|       _   _ ____  _      |
|   ___| | | |  _ \| |     |
|  / __| | | | |_) | |     |
| | (__| |_| |  _ <| |___  |
|  \___|\___/|_| \_\_____| |
| |
| Changelog |
| |
| Version 7.67.0 (5 Nov 2019) |
| |
| Daniel Stenberg (5 Nov 2019) |
| - RELEASE-NOTES: synced |
| |
| The 7.67.0 release |
| |
| - THANKS: add new names from 7.67.0 |
| |
| - configure: only say ipv6 enabled when the variable is set |
| |
| Previously it could say "IPv6: enabled" at the end of the configure run |
| but the define wasn't set because of a missing getaddrinfo(). |
| |
| Reported-by: Marcel Raad |
| Fixes #4555 |
| Closes #4560 |
| |
| Marcel Raad (2 Nov 2019) |
| - certs/Server-localhost-lastSAN-sv: regenerate with sha256 |
| |
| All other certificates were regenerated in commit ba782baac30, but |
| this one was missed. |
| Fixes test3001 on modern systems. |
| |
| Closes https://github.com/curl/curl/pull/4551 |
| |
| Daniel Stenberg (2 Nov 2019) |
| - [Vilhelm Prytz brought this change] |
| |
| copyrights: update all copyright notices to 2019 on files changed this year |
| |
| Closes #4547 |
| |
| - [Bastien Bouclet brought this change] |
| |
| mbedtls: add error message for cert validity starting in the future |
| |
| Closes #4552 |
| |
| Jay Satiro (1 Nov 2019) |
| - schannel_verify: Fix concurrent openings of CA file |
| |
| - Open the CA file using FILE_SHARE_READ mode so that others can read |
| from it as well. |
| |
| Prior to this change our schannel code opened the CA file without |
| sharing which meant concurrent openings (eg an attempt from another |
| thread or process) would fail during the time it was open without |
| sharing, which in curl's case would cause error: |
| "schannel: failed to open CA file". |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html |
| Reported-by: Richard Alcock |
| |
| Daniel Stenberg (31 Oct 2019) |
| - gtls: make gnutls_bye() not wait for response on shutdown |
| |
| ... as it can make it wait there for a long time for no good purpose. |
| |
| Patched-by: Jay Satiro |
| Reported-by: Bylon2 on github |
| Advised-by: Nikos Mavrogiannopoulos |
| |
| Fixes #4487 |
| Closes #4541 |
| |
| - [Michał Janiszewski brought this change] |
| |
| appveyor: publish artifacts on appveyor |
| |
| This allows obtaining upstream builds of curl directly from appveyor for |
| all the available configurations |
| |
| Closes #4509 |
| |
| - url: make Curl_close() NULLify the pointer too |
| |
| This is the common pattern used in the code and by a unified approach we |
| avoid mistakes. |
| |
| Closes #4534 |
| |
| - [Trivikram Kamat brought this change] |
| |
| INSTALL: add missing space for configure commands |
| |
| Closes #4539 |
| |
| - url: Curl_free_request_state() should also free doh handles |
| |
| ... or risk DoH memory leaks. |
| |
| Reported-by: Paul Dreik |
| Fixes #4463 |
| Closes #4527 |
| |
| - examples: remove the "this exact code has not been verified" |
| |
| ... as it really confuses the reader to not know what to believe! |
| |
| - [Trivikram Kamat brought this change] |
| |
| HTTP3: fix typo somehere1 > somewhere1 |
| |
| Closes #4535 |
| |
| Jay Satiro (28 Oct 2019) |
| - [Javier Blazquez brought this change] |
| |
| HTTP3: fix invalid use of sendto for connected UDP socket |
| |
| On macOS/BSD, trying to call sendto on a connected UDP socket fails |
| with a EISCONN error. Because the singleipconnect has already called |
| connect on the socket when we're trying to use it for QUIC transfers |
| we need to use plain send instead. |
| |
| Fixes #4529 |
| Closes https://github.com/curl/curl/pull/4533 |
| |
| Daniel Stenberg (28 Oct 2019) |
| - RELEASE-NOTES: synced |
| |
| - [Javier Blazquez brought this change] |
| |
| HTTP3: fix Windows build |
| |
| The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv |
| in order to perform nonblocking operations. On Windows this flag does |
| not exist. Instead, the socket must be set to nonblocking mode via |
| ioctlsocket. |
| |
| This change sets the nonblocking flag on UDP sockets used for QUIC on |
| all platforms so the use of MSG_DONTWAIT is not needed. |
| |
| Fixes #4531 |
| Closes #4532 |
| |
| Marcel Raad (27 Oct 2019) |
| - appveyor: add --disable-proxy autotools build |
| |
| This would have caught issue #3926. |
| |
| Also make formatting more consistent. |
| |
| Closes https://github.com/curl/curl/pull/4526 |
| |
| Daniel Stenberg (25 Oct 2019) |
| - appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 |
| |
| ... and invoke "curl -V" once done |
| |
| Co-Authored-By: Jay Satiro |
| |
| Closes #4523 |
| |
| - [Francois Rivard brought this change] |
| |
| schannel: reverse the order of certinfo insertions |
| |
| Fixes #4518 |
| Closes #4519 |
| |
| Marcel Raad (24 Oct 2019) |
| - test1591: fix spelling of http feature |
| |
| The test never got run because the feature name is `http` in lowercase. |
| |
| Closes https://github.com/curl/curl/pull/4520 |
| |
| Daniel Stenberg (23 Oct 2019) |
| - [Michał Janiszewski brought this change] |
| |
| appveyor: Use two parallel compilation on appveyor with CMake |
| |
| Appveyor provides 2 CPUs for each builder[1], make sure to use parallel |
| compilation, when running with CMake. CMake learned this new option in |
| version 3.12[2] and the version provided by appveyor is fresh enough. |
| |
| Curl doesn't really take that long to build and it is using the slowest |
| builder available, msbuild, so expect only a moderate improvement in |
| build times. |
| |
| [1] https://www.appveyor.com/docs/build-environment/ |
| [2] https://cmake.org/cmake/help/v3.12/release/3.12.html |
| |
| Closes #4508 |
| |
| - conn-reuse: requests wanting NTLM can reuse non-NTLM connections |
| |
| Added test case 338 to verify. |
| |
| Reported-by: Daniel Silverstone |
| Fixes #4499 |
| Closes #4514 |
| |
| Marcel Raad (23 Oct 2019) |
| - tests: add missing proxy features |
| |
| Daniel Stenberg (22 Oct 2019) |
| - RELEASE-NOTES: synced |
| |
| Marcel Raad (21 Oct 2019) |
| - tests: use %FILE_PWD for file:// URLs |
| |
| This way, we always have exactly one slash after the host name, making |
| the tests pass when curl is compiled with the MSYS GCC. |
| |
| Closes https://github.com/curl/curl/pull/4512 |
| |
| - tests: add `connect to non-listen` keywords |
| |
| These tests try to connect to ports nothing is listening on. |
| |
| Closes https://github.com/curl/curl/pull/4511 |
| |
| - runtests: get textaware info from curl instead of perl |
| |
| The MSYS system on Windows can run the test suite for curl built with |
| any toolset. When built with the MSYS GCC, curl uses Unix line endings, |
| while it uses Windows line endings when built with the MinGW GCC, and |
| `^O` reports 'msys' in both cases. Use the curl executable itself to |
| determine the line endings instead, which reports 'x86_64-pc-msys' when |
| built with the MSYS GCC. |
| |
| Closes https://github.com/curl/curl/pull/4506 |
| |
| Daniel Stenberg (20 Oct 2019) |
| - [Michał Janiszewski brought this change] |
| |
| appveyor: Add MSVC ARM64 build |
| |
| Closes #4507 |
| |
| - http2_recv: a closed stream trumps pause state |
| |
| ... and thus should return 0, not EAGAIN. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4496 |
| Closes #4505 |
| |
| - http2: expire a timeout at end of stream |
| |
| To make sure that transfer is being dealt with. Streams without |
| Content-Length need a final read to notice the end-of-stream state. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4496 |
| |
| Dan Fandrich (18 Oct 2019) |
| - travis: Add an ARM64 build |
| |
| Test 323 is failing for some reason, so disable it there for now. |
| |
| Marcel Raad (18 Oct 2019) |
| - examples/sslbackend: fix -Wchar-subscripts warning |
| |
| With the `isdigit` implementation that comes with MSYS2, the argument |
| is used as an array subscript, resulting in a -Wchar-subscripts |
| warning. `isdigit`'s behavior is undefined if the argument is negative |
| and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable |
| to `unsigned char` to avoid that. |
| |
| [0] https://en.cppreference.com/w/c/string/byte/isdigit |
| |
| Closes https://github.com/curl/curl/pull/4503 |
| |
| Daniel Stenberg (18 Oct 2019) |
| - configure: remove all cyassl references |
| |
| In particular, this removes the case where configure would find an old |
| cyassl installation rather than a wolfssl one if present. The library is |
| named wolfssl in modern days so there's no real need to keep support for |
| the former. |
| |
| Reported-by: Jacob Barthelmeh |
| Closes #4502 |
| |
| Marcel Raad (17 Oct 2019) |
| - test1162: disable MSYS2's POSIX path conversion |
| |
| This avoids MSYS2 converting the backslash in the URL to a slash, |
| causing the test to fail. |
| |
| Daniel Stenberg (17 Oct 2019) |
| - RELEASE-NOTES: synced |
| |
| Jay Satiro (16 Oct 2019) |
| - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time |
| |
| Prior to this change some users did not understand that the "request" |
| starts when the handle is added to the multi handle, or probably they |
| did not understand that some of those transfers may be queued and that |
| time is included in timeout. |
| |
| Reported-by: Jeroen Ooms |
| |
| Fixes https://github.com/curl/curl/issues/4486 |
| Closes https://github.com/curl/curl/pull/4489 |
| |
| - [Stian Soiland-Reyes brought this change] |
| |
| tool_operate: Fix retry sleep time shown to user when Retry-After |
| |
| - If server header Retry-After is being used for retry sleep time then |
| show that value to the user instead of the normal retry sleep time. |
| |
| This is a follow-up to 640b973 (7.66.0) which changed curl tool so that |
| the value from Retry-After header overrides other retry timing options. |
| |
| Closes https://github.com/curl/curl/pull/4498 |
| |
| Daniel Stenberg (16 Oct 2019) |
| - url: normalize CURLINFO_EFFECTIVE_URL |
| |
| The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as |
| input in most cases, which made it not get a scheme prefixed like before |
| if the URL was given without one, and it didn't remove dotdot sequences |
| etc. |
| |
| Added test case 1907 to verify that this now works as intended and as |
| before 7.62.0. |
| |
| Regression introduced in 7.62.0 |
| |
| Reported-by: Christophe Dervieux |
| Fixes #4491 |
| Closes #4493 |
| |
| Marcel Raad (16 Oct 2019) |
| - tests: line ending fixes for Windows |
| |
| Mark some files as text. |
| |
| Closes https://github.com/curl/curl/pull/4490 |
| |
| - tests: use proxy feature |
| |
| This makes the tests succeed when using --disable-proxy. |
| |
| Closes https://github.com/curl/curl/pull/4488 |
| |
| - smbserver: fix Python 3 compatibility |
| |
| Python 2's `ConfigParser` module is spelled `configparser` in Python 3. |
| |
| Closes https://github.com/curl/curl/pull/4484 |
| |
| - security: silence conversion warning |
| |
| With MinGW-w64, `curl_socket_t` is a 32 or 64 bit unsigned integer, |
| while `read` expects a 32 bit signed integer. |
| Use `sread` instead of `read` to use the correct parameter type. |
| |
| Closes https://github.com/curl/curl/pull/4483 |
| |
| - connect: silence sign-compare warning |
| |
| With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the |
| result of `sizeof` is unsigned. |
| |
| Closes https://github.com/curl/curl/pull/4483 |
| |
| Daniel Stenberg (13 Oct 2019) |
| - TODO: Handle growing SFTP files |
| |
| Closes #4344 |
| |
| - KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" |
| |
| The curl_formadd() function is deprecated and shouldn't be used so the |
| real fix for applications is to switch to the curl_mime_* API. |
| |
| - KNOWN_BUGS: "LDAP on Windows does authentication wrong" |
| |
| Closes #3116 |
| |
| - appveyor: add a winbuild that uses VS2017 |
| |
| Closes #4482 |
| |
| - [Harry Sintonen brought this change] |
| |
| socketpair: fix include and define for older TCP header systems |
| |
| fixed build for systems that need netinet/in.h for IPPROTO_TCP and are |
| missing INADDR_LOOPBACK |
| |
| Closes #4480 |
| |
| - socketpair: fix double-close in error case |
| |
| Follow-up to bc2dbef0afc08 |
| |
| - gskit: use the generic Curl_socketpair |
| |
| - asyn-thread: make use of Curl_socketpair() where available |
| |
| - socketpair: an implementation for Windows and more |
| |
| Curl_socketpair() is designed to be used and work everywhere if there's |
| no native version or the native version isn't good enough. |
| |
| Closes #4466 |
| |
| - RELEASE-NOTES: synced |
| |
| - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT |
| |
| Previously all connect() failures would return CURLE_COULDNT_CONNECT, no |
| matter what errno said. |
| |
| This makes for example --retry work on these transfer failures. |
| |
| Reported-by: Nathaniel J. Smith |
| Fixes #4461 |
| Closes #4462 |
| |
| - cirrus: switch off blackhole status on the freebsd CI machines |
| |
| - tests: use port 2 instead of 60000 for a safer non-listening port |
| |
| ... when the tests want "connection refused". |
| |
| - KNOWN_BUGS: IDN tests failing on Windows |
| |
| Closes #3747 |
| |
| Dan Fandrich (9 Oct 2019) |
| - cirrus: Increase the git clone depth. |
| |
| If more commits are submitted to master between the time of triggering |
| the first Cirrus build and the time the final build gets started, the |
| desired commit is no longer at HEAD and the build will error out. |
| [skip ci] |
| |
| Daniel Stenberg (9 Oct 2019) |
| - docs: make sure the --no-progress-meter docs file is in dist too |
| |
| - docs: document it as --no-progress-meter instead of the reverse |
| |
| Follow-up to 93373a960c3bb4 |
| |
| Reported-by: infinnovation-dev on github |
| Fixes #4474 |
| Closes #4475 |
| |
| Dan Fandrich (9 Oct 2019) |
| - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. |
| |
| Also, select the images using image_family to get the latest snapshots |
| automatically. |
| [skip ci] |
| |
| Daniel Stenberg (8 Oct 2019) |
| - curl: --no-progress-meter |
| |
| New option that allows a user to ONLY switch off curl's progress meter |
| and leave everything else in "talkative" mode. |
| |
| Reported-by: Piotr Komborski |
| Fixes #4422 |
| Closes #4470 |
| |
| - TODO: Consult %APPDATA% also for .netrc |
| |
| Closes #4016 |
| |
| - CURLOPT_TIMEOUT.3: remove the mention of "minutes" |
| |
| ... just say that limiting operations risk aborting otherwise fine |
| working transfers. If that means seconds, minutes or hours, we leave to |
| the user. |
| |
| Reported-by: Martin Gartner |
| Closes #4469 |
| |
| - [Andrei Valeriu BICA brought this change] |
| |
| docs: added multi-event.c example |
| |
| Similar to multi-uv.c but using libevent 2. This is a simpler libevent |
| integration example than hiperfifo.c. |
| |
| Closes #4471 |
| |
| Jay Satiro (5 Oct 2019) |
| - [Nicolas brought this change] |
| |
| ldap: fix OOM error on missing query string |
| |
| - Allow missing queries, don't return NO_MEMORY error in such a case. |
| |
| It is acceptable for there to be no specified query string, for example: |
| |
| curl ldap://ldap.forumsys.com |
| |
| A regression bug in 1b443a7 caused this issue. |
| |
| This is a partial fix for #4261. |
| |
| Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 |
| Reported-by: Jojojov@users.noreply.github.com |
| Analyzed-by: Samuel Surtees |
| |
| Closes https://github.com/curl/curl/pull/4467 |
| |
| - [Paul B. Omta brought this change] |
| |
| build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines |
| |
| Closes https://github.com/curl/curl/pull/4460 |
| |
| Daniel Stenberg (5 Oct 2019) |
| - RELEASE-NOTES: synced |
| |
| - [Stian Soiland-Reyes brought this change] |
| |
| curl: ensure HTTP 429 triggers --retry |
| |
| This completes #3794. |
| |
| Also make sure the new tests from #4195 are enabled |
| |
| Closes #4465 |
| |
| Marcel Raad (4 Oct 2019) |
| - [apique brought this change] |
| |
| winbuild: add ENABLE_UNICODE option |
| |
| Fixes https://github.com/curl/curl/issues/4308 |
| Closes https://github.com/curl/curl/pull/4309 |
| |
| Daniel Stenberg (4 Oct 2019) |
| - ngtcp2: adapt to API change |
| |
| Closes #4457 |
| |
| - cookies: change argument type for Curl_flush_cookies |
| |
| The second argument is really a 'bool' so use that and pass in TRUE/FALSE |
| to make it clear. |
| |
| Closes #4455 |
| |
| - http2: move state-init from creation to pre-transfer |
| |
| To make sure that the HTTP/2 state is initialized correctly for |
| duplicated handles. It would otherwise easily generate "spurious" |
| PRIORITY frames to get sent over HTTP/2 connections when duplicated easy |
| handles were used. |
| |
| Reported-by: Daniel Silverstone |
| Fixes #4303 |
| Closes #4442 |
| |
| - urlapi: fix use-after-free bug |
| |
| Follow-up from 2c20109a9b5d04 |
| |
| Added test 663 to verify. |
| |
| Reported by OSS-Fuzz |
| Bug: https://crbug.com/oss-fuzz/17954 |
| |
| Closes #4453 |
| |
| - [Paul Dreik brought this change] |
| |
| cookie: avoid harmless use after free |
| |
| This fix removes a use after free which can be triggered by |
| the internal cookie fuzzer, but otherwise is probably |
| impossible to trigger from an ordinary application. |
| |
| The following program reproduces it: |
| |
| curl_global_init(CURL_GLOBAL_DEFAULT); |
| CURL* handle=curl_easy_init(); |
| CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); |
| curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); |
| Curl_flush_cookies(handle, true); |
| Curl_cookie_cleanup(info); |
| curl_easy_cleanup(handle); |
| curl_global_cleanup(); |
| |
| This was found through fuzzing. |
| |
| Closes #4454 |
| |
| - [Denis Chaplygin brought this change] |
| |
| docs: add note on failed handles not being counted by curl_multi_perform |
| |
| Closes #4446 |
| |
| - CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo |
| |
| - [Niall brought this change] |
| |
| ESNI: initial build/setup |
| |
| Closes #4011 |
| |
| - RELEASE-NOTES: synced |
| |
| - redirect: when following redirects to an absolute URL, URL encode it |
| |
| ... to make it handle for example (RFC violating) embedded spaces. |
| |
| Reported-by: momala454 on github |
| Fixes #4445 |
| Closes #4447 |
| |
| - urlapi: fix URL encoding when setting a full URL |
| |
| - tool_operate: rename functions to make more sense |
| |
| - curl: create easy handles on-demand and not ahead of time |
| |
| This should again enable crazy-large download ranges of the style |
| [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 |
| when this new handle allocating scheme was introduced. |
| |
| Reported-by: Peter Sumatra |
| Fixes #4393 |
| Closes #4438 |
| |
| - [Kunal Ekawde brought this change] |
| |
| CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt |
| |
| Closes #4410 |
| |
| - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error |
| |
| Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the |
| response is chunked-encoded. |
| |
| Reported-by: Ilya Kosarev |
| Fixes #4310 |
| Closes #4449 |
| |
| Marcel Raad (1 Oct 2019) |
| - checksrc: fix uninitialized variable warning |
| |
| The loop doesn't need to be executed without a file argument. |
| |
| Closes https://github.com/curl/curl/pull/4444 |
| |
| - urlapi: fix unused variable warning |
| |
| `dest` is only used with `ENABLE_IPV6`. |
| |
| Closes https://github.com/curl/curl/pull/4444 |
| |
| - lib: silence conversion warnings |
| |
| Closes https://github.com/curl/curl/pull/4444 |
| |
| - AppVeyor: add 32-bit MinGW-w64 build |
| |
| With WinSSL and testing enabled so that it would have detected most of |
| the warnings fixed in [0] and [1]. |
| |
| [0] https://github.com/curl/curl/pull/4398 |
| [1] https://github.com/curl/curl/pull/4415 |
| |
| Closes https://github.com/curl/curl/pull/4433 |
| |
| - AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild |
| |
| It's only used for MSYS2 with MinGW. |
| |
| Closes |
| |
| Daniel Stenberg (30 Sep 2019) |
| - [Emil Engler brought this change] |
| |
| git: add tests/server/disabled to .gitignore |
| |
| Closes #4441 |
| |
| - altsvc: accept quoted ma and persist values |
| |
| As mandated by the spec. Test 1654 is extended to verify. |
| |
| Closes #4443 |
| |
| - mailmap: a Lucas fix |
| |
| Alessandro Ghedini (29 Sep 2019) |
| - [Lucas Pardue brought this change] |
| |
| quiche: update HTTP/3 config creation to new API |
| |
| Daniel Stenberg (29 Sep 2019) |
| - BINDINGS: PureBasic, Net::Curl for perl and Nim |
| |
| - BINDINGS: Kapito is an Erlang library, basically a binding |
| |
| - BINDINGS: added clj-curl |
| |
| Reported-by: Lucas Severo |
| |
| - [Jay Satiro brought this change] |
| |
| docs: disambiguate CURLUPART_HOST is for host name (ie no port) |
| |
| Closes #4424 |
| |
| - cookies: using a share with cookies shouldn't enable the cookie engine |
| |
| The 'share object' only sets the storage area for cookies. The "cookie |
| engine" still needs to be enabled or activated using the normal cookie |
| options. |
| |
| This caused the curl command line tool to accidentally use cookies |
| without having been told to, since curl switched to using shared cookies |
| in 7.66.0. |
| |
| Test 1166 verifies |
| |
| Updated test 506 |
| |
| Fixes #4429 |
| Closes #4434 |
| |
| - setopt: handle ALTSVC set to NULL |
| |
| - RELEASE-NOTES: synced |
| |
| - [grdowns brought this change] |
| |
| INSTALL: add vcpkg installation instructions |
| |
| Closes #4435 |
| |
| - [Zenju brought this change] |
| |
| FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs |
| |
| Add libtest 661 |
| |
| Closes #4417 |
| |
| - [Zenju brought this change] |
| |
| FTP: url-decode path before evaluation |
| |
| Closes #4428 |
| |
| Marcel Raad (27 Sep 2019) |
| - tests: fix narrowing conversion warnings |
| |
| `timediff_t` is 64 bits wide also on 32-bit systems since |
| commit b1616dad8f0. |
| |
| Closes https://github.com/curl/curl/pull/4415 |
| |
| Jay Satiro (27 Sep 2019) |
| - [julian brought this change] |
| |
| vtls: Fix comment typo about macosx-version-min compiler flag |
| |
| Closes https://github.com/curl/curl/pull/4425 |
| |
| Daniel Stenberg (26 Sep 2019) |
| - [Yechiel Kalmenson brought this change] |
| |
| README: minor grammar fix |
| |
| Closes #4431 |
| |
| - [Spezifant brought this change] |
| |
| HTTP3: fix prefix parameter for ngtcp2 build |
| |
| Closes #4430 |
| |
| - quiche: don't close connection at end of stream! |
| |
| - quiche: set 'drain' when returning without having drained the queues |
| |
| - Revert "FTP: url-decode path before evaluation" |
| |
| This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. |
| |
| - HTTP3: merged and simplified the two 'running' sections |
| |
| - HTTP3: show an --alt-svc using example too |
| |
| - [Zenju brought this change] |
| |
| FTP: url-decode path before evaluation |
| |
| Closes #4423 |
| |
| - openssl: use strerror on SSL_ERROR_SYSCALL |
| |
| Instead of showing the somewhat nonsensical errno number, use strerror() |
| to provide a more relatable error message. |
| |
| Closes #4411 |
| |
| - HTTP3: update quic.aiortc.org + add link to server list |
| |
| Reported-by: Jeremy Lainé |
| |
| Jay Satiro (26 Sep 2019) |
| - url: don't set appconnect time for non-ssl/non-ssh connections |
| |
| Prior to this change non-ssl/non-ssh connections that were reused set |
| TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH |
| handshake took place. |
| |
| [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in |
| libcurl and %{time_appconnect} in the curl tool. It is documented as |
| "the time until the SSL/SSH handshake is completed". |
| |
| Reported-by: Marcel Hernandez |
| |
| Ref: https://github.com/curl/curl/issues/3760 |
| |
| Closes https://github.com/curl/curl/pull/3773 |
| |
| Daniel Stenberg (25 Sep 2019) |
| - ngtcp2: remove fprintf() calls |
| |
| - convert some of them to H3BUF() calls to infof() |
| - remove some of them completely |
| - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now |
| |
| Closes #4421 |
| |
| - [Jay Satiro brought this change] |
| |
| url: fix the NULL hostname compiler warning case |
| |
| Closes #4403 |
| |
| - [Jay Satiro brought this change] |
| |
| travis: move the go install to linux-only |
| |
| ... to repair the build again |
| Closes #4403 |
| |
| - altsvc: correct the #ifdef for the ngtcp2 backend |
| |
| - altsvc: save h3 as h3-23 |
| |
| Follow-up to d176a2c7e5 |
| |
| - urlapi: question mark within fragment is still fragment |
| |
| The parser would check for a query part before fragment, which caused it |
| to do wrong when the fragment contains a question mark. |
| |
| Extended test 1560 to verify. |
| |
| Reported-by: Alex Konev |
| Fixes #4412 |
| Closes #4413 |
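
The parsing order this entry describes, as an added example (not code from the curl project or from this changelog): the fragment is located first and a query is only searched for in front of it. The names `split_query_fragment`, `naive_query` and `struct url_tail` are hypothetical, and the input is assumed to be the part of a URL that follows the authority.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example. Pointers refer into the input
   string; a NULL pointer means the component is absent. */
struct url_tail {
  size_t pathlen;        /* length of the path part */
  const char *query;     /* text after '?', up to '#' or end */
  size_t qlen;
  const char *fragment;  /* text after the first '#', to end of string */
  size_t flen;
};

/* Order described as wrong in the entry above: search for '?' first,
   anywhere in the string, so a '?' inside the fragment starts a "query". */
const char *naive_query(const char *s)
{
  const char *q = strchr(s, '?');
  return q ? q + 1 : NULL;
}

/* Corrected order: everything after the first '#' is fragment, and only the
   text in front of it is searched for a '?'. */
void split_query_fragment(const char *s, struct url_tail *t)
{
  const char *hash = strchr(s, '#');
  size_t before = hash ? (size_t)(hash - s) : strlen(s);
  const char *q = memchr(s, '?', before);

  t->fragment = hash ? hash + 1 : NULL;
  t->flen = hash ? strlen(hash + 1) : 0;
  t->query = q ? q + 1 : NULL;
  t->qlen = q ? before - (size_t)(q + 1 - s) : 0;
  t->pathlen = q ? (size_t)(q - s) : before;
}

int main(void)
{
  /* Constructed sample inputs */
  const char *samples[] = { "/path#frag?notquery", "/p?a=b#f?x", "/plain" };
  size_t i;
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    struct url_tail t;
    split_query_fragment(samples[i], &t);
    printf("%-22s path=%.*s query=%.*s fragment=%.*s\n", samples[i],
           (int)t.pathlen, samples[i],
           (int)t.qlen, t.query ? t.query : "",
           (int)t.flen, t.fragment ? t.fragment : "");
  }
  return 0;
}
```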
| |
| - [Alex Samorukov brought this change] |
| |
| HTTP3.md: move -p for mkdir, remove -j for make |
| |
| - mkdir on OSX/Darwin requires `-p` argument before dir |
| |
| - portably figuring out number of cores is an exercise for somewhere |
| else |
| |
| Closes #4407 |
| |
| Patrick Monnerat (24 Sep 2019) |
| - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, |
| |
| As libcurl now uses these 2 system functions, wrappers are needed on os400 |
| to convert returned AF_UNIX sockaddrs to ascii. |
| |
| This is a follow-up to commit 7fb54ef. |
| See also #4037. |
| Closes #4214 |
| |
| Jay Satiro (24 Sep 2019) |
| - [Lucas Pardue brought this change] |
| |
| strcase: fix raw lowercasing the letter X |
| |
| Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to |
| this change. |
| |
| Follow-up to 0023fce which added the function several days ago. |
| |
| Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 |
| |
| Closes https://github.com/curl/curl/pull/4408 |
| |
| Daniel Stenberg (23 Sep 2019) |
| - http2: Expression 'stream->stream_id != - 1' is always true |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - http2: A value is being subtracted from the unsigned variable |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - libssh: part of conditional expression is always true: !result |
| |
| PVS-Studio warning |
| Fixed #4402 |
| |
| - libssh: part of conditional expression is always true |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - libssh: The expression is excessive or contains a misprint |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - quiche: The expression must be surrounded by parentheses |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - vauth: The parameter 'status' must be surrounded by parentheses |
| |
| PVS-Studio warning |
| Fixes #4402 |
| |
| - [Paul Dreik brought this change] |
| |
| doh: allow only http and https in debug mode |
| |
| Otherwise curl may be told to use for instance pop3 to |
| communicate with the doh server, which most likely |
| is not what you want. |
| |
| Found through fuzzing. |
| |
| Closes #4406 |
| |
| - [Paul Dreik brought this change] |
| |
| doh: return early if there is no time left |
| |
| Closes #4406 |
| |
| - [Barry Pollard brought this change] |
| |
| http: lowercase headernames for HTTP/2 and HTTP/3 |
| |
| Closes #4401 |
| Fixes #4400 |
| |
| Marcel Raad (23 Sep 2019) |
| - vtls: fix narrowing conversion warnings |
| |
| Curl_timeleft returns `timediff_t`, which is 64 bits wide also on |
| 32-bit systems since commit b1616dad8f0. |
| |
| Closes https://github.com/curl/curl/pull/4398 |
| |
| Daniel Stenberg (23 Sep 2019) |
| - [Joel Depooter brought this change] |
| |
| winbuild: Add manifest to curl.exe for proper OS version detection |
| |
| This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 |
| in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to |
| CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is |
| overwritten. The fix is to append values to CURL_RC_FLAGS instead of |
| overwriting |
| |
| Closes #4399 |
| |
| - RELEASE-NOTES: synced |
| |
| Marcel Raad (22 Sep 2019) |
| - openssl: fix compiler warning with LibreSSL |
| |
| It was already fixed for BoringSSL in commit a0f8fccb1e0. |
| LibreSSL has had the second argument to SSL_CTX_set_min_proto_version |
| as uint16_t ever since the function was added in [0]. |
| |
| [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda |
| |
| Closes https://github.com/curl/curl/pull/4397 |
| |
| Daniel Stenberg (22 Sep 2019) |
| - curl: exit the create_transfers loop on errors |
| |
| When looping around the ranges and given URLs to create transfers, all |
| errors should exit the loop and return. Previously it would keep |
| looping. |
| |
| Reported-by: SumatraPeter on github |
| Bug: #4393 |
| Closes #4396 |
| |
| Jay Satiro (21 Sep 2019) |
| - socks: Fix destination host shown on SOCKS5 error |
| |
| Prior to this change when a server returned a socks5 connect error then |
| curl would parse the destination address:port from that data and show it |
| to the user as the destination: |
| |
| curld -v --socks5 10.0.3.1:1080 http://google.com:99 |
| * SOCKS5 communication to google.com:99 |
| * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) |
| * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) |
| curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) |
| |
| That's incorrect because the address:port included in the connect error |
| is actually a bind address:port (typically unused) and not the |
| destination address:port. This fix changes curl to show the destination |
| information that curl sent to the server instead: |
| |
| curld -v --socks5 10.0.3.1:1080 http://google.com:99 |
| * SOCKS5 communication to google.com:99 |
| * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) |
| * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) |
| curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) |
| |
| curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 |
| * SOCKS5 communication to google.com:99 |
| * SOCKS5 connect to google.com:99 (remotely resolved) |
| * Can't complete SOCKS5 connection to google.com:99. (1) |
| curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) |
| |
| Ref: https://tools.ietf.org/html/rfc1928#section-6 |
| |
| Closes https://github.com/curl/curl/pull/4394 |
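
The reply layout behind this entry, as an added example (not curl's code): a parser for the SOCKS5 reply of RFC 1928 section 6 that keeps BND.ADDR/BND.PORT apart from the destination the client asked for, and builds the error text from the destination. The function and struct names are hypothetical, and the reply bytes are constructed to carry the bind address 253.127.0.0:26673 seen in the first transcript.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 reply, RFC 1928 section 6:
   VER | REP | RSV | ATYP | BND.ADDR | BND.PORT */
struct socks5_reply {
  unsigned char rep;            /* 0 = succeeded, anything else is an error */
  unsigned char atyp;           /* 1 = IPv4, 3 = domain name, 4 = IPv6 */
  unsigned char bnd_addr[255];  /* server-side bind address, NOT the target */
  size_t bnd_addr_len;
  unsigned short bnd_port;
};

/* Constructed sample: VER=5, REP=1 (general failure), RSV=0, ATYP=1,
   BND.ADDR=253.127.0.0, BND.PORT=0x6831 (26673). */
static const unsigned char SAMPLE_REPLY[] = {
  0x05, 0x01, 0x00, 0x01, 0xfd, 0x7f, 0x00, 0x00, 0x68, 0x31
};

/* Returns 0 on success, -1 if the reply is truncated or malformed. */
int socks5_parse_reply(const unsigned char *buf, size_t len,
                       struct socks5_reply *out)
{
  size_t alen;
  size_t off = 4;                  /* offset of BND.ADDR */

  if(len < 4 || buf[0] != 5 || buf[2] != 0)
    return -1;
  switch(buf[3]) {
  case 1: alen = 4; break;         /* IPv4 */
  case 4: alen = 16; break;        /* IPv6 */
  case 3:                          /* domain: one length octet, then name */
    if(len < 5)
      return -1;
    alen = buf[4];
    off = 5;
    break;
  default:
    return -1;
  }
  if(len - off < alen + 2)         /* address plus two port octets */
    return -1;

  out->rep = buf[1];
  out->atyp = buf[3];
  memcpy(out->bnd_addr, buf + off, alen);
  out->bnd_addr_len = alen;
  out->bnd_port = (unsigned short)((buf[off + alen] << 8) | buf[off + alen + 1]);
  return 0;
}

/* Builds the user-facing error from the destination the client sent to the
   proxy. The bind address in the reply is deliberately not used here.
   Returns 1 if an error message was written, 0 if the reply says success. */
int socks5_connect_error(const char *dest_host, int dest_port,
                         const struct socks5_reply *r,
                         char *msg, size_t msglen)
{
  if(r->rep == 0)
    return 0;
  snprintf(msg, msglen, "Can't complete SOCKS5 connection to %s:%d. (%d)",
           dest_host, dest_port, r->rep);
  return 1;
}

int main(void)
{
  struct socks5_reply r;
  char msg[128];
  if(socks5_parse_reply(SAMPLE_REPLY, sizeof(SAMPLE_REPLY), &r))
    return 1;
  printf("bind address in reply: %u.%u.%u.%u:%u\n", r.bnd_addr[0],
         r.bnd_addr[1], r.bnd_addr[2], r.bnd_addr[3], (unsigned)r.bnd_port);
  if(socks5_connect_error("172.217.7.14", 99, &r, msg, sizeof(msg)))
    printf("%s\n", msg);
  return 0;
}
```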
| |
| Daniel Stenberg (21 Sep 2019) |
| - travis: enable ngtcp2 h3-23 builds |
| |
| - altsvc: both backends run h3-23 now |
| |
| Closes #4395 |
| |
| - http: fix warning on conversion from int to bit |
| |
| Follow-up from 03ebe66d70 |
| |
| - urldata: use 'bool' for the bit type on MSVC compilers |
| |
| Closes #4387 |
| Fixes #4379 |
| |
| - appveyor: upgrade VS2017 to VS2019 |
| |
| Closes #4383 |
| |
| - [Zenju brought this change] |
| |
| FTP: FTPFILE_NOCWD: avoid redundant CWDs |
| |
| Closes #4382 |
| |
| - cookie: pass in the correct cookie amount to qsort() |
| |
| As the loop discards cookies without domain set. This bug would lead to |
| qsort() trying to sort uninitialized pointers. We have however not found |
| it a security problem. |
| |
| Reported-by: Paul Dreik |
| Closes #4386 |
| |
| - [Paul Dreik brought this change] |
| |
| urlapi: avoid index underflow for short ipv6 hostnames |
| |
| If the input hostname is "[", hlen will underflow to max of size_t when |
| it is subtracted with 2. |
| |
| hostname[hlen] will then cause a warning by ubsanitizer: |
| |
| runtime error: addition of unsigned offset to 0x<snip> overflowed to |
| 0x<snip> |
| |
| I think that in practice, the generated code will work, and the output |
| of hostname[hlen] will be the first character "[". |
| |
| This can be demonstrated by the following program (tested in both clang |
| and gcc, with -O3) |
| |
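| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| |
| int main() { |
|   char* hostname=strdup("["); |
|   size_t hlen = strlen(hostname); |
| |
|   hlen-=2; /* 1 - 2 wraps to the max of size_t */ |
|   hostname++; |
|   printf("character is %d\n",+hostname[hlen]); |
|   free(hostname-1); |
| } |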
| |
| I found this through fuzzing, and even if it seems harmless, the proper |
| thing is to return early with an error. |
| |
| Closes #4389 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 |
| |
| Closes #4392 |
| |
| - THANKS-filter: deal with my typos 'Jat' => 'Jay' |
| |
| - travis: use go master |
| |
| ... as the boringssl builds need a very recent version |
| |
| Co-authored-by: Jat Satiro |
| Closes #4361 |
| |
| - tool_operate: removed unused variable 'done' |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - tool_operate: Expression 'config->resume_from' is always true |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - tool_getparam: remove duplicate switch case |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - libssh2: part of conditional expression is always true: !result |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - urlapi: Expression 'storep' is always true |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - urlapi: 'scheme' is always true |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - urlapi: part of conditional expression is always true: (relurl[0] == '/') |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly |
| |
| Fixes bug detected by PVS-Studio |
| Fixes #4374 |
| |
| - mime: make Curl_mime_duppart() assert if called without valid dst |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - http_proxy: part of conditional expression is always true: !error |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - imap: merged two case-branches performing the same action |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - multi: value '2L' is assigned to a boolean |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - easy: part of conditional expression is always true: !result |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - netrc: part of conditional expression is always true: !done |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - version: Expression 'left > 1' is always true |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - url: remove dead code |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - url: part of expression is always true: (bundle->multiuse == 0) |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - ftp: the conditional expression is always true |
| |
| ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - ftp: Expression 'ftpc->wait_data_conn' is always false |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - ftp: Expression 'ftpc->wait_data_conn' is always true |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - ftp: part of conditional expression is always true: !result |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| |
| - http: fix Expression 'http->postdata' is always false |
| |
| Fixes warning detected by PVS-Studio |
| Fixes #4374 |
| Reported-by: Valerii Zapodovnikov |
| |
| - [Niall O'Reilly brought this change] |
| |
| doh: avoid truncating DNS QTYPE to lower octet |
| |
| Closes #4381 |
| |
| - [Jens Finkhaeuser brought this change] |
| |
| urlapi: CURLU_NO_AUTHORITY allows empty authority/host part |
| |
| CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not |
| "file:///") to override cURL's default demand that an authority exists. |
| |
| Closes #4349 |
| |
| - version: next release will be 7.67.0 |
| |
| - RELEASE-NOTES: synced |
| |
| - url: only reuse TLS connections with matching pinning |
| |
| If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the |
| connection should not be reused. |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html |
| Reported-by: Sebastian Haglund |
| |
| Closes #4347 |
| |
| - README: add OSS-Fuzz badge [skip ci] |
| |
| Closes #4380 |
| |
| Michael Kaufmann (18 Sep 2019) |
| - http: merge two "case" statements |
| |
| Daniel Stenberg (18 Sep 2019) |
| - [Zenju brought this change] |
| |
| FTP: remove trailing slash from path for LIST/MLSD |
| |
| Closes #4348 |
| |
| - mime: when disabled, avoid C99 macro |
| |
| Closes #4368 |
| |
| - url: cleanup dangling DOH request headers too |
| |
| Follow-up to 9bc44ff64d9081 |
| |
| Credit to OSS-Fuzz |
| Bug: https://crbug.com/oss-fuzz/17269 |
| |
| Closes #4372 |
| |
| - [Christoph M. Becker brought this change] |
| |
| http2: relax verification of :authority in push promise requests |
| |
| If the :authority pseudo header field doesn't contain an explicit port, |
| we assume it is valid for the default port, instead of rejecting the |
| request for all ports. |
| |
| Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html |
| |
| Closes #4365 |
| |
| - doh: clean up dangling DOH handles and memory on easy close |
| |
| If you set the same URL for target as for DoH (and it isn't a DoH |
| server), like "https://example.com" in both, the easy handles used for |
| the DoH requests could be left "dangling" and end up not getting freed. |
| |
| Reported-by: Paul Dreik |
| Closes #4366 |
| |
| - unit1655: make it C90 compliant |
| |
| Unclear why this was not detected in the CI. |
| |
| Follow-up to b7666027296a |
| |
| - smb: check for full size message before reading message details |
| |
| To avoid reading of uninitialized data. |
| |
| Assisted-by: Max Dymond |
| Bug: https://crbug.com/oss-fuzz/16907 |
| Closes #4363 |
| |
| - quiche: persist connection details |
| |
| ... like we do for other protocols at connect time. This makes "curl -I" |
| and other things work. |
| |
| Reported-by: George Liu |
| Fixes #4358 |
| Closes #4360 |
| |
| - openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version |
| |
| Follow-up to ffe34b7b59 |
| Closes #4359 |
| |
| - [Paul Dreik brought this change] |
| |
| doh: fix undefined behaviour and open up for gcc and clang optimization |
| |
| The undefined behaviour is annoying when running fuzzing with |
| sanitizers. The codegen is the same, but the meaning is now not up for |
| dispute. See https://cppinsights.io/s/516a2ff4 |
| |
| By incrementing the pointer first, both gcc and clang recognize this as |
| a bswap and optimize it to a single instruction. See |
| https://godbolt.org/z/994Zpx |
| |
| Closes #4350 |
| |
| - [Paul Dreik brought this change] |
| |
| doh: fix (harmless) buffer overrun |
| |
| Added unit test case 1655 to verify. |
| Close #4352 |
| |
| the code correctly finds the flaws in the old code, |
| if one temporarily restores doh.c to the old version. |
| |
| Alessandro Ghedini (15 Sep 2019) |
| - docs: remove trailing ':' from section names in CURLOPT_TRAILER* man |
| |
| - docs: fix typo in CURLOPT_HTTP_VERSION man |
| |
| GitHub (14 Sep 2019) |
| - [Daniel Stenberg brought this change] |
| |
| CI: initial github action job |
| |
| First shot at a CI build on github actions |
| |
| Daniel Stenberg (13 Sep 2019) |
| - appveyor: add a winbuild |
| |
| Assisted-by: Marcel Raad |
| Assisted-by: Jay Satiro |
| |
| Closes #4324 |
| |
| - FTP: allow "rubbish" prepended to the SIZE response |
| |
| This is a protocol violation but apparently there are legacy proprietary |
| servers doing this. |
| |
| Added test 336 and 337 to verify. |
| |
| Reported-by: Philippe Marguinaud |
| Closes #4339 |
| |
| - [Zenju brought this change] |
| |
| FTP: skip CWD to entry dir when target is absolute |
| |
| Closes #4332 |
| |
| Kamil Dudka (13 Sep 2019) |
| - curl: fix memory leaked by parse_metalink() |
| |
| This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. |
| Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind |
| and libmetalink enabled. |
| |
| Closes #4326 |
| |
| Daniel Stenberg (13 Sep 2019) |
| - parsedate: still provide the name arrays when disabled |
| |
| If FILE or FTP are enabled, since they also use them! |
| |
| Reported-by: Roland Hieber |
| Fixes #4325 |
| Closes #4343 |
| |
| - [Gilles Vollant brought this change] |
| |
| curl:file2string: load large files much faster |
| |
| ... by using a more efficient realloc scheme. |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html |
| Closes #4336 |
| |
| - openssl: close_notify on the FTP data connection doesn't mean closure |
| |
| For FTPS transfers, curl gets close_notify on the data connection |
| without that being a signal to close the control connection! |
| |
| Regression since 3f5da4e59a556fc (7.65.0) |
| |
| Reported-by: Zenju on github |
| Reviewed-by: Jay Satiro |
| Fixes #4329 |
| Closes #4340 |
| |
| - [Jimmy Gaussen brought this change] |
| |
| docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag |
| |
| Closes #4338 |
| |
| - RELEASE-NOTES: synced |
| |
| - curlver: bump to 7.66.1 |
| |
| - [Zenju brought this change] |
| |
| setopt: make it easier to add new enum values |
| |
| ... by using the *_LAST define names better. |
| |
| Closes #4321 |
| |
| - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris |
| |
| Reported-by: Dagobert Michelsen |
| Fixes #4328 |
| Closes #4333 |
| |
| - [Bernhard Walle brought this change] |
| |
| winbuild/MakefileBuild.vc: Add vssh |
| |
| Without that modification, the Windows build using the makefiles doesn't |
| work. |
| |
| Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu> |
| |
| Fixes #4322 |
| Closes #4323 |
| |
| Bernhard Walle (11 Sep 2019) |
| - winbuild/MakefileBuild.vc: Fix line endings |
| |
| The file had mixed line endings. |
| |
| Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu> |
| |
| Jay Satiro (11 Sep 2019) |
| - ldap: Stop using wide char version of ldapp_err2string |
| |
| Despite ldapp_err2string being documented by MS as returning a |
| PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and |
| returns PWCHAR (wchar_t *). |
| |
| We have lots of code that expects ldap_err2string to return char *, |
| most of it failf used like this: |
| |
| failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); |
| |
| Closes https://github.com/curl/curl/pull/4272 |
| |
| Version 7.66.0 (10 Sep 2019) |
| |
| Daniel Stenberg (10 Sep 2019) |
| - RELEASE-NOTES: curl 7.66.0 |
| |
| - THANKS: from the 7.66.0 release |
| |
| - curl: make sure the parallel transfers do them all |
| |
| The logic could erroneously break the loop too early before all |
| transfers had been transferred. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4316 |
| Closes #4317 |
| |
| - urlapi: one colon is enough for the strspn() input (typo) |
| |
| - urlapi: verify the IPv6 numerical address |
| |
| It needs to parse correctly. Otherwise it could be tricked into letting |
| through a-f using host names that libcurl would then resolve. Like |
| '[ab.be]'. |
| |
| Reported-by: Thomas Vegas |
| Closes #4315 |
| |
| - [Clément Notin brought this change] |
| |
| openssl: use SSL_CTX_set_<min|max>_proto_version() when available |
| |
| OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use |
| when available. Existing code is preserved for older versions of |
| OpenSSL. |
| |
| Closes #4304 |
| |
| - [Clément Notin brought this change] |
| |
| openssl: indent, re-organize and add comments |
| |
| - [migueljcrum brought this change] |
| |
| sspi: fix memory leaks |
| |
| Closes #4299 |
| |
| - travis: disable ngtcp2 builds (again) |
| |
| - Curl_fillreadbuffer: avoid double-free trailer buf on error |
| |
| Reviewed-by: Jay Satiro |
| Reported-by: Thomas Vegas |
| |
| Closes #4307 |
| |
| - tool_setopt: handle a libcurl build without netrc support |
| |
| Reported-by: codesniffer13 on github |
| Fixes #4302 |
| Closes #4305 |
| |
| - security:read_data fix bad realloc() |
| |
| ... that could end up a double-free |
| |
| CVE-2019-5481 |
| Bug: https://curl.haxx.se/docs/CVE-2019-5481.html |
| |
| - [Thomas Vegas brought this change] |
| |
| tftp: Alloc maximum blksize, and use default unless OACK is received |
| |
| Fixes potential buffer overflow from 'recvfrom()', should the server |
| return an OACK without blksize. |
| |
| Bug: https://curl.haxx.se/docs/CVE-2019-5482.html |
| CVE-2019-5482 |
| |
| - [Thomas Vegas brought this change] |
| |
| tftp: return error when packet is too small for options |
| |
| - KNOWN_BUGS/TODO: cleanup and remove outdated issues |
| |
| - RELEASE-NOTES: synced |
| |
| - netrc: free 'home' on error |
| |
| Follow-up to f9c7ba9096ec2 |
| |
| Coverity CID 1453474 |
| |
| Closes #4291 |
| |
| - urldata: avoid 'generic', use dedicated pointers |
| |
| For the 'proto' union within the connectdata struct. |
| |
| Closes #4290 |
| |
| - cleanup: move functions out of url.c and make them static |
| |
| Closes #4289 |
| |
| - smtp: check for and bail out on too short EHLO response |
| |
| Otherwise, a three byte response would make the smtp_state_ehlo_resp() |
| function misbehave. |
| |
| Credit to OSS-Fuzz |
| Bug: https://crbug.com/oss-fuzz/16918 |
| |
| Assisted-by: Max Dymond |
| |
| Closes #4287 |
| |
| - smb: init *msg to NULL in smb_send_and_recv() |
| |
| ... it might otherwise return OK from this function leaving that pointer |
| uninitialized. |
| |
| Bug: https://crbug.com/oss-fuzz/16907 |
| |
| Closes #4286 |
| |
| - ROADMAP: updated after recent user poll |
| |
| In rough prio order |
| |
| - THANKS: remove duplicate |
| |
| - Curl_addr2string: take an addrlen argument too |
| |
| This allows the function to figure out if a unix domain socket has a |
| file name or not associated with it! When a socket is created with |
| socketpair(), as done in the fuzzer testing, the path struct member is |
| uninitialized and must not be accessed. |
| |
| Bug: https://crbug.com/oss-fuzz/16699 |
| |
| Closes #4283 |
| |
| - [Rolf Eike Beer brought this change] |
| |
| CMake: remove needless newlines at end of gss variables |
| |
| - [Rolf Eike Beer brought this change] |
| |
| CI: remove duplicate configure flag for LGTM.com |
| |
| - [Rolf Eike Beer brought this change] |
| |
| CMake: use platform dependent name for dlopen() library |
| |
| Closes #4279 |
| |
| - quiche: expire when poll returned data |
| |
| ... to make sure we continue draining the queue until empty |
| |
| Closes #4281 |
| |
| - quiche: decrease available buffer size, don't assign it! |
| |
| Found-by: Jeremy Lainé |
| |
| - RELEASE-NOTES: synced |
| |
| - [Kyohei Kadota brought this change] |
| |
| curl: fix include conditions |
| |
| - [Kyohei Kadota brought this change] |
| |
| plan9: fix installation instructions |
| |
| Closes #4276 |
| |
| - ngtcp2: on h3 stream close, call expire |
| |
| ... to trigger a new read to detect the stream close! |
| |
| Closes #4275 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl |
| |
| Closes #4278 |
| |
| - ngtcp2: set flow control window to stream buffer size |
| |
| Closes #4274 |
| |
| - [Christopher Head brought this change] |
| |
| CURLOPT_HEADERFUNCTION.3: clarify |
| |
| Closes #4273 |
| |
| - CURLINFO docs: mention that in redirects times are added |
| |
| Suggested-by: Brandon Dong |
| Fixes #4250 |
| Closes #4269 |
| |
| - travis: enable ngtcp2 builds again |
| |
| Switched to the openssl-quic-draft-22 openssl branch. |
| |
| Closes #4271 |
| |
| - HTTP3: switched openssl branch to use |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl |
| |
| Closes #4270 |
| |
| - http2: when marked for closure and wanted to close == OK |
| |
| It could otherwise return an error even when closed correctly if GOAWAY |
| had been received previously. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4267 |
| Closes #4268 |
| |
| - RELEASE-NOTES: synced |
| |
| - build-openssl: fix build with Visual Studio 2019 |
| |
| Reviewed-by: Marcel Raad |
| Contributed-by: osabc on github |
| Fixes #4188 |
| Closes #4266 |
| |
| Kamil Dudka (26 Aug 2019) |
| - vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure |
| |
| This is a follow-up to https://github.com/curl/curl/pull/3864 . |
| |
| Closes #4224 |
| |
| Daniel Stenberg (26 Aug 2019) |
| - KNOWN_BUGS: USE_UNIX_SOCKETS on Windows |
| |
| Closes #4040 |
| |
| - quiche: send the HTTP body correctly on callback uploads |
| |
| Closes #4265 |
| |
| - travis: disable ngtcp2 builds (temporarily) |
| |
| Just too many API changes right now |
| |
| Closes #4264 |
| |
| - ngtcp2: add support for SSLKEYLOGFILE |
| |
| Closes #4260 |
| |
| - ngtcp2: improve h3 response receiving |
| |
| Closes #4259 |
| |
| - ngtcp2: use nghttp3_version() |
| |
| - ngtcp2: sync with upstream API changes |
| |
| Assisted-by: Tatsuhiro Tsujikawa |
| |
| - [Kyle Abramowitz brought this change] |
| |
| scp: fix directory name length used in memcpy |
| |
| Fix read off end of array due to bad pointer math in getworkingpath for |
| SCP home directory case. |
| |
| Closes #4258 |
| |
| - http: the 'closed' struct field is used by both ngh2 and ngh3 |
| |
| and remove 'header_recvbuf', not used for anything |
| |
| Reported-by: Jeremy Lainé |
| |
| Closes #4257 |
| |
| - ngtcp2: accept upload via callback |
| |
| Closes #4256 |
| |
| - defines: avoid underscore-prefixed defines |
| |
| Double-underscored or underscore plus uppercase letter at least. |
| |
| ... as they're claimed to be reserved. |
| |
| Reported-by: patnyb on github |
| |
| Fixes #4254 |
| Closes #4255 |
| |
| - travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) |
| |
| Runs no tests |
| |
| Closes #4253 |
| |
| - travis: bump to using nghttp2 version 1.39.2 |
| |
| Closes #4252 |
| |
| - [Gisle Vanem brought this change] |
| |
| docs/examples/curlx: fix errors |
| |
| Initialise 'mimetype' and require the -p12 arg. |
| |
| Closes #4248 |
| |
| - cleanup: remove DOT_CHAR completely |
| |
| Follow-up to f9c7ba9096ec |
| |
| The use of DOT_CHAR for ".ssh" was probably a mistake and is removed |
| now. |
| |
| Pointed-out-by: Gisle Vanem |
| Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 |
| |
| Closes #4247 |
| |
| - spnego_sspi: add typecast to fix build warning |
| |
| Reported in build "Win32 target on Debian Stretch (64-bit) - |
| i686-w64-mingw32 - gcc-20170516" |
| |
| Closes #4245 |
| |
| - openssl: build warning free with boringssl |
| |
| Closes #4244 |
| |
| - curl: make --libcurl use CURL_HTTP_VERSION_3 |
| |
| Closes #4243 |
| |
| - ngtcp2: make postfields-set posts work |
| |
| Closes #4242 |
| |
| - http: remove chunked-encoding and expect header use for HTTP/3 |
| |
| - [Alessandro Ghedini brought this change] |
| |
| configure: use pkg-config to detect quiche |
| |
| This removes the need to hard-code the quiche target path in |
| configure.ac. |
| |
| This depends on https://github.com/cloudflare/quiche/pull/128 |
| |
| Closes #4237 |
| |
| - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 |
| |
| For a long time (since 7.28.1) we've returned error when setting the |
| value to 1 to make applications notice that we stopped supporting the old |
| behavior for 1. Starting now, we treat 1 and 2 exactly the same. |
| |
| Closes #4241 |
| |
| - curl: use .curlrc (with a dot) on Windows as well |
| |
| Fall-back to _curlrc if the dot-version is missing. |
| |
| Co-Authored-By: Steve Holme |
| |
| Closes #4230 |
| |
| - netrc: make the code try ".netrc" on Windows as well |
| |
| ... but fall back and try "_netrc" too if the dot version didn't work. |
| |
| Co-Authored-By: Steve Holme |
| |
| - ngtcp2: use ngtcp2_version() to get the run-time version |
| |
| ... which of course doesn't have to be the same used at build-time. |
| |
| Function just recently merged in ngtcp2. |
| |
| - ngtcp2: move the h3 initing to immediately after the rx key |
| |
| To fix a segfault and to better deal with 0-RTT |
| |
| Assisted-by: Tatsuhiro Tsujikawa |
| |
| - [Alessandro Ghedini brought this change] |
| |
| quiche: register debug callback once and earlier |
| |
| The quiche debug callback is global and can only be initialized once, so |
| make sure we don't do it multiple times (e.g. if multiple requests are |
| executed). |
| |
| In addition this initializes the callback before the connection is |
| created, so we get logs for the handshake as well. |
| |
| Closes #4236 |
| |
| - ssh: add a generic Curl_ssh_version function for SSH backends |
| |
| Closes #4235 |
| |
| - base64: check for SSH, not specific SSH backends |
| |
| - vssh: move ssh init/cleanup functions into backend code |
| |
| - vssh: create directory for SSH backend code |
| |
| - TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 |
| |
| HTTP3 is now already in full progress |
| |
| Downgrade redirects can be achieved almost exactly like that by setting |
| CURLOPT_REDIR_PROTOCOLS. |
| |
| - RELEASE-NOTES: synced |
| |
| - travis: add a quiche build |
| |
| Closes #4207 |
| |
| - http: fix use of credentials from URL when using HTTP proxy |
| |
| When a username and password are provided in the URL, they were wrongly |
| removed from the stored URL so that subsequent uses of the same URL |
| wouldn't find the credentials. This made doing HTTP auth with multiple |
| connections (like Digest) misbehave. |
| |
| Regression from 46e164069d1a5230 (7.62.0) |
| |
| Test case 335 added to verify. |
| |
| Reported-by: Mike Crowe |
| |
| Fixes #4228 |
| Closes #4229 |
| |
| - [Mike Crowe brought this change] |
| |
| tests: Replace outdated test case numbering documentation |
| |
| Tests are no longer grouped by numeric range[1]. Let's stop saying that |
| and provide some alternative advice for numbering tests. |
| |
| [1] https://curl.haxx.se/mail/lib-2019-08/0043.html |
| |
| Closes #4227 |
| |
| - travis: reduce number of torture tests in 'coverage' |
| |
| ... to make it complete in time. This cut seems to almost not affect |
| the coverage percentage and yet completes within 35 minutes on travis |
| where the previous runs recently always timed out after 50. |
| |
| Closes #4223 |
| |
| - [Igor Makarov brought this change] |
| |
| configure: use -lquiche to link to quiche |
| |
| Closes #4226 |
| |
| - ngtcp2: provide the callbacks as a static struct |
| |
| ... instead of having them in quicsocket |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: add missing nghttp3_conn_add_write_offset call |
| |
| Closes #4225 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: deal with stream close |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: Consume QUIC STREAM data properly |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: don't reinitialize SSL on Retry |
| |
| - multi: getsock improvements for QUIC connecting |
| |
| - connect: connections are persistent by default for HTTP/3 |
| |
| - quiche: happy eyeballs |
| |
| Closes #4220 |
| |
| - ngtcp2: do QUIC connections happy-eyeballs friendly |
| |
| - curl_version: bump string buffer size to 250 |
| |
| With HTTP/3 libs and plenty TLS libs, I managed to hit the limit (which |
| causes a truncated output). |
| |
| - CURLOPT_ALTSVC.3: use a "" file name to not load from a file |
| |
| Jay Satiro (14 Aug 2019) |
| - vauth: Use CURLE_AUTH_ERROR for auth function errors |
| |
| - Add new error code CURLE_AUTH_ERROR. |
| |
| Prior to this change auth function errors were signaled by |
| CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was |
| technically correct. |
| |
| Ref: https://github.com/curl/curl/pull/3848 |
| |
| Co-authored-by: Dominik Hölzl |
| |
| Closes https://github.com/curl/curl/pull/3864 |
| |
| Daniel Stenberg (13 Aug 2019) |
| - curl_version_info: make the quic_version a const |
| |
| Follow-up from 1a2df1518ad8653f |
| |
| Closes #4222 |
| |
| - examples: add http3.c, altsvc.c and http3-present.c |
| |
| Closes #4221 |
| |
| Peter Wu (13 Aug 2019) |
| - nss: use TLSv1.3 as default if supported |
| |
| SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported |
| range in NSS 3.45. It looks like the intention is to raise the minimum |
| version rather than lowering the maximum, so adjust accordingly. Note |
| that the caller (nss_setup_connect) initializes the version range to |
| (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. |
| |
| Closes #4187 |
| Reviewed-by: Daniel Stenberg |
| Reviewed-by: Kamil Dudka |
| |
| Daniel Stenberg (13 Aug 2019) |
| - quic.h: remove unused proto |
| |
| - curl_version_info.3: mentioned ALTSVC and HTTP3 |
| |
| ... and sorted the list alphabetically |
| |
| - lib/quic.c: unused - removed |
| |
| - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED |
| |
| Follow-up to 98c3f148 that removed it from the header file |
| |
| - [Junho Choi brought this change] |
| |
| docs/HTTP3: simplify quiche build instruction |
| |
| Use --recursive to get boringssl in one line |
| |
| Closes #4219 |
| |
| - altsvc: make it use h3-22 with ngtcp2 as well |
| |
| - ngtcp2: initial h3 request work |
| |
| Closes #4217 |
| |
| - curl_version_info: offer quic (and h3) library info |
| |
| Closes #4216 |
| |
| - HTTP3: use ngtcp2's draft-22 branch |
| |
| - RELEASE-NOTES: synced |
| |
| - CURLOPT_READFUNCTION.3: provide inline example |
| |
| ... instead of mentioning one in another place |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: send HTTP/3 request with nghttp3 |
| |
| This commit makes sending HTTP/3 request with nghttp3 work. It |
| minimally receives HTTP response and calls nghttp3 callbacks, but no |
| processing is made at the moment. |
| |
| Closes #4215 |
| |
| - nghttp3: initial h3 template code added |
| |
| - nghttp3: required when ngtcp2 is used for QUIC |
| |
| - checked for by configure |
| - updated docs/HTTP3.md |
| - shown in the version string |
| |
| Closes #4210 |
| |
| - [Eric Wong brought this change] |
| |
| asyn-thread: issue CURL_POLL_REMOVE before closing socket |
| |
| This avoids EBADF errors from EPOLL_CTL_DEL operations in the |
| ephiperfifo.c example. EBADF is dangerous in multi-threaded |
| applications where I rely on epoll_ctl to operate on the same |
| epoll description from different threads. |
| |
| Follow-up to eb9a604f8d7db8 |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html |
| Closes #4211 |
| |
| - [Carlo Marcelo Arenas Belón brought this change] |
| |
| configure: avoid undefined check_for_ca_bundle |
| |
| instead of using a "greater than 0" test, check for variable being |
| set, as it is always set to 1, and could be left unset if none of |
| OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. |
| |
| Closes #4213 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: Send ALPN h3-22 |
| |
| Closes #4212 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: use ngtcp2_settings_default and specify initial_ts |
| |
| - curl_global_init_mem.3: mention it was added in 7.12.0 |
| |
| - [Tatsuhiro Tsujikawa brought this change] |
| |
| ngtcp2: make the QUIC handshake work |
| |
| Closes #4209 |
| |
| - [Alex Mayorga brought this change] |
| |
| HTTP3.md: Update quiche build instructions |
| |
| Added cloning for quiche and BoringSSL and modified the build |
| instructions so they work on a clean folder. |
| |
| Closes #4208 |
| |
| - CURLOPT_H3: removed |
| |
| There's no use for this anymore and it was never in a release. |
| |
| Closes #4206 |
| |
| - http3: make connection reuse work |
| |
| Closes #4204 |
| |
| - quiche: add SSLKEYLOGFILE support |
| |
| - cleanup: s/curl_debug/curl_dbg_debug in comments and docs |
| |
| Leftovers from the function rename back in 76b63489495 |
| |
| Reported-by: Gisle Vanem |
| Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#commitcomment-34601751 |
| |
| Closes #4203 |
| |
| - RELEASE-NOTES: synced |
| |
| - alt-svc: add protocol version selection masking |
| |
| So that users can mask in/out specific HTTP versions when Alt-Svc is |
| used. |
| |
| - Removed "h2c" and updated test case accordingly |
| - Changed how the altsvc struct is laid out |
| - Added ifdefs to make the unittest run even in a quiche-tree |
| |
| Closes #4201 |
| |
| - http3: fix the HTTP/3 in the request, make alt-svc set right versions |
| |
| Closes #4200 |
| |
| - alt-svc: send Alt-Used: in redirected requests |
| |
| RFC 7838 section 5: |
| |
| When using an alternative service, clients SHOULD include an Alt-Used |
| header field in all requests. |
| |
| Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus |
| this is deemed ok). |
| |
| You can disable sending this header just like you disable any other HTTP |
| header in libcurl. |
| |
| Closes #4199 |
| |
| - CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly |
| |
| Even though it cannot fall-back to a lower HTTP version automatically. The |
| safer way to upgrade remains via CURLOPT_ALTSVC. |
| |
| CURLOPT_H3 no longer has any bits that do anything and might be removed |
| before we remove the experimental label. |
| |
| Updated the curl tool accordingly to use "--http3". |
| |
| Closes #4197 |
| |
| - docs/ALTSVC: remove what works and the experimental explanation |
| |
| Also, put the TODO items at the bottom. |
| |
| Closes #4198 |
| |
| - docs/EXPERIMENTAL: explain what it means and what's experimental now |
| |
| - curl: make use of CURLINFO_RETRY_AFTER when retrying |
| |
| If a Retry-After: header was used in the response, that value overrides |
| other retry timing options. |
| |
| Fixes #3794 |
| Closes #4195 |
| |
| - curl: use CURLINFO_PROTOCOL to check for HTTP(s) |
| |
| ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. |
| |
| - CURLINFO_RETRY_AFTER: parse the Retry-After header value |
| |
| This is only the libcurl part that provides the information. There's no |
| user of the parsed value. This change includes three new tests for the |
| parser. |
| |
| Ref: #3794 |
| |
| - docs/ALTSVC.md: first basic file format description |
| |
| - curl: have -w's 'http_version' show '3' for HTTP/3 |
| |
| Closes #4196 |
| |
| - curl.h: add CURL_HTTP_VERSION_3 to the version enum |
| |
| It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with |
| CURLINFO_HTTP_VERSION. |
| |
| - quiche: make use of the connection timeout API properly |
| |
| - quiche: make POSTFIELDS posts work |
| |
| - quiche: improved error handling and memory cleanups |
| |
| - quiche: flush egress in h3_stream_recv() too |
| |
| - RELEASE-NOTES: synced |
| |
| Jay Satiro (6 Aug 2019) |
| - [Patrick Monnerat brought this change] |
| |
| os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). |
| |
| Ref: https://github.com/curl/curl/issues/3653 |
| Ref: https://github.com/curl/curl/pull/3790 |
| |
| NOTE: This commit was cherry-picked and is part of a series of commits |
| that added the authzid feature for upcoming 7.66.0. The series was |
| temporarily reverted in db8ec1f so that it would not ship in a 7.65.x |
| patch release. |
| |
| Closes https://github.com/curl/curl/pull/4186 |
| |
| - tests: Fix the line endings for the SASL alt-auth tests |
| |
| - Change data and protocol sections to CRLF line endings. |
| |
| Prior to this change the tests would fail or hang, which is because |
| certain sections such as protocol require CRLF line endings. |
| |
| Follow-up to grandparent commit which added the tests. |
| |
| Ref: https://github.com/curl/curl/issues/3653 |
| Ref: https://github.com/curl/curl/pull/3790 |
| |
| NOTE: This commit was cherry-picked and is part of a series of commits |
| that added the authzid feature for upcoming 7.66.0. The series was |
| temporarily reverted in db8ec1f so that it would not ship in a 7.65.x |
| patch release. |
| |
| Closes https://github.com/curl/curl/pull/4186 |
| |
| - [Steve Holme brought this change] |
| |
| examples: Added SASL PLAIN authorisation identity (authzid) examples |
| |
| Ref: https://github.com/curl/curl/issues/3653 |
| Ref: https://github.com/curl/curl/pull/3790 |
| |
| NOTE: This commit was cherry-picked and is part of a series of commits |
| that added the authzid feature for upcoming 7.66.0. The series was |
| temporarily reverted in db8ec1f so that it would not ship in a 7.65.x |
| patch release. |
| |
| Closes https://github.com/curl/curl/pull/4186 |
| |
| - [Steve Holme brought this change] |
| |
| curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool |
| |
| Ref: https://github.com/curl/curl/issues/3653 |
| Ref: https://github.com/curl/curl/pull/3790 |
| |
| NOTE: This commit was cherry-picked and is part of a series of commits |
| that added the authzid feature for upcoming 7.66.0. The series was |
| temporarily reverted in db8ec1f so that it would not ship in a 7.65.x |
| patch release. |
| |
| Closes https://github.com/curl/curl/pull/4186 |
| |
| - [Steve Holme brought this change] |
| |
| sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID |
| |
| Added the ability for the calling program to specify the authorisation |
| identity (authzid), the identity to act as, in addition to the |
| authentication identity (authcid) and password when using SASL PLAIN |
| authentication. |
| |
| Fixes #3653 |
| Closes #3790 |
| |
| NOTE: This commit was cherry-picked and is part of a series of commits |
| that added the authzid feature for upcoming 7.66.0. The series was |
| temporarily reverted in db8ec1f so that it would not ship in a 7.65.x |
| patch release. |
| |
| Closes https://github.com/curl/curl/pull/4186 |
| |
| Daniel Stenberg (6 Aug 2019) |
| - docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested |
| |
| - [Yiming Jing brought this change] |
| |
| mesalink: implement client authentication |
| |
| Closes #4184 |
| |
| - curl_multi_poll: a sister to curl_multi_wait() that waits more |
| |
| Repeatedly we see problems where using curl_multi_wait() is difficult or |
| just awkward because if it has no file descriptor to wait for |
| internally, it returns immediately and leaves it to the caller to wait |
| for a small amount of time in order to avoid occasional busy-looping. |
| |
| This is often missed or misunderstood, leading to underperforming |
| applications. |
| |
| This change introduces curl_multi_poll() as a replacement drop-in |
| function that accepts the exact same set of arguments. This function |
| works identically to curl_multi_wait() - EXCEPT - for the case when |
| there's nothing to wait for internally, as then this function will by |
| itself wait for a "suitable" short time before it returns. This |
| effectively avoids all risks of busy-looping and should also make it less |
| likely that apps "over-wait". |
| |
| This also changes the curl tool to use this function internally when |
| doing parallel transfers and changes curl_easy_perform() to use it |
| internally. |
| |
| Closes #4163 |
| |
| - quiche:h3_stream_recv return 0 at end of stream |
| |
| ... and remove some verbose messages we don't need. Made transfers from |
| facebook.com work better. |
| |
| - altsvc: make quiche use h3-22 now |
| |
| - quiche: show the actual version number |
| |
| - quiche: first working HTTP/3 request |
| |
| - enable debug log |
| - fix use of quiche API |
| - use download buffer |
| - separate header/body |
| |
| Closes #4193 |
| |
| - http09: disable HTTP/0.9 by default in both tool and library |
| |
| As the plan has been laid out in DEPRECATED. Update docs accordingly and |
| verify in test 1174. Now requires the option to be set to allow HTTP/0.9 |
| responses. |
| |
| Closes #4191 |
| |
| - quiche: initial h3 request send/receive |
| |
| - lib/Makefile.am: make checksrc run in vquic too |
| |
| - altsvc: fix removal of expired cache entry |
| |
| Closes #4192 |
| |
| - RELEASE-NOTES: synced |
| |
| Steve Holme (4 Aug 2019) |
| - md4: Use our own MD4 implementation when no crypto libraries are available |
| |
| Closes #3780 |
| |
| - md4: No need to include Curl_md4.h for each TLS library |
| |
| - md4: No need for the NTLM code to call Curl_md4it() for each TLS library |
| |
| As the NTLM code no longer calls any of TLS libraries' specific MD4 |
| functions, there is no need to call this function for each #ifdef. |
| |
| - md4: Move the mbed TLS MD4 implementation out of the NTLM code |
| |
| - md4: Move the WinCrypt implementation out of the NTLM code |
| |
| - md4: Move the SecureTransport implementation out of the NTLM code |
| |
| - md4: Use the Curl_md4it() function for OpenSSL based NTLM |
| |
| - md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code |
| |
| - md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code |
| |
| Jay Satiro (4 Aug 2019) |
| - OS400: Add CURLOPT_H3 symbols |
| |
| Follow-up to 3af0e76 which added experimental H3 support. |
| |
| Closes https://github.com/curl/curl/pull/4185 |
| |
| Daniel Stenberg (3 Aug 2019) |
| - url: make use of new HTTP version if alt-svc has one |
| |
| - url: set conn->transport to default TCP at init time |
| |
| - altsvc: with quiche, use the quiche h3 alpn string |
| |
| Closes #4183 |
| |
| - alt-svc: more liberal ALPN name parsing |
| |
| Allow pretty much anything to be part of the ALPN identifier. In |
| particular minus, which is used for "h3-20" (in-progress HTTP/3 |
| versions) etc. |
| |
| Updated test 356. |
| Closes #4182 |
| |
| - quiche: use the proper HTTP/3 ALPN |
| |
| - quiche: add failf() calls for two error cases |
| |
| To aid debugging |
| |
| Closes #4181 |
| |
| - mailmap: added Kyohei Kadota |
| |
| Kamil Dudka (1 Aug 2019) |
| - http_negotiate: improve handling of gss_init_sec_context() failures |
| |
| If HTTPAUTH_GSSNEGOTIATE was used for a POST request and |
| gss_init_sec_context() failed, the POST request was sent |
| with empty body. This commit also restores the original |
| behavior of `curl --fail --negotiate`, which was changed |
| by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. |
| |
| Add regression tests 2077 and 2078 to cover this. |
| |
| Fixes #3992 |
| Closes #4171 |
| |
| Daniel Stenberg (1 Aug 2019) |
| - mailmap: added 4 more names |
| |
| Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli |
| |
| - mailmap: add Giorgos Oikonomou |
| |
| - src/makefile: fix uncompressed hugehelp.c generation |
| |
| Regression from 5cf5d57ab9 (7.64.1) |
| |
| Fixed-by: Lance Ware |
| Fixes #4176 |
| Closes #4177 |
| |
| - appveyor: pass on -k to make |
| |
| - timediff: make it 64 bit (if possible) even with 32 bit time_t |
| |
| ... to make it hold microseconds too. |
| |
| Fixes #4165 |
| Closes #4168 |
| |
| - ROADMAP: parallel transfers are merged now |
| |
| - getenv: support up to 4K environment variable contents on windows |
| |
| Reported-by: Michal Čaplygin |
| Fixes #4174 |
| Closes #4175 |
| |
| - [Kyohei Kadota brought this change] |
| |
| plan9: add support for running on Plan 9 |
| |
| Closes #3701 |
| |
| - [Kyohei Kadota brought this change] |
| |
| ntlm: explicit type casting |
| |
| - [Justin brought this change] |
| |
| curl.h: fix outdated comment |
| |
| Closes #4167 |
| |
| - curl: remove outdated comment |
| |
| Turned bad with commit b8894085000 |
| |
| Reported-by: niallor on github |
| Fixes #4172 |
| Closes #4173 |
| |
| - cleanup: remove the 'numsocks' argument used in many places |
| |
| It was used (intended) to pass in the size of the 'socks' array that is |
| also passed to these functions, but was rarely actually checked/used and |
| the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries |
| that should be used instead. |
| |
| Closes #4169 |
| |
| - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp |
| |
| Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) |
| |
| Reported-by: Jonathan Cardoso Machado |
| Assisted-by: Jay Satiro |
| |
| Fixes #4136 |
| Closes #4162 |
| |
| - mailmap: Amit Katyal |
| |
| - asyn-thread: removed unused variable |
| |
| Follow-up to eb9a604f. Mistake caused by me when I edited the commit |
| before push... |
| |
| - RELEASE-NOTES: synced |
| |
| - [Amit Katyal brought this change] |
| |
| asyn-thread: create a socketpair to wait on |
| |
| Closes #4157 |
| |
| - curl: cap the maximum allowed values for retry time arguments |
| |
| ... to avoid integer overflows later when multiplying with 1000 to |
| convert seconds to milliseconds. |
| |
| Added test 1269 to verify. |
| |
| Reported-by: Jason Lee |
| Closes #4166 |
| |
| - progress: reset download/uploaded counter |
| |
| ... to make CURLOPT_MAX_RECV_SPEED_LARGE and |
| CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that |
| reuse the same handle. |
| |
| Fixed-by: Ironbars13 on github |
| Fixes #4084 |
| Closes #4161 |
| |
| - http2_recv: trigger another read when the last data is returned |
| |
| ... so that end-of-stream is detected properly. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4043 |
| Closes #4160 |
| |
| - curl: avoid unnecessary libcurl timeouts (in parallel mode) |
| |
| When curl_multi_wait() returns OK without file descriptors to wait for, |
| it might already have done a long timeout. |
| |
| Closes #4159 |
| |
| - [Balazs Kovacsics brought this change] |
| |
| HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown |
| |
| If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, |
| automatically add a Transfer-Encoding: chunked header, same as it is |
| already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update |
| test 1514 according to the new behaviour. |
| |
| Closes #4138 |
| |
| Jay Satiro (29 Jul 2019) |
| - [Daniel Stenberg brought this change] |
| |
| winbuild: add vquic to list of build directories |
| |
| This fixes the winbuild build method which broke several days ago |
| when experimental quic support was added in 3af0e76. |
| |
| Reported-by: Michael Lee |
| |
| Fixes https://github.com/curl/curl/issues/4158 |
| |
| - easy: resize receive buffer on easy handle reset |
| |
| - In curl_easy_reset attempt to resize the receive buffer to its default |
| size. If realloc fails then continue using the previous size. |
| |
| Prior to this change curl_easy_reset did not properly handle resetting |
| the receive buffer (data->state.buffer). It reset the variable holding |
| its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) |
| but then did not actually resize the buffer. If a user resized the |
| buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the |
| default, later called curl_easy_reset and attempted to reuse the handle |
| then a heap overflow would very likely occur during that handle's next |
| transfer. |
| |
| Reported-by: Felix Hädicke |
| |
| Fixes https://github.com/curl/curl/issues/4143 |
| Closes https://github.com/curl/curl/pull/4145 |
| |
| - [Brad Spencer brought this change] |
| |
| examples: Avoid reserved names in hiperfifo examples |
| |
| - Trade in __attribute__((unused)) for the classic (void)x to silence |
| unused symbols. |
| |
| Because the classic way is not gcc specific. Also because the prior |
| method mapped to symbol _Unused, which starts with _ and a capital |
| letter which is reserved. |
| |
| Assisted-by: The Infinnovation team |
| |
| Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 |
| |
| Closes https://github.com/curl/curl/pull/4153 |
| |
| Daniel Stenberg (25 Jul 2019) |
| - RELEASE-NOTES: synced |
| |
| - [Felix Hädicke brought this change] |
| |
| ssh-libssh: do not specify O_APPEND when not in append mode |
| |
| Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not |
| make much sense. And this combination of flags is not accepted by all |
| SFTP servers (at least not Apache SSHD). |
| |
| Fixes #4147 |
| Closes #4148 |
| |
| - [Gergely Nagy brought this change] |
| |
| multi: call detach_connection before Curl_disconnect |
| |
| Curl_disconnect bails out if conn->easyq is not empty, detach_connection |
| needs to be called first to remove the current easy from the queue. |
| |
| Fixes #4144 |
| Closes #4151 |
| |
| Jay Satiro (23 Jul 2019) |
| - tool_operate: fix implicit call to easysrc_cleanup |
| |
| easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not |
| defined, and prior to this change would be called regardless. |
| |
| Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 |
| Reported-by: Marcel Raad |
| |
| Closes https://github.com/curl/curl/pull/4142 |
| |
| Daniel Stenberg (22 Jul 2019) |
| - curl:create_transfers check return code from curl_easy_setopt |
| |
| From commit b8894085 |
| |
| Pointed out by Coverity CID 1451703 |
| |
| Closes #4134 |
| |
| - HTTP3: initial (experimental) support |
| |
| Use configure --with-ngtcp2 or --with-quiche |
| |
| Using either option will enable a HTTP3 build. |
| Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> |
| |
| Closes #3500 |
| |
| - curl: remove dead code |
| |
| The loop never loops (since b889408500), pointed out by Coverity (CID |
| 1451702) |
| |
| Closes #4133 |
| |
| - docs/PARALLEL-TRANSFERS: correct the version number |
| |
| - docs/PARALLEL-TRANSFERS: added |
| |
| - curl: support parallel transfers |
| |
| This is done by making sure each individual transfer is first added to a |
| linked list as then they can be performed serially, or at will, in |
| parallel. |
| |
| Closes #3804 |
| |
| - docs/MANUAL.md: converted to markdown from plain text |
| |
| ... will make it render as a nicer web page. |
| |
| Closes #4131 |
| |
| - curl_version_info: provide nghttp2 details |
| |
| Introducing CURLVERSION_SIXTH with nghttp2 info. |
| |
| Closes #4121 |
| |
| - bump: start working on 7.66.0 |
| |
| - source: remove names from source comments |
| |
| Several reasons: |
| |
| - we can't add everyone who's helping out so it's unfair to just a few |
| selected ones. |
| - we already list all helpers in THANKS and in RELEASE-NOTES for each |
| release |
| - we don't want to give the impression that some parts of the code are |
| "owned" or "controlled" by specific persons |
| |
| Assisted-by: Daniel Gustafsson |
| Closes #4129 |
| |
| Version 7.65.3 (19 Jul 2019) |
| |
| Daniel Stenberg (19 Jul 2019) |
| - RELEASE-NOTES: 7.65.3 |
| |
| - THANKS: 7.65.3 status |
| |
| - progress: make the progress meter appear again |
| |
| Fix regression caused by 21080e1 |
| |
| Reported-by: Chih-Hsuan Yen |
| Fixes #4122 |
| Closes #4124 |
| |
| - version: bump to 7.65.3 |
| |
| - RELEASE-NOTES: Contributors are now 1990 |
| |
| Version 7.65.2 (17 Jul 2019) |
| |
| Daniel Stenberg (17 Jul 2019) |
| - RELEASE-NOTES: 7.65.2 |
| |
| - THANKS: add contributors from 7.65.2 |
| |
| Jay Satiro (17 Jul 2019) |
| - [aasivov brought this change] |
| |
| cmake: Fix finding Brotli on case-sensitive file systems |
| |
| - Find package "Brotli" instead of "BROTLI" since the former is the |
| casing used for CMake/FindBrotli.cmake, and otherwise find_package |
| may fail on a case-sensitive file system. |
| |
| Fixes https://github.com/curl/curl/issues/4117 |
| |
| - CURLOPT_RANGE.3: Caution against using it for HTTP PUT |
| |
| AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've |
| cautioned against using it for that purpose and included a workaround. |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html |
| Reported-by: Christopher Head |
| |
| Closes https://github.com/curl/curl/issues/3814 |
| |
| - [Stefano Simonelli brought this change] |
| |
| CURLOPT_SEEKDATA.3: fix variable name |
| |
| Closes https://github.com/curl/curl/pull/4118 |
| |
| - [Giorgos Oikonomou brought this change] |
| |
| CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH |
| |
| If the SSL backend is Schannel and the user specifies an Schannel CALG_ |
| that is not supported by the protocol or the server then curl returns |
| CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. |
| |
| Fixes https://github.com/curl/curl/issues/3389 |
| Closes https://github.com/curl/curl/pull/4106 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| nss: inspect return value of token check |
| |
| PK11_IsPresent() checks whether the token for the given slot is available, |
| and sets needlogin flags for the PK11_Authenticate() call. Should it |
| return false, we should however treat it as an error and bail out. |
| |
| Closes https://github.com/curl/curl/pull/4110 |
| |
| - docs: Explain behavior change in --tlsv1. options since 7.54 |
| |
| Since 7.54 --tlsv1. options use the specified version or later, however |
| older versions of curl documented it as using just the specified version |
| which may or may not have happened depending on the TLS library. |
| Document this discrepancy to allay confusion for users familiar with the |
| old documentation that expect just the specified version. |
| |
| Fixes https://github.com/curl/curl/issues/4097 |
| Closes https://github.com/curl/curl/pull/4119 |
| |
| - libcurl: Restrict redirect schemes (follow-up) |
| |
| - Allow FTPS on redirect. |
| |
| - Update default allowed redirect protocols in documentation. |
| |
| Follow-up to 6080ea0. |
| |
| Ref: https://github.com/curl/curl/pull/4094 |
| |
| Closes https://github.com/curl/curl/pull/4115 |
| |
| Daniel Stenberg (16 Jul 2019) |
| - test1173: make it also check all libcurl option man pages |
| |
| ... and adjust those that cause errors |
| |
| Closes #4116 |
| |
| - curl: only accept COLUMNS less than 10000 |
| |
| ... as larger values would rather indicate something silly (and could |
| potentially cause buffer problems). |
| |
| Reported-by: pendrek at hackerone |
| Closes #4114 |
| |
| - dist: add manpage-syntax.pl |
| |
| follow-up to 7fb66c403 |
| |
| - test1173: detect some basic man page format mistakes |
| |
| Triggered by PR #4111 |
| |
| Closes #4113 |
| |
| Jay Satiro (15 Jul 2019) |
| - [Bjarni Ingi Gislason brought this change] |
| |
| docs: Fix missing lines caused by undefined macros |
| |
| - Escape apostrophes at line start. |
| |
| Some lines begin with a "'" (apostrophe, single quote), which is then |
| interpreted as a control character in *roff. |
| |
| Such lines are interpreted as being a call to a macro, and if |
| undefined, the lines are removed from the output. |
| |
| Bug: https://bugs.debian.org/926352 |
| Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is> |
| |
| Submitted-by: Alessandro Ghedini |
| |
| Closes https://github.com/curl/curl/pull/4111 |
| |
| Daniel Stenberg (14 Jul 2019) |
| - libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults |
| |
| follow-up to 6080ea098 |
| |
| - [Linos Giannopoulos brought this change] |
| |
| libcurl: Add testcase for gopher redirects |
| |
| The testcase ensures that redirects to CURLPROTO_GOPHER won't be |
| allowed, by default, in the future. Also, curl is being used |
| for convenience while keeping the testcases DRY. |
| |
| The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is |
| redirected to CURLPROTO_GOPHER |
| |
| Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> |
| |
| - [Linos Giannopoulos brought this change] |
| |
| libcurl: Restrict redirect schemes |
| |
| All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS |
| counterpart were allowed for redirect. This vastly broadens the |
| exploitation surface in case of a vulnerability such as SSRF [1], where |
| libcurl-based clients are forced to make requests to arbitrary hosts. |
| |
| For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based |
| protocol by URL-encoding a payload in the URI. Gopher will open a TCP |
| connection and send the payload. |
| |
| Only HTTP/HTTPS and FTP are allowed. All other protocols have to be |
| explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. |
| |
| [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ |
| |
| Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> |
| |
| Closes #4094 |
| |
| - [Zenju brought this change] |
| |
| openssl: define HAVE_SSL_GET_SHUTDOWN based on version number |
| |
| Closes #4100 |
| |
| - [Peter Simonyi brought this change] |
| |
| http: allow overriding timecond with custom header |
| |
| With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. |
| If-Modified-Since). Allow this to be replaced or suppressed with |
| CURLOPT_HTTPHEADER. |
| |
| Fixes #4103 |
| Closes #4109 |
| |
| Jay Satiro (11 Jul 2019) |
| - [Juergen Hoetzel brought this change] |
| |
| smb: Use the correct error code for access denied on file open |
| |
| - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. |
| |
| Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. |
| |
| Closes https://github.com/curl/curl/pull/4095 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| DEPRECATE: fixup versions and spelling |
| |
| Correctly set the July 17 version to 7.65.2, and update spelling to |
| be consistent. Also fix a typo. |
| |
| Closes https://github.com/curl/curl/pull/4107 |
| |
| - [Gisle Vanem brought this change] |
| |
| system_win32: fix clang warning |
| |
| - Declare variable in header as extern. |
| |
| Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 |
| |
| Daniel Gustafsson (10 Jul 2019) |
| - headers: Remove no longer exported functions |
| |
| There were a leftover few prototypes of Curl_ functions that we used to |
| export but no longer do, this removes those prototypes and cleans up any |
| comments still referring to them. |
| |
| Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() |
| Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() |
| were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. |
| Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. |
| |
| For the remainder, I didn't trawl the Git logs hard enough to capture |
| their exact time of deletion, but they were all gone: Curl_splayprint(), |
| Curl_http2_send_request(), Curl_global_host_cache_dtor(), |
| Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), |
| Curl_http_auth_stage() and Curl_close_connections(). |
| |
| Closes #4096 |
| Reviewed-by: Daniel Stenberg <daniel@haxx.se> |
| |
| - CMake: fix typos and spelling |
| |
| - [Kyle Edwards brought this change] |
| |
| CMake: Convert errant elseif() to else() |
| |
| CMake interprets an elseif() with no arguments as elseif(FALSE), |
| resulting in the elseif() block not being executed. That is not what |
| was intended here. Change the empty elseif() to an else() as it was |
| intended. |
| |
| Closes #4101 |
| Reported-by: Artalus <artalus-mail@yandex.ru> |
| Reviewed-by: Daniel Gustafsson <daniel@yesql.se> |
| |
| - buildconf: fix header filename |
| |
| The header file inclusion had a typo, it should be .h and not .hd. |
| Fix by renaming. |
| |
| Fixes #4102 |
| Reported-by: AceCrow on Github |
| |
| - [Jan Chren brought this change] |
| |
| configure: fix --disable-code-coverage |
| |
| This fixes the case when --disable-code-coverage supplied to ./configure |
| would result in coverage="yes" being set. |
| |
| Closes #4099 |
| Reviewed-by: Daniel Gustafsson <daniel@yesql.se> |
| |
| - cleanup: fix typo in comment |
| |
| - RELEASE-NOTES: synced |
| |
| Jay Satiro (6 Jul 2019) |
| - [Daniel Gustafsson brought this change] |
| |
| nss: support using libnss on macOS |
| |
| The file suffix for dynamically loadable objects on macOS is .dylib, |
| which needs to be added for the module definitions in order to get the |
| NSS TLS backend to work properly on macOS. |
| |
| Closes https://github.com/curl/curl/pull/4046 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| nss: don't set unused parameter |
| |
| The value of the maxPTDs parameter to PR_Init() has since at least |
| NSPR 2.1, which was released sometime in 1998, been marked ignored |
| and is accordingly not used in the initialization code. Setting it |
| to a value when calling PR_Init() is thus benign, but indicates an |
| intent which may be misleading. Reset the value to zero to improve |
| clarity. |
| |
| Closes https://github.com/curl/curl/pull/4054 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| nss: only cache valid CRL entries |
| |
| Change the logic around such that we only keep CRLs that NSS actually |
| ended up caching around for later deletion. If CERT_CacheCRL() fails |
| then there is little point in delaying the freeing of the CRL as it |
| is not used. |
| |
| Closes https://github.com/curl/curl/pull/4053 |
| |
| - [Gergely Nagy brought this change] |
| |
| lib: Use UTF-8 encoding in comments |
| |
| Some editors and IDEs assume that source files use UTF-8 file encodings. |
| It also fixes the build with MSVC when /utf-8 command line option is |
| used (this option is mandatory for some other open-source projects, this |
| is useful when using the same options is desired for building all |
| libraries of a project). |
| |
| Closes https://github.com/curl/curl/pull/4087 |
| |
| - [Caleb Raitto brought this change] |
| |
| CURLOPT_HEADEROPT.3: Fix example |
| |
| Fix an issue where example builds a curl_slist, but fails to actually |
| use it, or free it. |
| |
| Closes https://github.com/curl/curl/pull/4090 |
| |
| - [Shankar Jadhavar brought this change] |
| |
| winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG |
| |
| - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. |
| |
| - Also removed some ^M chars from file. |
| |
| Prior to this change while building on Windows platform even if we pass |
| the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does |
| not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. |
| |
| Closes https://github.com/curl/curl/pull/4086 |
| |
| Daniel Stenberg (4 Jul 2019) |
| - doh-url.d: added in 7.62.0 |
| |
| Jay Satiro (30 Jun 2019) |
| - docs: Fix links to OpenSSL docs |
| |
| OpenSSL changed their manual locations and does not redirect to the new |
| locations. |
| |
| Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html |
| Reported-by: Daniel Stenberg |
| |
| Daniel Stenberg (26 Jun 2019) |
| - [Gaël PORTAY brought this change] |
| |
| curl_multi_wait.3: escape backslash in example |
| |
| The backslash in the character Line Feed must be escaped. |
| |
| The current man-page outputs the code as follows: |
| |
| fprintf(stderr, "curl_multi failed, code %d.0, mc); |
| |
| The commit fixes it as follows: |
| |
| fprintf(stderr, "curl_multi failed, code %d\n", mc); |
| |
| Closes #4079 |
| |
| - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined |
| |
| ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is |
| built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for |
| UWP (with "VC-WIN32-UWP"). |
| |
| Reported-by: Vasily Lobaskin |
| Fixes #4073 |
| Closes #4077 |
| |
| - test1521: adapt to SLISTPOINT |
| |
| The header now has the slist-using options marked as SLISTPOINT so this |
| makes sure test 1521 understands that. |
| |
| Follow-up to ae99b4de1c443ae989 |
| |
| Closes #4074 |
| |
| - win32: make DLL loading a no-op for UWP |
| |
| Reported-by: Michael Brehm |
| Fixes #4060 |
| Closes #4072 |
| |
| - [1ocalhost brought this change] |
| |
| configure: fix typo '--disable-http-uath' |
| |
| Closes #4076 |
| |
| - [Niklas Hambüchen brought this change] |
| |
| docs: fix string suggesting HTTP/2 is not the default |
| |
| Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the |
| man page that new default is mentioned, but the section at the top |
| contradicted it until now. |
| |
| Also remove claim that setting the HTTP version is not sensible. |
| |
| Closes #4075 |
| |
| - RELEASE-NOTES: synced |
| |
| - [Stephan Szabo brought this change] |
| |
| tests: update fixed IP for hostip/clientip split |
| |
| These tests give differences for me on linux when using a hostip |
| pointing to the external ip address for the local machine. |
| |
| Closes #4070 |
| |
| Daniel Gustafsson (24 Jun 2019) |
| - http: clarify header buffer size calculation |
| |
| The header buffer size calculation can from static analysis seem to |
| overflow as it performs an addition between two size_t variables and |
| stores the result in a size_t variable. Overflow is however guarded |
| against elsewhere since the input to the addition is regulated by |
| the maximum read buffer size. Clarify this with a comment since the |
| question was asked. |
| |
| Reviewed-by: Daniel Stenberg <daniel@haxx.se> |
| |
| Daniel Stenberg (24 Jun 2019) |
| - KNOWN_BUGS: Don't clear digest for single realm |
| |
| Closes #3267 |
| |
| - KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname |
| |
| Closes #3284 |
| |
| - http2: call done_sending on end of upload |
| |
| To make sure a HTTP/2 stream registers the end of stream. |
| |
| Bug #4043 made me find this problem but this fix doesn't correct the |
| reported issue. |
| |
| Closes #4068 |
| |
| - [James Brown brought this change] |
| |
| c-ares: honor port numbers in CURLOPT_DNS_SERVERS |
| |
| By using ares_set_servers_ports_csv on new enough c-ares. |
| |
| Fixes #4066 |
| Closes #4067 |
| |
| Daniel Gustafsson (24 Jun 2019) |
| - CURLMOPT_SOCKETFUNCTION.3: fix typo |
| |
| Daniel Stenberg (24 Jun 2019) |
| - [Koen Dergent brought this change] |
| |
| curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds |
| |
| Closes #4061 |
| |
| - test153: fix content-length to avoid occasional hang |
| |
| Closes #4065 |
| |
| - RELEASE-NOTES: synced |
| |
| - multi: enable multiplexing by default (again) |
| |
| It was originally made default in d7c4213bd0c (7.62.0) but mistakenly |
| reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. |
| |
| Closes #4051 |
| |
| - typecheck: add 3 missing strings and a callback data pointer |
| |
| Closes #4050 |
| |
| - tests: add disable-scan.pl to dist |
| |
| follow-up from 29177f422a5 |
| |
| Closes #4059 |
| |
| - http2: don't call stream-close on already closed streams |
| |
| Closes #4055 |
| |
| Marcel Raad (20 Jun 2019) |
| - travis: enable alt-svc for coverage build |
| |
| Closes |
| |
| - travis: enable libssh2 for coverage build |
| |
| It was enabled by default before commit c92d2e14cfb. |
| |
| Disable torture tests 600 and 601 because of |
| https://github.com/curl/curl/issues/1678. |
| |
| Closes |
| |
| - travis: disable threaded resolver for coverage build |
| |
| This enables more tests. |
| |
| Closes |
| |
| - travis: enable brotli for all xenial jobs |
| |
| There's no need for a separate job, and no need to build it from source |
| with Xenial. |
| |
| Closes |
| |
| - travis: enable warnings-as-errors for coverage build |
| |
| Closes |
| |
| GitHub (20 Jun 2019) |
| - [Gisle Vanem brought this change] |
| |
| system_win32: fix typo |
| |
| Daniel Stenberg (20 Jun 2019) |
| - typecheck: CURLOPT_CONNECT_TO takes an slist too |
| |
| Additionally, add an alias in curl.h for slist-using options so that |
| we can grep/parse those out at will. |
| |
| Closes #4042 |
| |
| - [Stephan Szabo brought this change] |
| |
| tests: support non-localhost HOSTIP for dict/smb servers |
| |
| smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for |
| binding the server which when we were running the tests with a separate |
| HOSTIP and CLIENTIP had failures verifying the server from the device we |
| were testing. |
| |
| This changes them to take the address from runtests.py and default to |
| localhost/127.0.0.1 if none is given. |
| |
| Closes #4048 |
| |
| - test1523: basic test of CURLOPT_LOW_SPEED_LIMIT |
| |
| - configure: --disable-progress-meter |
| |
| Builds libcurl without support for the built-in progress meter. |
| |
| Closes #4023 |
| |
| - curl: improved skip-setopt-options when built with disabled features |
| |
| Reduces #ifdefs in src/tool_operate.c |
| |
| Follow-up from 4e86f2fc4e6 |
| Closes #3936 |
| |
| Steve Holme (18 Jun 2019) |
| - netrc: Return the correct error code when out of memory |
| |
| Introduced in 763c5178. |
| |
| Closes #4036 |
| |
| Daniel Stenberg (18 Jun 2019) |
| - config-os400: add getpeername and getsockname defines |
| |
| Reported-by: jonrumsey on github |
| Fixes #4037 |
| Closes #4039 |
| |
| - runtests: keep logfiles around by default |
| |
| Make '-k' a no-op. The singletest function now clears the log directory |
| BEFORE each individual test and not after, which makes it possible to |
| always keep the logfiles around after a test has been run. No need to |
| specify -k anymore. Keeping the option parsing around to work with users |
| of old habits. |
| |
| Some tests also didn't work properly when -k was used (since the old |
| logs would be kept when a new test starts) which this change also fixes. |
| |
| Closes #4035 |
| |
| - [Gergely Nagy brought this change] |
| |
| openssl: fix pubkey/signature algorithm detection in certinfo |
| |
| Certinfo gives the same result for all OpenSSL versions. |
| Also made printing RSA pubkeys consistent with older versions. |
| |
| Reported-by: Michael Wallner |
| Fixes #3706 |
| Closes #4030 |
| |
| - conn_maxage: move the check to prune_dead_connections() |
| |
| ... and avoid the locking issue. |
| |
| Reported-by: Kunal Ekawde |
| Fixes #4029 |
| Closes #4032 |
| |
| - tests: have runtests figure out disabled features |
| |
| ... so that runtests can skip individual test cases that test features |
| that are explicitly disabled in this build. This new logic is intended |
| for disabled features that aren't otherwise easily visible through the |
| curl_version_info() or other API calls. |
| |
| tests/server/disabled is a newly built executable that will output a |
| list of disabled features. Outputs nothing for a default build. |
| |
| Closes #3950 |
| |
| - test188/189: fix Content-Length |
| |
| This cures the flaky test results |
| |
| Closes #4034 |
| |
| - [Thomas Gamper brought this change] |
| |
| winbuild: use WITH_PREFIX if given |
| |
| Closes #4031 |
| |
| Daniel Gustafsson (17 Jun 2019) |
| - openssl: remove outdated comment |
| |
| OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), |
| which is why we switched to CONF_modules_load_file() and introduced |
| a comment stating why. This behavior was however changed in OpenSSL |
| commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now |
| outdated and incorrect comment. The mentioned commit also declares |
| OPENSSL_config() deprecated so keep the current coding. |
| |
| Closes #4033 |
| Reviewed-by: Daniel Stenberg <daniel@haxx.se> |
| |
| Daniel Stenberg (16 Jun 2019) |
| - RELEASE-NOTES: synced |
| |
| Patrick Monnerat (16 Jun 2019) |
| - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. |
| |
| Use it in curl_easy_setopt_ccsid(). |
| |
| Reported-by: jonrumsey on github |
| Fixes #3833 |
| Closes #4028 |
| |
| Daniel Stenberg (15 Jun 2019) |
| - runtests: report single test time + total duration |
| |
| ... after each successful test. |
| |
| Closes #4027 |
| |
| - multi: fix the transfer hash function |
| |
| Follow-up from 8b987cc7eb |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4018 |
| Closes #4024 |
| |
| - unit1654: cleanup on memory failure |
| |
| ... to make it handle torture tests properly. |
| |
| Reported-by: Marcel Raad |
| Fixes #4021 |
| Closes #4022 |
| |
| Marcel Raad (13 Jun 2019) |
| - krb5: fix compiler warning |
| |
| Even though the variable was used in a DEBUGASSERT, GCC 8 warned in |
| debug mode: |
| krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] |
| |
| Just suppress the warning and declare the variable unconditionally |
| instead of only for DEBUGBUILD (which also missed the check for |
| HAVE_ASSERT_H). |
| |
| Closes https://github.com/curl/curl/pull/4020 |
| |
| Daniel Stenberg (13 Jun 2019) |
| - quote.d: asterisk prefix works for SFTP as well |
| |
| Reported-by: Ben Voris |
| Fixes #4017 |
| Closes #4019 |
| |
| - multi: fix the transfer hashes in the socket hash entries |
| |
| - The transfer hashes weren't using the correct keys so removing entries |
| failed. |
| |
| - Simplified the iteration logic over transfers sharing the same socket and |
| they now simply are set to expire and thus get handled in the "regular" |
| timer loop instead. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #4012 |
| Closes #4014 |
| |
| Jay Satiro (12 Jun 2019) |
| - [Cliff Crosland brought this change] |
| |
| url: Fix CURLOPT_MAXAGE_CONN time comparison |
| |
| Old connections are meant to expire from the connection cache after |
| CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x |
| that value. This occurs because a time value measured in milliseconds is |
| accidentally divided by 1M instead of by 1,000. |
| |
| Closes https://github.com/curl/curl/pull/4013 |
| |
| Daniel Stenberg (11 Jun 2019) |
| - test1165: verify that CURL_DISABLE_ symbols are in sync |
| |
| between configure.ac and source code. They should be possible to switch |
| on/off in configure AND be used in source code. |
| |
| - configure: remove CURL_DISABLE_TLS_SRP |
| |
| It isn't used by code so stop providing the define. |
| |
| Closes #4010 |
| |
| - Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" |
| |
| This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. |
| |
| Apparently several of the appveyor windows builds broke. |
| |
| - [sergey-raevskiy brought this change] |
| |
| cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified |
| |
| Reviewed-by: Jakub Zakrzewski |
| Closes #3770 |
| |
| - RELEASE-NOTES: synced |
| |
| - http2: remove CURL_DISABLE_TYPECHECK define |
| |
| ... in http2-less builds as it served no use. |
| |
| - configure: more --disable switches to toggle off individual features |
| |
| ... actual support in the code for disabling these has already landed. |
| |
| Closes #4009 |
| |
| - wolfssl: fix key pinning build error |
| |
| follow-up from deb9462ff2de8 |
| |
| - CURLMOPT_SOCKETFUNCTION.3: clarified |
| |
| Moved away the callback explanation from curl_multi_socket_action.3 and |
| expanded it somewhat. |
| |
| Closes #4006 |
| |
| - wolfssl: fixup for SNI use |
| |
| follow-up from deb9462ff2de8 |
| |
| Closes #4007 |
| |
| - CURLOPT_CAINFO.3: polished wording |
| |
| Clarify the functionality when built to use Schannel and Secure |
| Transport and stop calling it the "recommended" or "preferred" way and |
| instead rather call it the default. |
| |
| Removed the reference to the ssl comparison table as it isn't necessary. |
| |
| Reported-by: Richard Alcock |
| Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html |
| Closes #4005 |
| |
| GitHub (10 Jun 2019) |
| - [Daniel Stenberg brought this change] |
| |
| SECURITY.md: created |
| |
| Brief security policy description for use/display on github. |
| |
| Daniel Gustafsson (10 Jun 2019) |
| - tool_cb_prg: Fix integer overflow in progress bar |
| |
| Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar |
| width calculation to avoid integer overflow, but failed to account for |
| the fact that initial_size is initialized to -1 when the file size is |
| retrieved from the remote on an upload, causing another signed integer |
| overflow. Fix by separately checking for this case before the width |
| calculation. |
| |
| Closes #3984 |
| Reported-by: Brian Carpenter (Geeknik Labs) |
| Reviewed-by: Daniel Stenberg <daniel@haxx.se> |
| |
| Daniel Stenberg (10 Jun 2019) |
| - wolfssl: refer to it as wolfSSL only |
| |
| Remove support for, references to and use of "cyaSSL" from the source |
| and docs. wolfSSL is the current name and there's no point in keeping |
| references to ancient history. |
| |
| Assisted-by: Daniel Gustafsson |
| |
| Closes #3903 |
| |
| - RELEASE-NOTES: synced |
| |
| - bindlocal: detect and avoid IP version mismatches in bind() |
| |
| Reported-by: Alex Grebenschikov |
| Fixes #3993 |
| Closes #4002 |
| |
| - multi: make sure 'data' can be present in several sockhash entries |
| |
| Since more than one socket can be used by each transfer at a given time, |
| each sockhash entry now has its own hash table with transfers using that |
| socket. |
| |
| In addition, the sockhash entry can now be marked 'blocked = TRUE' |
| which then makes the delete function just set 'removed = TRUE' instead |
| of removing it "for real", as a way to not rip out the carpet under the |
| feet of a parent function that iterates over the transfers of that same |
| sockhash entry. |
| |
| Reported-by: Tom van der Woerdt |
| Fixes #3961 |
| Fixes #3986 |
| Fixes #3995 |
| Fixes #4004 |
| Closes #3997 |
| |
| - [Sorcus brought this change] |
| |
| libcurl-tutorial.3: Fix small typo (mutipart -> multipart) |
| |
| Fixed-by: MrSorcus on github |
| Closes #4000 |
| |
| - unpause: trigger a timeout for event-based transfers |
| |
| ... so that timeouts or other state machine actions get going again |
| after a changing pause state. For example, if the last delivery was |
| paused there's no pending socket activity. |
| |
| Reported-by: sstruchtrup on github |
| Fixes #3994 |
| Closes #4001 |
| |
| Marcel Raad (9 Jun 2019) |
| - travis: use xenial LLVM package for scan-build |
| |
| I missed that in commit 99a49d6. |
| |
| - travis: update scan-build job to xenial |
| |
| Closes https://github.com/curl/curl/pull/3999 |
| |
| Daniel Stenberg (8 Jun 2019) |
| - bump: start working on 7.65.2 |
| |
| Marcel Raad (5 Jun 2019) |
| - examples/htmltitle: use C++ casts between pointer types |
| |
| Compilers and static analyzers warn about using C-style casts here. |
| |
| Closes https://github.com/curl/curl/pull/3975 |
| |
| - examples/fopen: fix comparison |
| |
| As want is size_t, (file->buffer_pos - want) is unsigned, so checking |
| if it's less than zero makes no sense. |
| Check if file->buffer_pos is less than want instead to avoid the |
| unsigned integer wraparound. |
| |
| Closes https://github.com/curl/curl/pull/3975 |
| |
| - build: fix Codacy warnings |
| |
| Reduce variable scopes and remove redundant variable stores. |
| |
| Closes https://github.com/curl/curl/pull/3975 |
| |
| - sws: remove unused variables |
| |
| Unused since commit 2f44e94. |
| |
| Closes https://github.com/curl/curl/pull/3975 |
| |
| Version 7.65.1 (4 Jun 2019) |
| |
| Daniel Stenberg (4 Jun 2019) |
| - RELEASE-NOTES: 7.65.1 |
| |
| - THANKS: new contributors from 7.65.1 |
| |
| Steve Holme (4 Jun 2019) |
| - [Frank Gevaerts brought this change] |
| |
| ssl: Update outdated "openssl-only" comments for supported backends |
| |
| These are for features that used to be openssl-only but were expanded |
| over time to support other SSL backends. |
| |
| Closes #3985 |
| |
| Daniel Stenberg (4 Jun 2019) |
| - curl_share_setopt.3: improve wording [ci ship] |
| |
| Reported-by: Carlos ORyan |
| |
| Steve Holme (4 Jun 2019) |
| - tool_parsecfg: Use correct return type for GetModuleFileName() |
| |
| GetModuleFileName() returns a DWORD which is a typedef of an unsigned |
| long and not an int. |
| |
| Closes #3980 |
| |
| Daniel Stenberg (3 Jun 2019) |
| - TODO: "at least N milliseconds between requests" [ci skip] |
| |
| Suggested-by: dkwolfe4 on github |
| Closes #3920 |
| |
| Steve Holme (2 Jun 2019) |
| - tests/server/.gitignore: Add socksd to the ignore list |
| |
| Missed in 04fd6755. |
| |
| Closes #3978 |
| |
| - tool_parsecfg: Fix control flow issue (DEADCODE) |
| |
| Follow-up to 8144ba38. |
| |
| Detected by Coverity CID 1445663 |
| Closes #3976 |
| |
| Daniel Stenberg (2 Jun 2019) |
| - [Sergey Ogryzkov brought this change] |
| |
| NTLM: reset proxy "multipass" state when CONNECT request is done |
| |
| Closes #3972 |
| |
| - test334: verify HTTP 204 response with chunked coding header |
| |
| Verifies that a bodyless response doesn't parse this content-related |
| header. |
| |
| - [Michael Kaufmann brought this change] |
| |
| http: don't parse body-related headers for bodyless responses |
| |
| Responses with status codes 1xx, 204 or 304 don't have a response body. For |
| these, don't parse these headers: |
| |
| - Content-Encoding |
| - Content-Length |
| - Content-Range |
| - Last-Modified |
| - Transfer-Encoding |
| |
| This change ensures that HTTP/2 upgrades work even if a |
| "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. |
| |
| Co-authored-by: Daniel Stenberg |
| Closes #3702 |
| Fixes #3968 |
| Closes #3977 |
| |
| - tls13-docs: mention it is only for OpenSSL >= 1.1.1 |
| |
| Reported-by: Jay Satiro |
| Co-authored-by: Jay Satiro |
| Fixes #3938 |
| Closes #3946 |
| |
| - dump-header.d: spell out that no headers == empty file [ci skip] |
| |
| Reported-by: wesinator at github |
| Fixes #3964 |
| Closes #3974 |
| |
| - singlesocket: use separate variable for inner loop |
| |
| An inner loop within the singlesocket() function wrongly re-used the |
| variable for the outer loop which then could cause an infinite |
| loop. Change to using a separate variable! |
| |
|