diff options
| author | shadchin <shadchin@yandex-team.ru> | 2022-04-28 12:56:06 +0300 |
|---|---|---|
| committer | shadchin <shadchin@yandex-team.ru> | 2022-04-28 12:56:06 +0300 |
| commit | 9a78ea94eb210d4fe778c0d71d6e364e3bbc6c7d (patch) | |
| tree | 03f5fa0bcc9a882f49567726171c8951bd8974ef | |
| parent | d43b7ece11f69b40ce622932ca5984037e746f0d (diff) | |
| download | ydb-9a78ea94eb210d4fe778c0d71d6e364e3bbc6c7d.tar.gz | |
Remove CHANGES from curl
ref:1e8497e3de108dc50a13b25f42f3cdbe913fda5d
| -rw-r--r-- | contrib/libs/curl/CHANGES | 7732 |
1 files changed, 0 insertions, 7732 deletions
diff --git a/contrib/libs/curl/CHANGES b/contrib/libs/curl/CHANGES deleted file mode 100644 index 2e6456681a..0000000000 --- a/contrib/libs/curl/CHANGES +++ /dev/null @@ -1,7732 +0,0 @@ - _ _ ____ _ - ___| | | | _ \| | - / __| | | | |_) | | - | (__| |_| | _ <| |___ - \___|\___/|_| \_\_____| - - Changelog - -Version 7.82.0 (5 Mar 2022) - -Daniel Stenberg (5 Mar 2022) -- RELEASE-NOTES: synced - - The 7.82.0 release - -- THANKS: updates from the 7.82.0 release notes - -- misc: update copyright year ranges - -Jay Satiro (5 Mar 2022) -- unit1610: init SSL library before calling SHA256 functions - - The SSL library must be initialized (via global initialization) because - libcurl's SHA256 functions may call SHA256 functions in the SSL library. - - Reported-by: Gisle Vanem - - Fixes https://github.com/curl/curl/issues/8538 - Closes https://github.com/curl/curl/pull/8540 - -- examples/curlx: support building with OpenSSL 1.1.0+ - - - Access members of X509_STORE_CTX in OpenSSL 1.1.0+ by using API - functions. - - The X509_STORE_CTX struct has been opaque since OpenSSL 1.1.0. - - Ref: https://curl.se/mail/lib-2022-03/0004.html - - Closes https://github.com/curl/curl/pull/8529 - -- h2h3: fix typo - - Bug: https://github.com/curl/curl/issues/8381#issuecomment-1055440241 - Reported-by: Michael Kaufmann - -- [Farzin brought this change] - - CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment - - Closes https://github.com/curl/curl/pull/8519 - -Daniel Stenberg (26 Feb 2022) -- azure-pipelines: add a build on Windows with libssh - - Closes #8511 - -- runtests: make 'oldlibssh' be before 0.9.5 - - Closes #8511 - -- libssh: fix include files and defines use for Windows builds - - Reported-by: 梦终无痕 - Bug: https://curl.se/mail/lib-2022-02/0131.html - Closes #8511 - -- RELEASE-NOTES: synced - -- [illusory-dream brought this change] - - winbuild: add parameter WITH_SSH - - For building with libssh - Closes #8514 - -- configure: change output for cross-compiled alt-svc support - - It said 'no', while it actually is 'yes' - - Closes #8512 - -- gha: add a macOS CI job with libssh - - Closes #8513 - -- TODO: remove "Bring back libssh tests on Travis" - - The job was added to Circle CI in d8ddd0e7536 - -- TODO: remove "better persistency for HTTP/1.0" - - Let's not bother. - -- TODO: remove "Option to ignore private IP" - - ... as curl ignores the IP entirely by default these days. - -- TODO: remove "hardcode the "localhost" addresses" - - This is implmented since 1a0ebf6632f88 - -- TODO: 1.24 was a dupe of 1.1 - -- TODO: remove "Typesafe curl_easy_setopt()" - - I don't consider this a serious TODO item - -- KNOWN_BUGS: remove "Uploading HTTP/3 files gets interrupted" - - This works now - -- KNOWN_BUGS: remove "HTTP/3 multipart POST with quiche fails" - - It works now - -- quiche: remove two leftover debug infof() outputs - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: Reset dynbuf when it is fully drained - - Reported-by: vl409 on github - Fixes #7351 - Closes #8504 - -- [Stewart Gebbie brought this change] - - hostip: avoid unused parameter error in Curl_resolv_check - - When built without DNS-over-HTTP and without asynchronous resolvers, - neither the dns nor the data parameters are used. - - That is Curl_resolv_check appears to call - Curl_resolver_is_resolved(data, dns). But, - with CURL_DISABLE_DOH without CURLRES_ASYNCH, the call is actually - elided via a macro definition. - - This fix resolves the resultant: "unused parameter 'data'" error. - - Closes #8505 - -- http2: move two infof calls to debug-h2-only - - and remove a superflous one - - Ref: https://github.com/curl/curl/discussions/8498 - Closes #8502 - -- [Jean-Philippe Menil brought this change] - - quiche: fix upload for bigger content-length - - Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com> - Closes #8421 - -Jay Satiro (23 Feb 2022) -- [Farzin brought this change] - - CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment - - Closes https://github.com/curl/curl/pull/8500 - -Daniel Stenberg (22 Feb 2022) -- [Rob Boeckermann brought this change] - - OS400/README: clarify compilation steps - - Closes #8494 - -- [Rob Boeckermann brought this change] - - OS400: fix typos in rpg include file - - This resolves issues compiling rpg code that includes the curl header - file. - - Closes #8494 - -- [Michał Antoniak brought this change] - - vtls: fix socket check conditions - - fix condition to check the second socket during associate and - disassociate connection - - Closes #8493 - -- libssh2: don't typecast socket to int for libssh2_session_handshake - - Since libssh2_socket_t uses SOCKET on windows which can be larger than - int. - - Closes #8492 - -- RELEASE-NOTES: fix typo and make one desc shorter - -- RELEASE-NOTES: synced - -- CURLOPT_XFERINFOFUNCTION.3: fix typo in example - - Reported-by: coralw on github - Fixes #8487 - Closes #8488 - -- README: disable linkchecks for the sponsor links - - Closes #8489 - -Jay Satiro (21 Feb 2022) -- openssl: check if sessionid flag is enabled before retrieving session - - Ideally, Curl_ssl_getsessionid should not be called unless sessionid - caching is enabled. There is a debug assertion in the function to help - ensure that. Therefore, the pattern in all vtls is basically: - - if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();} - - There was one instance in openssl.c where sessionid was not checked - beforehand and this change fixes that. - - Prior to this change an assertion would occur in openssl debug builds - during connection stage if session caching was disabled. - - Reported-by: Jim Beveridge - - Fixes https://github.com/curl/curl/issues/8472 - Closes https://github.com/curl/curl/pull/8484 - -- multi: allow user callbacks to call curl_multi_assign - - Several years ago a change was made to block user callbacks from calling - back into the API when not supported (recursive calls). One of the calls - blocked was curl_multi_assign. Recently the blocking was extended to the - multi interface API, however curl_multi_assign may need to be called - from within those user callbacks (eg CURLMOPT_SOCKETFUNCTION). - - I can't think of any callback where it would be unsafe to call - curl_multi_assign so I removed the restriction entirely. - - Reported-by: Michael Wallner - - Ref: https://github.com/curl/curl/commit/b46cfbc - Ref: https://github.com/curl/curl/commit/340bb19 - - Fixes https://github.com/curl/curl/issues/8480 - Closes https://github.com/curl/curl/pull/8483 - -Daniel Stenberg (21 Feb 2022) -- [Michał Antoniak brought this change] - - ssl: reduce allocated space for ssl backend when FTP is disabled - - Add assert() for the backend pointer in many places - - Closes #8471 - -- [Michał Antoniak brought this change] - - checkprefix: remove strlen calls - - Closes #8481 - -Jay Satiro (20 Feb 2022) -- [1337vt brought this change] - - curl.h: fix typo - - Closes https://github.com/curl/curl/pull/8482 - -- [Jan Venekamp brought this change] - - sectransp: mark a 3DES cipher as weak - - - Change TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA strength to weak. - - All other 3DES ciphers are already marked as weak. - - Closes https://github.com/curl/curl/pull/8479 - -- [Jan Venekamp brought this change] - - bearssl: fix EXC_BAD_ACCESS on incomplete CA cert - - - Do not create trust anchor object for a CA certificate until after it - is processed. - - Prior to this change the object was created at state BR_PEM_BEGIN_OBJ - (certificate processing begin state). An incomplete certificate (for - example missing a newline at the end) never reaches BR_PEM_END_OBJ - (certificate processing end state) and therefore the trust anchor data - was not set in those objects, which caused EXC_BAD_ACCESS. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8476 - -- [Jan Venekamp brought this change] - - bearssl: fix connect error on expired cert and no verify - - - When peer verification is disabled use the x509_decode engine instead - of the x509_minimal engine to parse and extract the public key from - the first cert of the chain. - - Prior to this change in such a case no key was extracted and that caused - CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if - any validity check fails but the x509_decode won't. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8475 - -- [Jan Venekamp brought this change] - - bearssl: fix session resumption (session id) - - Prior to this change br_ssl_client_reset was mistakenly called with - resume_session param set to 0, which disabled session resumption. - - Ref: https://github.com/curl/curl/pull/8106 - - Closes https://github.com/curl/curl/pull/8474 - -Daniel Stenberg (18 Feb 2022) -- [Michał Antoniak brought this change] - - openssl: fix build for version < 1.1.0 - - Closes #8470 - -- [Joel Depooter brought this change] - - schannel: move the algIds array out of schannel.h - - This array is only used by the SCHANNEL_CRED struct in the - schannel_acquire_credential_handle function. It can therefore be kept as - a local variable. This is a minor update to - bbb71507b7bab52002f9b1e0880bed6a32834511. - - This change also updates the NUM_CIPHERS value to accurately count the - number of ciphers options listed in schannel.c, which is 47 instead of - 45. It is unlikely that anyone tries to set all 47 values, but if they - had tried, the last two would not have been set. - - Closes #8469 - -- [Alejandro R. Sedeño brought this change] - - configure.ac: use user-specified gssapi dir when using pkg-config - - Using the system pkg-config path in the face of a user-specified - library path is asking to link the wrong library. - - Reported-by: Michael Kaufmann - Fixes #8289 - Closes #8456 - -- [Kevin Adler brought this change] - - os400: Add link to QADRT devkit to README.OS400 - - Closes #8455 - -- [Kevin Adler brought this change] - - os400: Add function wrapper for system command - - The wrapper will exit if the system command failed instead of blindly - continuing on. - - In addition, only copy docs which exist, since now the copy failure will - cause the build to stop. - - Closes #8455 - -- [Kevin Adler brought this change] - - os400: Default build to target current release - - V6R1M0 is not available as a target release since IBM i 7.2. To keep - from having to keep this up to date in git, default to the current - release. Users can configure this to whatever release they want to - actually build for. - - Closes #8455 - -- docs/INTERNALS.md: clean up, refer to the book - - The explanatory parts are now in the everything curl book (which can - also use images etc). This document now refers to that resource and only - leaves listings of supported versions of libs, tools and operating - systems. See https://everything.curl.dev/internals - - Closes #8467 - -Marcel Raad (17 Feb 2022) -- des: fix compile break for OpenSSL without DES - - When `USE_OPENSSL` was defined but OpenSSL had no DES support and a - different crypto library was used for that, `Curl_des_set_odd_parity` - was called but not defined. This could for example happen on Windows - and macOS when using OpenSSL v3 with deprecated features disabled. - - Use the same condition for the function definition as used at the - caller side, but leaving out the OpenSSL part to avoid including - OpenSSL headers. - - Closes https://github.com/curl/curl/pull/8459 - -Daniel Stenberg (17 Feb 2022) -- RELEASE-NOTES: synced - -- docs/DEPRECATE: remove NPN support in August 2022 - - Closes #8458 - -- ftp: provide error message for control bytes in path - - Closes #8460 - -- http: fix "unused parameter ‘conn’" warning - - Follow-up from 7d600ad1c395 - - Spotted on appveyor - - Closes #8465 - -Jay Satiro (17 Feb 2022) -- [Alejandro R. Sedeño brought this change] - - sha256: Fix minimum OpenSSL version - - - Change the minimum OpenSSL version for using their SHA256 - implementation from 0.9.7 to 0.9.8. - - EVP_sha256() does not appear in the OpenSSL source before 0.9.7h, and - does not get built by default until 0.9.8, so trying to use it for all - 0.9.7 is wrong, and before 0.9.8 is unreliable. - - Closes https://github.com/curl/curl/pull/8464 - -Daniel Stenberg (16 Feb 2022) -- KNOWN_BUGS: remove "slow connect to localhost on Windows" - - localhost is not resolved anymore since 1a0ebf6632f88 - -- KNOWN_BUGS: remove "HTTP/3 download is 5x times slower than HTTP/2" - - It's not actually a bug. More like room for improvement. - -- KNOWN_BUGS: remove "HTTP/3 download with quiche halts after a while" - - Follow-up to 96f85a0fef694 - -- KNOWN_BUGS: remove "pulseUI vpn" as a problem - - We haven't heard about this for a long time and rumours have it they - might have fixed it. - -- urldata: remove conn->bits.user_passwd - - The authentication status should be told by the transfer and not the - connection. - - Reported-by: John H. Ayad - Fixes #8449 - Closes #8451 - -- [Kevin Adler brought this change] - - gskit: Convert to using Curl_poll - - As mentioned in 32766cb, gskit was the last user of Curl_select which is - now gone. Convert to using Curl_poll to allow build to work on IBM i. - - Closes #8454 - -- [Kevin Adler brought this change] - - gskit: Fix initialization of Curl_ssl_gskit struct - - In c30bf22, Curl_ssl_getsock was factored out in to a member of - struct Curl_ssl but the gskit initialization was not updated to reflect - this new member. - - Closes #8454 - -- [Kevin Adler brought this change] - - gskit: Fix errors from Curl_strerror refactor - - 2f0bb864c1 replaced sterror with Curl_strerror, but the strerror buffer - shadows the set_buffer "buffer" parameter. To keep consistency with the - other functions that use Curl_strerror, rename the parameter. - - In addition, strerror.h is needed for the definition of STRERROR_LEN. - - Closes #8454 - -Marcel Raad (15 Feb 2022) -- ntlm: remove unused feature defines - - They're not used anymore and always supported. - - Closes https://github.com/curl/curl/pull/8453 - -Daniel Stenberg (15 Feb 2022) -- [Kantanat Wannapaka brought this change] - - README.md: fix link and layout - - replace <a></a> tags and <img></img> tags - - Closes #8448 - -- KNOWN_BUGS: fix typo "libpsl" - -Jay Satiro (14 Feb 2022) -- h2h3: fix compiler warning due to function prototype mismatch - - - Add missing const qualifier in Curl_pseudo_headers declaration. - -Daniel Stenberg (14 Feb 2022) -- [Stefan Eissing brought this change] - - urlapi: handle "redirects" smarter - - - avoid one malloc when setting a new url via curl_url_set() - and CURLUPART_URL. - - extract common pattern into a new static function. - - Closes #8450 - -- cijobs: pick up circleci configure lines better - -- circleci: add a job using wolfSSH - - Build only, no tests. - - Closes #8445 - -- scripts/ciconfig.pl: show used options not available - -- circleci: add a job using libssh - - Closes #8444 - -- runtests: set 'oldlibssh' for libssh versions before 0.9.6 - - ... and make test 1459 check for the different return code then. - - Closes #8444 - -Jay Satiro (13 Feb 2022) -- Makefile.am: Generate VS 2022 projects - - Follow-up to f13d4d0 which added VS 2022 project support. - - Ref: https://github.com/curl/curl/pull/8438 - -- [Daniel Stenberg brought this change] - - projects: remove support for MSVC before VC10 (Visual Studio 2010) - - - Remove Visual Studio project files for VC6, VC7, VC7.1, VC8 and VC9. - - Those versions are too old to be maintained any longer. - - Closes https://github.com/curl/curl/pull/8442 - -- [Stav Nir brought this change] - - projects: add support for Visual Studio 17 (2022) - - Closes https://github.com/curl/curl/pull/8438 - -Daniel Stenberg (13 Feb 2022) -- RELEASE-NOTES: synced - -- connect: follow-up fix the copyright year - -- [Michał Antoniak brought this change] - - misc: remove unused data when IPv6 is not supported - - Closes #8430 - -- scripts/ciconfig: show CI job config info - - Closes #8446 - -- quiche: handle stream reset - - A stream reset now causes a CURLE_PARTIAL_FILE error. I'm not convinced - this is the right action nor the right error code. - - Reported-by: Lucas Pardue - Fixes #8437 - Closes #8440 - -- mime: use a define instead of the magic number 24 - - MIME_BOUNDARY_DASHES is now the number of leading dashes in the - generated boundary string. - - Closes #8441 - -- [Henrik Holst brought this change] - - hostcheck: reduce strlen calls on chained certificates - - Closes #8428 - -- [Patrick Monnerat brought this change] - - mime: some more strlen() call removals. - - Closes #8423 - -- scripts/cijobs.pl: detect zuul cmake jobs better - -- url: exclude zonefrom_url when no ipv6 is available - - Closes #8439 - -- if2ip: make Curl_ipv6_scope a blank macro when IPv6-disabled - - Closes #8439 - -- [Henrik Holst brought this change] - - mprintf: remove strlen calls on empty strings in dprintf_formatf - - Turns out that in dprintf_formatf we did a strlen on empty strings, a - bit strange is how common this actually is, 24 alone when doing a simple - GET from https://curl.se - - Closes #8427 - -- wolfssl: return CURLE_AGAIN for the SSL_ERROR_NONE case - - Closes #8431 - -- wolfssl: when SSL_read() returns zero, check the error - - Returning zero indicates end of connection, so if there's no data read - but the connection is alive, it needs to return -1 with CURLE_AGAIN. - - Closes #8431 - -- quiche: after leaving h3_recving state, poll again - - This could otherwise easily leave libcurl "hanging" after the entire - transfer is done but without noticing the end-of-transfer signal. - - Assisted-by: Lucas Pardue - Closes #8436 - -- quiche: when *recv_body() returns data, drain it before polling again - - Assisted-by: Lucas Pardue - - Closes #8429 - -- [gaoxingwang on github brought this change] - - configure: fix '--enable-code-coverage' typo - - Fixes #8425 - Closes #8426 - -- lib/h2h3: #ifdef on ENABLE_QUIC, not the wrong define - - Otherwise the build fails when H3 is enabled but the build doesn't - include nghttp2. - - Closes #8424 - -- hostcheck: pass in pattern length too, to avoid a strlen call - - Removes one strlen() call per SAN name in a cert-check. - - Closes #8418 - -- [Henrik Holst brought this change] - - misc: remove strlen for Curl_checkheaders + Curl_checkProxyheaders - - Closes #8409 - -- configure: requires --with-nss-deprecated to build with NSS - - Add deprecation plans to docs/DEPRECATE.md - - Closes #8395 - -- mqtt: free 'sendleftovers' in disconnect - - Fix a memory-leak - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43646 - Closes #8415 - -- [Patrick Monnerat brought this change] - - openldap: pass string length arguments to client_write() - - This uses the new STRCONST() macro and saves 2 strlen() calls on short - string constants per LDIF output line. - - Closes #8404 - -- [Henrik Holst brought this change] - - misc: reduce strlen() calls with Curl_dyn_add() - - Use STRCONST() to switch from Curl_dyn_add() to Curl_dyn_addn() for - string literals. - - Closes #8398 - -- http2: fix the array copy to nghttp2_nv - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44517 - Follow-up to 9f985a11e794 - Closes #8414 - -- RELEASE-NOTES: synced - -- scripts/cijobs.pl: output data about all currect CI jobs - - This script parses the config files for all the CI services currently in - use and output the information in a uniform way. The idea is that the - output from this script should be possible to massage into informational - tables or graphs to help us visualize what they are all testing and NOT - testing. - - Closes #8408 - -- maketgz: return error if 'make dist' fails - - To better detect this problem in CI jobs - - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8402 - -- h2h3: pass correct argument types to infof() - - Detected by Coverity. CID 1497993 - - Closes #8401 - -- lib/Makefile: remove config-tpf.h from the dist - - Follow-up from da15443dddea2bfb. Missed before because the 'distcheck' - CI job was not working as intended. - - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8403 - -- configure: remove support for "embedded ares" - - In March 2010 (commit 4259d2df7dd) we removed the embedded 'ares' - directory from the curl source tree but we have since supported - especially detecting and using that build directory. The time has come - to remove that kludge and ask users to specify the c-ares dir correctly - with --enable-ares. - - Closes #8397 - -- [Sebastian Sterk brought this change] - - github/workflows/mbedtls: fix indent & remove unnecessary line breaks - - Closes #8399 - -- CI: move the NSS job from zuul to GHA - - Closes #8396 - -- tests/unit/Makefile.am: add NSS_LIBS to build with NSS fine - - Closes #8396 - -Marcel Raad (7 Feb 2022) -- curl-openssl: fix SRP check for OpenSSL 3.0 - - When OpenSSL 3.0 is built with `--api=3.0` and `no-deprecated`, the SRP - functions exist in the library, but are disabled for user code. Check - if they are actually usable instead of only if they exist. Also, check - for the functions actually required for TLS-SRP. - - TLS-SRP support is still enabled if OpenSSL is configured with just - `--api=3.0` or with `--api=1.1.1 no-deprecated`. - - Closes https://github.com/curl/curl/pull/8394 - -Daniel Stenberg (7 Feb 2022) -- [Henrik Holst brought this change] - - http: make Curl_compareheader() take string length arguments too - - Also add STRCONST, a macro that returns a string literal and it's length - for functions that take "string,len" - - Removes unnecesary calls to strlen(). - - Closes #8391 - -- vquic/vquic.h: removed the unused H3 psuedo defines - -- ngtcp2: use Curl_pseudo_headers - -- quiche: use Curl_pseudo_headers - -- http2: use Curl_pseudo_headers - -- h2h3: added Curl_pseudo_headers() - - For use with both http2 and http3 requests. - -- ngtcp2/quiche: make :scheme possible to set - -- http2: allow CURLOPT_HTTPHEADER change ":scheme" - - The only h2 psuedo header that wasn't previously possible to change by a - user. This change also makes it impossible to send a HTTP/1 header that - starts with a colon, which I don't think anyone does anyway. - - The other pseudo headers are possible to change indirectly by doing the - rightly crafted request. - - Reported-by: siddharthchhabrap on github - Fixes #8381 - Closes #8393 - -- h2/h3: provide and refer to pseudo headers as defines - - ... and do sizeof() on the defines to use constants better. - - Closes #8389 - -- [Michał Antoniak brought this change] - - smb: passing a socket for writing and reading data instead of FIRSTSOCKET - - Closes #8383 - -- x509asn1: toggle off functions not needed for diff tls backends - - ... and clean the header file from private defines/structs (move to C - file) and unused function prototypes. - - Closes #8386 - -- lib: move hostcheck and x509sn1 sources to vtls/ - - ... since they are used strictly by TLS code. - - Closes #8386 - -Marcel Raad (4 Feb 2022) -- version_win32: fix warning for `CURL_WINDOWS_APP` - - The build version is not supported by the UWP code. - - Closes https://github.com/curl/curl/pull/8385 - -Daniel Stenberg (4 Feb 2022) -- tests/disable-scan.pl: properly detect multiple symbols per line - - Test 1165 would fail on some systems because it didn't detect - CURL_DISABLE_* symbols that were used to the right of another one on the - same line! The script would only detect and extract the first one. - - Reported-by: Marcel Raad - Fixes #8384 - Closes #8388 - -Jay Satiro (4 Feb 2022) -- config.d: Clarify _curlrc filename is still valid on Windows - - Recent changes added support for filename .curlrc on Windows, and - when it's not found curl falls back on the original Windows filename - _curlrc. _curlrc was removed from the doc, however it is still valid. - - Closes https://github.com/curl/curl/pull/8382 - -Daniel Stenberg (4 Feb 2022) -- lib: remove support for CURL_DOES_CONVERSIONS - - TPF was the only user and support for that was dropped. - - Closes #8378 - -- TPF: drop support - - There has been no TPF related changes done since September 2010 (commit - 7e1a45e224e57) and since this is a platform that is relatively different - than many others (== needs attention), I draw the conclusion that this - build is broken since a long time. - - Closes #8378 - -- scripts/delta: check the file delta for current branch - - ... also polish the output style a little bit - -Jay Satiro (3 Feb 2022) -- [Fabian Keil brought this change] - - runtests.pl: tolerate test directories without Makefile.inc - - Silences the following warnings when using a Makefile.inc-free - TESTDIR using the "-o" argument: - - readline() on closed filehandle D at ./runtests.pl line 592. - Use of uninitialized value $disttests in pattern match (m//) at - ./runtests.pl line 3602. - - Closes https://github.com/curl/curl/pull/8379 - -Daniel Stenberg (3 Feb 2022) -- [Henrik Holst brought this change] - - setopt: do bounds-check before strdup - - Curl_setstropt() allocated memory for the string before checking if the - string was within bounds. The bounds check should be done first. - - Closes #8377 - -- [Michał Antoniak brought this change] - - mbedtls: enable use of mbedtls without filesystem functions support - - Closes #8376 - -- [Bernhard Walle brought this change] - - configure: support specification of a nghttp2 library path - - This enables using --with-nghttp2=<dir> on systems without pkg-config. - - Closes #8375 - -- scripts/release-notes.pl: remove leftover debug output - -- RELEASE-NOTES: synced - -- scripts/release-notes.pl: fix number extraction for full URLs - -- [Leah Neukirchen brought this change] - - scripts/completion.pl: improve zsh completion - - - Detect all spellings of <file>, <file name> etc as well as <path>. - - Only complete directories for <dir>. - - Complete URLs for <URL>. - - Complete --request and --ftp-method. - - Closes #8363 - -- [Davide Cassioli brought this change] - - configure: use correct CFLAGS for threaded resolver with xlC on AIX - - Fixes #8276 - Closes #8374 - -- mailmap: Henrik Holst - -Jay Satiro (2 Feb 2022) -- build: fix ngtcp2 crypto library detection - - - Change library link check for ngtcp2_crypto_{gnutls,openssl} to - to use function ngtcp2_crypto_recv_client_initial_cb instead of - ngtcp2_crypto_ctx_initial. - - The latter function is no longer external since two days ago in - ngtcp2/ngtcp2@533451f. curl HTTP/3 CI builds have been failing since - then because they would not link to the ngtcp2 crypto library. - - Ref: https://github.com/ngtcp2/ngtcp2/pull/356 - - Closes https://github.com/curl/curl/pull/8372 - -- [Henrik Holst brought this change] - - urlapi: remove an unnecessary call to strlen - - - Use strcpy instead of strlen+memcpy to copy the url path. - - Ref: https://curl.se/mail/lib-2022-02/0006.html - - Closes https://github.com/curl/curl/pull/8370 - -Daniel Stenberg (1 Feb 2022) -- scripts/copyright.pl: fix for handling removed files better - -- vxworks: drop support - - No changes or fixes in vxworks related code since 2009 leads me to - believe that this doesn't work anymore. - - Closes #8362 - -- [Henrik Holst brought this change] - - base64: remove an unnecessary call to strlen - - Closes #8369 - -- tool_getparam: initial --json support - - Adds these test cases: - - 383 - simple single command line option - 384 - reading it from stdin - 385 - getting two --json options on command line - 386 - --next works after --json - - Closes #8314 - -- [Bjarni Ingi Gislason brought this change] - - curl_getdate.3: remove pointless .PP line - - mandoc: WARNING: skipping paragraph macro: PP empty - - Reported-by: Samuel Henrique - Closes #8365 - -- [Sebastian Sterk brought this change] - - multi: grammar fix in comment - - After 'must', the verb is used without 'to'. Correct: "must" or "have - to" - - Closes #8368 - -- openldap: fix compiler warning when built without SSL support - - openldap.c:841:52: error: unused parameter ‘data’ [-Werror=unused-parameter] - - Closes #8367 - -- [Samuel Henrique brought this change] - - CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released" - - Found when packaging 7.81.0 for Debian. - - Closes #8364 - -- netware: remove support - - There are no current users and no Netware related changes done in the - code for over 13 years is a clear sign this is abandoned. - - Closes #8358 - -- CI: move two jobs from Zuul to Circle CI - - - openssl-no-verbose - - openssl-no-proxy - - Closes #8359 - -- cirlceci: also run a c-ares job on arm with debug enabled - - Closes #8357 - -- ci: move the OpenSSL + c-ares job from Zuul to Circle CI - - Closes #8357 - -- mailmap: Jan-Piet Mens - -- [luminixinc on github brought this change] - - multi: remember connection_id before returning connection to pool - - Fix a bug that does not require a new CVE as discussed on hackerone.com. - Previously `connection_id` was accessed after returning connection to - the shared pool. - - Bug: https://hackerone.com/reports/1463013 - Closes #8355 - -Jay Satiro (31 Jan 2022) -- write-out.d: Fix num_headers formatting - -- [Jan-Piet Mens brought this change] - - docs: capitalize the name 'Netscape' - - Closes https://github.com/curl/curl/pull/8354 - -Daniel Stenberg (30 Jan 2022) -- RELEASE-NOTES: synced - -- [Antoine Pietri brought this change] - - docs: grammar proofread, typo fixes - - (Partially automated) proofread of most of the documentation, leading to - various typo fixes. - - Closes #8353 - -- urldata: CONN_IS_PROXIED replaces bits.close when proxy can be disabled - - To remove run-time checks for such builds. - - Closes #8350 - -- setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds - - Closes #8350 - -- conncache: make conncache_add_bundle return the pointer - - Simplifies the logic a little and avoids a ternary operator. - - Ref: #8346 - Closes #8349 - -- mailmap: neutric on github - -Jay Satiro (30 Jan 2022) -- [neutric on github brought this change] - - docs/TheArtOfHttpScripting: fix example POST URL - - Closes https://github.com/curl/curl/pull/8352 - -Daniel Stenberg (28 Jan 2022) -- nss: handshake callback during shutdown has no conn->bundle - - The callback gets called because of the call to PR_Recv() done to - attempt to avoid RST on the TCP connection. The conn->bundle pointer is - already cleared at this point so avoid dereferencing it. - - Reported-by: Eric Musser - Fixes #8341 - Closes #8342 - -- [Michał Antoniak brought this change] - - mbedtls: remove #include <mbedtls/certs.h> - - mbedtls/certs.h file contains only certificates example (all definitions - is beginning by mbedtls_test_*). None of them is used so we can avoid - include the file. - - Closes #8343 - -- [Michał Antoniak brought this change] - - mbedtls: enable use of mbedtls without CRL support - - Closes #8344 - -- [Bernhard Walle brought this change] - - configure: set CURL_LIBRARY_PATH for nghttp2 - - To execute the test program, we might need the library path so that the - lib is found at runtime. - - Closes #8340 - -Jay Satiro (28 Jan 2022) -- schannel: restore debug message in schannel_connect_step2 - - This is a follow-up to recent commit 2218c3a which removed the debug - message to avoid an unused variable warning. The message has been - reworked to avoid the warning. - - Ref: https://github.com/curl/curl/pull/8320#issuecomment-1022957904 - - Closes https://github.com/curl/curl/pull/8336 - -- test3021: disable all msys2 path transformation - - - Disable all MSYS2 path transformation in test3021 and test3022. - - Prior to this change path transformation in those tests was disabled - only for arguments that start with forward slashes. However arguments - that are in base64 contain forward slashes at any position and caused - unwanted translations. - - == Info: Denied establishing ssh session: mismatch sha256 fingerprint. - Remote +/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw= is not equal to - +C:/msys64/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw - - In the above example an argument containing a base64 sha256 fingerprint - was passed to curl after MSYS2 translated +/ into +C:/msys64/, and then - the fingerprint didn't match what was expected. - - Ref: https://www.msys2.org/wiki/Porting/ - - Fixes https://github.com/curl/curl/issues/8084 - Closes https://github.com/curl/curl/pull/8325 - -Daniel Stenberg (27 Jan 2022) -- CI: move scan-build job from Zuul to Azure Pipelines - - Closes #8338 - -Marcel Raad (27 Jan 2022) -- openssl: fix `ctx_option_t` for OpenSSL v3+ - - The options have been changed to `uint64_t` in - https://github.com/openssl/openssl/commit/56bd17830f2d5855b533d923d4e0649d3ed61d11. - - Closes https://github.com/curl/curl/pull/8331 - -Daniel Stenberg (27 Jan 2022) -- CI: move 'distcheck' job from zuul to azure pipelines - - Assisted-by: Kushal Das - - Closes #8334 - -- vtls: pass on the right SNI name - - The TLS backends convert the host name to SNI name and need to use that. - This involves cutting off any trailing dot and lowercasing. - - Co-authored-by: Jay Satiro - Closes #8320 - -- url: revert the removal of trailing dot from host name - - Reverts 5de8d84098db1bd24e (May 2014, shipped in 7.37.0) and the - follow-up changes done afterward. - - Keep the dot in names for everything except the SNI to make curl behave - more similar to current browsers. This means 'name' and 'name.' send the - same SNI for different 'Host:' headers. - - Updated test 1322 accordingly - - Fixes #8290 - Reported-by: Charles Cazabon - Closes #8320 - -- [neutric on github brought this change] - - docs/TheArtOfHttpScripting: fix capitalization - - Closes #8333 - -- tests/memanalyze.pl: also count and show "total allocations" - - This is the total number of bytes allocated, increasing for new - allocations and never reduced when freed. The existing "Maximum - allocated" is the high water mark. - - Closes #8330 - -- mailmap: spellfix githuh => github - -- RELEASE-NOTES: synced - -- hostcheck: fixed to not touch used input strings - - Avoids the need to clone the strings before check, thus avoiding - mallocs, which for cases where there are many SAN names in a cert could - end up numerous. - - Closes #8321 - -- ngtcp2: adapt to changed end of headers callback proto - - Closes #8322 - -- [Xiaoke Wang brought this change] - - openssl: check SSL_get_ex_data to prevent potential NULL dereference - - Closes #8268 - -Jay Satiro (23 Jan 2022) -- md5: check md5_init_func return value - - Prior to this change the md5_init_func (my_md5_init) return value was - ignored. - - Closes https://github.com/curl/curl/pull/8319 - -- md5: refactor for standard compliance - - - Wrap OpenSSL / wolfSSL MD5 functions instead of taking their function - addresses during static initialization. - - Depending on how curl was built the old way may have used a dllimport - function address during static initialization, which is not standard - compliant, resulting in Visual Studio warning C4232 (nonstandard - extension). Instead the function pointers now point to the wrappers - which call the MD5 functions. - - This change only affects OpenSSL and wolfSSL because calls to other SSL - libraries' md5 functions were already wrapped. Also sha256.c already - does this for all SSL libraries. - - Ref: https://github.com/curl/curl/pull/8298 - - Closes https://github.com/curl/curl/pull/8318 - -Daniel Stenberg (21 Jan 2022) -- [Lucas Pardue brought this change] - - docs: update IETF links to use datatracker - - The tools.ietf.org domain has been deprecated a while now, with the - links being redirected to datatracker.ietf.org. - - Rather than make people eat that redirect time, this change switches the - URL to a more canonical source. - - Closes #8317 - -- [Harry Sarson brought this change] - - CI: test building wolfssl with --enable-opensslextra - - Closes #8315 - -- [Harry Sarson brought this change] - - misc: allow curl to build with wolfssl --enable-opensslextra - - put all #include of openssl files behind wolfssl ifdefs so that we can - use the wolfssl/ prefixed include paths. Without these curl only builds - when wolfssl is built with enable-all. - - Fixes #8292 - Closes #8315 - -- [Lucas Pardue brought this change] - - quiche: change qlog file extension to `.sqlog` - - quiche has just switched it's qlog serialization format to JSON-SEQ by - default . The spec says this SHOULD use `.sqlog` extension. - - I believe ngtcp2 also supports JSON-SEQ by default as of - https://github.com/ngtcp2/ngtcp2/commit/9baf06fc3f352a1d062b6953ae1de22cae30639d - - Let's update curl so that tools know what format we are using! - - Closes #8316 - -Jay Satiro (21 Jan 2022) -- projects: Fix Visual Studio wolfSSL configurations - - - Change build-wolfssl.bat to disable SSLv3, enable TLSv1.3, enable - wolfSSL_DES_ecb_encrypt (needed by NTLM) and enable alt cert chains. - - - Disable warning C4214 'bit field types other than int'. - - - Add include directory wolfssl\wolfssl. - - wolfSSL offers OpenSSL API compatibility that libcurl uses, and some - recent change in libcurl included an include file for wolfSSL like - openssl/foo.h, which has a path like wolfssl\wolfssl\openssl\foo.h. - - The include directory issue was reported in #8292 but it's currently - unclear whether this type of change is needed for other build systems. - - Bug: https://github.com/curl/curl/issues/8292 - Reported-by: Harry Sarson - - Closes https://github.com/curl/curl/pull/8298 - -Daniel Stenberg (21 Jan 2022) -- openssl: return error if TLS 1.3 is requested when not supported - - Previously curl would just silently ignore it if the necessary defines - are not present at build-time. - - Reported-by: Stefan Eissing - Fixes #8309 - Closes #8310 - -- TODO: Passing NOTIFY option to CURLOPT_MAIL_RCPT - - Closes #8232 - -- [pheiduck on github brought this change] - - workflows/wolfssl: install impacket - - needed Python Package for SMB tests - - Closes #8307 - -- url: make Curl_disconnect return void - - 1. The function would only ever return CURLE_OK anyway - 2. Only one caller actually used the return code - 3. Most callers did (void)Curl_disconnect() - - Closes #8303 - -- docs: document HTTP/2 not insisting on TLS 1.2 - - Both for --http2 and CURLOPT_HTTP_VERSION. - - Reported-by: jhoyla on github - Fixes #8235 - Closes #8300 - -- cmdline-opts/gen.pl: fix option matching to improve references - - Previously it could mistakenly match partial names when there are - options that start with the same prefix, leading to the wrong references - used. - - Closes #8299 - -- TODO: Less memory massaging with Schannel - -- [Patrick Monnerat brought this change] - - runtests.pl: disable debuginfod - - Valgrind and gdb implement this feature: as this highly slows down tests, - disable it. - - Closes #8291 - -- RELEASE-NOTES: synced - -- CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples - - ... to not call libcurl recursively back. - - Closes #8286 - -- multi: set in_callback for multi interface callbacks - - This makes most libcurl functions return error if called from within a - callback using the same multi handle. For example timer or socket - callbacks calling curl_multi_socket_action. - - Reported-by: updatede on github - Fixes #8282 - Closes #8286 - -- docs/HISTORY.md: mention alt-svc and HSTS - -- misc: remove the final watcom references - - Follow-up to bbf8cae44dedc495e6 - - We removed support for the watcom builds files back in September - 2020. This removes all remaining watcom references and ifdefs. - - Closes #8287 - -- misc: remove BeOS code and references - - There has not been a mention of this OS in any commit since December - 2004 (58f4af7973e3d2). The OS is also long gone. - - Closes #8288 - -- tool_getparam: DNS options that need c-ares now fail without it - - Just silently accepting the options and then not having any effect is - not good. - - Ref: #8283 - Closes #8285 - -- curl: remove "separators" (when using globbed URLs) - - Unless muted (with -s) When doing globbing, curl would output mime-like - separators between the separate transfers. This is not documented - anywhere, surprises users and clobbers the output. Gone now. - - Updated test 18 and 1235 - - Reported-by: jonny112 on github - Bug: https://github.com/curl/curl/discussions/8257 - Closes #8278 - -Jay Satiro (15 Jan 2022) -- [Niels Martignène brought this change] - - mbedtls: fix CURLOPT_SSLCERT_BLOB (again) - - - Increase the buffer length passed to mbedtls_x509_crt_parse to account - for the null byte appended to the temporary blob. - - Follow-up to 867ad1c which uses a null terminated copy of the - certificate blob, because mbedtls_x509_crt_parse requires PEM data - to be null terminated. - - Ref: https://github.com/curl/curl/commit/867ad1c#r63439893 - Ref: https://github.com/curl/curl/pull/8146 - - Closes https://github.com/curl/curl/pull/8260 - -Daniel Stenberg (15 Jan 2022) -- [Alessandro Ghedini brought this change] - - quiche: verify the server cert on connect - - Similarly to c148f0f551f9bea0e3d0, make quiche correctly acknowledge - `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. - - Fixes #8173 - Closes #8275 - -- [Ikko Ashimine brought this change] - - checksrc: fix typo in comment - - enfore -> enforce - - Closes #8281 - -- curl-openssl: remove the OpenSSL headers and library versions check - - It is more work to maintain that check than the (any?) benefit it - brings. - - Fixes #8279 - Reported-by: Satadru Pramanik - Closes #8280 - -- mqtt: free any leftover when done - - Oss-fuzz found an issue when the "sendleftovers" pointer could leak memory. - Fix this by always freeing it (if still assigned) in the done function. - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43515 - Closes #8274 - -- formdata: avoid size_t => long typecast overflows - - Typically a problem for platforms with 32 bit long and 64 bit size_t - - Reported-by: Fabian Yamaguchi - Bug: https://hackerone.com/reports/1444539 - Closes #8272 - -- RELEASE-NOTES: synced - - bump next release to become 7.82.0 - -Marcel Raad (13 Jan 2022) -- build: enable -Warith-conversion - - This makes the behavior consistent between GCC 10 and earlier versions. - - Closes https://github.com/curl/curl/pull/8271 - -- build: fix -Wenum-conversion handling - - Don't enable that warning when warnings are disabled. - Also add it to CMake. - - Closes https://github.com/curl/curl/pull/8271 - -- appveyor: use VS 2017 image for the autotools builds - - The newer images don't have all required MSYS2 packages. - - Fixes https://github.com/curl/curl/issues/8248 - Closes https://github.com/curl/curl/pull/8265 - -- appveyor: update images from VS 2019 to 2022 - - Closes https://github.com/curl/curl/pull/8265 - -Daniel Stenberg (12 Jan 2022) -- [Michał Antoniak brought this change] - - mbedtls: return CURLcode result instead of a mbedtls error code - - ... when a certificate fails to be loaded from a blob - - Closes #8266 - -- curl_multi_socket.3: remove callback and typical usage descriptions - - 1. The callback is better described in the option for setting it. Having - it in a single place reduces the risk that one of them is wrong. - - 2. The "typical usage" is wrong since the functions described in this - man page are both deprecated so they cannot be used in any "typical" way - anymore. - - Closes #8262 - -- curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE - - Mostly reverts ba0657c343f, but now instead just run the plain macro on - darwin. The approach as used on other platforms is simply not necessary - on macOS. - - Fixes #8229 - Reported-by: Ryan Schmidt - Closes #8247 - -- [Patrick Monnerat brought this change] - - openldap: implement SASL authentication - - As credentials can be quite different depending on the mechanism used, - there are no default mechanisms for LDAP and simple bind with a DN is - then used. - - The caller has to provide mechanism(s) using CURLOPT_LOGIN_OPTIONS to - enable SASL authentication and disable simple bind. - - Closes #8152 - -Jay Satiro (10 Jan 2022) -- [Cameron Will brought this change] - - CURLOPT_RESOLVE.3: change example port to 443 - - 83cc966 changed documentation from using http to https. However, - CURLOPT_RESOLVE being set to port 80 in the documentation means that it - isn't valid for the new URL. Update to 443. - - Closes https://github.com/curl/curl/pull/8258 - -Daniel Stenberg (10 Jan 2022) -- [Fabian Keil brought this change] - - test374: gif data without new line at the end - - Closes #8239 - -- [Fabian Keil brought this change] - - runtests.pl: support the nonewline attribute for the data part - - Added to FILEFORMAT - - Closes #8239 - -- [Patrick Monnerat brought this change] - - curl tool: erase some more sensitive command line arguments - - As the ps command may reveal sensitive command line info, obfuscate - options --tlsuser, --tlspasswd, --proxy-tlsuser, --proxy-tlspassword and - --oauth2-bearer arguments. - - Reported-by: Stephen Boost <s.booth@epcc.ed.ac.uk> - - Closes #7964 - -- mesalink: remove support - - Mesalink has ceased development. We can no longer encourage use of it. - It seems to be continued under the name TabbySSL, but no attempts have - (yet) been to make curl support it. - - Fixes #8188 - Closes #8191 - -- ldap: return CURLE_URL_MALFORMAT for bad URL - - For consistency, use the same return code for URL malformats, - independently of what scheme that is used. Previously this would return - CURLE_LDAP_INVALID_URL, but starting now that error cannot be returned. - - Closes #8170 - -- docs/cmdline-opts: add "mutexed" options for more http versions - - Update four http version man page sections. - - Closes #8254 - -- [Stephen M. Coakley brought this change] - - rustls: add CURLOPT_CAINFO_BLOB support - - Add support for `CURLOPT_CAINFO_BLOB` `CURLOPT_PROXY_CAINFO_BLOB` to the - rustls TLS backend. Multiple certificates in a single PEM string are - supported just like OpenSSL does with this option. - - This is compatible at least with rustls-ffi 0.8+ which is our new - minimum version anyway. - - I was able to build and run this on Windows, pulling trusted certs from - the system and then add them to rustls by setting - `CURLOPT_CAINFO_BLOB`. Handy! - - Closes #8255 - -- scripts/copyright.pl: ignore missing files - -- RELEASE-NOTES: synced - -- data/DISABLED: disable test 313 for wolfssl builds - - It was previously disabled only in the CI jobs yaml - - Closes #8252 - -- runtests: make 'wolfssl' a testable feature - - Closes #8252 - -- GHA: install stunnel in the medbtls + wolfssl CI jobs - - Closes #8252 - -- CI: move the rustls CI job to GHA from Zuul - - Closes #8251 - -- DISABLE: disable a dozen tests in the rustls build - - Disables tests that don't yet work with the rustls backend. - - Fixes #8004 - Closes #8250 - -- runtests: make 'rustls' a testable feature - -- remote-header-name.d: clarify - - - it strips off the path from the server provided name - - it saves in current directory or --output-dir - - Ref: https://curl.se/mail/archive-2022-01/0032.html - Closes #8249 - -- url: given a user in the URL, find pwd for that user in netrc - - Add test 380 and 381 to verify, edited test 133 - - Reported-by: Manfred Schwarb - Fixes #8241 - Closes #8243 - -- [Niels Martignène brought this change] - - mbedtls: Fix ssl_init error with mbedTLS 3.1.0+ - - Since mbedTLS 3.1.0, mbedtls_ssl_setup() fails if the provided - config struct is not valid. - - mbedtls_ssl_config_defaults() needs to be called before the config - struct is passed to mbedtls_ssl_setup(). - - Closes #8238 - -- [Filip Lundgren brought this change] - - cmake: fix iOS CMake project generation error - - Closes #8244 - -- ngtcp2: fix declaration of ‘result’ shadows a previous local - - Follow-up to 8fbd6feddfa587cfd3 - - Closes #8245 - -- openssl.h: avoid including OpenSSL headers here - - ... by instead using the struct version of the typedef'ed pointer. To - fix build errors when both Schannel and OpenSSL are enabled. - - Fixes #8240 - Reported-by: Jan Ehrhardt - Closes #8246 - -- curl_url_set.3: mention when CURLU_ALLOW_SPACE was added - -- tool_findfile: free mem properly - - Follow-up to 764e4f066d5 - - Closes #8242 - -- tool_findfile: check ~/.config/curlrc too - - ... after the initial checks for .curlrc and if XDG_CONFIG_HOME is not - set, use $HOME and $CURL_HOME to check if ~/.config/curlrc is present. - - Add test 436 to verify - - Reported-by: Sandro Jaeckel - Fixes #8208 - Closes #8213 - -- runtests: allow client/file to specify multiple directories - - ... and make sure to mkdir them all - -- scripts/copyright.pl: support many provided file names on the cmdline - -- [Fabian Keil brought this change] - - tests/FILEFORMAT.md: fix typo - -- [Fabian Keil brought this change] - - Add test373: multiple chunks with binary zeros - -- [Fabian Keil brought this change] - - Add test372: binary zero in data element - -- [Fabian Keil brought this change] - - tests/server/getpart.c: properly deal with binary data containing NUL bytes - -- [Fabian Keil brought this change] - - runtests.pl: properly print the test if it contains binary zeros - -- mailmap: Xiaoke Wang - -- openssl: copyright year update - - Follow-up to 30aea2b1ede - -- scripts/copyright.pl: hush unless -v (for verbose) is used - -- [Xiaoke Wang brought this change] - - openssl: check the return value of BIO_new_mem_buf() - - Closes #8233 - -- examples/multi-app.c: call curl_multi_remove_handle as well - - Fixes #8234 - Reported-by: Melroy van den Berg - Closes #8236 - -- COPYING: bump copyright year range - -- RELEASE-NOTES: synced - - and bump curlver after release - -- docs: fix mandoc -T lint formatting complaints - - Closes #8228 - -- next.d. remove .fi/.nf as they are handled by gen.pl - - Closes #8228 - -- gen.pl: terminate "example" sections better - - If the example (section that is prefixed with spaces) ends the - description gen.pl would previously miss to output the terminating .fi - - Closes #8228 - -- [Satadru Pramanik brought this change] - - curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval - - $$ usage in a m4 file introduces the PID in linux. - Instead, just duplicate previous working code with a case switch. - - Fixes #8229 - Closes #8230 - -Version 7.81.0 (5 Jan 2022) - -Daniel Stenberg (5 Jan 2022) -- RELEASE-NOTES: synced - - curl 7.81.0 release - -- THANKS: add names from 7.81.0 release - -- curl_multi_init.3: fix the copyright year range - -- test719-721: require "proxy" feature present to run - - Bug: https://github.com/curl/curl/pull/8223#issuecomment-1005188696 - Reported-by: Marc Hörsken - - Closes #8226 - -- test719: require ipv6 support to run - - Follow-up to effd2bd7ba2a5fd244 - Reported-by: Marc Hörsken - Bug: https://github.com/curl/curl/pull/8217#issuecomment-1004681145 - - Closes #8223 - -- test719-721: verify SOCKS details - - Using the new verify/socks details - -- runtests: add verify/socks check - - If used, this data is compared with the data in log/socksd-request.log - which the socksd server logs. - - Added to FILEFORMAT.md - -- server/socksd: log atyp + address in a separate log - - To allow the test suite to verify that the right data arrived - -- socks5: use appropriate ATYP for numerical IP address host names - - When not resolving the address locallly (known as socks5h). - - Add test 719 and 720 to verify. - - Reported-by: Peter Piekarski - Fixes #8216 - Closes #8217 - -Jay Satiro (3 Jan 2022) -- curl_multi_init.3: fix EXAMPLE formatting - -Daniel Stenberg (3 Jan 2022) -- RELEASE-NOTES: synced - -- libtest: avoid "assignment within conditional expression" - - In lib530, lib540 and lib582 - - Closes #8218 - -- ftp: disable warning 4706 in MSVC - - Follow-up to 21248e052d - - Disabling "assignment within conditional expression" for MSVC needs to - be done before the function starts, for it to take effect. - - Closes #8218 - -- tool_operate: warn if too many output arguments were found - - More output instructions than URLs is likely a user error. - - Add test case 371 to verify - - Closes #8210 - -- .github/workflows/mbedtls.yml: bump to mbedtls 3.1.0 - - Closes #8215 - -- zuul: remove the mbedtls jobs - - Now running as github workflows - - Closes #8215 - -- github/workflows: add mbedtls and mbedtls-clang - - Closes #8215 - -- [Valentin Richter brought this change] - - mbedtls: fix private member designations for v3.1.0 - - "As a last resort, you can access the field foo of a structure bar by - writing bar.MBEDTLS_PRIVATE(foo). Note that you do so at your own risk, - since such code is likely to break in a future minor version of Mbed - TLS." - - https://github.com/ARMmbed/mbedtls/blob/f2d1199edc5834df4297f247f213e614f7782d1d/docs/3.0-migration-guide.md - - That future minor version is v3.1.0. I set the >= to == for the version - checks because v3.1.0 is a release, and I am not sure when the private - designation was reverted after v3.0.0. - - Closes #8214 - -- [Valentin Richter brought this change] - - cmake: prevent dev warning due to mismatched arg - - -- curl version=[7.81.0-DEV] - CMake Warning (dev) at /usr/share/cmake-3.22.1/Modules/FindPackageHandleStandardArgs.cmake:438 (message): - The package name passed to `find_package_handle_standard_args` (MBEDTLS) - does not match the name of the calling package (MbedTLS). This can lead to - problems in calling code that expects `find_package` result variables - (e.g., `_FOUND`) to follow a certain pattern. - Call Stack (most recent call first): - deps/curl/CMake/FindMbedTLS.cmake:31 (find_package_handle_standard_args) - deps/curl/CMakeLists.txt:473 (find_package) - This warning is for project developers. Use -Wno-dev to suppress it. - - Closes #8207 - -- urlapi: if possible, shorten given numerical IPv6 addresses - - Extended test 1560 to verify - - Closes #8206 - -- [Michał Antoniak brought this change] - - url: reduce ssl backend count for CURL_DISABLE_PROXY builds - - Closes #8212 - -- KNOWN_BUGS: "Trying local ports fails on Windows" - - Reported-by: gclinch on github - Closes #8112 - -- misc: update copyright year range - -- zuul: remove the wolfssl even more - - Follow-up to 1914465cf180d32b3d - -- examples/multi-single.c: remove WAITMS() - - As it isn't used. - - Reported-by: Melroy van den Berg - Fixes #8200 - Closes #8201 - -- gtls: add gnutls include for the session type - - Follow-up to 8fbd6feddfa5 to make it build more universally - -- m4/curl-compilers: tell clang -Wno-pointer-bool-conversion - - To hush compiler warnings we don't care for: error: address of function - 'X' will always evaluate to 'true' - - Fixes #8197 - Closes #8198 - -- http_proxy: don't close the socket (too early) - - ... and double-check in the OpenSSL shutdown that the socket is actually - still there before it is used. - - Fixes #8193 - Closes #8195 - - Reported-by: Leszek Kubik - -- ngtcp2: verify the server certificate for the gnutls case - - Closes #8178 - -- ngtcp2: verify the server cert on connect (quictls) - - Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and - `CURLOPT_SSL_VERIFYHOST`. - - The name check now uses a function from lib/vtls/openssl.c which will - need attention for when TLS is not done by OpenSSL or is disabled while - QUIC is enabled. - - Possibly the servercert() function in openssl.c should be adjusted to be - able to use for both regular TLS and QUIC. - - Ref: #8173 - Closes #8178 - -- zuul: remove the wolfssl build - -- github workflow: add wolfssl - - Closes #8196 - -- [Nicolas Sterchele brought this change] - - zuul: fix quiche build pointing to wrong Cargo - - Fixes #8184 - Closes #8189 - -- checksrc: detect more kinds of NULL comparisons we avoid - - Co-authored-by: Jay Satiro - Closes #8180 - -- RELEASE-NOTES: synced - -- mesalink: remove the BACKEND define kludge - - Closes #8183 - -- schannel: remove the BACKEND define kludge - - Closes #8182 - -- gtls: check return code for gnutls_alpn_set_protocols - - Closes #8181 - -- [Stefan Huber brought this change] - - README: label the link to the support document - - Closes #8185 - -- docs/HTTP3: describe how to setup a h3 reverse-proxy for testing - - Assisted-by: Matt Holt - - Closes #8177 - -- libcurl-multi.3: "SOCKS proxy handshakes" are not blocking - - Since 4a4b63daaa0 - -- [Vladimir Panteleev brought this change] - - tests: Add test for CURLOPT_HTTP200ALIASES - -- [Vladimir Panteleev brought this change] - - http: Fix CURLOPT_HTTP200ALIASES - - The httpcode < 100 check was also triggered when none of the fields were - parsed, thus making the if(!nc) block unreachable. - - Closes #8171 - -- RELEASE-NOTES: synced - -- language: "email" - - Missed three occurrences. - - Follow-up to 7a92f86 - -- nss:set_cipher don't clobber the cipher list - - The string is set by the user and needs to remain intact for proper - connection reuse etc. - - Reported-by: Eric Musser - Fixes #8160 - Closes #8161 - -- misc: s/e-mail/email - - Consistency is king. Following the lead in everything curl. - - Closes #8159 - -- [Tobias Nießen brought this change] - - docs: fix typo in OpenSSL 3 build instructions - - Closes #8162 - -- linkcheck.yml: add CI job that checks markdown links - - Closes #8158 - -- RELEASE-PROCEDURE.md: remove ICAL link and old release dates - -- BINDINGS.md: "markdown-link-check-disable" - - It feels a bit unfortunate to litter an ugly tag for this functionality, - but if we get link scans of all markdown files, this might be worth the - price. - -- docs: fix dead links, remove ECH.md - -Jay Satiro (16 Dec 2021) -- openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+ - - Prior to this change OpenSSL_version was only detected in configure - builds. For other builds the old version parsing code was used which - would result in incorrect versioning for OpenSSL 3: - - Before: - - curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.0a zlib/1.2.11 - WinIDN libssh2/1.9.0 - - After: - - curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11 - WinIDN libssh2/1.9.0 - - Reported-by: lllaffer@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/8154 - Closes https://github.com/curl/curl/pull/8155 - -Daniel Stenberg (16 Dec 2021) -- [James Fuller brought this change] - - docs: add known bugs list to HTTP3.md - - Closes #8156 - -Dan Fandrich (15 Dec 2021) -- BINDINGS: add one from Everything curl and update a link - -- libcurl-security.3: mention address and URL mitigations - - The new CURLOPT_PREREQFUNCTION callback is another way to sanitize - addresses. - Using the curl_url API is a way to mitigate against attacks relying on - URL parsing differences. - -Daniel Stenberg (15 Dec 2021) -- RELEASE-NOTES: synced - -- x509asn1: return early on errors - - Overhaul to make sure functions that detect errors bail out early with - error rather than trying to continue and risk hiding the problem. - - Closes #8147 - -- [Patrick Monnerat brought this change] - - openldap: several minor improvements - - - Early check proper LDAP URL syntax. Reject URLs with a userinfo part. - - Use dynamic memory for ldap_init_fd() URL rather than a - stack-allocated buffer. - - Never chase referrals: supporting it would require additional parallel - connections and alternate authentication credentials. - - Do not wait 1 microsecond while polling/reading query response data. - - Store last received server code for retrieval with CURLINFO_RESPONSE_CODE. - - Closes #8140 - -- [Michał Antoniak brought this change] - - misc: remove unused doh flags when CURL_DISABLE_DOH is defined - - Closes #8148 - -- mbedtls: fix CURLOPT_SSLCERT_BLOB - - The memory passed to mbedTLS for this needs to be null terminated. - - Reported-by: Florian Van Heghe - Closes #8146 - -- asyn-ares: ares_getaddrinfo needs no happy eyeballs timer - - Closes #8142 - -- mailmap: add Yongkang Huang - - From #8141 - -- [Yongkang Huang brought this change] - - check ssl_config when re-use proxy connection - -- mbedtls: do a separate malloc for ca_info_blob - - Since the mbedTLS API requires the data to the null terminated. - - Follow-up to 456c53730d21b1fad0c7f72c1817 - - Fixes #8139 - Closes #8145 - -Marc Hoersken (14 Dec 2021) -- CI: build examples for additional code verification - - Some CIs already build them, let's do it on more of them. - - Reviewed-by: Daniel Stenberg - - Follow up to #7690 and 77311f420a541a0de5b3014e0e40ff8b4205d4af - Replaces #7591 - Closes #7922 - -- docs/examples: workaround broken -Wno-pedantic-ms-format - - Avoid CURL_FORMAT_CURL_OFF_T by using unsigned long instead. - Improve size_t to long conversion in imap-append.c example. - - Ref: https://github.com/curl/curl/issues/6079 - Ref: https://github.com/curl/curl/pull/6082 - Assisted-by: Jay Satiro - Reviewed-by: Daniel Stenberg - - Preparation of #7922 - -- tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256 - - Ref: https://www.msys2.org/wiki/Porting/#filesystem-namespaces - - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro - - Fixes #8084 - Closes #8138 - -Daniel Stenberg (13 Dec 2021) -- [Patrick Monnerat brought this change] - - openldap: simplify ldif generation code - - and take care of zero-length values, avoiding conversion to base64 - and/or trailing spaces. - - Closes #8136 - -- example/progressfunc: remove code for old libcurls - - 7.61.0 is over three years old now, remove all #ifdefs for handling - ancient libcurl versions so that the example gets easier to read and - understand - - Closes #8137 - -- [Xiaoke Wang brought this change] - - sha256/md5: return errors when init fails - - Closes #8133 - -- TODO: 13.3 Defeat TLS fingerprinting - - Closes #8119 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - openldap: process search query response messages one by one - - Upon receiving large result sets, this reduces memory consumption and - allows starting to output results while the transfer is still in - progress. - - Closes #8101 - -- hash: lazy-alloc the table in Curl_hash_add() - - This makes Curl_hash_init() infallible which saves error paths. - - Closes #8132 - -- multi: cleanup the socket hash when destroying it - - Since each socket hash entry may themselves have a hash table in them, - the destroying of the socket hash needs to make sure all the subhashes - are also correctly destroyed to avoid leaking memory. - - Fixes #8129 - Closes #8131 - -- test1156: fixup the stdout check for Windows - - It is not text mode. - - Follow-up to 6f73e68d182 - - Closes #8134 - -- test1528: enable for hyper - - Closes #8128 - -- test1527: enable for hyper - - Closes #8128 - -- test1526: enable for hyper - - Closes #8128 - -- test1525: slightly tweaked for hyper - - Closes #8128 - -- test1156: enable for hyper - - Minor reorg of the lib1156 code and it works fine for hyper. - - Closes #8127 - -- test661: enable for hyper - - Closes #8126 - -- docs: fix proselint nits - - - remove a lot of exclamation marks - - use consistent spaces (1, not 2) - - use better words at some places - - Closes #8123 - -- [RekGRpth brought this change] - - BINDINGS.md: add cURL client for PostgreSQL - - Closes #8125 - -- [RekGRpth brought this change] - - CURLSHOPT_USERDATA.3: fix copy-paste mistake - - Closes #8124 - -- docs: fix minor nroff format nits - - Repairs test 1140 - - Follow-up to 436cdf82041 - -- docs/URL-SYNTAX.md: space is not fine in a given URL - -- curl_multi_perform/socket_action.3: clarify what errors mean - - An error returned from one of these funtions mean that ALL still ongoing - transfers are to be considered failed. - - Ref: #8114 - Closes #8120 - -- libcurl-errors.3: add CURLM_ABORTED_BY_CALLBACK - - Follow-up to #8089 (2b3dd01) - - Closes #8116 - -- hash: add asserts to help detect bad usage - - For example trying to add entries after the hash has been "cleaned up" - - Closes #8115 - -- lib530: abort on curl_multi errors - - This makes torture tests run more proper. - - Also add an assert to trap situations where it would end up with no - sockets to wait for. - - Closes #8121 - -- FAQ: we never pronounced it "see URL", we say "kurl" - -- RELEASE-NOTES: synced - -- CURLOPT_RESOLVE.3: minor polish - - Minor rephrasing for some explanations. - - Put the format strings in stand-alone lines with .nf/.fi to be easier to spot. - - Move "added in" to AVAILABILITY - - Closed #8110 - -- test1556: adjust for hyper - - Closes #8105 - -- test1554: adjust for hyper - - Closes #8104 - -- retry-all-errors.d: make the example complete - - ... as it needs --retry too to work - -- TODO: 5.7 Require HTTP version X or higher - - Closes #7980 - -- CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL - - This is the exact same limitation already documented for - CURLOPT_WRITEDATA but should be clarified here. It also has a different - work-around. - - Reported-by: Stephane Pellegrino - Bug: https://github.com/curl/curl/issues/8102 - Closes #8103 - -- multi: handle errors returned from socket/timer callbacks - - The callbacks were partially documented to support this. Now the - behavior is documented and returning error from either of these - callbacks will effectively kill all currently ongoing transfers. - - Added test 530 to verify - - Reported-by: Marcelo Juchem - Fixes #8083 - Closes #8089 - -- http2:set_transfer_url() return early on OOM - - If curl_url() returns NULL this should return early to avoid mistakes - - even if right now the subsequent function invokes are all OK. - - Coverity (wrongly) pointed out this as a NULL deref. - - Closes #8100 - -- tool_parsecfg: use correct free() call to free memory - - Detected by Coverity. CID 1494642. - Follow-up from 2be1aa619bca - - Closes #8099 - -- tool_operate: fix potential memory-leak - - A 'CURLU *' would leak if url_proto() is called with no URL. - - Detected by Coverity. CID 1494643. - Follow-up to 18270893abdb19 - Closes #8098 - -- [Patrick Monnerat brought this change] - - openldap: implement STARTTLS - - As this introduces use of CURLOPT_USE_SSL option for LDAP, also check - this option in ldap.c as it is not supported by this backend. - - Closes #8065 - -- [Jun Tseng brought this change] - - curl_easy_unescape.3: call curl_easy_cleanup in example - - Closes #8097 - -- [Jun Tseng brought this change] - - curl_easy_escape.3: call curl_easy_cleanup in example - - Closes #8097 - -- tool_listhelp: sync - - Follow-up to 172068b76f - -- [Damien Walsh brought this change] - - request.d: refer to 'method' rather than 'command' - - Closes #8094 - -- RELEASE-NOTES: synced - -- writeout: fix %{http_version} for HTTP/3 - - Output "3" properly when HTTP/3 was used. - - Reported-by: Bernat Mut - Fixes #8072 - Closes #8092 - -- urlapi: accept port number zero - - This is a regression since 7.62.0 (fb30ac5a2d). - - Updated test 1560 accordingly - - Reported-by: Brad Fitzpatrick - Fixes #8090 - Closes #8091 - -- [Mark Dodgson brought this change] - - lift: ignore is a deprecated config option, use ignoreRules - - Closes #8082 - -- [Alessandro Ghedini brought this change] - - HTTP3: update quiche build instructions - - The repo repo was re-organized a bit, so the build instructions need to - be updated. - - Closes #8076 - -- CURLMOPT_TIMERFUNCTION.3: call it expire time, not interval - - Since we say it is a non-repating timer - -- [Florian Van Heghe brought this change] - - mbedTLS: include NULL byte in blob data length for CURLOPT_CAINFO_BLOB - - Fixes #8079 - Closes #8081 - -Jay Satiro (2 Dec 2021) -- [Wyatt O'Day brought this change] - - version_win32: Check build number and platform id - - Prior to this change the build number was not checked during version - comparison, and the platform id was supposed to be checked but wasn't. - - Checking the build number is required for enabling "evergreen" - Windows 10/11 features (like TLS 1.3). - - Ref: https://github.com/curl/curl/pull/7784 - - Closes https://github.com/curl/curl/pull/7824 - Closes https://github.com/curl/curl/pull/7867 - -- libssh2: fix error message for sha256 mismatch - - - On mismatch error show sha256 fingerprint in base64 format. - - Prior to this change the fingerprint was mistakenly printed in binary. - -Daniel Stenberg (1 Dec 2021) -- [Xiaoke Wang brought this change] - - openssl: check the return value of BIO_new() - - Closes #8078 - -Dan Fandrich (30 Nov 2021) -- docs: Update the Reducing Size section - - Add many more options that can reduce the size of the binary that were - added since the last update. Update the sample minimal binary size for - version 7.80.0. - -- tests: Add some missing keywords to tests - - These are needed to skip some tests when configure options have disabled - certain features. - -Daniel Stenberg (30 Nov 2021) -- [Florian Van Heghe brought this change] - - mbedTLS: add support for CURLOPT_CAINFO_BLOB - - Closes #8071 - -- [Glenn Strauss brought this change] - - digest: compute user:realm:pass digest w/o userhash - - https://datatracker.ietf.org/doc/html/rfc7616#section-3.4.4 - ... the client MUST calculate a hash of the username after - any other hash calculation ... - - Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> - Closes #8066 - -- config.d: update documentation to match the path search - - Assisted-by: Jay Satiro - -- tool_findfile: search for a file in the homedir - - The homedir() function is now renamed into findfile() and iterates over - all the environment variables trying to access the file in question - until it finds it. Last resort is then getpwuid() if - available. Previously it would first try to find a home directory and if - that was set, insist on checking only that directory for the file. This - now returns the full file name it finds. - - The Windows specific checks are now done differently too and in this - order: - - 1 - %USERPROFILE% - 2 - %APPDATA% - 3 - %USERPROFILE%\\Application Data - - The windows order is modified to match how the Windows 10 ssh tool works - when it searches for .ssh/known_hosts. - - Reported-by: jeffrson on github - Co-authored-by: Jay Satiro - Fixes #8033 - Closes #8035 - -- docs: consistent manpage SYNOPSIS - - Make all libcurl related options use .nf (no fill) for the SYNOPSIS - section - for consistent look. roffit then renders that section using - <pre> (monospace font) in html for the website. - - Extended manpage-syntax (test 1173) with a basic check for it. - - Closes #8062 - -- RELEASE-NOTES: synced - -- [Patrick Monnerat brought this change] - - openldap: handle connect phase with a state machine - - Closes #8054 - -- docs: address proselint nits - - - avoid exclamation marks - - use consistent number of spaces after periods: one - - avoid clichés - - avoid using 'very' - - Closes #8060 - -- [Bruno Baguette brought this change] - - FAQ: typo fix : "yout" ➤ "your" - - Closes #8059 - -- [Bruno Baguette brought this change] - - docs/INSTALL.md: typo fix : added missing "get" verb - - Closes #8058 - -- insecure.d: detail its use for SFTP and SCP as well - - Closes #8056 - -Viktor Szakats (25 Nov 2021) -- Makefile.m32: rename -winssl option to -schannel and tidy up - - - accept `-schannel` as an alternative to `CFG` option `-winssl` - (latter still accepted, but deprecated) - - rename internal variable `WINSSL` to `SCHANNEL` - - make the `CFG` option evaluation shorter, without repeating the option - name - - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - Closes #8053 - -Daniel Stenberg (25 Nov 2021) -- KNOWN_BUGS: 5.6 make distclean loops forever - - Reported-by: David Bohman - Closes #7716 - -- KNOWN_BUGS: add one, remove one - - - 5.10 SMB tests fail with Python 2 - - Just use python 3. - - + 5.10 curl hangs on SMB upload over stdin - - Closes #7896 - -- urlapi: provide more detailed return codes - - Previously, the return code CURLUE_MALFORMED_INPUT was used for almost - 30 different URL format violations. This made it hard for users to - understand why a particular URL was not acceptable. Since the API cannot - point out a specific position within the URL for the problem, this now - instead introduces a number of additional and more fine-grained error - codes to allow the API to return more exactly in what "part" or section - of the URL a problem was detected. - - Also bug-fixes curl_url_get() with CURLUPART_ZONEID, which previously - returned CURLUE_OK even if no zoneid existed. - - Test cases in 1560 have been adjusted and extended. Tests 1538 and 1559 - have been updated. - - Updated libcurl-errors.3 and curl_url_strerror() accordingly. - - Closes #8049 - -- urlapi: make Curl_is_absolute_url always use MAX_SCHEME_LEN - - Instad of having all callers pass in the maximum length, always use - it. The passed in length is instead used only as the length of the - target buffer for to storing the scheme name in, if used. - - Added the scheme max length restriction to the curl_url_set.3 man page. - - Follow-up to 45bcb2eaa78c79 - - Closes #8047 - -- [Jay Satiro brought this change] - - cmake: warn on use of the now deprecated symbols - - Follow-up to 9108da2c26d - - Closes #8052 - -- [Kevin Burke brought this change] - - tests/CI.md: add more information on CI environments - - Fixes #8012 - Closes #8022 - -- cmake: private identifiers use CURL_ instead of CMAKE_ prefix - - Since the 'CMAKE_' prefix is reserved for cmake's own private use. - Ref: https://cmake.org/cmake/help/latest/manual/cmake-variables.7.html - - Reported-by: Boris Rasin - Fixes #7988 - Closes #8044 - -- urlapi: reject short file URLs - - file URLs that are 6 bytes or shorter are not complete. Return - CURLUE_MALFORMED_INPUT for those. Extended test 1560 to verify. - - Triggered by #8041 - Closes #8042 - -- curl: improve error message for --head with -J - - ... it now focuses on the "output of headers" combined with the - --remote-header-name option, as that is actually the problem. Both - --head and --include can output headers. - - Reported-by: nimaje on github - Fixes #7987 - Closes #8045 - -- RELEASE-NOTES: synced - -- [Stefan Eissing brought this change] - - urlapi: cleanup scheme parsing - - Makea Curl_is_absolute_url() always leave a defined 'buf' and avoids - copying on urls that do not start with a scheme. - - Closes #8043 - -- tool_operate: only set SSH related libcurl options for SSH URLs - - For example, this avoids trying to find and set the known_hosts file (or - warn for its absence) if SFTP or SCP are not used. - - Closes #8040 - -- [Jacob Hoffman-Andrews brought this change] - - rustls: remove comment about checking handshaking - - The comment is incorrect in two ways: - - It says the check needs to be last, but the check is actually first. - - is_handshaking actually starts out true. - - Closes #8038 - -Marcel Raad (20 Nov 2021) -- openssl: use non-deprecated API to read key parameters - - With OpenSSL 3.0, the parameters are read directly from the `EVP_PKEY` - using `EVP_PKEY_get_bn_param`. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: reduce code duplication - - `BN_print`'s `BIGNUM` parameter has been `const` since OpenSSL 0.9.4. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable - - The flag has been deprecated without replacement in OpenSSL 3.0. - - Closes https://github.com/curl/curl/pull/7893 - -- openssl: remove usage of deprecated `SSL_get_peer_certificate` - - The function name was changed to `SSL_get1_peer_certificate` in OpenSSL - 3.0. - - Closes https://github.com/curl/curl/pull/7893 - -Daniel Stenberg (19 Nov 2021) -- page-footer: fix typo - - Closes #8036 - -- http: enable haproxy support for hyper backend - - This is done by having native code do the haproxy header output before - hyper issues its request. The little downside with this approach is that - we need the entire Curl_buffer_send() function built, which is otherwise - not used for hyper builds. - - If hyper ends up getting native support for the haproxy protocols we can - backpedal on this. - - Enables test 1455 and 1456 - - Closes #8034 - -- [Bernhard Walle brought this change] - - configure: fix runtime-lib detection on macOS - - With a non-standard installation of openssl we get this error: - - checking run-time libs availability... failed - configure: error: one or more libs available at link-time are not available run-time. Libs used at link-time: -lnghttp2 -lssl -lcrypto -lssl -lcrypto -lz - - There's already code to set LD_LIBRARY_PATH on Linux, so set - DYLD_LIBRARY_PATH equivalent on macOS. - - Closes #8028 - -- [Don J Olmstead brought this change] - - cmake: don't set _USRDLL on a static Windows build - - Closes #8030 - -- page-footer: document more environment variables - - ... that curl might use. - - Closes #8027 - -- netrc.d: edit the .netrc example to look nicer - - Works nicely thanks to d1828b470f43d - - Closes #8025 - -- tftp: mark protocol as not possible to do over CONNECT - - ... and make connect_init() refusing trying to tunnel protocols marked - as not working. Avoids a double-free. - - Reported-by: Even Rouault - Fixes #8018 - Closes #8020 - -- docs/cmdline-opts: do not say "protocols: all" - - Remove the lines saying "protocols: all". It makes the output in the - manpage look funny, and the expectation is probably by default that if - not anything is mentioned about protocols the option apply to them all. - - Closes #8021 - -- curl.1: require "see also" for every documented option - - gen.pl now generates a warning if the "See Also" field is not filled in for a - command line option - - All command line options now provide one or more related options. 167 - "See alsos" added! - - Closes #8019 - -- insecure.d: expand and clarify - - Closes #8017 - -- gen.pl: improve example output format - - Treat consecutive lines that start with a space to be "examples". They - are output enclosed by .nf and .fi - - Updated form.d to use this new fanciness - - Closes #8016 - -- Revert "form-escape.d: double the back-slashes for proper man page output" - - This reverts commit a2d8eac04a4eb1d5a98cf24b4e5cec5cec565d27. - - silly me, it was intended to be one backslash! - -- form-escape.d: double the back-slashes for proper man page output - -- page-footer: add a mention of how to report bugs to the man page - -- RELEASE-NOTES: synced - - and bump to 7.81.0-DEV - -- [Patrick Monnerat brought this change] - - mime: use percent-escaping for multipart form field and file names - - Until now, form field and file names where escaped using the - backslash-escaping algorithm defined for multipart mails. This commit - replaces this with the percent-escaping method for URLs. - - As this may introduce incompatibilities with server-side applications, a - new libcurl option CURLOPT_MIME_OPTIONS with bitmask - CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of - backslash-escaping. This is controlled by new cli tool option - --form-escape. - - New tests and documentation are provided for this feature. - - Reported by: Ryan Sleevi - Fixes #7789 - Closes #7805 - -- [Kevin Burke brought this change] - - zuul.d: update rustls-ffi to version 0.8.2 - - This version fixes errors with ALPN negotiation in rustls, which is - necessary for HTTP/2 support. For more information see the rustls-ffi - changelog. - - Closes #8013 - -- configure: better diagnostics if hyper is built wrong - - If hyper is indeed present in the specified directory but couldn't be - used to find the correct symbol, then offer a different error message to - better help the user understand the issue. - - Suggested-by: Jacob Hoffman-Andrews - Fixes #8001 - Closes #8005 - -- test1939: require proxy support to run - - Follow-up to f0b7099a10d1a - - Closes #8011 - -- test302[12]: run only with the libssh2 backend - - ... as the others don't support --hostpubsha256 - - Reported-by: Paul Howarth - Fixes #8009 - Closes #8010 - -- runtests: make the SSH library a testable feature - - libssh2, libssh and wolfssh - -- [Jacob Hoffman-Andrews brought this change] - - rustls: read of zero bytes might be okay - - When we're reading out plaintext from rustls' internal buffers, we might - get a read of zero bytes (meaning a clean TCP close, including - close_notify). However, we shouldn't return immediately when that - happens, since we may have already copied out some plaintext bytes. - Break out of the loop when we get a read of zero bytes, and figure out - which path we're dealing with. - - Acked-by: Kevin Burke - - Closes #8003 - -- [Jacob Hoffman-Andrews brought this change] - - rustls: remove incorrect EOF check - - The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify. - From the CHANGELOG: - - > Handling of unclean close and the close_notify TLS alert. Mirroring - > upstream changes, a rustls_connection now tracks TCP closed state like - > so: rustls_connection_read_tls considers a 0-length read from its - > callback to mean "TCP stream was closed by peer." If that happens - > before the peer sent close_notify, rustls_connection_read will return - > RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are - > exhausted. This is useful to protect against truncation attacks. Note: - > some TLS implementations don't send close_notify. If you are already - > getting length information from your protocol (e.g. Content-Length in - > HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of - > plaintext bytes was as expected. - - That means we don't need to check for unclean EOF in `cr_recv()`, - because `process_new_packets()` will give us an error if appropriate. - - Closes #8003 - -- lib1939: make it endure torture tests - - Follow-up to f0b7099a10d1a - - Closes #8007 - -- azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper - - The configure line would previously depend on a configure mistake using - --without-openssl that is fixed and now this configure line needs - adjusting to use --without-ssl. - - Follow-up to b589696f0312d - - Closes #8006 - -- [Jacob Hoffman-Andrews brought this change] - - configure: add -lm to configure for rustls build. - - Note: The list of libraries that rustc tells us we need to include is - longer, but also includes some more platform-specific libraries that I - am not sure how to effectively incorporate. Adding just -lm seems to - solve an immediate problem, so I'm adding just that. - - Closes #8002 - -- curl_share_setopt.3: refer to CURLSHOPT_USERDATA(3) properly - -- curl_share_setopt.3: split out options into their own manpages - - CURLSHOPT_LOCKFUNC.3 - CURLSHOPT_SHARE.3 - CURLSHOPT_UNLOCKFUNC.3 - CURLSHOPT_UNSHARE.3 - CURLSHOPT_USERDATA.3 - - Closes #7998 - -- http_proxy: make Curl_connect_done() work for proxy disabled builds - - ... by making it an empty macro then. - - Follow-up to f0b7099a10d1a - Reported-by: Vincent Grande - Fixes #7995 - Closes #7996 - -- Curl_connect_done: handle being called twice - - Follow-up to f0b7099a10d1a7c - - When torture testing 1021, it turns out the Curl_connect_done function - might be called twice and that previously then wrongly cleared the HTTP - pointer in the second invoke. - - Closes #7999 - -- [Stan Hu brought this change] - - configure: don't enable TLS when --without-* flags are used - - Previously specifying `--without-gnutls` would unexpectedly attempt to - compile with GnuTLS, effectively interpreting this as - `--with-gnutls`. This caused a significant amount of confusion when - `libcurl` was built with SSL disabled since GnuTLS wasn't present. - - 68d89f24 dropped the `--without-*` options from the configure help, but - `AC_ARG_WITH` still defines these flags automatically. As - https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html - describes, the `action-if-given` is called when the user specifies - `--with-*` or `--without-*` options. - - To prevent this confusion, we make the `--without` flag do the right - thing by ignoring the value if it set to "no". - - Closes #7994 - -- [Rikard Falkeborn brought this change] - - docs/checksrc: Add documentation for STRERROR - - Closes #7991 - -- vtls/rustls: adapt to the updated rustls_version proto - - Closes #7956 - -- [Kevin Burke brought this change] - - vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY - - Previously we'd return CURLE_READ_ERROR if we received this, instead - of triggering the error handling logic that's present in the next if - block down. - - After this change, curl requests to https://go.googlesource.com using - HTTP/2 complete successfully. - - Fixes #7949 - Closes #7948 - -- [Kevin Burke brought this change] - - zuul: update build environment for rustls-ffi 0.8.0 - -- [Kevin Burke brought this change] - - vtls/rustls: update to compile with rustls-ffi v0.8.0 - - Some method names, as well as the generated library name, were changed - in a recent refactoring. - - Further, change the default configuration instructions to check for - Hyper in either "target/debug" or "target/release" - the latter - contains an optimized build configuration. - - Fixes #7947 - Closes #7948 - -- RELEASE-NOTES: synced - - and bump the version to 7.80.1 - -- multi: shut down CONNECT in Curl_detach_connnection - - ... to prevent a lingering pointer that would lead to a double-free. - - Added test 1939 to verify. - - Reported-by: Stephen M. Coakley - Fixes #7982 - Closes #7986 - -- curl_easy_cleanup.3: remove from multi handle first - - Easy handles that are used by the multi interface should be removed from - the multi handle before they are cleaned up. - - Reported-by: Stephen M. Coakley - Ref: #7982 - Closes #7983 - -- url.c: fix the SIGPIPE comment for Curl_close - - Closes #7984 - -Version 7.80.0 (10 Nov 2021) - -Daniel Stenberg (10 Nov 2021) -- RELEASE-NOTES: synced - - for curl 7.80.0 - -- THANKS: add contributors from the 7.80.0 cycle - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: advertise h3 as well as h3-29 - - Advertise h3 as well as h3-29 since some servers out there require h3 - for QUIC v1. - - Closes #7979 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: use QUIC v1 consistently - - Since we switched to v1 quic_transport_parameters codepoint in #7960 - with quictls, lets use QUIC v1 consistently. - - Closes #7979 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: compile with the latest nghttp3 - - Closes #7978 - -Marc Hoersken (9 Nov 2021) -- tests: add Schannel-specific tests and disable unsupported ones - - Adds Schannel variants of SSLpinning tests that include the option - --ssl-revoke-best-effort to ignore certificate revocation check - failures which is required due to our custom test CA certificate. - - Disable the original variants if the Schannel backend is enabled. - - Also skip all IDN tests which are broken while using an msys shell. - - This is a step to simplify test exclusions for Windows and MinGW. - - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg - Closes #7968 - -Daniel Stenberg (8 Nov 2021) -- docs: NAME fixes in easy option man pages - - Closes #7975 - -- [Roger Young brought this change] - - ftp: make the MKD retry to retry once per directory - - Reported-by: Roger Young - Fixes #7967 - Closes #7976 - -- tool_operate: reorder code to avoid compiler warning - - tool_operate.c(889) : warning C4701: potentially uninitialized local - variable 'per' use - - Follow-up to cc71d352651a0d95 - Reported-by: Marc Hörsken - Bug: https://github.com/curl/curl/pull/7922#issuecomment-963042676 - Closes #7971 - -- curl_easy_perform.3: add a para about recv and send data - - Reported-by: Godwin Stewart - Fixes #7973 - Closes #7974 - -- tool_operate: fclose stream only if fopened - - Fixes torture test failures - Follow-up to cc71d352651 - - Closes #7972 - -- libcurl-easy.3: language polish - -- limit-rate.d: this is average over several seconds - - Closes #7970 - -- docs: reduce/avoid English contractions - - You're => You are - Hasn't => Has not - Doesn't => Does not - Don't => Do not - You'll => You will - etc - - Closes #7930 - -- tool_operate: fix torture leaks with etags - - Spotted by torture testing 343 344 345 347. - - Follow-up from cc71d352651a0 - Pointed-out-by: Dan Fandrich - - Closes #7969 - -- [Amaury Denoyelle brought this change] - - ngtcp2: support latest QUIC TLS RFC9001 - - QUIC Transport Parameters Extension has been changed between draft-29 - and latest RFC9001. Most notably, its identifier has been updated from - 0xffa5 to 0x0039. The version is selected through the QUIC TLS library - via the legacy codepoint. - - Disable the usage of legacy codepoint in curl to switch to latest - RFC9001. This is required to be able to keep up with latest QUIC - implementations. - - Acked-by: Tatsuhiro Tsujikawa - Closes #7960 - -- test1173: make manpage-syntax.pl spot \n errors in examples - -- man pages: fix backslash-n in examples - - ... to be proper backslash-backslash-n sequences to render nicely in man - and on website. - - Follow-up to 24155569d8a - Reported-by: Sergey Markelov - - Fixes https://github.com/curl/curl-www/issues/163 - Closes #7962 - -- scripts/release-notes.pl: use out of repo links verbatim in refs - -- tool_operate: a failed etag save now only fails that transfer - - When failing to create the output file for saving an etag, only fail - that particular single transfer and allow others to follow. - - In a serial transfer setup, if no transfer at all is done due to them - all being skipped because of this error, curl will output an error - message and return exit code 26. - - Added test 369 and 370 to verify. - - Reported-by: Earnestly on github - Ref: #7942 - Closes #7945 - -- [Kevin Burke brought this change] - - .github: retry macos "brew install" command on failure - - Previously we saw errors attempting to run "brew install", see - https://github.com/curl/curl/runs/4095721123?check_suite_focus=true for - an example, since this command is idempotent, it is safe to run again. - - Closes #7955 - -- CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred - - Ref: https://github.com/curl/curl/discussions/7954 - - Closes #7957 - -- RELEASE-NOTES: synced - -- zuul: pin the quiche build to use an older cmake-rs - - The latest cmake-rs assumes cmake's --parallel works. That was added in - cmake 3.12, but a lot of our CI builds run on Ubuntu Bionic which only - has cmake 3.10. - - Fixes #7927 - Closes #7952 - -- [Marc Hoersken brought this change] - - Revert "src/tool_filetime: disable -Wformat on mingw for this file" - - This reverts commit 7c88fe375b15c44d77bccc9ab733b8069d228e6f. - - Follow up to #6535 as the pragma is obsolete with warnf - - Closes #7941 - -Jay Satiro (2 Nov 2021) -- schannel: fix memory leak due to failed SSL connection - - - Call schannel_shutdown if the SSL connection fails. - - Prior to this change schannel_shutdown (which shuts down the SSL - connection as well as memory cleanup) was not called when the SSL - connection failed (eg due to failed handshake). - - Co-authored-by: Gisle Vanem - - Fixes https://github.com/curl/curl/issues/7877 - Closes https://github.com/curl/curl/pull/7878 - -Daniel Stenberg (2 Nov 2021) -- Curl_updateconninfo: store addresses for QUIC connections too - - So that CURLINFO_PRIMARY_IP etc work for HTTP/3 like for other HTTP - versions. - - Reported-by: Jerome Mao - Fixes #7939 - Closes #7944 - -- [Sergio Durigan Junior brought this change] - - curl.1: fix typos in the manpage - - s/transfering/transferring/ - s/transfered/transferred/ - - Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net> - Closes #7937 - -Marc Hoersken (1 Nov 2021) -- tests/smbserver.py: fix compatibility with impacket 0.9.23+ - - impacket now performs sanity checks if the requested and to - be served file path actually is inside the real share path. - - Ref: https://github.com/SecureAuthCorp/impacket/pull/1066 - - Fixes #7924 - Closes #7935 - -Daniel Stenberg (1 Nov 2021) -- docs: reduce use of "very" - - "Very" should be avoided in most texts. If intensifiers are needed, try - find better words instead. - - Closes #7936 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: specify the missing required callback functions - - Closes #7929 - -- CURLOPT_[PROXY]_SSL_CIPHER_LIST.3: bold instead of quote - - Bold the example ciphers instead of using single quotes, which then also - avoids the problem of how to use single quotes when first in a line. - - Also rephrased the pages a little. - - Reported-by: Sergio Durigan Junior - Ref: #7928 - Closes #7934 - -- gen.pl: replace leading single quotes with \(aq - - ... and allow single quotes to be used "normally" in the .d files. - - Makes the output curl.1 use better nroff. - - Reported-by: Sergio Durigan Junior - Ref: #7928 - Closes #7933 - -Marc Hoersken (1 Nov 2021) -- tests: kill some test servers afterwards to avoid locked logfiles - - Reviewed-by: Daniel Stenberg - Closes #7925 - -Daniel Stenberg (1 Nov 2021) -- smooth-gtk-thread.c: enhance the mutex lock use - - Reported-by: ryancaicse on github - Fixes #7926 - Closes #7931 - -Marc Hoersken (31 Oct 2021) -- CI/runtests.pl: restore -u flag, but remove it from CI runs - - This makes it possible to use -u again for local testing, - but removes the flag from CI config files and make targets. - - Reviewed-by: Daniel Stenberg - - Partially reverts #7841 - Closes #7921 - -Daniel Stenberg (29 Oct 2021) -- [Jonathan Cardoso Machado brought this change] - - CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required - - Closes #7923 - -- [Axel Morawietz brought this change] - - imap: display quota information - - Show response to "GETQUOTAROOT INBOX" command. - - Closes #6973 - -- RELEASE-NOTES: synced - -- [Boris Rasin brought this change] - - cmake: fix error getting LOCATION property on non-imported target - - Closes #7885 - -- [Xiaoke Wang brought this change] - - url: check the return value of curl_url() - - Closes #7917 - -- [Roy Li brought this change] - - configure.ac: replace krb5-config with pkg-config - - The rationale is that custom *-config tools don't work well when - cross-compiling or using sysroots (such as when using Yocto project) and - require custom fixing for each of them; pkg-config on the other hand - works similarly everywhere. - - Signed-off-by: Roy Li <rongqing.li@windriver.com> - Signed-off-by: Alexander Kanavin <alex@linutronix.de> - - Closes #7916 - -- test1160: edited to work with hyper - - Closes #7912 - -- data/DISABLED: enable tests that now work with hyper - - Closes #7911 - -- test559: add 'HTTP' in keywords - - Makes it run fine with hyper - - Closes #7911 - -- test552: updated to work with hyper - - Closes #7911 - -Marc Hoersken (27 Oct 2021) -- github: fix incomplete permission to label PRs for Hacktoberfest - - Unfortunately the GitHub API requires a token with write permission - for both issues and pull-requests to edit labels on even just PRs. - - Follow up to #7897 - -Daniel Stenberg (27 Oct 2021) -- opt-manpages: use 'Added in' instead of 'Since' - - Closes #7913 - -Marc Hoersken (27 Oct 2021) -- github: fix missing permission to label PRs for Hacktoberfest - - Follow up to #7897 - - Test references to see if permissions are now sufficient: - - Closes #7832 - Closes #7897 - -- CI: more use of test-ci make target and verbose output - - Replace test-nonflaky with test-ci and enable verbose output - in all remaining CIs except Zuul which is customized a lot. - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - - Follow up to #7785 - Closes #7832 - -- github: add support for Hacktoberfest using labels - - Automatically add hacktoberfest-accepted label to PRs opened between - September 30th and November 1st once a commit with a close reference - to it is pushed onto the master branch. - - With this workflow we can participate in Hacktoberfest while not - relying on GitHub to identify PRs as merged due to our rebasing. - - Requires hacktoberfest-accepted labels to exist for PRs on the - participating repository. Also requires hacktoberfest topic on - the participating repository to avoid applying to forked repos. - - Reviewed-by: Daniel Stenberg - - Fixes #7865 - Closes #7897 - -Daniel Stenberg (27 Oct 2021) -- http: reject HTTP response codes < 100 - - ... which then also includes negative ones as test 1430 uses. - - This makes native + hyper backend act identically on this and therefore - test 1430 can now be enabled when building with hyper. Adjust test 1431 - as well. - - Closes #7909 - -- [Kerem Kat brought this change] - - docs: fix typo in CURLOPT_TRAILERFUNCTION example - - Closes #7910 - -- docs/HYPER: remove some remaining issues, add HTTP/0.9 limitation - -- configure: when hyper is selected, deselect nghttp2 - - Closes #7908 - -- [Patrick Monnerat brought this change] - - sendf: accept zero-length data in Curl_client_write() - - Historically, Curl_client_write() used a length value of 0 as a marker - for a null-terminated data string. This feature has been removed in - commit f4b85d2. To detect leftover uses of the feature, a DEBUGASSERT - statement rejecting a length with value 0 was introduced, effectively - precluding use of this function with zero-length data. - - The current commit removes the DEBUGASSERT and makes the function to - return immediately if length is 0. - - A direct effect is to fix trying to output a zero-length distinguished - name in openldap. - - Another DEBUGASSERT statement is also rephrased for better readability. - - Closes #7898 - -- hyper: disable test 1294 since hyper doesn't allow such crazy headers - - Closes #7905 - -- c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work - - Verified by the enabled test 1288 - - Closes #7905 - -- test1287: make work on hyper - - Closes #7905 - -- test1266/1267: disabled on hyper: no HTTP/0.9 support - - Closes #7905 - -Viktor Szakats (25 Oct 2021) -- Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options - - Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled - (and then failed with an error when not finding expected OpenSSL headers), - but this isn't necessarly true, e.g. when building both libssh2 and curl - against Schannel. This patch makes sure to only enable the OpenSSL backend - with -libssh2/-rtmp, when there was no SSL option explicitly selected. - - - Re-implement the logic as a single block of script. - - Also fix an indentation while there. - - Assisted-by: Jay Satiro - - Closes #7895 - -Daniel Stenberg (25 Oct 2021) -- docs: consistent use of "Added in" - - Make them all say "Added in [version]" without using 'curl' or 'libcurl' - in that phrase. - -- man pages: require all to use the same section header order - - This is the same order we already enforce among the options' man pages: - consistency is good. Add lots of previously missing examples. - - Adjust the manpage-syntax script for this purpose, used in test 1173. - - Closes #7904 - -- [David Hu brought this change] - - docs/HTTP3: improve build instructions - - 1. If writing to a system path if the command is not prefixed with - `sudo` it will cause a permission denied error - - 2. The patched OpenSSL branch has been updated to `openssl-3.0.0+quic` - to match upstream OpenSSL version. - - 3. We should not disable GnuTLS docs. - - Updated some commands about `make install` - - Closes #7842 - -- [Ricardo Martins brought this change] - - CMake: restore support for SecureTransport on iOS - - Restore support for building curl for iOS with SecureTransport enabled. - - Closes #7501 - -- tests: enable more tests with hyper - - Adjusted 1144, 1164 and 1176. - - Closes #7900 - -- docs: provide "RETURN VALUE" section for more func manpages - - Three were missing, one used a non-standard name for the header. - - Closes #7902 - -Jay Satiro (25 Oct 2021) -- curl_multi_socket_action.3: add a "RETURN VALUE" section - - .. because it may not be immediately clear to the user what - curl_multi_socket_action returns. - - Ref: https://curl.se/mail/lib-2021-10/0035.html - - Closes https://github.com/curl/curl/pull/7901 - -Daniel Stenberg (24 Oct 2021) -- RELEASE-NOTES: synced - -- [Samuel Henrique brought this change] - - tests: use python3 in test 1451 - - This is a continuation of commit ec91b5a69000bea0794bbb3 in which - changing this test was missed. There are no other python2 leftovers - now. - - Based on a Debian patch originally written by Alessandro Ghedini - <ghedo@debian.org> - - Closes #7899 - -- [Eddie Lumpkin brought this change] - - lib: fixing comment spelling typos in lib files - - Closes #7894 - Signed-off-by: ewlumpkin <ewlumpkin@gmail.com> - -- openssl: if verifypeer is not requested, skip the CA loading - - It was previously done mostly to show a match/non-match in the verbose - output even when verification was not asked for. This change skips the - loading of the CA certs unless verifypeer is set to save memory and CPU. - - Closes #7892 - -- curl-confopts.m4: remove --enable/disable-hidden-symbols - - These configure options have been saying "deprecated" since 9e24b9c7af - (April 2012). It was about time we remove them. - - Closes #7891 - -- c-hyper: don't abort CONNECT responses early when auth-in-progress - - ... and make sure to stop ignoring the body once the CONNECT is done. - - This should make test 206 work proper again and not be flaky. - - Closes #7889 - -- hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING - - Simply because hyper doesn't have this ability. Mentioned in docs now. - - Skip test 326 then - - Closes #7889 - -- test262: don't attempt with hyper - - This test verifies that curl works with binary zeroes in HTTP response - headers and hyper refuses such. They're not kosher http. - - Closes #7889 - -- c-hyper: make test 217 run - - Closes #7889 - -- DISABLED: enable test 209+213 for hyper - - Follow-up to 823d3ab855c - - Closes #7889 - -- test207: accept a different error code for hyper - - It returns HYPERE_UNEXPECTED_EOF for this case which we convert to the - somewhat generic CURLE_RECV_ERROR. - - Closes #7889 - -- [Érico Nogueira brought this change] - - INSTALL: update symbol hiding option - - --enable-hidden-symbols was deprecated in - 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224. - - Closes #7890 - -- http_proxy: multiple CONNECT with hyper done better - - Enabled test 206 - - Closes #7888 - -- hyper: pass the CONNECT line to the debug callback - - Closes #7887 - -- mailmap: Malik Idrees Hasan Khan - -Jay Satiro (21 Oct 2021) -- [Malik Idrees Hasan Khan brought this change] - - build: fix typos - - Closes https://github.com/curl/curl/pull/7886 - -- URL-SYNTAX: add IMAP UID SEARCH example - - - Explain the difference between IMAP search via URL (which returns - message sequence numbers) and IMAP search via custom request (which - can return UID numbers if prefixed with UID, eg "UID SEARCH ..."). - - Bug: https://github.com/curl/curl/issues/7626 - Reported-by: orycho@users.noreply.github.com - - Ref: https://github.com/curl/curl/issues/2789 - - Closes https://github.com/curl/curl/pull/7881 - -Daniel Stenberg (20 Oct 2021) -- manpage: adjust the asterisk in some SYNOPSIS sections - - Closes #7884 - -- curl_multi_perform.3: polish wording - - - simplify the example by using curl_multi_poll - - - mention curl_multi_add_handle in the text - - - cut out the description of pre-7.20.0 return code behavior - that version - is now more than eleven years old and is basically no longer out there - - - adjust the "typical usage" to mention curl_multi_poll - - Closes #7883 - -- docs/THANKS: removed on request - -- FAQ: polish the explanation of libcurl - -- curl_easy_perform.3: minor wording tweak - -- [Erik Stenlund brought this change] - - mime: mention CURL_DISABLE_MIME in comment - - CURL_DISABLE_MIME is not mentioned in the comment describing the if else - preprocessor directive. - - Closes #7882 - -- tls: remove newline from three infof() calls - - Follow-up to e7416cf - - Reported-by: billionai on github - Fixes #7879 - Closes #7880 - -- RELEASE-NOTES: synced - -- curl_gssapi: fix build warnings by removing const - - Follow-up to 20e980f85b0ea6 - - In #7875 these inits were modified but I get two warnings that these new - typecasts are necessary for. - - Closes #7876 - -- [Bo Anderson brought this change] - - curl_gssapi: fix link error on macOS Monterey - - Fixes #7657 - Closes #7875 - -- test1185: verify checksrc - - Closes #7866 - -- checksrc: improve the SPACESEMICOLON error message - - and adjust the MULTISPACE one to use plural - - Closes #7866 - -- url: set "k->size" -1 at start of request - - The size of the transfer is unknown at that point. - - Fixes #7871 - Closes #7872 - -Daniel Gustafsson (18 Oct 2021) -- doh: remove experimental code for DoH with GET - - The code for sending DoH requests with GET was never enabled in a way - such that it could be used or tested. As there haven't been requests - for this feature, and since it at this is effectively dead, remove it - and favor reimplementing the feature in case anyone is interested. - - Closes #7870 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (18 Oct 2021) -- cirrus: remove FreeBSD 11.4 from the matrix - - It has reached End-Of-Life and causes some LDAP CI issues. - - Closes #7869 - -- cirrus: switch to openldap24-client - - ... as it seems openldap-client doesn't exist anymore. - - Reported-by: Jay Satiro - Fixes #7868 - Closes #7869 - -- checksrc: ignore preprocessor lines - - In order to check the actual code better, checksrc now ignores - everything that look like preprocessor instructions. It also means - that code in macros are now longer checked. - - Note that some rules then still don't need to be followed when code is - exactly below a cpp instruction. - - Removes two checksrc exceptions we needed previously because of - preprocessor lines being checked. - - Reported-by: Marcel Raad - Fixes #7863 - Closes #7864 - -- urlapi: skip a strlen(), pass in zero - - ... to let curl_easy_escape() itself do the strlen. This avoids a (false - positive) Coverity warning and it avoids us having to store the strlen() - return value in an int variable. - - Reviewed-by: Daniel Gustafsson - Closes #7862 - -- misc: update copyright years - -- examples/htmltidy: correct wrong printf() use - - ... and update the includes to match how current htmltidy wants them - used. - - Reported-by: Stathis Kapnidis - Fixes #7860 - Closes #7861 - -Jay Satiro (15 Oct 2021) -- http: set content length earlier - - - Make content length (ie download size) accessible to the user in the - header callback, but only after all headers have been processed (ie - only in the final call to the header callback). - - Background: - - For a long time the content length could be retrieved in the header - callback via CURLINFO_CONTENT_LENGTH_DOWNLOAD_T as soon as it was parsed - by curl. - - Changes were made in 8a16e54 (precedes 7.79.0) to ignore content length - if any transfer encoding is used. A side effect of that was that - content length was not set by libcurl until after the header callback - was called the final time, because until all headers are processed it - cannot be determined if content length is valid. - - This change keeps the same intention --all headers must be processed-- - but now the content length is available before the final call to the - header function that indicates all headers have been processed (ie - a blank header). - - Bug: https://github.com/curl/curl/commit/8a16e54#r57374914 - Reported-by: sergio-nsk@users.noreply.github.com - - Co-authored-by: Daniel Stenberg - - Fixes https://github.com/curl/curl/issues/7804 - Closes https://github.com/curl/curl/pull/7803 - -Daniel Stenberg (15 Oct 2021) -- [Abhinav Singh brought this change] - - aws-sigv4: make signature work when post data is binary - - User sets the post fields size for binary data. Hence, we should not be - using strlen on it. - - Added test 1937 and 1938 to verify. - - Closes #7844 - -- [a1346054 brought this change] - - MacOSX-Framework: remove redundant ';' - - Closes #7859 - -- RELEASE-NOTES: synced - -- openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway - - One reason we know it can fail is if a provider is used that doesn't do - a proper job or is wrongly configured. - - Reported-by: Michael Baentsch - Fixes #7840 - Closes #7856 - -Marcel Raad (14 Oct 2021) -- [Ryan Mast brought this change] - - cmake: add CURL_ENABLE_SSL option and make CMAKE_USE_* SSL backend options depend on it - - Closes https://github.com/curl/curl/pull/7822 - -Daniel Stenberg (14 Oct 2021) -- http: remove assert that breaks hyper - - Reported-by: Jay Satiro - Fixes #7852 - Closes #7855 - -- http_proxy: fix one more result assign for hyper - - and remove the bad assert again, since it was run even with no error! - - Closes #7854 - -Jay Satiro (14 Oct 2021) -- sws: fix memory leak on exit - - - Free the allocated http request struct on cleanup. - - Prior to this change if sws was built with leak sanitizer it would - report a memory leak error during testing. - - Closes https://github.com/curl/curl/pull/7849 - -Daniel Stenberg (14 Oct 2021) -- c-hyper: make Curl_http propagate errors better - - Pass on better return codes when errors occur within Curl_http instead - of insisting that CURLE_OUT_OF_MEMORY is the only possible one. - - Pointed-out-by: Jay Satiro - Closes #7851 - -- http_proxy: make hyper CONNECT() return the correct error code - - For every 'goto error', make sure the result variable holds the error - code for what went wrong. - - Reported-by: Rafał Mikrut - Fixes #7825 - Closes #7846 - -- docs/Makefile.am: repair 'make html' - - by removing index.html which isn't around anymore - - Closes #7853 - -- [Борис Верховский brought this change] - - curl: correct grammar in generated libcurl code - - Closes #7802 - -- tests: disable test 2043 - - It uses revoked.badssl.com which now is expired and therefor this now - permafails. We should not use external sites for tests, this test should - be converted to use our own infra. - - Closes #7845 - -- runtests: split out ignored tests - - Report ignore tests separately from the actual fails. - - Don't exit non-zero if test servers couldn't get killed. - - Assisted-by: Jay Satiro - - Fixes #7818 - Closes #7841 - -- http2: make getsock not wait for write if there's no remote window - - While uploading, check for remote window availability in the getsock - function so that we don't wait for a writable socket if no data can be - sent. - - Reported-by: Steini2000 on github - Fixes #7821 - Closes #7839 - -- test368: verify dash is appended for "-r [num]" - - Follow-up to 8758a26f8878 - -- [Борис Верховский brought this change] - - curl: actually append "-" to --range without number only - - Closes #7837 - -- RELEASE-NOTES: synced - -- urlapi: URL decode percent-encoded host names - - The host name is stored decoded and can be encoded when used to extract - the full URL. By default when extracting the URL, the host name will not - be URL encoded to work as similar as possible as before. When not URL - encoding the host name, the '%' character will however still be encoded. - - Getting the URL with the CURLU_URLENCODE flag set will percent encode - the host name part. - - As a bonus, setting the host name part with curl_url_set() no longer - accepts a name that contains space, CR or LF. - - Test 1560 has been extended to verify percent encodings. - - Reported-by: Noam Moshe - Reported-by: Sharon Brizinov - Reported-by: Raul Onitza-Klugman - Reported-by: Kirill Efimov - Fixes #7830 - Closes #7834 - -Marc Hoersken (8 Oct 2021) -- CI/makefiles: introduce dedicated test target - - Make it easy to use the same set of test flags - throughout all current and future CI builds. - - Reviewed-by: Jay Satiro - - Follow up to #7690 - Closes #7785 - -Daniel Stenberg (8 Oct 2021) -- maketgz: redirect updatemanpages.pl output to /dev/null - -- CURLOPT_HTTPHEADER.3: add descripion for specific headers - - Settting Host: or Transfer-Encoding: chunked actually have special - meanings to libcurl. This change tries to document them - - Closes #7829 - -- c-hyper: use hyper_request_set_uri_parts to make h2 better - - and make sure to not send Host: over h2. - - Fixes #7679 - Reported-by: David Cook - Closes #7827 - -- [Michael Afanasiev brought this change] - - curl-openssl.m4: modify library order for openssl linking - - lcrypto may depend on lz, and configure corrently fails with when - statically linking as the order is "-lz -lcrypto". This commit switches - the order to "-lcrypto -lz". - - Closes #7826 - -Marcel Raad (7 Oct 2021) -- sha256: use high-level EVP interface for OpenSSL - - Available since OpenSSL 0.9.7. The low-level SHA256 interface is - deprecated in OpenSSL v3, and its usage was discouraged even before. - - Closes https://github.com/curl/curl/pull/7808 - -- curl_ntlm_core: use OpenSSL only if DES is available - - This selects another SSL backend then if available, or otherwise at - least gives a meaningful error message. - - Closes https://github.com/curl/curl/pull/7808 - -- md5: fix compilation with OpenSSL 3.0 API - - Only use OpenSSL's MD5 code if it's available. - - Also fix wolfSSL build with `NO_MD5`, in which case neither the - wolfSSL/OpenSSL implementation nor the fallback implementation was - used. - - Closes https://github.com/curl/curl/pull/7808 - -Daniel Stenberg (7 Oct 2021) -- print_category: printf %*s needs an int argument - - ... not a size_t! - - Detected by Coverity: CID 1492331. - Closes #7823 - -Jay Satiro (7 Oct 2021) -- version_win32: use actual version instead of manifested version - - - Use RtlVerifyVersionInfo instead of VerifyVersionInfo, when possible. - - Later versions of Windows have normal version functions that compare and - return versions based on the way the application is manifested, instead - of the actual version of Windows the application is running on. We - prefer the actual version of Windows so we'll now call the Rtl variant - of version functions (RtlVerifyVersionInfo) which does a proper - comparison of the actual version. - - Reported-by: Wyatt O'Day - - Ref: https://github.com/curl/curl/pull/7727 - - Fixes https://github.com/curl/curl/issues/7742 - Closes https://github.com/curl/curl/pull/7810 - -Daniel Stenberg (6 Oct 2021) -- RELEASE-NOTES: synced - -- http: fix Basic auth with empty name field in URL - - Add test 367 to verify. - - Reported-by: Rick Lane - Fixes #7819 - Closes #7820 - -- [Jeffrey Tolar brought this change] - - CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse - - ... and close connections that are too old instead of reusing them. - - By default, this behavior is disabled. - - Bug: https://curl.se/mail/lib-2021-09/0058.html - Closes #7751 - -Daniel Gustafsson (6 Oct 2021) -- docs/examples: add missing binaries to gitignore - - Commit f65d7889b added getreferrer, and commit ae8e11ed5 multi-legacy, - both of which missed adding .gitignore clauses for the built binaries. - - Closes #7817 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (5 Oct 2021) -- [Josip Medved brought this change] - - HTTP3: fix the HTTP/3 Explained book link - - Closes #7813 - -- [Lucas Holt brought this change] - - misc: fix a few issues on MidnightBSD - - Closes #7812 - -Daniel Gustafsson (4 Oct 2021) -- [8U61ife brought this change] - - tool_main: fix typo in comment - - Closes: #7811 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -Daniel Stenberg (4 Oct 2021) -- [Ryan Mast brought this change] - - BINDINGS: URL updates - - For cpr, BBHTTP, Eiffel, Harbour, Haskell, Mono, and Rust - - Closes #7809 - -- scripts/delta: hide a git error message we don't care about - - fatal: path 'src/tool_listhelp.c' exists on disk, but not in [tag] - -- [Patrick Monnerat brought this change] - - sasl: binary messages - - Capabilities of sasl module are extended to exchange messages in binary - as an alternative to base64. - - If http authentication flags have been set, those are used as sasl - default preferred mechanisms. - - Closes #6930 - -- [Hayden Roche brought this change] - - wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity - - Prior to this commit, OpenSSL could be used for all these functions, but - not wolfSSL. This commit makes it so wolfSSL will be used if USE_WOLFSSL - is defined. - - Closes #7806 - -- scripts/delta: count command line options in the new file - - ... which makes the shown delta number wrong until next release. - -- RELEASE-NOTES: synced - -- print_category: print help descriptions aligned - - Adjust the description position to make an aligned column when doing - help listings, which is more pleasing to the eye. - - Suggested-by: Gisle Vanem - Closes #7792 - -- lib/mk-ca-bundle.pl: skip certs passed Not Valid After date - - With this change applied, the now expired 'DST Root CA X3' cert will no - longer be included in the output. - - Details: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ - - Closes #7801 - -- tool_listhelp: easier to generate with gen.pl - - tool_listhelp.c is now a separate file with only the command line --help - output, exactly as generated by gen.pl. This makes it easier to generate - updates according to what's in the docs/cmdline-opts docs. - - cd $srcroot/docs/cmdline-opts - ./gen.pl listhelp *.d > $srcroot/src/tool_listhelp.c - - With a configure build, this also works: - - make -C src listhelp - - Closes #7787 - -- [Anthony Hu brought this change] - - wolfssl: allow setting of groups/curves - - In particular, the quantum safe KEM and hybrid curves if wolfSSL is - built to support them. - - Closes #7728 - -- [Jan Mazur brought this change] - - connnect: use sysaddr_un fron sys/un.h or custom-defined for windows - - Closes #7737 - -Jay Satiro (30 Sep 2021) -- [Rikard Falkeborn brought this change] - - hostip: Move allocation to clarify there is no memleak - - By just glancing at the code, it looks like there is a memleak if the - call to Curl_inet_pton() fails. Looking closer, it is clear that the - call to Curl_inet_pton() can not fail, so the code will never leak - memory. However, we can make this obvious by moving the allocation - after the if-statement. - - Closes https://github.com/curl/curl/pull/7796 - -Daniel Stenberg (30 Sep 2021) -- gen.pl: make the output date format work better - - Follow-up to 15910dfd143dd - - The previous strftime format used didn't work correctly on Windows, so - change to %B %d %Y which today looks like "September 29 2021". - - Reported-by: Gisle Vanem - Bug: #7782 - Closes #7793 - -- typecheck-gcc.h: add CURLOPT_PREREQDATA awareness - - Follow-up to a517378de58358a - - To make test 1912 happy again - - Closes #7799 - -Marcel Raad (29 Sep 2021) -- configure: remove `HAVE_WINSOCK_H` definition - - It's not used anymore. - - Closes https://github.com/curl/curl/pull/7795 - -- CMake: remove `HAVE_WINSOCK_H` definition - - It's not used anymore. - - Closes https://github.com/curl/curl/pull/7795 - -- config: remove `HAVE_WINSOCK_H` definition - - It's not used anymore. - - Closes https://github.com/curl/curl/pull/7795 - -- lib: remove `HAVE_WINSOCK_H` usage - - WinSock v1 is not supported anymore. Exclusively use `HAVE_WINSOCK2_H` - instead. - - Closes https://github.com/curl/curl/pull/7795 - -Daniel Stenberg (29 Sep 2021) -- easyoptions: add the two new PRE* options - - Follow-up to a517378de58358a - - Also fix optiontable.pl to do the correct remainder on the entry. - - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/a517378de58358a85b7cfe9efecb56051268f629#commitcomment-57224830 - Closes #7791 - -- Revert "build: remove checks for WinSock 1" - - Due to CI issues - - This reverts commit c2ea04f92b00b6271627cb218647527b5a50f2fc. - - Closes #7790 - -Daniel Gustafsson (29 Sep 2021) -- lib: avoid fallthrough cases in switch statements - - Commit b5a434f7f0ee4d64857f8592eced5b9007d83620 inhibits the warning - on implicit fallthrough cases, since the current coding of indicating - fallthrough with comments is falling out of fashion with new compilers. - This attempts to make the issue smaller by rewriting fallthroughs to no - longer fallthrough, via either breaking the cases or turning switch - statements into if statements. - - lib/content_encoding.c: the fallthrough codepath is simply copied - into the case as it's a single line. - lib/http_ntlm.c: the fallthrough case skips a state in the state- - machine and fast-forwards to NTLMSTATE_LAST. Do this before the - switch statement instead to set up the states that we actually - want. - lib/http_proxy.c: the fallthrough is just falling into exiting the - switch statement which can be done easily enough in the case. - lib/mime.c: switch statement rewritten as if statement. - lib/pop3.c: the fallthrough case skips to the next state in the - statemachine, do this explicitly instead. - lib/urlapi.c: switch statement rewritten as if statement. - lib/vssh/wolfssh.c: the fallthrough cases fast-forwards the state - machine, do this by running another iteration of the switch - statement instead. - lib/vtls/gtls.c: switch statement rewritten as if statement. - lib/vtls/nss.c: the fallthrough codepath is simply copied into the - case as it's a single line. Also twiddle a comment to not be - inside a non-brace if statement. - - Closes: #7322 - See-also: #7295 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Marcel Raad (28 Sep 2021) -- config-win32ce: enable WinSock 2 - - WinSock 2.2 is supported by Windows CE .NET 4.1 (from 2002, out of - support since 2013). - - Ref: https://docs.microsoft.com/en-us/previous-versions/windows/embedded/ms899586(v=msdn.10) - - Closes https://github.com/curl/curl/pull/7778 - -- externalsocket: use WinSock 2.2 - - That's the only version we support. - - Closes https://github.com/curl/curl/pull/7778 - -- build: remove checks for WinSock 1 - - It's not supported anymore. - - Closes https://github.com/curl/curl/pull/7778 - -Daniel Stenberg (28 Sep 2021) -- scripts/copyright: .muse is .lift now - - And update 5 files with old copyright year range - -- cmdline-opts: made the 'Added:' field mandatory - - Since "too old" versions are no longer included in the generated man - page, this field is now mandatory so that it won't be forgotten and then - not included in the documentation. - - Closes #7786 - -- curl.1: remove mentions of really old version changes - - To make the man page more readable, this change removes all references - to changes in support/versions etc that happened before 7.30.0 from the - curl.1 output file. 7.30.0 was released on Apr 12 2013. This particular - limit is a bit arbitrary but was fairly easy to grep for. - - It is handled like this: the 'Added' keyword is only used in output if - it refers to 7.30.0 or later. All occurances of "(Added in $VERSION)" in - description will be stripped out if the mentioned $VERSION is from - before 7.30.0. It is therefore important that the "Added in..." - references are always written exactly like that - and on a single line, - not split over two. - - This change removes about 80 version number references from curl.1, down - to 138 from 218. - - Closes #7786 - -- RELEASE-NOTES: synced - -- tool_cb_prg: make resumed upload progress bar show better - - This is a regression that was *probably* injected in the larger progress - bar overhaul in 2018. - - Reported-by: beslick5 on github - Fixes #7760 - Closes #7777 - -- gen.pl: insert the current date and version in generated man page - - Reported-by: Gisle Vanem - Ref: #7780 - Closes #7782 - -- NTLM: use DES_set_key_unchecked with OpenSSL - - ... as the previously used function DES_set_key() will in some cases - reject using a key that it deems "weak" which will cause curl to - continue using the unitialized buffer content as key instead. - - Assisted-by: Harry Sintonen - Fixes #7779 - Closes #7781 - -Marc Hoersken (27 Sep 2021) -- CI: align make and test flags in various config files - - 1. Use Makefile target to run tests in autotools builds on AppVeyor. - 2. Disable testing of SCP protocol on native Windows environments. - 3. Remove redundant parameters -a -p from target test-nonflaky. - 4. Don't use -vc parameter which is reserved for debugging. - - Replaces #7591 - Closes #7690 - -Daniel Stenberg (27 Sep 2021) -- mailmap: unify Max! - -- [Max Dymond brought this change] - - CURLOPT_PREREQFUNCTION: add new callback - - Triggered before a request is made but after a connection is set up - - Changes: - - - callback: Update docs and callback for pre-request callback - - Add documentation for CURLOPT_PREREQDATA and CURLOPT_PREREQFUNCTION, - - Add redirect test and callback failure test - - Note that the function may be called multiple times on a redirection - - Disable new 2086 test due to Windows weirdness - - Closes #7477 - -- KNOWN_BUGS: HTTP/2 connections through HTTPS proxy frequently stall - - Closes #6936 - -- TODO: make configure use --cache-file more and better - - Closes #7753 - -- [Sergey Markelov brought this change] - - urlapi: support UNC paths in file: URLs on Windows - - - file://host.name/path/file.txt is a valid UNC path - \\host.name\path\files.txt to a non-local file transformed into URI - (RFC 8089 Appendix E.3) - - - UNC paths on other OSs must be smb: URLs - - Closes #7366 - -- [Gleb Ivanovsky brought this change] - - urlapi: add curl_url_strerror() - - Add curl_url_strerror() to convert CURLUcode into readable string and - facilitate easier troubleshooting in programs using URL API. - Extend CURLUcode with CURLU_LAST for iteration in unit tests. - Update man pages with a mention of new function. - Update example code and tests with new functionality where it fits. - - Closes #7605 - -- RELEASE-NOTES: synced - -- [Mats Lindestam brought this change] - - libssh2: add SHA256 fingerprint support - - Added support for SHA256 fingerprint in command line curl and in - libcurl. - - Closes #7646 - -- libcurl.rc: switch out the copyright symbol for plain ASCII - - Reported-by: Vitaly Varyvdin - Assisted-by: Viktor Szakats - Fixes #7765 - Closes #7776 - -- [Jun-ya Kato brought this change] - - ngtcp2: fix QUIC transport parameter version - - fix inappropriate version setting for QUIC transport parameters. - this patch keeps curl with ngtcp2 uses QUIC draft version (h3-29). - - Closes #7771 - -- examples/imap-append: fix end-of-data check - - Reported-by: Alexander Chuykov - Fixes #7774 - Closes #7775 - -Michael Kaufmann (24 Sep 2021) -- vtls: Fix a memory leak if an SSL session cannot be added to the cache - - On connection shutdown, a new TLS session ticket may arrive after the - SSL session cache has already been destructed. In this case, the new - SSL session cannot be added to the SSL session cache. - - The callers of Curl_ssl_addsessionid() need to know whether the SSL - session has been added to the cache. If it has not been added, the - reference counter of the SSL session must not be incremented, or memory - used by the SSL session must be freed. This is now possible with the new - output parameter "added" of Curl_ssl_addsessionid(). - - Fixes #7683 - Closes #7752 - -Daniel Stenberg (24 Sep 2021) -- [Momoka Yamamoto brought this change] - - HTTP3.md: use 'autoreconf -fi' instead of buildconf - - buildconf is not used since #5853 - - Closes #7746 - -- GIT-INFO: rephrase to adapt to s/buildconf/autoreconf - -- [h1zzz brought this change] - - llist: remove redundant code, branch will not be executed - - Closes #7770 - -- [tlahn brought this change] - - HTTP-COOKIES.md: remove duplicate 'each' - - Closes #7772 - -Jay Satiro (24 Sep 2021) -- [Joel Depooter brought this change] - - libssh2: Get the version at runtime if possible - - Previously this code used a compile time constant, meaning that libcurl - always reported the libssh2 version that libcurl was built with. This - could differ from the libssh2 version actually being used. The new code - uses the CURL_LIBSSH2_VERSION macro, which is defined in ssh.h. The - macro calls the libssh2_version function if it is available, otherwise - it falls back to the compile time version. - - Closes https://github.com/curl/curl/pull/7768 - -- [Joel Depooter brought this change] - - schannel: fix typo - - Closes https://github.com/curl/curl/pull/7769 - -Daniel Stenberg (23 Sep 2021) -- cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED - - To avoid the "... is deprecated" warnings brought by OpenSSL v3. - (We need to address the underlying code at some point of course.) - - Assisted-by: Jakub Zakrzewski - Closes #7767 - -- curl-openssl: pass argument to sed single-quoted - - ... instead of using an escaped double-quote. This is an attempt to make - this work better with ksh that otherwise would insist on a double - escape! - - Reported-by: Randall S. Becker - Fixes #7758 - Closes #7764 - -- RELEASE-NOTES: synced - - Bumped curlver to 7.80.0-dev - -- [a1346054 brought this change] - - misc: fix typos in docs and comments - - No user facing output from curl/libcurl is changed by this, just - comments. - - Closes #7747 - -- [Thomas M. DuBuisson brought this change] - - ci: update Lift config to match requirements of curl build - - Also renamed Muse -> Lift, the new tool name. - - Closes #7761 - -- [Rikard Falkeborn brought this change] - - cleanup: constify unmodified static structs - - Constify a number of static structs that are never modified. Make them - const to show this. - - Closes #7759 - -Version 7.79.1 (22 Sep 2021) - -Daniel Stenberg (22 Sep 2021) -- RELEASE-NOTES: synced - - curl 7.79.1 release - -- THANKS: added names from the 7.79.1 release - -- test897: verify delivery of IMAP post-body header content - - The "content" is delivered as "body" by curl, but the envelope continues - after the body and the rest of it should be delivered as header. - - The IMAP server can now get 'POSTFETCH' set to include more data to - include after the body and test 897 is done to verify that such "extra" - header data is in fact delivered by curl as header. - - Ref: #7284 but fails to reproduce the issue - - Closes #7748 - -- KNOWN_BUGS: connection migration doesn't work - - Closes #7695 - -- RELEASE-NOTES: synced - -- http: fix the broken >3 digit response code detection - - When the "reason phrase" in the HTTP status line starts with a digit, - that was treated as the forth response code digit and curl would claim - the response to be non-compliant. - - Added test 1466 to verify this case. - - Regression brought by 5dc594e44f73b17 - Reported-by: Glenn de boer - Fixes #7738 - Closes #7739 - -Jay Satiro (17 Sep 2021) -- strerror: use sys_errlist instead of strerror on Windows - - - Change Curl_strerror to use sys_errlist[errnum] instead of strerror to - retrieve the error message on Windows. - - Windows' strerror writes to a static buffer and is not thread-safe. - - Follow-up to 2f0bb86 which removed most instances of strerror in favor - of calling Curl_strerror (which calls strerror_r for other platforms). - - Ref: https://github.com/curl/curl/pull/7685 - Ref: https://github.com/curl/curl/commit/2f0bb86 - - Closes https://github.com/curl/curl/pull/7735 - -Daniel Stenberg (16 Sep 2021) -- dist: provide lib/.checksrc in the tarball - - So that debug builds work (checksrc really) - - Reported-by: Marcel Raad - Reported-by: tawmoto on github - Fixes #7733 - Closes #7734 - -- TODO: Improve documentation about fork safety - - Closes #6968 - -- hsts: CURLSTS_FAIL from hsts read callback should fail transfer - - ... and have CURLE_ABORTED_BY_CALLBACK returned. - - Extended test 1915 to verify. - - Reported-by: Jonathan Cardoso - Fixes #7726 - Closes #7729 - -- test1184: disable - - The test should be fine and it works for me repeated when run manually, - but clearly it causes CI failures and it needs more research. - - Reported-by: RiderALT on github - Fixes #7725 - Closes #7732 - -- Curl_http2_setup: don't change connection data on repeat invokes - - Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved - transfer oriented inits to before the check but also erroneously moved a - few connection oriented ones, which causes problems. - - Reported-by: Evangelos Foutras - Fixes #7730 - Closes #7731 - -- RELEASE-NOTES: synced - - and bump to 7.79.1 - -Kamil Dudka (16 Sep 2021) -- tests/sshserver.pl: make it work with openssh-8.7p1 - - ... by not using options with no argument where an argument is required: - - === Start of file tests/log/ssh_server.log - curl_sshd_config line 6: no argument after keyword "DenyGroups" - curl_sshd_config line 7: no argument after keyword "AllowGroups" - curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2 - curl_sshd_config line 29: Deprecated option KeyRegenerationInterval - curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication - curl_sshd_config line 40: Deprecated option RSAAuthentication - curl_sshd_config line 41: Deprecated option ServerKeyBits - curl_sshd_config line 45: Deprecated option UseLogin - curl_sshd_config line 56: no argument after keyword "AcceptEnv" - curl_sshd_config: terminating, 3 bad configuration options - === End of file tests/log/ssh_server.log - - === Start of file log/sftp_server.log - curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication" - curl_sftp_config line 34: Unsupported option "rsaauthentication" - curl_sftp_config line 52: no argument after keyword "sendenv" - curl_sftp_config: terminating, 1 bad configuration options - Connection closed. - Connection closed - === End of file log/sftp_server.log - - Closes #7724 - -Daniel Stenberg (15 Sep 2021) -- hsts: handle unlimited expiry - - When setting a blank expire string, meaning unlimited, curl would pass - TIME_T_MAX to getime_r() when creating the output, while on 64 bit - systems such a large value cannot be convetered to a tm struct making - curl to exit the loop with an error instead. It can't be converted - because the year it would represent doesn't fit in the 'int tm_year' - field! - - Starting now, unlimited expiry is instead handled differently by using a - human readable expiry date spelled out as "unlimited" instead of trying - to use a distant actual date. - - Test 1660 and 1915 have been updated to help verify this change. - - Reported-by: Jonathan Cardoso - Fixes #7720 - Closes #7721 - -- curl_multi_fdset: make FD_SET() not operate on sockets out of range - - The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was - built to use select(), even though the curl_multi_fdset() function - always and unconditionally uses FD_SET and needs the check. - - Reported-by: 0xee on github - Fixes #7718 - Closes #7719 - -- FAQ: add GOPHERS + curl works on data, not files - -Version 7.79.0 (14 Sep 2021) - -Daniel Stenberg (14 Sep 2021) -- RELEASE-NOTES: synced - - For the 7.79.0 release - -- THANKS: add contributors from 7.79.0 release cycle - -- FAQ: add two dev related questions - - 8.1 Why does curl use C89? - 8.2 Will curl be rewritten? - - Spell-checked-by: Paul Johnson - Closes #7715 - -- zuul.d/jobs: disable three tests for *-openssl-disable-proxy - - ... as they mysteriously seem to permfail without being related to - proxy. - - Closes #7714 - -- [Patrick Monnerat brought this change] - - ftp,imap,pop3,smtp: reject STARTTLS server response pipelining - - If a server pipelines future responses within the STARTTLS response, the - former are preserved in the pingpong cache across TLS negotiation and - used as responses to the encrypted commands. - - This fix detects pipelined STARTTLS responses and rejects them with an - error. - - CVE-2021-22947 - - Bug: https://curl.se/docs/CVE-2021-22947.html - -- [Patrick Monnerat brought this change] - - ftp,imap,pop3: do not ignore --ssl-reqd - - In imap and pop3, check if TLS is required even when capabilities - request has failed. - - In ftp, ignore preauthentication (230 status of server greeting) if TLS - is required. - - Bug: https://curl.se/docs/CVE-2021-22946.html - - CVE-2021-22946 - -- [z2_ on hackerone brought this change] - - mqtt: clear the leftovers pointer when sending succeeds - - CVE-2021-22945 - - Bug: https://curl.se/docs/CVE-2021-22945.html - -- zuul: bump the rustls job to use v0.7.2 - - ... and add -lm when using a rust library. - - Closes #7701 - -- RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023 - -- SECURITY-PROCESS: tweak a little to match current practices - - Closes #7713 - -- http_proxy: fix the User-Agent inclusion in CONNECT - - It should not refer to the uagent string that is allocated and created - for the end server http request, as that pointer may be cleared on - subsequent CONNECT requests. - - Added test case 1184 to verify. - - Reported-by: T200proX7 on github - Fixes #7705 - Closes #7707 - -- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited - - Reported-by: Jonathan Cardoso - Fixes #7710 - Closes #7711 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: fix build with ngtcp2 and nghttp3 - - ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros. - Check the wrapped functions instead. - - ngtcp2_stream_close callback now takes flags parameter. - - Closes #7709 - -- write-out.d: clarify size_download/upload - - They show the number of "body" bytes transfered. - Fixes #7702 - Closes #7706 - -- http2: Curl_http2_setup needs to init stream data in all invokes - - Thus function was written to avoid doing multiple connection data - initializations, which is fine, but since it also initiates stream - related data it is crucial that it doesn't skip those even if called - again for the same connection. Solved by moving the stream - initializations before the "doing-it-again" check. - - Reported-by: Inho Oh - Fixes #7630 - Closes #7692 - -- url: fix compiler warning in no-verbose builds - - Follow-up from 2f0bb864c12 - - Closes #7700 - -- non-ascii: fix build errors from strerror fix - - Follow-up to 2f0bb864c12 - - Closes #7697 - -- parse_args: redo the warnings for --remote-header-name combos - - ... to avoid the memory leak risk pointed out by scan-build. - - Follow-up from 7a3e981781d6c18a - - Closes #7698 - -- ngtcp2: adapt to new size defintions upstream - - Reviewed-by: Tatsuhiro Tsujikawa - Closes #7699 - -- rustls: add strerror.h include - - Follow-up to 2f0bb864c12 - -- docs: the security list is reached at security at curl.se now - - Also update the FAQ section a bit to encourage users to rather submit - security issues on hackerone than sending email. - - Closes #7689 - -Marc Hoersken (9 Sep 2021) -- runtests: add option -u to error on server unexpectedly alive - - Let's try to actually handle the server unexpectedly alive - case by first making them visible on CI builds as failures. - - This is needed to detect issues with killing of the test - servers completely including nested process chains with - multiple PIDs per test server (including bash and perl). - - On Windows/cygwin platforms this is especially helpful with - debugging PID mixups due to cygwin using its own PID space. - - Reviewed-by: Daniel Stenberg - Closes #7180 - -Daniel Stenberg (9 Sep 2021) -- opts docs: unify phrasing in NAME header - - - avoid writing "set ..." or "enable/disable ..." or "specify ..." - *All* options for curl_easy_setopt() are about setting or enabling - things and most of the existing options didn't use that way of - description. - - - start with lowercase letter, unless abbreviation. For consistency. - - - Some additional touch-ups - - Closes #7688 - -- strerror.h: remove the #include from files not using it - -- lib: don't use strerror() - - We have and provide Curl_strerror() internally for a reason: strerror() - is not necessarily thread-safe so we should always try to avoid it. - - Extended checksrc to warn for this, but feature the check disabled by - default and only enable it in lib/ - - Closes #7685 - -Daniel Gustafsson (8 Sep 2021) -- cirrus: Add FreeBSD 13.0 job and disable sanitizer build - - As alluded to the in the now removed comment, a 13.0 image became - available and is now ready to be used. - - The sanitizer builds were running on the 12.1 image which since has - been removed from the config, leaving the builds not running at all. - When enabled it turns out that they don't actually work due to very - long timeouts in executing the tests, so keep the disabled for now - but a bit more controlled. - - Closes #7592 - -Daniel Stenberg (8 Sep 2021) -- copyrights: update copyright year ranges - -- RELEASE-NOTES: synced - -- INTERNALS: c-ares has a new home: c-ares.org - -- docs: remove experimental mentions from HSTS and MQTT - - Reported-by: Jonathan Cardoso - Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863 - Closes #7681 - -- [Cao ZhenXiang brought this change] - - curl: add warning for incompatible parameters usage - - --continue-at - and --remote-header-name are known incompatible parameters - - Closes #7674 - -- [git-bruh brought this change] - - examples/*hiperfifo.c: fix calloc arguments to match function proto - - Closes #7678 - -- INTERNALS: bump c-ares requirement to 1.16.0 - - Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0 - -- curl: stop retry if Retry-After: is longer than allowed - - If Retry-After: specifies a period that is longer than what fits within - --retry-max-time, then stop retrying immediately. - - Added test 366 to verify. - - Reported-by: Kari Pahula - Fixes #7675 - Closes #7676 - -- [Michał Antoniak brought this change] - - mbedtls: avoid using a large buffer on the stack - - Use dynamic memory allocation for the buffer used in checking "pinned - public key". The PUB_DER_MAX_BYTES parameter with default settings is - set to a value greater than 2kB. - - Co-authored-by: Daniel Stenberg - Closes #7586 - -- configure: make --disable-hsts work - - The AC_ARG_ENABLE() macro itself uses a variable called - 'enable_[option]', so when our script also used a variable with that - name for the purpose of storing what the user wants, it also - accidentally made it impossible to switch off the feature with - --disable-hsts. Fix this by renaming our variable. - - Reported-by: Michał Antoniak - Fixes #7669 - Closes #7672 - -Jay Satiro (5 Sep 2021) -- config.d: note that curlrc is used even when --config - - Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751 - Reported-by: Viktor Szakats - - Closes https://github.com/curl/curl/pull/7667 - -Daniel Stenberg (4 Sep 2021) -- RELEASE-NOTES: synced - -- test1173: check references to libcurl options - - ... that they refer to actual existing libcurl options. - - Reviewed-by: Daniel Gustafsson - Closes #7656 - -- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also - - Closes #7656 - -- opt-docs: verify man page sections + order - - In every libcurl option man page there are now 8 mandatory sections that - must use the right name in the correct order and test 1173 verifies - this. Only 14 man pages needed adjustments. - - The sections and the order is as follows: - - - NAME - - SYNOPSIS - - DESCRIPTION - - PROTOCOLS - - EXAMPLE - - AVAILABILITY - - RETURN VALUE - - SEE ALSO - - Reviewed-by: Daniel Gustafsson - Closes #7656 - -- opt-docs: make sure all man pages have examples - - Extended manpage-syntax.pl (run by test 1173) to check that every man - page for a libcurl option has an EXAMPLE section that is more than two - lines. Then fixed all errors it found and added examples. - - Reviewed-by: Daniel Gustafsson - Closes #7656 - -- get.d: provide more useful examples - - Closes #7668 - -- page-header: add GOPHERS, simplify wording in the 1st para - - Closes #7665 - -- connect: get local port + ip also when reusing connections - - Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage - (connection + easy handle), so this info needs be extracted again even - for re-used connections. - - Add test 435 to verify - - Reported-by: Max Dymond - Fixes #7660 - Closes #7662 - -Marcel Raad (2 Sep 2021) -- multi: fix compiler warning with `CURL_DISABLE_WAKEUP` - - `use_wakeup` is unused in this case. - - Closes https://github.com/curl/curl/pull/7661 - -Daniel Stenberg (1 Sep 2021) -- tests: adjust the tftpd output to work with hyper mode - - By making them look less like http headers, the hyper mode "tweak" - doesn't interfere. - - Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated - but should be enabled). - - Closes #7658 - -Daniel Gustafsson (1 Sep 2021) -- [Gisle Vanem brought this change] - - openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA - - This adds support for the previously unhandled supplemental data which - in -v output was printed like: - - TLSv1.2 (IN), TLS header, Unknown (23): - - These will now be printed with proper annotation: - - TLSv1.2 (OUT), TLS header, Supplemental data (23): - - Closes #7652 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (1 Sep 2021) -- curl.1: provide examples for each option - - The file format for each option now features a "Example:" header that - can provide one or more examples that get rendered appropriately in the - output. All options MUST have at least one example or gen.pl complains - at build-time. - - This fix also does a few other minor format and consistency cleanups. - - Closes #7654 - -- progress: make trspeed avoid floats - - and compiler warnings for data conversions. - - Reported-by: Michał Antoniak - Fixes #7645 - Closes #7653 - -- test365: verify response with chunked AND Content-Length headers - -- http: ignore content-length if any transfer-encoding is used - - Fixes #7643 - Closes #7649 - -- RELEASE-NOTES: synced - -- Revert "http2: skip immediate parsing of payload following protocol switch" - - This reverts commit 455a63c66f188598275e87d32de2c4e8e26b80cb. - - Reported-by: Tk Xiong - Fixes #7633 - Closes #7648 - -- KNOWN_BUGS: HTTP/3 doesn't support client certs - - Closes #7625 - -- mailing lists: move from cool.haxx.se to lists.haxx.se - -- http_proxy: only wait for writable socket while sending request - - Otherwise it would wait socket writability even after the entire CONNECT - request has sent and make curl basically busy-loop while waiting for a - response to come back. - - The previous fix attempt in #7484 (c27a70a591a4) was inadequate. - - Reported-by: zloi-user on github - Reported-by: Oleguer Llopart - Fixes #7589 - Closes #7647 - -- http: disallow >3-digit response codes - - Make the built-in HTTP parser behave similar to hyper and reject any - HTTP response using more than 3 digits for the response code. - - Updated test 1432 accordingly. - Enabled test 1432 in the hyper builds. - - Closes #7641 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: stop buffering crypto data - - Stop buffering crypto data because libngtcp2 now buffers submitted - crypto data. - - Closes #7637 - -- test1280: CRLFify the response to please hyper - - Closes #7639 - -- tests: enable test 1129 for hyper builds - - Closes #7638 - -- curl: better error message when -O fails to get a good name - - Due to how this currently works internally, it needs a working initial - file name to store contents in, so it may still fail even with -J is - used (and thus accepting a name from content-disposition:) if the file - name part of the URL isn't "good enough". - - Fixes #7628 - Closes #7635 - -- curl_easy_setopt: tweak the string copy wording - - Reported-by: Yaobin Wen - Fixes #7632 - Closes #7634 - -- RELEASE-NOTES: synced - -- [Don J Olmstead brought this change] - - cmake: sync CURL_DISABLE options - - Adds the full listing of CURL_DISABLE options to the CMake build. Moves - all option code, except for CURL_DISABLE_OPENSSL_AUTO_LOA_CONFIG which - resides near OpenSSL configuration, to the same block of code. Also - sorts the options here and in the cmake config header. - - Additionally sorted the CURL-DISABLE listing and fixed the - CURL_DISABLE_POP3 option. - - Closes #7624 - -Jay Satiro (25 Aug 2021) -- KNOWN_BUGS: FTPS upload data loss with TLS 1.3 - - Bug: https://github.com/curl/curl/issues/6149 - Reported-by: Bylon2@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/7623 - -Daniel Stenberg (24 Aug 2021) -- cmake: avoid poll() on macOS - - ... like we do in configure builds. Since poll() on macOS is not - reliable enough. - - Reported-by: marc-groundctl - Fixes #7595 - Closes #7619 - -- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection - - Enable test 1074 - - Closes #7617 - -- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS - - Enable test 1130 and 1131 - - Closes #7616 - -- [a1346054 brought this change] - - tests: be explicit about using 'python3' instead of 'python' - - This fixes running tests in virtualenvs (or on distros) that no longer - have a symlink from python to python2 or python3. - - Closes #7602 - -- [a1346054 brought this change] - - scripts: invoke interpreters through /usr/bin/env - - Closes #7602 - -- DISABLED: enable 11 more tests for hyper builds - - Closes #7612 - -- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper - - Since this option is also used for FTP, it needs to work to set for - applications even if hyper doesn't support it for HTTP. Verified by test - 1137. - - Updated docs to specify that the option doesn't work for HTTP when using - the hyper backend. - - Closes #7614 - -- test1138: remove trailing space to make work with hyper - - Closes #7613 - -- libcurl-errors.3: clarify two CURLUcode errors - - CURLUE_BAD_HANDLE and CURLUE_BAD_PARTPOINTER should be for "bad" or - wrong pointers in a generic sense, not just for NULL pointers. - - Reviewed-by: Jay Satiro - - Ref: #7605 - Closes #7611 - -Jay Satiro (23 Aug 2021) -- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version - - ... and also change the 'Removed' column name to 'Last' since that - column is for the last version to contain the symbol. - - Closes https://github.com/curl/curl/pull/7609 - -Daniel Stenberg (23 Aug 2021) -- urlapi.c:seturl: assert URL instead of using if-check - - There's no code flow possible where this can happen. The assert makes - sure it also won't be introduced undetected in the future. - - Closes #7610 - -- curl-openssl.m4: show correct output for OpenSSL v3 - - Using 3.0.0 versions configure should now show this: - - checking for OpenSSL headers version... 3.0.0 - 0x300 - checking for OpenSSL library version... 3.0.0 - checking for OpenSSL headers and library versions matching... yes - - This output doesn't actually change what configure generates but is only - "cosmetic". - - Reported-by: Randall S. Becker - Fixes #7606 - Closes #7608 - -Jay Satiro (22 Aug 2021) -- mksymbolsmanpage.pl: Fix showing symbol's last used version - - Prior to this change the symbol's deprecated version was erroneously - shown as its last used version. - - Bug: https://github.com/curl/curl/commit/4e53b94#commitcomment-55239509 - Reported-by: i-ky@users.noreply.github.com - -Daniel Stenberg (21 Aug 2021) -- mksymbolsmanpage.pl: match symbols case insenitively - - Follow-up to 4e53b9430c750 which made this bug show. - - Reported-by: i-ky - Bug: https://github.com/curl/curl/commit/4e53b9430c7504de8984796e2a2091ec16f27136#commitcomment-55239253 - Closes #7607 - -- asyn-ares: call ares_freeaddrinfo() to clean up addrinfo results - - As this leaks memory otherwise - - Follow-up to ba904db0705c931 - - Closes #7599 - -- [Ehren Bendler brought this change] - - wolfssl: clean up wolfcrypt error queue - - If wolfSSL is built in certain ways (OPENSSL_EXTRA or Debug), the error - queue gets added on to for each session and never freed. Fix it by - calling ERR_clear_error() like in vtls/openssl when needed. This func is - a no-op in wolfcrypt if the error queue is not enabled. - - Closes #7594 - -- man pages: remove trailing whitespaces - - Extended test 1173 (via the manpage-syntax.pl script) to detect and warn - for them. - - Ref: #7602 - Reported-by: a1346054 on github - Closes #7604 - -- mailmap: add Gleb Ivanovsky - -- config.d: escape the backslash properly - - Closes #7603 - -- [Don J Olmstead brought this change] - - curl_setup.h: sync values for HTTP_ONLY - - The values for HTTP_ONLY differed between CMakeLists.txt and - curl_setup.h. Sync them and sort the values in curl_setup.h to make it - easier to spot differences. - - Closes #7601 - -Jay Satiro (21 Aug 2021) -- configure: set classic mingw minimum OS version to XP - - - If the user has not specified a minimum OS version (via WINVER or - _WIN32_WINNT macros) then set it to Windows XP. - - Prior to this change classic MinGW defaulted the minimum OS version - to Windows NT 4.0 which is way too old. At least Windows XP is needed - for getaddrinfo (which resolves hostnames to IPv6 addresses). - - Ref: https://github.com/curl/curl/issues/7483#issuecomment-891597034 - - Closes https://github.com/curl/curl/pull/7581 - -- schannel: Work around typo in classic mingw macro - - - Define ALG_CLASS_DHASH (the typo from the include) to ALG_CLASS_HASH. - - Prior to this change there was an incomplete fix to ignore the - CALG_TLS1PRF macro on those versions of MinGW where it uses the - ALG_CLASS_DHASH typoed macro. - - Ref: 48cf45c - Ref: https://osdn.net/projects/mingw/ticket/38391 - Ref: https://github.com/curl/curl/issues/2924 - - Closes https://github.com/curl/curl/pull/7580 - -Daniel Stenberg (20 Aug 2021) -- RELEASE-NOTES: synced - -- http_proxy: fix user-agent and custom headers for CONNECT with hyper - - Enable test 287 - - Closes #7598 - -- c-hyper: initial support for "dumping" 1xx HTTP responses - - With the use hyper_request_on_informational() - - Enable test 155 and 158 - - Closes #7597 - -Marc Hoersken (18 Aug 2021) -- tests/*server.pl: flush output before executing subprocess - - Also avoid shell processes staying around by using exec. - This is necessary to avoid output data being buffering - inside the process chain of Perl, Bash/Shell and our - test server binaries. On non-Windows systems the exec - will also make the subprocess replace the intermediate - shell, but on Windows it will at least bind the processes - together since there is no real fork or exec available. - - See: https://cygwin.com/cygwin-ug-net/highlights.html - and: https://docs.microsoft.com/cpp/c-runtime-library/exec-wexec-functions - Ref: https://github.com/curl/curl/pull/7530#issuecomment-900949010 - - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Closes #7530 - -- CI: use GitHub Container Registry instead of Docker Hub - - Avoid limits on Docker Hub and improve image pull/download speed. - - Closes #7587 - -Daniel Stenberg (18 Aug 2021) -- openssl: when creating a new context, there cannot be an old one - - Remove the previous handling that would call SSL_CTX_free(), and instead - add an assert that halts a debug build if there ever is a context - already set at this point. - - Closes #7585 - -Jay Satiro (18 Aug 2021) -- KNOWN_BUGS: Renegotiate from server may cause hang for OpenSSL backend - - Closes https://github.com/curl/curl/issues/6785 - -Viktor Szakats (17 Aug 2021) -- docs/BINDINGS: URL update - -Marc Hoersken (17 Aug 2021) -- tests/server/*.c: align handling of portfile argument and file - - 1. Call the internal variable portname (like pidname) everywhere. - 2. Have a variable wroteportfile (like wrotepidfile) everywhere. - 3. Make sure the file is cleaned up on exit (like pidfile). - 4. Add parameter --portfile to usage outputs everywhere. - - Reviewed-by: Daniel Stenberg - - Replaces #7523 - Closes #7574 - -Daniel Gustafsson (17 Aug 2021) -- KNOWN_BUGS: Fix a number of typos in KNOWN_BUGS - - Fixes a set of typos found in section 11.3. - -Daniel Stenberg (17 Aug 2021) -- getparameter: fix the --local-port number parser - - It could previously get tricked into parsing the uninitialized stack - based buffer. - - Reported-by: Brian Carpenter - Closes #7582 - -- KNOWN_BUGS: Can't use Secure Transport with Crypto Token Kit - - Closes #7048 - -- [Jan Verbeek brought this change] - - curl: add warning for ignored data after quoted form parameter - - In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc` - is ignored. This adds a warning if the ignored data isn't all - whitespace. - - Closes #7394 - -Jay Satiro (17 Aug 2021) -- codeql: fix error "Resource not accessible by integration" - - - Enable codeql writing security-events. - - GitHub set the default permissions to read, apparently since earlier - this year. - - Ref: https://github.com/github/codeql-action/issues/464 - Ref: https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ - - Fixes https://github.com/curl/curl/issues/7575 - Closes https://github.com/curl/curl/pull/7576 - -- tool_operate: Fix --fail-early with parallel transfers - - - Abort via progress callback to fail early during parallel transfers. - - When a critical error occurs during a transfer (eg --fail-early - constraint) then other running transfers will be aborted via progress - callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this - case, the callback error does not become the most recent error and a - custom error message is used for those transfers: - - curld --fail --fail-early --parallel - https://httpbin.org/status/404 https://httpbin.org/delay/10 - - curl: (22) The requested URL returned error: 404 - curl: (42) Transfer aborted due to critical error in another transfer - - > echo %ERRORLEVEL% - 22 - - Fixes https://github.com/curl/curl/issues/6939 - Closes https://github.com/curl/curl/pull/6984 - -Daniel Stenberg (17 Aug 2021) -- [Sergey Markelov brought this change] - - sectransp: support CURLINFO_CERTINFO - - Fixes #4130 - Closes #7372 - -- ngtcp2: remove the acked_crypto_offset struct field init - - ... as it is gone from the API upstream. - - Closes #7578 - -- misc: update incorrect copyright year ranges - - Closes #7577 - -- KNOWN_BUGS: HTTP/3 quiche upload large file fails - - Closes #7532 - -- KNOWN_BUGS: CMake build with MIT Kerberos does not work - - Closes #6904 - -- TODO: add asynch getaddrinfo support - - Closes #6746 - -- RELEASE-NOTES: synced - -- [Artur Sinila brought this change] - - http2: revert call the handle-closed function correctly on closed stream - - Reverts 252790c5335a221 - - Assisted-by: Gergely Nagy - Fixes #7400 - Closes #7525 - -- [Patrick Monnerat brought this change] - - auth: do not append zero-terminator to authorisation id in kerberos - - RFC4752 Section 3.1 states "The authorization identity is not terminated - with a zero-valued (%x00) octet". Although a comment in code said it may - be needed anyway, nothing confirms it. In addition, servers may consider - it as part of the identity, causing a failure. - - Closes #7008 - -- [Patrick Monnerat brought this change] - - auth: use sasl authzid option in kerberos - - ... instead of deriving it from active ticket. - Closes #7008 - -- [Patrick Monnerat brought this change] - - auth: we do not support a security layer after kerberos authentication - - Closes #7008 - -- [Patrick Monnerat brought this change] - - auth: properly handle byte order in kerberos security message - - Closes #7008 - -- [z2_ brought this change] - - x509asn1: fix heap over-read when parsing x509 certificates - - Assisted-by: Patrick Monnerat - Closes #7536 - -- KNOWN_BUGS: Disconnects don't do verbose - - Closes #6995 - -- mailmap: fixup Michał Antoniak - -- [Michał Antoniak brought this change] - - build: fix compiler warnings - - For when CURL_DISABLE_VERBOSE_STRINGS and DEBUGBUILD flags are both - active. - - - socks.c : warning C4100: 'lineno': unreferenced formal parameter - (co-authored by Daniel Stenberg) - - - mbedtls.c: warning C4189: 'port': local variable is initialized but - not referenced - - - schannel.c: warning C4189: 'hostname': local variable is initialized - but not referenced - - Cloes #7528 - -- [Gleb Ivanovsky brought this change] - - CODE_STYLE-md: fix bold font style - - Markdown gets confused with abundance of asterisks, so use underscores - instead. - - Reviewed-by: Daniel Gustafsson - Closes #7569 - -- [Gleb Ivanovsky brought this change] - - CODE_STYLE-md: add missing comma - - Reviewed-by: Daniel Gustafsson - Closes #7570 - -- [Daniel Gustafsson brought this change] - - examples/ephiperfifo.c: simplify signal handler - - The signal handler registered for SIGINT is only handling SIGINT - so there isn't much need for inspecting the signo. While there, - rename the handler to be more specific. - - g_should_exit should really be of sig_atomic_t type, but relying - on autoconf in the examples seems like a bad idea so keep that - for now. - - Reviewed-by: Daniel Stenberg - Closes #7310 - -- c-hyper: initial step for 100-continue support - - Enabled test 154 - - Closes #7568 - -- [Ikko Ashimine brought this change] - - vtls: fix typo in schannel_verify.c - - occurence -> occurrence - - Closes #7566 - -- [Emil Engler brought this change] - - curl_url_get.3: clarify about path and query - - The current man-page lacks some details regarding the obtained path and - query. - - Closes #7563 - -- c-hyper: fix header value passed to debug callback - - Closes #7567 - -Viktor Szakats (12 Aug 2021) -- cleanup: URL updates - - - replace broken URL with the one it was most probably pointing to - when added (lib/tftp.c) - - replace broken URL with archive.org link (lib/curl_ntlm_wb.c) - - delete unnecessary protocol designator from archive.org URL - (docs/BINDINGS.md) - - Closes #7562 - -Daniel Stenberg (12 Aug 2021) -- [April King brought this change] - - DEPRECATE.md: linkify curl-library mailing list - - Closes #7561 - -- [Barry Pollard brought this change] - - output.d: add method to suppress response bodies - - Closes #7560 - -- TODO: remove 'c-ares deviates on http://1346569778' - - Fixed since 56a037cc0ad1b2 (7.77.0) - -- [Colin O'Dell brought this change] - - BINDINGS.md: update links to use https where available - - Closes #7558 - -- asyn-ares.c: move all version number checks to the top - - ... and use #ifdef [feature] in the code as per our guidelines. - -- ares: use ares_getaddrinfo() - - ares_getaddrinfo() is the getaddrinfo() cloned provided by c-ares, introduced - in version 1.16.0. - - With older c-ares versions, curl invokes ares_gethostbyname() twice - once for - IPv4 and once for IPv6 to resolve both addresses, and then combines the - returned results. - - Reported-by: jjandesmet - Fixes #7364 - Closes #7552 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: utilize crypto API functions to simplify - - Closes #7551 - -- [megatronking brought this change] - - ngtcp2: reset the oustanding send buffer again when drained - - Closes #7538 - -Michael Kaufmann (10 Aug 2021) -- progress: fix a compile warning on some systems - - lib/progress.c:380:40: warning: conversion to 'long double' from - 'curl_off_t {aka long long int}' may alter its value [-Wconversion] - - Closes #7549 - -Daniel Stenberg (10 Aug 2021) -- RELEASE-NOTES: synced - -- http: consider cookies over localhost to be secure - - Updated test31. - Added test 392 to verify secure cookies used for http://localhost - - Reviewed-by: Daniel Gustafsson - Fixes #6733 - Closes #7263 - -- TODO: erase secrets from heap/stack after use - - Closes #7268 - -Jay Satiro (10 Aug 2021) -- hostip: Make Curl_ipv6works function independent of getaddrinfo - - - Do not assume IPv6 is not working when getaddrinfo is not present. - - The check to see if IPv6 actually works is now independent of whether - there is any resolver that can potentially resolve a hostname to IPv6. - - Prior to this change if getaddrinfo() was not found at compile time then - Curl_ipv6works() would be defined as a macro that returns FALSE. - - When getaddrinfo is not found then libcurl is built with CURLRES_IPV4 - defined instead of CURLRES_IPV6, meaning that it cannot do IPv6 lookups - in the traditional way. With this commit if libcurl is built with IPv6 - support (ENABLE_IPV6) but without getaddrinfo (CURLRES_IPV6), and the - IPv6 stack is actually working, then it is possible for libcurl to - resolve IPv6 addresses by using DoH. - - Ref: https://github.com/curl/curl/issues/7483#issuecomment-890765378 - - Closes https://github.com/curl/curl/pull/7529 - -- test1565: fix windows build errors - - - Use our wait_ms() instead of sleep() since Windows doesn't have the - latter. - - - Use a separate variable to keep track of whether the pthread_t thread - id is valid. - - On Windows pthread_t is not an integer type. pthread offers no macro for - invalid pthread_t thread id, so validity is kept track of separately. - - Closes https://github.com/curl/curl/pull/7527 - -- [Jeremy Falcon brought this change] - - winbuild/README.md: clarify GEN_PDB option - - - Document that GEN_PDB option creates an external database. - - Ref: https://github.com/curl/curl/issues/7502 - -Daniel Stenberg (9 Aug 2021) -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read - - Closes #7546 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream - - Rework the return value handling of ngtcp2_conn_writev_stream and treat - NGTCP2_ERR_STREAM_SHUT_WR separately. - - Closes #7546 - -- configure: error out if both ngtcp2 and quiche are specified - - Reported-by: Vincent Grande - See #7539 - Closes #7545 - -- [Jeff Mears brought this change] - - easy: use a custom implementation of wcsdup on Windows - - ... so that malloc/free overrides from curl_global_init are used for - wcsdup correctly. - - Closes #7540 - -- zuul: add an mbedtls3 CI job - - Closes #7544 - -- [Benau brought this change] - - mbedTLS: initial 3.0.0 support - - Closes #7428 - -- RELEASE-NOTES: synced - -- configure.ac: revert bad nghttp2 library detection improvements - - This reverts commit b4b34db65f9f8, 673753344c5f and 29c7cf79e8b. - - The logic is now back to assuming that the nghttp2 lib is called nghttp2 and - nothing else. - - Reported-by: Rui Pinheiro - Reported-by: Alex Crichton - Fixes #7514 - Closes #7515 - -- happy-eyeballs-timeout-ms.d: polish the wording - - Reported-by: Josh Soref - Fixes #7433 - Closes #7542 - -- [modbw brought this change] - - mbedtls_threadlock: fix unused variable warning - - Closes #7393 - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: compile with the latest ngtcp2 and nghttp3 - - Closes #7541 - -Marc Hoersken (31 Jul 2021) -- CI/cirrus: reduce compile time with increased parallism - - Cirrus CI VMs have 2 CPUs, let's use them also for Windows builds. - - Reviewed-by: Daniel Stenberg - Closes #7505 - -Daniel Stenberg (30 Jul 2021) -- [Bin Lan brought this change] - - tool/tests: fix potential year 2038 issues - - The length of 'long' in a 32-bit system is 32 bits, which cannot be used - to save timestamps after 2038. Most operating systems have extended - time_t to 64 bits. - - Remove the castings to long. - - Closes #7466 - -- compressed.d: it's a request, not an order - - Clarified - - Reported-by: Dan Jacobson - Reviewed-by: Daniel Gustafsson - Fixes #7516 - Closes #7517 - -- [Bernhard M. Wiedemann brought this change] - - tests: make three tests pass until 2037 - - after 2038 something in test1915 fails on 32-bit OSes - - Closes #7512 - -Daniel Gustafsson (30 Jul 2021) -- connect: remove superfluous conditional - - Commit dbd16c3e2 cleaned up the logic for traversing the addrinfos, - but the move left a conditional on ai which no longer is needed as - the while loop reevaluation will cover it. - - Closes #7511 - Reviewed-by: Carlo Marcelo Arenas Belón - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Daniel Stenberg (29 Jul 2021) -- RELEASE-NOTES: synced - - and bump curlver to 7.79.0 for next release - -Marc Hoersken (29 Jul 2021) -- tests/*server.py: remove pidfile on server termination - - Avoid pidfile leaking/laying around after server already exited. - - Reviewed-by: Daniel Stenberg - Closes #7506 - -Daniel Gustafsson (27 Jul 2021) -- tool_main: fix typo in comment - - The referred to library is NSPR, so fix the switched around characters. - -Daniel Stenberg (28 Jul 2021) -- [Aleksandr Krotov brought this change] - - bearssl: support CURLOPT_CAINFO_BLOB - - Closes #7468 - -- curl.1: mention "global" flags - - Mention options that are "global". A global command line option is one - that doesn't get reset at --next uses and therefore don't need to be - used again. - - Reported-by: Josh Soref - - Fixes #7457 - Closes #7510 - -- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited - - Reported-by: Daniel Woelfel - Fixes #7441 - Closes #7509 - -- KNOWN_BUGS: add more HTTP/3 problems - - Closes #7351 - Closes #7339 - Closes #7125 - -Marc Hoersken (27 Jul 2021) -- CI/azure: reduce compile time with increased parallism - - Azure Pipelines CI VMs have 2 CPUs, let's use them. - - Closes #7489 - -Jay Satiro (27 Jul 2021) -- [Josh Soref brought this change] - - docs: fix grammar - - Fixes https://github.com/curl/curl/issues/7444 - Fixes https://github.com/curl/curl/issues/7451 - Fixes https://github.com/curl/curl/issues/7465 - Closes https://github.com/curl/curl/pull/7495 - -- mail-rcpt.d: fix grammar - - Remove confusing sentence that says to specify an e-mail address for - mail transfer, since that's implied. - - Reported-by: Josh Soref - - Fixes https://github.com/curl/curl/issues/7452 - Closes https://github.com/curl/curl/pull/7495 - -Daniel Stenberg (27 Jul 2021) -- c-hyper: remove the hyper_executor_poll() loop from Curl_http - - 1. it's superfluous - 2. it didn't work identically to the Curl_hyper_stream one which could - cause problems like #7486 - - Pointed-out-by: David Cook - Closes #7499 - -- curl-openssl.m4: check lib64 for the pkg-config file - - OpenSSL recently started putting the libs in $prefix/lib64 on 'make - install', so we check that directory for pkg-config data if the 'lib' - check fails. - - Closes #7503 - -- CURLOPT_SSL_CTX_*.3: tidy up the example - - Use the proper code style. Don't store return codes that aren't read. - Copy the same example into CURLOPT_SSL_CTX_FUNCTION.3 as well. - - Closes #7500 - -- example/cookie_interface: fix scan-build printf warning - - Follow-up to 4b79c4fb565 - - Fixes #7497 - Closes #7498 - -- [Josh Soref brought this change] - - limit-rate.d: clarify base unit - - Fixes #7439 - Closes #7494 - -- [Carlo Marcelo Arenas Belón brought this change] - - examples/cookie_interface: avoid printfing time_t directly - - time_t representation is undefined and varies on bitsize and signedness, - and as of C11 could be even non integer. - - instead of casting to unsigned long (which would truncate in systems - with a 32bit long after 2106) use difftime to get the elapsed time as a - double and print that (without decimals) instead. - - alternatively a cast to curl_off_t and its corresponding print - formatting could have been used (at least in POSIX) but portability and - curl agnostic code was prioritized. - - Closes #7490 - -Marc Hoersken (25 Jul 2021) -- tests/servers: remove obsolete pid variable - - Variable is not used since pidfile handling moved to util.[ch] - - Reviewed-by: Jay Satiro - Closes #7482 - -- tests/servers: use our platform-aware pid for server verification - - The pid used for server verification is later stored as pid2 in - the hash of running test servers and therefore used for shutdown. - - The pid used for shutdown must be the platform-aware (Win32) pid - to avoid leaking test servers while running them using Cygwin/msys. - - Reviewed-by: Jay Satiro - Closes #7481 - -- tests/runtests.pl: cleanup copy&paste mistakes and unused code - - Reviewed-by: Jay Satiro - Part of #7481 - -Daniel Stenberg (25 Jul 2021) -- RELEASE-NOTES: synced - - bumped to 7.78.1 for next release - -- http_proxy: clear 'sending' when the outgoing request is sent - - ... so that Curl_connect_getsock() will know how to wait for the socket - to become readable and not writable after the entire CONNECT request has - been issued. - - Regression added in 7.77.0 - - Reported-by: zloi-user on github - Assisted-by: Jay Satiro - Fixes #7155 - Closes #7484 - -Jay Satiro (25 Jul 2021) -- [Josh Soref brought this change] - - openssl: fix grammar - - Closes https://github.com/curl/curl/pull/7480 - -- configure.ac: tweak nghttp2 library name fix again - - - Change extraction to handle multiple library names returned by - pkg-config (eg a possible scenario with pkg-config --static). - - Ref: https://github.com/curl/curl/pull/7472 - - Closes https://github.com/curl/curl/pull/7485 - -Dan Fandrich (23 Jul 2021) -- Get rid of the unused HAVE_SIG_ATOMIC_T et. al. - - It was added in 2006 but I see no evidence it was ever used. - -Jay Satiro (23 Jul 2021) -- docs: change max-filesize caveat again - - - Add protocols field to max-filesize.d. - - - Revert wording on unknown file size caveat and do not discuss specific - protocols in that section. - - Partial revert of ecf0225. All max-filesize options now have the list of - protocols and it's clearer just to have that list without discussing - specific protocols in the caveat. - - Reported-by: Josh Soref - - Ref: https://github.com/curl/curl/issues/7453#issuecomment-884128762 - -Daniel Stenberg (22 Jul 2021) -- [Christian Weisgerber brought this change] - - configure: tweak nghttp2 library name fix - - commit 29c7cf79e8b44cf (shipped in 7.78.0) introduced a problem by - assuming that LIB_H2 does not have any leading whitespace. At least - OpenBSD's native pkg-config can produce such whitespace, though: - - $ pkg-config --libs-only-l libnghttp2 - -lnghttp2 - - As a result, the configure check for libnghttp2 will erroneously fail. - - Bug: https://curl.se/mail/lib-2021-07/0050.html - Closes #7472 - -- [Bastian Krause brought this change] - - docs/MQTT: update state of username/password support - - PR #7243 implemented username/password support for MQTT, so let's drop - these items from the caveats. - - Signed-off-by: Bastian Krause <bst@pengutronix.de> - - Closes #7474 - -- [Oleg Pudeyev brought this change] - - CURLMOPT_TIMERFUNCTION.3: remove misplaced "time" - - Closes #7470 - -Version 7.78.0 (21 Jul 2021) - -Daniel Stenberg (21 Jul 2021) -- RELEASE-NOTES: synced - - curl 7.78.0 release - -- winbuild/MakefileBuild.vc: bump copyright year - -Jay Satiro (21 Jul 2021) -- docs: mention max-filesize options also apply to MQTT transfers - - Also make it clearer that the caveat 'if the file size is unknown it - the option will have no effect' may apply to protocols other than FTP - and HTTP. - - Reported-by: Josh Soref - - Fixes https://github.com/curl/curl/issues/7453 - -- [Josh Soref brought this change] - - docs/cmdline: fix grammar and typos - -- [Josh Soref brought this change] - - dump-header.d: Drop suggestion to use for cookie storage - - Since --cookie-jar is the preferred way to store cookies, no longer - suggest using --dump-header to do so. - - Co-authored-by: Daniel Stenberg - - Closes https://github.com/curl/curl/issues/7414 - -- [Josh Soref brought this change] - - doc/cmdline: fix grammar and typos - - Closes https://github.com/curl/curl/pull/7454 - Closes https://github.com/curl/curl/pull/7455 - Closes https://github.com/curl/curl/pull/7456 - Closes https://github.com/curl/curl/pull/7459 - Closes https://github.com/curl/curl/pull/7460 - Closes https://github.com/curl/curl/pull/7461 - Closes https://github.com/curl/curl/pull/7462 - Closes https://github.com/curl/curl/pull/7463 - -Daniel Stenberg (20 Jul 2021) -- vtls: fix connection reuse checks for issuer cert and case sensitivity - - CVE-2021-22924 - - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2021-22924.html - -- sectransp: check for client certs by name first, then file - - CVE-2021-22926 - - Bug: https://curl.se/docs/CVE-2021-22926.html - - Assisted-by: Daniel Gustafsson - Reported-by: Harry Sintonen - -- telnet: fix option parser to not send uninitialized contents - - CVS-2021-22925 - - Reported-by: Red Hat Product Security - Bug: https://curl.se/docs/CVE-2021-22925.html - -Jay Satiro (20 Jul 2021) -- connect: fix wrong format specifier in connect error string - - 0842175 (not in any release) used the wrong format specifier (long int) - for timediff_t. On an OS such as Windows libcurl's timediff_t (usually - 64-bit) is bigger than long int (32-bit). In 32-bit Windows builds the - upper 32-bits of the timediff_t were erroneously then used by the next - format specifier. Usually since the timeout isn't larger than 32-bits - this would result in null as a pointer to the string with the reason for - the connection failing. On other OSes or maybe other compilers it could - probably result in garbage values (ie crash on deref). - - Before: - Failed to connect to localhost port 12345 after 1201 ms: (nil) - - After: - Failed to connect to localhost port 12345 after 1203 ms: Connection refused - - Closes https://github.com/curl/curl/pull/7449 - -- winbuild: support alternate nghttp2 static lib name - - - Support both nghttp2.lib and nghttp2_static.lib for static nghttp2. - - nghttp2 briefly changed its static lib name to nghttp2_static, but then - made the _static suffix optional. - - Ref: https://github.com/nghttp2/nghttp2/pull/1394 - Ref: https://github.com/nghttp2/nghttp2/pull/1418 - Ref: https://github.com/nghttp2/nghttp2/issues/1466 - - Reported-by: Pierre Yager - - Fixes https://github.com/curl/curl/issues/7446 - Closes https://github.com/curl/curl/pull/7447 - -- [Josh Soref brought this change] - - docs/cmdline: fix grammar and typos - - Closes https://github.com/curl/curl/pull/7432 - Closes https://github.com/curl/curl/pull/7436 - Closes https://github.com/curl/curl/pull/7438 - Closes https://github.com/curl/curl/pull/7440 - Closes https://github.com/curl/curl/pull/7445 - -- [Josh Soref brought this change] - - delegation.d: mention what happens when used multiple times - - Closes https://github.com/curl/curl/pull/7408 - -- [Josh Soref brought this change] - - create-file-mode.d: mention what happens when used multiple times - - Closes https://github.com/curl/curl/pull/7407 - -- [Josh Soref brought this change] - - config.d: split comments and option-per line - - Closes https://github.com/curl/curl/pull/7405 - -Daniel Stenberg (19 Jul 2021) -- misc: copyright year range updates - -- mailmap: add Tobias and Timur - -Daniel Gustafsson (18 Jul 2021) -- [Josh Soref brought this change] - - docs: spell out directories instead of dirs in create-dirs - - Write out directories rather than using the dirs abbrevation. Also - use plural form consistently, even if the code in the end might just - create a single directory. - - Closes #7406 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- [Tobias Nyholm brought this change] - - docs: correct spelling errors and a broken link - - Update grammar and spelling in docs and source code comments. - - Closes: #7427 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -Marc Hoersken (18 Jul 2021) -- CI/cirrus: install impacket from PyPI instead of FreeBSD packages - - Availability of impacket as FreeBSD package is too flaky. - - Stick to legacy version of cryptography which still - supports OpenSSL version 1.0.2 due to FreeBSD 11. - - Reviewed-by: Daniel Stenberg - - Closes #7418 - -Daniel Stenberg (18 Jul 2021) -- [Josh Soref brought this change] - - docs/cmdline: mention what happens when used multiple times - - For --dns-ipv4-addr, --dns-ipv6-addr and --dns-servers - - Closes #7410 - Closes #7411 - Closes #7412 - -- [Michał Antoniak brought this change] - - lib: fix compiler warnings with CURL_DISABLE_NETRC - - warning C4189: 'netrc_user_changed': local variable is initialized but - not referenced - - warning C4189: 'netrc_passwd_changed': local variable is initialized but - not referenced - - Closes #7423 - -- disable-epsv.d: remove duplicate "(FTP)" - - ... since the tooling adds that to the output based on the "Protocols:" - tag. - -- [Max Zettlmeißl brought this change] - - docs: make the documentation for --etag-save match the program behaviour - - When using curl with the option `--etag-save` I expected it to save the - ETag without its surrounding quotes, as stated by the documentation in - the repository and by the generated man pages. - - My first endeavour was to fix the program, but while investigating the - history of the relevant parts, I discovered that curl once saved the - ETag without the quotes. This was undone by Daniel Stenberg in commit - `98c94596f5928840177b6bd3c7b0f0dd03a431af`, therefore I decided that in - this case the documentation should be adjusted to match the behaviour of - curl. - - The changed save behaviour also made parts of the `--etag-compare` - documentation wrong or superfluous, so I adjusted those accordingly. - - Closes #7429 - -- [Josh Soref brought this change] - - write-out.d: add missing periods - - Closes #7404 - -- [Josie Huddleston brought this change] - - easy: during upkeep, attach Curl_easy to connections in the cache - - During the protocol-specific parts of connection upkeep, some code - assumes that the data->conn pointer already is set correctly. However, - there's currently no guarantee of that in the code. - - This fix temporarily attaches each connection to the Curl_easy object - before performing the protocol-specific connection check on it, in a - similar manner to the connection checking in extract_if_dead(). - - Fixes #7386 - Closes #7387 - Reported-by: Josie Huddleston - -- [Josh Soref brought this change] - - cleanup: spell DoH with a lowercase o - - Signed-off-by: Josh Soref <jsoref@users.noreply.github.com> - - Closes #7413 - -- [Josh Soref brought this change] - - TheArtOfHttpScripting: polish - - - add missing backticks and comma - - - fix proxy description: - - * example proxy isn't local - * locally doesn't really make sense - - Closes #7416 - -- [Josh Soref brought this change] - - form.d: add examples of `,`/`;` for file[name] - - Fixes #7415 - Closes #7417 - -- [Michał Antoniak brought this change] - - mbedtls: Remove unnecessary include - - - curl_setup.h: all references to mbedtls_md4* functions and structures - are in the md4.c. This file already includes the <mbedtls/md4.h> file - along with the file existence control (defined (MBEDTLS_MD4_C)) - - - curl_ntlm_core.c: unnecessary include - repeated below - - Closes #7419 - -- RELEASE-NOTES: synced - -Jay Satiro (16 Jul 2021) -- [User Sg brought this change] - - multi: fix crash in curl_multi_wait / curl_multi_poll - - Appears to have been caused by 51c0ebc (precedes 7.77.0) which added a - VALID_SOCK check to one of the loops through the sockets but not the - other. - - Reported-by: sylgal@users.noreply.github.com - Authored-by: sylgal@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/7379 - Closes https://github.com/curl/curl/pull/7389 - -- [Daniel Gustafsson brought this change] - - tool_help: remove unused define - - The PRINT_LINES_PAUSE macro is no longer used, and has been mostly - cleaned out but one occurrence remained. - - Closes https://github.com/curl/curl/pull/7380 - -- [Sergey Markelov brought this change] - - build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS - - fix compiler warnings about unused variables and parameters when - built with --disable-verbose. - - Closes https://github.com/curl/curl/pull/7377 - -- [Andrea Pappacoda brought this change] - - build: fix IoctlSocket FIONBIO check - - Prior to this change HAVE_IOCTLSOCKET_CAMEL_FIONBIO mistakenly checked - for (lowercase) ioctlsocket when it should have checked for IoctlSocket. - - Closes https://github.com/curl/curl/pull/7375 - -- [Timur Artikov brought this change] - - configure: fix nghttp2 library name for static builds - - Don't hardcode the nghttp2 library name, - because it can vary, be "nghttp2_static" for example. - - Fixes https://github.com/curl/curl/issues/7367 - Closes https://github.com/curl/curl/pull/7368 - -Gisle Vanem (16 Jul 2021) -- [PellesC] fix _lseeki64() macro - -- [SChannel] Use '_tcsncmp()' instead - - Revert previous change for PellesC. - - Instead replace all use of `_tcsnccmp()` with `_tcsncmp()`. - -- [PellesC] missing '_tcsnccmp' - - PellesC compiler does not have this macro in it's `<tchar.h>` - -Daniel Gustafsson (14 Jul 2021) -- TODO: add mention of mbedTLS 3 incompatibilities - - Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible - and curl no longer builds with it. Document the need to fix our support - until so has been done. - - Closes #7390 - Fixes #7385 - Reported-by: Wyatt OʼDay - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -- docs: fix inconsistencies in EGDSOCKET documentation - - Only the OpenSSL backend actually use the EGDSOCKET, and also use - TLS consistently rather than mixing SSL and TLS. While there, also - fix a minor spelling nit. - - Closes: #7391 - Reviewed-by: Jay Satiro <raysatiro@yahoo.com> - -- [Борис Верховский brought this change] - - docs: document missing arguments to commands - - This is a followup to commit f410b9e538129e77607fef1 fixing a few - more commands which takes arguments. - - Closes #7382 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- [Randolf J brought this change] - - docs: fix incorrect argument name reference - - The documentation for the read callback was erroneously referencing - the nitems argument by nmemb. The error was introduced in commit - ce0881edee3c7. - - Closes #7383 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -- [Борис Верховский brought this change] - - tool_help: Document that --tlspassword takes a password - - Closes #7378 - Reviewed-by: Daniel Stenberg <daniel@haxx.se> - -- scripts: Fix typo in release-notes instructions - - The command to run had a typo in the pathname which prevented copy - pasting it to work, which has annoyed me enough to fix this now. - -- RELEASE-NOTES: synced - -Jay Satiro (10 Jul 2021) -- write-out.d: Clarify urlnum is not unique for de-globbed URLs - - Reported-by: Коваленко Анатолий Викторович - - Fixes https://github.com/curl/curl/issues/7342 - Closes https://github.com/curl/curl/pull/7369 - -Daniel Gustafsson (3 Jul 2021) -- [William Desportes brought this change] - - docs: Fix typos - - Closes: #7370 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -Daniel Stenberg (8 Jul 2021) -- [Jonathan Wernberg brought this change] - - Revert "ftp: Expression 'ftpc->wait_data_conn' is always false" - - The reverted commit introduced a logic error in code that was - correct. - - The client using libcurl would notice the error since FTP file - uploads in active transfer mode would somtimes complete with - success despite no transfer having been performed and the - "uploaded" file thus not being on the remote server afterwards. - - The FTP server would notice the error because it receives a - RST on the data connection it has established with the client - before any data was transferred at all. - - The logic error happens if the STOR response from the server have - arrived by the time ftp_multi_statemach() in the affected code path - is called, but the incoming data connection have not arrived yet. - In that case, the processing of the STOR response will cause - 'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment - in the code. Since 'complete' will also be set, later logic would - believe the transfer was done. - - In most cases, the STOR response will not have arrived yet when - the affected code path is executed, or the incoming connection will - also have arrived, and thus the error would not express itself. - But if the speed difference of the device using libcurl and the - FTP server is exactly right, the error may happen as often as in - one out of hundred file transfers. - - This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab. - - Bug: https://curl.se/mail/lib-2021-07/0025.html - Closes #7362 - -- msnprintf: return number of printed characters excluding null byte - - ... even when the output is "capped" by the maximum length argument. - - Clarified in the docs. - - Closes #7361 - -- infof: remove newline from format strings, always append it - - - the data needs to be "line-based" anyway since it's also passed to the - debug callback/application - - - it makes infof() work like failf() and consistency is good - - - there's an assert that triggers on newlines in the format string - - - Also removes a few instances of "..." - - - Removes the code that would append "..." to the end of the data *iff* - it was truncated in infof() - - Closes #7357 - -- examples/multi-single: fix scan-build warning - - warning: Value stored to 'mc' during its initialization is never read - - Follow-up to ae8e11ed5fd2ce - - Closes #7360 - -- wolfssl: failing to set a session id is not reason to error out - - ... as it is *probably* just timed out. - - Reported-by: Francisco Munoz - - Closes #7358 - -- docs/examples: use curl_multi_poll() in multi examples - - The API is soon two years old and deserves being shown as the primary - way to drive multi code as it makes it much easier to write code. - - multi-poll: removed - - multi-legacy: add to show how we did multi API use before - curl_multi_wait/poll. - - Closes #7352 - -- KNOWN_BUGS: flaky Windows CI builds - - Closes #6972 - -- RELEASE-NOTES: synced - -- test1147: hyper doesn't allow "crazy" request headers like built-in - - ... so strip that from the test. - - Closes #7349 - -- c-hyper: bail on too long response headers - - To match with built-in behaviors. Makes test 1154 work. - - Closes #7350 - -- test1151: added missing CRLF to work with hyper - - Closes #7350 - -- c-hyper: add support for transfer-encoding in the request - - Closes #7348 - -- [Andrea Pappacoda brought this change] - - cmake: remove libssh2 feature checks - - libssh2 features are detected based on version since commit - 9dbbba997608f7c3c5de1c627c77c8cd2aa85b73 - - Closes #7343 - -- test1116: hyper doesn't pass through "surprise-trailers" - - Closes #7344 - -- socks4: scan for the IPv4 address in resolve results - - Follow-up to 84d2839740 which changed the resolving to always resolve - both address families, but since SOCKS4 only supports IPv4 it should - scan for and use the first available IPv4 address. - - Reported-by: shithappens2016 on github - Fixes #7345 - Closes #7346 - -Jay Satiro (5 Jul 2021) -- proto.d: fix formatting for paragraphs after margin changes - - Closes https://github.com/curl/curl/pull/7341 - -- pinnedpubkey.d: fix formatting for version support lists - - Closes https://github.com/curl/curl/pull/7340 - -Daniel Stenberg (2 Jul 2021) -- TODO: "Support in-memory certs/ca certs/keys" done - - Has been suppored for a while now with the *BLOB options. - -- examples: safer and more proper read callback logic - - The same callback code is used in: - - imap-append.c - smtp-authzid.c - smtp-mail.c - smtp-multi.c - smtp-ssl.c - smtp-tls.c - - It should not assume that it can copy full lines into the buffer as it - will encourage sloppy coding practices. Instead use byte-wise logic and - check/acknowledge the buffer size appropriately. - - Reported-by: Harry Sintonen - Fixes #7330 - Closes #7331 - -- test1519: adjusted to work with hyper - - Closes #7333 - -- test1518: adjusted to work with hyper - - ... by making sure the stdout output doesn't look like HTTP headers. - - Closes #7333 - -- test1514: add a CRLF to the response to make it correct - - Makes hyper accept it fine instead returning HYPERE_UNEXPECTED_EOF on - us. - - Closes #7334 - -- formdata: avoid "Argument cannot be negative" warning - - ... when converting a curl_off_t to size_t, by using - CURL_ZERO_TERMINATED before passing the argument to the function. - - Detected by Coverity CID 1486590. - - Closes #7328 - Assisted-by: Daniel Gustafsson - -- lib: more %u for port and int for %*s fixes - - Detected by Coverity - - Closes #7329 - -- doh: (void)-prefix call to curl_easy_setopt - -- lib: fix type of len passed to *printf's %*s - - ... it needs to be 'int'. Detected by Coverity CID 1486611 (etc) - - Closes #7326 - -- lib: use %u instead of %ld for port number printf - - Follow-up to 764c6bd3bf which changed the type of some port number - fields. Detected by Coverity (CID 1486624) etc. - - Closes #7325 - -- version: turn version number functions into returning void - - ... as we never use the return codes from them. - - Reviewed-by: Daniel Gustafsson - Closes #7319 - -- mqtt: extend the error message for no topic - - ... and mention that it needs URL encoding. - - Reported-by: Peter Körner - Fixes #7316 - Closes #7317 - -- formdata: correct typecast in curl_mime_data call - - Coverity pointed out it the mismatch. CID 1486590 - - Closes #7327 - -- url: (void)-prefix a curl_url_get() call - - Coverity (CID 1486645) pointed out a use of curl_url_get() in the - parse_proxy function where the return code wasn't checked. A - (void)-prefix makes the intention obvious. - - Closes #7320 - -- glob: pass an 'int' as len when using printf's %*s - - Detected by Coverity CID 1486629. - - Closes #7324 - -- vtls: use free() not curl_free() - - curl_free() is provided for users of the API to free returned data, - there's no need to use it internally. - - Closes #7318 - -- zuul: use the new rustls directory name - - Follow-up to 6d972c8b1cbb3 which missed updating this directory name. - - Also no longer call it crustls in the docs and bump to rusttls-ffi 0.7.1 - - Closes #7311 - -Jay Satiro (29 Jun 2021) -- http: fix crash in rate-limited upload - - - Don't set the size of the piece of data to send to the rate limit if - that limit is larger than the buffer size that will hold the piece. - - Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE - (curl tool: --limit-rate) was set then it was possible that a temporary - buffer used for uploading could be written to out of bounds. A likely - scenario for this would be a non-trivial amount of post data combined - with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k). - - The bug was introduced in 24e469f which is in releases since 7.76.0. - - perl -e "print '0' x 200000" > tmp - curl --limit-rate 128k -d @tmp httpbin.org/post - - Reported-by: Richard Marion - - Fixes https://github.com/curl/curl/issues/7308 - Closes https://github.com/curl/curl/pull/7315 - -Daniel Stenberg (29 Jun 2021) -- copyright: add boiler-plate headers to CI config files - - And whitelist .zuul.ignore - - Closes #7314 - -- CI: remove travis details - - Rename still used leftovers to "zuul" as that's now the CI using them. - - Closes #7313 - -- RELEASE-NOTES: synced - -- openssl: avoid static variable for seed flag - - Avoid the race condition risk by instead storing the "seeded" flag in - the multi handle. Modern OpenSSL versions handle the seeding itself so - doing the seeding once per multi-handle instead of once per process is - less of an issue. - - Reported-by: Gerrit Renker - Fixes #7296 - Closes #7306 - -- configure: inhibit the implicit-fallthrough warning on gcc-12 - - ... since it no longer acknowledges the comment markup we use for that - purpose. - - Reported-by: Younes El-karama - Fixes #7295 - Closes #7307 - -Daniel Gustafsson (28 Jun 2021) -- [Andrei Rybak brought this change] - - misc: fix typos in comments which repeat a word - - Fix typos in code comments which repeat various words. In trivial - cases, just delete the repeated word. Reword the affected sentence in - "lib/url.c" for it to make sense. - - Closes #7303 - Reviewed-by: Daniel Gustafsson <daniel@yesql.se> - -Daniel Stenberg (27 Jun 2021) -- lib677: make it survive torture testing - - Follow-up to a5ab72d5edd7 - - Closes #7300 - -- [Tommy Chiang brought this change] - - docs/BINDINGS: fix outdated links - - * luacurl page is now not accessible, fix it with wayback machine page - * Scheme one seems not providing https now, change it back to http one - - Closes #7301 - -- [Jacob Hoffman-Andrews brought this change] - - curstls: bump crustls version and use new URL - - crustls moved to https://github.com/rustls/rustls-ffi. This also bumps - the expected version to 0.7.0. - - Closes #7297 - -- RELEASE-NOTES: synced - -- examples: length-limit two sscanf() uses of %s - - Reported-by: Jishan Shaikh - Fixes #7293 - Closes #7294 - -- [Richard Whitehouse brought this change] - - multi: alter transfer timeout ordering - - - Check whether a connection has succeded before checking whether it's - timed out. - - This means if we've connected quickly, but subsequently been - descheduled, we allow the connection to succeed. Note, if we timeout, - but between checking the timeout, and connecting to the server the - connection succeeds, we will allow it to go ahead. This is viewed as - an acceptable trade off. - - - Add additional failf logging around failed connection attempts to - propogate the cause up to the caller. - - Co-Authored-by: Martin Howarth - Closes #7178 - -- test677: IMAP CONNECT_ONLY, custom command and then exit - - Adjusted ftpserver.pl to add support for the IMAP IDLE command - - Adjusted test 660 to sync with the fix - -- multi: do not switch off connect_only flag when closing - - ... as it made protocol specific disconnect commands wrongly get used. - - Bug: https://curl.se/mail/lib-2021-06/0024.html - Reported-by: Aleksander Mazur - Closes #7288 - -- http: make the haproxy support work with unix domain sockets - - ... it should then pass on "PROXY UNKNOWN" since it doesn't know the - involved IP addresses. - - Reported-by: Valentín Gutiérrez - Fixes #7290 - Closes #7291 - -- [Xiang Xiao brought this change] - - curl.h: include sys/select.h for NuttX RTOS - - Closes #7287 - -- [Bin Meng brought this change] - - curl.h: remove the execution bit - - The execution bit of curl.h file was wrongly added: - - commit 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7") - - and should be removed. - - Follow-up to 2621025d6f96 ("curl.h: <sys/select.h> is supported by VxWorks7") - Signed-off-by: Bin Meng <bmeng.cn@gmail.com> - Closes #7286 - -- [Bin Lan brought this change] - - curl.h: <sys/select.h> is supported by VxWorks7 - - Closes #7285 - -- [Bachue Zhou brought this change] - - quiche: use send() instead of sendto() to avoid macOS issue - - sendto() always returns "Socket is already connected" error on macos - - Closes #7260 - -- [Li Xinwei brought this change] - - cmake: fix support for UnixSockets feature on Win32 - - Move the definition of sockaddr_un struct from config-win32.h to - curl_setup.h, so that it could be shared by all build systems. - - Add ADDRESS_FAMILY typedef for old mingw, now old mingw can also use - unix sockets. - - Also fix the build of tests/server/sws.c on Win32 when USE_UNIX_SOCKETS - is defined. - - Closes #7034 - -- [Gregory Muchka brought this change] - - hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies - - From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A - dictionary of key-value pairs that represent the current internet proxy - settings, or NULL if no proxy settings have been defined or if an error - occurred. You must release the returned value." - - Failure to release the returned value of SCDynamicStoreCopyProxies can - result in a memory leak. - - Source: https://developer.apple.com/documentation/systemconfiguration/1517088-scdynamicstorecopyproxies - - Closes #7265 - -- RELEASE-NOTES: synced - -Jay Satiro (21 Jun 2021) -- vtls: fix warning due to function prototype mismatch - - b09c8ee changed the function prototype. Caught by Visual Studio. - -- curl_multibyte: Remove local encoding fallbacks - - - If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then - no longer fall back to assuming the string is in a local encoding. - - Background: - - Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to - pass to the Windows CRT API wide-character functions since in Windows - UTF-8 is not a valid locale (or at least 99% of the time right now). - - Prior to this change if the Unicode encoding conversion failed then - libcurl would assume, for backwards compatibility with applications that - may have written their code for non-Unicode builds, attempt to convert - the string from local encoding to UTF-16. - - That type of "best effort" could theoretically cause some type of - security or other problem if a string that was locally encoded was also - valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion - could occur. - - Ref: https://github.com/curl/curl/pull/7246 - - Closes https://github.com/curl/curl/pull/7257 - -Daniel Stenberg (20 Jun 2021) -- curl_endian: remove the unused Curl_write64_le function - - The last usage was removed in cca455a36 - - Closes #7280 - -- vtls: only store TIMER_APPCONNECT for non-proxy connect - - Introducing a 'isproxy' argument to the connect function so that it - knows wether to store the time stamp or not. - - Reported-by: Yongkang Huang - Fixes #7274 - Closes #7274 - -- gnutls: set the preferred TLS versions in correct order - - Regression since 781864bedbc57 (curl 7.77.0) - - Reported-by: civodul on github - Assisted-by: Nikos Mavrogiannopoulos - Fixes #7277 - Closes #7278 - -- [Gergely Nagy brought this change] - - configure/cmake: remove checks for unused gethostbyaddr and gethostbyaddr_r - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove checks for unused inet_ntoa and inet_ntoa_r - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove unused define HAVE_PERROR - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure: remove unused check for gai_strerror - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove unused define HAVE_FREEIFADDRS - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove unused define HAVE_FORK - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove unused define HAVE_FDOPEN - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove checks for unused sgtty.h - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove remaining checks for rsa.h - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove remaining checks for err.h - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove remaining checks for crypto.h - - Closes #7276 - -- [Gergely Nagy brought this change] - - configure/cmake: remove checks for unused getservbyport_r - - Closes #7276 - -- --socks4[a]: clarify where the host name is resolved - - Closes #7273 - -- libcurl-security.3: mention file descriptors and forks - - ... and move the security report section last. - - Reported-by: Harry Sintonen - Closes #7270 - -- [Alex Xu (Hello71) brought this change] - - configure.ac: make non-executable - - it needs to be processed by autoconf or autoreconf, and doesn't have a - suitable shebang to be directly executed. other projects normally set - configure.ac -x. - - Closes #7272 - -- configure: do not strip out debug flags - - To allow users to set them when invoking configure without using - --with-debug. - - Reported-by: Alex Xu - Fixes #7216 - Closes #7267 - -- libssh2: limit time a disconnect can take to 1 second - - Closes #7271 - -- TLS: prevent shutdown loops to get stuck - - ... by making sure the loops are only allowed to read the shutdown - traffic a limited number of times. - - Reported-by: Harry Sintonen - Closes #7271 - -- hyper: propagate errors back up from read callbacks - - Makes test 513 work with hyper - - Closes #7266 - -- KNOWN_BUGS: Negotiate on Windows fails - - Closes #5881 - -- KNOWN_BUGS: renames instead of locking for atomic operations - - Closes #6882 - Closes #6884 - -- zuul: add two missing CI jobs - - ... that were configured, just not run - - Closes #7261 - -Viktor Szakats (15 Jun 2021) -- idn: fix libidn2 with windows unicode builds - - Unicode Windows builds use UTF-8 strings internally in libcurl, - so make sure to call the UTF-8 flavour of the libidn2 API. Also - document that Windows builds with libidn2 and UNICODE do expect - CURLOPT_URL as an UTF-8 string. - - Reported-by: dEajL3kA on github - Assisted-by: Jay Satiro - Reviewed-by: Marcel Raad - Closes #7246 - Fixes #7228 - -Daniel Stenberg (15 Jun 2021) -- curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE - - They were never officially allowed and slipped in only due to sloppy - parsing. Spaces (ascii 32) should be correctly encoded (to %20) before - being part of a URL. - - The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl - allow spaces. - - Updated test 1560 to verify. - - Closes #7073 - -- RELEASE-NOTES: synced - - ... and bump to version 7.78.0 for the next planned release. - -Jay Satiro (15 Jun 2021) -- docs: Remove outdated curl tool limitation - - - Document that HTTP/2 multiplexing is supported by the curl tool when - parallel transfers are used. - - Supported since 7.66.0 via --parallel, but the doc wasn't updated. - - Closes https://github.com/curl/curl/pull/7259 - -- http2: Clarify 'Using HTTP2' verbose message - - - Change phrasing from multi-use to multiplexing since the former may - not be as well understood. - - Before: * Using HTTP2, server supports multi-use - - After: * Using HTTP2, server supports multiplexing - - Bug: https://github.com/curl/curl/discussions/7255 - Reported-by: David Hu - - Closes https://github.com/curl/curl/pull/7258 - -Daniel Stenberg (14 Jun 2021) -- winbuild/README: VC should be set to 6 'or larger' - - Previously it listed all versions up to 15 (missing 16) but this new - phrasing is more open ended. - - Reported-by: Hugh Macdonald - Fixes #7253 - Closes #7254 - -- [Jacob Hoffman-Andrews brought this change] - - rustls: remove native_roots fallback - - For the commandline tool, we expect to be passed - SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of - trusted roots (like in other TLS backends). - - This also removes a dependency on Security.framework when building on - macOS. - - Closes #7250 - -- [Albin Vass brought this change] - - travis: remove jobs that have migrated to zuul - - Closes #7245 - -- [Mohammed Naser brought this change] - - CI: add jobs using Zuul - - It also includes a few changes to get the builds going: - - Added autoconf to common dependencies - - Added automake to common dependencies - - Added libtool to common dependencies - - Added libssl-dev to common dependencies - - Co-authored-by: Albin Vass - - Closes #7245 - -- netrc: skip 'macdef' definitions - - Add test 494 to verify - - Reported-by: Harry Sintonen - Fixes #7238 - Closes #7244 - -- multi: add scan-build-6 work-around in curl_multi_fdset - - scan-build-6 otherwise warns, saying: warning: The left operand of '>=' - is a garbage value otherwise, which is false. - - Later scan-builds don't claim this on the same code. - - Closes #7248 |