- http_ntlm_wb: Return the correct error on receiving an empty auth message + + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + + Closes #3894 + +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl + + Closes #3844 + +- libcurl: #ifdef away more code for disabled features/protocols + +- progress: CURL_DISABLE_PROGRESS_METER + +- hostip: CURL_DISABLE_SHUFFLE_DNS + +- netrc: CURL_DISABLE_NETRC + +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] + + Approved-by: Daniel Stenberg + Closes #3896 + +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] + + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 + +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build + + Closes #3887 + +- cleanup: remove FIXME and TODO comments + + They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. + + Ref: #3876 + Closes #3883 + +- curl: don't set FTP options for FTP-disabled builds + + ... since libcurl has started to be totally unaware of options for + disabled protocols they now return error. + + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + + Reported-by: Marcel Raad + Closes #3886 + +Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function + + This brings the code inline with the other HTTP authentication mechanisms. + + Closes #3890 + +Daniel Stenberg (15 May 2019) +- RELEASE-NOTES: synced + +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] + +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + + Reported-by: Roy Bellingan + Bug: #3885 + +- parse_proxy: use the URL parser API + + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. + + Closes #3878 + +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure + + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. + + Closes #3882 + +- http_ntlm: Move the NTLM state out of the ntlmdata structure + + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. + +- url: Move the negotiate state type into a dedicated enum + +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() + + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). + + Closes #3881 + +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL + + Updated test 1560 to verify. + + Closes #3880 + +- configure: error out if OpenSSL wasn't detected when asked for + + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. + + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 + +Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment + +Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() + + No need to set variables to zero as calloc() does this for us. + + Closes #3879 + +Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] + + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 + +Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow + + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. + + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (13 May 2019) +- RELEASE-NOTES: synced + +- appveyor: also build "/ci" branches like travis + +- pingpong: disable more when no pingpong enabled + +- proxy: acknowledge DISABLE_PROXY more + +- parsedate: CURL_DISABLE_PARSEDATE + +- sasl: only enable if there's a protocol enabled using it + +- mime: acknowledge CURL_DISABLE_MIME + +- wildcard: disable from build when FTP isn't present + +- http: CURL_DISABLE_HTTP_AUTH + +- base64: build conditionally if there are users + +- doh: CURL_DISABLE_DOH + +Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions + + For consistency and to a avoid confusion. + + Closes #3869 + +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] + + docs/INSTALL: fix broken link [ci skip] + + Reported-by: Joombalaya on github + Fixes #3818 + +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning + + I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + +- build: fix "clarify calculation precedence" warnings + + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. + + Closes https://github.com/curl/curl/pull/3866 + +- cmake: restore C89 compatibility of CurlTests.c + + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. + + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 + +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard + + Missed in f0bdd72c. + + Closes #3867 + +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled + + Closes #3861 + +- http_negotiate: Don't expose functions when HTTP is disabled + +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] + +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings + + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work + + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. + + Limitation added to KNOWN_BUGS. + + Fixes #3850 + Closes #3857 + +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples + + .. because we allow snprintf use in docs/examples. + + Closes https://github.com/curl/curl/pull/3862 + +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() + + ...and misalignment of these comments. From a78c61a4. + + Closes #3860 + +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" + + This reverts commit b0972bc. + + - No longer show verbose output for the conncache closure handle. + + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. + + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. + + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. + + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. + + Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch + + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 + + Closes https://github.com/curl/curl/pull/3856 + +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() + + From 6012fa5a. + + Closes #3858 + +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] + +- RELEASE-NOTES: synced + +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] + + Closes #3839 + +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal + + Fixes #3726 + Closes #3849 + +- spnego_gssapi: fix return code on gss_init_sec_context() failure + + Fixes #3726 + Closes #3849 + +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command + + There is need to use @ on every command once echo has been turned off. + + Closes #3854 + +Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies + + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. + + We already do something similar for HTTPS proxies by not sending h2. [1] + + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. + + [1]: https://github.com/curl/curl/commit/17c5d05 + + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 + + Closes https://github.com/curl/curl/pull/3853 + +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial + + Closes https://github.com/curl/curl/pull/3842 + +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] + + OpenSSL: Report -fips in version if OpenSSL is built with FIPS + + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. This + only appears to be applicable in versions of OpenSSL <1.1.1 + + Closes #3771 + +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] + + nss: allow fifos and character devices for certificates. + + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. + + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. + + Closes #3807 + +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description + +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) + + Closes #3846 + +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files + +- makedebug: Fix ERRORLEVEL detection after running where.exe + + Closes #3838 + +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get + + The zoneid can be used with IPv6 numerical addresses. + + Updated test 1560 to verify. + + Closes #3834 + +- [Taiyu Len brought this change] + + WRITEFUNCTION: add missing set_in_callback around callback + + Closes #3837 + +- RELEASE-NOTES: synced + +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] + + Reported-by: Ricardo Gomes + + Bug: #3537 + Closes #3836 + +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. + + Fixes #3829 + Closes #3835 + +- OS400/ccsidcurl.c: code style fixes + +- OS400/ccsidcurl: replace use of Curl_vsetopt + + (and make the code style comply) + + Fixes #3833 + +- urlapi: strip off scope id from numerical IPv6 addresses + + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. + + Also makes curl_url_set() syntax check CURLUPART_HOST. + + Fixes #3817 + Closes #3822 + +- RELEASE-NOTES: synced + +- multiif.h: remove unused protos + + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. + + Closes #3828 + +- [Yiming Jing brought this change] + + travis: mesalink: temporarily disable test 3001 + + ... due to SHA-1 signatures in test certs + +- [Yiming Jing brought this change] + + travis: upgrade the MesaLink TLS backend to v1.0.0 + + Closes #3823 + Closes #3776 + +- ConnectionExists: improve non-multiplexing use case + + - better log output + + - make sure multiplex is enabled for it to be used + +- multi: provide Curl_multiuse_state to update information + + As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. + +- process_pending_handles: mark queued transfers as previously pending + + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. + +- http: mark bundle as not for multiuse on < HTTP/2 response + + Fixes #3813 + Closes #3815 + +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref + + In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. + + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg + +Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings + +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init + + Closes #3808 + +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] + + docs: minor polish to the bug bounty / security docs + + Closes #3811 + +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size + + This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). + + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. + + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + + Test 1559 verifies. + + Closes #3805 + +- [Tseng Jun brought this change] + + curlver.h: use parenthesis in CURL_VERSION_BITS macro + + Closes #3809 + +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] + + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP + + Closes https://github.com/curl/curl/pull/3769 + +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 + + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. + +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item + + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. + +- [Aron Bergman brought this change] + + INTERNALS: Add structs to ToC + + Add the subsections under "Structs in libcurl" to the table of contents. + + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson + +- [Aron Bergman brought this change] + + INTERNALS: Add code highlighting + + Make all struct members under the Curl_handler section + print in monospace font. + + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson + +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] + + Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. + + Assisted-by: Daniel Gustafsson + + Closes #3488 + +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 + + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. + +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] + + memdebug: fix variable name + + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty + + Follow up to 762a292f. + +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] + +- RELEASE-NOTES: synced + +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse + + ... and disconnect too old ones instead of trying to reuse. + + Default max age is set to 118 seconds. + + Ref: #3722 + Closes #3782 + +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] + + altsvc: Fix building with cookies disables + + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. Fix by splitting out the function into a separate file which can + be included where needed. + + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad + +Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] + +- test660: verify CONNECT_ONLY with IMAP + + which basically just makes sure LOGOUT is *not* issued on disconnect + +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" + + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. + + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + + Closes #3795 + +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) + + The list of names must be in sync with the defined states in the header + file! + +Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them + +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it + + Fixes #3768 + Closes #3785 + +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry + +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced + +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match + + .. because functionality may be affected if the versions differ. + + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". + + Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + + Closes https://github.com/curl/curl/pull/3774 + +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d + +- md5: Forgot to update the code alignment in d84da52d + +- md5: Return CURLcode from the internally accessible functions + + Following 28f826b3 to return CURLE_OK instead of numeric 0. + +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests + + Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. + Below is an excerpt from the autobuild logs: + + ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) + + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg + +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial + + No need to build it from source anymore. + + Closes https://github.com/curl/curl/pull/3779 + +- travis: use libpsl from Xenial + + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. + + Closes https://github.com/curl/curl/pull/3779 + +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers + + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. + + Closes #3781 + +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos + + Reviewed-by: Daniel Stenberg + +- socksd: Properly decorate static variables + + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. + + Closes #3778 + Reviewed-by: Daniel Stenberg + +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code + + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. Checked + the indentation of the original source so it aligns, albeit, using + curl style. + +- md5: Code style to return CURLE_OK rather than numeric 0 + +- md5: Corrected code style for some pointer arguments + +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial + + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. + + Closes https://github.com/curl/curl/pull/3777 + +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS + + Make all SOCKS tests use socksd instead of ssh. + +- socksd: new SOCKS 4+5 server for tests + + Closes #3752 + +- singleipconnect: show port in the verbose "Trying ..." message + + To aid debugging better. + +- [tmilburn brought this change] + + CURLOPT_ADDRESS_SCOPE: fix range check and more + + Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. + + I have fixed the documentation so it all refers to scope ids. + + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. + + Adjusted-by: Daniel Stenberg + + Closes #3655 + Closes #3765 + Fixes #3713 + +- urlapi: stricter CURLUPART_PORT parsing + + Only allow well formed decimal numbers in the input. + + Document that the number MUST be between 1 and 65535. + + Add tests to test 1560 to verify the above. + + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 + +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] + + winbuild: Support MultiSSL builds + + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. + + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. + + Closes https://github.com/curl/curl/pull/3772 + +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) + + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. + + Closes #3767 + +- openssl: mark connection for close on TLS close_notify + + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. + + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 + +- RELEASE-NOTES: synced + +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 + + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. + + Closes #3757 + +Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage + + Based-on-code-by: Poul T Lomholt + +- url: always clone the CUROPT_CURLU handle + + Since a few code paths actually update that data. + + Fixes #3753 + Closes #3761 + + Reported-by: Poul T Lomholt + +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove + + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. + + Closes #3654 + +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install libnss3-dev only for --with-nss build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install libssh2-dev only for --with-libssh2 build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install libssh-dev only for --with-libssh build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install krb5-user only for --with-gssapi build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install lcov only for the coverage job + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 + +- travis: install clang only when needed + + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. + + Closes https://github.com/curl/curl/pull/3721 + +- AppVeyor: enable testing for WinSSL build + + Closes https://github.com/curl/curl/pull/3725 + +- build: fix Codacy/CppCheck warnings + + - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows + + Closes https://github.com/curl/curl/pull/3739 + +- polarssl_threadlock: remove conditionally unused code + + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. + + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. + + Closes https://github.com/curl/curl/pull/3739 + +- lib557: initialize variables + + These variables are only conditionally initialized. + + Closes https://github.com/curl/curl/pull/3739 + +- lib509: add missing include for strdup + + Closes https://github.com/curl/curl/pull/3739 + +- README.md: fix no-consecutive-blank-lines Codacy warning + + Consistently use one blank line between blocks. + + Closes https://github.com/curl/curl/pull/3739 + +- tests/server/util: fix Windows Unicode build + + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. + + Closes https://github.com/curl/curl/pull/3758 + +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake + +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms + + The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: + + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 + + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. + + Closes #3759 + Reviewed-by: Daniel Stenberg + +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS + +- README: Schannel, stop calling it "winssl" + + Stick to "Schannel" everywhere - follow up to 180501cb. + +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use + + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. + + fixes #3743 + closes #3744 + +- cmake: avoid linking executable for some tests with cmake 3.6+ + + With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. + + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. That issue was fixed separately for all versions. + + Ref: #3744 + +- cmake: minor cleanup + + - Remove nneeded include_regular_expression. + It was setting what is already a default. + + - Remove duplicated include. + + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. + + Ref: #3744 + +Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ + +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) + +- build-openssl.bat: Perform the install for each build type directly after the build + +- build-openssl.bat: Split the install of static and shared build types + +- build-openssl.bat: Split the building of static and shared build types + +- build-openssl.bat: Move the installation into a separate function + +- build-openssl.bat: Move the build step into a separate function + +- build-openssl.bat: Move the OpenSSL configuration into a separate function + +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised + + Should the parent environment set this variable then the build might + not be performed as the user intended. + +Daniel Stenberg (8 Apr 2019) +- socks: fix error message + +- config.d: clarify that initial : and = might need quoting [skip ci] + + Fixes #3738 + Closes #3749 + +- RELEASE-NOTES: synced + + bumped to 7.65.0 for next release + +- socks5: user name and passwords must be shorter than 256 + + bytes... since the protocol needs to store the length in a single byte field. + + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 + +- [Jakub Zakrzewski brought this change] + + test: urlapi: urlencode characters above 0x7f correctly + +- [Jakub Zakrzewski brought this change] + + urlapi: urlencode characters above 0x7f correctly + + fixes #3741 + Closes #3742 + +- [Even Rouault brought this change] + + multi_runsingle(): fix use-after-free + + Fixes #3745 + Closes #3746 + + The following snippet + ``` + + int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning + + ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` + + This has been bisected to commit 2f44e94 + + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz + +- pipelining: removed + + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. + + Closes #3651 + +- [cclauss brought this change] + + tests: make Impacket (SMB server) Python 3 compatible + + Closes #3731 + Fixes #3289 + +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] + + cmake: set SSL_BACKENDS + + This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac + + Closes https://github.com/curl/curl/pull/3736 + +- [Simon Warta brought this change] + + cmake: don't run SORT on empty list + + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." + + Closes https://github.com/curl/curl/pull/3736 + +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] + + configure: fix default location for fish completions + + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). + + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. + + Closes #3723 + Reviewed-by: Daniel Gustafsson + +Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" + + Removing the block is consistent with line 954/957. + + Closes https://github.com/curl/curl/pull/3732 + +- transfer: fix LGTM alert "Comparison is always true" + + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. + + Closes https://github.com/curl/curl/pull/3732 + +Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] + + smtp: fix compiler warning + + - Fix clang string-plus-int warning. + + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. + + (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) + + smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ + + Closes https://github.com/curl/curl/pull/3729 + +Marcel Raad (4 Apr 2019) +- VS projects: use Unicode for VC10+ + + All Windows APIs have been natively UTF-16 since Windows 2000 and the + non-Unicode variants are just wrappers around them. Only Windows 9x + doesn't understand Unicode without the UnicoWS DLL. As later Visual + Studio versions cannot target Windows 9x anyway, using the ANSI API + doesn't really have any benefit there. + + This avoids issues like KNOWN_BUGS 6.5. + + Ref: https://github.com/curl/curl/issues/2120 + Closes https://github.com/curl/curl/pull/3720 + +Daniel Gustafsson (3 Apr 2019) +- RELEASE-NOTES: synced + + Bump the version in progress to 7.64.2, if we merge any "change" + before the cut-off date we can update the version. + +- [Tim Rühsen brought this change] + + documentation: Fix several typos + + Closes #3724 + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Daniel Gustafsson + +Jay Satiro (2 Apr 2019) +- [Mert Yazıcıoğlu brought this change] + + vauth/oauth2: Fix OAUTHBEARER token generation + + OAUTHBEARER tokens were incorrectly generated in a format similar to + XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the + RFC7628. + + Fixes: #2487 + Reported-by: Paolo Mossino + + Closes https://github.com/curl/curl/pull/3377 + +Marcel Raad (2 Apr 2019) +- tool_cb_wrt: fix bad-function-cast warning + + Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the + warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. + Extend fhnd's scope and reuse that variable instead of calling + _get_osfhandle a second time to fix the warning again. + + Closes https://github.com/curl/curl/pull/3718 + +- VC15 project: remove MinimalRebuild + + Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the + library project, but I forgot the tool project template. Now also + removed for that. + +Dan Fandrich (1 Apr 2019) +- cirrus: Customize the disabled tests per FreeBSD version + + Try to run as many test cases as possible on each OS version. + 12.0 passes 13 more tests than the older versions, so we might as well + run them. + +Daniel Stenberg (1 Apr 2019) +- tool_help: include for strcasecmp + + Reported-by: Wyatt O'Day + Fixes #3715 + Closes #3716 + +Daniel Gustafsson (31 Mar 2019) +- scripts: fix typos + +Dan Fandrich (28 Mar 2019) +- travis: allow builds on branches named "ci" + + This allows a way to test changes other than through PRs. + +Daniel Stenberg (27 Mar 2019) +- [Brad Spencer brought this change] + + resolve: apply Happy Eyeballs philosophy to parallel c-ares queries + + Closes #3699 + +- multi: improved HTTP_1_1_REQUIRED handling + + Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error + on first flight. + + Reported-by: niner on github + Fixes #3696 + Closes #3707 + +- [Leonardo Taccari brought this change] + + configure: avoid unportable `==' test(1) operator + + Closes #3709 + +Version 7.64.1 (27 Mar 2019) + +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 + +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" + + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. + + Fixes #3708 + +- [Christian Schmitz brought this change] + + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set + + Closes #3704 + +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL + + - Improve console detection. + + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. + + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem + +- CURLMOPT_PIPELINING.3: fix typo + +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing + + Closes #3698 + +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental + + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. + + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + + Closes https://github.com/curl/curl/pull/3688 + +Dan Fandrich (24 Mar 2019) +- tests: Fixed XML validation errors in some test files. + +- tests: Fix some incorrect precheck error messages. + + [ci skip] + +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore + +- travis: bump the used wolfSSL version to 4.0.0 + + Test 311 is now fine, leaving only 313 (CRL) disabled. + + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 + + Closes #3697 + +Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments + +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too + + Fixes #3692 + Closes #3692 + +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support + + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 + +- test1541: threaded connection sharing + + The threaded-shared-conn.c example turned into test case. Only works if + pthread was detected. + + An attempt to detect future regressions such as e3a53e3efb942a5 + + Closes #3687 + +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. + + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. + +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it + + - make sure an already "owned" connection isn't returned unless + multiplexed. + + - clear ->data when returning the connection to the cache again + + Regression since 7.62.0 (probably in commit 1b76c38904f0) + + Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + + Closes #3686 + +- RELEASE-NOTES: synced + +- [Chris Young brought this change] + + configure: add --with-amissl + + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. + + Closes #3677 + +- [Chris Young brought this change] + + vtls: rename some of the SSL functions + + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. + +- [Chris Young brought this change] + + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" + + ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. + + Closes #3681 + +- curl.1: --user and --proxy-user are hidden from ps output + + Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 + + Closes #3683 + +- curl.1: mark the argument to --cookie as + + From a discussion in #3676 + + Suggested-by: Tim Rühsen + + Closes #3682 + +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. + +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate + + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic + + Fixes #1261 + Closes #1975 + +- [Marc Schlatter brought this change] + + http: send payload when (proxy) authentication is done + + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. + + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. + + Fixes #2431 + Closes #3669 + +- file: fix "Checking if unsigned variable 'readcount' is less than zero." + + Pointed out by codacy + + Closes #3672 + +- memdebug: log pointer before freeing its data + + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. + + The fix still changes the order of execution to avoid the warnings. + + Coverity CID 1443033 and 1443034 + + Closes #3671 + +- RELEASE-NOTES: synced + +Marcel Raad (12 Mar 2019) +- travis: actually use updated compiler versions + + For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the + new GCC versions were only used for the coverage build and for building + nghttp2, while the new clang version was not used at all. + + BoringSSL needs to use the default GCC as it respects CC, but not CXX, + so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + + Also remove GCC 7, it's not needed anymore. + + Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + + Closes https://github.com/curl/curl/pull/3670 + +- travis: update clang to version 7 + + Closes https://github.com/curl/curl/pull/3670 + +Jay Satiro (11 Mar 2019) +- [Andre Guibert de Bruet brought this change] + + examples/externalsocket: add missing close socket calls + + .. and for Windows also call WSACleanup since we call WSAStartup. + + The example is to demonstrate handling the socket independently of + libcurl. In this case libcurl is not responsible for creating, opening + or closing the socket, it is handled by the application (our example). + + Fixes https://github.com/curl/curl/pull/3663 + +Daniel Stenberg (11 Mar 2019) +- multi: removed unused code for request retries + + This code was once used for the non multi-interface using code path, but + ever since easy_perform was turned into a wrapper around the multi + interface, this code path never runs. + + Closes #3666 + +Jay Satiro (11 Mar 2019) +- doh: inherit some SSL options from user's easy handle + + - Inherit SSL options for the doh handle but not SSL client certs, + SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, + SSL pinned public key, SSL ciphers, SSL id cache setting, + SSL kerberos or SSL gss-api settings. + + - Fix inheritance of verbose setting. + + - Inherit NOSIGNAL. + + There is no way for the user to set options for the doh (DNS-over-HTTPS) + handles and instead we inherit some options from the user's easy handle. + + My thinking for the SSL options not inherited is they are most likely + not intended by the user for the DOH transfer. I did inherit insecure + because I think that should still be in control of the user. + + Prior to this change doh did not work for me because CAINFO was not + inherited. Also verbose was set always which AFAICT was a bug (#3660). + + Fixes https://github.com/curl/curl/issues/3660 + Closes https://github.com/curl/curl/pull/3661 + +Daniel Stenberg (9 Mar 2019) +- test331: verify set-cookie for dotless host name + + Reproduced bug #3649 + Closes #3659 + +- Revert "cookies: extend domain checks to non psl builds" + + This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + + Regression shipped in 7.64.0 + Fixes #3649 + +- memdebug: make debug-specific functions use curl_dbg_ prefix + + To not "collide" or use up the regular curl_ name space. Also makes them + easier to detect in helper scripts. + + Closes #3656 + +- cmdline-opts/proxytunnel.d: the option tunnnels all protocols + + Clarify the language and simplify. + + Reported-by: Daniel Lublin + Closes #3658 + +- KNOWN_BUGS: Client cert (MTLS) issues with Schannel + + Closes #3145 + +- ROADMAP: updated to some more current things to work on + +- tests: fix multiple may be used uninitialized warnings + +- RELEASE-NOTES: synced + +- source: fix two 'nread' may be used uninitialized warnings + + Both seem to be false positives but we don't like warnings. + + Closes #3646 + +- gopher: remove check for path == NULL + + Since it can't be NULL and it makes Coverity believe we lack proper NULL + checks. Verified by test 659, landed in commit 15401fa886b. + + Pointed out by Coverity CID 1442746. + + Assisted-by: Dan Fandrich + Fixes #3617 + Closes #3642 + +- examples: only include + + That's the only public curl header we should encourage use of. + + Reviewed-by: Marcel Raad + Closes #3645 + +- ssh: loop the state machine if not done and not blocking + + If the state machine isn't complete, didn't fail and it didn't return + due to blocking it can just as well loop again. + + This addresses the problem with SFTP directory listings where we would + otherwise return back to the parent and as the multi state machine + doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the + doing phase isn't complete, it would return out when in reality there + was more data to deal with. + + Fixes #3506 + Closes #3644 + +Jay Satiro (5 Mar 2019) +- multi: support verbose conncache closure handle + + - Change closure handle to receive verbose setting from the easy handle + most recently added via curl_multi_add_handle. + + The closure handle is a special easy handle used for closing cached + connections. It receives limited settings from the easy handle most + recently added to the multi handle. Prior to this change that did not + include verbose which was a problem because on connection shutdown + verbose mode was not acknowledged. + + Ref: https://github.com/curl/curl/pull/3598 + + Co-authored-by: Daniel Stenberg + + Closes https://github.com/curl/curl/pull/3618 + +Daniel Stenberg (4 Mar 2019) +- CURLU: fix NULL dereference when used over proxy + + Test 659 verifies + + Also fixed the test 658 name + + Closes #3641 + +- altsvc_out: check the return code from Curl_gmtime + + Pointed out by Coverity, CID 1442956. + + Closes #3640 + +- docs/ALTSVC.md: docs describing the approach + + Closes #3498 + +- alt-svc: add a travis build + +- alt-svc: add test 355 and 356 to verify with command line curl + +- alt-svc: the curl command line bits + +- alt-svc: the libcurl bits + +- travis: add build using gnutls + + Closes #3637 + +- RELEASE-NOTES: synced + +- [Simon Legner brought this change] + + scripts/completion.pl: also generate fish completion file + + This is the renamed script formerly known as zsh.pl + + Closes #3545 + +- gnutls: remove call to deprecated gnutls_compression_get_name + + It has been deprecated by GnuTLS since a year ago and now causes build + warnings. + + Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f + Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + + Closes #3636 + +Jay Satiro (2 Mar 2019) +- system_win32: move win32_init here from easy.c + + .. since system_win32 is a more appropriate location for the functions + and to extern the globals. + + Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/3625 + +Daniel Stenberg (1 Mar 2019) +- curl_easy_duphandle.3: clarify that a duped handle has no shares + + Reported-by: Sara Golemon + + Fixes #3592 + Closes #3634 + +- 10-at-a-time.c: fix too long line + +- [Arnaud Rebillout brought this change] + + examples: various fixes in ephiperfifo.c + + The main change here is the timer value that was wrong, it was given in + usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * + 1000). This resulted in the callback being invoked WAY TOO OFTEN. + + As a quick check you can run this command before and after applying this + commit: + + # shell 1 + ./ephiperfifo 2>&1 | tee ephiperfifo.log + # shell 2 + echo http://hacking.elboulangero.com > hiper.fifo + + Then just compare the size of the logs files. + + Closes #3633 + Fixes #3632 + Signed-off-by: Arnaud Rebillout + +- urldata: simplify bytecounters + + - no need to have them protocol specific + + - no need to set pointers to them with the Curl_setup_transfer() call + + - make Curl_setup_transfer() operate on a transfer pointer, not + connection + + - switch some counters from long to the more proper curl_off_t type + + Closes #3627 + +- examples/10-at-a-time.c: improve readability and simplify + + - use better variable names to explain their purposes + - convert logic to curl_multi_wait() + +- threaded-resolver: shutdown the resolver thread without error message + + When a transfer is done, the resolver thread will be brought down. That + could accidentally generate an error message in the error buffer even + though this is not an error situationand the transfer would still return + OK. An application that still reads the error buffer could find a + "Could not resolve host: [host name]" message there and get confused. + + Reported-by: Michael Schmid + Fixes #3629 + Closes #3630 + +- [Ԝеѕ brought this change] + + docs: update max-redirs.d phrasing + + clarify redir - "in absurdum" doesn't seem to make sense in this context + + Closes #3631 + +- ssh: fix Condition '!status' is always true + + in the same sftp_done function in both SSH backends. Simplify them + somewhat. + + Pointed out by Codacy. + + Closes #3628 + +- test578: make it read data from the correct test + +- Curl_easy: remove req.maxfd - never used! + + Introduced in 8b6314ccfb, but not used anymore in current code. Unclear + since when. + + Closes #3626 + +- http: set state.infilesize when sending formposts + + Without it set, we would unwillingly triger the "HTTP error before end + of send, stop sending" condition even if the entire POST body had been + sent (since it wouldn't know the expected size) which would + unnecessarily log that message and close the connection when it didn't + have to. + + Reported-by: Matt McClure + Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html + Closes #3624 + +- INSTALL: refer to the current TLS library names and configure options + +- FAQ: minor updates and spelling fixes + +- GOVERNANCE.md: minor spelling fixes + +- Secure Transport: no more "darwinssl" + + Everyone calls it Secure Transport, now we do too. + + Reviewed-by: Nick Zitzmann + + Closes #3619 + +Marcel Raad (27 Feb 2019) +- AppVeyor: add classic MinGW build + + But use the MSYS2 shell rather than the default MSYS shell because of + POSIX path conversion issues. Classic MinGW is only available on the + Visual Studio 2015 image. + + Closes https://github.com/curl/curl/pull/3623 + +- AppVeyor: add MinGW-w64 build + + Add a MinGW-w64 build using CMake's MSYS Makefiles generator. + Use the Visual Studio 2015 image as it has GCC 8, while the + Visual Studio 2017 image only has GCC 7.2. + + Closes https://github.com/curl/curl/pull/3623 + +Daniel Stenberg (27 Feb 2019) +- cookies: only save the cookie file if the engine is enabled + + Follow-up to 8eddb8f4259. + + If the cookieinfo pointer is NULL there really is nothing to save. + + Without this fix, we got a problem when a handle was using shared object + with cookies and is told to "FLUSH" it to file (which worked) and then + the share object was removed and when the easy handle was closed just + afterwards it has no cookieinfo and no cookies so it decided to save an + empty jar (overwriting the file just flushed). + + Test 1905 now verifies that this works. + + Assisted-by: Michael Wallner + Assisted-by: Marcel Raad + + Closes #3621 + +- [DaVieS brought this change] + + cacertinmem.c: use multiple certificates for loading CA-chain + + Closes #3421 + +- urldata: convert bools to bitfields and move to end + + This allows the compiler to pack and align the structs better in + memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 + makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. + + Removed an unused struct field. + + No functionality changes. + + Closes #3610 + +- [Don J Olmstead brought this change] + + curl.h: use __has_declspec_attribute for shared builds + + Closes #3616 + +- curl: display --version features sorted alphabetically + + Closes #3611 + +- runtests: detect "schannel" as an alias for "winssl" + + Follow-up to 180501cb02 + + Reported-by: Marcel Raad + Fixes #3609 + Closes #3620 + +Marcel Raad (26 Feb 2019) +- AppVeyor: update to Visual Studio 2017 + + Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a + moving target anymore as the last update, Update 9, has been released. + + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: switch VS 2015 builds to VS 2017 image + + The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: explicitly select worker image + + Currently, we're using the default Visual Studio 2015 image for + everything. + + Closes https://github.com/curl/curl/pull/3606 + +Daniel Stenberg (26 Feb 2019) +- strerror: make the strerror function use local buffers + + Instead of using a fixed 256 byte buffer in the connectdata struct. + + In my build, this reduces the size of the connectdata struct by 11.8%, + from 2160 to 1904 bytes with no functionality or performance loss. + + This also fixes a bug in schannel's Curl_verify_certificate where it + called Curl_sspi_strerror when it should have called Curl_strerror for + string from GetLastError. the only effect would have been no text or the + wrong text being shown for the error. + + Co-authored-by: Jay Satiro + + Closes #3612 + +- [Michael Wallner brought this change] + + cookies: fix NULL dereference if flushing cookies with no CookieInfo set + + Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + + Closes #3613 + +Marcel Raad (26 Feb 2019) +- AppVeyor: re-enable test 500 + + It's passing now. + + Closes https://github.com/curl/curl/pull/3615 + +- AppVeyor: remove redundant builds + + Remove the Visual Studio 2012 and 2013 builds as they add little value. + + Ref: https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3614 + +Daniel Stenberg (25 Feb 2019) +- RELEASE-NOTES: synced + +- [Bernd Mueller brought this change] + + OpenSSL: add support for TLS ASYNC state + + Closes #3591 + +Jay Satiro (25 Feb 2019) +- [Michael Felt brought this change] + + acinclude: add additional libraries to check for LDAP support + + - Add an additional check for LDAP that also checks for OpenSSL since + on AIX those libraries may be required to link LDAP properly. + + Fixes https://github.com/curl/curl/issues/3595 + Closes https://github.com/curl/curl/pull/3596 + +- [georgeok brought this change] + + schannel: support CALG_ECDH_EPHEM algorithm + + Add support for Ephemeral elliptic curve Diffie-Hellman key exchange + algorithm option when selecting ciphers. This became available on the + Win10 SDK. + + Closes https://github.com/curl/curl/pull/3608 + +Daniel Stenberg (24 Feb 2019) +- multi: call multi_done on connect timeouts + + Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get + updated correctly and could end up getting reported to the application + completely wrong (way too small). + + Reported-by: accountantM on github + Fixes #3602 + Closes #3605 + +- examples: remove recursive calls to curl_multi_socket_action + + From within the timer callbacks. Recursive is problematic for several + reasons. They should still work, but this way the examples and the + documentation becomes simpler. I don't think we need to encourage + recursive calls. + + Discussed in #3537 + Closes #3601 + +Marcel Raad (23 Feb 2019) +- configure: remove CURL_CHECK_FUNC_FDOPEN call + + The macro itself has been removed in commit + 11974ac859c5d82def59e837e0db56fef7f6794e. + + Closes https://github.com/curl/curl/pull/3604 + +Daniel Stenberg (23 Feb 2019) +- wolfssl: stop custom-adding curves + + since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in + wolfSSL 3.10.2 and later) it sends these curves by default already. + + Pointed-out-by: David Garske + + Closes #3599 + +- configure: remove the unused fdopen macro + + and the two remaining #ifdefs for it + + Closes #3600 + +Jay Satiro (22 Feb 2019) +- url: change conn shutdown order to unlink data as last step + + - Split off connection shutdown procedure from Curl_disconnect into new + function conn_shutdown. + + - Change the shutdown procedure to close the sockets before + disassociating the transfer. + + Prior to this change the sockets were closed after disassociating the + transfer so SOCKETFUNCTION wasn't called since the transfer was already + disassociated. That likely came about from recent work started in + Jan 2019 (#3442) to separate transfers from connections. + + Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html + Reported-by: Pavel Löbl + + Closes https://github.com/curl/curl/issues/3597 + Closes https://github.com/curl/curl/pull/3598 + +Marcel Raad (22 Feb 2019) +- Fix strict-prototypes GCC warning + + As seen in the MinGW autobuilds. Caused by commit + f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. + +Dan Fandrich (21 Feb 2019) +- tests: Fixed XML validation errors in some test files. + +Daniel Stenberg (20 Feb 2019) +- TODO: Allow SAN names in HTTP/2 server push + + Suggested-by: Nicolas Grekas + +- RELEASE-NOTES: synced + +- curl: remove MANUAL from -M output + + ... and remove it from the dist tarball. It has served its time, it + barely gets updated anymore and "everything curl" is now convering all + this document once tried to include, and does it more and better. + + In the compressed scenario, this removes ~15K data from the binary, + which is 25% of the -M output. + + It remains in the git repo for now for as long as the web site builds a + page using that as source. It renders poorly on the site (especially for + mobile users) so its not even good there. + + Closes #3587 + +- http2: verify :athority in push promise requests + + RFC 7540 says we should verify that the push is for an "authoritative" + server. We make sure of this by only allowing push with an :athority + header that matches the host that was asked for in the URL. + + Fixes #3577 + Reported-by: Nicolas Grekas + Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html + Closes #3581 + +- singlesocket: fix the 'sincebefore' placement + + The variable wasn't properly reset within the loop and thus could remain + set for sockets that hadn't been set before and miss notifying the app. + + This is a follow-up to 4c35574 (shipped in curl 7.64.0) + + Reported-by: buzo-ffm on github + Detected-by: Jan Alexander Steffens + Fixes #3585 + Closes #3589 + +- connection: never reuse CONNECT_ONLY conections + + and make CONNECT_ONLY conections never reuse any existing ones either. + + Reported-by: Pavel Löbl + Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html + Closes #3586 + +Patrick Monnerat (19 Feb 2019) +- cli tool: fix mime post with --disable-libcurl-option configure option + + Reported-by: Marcel Raad + Fixes #3576 + Closes #3583 + +Daniel Stenberg (19 Feb 2019) +- x509asn1: cleanup and unify code layout + + - rename 'n' to buflen in functions, and use size_t for them. Don't pass + in negative buffer lengths. + + - move most function comments to above the function starts like we use + to + + - remove several unnecessary typecasts (especially of NULL) + + Reviewed-by: Patrick Monnerat + Closes #3582 + +- curl_multi_remove_handle.3: use at any time, just not from within callbacks + + [ci skip] + +- http: make adding a blank header thread-safe + + Previously the function would edit the provided header in-place when a + semicolon is used to signify an empty header. This made it impossible to + use the same set of custom headers in multiple threads simultaneously. + + This approach now makes a local copy when it needs to edit the string. + + Reported-by: d912e3 on github + Fixes #3578 + Closes #3579 + +- unit1651: survive curl_easy_init() fails + +- [Frank Gevaerts brought this change] + + rand: Fix a mismatch between comments in source and header. + + Reported-by: Björn Stenberg + Closes #3584 + +Patrick Monnerat (18 Feb 2019) +- x509asn1: replace single char with an array + + Although safe in this context, using a single char as an array may + cause invalid accesses to adjacent memory locations. + + Detected by Coverity. + +Daniel Stenberg (18 Feb 2019) +- examples/http2-serverpush: add some sensible error checks + + To avoid NULL pointer dereferences etc in the case of problems. + + Closes #3580 + +Jay Satiro (18 Feb 2019) +- easy: fix win32 init to work without CURL_GLOBAL_WIN32 + + - Change the behavior of win32_init so that the required initialization + procedures are not affected by CURL_GLOBAL_WIN32 flag. + + libcurl via curl_global_init supports initializing for win32 with an + optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop + Winsock initialization. It did so internally by skipping win32_init() + when that flag was set. Since then win32_init() has been expanded to + include required initialization routines that are separate from + Winsock and therefore must be called in all cases. This commit fixes + it so that CURL_GLOBAL_WIN32 only controls the optional win32 + initialization (which is Winsock initialization, according to our doc). + + The only users affected by this change are those that don't pass + CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the + risk of a potential crash. + + Ref: https://github.com/curl/curl/pull/3573 + + Fixes https://github.com/curl/curl/issues/3313 + Closes https://github.com/curl/curl/pull/3575 + +Daniel Gustafsson (17 Feb 2019) +- cookie: Add support for cookie prefixes + + The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes + and how they should affect cookie initialization, which has been + adopted by the major browsers. This adds support for the two prefixes + defined, __Host- and __Secure, and updates the testcase with the + supplied examples from the draft. + + Closes #3554 + Reviewed-by: Daniel Stenberg + +- mbedtls: release sessionid resources on error + + If mbedtls_ssl_get_session() fails, it may still have allocated + memory that needs to be freed to avoid leaking. Call the library + API function to release session resources on this errorpath as + well as on Curl_ssl_addsessionid() errors. + + Closes: #3574 + Reported-by: Michał Antoniak + Reviewed-by: Daniel Stenberg + +Patrick Monnerat (16 Feb 2019) +- cli tool: refactor encoding conversion sequence for switch case fallthrough. + +- version.c: silent scan-build even when librtmp is not enabled + +Daniel Stenberg (15 Feb 2019) +- RELEASE-NOTES: synced + +- Curl_now: figure out windows version in win32_init + + ... and avoid use of static variables that aren't thread safe. + + Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + + Reported-by: Paul Groke + Fixes #3572 + Closes #3573 + +Marcel Raad (15 Feb 2019) +- unit1307: just fail without FTP support + + I missed to check this in with commit + 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. + This fixes the actual linker error. + + Closes https://github.com/curl/curl/pull/3568 + +Daniel Stenberg (15 Feb 2019) +- travis: enable valgrind for the iconv tests too + + Closes #3571 + +- travis: add scan-build + + Closes #3564 + +- examples/sftpuploadresume: Value stored to 'result' is never read + + Detected by scan-build + +- examples/http2-upload: cleaned up + + Fix scan-build warnings, no globals, no silly handle scan. Also remove + handles from the multi before cleaning up. + +- examples/http2-download: cleaned up + + To avoid scan-build warnings and global variables. + +- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' + + Detected by scan-build + +- examples/httpcustomheader: Value stored to 'res' is never read + + Detected by scan-build + +- examples: remove superfluous null-pointer checks + + in ftpget, ftpsget and sftpget, so that scan-build stops warning for + potential NULL pointer dereference below! + + Detected by scan-build + +- strip_trailing_dot: make sure NULL is never used for strlen + + scan-build warning: Null pointer passed as an argument to a 'nonnull' + parameter + +- [Jay Satiro brought this change] + + connection_check: restore original conn->data after the check + + - Save the original conn->data before it's changed to the specified + data transfer for the connection check and then restore it afterwards. + + This is a follow-up to 38d8e1b 2019-02-11. + + History: + + It was discovered a month ago that before checking whether to extract a + dead connection that that connection should be associated with a "live" + transfer for the check (ie original conn->data ignored and set to the + passed in data). A fix was landed in 54b201b which did that and also + cleared conn->data after the check. The original conn->data was not + restored, so presumably it was thought that a valid conn->data was no + longer needed. + + Several days later it was discovered that a valid conn->data was needed + after the check and follow-up fix was landed in bbae24c which partially + reverted the original fix and attempted to limit the scope of when + conn->data was changed to only when pruning dead connections. In that + case conn->data was not cleared and the original conn->data not + restored. + + A month later it was discovered that the original fix was somewhat + correct; a "live" transfer is needed for the check in all cases + because original conn->data could be null which could cause a bad deref + at arbitrary points in the check. A fix was landed in 38d8e1b which + expanded the scope to all cases. conn->data was not cleared and the + original conn->data not restored. + + A day later it was discovered that not restoring the original conn->data + may lead to busy loops in applications that use the event interface, and + given this observation it's a pretty safe assumption that there is some + code path that still needs the original conn->data. This commit is the + follow-up fix for that, it restores the original conn->data after the + connection check. + + Assisted-by: tholin@users.noreply.github.com + Reported-by: tholin@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/3542 + Closes #3559 + +- memdebug: bring back curl_mark_sclose + + Used by debug builds with NSS. + + Reverted from 05b100aee247bb + +Patrick Monnerat (14 Feb 2019) +- transfer.c: do not compute length of undefined hex buffer. + + On non-ascii platforms, the chunked hex header was measured for char code + conversion length, even for chunked trailers that do not have an hex header. + In addition, the efective length is already known: use it. + Since the hex length can be zero, only convert if needed. + + Reported by valgrind. + +Daniel Stenberg (14 Feb 2019) +- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP + + Closes #2367 + +Patrick Monnerat (14 Feb 2019) +- x509asn1: "Dereference of null pointer" + + Detected by scan-build (false positive). + +Daniel Stenberg (14 Feb 2019) +- configure: show features as well in the final summary + + Closes #3569 + +- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 + + Closes #2905 + +- KNOWN_BUGS: Deflate error after all content was received + + Closes #2719 + +- gssapi: fix deprecated header warnings + + Heimdal includes on FreeBSD spewed out lots of them. Less so now. + + Closes #3566 + +- TODO: Upgrade to websockets + + Closes #3523 + +- TODO: cmake test suite improvements + + Closes #3109 + +Patrick Monnerat (13 Feb 2019) +- curl: "Dereference of null pointer" + + Rephrase to satisfy scan-build. + +Marcel Raad (13 Feb 2019) +- unit1307: require FTP support + + This test doesn't link without FTP support after + fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch + unavailable without FTP support. + + Closes https://github.com/curl/curl/pull/3565 + +Daniel Stenberg (13 Feb 2019) +- TODO: TFO support on Windows + + Nobody works on this now. + + Closes #3378 + +- multi: Dereference of null pointer + + Mostly a false positive, but this makes the code easier to read anyway. + + Detected by scan-build. + + Closes #3563 + +- urlglob: Argument with 'nonnull' attribute passed null + + Detected by scan-build. + +Jay Satiro (12 Feb 2019) +- schannel: restore some debug output but only for debug builds + + Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy + debug output in DEBUGF but omitted a few lines. + + Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 + +- examples/crawler: Fix the Accept-Encoding setting + + - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default + supported encodings. + + Prior to this change the specific encodings of gzip and deflate were set + but there's no guarantee they'd be supported by the user's libcurl. + +Daniel Stenberg (12 Feb 2019) +- mime: put the boundary buffer into the curl_mime struct + + ... instead of allocating it separately and point to it. It is + fixed-size and always used for each part. + + Closes #3561 + +- schannel: be quiet + + Convert numerous infof() calls into debug-build only messages since they + are annoyingly verbose for regular applications. Removed a few. + + Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html + Reported-by: Volker Schmid + Closes #3552 + +- [Romain Geissler brought this change] + + Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning + + Closes #3562 + +- http2: multi_connchanged() moved from multi.c, only used for h2 + + Closes #3557 + +- curl: "Function call argument is an uninitialized value" + + Follow-up to cac0e4a6ad14b42471eb + + Detected by scan-build + Closes #3560 + +- pretransfer: don't strlen() POSTFIELDS set for GET requests + + ... since that data won't be used in the request anyway. + + Fixes #3548 + Reported-by: Renaud Allard + Close #3549 + +- multi: remove verbose "Expire in" ... messages + + Reported-by: James Brown + Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html + Closes #3558 + +- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set + + Reported-by: MAntoniak on github + Fixes #3553 + Closes #3556 + +Daniel Gustafsson (12 Feb 2019) +- non-ascii.c: fix typos in comments + + Fix two occurrences of s/convers/converts/ spotted while reading code. + +Daniel Stenberg (12 Feb 2019) +- fnmatch: disable if FTP is disabled + + Closes #3551 + +- curl_path: only enabled for SSH builds + +- [Frank Gevaerts brought this change] + + tests: add stderr comparison to the test suite + + The code is more or less copied from the stdout comparison code, maybe + some better reuse is possible. + + test 1457 is adjusted to make the output actually match (by using --silent) + test 506 used without actually needing it, so that block is removed + + Closes #3536 + +Patrick Monnerat (11 Feb 2019) +- cli tool: do not use mime.h private structures. + + Option -F generates an intermediate representation of the mime structure + that is used later to create the libcurl mime structure and generate + the --libcurl statements. + + Reported-by: Daniel Stenberg + Fixes #3532 + Closes #3546 + +Daniel Stenberg (11 Feb 2019) +- curlver: bump to 7.64.1-dev + +- RELEASE-NOTES: synced + + and bump the version in progress to 7.64.1. If we merge any "change" + before the cut-off date, we update again. + +Daniel Gustafsson (11 Feb 2019) +- curl: follow-up to 3f16990ec84 + + Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was + inadvertently introducing a new bug in the ternary expression. + + Close #3555 + Reviewed-by: Daniel Stenberg + +- dns: release sharelock as soon as possible + + There is no benefit to holding the data sharelock when freeing the + addrinfo in case it fails, so ensure releaseing it as soon as we can + rather than holding on to it. This also aligns the code with other + consumers of sharelocks. + + Closes #3516 + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (11 Feb 2019) +- curl: follow-up to b49652ac66cc0 + + On FreeBSD, return non-zero on error otherwise zero. + + Reported-by: Marcel Raad + +- multi: (void)-prefix when ignoring return values + + ... and added braces to two function calls which fixes warnings if they + are replace by empty macros at build-time. + +- curl: fix FreeBSD compiler warning in the --xattr code + + Closes #3550 + +- connection_check: set ->data to the transfer doing the check + + The http2 code for connection checking needs a transfer to use. Make + sure a working one is set before handler->connection_check() is called. + + Reported-by: jnbr on github + Fixes #3541 + Closes #3547 + +- hostip: make create_hostcache_id avoid alloc + free + + Closes #3544 + +- scripts/singleuse: script to use to track single-use functions + + That is functions that are declared global but are not used from outside + of the file in which it is declared. Such functions should be made + static or even at times be removed. + + It also verifies that all used curl_ prefixed functions are "blessed" + + Closes #3538 + +- cleanup: make local functions static + + urlapi: turn three local-only functions into statics + + conncache: make conncache_find_first_connection static + + multi: make detach_connnection static + + connect: make getaddressinfo static + + curl_ntlm_core: make hmac_md5 static + + http2: make two functions static + + http: make http_setup_conn static + + connect: make tcpnodelay static + + tests: make UNITTEST a thing to mark functions with, so they can be static for + normal builds and non-static for unit test builds + + ... and mark Curl_shuffle_addr accordingly. + + url: make up_free static + + setopt: make vsetopt static + + curl_endian: make write32_le static + + rtsp: make rtsp_connisdead static + + warnless: remove unused functions + + memdebug: remove one unused function, made another static + +Dan Fandrich (10 Feb 2019) +- cirrus: Added FreeBSD builds using Cirrus CI. + + The build logs will be at https://cirrus-ci.com/github/curl/curl + + Some tests are currently failing and so disabled for now. The SSH server + isn't starting for the SSH tests due to unsupported options used in its + config file. The DICT server also is failing on startup. + +Daniel Stenberg (9 Feb 2019) +- url/idnconvert: remove scan for <= 32 ascii values + + The check was added back in fa939220df before the URL parser would catch + these problems and therefore these will never trigger now. + + Closes #3539 + +- urlapi: reduce variable scope, remove unreachable 'break' + + Both nits pointed out by codacy.com + + Closes #3540 + +Alessandro Ghedini (7 Feb 2019) +- zsh.pl: escape ':' character + + ':' is interpreted as separator by zsh, so if used as part of the argument + or option's description it needs to be escaped. + + The problem can be reproduced as follows: + + % curl --reso + % curl -E + + Bug: https://bugs.debian.org/921452 + +- zsh.pl: update regex to better match curl -h output + + The current regex fails to match '<...>' arguments properly (e.g. those + with spaces in them), which causes an completion script with wrong + descriptions for some options. + + Here's a diff of the generated completion script, comparing the previous + version to the one with this fix: + + --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 + +++ _curl 2019-02-05 20:57:29.453349040 +0000 + @@ -9,48 +9,48 @@ + + _arguments -C -S \ + --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + + --resolve'[Resolve the host+port to this address]':'' \ + {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ + {-D,--dump-header}'[Write the received headers to ]':'':_files \ + {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ + --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ + - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ + {-E,--cert}'[Client certificate file and password]':'' \ + --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ + --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ + - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ + --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ + --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ + - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ + - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ + --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ + --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ + --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ + {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ + --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ + --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ + - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ + --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ + --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ + - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ + {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ + --local-port'[Force use of RANGE for local port numbers]':'' \ + --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ + {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ + - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ + - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ + - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ + - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ + --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ + {-O,--remote-name}'[Write output to a file named as the remote file]' \ + + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ + --trace-ascii'[Like --trace, but without hex output]':'':_files \ + --connect-timeout'[Maximum time allowed for connection]':'' \ + --expect100-timeout'[How long to wait for 100-continue]':'' \ + {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ + {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ + --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ + --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ + - --ignore-content-length'[the size of the remote resource]':'Ignore' \ + {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + + --location-trusted'[Like --location, and send auth to other hosts]' \ + --mail-auth'[Originator address of the original email]':'
' \ + --noproxy'[List of hosts which do not use proxy]':'' \ + --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ + @@ -62,18 +62,19 @@ + --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ + --cacert'[CA certificate to verify peer against]':'':_files \ + {-H,--header}'[Pass custom header(s) to server]':'
' \ + + --ignore-content-length'[Ignore the size of the remote resource]' \ + {-i,--include}'[Include protocol response headers in the output]' \ + --proxy-header'[Pass custom header(s) to proxy]':'
' \ + --unix-socket'[Connect through this Unix domain socket]':'' \ + {-w,--write-out}'[Use output FORMAT after completion]':'' \ + - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ + {-o,--output}'[Write to file instead of stdout]':'':_files \ + - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ + --socks4a'[SOCKS4a proxy on given host + port]':'' \ + {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ + {-z,--time-cond}'[Transfer based on a time condition]':'