                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.65.3 (19 Jul 2019)

Daniel Stenberg (19 Jul 2019)
- RELEASE-NOTES: 7.65.3

- THANKS: 7.65.3 status

- progress: make the progress meter appear again

  Fix regression caused by 21080e1

  Reported-by: Chih-Hsuan Yen
  Fixes #4122
  Closes #4124

- version: bump to 7.65.3

- RELEASE-NOTES: Contributors are now 1990

Version 7.65.2 (17 Jul 2019)

Daniel Stenberg (17 Jul 2019)
- RELEASE-NOTES: 7.65.2

- THANKS: add contributors from 7.65.2

Jay Satiro (17 Jul 2019)
- [aasivov brought this change]

  cmake: Fix finding Brotli on case-sensitive file systems

  - Find package "Brotli" instead of "BROTLI" since the former is the casing
    used for CMake/FindBrotli.cmake, and otherwise find_package may fail on a
    case-sensitive file system.

  Fixes https://github.com/curl/curl/issues/4117

- CURLOPT_RANGE.3: Caution against using it for HTTP PUT

  AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've
  cautioned against using it for that purpose and included a workaround.

  Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html
  Reported-by: Christopher Head

  Closes https://github.com/curl/curl/issues/3814

- [Stefano Simonelli brought this change]

  CURLOPT_SEEKDATA.3: fix variable name

  Closes https://github.com/curl/curl/pull/4118

- [georgeok brought this change]

  CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH

  If the SSL backend is Schannel and the user specifies an Schannel CALG_
  that is not supported by the protocol or the server then curl returns
  CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH.

  Fixes https://github.com/curl/curl/issues/3389
  Closes https://github.com/curl/curl/pull/4106

- [Daniel Gustafsson brought this change]

  nss: inspect returnvalue of token check

  PK11_IsPresent() checks for the token for the given slot is available,
  and sets needlogin flags for the PK11_Authenticate() call.
  Should it return false, we should however treat it as an error and bail
  out.

  Closes https://github.com/curl/curl/pull/4110

- docs: Explain behavior change in --tlsv1. options since 7.54

  Since 7.54 --tlsv1. options use the specified version or later, however
  older versions of curl documented it as using just the specified version
  which may or may not have happened depending on the TLS library. Document
  this discrepancy to allay confusion for users familiar with the old
  documentation that expect just the specified version.

  Fixes https://github.com/curl/curl/issues/4097
  Closes https://github.com/curl/curl/pull/4119

- libcurl: Restrict redirect schemes (follow-up)

  - Allow FTPS on redirect.

  - Update default allowed redirect protocols in documentation.

  Follow-up to 6080ea0.

  Ref: https://github.com/curl/curl/pull/4094

  Closes https://github.com/curl/curl/pull/4115

Daniel Stenberg (16 Jul 2019)
- test1173: make it also check all libcurl option man pages

  ... and adjust those that cause errors

  Closes #4116

- curl: only accept COLUMNS less than 10000

  ... as larger values would rather indicate something silly (and could
  potentially cause buffer problems).

  Reported-by: pendrek at hackerone
  Closes #4114

- dist: add manpage-syntax.pl

  follow-up to 7fb66c403

- test1173: detect some basic man page format mistakes

  Triggered by PR #4111

  Closes #4113

Jay Satiro (15 Jul 2019)
- [Bjarni Ingi Gislason brought this change]

  docs: Fix missing lines caused by undefined macros

  - Escape apostrophes at line start.

  Some lines begin with a "'" (apostrophe, single quote), which is then
  interpreted as a control character in *roff.

  Such lines are interpreted as being a call to a macro, and if undefined,
  the lines are removed from the output.

  Bug: https://bugs.debian.org/926352
  Signed-off-by: Bjarni Ingi Gislason
  Submitted-by: Alessandro Ghedini

  Closes https://github.com/curl/curl/pull/4111

Daniel Stenberg (14 Jul 2019)
- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults

  follow-up to 6080ea098

- [Linos Giannopoulos brought this change]

  libcurl: Add testcase for gopher redirects

  The testcase ensures that redirects to CURLPROTO_GOPHER won't be
  allowed, by default, in the future. Also, curl is being used
  for convenience while keeping the testcases DRY.

  The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is
  redirected to CURLPROTO_GOPHER

  Signed-off-by: Linos Giannopoulos

- [Linos Giannopoulos brought this change]

  libcurl: Restrict redirect schemes

  All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
  counterpart were allowed for redirect. This vastly broadens the
  exploitation surface in case of a vulnerability such as SSRF [1], where
  libcurl-based clients are forced to make requests to arbitrary hosts.

  For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
  protocol by URL-encoding a payload in the URI. Gopher will open a TCP
  connection and send the payload.

  Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
  explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

  [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
  Signed-off-by: Linos Giannopoulos

  Closes #4094

- [Zenju brought this change]

  openssl: define HAVE_SSL_GET_SHUTDOWN based on version number

  Closes #4100

- [Peter Simonyi brought this change]

  http: allow overriding timecond with custom header

  With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
  If-Modified-Since). Allow this to be replaced or suppressed with
  CURLOPT_HTTPHEADER.

  Fixes #4103
  Closes #4109

Jay Satiro (11 Jul 2019)
- [Juergen Hoetzel brought this change]

  smb: Use the correct error code for access denied on file open

  - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.

  Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.

  Closes https://github.com/curl/curl/pull/4095

- [Daniel Gustafsson brought this change]

  DEPRECATE: fixup versions and spelling

  Correctly set the July 17 version to 7.65.2, and update spelling to
  be consistent. Also fix a typo.

  Closes https://github.com/curl/curl/pull/4107

- [Gisle Vanem brought this change]

  system_win32: fix clang warning

  - Declare variable in header as extern.

  Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597

Daniel Gustafsson (10 Jul 2019)
- headers: Remove no longer exported functions

  There were a leftover few prototypes of Curl_ functions that we used
  to export but no longer do, this removes those prototypes and cleans
  up any comments still referring to them.

  Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free()
  Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn()
  were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c.
  Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3.
  For the remainder, I didn't trawl the Git logs hard enough to capture
  their exact time of deletion, but they were all gone: Curl_splayprint(),
  Curl_http2_send_request(), Curl_global_host_cache_dtor(),
  Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(),
  Curl_http_auth_stage() and Curl_close_connections().

  Closes #4096
  Reviewed-by: Daniel Stenberg

- CMake: fix typos and spelling

- [Kyle Edwards brought this change]

  CMake: Convert errant elseif() to else()

  CMake interprets an elseif() with no arguments as elseif(FALSE),
  resulting in the elseif() block not being executed. That is not what
  was intended here. Change the empty elseif() to an else() as it was
  intended.

  Closes #4101
  Reported-by: Artalus
  Reviewed-by: Daniel Gustafsson

- buildconf: fix header filename

  The header file inclusion had a typo, it should be .h and not .hd.
  Fix by renaming.

  Fixes #4102
  Reported-by: AceCrow on Github

- [Jan Chren brought this change]

  configure: fix --disable-code-coverage

  This fixes the case when --disable-code-coverage supplied to ./configure
  would result in coverage="yes" being set.

  Closes #4099
  Reviewed-by: Daniel Gustafsson

- cleanup: fix typo in comment

- RELEASE-NOTES: synced

Jay Satiro (6 Jul 2019)
- [Daniel Gustafsson brought this change]

  nss: support using libnss on macOS

  The file suffix for dynamically loadable objects on macOS is .dylib,
  which need to be added for the module definitions in order to get the
  NSS TLS backend to work properly on macOS.

  Closes https://github.com/curl/curl/pull/4046

- [Daniel Gustafsson brought this change]

  nss: don't set unused parameter

  The value of the maxPTDs parameter to PR_Init() has since at least
  NSPR 2.1, which was released sometime in 1998, been marked ignored
  as is accordingly not used in the initialization code. Setting it
  to a value when calling PR_Init() is thus benign, but indicates an
  intent which may be misleading. Reset the value to zero to improve
  clarity.
  Closes https://github.com/curl/curl/pull/4054

- [Daniel Gustafsson brought this change]

  nss: only cache valid CRL entries

  Change the logic around such that we only keep CRLs that NSS actually
  ended up caching around for later deletion. If CERT_CacheCRL() fails
  then there is little point in delaying the freeing of the CRL as it
  is not used.

  Closes https://github.com/curl/curl/pull/4053

- [Gergely Nagy brought this change]

  lib: Use UTF-8 encoding in comments

  Some editors and IDEs assume that source files use UTF-8 file encodings.
  It also fixes the build with MSVC when /utf-8 command line option is
  used (this option is mandatory for some other open-source projects,
  this is useful when using the same options is desired for building all
  libraries of a project).

  Closes https://github.com/curl/curl/pull/4087

- [Caleb Raitto brought this change]

  CURLOPT_HEADEROPT.3: Fix example

  Fix an issue where example builds a curl_slist, but fails to actually
  use it, or free it.

  Closes https://github.com/curl/curl/pull/4090

- [Shankar Jadhavar brought this change]

  winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG

  - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored.

  - Also removed some ^M chars from file.

  Prior to this change while building on Windows platform even if we pass
  the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does not
  set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag.

  Closes https://github.com/curl/curl/pull/4086

Daniel Stenberg (4 Jul 2019)
- doh-url.d: added in 7.62.0

Jay Satiro (30 Jun 2019)
- docs: Fix links to OpenSSL docs

  OpenSSL changed their manual locations and does not redirect to the new
  locations.

  Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
  Reported-by: Daniel Stenberg

Daniel Stenberg (26 Jun 2019)
- [Gaël PORTAY brought this change]

  curl_multi_wait.3: escape backslash in example

  The backslash in the character Line Feed must be escaped.
  The current man-page outputs the code as following:

      fprintf(stderr, "curl_multi failed, code %d.0, mc);

  The commit fixes it as follow:

      fprintf(stderr, "curl_multi failed, code %d\n", mc);

  Closes #4079

- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined

  ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
  built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
  UWP (with "VC-WIN32-UWP").

  Reported-by: Vasily Lobaskin
  Fixes #4073
  Closes #4077

- test1521: adapt to SLISTPOINT

  The header now has the slist-using options marked as SLISTPOINT so this
  makes sure test 1521 understands that.

  Follow-up to ae99b4de1c443ae989

  Closes #4074

- win32: make DLL loading a no-op for UWP

  Reported-by: Michael Brehm
  Fixes #4060
  Closes #4072

- [1ocalhost brought this change]

  configure: fix typo '--disable-http-uath'

  Closes #4076

- [Niklas Hambüchen brought this change]

  docs: fix string suggesting HTTP/2 is not the default

  Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the
  man page that new default is mentioned, but the section at the top
  contradicted it until now.

  Also remove claim that setting the HTTP version is not sensible.

  Closes #4075

- RELEASE-NOTES: synced

- [Stephan Szabo brought this change]

  tests: update fixed IP for hostip/clientip split

  These tests give differences for me on linux when using a hostip
  pointing to the external ip address for the local machine.

  Closes #4070

Daniel Gustafsson (24 Jun 2019)
- http: clarify header buffer size calculation

  The header buffer size calculation can from static analysis seem to
  overflow as it performs an addition between two size_t variables and
  stores the result in a size_t variable. Overflow is however guarded
  against elsewhere since the input to the addition is regulated by
  the maximum read buffer size. Clarify this with a comment since the
  question was asked.
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (24 Jun 2019)
- KNOWN_BUGS: Don't clear digest for single realm

  Closes #3267

- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname

  Closes #3284

- http2: call done_sending on end of upload

  To make sure a HTTP/2 stream registers the end of stream.

  Bug #4043 made me find this problem but this fix doesn't correct the
  reported issue.

  Closes #4068

- [James Brown brought this change]

  c-ares: honor port numbers in CURLOPT_DNS_SERVERS

  By using ares_set_servers_ports_csv on new enough c-ares.

  Fixes #4066
  Closes #4067

Daniel Gustafsson (24 Jun 2019)
- CURLMOPT_SOCKETFUNCTION.3: fix typo

Daniel Stenberg (24 Jun 2019)
- [Koen Dergent brought this change]

  curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds

  Closes #4061

- test153: fix content-length to avoid occasional hang

  Closes #4065

- RELEASE-NOTES: synced

- multi: enable multiplexing by default (again)

  It was originally made default in d7c4213bd0c (7.62.0) but mistakenly
  reverted in commit 2f44e94efb3d (7.65.0). Now enabled again.

  Closes #4051

- typecheck: add 3 missing strings and a callback data pointer

  Closes #4050

- tests: add disable-scan.pl to dist

  follow-up from 29177f422a5

  Closes #4059

- http2: don't call stream-close on already closed streams

  Closes #4055

Marcel Raad (20 Jun 2019)
- travis: enable alt-svc for coverage build

  Closes

- travis: enable libssh2 for coverage build

  It was enabled by default before commit c92d2e14cfb.

  Disable torture tests 600 and 601 because of
  https://github.com/curl/curl/issues/1678.

  Closes

- travis: disable threaded resolver for coverage build

  This enables more tests.

  Closes

- travis: enable brotli for all xenial jobs

  There's no need for a separate job, and no need to build it from source
  with Xenial.
  Closes

- travis: enable warnings-as-errors for coverage build

  Closes

GitHub (20 Jun 2019)
- [Gisle Vanem brought this change]

  system_win32: fix typo

Daniel Stenberg (20 Jun 2019)
- typecheck: CURLOPT_CONNECT_TO takes an slist too

  Additionally, add an alias in curl.h for slist-using options so that
  we can grep/parse those out at will.

  Closes #4042

- [Stephan Szabo brought this change]

  tests: support non-localhost HOSTIP for dict/smb servers

  smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for
  binding the server which when we were running the tests with a separate
  HOSTIP and CLIENTIP had failures verifying the server from the device we
  were testing.

  This changes them to take the address from runtests.py and default to
  localhost/127.0.0.1 if none is given.

  Closes #4048

- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT

- configure: --disable-progress-meter

  Builds libcurl without support for the built-in progress meter.

  Closes #4023

- curl: improved skip-setopt-options when built with disabled features

  Reduces #ifdefs in src/tool_operate.c

  Follow-up from 4e86f2fc4e6

  Closes #3936

Steve Holme (18 Jun 2019)
- netrc: Return the correct error code when out of memory

  Introduced in 763c5178.

  Closes #4036

Daniel Stenberg (18 Jun 2019)
- config-os400: add getpeername and getsockname defines

  Reported-by: jonrumsey on github
  Fixes #4037
  Closes #4039

- runtests: keep logfiles around by default

  Make '-k' a no-op. The singletest function now clears the log directory
  BEFORE each individual test and not after, which makes it possible to
  always keep the logfiles around after a test has been run. No need to
  specify -k anymore. Keeping the option parsing around to work with users
  of old habits.

  Some tests also didn't work properly when -k was used (since the old
  logs would be kept when a new test starts) which this change also fixes.
  Closes #4035

- [Gergely Nagy brought this change]

  openssl: fix pubkey/signature algorithm detection in certinfo

  Certinfo gives the same result for all OpenSSL versions.
  Also made printing RSA pubkeys consistent with older versions.

  Reported-by: Michael Wallner
  Fixes #3706
  Closes #4030

- conn_maxage: move the check to prune_dead_connections()

  ... and avoid the locking issue.

  Reported-by: Kunal Ekawde
  Fixes #4029
  Closes #4032

- tests: have runtests figure out disabled features

  ... so that runtests can skip individual test cases that test features
  that are explicitly disabled in this build. This new logic is intended
  for disabled features that aren't otherwise easily visible through the
  curl_version_info() or other API calls.

  tests/server/disabled is a newly built executable that will output a
  list of disabled features. Outputs nothing for a default build.

  Closes #3950

- test188/189: fix Content-Length

  This cures the flaky test results

  Closes #4034

- [Thomas Gamper brought this change]

  winbuild: use WITH_PREFIX if given

  Closes #4031

Daniel Gustafsson (17 Jun 2019)
- openssl: remove outdated comment

  OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
  which is why we switched to CONF_modules_load_file() and introduced
  a comment stating why. This behavior was however changed in OpenSSL
  commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
  outdated and incorrect comment. The mentioned commit also declares
  OPENSSL_config() deprecated so keep the current coding.

  Closes #4033
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (16 Jun 2019)
- RELEASE-NOTES: synced

Patrick Monnerat (16 Jun 2019)
- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.

  Use it in curl_easy_setopt_ccsid().

  Reported-by: jonrumsey on github
  Fixes #3833
  Closes #4028

Daniel Stenberg (15 Jun 2019)
- runtests: report single test time + total duration

  ... after each successful test.
  Closes #4027

- multi: fix the transfer hash function

  Follow-up from 8b987cc7eb

  Reported-by: Tom van der Woerdt
  Fixes #4018
  Closes #4024

- unit1654: cleanup on memory failure

  ... to make it handle torture tests properly.

  Reported-by: Marcel Raad
  Fixes #4021
  Closes #4022

Marcel Raad (13 Jun 2019)
- krb5: fix compiler warning

  Even though the variable was used in a DEBUGASSERT, GCC 8 warned in
  debug mode:
  krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable]

  Just suppress the warning and declare the variable unconditionally
  instead of only for DEBUGBUILD (which also missed the check for
  HAVE_ASSERT_H).

  Closes https://github.com/curl/curl/pull/4020

Daniel Stenberg (13 Jun 2019)
- quote.d: asterisk prefix works for SFTP as well

  Reported-by: Ben Voris
  Fixes #4017
  Closes #4019

- multi: fix the transfer hashes in the socket hash entries

  - The transfer hashes weren't using the correct keys so removing entries
    failed.

  - Simplified the iteration logic over transfers sharing the same socket
    and they now simply are set to expire and thus get handled in the
    "regular" timer loop instead.

  Reported-by: Tom van der Woerdt
  Fixes #4012
  Closes #4014

Jay Satiro (12 Jun 2019)
- [Cliff Crosland brought this change]

  url: Fix CURLOPT_MAXAGE_CONN time comparison

  Old connections are meant to expire from the connection cache after
  CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x
  that value. This occurs because a time value measured in milliseconds is
  accidentally divided by 1M instead of by 1,000.

  Closes https://github.com/curl/curl/pull/4013

Daniel Stenberg (11 Jun 2019)
- test1165: verify that CURL_DISABLE_ symbols are in sync

  between configure.ac and source code. They should be possible to switch
  on/off in configure AND be used in source code.

- configure: remove CURL_DISABLE_TLS_SRP

  It isn't used by code so stop providing the define.
  Closes #4010

- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified"

  This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938.

  Apparently several of the appveyor windows builds broke.

- [sergey-raevskiy brought this change]

  cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified

  Reviewed-by: Jakub Zakrzewski
  Closes #3770

- RELEASE-NOTES: synced

- http2: remove CURL_DISABLE_TYPECHECK define

  ... in http2-less builds as it served no use.

- configure: more --disable switches to toggle off individual features

  ... actual support in the code for disabling these has already landed.

  Closes #4009

- wolfssl: fix key pinning build error

  follow-up from deb9462ff2de8

- CURLMOPT_SOCKETFUNCTION.3: clarified

  Moved away the callback explanation from curl_multi_socket_action.3 and
  expanded it somewhat.

  Closes #4006

- wolfssl: fixup for SNI use

  follow-up from deb9462ff2de8

  Closes #4007

- CURLOPT_CAINFO.3: polished wording

  Clarify the functionality when built to use Schannel and Secure
  Transport and stop calling it the "recommended" or "preferred" way and
  instead rather call it the default.

  Removed the reference to the ssl comparison table as it isn't necessary.

  Reported-by: Richard Alcock
  Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html
  Closes #4005

GitHub (10 Jun 2019)
- [Daniel Stenberg brought this change]

  SECURITY.md: created

  Brief security policy description for use/display on github.

Daniel Gustafsson (10 Jun 2019)
- tool_cb_prg: Fix integer overflow in progress bar

  Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar
  width calculation to avoid integer overflow, but failed to account for
  the fact that initial_size is initialized to -1 when the file size is
  retrieved from the remote on an upload, causing another signed integer
  overflow. Fix by separately checking for this case before the width
  calculation.
  Closes #3984
  Reported-by: Brian Carpenter (Geeknik Labs)
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (10 Jun 2019)
- wolfssl: refer to it as wolfSSL only

  Remove support for, references to and use of "cyaSSL" from the source
  and docs. wolfSSL is the current name and there's no point in keeping
  references to ancient history.

  Assisted-by: Daniel Gustafsson

  Closes #3903

- RELEASE-NOTES: synced

- bindlocal: detect and avoid IP version mismatches in bind()

  Reported-by: Alex Grebenschikov
  Fixes #3993
  Closes #4002

- multi: make sure 'data' can present in several sockhash entries

  Since more than one socket can be used by each transfer at a given time,
  each sockhash entry now has its own hash table with transfers using that
  socket.

  In addition, the sockhash entry can now be marked 'blocked = TRUE'
  which then makes the delete function just set 'removed = TRUE' instead
  of removing it "for real", as a way to not rip out the carpet under the
  feet of a parent function that iterates over the transfers of that same
  sockhash entry.

  Reported-by: Tom van der Woerdt
  Fixes #3961
  Fixes #3986
  Fixes #3995
  Fixes #4004
  Closes #3997

- [Sorcus brought this change]

  libcurl-tutorial.3: Fix small typo (mutipart -> multipart)

  Fixed-by: MrSorcus on github
  Closes #4000

- unpause: trigger a timeout for event-based transfers

  ... so that timeouts or other state machine actions get going again
  after a changing pause state. For example, if the last delivery was
  paused there's no pending socket activity.

  Reported-by: sstruchtrup on github
  Fixes #3994
  Closes #4001

Marcel Raad (9 Jun 2019)
- travis: use xenial LLVM package for scan-build

  I missed that in commit 99a49d6.

- travis: update scan-build job to xenial

  Closes https://github.com/curl/curl/pull/3999

Daniel Stenberg (8 Jun 2019)
- bump: start working on 7.65.2

Marcel Raad (5 Jun 2019)
- examples/htmltitle: use C++ casts between pointer types

  Compilers and static analyzers warn about using C-style casts here.
  Closes https://github.com/curl/curl/pull/3975

- examples/fopen: fix comparison

  As want is size_t, (file->buffer_pos - want) is unsigned, so checking
  if it's less than zero makes no sense.
  Check if file->buffer_pos is less than want instead to avoid the
  unsigned integer wraparound.

  Closes https://github.com/curl/curl/pull/3975

- build: fix Codacy warnings

  Reduce variable scopes and remove redundant variable stores.

  Closes https://github.com/curl/curl/pull/3975

- sws: remove unused variables

  Unused since commit 2f44e94.

  Closes https://github.com/curl/curl/pull/3975

Version 7.65.1 (4 Jun 2019)

Daniel Stenberg (4 Jun 2019)
- RELEASE-NOTES: 7.65.1

- THANKS: new contributors from 7.65.1

Steve Holme (4 Jun 2019)
- [Frank Gevaerts brought this change]

  ssl: Update outdated "openssl-only" comments for supported backends

  These are for features that used to be openssl-only but were expanded
  over time to support other SSL backends.

  Closes #3985

Daniel Stenberg (4 Jun 2019)
- curl_share_setopt.3: improve wording [ci ship]

  Reported-by: Carlos ORyan

Steve Holme (4 Jun 2019)
- tool_parsecfg: Use correct return type for GetModuleFileName()

  GetModuleFileName() returns a DWORD which is a typedef of an unsigned
  long and not an int.

  Closes #3980

Daniel Stenberg (3 Jun 2019)
- TODO: "at least N milliseconds between requests" [ci skip]

  Suggested-by: dkwolfe4 on github
  Closes #3920

Steve Holme (2 Jun 2019)
- tests/server/.gitignore: Add socksd to the ignore list

  Missed in 04fd6755.

  Closes #3978

- tool_parsecfg: Fix control flow issue (DEADCODE)

  Follow-up to 8144ba38.

  Detected by Coverity CID 1445663
  Closes #3976

Daniel Stenberg (2 Jun 2019)
- [Sergey Ogryzkov brought this change]

  NTLM: reset proxy "multipass" state when CONNECT request is done

  Closes #3972

- test334: verify HTTP 204 response with chunked coding header

  Verifies that a bodyless response don't parse this content-related
  header.
- [Michael Kaufmann brought this change]

  http: don't parse body-related headers bodyless responses

  Responses with status codes 1xx, 204 or 304 don't have a response body.
  For these, don't parse these headers:

  - Content-Encoding
  - Content-Length
  - Content-Range
  - Last-Modified
  - Transfer-Encoding

  This change ensures that HTTP/2 upgrades work even if a
  "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present.

  Co-authored-by: Daniel Stenberg
  Closes #3702
  Fixes #3968
  Closes #3977

- tls13-docs: mention it is only for OpenSSL >= 1.1.1

  Reported-by: Jay Satiro
  Co-authored-by: Jay Satiro
  Fixes #3938
  Closes #3946

- dump-header.d: spell out that no headers == empty file [ci skip]

  Reported-by: wesinator at github
  Fixes #3964
  Closes #3974

- singlesocket: use separate variable for inner loop

  An inner loop within the singlesocket() function wrongly re-used the
  variable for the outer loop which then could cause an infinite
  loop. Change to using a separate variable!

  Reported-by: Eric Wu
  Fixes #3970
  Closes #3973

- RELEASE-NOTES: synced

- [Josie Huddleston brought this change]

  http2: Stop drain from being permanently set on

  Various functions called within Curl_http2_done() can have the
  side-effect of setting the Easy connection into drain mode (by calling
  drain_this()). However, the last time we unset this for a transfer (by
  calling drained_transfer()) is at the beginning of Curl_http2_done().
  If the Curl_easy is reused for another transfer, it is then stuck in
  drain mode permanently, which in practice makes it unable to write any
  data in the new transfer.

  This fix moves the last call to drained_transfer() to later in
  Curl_http2_done(), after the functions that could potentially call for
  a drain.

  Fixes #3966
  Closes #3967
  Reported-by: Josie-H

Steve Holme (29 May 2019)
- conncache: Remove the DEBUGASSERT on length check

  We trust the calling code as this is an internal function.
  Closes #3962

Jay Satiro (29 May 2019)
- [Gisle Vanem brought this change]

  system_win32: fix function prototype

  - Change if_nametoindex parameter type from char * to const char *.

  Follow-up to 09eef8af from this morning.

  Bug: https://github.com/curl/curl/commit/09eef8af#r33716067

Marcel Raad (29 May 2019)
- appveyor: add Visual Studio solution build

  Closes https://github.com/curl/curl/pull/3941

- appveyor: add support for other build systems

  Introduce BUILD_SYSTEM variable, which is currently always CMake.

  Closes https://github.com/curl/curl/pull/3941

Steve Holme (29 May 2019)
- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows

  This fixes the static dependency on iphlpapi.lib and allows curl to
  build for targets prior to Windows Vista.

  This partially reverts 170bd047.

  Fixes #3960
  Closes #3958

Daniel Stenberg (29 May 2019)
- http: fix "error: equality comparison with extraneous parentheses"

- parse_proxy: make sure portptr is initialized

  Reported-by: Benbuck Nason

  fixes #3959

- url: default conn->port to the same as conn->remote_port

  ... so that it has a sensible value when ConnectionExists() is called
  which needs it set to differentiate host "bundles" correctly on port
  number!

  Also, make conncache:hashkey() use correct port for bundles that are
  proxy vs host connections.

  Probably a regression from 7.62.0

  Reported-by: Tom van der Woerdt
  Fixes #3956
  Closes #3957

- conncache: make "bundles" per host name when doing proxy tunnels

  Only HTTP proxy use where multiple host names can be used over the same
  connection should use the proxy host name for bundles.

  Reported-by: Tom van der Woerdt
  Fixes #3951
  Closes #3955

- multi: track users of a socket better

  They need to be removed from the socket hash linked list with more care.

  When sh_delentry() is called to remove a sockethash entry, remove all
  individual transfers from the list first. To enable this, each
  Curl_easy struct now stores a pointer to the sockethash entry to know
  how to remove itself.
  Reported-by: Tom van der Woerdt and Kunal Ekawde

  Fixes #3952
  Fixes #3904
  Closes #3953

Steve Holme (28 May 2019)
- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version

  Microsoft added support for Unix Domain Sockets in Windows 10 1803
  (RS4). Rather than expect the user to enable Unix Domain Sockets by
  uncommenting the #define that was added in 0fd6221f we use the RS4
  pre-processor variable that is present in newer versions of the
  Windows SDK.

  Closes #3939

Daniel Stenberg (28 May 2019)
- [Jonas Vautherin brought this change]

  cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables

  Closes #3945

Marcel Raad (27 May 2019)
- HAProxy tests: add keywords

  Add the proxy and haproxy keywords in order to be able to exclude or
  run these specific tests.

  Closes https://github.com/curl/curl/pull/3949

Daniel Stenberg (27 May 2019)
- [Maksim Stsepanenka brought this change]

  tests: make test 1420 and 1406 work with rtsp-disabled libcurl

  Closes #3948

Kamil Dudka (27 May 2019)
- [Hubert Kario brought this change]

  nss: allow to specify TLS 1.3 ciphers if supported by NSS

  Closes #3916

Daniel Stenberg (26 May 2019)
- RELEASE-NOTES: synced

- [Jay Satiro brought this change]

  Revert all SASL authzid (new feature) commits

  - Revert all commits related to the SASL authzid feature since the next
    release will be a patch release, 7.65.1.

  Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined
  for the next release, assuming it would be a feature release 7.66.0.
  However instead the next release will be a patch release, 7.65.1 and
  will not contain any new features.

  After the patch release after the reverted commits can be restored by
  using cherry-pick:

  git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

  Details for all reverted commits:

  Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

  This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a.
  Revert "tests: Fix the line endings for the SASL alt-auth tests"

  This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221.

  Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

  This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75.

  Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

  This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817.

  Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

  This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177.

- [dbrowndan brought this change]

  FAQ: more minor updates and spelling fixes

  Closes #3937

- RELEASE-NOTES: synced

- sectransp: handle errSSLPeerAuthCompleted from SSLRead()

  Reported-by: smuellerDD on github
  Fixes #3932
  Closes #3933

GitHub (24 May 2019)
- [Gisle Vanem brought this change]

  Fix typo.

Daniel Stenberg (23 May 2019)
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()

  Reported-by: Marcel Raad
  Fixes #3926
  Closes #3929

Steve Holme (23 May 2019)
- winbuild: Use two space indentation

  Closes #3930

GitHub (23 May 2019)
- [Gisle Vanem brought this change]

  tool_parse_cfg: Avoid 2 fopen() for WIN32

  Using the memdebug.h mem-leak feature, I noticed 2 calls like:
    FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt")
    FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt")

  No need for 'fopen(), 'fclose()' and a 'fopen()' yet again.

Daniel Stenberg (23 May 2019)
- md4: include the mbedtls config.h to get the MD4 info

- md4: build correctly with openssl without MD4

  Reported-by: elsamuko at github
  Fixes #3921
  Closes #3922

Patrick Monnerat (23 May 2019)
- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid().
Daniel Stenberg (23 May 2019) - .github/FUNDING: mention our opencollective "home" [ci skip] Marcel Raad (23 May 2019) - [Zenju brought this change] config-win32: add support for if_nametoindex and getsockname Closes https://github.com/curl/curl/pull/3923 Jay Satiro (23 May 2019) - tests: Fix the line endings for the SASL alt-auth tests - Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to a9499ff from today which added the tests. Ref: https://github.com/curl/curl/pull/3790 Daniel Stenberg (23 May 2019) - url: fix bad #ifdef Regression since e91e48161235272ff485. Reported-by: Tom Greenslade Fixes #3924 Closes #3925 - Revert "progress: CURL_DISABLE_PROGRESS_METER" This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + CURLOPT_LOW_SPEED_TIME Reported-by: Dave Reisner Fixes #3927 Closes #3928 Steve Holme (22 May 2019) - examples: Added SASL PLAIN authorisation identity (authzid) examples - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixed #3653 Closes #3790 Marc Hoersken (22 May 2019) - tests: add support to test against OpenSSH for Windows Testing against OpenSSH for Windows requires v7.7.0.0 or newer due to the use of AllowUsers and DenyUsers. 
For more info see: https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config Daniel Stenberg (22 May 2019) - bump: start on the next release Marcel Raad (22 May 2019) - examples: fix "clarify calculation precedence" warnings Closes https://github.com/curl/curl/pull/3919 - hiperfifo: remove unused variable Closes https://github.com/curl/curl/pull/3919 - examples: remove dead variable stores Closes https://github.com/curl/curl/pull/3919 - examples: reduce variable scopes Closes https://github.com/curl/curl/pull/3919 - http2-download: fix format specifier Closes https://github.com/curl/curl/pull/3919 Daniel Stenberg (22 May 2019) - PolarSSL: deprecate support step 1. Removed from configure. Also removed mentions from most docs. Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html Closes #3888 - configure/cmake: check for if_nametoindex() - adds the check to cmake - fixes the configure check to work for cross-compiled windows builds Closes #3917 - parse_proxy: use the IPv6 zone id if given If the proxy string is given as an IPv6 numerical address with a zone id, make sure to use that for the connect to the proxy. Reported-by: Edmond Yu Fixes #3482 Closes #3918 Version 7.65.0 (22 May 2019) Daniel Stenberg (22 May 2019) - RELEASE-NOTES: 7.65.0 release - THANKS: from the 7.65.0 release-notes - url: convert the zone id from a IPv6 URL to correct scope id Reported-by: GitYuanQu on github Fixes #3902 Closes #3914 - configure: detect getsockname and getpeername on windows too Made detection macros for these two functions in the same style as other functions possibly in winsock in the hope this will work better to detect these functions when cross-compiling for Windows. Follow-up to e91e4816123 Fixes #3913 Closes #3915 Marcel Raad (21 May 2019) - examples: remove unused variables Fixes Codacy/CppCheck warnings. 
Closes Daniel Gustafsson (21 May 2019) - udpateconninfo: mark variable unused When compiling without getpeername() or getsockname(), the sockfd parameter to Curl_udpateconninfo() became unused after commit e91e481612 added ifdef guards. Closes #3910 Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 Reviewed-by: Marcel Raad, Daniel Stenberg - ftp: move ftp_ccc in under featureflag Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under the FTP featureflag in the UserDefined struct, but vtls callsites were still using it unprotected. Closes #3912 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 Reviewed-by: Daniel Stenberg, Marcel Raad Daniel Stenberg (20 May 2019) - curl: report error for "--no-" on non-boolean options Reported-by: Olen Andoni Fixes #3906 Closes #3907 - [Guy Poizat brought this change] mbedtls: enable use of EC keys Closes #3892 - lib1560: add tests for parsing URL with too long scheme Ref: #3905 - [Omar Ramadan brought this change] urlapi: increase supported scheme length to 40 bytes The longest currently registered URI scheme at IANA is 36 bytes long. Closes #3905 Closes #3900 Marcel Raad (20 May 2019) - lib: reduce variable scopes Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872 - tool_formparse: remove redundant assignment Just initialize word_begin with the correct value. Closes https://github.com/curl/curl/pull/3873 - ssh: move variable declaration to where it's used This way, we need only one call to free. Closes https://github.com/curl/curl/pull/3873 - ssh-libssh: remove unused variable sock was only used to be assigned to fd_read. 
Closes https://github.com/curl/curl/pull/3873 Daniel Stenberg (20 May 2019) - test332: verify the blksize fix - tftp: use the current blksize for recvfrom() bug: https://curl.haxx.se/docs/CVE-2019-5436.html Reported-by: l00p3r on hackerone CVE-2019-5436 Daniel Gustafsson (19 May 2019) - version: make ssl_version buffer match for multi_ssl When running a multi TLS backend build the version string needs more buffer space. Make the internal ssl_buffer stack buffer match the one in Curl_multissl_version() to allow for the longer string. For single TLS backend builds there is no use in extended to buffer. This is a fallout from #3863 which fixes up the multi_ssl string generation to avoid a buffer overflow when the buffer is too small. Closes #3875 Reviewed-by: Daniel Stenberg Steve Holme (18 May 2019) - http_ntlm_wb: Handle auth for only a single request Currently when the server responds with 401 on NTLM authenticated connection (re-used) we consider it to have failed. However this is legitimate and may happen when for example IIS is configured to 'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header). Implemented by employing an additional state once a connection is re-used to indicate that if we receive 401 we need to restart authentication. Missed in fe6049f0. - http_ntlm_wb: Cleanup handshake after clean NTLM failure Missed in 50b87c4e. - http_ntlm_wb: Return the correct error on receiving an empty auth message Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. 
Closes #3894 Daniel Stenberg (18 May 2019) - curl: make code work with protocol-disabled libcurl Closes #3844 - libcurl: #ifdef away more code for disabled features/protocols - progress: CURL_DISABLE_PROGRESS_METER - hostip: CURL_DISABLE_SHUFFLE_DNS - netrc: CURL_DISABLE_NETRC Viktor Szakats (16 May 2019) - docs: Markdown and misc improvements [ci skip] Approved-by: Daniel Stenberg Closes #3896 - docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 Approved-by: Daniel Stenberg Closes #3895 Daniel Stenberg (16 May 2019) - travis: add an osx http-only build Closes #3887 - cleanup: remove FIXME and TODO comments They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883 - curl: don't set FTP options for FTP-disabled builds ... since libcurl has started to be totally unaware of options for disabled protocols they now return error. Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 Reported-by: Marcel Raad Closes #3886 Steve Holme (16 May 2019) - http_ntlm_wb: Move the type-2 message processing into a dedicated function This brings the code inline with the other HTTP authentication mechanisms. Closes #3890 Daniel Stenberg (15 May 2019) - RELEASE-NOTES: synced - docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] Reported-by: Roy Bellingan Bug: #3885 - parse_proxy: use the URL parser API As we treat a given proxy as a URL we should use the unified URL parser to extract the parts out of it. 
Closes #3878 Steve Holme (15 May 2019) - http_negotiate: Move the Negotiate state out of the negotiatedata structure Given that this member variable is not used by the SASL based protocols there is no need to have it here. Closes #3882 - http_ntlm: Move the NTLM state out of the ntlmdata structure Given that this member variable is not used by the SASL based protocols there is no need to have it here. - url: Move the negotiate state type into a dedicated enum - url: Remove duplicate clean up of the winbind variables in conn_shutdown() Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior to calling conn_shutdown() and it in turn performs this, there is no need to perform the same action in conn_shutdown(). Closes #3881 Daniel Stenberg (14 May 2019) - urlapi: require a non-zero host name length when parsing URL Updated test 1560 to verify. Closes #3880 - configure: error out if OpenSSL wasn't detected when asked for If --with-ssl is used and configure still couldn't enable SSL this creates an error instead of just silently ignoring the fact. Suggested-by: Isaiah Norton Fixes #3824 Closes #3830 Daniel Gustafsson (14 May 2019) - imap: Fix typo in comment Steve Holme (14 May 2019) - url: Remove unnecessary initialisation from allocate_conn() No need to set variables to zero as calloc() does this for us. Closes #3879 Daniel Stenberg (14 May 2019) - CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] Clues-provided-by: Jay Satiro Clues-provided-by: Jeroen Ooms Fixes #3711 Closes #3874 Daniel Gustafsson (13 May 2019) - vtls: fix potential ssl_buffer stack overflow In Curl_multissl_version() it was possible to overflow the passed in buffer if the generated version string exceeded the size of the buffer. Fix by inverting the logic, and also make sure to not exceed the local buffer during the string generation. 
Closes #3863 Reported-by: nevv on HackerOne/curl Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg Daniel Stenberg (13 May 2019) - RELEASE-NOTES: synced - appveyor: also build "/ci" branches like travis - pingpong: disable more when no pingpong enabled - proxy: acknowledge DISABLE_PROXY more - parsedate: CURL_DISABLE_PARSEDATE - sasl: only enable if there's a protocol enabled using it - mime: acknowledge CURL_DISABLE_MIME - wildcard: disable from build when FTP isn't present - http: CURL_DISABLE_HTTP_AUTH - base64: build conditionally if there are users - doh: CURL_DISABLE_DOH Steve Holme (12 May 2019) - auth: Rename the various authentication clean up functions For consistency and to avoid confusion. Closes #3869 Daniel Stenberg (12 May 2019) - [Jay Satiro brought this change] docs/INSTALL: fix broken link [ci skip] Reported-by: Joombalaya on github Fixes #3818 Marcel Raad (12 May 2019) - easy: fix another "clarify calculation precedence" warning I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. - build: fix "clarify calculation precedence" warnings Codacy/CppCheck warns about this. Consistently use parentheses as we already do in some places to silence the warning. Closes https://github.com/curl/curl/pull/3866 - cmake: restore C89 compatibility of CurlTests.c I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and 97de97daefc2ed084c91eff34af2426f2e55e134. Reported-by: Viktor Szakats Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 Closes https://github.com/curl/curl/pull/3868 Steve Holme (11 May 2019) - http_ntlm: Corrected the name of the include guard Missed in f0bdd72c. 
Closes #3867 - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled Closes #3861 - http_negotiate: Don't expose functions when HTTP is disabled Daniel Stenberg (11 May 2019) - SECURITY-PROCESS: fix links [ci skip] Marcel Raad (11 May 2019) - CMake: suppress unused variable warnings I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. Daniel Stenberg (11 May 2019) - doh: disable DOH for the cases it doesn't work Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for DOH resolves. This fix disables DOH for those. Limitation added to KNOWN_BUGS. Fixes #3850 Closes #3857 Jay Satiro (11 May 2019) - checksrc.bat: Ignore snprintf warnings in docs/examples .. because we allow snprintf use in docs/examples. Closes https://github.com/curl/curl/pull/3862 Steve Holme (10 May 2019) - vauth: Fix incorrect function description for Curl_auth_user_contains_domain() ...and misalignment of these comments. From a78c61a4. Closes #3860 Jay Satiro (10 May 2019) - Revert "multi: support verbose conncache closure handle" This reverts commit b0972bc. - No longer show verbose output for the conncache closure handle. The offending commit was added so that the conncache closure handle would inherit verbose mode from the user's easy handle. (Note there is no way for the user to set options for the closure handle which is why that was necessary.) Other debug settings such as the debug function were not also inherited since we determined that could lead to crashes if the user's per-handle private data was used on an unexpected handle. The reporter here says he has a debug function to capture the verbose output, and does not expect or want any output to stderr; however because the conncache closure handle does not inherit the debug function the verbose output for that handle does go to stderr. 
There are other plausible scenarios as well such as the user redirects stderr on their handle, which is also not inherited since it could lead to crashes when used on an unexpected handle. Short of allowing the user to set options for the conncache closure handle I don't think there's much we can safely do except no longer inherit the verbose setting. Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html Reported-by: Kristoffer Gleditsch Ref: https://github.com/curl/curl/pull/3598 Ref: https://github.com/curl/curl/pull/3618 Closes https://github.com/curl/curl/pull/3856 Steve Holme (10 May 2019) - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() From 6012fa5a. Closes #3858 Daniel Stenberg (9 May 2019) - BUG-BOUNTY: minor formatting fixes [ci skip] - RELEASE-NOTES: synced - BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] Closes #3839 Kamil Dudka (9 May 2019) - http_negotiate: do not treat failure of gss_init_sec_context() as fatal Fixes #3726 Closes #3849 - spnego_gssapi: fix return code on gss_init_sec_context() failure Fixes #3726 Closes #3849 Steve Holme (9 May 2019) - gen_resp_file.bat: Removed unnecessary @ from all but the first command There is need to use @ on every command once echo has been turned off. Closes #3854 Jay Satiro (8 May 2019) - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to the destination host. We already do something similar for HTTPS proxies by not sending h2. [1] Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would incorrectly use HTTP/2 to talk to the proxy, which is not something we support (yet?). Also it's debatable whether or not that setting should apply to HTTP/2 proxies. 
[1]: https://github.com/curl/curl/commit/17c5d05 Bug: https://github.com/curl/curl/issues/3570 Bug: https://github.com/curl/curl/issues/3832 Closes https://github.com/curl/curl/pull/3853 Marcel Raad (8 May 2019) - travis: update mesalink build to xenial Closes https://github.com/curl/curl/pull/3842 Daniel Stenberg (8 May 2019) - [Ricky Leverence brought this change] OpenSSL: Report -fips in version if OpenSSL is built with FIPS Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1 Closes #3771 Kamil Dudka (7 May 2019) - [Frank Gevaerts brought this change] nss: allow fifos and character devices for certificates. Currently you can do things like --cert <(cat ./cert.crt) with (at least) the openssl backend, but that doesn't work for nss because is_file rejects fifos. I don't actually know if this is sufficient, nss might do things internally (like seeking back) that make this not work, so actual testing is needed. Closes #3807 Daniel Gustafsson (6 May 2019) - test2100: Fix typos in test description Daniel Stenberg (6 May 2019) - ssh: define USE_SSH if SSH is enabled (any backend) Closes #3846 Steve Holme (5 May 2019) - winbuild: Add our standard copyright header to the winbuild batch files - makedebug: Fix ERRORLEVEL detection after running where.exe Closes #3838 Daniel Stenberg (5 May 2019) - urlapi: add CURLUPART_ZONEID to set and get The zoneid can be used with IPv6 numerical addresses. Updated test 1560 to verify. 
Closes #3834 - [Taiyu Len brought this change] WRITEFUNCTION: add missing set_in_callback around callback Closes #3837 - RELEASE-NOTES: synced - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] Reported-by: Ricardo Gomes Bug: #3537 Closes #3836 - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value The time field in the curl_fileinfo struct will always be zero. No code was ever implemented to actually convert the date string to a time_t. Fixes #3829 Closes #3835 - OS400/ccsidcurl.c: code style fixes - OS400/ccsidcurl: replace use of Curl_vsetopt (and make the code style comply) Fixes #3833 - urlapi: strip off scope id from numerical IPv6 addresses ... to make the host name "usable". Store the scope id and put it back when extracting a URL out of it. Also makes curl_url_set() syntax check CURLUPART_HOST. Fixes #3817 Closes #3822 - RELEASE-NOTES: synced - multiif.h: remove unused protos ... for functions related to pipelining. Those functions were removed in 2f44e94efb3df. Closes #3828 - [Yiming Jing brought this change] travis: mesalink: temporarily disable test 3001 ... due to SHA-1 signatures in test certs - [Yiming Jing brought this change] travis: upgrade the MesaLink TLS backend to v1.0.0 Closes #3823 Closes #3776 - ConnectionExists: improve non-multiplexing use case - better log output - make sure multiplex is enabled for it to be used - multi: provide Curl_multiuse_state to update information As soon as a TLS backend gets ALPN confirmation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state. - process_pending_handles: mark queued transfers as previously pending With transfers being queued up, we only move one at a time back to the CONNECT state but now we mark moved transfers so that when a moved transfer is confirmed "successful" (it connected) it will trigger the move of another pending transfer. 
Previously, it would otherwise wait until the transfer was done before doing this. This makes queued up pending transfers get processed (much) faster. - http: mark bundle as not for multiuse on < HTTP/2 response Fixes #3813 Closes #3815 Daniel Gustafsson (1 May 2019) - cookie: Guard against possible NULL ptr deref In case the name pointer isn't set (due to memory pressure most likely) we need to skip the prefix matching and reject with a badcookie to avoid a possible NULL pointer dereference. Closes #3820 #3821 Reported-by: Jonathan Moerman Reviewed-by: Daniel Stenberg Patrick Monnerat (30 Apr 2019) - os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings Kamil Dudka (29 Apr 2019) - nss: provide more specific error messages on failed init Closes #3808 Daniel Stenberg (29 Apr 2019) - [Reed Loden brought this change] docs: minor polish to the bug bounty / security docs Closes #3811 - CURL_MAX_INPUT_LENGTH: largest acceptable string input size This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set(). The 8000000 number is arbitrarily picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over. NOTE: This does not apply to `CURLOPT_POSTFIELDS`. Test 1559 verifies. Closes #3805 - [Tseng Jun brought this change] curlver.h: use parenthesis in CURL_VERSION_BITS macro Closes #3809 Marcel Raad (27 Apr 2019) - [Simon Warta brought this change] cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP Closes https://github.com/curl/curl/pull/3769 Steve Holme (23 Apr 2019) - ntlm: Missed pre-processor || (or) during rebase for cd15acd0 - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 Just like we do for mbed TLS, use our local implementation of MD4 when OpenSSL doesn't support it. 
This allows a type-3 message to include the NT response. Daniel Gustafsson (23 Apr 2019) - INTERNALS: fix misindentation of ToC item Kerberos was incorrectly indented as a subsection under FTP, which is incorrect as they are both top level sections. A fix for this was first attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that was a few paddles short of being complete. - [Aron Bergman brought this change] INTERNALS: Add structs to ToC Add the subsections under "Structs in libcurl" to the table of contents. Reviewed-by: Daniel Stenberg Reviewed-by: Daniel Gustafsson - [Aron Bergman brought this change] INTERNALS: Add code highlighting Make all struct members under the Curl_handler section print in monospace font. Closes #3801 Reviewed-by: Daniel Stenberg Reviewed-by: Daniel Gustafsson Daniel Stenberg (22 Apr 2019) - docs/BUG-BOUNTY: bug bounty time [skip ci] Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. Assisted-by: Daniel Gustafsson Closes #3488 Steve Holme (22 Apr 2019) - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 RFC 4616 specifies the authzid is optional in the client authentication message and that the server will derive the authorisation identity (authzid) from the authentication identity (authcid) when not specified by the client. Jay Satiro (22 Apr 2019) - [Gisle Vanem brought this change] memdebug: fix variable name Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. Ref: https://github.com/curl/curl/commit/76b6348#r33259088 Steve Holme (21 Apr 2019) - vauth/cleartext: Don't send the authzid if it is empty Follow up to 762a292f. Daniel Stenberg (21 Apr 2019) - test 196,197,198: add 'retry' keyword [skip ci] - RELEASE-NOTES: synced - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse ... and disconnect too old ones instead of trying to reuse. 
Default max age is set to 118 seconds. Ref: #3722 Closes #3782 Daniel Gustafsson (20 Apr 2019) - [Po-Chuan Hsieh brought this change] altsvc: Fix building with cookies disabled ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is disabled. Fix by splitting out the function into a separate file which can be included where needed. Closes #3717 Reviewed-by: Daniel Gustafsson Reviewed-by: Marcel Raad Daniel Stenberg (20 Apr 2019) - test1002: correct the name [skip ci] - test660: verify CONNECT_ONLY with IMAP which basically just makes sure LOGOUT is *not* issued on disconnect - Curl_disconnect: treat all CONNECT_ONLY connections as "dead" Since the connection has been used by the "outside" we don't know the state of it anymore and curl should not use it anymore. Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html Closes #3795 - multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) The list of names must be in sync with the defined states in the header file! Steve Holme (16 Apr 2019) - openvms: Remove pre-processors for Windows as VMS cannot support them - openvms: Remove pre-processor for SecureTransport as VMS cannot support it Fixes #3768 Closes #3785 Jay Satiro (16 Apr 2019) - TODO: Add issue link to an existing entry Daniel Stenberg (16 Apr 2019) - RELEASE-NOTES: synced Jay Satiro (16 Apr 2019) - tool_help: Warn if curl and libcurl versions do not match .. because functionality may be affected if the versions differ. This commit implements TODO 18.7 "warning if curl version is not in sync with libcurl version". 
Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 Closes https://github.com/curl/curl/pull/3774 Steve Holme (16 Apr 2019) - md5: Update the function signature following d84da52d - md5: Forgot to update the code alignment in d84da52d - md5: Return CURLcode from the internally accessible functions Following 28f826b3 to return CURLE_OK instead of numeric 0. Daniel Gustafsson (15 Apr 2019) - tests: Run global cleanup at end of tests Make sure to run curl_global_cleanup() when shutting down the test suite to release any resources allocated in the SSL setup. This is clearly visible when running tests with PolarSSL where the thread lock calloc() memory which isn't released when not running cleanup. Below is an excerpt from the autobuild logs: ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup (polarssl_threadlock.c:54) ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) ==12368== by 0x118B4C: global_init (easy.c:158) ==12368== by 0x118BF5: curl_global_init (easy.c:221) ==12368== by 0x118D0B: curl_easy_init (easy.c:299) ==12368== by 0x114E96: test (lib1906.c:32) ==12368== by 0x115495: main (first.c:174) Closes #3783 Reviewed-by: Marcel Raad Reviewed-by: Daniel Stenberg Marcel Raad (15 Apr 2019) - travis: use mbedtls from Xenial No need to build it from source anymore. Closes https://github.com/curl/curl/pull/3779 - travis: use libpsl from Xenial This makes building libpsl and libidn2 from source unnecessary and removes the need for the autopoint and libunistring-dev packages. Closes https://github.com/curl/curl/pull/3779 Daniel Stenberg (15 Apr 2019) - runtests: start socksd like other servers ... without a $srcdir prefix. Triggered by the failures in several autobuilds. 
Closes #3781 Daniel Gustafsson (14 Apr 2019) - socksd: Fix typos Reviewed-by: Daniel Stenberg - socksd: Properly decorate static variables Mark global variables static to avoid compiler warning in Clang when using -Wmissing-variable-declarations. Closes #3778 Reviewed-by: Daniel Stenberg Steve Holme (14 Apr 2019) - md(4|5): Fixed indentation oddities with the importation of replacement code The indentation from 211d5329 and 57d6d253 was a little strange as parts didn't align correctly, uses 4 spaces rather than 2. Checked the indentation of the original source so it aligns, albeit, using curl style. - md5: Code style to return CURLE_OK rather than numeric 0 - md5: Corrected code style for some pointer arguments Marcel Raad (13 Apr 2019) - travis: update some builds to xenial Xenial comes with more up-to-date software versions and more available packages, some of which we currently build from source. Unfortunately, some builds would fail with Xenial because of assertion failures in Valgrind when using OpenSSL, so leave these at Trusty. Closes https://github.com/curl/curl/pull/3777 Daniel Stenberg (13 Apr 2019) - test: make tests and test scripts use socksd for SOCKS Make all SOCKS tests use socksd instead of ssh. - socksd: new SOCKS 4+5 server for tests Closes #3752 - singleipconnect: show port in the verbose "Trying ..." message To aid debugging better. - [tmilburn brought this change] CURLOPT_ADDRESS_SCOPE: fix range check and more Commit 9081014 fixed most of the confusing issues between scope id and scope however 844896d added bad limits checking assuming that the scope is being set and not the scope id. I have fixed the documentation so it all refers to scope ids. In addition Curl_if2ip referred to the scope id as remote_scope_id which is incorrect, so I renamed it to local_scope_id. Adjusted-by: Daniel Stenberg Closes #3655 Closes #3765 Fixes #3713 - urlapi: stricter CURLUPART_PORT parsing Only allow well formed decimal numbers in the input. 
Document that the number MUST be between 1 and 65535. Add tests to test 1560 to verify the above. Ref: https://github.com/curl/curl/issues/3753 Closes #3762 Jay Satiro (13 Apr 2019) - [Jan Ehrhardt brought this change] winbuild: Support MultiSSL builds - Remove the lines in winbuild/Makefile.vc that generate an error with multiple SSL backends. - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL backends are set. Closes https://github.com/curl/curl/pull/3772 Daniel Stenberg (12 Apr 2019) - travis: remove mesalink builds (temporarily?) Since the mesalink build started to fail on travis, even though we build a fixed release version, we disable it to prevent it from blocking progress. Closes #3767 - openssl: mark connection for close on TLS close_notify Without this, detecting and avoid reusing a closed TLS connection (without a previous GOAWAY) when doing HTTP/2 is tricky. Reported-by: Tom van der Woerdt Fixes #3750 Closes #3763 - RELEASE-NOTES: synced Steve Holme (11 Apr 2019) - vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 Functionally this doesn't change anything as we still use the username for both the authorisation identity and the authentication identity. Closes #3757 Daniel Stenberg (11 Apr 2019) - test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage Based-on-code-by: Poul T Lomholt - url: always clone the CURLOPT_CURLU handle Since a few code paths actually update that data. Fixes #3753 Closes #3761 Reported-by: Poul T Lomholt - CURLOPT_DNS_USE_GLOBAL_CACHE: remove Remove the code too. The functionality has been disabled in code since 7.62.0. Setting this option will from now on simply be ignored and have no function. Closes #3654 Marcel Raad (11 Apr 2019) - travis: install libgnutls28-dev only for --with-gnutls build Reduces the time needed for the other jobs a little. 
Closes https://github.com/curl/curl/pull/3721 - travis: install libnss3-dev only for --with-nss build Reduces the time needed for the other jobs a little. Closes https://github.com/curl/curl/pull/3721 - travis: install libssh2-dev only for --with-libssh2 build Reduces the time needed for the other jobs a little. Closes https://github.com/curl/curl/pull/3721 - travis: install libssh-dev only for --with-libssh build Reduces the time needed for the other jobs a little. Closes https://github.com/curl/curl/pull/3721 - travis: install krb5-user only for --with-gssapi build Reduces the time needed for the other jobs a little. Closes https://github.com/curl/curl/pull/3721 - travis: install lcov only for the coverage job Reduces the time needed for the other jobs a little. Closes https://github.com/curl/curl/pull/3721 - travis: install clang only when needed This reduces the GCC job runtimes a little and it's needed to selectively update clang builds to xenial. Closes https://github.com/curl/curl/pull/3721 - AppVeyor: enable testing for WinSSL build Closes https://github.com/curl/curl/pull/3725 - build: fix Codacy/CppCheck warnings - remove unused variables - declare conditionally used variables conditionally - suppress unused variable warnings in the CMake tests - remove dead variable stores - consistently use WIN32 macro to detect Windows Closes https://github.com/curl/curl/pull/3739 - polarssl_threadlock: remove conditionally unused code Make functions no-ops if neither both USE_THREADS_POSIX and HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are defined. Previously, if only one of them was defined, there was either code compiled that did nothing useful or the wrong header included for the functions used. Also, move POLARSSL_MUTEX_T define to implementation file as it's not used externally. Closes https://github.com/curl/curl/pull/3739 - lib557: initialize variables These variables are only conditionally initialized. 
Closes https://github.com/curl/curl/pull/3739 - lib509: add missing include for strdup Closes https://github.com/curl/curl/pull/3739 - README.md: fix no-consecutive-blank-lines Codacy warning Consistently use one blank line between blocks. Closes https://github.com/curl/curl/pull/3739 - tests/server/util: fix Windows Unicode build Always use the ANSI version of FormatMessage as we don't have the curl_multibyte gear available here. Closes https://github.com/curl/curl/pull/3758 Daniel Stenberg (11 Apr 2019) - curl_easy_getinfo.3: fix minor formatting mistake Daniel Gustafsson (11 Apr 2019) - xattr: skip unittest on unsupported platforms The stripcredentials unittest fails to compile on platforms without xattr support, for example the Solaris member in the buildfarm which fails with the following: CC unit1621-unit1621.o CC ../libtest/unit1621-first.o CCLD unit1621 Undefined first referenced symbol in file stripcredentials unit1621-unit1621.o goto problem 2 ld: fatal: symbol referencing errors. No output written to .libs/unit1621 collect2: error: ld returned 1 exit status gmake[2]: *** [Makefile:996: unit1621] Error 1 Fix by excluding the test on such platforms by using the reverse logic from where stripcredentials() is defined. Closes #3759 Reviewed-by: Daniel Stenberg Steve Holme (11 Apr 2019) - email: Added reference to RFC8314 for implicit TLS - README: Schannel, stop calling it "winssl" Stick to "Schannel" everywhere - follow up to 180501cb. Jakub Zakrzewski (10 Apr 2019) - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use This fixes GSSAPI builds with the libraries in a non-standard location. The testing for recv() was failing because it failed to link the Kerberos libraries, which are not needed for this or subsequent tests.
fixes #3743 closes #3744 - cmake: avoid linking executable for some tests with cmake 3.6+ With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() (which is used by check_c_source_compiles()) will build static library instead of executable. This avoids linking additional libraries in and thus speeds up those checks a little. This commit also avoids #3743 (GSSAPI build errors) on itself with cmake 3.6 or above. That issue was fixed separately for all versions. Ref: #3744 - cmake: minor cleanup - Remove unneeded include_regular_expression. It was setting what is already a default. - Remove duplicated include. - Don't check for pre-3.0.0 CMake version. We already require at least 3.0.0, so it's just clutter. Ref: #3744 Steve Holme (8 Apr 2019) - build-openssl.bat: Fixed support for OpenSSL v1.1.0+ - build-openssl.bat: Prefer the use of if statements rather than goto (where possible) - build-openssl.bat: Perform the install for each build type directly after the build - build-openssl.bat: Split the install of static and shared build types - build-openssl.bat: Split the building of static and shared build types - build-openssl.bat: Move the installation into a separate function - build-openssl.bat: Move the build step into a separate function - build-openssl.bat: Move the OpenSSL configuration into a separate function - build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised Should the parent environment set this variable then the build might not be performed as the user intended. Daniel Stenberg (8 Apr 2019) - socks: fix error message - config.d: clarify that initial : and = might need quoting [skip ci] Fixes #3738 Closes #3749 - RELEASE-NOTES: synced bumped to 7.65.0 for next release - socks5: user name and passwords must be shorter than 256 bytes... since the protocol needs to store the length in a single byte field.
Reported-by: XmiliaH on github Fixes #3737 Closes #3740 - [Jakub Zakrzewski brought this change] test: urlapi: urlencode characters above 0x7f correctly - [Jakub Zakrzewski brought this change] urlapi: urlencode characters above 0x7f correctly fixes #3741 Closes #3742 - [Even Rouault brought this change] multi_runsingle(): fix use-after-free Fixes #3745 Closes #3746 The following snippet

```
#include <curl/curl.h>

int main()
{
    CURL* hCurlHandle = curl_easy_init();
    curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com");
    curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1");
    curl_easy_perform(hCurlHandle);
    curl_easy_cleanup(hCurlHandle);
    return 0;
}
```

triggers the following Valgrind warning

```
==4125== Invalid read of size 8
==4125==    at 0x4E7D1EE: Curl_llist_remove (llist.c:97)
==4125==    by 0x4E7EF5C: detach_connnection (multi.c:798)
==4125==    by 0x4E80545: multi_runsingle (multi.c:1451)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
==4125==  Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd
==4125==    at 0x4C2ECF0: free (vg_replace_malloc.c:530)
==4125==    by 0x4E62C36: conn_free (url.c:756)
==4125==    by 0x4E62D34: Curl_disconnect (url.c:818)
==4125==    by 0x4E48DF9: Curl_once_resolved (hostip.c:1097)
==4125==    by 0x4E8052D: multi_runsingle (multi.c:1446)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
==4125==  Block was alloc'd at
==4125==    at 0x4C2F988: calloc (vg_replace_malloc.c:711)
==4125==    by 0x4E6438E: allocate_conn (url.c:1654)
==4125==    by 0x4E685B4: create_conn (url.c:3496)
==4125==    by 0x4E6968F: Curl_connect (url.c:4023)
==4125==    by 0x4E802E7: multi_runsingle (multi.c:1368)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
```

This has been bisected to commit 2f44e94 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 Credit to OSS Fuzz - pipelining: removed As previously planned and documented in DEPRECATE.md, all pipelining code is removed. Closes #3651 - [cclauss brought this change] tests: make Impacket (SMB server) Python 3 compatible Closes #3731 Fixes #3289 Marcel Raad (6 Apr 2019) - [Simon Warta brought this change] cmake: set SSL_BACKENDS This groups all SSL backends into the feature "SSL" and sets the SSL_BACKENDS analogue to configure.ac Closes https://github.com/curl/curl/pull/3736 - [Simon Warta brought this change] cmake: don't run SORT on empty list In case of an empty list, SORTing leads to the cmake error "list sub-command SORT requires list to be present." Closes https://github.com/curl/curl/pull/3736 Daniel Gustafsson (5 Apr 2019) - [Eli Schwartz brought this change] configure: fix default location for fish completions Fish defines a vendor completions directory for completions that are not installed as part of the fish project itself, and the vendor completions are preferred if they exist. This prevents trying to overwrite the builtin curl.fish completion (or creating file conflicts in distro packaging). Prefer the pkg-config defined location exported by fish, if it can be found, and fall back to the correct directory defined by most systems. Closes #3723 Reviewed-by: Daniel Gustafsson Marcel Raad (5 Apr 2019) - ftplistparser: fix LGTM alert "Empty block without comment" Removing the block is consistent with line 954/957.
Closes https://github.com/curl/curl/pull/3732 - transfer: fix LGTM alert "Comparison is always true" Just remove the redundant condition, which also makes it clear that k->buf is always 0-terminated if this break is not hit. Closes https://github.com/curl/curl/pull/3732 Jay Satiro (4 Apr 2019) - [Rikard Falkeborn brought this change] smtp: fix compiler warning - Fix clang string-plus-int warning. Clang 8 warns about adding a string to an int does not append to the string. Indeed it doesn't, but that was not the intention either. Use array indexing as suggested to silence the warning. There should be no functional changes. (In other words clang warns about "foo"+2 but not &"foo"[2] so use the latter.) smtp.c:1221:29: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int] eob = strdup(SMTP_EOB + 2); ~~~~~~~~~~~~~~~~^~~~ Closes https://github.com/curl/curl/pull/3729 Marcel Raad (4 Apr 2019) - VS projects: use Unicode for VC10+ All Windows APIs have been natively UTF-16 since Windows 2000 and the non-Unicode variants are just wrappers around them. Only Windows 9x doesn't understand Unicode without the UnicoWS DLL. As later Visual Studio versions cannot target Windows 9x anyway, using the ANSI API doesn't really have any benefit there. This avoids issues like KNOWN_BUGS 6.5. Ref: https://github.com/curl/curl/issues/2120 Closes https://github.com/curl/curl/pull/3720 Daniel Gustafsson (3 Apr 2019) - RELEASE-NOTES: synced Bump the version in progress to 7.64.2, if we merge any "change" before the cut-off date we can update the version. - [Tim Rühsen brought this change] documentation: Fix several typos Closes #3724 Reviewed-by: Jakub Zakrzewski Reviewed-by: Daniel Gustafsson Jay Satiro (2 Apr 2019) - [Mert Yazıcıoğlu brought this change] vauth/oauth2: Fix OAUTHBEARER token generation OAUTHBEARER tokens were incorrectly generated in a format similar to XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the RFC7628. 
Fixes: #2487 Reported-by: Paolo Mossino Closes https://github.com/curl/curl/pull/3377 Marcel Raad (2 Apr 2019) - tool_cb_wrt: fix bad-function-cast warning Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. Extend fhnd's scope and reuse that variable instead of calling _get_osfhandle a second time to fix the warning again. Closes https://github.com/curl/curl/pull/3718 - VC15 project: remove MinimalRebuild Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the library project, but I forgot the tool project template. Now also removed for that. Dan Fandrich (1 Apr 2019) - cirrus: Customize the disabled tests per FreeBSD version Try to run as many test cases as possible on each OS version. 12.0 passes 13 more tests than the older versions, so we might as well run them. Daniel Stenberg (1 Apr 2019) - tool_help: include for strcasecmp Reported-by: Wyatt O'Day Fixes #3715 Closes #3716 Daniel Gustafsson (31 Mar 2019) - scripts: fix typos Dan Fandrich (28 Mar 2019) - travis: allow builds on branches named "ci" This allows a way to test changes other than through PRs. Daniel Stenberg (27 Mar 2019) - [Brad Spencer brought this change] resolve: apply Happy Eyeballs philosophy to parallel c-ares queries Closes #3699 - multi: improved HTTP_1_1_REQUIRED handling Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error on first flight. Reported-by: niner on github Fixes #3696 Closes #3707 - [Leonardo Taccari brought this change] configure: avoid unportable `==' test(1) operator Closes #3709 Version 7.64.1 (27 Mar 2019) Daniel Stenberg (27 Mar 2019) - RELEASE: 7.64.1 - Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. 
Fixes #3708 - [Christian Schmitz brought this change] ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set Closes #3704 Jay Satiro (26 Mar 2019) - tool_cb_wrt: fix writing to Windows null device NUL - Improve console detection. Prior to this change WriteConsole could be called to write to a handle that may not be a console, which would cause an error. This issue is limited to character devices that are not also consoles such as the null device NUL. Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 Reported-by: Gisle Vanem - CURLMOPT_PIPELINING.3: fix typo Daniel Stenberg (25 Mar 2019) - TODO: config file parsing Closes #3698 Jay Satiro (24 Mar 2019) - os400: Disable Alt-Svc by default since it's experimental Follow-up to 520f0b4 which added Alt-Svc support and enabled it by default for OS400. Since the feature is experimental, it should be disabled by default. Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html Closes https://github.com/curl/curl/pull/3688 Dan Fandrich (24 Mar 2019) - tests: Fixed XML validation errors in some test files. - tests: Fix some incorrect precheck error messages. [ci skip] Daniel Stenberg (22 Mar 2019) - curl_url.3: this is not experimental anymore - travis: bump the used wolfSSL version to 4.0.0 Test 311 is now fine, leaving only 313 (CRL) disabled. Test 313 details can be found here: https://github.com/wolfSSL/wolfssl/issues/1546 Closes #3697 Daniel Gustafsson (22 Mar 2019) - lib: Fix typos in comments David Woodhouse (20 Mar 2019) - openssl: if cert type is ENG and no key specified, key is ENG too Fixes #3692 Closes #3692 Daniel Stenberg (20 Mar 2019) - sectransp: tvOS 11 is required for ALPN support Reported-by: nianxuejie on github Assisted-by: Nick Zitzmann Assisted-by: Jay Satiro Fixes #3689 Closes #3690 - test1541: threaded connection sharing The threaded-shared-conn.c example turned into test case. 
Only works if pthread was detected. An attempt to detect future regressions such as e3a53e3efb942a5 Closes #3687 Patrick Monnerat (17 Mar 2019) - os400: alt-svc support. Although experimental, enable it in the platform config file. Upgrade ILE/RPG binding. Daniel Stenberg (17 Mar 2019) - conncache: use conn->data to know if a transfer owns it - make sure an already "owned" connection isn't returned unless multiplexed. - clear ->data when returning the connection to the cache again Regression since 7.62.0 (probably in commit 1b76c38904f0) Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html Closes #3686 - RELEASE-NOTES: synced - [Chris Young brought this change] configure: add --with-amissl AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. It also requires all programs using it to use bsdsocket.library directly, rather than accessing socket functions through clib, which libcurl was not necessarily doing previously. Configure will now check for the headers and ensure they are included if found. Closes #3677 - [Chris Young brought this change] vtls: rename some of the SSL functions ... in the SSL structure as AmiSSL is using macros for the socket API functions. - [Chris Young brought this change] tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr - [Chris Young brought this change] tool_operate: build on AmigaOS - makefile: make checksrc and hugefile commands "silent" ... to match the style already used for compiling, linking etc. Acknowledges 'make V=1' to enable verbose. Closes #3681 - curl.1: --user and --proxy-user are hidden from ps output Suggested-by: Eric Curtin Improved-by: Dan Fandrich Ref: #3680 Closes #3683 - curl.1: mark the argument to --cookie as From a discussion in #3676 Suggested-by: Tim Rühsen Closes #3682 Dan Fandrich (14 Mar 2019) - fuzzer: Only clone the latest fuzzer code, for speed. 
Daniel Stenberg (14 Mar 2019) - [Dominik Hölzl brought this change] Negotiate: fix for HTTP POST with Negotiate * Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975 - [Marc Schlatter brought this change] http: send payload when (proxy) authentication is done The check that prevents payload from sending in case of authentication doesn't check properly if the authentication is done or not. There are cases where the proxy responds "200 OK" before sending authentication challenge. This change takes care of that. Fixes #2431 Closes #3669 - file: fix "Checking if unsigned variable 'readcount' is less than zero." Pointed out by codacy Closes #3672 - memdebug: log pointer before freeing its data Coverity warned for two potential "Use after free" cases. Both are false positives because the memory wasn't used, it was only the actual pointer value that was logged. The fix still changes the order of execution to avoid the warnings.
Coverity CID 1443033 and 1443034 Closes #3671 - RELEASE-NOTES: synced Marcel Raad (12 Mar 2019) - travis: actually use updated compiler versions For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the new GCC versions were only used for the coverage build and for building nghttp2, while the new clang version was not used at all. BoringSSL needs to use the default GCC as it respects CC, but not CXX, so it would otherwise pass gcc 8 options to g++ 4.8 and fail. Also remove GCC 7, it's not needed anymore. Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning Closes https://github.com/curl/curl/pull/3670 - travis: update clang to version 7 Closes https://github.com/curl/curl/pull/3670 Jay Satiro (11 Mar 2019) - [Andre Guibert de Bruet brought this change] examples/externalsocket: add missing close socket calls .. and for Windows also call WSACleanup since we call WSAStartup. The example is to demonstrate handling the socket independently of libcurl. In this case libcurl is not responsible for creating, opening or closing the socket, it is handled by the application (our example). Fixes https://github.com/curl/curl/pull/3663 Daniel Stenberg (11 Mar 2019) - multi: removed unused code for request retries This code was once used for the non multi-interface using code path, but ever since easy_perform was turned into a wrapper around the multi interface, this code path never runs. Closes #3666 Jay Satiro (11 Mar 2019) - doh: inherit some SSL options from user's easy handle - Inherit SSL options for the doh handle but not SSL client certs, SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, SSL pinned public key, SSL ciphers, SSL id cache setting, SSL kerberos or SSL gss-api settings. - Fix inheritance of verbose setting. - Inherit NOSIGNAL. There is no way for the user to set options for the doh (DNS-over-HTTPS) handles and instead we inherit some options from the user's easy handle. 
My thinking for the SSL options not inherited is they are most likely not intended by the user for the DOH transfer. I did inherit insecure because I think that should still be in control of the user. Prior to this change doh did not work for me because CAINFO was not inherited. Also verbose was set always which AFAICT was a bug (#3660). Fixes https://github.com/curl/curl/issues/3660 Closes https://github.com/curl/curl/pull/3661 Daniel Stenberg (9 Mar 2019) - test331: verify set-cookie for dotless host name Reproduced bug #3649 Closes #3659 - Revert "cookies: extend domain checks to non psl builds" This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. Regression shipped in 7.64.0 Fixes #3649 - memdebug: make debug-specific functions use curl_dbg_ prefix To not "collide" or use up the regular curl_ name space. Also makes them easier to detect in helper scripts. Closes #3656 - cmdline-opts/proxytunnel.d: the option tunnels all protocols Clarify the language and simplify. Reported-by: Daniel Lublin Closes #3658 - KNOWN_BUGS: Client cert (MTLS) issues with Schannel Closes #3145 - ROADMAP: updated to some more current things to work on - tests: fix multiple may be used uninitialized warnings - RELEASE-NOTES: synced - source: fix two 'nread' may be used uninitialized warnings Both seem to be false positives but we don't like warnings. Closes #3646 - gopher: remove check for path == NULL Since it can't be NULL and it makes Coverity believe we lack proper NULL checks. Verified by test 659, landed in commit 15401fa886b. Pointed out by Coverity CID 1442746. Assisted-by: Dan Fandrich Fixes #3617 Closes #3642 - examples: only include That's the only public curl header we should encourage use of. Reviewed-by: Marcel Raad Closes #3645 - ssh: loop the state machine if not done and not blocking If the state machine isn't complete, didn't fail and it didn't return due to blocking it can just as well loop again.
This addresses the problem with SFTP directory listings where we would otherwise return back to the parent and as the multi state machine doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the doing phase isn't complete, it would return out when in reality there was more data to deal with. Fixes #3506 Closes #3644 Jay Satiro (5 Mar 2019) - multi: support verbose conncache closure handle - Change closure handle to receive verbose setting from the easy handle most recently added via curl_multi_add_handle. The closure handle is a special easy handle used for closing cached connections. It receives limited settings from the easy handle most recently added to the multi handle. Prior to this change that did not include verbose which was a problem because on connection shutdown verbose mode was not acknowledged. Ref: https://github.com/curl/curl/pull/3598 Co-authored-by: Daniel Stenberg Closes https://github.com/curl/curl/pull/3618 Daniel Stenberg (4 Mar 2019) - CURLU: fix NULL dereference when used over proxy Test 659 verifies Also fixed the test 658 name Closes #3641 - altsvc_out: check the return code from Curl_gmtime Pointed out by Coverity, CID 1442956. Closes #3640 - docs/ALTSVC.md: docs describing the approach Closes #3498 - alt-svc: add a travis build - alt-svc: add test 355 and 356 to verify with command line curl - alt-svc: the curl command line bits - alt-svc: the libcurl bits - travis: add build using gnutls Closes #3637 - RELEASE-NOTES: synced - [Simon Legner brought this change] scripts/completion.pl: also generate fish completion file This is the renamed script formerly known as zsh.pl Closes #3545 - gnutls: remove call to deprecated gnutls_compression_get_name It has been deprecated by GnuTLS since a year ago and now causes build warnings. 
Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html Closes #3636 Jay Satiro (2 Mar 2019) - system_win32: move win32_init here from easy.c .. since system_win32 is a more appropriate location for the functions and to extern the globals. Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 Reported-by: Gisle Vanem Closes https://github.com/curl/curl/pull/3625 Daniel Stenberg (1 Mar 2019) - curl_easy_duphandle.3: clarify that a duped handle has no shares Reported-by: Sara Golemon Fixes #3592 Closes #3634 - 10-at-a-time.c: fix too long line - [Arnaud Rebillout brought this change] examples: various fixes in ephiperfifo.c The main change here is the timer value that was wrong, it was given in usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * 1000). This resulted in the callback being invoked WAY TOO OFTEN. As a quick check you can run this command before and after applying this commit: # shell 1 ./ephiperfifo 2>&1 | tee ephiperfifo.log # shell 2 echo http://hacking.elboulangero.com > hiper.fifo Then just compare the size of the logs files. Closes #3633 Fixes #3632 
Signed-off-by: Arnaud Rebillout - urldata: simplify bytecounters - no need to have them protocol specific - no need to set pointers to them with the Curl_setup_transfer() call - make Curl_setup_transfer() operate on a transfer pointer, not connection - switch some counters from long to the more proper curl_off_t type Closes #3627 - examples/10-at-a-time.c: improve readability and simplify - use better variable names to explain their purposes - convert logic to curl_multi_wait() - threaded-resolver: shutdown the resolver thread without error message When a transfer is done, the resolver thread will be brought down. That could accidentally generate an error message in the error buffer even though this is not an error situation and the transfer would still return OK. An application that still reads the error buffer could find a "Could not resolve host: [host name]" message there and get confused. Reported-by: Michael Schmid Fixes #3629 Closes #3630 - [Ԝеѕ brought this change] docs: update max-redirs.d phrasing clarify redir - "in absurdum" doesn't seem to make sense in this context Closes #3631 - ssh: fix Condition '!status' is always true in the same sftp_done function in both SSH backends. Simplify them somewhat. Pointed out by Codacy. Closes #3628 - test578: make it read data from the correct test - Curl_easy: remove req.maxfd - never used! Introduced in 8b6314ccfb, but not used anymore in current code. Unclear since when. Closes #3626 - http: set state.infilesize when sending formposts Without it set, we would unwillingly trigger the "HTTP error before end of send, stop sending" condition even if the entire POST body had been sent (since it wouldn't know the expected size) which would unnecessarily log that message and close the connection when it didn't have to.
Reported-by: Matt McClure Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html Closes #3624 - INSTALL: refer to the current TLS library names and configure options - FAQ: minor updates and spelling fixes - GOVERNANCE.md: minor spelling fixes - Secure Transport: no more "darwinssl" Everyone calls it Secure Transport, now we do too. Reviewed-by: Nick Zitzmann Closes #3619 Marcel Raad (27 Feb 2019) - AppVeyor: add classic MinGW build But use the MSYS2 shell rather than the default MSYS shell because of POSIX path conversion issues. Classic MinGW is only available on the Visual Studio 2015 image. Closes https://github.com/curl/curl/pull/3623 - AppVeyor: add MinGW-w64 build Add a MinGW-w64 build using CMake's MSYS Makefiles generator. Use the Visual Studio 2015 image as it has GCC 8, while the Visual Studio 2017 image only has GCC 7.2. Closes https://github.com/curl/curl/pull/3623 Daniel Stenberg (27 Feb 2019) - cookies: only save the cookie file if the engine is enabled Follow-up to 8eddb8f4259. If the cookieinfo pointer is NULL there really is nothing to save. Without this fix, we got a problem when a handle was using shared object with cookies and is told to "FLUSH" it to file (which worked) and then the share object was removed and when the easy handle was closed just afterwards it has no cookieinfo and no cookies so it decided to save an empty jar (overwriting the file just flushed). Test 1905 now verifies that this works. Assisted-by: Michael Wallner Assisted-by: Marcel Raad Closes #3621 - [DaVieS brought this change] cacertinmem.c: use multiple certificates for loading CA-chain Closes #3421 - urldata: convert bools to bitfields and move to end This allows the compiler to pack and align the structs better in memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. Removed an unused struct field. No functionality changes. 
Closes #3610 - [Don J Olmstead brought this change] curl.h: use __has_declspec_attribute for shared builds Closes #3616 - curl: display --version features sorted alphabetically Closes #3611 - runtests: detect "schannel" as an alias for "winssl" Follow-up to 180501cb02 Reported-by: Marcel Raad Fixes #3609 Closes #3620 Marcel Raad (26 Feb 2019) - AppVeyor: update to Visual Studio 2017 Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a moving target anymore as the last update, Update 9, has been released. Closes https://github.com/curl/curl/pull/3606 - AppVeyor: switch VS 2015 builds to VS 2017 image The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. Closes https://github.com/curl/curl/pull/3606 - AppVeyor: explicitly select worker image Currently, we're using the default Visual Studio 2015 image for everything. Closes https://github.com/curl/curl/pull/3606 Daniel Stenberg (26 Feb 2019) - strerror: make the strerror function use local buffers Instead of using a fixed 256 byte buffer in the connectdata struct. In my build, this reduces the size of the connectdata struct by 11.8%, from 2160 to 1904 bytes with no functionality or performance loss. This also fixes a bug in schannel's Curl_verify_certificate where it called Curl_sspi_strerror when it should have called Curl_strerror for string from GetLastError. the only effect would have been no text or the wrong text being shown for the error. Co-authored-by: Jay Satiro Closes #3612 - [Michael Wallner brought this change] cookies: fix NULL dereference if flushing cookies with no CookieInfo set Regression brought by a52e46f3900fb0 (shipped in 7.63.0) Closes #3613 Marcel Raad (26 Feb 2019) - AppVeyor: re-enable test 500 It's passing now. Closes https://github.com/curl/curl/pull/3615 - AppVeyor: remove redundant builds Remove the Visual Studio 2012 and 2013 builds as they add little value. 
Ref: https://github.com/curl/curl/pull/3606 Closes https://github.com/curl/curl/pull/3614 Daniel Stenberg (25 Feb 2019) - RELEASE-NOTES: synced - [Bernd Mueller brought this change] OpenSSL: add support for TLS ASYNC state Closes #3591 Jay Satiro (25 Feb 2019) - [Michael Felt brought this change] acinclude: add additional libraries to check for LDAP support - Add an additional check for LDAP that also checks for OpenSSL since on AIX those libraries may be required to link LDAP properly. Fixes https://github.com/curl/curl/issues/3595 Closes https://github.com/curl/curl/pull/3596 - [georgeok brought this change] schannel: support CALG_ECDH_EPHEM algorithm Add support for Ephemeral elliptic curve Diffie-Hellman key exchange algorithm option when selecting ciphers. This became available on the Win10 SDK. Closes https://github.com/curl/curl/pull/3608 Daniel Stenberg (24 Feb 2019) - multi: call multi_done on connect timeouts Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get updated correctly and could end up getting reported to the application completely wrong (way too small). Reported-by: accountantM on github Fixes #3602 Closes #3605 - examples: remove recursive calls to curl_multi_socket_action From within the timer callbacks. Recursive is problematic for several reasons. They should still work, but this way the examples and the documentation becomes simpler. I don't think we need to encourage recursive calls. Discussed in #3537 Closes #3601 Marcel Raad (23 Feb 2019) - configure: remove CURL_CHECK_FUNC_FDOPEN call The macro itself has been removed in commit 11974ac859c5d82def59e837e0db56fef7f6794e. Closes https://github.com/curl/curl/pull/3604 Daniel Stenberg (23 Feb 2019) - wolfssl: stop custom-adding curves since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in wolfSSL 3.10.2 and later) it sends these curves by default already. 
Pointed-out-by: David Garske Closes #3599 - configure: remove the unused fdopen macro and the two remaining #ifdefs for it Closes #3600 Jay Satiro (22 Feb 2019) - url: change conn shutdown order to unlink data as last step - Split off connection shutdown procedure from Curl_disconnect into new function conn_shutdown. - Change the shutdown procedure to close the sockets before disassociating the transfer. Prior to this change the sockets were closed after disassociating the transfer so SOCKETFUNCTION wasn't called since the transfer was already disassociated. That likely came about from recent work started in Jan 2019 (#3442) to separate transfers from connections. Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html Reported-by: Pavel Löbl Closes https://github.com/curl/curl/issues/3597 Closes https://github.com/curl/curl/pull/3598 Marcel Raad (22 Feb 2019) - Fix strict-prototypes GCC warning As seen in the MinGW autobuilds. Caused by commit f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. Dan Fandrich (21 Feb 2019) - tests: Fixed XML validation errors in some test files. Daniel Stenberg (20 Feb 2019) - TODO: Allow SAN names in HTTP/2 server push Suggested-by: Nicolas Grekas - RELEASE-NOTES: synced - curl: remove MANUAL from -M output ... and remove it from the dist tarball. It has served its time, it barely gets updated anymore and "everything curl" is now covering all this document once tried to include, and does it more and better. In the compressed scenario, this removes ~15K data from the binary, which is 25% of the -M output. It remains in the git repo for now for as long as the web site builds a page using that as source. It renders poorly on the site (especially for mobile users) so it's not even good there. Closes #3587 - http2: verify :authority in push promise requests RFC 7540 says we should verify that the push is for an "authoritative" server.
  We make sure of this by only allowing push with an :authority header that matches the host that was asked for in the URL.

  Fixes #3577
  Reported-by: Nicolas Grekas
  Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
  Closes #3581

- singlesocket: fix the 'sincebefore' placement

  The variable wasn't properly reset within the loop and thus could remain set for sockets that hadn't been set before and miss notifying the app.

  This is a follow-up to 4c35574 (shipped in curl 7.64.0)

  Reported-by: buzo-ffm on github
  Detected-by: Jan Alexander Steffens
  Fixes #3585
  Closes #3589

- connection: never reuse CONNECT_ONLY connections

  and make CONNECT_ONLY connections never reuse any existing ones either.

  Reported-by: Pavel Löbl
  Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
  Closes #3586

Patrick Monnerat (19 Feb 2019)
- cli tool: fix mime post with --disable-libcurl-option configure option

  Reported-by: Marcel Raad
  Fixes #3576
  Closes #3583

Daniel Stenberg (19 Feb 2019)
- x509asn1: cleanup and unify code layout

  - rename 'n' to buflen in functions, and use size_t for them. Don't pass in negative buffer lengths.

  - move most function comments to above the function starts like we use to

  - remove several unnecessary typecasts (especially of NULL)

  Reviewed-by: Patrick Monnerat
  Closes #3582

- curl_multi_remove_handle.3: use at any time, just not from within callbacks

  [ci skip]

- http: make adding a blank header thread-safe

  Previously the function would edit the provided header in-place when a semicolon is used to signify an empty header. This made it impossible to use the same set of custom headers in multiple threads simultaneously.

  This approach now makes a local copy when it needs to edit the string.

  Reported-by: d912e3 on github
  Fixes #3578
  Closes #3579

- unit1651: survive curl_easy_init() fails

- [Frank Gevaerts brought this change]

  rand: Fix a mismatch between comments in source and header.
  Reported-by: Björn Stenberg
  Closes #3584

Patrick Monnerat (18 Feb 2019)
- x509asn1: replace single char with an array

  Although safe in this context, using a single char as an array may cause invalid accesses to adjacent memory locations.

  Detected by Coverity.

Daniel Stenberg (18 Feb 2019)
- examples/http2-serverpush: add some sensible error checks

  To avoid NULL pointer dereferences etc in the case of problems.

  Closes #3580

Jay Satiro (18 Feb 2019)
- easy: fix win32 init to work without CURL_GLOBAL_WIN32

  - Change the behavior of win32_init so that the required initialization procedures are not affected by CURL_GLOBAL_WIN32 flag.

  libcurl via curl_global_init supports initializing for win32 with an optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop Winsock initialization. It did so internally by skipping win32_init() when that flag was set. Since then win32_init() has been expanded to include required initialization routines that are separate from Winsock and therefore must be called in all cases. This commit fixes it so that CURL_GLOBAL_WIN32 only controls the optional win32 initialization (which is Winsock initialization, according to our doc).

  The only users affected by this change are those that don't pass CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the risk of a potential crash.

  Ref: https://github.com/curl/curl/pull/3573
  Fixes https://github.com/curl/curl/issues/3313
  Closes https://github.com/curl/curl/pull/3575

Daniel Gustafsson (17 Feb 2019)
- cookie: Add support for cookie prefixes

  The draft-ietf-httpbis-rfc6265bis-02 draft specifies a set of prefixes and how they should affect cookie initialization, which has been adopted by the major browsers. This adds support for the two prefixes defined, __Host- and __Secure, and updates the testcase with the supplied examples from the draft.
  Closes #3554
  Reviewed-by: Daniel Stenberg

- mbedtls: release sessionid resources on error

  If mbedtls_ssl_get_session() fails, it may still have allocated memory that needs to be freed to avoid leaking. Call the library API function to release session resources on this errorpath as well as on Curl_ssl_addsessionid() errors.

  Closes: #3574
  Reported-by: Michał Antoniak
  Reviewed-by: Daniel Stenberg

Patrick Monnerat (16 Feb 2019)
- cli tool: refactor encoding conversion sequence for switch case fallthrough.

- version.c: silent scan-build even when librtmp is not enabled

Daniel Stenberg (15 Feb 2019)
- RELEASE-NOTES: synced

- Curl_now: figure out windows version in win32_init

  ... and avoid use of static variables that aren't thread safe.

  Fixes regression from e9ababd4f5a (present in the 7.64.0 release)

  Reported-by: Paul Groke
  Fixes #3572
  Closes #3573

Marcel Raad (15 Feb 2019)
- unit1307: just fail without FTP support

  I missed to check this in with commit 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. This fixes the actual linker error.

  Closes https://github.com/curl/curl/pull/3568

Daniel Stenberg (15 Feb 2019)
- travis: enable valgrind for the iconv tests too

  Closes #3571

- travis: add scan-build

  Closes #3564

- examples/sftpuploadresume: Value stored to 'result' is never read

  Detected by scan-build

- examples/http2-upload: cleaned up

  Fix scan-build warnings, no globals, no silly handle scan. Also remove handles from the multi before cleaning up.

- examples/http2-download: cleaned up

  To avoid scan-build warnings and global variables.

- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'

  Detected by scan-build

- examples/httpcustomheader: Value stored to 'res' is never read

  Detected by scan-build

- examples: remove superfluous null-pointer checks

  in ftpget, ftpsget and sftpget, so that scan-build stops warning for potential NULL pointer dereference below!
  Detected by scan-build

- strip_trailing_dot: make sure NULL is never used for strlen

  scan-build warning: Null pointer passed as an argument to a 'nonnull' parameter

- [Jay Satiro brought this change]

  connection_check: restore original conn->data after the check

  - Save the original conn->data before it's changed to the specified data transfer for the connection check and then restore it afterwards.

  This is a follow-up to 38d8e1b 2019-02-11.

  History:

  It was discovered a month ago that before checking whether to extract a dead connection that that connection should be associated with a "live" transfer for the check (ie original conn->data ignored and set to the passed in data). A fix was landed in 54b201b which did that and also cleared conn->data after the check. The original conn->data was not restored, so presumably it was thought that a valid conn->data was no longer needed.

  Several days later it was discovered that a valid conn->data was needed after the check and follow-up fix was landed in bbae24c which partially reverted the original fix and attempted to limit the scope of when conn->data was changed to only when pruning dead connections. In that case conn->data was not cleared and the original conn->data not restored.

  A month later it was discovered that the original fix was somewhat correct; a "live" transfer is needed for the check in all cases because original conn->data could be null which could cause a bad deref at arbitrary points in the check. A fix was landed in 38d8e1b which expanded the scope to all cases. conn->data was not cleared and the original conn->data not restored.

  A day later it was discovered that not restoring the original conn->data may lead to busy loops in applications that use the event interface, and given this observation it's a pretty safe assumption that there is some code path that still needs the original conn->data. This commit is the follow-up fix for that, it restores the original conn->data after the connection check.
  Assisted-by: tholin@users.noreply.github.com
  Reported-by: tholin@users.noreply.github.com
  Fixes https://github.com/curl/curl/issues/3542
  Closes #3559

- memdebug: bring back curl_mark_sclose

  Used by debug builds with NSS.

  Reverted from 05b100aee247bb

Patrick Monnerat (14 Feb 2019)
- transfer.c: do not compute length of undefined hex buffer.

  On non-ascii platforms, the chunked hex header was measured for char code conversion length, even for chunked trailers that do not have a hex header.

  In addition, the effective length is already known: use it. Since the hex length can be zero, only convert if needed.

  Reported by valgrind.

Daniel Stenberg (14 Feb 2019)
- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP

  Closes #2367

Patrick Monnerat (14 Feb 2019)
- x509asn1: "Dereference of null pointer"

  Detected by scan-build (false positive).

Daniel Stenberg (14 Feb 2019)
- configure: show features as well in the final summary

  Closes #3569

- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10

  Closes #2905

- KNOWN_BUGS: Deflate error after all content was received

  Closes #2719

- gssapi: fix deprecated header warnings

  Heimdal includes on FreeBSD spewed out lots of them. Less so now.

  Closes #3566

- TODO: Upgrade to websockets

  Closes #3523

- TODO: cmake test suite improvements

  Closes #3109

Patrick Monnerat (13 Feb 2019)
- curl: "Dereference of null pointer"

  Rephrase to satisfy scan-build.

Marcel Raad (13 Feb 2019)
- unit1307: require FTP support

  This test doesn't link without FTP support after fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch unavailable without FTP support.

  Closes https://github.com/curl/curl/pull/3565

Daniel Stenberg (13 Feb 2019)
- TODO: TFO support on Windows

  Nobody works on this now.

  Closes #3378

- multi: Dereference of null pointer

  Mostly a false positive, but this makes the code easier to read anyway.

  Detected by scan-build.

  Closes #3563

- urlglob: Argument with 'nonnull' attribute passed null

  Detected by scan-build.
Jay Satiro (12 Feb 2019)
- schannel: restore some debug output but only for debug builds

  Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy debug output in DEBUGF but omitted a few lines.

  Ref: https://github.com/curl/curl/commit/84c10dc#r32292900

- examples/crawler: Fix the Accept-Encoding setting

  - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default supported encodings.

  Prior to this change the specific encodings of gzip and deflate were set but there's no guarantee they'd be supported by the user's libcurl.

Daniel Stenberg (12 Feb 2019)
- mime: put the boundary buffer into the curl_mime struct

  ... instead of allocating it separately and point to it. It is fixed-size and always used for each part.

  Closes #3561

- schannel: be quiet

  Convert numerous infof() calls into debug-build only messages since they are annoyingly verbose for regular applications. Removed a few.

  Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
  Reported-by: Volker Schmid
  Closes #3552

- [Romain Geissler brought this change]

  Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning

  Closes #3562

- http2: multi_connchanged() moved from multi.c, only used for h2

  Closes #3557

- curl: "Function call argument is an uninitialized value"

  Follow-up to cac0e4a6ad14b42471eb

  Detected by scan-build

  Closes #3560

- pretransfer: don't strlen() POSTFIELDS set for GET requests

  ... since that data won't be used in the request anyway.

  Fixes #3548
  Reported-by: Renaud Allard
  Close #3549

- multi: remove verbose "Expire in" ... messages

  Reported-by: James Brown
  Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
  Closes #3558

- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set

  Reported-by: MAntoniak on github
  Fixes #3553
  Closes #3556

Daniel Gustafsson (12 Feb 2019)
- non-ascii.c: fix typos in comments

  Fix two occurrences of s/convers/converts/ spotted while reading code.
Daniel Stenberg (12 Feb 2019)
- fnmatch: disable if FTP is disabled

  Closes #3551

- curl_path: only enabled for SSH builds

- [Frank Gevaerts brought this change]

  tests: add stderr comparison to the test suite

  The code is more or less copied from the stdout comparison code, maybe some better reuse is possible.

  test 1457 is adjusted to make the output actually match (by using --silent)

  test 506 used without actually needing it, so that block is removed

  Closes #3536

Patrick Monnerat (11 Feb 2019)
- cli tool: do not use mime.h private structures.

  Option -F generates an intermediate representation of the mime structure that is used later to create the libcurl mime structure and generate the --libcurl statements.

  Reported-by: Daniel Stenberg
  Fixes #3532
  Closes #3546

Daniel Stenberg (11 Feb 2019)
- curlver: bump to 7.64.1-dev

- RELEASE-NOTES: synced

  and bump the version in progress to 7.64.1. If we merge any "change" before the cut-off date, we update again.

Daniel Gustafsson (11 Feb 2019)
- curl: follow-up to 3f16990ec84

  Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was inadvertently introducing a new bug in the ternary expression.

  Close #3555
  Reviewed-by: Daniel Stenberg

- dns: release sharelock as soon as possible

  There is no benefit to holding the data sharelock when freeing the addrinfo in case it fails, so ensure releasing it as soon as we can rather than holding on to it. This also aligns the code with other consumers of sharelocks.

  Closes #3516
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (11 Feb 2019)
- curl: follow-up to b49652ac66cc0

  On FreeBSD, return non-zero on error otherwise zero.

  Reported-by: Marcel Raad

- multi: (void)-prefix when ignoring return values

  ... and added braces to two function calls which fixes warnings if they are replaced by empty macros at build-time.
- curl: fix FreeBSD compiler warning in the --xattr code

  Closes #3550

- connection_check: set ->data to the transfer doing the check

  The http2 code for connection checking needs a transfer to use. Make sure a working one is set before handler->connection_check() is called.

  Reported-by: jnbr on github
  Fixes #3541
  Closes #3547

- hostip: make create_hostcache_id avoid alloc + free

  Closes #3544

- scripts/singleuse: script to use to track single-use functions

  That is functions that are declared global but are not used from outside of the file in which it is declared. Such functions should be made static or even at times be removed.

  It also verifies that all used curl_ prefixed functions are "blessed"

  Closes #3538

- cleanup: make local functions static

  urlapi: turn three local-only functions into statics

  conncache: make conncache_find_first_connection static

  multi: make detach_connnection static

  connect: make getaddressinfo static

  curl_ntlm_core: make hmac_md5 static

  http2: make two functions static

  http: make http_setup_conn static

  connect: make tcpnodelay static

  tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds

  ... and mark Curl_shuffle_addr accordingly.

  url: make up_free static

  setopt: make vsetopt static

  curl_endian: make write32_le static

  rtsp: make rtsp_connisdead static

  warnless: remove unused functions

  memdebug: remove one unused function, made another static

Dan Fandrich (10 Feb 2019)
- cirrus: Added FreeBSD builds using Cirrus CI.

  The build logs will be at https://cirrus-ci.com/github/curl/curl

  Some tests are currently failing and so disabled for now. The SSH server isn't starting for the SSH tests due to unsupported options used in its config file. The DICT server also is failing on startup.
Daniel Stenberg (9 Feb 2019)
- url/idnconvert: remove scan for <= 32 ascii values

  The check was added back in fa939220df before the URL parser would catch these problems and therefore these will never trigger now.

  Closes #3539

- urlapi: reduce variable scope, remove unreachable 'break'

  Both nits pointed out by codacy.com

  Closes #3540

Alessandro Ghedini (7 Feb 2019)
- zsh.pl: escape ':' character

  ':' is interpreted as separator by zsh, so if used as part of the argument or option's description it needs to be escaped.

  The problem can be reproduced as follows:

  % curl --reso
  % curl -E

  Bug: https://bugs.debian.org/921452

- zsh.pl: update regex to better match curl -h output

  The current regex fails to match '<...>' arguments properly (e.g. those with spaces in them), which causes a completion script with wrong descriptions for some options.

  Here's a diff of the generated completion script, comparing the previous version to the one with this fix:

--- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 +++ _curl 2019-02-05 20:57:29.453349040 +0000 
@@ -9,48 +9,48 @@ _arguments -C -S \ --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + --resolve'[Resolve the host+port to this address]':'' \ {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ {-D,--dump-header}'[Write the received headers to ]':'':_files \ {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ {-E,--cert}'[Client certificate file and password]':'' \ --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ --ftp-alternative-to-user'[String to replace USER 
\[name\]]':'' \ - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ --local-port'[Force use of RANGE for local port numbers]':'' \ --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ {-O,--remote-name}'[Write output to a file named as the remote file]' \ + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ --trace-ascii'[Like --trace, but without hex output]':'':_files \ --connect-timeout'[Maximum time allowed for connection]':'' \ --expect100-timeout'[How long to wait for 100-continue]':'' \ {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - --ignore-content-length'[the size of the remote resource]':'Ignore' \ {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + --location-trusted'[Like --location, and send auth to other hosts]' \ --mail-auth'[Originator address of the original email]':'
' \ --noproxy'[List of hosts which do not use proxy]':'' \ --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ @@ -62,18 +62,19 @@ --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ --cacert'[CA certificate to verify peer against]':'':_files \ {-H,--header}'[Pass custom header(s) to server]':'
' \ + --ignore-content-length'[Ignore the size of the remote resource]' \ {-i,--include}'[Include protocol response headers in the output]' \ --proxy-header'[Pass custom header(s) to proxy]':'
' \ --unix-socket'[Connect through this Unix domain socket]':'' \ {-w,--write-out}'[Use output FORMAT after completion]':'' \ - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ {-o,--output}'[Write to file instead of stdout]':'':_files \ - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ --socks4a'[SOCKS4a proxy on given host + port]':'' \ {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ {-z,--time-cond}'[Transfer based on a time condition]':'