Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 3396 |
1 files changed, 1746 insertions, 1650 deletions
@@ -6,6 +6,1752 @@ Changelog +Version 7.62.0 (30 Oct 2018) + +Daniel Stenberg (30 Oct 2018) +- RELEASE-NOTES: 7.62.0 + +- THANKS: 7.62.0 status + +Daniel Gustafsson (30 Oct 2018) +- vtls: add MesaLink to curl_sslbackend enum + + MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the + backend was never added to the curl_sslbackend enum in curl/curl.h. + This adds the new backend to the enum and updates the relevant docs. + + Closes #3195 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (30 Oct 2018) +- [Ruslan Baratov brought this change] + + cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable + + Closes #3191 + +- test2080: verify the fix for CVE-2018-16842 + +- voutf: fix bad arethmetic when outputting warnings to stderr + + CVE-2018-16842 + Reported-by: Brian Carpenter + Bug: https://curl.haxx.se/docs/CVE-2018-16842.html + +- [Tuomo Rinne brought this change] + + cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in + + Closes #3123 + +- [Tuomo Rinne brought this change] + + cmake: add find_dependency call for ZLIB to CMake config file + +- [Tuomo Rinne brought this change] + + cmake: add support for transitive ZLIB target + +- unit1650: fix "null pointer passed as argument 1 to memcmp" + + Detected by UndefinedBehaviorSanitizer + + Closes #3187 + +- travis: add a "make tidy" build that runs clang-tidy + + Closes #3182 + +- unit1300: fix stack-use-after-scope AddressSanitizer warning + + Closes #3186 + +- Curl_auth_create_plain_message: fix too-large-input-check + + CVE-2018-16839 + Reported-by: Harry Sintonen + Bug: https://curl.haxx.se/docs/CVE-2018-16839.html + +- Curl_close: clear data->multi_easy on free to avoid use-after-free + + Regression from b46cfbc068 (7.59.0) + CVE-2018-16840 + Reported-by: Brian Carpenter (Geeknik Labs) + + Bug: https://curl.haxx.se/docs/CVE-2018-16840.html + +- [randomswdev brought this change] + + system.h: use proper setting with Sun C++ as well + + system.h selects the 
proper Sun settings when __SUNPRO_C is defined. The + Sun compiler does not define it when compiling C++ files. I'm adding a + check also on __SUNPRO_CC to allow curl to work properly also when used + in a C++ project on Sun Solaris. + + Closes #3181 + +- rand: add comment to skip a clang-tidy false positive + +- test1651: unit test Curl_extract_certinfo() + + The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel. + +- x509asn1: always check return code from getASN1Element() + +- Makefile: add 'tidy' target that runs clang-tidy + + Available in the root, src and lib dirs. + + Closes #3163 + +- RELEASE-PROCEDURE: adjust the release dates + + See: https://curl.haxx.se/mail/lib-2018-10/0107.html + +Patrick Monnerat (27 Oct 2018) +- x509asn1: suppress left shift on signed value + + Use an unsigned variable: as the signed operation behavior is undefined, + this change silents clang-tidy about it. + + Ref: https://github.com/curl/curl/pull/3163 + Reported-By: Daniel Stenberg + +Michael Kaufmann (27 Oct 2018) +- multi: Fix error handling in the SENDPROTOCONNECT state + + If Curl_protocol_connect() returns an error code, + handle the error instead of switching to the next state. + + Closes #3170 + +Daniel Stenberg (27 Oct 2018) +- RELEASE-NOTES: synced + +- openssl: output the correct cipher list on TLS 1.3 error + + When failing to set the 1.3 cipher suite, the wrong string pointer would + be used in the error message. Most often saying "(nil)". + + Reported-by: Ricky-Tigg on github + Fixes #3178 + Closes #3180 + +- docs/CIPHERS: fix the TLS 1.3 cipher names + + ... picked straight from the OpenSSL man page: + https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html + + Reported-by: Ricky-Tigg on github + Bug: #3178 + +Marcel Raad (27 Oct 2018) +- travis: install gnutls-bin package + + This is required for gnutls-serv, which enables a few more tests. 
+ + Closes https://github.com/curl/curl/pull/2958 + +Daniel Gustafsson (26 Oct 2018) +- ssh: free the session on init failures + + Ensure to clear the session object in case the libssh2 initialization + fails. + + It could be argued that the libssh2 error function should be called to + get a proper error message in this case. But since the only error path + in libssh2_knownhost_init() is memory a allocation failure it's safest + to avoid since the libssh2 error handling allocates memory. + + Closes #3179 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (26 Oct 2018) +- docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date + + ... I'm moving it up one week due to travels. The rest stays. + +- [Daniel Gustafsson brought this change] + + openssl: make 'done' a proper boolean + + Closes #3176 + +- gtls: Values stored to but never read + + Detected by clang-tidy + + Closes #3176 + +- [Alexey Eremikhin brought this change] + + curl.1: --ipv6 mutexes ipv4 (fixed typo) + + Fixes #3171 + Closes #3172 + +- tool_main: make TerminalSettings static + + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819 + Closes #3161 + +- curl-config.in: remove dependency on bc + + Reported-by: Dima Pasechnik + Fixes #3143 + Closes #3174 + +- [Gisle Vanem brought this change] + + rtmp: fix for compiling with lwIP + + Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: + curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' + setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, + ^ + curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' + #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) + ^ + Closes #3155 + +- configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T + + Follow-up to #3166 which did the cmake part of this. This type/define is + not used. 
+ + Closes #3168 + +- [Ruslan Baratov brought this change] + + cmake: remove unused variables + + Remove variables: + * HAVE_SOCKLEN_T + * CURL_SIZEOF_CURL_SOCKLEN_T + * CURL_TYPEOF_CURL_SOCKLEN_T + + Closes #3166 + +Michael Kaufmann (25 Oct 2018) +- urldata: Fix comment in header + + The "connecting" function is used by multiple protocols, not only FTP + +- netrc: free temporary strings if memory allocation fails + + - Change the inout parameters after all needed memory has been + allocated. Do not change them if something goes wrong. + - Free the allocated temporary strings if strdup() fails. + + Closes #3122 + +Daniel Stenberg (24 Oct 2018) +- [Ruslan Baratov brought this change] + + config: Remove unused SIZEOF_VOIDP + + Closes #3162 + +- RELEASE-NOTES: synced + +GitHub (23 Oct 2018) +- [Gisle Vanem brought this change] + + Fix for compiling with lwIP (3) + + lwIP on Windows does not have a WSAIoctl() function. + But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing. + +Daniel Stenberg (23 Oct 2018) +- Curl_follow: return better errors on URL problems + + ... by making the converter function global and accessible. + + Closes #3153 + +- Curl_follow: remove remaining free(newurl) + + Follow-up to 05564e750e8f0c. This function no longer frees the passed-in + URL. + + Reported-by: Michael Kaufmann + Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm + ent-30985666 + +Daniel Gustafsson (23 Oct 2018) +- headers: end all headers with guard comment + + Most headerfiles end with a /* <headerguard> */ comment, but it was + missing from some. The comment isn't the most important part of our + code documentation but consistency has an intrinsic value in itself. + This adds header guard comments to the files that were lacking it. 
+ + Closes #3158 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Jay Satiro (23 Oct 2018) +- CIPHERS.md: Mention the options used to set TLS 1.3 ciphers + + Closes https://github.com/curl/curl/pull/3159 + +Daniel Stenberg (20 Oct 2018) +- docs/BUG-BOUNTY: the sponsors actually decide the amount + + Retract the previous approach as the sponsors will be the ones to set the + final amounts. + + Closes #3152 + [ci skip] + +- multi: avoid double-free + + Curl_follow() no longer frees the string. Make sure it happens in the + caller function, like we normally handle allocations. + + This bug was introduced with the use of the URL API internally, it has + never been in a release version + + Reported-by: Dario Weißer + Closes #3149 + +- multi: make the closure handle "inherit" CURLOPT_NOSIGNAL + + Otherwise, closing that handle can still cause surprises! + + Reported-by: Martin Ankerl + Fixes #3138 + Closes #3147 + +Marcel Raad (19 Oct 2018) +- VS projects: add USE_IPV6 + + The Visual Studio builds didn't use IPv6. Add it to all projects since + Visual Studio 2008, which is verified to build via AppVeyor. + + Closes https://github.com/curl/curl/pull/3137 + +- config_win32: enable LDAPS + + As done in the autotools and CMake builds by default. + + Closes https://github.com/curl/curl/pull/3137 + +Daniel Stenberg (18 Oct 2018) +- travis: add build for "configure --disable-verbose" + + Closes #3144 + +Kamil Dudka (17 Oct 2018) +- tool_cb_hdr: handle failure of rename() + + Detected by Coverity. + + Closes #3140 + Reviewed-by: Jay Satiro + +Daniel Stenberg (17 Oct 2018) +- RELEASE-NOTES: synced + +- docs/SECURITY-PROCESS: the hackerone IBB program drops curl + + ... now there's only BountyGraph. 
+ +Jay Satiro (16 Oct 2018) +- [Matthew Whitehead brought this change] + + x509asn1: Fix SAN IP address verification + + For IP addresses in the subject alternative name field, the length + of the IP address (and hence the number of bytes to perform a + memcmp on) is incorrectly calculated to be zero. The code previously + subtracted q from name.end. where in a successful case q = name.end + and therefore addrlen equalled 0. The change modifies the code to + subtract name.beg from name.end to calculate the length correctly. + + The issue only affects libcurl with GSKit SSL, not other SSL backends. + The issue is not a security issue as IP verification would always fail. + + Fixes #3102 + Closes #3141 + +Daniel Gustafsson (15 Oct 2018) +- INSTALL: mention mesalink in TLS section + + Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the + MesaLink vtls backend, but missed updating the TLS section containing + supported backends in the docs. + + Closes #3134 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (14 Oct 2018) +- nonblock: fix unused parameter warning + + If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not + used. + +Michael Kaufmann (13 Oct 2018) +- Curl_follow: Always free the passed new URL + + Closes #3124 + +Viktor Szakats (12 Oct 2018) +- replace rawgit links [ci skip] + + Ref: https://rawgit.com/ "RawGit has reached the end of its useful life" + Ref: https://news.ycombinator.com/item?id=18202481 + Closes https://github.com/curl/curl/pull/3131 + +Daniel Stenberg (12 Oct 2018) +- docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018 + + [ci skip] + +- travis: make distcheck scan for BOM markers + + and remove BOM from projects/wolfssl_override.props + + Closes #3126 + +Marcel Raad (11 Oct 2018) +- CMake: remove BOM + + Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea. 
+ + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136 + +Daniel Gustafsson (10 Oct 2018) +- transfer: fix typo in comment + +Michael Kaufmann (10 Oct 2018) +- docs: add "see also" links for SSL options + + - link TLS 1.2 and TLS 1.3 options + - link proxy and non-proxy options + + Closes #3121 + +Marcel Raad (10 Oct 2018) +- AppVeyor: remove BDIR variable that sneaked in again + + Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added + again in 9f3be5672dc4dda30ab43e0152e13d714a84d762. + +- CMake: disable -Wpedantic-ms-format + + As done in the autotools build. This is required for MinGW, which + supports only %I64 for printing 64-bit values, but warns about it. + + Closes https://github.com/curl/curl/pull/3120 + +Viktor Szakats (9 Oct 2018) +- ldap: show precise LDAP call in error message on Windows + + Also add a unique but common text ('bind via') to make it + easy to grep this specific failure regardless of platform. + + Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 + Closes https://github.com/curl/curl/pull/3118 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (9 Oct 2018) +- docs/DEPRECATE: minor reformat to render nicer on web + +Daniel Gustafsson (9 Oct 2018) +- CURLOPT_SSL_VERIFYSTATUS: Fix typo + + Changes s/OSCP/OCSP/ and bumps the copyright year due to the change. + +Marcel Raad (9 Oct 2018) +- curl_setup: define NOGDI on Windows + + This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> + on MinGW. + + Closes https://github.com/curl/curl/pull/3113 + +- Windows: fixes for MinGW targeting Windows Vista + + Classic MinGW has neither InitializeCriticalSectionEx nor + GetTickCount64, independent of the target Windows version. 
+ + Closes https://github.com/curl/curl/pull/3113 + +Daniel Stenberg (8 Oct 2018) +- TODO: fixed 'API for URL parsing/splitting' + +Daniel Gustafsson (8 Oct 2018) +- KNOWN_BUGS: Fix various typos + + Closes #3112 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Viktor Szakats (8 Oct 2018) +- spelling fixes [ci skip] + + as detected by codespell 1.14.0 + + Closes https://github.com/curl/curl/pull/3114 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Daniel Stenberg (8 Oct 2018) +- RELEASE-NOTES: synced + +- curl_ntlm_wb: check aprintf() return codes + + ... when they return NULL we're out of memory and MUST return failure. + + closes #3111 + +- docs/BUG-BOUNTY: proposed additional docs + + Bug bounty explainer. See https://bountygraph.com/programs/curl + + Closes #3067 + +- [Rick Deist brought this change] + + hostip: fix check on Curl_shuffle_addr return value + + Closes #3110 + +- FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output + + Now FILE transfers send headers to the header callback like HTTP and + other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) + work for FILE in the callbacks. + + Makes "curl -i file://.." and "curl -I file://.." work like before + again. Applied the bold header logic to them too. + + Regression from c1c2762 (7.61.0) + + Reported-by: Shaun Jackman + Fixes #3083 + Closes #3101 + +Daniel Gustafsson (7 Oct 2018) +- gskit: make sure to terminate version string + + In case a very small buffer was passed to the version function, it could + result in the buffer not being NULL-terminated since strncpy() doesn't + guarantee a terminator on an overflowed buffer. Rather than adding code + to terminate (and handle zero-sized buffers), move to using snprintf() + instead like all the other vtls backends. + + Closes #3105 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Viktor Szakats <commit@vszakats.net> + +- TODO: add LD_PRELOAD support on macOS + + Add DYLD_INSERT_LIBRARIES support to the TODO list. 
Reported in #2394. + +- runtests: skip ld_preload tests on macOS + + The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests + requiring it. + + Fixes #2394 + Closes #3106 + Reported-by: Github user @jakirkham + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (7 Oct 2018) +- AppVeyor: use Debug builds to run tests + + This enables more tests. + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add HTTP_ONLY build + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add WinSSL builds + + Use the oldest and latest Windows SDKs for them. + Also, remove all but one OpenSSL build. + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: add remaining Visual Studio versions + + This adds Visual Studio 9 and 10 builds. + There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32 + build. Also, VC9 cannot be used for running the test suite. + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: break long line + + Closes https://github.com/curl/curl/pull/3104 + +- AppVeyor: remove unused BDIR variable + + Closes https://github.com/curl/curl/pull/3104 + +Daniel Stenberg (6 Oct 2018) +- test2100: test DoH using IPv4-only + + To make it only send one DoH request and avoid the race condition that + could lead to the requests getting sent in reversed order and thus + making it hard to compare in the test case. 
+ + Fixes #3107 + Closes #3108 + +- tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too + + [ci skip] + +- RELEASE-NOTES: synced + +- [Dmitry Kostjuchenko brought this change] + + timeval: fix use of weak symbol clock_gettime() on Apple platforms + + Closes #3048 + +- doh: keep the IPv4 address in (original) network byte order + + Ideally this will fix the reversed order shown in SPARC tests: + + resp 8: Expected 127.0.0.1 got 1.0.0.127 + + Closes #3091 + +Jay Satiro (5 Oct 2018) +- INTERNALS.md: wrap lines longer than 79 + +Daniel Gustafsson (5 Oct 2018) +- INTERNALS: escape reference to parameter + + The parameter reference <string> was causing rendering issues in the + generated HTML page, as <string> isn't a valid HTML tag. Fix by back- + tick escaping it. + + Closes #3099 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- checksrc: handle zero scoped ignore commands + + If a !checksrc! disable command specified to ignore zero errors, it was + still added to the ignore block even though nothing was ignored. While + there were no blocks ignored that shouldn't be ignored, the processing + ended with with a warning: + + <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) + /* !checksrc! disable LONGLINE 0 */ + ^ + Fix by instead treating a zero ignore as a a badcommand and throw a + warning for that one. + + Closes #3096 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- checksrc: enable strict mode and warnings + + Enable strict and warnings mode for checksrc to ensure we aren't missing + anything due to bugs in the checking code. 
This uncovered a few things + which are all fixed in this commit: + + * several variables were used uninitialized + * several variables were not defined in the correct scope + * the whitelist filehandle was read even if the file didn't exist + * the enable_warn() call when a disable counter had expired was passing + incorrect variables, but since the checkwarn() call is unlikely to hit + (the counter is only decremented to zero on actual ignores) it didn't + manifest a problem. + + Closes #3090 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + +Marcel Raad (5 Oct 2018) +- CMake: suppress MSVC warning C4127 for libtest + + It's issued by older Windows SDKs (prior to version 8.0). + +Sergei Nikulov (5 Oct 2018) +- Merge branch 'dmitrykos-fix_missing_CMake_defines' + +- [Dmitry Kostjuchenko brought this change] + + cmake: test and set missed defines during configuration + + Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. + + Closes #3097 + +Marcel Raad (5 Oct 2018) +- AppVeyor: disable test 500 + + It almost always results in + "starttransfer vs total: 0.000001 0.000000". + I cannot reproduce this locally, so disable it for now. + + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: set custom install prefix + + CMake's default has spaces and in 32-bit mode parentheses, which result + in syntax errors in curl-config. + + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: Remove non-SSL non-test builds + + They don't add much value. + + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: run test suite + + Use the preinstalled MSYS2 bash for that. + Disable test 1139 as the CMake build doesn't generate curl.1. + + Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224 + Closes https://github.com/curl/curl/pull/3100 + +- AppVeyor: use in-tree build + + Required to run the tests. 
+ + Closes https://github.com/curl/curl/pull/3100 + +Daniel Stenberg (4 Oct 2018) +- doh: make sure TTL isn't re-inited by second (discarded?) response + + Closes #3092 + +- test320: strip out more HTML when comparing + + To make the test case work with different gnutls-serv versions better. + + Reported-by: Kamil Dudka + Fixes #3093 + Closes #3094 + +Marcel Raad (4 Oct 2018) +- runtests: use Windows paths for Windows curl + + curl generated by CMake's Visual Studio generator has "Windows" in the + version number. + +Daniel Stenberg (4 Oct 2018) +- [Colin Hogben brought this change] + + tests/negtelnetserver.py: fix Python2-ism in neg TELNET server + + Fix problems caused by differences in treatment of bytes objects between + python2 and python3. + + Fixes #2929 + Closes #3080 + +Daniel Gustafsson (3 Oct 2018) +- memory: ensure to check allocation results + + The result of a memory allocation should always be checked, as we may + run under memory pressure where even a small allocation can fail. This + adds checking and error handling to a few cases where the allocation + wasn't checked for success. In the ftp case, the freeing of the path + variable is moved ahead of the allocation since there is little point + in keeping it around across the strdup, and the separation makes for + more readable code. In nwlib, the lock is aslo freed in the error path. + + Also bumps the copyright years on affected files. + + Closes #3084 + Reviewed-by: Jay Satiro <raysatiro@yahoo.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- comment: Fix multiple typos in function parameters + + Ensure that the parameters in the comment match the actual names in the + prototype. + + Closes #3079 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- CURLOPT_SSLVERSION.3: fix typos and consistent spelling + + Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was + already done in all but a few cases. Also fix a few typos. 
+ + Closes #3076 + Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- SECURITY-PROCESS: make links into hyperlinks + + Use proper Markdown hyperlink format for the Bountygraph links in order + for the generated website page to be more user friendly. Also link to + the sponsors to give them a little extra credit. + + Closes #3082 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Jay Satiro (3 Oct 2018) +- CURLOPT_HEADER.3: fix typo + +- nss: fix nssckbi module loading on Windows + + - Use .DLL extension instead of .so to load modules on Windows. + + Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html + Reported-by: Maxime Legros + + Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442 + + Closes https://github.com/curl/curl/pull/3086 + +- data-binary.d: clarify default content-type is x-www-form-urlencoded + + - Advise user that --data-binary sends a default content type of + x-www-form-urlencoded, and to have the data treated as arbitrary + binary data by the server set the content-type header to octet-stream. + + Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094 + + Closes https://github.com/curl/curl/pull/3085 + +Marcel Raad (2 Oct 2018) +- test1299: use single quotes around asterisk + + Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580 + +Daniel Stenberg (2 Oct 2018) +- docs/CIPHERS: mention the colon separation for OpenSSL + + Bug: #3077 + +- runtests: ignore disabled even when ranges are given + + runtests.pl support running a range of tests, like "44 to 127". Starting + now, the code makes sure that even such given ranges will ignore tests + that are marked as disabled. + + Disabled tests can still be run by explictly specifying that test + number. + + Closes #3075 + +- urlapi: starting with a drive letter on win32 is not an abs url + + ... 
and libcurl doesn't support any single-letter URL schemes (if there + even exist any) so it should be fairly risk-free. + + Reported-by: Marcel Raad + + Fixes #3070 + Closes #3071 + +Marcel Raad (2 Oct 2018) +- doh: fix curl_easy_setopt argument type + + CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit + MinGW. + +Daniel Stenberg (2 Oct 2018) +- RELEASE-NOTES: synced + +Jay Satiro (1 Oct 2018) +- [Ruslan Baratov brought this change] + + CMake: Improve config installation + + Use 'GNUInstallDirs' standard module to set destinations of installed + files. + + Use uppercase "CURL" names instead of lowercase "curl" to match standard + 'FindCURL.cmake' CMake module: + * https://cmake.org/cmake/help/latest/module/FindCURL.html + + Meaning: + * Install 'CURLConfig.cmake' instead of 'curl-config.cmake' + * User should call 'find_package(CURL)' instead of 'find_package(curl)' + + Use 'configure_package_config_file' function to generate + 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template + file smaller and handle components better. E.g. current configuration + report no error if user specified unknown components (note: new + configuration expects no components, report error if user will try to + specify any). + + Closes https://github.com/curl/curl/pull/2849 + +Daniel Stenberg (1 Oct 2018) +- test1650: make it depend on http/2 + + Follow-up to 570008c99da0ccbb as it gets link errors. + + Reported-by: Michael Kaufmann + Closes #3068 + +- [Nate Prewitt brought this change] + + MANUAL: minor grammar fix + + Noticed a typo reading through the docs. + + Closes #3069 + +- doh: only build if h2 enabled + + The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version + of HTTP for use with DoH". + + Reported-by: Marcel Raad + Closes #3066 + +- test2100: require http2 to run + + Reported-by: Marcel Raad + Fixes #3064 + Closes #3065 + +- multi: fix memory leak in content encoding related error path + + ... a missing multi_done() call. 
+ + Credit to OSS-Fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728 + Closes #3063 + +- travis: bump the Secure Transport build to use xcode 10 + + Due to an issue with travis + (https://github.com/travis-ci/travis-ci/issues/9956) we've been using + Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as + an alternative and as it builds curl+darwinssl fine that seems like a + better choice. + + Closes #3062 + +- [Rich Turner brought this change] + + curl: enabled Windows VT Support and UTF-8 output + + Enabled Console VT support (if running OS supports VT) in tool_main.c. + + Fixes #3008 + Closes #3011 + +- multi: fix location URL memleak in error path + + Follow-up to #3044 - fix a leak OSS-Fuzz detected + Closes #3057 + +Sergei Nikulov (28 Sep 2018) +- cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) + +- [Brad King brought this change] + + cmake: Backport to work with CMake 3.0 again + + Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets + instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake: + bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix + issue #2746. This broke support for users on older versions of CMake + even if they just want to build curl and do not care whether transitive + dependencies work. + + Backport the logic to work with CMake 3.0 again by implementing the + fix only when the version of CMake is at least 3.4. + +Marcel Raad (27 Sep 2018) +- curl_threads: fix classic MinGW compile break + + Classic MinGW still has _beginthreadex's return type as unsigned long + instead of uintptr_t [0]. uintptr_t is not even defined because of [1]. 
+ + [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167 + [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90 + + Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807 + Closes https://github.com/curl/curl/pull/3051 + +Daniel Stenberg (26 Sep 2018) +- configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE + + fix a few leftovers + + Fixes #3006 + Closes #3049 + +- [Doron Behar brought this change] + + example/htmltidy: fix include paths of tidy libraries + + Closes #3050 + +- RELEASE-NOTES: synced + +- Curl_http2_done: fix memleak in error path + + Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for + early failures. + + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 + Closes #3046 + +- http: fix memleak in rewind error path + + If the rewind would fail, a strdup() would not get freed. + + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 + Closes #3044 + +Viktor Szakats (24 Sep 2018) +- test320: fix regression in [ci skip] + + The value in question is coming directly from `gnutls-serv`, so it cannot + be modified freely. + + Reported-by: Marcel Raad + Ref: https://github.com/curl/curl/commit/6ae6b2a533e8630afbb21f570305bd4ceece6348#commitcomment-30621004 + +Daniel Stenberg (24 Sep 2018) +- Curl_retry_request: fix memory leak + + Detected by OSS-Fuzz + + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 + Closes #3042 + +- openssl: load built-in engines too + + Regression since 38203f1 + + Reported-by: Jean Fabrice + Fixes #3023 + Closes #3040 + +- [Christian Heimes brought this change] + + OpenSSL: enable TLS 1.3 post-handshake auth + + OpenSSL 1.1.1 requires clients to opt-in for post-handshake + authentication. + + Fixes: https://github.com/curl/curl/issues/3026 + 
Signed-off-by: Christian Heimes <christian@python.org> + + Closes https://github.com/curl/curl/pull/3027 + +- [Even Rouault brought this change] + + Curl_dedotdotify(): always nul terminate returned string. + + This fixes potential out-of-buffer access on "file:./" URL + + $ valgrind curl "file:./" + ==24516== Memcheck, a memory error detector + ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. + ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info + ==24516== Command: /home/even/install-curl-git/bin/curl file:./ + ==24516== + ==24516== Conditional jump or move depends on uninitialised value(s) + ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==24516== by 0x4EBB315: seturl (urlapi.c:801) + ==24516== by 0x4EBB568: parseurl (urlapi.c:861) + ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) + ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) + ==24516== by 0x4E67AEF: create_conn (url.c:3613) + ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) + ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) + ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) + ==24516== by 0x4E7558C: easy_transfer (easy.c:686) + ==24516== by 0x4E75801: easy_perform (easy.c:779) + ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) + + Was originally spotted by + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 + Credit to OSS-Fuzz + + Closes #3039 + +Viktor Szakats (23 Sep 2018) +- update URLs in tests + + - and one in docs/MANUAL as well + + Closes https://github.com/curl/curl/pull/3038 + +- whitespace fixes + + - replace tabs with spaces where possible + - remove line ending spaces + - remove double/triple newlines at EOF + - fix a non-UTF-8 character + - cleanup a few indentations/line continuations + in manual examples + + Closes https://github.com/curl/curl/pull/3037 + +Daniel Stenberg (23 Sep 2018) +- http: add missing return code check + + Detected by Coverity. 
CID 1439610. + + Follow-up from 46e164069d1a523 + + Closes #3034 + +- ftp: don't access pointer before NULL check + + Detected by Coverity. CID 1439611. + + Follow-up from 46e164069d1a523 + +- unit1650: fix out of boundary access + + Fixes #2987 + Closes #3035 + +Viktor Szakats (23 Sep 2018) +- docs/examples: URL updates + + - also update two URLs outside of docs/examples + - fix spelling of filename persistant.c + - fix three long lines that started failing checksrc.pl + + Closes https://github.com/curl/curl/pull/3036 + +- examples/Makefile.m32: sync with core [ci skip] + + also: + - fix two warnings in synctime.c (one of them Windows-specific) + - upgrade URLs in synctime.c and remove a broken one + + Closes https://github.com/curl/curl/pull/3033 + +Daniel Stenberg (22 Sep 2018) +- examples/parseurl.c: show off the URL API a bit + + Closes #3030 + +- SECURITY-PROCESS: mention the bountygraph program [ci skip] + + Closes #3032 + +- url: use the URL API internally as well + + ... to make it a truly unified URL parser. + + Closes #3017 + +Viktor Szakats (22 Sep 2018) +- URL and mailmap updates, remove an obsolete directory [ci skip] + + Closes https://github.com/curl/curl/pull/3031 + +Daniel Stenberg (22 Sep 2018) +- RELEASE-NOTES: synced + +- configure: force-use -lpthreads on HPUX + + When trying to detect pthreads use on HPUX the checks will succeed + without the correct -l option but then end up failing at run-time. + + Reported-by: Eason-Yu on github + Fixes #2697 + Closes #3025 + +- [Erik Minekus brought this change] + + Curl_saferealloc: Fixed typo in docblock + + Closes #3029 + +- urlapi: fix support for address scope in IPv6 numerical addresses + + Closes #3024 + +- [Loganaden Velvindron brought this change] + + GnutTLS: TLS 1.3 support + + Closes #2971 + +- TODO: c-ares and CURLOPT_OPENSOCKETFUNCTION + + Removed DoH. 
+ + Closes #2734 + +Jay Satiro (20 Sep 2018) +- vtls: fix ssl version "or later" behavior change for many backends + + - Treat CURL_SSLVERSION_MAX_NONE the same as + CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use + the minimum version also as the maximum. + + This is a follow-up to 6015cef which changed the behavior of setting + the SSL version so that the requested version would only be the minimum + and not the maximum. It appears it was (mostly) implemented in OpenSSL + but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to + mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. + + - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. + + Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was + erroneously treated as always TLS 1.3, and would cause an error if + OpenSSL was built without TLS 1.3 support. + + Co-authored-by: Daniel Gustafsson + + Fixes https://github.com/curl/curl/issues/2969 + Closes https://github.com/curl/curl/pull/3012 + +Daniel Stenberg (20 Sep 2018) +- certs: generate tests certs with sha256 digest algorithm + + As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs: + + "SSL certificate problem: CA signature digest algorithm too weak" + + Closes #3014 + +- urlapi: document the error codes, remove two unused ones + + Assisted-by: Daniel Gustafsson + Closes #3019 + +- urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance + + In order for this API to fully work for libcurl itself, it now offers a + CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host + name prefix just like libcurl always did. If there's no known prefix, it + will guess "http://". + + Separately, it relaxes the check of the host name so that IDN host names + can be passed in as well. + + Both these changes are necessary for libcurl itself to use this API. 
+ + Assisted-by: Daniel Gustafsson + Closes #3018 + +Kamil Dudka (19 Sep 2018) +- nss: try to connect even if libnssckbi.so fails to load + + One can still use CA certificates stored in NSS database. + + Reported-by: Maxime Legros + Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html + + Closes #3016 + +Daniel Gustafsson (19 Sep 2018) +- urlapi: don't set value which is never read + + In the CURLUPART_URL case, there is no codepath which invokes url + decoding so remove the assignment of the urldecode variable. This + fixes the deadstore bug-report from clang static analysis. + + Closes #3015 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- todo: Update reference to already done item + + TODO item 1.1 was implemented in commit 946ce5b61f, update reference + to it with instead referencing the implemented option. + + Closes #3013 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (18 Sep 2018) +- RELEASE-NOTES: synced + +- [slodki brought this change] + + cmake: don't require OpenSSL if USE_OPENSSL=OFF + + User must have OpenSSL installed even if not used by libcurl at all + since 7.61.1 release. Broken at + 7867aaa9a01decf93711428462335be8cef70212 + + Reviewed-by: Sergei Nikulov + Closes #3001 + +- curl_multi_wait: call getsock before figuring out timeout + + .... since getsock may update the expiry timer. + + Fixes #2996 + Closes #3000 + +- examples/http2-pushinmemory: receive HTTP/2 pushed files in memory + + Closes #3004 + +Daniel Gustafsson (18 Sep 2018) +- darwinssl: Fix realloc memleak + + The reallocation was using the input pointer for the return value, which + leads to a memory leak on reallication failure. Fix by instead use the + safe internal API call Curl_saferealloc(). 
+ + Closes #3005 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + Reviewed-by: Nick Zitzmann <nickzman@gmail.com> + +- [Kruzya brought this change] + + examples: Fix memory leaks from realloc errors + + Make sure to not overwrite the reallocated pointer in realloc() calls + to avoid a memleak on memory errors. + +- memory: add missing curl_printf header + + ftp_send_command() was using vsnprintf() without including the libcurl + *rintf() replacement header. Fix by including curl_printf.h and also + add curl_memory.h while at it since memdebug.h depends on it. + + Closes #2999 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (16 Sep 2018) +- [Si brought this change] + + curl: update --tlsv* descriptions in --help output + + Closes #2994 + +- http: made Curl_add_buffer functions take a pointer-pointer + + ... so that they can clear the original pointer on failure, which makes + the error-paths and their cleanups easier. + + Closes #2992 + +- http2: fix memory leaks on error-path + +- [Rikard Falkeborn brought this change] + + libtest: Add chkdecimalpoint to .gitignore + + Closes #2998 + +Viktor Szakats (14 Sep 2018) +- secure Openwall URLs + +Daniel Stenberg (14 Sep 2018) +- openssl: show "proper" version number for libressl builds + + Closes #2989 + +- [Rainer Jung brought this change] + + openssl: assume engine support in 0.9.8 or later + + Fixes #2983 + Closes #2988 + +Daniel Gustafsson (13 Sep 2018) +- sendf: use failf() rather than Curl_failf() + + The failf() macro is the name used for invoking Curl_failf(). While + there isn't a way to turn off failf like there is for infof, but it's + still a good idea to use the macro. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- sendf: Fix whitespace in infof/failf concatenation + + Strings broken on multiple rows in the .c file need to have appropriate + whitespace padding on either side of the concatenation point to render + a correct amalgamated string. 
Fix by adding a space at the occurrences + found. + + Closes #2986 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- krb5: fix memory leak in krb_auth + + The FTP command allocated by aprintf() must be freed after usage. + + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- ftp: include command in Curl_ftpsend sendbuffer + + Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed + the actual command to be sent from the send buffer in a refactoring. + Add back copying the command into the buffer. Also add more guards + against malformed input while at it. + + Closes #2985 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +- ntlm_wb: Fix memory leaks in ntlm_wb_response + + When erroring out on a request being too large, the existing buffer was + leaked. Fix by explicitly freeing on the way out. + + Closes #2966 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Daniel Stenberg (13 Sep 2018) +- [Yiming Jing brought this change] + + travis: build the MesaLink vtls backend with MesaLink 0.7.1 + +- [Yiming Jing brought this change] + + runtests.pl: run tests against the MesaLink vtls backend + +- [Yiming Jing brought this change] + + vtls: add a MesaLink vtls backend + + Closes #2984 + +- [Yiming Jing brought this change] + + configure.ac: add a MesaLink vtls backend + +- [Dave Reisner brought this change] + + curl_url_set.3: properly escape \n in example code + + This yields + + "the scheme is %s\n" + + instead of + + "the scheme is %s0 + + Closes #2970 + +- [Dave Reisner brought this change] + + curl_url_set.3: fix typo in reference to CURLU_APPENDQUERY + +- urlglob: improve error message + + to help user understand what the problem is + + Reported-by: Daniel Shahaf + + Fixes #2763 + Closes #2977 + +- [Yiming Jing brought this change] + + tests/certs: rebuild certs with 2048-bit RSA keys + + The previous test certificates contained RSA keys of only 1024 bits. 
+ However, RSA claims that 1024-bit RSA keys are likely to become + crackable some time before 2010. The NIST recommends at least 2048-bit + keys for RSA for now. + + Better use full 2048 also for testing. + + Closes #2973 + +Daniel Gustafsson (12 Sep 2018) +- TODO: fix typo in item + + Closes #2968 + Reviewed-by: Daniel Stenberg <daniel@haxx.se> + +Marcel Raad (12 Sep 2018) +- anyauthput: fix compiler warning on 64-bit Windows + + On Windows, the read function from <io.h> is used, which has its byte + count parameter as unsigned int instead of size_t. + + Closes https://github.com/curl/curl/pull/2972 + +Viktor Szakats (12 Sep 2018) +- lib: fix gcc8 warning on Windows + + Closes https://github.com/curl/curl/pull/2979 + +Jay Satiro (12 Sep 2018) +- openssl: fix gcc8 warning + + - Use memcpy instead of strncpy to copy a string without termination, + since gcc8 warns about using strncpy to copy as many bytes from a + string as its length. + + Suggested-by: Viktor Szakats + + Closes https://github.com/curl/curl/issues/2980 + +Daniel Stenberg (10 Sep 2018) +- libcurl-url.3: overview man page for the URL API + + Closes #2967 + +- example/asiohiper: insert warning comment about its status + + This example is simply not working correctly but there's nobody around + with the skills and energy to fix it. + + Closes #2407 + +Kamil Dudka (10 Sep 2018) +- docs/cmdline-opts: update the documentation of --tlsv1.0 + + ... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9 + + Closes #2955 + +- docs/examples: do not wait when no transfers are running + + Closes #2948 + +Daniel Stenberg (10 Sep 2018) +- [Daniel Gustafsson brought this change] + + cookies: Move failure case label to end of function + + Rather than jumping backwards to where failure cleanup happens + to be performed, move the failure case to end of the function + where it is expected per existing coding convention. 
+ + Closes #2965 + +- [Daniel Gustafsson brought this change] + + misc: fix typos in comments + + Closes #2963 + +- [Daniel Gustafsson brought this change] + + cookies: fix leak when writing cookies to file + + If the formatting fails, we error out on a fatal error and + clean up on the way out. The array was however freed within + the wrong scope and was thus never freed in case the cookies + were written to a file instead of STDOUT. + + Closes #2957 + +- [Daniel Gustafsson brought this change] + + cookies: Remove redundant expired check + + Expired cookies have already been purged at a later expiration time + before this check, so remove the redundant check. + + closes #2962 + +- ntlm_wb: bail out if the response gets overly large + + Exit the realloc() loop if the response turns out ridiculously large to + avoid worse problems. + + Reported-by: Harry Sintonen + Closes #2959 + +- [Daniel Gustafsson brought this change] + + url.c: fix comment typo and indentation + + Closes #2960 + +- urlapi: avoid derefencing a possible NULL pointer + + Coverity CID 1439134 + +- RELEASE-NOTES: synced + +Marcel Raad (8 Sep 2018) +- test324: fix after 3f3b26d6feb0667714902e836af608094235fca2 + + The expected error code is now 60. 51 is dead. + +Daniel Stenberg (8 Sep 2018) +- curl_url_set.3: correct description + +- curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0 + +- URL-API + + See header file and man pages for API. All documented API details work + and are tested in the 1560 test case. + + Closes #2842 + +- curl_easy_upkeep: removed 'conn' from the name + + ... including the associated option. + + Fixes #2951 + Closes #2952 + +- [Max Dymond brought this change] + + upkeep: add a connection upkeep API: curl_easy_conn_upkeep() + + Add functionality so that protocols can do custom keepalive on their + connections, when an external API function is called. 
+ + Add docs for the new options in 7.62.0 + + Closes #1641 + +- [Philipp Waehnert brought this change] + + configure: add option to disable automatic OpenSSL config loading + + Sometimes it may be considered a security risk to load an external + OpenSSL configuration automatically inside curl_global_init(). The + configuration option --disable-ssl-auto-load-config disables this + automatism. The Windows build scripts winbuild/Makefile.vs provide a + corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean + value. + + Setting neither of these options corresponds to the previous behavior + loading the external OpenSSL configuration automatically. + + Fixes #2724 + Closes #2791 + +- doh: minor edits to please Coverity + + The gcc typecheck macros and coverity combined made it warn on the 2nd + argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it. + + Coverity CID 1439115 and CID 1439114. + +- schannel: avoid switch-cases that go to default anyway + + SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of + mingw and would require an ifdef otherwise. + + Reported-by: Thomas Glanzmann + Approved-by: Marc Hörsken + Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html + Closes #2950 + +- [Nicklas Avén brought this change] + + imap: change from "FETCH" to "UID FETCH" + + ... and add "MAILINDEX". + + As described in #2789, this is a suggested solution. Changing UID=xx to + actually get mail with UID xx and add "MAILINDEX" to get a mail with a + special index in the mail box (old behavior). So MAILINDEX=1 gives the + first non deleted mail in the mail box. + + Fixes #2789 + Closes #2815 + +- CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size + + This is step 3 of #2888. 
+ + Fixes #2888 + Closes #2896 + +- travis: add the DOH tests to the torture testing + +- DOH: add test case 1650 and 2100 + +- curl: --doh-url added + +- setopt: add CURLOPT_DOH_URL + + Closes #2668 + +- [Han Han brought this change] + + ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code + + Long live CURLE_PEER_FAILED_VERIFICATION + +- [Han Han brought this change] + + x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert + + CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509 + does not allocate memory internally as its first argument is a pointer + to the certificate structure. The same error code is also returned by + Curl_verifyhost when its call to Curl_parseX509 fails so the change + makes error handling more consistent. + +- [Han Han brought this change] + + openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer + + Failure to extract the issuer name from the server certificate should + return a more specific error code like on other TLS backends. + +- [Han Han brought this change] + + schannel: unified error code handling + + Closes #2901 + +- [Han Han brought this change] + + darwinssl: more specific and unified error codes + + Closes #2901 + +- CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated + + Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for + deprecation and complete removal in six months. + + Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html + Closes #2942 + +- url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled + + Closes #2709 + +- multiplex: enable by default + + Starting 7.62.0, multiplexing is enabled by default in multi handles. + +- [Jim Fuller brought this change] + + tests: add unit tests for url.c + + Approved-by: Daniel Gustafsson + Closes #2937 + +- test1452: mark as flaky + + makes it not run in the CI builds + + Closes #2941 + +- pipelining: deprecated + + Transparently. 
The related curl_multi_setopt() options all still returns + OK when pipelining is selected. + + To re-enable the support, the single line change in lib/multi.c needs to + be reverted. + + See docs/DEPRECATE.md + + Closes #2705 + +- RELEASE-NOTES: start working on 7.62.0 + Version 7.61.1 (4 Sep 2018) Daniel Stenberg (4 Sep 2018) @@ -5544,1653 +7290,3 @@ Daniel Stenberg (2 Dec 2017) - RELEASE-NOTES: synced with af8cc7a69 - curlver: towards 7.57.1 - -- [W. Mark Kubacki brought this change] - - lib: don't export all symbols, just everything curl_* - - Absent any 'symbol map' or script to limit what gets exported, static - linking of libraries previously resulted in a libcurl with curl's and - those other symbols being (re-)exported. - - This did not happen if 'versioned symbols' were enabled (which is not - the default) because then a version script is employed. - - This limits exports to everything starting in 'curl_*'., which is - what "libcurl.vers" exports. - - This avoids strange side-effects such as with mixing methods - from system libraries and those erroneously offered by libcurl. - - Closes #2127 - -- [Johannes Schindelin brought this change] - - SSL: Avoid magic allocation of SSL backend specific data - - Originally, my idea was to allocate the two structures (or more - precisely, the connectdata structure and the four SSL backend-specific - strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so - that they all could be free()d together. - - However, getting the alignment right is tricky. Too tricky. - - So let's just bite the bullet and allocate the SSL backend-specific - data separately. - - As a consequence, we now have to be very careful to release the memory - allocated for the SSL backend-specific data whenever we release any - connectdata. - - 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> - - Closes #2119 - -- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL - - Reported-by: Dima Tisnek - -- travis: add boringssl build - - Uses a separate build without --enable-debug and no valgrind. - - The debug option causes far too many warnings in boringssl's headers - (C++ comments, trailing commas etc). Valgrind triggers some false - positive errors in thread-local data used by boringssl. - - Closes #2118 - -Version 7.57.0 (29 Nov 2017) - -Daniel Stenberg (29 Nov 2017) -- RELEASE-NOTES: curl 7.57.0 - -- THANKS: added contributors from 7.57.0 release - -- openssl: fix boringssl build again - - commit d3ab7c5a21e broke the boringssl build since it doesn't have - RSA_flags(), so we disable that code block for boringssl builds. - - Reported-by: W. Mark Kubacki - Fixes #2117 - -- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided - -- libcurl-share.3: the connection cache is shareable now - -- global_init: ignore CURL_GLOBAL_SSL's absense - - This bit is no longer used. It is not clear what it meant for users to - "init the TLS" in a world with different TLS backends and since the - introduction of multissl, libcurl didn't properly work if inited without - this bit set. - - Not a single user responded to the call for users of it: - https://curl.haxx.se/mail/lib-2017-11/0072.html - - Reported-by: Evgeny Grin - Assisted-by: Jay Satiro - - Fixes #2089 - Fixes #2083 - Closes #2107 - -- ntlm: avoid integer overflow for malloc size - - Reported-by: Alex Nichols - Assisted-by: Kamil Dudka and Max Dymond - - CVE-2017-8816 - - Bug: https://curl.haxx.se/docs/adv_2017-11e7.html - -- wildcardmatch: fix heap buffer overflow in setcharset - - The code would previous read beyond the end of the pattern string if the - match pattern ends with an open bracket when the default pattern - matching function is used. 
- - Detected by OSS-Fuzz: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 - - CVE-2017-8817 - - Bug: https://curl.haxx.se/docs/adv_2017-ae72.html - -- [Jay Satiro brought this change] - - url: fix alignment of ssl_backend_data struct - - - Align the array of ssl_backend_data on a max 32 byte boundary. - - 8 is likely to be ok but I went with 32 for posterity should one of - the ssl_backend_data structs change to contain a larger sized variable - in the future. - - Prior to this change (since dev 70f1db3, release 7.56) the connectdata - structure was undersized by 4 bytes in 32-bit builds with ssl enabled - because long long * was mistakenly used for alignment instead of - long long, with the intention being an 8 byte boundary. Also long long - may not be an available type. - - The undersized connectdata could lead to oob read/write past the end in - what was expected to be the last 4 bytes of the connection's secondary - socket https proxy ssl_backend_data struct (the secondary socket in a - connection is used by ftp, others?). - - Closes https://github.com/curl/curl/issues/2093 - - CVE-2017-8818 - - Bug: https://curl.haxx.se/docs/adv_2017-af0a.html - -- ssh: remove check for a NULL pointer (!) - - With this check present, scan-build warns that we might dereference this - point in other places where it isn't first checked for NULL. Thus, if it - *can* be NULL we have a problem on a few places. However, this pointer - should not be possible to be NULL here so I remove the check and thus - also three different scan-build warnings. - - Closes #2111 - -- [Matthew Kerwin brought this change] - - test: add test for bad UNC/SMB path in file: URL - -- [Matthew Kerwin brought this change] - - test: add tests to ensure basic file: URLs - -- [Matthew Kerwin brought this change] - - URL: update "file:" URL handling - - * LOTS of comment updates - * explicit error for SMB shares (e.g. "file:////share/path/file") - * more strict handling of authority (i.e. 
"//localhost/") - * now accepts dodgy old "C:|" drive letters - * more precise handling of drive letters in and out of Windows - (especially recognising both "file:c:/" and "file:/c:/") - - Closes #2110 - -- metalink: fix memory-leak and NULL pointer dereference - - Reported by scan-build - - Closes #2109 - -- [Alessandro Ghedini brought this change] - - connect: add support for new TCP Fast Open API on Linux - - The new API added in Linux 4.11 only requires setting a socket option - before connecting, without the whole sento() machinery. - - Notably, this makes it possible to use TFO with SSL connections on Linux - as well, without the need to mess around with OpenSSL (or whatever other - SSL library) internals. - - Closes #2056 - -- make: fix "make distclean" - - Fixes #2097 - Closes #2108 - -- RELEASE-NOTES: synced with 31f18d272 - -Jay Satiro (23 Nov 2017) -- connect: improve the bind error message - - eg consider a non-existent interface eth8, curl --interface eth8 - - Before: curl: (45) Could not resolve host: eth8 - After: curl: (45) Couldn't bind to 'eth8' - - Bug: https://github.com/curl/curl/issues/2104 - Reported-by: Alfonso Martone - -Daniel Stenberg (23 Nov 2017) -- examples/rtsp: clear RANGE again after use - - Fixes #2106 - Reported-by: youngchopin on github - -- [Michael Kaufmann brought this change] - - test1264: verify URL with space in host name being rejected - -- url: reject ASCII control characters and space in host names - - Host names like "127.0.0.1 moo" would otherwise be accepted by some - getaddrinfo() implementations. - - Updated test 1034 and 1035 accordingly. 
- - Fixes #2073 - Closes #2092 - -- Curl_open: fix OOM return error correctly - - Closes #2098 - -- http2: fix "Value stored to 'end' is never read" scan-build error - -- http2: fix "Value stored to 'hdbuf' is never read" scan-build error - -- openssl: fix "Value stored to 'rc' is never read" scan-build error - -- mime: fix "Value stored to 'sz' is never read" scan-build error - -- Curl_llist_remove: fix potential NULL pointer deref - - Fixes a scan-build warning. - -- ntlm: remove unnecessary NULL-check to please scan-build - -- BUGS: spellchecked - -Jay Satiro (18 Nov 2017) -- [fmmedeiros brought this change] - - examples/curlx: Fix code style - - - Add braces around multi-line if statement. - - Closes https://github.com/curl/curl/pull/2096 - -Daniel Stenberg (17 Nov 2017) -- resolve: allow IP address within [] brackets - - ... so that IPv6 addresses can be passed like they can for connect-to - and how they're used in URLs. - - Added test 1324 to verify - Reported-by: Alex Malinovich - - Fixes #2087 - Closes #2091 - -- [Pavol Markovic brought this change] - - macOS: Fix missing connectx function with Xcode version older than 9.0 - - The previous fix https://github.com/curl/curl/pull/1788 worked just for - Xcode 9. This commit extends the fix to older Xcode versions effectively - by not using connectx function. - - Fixes https://github.com/curl/curl/issues/1330 - Fixes https://github.com/curl/curl/issues/2080 - Closes https://github.com/curl/curl/pull/1336 - Closes #2082 - -- [Dirk Feytons brought this change] - - openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY - - Fixes #2079 - Closes #2081 - -- TODO: ignore private IP addresses in PASV response - - Closes #1455 - -- RELEASE-NOTES: synced with ae7369b6d - -Michael Kaufmann (14 Nov 2017) -- URL: return error on malformed URLs with junk after IPv6 bracket - - Follow-up to aadb7c7. Verified by new test 1263. 
- - Closes #2072 - -Daniel Stenberg (14 Nov 2017) -- INTERNALS: we may use libidn2 now, not libidn - -Patrick Monnerat (13 Nov 2017) -- zlib/brotli: only include header files in modules needing them - - There is a conflict on symbol 'free_func' between openssl/crypto.h and - zlib.h on AIX. This is an attempt to resolve it. - - Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html - Reported-By: Michael Felt - -Daniel Stenberg (13 Nov 2017) -- SMB: fix uninitialized local variable - - Reported-by: Brian Carpenter - -- [Orgad Shaneh brought this change] - - connect.c: remove executable bit on file - - Closes #2071 - -- [hsiao yi brought this change] - - README.md: fixed layout - - Closes #2069 - -- setopt: split out curl_easy_setopt() to its own file - - ... to make url.c smaller. - - Closes #1944 - -Jay Satiro (10 Nov 2017) -- [John Starks brought this change] - - cmake: Add missing setmode check - - Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this, - curl will corrupt binary files when writing them to stdout on Windows. - - Closes https://github.com/curl/curl/pull/2067 - -Daniel Stenberg (10 Nov 2017) -- curl_share_setopt: va_end was not called if conncache errors - - CID 984459, detected by Coverity - -Sergei Nikulov (10 Nov 2017) -- [John Starks brought this change] - - cmake: Correctly include curl.rc in Windows builds (#2064) - - Update CMakeLists.txt to add curl.rc to the correct list. - -Daniel Stenberg (9 Nov 2017) -- RELEASE-NOTES: synced with 32828cc4f - -- [Luca Boccassi brought this change] - - --interface: add support for Linux VRF - - The --interface command (CURLOPT_INTERFACE option) already uses - SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP - address first, which fails in case the user passes a VRF. - - Try to use the socket option immediately and parse it as a fallback - instead. 
Update the documentation to mention this feature, and that it - requires the binary to be ran by root or with CAP_NET_RAW capabilities - for this to work. - - Closes #2024 - -- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT - - Closes #2043 - -- examples: add shared-connection-cache - -- test1554: verify connection cache sharing - -- share: add support for sharing the connection cache - -- imap: deal with commands case insensitively - - As documented in RFC 3501 section 9: - https://tools.ietf.org/html/rfc3501#section-9 - - Closes #2061 - -- connect: store IPv6 connection status after valid connection - - ... previously it would store it already in the happy eyeballs stage - which could lead to the IPv6 bit being set for an IPv4 connection, - leading to curl not wanting to do EPSV=>PASV for FTP transfers. - - Closes #2053 - -- curl_multi_fdset.3: emphasize curl_multi_timeout - - ... even when there's no socket to wait for, the timeout can still be - very short. - -Jay Satiro (9 Nov 2017) -- content_encoding: fix inflate_stream for no bytes available - - - Don't call zlib's inflate() when avail_in stream bytes is 0. - - This is a follow up to the parent commit 19e66e5. Prior to that change - libcurl's inflate_stream could call zlib's inflate even when no bytes - were available, causing inflate to return Z_BUF_ERROR, and then - inflate_stream would treat that as a hard error and return - CURLE_BAD_CONTENT_ENCODING. - - According to the zlib FAQ, Z_BUF_ERROR is not fatal. - - This bug would happen randomly since packet sizes are arbitrary. A test - of 10,000 transfers had 55 fail (ie 0.55%). - - Ref: https://zlib.net/zlib_faq.html#faq05 - - Closes https://github.com/curl/curl/pull/2060 - -Patrick Monnerat (7 Nov 2017) -- content_encoding: do not write 0 length data - -Daniel Stenberg (6 Nov 2017) -- fnmatch: remove dead code - - There was a duplicate check for backslashes in the setcharset() - function. 
- - Coverity CID 1420611 - -- url: remove unncessary NULL-check - - Since 'conn' won't be NULL in there and we also access the pointer in - there without the check. - - Coverity CID 1420610 - -Viktor Szakats (6 Nov 2017) -- src/Makefile.m32: fix typo in brotli lib customization - - Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31 - -- Makefile.m32: allow to customize brotli libs - - It adds the ability to link against static brotli libs. - - Also fix brotli include path. - -Patrick Monnerat (5 Nov 2017) -- travis: add a job with brotli enabled - -- [Viktor Szakats brought this change] - - Makefile.m32: add brotli support - -- HTTP: implement Brotli content encoding - - This uses the brotli external library (https://github.com/google/brotli). - Brotli becomes a feature: additional curl_version_info() bit and - structure fields are provided for it and CURLVERSION_NOW bumped. - - Tests 314 and 315 check Brotli content unencoding with correct and - erroneous data. - - Some tests are updated to accomodate with the now configuration dependent - parameters of the Accept-Encoding header. - -- HTTP: support multiple Content-Encodings - - This is implemented as an output streaming stack of unencoders, the last - calling the client write procedure. - - New test 230 checks this feature. - - Bug: https://github.com/curl/curl/pull/2002 - Reported-By: Daniel Bankhead - -Jay Satiro (4 Nov 2017) -- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES - - Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value - check on this option is incorrect; we have to accept any value. - - Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES - erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT. 
- - Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120 - -Daniel Stenberg (4 Nov 2017) -- ntlm: avoid malloc(0) for zero length passwords - - It triggers an assert() when built with memdebug since malloc(0) may - return NULL *or* a valid pointer. - - Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 - - Assisted-by: Max Dymond - Closes #2054 - -- RELEASE-NOTES: synced with ee8016b3d - -- curl: speed up handling of many URLs - - By properly keeping track of the last entry in the list of URLs/uploads - to handle, curl now avoids many meaningless traverses of the list which - speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K - URLs). - - Added test 1291, to verify that it doesn't take ages - but we don't have - any detection of "too slow" command in the test suite. - - Reported-by: arainchik on github - Fixes #1959 - Closes #2052 - -- curl: pass through [] in URLs instead of calling globbing error - - Assisted-by: Per Lundberg - Fixes #2044 - Closes #2046 - Closes #2048 - -- CURLOPT_INFILESIZE: accept -1 - - Regression since f121575 - - Reported-by: Petr Voytsik - Fixes #2047 - -Jay Satiro (2 Nov 2017) -- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1 - - Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT - erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT. - -Dan Fandrich (1 Nov 2017) -- http2: Fixed OOM handling in upgrade request - - This caused the torture tests on test 1800 to fail. - -- tests: Fixed torture tests on tests 556 and 650 - - Test cleanup after OOM wasn't being consistently performed. - -Daniel Stenberg (1 Nov 2017) -- CURLOPT_MAXREDIRS: allow -1 as a value - - ... which is valid according to documentation. Regression since - f121575c0b5f. - - Verified now in test 501. 
- - Reported-by: cbartl on github - Fixes #2038 - Closes #2039 - -- include: remove conncache.h inclusion from where its not needed - -Jay Satiro (1 Nov 2017) -- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 - - .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE. - - Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE - erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT. - - Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html - Reported-by: Andrew Lambert - -Daniel Stenberg (31 Oct 2017) -- cookie: avoid NULL dereference - - ... when expiring old cookies. - - Reported-by: Pavel Gushchin - Fixes #2032 - Closes #2035 - -Marcel Raad (30 Oct 2017) -- memdebug: use send/recv signature for curl_dosend/curl_dorecv - - This avoids build errors and warnings caused by implicit casts. - - Closes https://github.com/curl/curl/pull/2031 - -Daniel Stenberg (30 Oct 2017) -- [Juro Bystricky brought this change] - - mkhelp.pl: support reproducible build - - Do not generate line with the current date, such as: - - * Generation time: Tue Oct-24 18:01:41 2017 - - This will improve reproducibility. The generated string is only - part of a comment, so there should be no adverse consequences. - - 
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> - - closes #2026 - -Dan Fandrich (30 Oct 2017) -- runtests.pl: Fixed typo in message - -Daniel Stenberg (30 Oct 2017) -- curlx: the timeval functions are no longer provided as curlx_* - - Pointed-out-by: Dmitri Tikhonov - Bug: #2034 - -- select: update comments - - s/curlx_tvnow/Curl_now - -- INTERNALS: remove curlx_tv* functions no longer provided - -- [Dmitri Tikhonov brought this change] - - timeval: use mach time on MacOS - - If clock_gettime() is not supported, use mach_absolute_time() on MacOS. - - closes #2033 - -Patrick Monnerat (29 Oct 2017) -- cli tool: improve ";type=" handling in -F option arguments - -- cli tool: in -F option arg, comma is a delimiter for files only - - Also upgrade test 1133 to cover this case and clarify man page about - form data quoting. - - Bug: https://github.com/curl/curl/issues/2022 - Reported-By: omau on github - -Daniel Stenberg (29 Oct 2017) -- timeleft: made two more users of Curl_timeleft use timediff_t - -Jakub Zakrzewski (28 Oct 2017) -- cmake: Export libcurl and curl targets to use by other cmake projects - - The config files define curl and libcurl targets as imported targets - CURL::curl and CURL::libcurl. For backward compatibility with CMake- - provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are - also set. - - Closes #1879 - -Daniel Stenberg (28 Oct 2017) -- RELEASE-NOTES: synced with f20cbac97 - -- [Florin Petriuc brought this change] - - auth: Added test cases for RFC7616 - - Updated docs to include support for RFC7616 - - Signed-off-by: Florin <petriuc.florin@gmail.com> - - Closes #1934 - -- [Florin Petriuc brought this change] - - auth: add support for RFC7616 - HTTP Digest access authentication - - 
Signed-off-by: Florin <petriuc.florin@gmail.com> - -- [Daniel Bankhead brought this change] - - TODO: support multiple Content-Encodings - - Closes #2002 - -- ROADMAP: cleanup - - Removed done stuff. Removed entries no longer considered for the near - term. - -- [Magicansk brought this change] - - ROADMAP.md: spelling fixes - - Closes #2028 - -- Curl_timeleft: change return type to timediff_t - - returning 'time_t' is problematic when that type is unsigned and we - return values less than zero to signal "already expired", used in - several places in the code. - - Closes #2021 - -- appveyor: add a win32 build - -- setopt: fix CURLOPT_SSH_AUTH_TYPES option read - - Regression since f121575c0b5f - - Reported-by: Rob Cotrone - -Marcel Raad (27 Oct 2017) -- resolvers: only include anything if needed - - This avoids warnings about unused stuff. - - Closes https://github.com/curl/curl/pull/2023 - -Daniel Stenberg (27 Oct 2017) -- HELP-US: rename the subtitle too since the label is changed - - "PR-welcome" was the former name. - -- curl_setup.h: oops, shorten the too long line - -- [Martin Storsjo brought this change] - - curl_setup: Improve detection of CURL_WINDOWS_APP - - If WINAPI_FAMILY is defined, it should be safe to try to include - winapifamily.h to check what the define evaluates to. - - This should fix detection of CURL_WINDOWS_APP if building with - _WIN32_WINNT set to 0x0600. - - Closes #2025 - -Jay Satiro (26 Oct 2017) -- transfer: Fix chunked-encoding upload bug - - - When uploading via chunked-encoding don't compare file size to bytes - sent to determine whether the upload has finished. - - Chunked-encoding adds its own overhead which why the bytes sent is not - equal to the file size. Prior to this change if a file was uploaded in - chunked-encoding and its size was known it was possible that the upload - could end prematurely without sending the final few chunks. 
That would - result in a server hang waiting for the remaining data, likely followed - by a disconnect. - - The scope of this bug is limited to some arbitrary file sizes which have - not been determined. One size that triggers the bug is 475020. - - Bug: https://github.com/curl/curl/issues/2001 - Reported-by: moohoorama@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/2010 - -Daniel Stenberg (26 Oct 2017) -- timeval: make timediff_t also work on 32bit windows - - ... by using curl_off_t for the typedef if time_t is larger than 4 - bytes. - - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co - mmitcomment-25205058 - Closes #2019 - -- curl_fnmatch: return error on illegal wildcard pattern - - ... instead of doing an infinite loop! - - Added test 1162 to verify. - - Reported-by: Max Dymond - Fixes #2015 - Closes #2017 - -- [Max Dymond brought this change] - - wildcards: don't use with non-supported protocols - - Fixes timeouts in the fuzzing tests for non-FTP protocols. - - Closes #2016 - -- [Max Dymond brought this change] - - multi: allow table handle sizes to be overridden - - Allow users to specify their own hash define for - CURL_CONNECTION_HASH_SIZE so that both values can be overridden. - - Closes #1982 - -- time: rename Curl_tvnow to Curl_now - - ... since the 'tv' stood for timeval and this function does not return a - timeval struct anymore. - - Also, cleaned up the Curl_timediff*() functions to avoid typecasts and - clean up the descriptive comments. - - Closes #2011 - -- ftplistparser: follow-up cleanup to remove PL_ERROR() - -- [Max Dymond brought this change] - - ftplistparser: free off temporary memory always - - When using the FTP list parser, ensure that the memory that's - allocated is always freed. - - Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682 - Closes #2013 - -- timediff: return timediff_t from the time diff functions - - ... 
to cater for systems with unsigned time_t variables. - - - Renamed the functions to curlx_timediff and Curl_timediff_us. - - - Added overflow protection for both of them in either direction for - both 32 bit and 64 bit time_ts - - - Reprefixed the curlx_time functions to use Curl_* - - Reported-by: Peter Piekarski - Fixes #2004 - Closes #2005 - -- [Paul Howarth brought this change] - - libtest: Add required test libraries for lib1552 and lib1553 - - They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too. - - This fixes build failures on Fedora 13. - - Closes #2006 - -- [Alessandro Ghedini brought this change] - - libcurl-tutorial.3: fix typo - - closes #2008 - -Alessandro Ghedini (23 Oct 2017) -- curl_mime_filedata.3: fix typos - -Daniel Stenberg (23 Oct 2017) -- RELEASE-NOTES: clean slate towards 7.57.0 - -- [Max Dymond brought this change] - - travis: exit if any steps fail - - We don't expect any steps to fail in travis. Exit the script if they do. - - Closes #1966 - -Version 7.56.1 (23 Oct 2017) - -Daniel Stenberg (23 Oct 2017) -- RELEASE-NOTES: 7.56.1 - -- THANKS: update at 7.56.1 release time - -- [Jon DeVree brought this change] - - mk-ca-bundle: Remove URL for aurora - - Aurora is no longer used by Mozilla - https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/ - -- [Jon DeVree brought this change] - - mk-ca-bundle: Fix URL for NSS - - The 'tip' is the most recent branch committed to, this should be - 'default' like the URLs for the browser are. - - Closes #1998 - -- imap: if a FETCH response has no size, don't call write callback - - CVE-2017-1000257 - - Reported-by: Brian Carpenter and 0xd34db347 - Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 - -- ftp: reject illegal IP/port in PASV 227 response - - ... by using range checks. Among other things, this avoids an undefined - behavior for a left shift that could happen on negative or very large - values. 
- - Closes #1997 - - Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694 - -Patrick Monnerat (20 Oct 2017) -- test653: check reuse of easy handle after mime data change - - See issue #1999 - -- mime: do not reuse previously computed multipart size - - The contents might have changed: size must be recomputed. - - Reported-by: moteus on github - Fixes #1999 - -- test308: disable if MultiSSL feature enabled - - Even if OpenSSL is enabled, it might not be the default backend when - multi-ssl is enabled, causing the test to fail. - -- runtests: support MultiSSL client feature - -- vtls: change struct Curl_ssl `close' field name to `close_one'. - - On OS/400, `close' is an ASCII system macro that corrupts the code if - not used in a context not targetting the close() system API. - -- os400: add missing symbols in config file. - - Also adjust makefile to renamed files and warn about installation dirs mix-up. - -- test652: curl_mime_data + base64 encoder with large contents - -- mime: limit bas64-encoded lines length to 76 characters - -Daniel Stenberg (16 Oct 2017) -- RELEASE-NOTES: synced with f121575c0 - -- setopt: range check most long options - - ... filter early instead of risking "funny values" having to be dealt - with elsewhere. - -- setopt: avoid integer overflows when setting millsecond values - - ... that are multiplied by 1000 when stored. - - For 32 bit long systems, the max value accepted (2147483 seconds) is > - 596 hours which is unlikely to ever be set by a legitimate application - - and previously it didn't work either, it just caused undefined behavior. - - Also updated the man pages for these timeout options to mention the - return code. - - Closes #1938 - -Viktor Szakats (15 Oct 2017) -- makefile.m32: allow to override gcc, ar and ranlib - - Allow to ovverride certain build tools, making it possible to - use LLVM/Clang to build curl. The default behavior is unchanged. 
- To build with clang (as offered by MSYS2), these settings can - be used: - - CURL_CC=clang - CURL_AR=llvm-ar - CURL_RANLIB=llvm-ranlib - - Closes https://github.com/curl/curl/pull/1993 - -- ldap: silence clang warning - - Use memset() to initialize a structure to avoid LLVM/Clang warning: - ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers] - - Closes https://github.com/curl/curl/pull/1992 - -Daniel Stenberg (14 Oct 2017) -- runtests: use valgrind for torture as well - - NOTE: it makes them terribly slow. I recommend only using valgrind for - specific torture tests or using lots of patience. - -- memdebug: trace send, recv and socket - - ... to allow them to be included in torture tests too. - - closes #1980 - -- configure: remove the C++ compiler check - - ... we used it only for the fuzzer, which we now have in a separate git - repo. - - Closes #1990 - -Patrick Monnerat (13 Oct 2017) -- mime: do not call failf() if easy handle is NULL. - -Daniel Stenberg (13 Oct 2017) -- test651: curl_formadd with huge COPYCONTENTS - -- mime: fix the content reader to handle >16K data properly - - Reported-by: Jeroen Ooms - Closes #1988 - -Patrick Monnerat (12 Oct 2017) -- mime: keep "text/plain" content type if user-specified. - - Include test cases in 554, 587, 650. - - Fixes https://github.com/curl/curl/issues/1986 - -- cli tool: use file2memory() to buffer stdin in -F option. - - Closes PR https://github.com/curl/curl/pull/1985 - -- cli tool: reimplement stdin buffering in -F option. - - If stdin is not a regular file, its content is memory-buffered to enable - a possible data "rewind". - In all cases, stdin data size is determined before real use to avoid - having an unknown part's size. - - --libcurl generated code is left as an unbuffered stdin fread/fseek callback - part with unknown data size. - - Buffering is not supported in deprecated curl_formadd() API. 
- -Daniel Stenberg (12 Oct 2017) -- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2 - -- HELP-US: the label "PR-welcome" is now renamed to "help wanted" - - following the new github "standard" - -- RELEASE-NOTES: synced with 5505df7d2 - -Jay Satiro (11 Oct 2017) -- [Artak Galoyan brought this change] - - url: Update current connection SSL verify params in setopt - - Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active - connection updates the current connection's (i.e.'connectdata' - structure) appropriate ssl_config (and ssl_proxy_config) structures - variables, making these options effective for ongoing connection. - - This functionality was available before and was broken by the - following change: - "proxy: Support HTTPS proxy and SOCKS+HTTP(s)" - CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151. - - Bug: https://github.com/curl/curl/issues/1941 - - Closes https://github.com/curl/curl/pull/1951 - -Daniel Stenberg (11 Oct 2017) -- [David Benjamin brought this change] - - openssl: don't use old BORINGSSL_YYYYMM macros - - Those were temporary things we'd add and remove for our own convenience - long ago. The last few stayed around for too long as an oversight but - have since been removed. These days we have a running - BORINGSSL_API_VERSION counter which is bumped when we find it - convenient, but 2015-11-19 was quite some time ago, so just check - OPENSSL_IS_BORINGSSL. - - Closes #1979 - -- test950; verify SMTP with custom request - -- ftpserver: support case insensitive commands - -- smtp_done: free data before returning (on send failure) - - ... as otherwise it could leak that memory. 
- - Detected by OSS-fuzz: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600 - - Assisted-by: Max Dymond - Closes #1977 - -- FTP: URL decode path for dir listing in nocwd mode - - Reported-by: Zenju on github - - Test 244 added to verify - Fixes #1974 - Closes #1976 - -- test298: verify --ftp-method nowcwd with URL encoded path - - Ref: #1974 - -- CURLOPT_XFERINFODATA.3: fix duplicate see also - -- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction - -- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION - -- openssl: enable PKCS12 support for !BoringSSL - - Enable PKCS12 for all non-boringssl builds without relying on configure - or cmake checks. - - Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html - Reported-by: Christian Schmitz - Closes #1948 - -- [Kristiyan Tsaklev brought this change] - - curl: don't pass semicolons when parsing Content-Disposition - - Test 1422 updated to verify. - - Closes #1964 - -Patrick Monnerat (9 Oct 2017) -- mime: properly unbind mime structure in curl_mime_free(). - - This allows freeing a mime structure bound to the easy handle before - curl_easy_cleanup(). - - Fixes #1970. - -Daniel Stenberg (9 Oct 2017) -- RTSP: avoid integer overflow on funny RTSP response - - ... like a very large non-existing RTSP version number. - - Added test 577 to verify. - - Detected by OSS-fuzz. - Closes #1969 - -Patrick Monnerat (8 Oct 2017) -- ftpserver: properly reset $ftptargetdir. - -- test643: verify curl_mime_subparts() rejects cyclic additions. - -- mime: refuse to add subparts to one of their own descendants. - - Reported-by: Alexey Melnichuk - Fixes #1962 - -- mime: avoid resetting a part's encoder when part's contents change. - -- mime: improve unbinding top multipart from easy handle. - - Also avoid dangling pointers in referencing parts. 
- -Daniel Stenberg (8 Oct 2017) -- RELEASE-NOTES: synced with a4c1c75da30af1 - -- curlver.h: next expected release is 7.57.0 - -Patrick Monnerat (8 Oct 2017) -- mime: be tolerant about setting twice the same header list in a part. - -- docs: clarify form/mime usage of non-regular data files. - -Daniel Stenberg (8 Oct 2017) -- Revert "multi_done: wait for name resolve to finish if still ongoing" - - This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe. - - Caused memory leaks in the fuzzer, needs to be done differently. - - Disable test 1553 for now too, as it causes memory leaks without this - commit! - -- remove_handle: call multi_done() first, then clear dns cache pointer - - Closes #1960 - -- multi_done: wait for name resolve to finish if still ongoing - - ... as we must clean up memory. - -- pingpong: return error when trying to send without connection - - When imap_done() got called before a connection is setup, it would try - to "finish up" and dereffed a NULL pointer. - - Test case 1553 managed to reproduce. I had to actually use a host name - to try to resolve to slow it down, as using the normal local server IP - will make libcurl get a connection in the first curl_multi_perform() - loop and then the bug doesn't trigger. - - Fixes #1953 - Assisted-by: Max Dymond - -Dan Fandrich (6 Oct 2017) -- tests: added flaky keyword to tests 587 and 644 - - These are around 5% flaky in my Linux x86 autobuilds. - -Marcel Raad (6 Oct 2017) -- vtls: fix warnings with --disable-crypto-auth - - When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters - are not used. - -Daniel Stenberg (6 Oct 2017) -- multi_cleanup: call DONE on handles that never got that - - ... fixes a memory leak with at least IMAP when remove_handle is never - called and the transfer is abruptly just abandoned early. 
- - Test 1552 added to verify - - Detected by OSS-fuzz - Assisted-by: Max Dymond - Closes #1954 - -- [Benbuck Nason brought this change] - - strtoofft: Remove extraneous null check - - Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str' - argument. - - Closes #1952 - -- openssl: fix build without HAVE_OPAQUE_EVP_PKEY - - Reported-by: Javier Sixto - Fixes #1955 - Closes #1956 - -Viktor Szakats (6 Oct 2017) -- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS - - The source code is now prepared to handle the case when both - Win32 Crypto and OpenSSL/NSS crypto backends are enabled - at the same time, making it now possible to enable `USE_WIN32_CRYPTO` - whenever the targeted Windows version supports it. Since this - matches the minimum Windows version supported by curl - (Windows 2000), enable it unconditionally for the Win32 platform. - - This in turn enables SMB (and SMBS) protocol support whenever - Win32 Crypto is available, regardless of what other crypto backends - are enabled. - - Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052 - - Closes https://github.com/curl/curl/pull/1943 - -Daniel Stenberg (5 Oct 2017) -- build: fix --disable-crypto-auth - - Reported-by: Wyatt O'Day - Fixes #1945 - Closes #1947 - -Jay Satiro (5 Oct 2017) -- [Nick Zitzmann brought this change] - - darwinssl: add support for TLSv1.3 - - Closes https://github.com/curl/curl/pull/1794 - -Daniel Stenberg (4 Oct 2017) -- [Felix Kaiser brought this change] - - docs: fix typo in curl_mime_data_cb man page - - Closes #1946 - -Viktor Szakats (4 Oct 2017) -- lib/Makefile.m32: allow customizing dll suffixes - - - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated - libcurl dll name. Useful to add `-x64` to 64-bit builds so that - it can live in the same directory as the 32-bit one. By default - this is empty. - - - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the - generated import library (implib) for libcurl .dll. 
It defaults - to `dll`, and it's useful to modify that to `.dll` to have the - standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`. - - Closes https://github.com/curl/curl/pull/1942 - -Daniel Stenberg (4 Oct 2017) -- [Max Dymond brought this change] - - fuzzer: move to using external curl-fuzzer - - Use the external curl-fuzzer repository for fuzzing. - - Closes #1923 - -- failf: skip the sprintf() if there are no consumers - - Closes #1936 - -- ftp: UBsan fixup 'pointer index expression overflowed' - - Closes #1939 - -- RELEASE-PROCEDURE: update the release schedule - -Version 7.56.0 (4 Oct 2017) - -Daniel Stenberg (4 Oct 2017) -- RELEASE-NOTES: curl 7.56.0 - -- THANKS: added new 7.56.0 contributors - -Jay Satiro (4 Oct 2017) -- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported - - Ref: https://github.com/curl/curl/issues/1002 - -Michael Kaufmann (3 Oct 2017) -- idn: fix source code comment - -- vtls: compare and clone ssl configs properly - - Compare these settings in Curl_ssl_config_matches(): - - verifystatus (CURLOPT_SSL_VERIFYSTATUS) - - random_file (CURLOPT_RANDOM_FILE) - - egdsocket (CURLOPT_EGDSOCKET) - - Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), - and copy the setting "sessionid" unconditionally. - - This means that reusing connections that are secured with a client - certificate is now possible, and the statement "TLS session resumption - is disabled when a client certificate is used" in the old advisory at - https://curl.haxx.se/docs/adv_20170419.html is obsolete. - - Reviewed-by: Daniel Stenberg - - Closes #1917 - -- proxy: read the "no_proxy" variable only if necessary - - Reviewed-by: Daniel Stenberg - - Closes #1919 - -Patrick Monnerat (3 Oct 2017) -- libcurl-tutorial: add casts in example to avoid compilation warnings. - -Daniel Stenberg (3 Oct 2017) -- examples: bring back curl_formadd-using examples - - ... now with a -formadd suffix. 
While the new mime API is introduced in - 7.56.0 we must acknowledge that lots of users can't upgrade their curl - versions immediately. - -- test1153: verify quoted double-qoutes in PWD response - -- FTP: zero terminate the entry path even on bad input - - ... a single double quote could leave the entry path buffer without a zero - terminating byte. CVE-2017-1000254 - - Test 1152 added to verify. - - Reported-by: Max Dymond - Bug: https://curl.haxx.se/docs/adv_20171004.html - -Jay Satiro (2 Oct 2017) -- [Sergei Nikulov brought this change] - - cmake: disable tests and man generation if perl/nroff not found - - Fixes https://github.com/curl/curl/issues/1500 - Reported-by: Jay Satiro - - Fixes https://github.com/curl/curl/pull/1662 - Assisted-by: Tom Seddon - Assisted-by: dpull@users.noreply.github.com - Assisted-by: elelel@users.noreply.github.com - - Closes https://github.com/curl/curl/pull/1924 - -Patrick Monnerat (2 Oct 2017) -- libcurl-tutorial: fix two typos. - -- TODO: remove deprecated form API items. - -- libcurl-tutorial: describe MIME API and deprecate form API. - - Include a guide to form/mime API conversion. - -Daniel Stenberg (30 Sep 2017) -- cookie: fix memory leak if path was set twice in header - - ... this will let the second occurance override the first. - - Added test 1161 to verify. - - Reported-by: Max Dymond - Fixes #1932 - Closes #1933 - -Dan Fandrich (30 Sep 2017) -- test650: Use variable replacement to set the host address and port - - Otherwise, the test fails when the -b test option is used to set a - different test port range. - -- Set and use more necessary options when some protocols are disabled - - When curl and libcurl are built with some protocols disabled, they stop - setting and receiving some options that don't make sense with those - protocols. In particular, when HTTP is disabled many options aren't set - that are used only by HTTP. 
However, some options that appear to be - HTTP-only are actually used by other protocols as well (some despite - having HTTP in the name) and should be set, but weren't. This change now - causes some of these options to be set and used for more (or for all) - protocols. In particular, this fixes tests 646 through 649 in an - HTTP-disabled build, which use the MIME API in the mail protocols. - -Daniel Stenberg (29 Sep 2017) -- test1160: verifies cookie leak for large cookies - - The fix done in 20ea22ff735 - -- cookie: fix memory leak on oversized rejection - - Regression brought by 2bc230de63b - - Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 - Assisted-by: Max Dymond - - Closes #1930 - -- [Anders Bakken brought this change] - - connect: fix race condition with happy eyeballs timeout - - The timer should be started after conn->connecttime is set. Otherwise - the timer could expire without this condition being true: - - /* should we try another protocol family? */ - if(i == 0 && conn->tempaddr[1] == NULL && - curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) { - - Ref: #1928 - -Michael Kaufmann (28 Sep 2017) -- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS - - Closes #1922 - -- docs: clarify the use of environment variables for proxy - - Closes #1921 - -- http: add custom empty headers to repeated requests - - Closes #1920 - -- reuse_conn: don't copy flags that are known to be equal - - A connection can only be reused if the flags "conn_to_host" and - "conn_to_port" match. Therefore it is not necessary to copy these flags - in reuse_conn(). - - Closes #1918 - -Daniel Stenberg (27 Sep 2017) -- curl.h: include <sys/select.h> on cygwin too - - When building with -std=c++14 on cygwin, this header won't be - automatically included as it otherwise is. - - The <sys/select.h> include decision should ideally be reversed and be - avoided where that header file doesn't exist. 
- - Reported-by: Ian Fette - Fixes #1925 - -- RELEASE-NOTES: synced with d8ab5dc50 - -Michael Kaufmann (24 Sep 2017) -- tests: adjust .gitignore for new tests - -Jay Satiro (23 Sep 2017) -- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header - - .. and include the core NTLM header in all NTLM-related source files. - - Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT - but did not include vtls.h where it was defined. - - Closes https://github.com/curl/curl/pull/1911 - -Daniel Stenberg (23 Sep 2017) -- file_range: avoid integer overflow when figuring out byte range - - When trying to bump the value with one and the value is already at max, - it causes an integer overflow. - - Closes #1908 - Detected by oss-fuzz: - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 - - Assisted-by: Max Dymond - -Michael Kaufmann (23 Sep 2017) -- tests: fix a compiler warning in test 643 - -Jay Satiro (23 Sep 2017) -- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry - - - Use spaces instead of tabs as the delimiter. - - Follow up to 7c52b12 which added the entry. The entry had used tabs but - the symbol-scan parser doesn't recognize tabs and would fail the symbol. - -Viktor Szakats (22 Sep 2017) -- metalink: fix NSS issue in MultiSSL builds - - In MultiSSL mode (i.e. when more than one SSL backend is compiled - in), we cannot use the compile time flag `USE_NSS` as indicator that - the NSS backend is in use. As far as Metalink is concerned, the SSL - backend is only used for MD5, SHA-1 and SHA-256 calculations, - therefore one of the available SSL backends is selected at compile - time, in a strict order of preference. - - Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used - to determine whether the SSL backend used for Metalink is the NSS - backend, and use that to guard the code that wants to de-initialize - the NSS-specific data structure. 
- - Ref: https://github.com/curl/curl/pull/1848 - -- ntlm: use strict order for SSL backend #if branches - - With the recently introduced MultiSSL support multiple SSL backends - can be compiled into cURL That means that now the order of the SSL - - One option would be to use the same SSL backend as was configured - via `curl_global_sslset()`, however, NTLMv2 support would appear - to be available only with some SSL backends. For example, when - eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced - support for NTLMv1 using Windows' Crypt API, it specifically did - *not* introduce NTLMv2 support using Crypt API at the same time. - - So let's select one specific SSL backend for NTLM support when - compiled with multiple SSL backends, using a priority order such - that we support NTLMv2 even if only one compiled-in SSL backend can - be used for that. - - Ref: https://github.com/curl/curl/pull/1848 - -Daniel Stenberg (22 Sep 2017) -- symbols-in-versions: add CURLSSLSET_NO_BACKENDS - - ...fixup from b8e0fe19ec - -- imap: quote atoms properly when escaping characters - - Updates test 800 to verify - - Fixes #1902 - Closes #1903 - -- tests: make the imap server not verify user+password - - ... as the test cases themselves do that and it makes it easier to add - crazy test cases. - - Test 800 updated to use user name + password that need quoting. - - Test 856 updated to trigger an auth fail differently. - - Ref: #1902 - -- vtls: provide curl_global_sslset() even in non-SSL builds - - ... it just returns error: - - Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367 - Reported-by: Marcel Raad - - Closes #1906 - -Patrick Monnerat (22 Sep 2017) -- form/mime: field names are not allowed to contain zero-valued bytes. - - Also suppress length argument of curl_mime_name() (names are always - zero-terminated). 
- -Daniel Stenberg (21 Sep 2017) -- [Dirk Feytons brought this change] - - openssl: only verify RSA private key if supported - - In some cases the RSA key does not support verifying it because it's - located on a smart card, an engine wants to hide it, ... - Check the flags on the key before trying to verify it. - OpenSSL does the same thing internally; see ssl/ssl_rsa.c - - Closes #1904 - -Marcel Raad (21 Sep 2017) -- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE - - Otherwise, typecheck-gcc.h warns on MinGW-w64. - -Patrick Monnerat (20 Sep 2017) -- mime: rephrase the multipart output state machine (#1898) ... - - ... in hope coverity will like it much. - -- mime: fix an explicit null dereference (#1899) - -Daniel Stenberg (20 Sep 2017) -- curl: check fseek() return code and bail on error - - Detected by coverity. CID 1418137. - -- smtp: fix memory leak in OOM - - Regression since ce0881edee - - Coverity CID 1418139 and CID 1418136 found it, but it was also seen in - torture testing. - -- RELEASE-NOTES: synced with 5fe85587c - -- [Pavel Pavlov brought this change] - - cookies: use lock when using CURLINFO_COOKIELIST - - Closes #1896 - -- [Max Dymond brought this change] - - ossfuzz: changes before merging the generated corpora - - Before merging in the oss-fuzz corpora from Google, there are some changes - to the fuzzer. - - Add a read corpus script, to display corpus files nicely. - - Change the behaviour of the fuzzer so that TLV parse failures all now - go down the same execution paths, which should reduce the size of the - corpora. - - Make unknown TLVs a failure to parse, which should decrease the size - of the corpora as well. - - Closes #1881 |
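Review bot: the removed lines toward the end of this hunk delete the whole 7.56.1 and 7.56.0 sections from CHANGES, and with them the entries that tie CVE-2017-1000257 to "imap: if a FETCH response has no size, don't call write callback" and CVE-2017-1000254 to "FTP: zero terminate the entry path even on bad input". Nothing visible in the diff says whether this is the intended result of regenerating the file for 7.62.0 or an accidental truncation. The commit message should state that CHANGES is regenerated and how far back it now reaches, because anyone who maps CVE ids to fixes by searching this file will lose these two records and has to fall back on the advisory pages (the FTP entry points at https://curl.haxx.se/docs/adv_20171004.html; the imap entry carries no advisory link at all). The same removed range also holds an entry whose body stops mid-sentence ("That means that now the order of the SSL") and a Bug: URL split across two lines at "#co" / "mmitcomment-25205058", so it is worth checking that the added 7.62.0 entries, in particular the Bug: links on the CVE-2018-16839, CVE-2018-16840 and CVE-2018-16842 items, came through whole.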