                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.64.1 (27 Mar 2019)

Daniel Stenberg (27 Mar 2019)
- RELEASE: 7.64.1

- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"

  This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00.

  Fixes #3708

- [Christian Schmitz brought this change]

  ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set

  Closes #3704

Jay Satiro (26 Mar 2019)
- tool_cb_wrt: fix writing to Windows null device NUL

  - Improve console detection.

  Prior to this change WriteConsole could be called to write to a handle
  that may not be a console, which would cause an error. This issue is
  limited to character devices that are not also consoles such as the
  null device NUL.

  Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724
  Reported-by: Gisle Vanem

- CURLMOPT_PIPELINING.3: fix typo

Daniel Stenberg (25 Mar 2019)
- TODO: config file parsing

  Closes #3698

Jay Satiro (24 Mar 2019)
- os400: Disable Alt-Svc by default since it's experimental

  Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
  default for OS400. Since the feature is experimental, it should be
  disabled by default.

  Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
  Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html

  Closes https://github.com/curl/curl/pull/3688

Dan Fandrich (24 Mar 2019)
- tests: Fixed XML validation errors in some test files.

- tests: Fix some incorrect precheck error messages.

  [ci skip]

Daniel Stenberg (22 Mar 2019)
- curl_url.3: this is not experimental anymore

- travis: bump the used wolfSSL version to 4.0.0

  Test 311 is now fine, leaving only 313 (CRL) disabled.
  Test 313 details can be found here:
  https://github.com/wolfSSL/wolfssl/issues/1546

  Closes #3697

Daniel Gustafsson (22 Mar 2019)
- lib: Fix typos in comments

David Woodhouse (20 Mar 2019)
- openssl: if cert type is ENG and no key specified, key is ENG too

  Fixes #3692
  Closes #3692

Daniel Stenberg (20 Mar 2019)
- sectransp: tvOS 11 is required for ALPN support

  Reported-by: nianxuejie on github
  Assisted-by: Nick Zitzmann
  Assisted-by: Jay Satiro
  Fixes #3689
  Closes #3690

- test1541: threaded connection sharing

  The threaded-shared-conn.c example turned into test case. Only works if
  pthread was detected.

  An attempt to detect future regressions such as e3a53e3efb942a5

  Closes #3687

Patrick Monnerat (17 Mar 2019)
- os400: alt-svc support.

  Although experimental, enable it in the platform config file.
  Upgrade ILE/RPG binding.

Daniel Stenberg (17 Mar 2019)
- conncache: use conn->data to know if a transfer owns it

  - make sure an already "owned" connection isn't returned unless
    multiplexed.

  - clear ->data when returning the connection to the cache again

  Regression since 7.62.0 (probably in commit 1b76c38904f0)

  Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html

  Closes #3686

- RELEASE-NOTES: synced

- [Chris Young brought this change]

  configure: add --with-amissl

  AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
  It also requires all programs using it to use bsdsocket.library
  directly, rather than accessing socket functions through clib, which
  libcurl was not necessarily doing previously. Configure will now check
  for the headers and ensure they are included if found.

  Closes #3677

- [Chris Young brought this change]

  vtls: rename some of the SSL functions

  ... in the SSL structure as AmiSSL is using macros for the socket API
  functions.

- [Chris Young brought this change]

  tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr

- [Chris Young brought this change]

  tool_operate: build on AmigaOS

- makefile: make checksrc and hugefile commands "silent"

  ... to match the style already used for compiling, linking
  etc. Acknowledges 'make V=1' to enable verbose.

  Closes #3681

- curl.1: --user and --proxy-user are hidden from ps output

  Suggested-by: Eric Curtin
  Improved-by: Dan Fandrich
  Ref: #3680
  Closes #3683

- curl.1: mark the argument to --cookie as

  From a discussion in #3676
  Suggested-by: Tim Rühsen
  Closes #3682

Dan Fandrich (14 Mar 2019)
- fuzzer: Only clone the latest fuzzer code, for speed.

Daniel Stenberg (14 Mar 2019)
- [Dominik Hölzl brought this change]

  Negotiate: fix for HTTP POST with Negotiate

  * Adjusted unit tests 2056, 2057
  * do not generally close connections with CURLAUTH_NEGOTIATE after
    every request
  * moved negotiatedata from UrlState to connectdata
  * Added stream rewind logic for CURLAUTH_NEGOTIATE
  * introduced negotiatedata::GSS_AUTHDONE and
    negotiatedata::GSS_AUTHSUCC
  * Consider authproblem state for CURLAUTH_NEGOTIATE
  * Consider reuse_forbid for CURLAUTH_NEGOTIATE
  * moved and adjusted negotiate authentication state handling from
    output_auth_headers into Curl_output_negotiate
  * Curl_output_negotiate: ensure auth done is always set
  * Curl_output_negotiate: Set auth done also if result code is
    GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
    also indicate the last challenge request (only works with disabled
    Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
  * Consider "Persistent-Auth" header, detect if not present;
    Reset/Cleanup negotiate after authentication if no persistent
    authentication
  * apply changes introduced with #2546 for negotiate rewind logic

  Fixes #1261
  Closes #1975

- [Marc Schlatter brought this change]

  http: send payload when (proxy) authentication is done

  The check that prevents payload from sending in case of
  authentication doesn't check properly if the authentication is done or
  not.

  There are cases where the proxy responds "200 OK" before sending
  authentication challenge. This change takes care of that.

  Fixes #2431
  Closes #3669

- file: fix "Checking if unsigned variable 'readcount' is less than zero."

  Pointed out by codacy

  Closes #3672

- memdebug: log pointer before freeing its data

  Coverity warned for two potential "Use after free" cases. Both are false
  positives because the memory wasn't used, it was only the actual pointer
  value that was logged.

  The fix still changes the order of execution to avoid the warnings.

  Coverity CID 1443033 and 1443034

  Closes #3671

- RELEASE-NOTES: synced

Marcel Raad (12 Mar 2019)
- travis: actually use updated compiler versions

  For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the
  new GCC versions were only used for the coverage build and for building
  nghttp2, while the new clang version was not used at all.

  BoringSSL needs to use the default GCC as it respects CC, but not CXX,
  so it would otherwise pass gcc 8 options to g++ 4.8 and fail.

  Also remove GCC 7, it's not needed anymore.

  Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning

  Closes https://github.com/curl/curl/pull/3670

- travis: update clang to version 7

  Closes https://github.com/curl/curl/pull/3670

Jay Satiro (11 Mar 2019)
- [Andre Guibert de Bruet brought this change]

  examples/externalsocket: add missing close socket calls

  .. and for Windows also call WSACleanup since we call WSAStartup.

  The example is to demonstrate handling the socket independently of
  libcurl. In this case libcurl is not responsible for creating, opening
  or closing the socket, it is handled by the application (our example).

  Fixes https://github.com/curl/curl/pull/3663

Daniel Stenberg (11 Mar 2019)
- multi: removed unused code for request retries

  This code was once used for the non multi-interface using code path, but
  ever since easy_perform was turned into a wrapper around the multi
  interface, this code path never runs.

  Closes #3666

Jay Satiro (11 Mar 2019)
- doh: inherit some SSL options from user's easy handle

  - Inherit SSL options for the doh handle but not SSL client certs,
    SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
    SSL pinned public key, SSL ciphers, SSL id cache setting,
    SSL kerberos or SSL gss-api settings.

  - Fix inheritance of verbose setting.

  - Inherit NOSIGNAL.

  There is no way for the user to set options for the doh (DNS-over-HTTPS)
  handles and instead we inherit some options from the user's easy handle.

  My thinking for the SSL options not inherited is they are most likely
  not intended by the user for the DOH transfer. I did inherit insecure
  because I think that should still be in control of the user.

  Prior to this change doh did not work for me because CAINFO was not
  inherited. Also verbose was set always which AFAICT was a bug (#3660).

  Fixes https://github.com/curl/curl/issues/3660
  Closes https://github.com/curl/curl/pull/3661

Daniel Stenberg (9 Mar 2019)
- test331: verify set-cookie for dotless host name

  Reproduced bug #3649
  Closes #3659

- Revert "cookies: extend domain checks to non psl builds"

  This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0.

  Regression shipped in 7.64.0
  Fixes #3649

- memdebug: make debug-specific functions use curl_dbg_ prefix

  To not "collide" or use up the regular curl_ name space. Also makes them
  easier to detect in helper scripts.

  Closes #3656

- cmdline-opts/proxytunnel.d: the option tunnels all protocols

  Clarify the language and simplify.

  Reported-by: Daniel Lublin
  Closes #3658

- KNOWN_BUGS: Client cert (MTLS) issues with Schannel

  Closes #3145

- ROADMAP: updated to some more current things to work on

- tests: fix multiple may be used uninitialized warnings

- RELEASE-NOTES: synced

- source: fix two 'nread' may be used uninitialized warnings

  Both seem to be false positives but we don't like warnings.

  Closes #3646

- gopher: remove check for path == NULL

  Since it can't be NULL and it makes Coverity believe we lack proper NULL
  checks. Verified by test 659, landed in commit 15401fa886b.

  Pointed out by Coverity CID 1442746.

  Assisted-by: Dan Fandrich
  Fixes #3617
  Closes #3642

- examples: only include

  That's the only public curl header we should encourage use of.

  Reviewed-by: Marcel Raad
  Closes #3645

- ssh: loop the state machine if not done and not blocking

  If the state machine isn't complete, didn't fail and it didn't return
  due to blocking it can just as well loop again.

  This addresses the problem with SFTP directory listings where we would
  otherwise return back to the parent and as the multi state machine
  doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
  doing phase isn't complete, it would return out when in reality there
  was more data to deal with.

  Fixes #3506
  Closes #3644

Jay Satiro (5 Mar 2019)
- multi: support verbose conncache closure handle

  - Change closure handle to receive verbose setting from the easy handle
    most recently added via curl_multi_add_handle.

  The closure handle is a special easy handle used for closing cached
  connections. It receives limited settings from the easy handle most
  recently added to the multi handle. Prior to this change that did not
  include verbose which was a problem because on connection shutdown
  verbose mode was not acknowledged.

  Ref: https://github.com/curl/curl/pull/3598

  Co-authored-by: Daniel Stenberg

  Closes https://github.com/curl/curl/pull/3618

Daniel Stenberg (4 Mar 2019)
- CURLU: fix NULL dereference when used over proxy

  Test 659 verifies

  Also fixed the test 658 name

  Closes #3641

- altsvc_out: check the return code from Curl_gmtime

  Pointed out by Coverity, CID 1442956.

  Closes #3640

- docs/ALTSVC.md: docs describing the approach

  Closes #3498

- alt-svc: add a travis build

- alt-svc: add test 355 and 356 to verify with command line curl

- alt-svc: the curl command line bits

- alt-svc: the libcurl bits

- travis: add build using gnutls

  Closes #3637

- RELEASE-NOTES: synced

- [Simon Legner brought this change]

  scripts/completion.pl: also generate fish completion file

  This is the renamed script formerly known as zsh.pl

  Closes #3545

- gnutls: remove call to deprecated gnutls_compression_get_name

  It has been deprecated by GnuTLS since a year ago and now causes build
  warnings.

  Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
  Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html

  Closes #3636

Jay Satiro (2 Mar 2019)
- system_win32: move win32_init here from easy.c

  .. since system_win32 is a more appropriate location for the functions
  and to extern the globals.

  Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
  Reported-by: Gisle Vanem

  Closes https://github.com/curl/curl/pull/3625

Daniel Stenberg (1 Mar 2019)
- curl_easy_duphandle.3: clarify that a duped handle has no shares

  Reported-by: Sara Golemon
  Fixes #3592
  Closes #3634

- 10-at-a-time.c: fix too long line

- [Arnaud Rebillout brought this change]

  examples: various fixes in ephiperfifo.c

  The main change here is the timer value that was wrong, it was given in
  usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 *
  1000). This resulted in the callback being invoked WAY TOO OFTEN.

  As a quick check you can run this command before and after applying this
  commit:

      # shell 1
      ./ephiperfifo 2>&1 | tee ephiperfifo.log
      # shell 2
      echo http://hacking.elboulangero.com > hiper.fifo

  Then just compare the size of the logs files.

  Closes #3633
  Fixes #3632
  Signed-off-by: Arnaud Rebillout

- urldata: simplify bytecounters

  - no need to have them protocol specific

  - no need to set pointers to them with the Curl_setup_transfer() call

  - make Curl_setup_transfer() operate on a transfer pointer, not
    connection

  - switch some counters from long to the more proper curl_off_t type

  Closes #3627

- examples/10-at-a-time.c: improve readability and simplify

  - use better variable names to explain their purposes
  - convert logic to curl_multi_wait()

- threaded-resolver: shutdown the resolver thread without error message

  When a transfer is done, the resolver thread will be brought down. That
  could accidentally generate an error message in the error buffer even
  though this is not an error situation and the transfer would still
  return OK. An application that still reads the error buffer could find
  a "Could not resolve host: [host name]" message there and get confused.

  Reported-by: Michael Schmid
  Fixes #3629
  Closes #3630

- [Ԝеѕ brought this change]

  docs: update max-redirs.d phrasing

  clarify redir - "in absurdum" doesn't seem to make sense in this context

  Closes #3631

- ssh: fix Condition '!status' is always true

  in the same sftp_done function in both SSH backends. Simplify them
  somewhat.

  Pointed out by Codacy.

  Closes #3628

- test578: make it read data from the correct test

- Curl_easy: remove req.maxfd - never used!

  Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
  since when.

  Closes #3626

- http: set state.infilesize when sending formposts

  Without it set, we would unwillingly trigger the "HTTP error before end
  of send, stop sending" condition even if the entire POST body had been
  sent (since it wouldn't know the expected size) which would
  unnecessarily log that message and close the connection when it didn't
  have to.

  Reported-by: Matt McClure
  Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
  Closes #3624

- INSTALL: refer to the current TLS library names and configure options

- FAQ: minor updates and spelling fixes

- GOVERNANCE.md: minor spelling fixes

- Secure Transport: no more "darwinssl"

  Everyone calls it Secure Transport, now we do too.

  Reviewed-by: Nick Zitzmann

  Closes #3619

Marcel Raad (27 Feb 2019)
- AppVeyor: add classic MinGW build

  But use the MSYS2 shell rather than the default MSYS shell because of
  POSIX path conversion issues. Classic MinGW is only available on the
  Visual Studio 2015 image.

  Closes https://github.com/curl/curl/pull/3623

- AppVeyor: add MinGW-w64 build

  Add a MinGW-w64 build using CMake's MSYS Makefiles generator.
  Use the Visual Studio 2015 image as it has GCC 8, while the
  Visual Studio 2017 image only has GCC 7.2.

  Closes https://github.com/curl/curl/pull/3623

Daniel Stenberg (27 Feb 2019)
- cookies: only save the cookie file if the engine is enabled

  Follow-up to 8eddb8f4259.

  If the cookieinfo pointer is NULL there really is nothing to save.

  Without this fix, we got a problem when a handle was using shared object
  with cookies and is told to "FLUSH" it to file (which worked) and then
  the share object was removed and when the easy handle was closed just
  afterwards it has no cookieinfo and no cookies so it decided to save an
  empty jar (overwriting the file just flushed).

  Test 1905 now verifies that this works.

  Assisted-by: Michael Wallner
  Assisted-by: Marcel Raad

  Closes #3621

- [DaVieS brought this change]

  cacertinmem.c: use multiple certificates for loading CA-chain

  Closes #3421

- urldata: convert bools to bitfields and move to end

  This allows the compiler to pack and align the structs better in
  memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
  makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.

  Removed an unused struct field.

  No functionality changes.

  Closes #3610

- [Don J Olmstead brought this change]

  curl.h: use __has_declspec_attribute for shared builds

  Closes #3616

- curl: display --version features sorted alphabetically

  Closes #3611

- runtests: detect "schannel" as an alias for "winssl"

  Follow-up to 180501cb02

  Reported-by: Marcel Raad
  Fixes #3609
  Closes #3620

Marcel Raad (26 Feb 2019)
- AppVeyor: update to Visual Studio 2017

  Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a
  moving target anymore as the last update, Update 9, has been released.

  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: switch VS 2015 builds to VS 2017 image

  The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed.

  Closes https://github.com/curl/curl/pull/3606

- AppVeyor: explicitly select worker image

  Currently, we're using the default Visual Studio 2015 image for
  everything.

  Closes https://github.com/curl/curl/pull/3606

Daniel Stenberg (26 Feb 2019)
- strerror: make the strerror function use local buffers

  Instead of using a fixed 256 byte buffer in the connectdata struct.

  In my build, this reduces the size of the connectdata struct by 11.8%,
  from 2160 to 1904 bytes with no functionality or performance loss.

  This also fixes a bug in schannel's Curl_verify_certificate where it
  called Curl_sspi_strerror when it should have called Curl_strerror for
  string from GetLastError. The only effect would have been no text or the
  wrong text being shown for the error.

  Co-authored-by: Jay Satiro

  Closes #3612

- [Michael Wallner brought this change]

  cookies: fix NULL dereference if flushing cookies with no CookieInfo set

  Regression brought by a52e46f3900fb0 (shipped in 7.63.0)

  Closes #3613

Marcel Raad (26 Feb 2019)
- AppVeyor: re-enable test 500

  It's passing now.

  Closes https://github.com/curl/curl/pull/3615

- AppVeyor: remove redundant builds

  Remove the Visual Studio 2012 and 2013 builds as they add little value.

  Ref: https://github.com/curl/curl/pull/3606
  Closes https://github.com/curl/curl/pull/3614

Daniel Stenberg (25 Feb 2019)
- RELEASE-NOTES: synced

- [Bernd Mueller brought this change]

  OpenSSL: add support for TLS ASYNC state

  Closes #3591

Jay Satiro (25 Feb 2019)
- [Michael Felt brought this change]

  acinclude: add additional libraries to check for LDAP support

  - Add an additional check for LDAP that also checks for OpenSSL since
    on AIX those libraries may be required to link LDAP properly.

  Fixes https://github.com/curl/curl/issues/3595
  Closes https://github.com/curl/curl/pull/3596

- [georgeok brought this change]

  schannel: support CALG_ECDH_EPHEM algorithm

  Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
  algorithm option when selecting ciphers. This became available on the
  Win10 SDK.

  Closes https://github.com/curl/curl/pull/3608

Daniel Stenberg (24 Feb 2019)
- multi: call multi_done on connect timeouts

  Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
  updated correctly and could end up getting reported to the application
  completely wrong (way too small).

  Reported-by: accountantM on github
  Fixes #3602
  Closes #3605

- examples: remove recursive calls to curl_multi_socket_action

  From within the timer callbacks. Recursive is problematic for several
  reasons. They should still work, but this way the examples and the
  documentation becomes simpler. I don't think we need to encourage
  recursive calls.

  Discussed in #3537
  Closes #3601

Marcel Raad (23 Feb 2019)
- configure: remove CURL_CHECK_FUNC_FDOPEN call

  The macro itself has been removed in commit
  11974ac859c5d82def59e837e0db56fef7f6794e.

  Closes https://github.com/curl/curl/pull/3604

Daniel Stenberg (23 Feb 2019)
- wolfssl: stop custom-adding curves

  since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
  wolfSSL 3.10.2 and later) it sends these curves by default already.

  Pointed-out-by: David Garske

  Closes #3599

- configure: remove the unused fdopen macro

  and the two remaining #ifdefs for it

  Closes #3600

Jay Satiro (22 Feb 2019)
- url: change conn shutdown order to unlink data as last step

  - Split off connection shutdown procedure from Curl_disconnect into new
    function conn_shutdown.

  - Change the shutdown procedure to close the sockets before
    disassociating the transfer.

  Prior to this change the sockets were closed after disassociating the
  transfer so SOCKETFUNCTION wasn't called since the transfer was already
  disassociated. That likely came about from recent work started in Jan
  2019 (#3442) to separate transfers from connections.

  Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
  Reported-by: Pavel Löbl

  Closes https://github.com/curl/curl/issues/3597
  Closes https://github.com/curl/curl/pull/3598

Marcel Raad (22 Feb 2019)
- Fix strict-prototypes GCC warning

  As seen in the MinGW autobuilds. Caused by commit
  f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.

Dan Fandrich (21 Feb 2019)
- tests: Fixed XML validation errors in some test files.

Daniel Stenberg (20 Feb 2019)
- TODO: Allow SAN names in HTTP/2 server push

  Suggested-by: Nicolas Grekas

- RELEASE-NOTES: synced

- curl: remove MANUAL from -M output

  ... and remove it from the dist tarball. It has served its time, it
  barely gets updated anymore and "everything curl" is now covering all
  this document once tried to include, and does it more and better.

  In the compressed scenario, this removes ~15K data from the binary,
  which is 25% of the -M output.

  It remains in the git repo for now for as long as the web site builds a
  page using that as source. It renders poorly on the site (especially for
  mobile users) so it's not even good there.

  Closes #3587

- http2: verify :authority in push promise requests

  RFC 7540 says we should verify that the push is for an "authoritative"
  server.
  We make sure of this by only allowing push with an :authority
  header that matches the host that was asked for in the URL.

  Fixes #3577
  Reported-by: Nicolas Grekas
  Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
  Closes #3581

- singlesocket: fix the 'sincebefore' placement

  The variable wasn't properly reset within the loop and thus could remain
  set for sockets that hadn't been set before and miss notifying the app.

  This is a follow-up to 4c35574 (shipped in curl 7.64.0)

  Reported-by: buzo-ffm on github
  Detected-by: Jan Alexander Steffens
  Fixes #3585
  Closes #3589

- connection: never reuse CONNECT_ONLY connections

  and make CONNECT_ONLY connections never reuse any existing ones either.

  Reported-by: Pavel Löbl
  Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
  Closes #3586

Patrick Monnerat (19 Feb 2019)
- cli tool: fix mime post with --disable-libcurl-option configure option

  Reported-by: Marcel Raad
  Fixes #3576
  Closes #3583

Daniel Stenberg (19 Feb 2019)
- x509asn1: cleanup and unify code layout

  - rename 'n' to buflen in functions, and use size_t for them. Don't pass
    in negative buffer lengths.

  - move most function comments to above the function starts like we use
    to

  - remove several unnecessary typecasts (especially of NULL)

  Reviewed-by: Patrick Monnerat
  Closes #3582

- curl_multi_remove_handle.3: use at any time, just not from within callbacks

  [ci skip]

- http: make adding a blank header thread-safe

  Previously the function would edit the provided header in-place when a
  semicolon is used to signify an empty header. This made it impossible to
  use the same set of custom headers in multiple threads simultaneously.

  This approach now makes a local copy when it needs to edit the string.

  Reported-by: d912e3 on github
  Fixes #3578
  Closes #3579

- unit1651: survive curl_easy_init() fails

- [Frank Gevaerts brought this change]

  rand: Fix a mismatch between comments in source and header.

  Reported-by: Björn Stenberg
  Closes #3584

Patrick Monnerat (18 Feb 2019)
- x509asn1: replace single char with an array

  Although safe in this context, using a single char as an array may
  cause invalid accesses to adjacent memory locations.

  Detected by Coverity.

Daniel Stenberg (18 Feb 2019)
- examples/http2-serverpush: add some sensible error checks

  To avoid NULL pointer dereferences etc in the case of problems.

  Closes #3580

Jay Satiro (18 Feb 2019)
- easy: fix win32 init to work without CURL_GLOBAL_WIN32

  - Change the behavior of win32_init so that the required initialization
    procedures are not affected by CURL_GLOBAL_WIN32 flag.

  libcurl via curl_global_init supports initializing for win32 with an
  optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
  Winsock initialization. It did so internally by skipping win32_init()
  when that flag was set. Since then win32_init() has been expanded to
  include required initialization routines that are separate from
  Winsock and therefore must be called in all cases. This commit fixes
  it so that CURL_GLOBAL_WIN32 only controls the optional win32
  initialization (which is Winsock initialization, according to our doc).

  The only users affected by this change are those that don't pass
  CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
  risk of a potential crash.

  Ref: https://github.com/curl/curl/pull/3573

  Fixes https://github.com/curl/curl/issues/3313
  Closes https://github.com/curl/curl/pull/3575

Daniel Gustafsson (17 Feb 2019)
- cookie: Add support for cookie prefixes

  The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
  and how they should affect cookie initialization, which has been
  adopted by the major browsers. This adds support for the two prefixes
  defined, __Host- and __Secure, and updates the testcase with the
  supplied examples from the draft.

  Closes #3554
  Reviewed-by: Daniel Stenberg

- mbedtls: release sessionid resources on error

  If mbedtls_ssl_get_session() fails, it may still have allocated
  memory that needs to be freed to avoid leaking. Call the library
  API function to release session resources on this errorpath as
  well as on Curl_ssl_addsessionid() errors.

  Closes: #3574
  Reported-by: Michał Antoniak
  Reviewed-by: Daniel Stenberg

Patrick Monnerat (16 Feb 2019)
- cli tool: refactor encoding conversion sequence for switch case fallthrough.

- version.c: silent scan-build even when librtmp is not enabled

Daniel Stenberg (15 Feb 2019)
- RELEASE-NOTES: synced

- Curl_now: figure out windows version in win32_init

  ... and avoid use of static variables that aren't thread safe.

  Fixes regression from e9ababd4f5a (present in the 7.64.0 release)

  Reported-by: Paul Groke
  Fixes #3572
  Closes #3573

Marcel Raad (15 Feb 2019)
- unit1307: just fail without FTP support

  I missed to check this in with commit
  71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test.
  This fixes the actual linker error.

  Closes https://github.com/curl/curl/pull/3568

Daniel Stenberg (15 Feb 2019)
- travis: enable valgrind for the iconv tests too

  Closes #3571

- travis: add scan-build

  Closes #3564

- examples/sftpuploadresume: Value stored to 'result' is never read

  Detected by scan-build

- examples/http2-upload: cleaned up

  Fix scan-build warnings, no globals, no silly handle scan. Also remove
  handles from the multi before cleaning up.

- examples/http2-download: cleaned up

  To avoid scan-build warnings and global variables.

- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'

  Detected by scan-build

- examples/httpcustomheader: Value stored to 'res' is never read

  Detected by scan-build

- examples: remove superfluous null-pointer checks

  in ftpget, ftpsget and sftpget, so that scan-build stops warning for
  potential NULL pointer dereference below!

  Detected by scan-build

- strip_trailing_dot: make sure NULL is never used for strlen

  scan-build warning: Null pointer passed as an argument to a 'nonnull'
  parameter

- [Jay Satiro brought this change]

  connection_check: restore original conn->data after the check

  - Save the original conn->data before it's changed to the specified
    data transfer for the connection check and then restore it afterwards.

  This is a follow-up to 38d8e1b 2019-02-11.

  History:

  It was discovered a month ago that before checking whether to extract a
  dead connection that that connection should be associated with a "live"
  transfer for the check (ie original conn->data ignored and set to the
  passed in data). A fix was landed in 54b201b which did that and also
  cleared conn->data after the check. The original conn->data was not
  restored, so presumably it was thought that a valid conn->data was no
  longer needed.

  Several days later it was discovered that a valid conn->data was needed
  after the check and follow-up fix was landed in bbae24c which partially
  reverted the original fix and attempted to limit the scope of when
  conn->data was changed to only when pruning dead connections. In that
  case conn->data was not cleared and the original conn->data not
  restored.

  A month later it was discovered that the original fix was somewhat
  correct; a "live" transfer is needed for the check in all cases because
  original conn->data could be null which could cause a bad deref at
  arbitrary points in the check. A fix was landed in 38d8e1b which
  expanded the scope to all cases. conn->data was not cleared and the
  original conn->data not restored.

  A day later it was discovered that not restoring the original conn->data
  may lead to busy loops in applications that use the event interface, and
  given this observation it's a pretty safe assumption that there is some
  code path that still needs the original conn->data. This commit is the
  follow-up fix for that, it restores the original conn->data after the
  connection check.

  Assisted-by: tholin@users.noreply.github.com
  Reported-by: tholin@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/3542
  Closes #3559

- memdebug: bring back curl_mark_sclose

  Used by debug builds with NSS.

  Reverted from 05b100aee247bb

Patrick Monnerat (14 Feb 2019)
- transfer.c: do not compute length of undefined hex buffer.

  On non-ascii platforms, the chunked hex header was measured for char
  code conversion length, even for chunked trailers that do not have an
  hex header.
  In addition, the effective length is already known: use it.
  Since the hex length can be zero, only convert if needed.

  Reported by valgrind.

Daniel Stenberg (14 Feb 2019)
- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP

  Closes #2367

Patrick Monnerat (14 Feb 2019)
- x509asn1: "Dereference of null pointer"

  Detected by scan-build (false positive).

Daniel Stenberg (14 Feb 2019)
- configure: show features as well in the final summary

  Closes #3569

- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10

  Closes #2905

- KNOWN_BUGS: Deflate error after all content was received

  Closes #2719

- gssapi: fix deprecated header warnings

  Heimdal includes on FreeBSD spewed out lots of them. Less so now.

  Closes #3566

- TODO: Upgrade to websockets

  Closes #3523

- TODO: cmake test suite improvements

  Closes #3109

Patrick Monnerat (13 Feb 2019)
- curl: "Dereference of null pointer"

  Rephrase to satisfy scan-build.

Marcel Raad (13 Feb 2019)
- unit1307: require FTP support

  This test doesn't link without FTP support after
  fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch
  unavailable without FTP support.

  Closes https://github.com/curl/curl/pull/3565

Daniel Stenberg (13 Feb 2019)
- TODO: TFO support on Windows

  Nobody works on this now.

  Closes #3378

- multi: Dereference of null pointer

  Mostly a false positive, but this makes the code easier to read anyway.

  Detected by scan-build.

  Closes #3563

- urlglob: Argument with 'nonnull' attribute passed null

  Detected by scan-build.
Jay Satiro (12 Feb 2019)
- schannel: restore some debug output but only for debug builds

  Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
  debug output in DEBUGF but omitted a few lines.

  Ref: https://github.com/curl/curl/commit/84c10dc#r32292900

- examples/crawler: Fix the Accept-Encoding setting

  - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default
    supported encodings.

  Prior to this change the specific encodings of gzip and deflate were set but
  there's no guarantee they'd be supported by the user's libcurl.

Daniel Stenberg (12 Feb 2019)
- mime: put the boundary buffer into the curl_mime struct

  ... instead of allocating it separately and point to it. It is fixed-size
  and always used for each part.

  Closes #3561

- schannel: be quiet

  Convert numerous infof() calls into debug-build only messages since they are
  annoyingly verbose for regular applications. Removed a few.

  Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
  Reported-by: Volker Schmid
  Closes #3552

- [Romain Geissler brought this change]

  Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning

  Closes #3562

- http2: multi_connchanged() moved from multi.c, only used for h2

  Closes #3557

- curl: "Function call argument is an uninitialized value"

  Follow-up to cac0e4a6ad14b42471eb

  Detected by scan-build
  Closes #3560

- pretransfer: don't strlen() POSTFIELDS set for GET requests

  ... since that data won't be used in the request anyway.

  Fixes #3548
  Reported-by: Renaud Allard
  Close #3549

- multi: remove verbose "Expire in" ... messages

  Reported-by: James Brown
  Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
  Closes #3558

- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set

  Reported-by: MAntoniak on github
  Fixes #3553
  Closes #3556

Daniel Gustafsson (12 Feb 2019)
- non-ascii.c: fix typos in comments

  Fix two occurrences of s/convers/converts/ spotted while reading code.

Daniel Stenberg (12 Feb 2019)
- fnmatch: disable if FTP is disabled

  Closes #3551

- curl_path: only enabled for SSH builds

- [Frank Gevaerts brought this change]

  tests: add stderr comparison to the test suite

  The code is more or less copied from the stdout comparison code, maybe some
  better reuse is possible.

  test 1457 is adjusted to make the output actually match (by using --silent)
  test 506 used without actually needing it, so that block is removed

  Closes #3536

Patrick Monnerat (11 Feb 2019)
- cli tool: do not use mime.h private structures.

  Option -F generates an intermediate representation of the mime structure
  that is used later to create the libcurl mime structure and generate the
  --libcurl statements.

  Reported-by: Daniel Stenberg
  Fixes #3532
  Closes #3546

Daniel Stenberg (11 Feb 2019)
- curlver: bump to 7.64.1-dev

- RELEASE-NOTES: synced

  and bump the version in progress to 7.64.1. If we merge any "change" before
  the cut-off date, we update again.

Daniel Gustafsson (11 Feb 2019)
- curl: follow-up to 3f16990ec84

  Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was
  inadvertently introducing a new bug in the ternary expression.

  Close #3555
  Reviewed-by: Daniel Stenberg

- dns: release sharelock as soon as possible

  There is no benefit to holding the data sharelock when freeing the addrinfo
  in case it fails, so ensure releasing it as soon as we can rather than
  holding on to it. This also aligns the code with other consumers of
  sharelocks.

  Closes #3516
  Reviewed-by: Daniel Stenberg

Daniel Stenberg (11 Feb 2019)
- curl: follow-up to b49652ac66cc0

  On FreeBSD, return non-zero on error otherwise zero.

  Reported-by: Marcel Raad

- multi: (void)-prefix when ignoring return values

  ... and added braces to two function calls which fixes warnings if they are
  replaced by empty macros at build-time.

- curl: fix FreeBSD compiler warning in the --xattr code

  Closes #3550

- connection_check: set ->data to the transfer doing the check

  The http2 code for connection checking needs a transfer to use. Make sure
  a working one is set before handler->connection_check() is called.

  Reported-by: jnbr on github
  Fixes #3541
  Closes #3547

- hostip: make create_hostcache_id avoid alloc + free

  Closes #3544

- scripts/singleuse: script to use to track single-use functions

  That is functions that are declared global but are not used from outside of
  the file in which it is declared. Such functions should be made static or
  even at times be removed.

  It also verifies that all used curl_ prefixed functions are "blessed"

  Closes #3538

- cleanup: make local functions static

  urlapi: turn three local-only functions into statics
  conncache: make conncache_find_first_connection static
  multi: make detach_connnection static
  connect: make getaddressinfo static
  curl_ntlm_core: make hmac_md5 static
  http2: make two functions static
  http: make http_setup_conn static
  connect: make tcpnodelay static
  tests: make UNITTEST a thing to mark functions with, so they can be static
  for normal builds and non-static for unit test builds
  ... and mark Curl_shuffle_addr accordingly.
  url: make up_free static
  setopt: make vsetopt static
  curl_endian: make write32_le static
  rtsp: make rtsp_connisdead static
  warnless: remove unused functions
  memdebug: remove one unused function, made another static

Dan Fandrich (10 Feb 2019)
- cirrus: Added FreeBSD builds using Cirrus CI.

  The build logs will be at https://cirrus-ci.com/github/curl/curl

  Some tests are currently failing and so disabled for now. The SSH server
  isn't starting for the SSH tests due to unsupported options used in its
  config file. The DICT server also is failing on startup.

Daniel Stenberg (9 Feb 2019)
- url/idnconvert: remove scan for <= 32 ascii values

  The check was added back in fa939220df before the URL parser would catch
  these problems and therefore these will never trigger now.

  Closes #3539

- urlapi: reduce variable scope, remove unreachable 'break'

  Both nits pointed out by codacy.com

  Closes #3540

Alessandro Ghedini (7 Feb 2019)
- zsh.pl: escape ':' character

  ':' is interpreted as separator by zsh, so if used as part of the argument
  or option's description it needs to be escaped.

  The problem can be reproduced as follows:

   % curl --reso
   % curl -E

  Bug: https://bugs.debian.org/921452

- zsh.pl: update regex to better match curl -h output

  The current regex fails to match '<...>' arguments properly (e.g. those with
  spaces in them), which causes a completion script with wrong descriptions
  for some options.

  Here's a diff of the generated completion script, comparing the previous
  version to the one with this fix:

--- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 +++ _curl 2019-02-05 20:57:29.453349040 +0000 
@@ -9,48 +9,48 @@ _arguments -C -S \ --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + --resolve'[Resolve the host+port to this address]':'' \ {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ {-D,--dump-header}'[Write the received headers to ]':'':_files \ {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ {-E,--cert}'[Client certificate file and password]':'' \ --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ --ftp-alternative-to-user'[String to replace USER 
\[name\]]':'' \ - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ --local-port'[Force use of RANGE for local port numbers]':'' \ --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ {-O,--remote-name}'[Write output to a file named as the remote file]' \ + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ --trace-ascii'[Like --trace, but without hex output]':'':_files \ --connect-timeout'[Maximum time allowed for connection]':'' \ --expect100-timeout'[How long to wait for 100-continue]':'' \ {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ - --ignore-content-length'[the size of the remote resource]':'Ignore' \ {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + --location-trusted'[Like --location, and send auth to other hosts]' \ --mail-auth'[Originator address of the original email]':'
' \ --noproxy'[List of hosts which do not use proxy]':'' \ --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ @@ -62,18 +62,19 @@ --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ --cacert'[CA certificate to verify peer against]':'':_files \ {-H,--header}'[Pass custom header(s) to server]':'
' \ + --ignore-content-length'[Ignore the size of the remote resource]' \ {-i,--include}'[Include protocol response headers in the output]' \ --proxy-header'[Pass custom header(s) to proxy]':'
' \ --unix-socket'[Connect through this Unix domain socket]':'' \ {-w,--write-out}'[Use output FORMAT after completion]':'' \ - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ {-o,--output}'[Write to file instead of stdout]':'':_files \ - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ --socks4a'[SOCKS4a proxy on given host + port]':'' \ {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ {-z,--time-cond}'[Transfer based on a time condition]':'
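Review bot: in the first hunk (@@ -9,48 +9,48 @@) the corrected entries do not replace the broken ones in place. `--proxy-negotiate`, `--proxy-insecure`, `--ftp-ssl-control` and others are removed at one position and re-added a few lines away, so the order of the generated entries shifts together with the parsed text. Sorting the options in zsh.pl before emitting them would keep the generated _curl stable and reduce a diff like this to the lines whose content really changed.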
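Review bot: in the second hunk (@@ -62,18 +62,19 @@) the added `--preproxy'[\[protocol://\]host\[:port\] Use this proxy first]'` entry still has the argument placeholder inside the description and is emitted as an option that takes no argument. The commit message only covers '<...>' arguments, so either extend the regex to arguments written without angle brackets or mention this case as a known leftover.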