diff --git a/Changelog-NG.txt b/Changelog-NG.txt
index 768d3328471..780491e1a15 100644
--- a/Changelog-NG.txt
+++ b/Changelog-NG.txt
@@ -1,6 +1,95 @@ Asuswrt-Merlin 384/NG Changelog =============================== +384.15 (8-Feb-2020) + The RT-AC87U and RT-AC3200 are not supported by this release, see + the 384.13_4 release released separately for these two models. + + - NEW: wan-event script. The first parameter will be the WAN unit + (0 for first WAN, 1 for secondary). The second parameter + will be a string describing the type of event (init, + connected, etc...). A wan-event of type "connected" will + be identical to when the original wan-start script was + being run (wan-start should be considered deprecated + and will be removed in a future release) + - NEW: Implemented an official API for addon developers to + better integrate with the router. This includes up + to ten different pages that can be added anywhere within + the webui, and a dedicated storage repository for your + settings, which can be interacted with through your + custom web page or through a shell script. + See the Wiki for more information: + + https://github.com/RMerl/asuswrt-merlin/wiki/Addons-API + + - NEW: amtm (Asuswrt-Merlin Terminal Menu) by thelonelycoder has + been added to the firmware. Running "amtm" over SSH will + give you a menu allowing you to select and install various + addons, such as Diversion (ad blocker) or SKynet (an + advanced firewall extension). The plugins for amtm are + still maintained by its original author (thelonelycoder). + + https://github.com/RMerl/asuswrt-merlin/wiki/AMTM + + - UPDATED: Backported some fixes from 384_81981, mostly related + to WAN, port bonding and mdns. + - UPDATED: Merged GPL 384_7756 for RT-AX88U, which adds OFDMA and + WPA3 support to that model. + - UPDATED: Merged with GPL 385_10002 for other models (from RT-AC68U) + - UPDATED: odhcp6c to 1.1-97-ge199804 (themiron) + - UPDATED: curl to 7.67.0. 
+ - UPDATED: openssl-1.0 to 1.0.2u + - UPDATED: dnsmasq to 2.80-114-ge40d8be (themiron) + - CHANGED: Replaced entware-setup.sh script with link to amtm, as + using the amtm Entware installer is now the supported + method. + - CHANGED: Improved connection handling in httpd (themiron) + - FIXED: Some of the newest DNSFilter servers weren't properly set + up with IPv6 (dave14305) + + +384.13_4 (8-Feb-2020) + This release is only available for the RT-AC87U and RT-AC3200. + + - NEW: wan-event script. The first parameter will be the WAN unit + (0 for first WAN, 1 for secondary). The second parameter + will be a string describing the type of event (init, + connected, etc...). A wan-event of type "connected" will + be identical to when the original wan-start script was + being run (wan-start should be considered deprecated + and will be removed in a future release) + - NEW: Implemented an official API for addon developers to + better integrate with the router. This includes up + to ten different pages that can be added anywhere within + the webui, and a dedicated storage repository for your + settings, which can be interacted with through your + custom web page or through a shell script. + See the Wiki for more information: + + https://github.com/RMerl/asuswrt-merlin/wiki/Addons-API + + - NEW: amtm (Asuswrt-Merlin Terminal Menu) by thelonelycoder has + been added to the firmware. Running "amtm" over SSH will + give you a menu allowing you to select and install various + addons, such as Diversion (ad blocker) or SKynet (an + advanced firewall extension). The plugins for amtm are + still maintained by its original author (thelonelycoder). + + https://github.com/RMerl/asuswrt-merlin/wiki/AMTM + + - UPDATED: odhcp6c to 1.1-97-ge199804 (themiron) + - UPDATED: openssl-1.0 to 1.0.2u + - UPDATED: curl to 7.67.0. + - UPDATED: OpenVPN to 2.4.8. 
+ - UPDATED: dnsmasq to 2.80-114-ge40d8be (themiron) + - CHANGED: Replaced entware-setup.sh script with link to amtm, as + using the amtm Entware installer is now the supported + method. + - CHANGED: Improved connection handling in httpd (themiron) + - FIXED: Some of the newest DNSFilter servers weren't properly set + up with IPv6 (dave14305) + + 384.14_2 (1-1-2020) - FIXED: Missing cifs kernel module - FIXED: stubby was linked with OpenSSL 1.0 instead of 1.1 diff --git a/release/src-rt/Makefile b/release/src-rt/Makefile index c38efe4b74f..ee565231aeb 100755 --- a/release/src-rt/Makefile +++ b/release/src-rt/Makefile @@ -412,7 +412,7 @@ else endif @echo '#endif' >> router/shared/version.h endif - @echo '$(BUILD_NAME) $(SERIALNO)-$(EXTENDNO)$(BUILDREV) $(BUILD_TIME)' > router/shared/version + @echo '$(BUILD_NAME) $(SERIALNO)_$(EXTENDNO)$(BUILDREV) $(BUILD_TIME)' > router/shared/version @echo 'EXTENDNO=$(EXTENDNO)$(BUILDREV)' > router/extendno.conf rt_ver_ntools: @@ -1447,6 +1447,12 @@ define RouterOptions sed -i "/RTCONFIG_PUSH_EMAIL/d" $(1); \ echo "RTCONFIG_PUSH_EMAIL=y" >>$(1); \ fi; \ + if [ "$(AHS)" = "y" ]; then \ + sed -i "/RTCONFIG_AHS/d" $(1); \ + echo "RTCONFIG_AHS=y" >>$(1); \ + sed -i "/RTCONFIG_HTTPS/d" $(1); \ + echo "RTCONFIG_HTTPS=y" >>$(1); \ + fi; \ if [ "$(RSYSLOGD)" = "y" ]; then \ sed -i "/RTCONFIG_RSYSLOGD/d" $(1); \ echo "RTCONFIG_RSYSLOGD=y" >>$(1); \ diff --git a/release/src-rt/target.mak b/release/src-rt/target.mak index c1a97f7fe89..5ed0bbc121c 100644 --- a/release/src-rt/target.mak +++ b/release/src-rt/target.mak 
@@ -32,7 +32,7 @@ export RT-AC68U_BASE := IPV6SUPP=y HTTPS=y ARM=y BCM57=y AUTODICT=y BBEXTRAS=y U export RT-AC68U := $(RT-AC68U_BASE) FAKEHDR=y FORCE_SN=384 FORCE_EN=20000 export RT-AC68U += BUILD_NAME="RT-AC68U" NEWSSID_REV2=y DBLOG=y ETHOBD=y DWB=y UUPLUGIN=y BTM_11V=y \ - BCN_RPT=y INFO_EXAP=y RAST_NONMESH_KVONLY=y IPERF3=y + BCN_RPT=y INFO_EXAP=y RAST_NONMESH_KVONLY=y IPERF3=y AVBLCHAN=y FILEFLEX=y export DSL-AC68U-NONE := LOGO_LED=y LED_BTN=y REPEATER=y ROG=y export DSL-AC68U := $(filter-out $(DSL-AC68U-NONE),$(RT-AC68U_BASE)) diff --git a/release/src-rt/version.conf b/release/src-rt/version.conf index 993ee17901d..05971b80284 100644 --- a/release/src-rt/version.conf +++ b/release/src-rt/version.conf @@ -1,5 +1,5 @@ KERNEL_VER=3.0 FS_VER=0.4 -SERIALNO=384.14 -EXTENDNO=2 +SERIALNO=384.15 +EXTENDNO=0 RCNO=0 diff --git a/release/src/btools/libfoo.pl b/release/src/btools/libfoo.pl index acda2258b8b..d4e17dee334 100755 --- a/release/src/btools/libfoo.pl +++ b/release/src/btools/libfoo.pl @@ -489,6 +489,7 @@ sub genSO my @u = usersOf($name); if ((scalar(@used) == 0) && (scalar(@u) > 0)) { print "$name: WARNING: Library symbol is not used by anything, but linked by (@u). so keep it ...\n"; + $cmd .= " ". $arc; } elsif (scalar(@used) == 0) { print "$name: WARNING: Library is not used by anything, deleting...\n"; @@ -496,7 +497,9 @@ sub genSO # <>; return 0; } + else { $cmd .= " -u " . join(" -u ", @used) . " ". $arc; + } print LOG "Command: $cmd\n"; print LOG "Used: ", join(",", @used), "\n"; diff --git a/release/src/router/Makefile b/release/src/router/Makefile index 2089e5abc2b..5ab2b9665b6 100644 --- a/release/src/router/Makefile +++ b/release/src/router/Makefile @@ -11,6 +11,7 @@ # # + export HND_ROUTER := $(shell pwd | sed 's/.*hnd.*/y/g') ifeq ($(HND_ROUTER),y) export BCM_CHIP := 4908 
@@ -719,6 +720,11 @@ obj-$(RTCONFIG_LETSENCRYPT) += socat #obj-$(RTCONFIG_SYSSTATE) += sysstate obj-y += sysstate +obj-$(RTCONFIG_AHS) += openssl +obj-$(RTCONFIG_AHS) += $(CURL) +obj-$(RTCONFIG_AHS) += json-c +obj-$(RTCONFIG_AHS) += ahs + obj-$(RTCONFIG_OPENVPN) += libvpn obj-y += rc @@ -855,12 +861,10 @@ obj-y += scsi-idle endif obj-y += libusb10 obj-y += libusb -obj-y += libusb-0.1.12 -ifeq ($(RTCONFIG_USB),y) ifneq ($(RTCONFIG_8M_SFP),y) obj-y += hub-ctrl endif -endif +obj-$(RTCONFIG_USB_PRINTER) += libusb-0.1.12 obj-$(RTCONFIG_USB_PRINTER) += u2ec obj-$(RTCONFIG_USB_PRINTER) += LPRng 
@@ -3265,36 +3269,37 @@ libupnp-1.3.1/Makefile: libupnp-1.3.1/Makefile.in $(CONFIGURE) --prefix=/usr --disable-dependency-tracking \ ) -libusb10/stamp-h1: - cd libusb10 && CFLAGS="-Os -Wall $(EXTRACFLAGS)" LIBS="-lpthread -ldl -lc $(EXTRALDFLAGS)" \ - $(CONFIGURE) --enable-shared --prefix=/usr ac_cv_lib_rt_clock_gettime=no - -@$(MAKE) -C libusb10 clean - touch $@ +libusb10/Makefile: + cd libusb10 && \ + $(CONFIGURE) --enable-shared --prefix=/usr --disable-udev \ + CFLAGS="-Os -Wall $(EXTRACFLAGS)" \ + LIBS="-lpthread -ldl -lc $(EXTRALDFLAGS)" \ + ac_cv_lib_rt_clock_gettime=no -libusb10: libusb10/stamp-h1 +libusb10: libusb10/Makefile $(MAKE) -C $@ libusb10-install: libusb10 - install -D libusb10/libusb/.libs/libusb-1.0.so.0.0.0 $(INSTALLDIR)/libusb10/usr/lib/libusb-1.0.so.0 + install -D libusb10/libusb/.libs/libusb-1.0.so.0.2.0 $(INSTALLDIR)/libusb10/usr/lib/libusb-1.0.so.0 $(STRIP) $(INSTALLDIR)/libusb10/usr/lib/*.so.* cd $(INSTALLDIR)/libusb10/usr/lib && \ - ln -sf libusb-1.0.so.0 libusb-1.0.so.0.0.0 && \ + ln -sf libusb-1.0.so.0 libusb-1.0.so.0.2.0 && \ ln -sf libusb-1.0.so.0 libusb-1.0.so libusb10-clean: - -@$(MAKE) -C libusb10 clean - @rm -f libusb10/stamp-h1 - -libusb/stamp-h1: - cd libusb && CFLAGS="-Wall -Os $(EXTRACFLAGS)" LIBS="-lpthread -ldl -lc $(EXTRALDFLAGS)" \ - $(CONFIGURE) --prefix=/usr \ + [ ! -f libusb10/Makefile ] || $(MAKE) -C libusb10 distclean + @rm -f libusb10/Makefile + +libusb/Makefile: + cd libusb && \ + $(CONFIGURE) --enable-shared --prefix=/usr \ + CFLAGS="-Os -Wall $(EXTRACFLAGS)" \ + LIBS="-lpthread -ldl -lc $(EXTRALDFLAGS)" \ LIBUSB_1_0_CFLAGS="-I$(TOP)/libusb10/libusb" \ LIBUSB_1_0_LIBS="-L$(TOP)/libusb10/libusb/.libs -lusb-1.0 \ -Wl,-R/lib:/usr/lib:/opt/usr/lib:/usr/local/share" - -@$(MAKE) -C libusb clean - touch $@ -libusb: libusb10 libusb/stamp-h1 +libusb: libusb10 libusb/Makefile $(MAKE) -C $@ libusb-install: libusb 
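Review bot: The rewritten `libusb/Makefile` rule still passes `-Wl,-R/lib:/usr/lib:/opt/usr/lib:/usr/local/share` in `LIBUSB_1_0_LIBS`, so whatever the `libusb` build links gets a run-time search path that reaches beyond `/lib` and `/usr/lib`. If `/opt/usr/lib` or `/usr/local/share` can sit on writable or removable storage on the target (not visible from this hunk), a dependency that is missing from the first two directories would be resolved from there. Since the rule is being rewritten anyway, either trim the option to `-Wl,-R/lib:/usr/lib` or add a comment above the rule recording which consumer needs the two extra directories.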
@@ -3305,8 +3310,8 @@ libusb-install: libusb ln -sf libusb-0.1.so.4 libusb.so libusb-clean: - -@$(MAKE) -C libusb clean - @rm -f libusb/stamp-h1 + [ ! -f libusb/Makefile ] || $(MAKE) -C libusb distclean + @rm -f libusb/Makefile usb-modeswitch-1.2.3: libusb $(MAKE) -C $@ CC=$(CC) CFLAGS="-Os $(EXTRACFLAGS) -I$(TOP)/libusb/libusb" LIBS="\ @@ -4735,6 +4740,19 @@ sysstate-install: echo "install sysstate" $(MAKE) -C sysstate install +ahs: openssl $(CURL) json-c + @$(SEP) + echo "build ahs" + $(MAKE) -C ahs + +ahs-clean: + echo "clean ahs" + $(MAKE) -C ahs clean + +ahs-install: + echo "install ahs" + $(MAKE) -C ahs install + qsr10g_image: aqr107_image: @@ -6890,28 +6908,25 @@ libical-2.0.0-install: ln -sf libicalvcal.so.2.0.0 libicalvcal.so.2 libconfuse/Makefile: - cd libconfuse && $(CONFIGURE) \ - CFLAGS="$(EXTRACFLAGS) -Os -I$(STAGEDIR)/usr/include -ffunction-sections -fdata-sections -fPIC" \ - LDFLAGS="$(LDFLAGS) -ffunction-sections -fdata-sections -Wl,--gc-sections" \ - --prefix=/usr --disable-shared \ - --without-libiconv-prefix --without-libintl-prefix --disable-examples --disable-nls + cd libconfuse && $(CONFIGURE) --prefix=/usr --disable-shared \ + --disable-examples --disable-nls \ + --without-libiconv-prefix --without-libintl-prefix \ + CFLAGS="-Wall -Os -ffunction-sections -fdata-sections -fPIC $(EXTRACFLAGS)" \ + LDFLAGS="-Wl,--gc-sections $(LDFLAGS)" -libconfuse: libiconv-1.14 libconfuse/Makefile - @$(SEP) - $(MAKE) -C $@ +libconfuse: libconfuse/Makefile + $(MAKE) -C $@ && $(MAKE) $@-stage libconfuse-install: - @$(SEP) # Do nothing + @true # install -D libconfuse/src/.libs/libconfuse.so.1.1.0 $(INSTALLDIR)/libconfuse/usr/lib/libconfuse.so.1.1.0 # cd $(INSTALLDIR)/libconfuse/usr/lib && \ # ln -sf libconfuse.so.1.1.0 libconfuse.so.1 &&\ # ln -sf libconfuse.so.1.1.0 libconfuse.so # $(STRIP) $(INSTALLDIR)/libconfuse/usr/lib/*.so.* - libconfuse-clean: - @$(SEP) [ ! -f libconfuse/Makefile ] || $(MAKE) -C libconfuse distclean @rm -f libconfuse/Makefile 
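Review bot: `libconfuse-install` is now just `@true`, but the five commented-out `install` / `ln -sf` / `$(STRIP)` lines for `libconfuse.so.1.1.0` are left underneath it. With `--disable-shared` on the configure line that shared object is never produced, so the block can only mislead. Replace it with a single comment such as `# static library only (--disable-shared): nothing to install on the target`. The `libconfuse` recipe also calls `$(MAKE) $@-stage`, and no `libconfuse-stage` rule is visible in this hunk, so it presumably relies on a rule defined elsewhere in the file.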
diff --git a/release/src/router/acme.sh/acme.sh b/release/src/router/acme.sh/acme.sh index befe0133155..455df4a6e7e 100644 --- a/release/src/router/acme.sh/acme.sh +++ b/release/src/router/acme.sh/acme.sh @@ -4002,7 +4002,7 @@ $_authorizations_map" fi if [ "$ACME_VERSION" = "2" ]; then - response="$(echo "$_authorizations_map" | grep "^$(_idn "$d")," | sed "s/$d,//")" + response="$(echo "$_authorizations_map" | grep -i "^$(_idn "$d")," | sed "s/$d,//i")" _debug2 "response" "$response" if [ -z "$response" ]; then _err "get to authz error." diff --git a/release/src/router/acsd_arm/prebuilt/acsd b/release/src/router/acsd_arm/prebuilt/acsd index a4841f23564..c2972ea33fd 100755 Binary files a/release/src/router/acsd_arm/prebuilt/acsd and b/release/src/router/acsd_arm/prebuilt/acsd differ diff --git a/release/src/router/config/config.in b/release/src/router/config/config.in index ed50e5304aa..3dce6323999 100644 --- a/release/src/router/config/config.in +++ b/release/src/router/config/config.in @@ -403,6 +403,10 @@ config RTCONFIG_SYSSTATE bool "Support additional debug logs" default n +config RTCONFIG_AHS + bool "Auto Healing System" + default n + config RTCONFIG_DUALWAN bool "Dual WAN Support" default n diff --git a/release/src/router/config_base b/release/src/router/config_base index b2ce000867c..70cebc2f997 100644 --- a/release/src/router/config_base +++ b/release/src/router/config_base @@ -422,6 +422,7 @@ RTCONFIG_DNSSEC_OPENSSL=y # RTCONFIG_MERLINUPDATE is not set # RTCONFIG_DNSFILTER is not set RTCONFIG_NTPD=y +# RTCONFIG_AHS is not set # RTCONFIG_LETSENCRYPT is not set # RTCONFIG_FBWIFI is not set # RTCONFIG_ADV_RAST is not set diff --git a/release/src/router/curl/CHANGES b/release/src/router/curl/CHANGES index 0047ab41ace..d35f5419987 100644 --- a/release/src/router/curl/CHANGES +++ b/release/src/router/curl/CHANGES 
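Review bot: The lookup is now case-insensitive, but `grep` searches for `$(_idn "$d")` while `sed` strips the raw `$d`, so whenever `_idn` returns something different from its input the domain prefix stays in `response`. Both patterns also interpolate the domain as an unescaped regular expression (each `.` matches any character) and the `sed` expression is unanchored, so the key comparison is looser than an exact host-name match in the step that selects the authorization entry. Computing the key once and anchoring the substitution removes the mismatch: `_d_idn="$(_idn "$d")"` followed by `response="$(echo "$_authorizations_map" | grep -i "^$_d_idn," | sed "s/^$_d_idn,//i")"`. The `i` flag on `s///` is not part of POSIX sed, so confirm that the sed shipped in the firmware accepts it. The enclosing function starts and ends outside this hunk.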
@@ -6,7620 +6,7094 @@ Changelog -Version 7.66.0 (10 Sep 2019) - -Daniel Stenberg (10 Sep 2019) -- RELEASE-NOTES: curl 7.66.0 +Version 7.67.0 (5 Nov 2019) -- THANKS: from the 7.66.0 release - -- curl: make sure the parallel transfers do them all - - The logic could erroneously break the loop too early before all - transfers had been transferred. +Daniel Stenberg (5 Nov 2019) +- RELEASE-NOTES: synced - Reported-by: Tom van der Woerdt - Fixes #4316 - Closes #4317 + The 7.67.0 release -- urlapi: one colon is enough for the strspn() input (typo) +- THANKS: add new names from 7.67.0 -- urlapi: verify the IPv6 numerical address +- configure: only say ipv6 enabled when the variable is set - It needs to parse correctly. Otherwise it could be tricked into letting - through a-f using host names that libcurl would then resolve. Like - '[ab.be]'. + Previously it could say "IPv6: enabled" at the end of the configure run + but the define wasn't set because of a missing getaddrinfo(). - Reported-by: Thomas Vegas - Closes #4315 - -- [Clément Notin brought this change] + Reported-by: Marcel Raad + Fixes #4555 + Closes #4560 - openssl: use SSL_CTX_set__proto_version() when available +Marcel Raad (2 Nov 2019) +- certs/Server-localhost-lastSAN-sv: regenerate with sha256 - OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use - when available. Existing code is preserved for older versions of - OpenSSL. + All other certificates were regenerated in commit ba782baac30, but + this one was missed. + Fixes test3001 on modern systems. 
- Closes #4304 + Closes https://github.com/curl/curl/pull/4551 -- [Clément Notin brought this change] +Daniel Stenberg (2 Nov 2019) +- [Vilhelm Prytz brought this change] - openssl: indent, re-organize and add comments + copyrights: update all copyright notices to 2019 on files changed this year + + Closes #4547 -- [migueljcrum brought this change] +- [Bastien Bouclet brought this change] - sspi: fix memory leaks + mbedtls: add error message for cert validity starting in the future - Closes #4299 - -- travis: disable ngtcp2 builds (again) + Closes #4552 -- Curl_fillreadbuffer: avoid double-free trailer buf on error +Jay Satiro (1 Nov 2019) +- schannel_verify: Fix concurrent openings of CA file - Reviewed-by: Jay Satiro - Reported-by: Thomas Vegas + - Open the CA file using FILE_SHARE_READ mode so that others can read + from it as well. - Closes #4307 - -- tool_setopt: handle a libcurl build without netrc support + Prior to this change our schannel code opened the CA file without + sharing which meant concurrent openings (eg an attempt from another + thread or process) would fail during the time it was open without + sharing, which in curl's case would cause error: + "schannel: failed to open CA file". - Reported-by: codesniffer13 on github - Fixes #4302 - Closes #4305 + Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html + Reported-by: Richard Alcock -- security:read_data fix bad realloc() +Daniel Stenberg (31 Oct 2019) +- gtls: make gnutls_bye() not wait for response on shutdown - ... that could end up a double-free + ... as it can make it wait there for a long time for no good purpose. 
- CVE-2019-5481 - Bug: https://curl.haxx.se/docs/CVE-2019-5481.html + Patched-by: Jay Satiro + Reported-by: Bylon2 on github + Adviced-by: Nikos Mavrogiannopoulos + + Fixes #4487 + Closes #4541 -- [Thomas Vegas brought this change] +- [Michał Janiszewski brought this change] - tftp: Alloc maximum blksize, and use default unless OACK is received + appveyor: publish artifacts on appveyor - Fixes potential buffer overflow from 'recvfrom()', should the server - return an OACK without blksize. + This allows obtaining upstream builds of curl directly from appveyor for + all the available configurations - Bug: https://curl.haxx.se/docs/CVE-2019-5482.html - CVE-2019-5482 - -- [Thomas Vegas brought this change] - - tftp: return error when packet is too small for options - -- KNOWN_BUGS/TODO: cleanup and remove outdated issues + Closes #4509 -- RELEASE-NOTES: synced - -- netrc: free 'home' on error +- url: make Curl_close() NULLify the pointer too - Follow-up to f9c7ba9096ec2 + This is the common pattern used in the code and by a unified approach we + avoid mistakes. - Coverity CID 1453474 + Closes #4534 + +- [Trivikram Kamat brought this change] + + INSTALL: add missing space for configure commands - Closes #4291 + Closes #4539 -- urldata: avoid 'generic', use dedicated pointers +- url: Curl_free_request_state() should also free doh handles - For the 'proto' union within the connectdata struct. + ... or risk DoH memory leaks. - Closes #4290 + Reported-by: Paul Dreik + Fixes #4463 + Closes #4527 -- cleanup: move functions out of url.c and make them static +- examples: remove the "this exact code has not been verified" - Closes #4289 + ... as really confuses the reader to not know what to believe! -- smtp: check for and bail out on too short EHLO response - - Otherwise, a three byte response would make the smtp_state_ehlo_resp() - function misbehave. 
+- [Trivikram Kamat brought this change] + + HTTP3: fix typo somehere1 > somewhere1 - Credit to OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/16918 + Closes #4535 + +Jay Satiro (28 Oct 2019) +- [Javier Blazquez brought this change] + + HTTP3: fix invalid use of sendto for connected UDP socket - Assisted-by: Max Dymond + On macOS/BSD, trying to call sendto on a connected UDP socket fails + with a EISCONN error. Because the singleipconnect has already called + connect on the socket when we're trying to use it for QUIC transfers + we need to use plain send instead. - Closes #4287 + Fixes #4529 + Closes https://github.com/curl/curl/pull/4533 -- smb: init *msg to NULL in smb_send_and_recv() +Daniel Stenberg (28 Oct 2019) +- RELEASE-NOTES: synced + +- [Javier Blazquez brought this change] + + HTTP3: fix Windows build - ... it might otherwise return OK from this function leaving that pointer - uninitialized. + The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv + in order to perform nonblocking operations. On Windows this flag does + not exist. Instead, the socket must be set to nonblocking mode via + ioctlsocket. - Bug: https://crbug.com/oss-fuzz/16907 + This change sets the nonblocking flag on UDP sockets used for QUIC on + all platforms so the use of MSG_DONTWAIT is not needed. - Closes #4286 + Fixes #4531 + Closes #4532 -- ROADMAP: updated after recent user poll +Marcel Raad (27 Oct 2019) +- appveyor: add --disable-proxy autotools build - In rough prio order - -- THANKS: remove duplicate + This would have caught issue #3926. + + Also make formatting more consistent. + + Closes https://github.com/curl/curl/pull/4526 -- Curl_addr2string: take an addrlen argument too +Daniel Stenberg (25 Oct 2019) +- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 - This allows the function to figure out if a unix domain socket has a - file name or not associated with it! 
When a socket is created with - socketpair(), as done in the fuzzer testing, the path struct member is - uninitialized and must not be accessed. + ... and invoke "curl -V" once done - Bug: https://crbug.com/oss-fuzz/16699 + Co-Authored-By: Jay Satiro - Closes #4283 - -- [Rolf Eike Beer brought this change] + Closes #4523 - CMake: remove needless newlines at end of gss variables +- [Francois Rivard brought this change] -- [Rolf Eike Beer brought this change] + schannel: reverse the order of certinfo insertions + + Fixes #4518 + Closes #4519 - CI: remove duplicate configure flag for LGTM.com +Marcel Raad (24 Oct 2019) +- test1591: fix spelling of http feature + + The test never got run because the feature name is `http` in lowercase. + + Closes https://github.com/curl/curl/pull/4520 -- [Rolf Eike Beer brought this change] +Daniel Stenberg (23 Oct 2019) +- [Michał Janiszewski brought this change] - CMake: use platform dependent name for dlopen() library + appveyor: Use two parallel compilation on appveyor with CMake - Closes #4279 - -- quiche: expire when poll returned data + Appveyor provides 2 CPUs for each builder[1], make sure to use parallel + compilation, when running with CMake. CMake learned this new option in + version 3.12[2] and the version provided by appveyor is fresh enough. - ... to make sure we continue draining the queue until empty + Curl doesn't really take that long to build and it is using the slowest + builder available, msbuild, so expect only a moderate improvement in + build times. - Closes #4281 - -- quiche: decrease available buffer size, don't assign it! + [1] https://www.appveyor.com/docs/build-environment/ + [2] https://cmake.org/cmake/help/v3.12/release/3.12.html - Found-by: Jeremy Lainé + Closes #4508 -- RELEASE-NOTES: synced +- conn-reuse: requests wanting NTLM can reuse non-NTLM connections + + Added test case 338 to verify. 
+ + Reported-by: Daniel Silverstone + Fixes #4499 + Closes #4514 -- [Kyohei Kadota brought this change] +Marcel Raad (23 Oct 2019) +- tests: add missing proxy features - curl: fix include conditions +Daniel Stenberg (22 Oct 2019) +- RELEASE-NOTES: synced -- [Kyohei Kadota brought this change] +Marcel Raad (21 Oct 2019) +- tests: use %FILE_PWD for file:// URLs + + This way, we always have exactly one slash after the host name, making + the tests pass when curl is compiled with the MSYS GCC. + + Closes https://github.com/curl/curl/pull/4512 - plan9: fix installation instructions +- tests: add `connect to non-listen` keywords - Closes #4276 + These tests try to connect to ports nothing is listening on. + + Closes https://github.com/curl/curl/pull/4511 -- ngtcp2: on h3 stream close, call expire +- runtests: get textaware info from curl instead of perl - ... to trigger a new read to detect the stream close! + The MSYS system on Windows can run the test suite for curl built with + any toolset. When built with the MSYS GCC, curl uses Unix line endings, + while it uses Windows line endings when built with the MinGW GCC, and + `^O` reports 'msys' in both cases. Use the curl executable itself to + determine the line endings instead, which reports 'x86_64-pc-msys' when + built with the MSYS GCC. - Closes #4275 + Closes https://github.com/curl/curl/pull/4506 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (20 Oct 2019) +- [Michał Janiszewski brought this change] - ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl + appveyor: Add MSVC ARM64 build - Closes #4278 + Closes #4507 -- ngtcp2: set flow control window to stream buffer size +- http2_recv: a closed stream trumps pause state - Closes #4274 + ... and thus should return 0, not EAGAIN. + + Reported-by: Tom van der Woerdt + Fixes #4496 + Closes #4505 -- [Christopher Head brought this change] +- http2: expire a timeout at end of stream + + To make sure that transfer is being dealt with. 
Streams without + Content-Length need a final read to notice the end-of-stream state. + + Reported-by: Tom van der Woerdt + Fixes #4496 - CURLOPT_HEADERFUNCTION.3: clarify +Dan Fandrich (18 Oct 2019) +- travis: Add an ARM64 build - Closes #4273 + Test 323 is failing for some reason, so disable it there for now. -- CURLINFO docs: mention that in redirects times are added +Marcel Raad (18 Oct 2019) +- examples/sslbackend: fix -Wchar-subscripts warning - Suggested-by: Brandon Dong - Fixes #4250 - Closes #4269 + With the `isdigit` implementation that comes with MSYS2, the argument + is used as an array subscript, resulting in a -Wchar-subscripts + warning. `isdigit`'s behavior is undefined if the argument is negative + and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable + to `unsigned char` to avoid that. + + [0] https://en.cppreference.com/w/c/string/byte/isdigit + + Closes https://github.com/curl/curl/pull/4503 -- travis: enable ngtcp2 builds again +Daniel Stenberg (18 Oct 2019) +- configure: remove all cyassl references - Switched to the openssl-quic-draft-22 openssl branch. + In particular, this removes the case where configure would find an old + cyall installation rather than a wolfssl one if present. The library is + named wolfssl in modern days so there's no real need to keep support for + the former. - Closes #4271 + Reported-by: Jacob Barthelmeh + Closes #4502 -- HTTP3: switched openssl branch to use +Marcel Raad (17 Oct 2019) +- test1162: disable MSYS2's POSIX path conversion + + This avoids MSYS2 converting the backslasb in the URL to a slash, + causing the test to fail. 
-- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (17 Oct 2019) +- RELEASE-NOTES: synced - ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl +Jay Satiro (16 Oct 2019) +- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time - Closes #4270 + Prior to this change some users did not understand that the "request" + starts when the handle is added to the multi handle, or probably they + did not understand that some of those transfers may be queued and that + time is included in timeout. + + Reported-by: Jeroen Ooms + + Fixes https://github.com/curl/curl/issues/4486 + Closes https://github.com/curl/curl/pull/4489 -- http2: when marked for closure and wanted to close == OK +- [Stian Soiland-Reyes brought this change] + + tool_operate: Fix retry sleep time shown to user when Retry-After - It could otherwise return an error even when closed correctly if GOAWAY - had been received previously. + - If server header Retry-After is being used for retry sleep time then + show that value to the user instead of the normal retry sleep time. - Reported-by: Tom van der Woerdt - Fixes #4267 - Closes #4268 + This is a follow-up to 640b973 (7.66.0) which changed curl tool so that + the value from Retry-After header overrides other retry timing options. + + Closes https://github.com/curl/curl/pull/4498 -- RELEASE-NOTES: synced +Daniel Stenberg (16 Oct 2019) +- url: normalize CURLINFO_EFFECTIVE_URL + + The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as + input in most cases, which made it not get a scheme prefixed like before + if the URL was given without one, and it didn't remove dotdot sequences + etc. + + Added test case 1907 to verify that this now works as intended and as + before 7.62.0. 
+ + Regression introduced in 7.62.0 + + Reported-by: Christophe Dervieux + Fixes #4491 + Closes #4493 -- build-openssl: fix build with Visual Studio 2019 +Marcel Raad (16 Oct 2019) +- tests: line ending fixes for Windows - Reviewed-by: Marcel Raad - Contributed-by: osabc on github - Fixes #4188 - Closes #4266 + Mark some files as text. + + Closes https://github.com/curl/curl/pull/4490 -Kamil Dudka (26 Aug 2019) -- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure +- tests: use proxy feature - This is a follow-up to https://github.com/curl/curl/pull/3864 . + This makes the tests succeed when using --disable-proxy. - Closes #4224 + Closes https://github.com/curl/curl/pull/4488 -Daniel Stenberg (26 Aug 2019) -- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows +- smbserver: fix Python 3 compatibility - Closes #4040 + Python 2's `ConfigParser` module is spelled `configparser` in Python 3. + + Closes https://github.com/curl/curl/pull/4484 -- quiche: send the HTTP body correctly on callback uploads +- security: silence conversion warning - Closes #4265 + With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, + while `read` expects a 32 bit signed integer. + Use `sread` instead of `read` to use the correct parameter type. + + Closes https://github.com/curl/curl/pull/4483 -- travis: disable ngtcp2 builds (temporarily) +- connect: silence sign-compare warning - Just too many API changes right now + With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the + result of `sizeof` is unsigned. - Closes #4264 + Closes https://github.com/curl/curl/pull/4483 -- ngtcp2: add support for SSLKEYLOGFILE +Daniel Stenberg (13 Oct 2019) +- TODO: Handle growing SFTP files - Closes #4260 + Closes #4344 -- ngtcp2: improve h3 response receiving +- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" - Closes #4259 + The curl_formadd() function is deprecated and shouldn't be used so the + real fix for applications is to switch to the curl_mime_* API. 
-- ngtcp2: use nghttp3_version() +- KNOWN_BUGS: "LDAP on Windows does authentication wrong" + + Closes #3116 -- ngtcp2: sync with upstream API changes +- appveyor: add a winbuild that uses VS2017 - Assisted-by: Tatsuhiro Tsujikawa + Closes #4482 -- [Kyle Abramowitz brought this change] +- [Harry Sintonen brought this change] - scp: fix directory name length used in memcpy + socketpair: fix include and define for older TCP header systems - Fix read off end of array due to bad pointer math in getworkingpath for - SCP home directory case. + fixed build for systems that need netinet/in.h for IPPROTO_TCP and are + missing INADDR_LOOPBACK - Closes #4258 + Closes #4480 -- http: the 'closed' struct field is used by both ngh2 and ngh3 +- socketpair: fix double-close in error case - and remove 'header_recvbuf', not used for anything + Follow-up to bc2dbef0afc08 + +- gskit: use the generic Curl_socketpair + +- asyn-thread: make use of Curl_socketpair() where available + +- socketpair: an implemention for Windows and more - Reported-by: Jeremy Lainé + Curl_socketpair() is designed to be used and work everywhere if there's + no native version or the native version isn't good enough. - Closes #4257 + Closes #4466 -- ngtcp2: accept upload via callback - - Closes #4256 +- RELEASE-NOTES: synced -- defines: avoid underscore-prefixed defines - - Double-underscored or underscore plus uppercase letter at least. +- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT - ... as they're claimed to be reserved. + Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no + matter what errno said. - Reported-by: patnyb on github + This makes for example --retry work on these transfer failures. - Fixes #4254 - Closes #4255 + Reported-by: Nathaniel J. 
Smith + Fixes #4461 + Clsoes #4462 -- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) +- cirrus: switch off blackhole status on the freebsd CI machines + +- tests: use port 2 instead of 60000 for a safer non-listening port - Runs no tests + ... when the tests want "connection refused". + +- KNOWN_BUGS: IDN tests failing on Windows - Closes #4253 + Closes #3747 -- travis: bump to using nghttp2 version 1.39.2 +Dan Fandrich (9 Oct 2019) +- cirrus: Increase the git clone depth. - Closes #4252 + If more commits are submitted to master between the time of triggering + the first Cirrus build and the time the final build gets started, the + desired commit is no longer at HEAD and the build will error out. + [skip ci] -- [Gisle Vanem brought this change] +Daniel Stenberg (9 Oct 2019) +- docs: make sure the --no-progress-meter docs file is in dist too - docs/examples/curlx: fix errors +- docs: document it as --no-progress-meter instead of the reverse - Initialise 'mimetype' and require the -p12 arg. + Follow-up to 93373a960c3bb4 - Closes #4248 + Reported-by: infinnovation-dev on github + Fixes #4474 + Closes #4475 -- cleanup: remove DOT_CHAR completely +Dan Fandrich (9 Oct 2019) +- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. - Follow-up to f9c7ba9096ec + Also, select the images using image_family to get the latest snapshots + automatically. + [skip ci] + +Daniel Stenberg (8 Oct 2019) +- curl: --no-progress-meter - The use of DOT_CHAR for ".ssh" was probably a mistake and is removed - now. + New option that allows a user to ONLY switch off curl's progress meter + and leave everything else in "talkative" mode. 
- Pointed-out-by: Gisle Vanem - Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + Reported-by: Piotr Komborski + Fixes #4422 + Closes #4470 + +- TODO: Consult %APPDATA% also for .netrc - Closes #4247 + Closes #4016 -- spnego_sspi: add typecast to fix build warning +- CURLOPT_TIMEOUT.3: remove the mention of "minutes" - Reported in build "Win32 target on Debian Stretch (64-bit) - - i686-w64-mingw32 - gcc-20170516" + ... just say that limiting operations risk aborting otherwise fine + working transfers. If that means seconds, minutes or hours, we leave to + the user. - Closes #4245 + Reported-by: Martin Gartner + Closes #4469 -- openssl: build warning free with boringssl +- [Andrei Valeriu BICA brought this change] + + docs: added multi-event.c example - Closes #4244 + Similar to multi-uv.c but using libevent 2. This is a simpler libevent + integration example then hiperfifo.c. + + Closes #4471 -- curl: make --libcurl use CURL_HTTP_VERSION_3 +Jay Satiro (5 Oct 2019) +- [Nicolas brought this change] + + ldap: fix OOM error on missing query string - Closes #4243 + - Allow missing queries, don't return NO_MEMORY error in such a case. + + It is acceptable for there to be no specified query string, for example: + + curl ldap://ldap.forumsys.com + + A regression bug in 1b443a7 caused this issue. + + This is a partial fix for #4261. + + Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 + Reported-by: Jojojov@users.noreply.github.com + Analyzed-by: Samuel Surtees + + Closes https://github.com/curl/curl/pull/4467 -- ngtcp2: make postfields-set posts work +- [Paul B. 
Omta brought this change] + + build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines - Closes #4242 + Closes https://github.com/curl/curl/pull/4460 -- http: remove chunked-encoding and expect header use for HTTP/3 +Daniel Stenberg (5 Oct 2019) +- RELEASE-NOTES: synced -- [Alessandro Ghedini brought this change] +- [Stian Soiland-Reyes brought this change] - configure: use pkg-config to detect quiche + curl: ensure HTTP 429 triggers --retry - This removes the need to hard-code the quiche target path in - configure.ac. + This completes #3794. - This depends on https://github.com/cloudflare/quiche/pull/128 + Also make sure the new tests from #4195 are enabled - Closes #4237 + Closes #4465 -- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 - - For a long time (since 7.28.1) we've returned error when setting the - value to 1 to make applications notice that we stopped supported the old - behavior for 1. Starting now, we treat 1 and 2 exactly the same. +Marcel Raad (4 Oct 2019) +- [apique brought this change] + + winbuild: add ENABLE_UNICODE option - Closes #4241 + Fixes https://github.com/curl/curl/issues/4308 + Closes https://github.com/curl/curl/pull/4309 -- curl: use .curlrc (with a dot) on Windows as well +Daniel Stenberg (4 Oct 2019) +- ngtcp2: adapt to API change - Fall-back to _curlrc if the dot-version is missing. + Closes #4457 + +- cookies: change argument type for Curl_flush_cookies - Co-Authored-By: Steve Holme + The second argument is really a 'bool' so use that and pass in TRUE/FALSE + to make it clear. - Closes #4230 + Closes #4455 -- netrc: make the code try ".netrc" on Windows as well +- http2: move state-init from creation to pre-transfer - ... but fall back and try "_netrc" too if the dot version didn't work. + To make sure that the HTTP/2 state is initialized correctly for + duplicated handles. It would otherwise easily generate "spurious" + PRIORITY frames to get sent over HTTP/2 connections when duplicated easy + handles were used. 
- Co-Authored-By: Steve Holme + Reported-by: Daniel Silverstone + Fixes #4303 + Closes #4442 -- ngtcp2: use ngtcp2_version() to get the run-time version +- urlapi: fix use-after-free bug - ... which of course doesn't have to be the same used at build-time. + Follow-up from 2c20109a9b5d04 - Function just recently merged in ngtcp2. - -- ngtcp2: move the h3 initing to immediately after the rx key + Added test 663 to verify. - To fix a segfault and to better deal with 0-RTT + Reported by OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17954 - Assisted-by: Tatsuhiro Tsujikawa + Closes #4453 -- [Alessandro Ghedini brought this change] +- [Paul Dreik brought this change] - quiche: register debug callback once and earlier + cookie: avoid harmless use after free - The quiche debug callback is global and can only be initialized once, so - make sure we don't do it multiple times (e.g. if multiple requests are - executed). + This fix removes a use after free which can be triggered by + the internal cookie fuzzer, but otherwise is probably + impossible to trigger from an ordinary application. - In addition this initializes the callback before the connection is - created, so we get logs for the handshake as well. + The following program reproduces it: - Closes #4236 - -- ssh: add a generic Curl_ssh_version function for SSH backends + curl_global_init(CURL_GLOBAL_DEFAULT); + CURL* handle=curl_easy_init(); + CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); + curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); + Curl_flush_cookies(handle, true); + Curl_cookie_cleanup(info); + curl_easy_cleanup(handle); + curl_global_cleanup(); - Closes #4235 + This was found through fuzzing. 
+ + Closes #4454 -- base64: check for SSH, not specific SSH backends +- [Denis Chaplygin brought this change] -- vssh: move ssh init/cleanup functions into backend code + docs: add note on failed handles not being counted by curl_multi_perform + + Closes #4446 -- vssh: create directory for SSH backend code +- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo -- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - - HTTP3 is now already in full progress +- [Niall brought this change] + + ESNI: initial build/setup - Downgrade redirects can be achived almost exactly like that by setting - CURLOPT_REDIR_PROTOCOLS. + Closes #4011 - RELEASE-NOTES: synced -- travis: add a quiche build - - Closes #4207 - -- http: fix use of credentials from URL when using HTTP proxy - - When a username and password are provided in the URL, they were wrongly - removed from the stored URL so that subsequent uses of the same URL - wouldn't find the crendentials. This made doing HTTP auth with multiple - connections (like Digest) mishave. +- redirect: when following redirects to an absolute URL, URL encode it - Regression from 46e164069d1a5230 (7.62.0) + ... to make it handle for example (RFC violating) embeded spaces. - Test case 335 added to verify. + Reported-by: momala454 on github + Fixes #4445 + Closes #4447 + +- urlapi: fix URL encoding when setting a full URL + +- tool_operate: rename functions to make more sense + +- curl: create easy handles on-demand and not ahead of time - Reported-by: Mike Crowe + This should again enable crazy-large download ranges of the style + [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 + when this new handle allocating scheme was introduced. 
- Fixes #4228 - Closes #4229 + Reported-by: Peter Sumatra + Fixes #4393 + Closes #4438 -- [Mike Crowe brought this change] +- [Kunal Ekawde brought this change] - tests: Replace outdated test case numbering documentation + CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt - Tests are no longer grouped by numeric range[1]. Let's stop saying that - and provide some alternative advice for numbering tests. + Closes #4410 + +- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error - [1] https://curl.haxx.se/mail/lib-2019-08/0043.html + Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the + response is chunked-encoded. - Closes #4227 + Reported-by: Ilya Kosarev + Fixes #4310 + Closes #4449 -- travis: reduce number of torture tests in 'coverage' +Marcel Raad (1 Oct 2019) +- checksrc: fix uninitialized variable warning - ... to make it complete in time. This cut seems not almost not affect - the coverage percentage and yet completes within 35 minutes on travis - where the previous runs recently always timed out after 50. + The loop doesn't need to be executed without a file argument. - Closes #4223 - -- [Igor Makarov brought this change] + Closes https://github.com/curl/curl/pull/4444 - configure: use -lquiche to link to quiche +- urlapi: fix unused variable warning - Closes #4226 + `dest` is only used with `ENABLE_IPV6`. + + Closes https://github.com/curl/curl/pull/4444 -- ngtcp2: provide the callbacks as a static struct +- lib: silence conversion warnings - ... instead of having them in quicsocket + Closes https://github.com/curl/curl/pull/4444 -- [Tatsuhiro Tsujikawa brought this change] +- AppVeyor: add 32-bit MinGW-w64 build + + With WinSSL and testing enabled so that it would have detected most of + the warnings fixed in [0] and [1]. 
+ + [0] https://github.com/curl/curl/pull/4398 + [1] https://github.com/curl/curl/pull/4415 + + Closes https://github.com/curl/curl/pull/4433 - ngtcp2: add missing nghttp3_conn_add_write_offset call +- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild - Closes #4225 + It's only used for MSYS2 with MinGW. + + Closes -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (30 Sep 2019) +- [Emil Engler brought this change] - ngtcp2: deal with stream close + git: add tests/server/disabled to .gitignore + + Closes #4441 -- [Tatsuhiro Tsujikawa brought this change] +- altsvc: accept quoted ma and persist values + + As mandated by the spec. Test 1654 is extended to verify. + + Closes #4443 - ngtcp2: Consume QUIC STREAM data properly +- mailmap: a Lucas fix -- [Tatsuhiro Tsujikawa brought this change] +Alessandro Ghedini (29 Sep 2019) +- [Lucas Pardue brought this change] - ngtcp2: don't reinitialize SSL on Retry + quiche: update HTTP/3 config creation to new API -- multi: getsock improvements for QUIC connecting +Daniel Stenberg (29 Sep 2019) +- BINDINGS: PureBasic, Net::Curl for perl and Nim -- connect: connections are persistent by default for HTTP/3 +- BINDINGS: Kapito is an Erlang library, basically a binding -- quiche: happy eyeballs +- BINDINGS: added clj-curl - Closes #4220 + Reported-by: Lucas Severo -- ngtcp2: do QUIC connections happy-eyeballs friendly +- [Jay Satiro brought this change] -- curl_version: bump string buffer size to 250 + docs: disambiguate CURLUPART_HOST is for host name (ie no port) - With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which - causes a truncated output). - -- CURLOPT_ALTSVC.3: use a "" file name to not load from a file + Closes #4424 -Jay Satiro (14 Aug 2019) -- vauth: Use CURLE_AUTH_ERROR for auth function errors +- cookies: using a share with cookies shouldn't enable the cookie engine - - Add new error code CURLE_AUTH_ERROR. + The 'share object' only sets the storage area for cookies. 
The "cookie + engine" still needs to be enabled or activated using the normal cookie + options. - Prior to this change auth function errors were signaled by - CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was - technically correct. + This caused the curl command line tool to accidentally use cookies + without having been told to, since curl switched to using shared cookies + in 7.66.0. - Ref: https://github.com/curl/curl/pull/3848 + Test 1166 verifies - Co-authored-by: Dominik Hölzl + Updated test 506 - Closes https://github.com/curl/curl/pull/3864 + Fixes #4429 + Closes #4434 -Daniel Stenberg (13 Aug 2019) -- curl_version_info: make the quic_version a const +- setopt: handle ALTSVC set to NULL + +- RELEASE-NOTES: synced + +- [grdowns brought this change] + + INSTALL: add vcpkg installation instructions - Follow-up from 1a2df1518ad8653f + Closes #4435 + +- [Zenju brought this change] + + FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs - Closes #4222 + Add libtest 661 + + Closes #4417 -- examples: add http3.c, altsvc.c and http3-present.c +- [Zenju brought this change] + + FTP: url-decode path before evaluation - Closes #4221 + Closes #4428 -Peter Wu (13 Aug 2019) -- nss: use TLSv1.3 as default if supported +Marcel Raad (27 Sep 2019) +- tests: fix narrowing conversion warnings - SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported - range in NSS 3.45. It looks like the intention is to raise the minimum - version rather than lowering the maximum, so adjust accordingly. Note - that the caller (nss_setup_connect) initializes the version range to - (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. + `timediff_t` is 64 bits wide also on 32-bit systems since + commit b1616dad8f0. 
- Closes #4187 - Reviewed-by: Daniel Stenberg - Reviewed-by: Kamil Dudka + Closes https://github.com/curl/curl/pull/4415 -Daniel Stenberg (13 Aug 2019) -- quic.h: remove unused proto +Jay Satiro (27 Sep 2019) +- [julian brought this change] -- curl_version_info.3: mentioned ALTSVC and HTTP3 + vtls: Fix comment typo about macosx-version-min compiler flag - ... and sorted the list alphabetically + Closes https://github.com/curl/curl/pull/4425 -- lib/quic.c: unused - removed +Daniel Stenberg (26 Sep 2019) +- [Yechiel Kalmenson brought this change] -- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED + README: minor grammar fix - Follow-up to 98c3f148 that removed it from the header file + Closes #4431 -- [Junho Choi brought this change] +- [Spezifant brought this change] - docs/HTTP3: simplify quiche build instruction - - Use --recursive to get boringssl in one line + HTTP3: fix prefix parameter for ngtcp2 build - Closes #4219 + Closes #4430 -- altsvc: make it use h3-22 with ngtcp2 as well +- quiche: don't close connection at end of stream! -- ngtcp2: initial h3 request work - - Closes #4217 +- quiche: set 'drain' when returning without having drained the queues -- curl_version_info: offer quic (and h3) library info +- Revert "FTP: url-decode path before evaluation" - Closes #4216 + This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. -- HTTP3: use ngtcp2's draft-22 branch +- HTTP3: merged and simplified the two 'running' sections -- RELEASE-NOTES: synced +- HTTP3: show an --alt-svc using example too -- CURLOPT_READFUNCTION.3: provide inline example - - ... instead of mentioning one in another place +- [Zenju brought this change] -- [Tatsuhiro Tsujikawa brought this change] + FTP: url-decode path before evaluation + + Closes #4423 - ngtcp2: send HTTP/3 request with nghttp3 +- openssl: use strerror on SSL_ERROR_SYSCALL - This commit makes sending HTTP/3 request with nghttp3 work. 
It - minimally receives HTTP response and calls nghttp3 callbacks, but no - processing is made at the moment. + Instead of showing the somewhat nonsensical errno number, use strerror() + to provide a more relatable error message. - Closes #4215 + Closes #4411 -- nghttp3: initial h3 template code added +- HTTP3: update quic.aiortc.org + add link to server list + + Reported-by: Jeremy Lainé -- nghttp3: required when ngtcp2 is used for QUIC +Jay Satiro (26 Sep 2019) +- url: don't set appconnect time for non-ssl/non-ssh connections - - checked for by configure - - updated docs/HTTP3.md - - shown in the version string + Prior to this change non-ssl/non-ssh connections that were reused set + TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH + handshake took place. - Closes #4210 - -- [Eric Wong brought this change] - - asyn-thread: issue CURL_POLL_REMOVE before closing socket + [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in + libcurl and %{time_appconnect} in the curl tool. It is documented as + "the time until the SSL/SSH handshake is completed". - This avoids EBADF errors from EPOLL_CTL_DEL operations in the - ephiperfifo.c example. EBADF is dangerous in multi-threaded - applications where I rely on epoll_ctl to operate on the same - epoll description from different threads. + Reported-by: Marcel Hernandez - Follow-up to eb9a604f8d7db8 + Ref: https://github.com/curl/curl/issues/3760 - Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html - Closes #4211 - -- [Carlo Marcelo Arenas Belón brought this change] + Closes https://github.com/curl/curl/pull/3773 - configure: avoid undefined check_for_ca_bundle +Daniel Stenberg (25 Sep 2019) +- ngtcp2: remove fprintf() calls - instead of using a "greater than 0" test, check for variable being - set, as it is always set to 1, and could be left unset if non of - OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. 
+ - convert some of them to H3BUF() calls to infof() + - remove some of them completely + - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now - Closes #4213 + Closes #4421 -- [Tatsuhiro Tsujikawa brought this change] +- [Jay Satiro brought this change] - ngtcp2: Send ALPN h3-22 + url: fix the NULL hostname compiler warning case - Closes #4212 + Closes #4403 -- [Tatsuhiro Tsujikawa brought this change] +- [Jay Satiro brought this change] - ngtcp2: use ngtcp2_settings_default and specify initial_ts + travis: move the go install to linux-only + + ... to repair the build again + Closes #4403 -- curl_global_init_mem.3: mention it was added in 7.12.0 +- altsvc: correct the #ifdef for the ngtcp2 backend -- [Tatsuhiro Tsujikawa brought this change] +- altsvc: save h3 as h3-23 + + Follow-up to d176a2c7e5 - ngtcp2: make the QUIC handshake work +- urlapi: question mark within fragment is still fragment - Closes #4209 + The parser would check for a query part before fragment, which caused it + to do wrong when the fragment contains a question mark. + + Extended test 1560 to verify. + + Reported-by: Alex Konev + Fixes #4412 + Closes #4413 -- [Alex Mayorga brought this change] +- [Alex Samorukov brought this change] - HTTP3.md: Update quiche build instructions + HTTP3.md: move -p for mkdir, remove -j for make - Added cloning for quiche and BoringSSL and modified the build - instructions so they work on a clean folder. + - mkdir on OSX/Darwin requires `-p` argument before dir - Closes #4208 + - portabbly figuring out number of cores is an exercise for somewhere + else + + Closes #4407 -- CURLOPT_H3: removed +Patrick Monnerat (24 Sep 2019) +- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, - There's no use for this anymore and it was never in a release. + As libcurl now uses these 2 system functions, wrappers are needed on os400 + to convert returned AF_UNIX sockaddrs to ascii. 
- Closes #4206 - -- http3: make connection reuse work - - Closes #4204 + This is a follow-up to commit 7fb54ef. + See also #4037. + Closes #4214 -- quiche: add SSLKEYLOGFILE support +Jay Satiro (24 Sep 2019) +- [Lucas Pardue brought this change] -- cleanup: s/curl_debug/curl_dbg_debug in comments and docs + strcase: fix raw lowercasing the letter X - Leftovers from the function rename back in 76b63489495 + Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to + this change. - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com - mitcomment-34601751 + Follow-up to 0023fce which added the function several days ago. - Closes #4203 + Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 + + Closes https://github.com/curl/curl/pull/4408 -- RELEASE-NOTES: synced +Daniel Stenberg (23 Sep 2019) +- http2: Expression 'stream->stream_id != - 1' is always true + + PVS-Studio warning + Fixes #4402 -- alt-svc: add protocol version selection masking +- http2: A value is being subtracted from the unsigned variable - So that users can mask in/out specific HTTP versions when Alt-Svc is - used. 
+ PVS-Studio warning + Fixes #4402 + +- libssh: part of conditional expression is always true: !result - - Removed "h2c" and updated test case accordingly - - Changed how the altsvc struct is laid out - - Added ifdefs to make the unittest run even in a quiche-tree + PVS-Studio warning + Fixed #4402 + +- libssh: part of conditional expression is always true - Closes #4201 + PVS-Studio warning + Fixes #4402 -- http3: fix the HTTP/3 in the request, make alt-svc set right versions +- libssh: The expression is excessive or contains a misprint - Closes #4200 + PVS-Studio warning + Fixes #4402 -- alt-svc: send Alt-Used: in redirected requests +- quiche: The expression must be surrounded by parentheses - RFC 7838 section 5: + PVS-Studio warning + Fixes #4402 + +- vauth: The parameter 'status' must be surrounded by parentheses - When using an alternative service, clients SHOULD include an Alt-Used - header field in all requests. + PVS-Studio warning + Fixes #4402 + +- [Paul Dreik brought this change] + + doh: allow only http and https in debug mode - Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus - this is deemed ok). + Otherwise curl may be told to use for instance pop3 to + communicate with the doh server, which most likely + is not what you want. - You can disable sending this header just like you disable any other HTTP - header in libcurl. + Found through fuzzing. - Closes #4199 + Closes #4406 -- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly +- [Paul Dreik brought this change] + + doh: return early if there is no time left - Even though it cannot fall-back to a lower HTTP version automatically. The - safer way to upgrade remains via CURLOPT_ALTSVC. + Closes #4406 + +- [Barry Pollard brought this change] + + http: lowercase headernames for HTTP/2 and HTTP/3 - CURLOPT_H3 no longer has any bits that do anything and might be removed - before we remove the experimental label. 
+ Closes #4401 + Fixes #4400 + +Marcel Raad (23 Sep 2019) +- vtls: fix narrowing conversion warnings - Updated the curl tool accordingly to use "--http3". + Curl_timeleft returns `timediff_t`, which is 64 bits wide also on + 32-bit systems since commit b1616dad8f0. - Closes #4197 + Closes https://github.com/curl/curl/pull/4398 -- docs/ALTSVC: remove what works and the experimental explanation +Daniel Stenberg (23 Sep 2019) +- [Joel Depooter brought this change] + + winbuild: Add manifest to curl.exe for proper OS version detection - Also, put the TODO items at the bottom. + This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 + in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to + CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is + overwritten. The fix is to append values to CURL_RC_FLAGS instead of + overwriting - Closes #4198 + Closes #4399 -- docs/EXPERIMENTAL: explain what it means and what's experimental now +- RELEASE-NOTES: synced -- curl: make use of CURLINFO_RETRY_AFTER when retrying +Marcel Raad (22 Sep 2019) +- openssl: fix compiler warning with LibreSSL - If a Retry-After: header was used in the response, that value overrides - other retry timing options. + It was already fixed for BoringSSL in commit a0f8fccb1e0. + LibreSSL has had the second argument to SSL_CTX_set_min_proto_version + as uint16_t ever since the function was added in [0]. - Fixes #3794 - Closes #4195 + [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda + + Closes https://github.com/curl/curl/pull/4397 -- curl: use CURLINFO_PROTOCOL to check for HTTP(s) +Daniel Stenberg (22 Sep 2019) +- curl: exit the create_transfers loop on errors - ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. + When looping around the ranges and given URLs to create transfers, all + errors should exit the loop and return. Previously it would keep + looping. 
+ + Reported-by: SumatraPeter on github + Bug: #4393 + Closes #4396 -- CURLINFO_RETRY_AFTER: parse the Retry-After header value +Jay Satiro (21 Sep 2019) +- socks: Fix destination host shown on SOCKS5 error - This is only the libcurl part that provides the information. There's no - user of the parsed value. This change includes three new tests for the - parser. + Prior to this change when a server returned a socks5 connect error then + curl would parse the destination address:port from that data and show it + to the user as the destination: - Ref: #3794 + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) + * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + + That's incorrect because the address:port included in the connect error + is actually a bind address:port (typically unused) and not the + destination address:port. This fix changes curl to show the destination + information that curl sent to the server instead: + + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) + * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + + curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to google.com:99 (remotely resolved) + * Can't complete SOCKS5 connection to google.com:99. (1) + curl: (7) Can't complete SOCKS5 connection to google.com:99. 
(1) + + Ref: https://tools.ietf.org/html/rfc1928#section-6 + + Closes https://github.com/curl/curl/pull/4394 -- docs/ALTSVC.md: first basic file format description +Daniel Stenberg (21 Sep 2019) +- travis: enable ngtcp2 h3-23 builds -- curl: have -w's 'http_version' show '3' for HTTP/3 +- altsvc: both backends run h3-23 now - Closes #4196 + Closes #4395 -- curl.h: add CURL_HTTP_VERSION_3 to the version enum +- http: fix warning on conversion from int to bit - It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with - CURLINFO_HTTP_VERSION. + Follow-up from 03ebe66d70 -- quiche: make use of the connection timeout API properly +- urldata: use 'bool' for the bit type on MSVC compilers + + Closes #4387 + Fixes #4379 -- quiche: make POSTFIELDS posts work +- appveyor: upgrade VS2017 to VS2019 + + Closes #4383 -- quiche: improved error handling and memory cleanups +- [Zenju brought this change] -- quiche: flush egress in h3_stream_recv() too + FTP: FTPFILE_NOCWD: avoid redundant CWDs + + Closes #4382 -- RELEASE-NOTES: synced +- cookie: pass in the correct cookie amount to qsort() + + As the loop discards cookies without domain set. This bug would lead to + qsort() trying to sort uninitialized pointers. We have however not found + it a security problem. + + Reported-by: Paul Dreik + Closes #4386 -Jay Satiro (6 Aug 2019) -- [Patrick Monnerat brought this change] +- [Paul Dreik brought this change] - os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). + urlapi: avoid index underflow for short ipv6 hostnames - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + If the input hostname is "[", hlen will underflow to max of size_t when + it is subtracted with 2. - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ hostname[hlen] will then cause a warning by ubsanitizer: - Closes https://github.com/curl/curl/pull/4186 - -- tests: Fix the line endings for the SASL alt-auth tests + runtime error: addition of unsigned offset to 0x overflowed to + 0x - - Change data and protocol sections to CRLF line endings. + I think that in practice, the generated code will work, and the output + of hostname[hlen] will be the first character "[". - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + This can be demonstrated by the following program (tested in both clang + and gcc, with -O3) - Follow-up to grandparent commit which added the tests. + int main() { + char* hostname=strdup("["); + size_t hlen = strlen(hostname); - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + hlen-=2; + hostname++; + printf("character is %d\n",+hostname[hlen]); + free(hostname-1); + } - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + I found this through fuzzing, and even if it seems harmless, the proper + thing is to return early with an error. - Closes https://github.com/curl/curl/pull/4186 + Closes #4389 -- [Steve Holme brought this change] +- [Tatsuhiro Tsujikawa brought this change] - examples: Added SASL PLAIN authorisation identity (authzid) examples - - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 - - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 - Closes https://github.com/curl/curl/pull/4186 + Closes #4392 -- [Steve Holme brought this change] +- THANKS-filter: deal with my typos 'Jat' => 'Jay' - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool +- travis: use go master - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + ... as the boringssl builds needs a very recent version - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + Co-authored-by: Jat Satiro + Closes #4361 + +- tool_operate: removed unused variable 'done' - Closes https://github.com/curl/curl/pull/4186 + Fixes warning detected by PVS-Studio + Fixes #4374 -- [Steve Holme brought this change] +- tool_operate: Expression 'config->resume_from' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID +- tool_getparam: remove duplicate switch case - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- libssh2: part of conditional expression is always true: !result - Fixes #3653 - Closes #3790 + Fixes warning detected by PVS-Studio + Fixes #4374 + +- urlapi: Expression 'storep' is always true - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + +- urlapi: 'scheme' is always true - Closes https://github.com/curl/curl/pull/4186 + Fixes warning detected by PVS-Studio + Fixes #4374 -Daniel Stenberg (6 Aug 2019) -- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested +- urlapi: part of conditional expression is always true: (relurl[0] == '/') + + Fixes warning detected by PVS-Studio + Fixes #4374 -- [Yiming Jing brought this change] +- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly + + Fixes bug detected by PVS-Studio + Fixes #4374 - mesalink: implement client authentication +- mime: make Curl_mime_duppart() assert if called without valid dst - Closes #4184 + Fixes warning detected by PVS-Studio + Fixes #4374 -- curl_multi_poll: a sister to curl_multi_wait() that waits more +- http_proxy: part of conditional expression is always true: !error - Repeatedly we see problems where using curl_multi_wait() is difficult or - just awkward because if it has no file descriptor to wait for - internally, it returns immediately and leaves it to the caller to wait - for a small amount of time in order to avoid occasional busy-looping. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- imap: merged two case-branches performing the same action - This is often missed or misunderstood, leading to underperforming - applications. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- multi: value '2L' is assigned to a boolean - This change introduces curl_multi_poll() as a replacement drop-in - function that accepts the exact same set of arguments. This function - works identically to curl_multi_wait() - EXCEPT - for the case when - there's nothing to wait for internally, as then this function will by - itself wait for a "suitable" short time before it returns. This - effectiely avoids all risks of busy-looping and should also make it less - likely that apps "over-wait". 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + +- easy: part of conditional expression is always true: !result - This also changes the curl tool to use this funtion internally when - doing parallel transfers and changes curl_easy_perform() to use it - internally. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- netrc: part of conditional expression is always true: !done - Closes #4163 + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche:h3_stream_recv return 0 at end of stream +- version: Expression 'left > 1' is always true - ... and remove some verbose messages we don't need. Made transfers from - facebook.com work better. + Fixes warning detected by PVS-Studio + Fixes #4374 -- altsvc: make quiche use h3-22 now +- url: remove dead code + + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche: show the actual version number +- url: part of expression is always true: (bundle->multiuse == 0) + + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche: first working HTTP/3 request +- ftp: the conditional expression is always true - - enable debug log - - fix use of quiche API - - use download buffer - - separate header/body + ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! - Closes #4193 + Fixes warning detected by PVS-Studio + Fixes #4374 -- http09: disable HTTP/0.9 by default in both tool and library - - As the plan has been laid out in DEPRECATED. Update docs accordingly and - verify in test 1174. Now requires the option to be set to allow HTTP/0.9 - responses. 
+- ftp: Expression 'ftpc->wait_data_conn' is always false - Closes #4191 + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche: initial h3 request send/receive +- ftp: Expression 'ftpc->wait_data_conn' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 -- lib/Makefile.am: make checksrc run in vquic too +- ftp: part of conditional expression is always true: !result + + Fixes warning detected by PVS-Studio + Fixes #4374 -- altsvc: fix removal of expired cache entry +- http: fix Expression 'http->postdata' is always false - Closes #4192 + Fixes warning detected by PVS-Studio + Fixes #4374 + Reported-by: Valerii Zapodovnikov -- RELEASE-NOTES: synced +- [Niall O'Reilly brought this change] -Steve Holme (4 Aug 2019) -- md4: Use our own MD4 implementation when no crypto libraries are available + doh: avoid truncating DNS QTYPE to lower octet - Closes #3780 + Closes #4381 -- md4: No need to include Curl_md4.h for each TLS library +- [Jens Finkhaeuser brought this change] -- md4: No need for the NTLM code to call Curl_md4it() for each TLS library + urlapi: CURLU_NO_AUTHORITY allows empty authority/host part - As the NTLM code no longer calls any of TLS libraries' specific MD4 - functions, there is no need to call this function for each #ifdef. + CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not + "file:///") to override cURL's default demand that an authority exists. + + Closes #4349 -- md4: Move the mbed TLS MD4 implementation out of the NTLM code +- version: next release will be 7.67.0 -- md4: Move the WinCrypt implementation out of the NTLM code +- RELEASE-NOTES: synced -- md4: Move the SecureTransport implementation out of the NTLM code +- url: only reuse TLS connections with matching pinning + + If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the + connection should not be reused. 
+ + Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html + Reported-by: Sebastian Haglund + + Closes #4347 -- md4: Use the Curl_md4it() function for OpenSSL based NTLM +- README: add OSS-Fuzz badge [skip ci] + + Closes #4380 -- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code +Michael Kaufmann (18 Sep 2019) +- http: merge two "case" statements -- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code +Daniel Stenberg (18 Sep 2019) +- [Zenju brought this change] -Jay Satiro (4 Aug 2019) -- OS400: Add CURLOPT_H3 symbols + FTP: remove trailing slash from path for LIST/MLSD - Follow-up to 3af0e76 which added experimental H3 support. + Closes #4348 + +- mime: when disabled, avoid C99 macro - Closes https://github.com/curl/curl/pull/4185 + Closes #4368 -Daniel Stenberg (3 Aug 2019) -- url: make use of new HTTP version if alt-svc has one +- url: cleanup dangling DOH request headers too + + Follow-up to 9bc44ff64d9081 + + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17269 + + Closes #4372 -- url: set conn->transport to default TCP at init time +- [Christoph M. Becker brought this change] -- altsvc: with quiche, use the quiche h3 alpn string + http2: relax verification of :authority in push promise requests - Closes #4183 - -- alt-svc: more liberal ALPN name parsing + If the :authority pseudo header field doesn't contain an explicit port, + we assume it is valid for the default port, instead of rejecting the + request for all ports. - Allow pretty much anything to be part of the ALPN identifier. In - particular minus, which is used for "h3-20" (in-progress HTTP/3 - versions) etc. + Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html - Updated test 356. 
- Closes #4182 - -- quiche: use the proper HTTP/3 ALPN + Closes #4365 -- quiche: add failf() calls for two error cases +- doh: clean up dangling DOH handles and memory on easy close - To aid debugging + If you set the same URL for target as for DoH (and it isn't a DoH + server), like "https://example.com" in both, the easy handles used for + the DoH requests could be left "dangling" and end up not getting freed. - Closes #4181 + Reported-by: Paul Dreik + Closes #4366 -- mailmap: added Kyohei Kadota +- unit1655: make it C90 compliant + + Unclear why this was not detected in the CI. + + Follow-up to b7666027296a -Kamil Dudka (1 Aug 2019) -- http_negotiate: improve handling of gss_init_sec_context() failures +- smb: check for full size message before reading message details - If HTTPAUTH_GSSNEGOTIATE was used for a POST request and - gss_init_sec_context() failed, the POST request was sent - with empty body. This commit also restores the original - behavior of `curl --fail --negotiate`, which was changed - by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. + To avoid reading of uninitialized data. - Add regression tests 2077 and 2078 to cover this. + Assisted-by: Max Dymond + Bug: https://crbug.com/oss-fuzz/16907 + Closes #4363 + +- quiche: persist connection details - Fixes #3992 - Closes #4171 + ... like we do for other protocols at connect time. This makes "curl -I" + and other things work. 
+ + Reported-by: George Liu + Fixes #4358 + Closes #4360 -Daniel Stenberg (1 Aug 2019) -- mailmap: added 4 more names +- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version - Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli + Follow-up to ffe34b7b59 + Closes #4359 -- mailmap: add Giorgos Oikonomou +- [Paul Dreik brought this change] -- src/makefile: fix uncompressed hugehelp.c generation + doh: fix undefined behaviour and open up for gcc and clang optimization - Regression from 5cf5d57ab9 (7.64.1) + The undefined behaviour is annoying when running fuzzing with + sanitizers. The codegen is the same, but the meaning is now not up for + dispute. See https://cppinsights.io/s/516a2ff4 - Fixed-by: Lance Ware - Fixes #4176 - Closes #4177 + By incrementing the pointer first, both gcc and clang recognize this as + a bswap and optimizes it to a single instruction. See + https://godbolt.org/z/994Zpx + + Closes #4350 -- appveyor: pass on -k to make +- [Paul Dreik brought this change] -- timediff: make it 64 bit (if possible) even with 32 bit time_t + doh: fix (harmless) buffer overrun - ... to make it hold microseconds too. + Added unit test case 1655 to verify. + Close #4352 - Fixes #4165 - Closes #4168 + the code correctly finds the flaws in the old code, + if one temporarily restores doh.c to the old version. 
-- ROADMAP: parallel transfers are merged now +Alessandro Ghedini (15 Sep 2019) +- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man -- getenv: support up to 4K environment variable contents on windows - - Reported-by: Michal Čaplygin - Fixes #4174 - Closes #4175 +- docs: fix typo in CURLOPT_HTTP_VERSION man -- [Kyohei Kadota brought this change] +GitHub (14 Sep 2019) +- [Daniel Stenberg brought this change] - plan9: add support for running on Plan 9 + CI: inintial github action job - Closes #3701 + First shot at a CI build on github actions -- [Kyohei Kadota brought this change] +Daniel Stenberg (13 Sep 2019) +- appveyor: add a winbuild + + Assisted-by: Marcel Raad + Assisted-by: Jay Satiro + + Closes #4324 - ntlm: explicit type casting +- FTP: allow "rubbish" prepended to the SIZE response + + This is a protocol violation but apparently there are legacy proprietary + servers doing this. + + Added test 336 and 337 to verify. + + Reported-by: Philippe Marguinaud + Closes #4339 -- [Justin brought this change] +- [Zenju brought this change] - curl.h: fix outdated comment + FTP: skip CWD to entry dir when target is absolute - Closes #4167 + Closes #4332 -- curl: remove outdated comment +Kamil Dudka (13 Sep 2019) +- curl: fix memory leaked by parse_metalink() - Turned bad with commit b8894085000 + This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. + Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind + and libmetalink enabled. - Reported-by: niallor on github - Fixes #4172 - Closes #4173 + Closes #4326 -- cleanup: remove the 'numsocks' argument used in many places +Daniel Stenberg (13 Sep 2019) +- parsedate: still provide the name arrays when disabled - It was used (intended) to pass in the size of the 'socks' array that is - also passed to these functions, but was rarely actually checked/used and - the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries - that should be used instead. 
+ If FILE or FTP are enabled, since they also use them! - Closes #4169 + Reported-by: Roland Hieber + Fixes #4325 + Closes #4343 -- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp +- [Gilles Vollant brought this change] + + curl:file2string: load large files much faster - Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) + ... by using a more efficient realloc scheme. - Reported-by: Jonathan Cardoso Machado - Assisted-by: Jay Satiro + Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html + Closes #4336 + +- openssl: close_notify on the FTP data connection doesn't mean closure - Fixes #4136 - Closes #4162 + For FTPS transfers, curl gets close_notify on the data connection + without that being a signal to close the control connection! + + Regression since 3f5da4e59a556fc (7.65.0) + + Reported-by: Zenju on github + Reviewed-by: Jay Satiro + Fixes #4329 + Closes #4340 -- mailmap: Amit Katyal +- [Jimmy Gaussen brought this change] -- asyn-thread: removed unused variable + docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag - Follow-up to eb9a604f. Mistake caused by me when I edited the commit - before push... + Closes #4338 - RELEASE-NOTES: synced -- [Amit Katyal brought this change] +- curlver: bump to 7.66.1 - asyn-thread: create a socketpair to wait on - - Closes #4157 +- [Zenju brought this change] -- curl: cap the maximum allowed values for retry time arguments + setopt: make it easier to add new enum values - ... to avoid integer overflows later when multiplying with 1000 to - convert seconds to milliseconds. + ... by using the *_LAST define names better. - Added test 1269 to verify. + Closes #4321 + +- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris - Reported-by: Jason Lee - Closes #4166 + Reported-by: Dagobert Michelsen + Fixes #4328 + Closes #4333 -- progress: reset download/uploaded counter +- [Bernhard Walle brought this change] + + winbuild/MakefileBuild.vc: Add vssh - ... 
to make CURLOPT_MAX_RECV_SPEED_LARGE and - CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that - reuse the same handle. + Without that modification, the Windows build using the makefiles doesn't + work. - Fixed-by: Ironbars13 on github - Fixes #4084 - Closes #4161 + Signed-off-by: Bernhard Walle + + Fixes #4322 + Closes #4323 -- http2_recv: trigger another read when the last data is returned +Bernhard Walle (11 Sep 2019) +- winbuild/MakefileBuild.vc: Fix line endings - ... so that end-of-stream is detected properly. + The file had mixed line endings. - Reported-by: Tom van der Woerdt - Fixes #4043 - Closes #4160 + 
Signed-off-by: Bernhard Walle -- curl: avoid uncessary libcurl timeouts (in parallel mode) +Jay Satiro (11 Sep 2019) +- ldap: Stop using wide char version of ldapp_err2string - When curl_multi_wait() returns OK without file descriptors to wait for, - it might already have done a long timeout. + Despite ldapp_err2string being documented by MS as returning a + PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and + returns PWCHAR (wchar_t *). - Closes #4159 + We have lots of code that expects ldap_err2string to return char *, + most of it failf used like this: + + failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); + + Closes https://github.com/curl/curl/pull/4272 -- [Balazs Kovacsics brought this change] +Version 7.66.0 (10 Sep 2019) - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown +Daniel Stenberg (10 Sep 2019) +- RELEASE-NOTES: curl 7.66.0 + +- THANKS: from the 7.66.0 release + +- curl: make sure the parallel transfers do them all - If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, - automatically add a Transfer-Encoding: chunked header, same as it is - already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update - test 1514 according to the new behaviour. + The logic could erroneously break the loop too early before all + transfers had been transferred. - Closes #4138 + Reported-by: Tom van der Woerdt + Fixes #4316 + Closes #4317 -Jay Satiro (29 Jul 2019) -- [Daniel Stenberg brought this change] +- urlapi: one colon is enough for the strspn() input (typo) - winbuild: add vquic to list of build directories - - This fixes the winbuild build method which broke several days ago - when experimental quic support was added in 3af0e76. +- urlapi: verify the IPv6 numerical address - Reported-by: Michael Lee + It needs to parse correctly. Otherwise it could be tricked into letting + through a-f using host names that libcurl would then resolve. Like + '[ab.be]'. 
- Fixes https://github.com/curl/curl/issues/4158 + Reported-by: Thomas Vegas + Closes #4315 -- easy: resize receive buffer on easy handle reset - - - In curl_easy_reset attempt to resize the receive buffer to its default - size. If realloc fails then continue using the previous size. +- [Clément Notin brought this change] + + openssl: use SSL_CTX_set__proto_version() when available - Prior to this change curl_easy_reset did not properly handle resetting - the receive buffer (data->state.buffer). It reset the variable holding - its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) - but then did not actually resize the buffer. If a user resized the - buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the - default, later called curl_easy_reset and attempted to reuse the handle - then a heap overflow would very likely occur during that handle's next - transfer. + OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use + when available. Existing code is preserved for older versions of + OpenSSL. - Reported-by: Felix Hädicke + Closes #4304 + +- [Clément Notin brought this change] + + openssl: indent, re-organize and add comments + +- [migueljcrum brought this change] + + sspi: fix memory leaks - Fixes https://github.com/curl/curl/issues/4143 - Closes https://github.com/curl/curl/pull/4145 + Closes #4299 -- [Brad Spencer brought this change] +- travis: disable ngtcp2 builds (again) - examples: Avoid reserved names in hiperfifo examples +- Curl_fillreadbuffer: avoid double-free trailer buf on error - - Trade in __attribute__((unused)) for the classic (void)x to silence - unused symbols. + Reviewed-by: Jay Satiro + Reported-by: Thomas Vegas - Because the classic way is not gcc specific. Also because the prior - method mapped to symbol _Unused, which starts with _ and a capital - letter which is reserved. 
+ Closes #4307 + +- tool_setopt: handle a libcurl build without netrc support - Assisted-by: The Infinnovation team + Reported-by: codesniffer13 on github + Fixes #4302 + Closes #4305 + +- security:read_data fix bad realloc() - Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 + ... that could end up a double-free - Closes https://github.com/curl/curl/pull/4153 - -Daniel Stenberg (25 Jul 2019) -- RELEASE-NOTES: synced + CVE-2019-5481 + Bug: https://curl.haxx.se/docs/CVE-2019-5481.html -- [Felix Hädicke brought this change] +- [Thomas Vegas brought this change] - ssh-libssh: do not specify O_APPEND when not in append mode + tftp: Alloc maximum blksize, and use default unless OACK is received - Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not - make much sense. And this combination of flags is not accepted by all - SFTP servers (at least not Apache SSHD). + Fixes potential buffer overflow from 'recvfrom()', should the server + return an OACK without blksize. - Fixes #4147 - Closes #4148 + Bug: https://curl.haxx.se/docs/CVE-2019-5482.html + CVE-2019-5482 -- [Gergely Nagy brought this change] +- [Thomas Vegas brought this change] - multi: call detach_connection before Curl_disconnect - - Curl_disconnect bails out if conn->easyq is not empty, detach_connection - needs to be called first to remove the current easy from the queue. - - Fixes #4144 - Closes #4151 + tftp: return error when packet is too small for options -Jay Satiro (23 Jul 2019) -- tool_operate: fix implicit call to easysrc_cleanup +- KNOWN_BUGS/TODO: cleanup and remove outdated issues + +- RELEASE-NOTES: synced + +- netrc: free 'home' on error - easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not - defined, and prior to this change would be called regardless. 
+ Follow-up to f9c7ba9096ec2 - Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 - Reported-by: Marcel Raad + Coverity CID 1453474 - Closes https://github.com/curl/curl/pull/4142 + Closes #4291 -Daniel Stenberg (22 Jul 2019) -- curl:create_transfers check return code from curl_easy_setopt - - From commit b8894085 +- urldata: avoid 'generic', use dedicated pointers - Pointed out by Coverity CID 1451703 + For the 'proto' union within the connectdata struct. - Closes #4134 + Closes #4290 -- HTTP3: initial (experimental) support +- cleanup: move functions out of url.c and make them static - USe configure --with-ngtcp2 or --with-quiche - - Using either option will enable a HTTP3 build. - Co-authored-by: Alessandro Ghedini - - Closes #3500 + Closes #4289 -- curl: remove dead code +- smtp: check for and bail out on too short EHLO response - The loop never loops (since b889408500), pointed out by Coverity (CID - 1451702) + Otherwise, a three byte response would make the smtp_state_ehlo_resp() + function misbehave. - Closes #4133 - -- docs/PARALLEL-TRANSFERS: correct the version number - -- docs/PARALLEL-TRANSFERS: added - -- curl: support parallel transfers + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/16918 - This is done by making sure each individual transfer is first added to a - linked list as then they can be performed serially, or at will, in - parallel. + Assisted-by: Max Dymond - Closes #3804 + Closes #4287 -- docs/MANUAL.md: converted to markdown from plain text +- smb: init *msg to NULL in smb_send_and_recv() - ... will make it render as a nicer web page. + ... it might otherwise return OK from this function leaving that pointer + uninitialized. - Closes #4131 - -- curl_version_info: provide nghttp2 details + Bug: https://crbug.com/oss-fuzz/16907 - Introducing CURLVERSION_SIXTH with nghttp2 info. 
+ Closes #4286 + +- ROADMAP: updated after recent user poll - Closes #4121 + In rough prio order -- bump: start working on 7.66.0 +- THANKS: remove duplicate -- source: remove names from source comments +- Curl_addr2string: take an addrlen argument too - Several reasons: + This allows the function to figure out if a unix domain socket has a + file name or not associated with it! When a socket is created with + socketpair(), as done in the fuzzer testing, the path struct member is + uninitialized and must not be accessed. - - we can't add everyone who's helping out so its unfair to just a few - selected ones. - - we already list all helpers in THANKS and in RELEASE-NOTES for each - release - - we don't want to give the impression that some parts of the code is - "owned" or "controlled" by specific persons + Bug: https://crbug.com/oss-fuzz/16699 - Assisted-by: Daniel Gustafsson - Closes #4129 + Closes #4283 -Version 7.65.3 (19 Jul 2019) +- [Rolf Eike Beer brought this change] -Daniel Stenberg (19 Jul 2019) -- RELEASE-NOTES: 7.65.3 + CMake: remove needless newlines at end of gss variables -- THANKS: 7.65.3 status +- [Rolf Eike Beer brought this change] -- progress: make the progress meter appear again + CI: remove duplicate configure flag for LGTM.com + +- [Rolf Eike Beer brought this change] + + CMake: use platform dependent name for dlopen() library - Fix regression caused by 21080e1 + Closes #4279 + +- quiche: expire when poll returned data - Reported-by: Chih-Hsuan Yen - Fixes #4122 - Closes #4124 + ... to make sure we continue draining the queue until empty + + Closes #4281 -- version: bump to 7.65.3 +- quiche: decrease available buffer size, don't assign it! 
+ + Found-by: Jeremy Lainé -- RELEASE-NOTES: Contributors or now 1990 +- RELEASE-NOTES: synced -Version 7.65.2 (17 Jul 2019) +- [Kyohei Kadota brought this change] -Daniel Stenberg (17 Jul 2019) -- RELEASE-NOTES: 7.65.2 + curl: fix include conditions -- THANKS: add contributors from 7.65.2 +- [Kyohei Kadota brought this change] -Jay Satiro (17 Jul 2019) -- [aasivov brought this change] + plan9: fix installation instructions + + Closes #4276 - cmake: Fix finding Brotli on case-sensitive file systems +- ngtcp2: on h3 stream close, call expire - - Find package "Brotli" instead of "BROTLI" since the former is the - casing used for CMake/FindBrotli.cmake, and otherwise find_package - may fail on a case-sensitive file system. + ... to trigger a new read to detect the stream close! - Fixes https://github.com/curl/curl/issues/4117 + Closes #4275 -- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - - AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've - cautioned against using it for that purpose and included a workaround. 
+- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl - Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html - Reported-by: Christopher Head + Closes #4278 + +- ngtcp2: set flow control window to stream buffer size - Closes https://github.com/curl/curl/issues/3814 + Closes #4274 -- [Stefano Simonelli brought this change] +- [Christopher Head brought this change] - CURLOPT_SEEKDATA.3: fix variable name + CURLOPT_HEADERFUNCTION.3: clarify - Closes https://github.com/curl/curl/pull/4118 + Closes #4273 -- [Giorgos Oikonomou brought this change] +- CURLINFO docs: mention that in redirects times are added + + Suggested-by: Brandon Dong + Fixes #4250 + Closes #4269 - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH +- travis: enable ngtcp2 builds again - If the SSL backend is Schannel and the user specifies an Schannel CALG_ - that is not supported by the protocol or the server then curl returns - CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. + Switched to the openssl-quic-draft-22 openssl branch. - Fixes https://github.com/curl/curl/issues/3389 - Closes https://github.com/curl/curl/pull/4106 + Closes #4271 -- [Daniel Gustafsson brought this change] +- HTTP3: switched openssl branch to use - nss: inspect returnvalue of token check - - PK11_IsPresent() checks for the token for the given slot is available, - and sets needlogin flags for the PK11_Authenticate() call. Should it - return false, we should however treat it as an error and bail out. - - Closes https://github.com/curl/curl/pull/4110 +- [Tatsuhiro Tsujikawa brought this change] -- docs: Explain behavior change in --tlsv1. options since 7.54 - - Since 7.54 --tlsv1. options use the specified version or later, however - older versions of curl documented it as using just the specified version - which may or may not have happened depending on the TLS library. 
- Document this discrepancy to allay confusion for users familiar with the - old documentation that expect just the specified version. + ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl - Fixes https://github.com/curl/curl/issues/4097 - Closes https://github.com/curl/curl/pull/4119 + Closes #4270 -- libcurl: Restrict redirect schemes (follow-up) +- http2: when marked for closure and wanted to close == OK - - Allow FTPS on redirect. + It could otherwise return an error even when closed correctly if GOAWAY + had been received previously. - - Update default allowed redirect protocols in documentation. + Reported-by: Tom van der Woerdt + Fixes #4267 + Closes #4268 + +- RELEASE-NOTES: synced + +- build-openssl: fix build with Visual Studio 2019 - Follow-up to 6080ea0. + Reviewed-by: Marcel Raad + Contributed-by: osabc on github + Fixes #4188 + Closes #4266 + +Kamil Dudka (26 Aug 2019) +- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure - Ref: https://github.com/curl/curl/pull/4094 + This is a follow-up to https://github.com/curl/curl/pull/3864 . - Closes https://github.com/curl/curl/pull/4115 + Closes #4224 -Daniel Stenberg (16 Jul 2019) -- test1173: make it also check all libcurl option man pages +Daniel Stenberg (26 Aug 2019) +- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows - ... and adjust those that cause errors + Closes #4040 + +- quiche: send the HTTP body correctly on callback uploads - Closes #4116 + Closes #4265 -- curl: only accept COLUMNS less than 10000 +- travis: disable ngtcp2 builds (temporarily) - ... as larger values would rather indicate something silly (and could - potentially cause buffer problems). 
+ Just too many API changes right now - Reported-by: pendrek at hackerone - Closes #4114 + Closes #4264 -- dist: add manpage-syntax.pl +- ngtcp2: add support for SSLKEYLOGFILE - follow-up to 7fb66c403 + Closes #4260 -- test1173: detect some basic man page format mistakes - - Triggered by PR #4111 +- ngtcp2: improve h3 response receiving - Closes #4113 + Closes #4259 -Jay Satiro (15 Jul 2019) -- [Bjarni Ingi Gislason brought this change] +- ngtcp2: use nghttp3_version() - docs: Fix missing lines caused by undefined macros +- ngtcp2: sync with upstream API changes - - Escape apostrophes at line start. + Assisted-by: Tatsuhiro Tsujikawa + +- [Kyle Abramowitz brought this change] + + scp: fix directory name length used in memcpy - Some lines begin with a "'" (apostrophe, single quote), which is then - interpreted as a control character in *roff. + Fix read off end of array due to bad pointer math in getworkingpath for + SCP home directory case. - Such lines are interpreted as being a call to a macro, and if - undefined, the lines are removed from the output. + Closes #4258 + +- http: the 'closed' struct field is used by both ngh2 and ngh3 - Bug: https://bugs.debian.org/926352 - 
Signed-off-by: Bjarni Ingi Gislason + and remove 'header_recvbuf', not used for anything - Submitted-by: Alessandro Ghedini + Reported-by: Jeremy Lainé - Closes https://github.com/curl/curl/pull/4111 + Closes #4257 -Daniel Stenberg (14 Jul 2019) -- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults +- ngtcp2: accept upload via callback - follow-up to 6080ea098 - -- [Linos Giannopoulos brought this change] + Closes #4256 - libcurl: Add testcase for gopher redirects +- defines: avoid underscore-prefixed defines - The testcase ensures that redirects to CURLPROTO_GOPHER won't be - allowed, by default, in the future. Also, curl is being used - for convenience while keeping the testcases DRY. + Double-underscored or underscore plus uppercase letter at least. - The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is - redirected to CURLPROTO_GOPHER + ... as they're claimed to be reserved. - 
Signed-off-by: Linos Giannopoulos + Reported-by: patnyb on github + + Fixes #4254 + Closes #4255 -- [Linos Giannopoulos brought this change] +- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) + + Runs no tests + + Closes #4253 - libcurl: Restrict redirect schemes +- travis: bump to using nghttp2 version 1.39.2 - All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS - counterpart were allowed for redirect. This vastly broadens the - exploitation surface in case of a vulnerability such as SSRF [1], where - libcurl-based clients are forced to make requests to arbitrary hosts. + Closes #4252 + +- [Gisle Vanem brought this change] + + docs/examples/curlx: fix errors - For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based - protocol by URL-encoding a payload in the URI. Gopher will open a TCP - connection and send the payload. + Initialise 'mimetype' and require the -p12 arg. - Only HTTP/HTTPS and FTP are allowed. All other protocols have to be - explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. + Closes #4248 + +- cleanup: remove DOT_CHAR completely - [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ + Follow-up to f9c7ba9096ec - 
Signed-off-by: Linos Giannopoulos + The use of DOT_CHAR for ".ssh" was probably a mistake and is removed + now. - Closes #4094 - -- [Zenju brought this change] + Pointed-out-by: Gisle Vanem + Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + + Closes #4247 - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number +- spnego_sspi: add typecast to fix build warning - Closes #4100 + Reported in build "Win32 target on Debian Stretch (64-bit) - + i686-w64-mingw32 - gcc-20170516" + + Closes #4245 -- [Peter Simonyi brought this change] +- openssl: build warning free with boringssl + + Closes #4244 - http: allow overriding timecond with custom header +- curl: make --libcurl use CURL_HTTP_VERSION_3 - With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. - If-Modified-Since). Allow this to be replaced or suppressed with - CURLOPT_HTTPHEADER. + Closes #4243 + +- ngtcp2: make postfields-set posts work - Fixes #4103 - Closes #4109 + Closes #4242 -Jay Satiro (11 Jul 2019) -- [Juergen Hoetzel brought this change] +- http: remove chunked-encoding and expect header use for HTTP/3 - smb: Use the correct error code for access denied on file open +- [Alessandro Ghedini brought this change] + + configure: use pkg-config to detect quiche - - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. + This removes the need to hard-code the quiche target path in + configure.ac. - Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. + This depends on https://github.com/cloudflare/quiche/pull/128 - Closes https://github.com/curl/curl/pull/4095 - -- [Daniel Gustafsson brought this change] + Closes #4237 - DEPRECATE: fixup versions and spelling +- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 - Correctly set the July 17 version to 7.65.2, and update spelling to - be consistent. Also fix a typo. 
+ For a long time (since 7.28.1) we've returned error when setting the + value to 1 to make applications notice that we stopped supported the old + behavior for 1. Starting now, we treat 1 and 2 exactly the same. - Closes https://github.com/curl/curl/pull/4107 - -- [Gisle Vanem brought this change] + Closes #4241 - system_win32: fix clang warning +- curl: use .curlrc (with a dot) on Windows as well - - Declare variable in header as extern. + Fall-back to _curlrc if the dot-version is missing. - Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 + Co-Authored-By: Steve Holme + + Closes #4230 -Daniel Gustafsson (10 Jul 2019) -- headers: Remove no longer exported functions +- netrc: make the code try ".netrc" on Windows as well - There were a leftover few prototypes of Curl_ functions that we used to - export but no longer do, this removes those prototypes and cleans up any - comments still referring to them. + ... but fall back and try "_netrc" too if the dot version didn't work. - Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() - Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() - were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. - Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. + Co-Authored-By: Steve Holme + +- ngtcp2: use ngtcp2_version() to get the run-time version - For the remainder, I didn't trawl the Git logs hard enough to capture - their exact time of deletion, but they were all gone: Curl_splayprint(), - Curl_http2_send_request(), Curl_global_host_cache_dtor(), - Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), - Curl_http_auth_stage() and Curl_close_connections(). + ... which of course doesn't have to be the same used at build-time. - Closes #4096 - Reviewed-by: Daniel Stenberg + Function just recently merged in ngtcp2. 
-- CMake: fix typos and spelling +- ngtcp2: move the h3 initing to immediately after the rx key + + To fix a segfault and to better deal with 0-RTT + + Assisted-by: Tatsuhiro Tsujikawa -- [Kyle Edwards brought this change] +- [Alessandro Ghedini brought this change] - CMake: Convert errant elseif() to else() + quiche: register debug callback once and earlier - CMake interprets an elseif() with no arguments as elseif(FALSE), - resulting in the elseif() block not being executed. That is not what - was intended here. Change the empty elseif() to an else() as it was - intended. + The quiche debug callback is global and can only be initialized once, so + make sure we don't do it multiple times (e.g. if multiple requests are + executed). - Closes #4101 - Reported-by: Artalus - Reviewed-by: Daniel Gustafsson - -- buildconf: fix header filename + In addition this initializes the callback before the connection is + created, so we get logs for the handshake as well. - The header file inclusion had a typo, it should be .h and not .hd. - Fix by renaming. + Closes #4236 + +- ssh: add a generic Curl_ssh_version function for SSH backends - Fixes #4102 - Reported-by: AceCrow on Github + Closes #4235 -- [Jan Chren brought this change] +- base64: check for SSH, not specific SSH backends - configure: fix --disable-code-coverage +- vssh: move ssh init/cleanup functions into backend code + +- vssh: create directory for SSH backend code + +- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - This fixes the case when --disable-code-coverage supplied to ./configure - would result in coverage="yes" being set. + HTTP3 is now already in full progress - Closes #4099 - Reviewed-by: Daniel Gustafsson - -- cleanup: fix typo in comment + Downgrade redirects can be achived almost exactly like that by setting + CURLOPT_REDIR_PROTOCOLS. 
- RELEASE-NOTES: synced -Jay Satiro (6 Jul 2019) -- [Daniel Gustafsson brought this change] +- travis: add a quiche build + + Closes #4207 - nss: support using libnss on macOS +- http: fix use of credentials from URL when using HTTP proxy - The file suffix for dynamically loadable objects on macOS is .dylib, - which need to be added for the module definitions in order to get the - NSS TLS backend to work properly on macOS. + When a username and password are provided in the URL, they were wrongly + removed from the stored URL so that subsequent uses of the same URL + wouldn't find the crendentials. This made doing HTTP auth with multiple + connections (like Digest) mishave. - Closes https://github.com/curl/curl/pull/4046 - -- [Daniel Gustafsson brought this change] - - nss: don't set unused parameter + Regression from 46e164069d1a5230 (7.62.0) - The value of the maxPTDs parameter to PR_Init() has since at least - NSPR 2.1, which was released sometime in 1998, been marked ignored - as is accordingly not used in the initialization code. Setting it - to a value when calling PR_Init() is thus benign, but indicates an - intent which may be misleading. Reset the value to zero to improve - clarity. + Test case 335 added to verify. - Closes https://github.com/curl/curl/pull/4054 + Reported-by: Mike Crowe + + Fixes #4228 + Closes #4229 -- [Daniel Gustafsson brought this change] +- [Mike Crowe brought this change] - nss: only cache valid CRL entries + tests: Replace outdated test case numbering documentation - Change the logic around such that we only keep CRLs that NSS actually - ended up caching around for later deletion. If CERT_CacheCRL() fails - then there is little point in delaying the freeing of the CRL as it - is not used. + Tests are no longer grouped by numeric range[1]. Let's stop saying that + and provide some alternative advice for numbering tests. 
- Closes https://github.com/curl/curl/pull/4053 - -- [Gergely Nagy brought this change] + [1] https://curl.haxx.se/mail/lib-2019-08/0043.html + + Closes #4227 - lib: Use UTF-8 encoding in comments +- travis: reduce number of torture tests in 'coverage' - Some editors and IDEs assume that source files use UTF-8 file encodings. - It also fixes the build with MSVC when /utf-8 command line option is - used (this option is mandatory for some other open-source projects, this - is useful when using the same options is desired for building all - libraries of a project). + ... to make it complete in time. This cut seems not almost not affect + the coverage percentage and yet completes within 35 minutes on travis + where the previous runs recently always timed out after 50. - Closes https://github.com/curl/curl/pull/4087 + Closes #4223 -- [Caleb Raitto brought this change] +- [Igor Makarov brought this change] - CURLOPT_HEADEROPT.3: Fix example + configure: use -lquiche to link to quiche - Fix an issue where example builds a curl_slist, but fails to actually - use it, or free it. + Closes #4226 + +- ngtcp2: provide the callbacks as a static struct - Closes https://github.com/curl/curl/pull/4090 + ... instead of having them in quicsocket -- [Shankar Jadhavar brought this change] +- [Tatsuhiro Tsujikawa brought this change] - winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - - - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. + ngtcp2: add missing nghttp3_conn_add_write_offset call - - Also removed some ^M chars from file. - - Prior to this change while building on Windows platform even if we pass - the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does - not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 
- - Closes https://github.com/curl/curl/pull/4086 + Closes #4225 -Daniel Stenberg (4 Jul 2019) -- doh-url.d: added in 7.62.0 +- [Tatsuhiro Tsujikawa brought this change] -Jay Satiro (30 Jun 2019) -- docs: Fix links to OpenSSL docs - - OpenSSL changed their manual locations and does not redirect to the new - locations. + ngtcp2: deal with stream close + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Consume QUIC STREAM data properly + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: don't reinitialize SSL on Retry + +- multi: getsock improvements for QUIC connecting + +- connect: connections are persistent by default for HTTP/3 + +- quiche: happy eyeballs - Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html - Reported-by: Daniel Stenberg + Closes #4220 -Daniel Stenberg (26 Jun 2019) -- [Gaël PORTAY brought this change] +- ngtcp2: do QUIC connections happy-eyeballs friendly - curl_multi_wait.3: escape backslash in example +- curl_version: bump string buffer size to 250 - The backslash in the character Line Feed must be escaped. + With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which + causes a truncated output). + +- CURLOPT_ALTSVC.3: use a "" file name to not load from a file + +Jay Satiro (14 Aug 2019) +- vauth: Use CURLE_AUTH_ERROR for auth function errors - The current man-page outputs the code as following: + - Add new error code CURLE_AUTH_ERROR. - fprintf(stderr, "curl_multi failed, code %d.0, mc); + Prior to this change auth function errors were signaled by + CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was + technically correct. - The commit fixes it as follow: + Ref: https://github.com/curl/curl/pull/3848 - fprintf(stderr, "curl_multi failed, code %d\n", mc); + Co-authored-by: Dominik Hölzl - Closes #4079 + Closes https://github.com/curl/curl/pull/3864 -- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined +Daniel Stenberg (13 Aug 2019) +- curl_version_info: make the quic_version a const - ... 
since that needs UI_OpenSSL() which isn't provided when OpenSSL is - built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for - UWP (with "VC-WIN32-UWP"). + Follow-up from 1a2df1518ad8653f - Reported-by: Vasily Lobaskin - Fixes #4073 - Closes #4077 + Closes #4222 -- test1521: adapt to SLISTPOINT +- examples: add http3.c, altsvc.c and http3-present.c - The header now has the slist-using options marked as SLISTPOINT so this - makes sure test 1521 understands that. + Closes #4221 + +Peter Wu (13 Aug 2019) +- nss: use TLSv1.3 as default if supported - Follow-up to ae99b4de1c443ae989 + SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported + range in NSS 3.45. It looks like the intention is to raise the minimum + version rather than lowering the maximum, so adjust accordingly. Note + that the caller (nss_setup_connect) initializes the version range to + (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. - Closes #4074 + Closes #4187 + Reviewed-by: Daniel Stenberg + Reviewed-by: Kamil Dudka -- win32: make DLL loading a no-op for UWP +Daniel Stenberg (13 Aug 2019) +- quic.h: remove unused proto + +- curl_version_info.3: mentioned ALTSVC and HTTP3 - Reported-by: Michael Brehm - Fixes #4060 - Closes #4072 + ... and sorted the list alphabetically -- [1ocalhost brought this change] +- lib/quic.c: unused - removed - configure: fix typo '--disable-http-uath' +- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED - Closes #4076 + Follow-up to 98c3f148 that removed it from the header file -- [Niklas Hambüchen brought this change] +- [Junho Choi brought this change] - docs: fix string suggesting HTTP/2 is not the default - - Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the - man page that new default is mentioned, but the section at the top - contradicted it until now. + docs/HTTP3: simplify quiche build instruction - Also remove claim that setting the HTTP version is not sensible. 
+ Use --recursive to get boringssl in one line - Closes #4075 + Closes #4219 -- RELEASE-NOTES: synced +- altsvc: make it use h3-22 with ngtcp2 as well -- [Stephan Szabo brought this change] +- ngtcp2: initial h3 request work + + Closes #4217 - tests: update fixed IP for hostip/clientip split +- curl_version_info: offer quic (and h3) library info - These tests give differences for me on linux when using a hostip - pointing to the external ip address for the local machine. + Closes #4216 + +- HTTP3: use ngtcp2's draft-22 branch + +- RELEASE-NOTES: synced + +- CURLOPT_READFUNCTION.3: provide inline example - Closes #4070 + ... instead of mentioning one in another place -Daniel Gustafsson (24 Jun 2019) -- http: clarify header buffer size calculation +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: send HTTP/3 request with nghttp3 - The header buffer size calculation can from static analysis seem to - overlow as it performs an addition between two size_t variables and - stores the result in a size_t variable. Overflow is however guarded - against elsewhere since the input to the addition is regulated by - the maximum read buffer size. Clarify this with a comment since the - question was asked. + This commit makes sending HTTP/3 request with nghttp3 work. It + minimally receives HTTP response and calls nghttp3 callbacks, but no + processing is made at the moment. 
- Reviewed-by: Daniel Stenberg + Closes #4215 -Daniel Stenberg (24 Jun 2019) -- KNOWN_BUGS: Don't clear digest for single realm - - Closes #3267 +- nghttp3: initial h3 template code added -- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname +- nghttp3: required when ngtcp2 is used for QUIC - Closes #3284 + - checked for by configure + - updated docs/HTTP3.md + - shown in the version string + + Closes #4210 -- http2: call done_sending on end of upload +- [Eric Wong brought this change] + + asyn-thread: issue CURL_POLL_REMOVE before closing socket - To make sure a HTTP/2 stream registers the end of stream. + This avoids EBADF errors from EPOLL_CTL_DEL operations in the + ephiperfifo.c example. EBADF is dangerous in multi-threaded + applications where I rely on epoll_ctl to operate on the same + epoll description from different threads. - Bug #4043 made me find this problem but this fix doesn't correct the - reported issue. + Follow-up to eb9a604f8d7db8 - Closes #4068 + Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html + Closes #4211 -- [James Brown brought this change] +- [Carlo Marcelo Arenas Belón brought this change] - c-ares: honor port numbers in CURLOPT_DNS_SERVERS + configure: avoid undefined check_for_ca_bundle - By using ares_set_servers_ports_csv on new enough c-ares. + instead of using a "greater than 0" test, check for variable being + set, as it is always set to 1, and could be left unset if non of + OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. 
- Fixes #4066 - Closes #4067 - -Daniel Gustafsson (24 Jun 2019) -- CURLMOPT_SOCKETFUNCTION.3: fix typo + Closes #4213 -Daniel Stenberg (24 Jun 2019) -- [Koen Dergent brought this change] +- [Tatsuhiro Tsujikawa brought this change] - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds + ngtcp2: Send ALPN h3-22 - Closes #4061 + Closes #4212 -- test153: fix content-length to avoid occasional hang - - Closes #4065 +- [Tatsuhiro Tsujikawa brought this change] -- RELEASE-NOTES: synced + ngtcp2: use ngtcp2_settings_default and specify initial_ts -- multi: enable multiplexing by default (again) - - It was originally made default in d7c4213bd0c (7.62.0) but mistakenly - reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. - - Closes #4051 +- curl_global_init_mem.3: mention it was added in 7.12.0 -- typecheck: add 3 missing strings and a callback data pointer +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: make the QUIC handshake work - Closes #4050 + Closes #4209 -- tests: add disable-scan.pl to dist +- [Alex Mayorga brought this change] + + HTTP3.md: Update quiche build instructions - follow-up from 29177f422a5 + Added cloning for quiche and BoringSSL and modified the build + instructions so they work on a clean folder. - Closes #4059 + Closes #4208 -- http2: don't call stream-close on already closed streams +- CURLOPT_H3: removed - Closes #4055 + There's no use for this anymore and it was never in a release. + + Closes #4206 -Marcel Raad (20 Jun 2019) -- travis: enable alt-svc for coverage build +- http3: make connection reuse work - Closes + Closes #4204 -- travis: enable libssh2 for coverage build +- quiche: add SSLKEYLOGFILE support + +- cleanup: s/curl_debug/curl_dbg_debug in comments and docs - It was enabled by default before commit c92d2e14cfb. + Leftovers from the function rename back in 76b63489495 - Disable torture tests 600 and 601 because of - https://github.com/curl/curl/issues/1678. 
+ Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com + mitcomment-34601751 - Closes + Closes #4203 -- travis: disable threaded resolver for coverage build - - This enables more tests. - - Closes +- RELEASE-NOTES: synced -- travis: enable brotli for all xenial jobs +- alt-svc: add protocol version selection masking - There's no need for a separate job, and no need to build it from source - with Xenial. + So that users can mask in/out specific HTTP versions when Alt-Svc is + used. - Closes - -- travis: enable warnings-as-errors for coverage build + - Removed "h2c" and updated test case accordingly + - Changed how the altsvc struct is laid out + - Added ifdefs to make the unittest run even in a quiche-tree - Closes - -GitHub (20 Jun 2019) -- [Gisle Vanem brought this change] - - system_win32: fix typo + Closes #4201 -Daniel Stenberg (20 Jun 2019) -- typecheck: CURLOPT_CONNECT_TO takes an slist too - - Additionally, add an alias in curl.h for slist-using options so that - we can grep/parse those out at will. +- http3: fix the HTTP/3 in the request, make alt-svc set right versions - Closes #4042 - -- [Stephan Szabo brought this change] + Closes #4200 - tests: support non-localhost HOSTIP for dict/smb servers +- alt-svc: send Alt-Used: in redirected requests - smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for - binding the server which when we were running the tests with a separate - HOSTIP and CLIENTIP had failures verifying the server from the device we - were testing. + RFC 7838 section 5: - This changes them to take the address from runtests.py and default to - localhost/127.0.0.1 if none is given. + When using an alternative service, clients SHOULD include an Alt-Used + header field in all requests. 
- Closes #4048 - -- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT - -- configure: --disable-progress-meter + Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus + this is deemed ok). - Builds libcurl without support for the built-in progress meter. + You can disable sending this header just like you disable any other HTTP + header in libcurl. - Closes #4023 + Closes #4199 -- curl: improved skip-setopt-options when built with disabled features - - Reduces #ifdefs in src/tool_operate.c +- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - Follow-up from 4e86f2fc4e6 - Closes #3936 - -Steve Holme (18 Jun 2019) -- netrc: Return the correct error code when out of memory + Even though it cannot fall-back to a lower HTTP version automatically. The + safer way to upgrade remains via CURLOPT_ALTSVC. - Introduced in 763c5178. + CURLOPT_H3 no longer has any bits that do anything and might be removed + before we remove the experimental label. - Closes #4036 - -Daniel Stenberg (18 Jun 2019) -- config-os400: add getpeername and getsockname defines + Updated the curl tool accordingly to use "--http3". - Reported-by: jonrumsey on github - Fixes #4037 - Closes #4039 + Closes #4197 -- runtests: keep logfiles around by default - - Make '-k' a no-op. The singletest function now clears the log directory - BEFORE each individual test and not after, which makes it possible to - always keep the logfiles around after a test has been run. No need to - specify -k anymore. Keeping the option parsing around to work with users - of old habits. +- docs/ALTSVC: remove what works and the experimental explanation - Some tests also didn't work properly when -k was used (since the old - logs would be kep when a new test starts) which this change also fixes. + Also, put the TODO items at the bottom. 
- Closes #4035 + Closes #4198 -- [Gergely Nagy brought this change] +- docs/EXPERIMENTAL: explain what it means and what's experimental now - openssl: fix pubkey/signature algorithm detection in certinfo +- curl: make use of CURLINFO_RETRY_AFTER when retrying - Certinfo gives the same result for all OpenSSL versions. - Also made printing RSA pubkeys consistent with older versions. + If a Retry-After: header was used in the response, that value overrides + other retry timing options. - Reported-by: Michael Wallner - Fixes #3706 - Closes #4030 + Fixes #3794 + Closes #4195 -- conn_maxage: move the check to prune_dead_connections() - - ... and avoid the locking issue. +- curl: use CURLINFO_PROTOCOL to check for HTTP(s) - Reported-by: Kunal Ekawde - Fixes #4029 - Closes #4032 + ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. -- tests: have runtests figure out disabled features - - ... so that runtests can skip individual test cases that test features - that are explicitly disabled in this build. This new logic is intended - for disabled features that aren't otherwise easily visible through the - curl_version_info() or other API calls. +- CURLINFO_RETRY_AFTER: parse the Retry-After header value - tests/server/disabled is a newly built executable that will output a - list of disabled features. Outputs nothing for a default build. + This is only the libcurl part that provides the information. There's no + user of the parsed value. This change includes three new tests for the + parser. - Closes #3950 + Ref: #3794 -- test188/189: fix Content-Length +- docs/ALTSVC.md: first basic file format description + +- curl: have -w's 'http_version' show '3' for HTTP/3 - This cures the flaky test results + Closes #4196 + +- curl.h: add CURL_HTTP_VERSION_3 to the version enum - Closes #4034 + It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with + CURLINFO_HTTP_VERSION. 
-- [Thomas Gamper brought this change] +- quiche: make use of the connection timeout API properly - winbuild: use WITH_PREFIX if given - - Closes #4031 +- quiche: make POSTFIELDS posts work -Daniel Gustafsson (17 Jun 2019) -- openssl: remove outdated comment - - OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), - which is why we switched to CONF_modules_load_file() and introduced - a comment stating why. This behavior was however changed in OpenSSL - commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now - outdated and incorrect comment. The mentioned commit also declares - OPENSSL_config() deprecated so keep the current coding. - - Closes #4033 - Reviewed-by: Daniel Stenberg +- quiche: improved error handling and memory cleanups + +- quiche: flush egress in h3_stream_recv() too -Daniel Stenberg (16 Jun 2019) - RELEASE-NOTES: synced -Patrick Monnerat (16 Jun 2019) -- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. +Jay Satiro (6 Aug 2019) +- [Patrick Monnerat brought this change] + + os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). - Use it in curl_easy_setopt_ccsid(). + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Reported-by: jonrumsey on github - Fixes #3833 - Closes #4028 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (15 Jun 2019) -- runtests: report single test time + total duration +- tests: Fix the line endings for the SASL alt-auth tests - ... after each successful test. + - Change data and protocol sections to CRLF line endings. 
- Closes #4027 - -- multi: fix the transfer hash function + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. - Follow-up from 8b987cc7eb + Follow-up to grandparent commit which added the tests. - Reported-by: Tom van der Woerdt - Fixes #4018 - Closes #4024 - -- unit1654: cleanup on memory failure + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - ... to make it handle torture tests properly. + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Reported-by: Marcel Raad - Fixes #4021 - Closes #4022 + Closes https://github.com/curl/curl/pull/4186 -Marcel Raad (13 Jun 2019) -- krb5: fix compiler warning +- [Steve Holme brought this change] + + examples: Added SASL PLAIN authorisation identity (authzid) examples - Even though the variable was used in a DEBUGASSERT, GCC 8 warned in - debug mode: - krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Just suppress the warning and declare the variable unconditionally - instead of only for DEBUGBUILD (which also missed the check for - HAVE_ASSERT_H). + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. 
- Closes https://github.com/curl/curl/pull/4020 + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (13 Jun 2019) -- quote.d: asterisk prefix works for SFTP as well - - Reported-by: Ben Voris - Fixes #4017 - Closes #4019 +- [Steve Holme brought this change] -- multi: fix the transfer hashes in the socket hash entries + curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - - The transfer hashes weren't using the correct keys so removing entries - failed. + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - - Simplified the iteration logic over transfers sharing the same socket and - they now simply are set to expire and thus get handled in the "regular" - timer loop instead. + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Reported-by: Tom van der Woerdt - Fixes #4012 - Closes #4014 + Closes https://github.com/curl/curl/pull/4186 -Jay Satiro (12 Jun 2019) -- [Cliff Crosland brought this change] +- [Steve Holme brought this change] - url: Fix CURLOPT_MAXAGE_CONN time comparison - - Old connections are meant to expire from the connection cache after - CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x - that value. This occurs because a time value measured in milliseconds is - accidentally divided by 1M instead of by 1,000. + sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - Closes https://github.com/curl/curl/pull/4013 - -Daniel Stenberg (11 Jun 2019) -- test1165: verify that CURL_DISABLE_ symbols are in sync - - between configure.ac and source code. They should be possible to switch - on/off in configure AND be used in source code. - -- configure: remove CURL_DISABLE_TLS_SRP - - It isn't used by code so stop providing the define. 
- - Closes #4010 - -- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. - This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. + Fixes #3653 + Closes #3790 - Apparently several of the appveyor windows builds broke. - -- [sergey-raevskiy brought this change] - - cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Reviewed-by: Jakub Zakrzewski - Closes #3770 + Closes https://github.com/curl/curl/pull/4186 -- RELEASE-NOTES: synced +Daniel Stenberg (6 Aug 2019) +- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested -- http2: remove CURL_DISABLE_TYPECHECK define - - ... in http2-less builds as it served no use. +- [Yiming Jing brought this change] -- configure: more --disable switches to toggle off individual features - - ... actual support in the code for disabling these has already landed. + mesalink: implement client authentication - Closes #4009 + Closes #4184 -- wolfssl: fix key pinning build error +- curl_multi_poll: a sister to curl_multi_wait() that waits more - follow-up from deb9462ff2de8 - -- CURLMOPT_SOCKETFUNCTION.3: clarified + Repeatedly we see problems where using curl_multi_wait() is difficult or + just awkward because if it has no file descriptor to wait for + internally, it returns immediately and leaves it to the caller to wait + for a small amount of time in order to avoid occasional busy-looping. - Moved away the callback explanation from curl_multi_socket_action.3 and - expanded it somewhat. 
+ This is often missed or misunderstood, leading to underperforming + applications. - Closes #4006 - -- wolfssl: fixup for SNI use + This change introduces curl_multi_poll() as a replacement drop-in + function that accepts the exact same set of arguments. This function + works identically to curl_multi_wait() - EXCEPT - for the case when + there's nothing to wait for internally, as then this function will by + itself wait for a "suitable" short time before it returns. This + effectiely avoids all risks of busy-looping and should also make it less + likely that apps "over-wait". - follow-up from deb9462ff2de8 + This also changes the curl tool to use this funtion internally when + doing parallel transfers and changes curl_easy_perform() to use it + internally. - Closes #4007 + Closes #4163 -- CURLOPT_CAINFO.3: polished wording - - Clarify the functionality when built to use Schannel and Secure - Transport and stop calling it the "recommended" or "preferred" way and - instead rather call it the default. - - Removed the reference to the ssl comparison table as it isn't necessary. +- quiche:h3_stream_recv return 0 at end of stream - Reported-by: Richard Alcock - Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html - Closes #4005 + ... and remove some verbose messages we don't need. Made transfers from + facebook.com work better. -GitHub (10 Jun 2019) -- [Daniel Stenberg brought this change] +- altsvc: make quiche use h3-22 now - SECURITY.md: created - - Brief security policy description for use/display on github. 
+- quiche: show the actual version number -Daniel Gustafsson (10 Jun 2019) -- tool_cb_prg: Fix integer overflow in progress bar +- quiche: first working HTTP/3 request - Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar - width calculation to avoid integer overflow, but failed to account for - the fact that initial_size is initialized to -1 when the file size is - retrieved from the remote on an upload, causing another signed integer - overflow. Fix by separately checking for this case before the width - calculation. + - enable debug log + - fix use of quiche API + - use download buffer + - separate header/body - Closes #3984 - Reported-by: Brian Carpenter (Geeknik Labs) - Reviewed-by: Daniel Stenberg + Closes #4193 -Daniel Stenberg (10 Jun 2019) -- wolfssl: refer to it as wolfSSL only +- http09: disable HTTP/0.9 by default in both tool and library - Remove support for, references to and use of "cyaSSL" from the source - and docs. wolfSSL is the current name and there's no point in keeping - references to ancient history. + As the plan has been laid out in DEPRECATED. Update docs accordingly and + verify in test 1174. Now requires the option to be set to allow HTTP/0.9 + responses. 
- Assisted-by: Daniel Gustafsson + Closes #4191 + +- quiche: initial h3 request send/receive + +- lib/Makefile.am: make checksrc run in vquic too + +- altsvc: fix removal of expired cache entry - Closes #3903 + Closes #4192 - RELEASE-NOTES: synced -- bindlocal: detect and avoid IP version mismatches in bind() +Steve Holme (4 Aug 2019) +- md4: Use our own MD4 implementation when no crypto libraries are available - Reported-by: Alex Grebenschikov - Fixes #3993 - Closes #4002 + Closes #3780 -- multi: make sure 'data' can present in several sockhash entries +- md4: No need to include Curl_md4.h for each TLS library + +- md4: No need for the NTLM code to call Curl_md4it() for each TLS library - Since more than one socket can be used by each transfer at a given time, - each sockhash entry how has its own hash table with transfers using that - socket. + As the NTLM code no longer calls any of TLS libraries' specific MD4 + functions, there is no need to call this function for each #ifdef. + +- md4: Move the mbed TLS MD4 implementation out of the NTLM code + +- md4: Move the WinCrypt implementation out of the NTLM code + +- md4: Move the SecureTransport implementation out of the NTLM code + +- md4: Use the Curl_md4it() function for OpenSSL based NTLM + +- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code + +- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code + +Jay Satiro (4 Aug 2019) +- OS400: Add CURLOPT_H3 symbols - In addition, the sockhash entry can now be marked 'blocked = TRUE'" - which then makes the delete function just set 'removed = TRUE' instead - of removing it "for real", as a way to not rip out the carpet under the - feet of a parent function that iterates over the transfers of that same - sockhash entry. + Follow-up to 3af0e76 which added experimental H3 support. 
- Reported-by: Tom van der Woerdt - Fixes #3961 - Fixes #3986 - Fixes #3995 - Fixes #4004 - Closes #3997 + Closes https://github.com/curl/curl/pull/4185 -- [Sorcus brought this change] +Daniel Stenberg (3 Aug 2019) +- url: make use of new HTTP version if alt-svc has one - libcurl-tutorial.3: Fix small typo (mutipart -> multipart) +- url: set conn->transport to default TCP at init time + +- altsvc: with quiche, use the quiche h3 alpn string - Fixed-by: MrSorcus on github - Closes #4000 + Closes #4183 -- unpause: trigger a timeout for event-based transfers +- alt-svc: more liberal ALPN name parsing - ... so that timeouts or other state machine actions get going again - after a changing pause state. For example, if the last delivery was - paused there's no pending socket activity. + Allow pretty much anything to be part of the ALPN identifier. In + particular minus, which is used for "h3-20" (in-progress HTTP/3 + versions) etc. - Reported-by: sstruchtrup on github - Fixes #3994 - Closes #4001 + Updated test 356. + Closes #4182 -Marcel Raad (9 Jun 2019) -- travis: use xenial LLVM package for scan-build - - I missed that in commit 99a49d6. +- quiche: use the proper HTTP/3 ALPN -- travis: update scan-build job to xenial +- quiche: add failf() calls for two error cases - Closes https://github.com/curl/curl/pull/3999 + To aid debugging + + Closes #4181 -Daniel Stenberg (8 Jun 2019) -- bump: start working on 7.65.2 +- mailmap: added Kyohei Kadota -Marcel Raad (5 Jun 2019) -- examples/htmltitle: use C++ casts between pointer types +Kamil Dudka (1 Aug 2019) +- http_negotiate: improve handling of gss_init_sec_context() failures - Compilers and static analyzers warn about using C-style casts here. + If HTTPAUTH_GSSNEGOTIATE was used for a POST request and + gss_init_sec_context() failed, the POST request was sent + with empty body. 
This commit also restores the original + behavior of `curl --fail --negotiate`, which was changed + by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. - Closes https://github.com/curl/curl/pull/3975 - -- examples/fopen: fix comparison + Add regression tests 2077 and 2078 to cover this. - As want is size_t, (file->buffer_pos - want) is unsigned, so checking - if it's less than zero makes no sense. - Check if file->buffer_pos is less than want instead to avoid the - unsigned integer wraparound. + Fixes #3992 + Closes #4171 + +Daniel Stenberg (1 Aug 2019) +- mailmap: added 4 more names - Closes https://github.com/curl/curl/pull/3975 + Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli -- build: fix Codacy warnings +- mailmap: add Giorgos Oikonomou + +- src/makefile: fix uncompressed hugehelp.c generation - Reduce variable scopes and remove redundant variable stores. + Regression from 5cf5d57ab9 (7.64.1) - Closes https://github.com/curl/curl/pull/3975 + Fixed-by: Lance Ware + Fixes #4176 + Closes #4177 -- sws: remove unused variables +- appveyor: pass on -k to make + +- timediff: make it 64 bit (if possible) even with 32 bit time_t - Unused since commit 2f44e94. + ... to make it hold microseconds too. - Closes https://github.com/curl/curl/pull/3975 + Fixes #4165 + Closes #4168 -Version 7.65.1 (4 Jun 2019) - -Daniel Stenberg (4 Jun 2019) -- RELEASE-NOTES: 7.65.1 +- ROADMAP: parallel transfers are merged now -- THANKS: new contributors from 7.65.1 +- getenv: support up to 4K environment variable contents on windows + + Reported-by: Michal Čaplygin + Fixes #4174 + Closes #4175 -Steve Holme (4 Jun 2019) -- [Frank Gevaerts brought this change] +- [Kyohei Kadota brought this change] - ssl: Update outdated "openssl-only" comments for supported backends - - These are for features that used to be openssl-only but were expanded - over time to support other SSL backends. 
+ plan9: add support for running on Plan 9 - Closes #3985 + Closes #3701 -Daniel Stenberg (4 Jun 2019) -- curl_share_setopt.3: improve wording [ci ship] - - Reported-by: Carlos ORyan +- [Kyohei Kadota brought this change] -Steve Holme (4 Jun 2019) -- tool_parsecfg: Use correct return type for GetModuleFileName() - - GetModuleFileName() returns a DWORD which is a typedef of an unsigned - long and not an int. + ntlm: explicit type casting + +- [Justin brought this change] + + curl.h: fix outdated comment - Closes #3980 + Closes #4167 -Daniel Stenberg (3 Jun 2019) -- TODO: "at least N milliseconds between requests" [ci skip] +- curl: remove outdated comment - Suggested-by: dkwolfe4 on github - Closes #3920 + Turned bad with commit b8894085000 + + Reported-by: niallor on github + Fixes #4172 + Closes #4173 -Steve Holme (2 Jun 2019) -- tests/server/.gitignore: Add socksd to the ignore list +- cleanup: remove the 'numsocks' argument used in many places - Missed in 04fd6755. + It was used (intended) to pass in the size of the 'socks' array that is + also passed to these functions, but was rarely actually checked/used and + the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries + that should be used instead. - Closes #3978 + Closes #4169 -- tool_parsecfg: Fix control flow issue (DEADCODE) +- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - Follow-up to 8144ba38. + Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) - Detected by Coverity CID 1445663 - Closes #3976 + Reported-by: Jonathan Cardoso Machado + Assisted-by: Jay Satiro + + Fixes #4136 + Closes #4162 -Daniel Stenberg (2 Jun 2019) -- [Sergey Ogryzkov brought this change] +- mailmap: Amit Katyal - NTLM: reset proxy "multipass" state when CONNECT request is done +- asyn-thread: removed unused variable - Closes #3972 + Follow-up to eb9a604f. Mistake caused by me when I edited the commit + before push... 
-- test334: verify HTTP 204 response with chunked coding header - - Verifies that a bodyless response don't parse this content-related - header. +- RELEASE-NOTES: synced -- [Michael Kaufmann brought this change] +- [Amit Katyal brought this change] - http: don't parse body-related headers bodyless responses + asyn-thread: create a socketpair to wait on - Responses with status codes 1xx, 204 or 304 don't have a response body. For - these, don't parse these headers: + Closes #4157 + +- curl: cap the maximum allowed values for retry time arguments - - Content-Encoding - - Content-Length - - Content-Range - - Last-Modified - - Transfer-Encoding + ... to avoid integer overflows later when multiplying with 1000 to + convert seconds to milliseconds. - This change ensures that HTTP/2 upgrades work even if a - "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. + Added test 1269 to verify. - Co-authored-by: Daniel Stenberg - Closes #3702 - Fixes #3968 - Closes #3977 + Reported-by: Jason Lee + Closes #4166 -- tls13-docs: mention it is only for OpenSSL >= 1.1.1 +- progress: reset download/uploaded counter - Reported-by: Jay Satiro - Co-authored-by: Jay Satiro - Fixes #3938 - Closes #3946 - -- dump-header.d: spell out that no headers == empty file [ci skip] + ... to make CURLOPT_MAX_RECV_SPEED_LARGE and + CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that + reuse the same handle. - Reported-by: wesinator at github - Fixes #3964 - Closes #3974 + Fixed-by: Ironbars13 on github + Fixes #4084 + Closes #4161 -- singlesocket: use separate variable for inner loop +- http2_recv: trigger another read when the last data is returned - An inner loop within the singlesocket() function wrongly re-used the - variable for the outer loop which then could cause an infinite - loop. Change to using a separate variable! + ... so that end-of-stream is detected properly. 
- Reported-by: Eric Wu - Fixes #3970 - Closes #3973 - -- RELEASE-NOTES: synced - -- [Josie Huddleston brought this change] + Reported-by: Tom van der Woerdt + Fixes #4043 + Closes #4160 - http2: Stop drain from being permanently set on - - Various functions called within Curl_http2_done() can have the - side-effect of setting the Easy connection into drain mode (by calling - drain_this()). However, the last time we unset this for a transfer (by - calling drained_transfer()) is at the beginning of Curl_http2_done(). - If the Curl_easy is reused for another transfer, it is then stuck in - drain mode permanently, which in practice makes it unable to write any - data in the new transfer. +- curl: avoid uncessary libcurl timeouts (in parallel mode) - This fix moves the last call to drained_transfer() to later in - Curl_http2_done(), after the functions that could potentially call for a - drain. + When curl_multi_wait() returns OK without file descriptors to wait for, + it might already have done a long timeout. - Fixes #3966 - Closes #3967 - Reported-by: Josie-H + Closes #4159 -Steve Holme (29 May 2019) -- conncache: Remove the DEBUGASSERT on length check +- [Balazs Kovacsics brought this change] + + HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown - We trust the calling code as this is an internal function. + If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, + automatically add a Transfer-Encoding: chunked header, same as it is + already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update + test 1514 according to the new behaviour. - Closes #3962 + Closes #4138 -Jay Satiro (29 May 2019) -- [Gisle Vanem brought this change] +Jay Satiro (29 Jul 2019) +- [Daniel Stenberg brought this change] - system_win32: fix function prototype + winbuild: add vquic to list of build directories - - Change if_nametoindex parameter type from char * to const char *. 
+ This fixes the winbuild build method which broke several days ago + when experimental quic support was added in 3af0e76. - Follow-up to 09eef8af from this morning. + Reported-by: Michael Lee - Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + Fixes https://github.com/curl/curl/issues/4158 -Marcel Raad (29 May 2019) -- appveyor: add Visual Studio solution build +- easy: resize receive buffer on easy handle reset - Closes https://github.com/curl/curl/pull/3941 - -- appveyor: add support for other build systems + - In curl_easy_reset attempt to resize the receive buffer to its default + size. If realloc fails then continue using the previous size. - Introduce BUILD_SYSTEM variable, which is currently always CMake. + Prior to this change curl_easy_reset did not properly handle resetting + the receive buffer (data->state.buffer). It reset the variable holding + its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) + but then did not actually resize the buffer. If a user resized the + buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the + default, later called curl_easy_reset and attempted to reuse the handle + then a heap overflow would very likely occur during that handle's next + transfer. - Closes https://github.com/curl/curl/pull/3941 + Reported-by: Felix Hädicke + + Fixes https://github.com/curl/curl/issues/4143 + Closes https://github.com/curl/curl/pull/4145 -Steve Holme (29 May 2019) -- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows +- [Brad Spencer brought this change] + + examples: Avoid reserved names in hiperfifo examples - This fixes the static dependency on iphlpapi.lib and allows curl to - build for targets prior to Windows Vista. + - Trade in __attribute__((unused)) for the classic (void)x to silence + unused symbols. - This partially reverts 170bd047. + Because the classic way is not gcc specific. 
Also because the prior + method mapped to symbol _Unused, which starts with _ and a capital + letter which is reserved. - Fixes #3960 - Closes #3958 + Assisted-by: The Infinnovation team + + Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 + + Closes https://github.com/curl/curl/pull/4153 -Daniel Stenberg (29 May 2019) -- http: fix "error: equality comparison with extraneous parentheses" +Daniel Stenberg (25 Jul 2019) +- RELEASE-NOTES: synced -- parse_proxy: make sure portptr is initialized +- [Felix Hädicke brought this change] + + ssh-libssh: do not specify O_APPEND when not in append mode - Reported-by: Benbuck Nason + Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not + make much sense. And this combination of flags is not accepted by all + SFTP servers (at least not Apache SSHD). - fixes #3959 + Fixes #4147 + Closes #4148 -- url: default conn->port to the same as conn->remote_port +- [Gergely Nagy brought this change] + + multi: call detach_connection before Curl_disconnect - ... so that it has a sensible value when ConnectionExists() is called which - needs it set to differentiate host "bundles" correctly on port number! + Curl_disconnect bails out if conn->easyq is not empty, detach_connection + needs to be called first to remove the current easy from the queue. - Also, make conncache:hashkey() use correct port for bundles that are proxy vs - host connections. + Fixes #4144 + Closes #4151 + +Jay Satiro (23 Jul 2019) +- tool_operate: fix implicit call to easysrc_cleanup - Probably a regression from 7.62.0 - - Reported-by: Tom van der Woerdt - Fixes #3956 - Closes #3957 - -- conncache: make "bundles" per host name when doing proxy tunnels + easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not + defined, and prior to this change would be called regardless. - Only HTTP proxy use where multiple host names can be used over the same - connection should use the proxy host name for bundles. 
+ Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 + Reported-by: Marcel Raad - Reported-by: Tom van der Woerdt - Fixes #3951 - Closes #3955 + Closes https://github.com/curl/curl/pull/4142 -- multi: track users of a socket better - - They need to be removed from the socket hash linked list with more care. - - When sh_delentry() is called to remove a sockethash entry, remove all - individual transfers from the list first. To enable this, each Curl_easy struct - now stores a pointer to the sockethash entry to know how to remove itself. - - Reported-by: Tom van der Woerdt and Kunal Ekawde +Daniel Stenberg (22 Jul 2019) +- curl:create_transfers check return code from curl_easy_setopt - Fixes #3952 - Fixes #3904 - Closes #3953 - -Steve Holme (28 May 2019) -- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version + From commit b8894085 - Microsoft added support for Unix Domain Sockets in Windows 10 1803 - (RS4). Rather than expect the user to enable Unix Domain Sockets by - uncommenting the #define that was added in 0fd6221f we use the RS4 - pre-processor variable that is present in newer versions of the - Windows SDK. + Pointed out by Coverity CID 1451703 - Closes #3939 - -Daniel Stenberg (28 May 2019) -- [Jonas Vautherin brought this change] + Closes #4134 - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables +- HTTP3: initial (experimental) support - Closes #3945 - -Marcel Raad (27 May 2019) -- HAProxy tests: add keywords + USe configure --with-ngtcp2 or --with-quiche - Add the proxy and haproxy keywords in order to be able to exclude or - run these specific tests. + Using either option will enable a HTTP3 build. 
+ Co-authored-by: Alessandro Ghedini - Closes https://github.com/curl/curl/pull/3949 - -Daniel Stenberg (27 May 2019) -- [Maksim Stsepanenka brought this change] + Closes #3500 - tests: make test 1420 and 1406 work with rtsp-disabled libcurl +- curl: remove dead code - Closes #3948 - -Kamil Dudka (27 May 2019) -- [Hubert Kario brought this change] - - nss: allow to specify TLS 1.3 ciphers if supported by NSS + The loop never loops (since b889408500), pointed out by Coverity (CID + 1451702) - Closes #3916 + Closes #4133 -Daniel Stenberg (26 May 2019) -- RELEASE-NOTES: synced +- docs/PARALLEL-TRANSFERS: correct the version number -- [Jay Satiro brought this change] +- docs/PARALLEL-TRANSFERS: added - Revert all SASL authzid (new feature) commits - - - Revert all commits related to the SASL authzid feature since the next - release will be a patch release, 7.65.1. - - Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined - for the next release, assuming it would be a feature release 7.66.0. - However instead the next release will be a patch release, 7.65.1 and - will not contain any new features. - - After the patch release after the reverted commits can be restored by - using cherry-pick: - - git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 - - Details for all reverted commits: - - Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." +- curl: support parallel transfers - This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + This is done by making sure each individual transfer is first added to a + linked list as then they can be performed serially, or at will, in + parallel. - Revert "tests: Fix the line endings for the SASL alt-auth tests" + Closes #3804 + +- docs/MANUAL.md: converted to markdown from plain text - This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. + ... will make it render as a nicer web page. 
- Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + Closes #4131 + +- curl_version_info: provide nghttp2 details - This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + Introducing CURLVERSION_SIXTH with nghttp2 info. - Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + Closes #4121 + +- bump: start working on 7.66.0 + +- source: remove names from source comments - This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. + Several reasons: - Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" + - we can't add everyone who's helping out so its unfair to just a few + selected ones. + - we already list all helpers in THANKS and in RELEASE-NOTES for each + release + - we don't want to give the impression that some parts of the code is + "owned" or "controlled" by specific persons - This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. + Assisted-by: Daniel Gustafsson + Closes #4129 -- [dbrowndan brought this change] +Version 7.65.3 (19 Jul 2019) - FAQ: more minor updates and spelling fixes - - Closes #3937 +Daniel Stenberg (19 Jul 2019) +- RELEASE-NOTES: 7.65.3 -- RELEASE-NOTES: synced +- THANKS: 7.65.3 status -- sectransp: handle errSSLPeerAuthCompleted from SSLRead() +- progress: make the progress meter appear again - Reported-by: smuellerDD on github - Fixes #3932 - Closes #3933 + Fix regression caused by 21080e1 + + Reported-by: Chih-Hsuan Yen + Fixes #4122 + Closes #4124 -GitHub (24 May 2019) -- [Gisle Vanem brought this change] +- version: bump to 7.65.3 - Fix typo. 
+- RELEASE-NOTES: Contributors or now 1990 -Daniel Stenberg (23 May 2019) -- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() - - Reported-by: Marcel Raad - Fixes #3926 - Closes #3929 +Version 7.65.2 (17 Jul 2019) -Steve Holme (23 May 2019) -- winbuild: Use two space indentation - - Closes #3930 +Daniel Stenberg (17 Jul 2019) +- RELEASE-NOTES: 7.65.2 -GitHub (23 May 2019) -- [Gisle Vanem brought this change] +- THANKS: add contributors from 7.65.2 - tool_parse_cfg: Avoid 2 fopen() for WIN32 +Jay Satiro (17 Jul 2019) +- [aasivov brought this change] + + cmake: Fix finding Brotli on case-sensitive file systems - Using the memdebug.h mem-leak feature, I noticed 2 calls like: - FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + - Find package "Brotli" instead of "BROTLI" since the former is the + casing used for CMake/FindBrotli.cmake, and otherwise find_package + may fail on a case-sensitive file system. - No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. - -Daniel Stenberg (23 May 2019) -- md4: include the mbedtls config.h to get the MD4 info + Fixes https://github.com/curl/curl/issues/4117 -- md4: build correctly with openssl without MD4 +- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - Reported-by: elsamuko at github - Fixes #3921 - Closes #3922 + AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've + cautioned against using it for that purpose and included a workaround. + + Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html + Reported-by: Christopher Head + + Closes https://github.com/curl/curl/issues/3814 -Patrick Monnerat (23 May 2019) -- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
+- [Stefano Simonelli brought this change] -Daniel Stenberg (23 May 2019) -- .github/FUNDING: mention our opencollective "home" [ci skip] + CURLOPT_SEEKDATA.3: fix variable name + + Closes https://github.com/curl/curl/pull/4118 -Marcel Raad (23 May 2019) -- [Zenju brought this change] +- [Giorgos Oikonomou brought this change] - config-win32: add support for if_nametoindex and getsockname + CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - Closes https://github.com/curl/curl/pull/3923 + If the SSL backend is Schannel and the user specifies an Schannel CALG_ + that is not supported by the protocol or the server then curl returns + CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. + + Fixes https://github.com/curl/curl/issues/3389 + Closes https://github.com/curl/curl/pull/4106 -Jay Satiro (23 May 2019) -- tests: Fix the line endings for the SASL alt-auth tests +- [Daniel Gustafsson brought this change] + + nss: inspect returnvalue of token check - - Change data and protocol sections to CRLF line endings. + PK11_IsPresent() checks for the token for the given slot is available, + and sets needlogin flags for the PK11_Authenticate() call. Should it + return false, we should however treat it as an error and bail out. - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + Closes https://github.com/curl/curl/pull/4110 + +- docs: Explain behavior change in --tlsv1. options since 7.54 - Follow-up to a9499ff from today which added the tests. + Since 7.54 --tlsv1. options use the specified version or later, however + older versions of curl documented it as using just the specified version + which may or may not have happened depending on the TLS library. + Document this discrepancy to allay confusion for users familiar with the + old documentation that expect just the specified version. 
- Ref: https://github.com/curl/curl/pull/3790 + Fixes https://github.com/curl/curl/issues/4097 + Closes https://github.com/curl/curl/pull/4119 -Daniel Stenberg (23 May 2019) -- url: fix bad #ifdef +- libcurl: Restrict redirect schemes (follow-up) - Regression since e91e48161235272ff485. + - Allow FTPS on redirect. - Reported-by: Tom Greenslade - Fixes #3924 - Closes #3925 - -- Revert "progress: CURL_DISABLE_PROGRESS_METER" + - Update default allowed redirect protocols in documentation. - This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + Follow-up to 6080ea0. - Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + - CURLOPT_LOW_SPEED_TIME - - Reported-by: Dave Reisner + Ref: https://github.com/curl/curl/pull/4094 - Fixes #3927 - Closes #3928 - -Steve Holme (22 May 2019) -- examples: Added SASL PLAIN authorisation identity (authzid) examples - -- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + Closes https://github.com/curl/curl/pull/4115 -- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID +Daniel Stenberg (16 Jul 2019) +- test1173: make it also check all libcurl option man pages - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. + ... and adjust those that cause errors - Fixed #3653 - Closes #3790 + Closes #4116 -Marc Hoersken (22 May 2019) -- tests: add support to test against OpenSSH for Windows +- curl: only accept COLUMNS less than 10000 - Testing against OpenSSH for Windows requires v7.7.0.0 or newer - due to the use of AllowUsers and DenyUsers. For more info see: - https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config - -Daniel Stenberg (22 May 2019) -- bump: start on the next release - -Marcel Raad (22 May 2019) -- examples: fix "clarify calculation precedence" warnings + ... 
as larger values would rather indicate something silly (and could + potentially cause buffer problems). - Closes https://github.com/curl/curl/pull/3919 + Reported-by: pendrek at hackerone + Closes #4114 -- hiperfifo: remove unused variable +- dist: add manpage-syntax.pl - Closes https://github.com/curl/curl/pull/3919 + follow-up to 7fb66c403 -- examples: remove dead variable stores +- test1173: detect some basic man page format mistakes - Closes https://github.com/curl/curl/pull/3919 - -- examples: reduce variable scopes + Triggered by PR #4111 - Closes https://github.com/curl/curl/pull/3919 + Closes #4113 -- http2-download: fix format specifier - - Closes https://github.com/curl/curl/pull/3919 +Jay Satiro (15 Jul 2019) +- [Bjarni Ingi Gislason brought this change] -Daniel Stenberg (22 May 2019) -- PolarSSL: deprecate support step 1. Removed from configure. + docs: Fix missing lines caused by undefined macros - Also removed mentions from most docs. + - Escape apostrophes at line start. - Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + Some lines begin with a "'" (apostrophe, single quote), which is then + interpreted as a control character in *roff. - Closes #3888 - -- configure/cmake: check for if_nametoindex() + Such lines are interpreted as being a call to a macro, and if + undefined, the lines are removed from the output. - - adds the check to cmake + Bug: https://bugs.debian.org/926352 + 
Signed-off-by: Bjarni Ingi Gislason - - fixes the configure check to work for cross-compiled windows builds + Submitted-by: Alessandro Ghedini - Closes #3917 + Closes https://github.com/curl/curl/pull/4111 -- parse_proxy: use the IPv6 zone id if given - - If the proxy string is given as an IPv6 numerical address with a zone - id, make sure to use that for the connect to the proxy. - - Reported-by: Edmond Yu +Daniel Stenberg (14 Jul 2019) +- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults - Fixes #3482 - Closes #3918 - -Version 7.65.0 (22 May 2019) - -Daniel Stenberg (22 May 2019) -- RELEASE-NOTES: 7.65.0 release - -- THANKS: from the 7.65.0 release-notes + follow-up to 6080ea098 -- url: convert the zone id from a IPv6 URL to correct scope id - - Reported-by: GitYuanQu on github - Fixes #3902 - Closes #3914 +- [Linos Giannopoulos brought this change] -- configure: detect getsockname and getpeername on windows too + libcurl: Add testcase for gopher redirects - Made detection macros for these two functions in the same style as other - functions possibly in winsock in the hope this will work better to - detect these functions when cross-compiling for Windows. + The testcase ensures that redirects to CURLPROTO_GOPHER won't be + allowed, by default, in the future. Also, curl is being used + for convenience while keeping the testcases DRY. - Follow-up to e91e4816123 + The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is + redirected to CURLPROTO_GOPHER - Fixes #3913 - Closes #3915 + 
Signed-off-by: Linos Giannopoulos -Marcel Raad (21 May 2019) -- examples: remove unused variables +- [Linos Giannopoulos brought this change] + + libcurl: Restrict redirect schemes - Fixes Codacy/CppCheck warnings. + All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS + counterpart were allowed for redirect. This vastly broadens the + exploitation surface in case of a vulnerability such as SSRF [1], where + libcurl-based clients are forced to make requests to arbitrary hosts. - Closes - -Daniel Gustafsson (21 May 2019) -- udpateconninfo: mark variable unused + For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based + protocol by URL-encoding a payload in the URI. Gopher will open a TCP + connection and send the payload. - When compiling without getpeername() or getsockname(), the sockfd - paramter to Curl_udpateconninfo() became unused after commit e91e481612 - added ifdef guards. + Only HTTP/HTTPS and FTP are allowed. All other protocols have to be + explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. - Closes #3910 - Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 - Reviewed-by: Marcel Raad, Daniel Stenberg - -- ftp: move ftp_ccc in under featureflag + [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ - Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under - the FTP featureflag in the UserDefined struct, but vtls callsites were - still using it unprotected. + 
Signed-off-by: Linos Giannopoulos - Closes #3912 - Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 - Reviewed-by: Daniel Stenberg, Marcel Raad + Closes #4094 -Daniel Stenberg (20 May 2019) -- curl: report error for "--no-" on non-boolean options +- [Zenju brought this change] + + openssl: define HAVE_SSL_GET_SHUTDOWN based on version number - Reported-by: Olen Andoni - Fixes #3906 - Closes #3907 + Closes #4100 -- [Guy Poizat brought this change] +- [Peter Simonyi brought this change] - mbedtls: enable use of EC keys + http: allow overriding timecond with custom header - Closes #3892 - -- lib1560: add tests for parsing URL with too long scheme + With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. + If-Modified-Since). Allow this to be replaced or suppressed with + CURLOPT_HTTPHEADER. - Ref: #3905 + Fixes #4103 + Closes #4109 -- [Omar Ramadan brought this change] +Jay Satiro (11 Jul 2019) +- [Juergen Hoetzel brought this change] - urlapi: increase supported scheme length to 40 bytes + smb: Use the correct error code for access denied on file open - The longest currently registered URI scheme at IANA is 36 bytes long. + - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. - Closes #3905 - Closes #3900 + Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. + + Closes https://github.com/curl/curl/pull/4095 -Marcel Raad (20 May 2019) -- lib: reduce variable scopes +- [Daniel Gustafsson brought this change] + + DEPRECATE: fixup versions and spelling - Fixes Codacy/CppCheck warnings. + Correctly set the July 17 version to 7.65.2, and update spelling to + be consistent. Also fix a typo. - Closes https://github.com/curl/curl/pull/3872 + Closes https://github.com/curl/curl/pull/4107 -- tool_formparse: remove redundant assignment +- [Gisle Vanem brought this change] + + system_win32: fix clang warning - Just initialize word_begin with the correct value. + - Declare variable in header as extern. 
- Closes https://github.com/curl/curl/pull/3873 + Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 -- ssh: move variable declaration to where it's used +Daniel Gustafsson (10 Jul 2019) +- headers: Remove no longer exported functions - This way, we need only one call to free. + There were a leftover few prototypes of Curl_ functions that we used to + export but no longer do, this removes those prototypes and cleans up any + comments still referring to them. - Closes https://github.com/curl/curl/pull/3873 - -- ssh-libssh: remove unused variable + Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() + Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() + were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. + Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. - sock was only used to be assigned to fd_read. + For the remainder, I didn't trawl the Git logs hard enough to capture + their exact time of deletion, but they were all gone: Curl_splayprint(), + Curl_http2_send_request(), Curl_global_host_cache_dtor(), + Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), + Curl_http_auth_stage() and Curl_close_connections(). - Closes https://github.com/curl/curl/pull/3873 + Closes #4096 + Reviewed-by: Daniel Stenberg -Daniel Stenberg (20 May 2019) -- test332: verify the blksize fix +- CMake: fix typos and spelling -- tftp: use the current blksize for recvfrom() - - bug: https://curl.haxx.se/docs/CVE-2019-5436.html - Reported-by: l00p3r on hackerone - CVE-2019-5436 +- [Kyle Edwards brought this change] -Daniel Gustafsson (19 May 2019) -- version: make ssl_version buffer match for multi_ssl + CMake: Convert errant elseif() to else() - When running a multi TLS backend build the version string needs more - buffer space. Make the internal ssl_buffer stack buffer match the one - in Curl_multissl_version() to allow for the longer string. 
For single - TLS backend builds there is no use in extended to buffer. This is a - fallout from #3863 which fixes up the multi_ssl string generation to - avoid a buffer overflow when the buffer is too small. + CMake interprets an elseif() with no arguments as elseif(FALSE), + resulting in the elseif() block not being executed. That is not what + was intended here. Change the empty elseif() to an else() as it was + intended. - Closes #3875 - Reviewed-by: Daniel Stenberg + Closes #4101 + Reported-by: Artalus + Reviewed-by: Daniel Gustafsson -Steve Holme (18 May 2019) -- http_ntlm_wb: Handle auth for only a single request - - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). +- buildconf: fix header filename - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. + The header file inclusion had a typo, it should be .h and not .hd. + Fix by renaming. - Missed in fe6049f0. + Fixes #4102 + Reported-by: AceCrow on Github -- http_ntlm_wb: Cleanup handshake after clean NTLM failure - - Missed in 50b87c4e. +- [Jan Chren brought this change] -- http_ntlm_wb: Return the correct error on receiving an empty auth message - - Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + configure: fix --disable-code-coverage - Closes #3894 - -Daniel Stenberg (18 May 2019) -- curl: make code work with protocol-disabled libcurl + This fixes the case when --disable-code-coverage supplied to ./configure + would result in coverage="yes" being set. 
- Closes #3844 - -- libcurl: #ifdef away more code for disabled features/protocols + Closes #4099 + Reviewed-by: Daniel Gustafsson -- progress: CURL_DISABLE_PROGRESS_METER +- cleanup: fix typo in comment -- hostip: CURL_DISABLE_SHUFFLE_DNS +- RELEASE-NOTES: synced -- netrc: CURL_DISABLE_NETRC +Jay Satiro (6 Jul 2019) +- [Daniel Gustafsson brought this change] -Viktor Szakats (16 May 2019) -- docs: Markdown and misc improvements [ci skip] + nss: support using libnss on macOS - Approved-by: Daniel Stenberg - Closes #3896 - -- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] + The file suffix for dynamically loadable objects on macOS is .dylib, + which need to be added for the module definitions in order to get the + NSS TLS backend to work properly on macOS. - Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 - Approved-by: Daniel Stenberg - Closes #3895 + Closes https://github.com/curl/curl/pull/4046 -Daniel Stenberg (16 May 2019) -- travis: add an osx http-only build - - Closes #3887 +- [Daniel Gustafsson brought this change] -- cleanup: remove FIXME and TODO comments + nss: don't set unused parameter - They serve very little purpose and mostly just add noise. Most of them - have been around for a very long time. I read them all before removing - or rephrasing them. + The value of the maxPTDs parameter to PR_Init() has since at least + NSPR 2.1, which was released sometime in 1998, been marked ignored + as is accordingly not used in the initialization code. Setting it + to a value when calling PR_Init() is thus benign, but indicates an + intent which may be misleading. Reset the value to zero to improve + clarity. - Ref: #3876 - Closes #3883 + Closes https://github.com/curl/curl/pull/4054 -- curl: don't set FTP options for FTP-disabled builds - - ... since libcurl has started to be totally unaware of options for - disabled protocols they now return error. 
+- [Daniel Gustafsson brought this change] + + nss: only cache valid CRL entries - Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + Change the logic around such that we only keep CRLs that NSS actually + ended up caching around for later deletion. If CERT_CacheCRL() fails + then there is little point in delaying the freeing of the CRL as it + is not used. - Reported-by: Marcel Raad - Closes #3886 + Closes https://github.com/curl/curl/pull/4053 -Steve Holme (16 May 2019) -- http_ntlm_wb: Move the type-2 message processing into a dedicated function +- [Gergely Nagy brought this change] + + lib: Use UTF-8 encoding in comments - This brings the code inline with the other HTTP authentication mechanisms. + Some editors and IDEs assume that source files use UTF-8 file encodings. + It also fixes the build with MSVC when /utf-8 command line option is + used (this option is mandatory for some other open-source projects, this + is useful when using the same options is desired for building all + libraries of a project). - Closes #3890 - -Daniel Stenberg (15 May 2019) -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/4087 -- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] +- [Caleb Raitto brought this change] -- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + CURLOPT_HEADEROPT.3: Fix example - Reported-by: Roy Bellingan - Bug: #3885 + Fix an issue where example builds a curl_slist, but fails to actually + use it, or free it. + + Closes https://github.com/curl/curl/pull/4090 -- parse_proxy: use the URL parser API +- [Shankar Jadhavar brought this change] + + winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - As we treat a given proxy as a URL we should use the unified URL parser - to extract the parts out of it. + - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. 
- Closes #3878 - -Steve Holme (15 May 2019) -- http_negotiate: Move the Negotiate state out of the negotiatedata structure + - Also removed some ^M chars from file. - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + Prior to this change while building on Windows platform even if we pass + the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does + not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. - Closes #3882 + Closes https://github.com/curl/curl/pull/4086 -- http_ntlm: Move the NTLM state out of the ntlmdata structure +Daniel Stenberg (4 Jul 2019) +- doh-url.d: added in 7.62.0 + +Jay Satiro (30 Jun 2019) +- docs: Fix links to OpenSSL docs - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. + OpenSSL changed their manual locations and does not redirect to the new + locations. + + Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html + Reported-by: Daniel Stenberg -- url: Move the negotiate state type into a dedicated enum +Daniel Stenberg (26 Jun 2019) +- [Gaël PORTAY brought this change] -- url: Remove duplicate clean up of the winbind variables in conn_shutdown() + curl_multi_wait.3: escape backslash in example - Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior - to calling conn_shutdown() and it in turn performs this, there is no - need to perform the same action in conn_shutdown(). + The backslash in the character Line Feed must be escaped. - Closes #3881 - -Daniel Stenberg (14 May 2019) -- urlapi: require a non-zero host name length when parsing URL + The current man-page outputs the code as following: - Updated test 1560 to verify. 
+ fprintf(stderr, "curl_multi failed, code %d.0, mc); - Closes #3880 - -- configure: error out if OpenSSL wasn't detected when asked for + The commit fixes it as follow: - If --with-ssl is used and configure still couldn't enable SSL this - creates an error instead of just silently ignoring the fact. + fprintf(stderr, "curl_multi failed, code %d\n", mc); - Suggested-by: Isaiah Norton - Fixes #3824 - Closes #3830 - -Daniel Gustafsson (14 May 2019) -- imap: Fix typo in comment + Closes #4079 -Steve Holme (14 May 2019) -- url: Remove unnecessary initialisation from allocate_conn() +- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - No need to set variables to zero as calloc() does this for us. + ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is + built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for + UWP (with "VC-WIN32-UWP"). - Closes #3879 + Reported-by: Vasily Lobaskin + Fixes #4073 + Closes #4077 -Daniel Stenberg (14 May 2019) -- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] +- test1521: adapt to SLISTPOINT - Clues-provided-by: Jay Satiro - Clues-provided-by: Jeroen Ooms - Fixes #3711 - Closes #3874 - -Daniel Gustafsson (13 May 2019) -- vtls: fix potential ssl_buffer stack overflow + The header now has the slist-using options marked as SLISTPOINT so this + makes sure test 1521 understands that. - In Curl_multissl_version() it was possible to overflow the passed in - buffer if the generated version string exceeded the size of the buffer. - Fix by inverting the logic, and also make sure to not exceed the local - buffer during the string generation. 
+ Follow-up to ae99b4de1c443ae989 - Closes #3863 - Reported-by: nevv on HackerOne/curl - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (13 May 2019) -- RELEASE-NOTES: synced - -- appveyor: also build "/ci" branches like travis - -- pingpong: disable more when no pingpong enabled - -- proxy: acknowledge DISABLE_PROXY more + Closes #4074 -- parsedate: CURL_DISABLE_PARSEDATE +- win32: make DLL loading a no-op for UWP + + Reported-by: Michael Brehm + Fixes #4060 + Closes #4072 -- sasl: only enable if there's a protocol enabled using it +- [1ocalhost brought this change] -- mime: acknowledge CURL_DISABLE_MIME + configure: fix typo '--disable-http-uath' + + Closes #4076 -- wildcard: disable from build when FTP isn't present +- [Niklas Hambüchen brought this change] -- http: CURL_DISABLE_HTTP_AUTH + docs: fix string suggesting HTTP/2 is not the default + + Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the + man page that new default is mentioned, but the section at the top + contradicted it until now. + + Also remove claim that setting the HTTP version is not sensible. + + Closes #4075 -- base64: build conditionally if there are users +- RELEASE-NOTES: synced -- doh: CURL_DISABLE_DOH +- [Stephan Szabo brought this change] -Steve Holme (12 May 2019) -- auth: Rename the various authentication clean up functions + tests: update fixed IP for hostip/clientip split - For consistency and to a avoid confusion. + These tests give differences for me on linux when using a hostip + pointing to the external ip address for the local machine. 
- Closes #3869 + Closes #4070 -Daniel Stenberg (12 May 2019) -- [Jay Satiro brought this change] - - docs/INSTALL: fix broken link [ci skip] +Daniel Gustafsson (24 Jun 2019) +- http: clarify header buffer size calculation - Reported-by: Joombalaya on github - Fixes #3818 - -Marcel Raad (12 May 2019) -- easy: fix another "clarify calculation precedence" warning + The header buffer size calculation can from static analysis seem to + overlow as it performs an addition between two size_t variables and + stores the result in a size_t variable. Overflow is however guarded + against elsewhere since the input to the addition is regulated by + the maximum read buffer size. Clarify this with a comment since the + question was asked. - I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + Reviewed-by: Daniel Stenberg -- build: fix "clarify calculation precedence" warnings - - Codacy/CppCheck warns about this. Consistently use parentheses as we - already do in some places to silence the warning. +Daniel Stenberg (24 Jun 2019) +- KNOWN_BUGS: Don't clear digest for single realm - Closes https://github.com/curl/curl/pull/3866 + Closes #3267 -- cmake: restore C89 compatibility of CurlTests.c - - I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and - 97de97daefc2ed084c91eff34af2426f2e55e134. +- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - Reported-by: Viktor Szakats - Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 - Closes https://github.com/curl/curl/pull/3868 + Closes #3284 -Steve Holme (11 May 2019) -- http_ntlm: Corrected the name of the include guard +- http2: call done_sending on end of upload - Missed in f0bdd72c. + To make sure a HTTP/2 stream registers the end of stream. - Closes #3867 + Bug #4043 made me find this problem but this fix doesn't correct the + reported issue. 
+ + Closes #4068 -- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled +- [James Brown brought this change] + + c-ares: honor port numbers in CURLOPT_DNS_SERVERS - Closes #3861 + By using ares_set_servers_ports_csv on new enough c-ares. + + Fixes #4066 + Closes #4067 -- http_negotiate: Don't expose functions when HTTP is disabled +Daniel Gustafsson (24 Jun 2019) +- CURLMOPT_SOCKETFUNCTION.3: fix typo -Daniel Stenberg (11 May 2019) -- SECURITY-PROCESS: fix links [ci skip] +Daniel Stenberg (24 Jun 2019) +- [Koen Dergent brought this change] -Marcel Raad (11 May 2019) -- CMake: suppress unused variable warnings + curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds - I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + Closes #4061 -Daniel Stenberg (11 May 2019) -- doh: disable DOH for the cases it doesn't work +- test153: fix content-length to avoid occasional hang - Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for - DOH resolves. This fix disables DOH for those. + Closes #4065 + +- RELEASE-NOTES: synced + +- multi: enable multiplexing by default (again) - Limitation added to KNOWN_BUGS. + It was originally made default in d7c4213bd0c (7.62.0) but mistakenly + reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. - Fixes #3850 - Closes #3857 + Closes #4051 -Jay Satiro (11 May 2019) -- checksrc.bat: Ignore snprintf warnings in docs/examples - - .. because we allow snprintf use in docs/examples. +- typecheck: add 3 missing strings and a callback data pointer - Closes https://github.com/curl/curl/pull/3862 + Closes #4050 -Steve Holme (10 May 2019) -- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() +- tests: add disable-scan.pl to dist - ...and misalignment of these comments. From a78c61a4. 
+ follow-up from 29177f422a5 - Closes #3860 + Closes #4059 -Jay Satiro (10 May 2019) -- Revert "multi: support verbose conncache closure handle" +- http2: don't call stream-close on already closed streams - This reverts commit b0972bc. + Closes #4055 + +Marcel Raad (20 Jun 2019) +- travis: enable alt-svc for coverage build - - No longer show verbose output for the conncache closure handle. + Closes + +- travis: enable libssh2 for coverage build - The offending commit was added so that the conncache closure handle - would inherit verbose mode from the user's easy handle. (Note there is - no way for the user to set options for the closure handle which is why - that was necessary.) Other debug settings such as the debug function - were not also inherited since we determined that could lead to crashes - if the user's per-handle private data was used on an unexpected handle. + It was enabled by default before commit c92d2e14cfb. - The reporter here says he has a debug function to capture the verbose - output, and does not expect or want any output to stderr; however - because the conncache closure handle does not inherit the debug function - the verbose output for that handle does go to stderr. + Disable torture tests 600 and 601 because of + https://github.com/curl/curl/issues/1678. - There are other plausible scenarios as well such as the user redirects - stderr on their handle, which is also not inherited since it could lead - to crashes when used on an unexpected handle. + Closes + +- travis: disable threaded resolver for coverage build - Short of allowing the user to set options for the conncache closure - handle I don't think there's much we can safely do except no longer - inherit the verbose setting. + This enables more tests. 
- Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html - Reported-by: Kristoffer Gleditsch + Closes + +- travis: enable brotli for all xenial jobs - Ref: https://github.com/curl/curl/pull/3598 - Ref: https://github.com/curl/curl/pull/3618 + There's no need for a separate job, and no need to build it from source + with Xenial. - Closes https://github.com/curl/curl/pull/3856 + Closes -Steve Holme (10 May 2019) -- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - - From 6012fa5a. +- travis: enable warnings-as-errors for coverage build - Closes #3858 + Closes -Daniel Stenberg (9 May 2019) -- BUG-BOUNTY: minor formatting fixes [ci skip] +GitHub (20 Jun 2019) +- [Gisle Vanem brought this change] -- RELEASE-NOTES: synced + system_win32: fix typo -- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] +Daniel Stenberg (20 Jun 2019) +- typecheck: CURLOPT_CONNECT_TO takes an slist too - Closes #3839 - -Kamil Dudka (9 May 2019) -- http_negotiate: do not treat failure of gss_init_sec_context() as fatal + Additionally, add an alias in curl.h for slist-using options so that + we can grep/parse those out at will. - Fixes #3726 - Closes #3849 + Closes #4042 -- spnego_gssapi: fix return code on gss_init_sec_context() failure - - Fixes #3726 - Closes #3849 +- [Stephan Szabo brought this change] -Steve Holme (9 May 2019) -- gen_resp_file.bat: Removed unnecessary @ from all but the first command + tests: support non-localhost HOSTIP for dict/smb servers - There is need to use @ on every command once echo has been turned off. + smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for + binding the server which when we were running the tests with a separate + HOSTIP and CLIENTIP had failures verifying the server from the device we + were testing. - Closes #3854 + This changes them to take the address from runtests.py and default to + localhost/127.0.0.1 if none is given. 
+ + Closes #4048 -Jay Satiro (8 May 2019) -- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies +- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT + +- configure: --disable-progress-meter - - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to - the destination host. + Builds libcurl without support for the built-in progress meter. - We already do something similar for HTTPS proxies by not sending h2. [1] + Closes #4023 + +- curl: improved skip-setopt-options when built with disabled features - Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would - incorrectly use HTTP/2 to talk to the proxy, which is not something we - support (yet?). Also it's debatable whether or not that setting should - apply to HTTP/2 proxies. + Reduces #ifdefs in src/tool_operate.c - [1]: https://github.com/curl/curl/commit/17c5d05 + Follow-up from 4e86f2fc4e6 + Closes #3936 + +Steve Holme (18 Jun 2019) +- netrc: Return the correct error code when out of memory - Bug: https://github.com/curl/curl/issues/3570 - Bug: https://github.com/curl/curl/issues/3832 + Introduced in 763c5178. - Closes https://github.com/curl/curl/pull/3853 + Closes #4036 -Marcel Raad (8 May 2019) -- travis: update mesalink build to xenial +Daniel Stenberg (18 Jun 2019) +- config-os400: add getpeername and getsockname defines - Closes https://github.com/curl/curl/pull/3842 - -Daniel Stenberg (8 May 2019) -- [Ricky Leverence brought this change] + Reported-by: jonrumsey on github + Fixes #4037 + Closes #4039 - OpenSSL: Report -fips in version if OpenSSL is built with FIPS +- runtests: keep logfiles around by default - Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS - define. It uses this define to determine whether to publish -fips at - the end of the version displayed. Applications that utilize the version - reported by OpenSSL will see a mismatch if they compare it to what curl - reports, as curl is not modifying the version in the same way. 
This - change simply adds a check to see if OPENSSL_FIPS is defined, and will - alter the reported version to match what OpenSSL itself provides. This - only appears to be applicable in versions of OpenSSL <1.1.1 + Make '-k' a no-op. The singletest function now clears the log directory + BEFORE each individual test and not after, which makes it possible to + always keep the logfiles around after a test has been run. No need to + specify -k anymore. Keeping the option parsing around to work with users + of old habits. - Closes #3771 + Some tests also didn't work properly when -k was used (since the old + logs would be kep when a new test starts) which this change also fixes. + + Closes #4035 -Kamil Dudka (7 May 2019) -- [Frank Gevaerts brought this change] +- [Gergely Nagy brought this change] - nss: allow fifos and character devices for certificates. - - Currently you can do things like --cert <(cat ./cert.crt) with (at least) the - openssl backend, but that doesn't work for nss because is_file rejects fifos. + openssl: fix pubkey/signature algorithm detection in certinfo - I don't actually know if this is sufficient, nss might do things internally - (like seeking back) that make this not work, so actual testing is needed. + Certinfo gives the same result for all OpenSSL versions. + Also made printing RSA pubkeys consistent with older versions. - Closes #3807 - -Daniel Gustafsson (6 May 2019) -- test2100: Fix typos in test description + Reported-by: Michael Wallner + Fixes #3706 + Closes #4030 -Daniel Stenberg (6 May 2019) -- ssh: define USE_SSH if SSH is enabled (any backend) +- conn_maxage: move the check to prune_dead_connections() - Closes #3846 - -Steve Holme (5 May 2019) -- winbuild: Add our standard copyright header to the winbuild batch files - -- makedebug: Fix ERRORLEVEL detection after running where.exe + ... and avoid the locking issue. 
- Closes #3838 + Reported-by: Kunal Ekawde + Fixes #4029 + Closes #4032 -Daniel Stenberg (5 May 2019) -- urlapi: add CURLUPART_ZONEID to set and get +- tests: have runtests figure out disabled features - The zoneid can be used with IPv6 numerical addresses. + ... so that runtests can skip individual test cases that test features + that are explicitly disabled in this build. This new logic is intended + for disabled features that aren't otherwise easily visible through the + curl_version_info() or other API calls. - Updated test 1560 to verify. + tests/server/disabled is a newly built executable that will output a + list of disabled features. Outputs nothing for a default build. - Closes #3834 - -- [Taiyu Len brought this change] + Closes #3950 - WRITEFUNCTION: add missing set_in_callback around callback +- test188/189: fix Content-Length - Closes #3837 + This cures the flaky test results + + Closes #4034 -- RELEASE-NOTES: synced +- [Thomas Gamper brought this change] -- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - - Reported-by: Ricardo Gomes + winbuild: use WITH_PREFIX if given - Bug: #3537 - Closes #3836 + Closes #4031 -- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value +Daniel Gustafsson (17 Jun 2019) +- openssl: remove outdated comment - The time field in the curl_fileinfo struct will always be zero. No code - was ever implemented to actually convert the date string to a time_t. + OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), + which is why we switched to CONF_modules_load_file() and introduced + a comment stating why. This behavior was however changed in OpenSSL + commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now + outdated and incorrect comment. The mentioned commit also declares + OPENSSL_config() deprecated so keep the current coding. 
- Fixes #3829 - Closes #3835 + Closes #4033 + Reviewed-by: Daniel Stenberg -- OS400/ccsidcurl.c: code style fixes +Daniel Stenberg (16 Jun 2019) +- RELEASE-NOTES: synced -- OS400/ccsidcurl: replace use of Curl_vsetopt +Patrick Monnerat (16 Jun 2019) +- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. - (and make the code style comply) + Use it in curl_easy_setopt_ccsid(). + Reported-by: jonrumsey on github Fixes #3833 + Closes #4028 -- urlapi: strip off scope id from numerical IPv6 addresses - - ... to make the host name "usable". Store the scope id and put it back - when extracting a URL out of it. +Daniel Stenberg (15 Jun 2019) +- runtests: report single test time + total duration - Also makes curl_url_set() syntax check CURLUPART_HOST. + ... after each successful test. - Fixes #3817 - Closes #3822 - -- RELEASE-NOTES: synced + Closes #4027 -- multiif.h: remove unused protos +- multi: fix the transfer hash function - ... for functions related to pipelining. Those functions were removed in - 2f44e94efb3df. + Follow-up from 8b987cc7eb - Closes #3828 - -- [Yiming Jing brought this change] + Reported-by: Tom van der Woerdt + Fixes #4018 + Closes #4024 - travis: mesalink: temporarily disable test 3001 +- unit1654: cleanup on memory failure - ... due to SHA-1 signatures in test certs - -- [Yiming Jing brought this change] - - travis: upgrade the MesaLink TLS backend to v1.0.0 + ... to make it handle torture tests properly. 
- Closes #3823 - Closes #3776 + Reported-by: Marcel Raad + Fixes #4021 + Closes #4022 -- ConnectionExists: improve non-multiplexing use case +Marcel Raad (13 Jun 2019) +- krb5: fix compiler warning - - better log output + Even though the variable was used in a DEBUGASSERT, GCC 8 warned in + debug mode: + krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] - - make sure multiplex is enabled for it to be used - -- multi: provide Curl_multiuse_state to update information + Just suppress the warning and declare the variable unconditionally + instead of only for DEBUGBUILD (which also missed the check for + HAVE_ASSERT_H). - As soon as a TLS backend gets ALPN conformation about the specific HTTP - version it can now set the multiplex situation for the "bundle" and - trigger moving potentially queued up transfers to the CONNECT state. + Closes https://github.com/curl/curl/pull/4020 -- process_pending_handles: mark queued transfers as previously pending +Daniel Stenberg (13 Jun 2019) +- quote.d: asterisk prefix works for SFTP as well - With transfers being queued up, we only move one at a a time back to the - CONNECT state but now we mark moved transfers so that when a moved - transfer is confirmed "successful" (it connected) it will trigger the - move of another pending transfer. Previously, it would otherwise wait - until the transfer was done before doing this. This makes queued up - pending transfers get processed (much) faster. + Reported-by: Ben Voris + Fixes #4017 + Closes #4019 -- http: mark bundle as not for multiuse on < HTTP/2 response +- multi: fix the transfer hashes in the socket hash entries - Fixes #3813 - Closes #3815 - -Daniel Gustafsson (1 May 2019) -- cookie: Guard against possible NULL ptr deref + - The transfer hashes weren't using the correct keys so removing entries + failed. 
- In case the name pointer isn't set (due to memory pressure most likely) - we need to skip the prefix matching and reject with a badcookie to avoid - a possible NULL pointer dereference. + - Simplified the iteration logic over transfers sharing the same socket and + they now simply are set to expire and thus get handled in the "regular" + timer loop instead. - Closes #3820 #3821 - Reported-by: Jonathan Moerman - Reviewed-by: Daniel Stenberg + Reported-by: Tom van der Woerdt + Fixes #4012 + Closes #4014 -Patrick Monnerat (30 Apr 2019) -- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings +Jay Satiro (12 Jun 2019) +- [Cliff Crosland brought this change] -Kamil Dudka (29 Apr 2019) -- nss: provide more specific error messages on failed init + url: Fix CURLOPT_MAXAGE_CONN time comparison - Closes #3808 - -Daniel Stenberg (29 Apr 2019) -- [Reed Loden brought this change] - - docs: minor polish to the bug bounty / security docs + Old connections are meant to expire from the connection cache after + CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x + that value. This occurs because a time value measured in milliseconds is + accidentally divided by 1M instead of by 1,000. - Closes #3811 + Closes https://github.com/curl/curl/pull/4013 -- CURL_MAX_INPUT_LENGTH: largest acceptable string input size +Daniel Stenberg (11 Jun 2019) +- test1165: verify that CURL_DISABLE_ symbols are in sync - This limits all accepted input strings passed to libcurl to be less than - CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: - curl_easy_setopt() and curl_url_set(). + between configure.ac and source code. They should be possible to switch + on/off in configure AND be used in source code. + +- configure: remove CURL_DISABLE_TLS_SRP - The 8000000 number is arbitrary picked and is meant to detect mistakes - or abuse, not to limit actual practical use cases. By limiting the - acceptable string lengths we also reduce the risk of integer overflows - all over. 
+ It isn't used by code so stop providing the define. - NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + Closes #4010 + +- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" - Test 1559 verifies. + This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. - Closes #3805 + Apparently several of the appveyor windows builds broke. -- [Tseng Jun brought this change] +- [sergey-raevskiy brought this change] - curlver.h: use parenthesis in CURL_VERSION_BITS macro + cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified - Closes #3809 + Reviewed-by: Jakub Zakrzewski + Closes #3770 -Marcel Raad (27 Apr 2019) -- [Simon Warta brought this change] +- RELEASE-NOTES: synced - cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP +- http2: remove CURL_DISABLE_TYPECHECK define - Closes https://github.com/curl/curl/pull/3769 - -Steve Holme (23 Apr 2019) -- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 + ... in http2-less builds as it served no use. -- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 +- configure: more --disable switches to toggle off individual features - Just like we do for mbed TLS, use our local implementation of MD4 when - OpenSSL doesn't support it. This allows a type-3 message to include the - NT response. - -Daniel Gustafsson (23 Apr 2019) -- INTERNALS: fix misindentation of ToC item + ... actual support in the code for disabling these has already landed. - Kerberos was incorrectly indented as a subsection under FTP, which is - incorrect as they are both top level sections. A fix for this was first - attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that - was a few paddles short of being complete. 
+ Closes #4009 -- [Aron Bergman brought this change] +- wolfssl: fix key pinning build error + + follow-up from deb9462ff2de8 - INTERNALS: Add structs to ToC +- CURLMOPT_SOCKETFUNCTION.3: clarified - Add the subsections under "Structs in libcurl" to the table of contents. + Moved away the callback explanation from curl_multi_socket_action.3 and + expanded it somewhat. - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson - -- [Aron Bergman brought this change] + Closes #4006 - INTERNALS: Add code highlighting +- wolfssl: fixup for SNI use - Make all struct members under the Curl_handler section - print in monospace font. + follow-up from deb9462ff2de8 - Closes #3801 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Closes #4007 -Daniel Stenberg (22 Apr 2019) -- docs/BUG-BOUNTY: bug bounty time [skip ci] +- CURLOPT_CAINFO.3: polished wording - Introducing the curl bug bounty program on hackerone. We now recommend - filing security issues directly in the hackerone ticket system which - only is readable to curl security team members. + Clarify the functionality when built to use Schannel and Secure + Transport and stop calling it the "recommended" or "preferred" way and + instead rather call it the default. - Assisted-by: Daniel Gustafsson + Removed the reference to the ssl comparison table as it isn't necessary. - Closes #3488 + Reported-by: Richard Alcock + Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html + Closes #4005 -Steve Holme (22 Apr 2019) -- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - - RFC 4616 specifies the authzid is optional in the client authentication - message and that the server will derive the authorisation identity - (authzid) from the authentication identity (authcid) when not specified - by the client. 
+GitHub (10 Jun 2019) +- [Daniel Stenberg brought this change] -Jay Satiro (22 Apr 2019) -- [Gisle Vanem brought this change] + SECURITY.md: created + + Brief security policy description for use/display on github. - memdebug: fix variable name +Daniel Gustafsson (10 Jun 2019) +- tool_cb_prg: Fix integer overflow in progress bar - Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar + width calculation to avoid integer overflow, but failed to account for + the fact that initial_size is initialized to -1 when the file size is + retrieved from the remote on an upload, causing another signed integer + overflow. Fix by separately checking for this case before the width + calculation. - Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + Closes #3984 + Reported-by: Brian Carpenter (Geeknik Labs) + Reviewed-by: Daniel Stenberg -Steve Holme (21 Apr 2019) -- vauth/cleartext: Don't send the authzid if it is empty +Daniel Stenberg (10 Jun 2019) +- wolfssl: refer to it as wolfSSL only - Follow up to 762a292f. - -Daniel Stenberg (21 Apr 2019) -- test 196,197,198: add 'retry' keyword [skip ci] + Remove support for, references to and use of "cyaSSL" from the source + and docs. wolfSSL is the current name and there's no point in keeping + references to ancient history. + + Assisted-by: Daniel Gustafsson + + Closes #3903 - RELEASE-NOTES: synced -- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - - ... and disconnect too old ones instead of trying to reuse. - - Default max age is set to 118 seconds. 
+- bindlocal: detect and avoid IP version mismatches in bind() - Ref: #3722 - Closes #3782 - -Daniel Gustafsson (20 Apr 2019) -- [Po-Chuan Hsieh brought this change] + Reported-by: Alex Grebenschikov + Fixes #3993 + Closes #4002 - altsvc: Fix building with cookies disables +- multi: make sure 'data' can present in several sockhash entries - ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if - check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is - disabled. Fix by splitting out the function into a separate file which can - be included where needed. + Since more than one socket can be used by each transfer at a given time, + each sockhash entry how has its own hash table with transfers using that + socket. - Closes #3717 - Reviewed-by: Daniel Gustafsson - Reviewed-by: Marcel Raad + In addition, the sockhash entry can now be marked 'blocked = TRUE'" + which then makes the delete function just set 'removed = TRUE' instead + of removing it "for real", as a way to not rip out the carpet under the + feet of a parent function that iterates over the transfers of that same + sockhash entry. + + Reported-by: Tom van der Woerdt + Fixes #3961 + Fixes #3986 + Fixes #3995 + Fixes #4004 + Closes #3997 -Daniel Stenberg (20 Apr 2019) -- test1002: correct the name [skip ci] +- [Sorcus brought this change] -- test660: verify CONNECT_ONLY with IMAP + libcurl-tutorial.3: Fix small typo (mutipart -> multipart) - which basically just makes sure LOGOUT is *not* issued on disconnect + Fixed-by: MrSorcus on github + Closes #4000 -- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" +- unpause: trigger a timeout for event-based transfers - Since the connection has been used by the "outside" we don't know the - state of it anymore and curl should not use it anymore. + ... so that timeouts or other state machine actions get going again + after a changing pause state. 
For example, if the last delivery was + paused there's no pending socket activity. - Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + Reported-by: sstruchtrup on github + Fixes #3994 + Closes #4001 + +Marcel Raad (9 Jun 2019) +- travis: use xenial LLVM package for scan-build - Closes #3795 + I missed that in commit 99a49d6. -- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) +- travis: update scan-build job to xenial - The list of names must be in sync with the defined states in the header - file! + Closes https://github.com/curl/curl/pull/3999 -Steve Holme (16 Apr 2019) -- openvms: Remove pre-processors for Windows as VMS cannot support them +Daniel Stenberg (8 Jun 2019) +- bump: start working on 7.65.2 -- openvms: Remove pre-processor for SecureTransport as VMS cannot support it +Marcel Raad (5 Jun 2019) +- examples/htmltitle: use C++ casts between pointer types - Fixes #3768 - Closes #3785 - -Jay Satiro (16 Apr 2019) -- TODO: Add issue link to an existing entry + Compilers and static analyzers warn about using C-style casts here. + + Closes https://github.com/curl/curl/pull/3975 -Daniel Stenberg (16 Apr 2019) -- RELEASE-NOTES: synced +- examples/fopen: fix comparison + + As want is size_t, (file->buffer_pos - want) is unsigned, so checking + if it's less than zero makes no sense. + Check if file->buffer_pos is less than want instead to avoid the + unsigned integer wraparound. + + Closes https://github.com/curl/curl/pull/3975 -Jay Satiro (16 Apr 2019) -- tool_help: Warn if curl and libcurl versions do not match +- build: fix Codacy warnings - .. because functionality may be affected if the versions differ. + Reduce variable scopes and remove redundant variable stores. - This commit implements TODO 18.7 "warning if curl version is not in sync - with libcurl version". 
+ Closes https://github.com/curl/curl/pull/3975 + +- sws: remove unused variables - Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + Unused since commit 2f44e94. - Closes https://github.com/curl/curl/pull/3774 + Closes https://github.com/curl/curl/pull/3975 -Steve Holme (16 Apr 2019) -- md5: Update the function signature following d84da52d +Version 7.65.1 (4 Jun 2019) -- md5: Forgot to update the code alignment in d84da52d +Daniel Stenberg (4 Jun 2019) +- RELEASE-NOTES: 7.65.1 -- md5: Return CURLcode from the internally accessible functions - - Following 28f826b3 to return CURLE_OK instead of numeric 0. +- THANKS: new contributors from 7.65.1 -Daniel Gustafsson (15 Apr 2019) -- tests: Run global cleanup at end of tests +Steve Holme (4 Jun 2019) +- [Frank Gevaerts brought this change] + + ssl: Update outdated "openssl-only" comments for supported backends - Make sure to run curl_global_cleanup() when shutting down the test - suite to release any resources allocated in the SSL setup. This is - clearly visible when running tests with PolarSSL where the thread - lock calloc() memory which isn't released when not running cleanup. - Below is an excerpt from the autobuild logs: + These are for features that used to be openssl-only but were expanded + over time to support other SSL backends. 
- ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 - ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) - ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) - ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup - (polarssl_threadlock.c:54) - ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) - ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) - ==12368== by 0x118B4C: global_init (easy.c:158) - ==12368== by 0x118BF5: curl_global_init (easy.c:221) - ==12368== by 0x118D0B: curl_easy_init (easy.c:299) - ==12368== by 0x114E96: test (lib1906.c:32) - ==12368== by 0x115495: main (first.c:174) + Closes #3985 + +Daniel Stenberg (4 Jun 2019) +- curl_share_setopt.3: improve wording [ci ship] - Closes #3783 - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg + Reported-by: Carlos ORyan -Marcel Raad (15 Apr 2019) -- travis: use mbedtls from Xenial +Steve Holme (4 Jun 2019) +- tool_parsecfg: Use correct return type for GetModuleFileName() - No need to build it from source anymore. + GetModuleFileName() returns a DWORD which is a typedef of an unsigned + long and not an int. - Closes https://github.com/curl/curl/pull/3779 + Closes #3980 -- travis: use libpsl from Xenial - - This makes building libpsl and libidn2 from source unnecessary and - removes the need for the autopoint and libunistring-dev packages. +Daniel Stenberg (3 Jun 2019) +- TODO: "at least N milliseconds between requests" [ci skip] - Closes https://github.com/curl/curl/pull/3779 + Suggested-by: dkwolfe4 on github + Closes #3920 -Daniel Stenberg (15 Apr 2019) -- runtests: start socksd like other servers +Steve Holme (2 Jun 2019) +- tests/server/.gitignore: Add socksd to the ignore list - ... without a $srcdir prefix. Triggered by the failures in several - autobuilds. + Missed in 04fd6755. 
- Closes #3781 + Closes #3978 -Daniel Gustafsson (14 Apr 2019) -- socksd: Fix typos +- tool_parsecfg: Fix control flow issue (DEADCODE) - Reviewed-by: Daniel Stenberg - -- socksd: Properly decorate static variables + Follow-up to 8144ba38. - Mark global variables static to avoid compiler warning in Clang when - using -Wmissing-variable-declarations. + Detected by Coverity CID 1445663 + Closes #3976 + +Daniel Stenberg (2 Jun 2019) +- [Sergey Ogryzkov brought this change] + + NTLM: reset proxy "multipass" state when CONNECT request is done - Closes #3778 - Reviewed-by: Daniel Stenberg + Closes #3972 -Steve Holme (14 Apr 2019) -- md(4|5): Fixed indentation oddities with the importation of replacement code +- test334: verify HTTP 204 response with chunked coding header - The indentation from 211d5329 and 57d6d253 was a little strange as - parts didn't align correctly, uses 4 spaces rather than 2. Checked - the indentation of the original source so it aligns, albeit, using - curl style. - -- md5: Code style to return CURLE_OK rather than numeric 0 + Verifies that a bodyless response don't parse this content-related + header. -- md5: Corrected code style for some pointer arguments +- [Michael Kaufmann brought this change] -Marcel Raad (13 Apr 2019) -- travis: update some builds to xenial + http: don't parse body-related headers bodyless responses - Xenial comes with more up-to-date software versions and more available - packages, some of which we currently build from source. Unfortunately, - some builds would fail with Xenial because of assertion failures in - Valgrind when using OpenSSL, so leave these at Trusty. + Responses with status codes 1xx, 204 or 304 don't have a response body. 
For + these, don't parse these headers: - Closes https://github.com/curl/curl/pull/3777 - -Daniel Stenberg (13 Apr 2019) -- test: make tests and test scripts use socksd for SOCKS + - Content-Encoding + - Content-Length + - Content-Range + - Last-Modified + - Transfer-Encoding - Make all SOCKS tests use socksd instead of ssh. - -- socksd: new SOCKS 4+5 server for tests + This change ensures that HTTP/2 upgrades work even if a + "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. - Closes #3752 + Co-authored-by: Daniel Stenberg + Closes #3702 + Fixes #3968 + Closes #3977 -- singleipconnect: show port in the verbose "Trying ..." message +- tls13-docs: mention it is only for OpenSSL >= 1.1.1 - To aid debugging better. + Reported-by: Jay Satiro + Co-authored-by: Jay Satiro + Fixes #3938 + Closes #3946 -- [tmilburn brought this change] +- dump-header.d: spell out that no headers == empty file [ci skip] + + Reported-by: wesinator at github + Fixes #3964 + Closes #3974 - CURLOPT_ADDRESS_SCOPE: fix range check and more +- singlesocket: use separate variable for inner loop - Commit 9081014 fixed most of the confusing issues between scope id and - scope however 844896d added bad limits checking assuming that the scope - is being set and not the scope id. + An inner loop within the singlesocket() function wrongly re-used the + variable for the outer loop which then could cause an infinite + loop. Change to using a separate variable! - I have fixed the documentation so it all refers to scope ids. + Reported-by: Eric Wu + Fixes #3970 + Closes #3973 + +- RELEASE-NOTES: synced + +- [Josie Huddleston brought this change] + + http2: Stop drain from being permanently set on - In addition Curl_if2ip refered to the scope id as remote_scope_id which - is incorrect, so I renamed it to local_scope_id. + Various functions called within Curl_http2_done() can have the + side-effect of setting the Easy connection into drain mode (by calling + drain_this()). 
However, the last time we unset this for a transfer (by + calling drained_transfer()) is at the beginning of Curl_http2_done(). + If the Curl_easy is reused for another transfer, it is then stuck in + drain mode permanently, which in practice makes it unable to write any + data in the new transfer. - Adjusted-by: Daniel Stenberg + This fix moves the last call to drained_transfer() to later in + Curl_http2_done(), after the functions that could potentially call for a + drain. - Closes #3655 - Closes #3765 - Fixes #3713 + Fixes #3966 + Closes #3967 + Reported-by: Josie-H -- urlapi: stricter CURLUPART_PORT parsing - - Only allow well formed decimal numbers in the input. - - Document that the number MUST be between 1 and 65535. +Steve Holme (29 May 2019) +- conncache: Remove the DEBUGASSERT on length check - Add tests to test 1560 to verify the above. + We trust the calling code as this is an internal function. - Ref: https://github.com/curl/curl/issues/3753 - Closes #3762 + Closes #3962 -Jay Satiro (13 Apr 2019) -- [Jan Ehrhardt brought this change] +Jay Satiro (29 May 2019) +- [Gisle Vanem brought this change] - winbuild: Support MultiSSL builds + system_win32: fix function prototype - - Remove the lines in winbuild/Makefile.vc that generate an error with - multiple SSL backends. + - Change if_nametoindex parameter type from char * to const char *. - - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL - backends are set. + Follow-up to 09eef8af from this morning. - Closes https://github.com/curl/curl/pull/3772 + Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 -Daniel Stenberg (12 Apr 2019) -- travis: remove mesalink builds (temporarily?) - - Since the mesalink build started to fail on travis, even though we build - a fixed release version, we disable it to prevent it from blocking - progress. 
+Marcel Raad (29 May 2019) +- appveyor: add Visual Studio solution build - Closes #3767 + Closes https://github.com/curl/curl/pull/3941 -- openssl: mark connection for close on TLS close_notify +- appveyor: add support for other build systems - Without this, detecting and avoid reusing a closed TLS connection - (without a previous GOAWAY) when doing HTTP/2 is tricky. + Introduce BUILD_SYSTEM variable, which is currently always CMake. - Reported-by: Tom van der Woerdt - Fixes #3750 - Closes #3763 - -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3941 -Steve Holme (11 Apr 2019) -- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 +Steve Holme (29 May 2019) +- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows - Functionally this doesn't change anything as we still use the username - for both the authorisation identity and the authentication identity. + This fixes the static dependency on iphlpapi.lib and allows curl to + build for targets prior to Windows Vista. - Closes #3757 - -Daniel Stenberg (11 Apr 2019) -- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage + This partially reverts 170bd047. - Based-on-code-by: Poul T Lomholt + Fixes #3960 + Closes #3958 -- url: always clone the CUROPT_CURLU handle - - Since a few code paths actually update that data. - - Fixes #3753 - Closes #3761 - - Reported-by: Poul T Lomholt +Daniel Stenberg (29 May 2019) +- http: fix "error: equality comparison with extraneous parentheses" -- CURLOPT_DNS_USE_GLOBAL_CACHE: remove +- parse_proxy: make sure portptr is initialized - Remove the code too. The functionality has been disabled in code since - 7.62.0. Setting this option will from now on simply be ignored and have - no function. 
+ Reported-by: Benbuck Nason - Closes #3654 + fixes #3959 -Marcel Raad (11 Apr 2019) -- travis: install libgnutls28-dev only for --with-gnutls build +- url: default conn->port to the same as conn->remote_port - Reduces the time needed for the other jobs a little. + ... so that it has a sensible value when ConnectionExists() is called which + needs it set to differentiate host "bundles" correctly on port number! - Closes https://github.com/curl/curl/pull/3721 - -- travis: install libnss3-dev only for --with-nss build + Also, make conncache:hashkey() use correct port for bundles that are proxy vs + host connections. - Reduces the time needed for the other jobs a little. + Probably a regression from 7.62.0 - Closes https://github.com/curl/curl/pull/3721 + Reported-by: Tom van der Woerdt + Fixes #3956 + Closes #3957 -- travis: install libssh2-dev only for --with-libssh2 build +- conncache: make "bundles" per host name when doing proxy tunnels - Reduces the time needed for the other jobs a little. + Only HTTP proxy use where multiple host names can be used over the same + connection should use the proxy host name for bundles. - Closes https://github.com/curl/curl/pull/3721 + Reported-by: Tom van der Woerdt + Fixes #3951 + Closes #3955 -- travis: install libssh-dev only for --with-libssh build +- multi: track users of a socket better - Reduces the time needed for the other jobs a little. + They need to be removed from the socket hash linked list with more care. - Closes https://github.com/curl/curl/pull/3721 - -- travis: install krb5-user only for --with-gssapi build + When sh_delentry() is called to remove a sockethash entry, remove all + individual transfers from the list first. To enable this, each Curl_easy struct + now stores a pointer to the sockethash entry to know how to remove itself. - Reduces the time needed for the other jobs a little. 
+ Reported-by: Tom van der Woerdt and Kunal Ekawde - Closes https://github.com/curl/curl/pull/3721 + Fixes #3952 + Fixes #3904 + Closes #3953 -- travis: install lcov only for the coverage job +Steve Holme (28 May 2019) +- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version - Reduces the time needed for the other jobs a little. + Microsoft added support for Unix Domain Sockets in Windows 10 1803 + (RS4). Rather than expect the user to enable Unix Domain Sockets by + uncommenting the #define that was added in 0fd6221f we use the RS4 + pre-processor variable that is present in newer versions of the + Windows SDK. - Closes https://github.com/curl/curl/pull/3721 + Closes #3939 -- travis: install clang only when needed - - This reduces the GCC job runtimes a little and it's needed to - selectively update clang builds to xenial. - - Closes https://github.com/curl/curl/pull/3721 +Daniel Stenberg (28 May 2019) +- [Jonas Vautherin brought this change] -- AppVeyor: enable testing for WinSSL build + cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables - Closes https://github.com/curl/curl/pull/3725 + Closes #3945 -- build: fix Codacy/CppCheck warnings +Marcel Raad (27 May 2019) +- HAProxy tests: add keywords - - remove unused variables - - declare conditionally used variables conditionally - - suppress unused variable warnings in the CMake tests - - remove dead variable stores - - consistently use WIN32 macro to detect Windows + Add the proxy and haproxy keywords in order to be able to exclude or + run these specific tests. 
- Closes https://github.com/curl/curl/pull/3739 + Closes https://github.com/curl/curl/pull/3949 -- polarssl_threadlock: remove conditionally unused code +Daniel Stenberg (27 May 2019) +- [Maksim Stsepanenka brought this change] + + tests: make test 1420 and 1406 work with rtsp-disabled libcurl - Make functions no-ops if neither both USE_THREADS_POSIX and - HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are - defined. Previously, if only one of them was defined, there was either - code compiled that did nothing useful or the wrong header included for - the functions used. - - Also, move POLARSSL_MUTEX_T define to implementation file as it's not - used externally. - - Closes https://github.com/curl/curl/pull/3739 + Closes #3948 -- lib557: initialize variables - - These variables are only conditionally initialized. - - Closes https://github.com/curl/curl/pull/3739 +Kamil Dudka (27 May 2019) +- [Hubert Kario brought this change] -- lib509: add missing include for strdup + nss: allow to specify TLS 1.3 ciphers if supported by NSS - Closes https://github.com/curl/curl/pull/3739 + Closes #3916 -- README.md: fix no-consecutive-blank-lines Codacy warning - - Consistently use one blank line between blocks. - - Closes https://github.com/curl/curl/pull/3739 +Daniel Stenberg (26 May 2019) +- RELEASE-NOTES: synced -- tests/server/util: fix Windows Unicode build +- [Jay Satiro brought this change] + + Revert all SASL authzid (new feature) commits - Always use the ANSI version of FormatMessage as we don't have the - curl_multibyte gear available here. + - Revert all commits related to the SASL authzid feature since the next + release will be a patch release, 7.65.1. 
- Closes https://github.com/curl/curl/pull/3758 - -Daniel Stenberg (11 Apr 2019) -- curl_easy_getinfo.3: fix minor formatting mistake - -Daniel Gustafsson (11 Apr 2019) -- xattr: skip unittest on unsupported platforms + Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined + for the next release, assuming it would be a feature release 7.66.0. + However instead the next release will be a patch release, 7.65.1 and + will not contain any new features. - The stripcredentials unittest fails to compile on platforms without - xattr support, for example the Solaris member in the buildfarm which - fails with the following: + After the patch release after the reverted commits can be restored by + using cherry-pick: - CC unit1621-unit1621.o - CC ../libtest/unit1621-first.o - CCLD unit1621 - Undefined first referenced - symbol in file - stripcredentials unit1621-unit1621.o - goto problem 2 - ld: fatal: symbol referencing errors. No output written to .libs/unit1621 - collect2: error: ld returned 1 exit status - gmake[2]: *** [Makefile:996: unit1621] Error 1 + git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 - Fix by excluding the test on such platforms by using the reverse - logic from where stripcredentials() is defined. + Details for all reverted commits: - Closes #3759 - Reviewed-by: Daniel Stenberg - -Steve Holme (11 Apr 2019) -- emailL Added reference to RFC8314 for implicit TLS - -- README: Schannel, stop calling it "winssl" + Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." - Stick to "Schannel" everywhere - follow up to 180501cb. - -Jakub Zakrzewski (10 Apr 2019) -- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use + This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. - This fixes GSSAPI builds with the libraries in a non-standard location. - The testing for recv() were failing because it failed to link - the Kerberos libraries, which are not needed for this or subsequent - tests. 
+ Revert "tests: Fix the line endings for the SASL alt-auth tests" - fixes #3743 - closes #3744 - -- cmake: avoid linking executable for some tests with cmake 3.6+ + This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. - With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() - (which is used by check_c_source_compiles()) will build static library - instead of executable. This avoids linking additional libraries in and thus - speeds up those checks a little. + Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" - This commit also avoids #3743 (GSSAPI build errors) on itself with cmake - 3.6 or above. That issue was fixed separately for all versions. + This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. - Ref: #3744 - -- cmake: minor cleanup + Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" - - Remove nneeded include_regular_expression. - It was setting what is already a default. + This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. - - Remove duplicated include. + Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" - - Don't check for pre-3.0.0 CMake version. - We already require at least 3.0.0, so it's just clutter. + This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. + +- [dbrowndan brought this change] + + FAQ: more minor updates and spelling fixes - Ref: #3744 + Closes #3937 -Steve Holme (8 Apr 2019) -- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ +- RELEASE-NOTES: synced -- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) +- sectransp: handle errSSLPeerAuthCompleted from SSLRead() + + Reported-by: smuellerDD on github + Fixes #3932 + Closes #3933 -- build-openssl.bat: Perform the install for each build type directly after the build +GitHub (24 May 2019) +- [Gisle Vanem brought this change] -- build-openssl.bat: Split the install of static and shared build types + Fix typo. 
-- build-openssl.bat: Split the building of static and shared build types +Daniel Stenberg (23 May 2019) +- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + + Reported-by: Marcel Raad + Fixes #3926 + Closes #3929 -- build-openssl.bat: Move the installation into a separate function +Steve Holme (23 May 2019) +- winbuild: Use two space indentation + + Closes #3930 -- build-openssl.bat: Move the build step into a separate function +GitHub (23 May 2019) +- [Gisle Vanem brought this change] -- build-openssl.bat: Move the OpenSSL configuration into a separate function + tool_parse_cfg: Avoid 2 fopen() for WIN32 + + Using the memdebug.h mem-leak feature, I noticed 2 calls like: + FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + + No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. -- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised +Daniel Stenberg (23 May 2019) +- md4: include the mbedtls config.h to get the MD4 info + +- md4: build correctly with openssl without MD4 - Should the parent environment set this variable then the build might - not be performed as the user intended. + Reported-by: elsamuko at github + Fixes #3921 + Closes #3922 -Daniel Stenberg (8 Apr 2019) -- socks: fix error message +Patrick Monnerat (23 May 2019) +- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
-- config.d: clarify that initial : and = might need quoting [skip ci] +Daniel Stenberg (23 May 2019) +- .github/FUNDING: mention our opencollective "home" [ci skip] + +Marcel Raad (23 May 2019) +- [Zenju brought this change] + + config-win32: add support for if_nametoindex and getsockname - Fixes #3738 - Closes #3749 + Closes https://github.com/curl/curl/pull/3923 -- RELEASE-NOTES: synced +Jay Satiro (23 May 2019) +- tests: Fix the line endings for the SASL alt-auth tests - bumped to 7.65.0 for next release + - Change data and protocol sections to CRLF line endings. + + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. + + Follow-up to a9499ff from today which added the tests. + + Ref: https://github.com/curl/curl/pull/3790 -- socks5: user name and passwords must be shorter than 256 +Daniel Stenberg (23 May 2019) +- url: fix bad #ifdef - bytes... since the protocol needs to store the length in a single byte field. + Regression since e91e48161235272ff485. - Reported-by: XmiliaH on github - Fixes #3737 - Closes #3740 + Reported-by: Tom Greenslade + Fixes #3924 + Closes #3925 -- [Jakub Zakrzewski brought this change] +- Revert "progress: CURL_DISABLE_PROGRESS_METER" + + This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. 
+ + Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + + CURLOPT_LOW_SPEED_TIME + + Reported-by: Dave Reisner + + Fixes #3927 + Closes #3928 - test: urlapi: urlencode characters above 0x7f correctly +Steve Holme (22 May 2019) +- examples: Added SASL PLAIN authorisation identity (authzid) examples -- [Jakub Zakrzewski brought this change] +- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - urlapi: urlencode characters above 0x7f correctly +- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - fixes #3741 - Closes #3742 + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. + + Fixed #3653 + Closes #3790 -- [Even Rouault brought this change] +Marc Hoersken (22 May 2019) +- tests: add support to test against OpenSSH for Windows + + Testing against OpenSSH for Windows requires v7.7.0.0 or newer + due to the use of AllowUsers and DenyUsers. 
For more info see: + https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config - multi_runsingle(): fix use-after-free +Daniel Stenberg (22 May 2019) +- bump: start on the next release + +Marcel Raad (22 May 2019) +- examples: fix "clarify calculation precedence" warnings - Fixes #3745 - Closes #3746 + Closes https://github.com/curl/curl/pull/3919 + +- hiperfifo: remove unused variable - The following snippet - ``` + Closes https://github.com/curl/curl/pull/3919 + +- examples: remove dead variable stores - int main() - { - CURL* hCurlHandle = curl_easy_init(); - curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); - curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); - curl_easy_perform(hCurlHandle); - curl_easy_cleanup(hCurlHandle); - return 0; - } - ``` - triggers the following Valgrind warning - - ``` - ==4125== Invalid read of size 8 - ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) - ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) - ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd - ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) - ==4125== by 0x4E62C36: conn_free (url.c:756) - ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) - ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) - ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Block was alloc'd at - ==4125== at 0x4C2F988: calloc 
(vg_replace_malloc.c:711) - ==4125== by 0x4E6438E: allocate_conn (url.c:1654) - ==4125== by 0x4E685B4: create_conn (url.c:3496) - ==4125== by 0x4E6968F: Curl_connect (url.c:4023) - ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ``` - - This has been bisected to commit 2f44e94 - - Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 - Credit to OSS Fuzz + Closes https://github.com/curl/curl/pull/3919 -- pipelining: removed - - As previously planned and documented in DEPRECATE.md, all pipelining - code is removed. +- examples: reduce variable scopes - Closes #3651 - -- [cclauss brought this change] + Closes https://github.com/curl/curl/pull/3919 - tests: make Impacket (SMB server) Python 3 compatible +- http2-download: fix format specifier - Closes #3731 - Fixes #3289 - -Marcel Raad (6 Apr 2019) -- [Simon Warta brought this change] + Closes https://github.com/curl/curl/pull/3919 - cmake: set SSL_BACKENDS - - This groups all SSL backends into the feature "SSL" and sets the - SSL_BACKENDS analogue to configure.ac +Daniel Stenberg (22 May 2019) +- PolarSSL: deprecate support step 1. Removed from configure. - Closes https://github.com/curl/curl/pull/3736 - -- [Simon Warta brought this change] - - cmake: don't run SORT on empty list + Also removed mentions from most docs. - In case of an empty list, SORTing leads to the cmake error "list - sub-command SORT requires list to be present." 
+ Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html - Closes https://github.com/curl/curl/pull/3736 - -Daniel Gustafsson (5 Apr 2019) -- [Eli Schwartz brought this change] + Closes #3888 - configure: fix default location for fish completions +- configure/cmake: check for if_nametoindex() - Fish defines a vendor completions directory for completions that are not - installed as part of the fish project itself, and the vendor completions - are preferred if they exist. This prevents trying to overwrite the - builtin curl.fish completion (or creating file conflicts in distro - packaging). + - adds the check to cmake - Prefer the pkg-config defined location exported by fish, if it can be - found, and fall back to the correct directory defined by most systems. + - fixes the configure check to work for cross-compiled windows builds - Closes #3723 - Reviewed-by: Daniel Gustafsson + Closes #3917 -Marcel Raad (5 Apr 2019) -- ftplistparser: fix LGTM alert "Empty block without comment" - - Removing the block is consistent with line 954/957. +- parse_proxy: use the IPv6 zone id if given - Closes https://github.com/curl/curl/pull/3732 - -- transfer: fix LGTM alert "Comparison is always true" + If the proxy string is given as an IPv6 numerical address with a zone + id, make sure to use that for the connect to the proxy. - Just remove the redundant condition, which also makes it clear that - k->buf is always 0-terminated if this break is not hit. + Reported-by: Edmond Yu - Closes https://github.com/curl/curl/pull/3732 + Fixes #3482 + Closes #3918 -Jay Satiro (4 Apr 2019) -- [Rikard Falkeborn brought this change] +Version 7.65.0 (22 May 2019) - smtp: fix compiler warning +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release + +- THANKS: from the 7.65.0 release-notes + +- url: convert the zone id from a IPv6 URL to correct scope id - - Fix clang string-plus-int warning. 
+ Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 + +- configure: detect getsockname and getpeername on windows too - Clang 8 warns about adding a string to an int does not append to the - string. Indeed it doesn't, but that was not the intention either. Use - array indexing as suggested to silence the warning. There should be no - functional changes. + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. - (In other words clang warns about "foo"+2 but not &"foo"[2] so use the - latter.) + Follow-up to e91e4816123 - smtp.c:1221:29: warning: adding 'int' to a string does not append to the - string [-Wstring-plus-int] - eob = strdup(SMTP_EOB + 2); - ~~~~~~~~~~~~~~~~^~~~ + Fixes #3913 + Closes #3915 + +Marcel Raad (21 May 2019) +- examples: remove unused variables - Closes https://github.com/curl/curl/pull/3729 + Fixes Codacy/CppCheck warnings. + + Closes -Marcel Raad (4 Apr 2019) -- VS projects: use Unicode for VC10+ +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused - All Windows APIs have been natively UTF-16 since Windows 2000 and the - non-Unicode variants are just wrappers around them. Only Windows 9x - doesn't understand Unicode without the UnicoWS DLL. As later Visual - Studio versions cannot target Windows 9x anyway, using the ANSI API - doesn't really have any benefit there. + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. - This avoids issues like KNOWN_BUGS 6.5. 
+ Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg + +- ftp: move ftp_ccc in under featureflag - Ref: https://github.com/curl/curl/issues/2120 - Closes https://github.com/curl/curl/pull/3720 + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. + + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad -Daniel Gustafsson (3 Apr 2019) -- RELEASE-NOTES: synced +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options - Bump the version in progress to 7.64.2, if we merge any "change" - before the cut-off date we can update the version. + Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 -- [Tim Rühsen brought this change] +- [Guy Poizat brought this change] - documentation: Fix several typos + mbedtls: enable use of EC keys - Closes #3724 - Reviewed-by: Jakub Zakrzewski - Reviewed-by: Daniel Gustafsson - -Jay Satiro (2 Apr 2019) -- [Mert Yazıcıoğlu brought this change] + Closes #3892 - vauth/oauth2: Fix OAUTHBEARER token generation +- lib1560: add tests for parsing URL with too long scheme - OAUTHBEARER tokens were incorrectly generated in a format similar to - XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the - RFC7628. + Ref: #3905 + +- [Omar Ramadan brought this change] + + urlapi: increase supported scheme length to 40 bytes - Fixes: #2487 - Reported-by: Paolo Mossino + The longest currently registered URI scheme at IANA is 36 bytes long. 
- Closes https://github.com/curl/curl/pull/3377 + Closes #3905 + Closes #3900 -Marcel Raad (2 Apr 2019) -- tool_cb_wrt: fix bad-function-cast warning +Marcel Raad (20 May 2019) +- lib: reduce variable scopes - Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the - warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. - Extend fhnd's scope and reuse that variable instead of calling - _get_osfhandle a second time to fix the warning again. + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3718 + Closes https://github.com/curl/curl/pull/3872 -- VC15 project: remove MinimalRebuild +- tool_formparse: remove redundant assignment - Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the - library project, but I forgot the tool project template. Now also - removed for that. + Just initialize word_begin with the correct value. + + Closes https://github.com/curl/curl/pull/3873 -Dan Fandrich (1 Apr 2019) -- cirrus: Customize the disabled tests per FreeBSD version +- ssh: move variable declaration to where it's used - Try to run as many test cases as possible on each OS version. - 12.0 passes 13 more tests than the older versions, so we might as well - run them. + This way, we need only one call to free. + + Closes https://github.com/curl/curl/pull/3873 -Daniel Stenberg (1 Apr 2019) -- tool_help: include for strcasecmp +- ssh-libssh: remove unused variable - Reported-by: Wyatt O'Day - Fixes #3715 - Closes #3716 + sock was only used to be assigned to fd_read. + + Closes https://github.com/curl/curl/pull/3873 -Daniel Gustafsson (31 Mar 2019) -- scripts: fix typos +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix -Dan Fandrich (28 Mar 2019) -- travis: allow builds on branches named "ci" - - This allows a way to test changes other than through PRs. 
- -Daniel Stenberg (27 Mar 2019) -- [Brad Spencer brought this change] - - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries +- tftp: use the current blksize for recvfrom() - Closes #3699 + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 -- multi: improved HTTP_1_1_REQUIRED handling +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl - Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error - on first flight. + When running a multi TLS backend build the version string needs more + buffer space. Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. - Reported-by: niner on github - Fixes #3696 - Closes #3707 - -- [Leonardo Taccari brought this change] + Closes #3875 + Reviewed-by: Daniel Stenberg - configure: avoid unportable `==' test(1) operator +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request - Closes #3709 - -Version 7.64.1 (27 Mar 2019) - -Daniel Stenberg (27 Mar 2019) -- RELEASE: 7.64.1 - -- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). - This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. 
- Fixes #3708 - -- [Christian Schmitz brought this change] + Missed in fe6049f0. - ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set +- http_ntlm_wb: Cleanup handshake after clean NTLM failure - Closes #3704 + Missed in 50b87c4e. -Jay Satiro (26 Mar 2019) -- tool_cb_wrt: fix writing to Windows null device NUL - - - Improve console detection. +- http_ntlm_wb: Return the correct error on receiving an empty auth message - Prior to this change WriteConsole could be called to write to a handle - that may not be a console, which would cause an error. This issue is - limited to character devices that are not also consoles such as the null - device NUL. + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. - Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 - Reported-by: Gisle Vanem - -- CURLMOPT_PIPELINING.3: fix typo + Closes #3894 -Daniel Stenberg (25 Mar 2019) -- TODO: config file parsing +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl - Closes #3698 + Closes #3844 -Jay Satiro (24 Mar 2019) -- os400: Disable Alt-Svc by default since it's experimental - - Follow-up to 520f0b4 which added Alt-Svc support and enabled it by - default for OS400. Since the feature is experimental, it should be - disabled by default. - - Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 - Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html - - Closes https://github.com/curl/curl/pull/3688 +- libcurl: #ifdef away more code for disabled features/protocols -Dan Fandrich (24 Mar 2019) -- tests: Fixed XML validation errors in some test files. +- progress: CURL_DISABLE_PROGRESS_METER -- tests: Fix some incorrect precheck error messages. 
- - [ci skip] +- hostip: CURL_DISABLE_SHUFFLE_DNS -Daniel Stenberg (22 Mar 2019) -- curl_url.3: this is not experimental anymore +- netrc: CURL_DISABLE_NETRC -- travis: bump the used wolfSSL version to 4.0.0 - - Test 311 is now fine, leaving only 313 (CRL) disabled. - - Test 313 details can be found here: - https://github.com/wolfSSL/wolfssl/issues/1546 +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] - Closes #3697 - -Daniel Gustafsson (22 Mar 2019) -- lib: Fix typos in comments + Approved-by: Daniel Stenberg + Closes #3896 -David Woodhouse (20 Mar 2019) -- openssl: if cert type is ENG and no key specified, key is ENG too +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] - Fixes #3692 - Closes #3692 + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 -Daniel Stenberg (20 Mar 2019) -- sectransp: tvOS 11 is required for ALPN support +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build - Reported-by: nianxuejie on github - Assisted-by: Nick Zitzmann - Assisted-by: Jay Satiro - Fixes #3689 - Closes #3690 + Closes #3887 -- test1541: threaded connection sharing - - The threaded-shared-conn.c example turned into test case. Only works if - pthread was detected. - - An attempt to detect future regressions such as e3a53e3efb942a5 +- cleanup: remove FIXME and TODO comments - Closes #3687 - -Patrick Monnerat (17 Mar 2019) -- os400: alt-svc support. + They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. - Although experimental, enable it in the platform config file. - Upgrade ILE/RPG binding. 
+ Ref: #3876 + Closes #3883 -Daniel Stenberg (17 Mar 2019) -- conncache: use conn->data to know if a transfer owns it +- curl: don't set FTP options for FTP-disabled builds - - make sure an already "owned" connection isn't returned unless - multiplexed. + ... since libcurl has started to be totally unaware of options for + disabled protocols they now return error. - - clear ->data when returning the connection to the cache again + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 - Regression since 7.62.0 (probably in commit 1b76c38904f0) + Reported-by: Marcel Raad + Closes #3886 + +Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function - Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + This brings the code inline with the other HTTP authentication mechanisms. - Closes #3686 + Closes #3890 +Daniel Stenberg (15 May 2019) - RELEASE-NOTES: synced -- [Chris Young brought this change] +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] - configure: add --with-amissl - - AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. - It also requires all programs using it to use bsdsocket.library - directly, rather than accessing socket functions through clib, which - libcurl was not necessarily doing previously. Configure will now check - for the headers and ensure they are included if found. +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] - Closes #3677 - -- [Chris Young brought this change] + Reported-by: Roy Bellingan + Bug: #3885 - vtls: rename some of the SSL functions +- parse_proxy: use the URL parser API - ... in the SSL structure as AmiSSL is using macros for the socket API - functions. - -- [Chris Young brought this change] + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. 
+ + Closes #3878 - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure + + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. + + Closes #3882 -- [Chris Young brought this change] +- http_ntlm: Move the NTLM state out of the ntlmdata structure + + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. - tool_operate: build on AmigaOS +- url: Move the negotiate state type into a dedicated enum -- makefile: make checksrc and hugefile commands "silent" +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - ... to match the style already used for compiling, linking - etc. Acknowledges 'make V=1' to enable verbose. + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). - Closes #3681 + Closes #3881 -- curl.1: --user and --proxy-user are hidden from ps output +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL - Suggested-by: Eric Curtin - Improved-by: Dan Fandrich - Ref: #3680 + Updated test 1560 to verify. - Closes #3683 + Closes #3880 -- curl.1: mark the argument to --cookie as - - From a discussion in #3676 +- configure: error out if OpenSSL wasn't detected when asked for - Suggested-by: Tim Rühsen + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. - Closes #3682 + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 -Dan Fandrich (14 Mar 2019) -- fuzzer: Only clone the latest fuzzer code, for speed. 
+Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment -Daniel Stenberg (14 Mar 2019) -- [Dominik Hölzl brought this change] +Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() + + No need to set variables to zero as calloc() does this for us. + + Closes #3879 - Negotiate: fix for HTTP POST with Negotiate +Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - * Adjusted unit tests 2056, 2057 - * do not generally close connections with CURLAUTH_NEGOTIATE after every request - * moved negotiatedata from UrlState to connectdata - * Added stream rewind logic for CURLAUTH_NEGOTIATE - * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC - * Consider authproblem state for CURLAUTH_NEGOTIATE - * Consider reuse_forbid for CURLAUTH_NEGOTIATE - * moved and adjusted negotiate authentication state handling from - output_auth_headers into Curl_output_negotiate - * Curl_output_negotiate: ensure auth done is always set - * Curl_output_negotiate: Set auth done also if result code is - GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may - also indicate the last challenge request (only works with disabled - Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) - * Consider "Persistent-Auth" header, detect if not present; - Reset/Cleanup negotiate after authentication if no persistent - authentication - * apply changes introduced with #2546 for negotiate rewind logic - - Fixes #1261 - Closes #1975 - -- [Marc Schlatter brought this change] + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 - http: send payload when (proxy) authentication is done - - The check that prevents payload from sending in case of authentication - doesn't check properly if the authentication is done or not. 
+Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow - They're cases where the proxy respond "200 OK" before sending - authentication challenge. This change takes care of that. + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. - Fixes #2431 - Closes #3669 + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg -- file: fix "Checking if unsigned variable 'readcount' is less than zero." +Daniel Stenberg (13 May 2019) +- RELEASE-NOTES: synced + +- appveyor: also build "/ci" branches like travis + +- pingpong: disable more when no pingpong enabled + +- proxy: acknowledge DISABLE_PROXY more + +- parsedate: CURL_DISABLE_PARSEDATE + +- sasl: only enable if there's a protocol enabled using it + +- mime: acknowledge CURL_DISABLE_MIME + +- wildcard: disable from build when FTP isn't present + +- http: CURL_DISABLE_HTTP_AUTH + +- base64: build conditionally if there are users + +- doh: CURL_DISABLE_DOH + +Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions - Pointed out by codacy + For consistency and to a avoid confusion. - Closes #3672 + Closes #3869 -- memdebug: log pointer before freeing its data +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] + + docs/INSTALL: fix broken link [ci skip] - Coverity warned for two potentional "Use after free" cases. Both are false - positives because the memory wasn't used, it was only the actual pointer - value that was logged. + Reported-by: Joombalaya on github + Fixes #3818 + +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning - The fix still changes the order of execution to avoid the warnings. 
+ I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + +- build: fix "clarify calculation precedence" warnings - Coverity CID 1443033 and 1443034 + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. - Closes #3671 - -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3866 -Marcel Raad (12 Mar 2019) -- travis: actually use updated compiler versions - - For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the - new GCC versions were only used for the coverage build and for building - nghttp2, while the new clang version was not used at all. +- cmake: restore C89 compatibility of CurlTests.c - BoringSSL needs to use the default GCC as it respects CC, but not CXX, - so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. - Also remove GCC 7, it's not needed anymore. + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 + +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard - Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + Missed in f0bdd72c. - Closes https://github.com/curl/curl/pull/3670 + Closes #3867 -- travis: update clang to version 7 +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - Closes https://github.com/curl/curl/pull/3670 + Closes #3861 -Jay Satiro (11 Mar 2019) -- [Andre Guibert de Bruet brought this change] +- http_negotiate: Don't expose functions when HTTP is disabled - examples/externalsocket: add missing close socket calls +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] + +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings - .. 
and for Windows also call WSACleanup since we call WSAStartup. + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work - The example is to demonstrate handling the socket independently of - libcurl. In this case libcurl is not responsible for creating, opening - or closing the socket, it is handled by the application (our example). + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. - Fixes https://github.com/curl/curl/pull/3663 + Limitation added to KNOWN_BUGS. + + Fixes #3850 + Closes #3857 -Daniel Stenberg (11 Mar 2019) -- multi: removed unused code for request retries +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples - This code was once used for the non multi-interface using code path, but - ever since easy_perform was turned into a wrapper around the multi - interface, this code path never runs. + .. because we allow snprintf use in docs/examples. - Closes #3666 + Closes https://github.com/curl/curl/pull/3862 -Jay Satiro (11 Mar 2019) -- doh: inherit some SSL options from user's easy handle - - - Inherit SSL options for the doh handle but not SSL client certs, - SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, - SSL pinned public key, SSL ciphers, SSL id cache setting, - SSL kerberos or SSL gss-api settings. +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - - Fix inheritance of verbose setting. + ...and misalignment of these comments. From a78c61a4. - - Inherit NOSIGNAL. + Closes #3860 + +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" - There is no way for the user to set options for the doh (DNS-over-HTTPS) - handles and instead we inherit some options from the user's easy handle. + This reverts commit b0972bc. 
- My thinking for the SSL options not inherited is they are most likely - not intended by the user for the DOH transfer. I did inherit insecure - because I think that should still be in control of the user. + - No longer show verbose output for the conncache closure handle. - Prior to this change doh did not work for me because CAINFO was not - inherited. Also verbose was set always which AFAICT was a bug (#3660). + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. - Fixes https://github.com/curl/curl/issues/3660 - Closes https://github.com/curl/curl/pull/3661 - -Daniel Stenberg (9 Mar 2019) -- test331: verify set-cookie for dotless host name + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. - Reproduced bug #3649 - Closes #3659 - -- Revert "cookies: extend domain checks to non psl builds" + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. - This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. 
- Regression shipped in 7.64.0 - Fixes #3649 - -- memdebug: make debug-specific functions use curl_dbg_ prefix + Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch - To not "collide" or use up the regular curl_ name space. Also makes them - easier to detect in helper scripts. + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 - Closes #3656 + Closes https://github.com/curl/curl/pull/3856 -- cmdline-opts/proxytunnel.d: the option tunnnels all protocols - - Clarify the language and simplify. +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - Reported-by: Daniel Lublin - Closes #3658 - -- KNOWN_BUGS: Client cert (MTLS) issues with Schannel + From 6012fa5a. - Closes #3145 - -- ROADMAP: updated to some more current things to work on + Closes #3858 -- tests: fix multiple may be used uninitialized warnings +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] - RELEASE-NOTES: synced -- source: fix two 'nread' may be used uninitialized warnings - - Both seem to be false positives but we don't like warnings. +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - Closes #3646 + Closes #3839 -- gopher: remove check for path == NULL - - Since it can't be NULL and it makes Coverity believe we lack proper NULL - checks. Verified by test 659, landed in commit 15401fa886b. +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal - Pointed out by Coverity CID 1442746. + Fixes #3726 + Closes #3849 + +- spnego_gssapi: fix return code on gss_init_sec_context() failure - Assisted-by: Dan Fandrich - Fixes #3617 - Closes #3642 + Fixes #3726 + Closes #3849 -- examples: only include +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command - That's the only public curl header we should encourage use of. 
+ There is need to use @ on every command once echo has been turned off. - Reviewed-by: Marcel Raad - Closes #3645 + Closes #3854 -- ssh: loop the state machine if not done and not blocking - - If the state machine isn't complete, didn't fail and it didn't return - due to blocking it can just as well loop again. - - This addresses the problem with SFTP directory listings where we would - otherwise return back to the parent and as the multi state machine - doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the - doing phase isn't complete, it would return out when in reality there - was more data to deal with. +Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies - Fixes #3506 - Closes #3644 - -Jay Satiro (5 Mar 2019) -- multi: support verbose conncache closure handle + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. - - Change closure handle to receive verbose setting from the easy handle - most recently added via curl_multi_add_handle. + We already do something similar for HTTPS proxies by not sending h2. [1] - The closure handle is a special easy handle used for closing cached - connections. It receives limited settings from the easy handle most - recently added to the multi handle. Prior to this change that did not - include verbose which was a problem because on connection shutdown - verbose mode was not acknowledged. + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. 
- Ref: https://github.com/curl/curl/pull/3598 + [1]: https://github.com/curl/curl/commit/17c5d05 - Co-authored-by: Daniel Stenberg + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 - Closes https://github.com/curl/curl/pull/3618 + Closes https://github.com/curl/curl/pull/3853 -Daniel Stenberg (4 Mar 2019) -- CURLU: fix NULL dereference when used over proxy +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial - Test 659 verifies + Closes https://github.com/curl/curl/pull/3842 + +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] + + OpenSSL: Report -fips in version if OpenSSL is built with FIPS - Also fixed the test 658 name + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. This + only appears to be applicable in versions of OpenSSL <1.1.1 - Closes #3641 + Closes #3771 -- altsvc_out: check the return code from Curl_gmtime +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] + + nss: allow fifos and character devices for certificates. - Pointed out by Coverity, CID 1442956. + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. - Closes #3640 - -- docs/ALTSVC.md: docs describing the approach + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. 
- Closes #3498 - -- alt-svc: add a travis build - -- alt-svc: add test 355 and 356 to verify with command line curl - -- alt-svc: the curl command line bits + Closes #3807 -- alt-svc: the libcurl bits +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description -- travis: add build using gnutls +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) - Closes #3637 - -- RELEASE-NOTES: synced + Closes #3846 -- [Simon Legner brought this change] +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files - scripts/completion.pl: also generate fish completion file - - This is the renamed script formerly known as zsh.pl +- makedebug: Fix ERRORLEVEL detection after running where.exe - Closes #3545 + Closes #3838 -- gnutls: remove call to deprecated gnutls_compression_get_name +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get - It has been deprecated by GnuTLS since a year ago and now causes build - warnings. + The zoneid can be used with IPv6 numerical addresses. - Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f - Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + Updated test 1560 to verify. - Closes #3636 + Closes #3834 -Jay Satiro (2 Mar 2019) -- system_win32: move win32_init here from easy.c - - .. since system_win32 is a more appropriate location for the functions - and to extern the globals. 
- - Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 - Reported-by: Gisle Vanem - - Closes https://github.com/curl/curl/pull/3625 +- [Taiyu Len brought this change] -Daniel Stenberg (1 Mar 2019) -- curl_easy_duphandle.3: clarify that a duped handle has no shares - - Reported-by: Sara Golemon + WRITEFUNCTION: add missing set_in_callback around callback - Fixes #3592 - Closes #3634 - -- 10-at-a-time.c: fix too long line + Closes #3837 -- [Arnaud Rebillout brought this change] +- RELEASE-NOTES: synced - examples: various fixes in ephiperfifo.c - - The main change here is the timer value that was wrong, it was given in - usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * - 1000). This resulted in the callback being invoked WAY TOO OFTEN. +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - As a quick check you can run this command before and after applying this - commit: + Reported-by: Ricardo Gomes - # shell 1 - ./ephiperfifo 2>&1 | tee ephiperfifo.log - # shell 2 - echo http://hacking.elboulangero.com > hiper.fifo + Bug: #3537 + Closes #3836 + +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - Then just compare the size of the logs files. + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. - Closes #3633 - Fixes #3632 - 
Signed-off-by: Arnaud Rebillout + Fixes #3829 + Closes #3835 -- urldata: simplify bytecounters +- OS400/ccsidcurl.c: code style fixes + +- OS400/ccsidcurl: replace use of Curl_vsetopt - - no need to have them protocol specific + (and make the code style comply) - - no need to set pointers to them with the Curl_setup_transfer() call + Fixes #3833 + +- urlapi: strip off scope id from numerical IPv6 addresses - - make Curl_setup_transfer() operate on a transfer pointer, not - connection + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. - - switch some counters from long to the more proper curl_off_t type + Also makes curl_url_set() syntax check CURLUPART_HOST. - Closes #3627 + Fixes #3817 + Closes #3822 -- examples/10-at-a-time.c: improve readability and simplify - - - use better variable names to explain their purposes - - convert logic to curl_multi_wait() +- RELEASE-NOTES: synced -- threaded-resolver: shutdown the resolver thread without error message +- multiif.h: remove unused protos - When a transfer is done, the resolver thread will be brought down. That - could accidentally generate an error message in the error buffer even - though this is not an error situationand the transfer would still return - OK. An application that still reads the error buffer could find a - "Could not resolve host: [host name]" message there and get confused. + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. - Reported-by: Michael Schmid - Fixes #3629 - Closes #3630 + Closes #3828 -- [Ԝеѕ brought this change] +- [Yiming Jing brought this change] - docs: update max-redirs.d phrasing - - clarify redir - "in absurdum" doesn't seem to make sense in this context + travis: mesalink: temporarily disable test 3001 - Closes #3631 + ... 
due to SHA-1 signatures in test certs -- ssh: fix Condition '!status' is always true +- [Yiming Jing brought this change] + + travis: upgrade the MesaLink TLS backend to v1.0.0 - in the same sftp_done function in both SSH backends. Simplify them - somewhat. + Closes #3823 + Closes #3776 + +- ConnectionExists: improve non-multiplexing use case - Pointed out by Codacy. + - better log output - Closes #3628 + - make sure multiplex is enabled for it to be used -- test578: make it read data from the correct test +- multi: provide Curl_multiuse_state to update information + + As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. -- Curl_easy: remove req.maxfd - never used! +- process_pending_handles: mark queued transfers as previously pending - Introduced in 8b6314ccfb, but not used anymore in current code. Unclear - since when. + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. + +- http: mark bundle as not for multiuse on < HTTP/2 response - Closes #3626 + Fixes #3813 + Closes #3815 -- http: set state.infilesize when sending formposts +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref - Without it set, we would unwillingly triger the "HTTP error before end - of send, stop sending" condition even if the entire POST body had been - sent (since it wouldn't know the expected size) which would - unnecessarily log that message and close the connection when it didn't - have to. 
+ In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. - Reported-by: Matt McClure - Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html - Closes #3624 - -- INSTALL: refer to the current TLS library names and configure options - -- FAQ: minor updates and spelling fixes + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg -- GOVERNANCE.md: minor spelling fixes +Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings -- Secure Transport: no more "darwinssl" - - Everyone calls it Secure Transport, now we do too. - - Reviewed-by: Nick Zitzmann +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init - Closes #3619 + Closes #3808 -Marcel Raad (27 Feb 2019) -- AppVeyor: add classic MinGW build - - But use the MSYS2 shell rather than the default MSYS shell because of - POSIX path conversion issues. Classic MinGW is only available on the - Visual Studio 2015 image. - - Closes https://github.com/curl/curl/pull/3623 +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] -- AppVeyor: add MinGW-w64 build - - Add a MinGW-w64 build using CMake's MSYS Makefiles generator. - Use the Visual Studio 2015 image as it has GCC 8, while the - Visual Studio 2017 image only has GCC 7.2. + docs: minor polish to the bug bounty / security docs - Closes https://github.com/curl/curl/pull/3623 + Closes #3811 -Daniel Stenberg (27 Feb 2019) -- cookies: only save the cookie file if the engine is enabled - - Follow-up to 8eddb8f4259. +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - If the cookieinfo pointer is NULL there really is nothing to save. + This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). 
- Without this fix, we got a problem when a handle was using shared object - with cookies and is told to "FLUSH" it to file (which worked) and then - the share object was removed and when the easy handle was closed just - afterwards it has no cookieinfo and no cookies so it decided to save an - empty jar (overwriting the file just flushed). + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. - Test 1905 now verifies that this works. + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. - Assisted-by: Michael Wallner - Assisted-by: Marcel Raad + Test 1559 verifies. - Closes #3621 + Closes #3805 -- [DaVieS brought this change] +- [Tseng Jun brought this change] - cacertinmem.c: use multiple certificates for loading CA-chain + curlver.h: use parenthesis in CURL_VERSION_BITS macro - Closes #3421 + Closes #3809 -- urldata: convert bools to bitfields and move to end - - This allows the compiler to pack and align the structs better in - memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 - makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. - - Removed an unused struct field. - - No functionality changes. +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] + + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP - Closes #3610 + Closes https://github.com/curl/curl/pull/3769 -- [Don J Olmstead brought this change] +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 - curl.h: use __has_declspec_attribute for shared builds +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 - Closes #3616 + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. 
-- curl: display --version features sorted alphabetically +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item - Closes #3611 + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. -- runtests: detect "schannel" as an alias for "winssl" - - Follow-up to 180501cb02 - - Reported-by: Marcel Raad - Fixes #3609 - Closes #3620 +- [Aron Bergman brought this change] -Marcel Raad (26 Feb 2019) -- AppVeyor: update to Visual Studio 2017 + INTERNALS: Add structs to ToC - Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a - moving target anymore as the last update, Update 9, has been released. + Add the subsections under "Structs in libcurl" to the table of contents. - Closes https://github.com/curl/curl/pull/3606 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -- AppVeyor: switch VS 2015 builds to VS 2017 image - - The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. - - Closes https://github.com/curl/curl/pull/3606 +- [Aron Bergman brought this change] -- AppVeyor: explicitly select worker image + INTERNALS: Add code highlighting - Currently, we're using the default Visual Studio 2015 image for - everything. + Make all struct members under the Curl_handler section + print in monospace font. - Closes https://github.com/curl/curl/pull/3606 + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (26 Feb 2019) -- strerror: make the strerror function use local buffers - - Instead of using a fixed 256 byte buffer in the connectdata struct. +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] - In my build, this reduces the size of the connectdata struct by 11.8%, - from 2160 to 1904 bytes with no functionality or performance loss. 
+ Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. - This also fixes a bug in schannel's Curl_verify_certificate where it - called Curl_sspi_strerror when it should have called Curl_strerror for - string from GetLastError. the only effect would have been no text or the - wrong text being shown for the error. + Assisted-by: Daniel Gustafsson - Co-authored-by: Jay Satiro + Closes #3488 + +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - Closes #3612 + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. -- [Michael Wallner brought this change] +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] - cookies: fix NULL dereference if flushing cookies with no CookieInfo set + memdebug: fix variable name - Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. - Closes #3613 + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 -Marcel Raad (26 Feb 2019) -- AppVeyor: re-enable test 500 - - It's passing now. +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty - Closes https://github.com/curl/curl/pull/3615 + Follow up to 762a292f. -- AppVeyor: remove redundant builds - - Remove the Visual Studio 2012 and 2013 builds as they add little value. 
- - Ref: https://github.com/curl/curl/pull/3606 - Closes https://github.com/curl/curl/pull/3614 +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] -Daniel Stenberg (25 Feb 2019) - RELEASE-NOTES: synced -- [Bernd Mueller brought this change] - - OpenSSL: add support for TLS ASYNC state +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - Closes #3591 - -Jay Satiro (25 Feb 2019) -- [Michael Felt brought this change] - - acinclude: add additional libraries to check for LDAP support + ... and disconnect too old ones instead of trying to reuse. - - Add an additional check for LDAP that also checks for OpenSSL since - on AIX those libraries may be required to link LDAP properly. + Default max age is set to 118 seconds. - Fixes https://github.com/curl/curl/issues/3595 - Closes https://github.com/curl/curl/pull/3596 + Ref: #3722 + Closes #3782 -- [Giorgos Oikonomou brought this change] +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] - schannel: support CALG_ECDH_EPHEM algorithm + altsvc: Fix building with cookies disables - Add support for Ephemeral elliptic curve Diffie-Hellman key exchange - algorithm option when selecting ciphers. This became available on the - Win10 SDK. + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. Fix by splitting out the function into a separate file which can + be included where needed. - Closes https://github.com/curl/curl/pull/3608 + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad -Daniel Stenberg (24 Feb 2019) -- multi: call multi_done on connect timeouts - - Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get - updated correctly and could end up getting reported to the application - completely wrong (way too small). 
+Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] + +- test660: verify CONNECT_ONLY with IMAP - Reported-by: accountantM on github - Fixes #3602 - Closes #3605 + which basically just makes sure LOGOUT is *not* issued on disconnect -- examples: remove recursive calls to curl_multi_socket_action +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - From within the timer callbacks. Recursive is problematic for several - reasons. They should still work, but this way the examples and the - documentation becomes simpler. I don't think we need to encourage - recursive calls. + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. - Discussed in #3537 - Closes #3601 + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + + Closes #3795 -Marcel Raad (23 Feb 2019) -- configure: remove CURL_CHECK_FUNC_FDOPEN call +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) - The macro itself has been removed in commit - 11974ac859c5d82def59e837e0db56fef7f6794e. + The list of names must be in sync with the defined states in the header + file! + +Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them + +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it - Closes https://github.com/curl/curl/pull/3604 + Fixes #3768 + Closes #3785 -Daniel Stenberg (23 Feb 2019) -- wolfssl: stop custom-adding curves +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry + +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced + +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match - since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in - wolfSSL 3.10.2 and later) it sends these curves by default already. + .. because functionality may be affected if the versions differ. 
- Pointed-out-by: David Garske + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". - Closes #3599 - -- configure: remove the unused fdopen macro + Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 - and the two remaining #ifdefs for it + Closes https://github.com/curl/curl/pull/3774 + +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d + +- md5: Forgot to update the code alignment in d84da52d + +- md5: Return CURLcode from the internally accessible functions - Closes #3600 + Following 28f826b3 to return CURLE_OK instead of numeric 0. -Jay Satiro (22 Feb 2019) -- url: change conn shutdown order to unlink data as last step +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests - - Split off connection shutdown procedure from Curl_disconnect into new - function conn_shutdown. + Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. + Below is an excerpt from the autobuild logs: - - Change the shutdown procedure to close the sockets before - disassociating the transfer. 
+ ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) - Prior to this change the sockets were closed after disassociating the - transfer so SOCKETFUNCTION wasn't called since the transfer was already - disassociated. That likely came about from recent work started in - Jan 2019 (#3442) to separate transfers from connections. + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg + +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial - Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html - Reported-by: Pavel Löbl + No need to build it from source anymore. - Closes https://github.com/curl/curl/issues/3597 - Closes https://github.com/curl/curl/pull/3598 + Closes https://github.com/curl/curl/pull/3779 -Marcel Raad (22 Feb 2019) -- Fix strict-prototypes GCC warning +- travis: use libpsl from Xenial - As seen in the MinGW autobuilds. Caused by commit - f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. - -Dan Fandrich (21 Feb 2019) -- tests: Fixed XML validation errors in some test files. - -Daniel Stenberg (20 Feb 2019) -- TODO: Allow SAN names in HTTP/2 server push + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. - Suggested-by: Nicolas Grekas - -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3779 -- curl: remove MANUAL from -M output - - ... 
and remove it from the dist tarball. It has served its time, it - barely gets updated anymore and "everything curl" is now convering all - this document once tried to include, and does it more and better. +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers - In the compressed scenario, this removes ~15K data from the binary, - which is 25% of the -M output. + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. - It remains in the git repo for now for as long as the web site builds a - page using that as source. It renders poorly on the site (especially for - mobile users) so its not even good there. + Closes #3781 + +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos - Closes #3587 + Reviewed-by: Daniel Stenberg -- http2: verify :athority in push promise requests +- socksd: Properly decorate static variables - RFC 7540 says we should verify that the push is for an "authoritative" - server. We make sure of this by only allowing push with an :athority - header that matches the host that was asked for in the URL. + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. - Fixes #3577 - Reported-by: Nicolas Grekas - Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html - Closes #3581 + Closes #3778 + Reviewed-by: Daniel Stenberg -- singlesocket: fix the 'sincebefore' placement +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code - The variable wasn't properly reset within the loop and thus could remain - set for sockets that hadn't been set before and miss notifying the app. + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. Checked + the indentation of the original source so it aligns, albeit, using + curl style. 
+ +- md5: Code style to return CURLE_OK rather than numeric 0 + +- md5: Corrected code style for some pointer arguments + +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial - This is a follow-up to 4c35574 (shipped in curl 7.64.0) + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. - Reported-by: buzo-ffm on github - Detected-by: Jan Alexander Steffens - Fixes #3585 - Closes #3589 + Closes https://github.com/curl/curl/pull/3777 -- connection: never reuse CONNECT_ONLY conections +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS - and make CONNECT_ONLY conections never reuse any existing ones either. + Make all SOCKS tests use socksd instead of ssh. + +- socksd: new SOCKS 4+5 server for tests - Reported-by: Pavel Löbl - Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html - Closes #3586 + Closes #3752 -Patrick Monnerat (19 Feb 2019) -- cli tool: fix mime post with --disable-libcurl-option configure option +- singleipconnect: show port in the verbose "Trying ..." message - Reported-by: Marcel Raad - Fixes #3576 - Closes #3583 + To aid debugging better. -Daniel Stenberg (19 Feb 2019) -- x509asn1: cleanup and unify code layout +- [tmilburn brought this change] + + CURLOPT_ADDRESS_SCOPE: fix range check and more - - rename 'n' to buflen in functions, and use size_t for them. Don't pass - in negative buffer lengths. + Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. - - move most function comments to above the function starts like we use - to + I have fixed the documentation so it all refers to scope ids. 
- - remove several unnecessary typecasts (especially of NULL) + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. - Reviewed-by: Patrick Monnerat - Closes #3582 - -- curl_multi_remove_handle.3: use at any time, just not from within callbacks + Adjusted-by: Daniel Stenberg - [ci skip] + Closes #3655 + Closes #3765 + Fixes #3713 -- http: make adding a blank header thread-safe +- urlapi: stricter CURLUPART_PORT parsing - Previously the function would edit the provided header in-place when a - semicolon is used to signify an empty header. This made it impossible to - use the same set of custom headers in multiple threads simultaneously. + Only allow well formed decimal numbers in the input. - This approach now makes a local copy when it needs to edit the string. + Document that the number MUST be between 1 and 65535. - Reported-by: d912e3 on github - Fixes #3578 - Closes #3579 - -- unit1651: survive curl_easy_init() fails + Add tests to test 1560 to verify the above. + + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 -- [Frank Gevaerts brought this change] +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] - rand: Fix a mismatch between comments in source and header. + winbuild: Support MultiSSL builds - Reported-by: Björn Stenberg - Closes #3584 - -Patrick Monnerat (18 Feb 2019) -- x509asn1: replace single char with an array + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. - Although safe in this context, using a single char as an array may - cause invalid accesses to adjacent memory locations. + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. - Detected by Coverity. 
+ Closes https://github.com/curl/curl/pull/3772 -Daniel Stenberg (18 Feb 2019) -- examples/http2-serverpush: add some sensible error checks +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) - To avoid NULL pointer dereferences etc in the case of problems. + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. - Closes #3580 + Closes #3767 -Jay Satiro (18 Feb 2019) -- easy: fix win32 init to work without CURL_GLOBAL_WIN32 +- openssl: mark connection for close on TLS close_notify - - Change the behavior of win32_init so that the required initialization - procedures are not affected by CURL_GLOBAL_WIN32 flag. + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. - libcurl via curl_global_init supports initializing for win32 with an - optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop - Winsock initialization. It did so internally by skipping win32_init() - when that flag was set. Since then win32_init() has been expanded to - include required initialization routines that are separate from - Winsock and therefore must be called in all cases. This commit fixes - it so that CURL_GLOBAL_WIN32 only controls the optional win32 - initialization (which is Winsock initialization, according to our doc). + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 + +- RELEASE-NOTES: synced + +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - The only users affected by this change are those that don't pass - CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the - risk of a potential crash. + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. 
- Ref: https://github.com/curl/curl/pull/3573 + Closes #3757 + +Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - Fixes https://github.com/curl/curl/issues/3313 - Closes https://github.com/curl/curl/pull/3575 + Based-on-code-by: Poul T Lomholt -Daniel Gustafsson (17 Feb 2019) -- cookie: Add support for cookie prefixes +- url: always clone the CUROPT_CURLU handle - The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes - and how they should affect cookie initialization, which has been - adopted by the major browsers. This adds support for the two prefixes - defined, __Host- and __Secure, and updates the testcase with the - supplied examples from the draft. + Since a few code paths actually update that data. - Closes #3554 - Reviewed-by: Daniel Stenberg + Fixes #3753 + Closes #3761 + + Reported-by: Poul T Lomholt -- mbedtls: release sessionid resources on error +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - If mbedtls_ssl_get_session() fails, it may still have allocated - memory that needs to be freed to avoid leaking. Call the library - API function to release session resources on this errorpath as - well as on Curl_ssl_addsessionid() errors. + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. - Closes: #3574 - Reported-by: Michał Antoniak - Reviewed-by: Daniel Stenberg - -Patrick Monnerat (16 Feb 2019) -- cli tool: refactor encoding conversion sequence for switch case fallthrough. + Closes #3654 -- version.c: silent scan-build even when librtmp is not enabled +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build + + Reduces the time needed for the other jobs a little. 
+ + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (15 Feb 2019) -- RELEASE-NOTES: synced +- travis: install libnss3-dev only for --with-nss build + + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -- Curl_now: figure out windows version in win32_init +- travis: install libssh2-dev only for --with-libssh2 build - ... and avoid use of static variables that aren't thread safe. + Reduces the time needed for the other jobs a little. - Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + Closes https://github.com/curl/curl/pull/3721 + +- travis: install libssh-dev only for --with-libssh build - Reported-by: Paul Groke - Fixes #3572 - Closes #3573 + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -Marcel Raad (15 Feb 2019) -- unit1307: just fail without FTP support +- travis: install krb5-user only for --with-gssapi build - I missed to check this in with commit - 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. - This fixes the actual linker error. + Reduces the time needed for the other jobs a little. - Closes https://github.com/curl/curl/pull/3568 + Closes https://github.com/curl/curl/pull/3721 -Daniel Stenberg (15 Feb 2019) -- travis: enable valgrind for the iconv tests too +- travis: install lcov only for the coverage job - Closes #3571 + Reduces the time needed for the other jobs a little. + + Closes https://github.com/curl/curl/pull/3721 -- travis: add scan-build +- travis: install clang only when needed - Closes #3564 + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. 
+ + Closes https://github.com/curl/curl/pull/3721 -- examples/sftpuploadresume: Value stored to 'result' is never read +- AppVeyor: enable testing for WinSSL build - Detected by scan-build + Closes https://github.com/curl/curl/pull/3725 -- examples/http2-upload: cleaned up +- build: fix Codacy/CppCheck warnings - Fix scan-build warnings, no globals, no silly handle scan. Also remove - handles from the multi before cleaning up. + - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows + + Closes https://github.com/curl/curl/pull/3739 -- examples/http2-download: cleaned up +- polarssl_threadlock: remove conditionally unused code - To avoid scan-build warnings and global variables. + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. + + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. + + Closes https://github.com/curl/curl/pull/3739 -- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' +- lib557: initialize variables - Detected by scan-build + These variables are only conditionally initialized. + + Closes https://github.com/curl/curl/pull/3739 -- examples/httpcustomheader: Value stored to 'res' is never read +- lib509: add missing include for strdup - Detected by scan-build + Closes https://github.com/curl/curl/pull/3739 -- examples: remove superfluous null-pointer checks +- README.md: fix no-consecutive-blank-lines Codacy warning - in ftpget, ftpsget and sftpget, so that scan-build stops warning for - potential NULL pointer dereference below! + Consistently use one blank line between blocks. 
- Detected by scan-build + Closes https://github.com/curl/curl/pull/3739 -- strip_trailing_dot: make sure NULL is never used for strlen +- tests/server/util: fix Windows Unicode build - scan-build warning: Null pointer passed as an argument to a 'nonnull' - parameter + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. + + Closes https://github.com/curl/curl/pull/3758 -- [Jay Satiro brought this change] +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake - connection_check: restore original conn->data after the check +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms - - Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. + The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: - This is a follow-up to 38d8e1b 2019-02-11. + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 - History: + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. - It was discovered a month ago that before checking whether to extract a - dead connection that that connection should be associated with a "live" - transfer for the check (ie original conn->data ignored and set to the - passed in data). A fix was landed in 54b201b which did that and also - cleared conn->data after the check. The original conn->data was not - restored, so presumably it was thought that a valid conn->data was no - longer needed. 
+ Closes #3759 + Reviewed-by: Daniel Stenberg + +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS + +- README: Schannel, stop calling it "winssl" - Several days later it was discovered that a valid conn->data was needed - after the check and follow-up fix was landed in bbae24c which partially - reverted the original fix and attempted to limit the scope of when - conn->data was changed to only when pruning dead connections. In that - case conn->data was not cleared and the original conn->data not - restored. + Stick to "Schannel" everywhere - follow up to 180501cb. + +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - A month later it was discovered that the original fix was somewhat - correct; a "live" transfer is needed for the check in all cases - because original conn->data could be null which could cause a bad deref - at arbitrary points in the check. A fix was landed in 38d8e1b which - expanded the scope to all cases. conn->data was not cleared and the - original conn->data not restored. + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. - A day later it was discovered that not restoring the original conn->data - may lead to busy loops in applications that use the event interface, and - given this observation it's a pretty safe assumption that there is some - code path that still needs the original conn->data. This commit is the - follow-up fix for that, it restores the original conn->data after the - connection check. 
+ fixes #3743 + closes #3744 + +- cmake: avoid linking executable for some tests with cmake 3.6+ - Assisted-by: tholin@users.noreply.github.com - Reported-by: tholin@users.noreply.github.com + With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. - Fixes https://github.com/curl/curl/issues/3542 - Closes #3559 + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. That issue was fixed separately for all versions. + + Ref: #3744 -- memdebug: bring back curl_mark_sclose +- cmake: minor cleanup - Used by debug builds with NSS. + - Remove nneeded include_regular_expression. + It was setting what is already a default. - Reverted from 05b100aee247bb + - Remove duplicated include. + + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. + + Ref: #3744 -Patrick Monnerat (14 Feb 2019) -- transfer.c: do not compute length of undefined hex buffer. 
+Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ + +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) + +- build-openssl.bat: Perform the install for each build type directly after the build + +- build-openssl.bat: Split the install of static and shared build types + +- build-openssl.bat: Split the building of static and shared build types + +- build-openssl.bat: Move the installation into a separate function + +- build-openssl.bat: Move the build step into a separate function + +- build-openssl.bat: Move the OpenSSL configuration into a separate function + +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised - On non-ascii platforms, the chunked hex header was measured for char code - conversion length, even for chunked trailers that do not have an hex header. - In addition, the efective length is already known: use it. - Since the hex length can be zero, only convert if needed. + Should the parent environment set this variable then the build might + not be performed as the user intended. + +Daniel Stenberg (8 Apr 2019) +- socks: fix error message + +- config.d: clarify that initial : and = might need quoting [skip ci] - Reported by valgrind. + Fixes #3738 + Closes #3749 -Daniel Stenberg (14 Feb 2019) -- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP +- RELEASE-NOTES: synced - Closes #2367 + bumped to 7.65.0 for next release -Patrick Monnerat (14 Feb 2019) -- x509asn1: "Dereference of null pointer" +- socks5: user name and passwords must be shorter than 256 - Detected by scan-build (false positive). + bytes... since the protocol needs to store the length in a single byte field. 
+ + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 -Daniel Stenberg (14 Feb 2019) -- configure: show features as well in the final summary +- [Jakub Zakrzewski brought this change] + + test: urlapi: urlencode characters above 0x7f correctly + +- [Jakub Zakrzewski brought this change] + + urlapi: urlencode characters above 0x7f correctly - Closes #3569 + fixes #3741 + Closes #3742 -- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 +- [Even Rouault brought this change] + + multi_runsingle(): fix use-after-free + + Fixes #3745 + Closes #3746 + + The following snippet + ``` + + int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning + + ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: 
main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` - Closes #2905 - -- KNOWN_BUGS: Deflate error after all content was received + This has been bisected to commit 2f44e94 - Closes #2719 + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz -- gssapi: fix deprecated header warnings +- pipelining: removed - Heimdal includes on FreeBSD spewed out lots of them. Less so now. + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. - Closes #3566 + Closes #3651 -- TODO: Upgrade to websockets - - Closes #3523 +- [cclauss brought this change] -- TODO: cmake test suite improvements + tests: make Impacket (SMB server) Python 3 compatible - Closes #3109 + Closes #3731 + Fixes #3289 -Patrick Monnerat (13 Feb 2019) -- curl: "Dereference of null pointer" - - Rephrase to satisfy scan-build. +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] -Marcel Raad (13 Feb 2019) -- unit1307: require FTP support + cmake: set SSL_BACKENDS - This test doesn't link without FTP support after - fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch - unavailable without FTP support. 
+ This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac - Closes https://github.com/curl/curl/pull/3565 + Closes https://github.com/curl/curl/pull/3736 -Daniel Stenberg (13 Feb 2019) -- TODO: TFO support on Windows - - Nobody works on this now. - - Closes #3378 +- [Simon Warta brought this change] -- multi: Dereference of null pointer - - Mostly a false positive, but this makes the code easier to read anyway. + cmake: don't run SORT on empty list - Detected by scan-build. + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." - Closes #3563 + Closes https://github.com/curl/curl/pull/3736 -- urlglob: Argument with 'nonnull' attribute passed null - - Detected by scan-build. +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] -Jay Satiro (12 Feb 2019) -- schannel: restore some debug output but only for debug builds - - Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy - debug output in DEBUGF but omitted a few lines. + configure: fix default location for fish completions - Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 - -- examples/crawler: Fix the Accept-Encoding setting + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). - - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default - supported encodings. + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. - Prior to this change the specific encodings of gzip and deflate were set - but there's no guarantee they'd be supported by the user's libcurl. 
+ Closes #3723 + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (12 Feb 2019) -- mime: put the boundary buffer into the curl_mime struct +Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" - ... instead of allocating it separately and point to it. It is - fixed-size and always used for each part. + Removing the block is consistent with line 954/957. - Closes #3561 + Closes https://github.com/curl/curl/pull/3732 -- schannel: be quiet +- transfer: fix LGTM alert "Comparison is always true" - Convert numerous infof() calls into debug-build only messages since they - are annoyingly verbose for regular applications. Removed a few. + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. - Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html - Reported-by: Volker Schmid - Closes #3552 - -- [Romain Geissler brought this change] + Closes https://github.com/curl/curl/pull/3732 - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning - - Closes #3562 +Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] -- http2: multi_connchanged() moved from multi.c, only used for h2 + smtp: fix compiler warning - Closes #3557 - -- curl: "Function call argument is an uninitialized value" + - Fix clang string-plus-int warning. - Follow-up to cac0e4a6ad14b42471eb + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. - Detected by scan-build - Closes #3560 - -- pretransfer: don't strlen() POSTFIELDS set for GET requests + (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) - ... since that data won't be used in the request anyway. 
+ smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ - Fixes #3548 - Reported-by: Renaud Allard - Close #3549 + Closes https://github.com/curl/curl/pull/3729 -- multi: remove verbose "Expire in" ... messages +Marcel Raad (4 Apr 2019) +- VS projects: use Unicode for VC10+ - Reported-by: James Brown - Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html - Closes #3558 - -- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set + All Windows APIs have been natively UTF-16 since Windows 2000 and the + non-Unicode variants are just wrappers around them. Only Windows 9x + doesn't understand Unicode without the UnicoWS DLL. As later Visual + Studio versions cannot target Windows 9x anyway, using the ANSI API + doesn't really have any benefit there. - Reported-by: MAntoniak on github - Fixes #3553 - Closes #3556 - -Daniel Gustafsson (12 Feb 2019) -- non-ascii.c: fix typos in comments + This avoids issues like KNOWN_BUGS 6.5. - Fix two occurrences of s/convers/converts/ spotted while reading code. + Ref: https://github.com/curl/curl/issues/2120 + Closes https://github.com/curl/curl/pull/3720 -Daniel Stenberg (12 Feb 2019) -- fnmatch: disable if FTP is disabled +Daniel Gustafsson (3 Apr 2019) +- RELEASE-NOTES: synced - Closes #3551 - -- curl_path: only enabled for SSH builds - -- [Frank Gevaerts brought this change] + Bump the version in progress to 7.64.2, if we merge any "change" + before the cut-off date we can update the version. - tests: add stderr comparison to the test suite - - The code is more or less copied from the stdout comparison code, maybe - some better reuse is possible. 
- - test 1457 is adjusted to make the output actually match (by using --silent) - test 506 used without actually needing it, so that block is removed - - Closes #3536 +- [Tim Rühsen brought this change] -Patrick Monnerat (11 Feb 2019) -- cli tool: do not use mime.h private structures. - - Option -F generates an intermediate representation of the mime structure - that is used later to create the libcurl mime structure and generate - the --libcurl statements. + documentation: Fix several typos - Reported-by: Daniel Stenberg - Fixes #3532 - Closes #3546 - -Daniel Stenberg (11 Feb 2019) -- curlver: bump to 7.64.1-dev + Closes #3724 + Reviewed-by: Jakub Zakrzewski + Reviewed-by: Daniel Gustafsson -- RELEASE-NOTES: synced - - and bump the version in progress to 7.64.1. If we merge any "change" - before the cut-off date, we update again. +Jay Satiro (2 Apr 2019) +- [Mert Yazıcıoğlu brought this change] -Daniel Gustafsson (11 Feb 2019) -- curl: follow-up to 3f16990ec84 - - Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was - inadvertently introducing a new bug in the ternary expression. + vauth/oauth2: Fix OAUTHBEARER token generation - Close #3555 - Reviewed-by: Daniel Stenberg - -- dns: release sharelock as soon as possible + OAUTHBEARER tokens were incorrectly generated in a format similar to + XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the + RFC7628. - There is no benefit to holding the data sharelock when freeing the - addrinfo in case it fails, so ensure releaseing it as soon as we can - rather than holding on to it. This also aligns the code with other - consumers of sharelocks. + Fixes: #2487 + Reported-by: Paolo Mossino - Closes #3516 - Reviewed-by: Daniel Stenberg + Closes https://github.com/curl/curl/pull/3377 -Daniel Stenberg (11 Feb 2019) -- curl: follow-up to b49652ac66cc0 +Marcel Raad (2 Apr 2019) +- tool_cb_wrt: fix bad-function-cast warning - On FreeBSD, return non-zero on error otherwise zero. 
+ Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the + warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. + Extend fhnd's scope and reuse that variable instead of calling + _get_osfhandle a second time to fix the warning again. - Reported-by: Marcel Raad + Closes https://github.com/curl/curl/pull/3718 -- multi: (void)-prefix when ignoring return values +- VC15 project: remove MinimalRebuild - ... and added braces to two function calls which fixes warnings if they - are replace by empty macros at build-time. + Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the + library project, but I forgot the tool project template. Now also + removed for that. -- curl: fix FreeBSD compiler warning in the --xattr code +Dan Fandrich (1 Apr 2019) +- cirrus: Customize the disabled tests per FreeBSD version - Closes #3550 + Try to run as many test cases as possible on each OS version. + 12.0 passes 13 more tests than the older versions, so we might as well + run them. -- connection_check: set ->data to the transfer doing the check - - The http2 code for connection checking needs a transfer to use. Make - sure a working one is set before handler->connection_check() is called. +Daniel Stenberg (1 Apr 2019) +- tool_help: include for strcasecmp - Reported-by: jnbr on github - Fixes #3541 - Closes #3547 + Reported-by: Wyatt O'Day + Fixes #3715 + Closes #3716 -- hostip: make create_hostcache_id avoid alloc + free +Daniel Gustafsson (31 Mar 2019) +- scripts: fix typos + +Dan Fandrich (28 Mar 2019) +- travis: allow builds on branches named "ci" - Closes #3544 + This allows a way to test changes other than through PRs. -- scripts/singleuse: script to use to track single-use functions +Daniel Stenberg (27 Mar 2019) +- [Brad Spencer brought this change] + + resolve: apply Happy Eyeballs philosophy to parallel c-ares queries - That is functions that are declared global but are not used from outside - of the file in which it is declared. 
Such functions should be made - static or even at times be removed. + Closes #3699 + +- multi: improved HTTP_1_1_REQUIRED handling - It also verifies that all used curl_ prefixed functions are "blessed" + Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error + on first flight. - Closes #3538 + Reported-by: niner on github + Fixes #3696 + Closes #3707 -- cleanup: make local functions static - - urlapi: turn three local-only functions into statics +- [Leonardo Taccari brought this change] + + configure: avoid unportable `==' test(1) operator - conncache: make conncache_find_first_connection static + Closes #3709 + +Version 7.64.1 (27 Mar 2019) + +Daniel Stenberg (27 Mar 2019) +- RELEASE: 7.64.1 + +- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - multi: make detach_connnection static + This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - connect: make getaddressinfo static + Fixes #3708 + +- [Christian Schmitz brought this change] + + ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - curl_ntlm_core: make hmac_md5 static + Closes #3704 + +Jay Satiro (26 Mar 2019) +- tool_cb_wrt: fix writing to Windows null device NUL - http2: make two functions static + - Improve console detection. - http: make http_setup_conn static + Prior to this change WriteConsole could be called to write to a handle + that may not be a console, which would cause an error. This issue is + limited to character devices that are not also consoles such as the null + device NUL. 
- connect: make tcpnodelay static + Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 + Reported-by: Gisle Vanem + +- CURLMOPT_PIPELINING.3: fix typo + +Daniel Stenberg (25 Mar 2019) +- TODO: config file parsing - tests: make UNITTEST a thing to mark functions with, so they can be static for - normal builds and non-static for unit test builds + Closes #3698 + +Jay Satiro (24 Mar 2019) +- os400: Disable Alt-Svc by default since it's experimental - ... and mark Curl_shuffle_addr accordingly. + Follow-up to 520f0b4 which added Alt-Svc support and enabled it by + default for OS400. Since the feature is experimental, it should be + disabled by default. - url: make up_free static + Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 + Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html - setopt: make vsetopt static + Closes https://github.com/curl/curl/pull/3688 + +Dan Fandrich (24 Mar 2019) +- tests: Fixed XML validation errors in some test files. + +- tests: Fix some incorrect precheck error messages. - curl_endian: make write32_le static + [ci skip] + +Daniel Stenberg (22 Mar 2019) +- curl_url.3: this is not experimental anymore + +- travis: bump the used wolfSSL version to 4.0.0 - rtsp: make rtsp_connisdead static + Test 311 is now fine, leaving only 313 (CRL) disabled. - warnless: remove unused functions + Test 313 details can be found here: + https://github.com/wolfSSL/wolfssl/issues/1546 - memdebug: remove one unused function, made another static + Closes #3697 -Dan Fandrich (10 Feb 2019) -- cirrus: Added FreeBSD builds using Cirrus CI. 
+Daniel Gustafsson (22 Mar 2019) +- lib: Fix typos in comments + +David Woodhouse (20 Mar 2019) +- openssl: if cert type is ENG and no key specified, key is ENG too - The build logs will be at https://cirrus-ci.com/github/curl/curl + Fixes #3692 + Closes #3692 + +Daniel Stenberg (20 Mar 2019) +- sectransp: tvOS 11 is required for ALPN support - Some tests are currently failing and so disabled for now. The SSH server - isn't starting for the SSH tests due to unsupported options used in its - config file. The DICT server also is failing on startup. + Reported-by: nianxuejie on github + Assisted-by: Nick Zitzmann + Assisted-by: Jay Satiro + Fixes #3689 + Closes #3690 -Daniel Stenberg (9 Feb 2019) -- url/idnconvert: remove scan for <= 32 ascii values +- test1541: threaded connection sharing - The check was added back in fa939220df before the URL parser would catch - these problems and therefore these will never trigger now. + The threaded-shared-conn.c example turned into test case. Only works if + pthread was detected. - Closes #3539 - -- urlapi: reduce variable scope, remove unreachable 'break' + An attempt to detect future regressions such as e3a53e3efb942a5 - Both nits pointed out by codacy.com + Closes #3687 + +Patrick Monnerat (17 Mar 2019) +- os400: alt-svc support. - Closes #3540 + Although experimental, enable it in the platform config file. + Upgrade ILE/RPG binding. -Alessandro Ghedini (7 Feb 2019) -- zsh.pl: escape ':' character +Daniel Stenberg (17 Mar 2019) +- conncache: use conn->data to know if a transfer owns it - ':' is interpreted as separator by zsh, so if used as part of the argument - or option's description it needs to be escaped. + - make sure an already "owned" connection isn't returned unless + multiplexed. 
- The problem can be reproduced as follows: + - clear ->data when returning the connection to the cache again - % curl --reso - % curl -E + Regression since 7.62.0 (probably in commit 1b76c38904f0) - Bug: https://bugs.debian.org/921452 - -- zsh.pl: update regex to better match curl -h output - - The current regex fails to match '<...>' arguments properly (e.g. those - with spaces in them), which causes an completion script with wrong - descriptions for some options. - - Here's a diff of the generated completion script, comparing the previous - version to the one with this fix: - - --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 - +++ _curl 2019-02-05 20:57:29.453349040 +0000 - 
@@ -9,48 +9,48 @@ - - _arguments -C -S \ - --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ - + --resolve'[Resolve the host+port to this address]':'' \ - {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ - {-D,--dump-header}'[Write the received headers to ]':'':_files \ - {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ - --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ - {-E,--cert}'[Client certificate file and password]':'' \ - --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ - --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ - --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ - --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ - + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ - --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ - --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ - + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ - --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ - + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ - {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ - --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ - --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ - --socks5-gssapi-service'[SOCKS5 proxy service name for 
GSS-API]':'' \ - --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ - - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ - {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ - --local-port'[Force use of RANGE for local port numbers]':'' \ - --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ - {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - - --location-trusted'[--location, and send auth to other hosts]':'Like' \ - + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ - --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ - {-O,--remote-name}'[Write output to a file named as the remote file]' \ - + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ - + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ - --trace-ascii'[Like --trace, but without hex output]':'':_files \ - --connect-timeout'[Maximum time allowed for connection]':'' \ - --expect100-timeout'[How long to wait for 100-continue]':'' \ - {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ - + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ - {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ - --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ - --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - - --ignore-content-length'[the size of the remote resource]':'Ignore' \ - {-k,--insecure}'[Allow insecure server connections when using SSL]' \ - + --location-trusted'[Like --location, and send auth to other hosts]' \ - --mail-auth'[Originator address of the original email]':'
' \ - --noproxy'[List of hosts which do not use proxy]':'' \ - --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ - @@ -62,18 +62,19 @@ - --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ - --cacert'[CA certificate to verify peer against]':'':_files \ - {-H,--header}'[Pass custom header(s) to server]':'
' \ - + --ignore-content-length'[Ignore the size of the remote resource]' \ - {-i,--include}'[Include protocol response headers in the output]' \ - --proxy-header'[Pass custom header(s) to proxy]':'
' \ - --unix-socket'[Connect through this Unix domain socket]':'' \ - {-w,--write-out}'[Use output FORMAT after completion]':'' \ - - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ - {-o,--output}'[Write to file instead of stdout]':'':_files \ - - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ - + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ - --socks4a'[SOCKS4a proxy on given host + port]':'' \ - {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ - {-z,--time-cond}'[Transfer based on a time condition]':'