What's new in cURL 8.7.1
Mar 27, 2024
- Bugfixes:
- Fixed empty tool_hugehelp.c file
New in cURL 8.7.0 (Mar 27, 2024)
- Changes:
- configure: add --disable-docs flag
- CURLINFO_USED_PROXY: return bool whether the proxy was used
- digest: support SHA-512/256
- DoH: add trace configuration
- write-out: add '%{proxy_used}'
- Bugfixes:
- ALTSVC.md: correct a typo
- asyn-ares: fix data race warning
- asyn-thread: use wakeup_close to close the read descriptor
- badwords: use hostname, not host name
- BINDINGS: add mcurl, the python binding
- bufq: writing into a softlimit queue cannot be partial
- c-hyper: add header collection writer in hyper builds
- cd2nroff: gen: make `>` in input to render as plain '>' in output
- cd2nroff: remove backticks from titles
- checksrc.pl: fix handling .checksrc with CRLF
- cmake: add USE_OPENSSL_QUIC support
- cmake: add warning for using TLS libraries without 1.3 support
- cmake: enable `ENABLE_CURL_MANUAL` by default
- cmake: fix `CURL_WINDOWS_SSPI=ON` with Schannel disabled
- cmake: fix function description in comment
- cmake: fix install for older CMake versions
- cmake: fix libcurl.pc and curl-config library specifications
- cmdline-docs/Makefile: avoid using a fixed temp file name
- cmdline-docs: quote and angle bracket cleanup
- cmdline-opts/_EXITCODES: sync with libcurl-errors
- cmdline-opts/_VARIABLES.md: improve the description
- cmdline-opts/_VERSION: provide %VERSION correctly
- cmdline-opts: shorter help texts
- configure: add pkg-config support to rustls detection
- configure: add warning for using TLS libraries without 1.3 support
- configure: build & install shell completions when enabled
- configure: do not link with nghttp3 unless necessary
- configure: Don't build shell completions when disabled
- configure: Don't make shell completions without perl
- configure: find libpsl with pkg-config
- connect.c: fix typo
- CONTRIBUTE: update the section on documentation format
- cookie.md: provide an example sending a fixed cookie
- cookie: if psl fails, reject the cookie
- curl: exit on config file parser errors
- curl: make --libcurl output better CURLOPT_*SSLVERSION
- curl: when allocating variables, add the name into the struct
- curl_setup.h: add curl_uint64_t internal type
- curldown: fix email address in Copyright
- CURLMOPT_MAX*: mention what happens if changed mid-transfer
- CURLOPT_INTERFACE.md: remove spurious amp, add see-also
- CURLOPT_POSTQUOTE.md: fix typo
- CURLOPT_SSL_CTX_FUNCTION.md: no promises of lifetime after return
- CURLOPT_WRITEFUNCTION.md: typo fix
- digest: add check for hashing error
- dist: make sure the http tests are in the tarball
- DISTROS: add document with distro pointers
- docs/libcurl: add TLS backend info for all TLS options
- docs/libcurl: generate PROTOCOLS from meta-data
- docs: add missing slashes to SChannel client certificate documentation
- docs: add necessary setup for nghttp3
- docs: ascii version of manpage without nroff
- docs: dist curl*.1 and install without perl
- docs: make curldown do angle brackets like markdown
- docs: make each libcurl man specify protocol(s)
- docs: make sure curl.1 is included in dist tarballs
- docs: update minimal binary size in INSTALL.md
- docs: use present tense
- examples: use present tense in comments
- file: use xfer buf for file:// transfers
- fopen: fix narrowing conversion warning on 32-bit Android
- form-string.md: correct the example
- ftp: do lineend conversions in client writer
- ftp: fix socket wait activity in ftp_domore_getsock
- ftp: tracing improvements
- ftp: treat a 226 arriving before data as a signal to read data
- gen.pl: make the "manpageification" faster
- gen: make `>` in input to render as plain '>' in output
- getparam: make --ftp-ssl work again
- GHA/linux: add sysctl trick to work-around GitHub runner issue
- GIT-INFO: convert to markdown
- GOVERNANCE: document the core team
- header.md: remove backslash, make nicer markdown
- HTTP/2: write response directly
- http2, http3: return CURLE_PARTIAL_FILE when bytes were received
- http2: fix push discard
- http2: memory errors in the push callbacks are fatal
- http2: minor tweaks to optimize two struct sizes
- http2: push headers better cleanup
- http2: remove the third (unused) argument from http2_data_done()
- HTTP3.md: adjust the OpenSSL QUIC install instructions
- http: better error message for HTTP/1.x response without status line
- http: improve response header handling, save cpu cycles
- http: move headers collecting to writer
- http: remove stale comment about rewindbeforesend
- http: separate response parsing from response action
- http_chunks: fix the accounting of consumed bytes
- http_chunks: remove unused 'endptr' variable
- https-proxy: use IP address and cert with ip in alt names
- hyper: implement unpausing via client reader
- ipv6.md: mention IPv4 mapped addresses
- KNOWN_BUGS: POP3 issue when reading small chunks
- lib1598: fix `CURLOPT_POSTFIELDSIZE` usage
- lib582: remove code causing warning that is never run
- lib: add `void *ctx` to reader/writer instances
- lib: convert Curl_get_line to use dynbuf
- lib: Curl_read/Curl_write clarifications
- lib: enhance client reader resume + rewind
- lib: initialize output pointers to NULL before calling strto[ff,l,ul]
- lib: keep conn IP information together
- lib: move 'done' parameter to SingleRequests
- lib: remove curl_mimepart object when CURL_DISABLE_MIME
- libcurl-docs: cleanups
- libcurl-security.md: Active FTP passes on the local IP address
- libssh/libssh2: return error on too big range
- MANUAL.md: fix typo
- mbedtls: fix building when MBEDTLS_X509_REMOVE_INFO flag is defined
- mbedtls: fix pytest for newer versions
- mbedtls: properly cleanup the thread-shared entropy
- mbedtls: use mbedtls_ssl_conf_{min|max}_tls_version
- md4: include strdup.h for the memdup proto
- mime: add client reader
- misc: fix typos in docs and lib
- mkhelp: simplify the generated hugehelp program
- mprintf: fix format prefix I32/I64 for windows compilers
- multi: add xfer_buf to multi handle
- multi: fix multi_sock handling of select_bits
- multi: make add_handle free any multi_easy
- ngtcp2: no recvbuf for stream
- ntlm_wb: fix buffer type typo
- OpenSSL QUIC: adapt to v3.3.x
- openssl-quic: check on Windows that socket conv to int is possible
- openssl-quic: fix BIO leak and Windows warning
- openssl-quic: fix unity build, casing, indentation
- OS400: avoid using awk in the build scripts
- paramhlp: fix CRLF-stripping files with "-d @file"
- proxy1.0.md: fix example
- pytest: adapt to API change
- request: clarify message when request has been sent off
- rustls: make curl compile with 0.12.0
- schannel: fix hang on unexpected server close
- scripts: fix cijobs.pl for Azure and GHA
- sendf: ignore response body to HEAD
- setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
- setopt: fix disabling all protocols
- sha512_256: add support for GnuTLS and OpenSSL
- smtp: fix STARTTLS
- SPONSORS: describe the basics
- strtoofft: fix the overflow check
- test 1541: verify getinfo values on first header callback
- test1165: improve pattern matching
- tests: support setting/using blank content env variables
- TIMER_STARTTRANSFER: set the same for everyone
- TLS: start shutdown only when peer did not already close
- TODO: update 13.11 with more information
- tool_cb_hdr: only parse etag + content-disposition for 2xx
- tool_getparam: accept a blank -w ""
- tool_getparam: handle non-existing (out of range) short-options
- tool_operate: change precedence of server Retry-After time
- tool_operate: do not set CURLOPT_QUICK_EXIT in debug builds
- trace-config.md: remove the mutexed options list
- transfer.c: break receive loop in speed limited transfers
- transfer: improve Windows SO_SNDBUF update limit
- urldata: move authneg bit from conn to Curl_easy
- version: allow building with ancient libpsl
- vquic-tls: fix the error code returned for bad CA file
- vtls: fix tls proxy peer verification
- vtls: revert "receive max buffer" + add test case
- VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
- websocket: fix curl_ws_recv()
- wolfSSL: do not call the stub function wolfSSL_BIO_set_init()
- write-out.md: clarify error handling details
New in cURL 8.6.0 (Jan 31, 2024)
- Changes:
- add CURLE_TOO_LARGE
- add CURLINFO_QUEUE_TIME_T
- add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS
- asyn-thread: use GetAddrInfoExW on >= Windows 8
- configure: make libpsl detection failure cause error
- docs/cmdline: change to .md for cmdline docs
- docs: introduce "curldown" for libcurl man page format
- runtests: support -gl. Like -g but for lldb.
- Bugfixes:
- altsvc: free 'as' when returning error
- appveyor: replace PowerShell with bash + parallel autotools
- appveyor: switch to out-of-tree builds
- asyn-ares: with modern c-ares, use its default timeout
- build: delete unused `HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}`
- build: delete/replace clang warning pragmas
- build: enable missing OpenSSF-recommended warnings, with fixes
- build: fix `-Wconversion`/`-Wsign-conversion` warnings
- build: fix Windows ADDRESS_FAMILY detection
- build: more `-Wformat` fixes
- build: remove redundant `CURL_PULL_*` settings
- cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper
- cf-socket: show errno in tcpkeepalive error messages
- CI/distcheck: run full tests
- cmake: add option to disable building docs
- cmake: fix generation for system name iOS
- cmake: fix typo
- cmake: freshen up docs/INSTALL.cmake
- cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE`
- cmake: rework options to enable curl and libcurl docs
- cmake: when USE_MANUAL=YES, build the curl.1 man page
- cmdline-opts/write-out.d: remove spurious double quotes
- cmdline-opts: update availability for the *-ca-native options
- cmdline/gen: fix the sorting of the man page options
- configure: add libngtcp2_crypto_boringssl detection
- configure: fix no default int compile error in ipv6 detection
- configure: when enabling QUIC, check that TLS supports QUIC
- connect: remove margin from eyeballer alloc
- content_encoding: change return code to typedef'ed enum
- cookie.d: document use of empty string to enable cookie engine
- cookie: avoid fopen with empty file name
- curl.h: CURLOPT_DNS_SERVERS is only available with c-ares
- curl: show ipfs and ipns as supported "protocols"
- curl_easy_getinfo.3: remove the wrong time value count
- curl_multi_fdset.3: remove mention of null pointer support
- CURLINFO_REFERER.3: clarify that it is the *request* header
- CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
- CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example
- CURLOPT_SSH_*_KEYFILE: clarify
- dist: add tests/errorcodes.pl to the tarball
- docs: clean up Protocols: for cmdline options
- docs: describe and highlight super cookies
- docs: do not start lines/sentences with So, But nor And
- docs: install curl.1 with cmake
- docs: mention env vars not used by schannel
- doh: remove unused local variable
- examples: add four new examples
- file+ftp: use stack buffers instead of data->state.buffer
- ftp: handle the PORT parsing without allocation
- ftp: use dynbuf to store entrypath
- ftp: use memdup0 to store the OS from a SYST 215 response
- ftpserver.pl: send 213 SIZE response without spurious newline
- gen.pl: support ## for doing .IP in table-like lists
- gen: do italics/bold for a range of letters, not just single word
- GHA: add a job scanning for "bad words" in markdown
- GHA: bump ngtcp2, gnutls, mod_h2, quiche
- gnutls: fix build with --disable-verbose
- haproxy-clientip.d: document the arg
- headers: make sure the trailing newline is not stored
- headers: remove assert from Curl_headers_push
- hostip: return error immediately when Curl_ip2addr() fails
- hsts: remove assert for zero length domain
- http2: improved on_stream_close/data_done handling
- http3/quiche: fix result code on a stream reset
- http3: initial support for OpenSSL 3.2 QUIC stack
- http: adjust_pollset fix
- http: check for "Host:" case insensitively
- http: fix off-by-one error in request method length check
- http: only act on 101 responses when they are HTTP/1.1
- http: remove comment reference to a removed solution
- http: use stack scratch buffer
- http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT
- krb5: add prototype to silence clang warnings on mvsnprintf()
- lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
- lib: error out on multissl + http3
- lib: fix variable undeclared error caused by `infof` changes
- lib: reduce use of strncpy
- lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
- lib: replace readwrite with write_resp
- lib: strndup/memdup instead of malloc, memcpy and null-terminate
- libssh2: use `libssh2_session_callback_set2()` with v1.11.1
- libssh: improve the deprecation warning dismissal
- libssh: suppress warnings without version check
- Makefile.am: fix the MSVC project generation
- Makefile.mk: drop Windows support
- mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls`
- mbedtls: free the entropy when threaded
- mime: use memdup0 instead of malloc + memcpy
- mksymbolsmanpage.pl: provide references to where the symbol is used
- mprintf: overhaul and bugfixes
- mqtt: use stack scratch buffer for recv+publish
- multi: remove total timer reset in file_do() while fetching file://
- ngtcp2: put h3 at the front of alpn
- ntlm_wb: do not use data->state.buffer any longer
- openldap: fix an LDAP crash
- openldap: fix STARTTLS
- openssl: re-match LibreSSL deinit with init
- openssl: when verifystatus fails, remove session id from cache
- OS400: sync ILE/RPG binding
- pingpong: stop using the download buffer
- pop3: replace calloc + memcpy with memdup0
- pytest: scorecard tracking CPU and RSS
- quiche: return CURLE_HTTP3 on send to invalid stream
- readwrite_data: loop less
- Revert "urldata: move async resolver state from easy handle to connectdata"
- rtsp: deal with borked server responses
- runtests: for mode="text" on , fix newlines on both parts
- sasl: make login option string override http auth
- schannel: fix `-Warith-conversion` gcc 13 warning
- sectransp: do verify_cert without memdup for blobs
- sectransp: make TLSCipherNameForNumber() available in non-verbose config
- sendf: fix compiler warning with CURL_DISABLE_HEADERS_API
- setopt: clear mimepost when formp is freed
- setopt: use memdup0 when cloning COPYPOSTFIELDS
- socks: fix generic output string to say SOCKS instead of SOCKS4
- socks: use own buffer instead of data->state.buffer
- ssh: fix namespace of two local macros
- ssh: use stack scratch buffer for seeks
- strerror: repair get_winsock_error()
- system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers
- system_win32: fix a function pointer assignment warning
- telnet: use dynbuf instead of malloc for escape buffer
- telnet: use stack scratch buffer for do
- tests/server: delete workaround for old-mingw
- tests: avoid int/size_t conversion size/sign warnings
- tests: respect $TMPDIR when creating unix domain sockets
- tool: make parser reject blank arguments if not supported
- tool: prepend output_dir in header callback
- tool_getparam: bsearch cmdline options
- tool_getparam: do not try to expand without an argument
- tool_getparam: stop supporting `@filename` style for --cookie
- tool_listhelp: regenerate after recent .d updates
- tool_operate: make --remove-on-error only remove "real" files
- tool_operate: stop setting the file comment on Amiga
- transfer: adjust_pollset improvements
- transfer: fix upload rate limiting, add test cases
- transfer: make the select_bits_paused condition check both directions
- transfer: remove warning: Value stored to 'blen' is never read
- url: don't set default CA paths for Secure Transport backend
- url: for disabled protocols, mention if found in redirect
- urlapi: remove assert
- verify-examples.pl: fail verification on unescaped backslash
- version: show only the libpsl version, not its dependencies
- vquic: extract TLS setup into own source
- vtls: fix missing multissl version info
- vtls: receive max buffer
- vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY
- websockets: check for negative payload lengths
- websockets: refactor decode chain
- windows: delete redundant headers
- windows: simplify detecting and using system headers
- wolfssl: load certificate *chain* for PEM client certs
- x509asn1: remove code for WANT_VERIFYHOST
- x509asn1: switch from malloc to dynbuf
New in cURL 8.5.0 (Dec 6, 2023)
- Changes:
- gnutls: support CURLSSLOPT_NATIVE_CA
- HTTP3: ngtcp2 builds are no longer experimental
- Bugfixes:
- appveyor: make VS2008-built curl tool runnable
- asyn-thread: use pipe instead of socketpair for IPC when available
- autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`
- autotools: avoid passing `LDFLAGS` twice to libcurl
- autotools: delete LCC compiler support bits
- autotools: fix/improve gcc and Apple clang version detection
- autotools: stop setting `-std=gnu89` with `--enable-warnings`
- autotools: update references to deleted `crypt-auth` option
- BINDINGS: add V binding
- build: add `src/.checksrc` to source tarball
- build: add more picky warnings and fix them
- build: always revert `#pragma GCC diagnostic` after use
- build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`
- build: delete support bits for obsolete Windows compilers
- build: fix 'threadsafe' feature detection for older gcc
- build: fix builds that disable protocols but not digest auth
- build: fix compiler warning with auths disabled
- build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`
- build: picky warning updates
- build: require Windows XP or newer
- cfilter: provide call to tell connection to forget a socket
- CI: add autotools, out-of-tree, debug build to distro check job
- CI: ignore test 286 on Appveyor gcc 9 build
- cmake: add `CURL_DISABLE_BINDLOCAL` option
- cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API`
- cmake: dedupe Windows system libs
- cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
- cmake: fix CURL_DISABLE_GETOPTIONS
- cmake: fix multiple include of CURL package
- cmake: fix OpenSSL quic detection in quiche builds
- cmake: option to disable install & drop `curlu` target when unused
- cmake: pre-fill rest of detection values for Windows
- cmake: replace `check_library_exists_concat()`
- cmake: speed up threads setup for Windows
- cmake: speed up zstd detection
- config-win32: set `HAVE_SNPRINTF` for mingw-w64
- configure: better --disable-http
- configure: check for the fseeko declaration too
- conncache: use the closure handle when disconnecting surplus connections
- content_encoding: make Curl_all_content_encodings allocless
- cookie: lowercase the domain names before PSL checks
- curl.h: delete Symbian OS references
- curl.h: on FreeBSD include sys/param.h instead of osreldate.h
- curl.rc: switch out the copyright symbol for plain ASCII
- curl: improved IPFS and IPNS URL support
- curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped
- Curl_http_body: cleanup properly when Curl_getformdata errors
- curl_setup: disallow Windows IPv6 builds missing getaddrinfo
- curl_sspi: support more revocation error names in error messages
- CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation
- CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
- CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does
- CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR
- CURLOPT_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
- docs/example/keepalive.c: show TCP keep-alive options
- docs/example/localport.c: show off CURLOPT_LOCALPORT
- docs/examples/interface.c: show CURLOPT_INTERFACE use
- docs/libcurl: fix three minor man page format mistakes
- docs/libcurl: SYNOPSIS cleanup
- docs: add supported version for the json write-out
- docs: clarify that curl passes on input unfiltered
- docs: fix function typo in curl_easy_option_next.3
- docs: KNOWN_BUGS cleanup
- docs: preserve the modification date when copying the prebuilt man page
- docs: remove bold from some man page SYNOPSIS sections
- docs: use SOURCE_DATE_EPOCH for generated manpages
- doh: provide better return code for responses w/o addresses
- doh: use PIPEWAIT when HTTP/2 is attempted
- duphandle: also free 'outcurl->cookies' in error path
- duphandle: make dupset() not return with pointers to old alloced data
- duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
- easy: in duphandle, init the cookies for the new handle
- easy: remove duplicate wolfSSH init call
- easy_lock: add a pthread_mutex_t fallback
- fopen: create new file using old file's mode
- fopen: create short(er) temporary file name
- getenv: PlayStation doesn't have getenv()
- GHA: move mod_h2 version in CI to v2.0.25
- hostip: show the list of IPs when resolving is done
- hostip: silence compiler warning `-Wparentheses-equality`
- hsts: skip single-dot hostname
- HTTP/2, HTTP/3: handle detach of ongoing transfers
- http2: header conversion tightening
- http2: provide an error callback and failf the message
- http2: safer invocation of populate_binsettings
- http: allow longer HTTP/2 request method names
- http: avoid Expect: 100-continue if Upgrade: is used
- http: consider resume with CURLOPT_FAILONERROR and 416 to be fine
- http: fix `-Wunused-parameter` with no auth and no proxy
- http: fix `-Wunused-variable` compiler warning
- http: fix empty-body warning
- http_aws_sigv4: canonicalise valueless query params
- hyper: temporarily remove HTTP/2 support
- INSTALL: update list of ports and CPU archs
- IPFS: fix IPFS_PATH and file parsing
- keylog: disable if unused
- lib: add and use Curl_strndup()
- lib: apache style infof and trace macros/functions
- lib: fix gcc warning in printf call
- libcurl-errors.3: sync with current public headers
- libcurl-thread.3: simplify the TLS section
- Makefile.am: drop vc10, vc11 and vc12 projects from dist
- Makefile.mk: fix `-rtmp` option for non-Windows
- mime: store "form escape" as a single bit
- misc: fix -Walloc-size warnings
- msh3: error when built with CURL_DISABLE_SOCKETPAIR set
- multi: during ratelimit multi_getsock should return no sockets
- multi: use pipe instead of socketpair to *wakeup()
- ngtcp2: fix races in stream handling
- ntlm_wb: use pipe instead of socketpair when possible
- openldap: move the alloc of ldapconninfo to *connect()
- openldap: set the callback argument in oldap_do
- openssl: avoid BN_num_bits() NULL pointer derefs
- openssl: fix building with v3 `no-deprecated` + add CI test
- openssl: fix infof() to avoid compiler warning for %s with null
- openssl: identify the "quictls" backend correctly
- openssl: include SIG and KEM algorithms in verbose
- openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
- openssl: two multi pointer checks should probably rather be asserts
- openssl: when a session-ID is reused, skip OCSP stapling
- page-footer: clarify exit code 25
- projects: add VC14.20 project files
- pytest: use lower count in repeat tests
- quic: make eyeballers connect retries stop at weird replies
- quic: manage connection idle timeouts
- quiche: use quiche_conn_peer_transport_params()
- rand: fix build error with autotools + LibreSSL
- resolve.d: drop a multi use-sentence
- RTSP: improved RTP parser
- sasl: fix `-Wunused-function` compiler warning
- schannel: add CA cache support for files and memory blobs
- setopt: check CURLOPT_TFTP_BLKSIZE range on set
- setopt: remove outdated cookie comment
- setopt: remove superfluous use of ternary expressions
- socks: better buffer size checks for socks4a user and hostname
- socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
- symbols-in-versions: the CLOSEPOLICY options are deprecated
- test1683: remove commented-out check alternatives
- test3103: add missing quotes around a test tag attribute
- test613: stop showing an error on missing output file
- tests/README: SOCKS tests are not using OpenSSH, it has its own server
- tests/server: add more SOCKS5 handshake error checking
- tests: Fix Windows test helper tool search & use it for handle64
- tidy-up: casing typos, delete unused Windows version aliases
- tool: fix --capath when proxy support is disabled
- tool: support bold headers in Windows
- tool_cb_hdr: add an additional parsing check
- tool_cb_prg: make the carriage return fit for wide progress bars
- tool_cb_wrt: fix write output for very old Windows versions
- tool_getparam: limit --rate to be smaller than number of ms
- tool_operate: do not mix memory models
- tool_operate: fix links in ipfs errors
- tool_parsecfg: make warning output propose double-quoting
- tool_urlglob: fix build for old gcc versions
- tool_urlglob: make multiply() bail out on negative values
- tool_writeout_json: fix JSON encoding of non-ascii bytes
- transfer: abort pause send when connection is marked for closing
- transfer: avoid calling the read callback again after EOF
- transfer: only reset the FTP wildcard engine in CLEAR state
- url: don't touch the multi handle when closing internal handles
- url: find scheme with a "perfect hash"
- url: fix `-Wzero-length-array` with no protocols
- url: fix builds with `CURL_DISABLE_HTTP`
- url: protocol handler lookup tidy-up
- url: proxy ssl connection reuse fix
- urlapi: avoid null deref if setting blank host to url encode
- urlapi: skip appending NULL pointer query
- urlapi: when URL encoding the fragment, pass in the right length
- urldata: make maxconnects a 32 bit value
- urldata: move async resolver state from easy handle to connectdata
- urldata: move cookielist from UserDefined to UrlState
- urldata: move hstslist from 'set' to 'state'
- urldata: move the 'internal' boolean to the state struct
- vssh: remove the #ifdef for Curl_ssh_init, use empty macro
- vtls: cleanup SSL config management
- vtls: consistently use typedef names for OpenSSL structs
- vtls: late clone of connection ssl config
- vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
- VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
- windows: use built-in `_WIN32` macro to detect Windows
- wolfssh: remove redundant static prototypes
- wolfssl: add default case for wolfssl_connect_step1 switch
- wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA
New in cURL 8.3.0 (Sep 13, 2023)
- Changes:
- curl: make %output{} in -w specify a file to write to
- gskit: remove
- lib: --disable-bindlocal builds curl without local binding support
- nss: remove support for this TLS library
- tool: add "variable" support
- trace: make tracing available in non-debug builds
- url: change default value for CURLOPT_MAXREDIRS to 30
- urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
- wolfssl: support loading system CA certificates
- Bugfixes:
- altsvc: accept and parse IPv6 addresses in response headers
- asyn-ares: reduce timeout to 2000ms
- aws-sigv4: canonicalize the query
- aws-sigv4: fix having date header twice in some cases
- aws-sigv4: handle no-value user header entries
- bearssl: don't load CA certs when peer verification is disabled
- bearssl: handshake fix, provide proper get_select_socks() implementation
- build: fix portability of mancheck and checksrc targets
- build: streamline non-UWP wincrypt detections
- c-hyper: adjust the hyper to curlcode conversion
- c-hyper: fix memory leaks in `Curl_http`
- cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
- cf-socket: log successful interface bind
- CI/cirrus: disable python install on FreeBSD
- CI: add a 32-bit i686 Linux build
- CI: add caching to many jobs
- CI: move on to ngtcp2 v0.19.1
- CI: move the Alpine build from Cirrus to GHA
- CI: ngtcp2-linux: use separate caches for tls libraries
- CI: remove Windows builds from Cirrus, without replacement
- CI: switch macOS ARM build from Cirrus to Circle CI
- CI: use master again for wolfssl
- cirrus: install everything with pkg, avoid pip
- cmake: add GnuTLS option
- cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
- cmake: add support for single libcurl compilation pass
- cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
- cmake: assume `wldap32` availability on Windows
- cmake: cache more config and delete unused ones
- cmake: detect `SSL_set0_wbio` in OpenSSL
- cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
- cmake: fix to use variable for the curl namespace
- cmake: fixup H2 duplicate symbols for unity builds
- cmake: set SIZEOF_LONG_LONG in curl_config.h
- cmake: support building static and shared libcurl in one go
- cmdline-docs: make sure to phrase it as "added in ...."
- cmdline-docs: use present tense, not future
- cmdline-opts/docs: mention the negative option part
- cmdline-opts/page-header: clarify stronger that !opt == URL
- cmdline-opts/page-header: reorder, clean up
- configure, cmake, lib: more form api deprecation
- configure: fix `HAVE_TIME_T_UNSIGNED` check
- configure: trust pkg-config when it's used for zlib
- configure: use the pkg-config --libs-only-l flag for libssh2
- connect: stop halving the remaining timeout when less than 600 ms left
- cookie-jar.d: emphasize that this option is ONLY writing cookies
- crypto: ensure crypto initialization works
- curl_url_get/set.3: add missing semicolon in SYNOPSIS
- CURLINFO_CERTINFO.3: better explain curl_certinfo struct
- CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
- CURLOPT_*TIMEOUT*: extend and clarify
- CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
- CURLOPT_URL.3: add two URL API calls in the see-also section
- CURLOPT_URL.3: explain curl_url_set() uses the same parser
- digest: Use hostname to generate spn instead of realm
- disable.d: explain --disable not implemented prior to 7.50.0
- docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
- docs/cmdline-opts: match the current output
- docs/cmdline-opts: spellfixes, typos and polish
- docs/cmdline: add small "warning" to verbose options
- docs/cmdline: remove repeated working for negotiate + ntlm
- docs/HYPER.md: document a workaround for a link error
- docs: add curl_global_trace to some SEE ALSO sections
- docs: link to the website versions instead of markdowns
- docs: mark --ssl-revoke-best-effort as Schannel specific
- docs: mention critical files in same directories as curl saves
- docs: removing "pausing transfers" from HYPER.md.
- docs: rewrite to present tense
- easy: remove #ifdefs to make code easier on the eye
- egd: delete feature detection and related source code
- ftp: fix temp write of ipv6 address
- gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
- gen.pl: replace all single quotes with aq
- GHA: adding quiche workflow
- headers: accept leading whitespaces on first response header
- http2: avoid too early connection re-use/multiplexing
- http2: cleanup trace messages
- http2: disable assertion blocking OSSFuzz testing
- http2: fix in h2 proxy tunnel: progress in ingress on sending
- http2: polish things around POST
- http2: upgrade tests and add fix for non-existing stream
- http3/ngtcp2: shorten handshake, trace cleanup
- http3: quiche, handshake optimization, trace cleanup
- http: close the connection after a late 417 is received
- http: do not require a user name when using CURLAUTH_NEGOTIATE
- http: fix sending of large requests
- http: remove the p_pragma struct field
- http: return error when receiving too large header set
- hyper: fix a progress upload counter bug
- hyper: fix ownership problems
- hyper: remove `hyptransfer->endtask`
- imap: add a check for failing strdup()
- imap: remove the only sscanf() call in the IMAP code
- include.d: explain headers not printed with --fail before 7.75.0
- include/curl/mprintf.h: add __attribute__ for the prototypes
- krb5: fix "implicit conversion loses integer precision" warnings
- lib: add ability to disable auths individually
- lib: build fixups when built with most things disabled
- lib: fix a few *printf() flag mistakes
- lib: fix null ptr derefs and uninitialized vars (h2/h3)
- lib: move mimepost data from ->req.p.http to ->state
- libtest: use curl_free() to free libcurl allocated data
- list-only.d: mention SFTP as supported protocol
- macOS: fix target detection more
- misc: fix various typos
- multi.h: the 'revents' field of curl_waitfd is supported
- multi: more efficient pollfd count for poll
- multi: remove 'processing: ' debug message
- ngtcp2: fix handling of large requests
- openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
- openssl: clear error queue after SSL_shutdown
- openssl: make aws-lc version support OCSP
- openssl: Support async cert verify callback
- openssl: switch to modern init for LibreSSL 2.7.0+
- openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
- openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
- openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
- os400: build test servers
- os400: do not check translatable options at build time
- os400: implement CLI tool
- page-footer: QLOGDIR works with ngtcp2 and quiche
- page-header: move up a URL paragraph from GLOBBING to URL
- pytest: fix check for slow_network skips to only apply when intended
- quic: don't set SNI if hostname is an IP address
- quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
- quiche: enable quiche to handle timeout events
- resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
- revert "schannel: reverse the order of certinfo insertions"
- schannel: fix ordering of cert chain info
- schannel: fix user-set legacy algorithms in Windows 10 & 11
- schannel: verify hostname independent of verify cert
- sectransp: fix compiler warnings
- sectransp: prevent CFRelease() of NULL
- secureserver.pl: fix stunnel path quoting
- secureserver.pl: fix stunnel version parsing
- SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
- system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
- test1304: build and skip without netrc support
- test1554: check translatable string options in OS400 wrapper
- test1608: make it build and get skipped without shuffle DNS support
- test687/688: two more basic --xattr tests
- tests/tftpd+mqttd: make variables static to silence picky warnings
- tests: add 'large-time' as a testable feature
- tests: add support for nested %if conditions
- tests: don't call HTTP errors OK in test cases
- tests: ensure `libcurl.def` contains all exports
- tests: fix h3 server check and parallel instances
- tests: TLS session sharing test
- tests: update cookie expiry dates to far in the future
- time-cond.d: mention what happens on a missing file
- tool: avoid including leading spaces in the Location hyperlink
- tool: change some fopen failures from warnings to errors
- tool: make the length argument an int for printf()-.* flags
- tool_cb_wrt: fix invalid unicode for windows console
- tool_filetime: make -z work with file dates before 1970
- tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
- tool_operate: make aws-sigv4 not require TLS to be used
- tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
- tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
- transfer: also stop the sending on closed connection
- transfer: don't set TIMER_STARTTRANSFER on first send
- unit2600: fix build warning if built without verbose messages
- url: remove infof() output for "still name resolving"
- urlapi: fix heap buffer overflow
- urlapi: make sure zoneid is also duplicated in curl_url_dup
- urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
- urlapi: setting a blank URL ("") is not an ok URL
- vquic: show stringified messages for errno
- vtls: clarify "ALPN: offers" message
- winbuild: improve check for static zlib
- wolfSSL: avoid the OpenSSL compat API when not needed
- workflows/macos.yml: disable zstd and alt-svc in the http-only build
- write-out.d: clarify %{time_starttransfer}
- ws: fix spelling mistakes in examples and tests
New in cURL 8.2.1 (Jul 26, 2023)
- Bugfixes:
- amigaos: fix sys/mbuf.h m_len macro clash
- amissl: add missing signal.h include
- amissl: fix AmiSSL v5 detection
- cfilters: rename close/connect functions to avoid clashes
- ciphers.d: put URL in first column
- cmake: add `libcurlu`/`libcurltool` for unit tests
- cmake: update ngtcp2 detection
- configure: check for nghttp2_session_get_stream_local_window_size
- CONTRIBUTE: drop mention of copyright year ranges
- CONTRIBUTE: fix syntax in commit message description
- curl_multi_wait.3: fix arg quoting to doc macro .BR
- docs: mark two TLS options for TLS, not SSL
- docs: provide more see also for cipher options
- hostip: return IPv6 first for localhost resolves
- http2: fix regression on upload EOF handling
- http: VLH, very large header test and fixes
- libcurl-errors.3: add CURLUE_OK
- os400: correct EXPECTED_STRING_LASTZEROTERMINATED
- quiche: fix lookup of transfer at multi
- quiche: fix segfault and other things
- rustls: update rustls-ffi 0.10.0
- socks: print ipv6 address within brackets
- src/mkhelp: strip off escape sequences
- tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
- transfer: do not clear the credentials on redirect to absolute URL
- unittest: remove unneeded *_LDADD
- websocket: rename arguments/variables to match docs
New in cURL 8.1.2 (May 30, 2023)
- Bugfixes:
- configure: quote the assignments for run-compiler
- configure: without pkg-config and no custom path, use -lnghttp2
- curl: cache the --trace-time value for a second
- http2: fix EOF handling on uploads with auth negotiation
- http3: send EOF indicator early as possible
- lib1560: verify more scheme guessing
- lib: remove unused functions, make single-use static
- libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
- libssh: when keyboard-interactive auth fails, try password
- misc: fix spelling mistakes
- page-header: mention curl version and how to figure out current release
- page-header: minor wording polish in the URL segment
- scripts/singleuse.pl: add more API calls
- urlapi: remove superfluous host name check
New in cURL 8.1.1 (May 23, 2023)
- Bugfixes:
- cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND
- checksrc: disallow spaces before labels
- cmake: avoid `list(PREPEND)` for compatibility
- cmake: repair cross compiling
- configure: fix --help alignment
- configure: generate a script to run the compiler
- curl_easy_getinfo: clarify on return data types
- docs: document that curl_url_cleanup(NULL) is a safe no-op
- hostip: move easy_lock.h include above curl_memory.h
- http2: double http request parser max line length
- http2: increase stream window size to 10 MB
- http2: upload improvements
- lib: fix conversion warnings with gcc on macOS
- lib: rename struct 'http_req' to 'httpreq'
- ngtcp2: fix compiler warning about possible null-deref
- ngtcp2: proper handling of uint64_t when adjusting send buffer
- os400: update chkstrings.c
- runtests: handle interrupted reads from IPC pipes
- runtests: use the correct fd after select
- sectransp.c: make the code c89 compatible
- select: avoid returning an error on EINTR from select() or poll()
- test425: fix the log directory for the upload
- url: provide better error message when URLs fail to parse
- urlapi: allow numerical parts in the host name
- vquic.c: make recvfrom_packets static, avoid compiler warning
New in cURL 8.0.1 (Mar 21, 2023)
- Bugfixes:
- fix crash in curl_easy_cleanup
New in cURL 7.88.1 (Feb 20, 2023)
- Bugfixes:
- build-openssl.bat: keep OpenSSL 3 engine binaries
- cmake: fix Windows check for CryptAcquireContext
- connect: fix timeout handling to use full duration
- curl: make --silent work stand-alone
- curl_setup: Suppress OpenSSL 3 deprecation warnings
- CURLOPT_WS_OPTIONS.3: fix the availability version
- GHA: update rustls dependency to 0.9.2
- http2: buffer/pausedata and output flush fix.
- http2: set drain on stream end
- http: include stdint.h more readily
- krb5: silence cast-align warning
- lib1560: add IPv6 canonicalization tests
- os400: correct Curl_os400_sendto()
- remote-header-name.d: mention that filename* is not supported
- runtests: fix "uninitialized value $port"
- setopt: allow HTTP3 when HTTP2 is not defined
- socketpair: allow EWOULDBLOCK when reading the pair check bytes
- socks: allow using DoH to resolve host names
- tests-httpd: add proxy tests
- tests: make sure gnuserv-tls has SRP support before using it
- tests: make the telnet server shut down a socket gracefully
- tool_getparam: make --get a true boolean
- tool_operate: allow debug builds to set buffersize
- urlapi: do the port number extraction without using sscanf()
- urldata: remove `now` from struct SingleRequest - not needed
New in cURL 7.88.0 (Feb 15, 2023)
- Changes:
- curl.h: add CURL_HTTP_VERSION_3ONLY
- share: add sharing of HSTS cache among handles
- src: add --http3-only
- tool_operate: share HSTS between handles
- urlapi: add CURLU_PUNYCODE
- writeout: add %{certs} and %{num_certs}
- Bugfixes:
- cf-socket: fix build when not HAVE_GETPEERNAME
- cf-socket: keep sockaddr local in the socket filters
- cfilters:Curl_conn_get_select_socks: use the first non-connected filter
- CI: add a workflow to automatically label pull requests
- CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
- CI: Retry failed downloads to reduce spurious failures
- CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
- cmake: bump requirement to 3.7
- cmake: check for sendmsg
- cmake: delete redundant macro definition `SECURITY_WIN32`
- cmake: fix dev warning due to mismatched arg
- cmake: fix the snprintf detection
- cmake: remove deprecated symbols check
- cmake: set SOVERSION also for macOS
- cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
- cmdline-opts/Makefile: on error, do not leave a partial
- CODEOWNERS: remove the peeps mentioned as CI owners
- connect: fix access of pointer before NULL check
- connect: fix build when not ENABLE_IPV6
- connect: fix strategy testing for attempts, timeouts and happy-eyeball
- connections: introduce http/3 happy eyeballs
- content_encoding: do not reset stage counter for each header
- CONTRIBUTE: More formally specify the commit description
- cookies: fp is always not NULL
- copyright.pl: cease doing year verifications
- copyright: update all copyright lines and remove year ranges
- curl.1: make help, version and manual sections "custom"
- curl.h: allow up to 10M buffer size
- curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
- curl/websockets.h: extend the websocket frame struct
- curl: output warning at --verbose output for debug-enabled version
- curl_free.3: fix return type of `curl_free`
- curl_global_sslset.3: clarify the openssl situation
- curl_log: for failf/infof and debug logging implementations
- curl_setup: Disable by default recv-before-send in Windows
- curl_version_info.3: fix typo
- curl_ws_send.3: clarify how to send multi-frame messages
- CURLOPT_HEADERDATA.3: warn DLL users must set write function
- CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
- CURLOPT_WRITEFUNCTION.3: fix memory leak in example
- dict: URL decode the entire path always
- docs/DEPRECATE.md: deprecate gskit
- docs: add link to GitHub Discussions
- docs: mention indirect effects of --insecure
- docs: POSTFIELDSIZE must be set to -1 with read function
- doh: ifdef IPv6 code
- easyoptions: fix header printing in generation script
- escape: hex decode with a lookup-table
- escape: use table lookup when adding %-codes to output
- examples: remove the curlgtk.c example
- fopen: remove unnecessary assignment
- ftpserver: lower the DATA connect timeout to speed up torture tests
- GHA/macos.yml: bump to gcc-12
- GHA/macos: use Xcode_14.0.1 for cmake builds
- GHA: add job on Slackware 15.0
- GHA: bump ngtcp2 workflow dependencies
- GHA: enable websockets in the torture job
- GHA: move the quiche job here from zuul
- GHA: use designated ngtcp2 and its dependencies versions
- haproxy: send before TLS handshake
- header.d: add a header file example
- hsts.d: explain hsts more
- hsts: handle adding the same host name again
- HTTP/[23]: continue upload when state.drain is set
- http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
- http2: fix compiler warning due to uninitialized variable
- http2: minor buffer and error path fixes
- http2: when using printf %.*s, the length arg must be 'int'
- HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
- http: add additional condition for including stdint.h
- http: decode transfer encoding first
- http: fix "part of conditional expression is always false"
- http: remove the trace message "Mark bundle... multiuse"
- http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
- http_proxy: do not assign data->req.p.http use local copy
- INSTALL: document how to use multiple TLS backends
- lib670: make test.h the first include
- lib: connect/h2/h3 refactor
- lib: fix typos
- lib: fix typos in comments which repeat a word
- libssh2: try sha2 algos for hostkey methods
- libtest: add a sleep macro for Windows
- Linux CI: update some dependencies to latest tag
- Makefile.mk: fix wolfssl and mbedtls default paths
- man pages: call the custom user pointer 'clientp' consistently
- md4: fix build with GnuTLS + OpenSSL v1
- misc: fix grammar and spelling
- misc: fix spelling
- misc: reduce struct and struct field sizes
- msh3: add support for request payload
- msh3: update to v0.5 Release
- msh3: update to v0.6
- multi: stop sending empty HTTP/3 UDP datagrams on Windows
- multihandle: turn bool struct fields into bits
- ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
- ngtcp2: fix the build without 'sendmsg'
- ngtcp2: replace removed define and stop using removed function
- no-clobber.d: only use long form options in man page text
- noproxy: support for space-separated names is deprecated
- nss: implement data_pending method
- openldap: fix missing sasl symbols at build in specific configs
- openssl: adapt to boringssl's error code type
- openssl: don't ignore CA paths when using Windows CA store (redux)
- openssl: don't log raw record headers
- openssl: make the BIO_METHOD a local variable in the connection filter
- openssl: only use CA_BLOB if verifying peer
- openssl: remove attached easy handles from SSL instances
- openssl: store the CA after first send (ClientHello)
- os400: fixes to make-lib.sh and initscript.sh
- packages: remove Android, update README
- release-notes.pl: check fixes/closes lines better
- Revert "x509asn1: avoid freeing unallocated pointers"
- runtest.pl: add expected fourth return value
- runtests: tear down http2/http3 servers when https server is stopped
- runtests: consider warnings fatal and error on them
- runtests: fix detection of TLS backends
- runtests: make 'mbedtls' a testable feature
- rustls: improve error messages
- scripts/delta: show percent of number of files changed since last tag
- scripts: fix Appveyor job detection in cijobs.pl
- scripts: set file mode +x on all perl and shell scripts
- sectransp: fix for incomplete read/writes
- SECURITY-PROCESS.md: document severity levels
- setopt: Address undefined behaviour by checking for null
- setopt: move the SHA256 opt within #ifdef libssh2
- setopt: use >, not >=, when checking if uarg is larger than uint-max
- smb: return error on upload without size
- socketpair: allow localhost MITM sniffers
- strdup: name it Curl_strdup
- system.h: assume OS400 is always built with ILEC compiler
- test1560: use a UTF8-using locale when run
- test2304: remove stdout verification
- tests-httpd: basic infra to run curl against an apache httpd
- tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
- tests: add tests for HTTP/2 and HTTP/3 to verify the header API
- tests: avoid use of sha1 in certificates
- tls: fixes for wolfssl + openssl combo builds
- tool_getparam: fix hiding of command line secrets
- tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
- tool_operate: fix error codes during DOS filename sanitize
- tool_operate: fix error codes on bad URL & OOM
- tool_operate: fix headerfile writing
- tool_operate: repair --rate
- transfer: break the read loop when RECV is cleared
- typecheck: accept expressions for option/info parameters
- url: fix part of conditional expression is always true
- urlapi: avoid Curl_dyn_addf() for hex outputs
- urlapi: fix part of conditional expression is always true: qlen
- urlapi: skip path checks if path is just "/"
- urlapi: skip the extra dedotdot alloc if no dot in path
- urldata: cease storing TLS auth type
- urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
- urldata: make set.http200aliases conditional on HTTP being present
- urldata: move the cookefilelist to the 'set' struct
- urldata: remove unused struct fields, made more conditional
- vquic: stabilization and improvements
- vtls: fix hostname handling in filters
- vtls: manage current easy handle in nested cfilter calls
- vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
- winbuild: document that arm64 is supported
- windows: always use curl's basename() implementation
- wolfssl: remove deprecated post-quantum algorithms
- workflows/linux.yml: merge 3 common packages
- write-out.d: add 'since version' to %{header_json} documentation
- write-out.d: clarify Windows % symbol escaping
- ws: fix autoping handling
- ws: fix multiframe send handling
- ws: fix recv of larger frames
- ws: remove bad assert
- ws: unstick connect-only shutdown
- ws: use %Ou for outputting curl_off_t with info()
- x509asn1: fix compile errors and warnings
- zuul: stop using this CI service
New in cURL 7.87.0 (Dec 21, 2022)
- Changes:
- curl: add --url-query
- CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
- lib: add CURL_WRITEFUNC_ERROR to signal write callback error
- openssl: reduce CA certificate bundle reparsing by caching
- version: add a feature names array to curl_version_info_data
- Bugfixes:
- altsvc: fix rejection of negative port numbers
- aws_sigv4: consult x-%s-content-sha256 for payload hash
- aws_sigv4: fix typos in aws_sigv4.c
- base64: better alloc size
- base64: encode without using snprintf
- base64: faster base64 decoding
- build: assume assert.h is always available
- build: assume errno.h is always available
- c-hyper: CONNECT responses are not server responses
- c-hyper: fix multi-request mechanism
- CI: Change FreeBSD image from 12.3 to 12.4
- CI: LGTM.com will be shut down in December 2022
- ci: Remove zuul fuzzing job as it's superseded by CIFuzz
- cmake: check for cross-compile, not for toolchain
- CMake: fix build with `CURL_USE_GSSAPI`
- cmake: really enable warnings with clang
- cmake: set the soname on the shared library
- cmdline-opts/gen.pl: fix the linkifier
- cmdline-opts/page-footer: remove long option nroff formatting
- config-mac: define HAVE_SYS_IOCTL_H
- config-mac: fix typo: size_T -> size_t
- config-mac: remove HAVE_SYS_SELECT_H
- config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
- configure: require fork for NTLM-WB
- contributors.sh: actually use $CURLWWW instead of just setting it
- cookie: compare cookie prefixes case insensitively
- cookie: expire cookies at once when max-age is negative
- cookie: open cookie jar as a binary file
- curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
- curl-rustls.m4: on macOS, rustls also needs the Security framework
- curl.h: include on SerenityOS
- curl.h: name all public function parameters
- curl.h: reword comment to not use deprecated option
- curl: override the numeric locale and set "C" by force
- curl: timeout in the read callback
- curl_endian: remove Curl_write64_le from header
- curl_get_line: allow last line without newline char
- curl_path: do not add '/' if homedir ends with one
- curl_url_get.3: remove spurious backtick
- curl_url_set.3: document CURLU_DISALLOW_USER
- curl_url_set.3: fix typo
- CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
- CURLOPT_COOKIEFILE.3: advice => advise
- CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
- CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
- CURLOPT_POST.3: Explain setting to 0 changes request type
- docs/curl_ws_send: Fixed typo in websocket docs
- docs/EARLY-RELEASE.md: how to determine an early release
- docs/examples: spell correction ('Retrieve')
- docs/INSTALL.md: expand on static builds
- docs/WEBSOCKET.md: explain the URL use
- docs: add missing parameters for --retry flag
- docs: add more "SEE ALSO" links to CA related pages
- docs: explain the noproxy CIDR notation support
- docs: extend the dump-header documentation
- docs: remove performance note in CURLOPT_SSL_VERIFYPEER
- examples/10-at-a-time: fix possible skipped final transfers
- examples: update descriptions
- ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
- gen.pl: do not generate CURLHELP bitmask lines > 79 characters
- GHA: clarify workflows permissions, set least possible privilege
- GHA: NSS use clang instead of clang-9
- gnutls: use common gnutls init and verify code for ngtcp2
- headers: add endif comments
- HTTP-COOKIES.md: mention that http://localhost is a secure context
- HTTP-COOKIES.md: update the 6265bis link to draft-11
- http: do not send PROXY more than once
- http: fix the ::1 comparison for IPv6 localhost for cookies
- http: set 'this_is_a_follow' in the Location: logic
- http: use the IDN decoded name in HSTS checks
- hyper: classify headers as CONNECT and 1XX
- hyper: fix handling of hyper_task's when reusing the same address
- idn: remove Curl_win32_ascii_to_idn
- INSTALL: update operating systems and CPU archs
- KNOWN_BUGS: remove eight entries
- lib1560: add some basic IDN host name tests
- lib: connection filters (cfilter) addition to curl:
- lib: feature deprecation warnings in gcc >= 4.3
- lib: fix some type mismatches and remove unneeded typecasts
- lib: parse numbers with fixed known base 10
- lib: remove bad set.opt_no_body assignments
- lib: rewind BEFORE request instead of AFTER previous
- lib: sync guard for Curl_getaddrinfo_ex() definition and use
- lib: use size_t or int etc instead of longs
- libcurl-errors.3: remove duplicate word
- libssh2: return error when ssh_hostkeyfunc returns error
- limit-rate.d: see also --rate
- log2changes.pl: wrap long lines at 80 columns
- Makefile.mk: address minor issues
- Makefile.mk: improve a GNU Make hack
- Makefile.mk: portable Makefile.m32
- maketgz: set the right version in lib/libcurl.plist
- mime: relax easy/mime structures binding
- misc: Fix incorrect spelling
- misc: remove duplicated include files
- misc: typo and grammar fixes
- negtelnetserver.py: have it call its close() method
- netrc.d: provide mutext info
- netware: remove leftover traces
- noproxy: also match with adjacent comma
- noproxy: guard against empty hostnames in noproxy check
- noproxy: tailmatch like in 7.85.0 and earlier
- nroff-scan.pl: detect double highlights
- ntlm: improve comment for encrypt_des
- ntlm: silence ubsan warning about copying from null target_info pointer
- openssl/mbedtls: use %d for outputting port with failf (int)
- openssl: prefix errors with '[lib]/[version]: '
- os400: use platform socklen_t in Curl_getnameinfo_a
- page-header: grammar improvement (display transfer rate)
- proxy: refactor haproxy protocol handling as connection filter
- README.md: remove badges and xmas-tree garnish
- rtsp: fix RTSP auth
- runtests: --no-debuginfod now disables DEBUGINFOD_URLS
- runtests: do CRLF replacements per section only
- scripts/checksrc.pl: detect duplicated include files
- sendf: change Curl_read_plain to wrap Curl_recv_plain
- sendf: remove unnecessary if condition
- setup: do not require __MRC__ defined for Mac OS 9 builds
- smb/telnet: do not free the protocol struct in *_done()
- socks: fix username max size is 255 (0xFF)
- spellcheck.words: remove 'github' as an accepted word
- ssl-reqd.d: clarify that this is for upgrading connections only
- strcase: use curl_str(n)equal for case insensitive matches
- styled-output.d: this option does not work on Windows
- system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
- system.h: support 64-bit curl_off_t for NonStop 32-bit
- test1421: fix typo
- test3026: reduce runtime in legacy mingw builds
- tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
- tests: add authorityInfoAccess to generated certs
- tests: add HTTP/3 test case, custom location for proper nghttpx
- tls: backends use connection filters for IO, enabling HTTPS-proxy
- tool: determine the correct fopen option for -D
- tool_cfgable: free the ssl_ec_curves on exit
- tool_cfgable: make socks5_gssapi_nec a boolean
- tool_formparse: avoid clobbering on function params
- tool_getparam: make --no-get work as the opposite of --get
- tool_operate: provide better errmsg for -G with bad URL
- tool_operate: when aborting, make sure there is a non-NULL error buffer
- tool_paramhlp: free the proto strings on exit
- url: move back the IDN conversion of proxy names
- urlapi: reject more bad letters from the host name: &+()
- urldata: change port num storage to int and unsigned short
- vms: remove SIZEOF_SHORT
- vtls: fix build without proxy support
- vtls: localization of state data in filters
- WEBSOCKET.md: fix broken link
- Websocket: fixes for partial frames and buffer updates
- websockets: fix handling of partial frames
- windows: fail early with a missing windres in autotools
- windows: fix linking .rc to shared curl with autotools
- winidn: drop WANT_IDN_PROTOTYPES
- ws: if no connection is around, return error
- ws: return CURLE_NOT_BUILT_IN when websockets not built in
- x509asn1: avoid freeing unallocated pointers
New in cURL 7.86.0 (Oct 26, 2022)
- Changes:
- NPN: remove support for and use of
- Websockets: initial support
- Bugfixes:
- altsvc: reject bad port numbers
- altsvc: use 'h3' for h3
- amiga: do not hardcode openssl/zlib into the os config
- amiga: set SIZEOF_CURL_OFF_T=8 by default
- amigaos: add missing curl header
- asyn-ares: set hint flags when calling ares_getaddrinfo
- autotools: allow --enable-symbol-hiding with windows
- autotools: allow unix sockets on Windows
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- bearssl: make it proper C89 compliant
- CI/GHA: cancel outdated CI runs on new PR changes
- CI/GHA: merge msh3 and openssl3 builds into linux workflow
- cirrus-ci: add macOS build with m1
- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
- cli tool: do not use disabled protocols
- cmake: add missing inet_ntop check
- cmake: add the check of HAVE_SOCKETPAIR
- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
- cmake: delete duplicate HAVE_GETADDRINFO test
- cmake: enable more detection on Windows
- cmake: fix original MinGW builds
- cmake: improve usability of CMake build as a sub-project
- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
- cmake: sync HAVE_SIGNAL detection with autotools
- cmdline/docs: add a required 'multi' keyword for each option
- configure: correct the wording when checking grep -E
- configure: deprecate builds with small curl_off_t
- configure: fail if '--without-ssl' + explicit parameter for an ssl lib
- configure: the ngtcp2 option should default to 'no'
- connect: change verbose IPv6 address:port to [address]:port
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- ctype: remove all use of , use our own versions
- curl-compilers.m4: for gcc + want warnings, set gnu89 standard
- curl-compilers.m4: use -O2 as default optimize for clang
- curl-wolfssl.m4: error out if wolfSSL is not usable
- curl.h: fix mention of wrong error code in comment
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/add_parallel_transfers: better error handling
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- curl_ctype: convert to macros-only
- curl_easy_pause.3: unpausing is as fast as possible
- curl_escape.3: fix typo
- curl_setup: disable use of FLOSS for 64-bit NonStop builds
- curl_setup: include curl.h after platform setup headers
- curl_setup: include only system.h instead of curl.h
- curl_strequal.3: fix argument typo
- curl_url_set.3: document CURLU_APPENDQUERY proper
- CURLMOPT_PIPELINING.3: dedup manpage xref
- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
- CURLOPT_COOKIEFILE: insist on "" for enable-without-file
- CURLOPT_COOKIELIST.3: fix formatting mistake
- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
- CURLOPT_MIMEPOST.3: add an (inline) example
- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
- CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
- CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument
- DEPRECATE.md: Support for systems without 64 bit data types
- docs/examples: avoid deprecated options in examples where possible
- docs/INSTALL: update Android Instructions for newer NDKs
- docs/libcurl/symbols-in-versions: add several missing symbols
- docs: 100+ spellfixes
- docs: correct missing uppercase in Markdown files
- docs: document more server names for test files
- docs: fix deprecation versions inconsistencies
- docs: make sure libcurl opts examples pass in long arguments
- docs: remove mentions of deprecated '--without-openssl' parameter
- docs: tag curl options better in man pages
- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
- docs: update sourceforge project links
- easy: fix the #include order
- easy: fix the altsvc init for curl_easy_duphandle
- easy_lock: check for HAVE_STDATOMIC_H as well
- examples/chkspeed: improve portability
- formdata: fix warning: 'CURLformoption' is promoted to 'int'
- ftp: ignore a 550 response to MDTM
- ftp: remove redundant if
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- GHA: build tests in a separate step from the running of them
- GHA: run proselint on markdown files
- github: initial CODEOWNERS setup for CI configuration
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
- hostip: lazily wait to figure out if IPv6 works until needed
- http, vauth: always provide Curl_allow_auth_to_host() functionality
- http2: make nghttp2 less picky about field whitespace
- HTTP3.md: update Caddy example
- http: try parsing Retry-After: as a number first
- http_proxy: restore the protocol pointer on error
- httpput-postfields.c: shorten string for C89 compliance
- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
- lib1560: extended to verify detect/reject of unknown schemes
- lib517: fix C89 constant signedness
- lib: add missing limits.h includes
- lib: add required Win32 setup definitions in setup-win32.h
- lib: prepare the incoming of additional protocols
- lib: sanitize conditional exclusion around MIME
- lib: set more flags in config-win32.h
- lib: the number four in a sequence is the "fourth"
- libssh: if sftp_init fails, don't get the sftp error code
- Makefile.m32: deduplicate build rules
- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults
- Makefile.m32: exclude libs & libpaths for shared mode exes
- Makefile.m32: fix regression with tool_hugehelp
- Makefile.m32: major rework
- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall
- Makefile.m32: support more options
- manpage-syntax.pl: all libcurl option symbols should be fI-tagged
- manpages: Fix spelling of "allows to" -> "allows one to"
- misc: ISSPACE() => ISBLANK()
- misc: use the term "null-terminate" consistently
- mprintf: reject two kinds of precision for the same argument
- mprintf: use snprintf if available
- mqtt: return error for too long topic
- mqtt: spell out CONNECT in comments
- msh3: change the static_assert to make the code C89
- netrc: compare user name case sensitively
- netrc: replace fgets with Curl_get_line
- netrc: use the URL-decoded user
- ngtcp2: fix build errors due to changes in ngtcp2 library
- ngtcp2: fix C89 compliance nit
- noproxy: support proxies specified using cidr notation
- openssl: make certinfo available for QUIC
- README.md: add GHA status badges for Linux and macOS builds
- RELEASE-PROCEDURE.md: mention patch releases
- resolve: make forced IPv4 resolve only use A queries
- runtests: fix uninitialized value on ignored tests
- schannel: ban server ALPN change during recv renegotiation
- schannel: don't reset recv/send function pointers on renegotiation
- schannel: when importing PFX, disable key persistence
- scripts: use `grep -E` instead of `egrep`
- setopt: use the handler table for protocol name to number conversions
- setopt: when POST is set, reset the 'upload' field
- setup-win32: no longer define UNICODE/_UNICODE implicitly
- single_transfer: use the libcurl URL parser when appending query parts
- smb: replace CURL_WIN32 with WIN32
- strcase: add and use Curl_timestrcmp
- strerror: improve two URL API error messages
- symbol-scan.pl: also check for LIBCURL* symbols
- symbol-scan.pl: scan and verify .3 man pages
- symbols-in-versions: add missing LIBCURL* symbols
- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
- test1119: scan all public headers
- test1275: verify uppercase after period in markdown
- test972: verify the output without using external tool
- tests/certs/scripts: insert standard curl source headers
- tests/Makefile: remove run time stats from ci-test
- tests: avoid CreateThread if _beginthreadex is available
- tests: fix tag syntax errors in test files
- tests: skip mime/form tests when mime is not built-in
- tidy-up: delete parallel/unused feature flags
- tidy-up: delete unused HAVE_STRUCT_POLLFD
- TODO: provide the error body from a CONNECT response
- tool: avoid generating ambiguous escaped characters in --libcurl
- tool: remove dead code
- tool: reorganize function c_escape around a dynbuf
- tool_hugehelp: make hugehelp a blank macro when disabled
- tool_main: exit at once if out of file descriptors
- tool_operate: avoid a few #ifdefs for disabled-libcurl builds
- tool_operate: more transfer cleanup after parallel transfer fail
- tool_operate: prevent over-queuing in parallel mode
- tool_operate: reduce errorbuffer allocs
- tool_paramhelp: asserts verify maximum sizes for string loading
- tool_paramhelp: make the max argument a 'double'
- tool_progress: remove 'Qd' from the parallel progress bar
- tool_setopt: use better English in --libcurl source comments
- tool_xattr: save the original URL, not the final redirected one
- unit test 1655: make it C89-compliant
- url: a zero-length userinfo part in the URL is still a (blank) user
- url: allow non-HTTPS HSTS-matching for debug builds
- url: rename function due to name-clash in Watt-32
- url: use IDN decoded names for HSTS checks
- urlapi: detect scheme better when not guessing
- urlapi: fix parsing URL without slash with CURLU_URLENCODE
- urlapi: leaner with fewer allocs
- urlapi: reject more bad characters from the host name field
- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
- winbuild: use NMake batch-rules for compilation
- windows: add .rc support to autotools builds
- windows: adjust name of two internal public functions
- windows: autotools .rc warnings fixup
- wolfSSL: fix session management bug
New in cURL 7.84.0 (Jun 27, 2022)
- Changes:
- curl: add --rate to set max request rate per time unit
- curl: deprecate --random-file and --egd-file
- curl_version_info: add CURL_VERSION_THREADSAFE
- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
- lib: make curl_global_init() threadsafe when possible
- libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
- opts: deprecate RANDOM_FILE and EGDSOCKET
- socks: support unix sockets for socks proxy
- Bugfixes:
- aws-sigv4: fix potential NULL pointer arithmetic
- bindlocal: don't use a random port if port number would wrap
- c-hyper: mark status line as status for Curl_client_write()
- ci: avoid `cmake -Hpath`
- CI: bump FreeBSD 13.0 to 13.1
- ci: update github actions
- cmake: add libpsl support
- cmake: do not add libcurl.rc to the static libcurl library
- cmake: enable curl.rc for all Windows targets
- cmake: fix detecting libidn2
- cmake: support adding a suffix to the OS value
- configure: skip libidn2 detection when winidn is used
- configure: use the SED value to invoke sed
- configure: warn about rustls being experimental
- content_encoding: return error on too many compression steps
- cookie: address secure domain overlay
- cookie: apply limits
- copyright.pl: parse and use .reuse/dep5 for skips
- copyright: make repository REUSE compliant
- curl.1: add a few see also --tls-max
- curl.1: mention exit code zero too
- curl: re-enable --no-remote-name
- curl_easy_pause.3: remove explanation of progress function
- curl_getdate.3: document that some illegal dates pass through
- Curl_parsenetrc: don't access local pwbuf outside of scope
- curl_url_set.3: clarify by default using known schemes only
- CURLOPT_ALTSVC.3: document the file format
- CURLOPT_FILETIME.3: fix the protocols this works with
- CURLOPT_HTTPHEADER.3: improve comment in example
- CURLOPT_NETRC.3: document the .netrc file format
- CURLOPT_PORT.3: We discourage using this option
- CURLOPT_RANGE.3: remove ranged upload advice
- digest: added detection of more syntax error in server headers
- digest: tolerate missing "realm"
- digest: unquote realm and nonce before processing
- DISABLED: disable 1021 for hyper again
- docs/cmdline-opts: add copyright and license identifier to each file
- docs/CONTRIBUTE.md: document the 'needs-votes' concept
- docs: clarify data replacement policy for MIME API
- doh: remove UNITTEST macro definition
- examples/crawler.c: use the curl license
- examples: remove fopen.c and rtsp.c
- FAQ: Clarify Windows double quote usage
- fopen: add Curl_fopen() for better overwriting of files
- ftp: restore protocol state after http proxy CONNECT
- ftp: when failing to do a secure GSSAPI login, fail hard
- GHA/hyper: enable debug in the build
- gssapi: improve handling of errors from gss_display_status
- gssapi: initialize gss_buffer_desc strings
- headers api: remove EXPERIMENTAL tag
- http2: always debug print stream id in decimal with %u
- http2: reject overly many push-promise headers
- http: restore header folding behavior
- hyper: use 'alt-used'
- krb5: return error properly on decode errors
- lib: make more protocol specific struct fields #ifdefed
- libcurl-security.3: add "Secrets in memory"
- libcurl-security.3: document CRLF header injection
- libssh: skip the fake-close when libssh does the right thing
- links: update dead links to the curl-wiki
- log2changes: do not indent empty lines [ci skip]
- macos9: remove partial support
- Makefile.am: fix portability issues
- Makefile.m32: delete obsolete options, improve -On [ci skip]
- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
- max-time.d: clarify max-time sets max transfer time
- mprintf: ignore clang non-literal format string
- netrc: check %USERPROFILE% as well on Windows
- netrc: support quoted strings
- ngtcp2: allow curl to send larger UDP datagrams
- ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
- ngtcp2: enable Linux GSO
- ngtcp2: extend QUIC transport parameters buffer
- ngtcp2: fix alert_read_func return value
- ngtcp2: fix typo in preprocessor condition
- ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
- ngtcp2: send appropriate connection close error code
- ngtcp2: support boringssl crypto backend
- ngtcp2: use helper funcs to simplify TLS handshake integration
- ntlm: provide a fixed fake host name
- projects: fix third-party SSL library build paths for Visual Studio
- quic: add Curl_quic_idle
- quiche: support ca-fallback
- rand: stop detecting /dev/urandom in cross-builds
- remote-name.d: mention --output-dir
- runtests.pl: add the --repeat parameter to the --help output
- runtests: fix skipping tests not done event-based
- runtests: skip starting the ssh server if user name is lacking
- scripts/copyright.pl: fix the exclusion to not ignore man pages
- sectransp: check for a function defined when __BLOCKS__ is undefined
- select: return error from "lethal" poll/select errors
- server/sws: support spaces in the HTTP request path
- speed-limit/time.d: mention these affect transfers in either direction
- strcase: some optimisations
- test 2081: add a valid reply for the second request
- test 675: add missing CR so the test passes when run through Privoxy
- test414: add the '--resolve' keyword
- test681: verify --no-remote-name
- tests 266, 116 and 1540: add a small write delay
- tests/data/test1501: kill ftp server after slow LIST response
- tests/getpart: fix getpartattr to work with "data" and "data2"
- tests/server/sws.c: change the HTTP writedelay unit to milliseconds
- test{440,441,493,977}: add "HTTP proxy" keywords
- tool_getparam: fix --parallel-max maximum value constraint
- tool_operate: make sure --fail-with-body works with --retry
- transfer: fix potential NULL pointer dereference
- transfer: maintain --path-as-is after redirects
- transfer: upload performance; avoid tiny send
- url: free old conn better on reuse
- url: remove redundant #ifdefs in allocate_conn()
- url: URL encode the path when extracted, if spaces were set
- urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
- urlapi: support CURLU_URLENCODE for curl_url_get()
- urldata: reduce size of a few struct fields
- urldata: remove three unused booleans from struct UserDefined
- urldata: store tcp_keepidle and tcp_keepintvl as ints
- version: allow stricmp() for sorting the feature list
- vtls: make curl_global_sslset thread-safe
- wolfssh.h: removed
- wolfssl: correct the failf() message when a handle can't be made
- wolfSSL: explicitly use compatibility layer
- x509asn1: mark msnprintf return as unchecked
New in cURL 7.83.1 (May 11, 2022)
- Bugfixes:
- altsvc: fix host name matching for trailing dots
- cirrus: Update to FreeBSD 12.3
- cirrus: Use pip for Python packages on FreeBSD
- conn: fix typo 'connnection' -> 'connection' in two function names
- cookies: make bad_domain() not consider a trailing dot fine
- curl: free resource in error path
- curl: guard against size_t wraparound in no-clobber code
- CURLOPT_DOH_URL.3: mention the known bug
- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
- CURLOPT_SSH_AUTH_TYPES.3: fix the default
- data/test376: set a proper name
- GHA/mbedtls: enabled nghttp2 in the build
- gha: build msh3
- gskit: fixed bogus setsockopt calls
- gskit: remove unused function set_callback
- hsts: ignore trailing dots when comparing hosts names
- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
- http: move Curl_allow_auth_to_host()
- http_proxy/hyper: handle closed connections
- hyper: fix test 357
- Makefile: fix "make ca-firefox"
- mbedtls: bail out if rng init fails
- mbedtls: fix compile when h2-enabled
- mbedtls: fix some error messages
- misc: use "autoreconf -fi" instead of buildconf
- msh3: get msh3 version from MsH3Version
- msh3: print boolean value as text representation
- msh3: pass remote_port to MsH3ConnectionOpen
- ngtcp2: add ca-fallback support for OpenSSL backend
- nss: return error if seemingly stuck in a cert loop
- openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
- post_per_transfer: remove the updated file name
- sectransp: bail out if SSLSetPeerDomainName fails
- tests/server: declare variable 'reqlogfile' static
- tests: fix markdown formatting in README
- test{898,974,976}: add 'HTTP proxy' keywords
- tls: check more TLS details for connection reuse
- url: check SSH config match on connection reuse
- urlapi: address (harmless) UndefinedBehavior sanitizer warning
- urlapi: reject percent-decoding host name into separator bytes
- x509asn1: make do_pubkey handle EC public keys
New in cURL 7.79.1 (Sep 24, 2021)
- Bugfixes:
- Curl_http2_setup: don't change connection data on repeat invokes
- curl_multi_fdset: make FD_SET() not operate on sockets out of range
- dist: provide lib/.checksrc in the tarball
- FAQ: add GOPHERS + curl works on data, not files
- hsts: CURLSTS_FAIL from hsts read callback should fail transfer
- hsts: handle unlimited expiry
- http: fix the broken >3 digit response code detection
- strerror: use sys_errlist instead of strerror on Windows
- test1184: disable
- tests/sshserver.pl: make it work with openssh-8.7p1
New in cURL 7.76.1 (Apr 14, 2021)
- Bugfixes:
- configure: disable min version set for Darwin
- configure: include unconditionally
- configure: remove use of RETSIGTYPE
- docs/HTTP3.md: update the build instruction using gnutls
- examples/hiperfifo.c: check event_initialized before delete
- file: support GETing directories again
- github/workflow: add "security-extended" to codeql-analysis.yml
- h2: allow 100 streams by default
- hostip: fix builds that disable all asynchronous DNS
- http_proxy: only loop on 407 + close if we have credentials
- install: add instructions for Apple Darwin platforms
- lib: remove unused HAVE_INET_NTOA_R* defines
- libssh: get rid of PATH_MAX
- ngtcp2+gnutls: clear credentials when freed
- ngtcp2: Use ALPN h3-29 for now
- ntlm: fix negotiated flags usage
- ntlm: support version 2 on 32-bit platforms
- openssl: fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
- TLS: fix HTTP/2 selection
- tool_progress: fix progress meter final update in parallel mode
- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
New in cURL 7.71.1 (Jul 1, 2020)
- Bugfixes:
- cirrus-ci: disable FreeBSD 13 (again)
- Curl_inet_ntop: always check the return code
- CURLOPT_READFUNCTION.3: provide the upload data size up front
- DYNBUF.md: fix a typo: trail => tail
- escape: make the URL decode able to reject only -bytes
- escape: zero length input should return a zero length output
- examples/multithread.c: call curl_global_cleanup()
- http2: set the correct URL in pushed transfers
- http: fix proxy auth with blank password
- mbedtls: fix build with disabled proxy support
- ngtcp2: sync with current master
- openssl: Fix compilation on Windows when ngtcp2 is enabled
- Revert "multi: implement wait using winsock events"
- sendf: improve the message on client write errors
- terminology: call them null-terminated strings
- tool_cb_hdr: Fix etag warning output and return code
- url: allow user + password to contain "control codes" for HTTP(S)
- vtls: compare cert blob when finding a connection to reuse
New in cURL 7.69.1 (Mar 12, 2020)
- Bugfixes:
- ares: store dns parameters for duphandle
- cirrus-ci: disable the FreeBSD 13 builds
- curl_share_setopt.3: Note sharing cookies doesn't enable the engine
- lib1564: reduce number of mid-wait wakeup calls
- libssh: Fix matching user-specified MD5 hex key
- MANUAL: update a dict-using command line
- mime: do not perform more than one read in a row
- mime: fix the binary encoder to handle large data properly
- mime: latch last read callback status
- multi: skip EINTR check on wakeup socket if it was closed
- pause: bail out on bad input
- pause: force a connection recheck after unpausing (take 2)
- pause: return early for calls that don't change pause state
- runtests.1: rephrase how to specify what tests to run
- runtests: fix missing use of exe_ext helper function
- seek: fix fall back for missing ftruncate on Windows
- sftp: fix segfault regression introduced by #4747 in 7.69.0
- sha256: Added SecureTransport implementation
- sha256: Added WinCrypt implementation
- socks4: fix host resolve regression
- socks5: host name resolve regression fix
- tests/server: fix missing use of exe_ext helper function
- tests: fix static ip:port instead of dynamic values being used
- tests: make sleeping portable by avoiding select
- unit1612: fix the inclusion and compilation of the HMAC unit test
- urldata: remove the 'stream_was_rewound' connectdata struct member
- version: make curl_version* thread-safe without using global context
New in cURL 7.66.0 (Sep 11, 2019)
- Changes:
- CURLINFO_RETRY_AFTER: parse the Retry-After header value
- HTTP3: initial (experimental still not working) support
- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
- curl: support parallel transfers with -Z
- curl_multi_poll: a sister to curl_multi_wait() that waits more
- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
- Bugfixes:
- CVE-2019-5481: FTP-KRB double-free
- CVE-2019-5482: TFTP small blocksize heap buffer overflow
- CI: remove duplicate configure flag for LGTM.com
- CMake: remove needless newlines at end of gss variables
- CMake: use platform dependent name for dlopen() library
- CURLINFO docs: mention that in redirects times are added
- CURLOPT_ALTSVC.3: use a "" file name to not load from a file
- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
- CURLOPT_HEADERFUNCTION.3: clarify
- CURLOPT_HTTP_VERSION: setting this to 3 forces HTTP/3 use directly
- CURLOPT_READFUNCTION.3: provide inline example
- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
- Curl_addr2string: take an addrlen argument too
- Curl_fillreadbuffer: avoid double-free trailer buf on error
- HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
- alt-svc: add protocol version selection masking
- alt-svc: fix removal of expired cache entry
- alt-svc: make it use h3-22 with ngtcp2 as well
- alt-svc: more liberal ALPN name parsing
- alt-svc: send Alt-Used: in redirected requests
- alt-svc: with quiche, use the quiche h3 alpn string
- appveyor: pass on -k to make
- asyn-thread: create a socketpair to wait on
- build-openssl: fix build with Visual Studio 2019
- cleanup: move functions out of url.c and make them static
- cleanup: remove the 'numsocks' argument used in many places
- configure: avoid undefined check_for_ca_bundle
- curl.h: add CURL_HTTP_VERSION_3 to the version enum
- curl.h: fix outdated comment
- curl: cap the maximum allowed values for retry time arguments
- curl: handle a libcurl build without netrc support
- curl: make use of CURLINFO_RETRY_AFTER when retrying
- curl: remove outdated comment
- curl: use .curlrc (with a dot) on Windows
- curl: use CURLINFO_PROTOCOL to check for HTTP(s)
- curl_global_init_mem.3: mention it was added in 7.12.0
- curl_version: bump string buffer size to 250
- curl_version_info.3: mentioned ALTSVC and HTTP3
- curl_version_info: offer quic (and h3) library info
- curl_version_info: provide nghttp2 details
- defines: avoid underscore-prefixed defines
- docs/ALTSVC: remove what works and the experimental explanation
- docs/EXPERIMENTAL: explain what it means and what's experimental now
- docs/MANUAL.md: converted to markdown from plain text
- docs/examples/curlx: fix errors
- docs: s/curl_debug/curl_dbg_debug in comments and docs
- easy: resize receive buffer on easy handle reset
- examples: Avoid reserved names in hiperfifo examples
- examples: add http3.c, altsvc.c and http3-present.c
- getenv: support up to 4K environment variable contents on windows
- http09: disable HTTP/0.9 by default in both tool and library
- http2: when marked for closure and wanted to close == OK
- http2_recv: trigger another read when the last data is returned
- http: fix use of credentials from URL when using HTTP proxy
- http_negotiate: improve handling of gss_init_sec_context() failures
- md4: Use our own MD4 when no crypto libraries are available
- multi: call detach_connection before Curl_disconnect
- netrc: make the code try ".netrc" on Windows
- nss: use TLSv1.3 as default if supported
- openssl: build warning free with boringssl
- openssl: use SSL_CTX_set__proto_version() when available
- plan9: add support for running on Plan 9
- progress: reset download/uploaded counter between transfers
- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
- scp: fix directory name length used in memcpy
- smb: init *msg to NULL in smb_send_and_recv()
- smtp: check for and bail out on too short EHLO response
- source: remove names from source comments
- spnego_sspi: add typecast to fix build warning
- src/makefile: fix uncompressed hugehelp.c generation
- ssh-libssh: do not specify O_APPEND when not in append mode
- ssh: move code into vssh for SSH backends
- sspi: fix memory leaks
- tests: Replace outdated test case numbering documentation
- tftp: return error when packet is too small for options
- timediff: make it 64 bit (if possible) even with 32 bit time_t
- travis: reduce number of torture tests in 'coverage'
- url: make use of new HTTP version if alt-svc has one
- urlapi: verify the IPv6 numerical address
- urldata: avoid 'generic', use dedicated pointers
- vauth: Use CURLE_AUTH_ERROR for auth function errors
New in cURL 7.65.3 (Jul 19, 2019)
- Bugfixes:
- progress: make the progress meter appear again
New in cURL 7.65.2 (Jul 17, 2019)
- Bugfixes:
- CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
- CMake: Convert errant elseif() to else()
- CMake: Fix finding Brotli on case-sensitive file systems
- CURLMOPT_SOCKETFUNCTION.3: clarified
- CURLMOPT_SOCKETFUNCTION.3: fix typo
- CURLOPT_CAINFO.3: polished wording
- CURLOPT_HEADEROPT.3: Fix example
- CURLOPT_RANGE.3: Caution against using it for HTTP PUT
- CURLOPT_SEEKDATA.3: fix variable name
- DEPRECATE: fixup versions and spelling
- bindlocal: detect and avoid IP version mismatches in bind()
- build: fix Codacy warnings
- buildconf.bat: fix header filename
- c-ares: honor port numbers in CURLOPT_DNS_SERVERS
- config-os400: add getpeername and getsockname defines
- configure: --disable-progress-meter
- configure: fix --disable-code-coverage
- configure: fix typo '--disable-http-uath'
- configure: more --disable switches to toggle off individual features
- configure: remove CURL_DISABLE_TLS_SRP
- conn_maxage: move the check to prune_dead_connections()
- curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
- curl_multi_wait.3: escape backslash in example
- docs: Explain behavior change in --tlsv1. options since 7.54
- docs: Fix links to OpenSSL docs
- docs: fix string suggesting HTTP/2 is not the default
- examples/fopen: fix comparison
- examples/htmltitle: use C++ casts between pointer types
- headers: Remove no longer exported functions
- http2: call done_sending on end of upload
- http2: don't call stream-close on already closed streams
- http2: remove CURL_DISABLE_TYPECHECK define
- http: allow overriding timecond with custom header
- http: clarify header buffer size calculation
- krb5: fix compiler warning
- lib: Use UTF-8 encoding in comments
- libcurl-tutorial.3: Fix small typo (mutipart -> multipart)
- libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
- multi: enable multiplexing by default (again)
- multi: fix the transfer hashes in the socket hash entries
- multi: make sure 'data' can be present in several sockhash entries
- netrc: Return the correct error code when out of memory
- nss: don't set unused parameter
- nss: inspect returnvalue of token check
- nss: only cache valid CRL entries
- nss: support using libnss on macOS
- openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
- openssl: fix pubkey/signature algorithm detection in certinfo
- openssl: remove outdated comment
- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
- quote.d: asterisk prefix works for SFTP as well
- runtests: keep logfiles around by default
- runtests: report single test time + total duration
- smb: Use the correct error code for access denied on file open
- sws: remove unused variables
- system_win32: fix clang warning
- system_win32: fix typo
- test1165: verify that CURL_DISABLE_ symbols are in sync
- test1521: adapt to SLISTPOINT
- test1523: test CURLOPT_LOW_SPEED_LIMIT
- test153: fix content-length to avoid occasional hang
- test188/189: fix Content-Length
- tests: have runtests figure out disabled features
- tests: support non-localhost HOSTIP for dict/smb servers
- tests: update fixed IP for hostip/clientip split
- tool_cb_prg: Fix integer overflow in progress bar
- travis: disable threaded resolver for coverage build
- travis: enable alt-svc for coverage build
- travis: enable brotli for all xenial jobs
- travis: enable libssh2 for coverage build
- travis: enable warnings-as-errors for coverage build
- travis: update scan-build job to xenial
- typecheck: CURLOPT_CONNECT_TO takes an slist too
- typecheck: add 3 missing strings and a callback data pointer
- unit1654: cleanup on memory failure
- unpause: trigger a timeout for event-based transfers
- url: Fix CURLOPT_MAXAGE_CONN time comparison
- win32: make DLL loading a no-op for UWP
- winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG
- winbuild: use WITH_PREFIX if given
- wolfssl: refer to it as wolfSSL only
New in cURL 7.65.1 (Jun 5, 2019)
- Bugfixes:
- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- appveyor: add Visual Studio solution build
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- config-win32: add support for if_nametoindex and getsockname
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: add support to test against OpenSSH for Windows
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_parse_cfg: Avoid 2 fopen() for WIN32
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
- winbuild: Use two space indentation
New in cURL 7.64.0 (Mar 6, 2019)
- Changes:
- cookies: leave secure cookies alone
- hostip: support wildcard hosts
- http: Implement trailing headers for chunked transfers
- http: added options for allowing HTTP/0.9 responses
- timeval: Use high resolution timestamps on Windows
- Bugfixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- FAQ: remove mention of sourceforge for github
- OS400: handle memory error in list conversion
- OS400: upgrade ILE/RPG binding
- README: add codacy code quality badge
- Revert http_negotiate: do not close connection
- THANKS: added several missing names from year
New in cURL 7.63.0 (Dec 21, 2018)
- Changes:
- curl: add %{stderr} and %{stdout} for --write-out
- curl: add undocumented option --dump-module-paths for win32
- setopt: add CURLOPT_CURLU
- Bugfixes:
- (lib)curl.rc: fixup for minor bugs
- CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
- CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
- CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
- Curl_follow: accept non-supported schemes for "fake" redirects
- KNOWN_BUGS: add --proxy-any connection issue
- NTLM: Remove redundant ifdef USE_OPENSSL
- NTLM: force the connection to HTTP/1.1
- OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
- SECURITY-PROCESS: bountygraph shuts down again
- TODO: Have the URL API offer IDN decoding
- ares: remove fd from multi fd set when ares is about to close the fd
- axtls: removed
- checksrc: add COPYRIGHTYEAR check
- cmake: fix MIT/Heimdal Kerberos detection
- configure: include all libraries in ssl-libs fetch
- configure: show CFLAGS, LDFLAGS etc in summary
- connect: fix building for recent versions of Minix
- cookies: create the cookiejar even if no cookies to save
- cookies: expire "Max-Age=0" immediately
- curl: --local-port range was not "including"
- curl: fix --local-port integer overflow
- curl: fix memory leak reading --writeout from file
- curl: fixed UTF-8 in current console code page (Windows)
- curl_easy_perform: fix timeout handling
- curl_global_sslset(): id == -1 is not necessarily an error
- curl_multibyte: fix a malloc overcalculation
- curle: move deprecated error code to ifndef block
- docs: curl_formadd field and file names are now escaped
- docs: escape "\n" codes
- doh: fix memory leak in OOM situation
- doh: make it work for h2-disabled builds too
- examples/ephiperfifo: report error when epoll_ctl fails
- ftp: avoid two unsigned int overflows in FTP listing parser
- host names: allow trailing dot in name resolve, then strip it
- http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
- http: don't set CURLINFO_CONDITION_UNMET for http status code 204
- http: fix HTTP Digest auth to include query in URI
- http_negotiate: do not close connection until negotiation is completed
- impacket: add LICENSE
- infof: clearly indicate truncation
- ldap: fix LDAP URL parsing regressions
- libcurl: stop reading from paused transfers
- mprintf: avoid unsigned integer overflow warning
- netrc: don't ignore the login name specified with "--user"
- nss: Fall back to latest supported SSL version
- nss: Fix compatibility with nss versions 3.14 to 3.15
- nss: fix fallthrough comment to fix picky compiler warning
- nss: remove version selecting dead code
- nss: set default max-tls to 1.3/1.2
- openssl: Remove SSLEAY leftovers
- openssl: do not log excess "TLS app data" lines for TLS 1.3
- openssl: do not use file BIOs if not requested
- openssl: fix unused variable compiler warning with old openssl
- openssl: support session resume with TLS 1.3
- openvms: fix example name
- os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
- os400: add CURLOPT_CURLU to ILE/RPG binding
- os400: fix return type of curl_easy_pause() in ILE/RPG binding
- packages: remove old leftover files and dirs
- pop3: only do APOP with a valid timestamp
- runtests: use the local curl for verifying
- schannel: be consistent in Schannel capitalization
- schannel: better CURLOPT_CERTINFO support
- schannel: use Curl_ prefix for global private symbols
- snprintf: renamed and we now only use msnprintf()
- ssl: fix compilation with OpenSSL 0.9.7
- ssl: replace all internal uses of CURLE_SSL_CACERT
- symbols-in-versions: add missing CURLU_ symbols
- test328: verify Content-Encoding: none
- tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
- tests: drop http_pipe.py script no longer used
- tool_cb_wrt: Silence function cast compiler warning
- tool_doswin: Fix uninitialized field warning
- travis: build with clang sanitizers
- travis: remove curl before a normal build
- url: a short host name + port is not a scheme
- url: fix IPv6 numeral address parser
- urlapi: only skip encoding the first '=' with APPENDQUERY set
New in cURL 7.61.0 (Jul 11, 2018)
- Changes:
- getinfo: add microsecond precise timers for seven intervals
- curl: show headers in bold, switch off with --no-styled-output
- httpauth: add support for Bearer tokens
- Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
- curl: --tls13-ciphers and --proxy-tls13-ciphers
- Add CURLOPT_DISALLOW_USERNAME_IN_URL
- curl: --disallow-username-in-url
- Bug fixes:
- CVE-2018-0500: smtp: fix SMTP send buffer overflow
- schannel: disable client cert option if APIs not available
- schannel: disable manual verify if APIs not available
- tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
- openssl: acknowledge --tls-max for default version too
- stub_gssapi: fix 'unused parameter' warnings
- examples/progressfunc: make it build on both new and old libcurls
- docs: mention it is HA Proxy protocol "version 1"
- curl_fnmatch: only allow two asterisks for matching
- docs: clarify CURLOPT_HTTPGET
- configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
- configure: do compile-time SIZEOF checks instead of run-time
- checksrc: make sure sizeof() is used *with* parentheses
- CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
- schannel: make CAinfo parsing resilient to CR/LF
- tftp: make sure error is zero terminated before printfing it
- http resume: skip body if http code 416 (range error) is ignored
- configure: add basic test of --with-ssl prefix
- cmake: set -d postfix for debug builds
- multi: provide a socket to wait for in Curl_protocol_getsock
- content_encoding: handle zlib versions too old for Z_BLOCK
- winbuild: only delete OUTFILE if it exists
- winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
- schannel: add failf calls for client certificate failures
- cmake: Fix the test for fsetxattr and strerror_r
- curl.1: Fix cmdline-opts reference errors
- cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
- cmake: check for getpwuid_r
- configure: fix ssh2 linking when built with a static mbedtls
- psl: use latest psl and refresh it periodically
- fnmatch: insist on escaped bracket to match
- KNOWN_BUGS: restore text regarding #2101
- INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
- configure: override AR_FLAGS to silence warning
- os400: implement mime api EBCDIC wrappers
- curl.rc: embed manifest for correct Windows version detection
- strictness: correct {infof, failf} format specifiers
- tests: update .gitignore for libtests
- configure: check for declaration of getpwuid_r
- fnmatch: use the system one if available
- CURLOPT_RESOLVE: always purge old entry first
- multi: remove a potentially bad DEBUGF()
- curl_addrinfo: use same #ifdef conditions in source as header
- build: remove the Borland specific makefiles
- axTLS: not considered fit for use
- cmdline-opts/cert-type.d: mention "p12" as a recognized type
- system.h: add support for IBM xlc C compiler
- tests/libtest: Add lib1521 to nodist_SOURCES
- mk-ca-bundle.pl: leave certificate name untouched
- boringssl + schannel: undef X509_NAME in lib/schannel.h
- openssl: assume engine support in 1.0.1 or later
- cppcheck: fix warnings
- test 46: make test pass after year 2025
- schannel: support selecting ciphers
- Curl_debug: remove dead printhost code
- test 1455: unflakified
- Curl_init_do: handle NULL connection pointer passed in
- progress: remove a set of unused defines
- mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
- GOVERNANCE.md: explains how this project is run
- configure: use pkg-config for c-ares detection
- configure: enhance ability to build with static openssl
- maketgz: fix sed issues on OSX
- multi: fix memory leak when stopped during name resolve
- CURLOPT_INTERFACE.3: interface names not supported on Windows
- url: fix dangling conn->data pointer
- cmake: allow multiple SSL backends
- system.h: fix for gcc on 32 bit OpenServer
- ConnectionExists: make sure conn->data is set when "taking" a connection
- multi: fix crash due to dangling entry in connect-pending list
- CURLOPT_SSL_VERIFYPEER.3: Add performance note
- netrc: use a larger buffer to support longer passwords
- url: check Curl_conncache_add_conn return code
- configure: Add dependent libraries after crypto
- easy_perform: faster local name resolves by using *multi_timeout()
- getnameinfo: not used, removed all configure checks
- travis: add a build using the synchronous name resolver
- CURLINFO_TLS_SSL_PTR.3: improve the example
- openssl: allow TLS 1.3 by default
- openssl: make the requested TLS version the *minimum* wanted
- openssl: Remove some dead code
- telnet: fix clang warnings
- DEPRECATE: new doc describing planned item removals
- example/crawler.c: simple crawler based on libxml2
- libssh: goto DISCONNECT state on error, not SESSION_FREE
- CMake: Remove unused functions
- darwinssl: allow High Sierra users to build the code using GCC
- scripts: include _curl as part of CLEANFILES
New in cURL 7.59.0 (Mar 30, 2018)
- Changes:
- curl: add --proxy-pinnedpubkey
- added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
- CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- Add new tool option --happy-eyeballs-timeout-ms
- Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
- Bug fixes:
- openldap: check ldap_get_attribute_ber() results for NULL before using
- FTP: reject path components with control codes
- readwrite: make sure excess reads don't go beyond buffer end
- lib555: drop text conversion and encode data as ascii codes
- lib517: make variable static to avoid compiler warning
- lib544: sync ascii code data with textual data
- GSKit: restore pinnedpubkey functionality
- darwinssl: Don't import client certificates into Keychain on macOS
- parsedate: fix date parsing for systems with 32 bit long
- openssl: fix pinned public key build error in FIPS mode
- SChannel/WinSSL: Implement public key pinning
- cookies: remove verbose "cookie size:" output
- progress-bar: don't use stderr explicitly, use bar->out
- Fixes for MSDOS
- build: open VC15 projects with VS 2017
- curl_ctype: private is*() type macros and functions
- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- winbuild: make linker generate proper PDB
- curl_easy_reset: clear digest auth state
- curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
- range: commonize FTP and FILE range handling
- progress-bar docs: update to match implementation
- fnmatch: do not match the empty string with a character set
- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
- build: fix termios issue on android cross-compile
- getdate: return -1 for out of range
- formdata: use the mime-content type function
- time-cond: fix reading the file modification time on Windows
- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- openssl: Don't add verify locations when verifypeer==0
- fnmatch: optimize processing of consecutive *s and ?s pattern characters
- schannel: fix compiler warnings
- content_encoding: Add "none" alias to "identity"
- get_posix_time: only check for overflows if they can happen
- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
- README: language fix
- sha256: build with OpenSSL < 0.9.8
- smtp: fix processing of initial dot in data
- --tlsauthtype: works only if libcurl is built with TLS-SRP support
- tests: new tests for http raw mode
- libcurl-security.3: man page discussing security concerns when using libcurl
- curl_gssapi: make sure this file too uses our *printf()
- BINDINGS: fix curb link (and remove ruby-curl-multi)
- nss: use PK11_CreateManagedGenericObject() if available
- travis: add build with iconv enabled
- ssh: add two missing state names
- CURLOPT_HEADERFUNCTION.3: mention folded headers
- http: fix the max header length detection logic
- header callback: don't chop headers into smaller pieces
- CURLOPT_HEADER.3: clarify problems with different data sizes
- curl --version: show PSL if the run-time lib has it enabled
- examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Return error if called recursively from within callbacks
- sasl: prefer PLAIN mechanism over LOGIN
- winbuild: Use CALL to run batch scripts
- curl_share_setopt.3: connection cache is shared within multi handles
- winbuild: Use macros for the names of some build utilities
- projects/README: remove reference to dead IDN link/package
- lib655: silence compiler warning
- configure: Fix version check for OpenSSL 1.1.1
- docs/MANUAL: formfind.pl is not accessible on the site anymore
- unit1309: fix warning on Windows x64
- unit1307: proper cleanup on OOM to fix torture tests
- curl_ctype: fix macro redefinition warnings
- build: get CFLAGS (including -werror) used for examples and tests
- NO_PROXY: fix for IPv6 numericals in the URL
- krb5: use nondeprecated functions
- winbuild: prefer documented zlib library names
- http2: mark the connection for close on GOAWAY
- limit-rate: kick in even before "limit" data has been received
- HTTP: allow "header;" to replace an internal header with a blank one
- http2: verbose output new MAX_CONCURRENT_STREAMS values
- SECURITY: distros' max embargo time is 14 days
- curl tool: accept --compressed also if Brotli is enabled and zlib is not
- WolfSSL: adding TLSv1.3
- checksrc.pl: add -i and -m options
- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
New in cURL 7.58.0 (Jan 25, 2018)
- Changes:
- new libssh-powered SSH SCP/SFTP back-end
- curl-config: add --ssl-backends
- Bug fixes:
- http2: fix incorrect trailer buffer size
- http: prevent custom Authorization headers in redirects
- travis: add boringssl build
- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
- SSL: Avoid magic allocation of SSL backend specific data
- lib: don't export all symbols, just everything curl_*
- libssh2: send the correct CURLE error code on scp file not found
- libssh2: return CURLE_UPLOAD_FAILED on failure to upload
- openssl: enable pkcs12 in boringssl builds
- libssh2: remove dead code from SSH_SFTP_QUOTE
- sasl_getmesssage: make sure we have a long enough string to pass
- conncache: fix several lock issues
- threaded-shared-conn.c: new example
- conncache: only allow multiplexing within same multi handle
- configure: check for netinet/in6.h
- URL: tolerate backslash after drive letter for FILE:
- openldap: add commented out debug possibilities
- include: get netinet/in.h before linux/tcp.h
- CONNECT: keep close connection flag in http_connect_state struct
- BINDINGS: another PostgreSQL client
- curl: limit -# update frequency for unknown total size
- configure: add AX_CODE_COVERAGE only if using gcc
- curl.h: remove incorrect comment about ERRORBUFFER
- openssl: improve data-pending check for https proxy
- curl: remove __EMX__ #ifdefs
- CURLOPT_PRIVATE.3: fix grammar
- sftp: allow quoted commands to use relative paths
- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
- RESOLVE: output verbose text when trying to set a duplicate name
- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- multi_done: prune DNS cache
- tests: update .gitignore for libtests
- tests: mark data files as non-executable in git
- CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
- curl.1: documented two missing valid exit codes
- curl.1: mention http:// and https:// as valid proxy prefixes
- vtls: replaced getenv() with curl_getenv()
- setopt: less *or equal* than INT_MAX/1000 should be fine
- examples/smtp-mail.c: use separate defines for options and mail
- curl: support >256 bytes warning messages
- conncache: fix a return code
- krb5: fix a potential access of uninitialized memory
- rand: add a clang-analyzer work-around
- CURLOPT_READFUNCTION.3: refer to argument with correct name
- brotli: allow compiling with version 0.6.0
- content_encoding: rework zlib_inflate
- curl_easy_reset: release mime-related data
- examples/rtsp: fix error handling macros
- build-openssl.bat: Added support for VC15
- build-wolfssl.bat: Added support for VC15
- build: Added Visual Studio 2017 project files
- winbuild: Added support for VC15
- curl: Support size modifiers for --max-filesize
- examples/cacertinmem: ignore cert-already-exists error
- brotli: data at the end of content can be lost
- curl_version_info.3: call the argument 'age'
- openssl: fix memory leak of SSLKEYLOGFILE filename
- build: remove HAVE_LIMITS_H check
- --mail-rcpt: fix short-text description
- scripts: allow all perl scripts to be run directly
- progress: calculate transfer speed on milliseconds if possible
- system.h: check __LONG_MAX__ for defining curl_off_t
- easy: fix connection ownership in curl_easy_pause
- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- configure.ac: append extra linker flags instead of prepending them
- HTTP: bail out on negative Content-Length: values
- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
- mime: clone mime tree upon easy handle duplication
- openssl: enable SSLKEYLOGFILE support by default
- smtp/pop3/imap_get_message: decrease the data length too...
- CURLOPT_TCP_NODELAY.3: fix typo
- SMB: fix numeric constant suffix and variable types
- ftp-wildcard: fix matching an empty string with "*[^a]"
- curl_fnmatch: only allow 5 '*' sections in a single pattern
- openssl: fix potential memory leak in SSLKEYLOGFILE logic
- SSH: Fix state machine for ssh-agent authentication
- examples/url2file.c: add missing curl_global_cleanup() call
- http2: don't close connection when single transfer is stopped
- libcurl-env.3: first version
- curl: progress bar refresh, get width using ioctl()
- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
New in cURL 7.57.0 (Nov 29, 2017)
- Changes:
- auth: add support for RFC7616 - HTTP Digest access authentication
- share: add support for sharing the connection cache
- HTTP: implement Brotli content encoding
- Bug fixes:
- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access
- curl_mime_filedata.3: fix typos
- libtest: Add required test libraries for lib1552 and lib1553
- fix time diffs for systems using unsigned time_t
- ftplistparser: memory leak fix: free temporary memory always
- multi: allow table handle sizes to be overridden
- wildcards: don't use with non-supported protocols
- curl_fnmatch: return error on illegal wildcard pattern
- transfer: Fix chunked-encoding upload too early exit
- curl_setup: Improve detection of CURL_WINDOWS_APP
- resolvers: only include anything if needed
- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
- appveyor: add a win32 build
- Curl_timeleft: change return type to timediff_t
- cmake: Export libcurl and curl targets to use by other cmake projects
- curl: in -F option arg, comma is a delimiter for files only
- curl: improved ";type=" handling in -F option arguments
- timeval: use mach_absolute_time() on MacOS
- curlx: the timeval functions are no longer provided as curlx_*
- mkhelp.pl: do not generate comment with current date
- memdebug: use send/recv signature for curl_dosend/curl_dorecv
- cookie: avoid NULL dereference
- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- include: remove conncache.h inclusion from where its not needed
- CURLOPT_MAXREDIRS: allow -1 as a value
- tests: Fixed torture tests on tests 556 and 650
- http2: Fixed OOM handling in upgrade request
- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
- CURLOPT_INFILESIZE: accept -1
- curl: pass through [] in URLs instead of calling globbing error
- curl: speed up handling of many URLs
- ntlm: avoid malloc(0) for zero length passwords
- url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES
- HTTP: support multiple Content-Encodings
- travis: add a job with brotli enabled
- url: remove unnecessary NULL-check
- fnmatch: remove dead code
- connect: store IPv6 connection status after valid connection
- imap: deal with commands case insensitively
- --interface: add support for Linux VRF
- content_encoding: fix inflate_stream for no bytes available
- cmake: Correctly include curl.rc in Windows builds
- cmake: Add missing setmode check
- connect.c: remove executable bit on file
- SMB: fix uninitialized local variable
- zlib/brotli: only include header files in modules needing them
- URL: return error on malformed URLs with junk after IPv6 bracket
- openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- macOS: Fix missing connectx function with Xcode version older than 9.0
- --resolve: allow IP address within [] brackets
- examples/curlx: Fix code style
- ntlm: remove unnecessary NULL-check to please scan-build
- Curl_llist_remove: fix potential NULL pointer deref
- mime: fix "Value stored to 'sz' is never read" scan-build error
- openssl: fix "Value stored to 'rc' is never read" scan-build error
- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
- http2: fix "Value stored to 'end' is never read" scan-build error
- Curl_open: fix OOM return error correctly
- url: reject ASCII control characters and space in host names
- examples/rtsp: clear RANGE again after use
- connect: improve the bind error message
- make: fix "make distclean"
- connect: add support for new TCP Fast Open API on Linux
- metalink: fix memory-leak and NULL pointer dereference
- URL: update "file:" URL handling
- ssh: remove check for a NULL pointer
- global_init: ignore CURL_GLOBAL_SSL's absence
New in cURL 7.56.1 (Oct 23, 2017)
- Bug fixes:
- imap: if a FETCH response has no size, don't call write callback
- ftp: UBsan fixup 'pointer index expression overflowed'
- failf: skip the sprintf() if there are no consumers
- fuzzer: move to using external curl-fuzzer
- lib/Makefile.m32: allow customizing dll suffixes
- docs: fix typo in curl_mime_data_cb man page
- darwinssl: add support for TLSv1.3
- build: fix --disable-crypto-auth
- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
- strtoofft: Remove extraneous null check
- multi_cleanup: call DONE on handles that never got that
- tests: added flaky keyword to tests 587 and 644
- pingpong: return error when trying to send without connection
- remove_handle: call multi_done() first, then clear dns cache pointer
- mime: be tolerant about setting the same header list twice in a part
- mime: improve unbinding top multipart from easy handle
- mime: avoid resetting a part's encoder when part's contents change
- mime: refuse to add subparts to one of their own descendants
- RTSP: avoid integer overflow on funny RTSP responses
- curl: don't pass semicolons when parsing Content-Disposition
- openssl: enable PKCS12 support for !BoringSSL
- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
- CURLOPT_XFERINFODATA.3: fix duplicate see also
- test298: verify --ftp-method nocwd with URL encoded path
- FTP: URL decode path for dir listing in nocwd mode
- smtp_done: fix memory leak on send failure
- ftpserver: support case insensitive commands
- test950: verify SMTP with custom request
- openssl: don't use old BORINGSSL_YYYYMM macros
- setopt: update current connection SSL verify params
- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
- curl: reimplement stdin buffering in -F option
- mime: keep "text/plain" content type if user-specified
- mime: fix the content reader to handle >16K data properly
- configure: remove the C++ compiler check
- memdebug: trace send, recv and socket
- runtests: use valgrind for torture as well
- ldap: silence clang warning
- makefile.m32: allow to override gcc, ar and ranlib
- setopt: avoid integer overflows when setting millisecond values
- setopt: range check most long options
- ftp: reject illegal IP/port in PASV 227 response
- mime: do not reuse previously computed multipart size
- vtls: change struct Curl_ssl `close' field name to `close_one'
- os400: add missing symbols in config file
- mime: limit base64-encoded lines length to 76 characters
- mk-ca-bundle: Remove URL for aurora
- mk-ca-bundle: Fix URL for NSS
New in cURL 7.56.0 (Oct 14, 2017)
- Changes:
- curl: enable compression for SCP/SFTP with --compressed-ssh
- libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
- vtls: added dynamic changing SSL backend with curl_global_sslset()
- new MIME API, curl_mime_init() and friends
- openssl: initial SSLKEYLOGFILE implementation
- Bug fixes:
- FTP: zero terminate the entry path even on bad input
- examples/ftpuploadresume.c: use portable code
- runtests: match keywords case insensitively
- travis: build the examples too
- strtoofft: reduce integer overflow risks globally
- zsh.pl: produce a working completion script again
- cmake: remove dead code for CURL_DISABLE_RTMP
- progress: Track total times following redirects
- configure: fix --disable-threaded-resolver
- cmake: remove dead code for DISABLED_THREADSAFE
- configure: fix clang version detection
- darwinssl: fix error: variable length array used
- travis: add metalink to some osx builds
- configure: check for __builtin_available() availability
- http_proxy: fix build error for CURL_DOES_CONVERSIONS
- examples/ftpuploadresume: checksrc compliance
- ftp: fix CWD when doing multicwd then nocwd on same connection
- system.h: remove all CURL_SIZEOF_* defines
- http: Don't wait on CONNECT when there is no proxy
- system.h: check for __ppc__ as well
- http2_recv: return error better on fatal h2 errors
- scripts/contri*sh: use "git log --use-mailmap"
- tftp: fix memory leak on too long filename
- system.h: fix build for hppa
- cmake: enable picky compiler options with clang and gcc
- makefile.m32: add support for libidn2
- curl: turn off MinGW CRT's globbing
- request-target.d: mention added in 7.55.0
- curl: shorten and clean up CA cert verification error message
- imap: support PREAUTH
- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
- examples/threaded-ssl: mention that this is for openssl before 1.1
- winbuild: fix embedded manifest option
- tests: Make sure libtests & unittests call curl_global_cleanup()
- system.h: include sys/poll.h for AIX
- darwinssl: handle long strings in TLS certs
- strtooff: fix build for systems with long long but no strtoll
- asyn-thread: Improved cleanup after OOM situations
- HELP-US.md: "How to get started helping out in the curl project"
- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
- unit1301: fix error message on first test
- ossfuzz: moving towards the ideal integration
- http: fix a memory leakage in checkrtspprefix()
- examples/post-callback: stop returning one byte at a time
- schannel: return CURLE_SSL_CACERT on failed verification
- MAIL-ETIQUETTE: added "1.9 Your emails are public"
- http-proxy: treat all 2xx as CONNECT success
- openssl: use OpenSSL's default ciphers by default
- runtests.pl: support attribute "nonewline" in part verify/upload
- configure: remove --enable-soname-bump and SONAME_BUMP
- travis: add c-ares enabled builds linux + osx
- vtls: fix WolfSSL 3.12 build problems
- http-proxy: when not doing CONNECT, that phase is done immediately
- configure: fix curl_off_t check's include order
- configure: use -Wno-varargs on clang 3.9[.X] debug builds
- rtsp: do not call fwrite() with NULL pointer FILE *
- mbedtls: enable CA path processing
- travis: add build without HTTP/SMTP/IMAP
- checksrc: verify more code style rules
- HTTP proxy: on connection re-use, still use the new remote port
- tests: add initial gssapi test using stub implementation
- rtsp: Segfault when using WRITEDATA
- docs: clarify the CURLOPT_INTERLEAVE* options behavior
- non-ascii: use iconv() with 'char **' argument
- server/getpart: provide dummy function to build conversion enabled
- conversions: fix several compiler warnings
- openssl: add missing includes
- schannel: Support partial send for when data is too large
- socks: fix incorrect port number in SOCKS4 error message
- curl: fix integer overflow in timeout options
- travis: on mac, don't install openssl or libidn
- cookies: reject oversized cookies instead of truncating
- cookies: use lock when using CURLINFO_COOKIELIST
- curl: check fseek() return code and bail on error
- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
- openssl: only verify RSA private key if supported
- tests: make the imap server not verify user+password
- imap: quote atoms properly when escaping characters
- tests: fix a compiler warning in test 643
- file_range: avoid integer overflow when figuring out byte range
- curl.h: include on cygwin too
- reuse_conn: don't copy flags that are known to be equal
- http: fix adding custom empty headers to repeated requests
- docs: clarify the use of environment variables for proxy
- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
- connect: fix race condition with happy eyeballs timeout
- cookie: fix memory leak if path was set twice in header
- vtls: compare and clone ssl configs properly
- proxy: read the "no_proxy" variable only if necessary
New in cURL 7.53.1 (Feb 24, 2017)
- Bug fixes:
- cyassl: fix typo
- url: Improve CURLOPT_PROXY_CAPATH error handling
- urldata: include curl_sspi.h when Windows SSPI is enabled
- formdata: check for EOF when reading from stdin
- tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
- url: Default the proxy CA bundle location to CURL_CA_BUNDLE
- rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
New in cURL 7.53.0 (Feb 22, 2017)
- Changes:
- unix_socket: added --abstract-unix-socket and CURLOPT_ABSTRACT_UNIX_SOCKET
- CURLOPT_BUFFERSIZE: support enlarging receive buffer
- Bug fixes:
- CVE-2017-2629: make SSL_VERIFYSTATUS work again
- gnutls-random: check return code for failed random
- openssl-random: check return code when asking for random
- http: remove "Curl_http_done: called premature" message
- cyassl: use time_t instead of long for timeout
- build-wolfssl: Sync config with wolfSSL 3.10
- ftp-gss: check for init before use
- configure: accept --with-libidn2 instead
- ftp: failure to resolve proxy should return that error code
- curl.1: add three more exit codes
- docs/ciphers: link to our own new page about ciphers
- vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
- darwinssl: fix iOS build
- darwinssl: fix CFArrayRef leak
- cmake: use crypt32.lib when building with OpenSSL on windows
- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
- digest_sspi: copy terminating NUL as well
- curl: fix --remote-time incorrect times on Windows
- curl.1: several updates and corrections
- content_encoding: change return code on a failure
- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
- docs: TCP_KEEPALIVE start and interval default to 60
- darwinssl: --insecure overrides --cacert if both settings are in use
- TheArtOfHttpScripting: grammar
- CIPHERS.md: document GSKit ciphers
- wolfssl: support setting cipher list
- wolfssl: display negotiated SSL version and cipher
- lib506: fix build for Open Watcom
- asiohiper: improved socket handling
- examples: make the C++ examples follow our code style too
- tests/sws: retry send() on EWOULDBLOCK
- cmake: Fix passing _WINSOCKAPI_ macro to compiler
- smtp: Fix STARTTLS denied error message
- imap/pop3: don't print response character in STARTTLS denied messages
- rand: make it work without TLS backing
- url: fix parsing for when 'file' is the default protocol
- url: allow file://X:/path URLs on windows again
- gnutls: check for alpn and ocsp in configure
- IDN: Use TR46 'non-transitional' for toASCII translations
- url: Fix NO_PROXY env var to work properly with --proxy option
- CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
- docs: Add note about libcurl copying strings to CURLOPT_* manpages
- curl: reset the easy handle at --next
- --next docs: --trace and --trace-ascii are also global
- --write-out docs: 'time_total' is not always shown with ms precision
- http: print correct HTTP string in verbose output when using HTTP/2
- docs: improved language in README.md HISTORY.md CONTRIBUTE.md
- http2: disable server push if not requested
- nss: use the correct lock in nss_find_slot_by_name()
- usercertinmem.c: improve the short description
- CURLOPT_CONNECT_TO: Fix compile warnings
- docs: non-blocking SSL handshake is now supported with NSS
- *.rc: escape non-ASCII/non-UTF-8 character for clarity
- mbedTLS: fix multi interface non-blocking handshake
- PolarSSL: fix multi interface non-blocking handshake
- VC: remove the makefile.vc6 build infra
- telnet: fix windows compiler warnings
- cookies: do not assume a valid domain has a dot
- polarssl: fix hangs
- gnutls: disable TLS session tickets
- mbedtls: disable TLS session tickets
- mbedtls: implement CTR-DRBG and HAVEGE random generators
- openssl: Don't use certificate after transferring ownership
- cmake: Support curl --xattr when built with cmake
- OS400: Fix symbols
- docs: Add more HTTPS proxy documentation
- docs: use more HTTPS links
- cmdline-opts: Fixed build and test in out of source tree builds
- CHANGES.0: removed
- schannel: Remove incorrect SNI disabled message
- darwinssl: Avoid parsing certificates when not in verbose mode
- test552: Fix typos
- telnet: Fix typos
- transfer: only retry nobody-requests for HTTP
- http2: reset push header counter fixes crash
- nss: make FTPS work with --proxytunnel
- test1139: Added the --manual keyword since the manual is required
- polarssl, mbedtls: Fix detection of pending data
- http_proxy: Fix tiny memory leak upon edge case connecting to proxy
- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
- curl.1: ftp.sunet.se is no longer an FTP mirror
- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
- http2: fix memory-leak when denying push streams
- configure: Allow disabling pthreads, fall back on Win32 threads
- curl: fix typo in time condition warning message
- axtls: adapt to API changes
- tool_urlglob: Allow a glob range with the same start and stop
- winbuild: add note on auto-detection of MACHINE in Makefile.vc
- http: fix missing 'Content-Length: 0' while negotiating auth
- proxy: fix hostname resolution and IDN conversion
- docs: fix timeout handling in multi-uv example
- digest_sspi: Fix nonce-count generation in HTTP digest
- sftp: improved checks for create dir failures
- smb: use getpid replacement for windows UWP builds
- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
New in cURL 7.51.0 (Nov 2, 2016)
- Changes:
- nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
- New option: CURLOPT_KEEP_SENDING_ON_ERROR
- Bug fixes:
- CVE-2016-8615: cookie injection for other servers
- CVE-2016-8616: case insensitive password comparison
- CVE-2016-8617: OOB write via unchecked multiplication
- CVE-2016-8618: double-free in curl_maprintf
- CVE-2016-8619: double-free in krb5 code
- CVE-2016-8620: glob parser write/read out of bounds
- CVE-2016-8621: curl_getdate read out of bounds
- CVE-2016-8622: URL unescape heap overflow via integer truncation
- CVE-2016-8623: Use-after-free via shared cookies
- CVE-2016-8624: invalid URL parsing with '#'
- CVE-2016-8625: IDNA 2003 makes curl use wrong host
- openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
- LICENSE-MIXING.md: update with mbedTLS dual licensing
- examples/imap-append: Set size of data to be uploaded
- test2048: fix url
- darwinssl: disable RC4 cipher-suite support
- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
- openssl: don't call CRYPTO_cleanup_all_ex_data
- libressl: fix version output
- easy: Reset all statistical session info in curl_easy_reset
- curl_global_cleanup.3: don't unload the lib with sub threads running
- dist: add CurlSymbolHiding.cmake to the tarball
- docs: Remove that --proto is just used for initial retrieval
- configure: Fixed builds with libssh2 in a custom location
- curl.1: --trace supports % for sending to stderr!
- cookies: same domain handling changed to match browser behavior
- formpost: trying to attach a directory no longer crashes
- CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
- formpost: avoid silent snprintf() truncation
- ftp: fix Curl_ftpsendf
- mprintf: return error on too many arguments
- smb: properly check incoming packet boundaries
- GIT-INFO: remove the Mac 10.1-specific details
- resolve: add error message when resolving using SIGALRM
- cmake: add nghttp2 support
- dist: remove PDF and HTML converted docs from the releases
- configure: disable poll() in macOS builds
- vtls: only re-use session-ids using the same scheme
- pipelining: skip to-be-closed connections when pipelining
- win: fix Universal Windows Platform build
- curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
- maketgz: make it support "only" generating version info
- Curl_socket_check: add extra check to avoid integer overflow
- gopher: properly return error for poll failures
- curl: set INTERLEAVEDATA too
- polarssl: clear thread array at init
- polarssl: fix unaligned SSL session-id lock
- polarssl: reduce #ifdef madness with a macro
- curl_multi_add_handle: set timeouts in closure handles
- configure: set min version flags for builds on mac
- INSTALL: converted to markdown => INSTALL.md
- curl_multi_remove_handle: fix a double-free
- multi: fix infinite loop in curl_multi_cleanup()
- nss: fix tight loop in non-blocking TLS handshake over proxy
- mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- mbedtls: stop using deprecated include file
- docs: fix req->data in multi-uv example
- configure: Fix test syntax for monotonic clock_gettime
- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
New in cURL 7.50.3 (Sep 14, 2016)
- Bug fixes:
- CVE-2016-7167: escape and unescape integer overflows
- mk-ca-bundle.pl: use SHA256 instead of SHA1
- checksrc: detect strtok() use
- errors: new alias CURLE_WEIRD_SERVER_REPLY
- http2: support > 64bit sized uploads
- openssl: fix bad memory free (regression)
- CMake: hide private library symbols
- http: refuse to pass on response body when NO_BODY is set
- cmake: fix curl-config --static-libs
- mbedtls: switch off NTLM in build if md4 isn't available
- curl: --create-dirs on windows groks both forward and backward slashes
New in cURL 7.50.2 (Sep 14, 2016)
- Bug fixes:
- mbedtls: Added support for NTLM
- SSH: fixed SFTP/SCP transfer problems
- multi: make Curl_expire() work with 0 ms timeouts
- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- TFTP: Fix upload problem with piped input
- CURLOPT_TCP_NODELAY: now enabled by default
- mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
- http2: always wait for readable socket
- cmake: Enable win32 large file support by default
- cmake: Enable win32 threaded resolver by default
- winbuild: Avoid setting redundant CFLAGS to compile commands
- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
- docs: make more markdown files use .md extension
- docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
- winbuild: Allow changing C compiler via environment variable CC
- rtsp: accept any RTSP session id
- HTTP: retry failed HEAD requests on reused connections too
- configure: add zlib search with pkg-config
- openssl: accept subjectAltName iPAddress if no dNSName match
- MANUAL: Remove invalid link to LDAP documentation
- socks: improved connection procedure
- proxy: reject attempts to use unsupported proxy schemes
- proxy: bring back use of "Proxy-Connection:"
- curl: allow "pkcs11:" prefix for client certificates
- spnego_sspi: fix memory leak in case *outlen is zero
- SOCKS: improve verbose output of SOCKS5 connection sequence
- SOCKS: display the hostname returned by the SOCKS5 proxy server
- http/sasl: Query authentication mechanism supported by SSPI before using
- sasl: Don't use GSSAPI authentication when domain name not specified
- win: Basic support for Universal Windows Platform apps
- nss: fix incorrect use of a previously loaded certificate from file
- nss: work around race condition in PK11_FindSlotByName()
- ftp: fix wrong poll on the secondary socket
- openssl: build warning-free with 1.1.0 (again)
- HTTP: stop parsing headers when switching to unknown protocols
- test219: Add http as a required feature
- TLS: random file/egd doesn't have to match for conn reuse
- schannel: Disable ALPN for Wine since it is causing problems
- http2: make sure stream errors don't needlessly close the connection
- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- darwinssl: --cainfo is intended for backward compatibility only
- speed caps: not based on average speeds anymore
- configure: make the cpp -P detection not clobber CPPFLAGS
- http2: use named define instead of magic constant in read callback
- http2: skip the content-length parsing, detect unknown size
- http2: return EOF when done uploading without known size
- darwinssl: test for errSecSuccess in PKCS12 import rather than noErr
- openssl: fix CURLINFO_SSL_VERIFYRESULT
New in cURL 7.50.1 (Aug 3, 2016)
- Bug fixes:
- TLS: switch off SSL session id when client cert is used
- TLS: only reuse connections with the same client cert
- curl_multi_cleanup: clear connection pointer for easy handles
- include the CURLINFO_HTTP_VERSION man page into the release tarball
- include the http2-server.pl script in the release tarball
- test558: fix test by stripping file paths from FD lines
- spnego: Corrected misplaced * in Curl_auth_spnego_cleanup() declaration
- tests: Fix for http/2 feature
- cmake: Fix for schannel support
- curl.h: make public types void * again
- win32: fix a potential memory leak in Curl_load_library
- travis: fix OSX build by re-installing libtool
- mbedtls: Fix debug function name
New in cURL 7.50.0 (Jul 21, 2016)
- Changes:
- http: add CURLINFO_HTTP_VERSION and %{http_version}
- Bug fixes:
- memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- openssl: fix build with OPENSSL_NO_COMP
- mbedtls: removed unused variables
- cmake: Added missing mbedTLS support
- URL parser: allow URLs to use one, two or three slashes
- curl: fix -q [regression]
- openssl: Use correct buffer sizes for error messages
- curl: fix SIGSEGV while parsing URL with too many globs
- schannel: add CURLOPT_CERTINFO support
- vtls: fix ssl session cache race condition
- http: Fix HTTP/2 connection reuse [regression]
- checksrc: Add LoadLibrary to the banned functions list
- schannel: Disable ALPN on Windows < 8.1
- configure: occasional ignorance of --enable-symbol-hiding with GCC
- http2: test17xx are the first real HTTP/2 tests
- resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- curl_multi_socket_action.3: rewording
- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- cmake: Fix build with winldap
- openssl: fix cert check with non-DNS name fields present
- curl.1: mention the units for the progress meter
- openssl: use more 'const' to fix build warnings with 1.1.0 branch
- cmake: now using BUILD_TESTING=ON/OFF
- vtls: Only call add/getsession if session id is enabled
- headers: forward declare CURL, CURLM and CURLSH as structs
- configure: improve detection of CA bundle path on FreeBSD
- SFTP: set a generic error when no SFTP one exists
- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- conn: don't free easy handle data in handler->disconnect
- cookie.c: Fix misleading indentation
- library: Fix memory leaks found during static analysis
- CURLMOPT_SOCKETFUNCTION.3: fix typo
- curl_global_init: moved the "IPv6 works" check here
- connect: disable TFO on Linux when using SSL
- vauth: Fixed memory leak due to function returning without free
- winbuild: fix embedded manifest option
New in cURL 7.49.1 (May 30, 2016)
- Bug fixes:
- Windows: prevent DLL hijacking, CVE-2016-4802
- dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
- schannel: fix compile break with MSVC XP toolset
- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- dist: include curl_multi_socket_all.3
- http2: use HTTP/2 in the HTTP/1.1-alike response
- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- libcurl.m4: Avoid obsolete warning
- winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- curl_multibyte: fix compiler error
- openssl: cleanup must free compression methods (memory leak)
- mbedtls: fix includes so snprintf() works
- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- contributors.sh: better grep pattern and show GitHub username
- ssh: fix build for libssh2 before 1.2.6
- curl_share_setopt.3: Add min ver needed for ssl session lock
New in cURL 7.49.0 (May 18, 2016)
- Changes:
- schannel: Add ALPN support
- SSH: support CURLINFO_FILETIME
- SSH: new CURLOPT_QUOTE command "statvfs"
- wolfssl: Add ALPN support
- http2: added --http2-prior-knowledge
- http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
- libcurl: added CURLOPT_CONNECT_TO
- curl: added --connect-to
- libcurl: added CURLOPT_TCP_FASTOPEN
- curl: added --tcp-fastopen
- curl: remove support for --ftpport, --http-request and --socks
- Bug fixes:
- CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
- checksrc.bat: Updated the help to be consistent with generate.bat
- checksrc.bat: Added support for scanning the tests and examples
- openssl: fix ERR_remove_thread_state() for boringssl/libressl
- openssl: boringssl provides the same numbering as openssl
- multi: fix "Operation timed out after" timer
- url: don't use bad offset in tld_check_name to show error
- sshserver.pl: use quotes for given options
- Makefile.am: skip the scripts dir
- curl: warn for --capath use if not supported by libcurl
- http2: fix connection reuse
- GSS: make Curl_gss_log_error more verbose
- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
- wolfssl: Use ECC supported curves extension
- openssl: Fix compilation warnings
- Curl_add_buffer_send: avoid possible NULL dereference
- SOCKS5_gssapi_negotiate: don't assume little-endian ints
- strerror: don't bit shift a signed integer
- url: Corrected get protocol family for FTP and LDAP
- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- upload: missing rewind call could make libcurl hang
- IMAP: check pointer before dereferencing it
- build: Changed the Visual Studio projects warning level from 3 to 4
- checksrc: now stricter, wider checks, code cleaned up
- checksrc: added docs/CHECKSRC.md
- curl_sasl: Fixed potential null pointer utilisation
- krb5: Fixed missing client response when mutual authentication enabled
- krb5: Only process challenge when present
- krb5: Only generate a SPN when it's not known
- formdata: use appropriate fopen() macros
- curl.1: -w filename_effective was introduced in 7.26.0
- http2: make use of the nghttp2 error callback
- http2: fix connection reuse when PING comes after last DATA
- curl.1: change example for -F
- HTTP2: Add a space character after the status code
- curl.1: use example.com more
- mbedtls.c: changed private prefix to mbed_
- mbedtls: implement and provide *_data_pending() to avoid hang
- mbedtls: fix MBEDTLS_DEBUG builds
- ftp/imap/pop3/smtp: Allow the service name to be overridden
- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- build: include scripts/ in the dist
- http2: Add handling stream level error
- http2: Improve header parsing
- makefile.vc6: use d suffix on debug object
- configure: remove check for libresolve
- scripts/make: use $(EXEEXT) for executables
- checksrc: got rid of the whitelist files
- sendf: added ability to call recv() before send() as workaround
- NTLM: check for NULL pointer before dereferencing
- openssl: builds with OpenSSL 1.1.0-pre5
- configure: ac_cv_ -> curl_cv_ for all cached vars
- winbuild: add mbedtls support
- curl: make --ftp-create-dirs retry on failure
- PolarSSL: implement public key pinning
- multi: accidentally used resolved host name instead of proxy
- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
- CONNECT_ONLY: don't close connection on GSS 401/407 responses
- opts: Fix some syntax errors in example code fragments
- mbedtls: Fix session resume
- test1139: verifies libcurl option man page presence
- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- curl: make --disable work as long form of -q
- curl: use --telnet-option as documented
- curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
- curl: -h output lacked --proxy-header and --ntlm-wb
- curl -J: make it work even without http:// scheme on URL
- lib: include curl_printf.h as one of the last headers
- tests: handle path properly on Msys/Cygwin
- curl.1: --mail-rcpt can be used multiple times
- CURLOPT_ACCEPT_ENCODING.3: clarified
- docs: fixed lots of broken man page references
- tls: make setting pinnedkey option fail if not supported
- test1140: run nroff-scan to verify man pages
- http: make sure a blank header overrides accept_decoding
- connections: do not reuse non-HTTP proxies on different ports
- connect: fix invalid "Network is unreachable" errors
- TLS: move the ALPN/NPN enable bits to the connection
- TLS: SSL_peek is not a const operation
- http2: Add space between colon and header value
- darwinssl: fix certificate verification disable on OS X 10.8
- mprintf: Fix processing of width and prec args
- ftp wildcard: segfault due to init only in multi_perform
New in cURL 7.48.0 (Mar 23, 2016)
- Changes:
- configure: --with-ca-fallback: use built-in TLS CA fallback
- TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- added CODE_STYLE.md
- Bug fixes:
- Proxy-Connection: stop sending this header by default
- os400: sync ILE/RPG definitions with latest public header files
- cookies: allow spaces in cookie names, cut off trailing spaces
- tool_urlglob: Allow reserved dos device names (Windows)
- openssl: remove most BoringSSL #ifdefs
- tool_doswin: Support for literal path prefix \\?
- mbedtls: fix ALPN usage segfault
- mbedtls: fix memory leak when destroying SSL connection data
- nss: do not count enabled cipher-suites
- examples/cookie_interface.c: add cleanup call
- examples: adhere to curl code style
- curlx_tvdiff: handle 32bit time_t overflows
- dist: ship buildconf.bat too
- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- generate.bat: Fix comment bug by removing old comments
- test1604: Add to Makefile.inc so it gets run
- gtls: fix for builds lacking encrypted key file support
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- cookie: do not refuse cookies to localhost
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
- http: Don't break the header into chunks if HTTP/2
- http2: don't decompress gzip decoding automatically
- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- curl.1: add a missing dash
- curl.1: HTTP headers for --cookie must be Set-Cookie style
- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- curl_sasl: Fix memory leak in digest parser
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- CURLOPT_DEBUGFUNCTION.3: Fix example
- runtests: Fixed usage of %PWD on MinGW64
- tests/sshserver.pl: use RSA instead of DSA for host auth
- multi_remove_handle: keep the timeout list until after disconnect
- Curl_read: check for activated HTTP/1 pipelining, not only requested
- configure: warn on invalid ca bundle or path
- file: try reading from files with no size
- getinfo: Add support for mbedTLS TLS session info
- formpost: fix memory leaks in AddFormData error branches
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- url: if Curl_done is premature then pipeline not in use
- cookie: remove redundant check
- cookie: Don't expire session cookies in remove_expired
- makefile.m32: fix to allow -ssh2-winssl combination
- checksrc.bat: Fixed cannot find perl if installed but not in path
- build-openssl.bat: Fixed cannot find perl if installed but not in path
- mbedtls: fix user-specified SSL protocol version
- makefile.m32: add missing libs for static -winssl-ssh2 builds
- test46: change cookie expiry date
- pipeline: Sanity check pipeline pointer before accessing it
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
- ftp_done: clear tunnel_state when secondary socket closes
- opt-docs: fix heading macros
- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- curl_multi_wait: never return -1 in 'numfds'
- url.c: fix clang warning: no newline at end of file
- krb5: improved type handling to avoid clang compiler warnings
- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
- multi hash: ensure modulo performed on curl_socket_t
- curl: glob_range: no need to check unsigned variable for negative
- easy: add check to malloc() when running event-based
- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- version: thread safety
- openssl: verbose: show matching SAN pattern
- openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
- formdata.c: Fixed compilation warning
- configure: use cpp -P when needed
- imap.c: Fixed compilation warning with /Wall enabled
- config-w32.h: Fixed compilation warning when /Wall enabled
- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
- build: Added missing Visual Studio filter files for VC10 onwards
- easy: Remove poll failure check in easy_transfer
- mbedtls: fix compiler warning
- build-wolfssl: Update VS properties for wolfSSL v3.9.0
- Fixed various compilation warnings when verbose strings disabled
- sshserver: remove use of AuthorizedKeysFile2
New in cURL 7.47.1 (Feb 8, 2016)
- Bug fixes:
- getredirect.c: fix variable name
- tool_doswin: silence unused function warning
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
- curl.1: Explain remote-name behavior if file already exists
- tool_operate: Don't sanitize --output path (Windows)
- URLs: change all http:// URLs to https:// in documentation & comments
- sasl_sspi: Fix memory leak in domain populate
- COPYING: clarify that Daniel is not the sole author
- examples/htmltitle: Use _stricmp on Windows
- examples/asiohiper: Avoid function name collision on Windows
- idn_win32: Better error checking
- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- curl save files: check for backslashes on cygwin
New in cURL 7.47.0 (Jan 27, 2016)
- Changes:
- version: Add flag CURL_VERSION_PSL for libpsl
- http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
- curl: use 2TLS by default
- curl --expect100-timeout: added
- Add .dir-locals and set c-basic-offset to 2 (for emacs)
- Bug fixes:
- curl: avoid local drive traversal when saving file on Windows
- NTLM: do not reuse proxy connections without diff proxy credentials
- tests: Disable the OAUTHBEARER tests when using a non-default port number
- curl: remove keepalive #ifdef checks done on libcurl's behalf
- formdata: Check if length is too large for memory
- lwip: Fix compatibility issues with later versions
- openssl: BoringSSL doesn't have CONF_modules_free
- config-win32: Fix warning HAVE_WINSOCK2_H undefined
- build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
- http2: Fix hanging paused stream
- scripts/Makefile: fix GNUism and survive no perl
- openssl: adapt to 1.1.0+ name changes
- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- HTTP2.md: spell fix and remove TODO now implemented
- setstropt: const-correctness
- cyassl: fix compiler warning on type conversion
- gskit: Fix host subject altname verification
- http2: Support trailer fields
- wolfssl: handle builds without SSLv3 support
- cyassl: deal with lack of *get_peer_certificate
- sockfilt: do not wait on unreliable file or pipe handle
- make: build zsh script even in an out-of-tree build
- test 1326: fix getting stuck on Windows
- test 87: fix file check on Windows
- configure: allow static builds on mingw
- configure: detect IPv6 support on Windows
- ConnectionExists: with *PIPEWAIT, wait for connections
- Makefile.inc: s/curl_SOURCES/CURL_FILES
- test 16: fixed for Windows
- test 252-255: use datacheck mode text for ASCII-mode LISTings
- tftpd server: add Windows support by writing files in binary mode
- ftplistparser: fix handling of file LISTings using Windows EOL
- tests first.c: fix calculation of sleep timeout on Windows
- tests (several): use datacheck mode text for ASCII-mode LISTings
- CURLOPT_RANGE.3: for HTTP servers, range support is optional
- test 1515: add MSYS support by passing a relative path
- curl_global_init.3: Add Windows-specific info for init via DLL
- http2: Fix client write for trailers on stream close
- mbedtls: Fix ALPN support
- connection reuse: IDN host names fixed
- http2: Fix PUSH_PROMISE headers being treated as trailers
- http2: handle the received SETTINGS frame
- http2: Ensure that http2_handle_stream_close is called
- mbedtls: implement CURLOPT_PINNEDPUBLICKEY
- runtests: Add mbedTLS to the SSL backends
- IDN host names: Remove the port number before converting to ACE
- zsh.pl: fail if no curl is found
- scripts: fix zsh completion generation
- scripts: don't generate and install zsh completion when cross-compiling
- lib: Prefix URLs with lower-case protocol names/schemes
- ConnectionExists: only do pipelining/multiplexing when asked
- configure: assume IPv6 works when cross-compiled
- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
- openssl: improved error detection/reporting
- ssh: CURLOPT_SSH_PUBLIC_KEYFILE now treats "" as NULL again
- mbedtls: Fix pinned key return value on fail
- maketgz: generate date stamp with LC_TIME=C
New in cURL 7.46.0 (Dec 10, 2015)
- Changes:
- configure: build silently by default
- cookies: Add support for Public Suffix List with libpsl
- vtls: added support for mbedTLS
- Added CURLOPT_STREAM_DEPENDS
- Added CURLOPT_STREAM_DEPENDS_E
- Added CURLOPT_STREAM_WEIGHT
- Added CURLFORM_CONTENTLEN
- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- Bugfixes:
- des: Fix header conditional for Curl_des_set_odd_parity
- ntlm: get rid of unconditional use of long long
- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
- docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
- http2: Fix http2_recv to return -1 if recv returned -1
- curl_global_init_mem: set function pointers before doing init
- ntlm: error out without 64bit support as the code needs it
- openssl: Fix set up of pkcs12 certificate verification chain
- acinclude: remove PKGCONFIG override
- test1531: cast the size to fix the test on non-largefile builds
- fread_func: move callback pointer from set to state struct
- test1601: fix compilation with --enable-debug and --disable-crypto-auth
- http2: Don't pass uninitialized name+len pairs to nghttp2_submit_request
- curlbuild.h: Fix non-configure compiling to mips and sh4 targets
- tool: Generate easysrc with last cache linked-list
- cmake: Fix for add_subdirectory(curl) use-case
- vtls: fix compiler warning for TLS backends without sha256
- build: fix for MSDOS/djgpp
- checksrc: add crude // detection
- http2: on_frame_recv: trust the conn/data input
- ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
- polarssl/mbedtls: fix name space pollution
- build: Fix mingw ssl gdi32 order
- build: Fix support for PKG_CONFIG
- MacOSX-Framework: sdk regex fix for sdk 10.10 and later
- socks: Fix incorrect port numbers in failed connect messages
- curl.1: -E: s/private certificate/client certificate
- curl.h: s/HTTPPOST_/CURL_HTTPOST_
- curl_formadd: support >2GB files on windows
- http redirects: %-encode bytes outside of ascii range
- rawstr: Speed up Curl_raw_toupper by 40%
- curl_ntlm_core: fix 2 curl_off_t constant overflows.
- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
- tftp tests: verify sent options too
- imap: Don't call imap_atom() when no mailbox specified in LIST command
- imap: Fixed double quote in LIST command when mailbox contains spaces
- imap: Don't check for continuation when executing a CUSTOMREQUEST
- acinclude: Remove check for 16-bit curl_off_t
- BoringSSL: Work with stricter BIO_get_mem_data()
- cmake: Add missing feature macros in config header
- sasl_sspi: fixed unicode build for digest authentication
- sasl_sspi: fix identity memory leak in digest authentication
- unit1602: Fixed failure in torture test
- unit1603: Added unit tests for hash functions
- vtls/openssl: remove unused traces of yassl ifdefs
- openssl: remove #ifdefs for < 0.9.7 support
- typecheck-gcc.h: add some missing options
- curl: mark two more options strings for --libcurl output
- openssl: Free modules on cleanup
- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
- getconnectinfo: Don't call recv(2) if socket == -1
- http2: http_done: don't free already-freed push headers
- zsh completion: Preserve single quotes in output
- os400: Provide options for libssh2 use in compile scripts.
- build: Fix theoretical infinite loops
- pop3: Differentiate between success and continuation responses
- examples: Fixed compilation warnings
- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- CURLOPT_HEADERFUNCTION.3: fix typo
- curl: expanded the -XHEAD warning text
- done: make sure the final progress update is made
- build: Install zsh completion
- RTSP: do not add if-modified-since without timecondition
- curl: Fixed display of URL index in password prompt for --next
- nonblock: fix setting non-blocking mode for Amiga
- http2 push: add missing inits of new stream
- http2: convert some verbose output into debug-only output
- Curl_read_plain: clean up ifdefs that break statements
New in cURL 7.45.0 (Oct 7, 2015)
- Changes:
- added CURLOPT_DEFAULT_PROTOCOL
- added new tool option --proto-default
- getinfo: added CURLINFO_ACTIVESOCKET
- turned CURLINFO_* option docs into stand-alone man pages
- curl: point out unnecessary uses of -X in verbose mode
- Bug fixes:
- curl_global_init_mem.3: Stronger thread safety warning
- buildconf.bat: Fixed issues when run in directories with special chars
- cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
- generate.bat: Fixed issues when run in directories with special chars
- generate.bat: Only call buildconf.bat if it exists
- generate.bat: Added support for generating only the prerequisite files
- curl.1: Document weaknesses in SSLv2 and SSLv3
- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
- docs: Update the redirect protocols disabled by default
- inet_pton.c: Fix MSVC run-time check failure
- CURLMOPT_PUSHFUNCTION.3: fix argument types
- rtsp: support basic/digest authentication
- rtsp: stop reading empty DESCRIBE responses
- travis: Upgrading to container based build
- travis.yml: Add OS X testbot
- FTP: make state machine not get stuck in state
- openssl: handle lack of server cert when strict checking disabled
- configure: change functions to detect openssl (clones)
- configure: detect latest boringssl
- runtests: Allow for spaces in server-verify curl custom path
- http2: on_frame_recv: get a proper 'conn' for the debug logging
- ntlm: mark deliberate switch case fall-through
- http2: remove dead code
- curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
- curl: point out the conflicting HTTP methods if used
- cmake: added Windows SSL support
- curl_easy_{escape,setopt}.3: fix example
- curl_easy_escape.3: escape '\n'
- libcurl.m4: Put braces around empty if body
- buildconf.bat: Fixed double blank line in 'curl manual' warning output
- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
- inet_pton.c: Fix MSVC run-time check failure
- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
- http2: don't pass on Connection: headers
- nss: do not directly access SSL_ImplementedCiphers
- docs: numerous cleanups and spelling fixes
- FTP: do_more: add check for wait_data_conn in upload case
- parse_proxy: reject illegal port numbers
- cmake: IPv6 : disable Unix header check on Windows platform
- winbuild: run buildconf.bat if necessary
- buildconf.bat: fix syntax error
- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
- nss: prevent NSS from incorrectly re-using a session
- libcurl-errors.3: add two missing error codes
- openssl: fix build with < 0.9.8
- openssl: refactor certificate parsing to use OpenSSL memory BIO
- openldap: only part of LDAP query results received
- ssl: add server cert's "sha256//" hash to verbose
- NTLM: Reset auth-done when using a fresh connection
- curl: generate easysrc only on --libcurl
- tests: disable 1801 until fixed
- CURLINFO_TLS_SESSION: always return backend info
- gnutls: Support CURLOPT_KEYPASSWD
- gnutls: Report actual GnuTLS error message for certificate errors
- tests: disable 1510 due to CI-problems on github
- cmake: Put "winsock2.h" before "windows.h" during configure checks
- cmake: Ensure discovered include dirs are considered
- configure: Add missing ')' for CURL_CHECK_OPTION_RT
- build: fix failures with -Wcast-align and -Werror
- FTP: fix uploading ASCII with unknown size
- readwrite_data: set a max number of loops
- http2: avoid superfluous Curl_expire() calls
- http2: set TCP_NODELAY unconditionally
- docs: fix unescaped '\n' in man pages
- openssl: Fix algorithm init to make (gost) engines work
- win32: make recent Borland compilers use long long
- runtests: Fix pid check in checkdied
- gopher: don't send NUL byte
- tool_setopt: fix c_escape truncated octal
- hiperfifo: fix the pointer passed to WRITEDATA
- getinfo: Fix return code for unknown CURLINFO options
New in cURL 7.44.0 (Aug 12, 2015)
- Changes:
- http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
- examples: added http2-serverpush.c
- http2: added curl_pushheader_byname() and curl_pushheader_bynum()
- docs: added CODE_OF_CONDUCT.md
- curl: Add --ssl-no-revoke to disable certificate revocation checks
- libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
- makefile: Added support for VC14
- build: Added Visual Studio 2015 (VC14) project files
- build: Added wolfSSL configurations to VC10+ project files
- Bug fixes:
- FTP: fix HTTP CONNECT logic regression
- openssl: Fix build with openssl < ~ 0.9.8f
- openssl: fix build with BoringSSL
- curl_easy_setopt.3: option order doesn't matter
- openssl: fix use of uninitialized buffer
- RTSP: removed dead code
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
- curl: always provide negotiate/kerberos options
- cookie: Fix bug in export if any-domain cookie is present
- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
- INSTALL: Advise use of non-native SSL for Windows = for TLSv1
- HTTP: POSTFIELDSIZE set after added to multi handle
- SSL-PROBLEMS: mention WinSSL problems in WinXP
- setup-vms.h: Symbol case fixups
- SSL: Pinned public key hash support
- libtest: call PR_Cleanup() on exit if NSPR is used
- ntlm_wb: Fix theoretical memory leak
- runtests: Allow for spaces in curl custom path
- http2: add stream != NULL checks for reliability
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
- http2: verify success of strchr() in http2_send()
- configure: add --disable-rt option
- openssl: work around MSVC warning
- HTTP: ignore "Content-Encoding: compress"
- configure: check if OpenSSL linking wants -ldl
- build-openssl.bat: Show syntax if required args are missing
- test1902: attempt to make the test more reliable
- libcurl-thread.3: Consolidate thread safety info
- maketgz: Fixed some VC makefiles missing from the release tarball
- libcurl-multi.3: mention curl_multi_wait
- ABI doc: use secure URL
- http: move HTTP/2 cleanup code off http_disconnect()
- libcurl-thread.3: Warn memory functions must be thread safe
- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
- docs: formpost needs the full size at start of upload
- curl_gssapi: remove 'const' to fix compiler warnings
- SSH: three state machine fixups
- libcurl.3: fix a single typo
- generate.bat: Only clean prerequisite files when in ALL mode
- curl_slist_append.3: add error checking to the example
- buildconf.bat: Added support for file clean-up via -clean
- generate.bat: Use buildconf.bat for prerequisite file clean-up
- NTLM: handle auth for only a single request
- curl_multi_remove_handle.3: fix formatting
- checksrc.bat: Fixed error when [directory] isn't a curl source directory
- checksrc.bat: Fixed error when missing *.c and *.h files
- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
- test46: update cookie expire time
- SFTP: fix range request off-by-one in size check
- CMake: fix GSSAPI builds
- build: refer to fixed libidn versions
- http2: discard frames with no SessionHandle
- curl_easy_recv.3: fix formatting
- libcurl-tutorial.3: fix formatting
- curl_formget.3: correct return code
New in cURL 7.43.0 (Jun 18, 2015)
- Changes:
- Added CURLOPT_PROXY_SERVICE_NAME
- Added CURLOPT_SERVICE_NAME
- New curl option: --proxy-service-name
- New curl option: --service-name
- New curl option: --data-raw
- Added CURLOPT_PIPEWAIT
- Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
- HTTP/2: requires nghttp2 1.0.0 or later
- scripts: add zsh.pl for generating zsh completion
- curl.h: add CURL_HTTP_VERSION_2
- Bug fixes:
- CVE-2015-3236: lingering HTTP credentials in connection re-use
- CVE-2015-3237: SMB send off unrelated memory contents
- nss: fix compilation failure with old versions of NSS
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
- Curl_ossl_init: load builtin modules
- configure: follow-up fix for krb5-config
- sasl_sspi: Populate domain from the realm in the challenge
- netrc: support 'default' token
- README: convert to UTF-8
- cyassl: Implement public key pinning
- nss: implement public key pinning for NSS backend
- mingw build: add arch -m32/-m64 to LDFLAGS
- schannel: Fix out of bounds array
- configure: remove autogenerated files by autoconf
- configure: remove --automake from libtoolize call
- acinclude.m4: fix shell test for default CA cert bundle/path
- schannel: fix regression in schannel_recv
- openssl: skip trace outputs for ssl_ver == 0
- gnutls: properly retrieve certificate status
- netrc: Read in text mode when cygwin
- winbuild: Document the option used to statically link the CRT
- FTP: Make EPSV use the control IP address rather than the original host
- FTP: fix dangling conn->ip_addr dereference on verbose EPSV
- conncache: keep bundles on host+port bases, not only host names
- runtests.pl: use 'h2c' now, no -14 anymore
- curlver: introducing new version number (checking) macros
- openssl: boringssl build breakage, use SSL_CTX_set_msg_callback
- CURLOPT_POSTFIELDS.3: correct variable names
- curl_easy_unescape.3: update RFC reference
- gnutls: don't fail on non-fatal alerts during handshake
- testcurl.pl: allow source to be in an arbitrary directory
- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
- SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
- parse_proxy: switch off tunneling if non-HTTP proxy
- share_init: fix OOM crash
- perl: remove subdir, not touched in 9 years
- CURLOPT_COOKIELIST.3: Add example
- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
- FAQ: How do I port libcurl to my OS?
- openssl: Use TLS_client_method for OpenSSL 1.1.0+
- HTTP-NTLM: fail auth on connection close instead of looping
- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
- curl_getdate.3: update RFC reference
- curl_multi_info_read.3: added example
- curl_multi_perform.3: added example
- curl_multi_timeout.3: added example
- cookie: Stop exporting any-domain cookies
- openssl: remove dummy callback use from SSL_CTX_set_verify()
- openssl: remove SSL_get_session()-using code
- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
- openssl: removed error string #ifdef
- openssl: Fix verification of server-sent legacy intermediates
- docs: man page indentation and syntax fixes
- docs: Spelling fixes
- fopen.c: fix a few compiler warnings
- CURLOPT_OPENSOCKETFUNCTION: return error at once
- schannel: Add support for optional client certificates
- build: Properly detect OpenSSL 1.0.2 when using configure
- urldata: store POST size in state.infilesize too
- security:choose_mech remove dead code
- rtsp_do: remove dead code
- docs: many HTTP URIs changed to HTTPS
- schannel: schannel_recv overhaul
New in cURL 7.42.1 (Apr 29, 2015)
- Bug fixes:
- CURLOPT_HEADEROPT: default to separate
- dist: include {src,lib}/checksrc.whitelist
- connectionexists: fix build without NTLM
- docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
- curl -z: do not write empty file on unmet condition
- openssl: fix serial number output
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- sws: init http2 state properly
- curl.1: fix typo
New in cURL 7.42.0 (Apr 23, 2015)
- Changes:
- openssl: show the cipher selection to use in verbose text
- gtls: implement CURLOPT_CERTINFO
- add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
- curl: add --false-start option
- add CURLOPT_PATH_AS_IS
- curl: add --path-as-is option
- curl: create output file on successful download of an empty file
- Bug fixes:
- ConnectionExists: for NTLM re-use, require credentials to match
- cookie: cookie parser out of boundary memory access
- fix_hostname: zero length host name caused -1 index offset
- http_done: close Negotiate connections when done
- sws: timeout idle CONNECT connections
- nss: improve error handling in Curl_nss_random()
- nss: do not skip Curl_nss_seed() if data is NULL
- curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
- http2: move lots of verbose output to be debug-only
- dist: add extern-scan.pl to the tarball
- http2: return recv error on unexpected EOF
- build: Use default RandomizedBaseAddress directive in VC9+ project files
- build: Removed DataExecutionPrevention directive from VC9+ project files
- tool: Updated the warnf() function to use the GlobalConfig structure
- http2: Return error if stream was closed with other than NO_ERROR
- mprintf.h: remove #ifdef CURLDEBUG
- libtest: fixed linker errors on msvc
- tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
- curl.1: fix "The the" typo
- cmake: handle build definitions CURLDEBUG/DEBUGBUILD
- openssl: remove all uses of USE_SSLEAY
- multi: fix memory-leak on timeout (regression)
- curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
- metalink: add some error checks
- TLS: make it possible to enable ALPN/NPN without HTTP/2
- http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
- conncontrol: only log changes to the connection bit
- multi: fix *getsock() with CONNECT
- symbols.pl: handle '-' in the deprecated field
- MacOSX-Framework: use @rpath instead of @executable_path
- GnuTLS: add support for CURLOPT_CAPATH
- GnuTLS: print negotiated TLS version and full cipher suite name
- GnuTLS: don't print double newline after certificate dates
- memanalyze.pl: handle free(NULL)
- proxy: re-use proxy connections (regression)
- mk-ca-bundle: Don't report SHA1 numbers with "-q"
- http: always send Host: header as first header
- openssl: sort ciphers to use based on strength
- openssl: use colons properly in the ciphers list
- http2: detect premature close without data transferred
- hostip: Fix signal race in Curl_resolv_timeout
- closesocket: call multi socket cb on close even with custom close
- mksymbolsmanpage.pl: use std header and generate better nroff header
- connect: Fix happy eyeballs logic for IPv4-only builds
- curl_easy_perform.3: remove superfluous close brace from example
- HTTP: don't use Expect: headers when on HTTP/2
- Curl_sh_entry: remove unused 'timestamp'
- docs/libcurl: makefile portability fix
- mkhelp: Remove trailing carriage return from every line of input
- nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
- curl_easy_setopt.3: added a few missing options
- metalink: fix resource leak in OOM
- axtls: version 1.5.2 now requires that config.h be manually included
- HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
- cyassl: detect the library as renamed wolfssl
- CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
- CURLOPT_URL.3: Added "SECURITY CONCERNS"
- openssl: try to avoid accessing OCSP structs when possible
- test938: added missing closing tags
- testcurl: Allow '=' in values given on command line
- tests/certs: added make target to rebuild certificates
- tests/certs: rebuild certificates with modified key usage bits
- gtls: avoid uninitialized variable
- gtls: dereferencing NULL pointer
- gtls: add check of return code
- test1513: eliminated race condition in test run
- dict: rename byte to avoid compiler shadowed declaration warning
- curl_easy_recv/send: make them work with the multi interface
- vtls: fix compile with --disable-crypto-auth but with SSL
- openssl: adapt to ASN1/X509 things gone opaque in 1.1
- openssl: verifystatus: only use the OCSP work-around
New in cURL 7.41.0 (Feb 25, 2015)
- Changes:
- NetWare build: added TLS-SRP enabled build
- winbuild: Added option to build with c-ares
- Added --cert-status
- Added CURLOPT_SSL_VERIFYSTATUS
- sasl: implement EXTERNAL authentication mechanism
- Bug fixes:
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
- FTP: fix IPv6 host using link-local address
- FTP: if EPSV fails on IPV6 connections, bail out
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
- NSS: fix compiler error when built http2-enabled
- mingw build: allow to pass custom CFLAGS
- add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
- curl_schannel.c: mark session as removed from cache if not freed
- Curl_pretransfer: reset expected transfer sizes
- curl.h: remove extra space
- curl_endian: Fixed build when 64-bit integers are not supported
- checksrc.bat: Better detection of Perl installation
- build-openssl.bat: Added check for Perl installation
- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
- http_negotiate: Added empty decoded challenge message info text
- vtls: Removed unimplemented overrides of curlssl_close_all()
- sasl_gssapi: Fixed memory leak with local SPN variable
- http_negotiate: Use dynamic buffer for SPN generation
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
- openssl: do public key pinning check independently
- timeval: typecast for better type (on Amiga)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
- SASL: common URL option and auth capabilities decoders for all protocols
- BoringSSL: fix build
- BoringSSL: detected by configure, switches off NTLM
- openvms: Handle openssl/0.8.9zb version parsing
- configure: detect libressl
- configure: remove detection of the old yassl emulation API
- curl_setup: Disable SMB/CIFS support when HTTP only
- imap: remove automatic password setting: it breaks external sasl authentication
- sasl: remove XOAUTH2 from default enabled authentication mechanism
- runtests: identify BoringSSL and libressl
- security: avoid compiler warning
- ldap: build with BoringSSL
- des: Added Curl_des_set_odd_parity()
- CURLOPT_SEEKFUNCTION.3: also when server closes a connection
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
- build: Removed unused Visual Studio bscmake settings
- build: Enabled DEBUGBUILD in Visual Studio debug builds
- build: Renamed top level Visual Studio solution files
- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
- libcurl-symbols: first basic shot for autogenerated docs
- Makefile.am: fix 'make distcheck'
- getpass_r: read from stdin, not stdout!
- getpass: protect include with proper #ifdef
- opts: CURLOPT_CAINFO availability depends on SSL engine
- more cleanup of 'CURLcode result' return code
- MD4: replace implementation
- MD5: replace implementation
- openssl: SSL_SESSION->ssl_version no longer exist
- md5: use axTLS's own MD5 functions when available
- schannel: Removed curl_ prefix from source files
- curl.1: add warning when using -H and redirects
- curl.1: clarify that -X is used for all requests
- gskit: Fix exclusive SSLv3 option
- polarssl: Fix exclusive SSL protocol version options
- http2: Fix bug that associated stream canceled on PUSH_PROMISE
- ftp: accept all 2xx responses to the PORT command
- configure: allow both --with-ca-bundle and --with-ca-path
- cmake: install the dll file to the correct directory
- nss: fix NPN/ALPN protocol negotiation
- polarssl: fix ALPN protocol negotiation
- cmake: Fix generation of tool_hugehelp.c on windows
- cmake: fix winsock2 detection on windows
- gnutls: fix build with HTTP2
- connect: fix a spurious connect failure on dual-stacked hosts
- test: test 530 is now less timing dependent
- telnet: invalid use of custom read function if not set
New in cURL 7.39.0 (Nov 10, 2014)
- Changes:
- SSLv3 is disabled by default
- CURLOPT_COOKIELIST: Added "RELOAD" command
- build: Added WinIDN build configuration options to Visual Studio projects
- ssh: improve key file search
- SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
- vtls: remove QsoSSL support, use gskit!
- mk-ca-bundle: added SHA-384 signature algorithm
- docs: added many examples for libcurl opts and other doc improvements
- build: Added VC ssh2 target to main Makefile
- MinGW: Added support to build with nghttp2
- NetWare: Added support to build with nghttp2
- build: added Watcom support to build with WinSSL
- build: Added optional specific version generation of VC project files
- Bug fixes:
- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
- openssl: build fix for versions < 0.9.8e
- newlines: fix mixed newlines to LF-only
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
- sasl_sspi: Fixed Unicode build
- file: reject paths using embedded
- threaded-resolver: revert Curl_expire_latest() switch
- configure: allow --with-ca-path with PolarSSL too
- HTTP/2: Fix busy loop when EOF is encountered
- CURLOPT_CAPATH: return failure if set without backend support
- nss: do not fail if a CRL is already cached
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
- fixed 20+ nits/memory leaks identified by Coverity scans
- curl_schannel.c: Fixed possible memory or handle leak
- multi-uv.c: call curl_multi_info_read() better
- cmake: Check for OpenSSL before OpenLDAP
- cmake: Fix library list provided to cURL tests
- cmake: Avoid cycle directory dependencies
- cmake: Build with GSS-API libraries (MIT or Heimdal)
- vtls: provide backend defines for internal source code
- nss: fix a connection failure when FTPS handle is reused
- tests/http_pipe.py: Python 3 support
- cmake: build tool_hugehelp (ENABLE_MANUAL)
- cmake: enable IPv6 by default if available
- tests: move TESTCASES to Makefile.inc, add show for cmake
- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
- ntlm: Fixed empty/bad base-64 decoded buffer return codes
- ntlm: Fixed empty type-2 decoded message info text
- cmake: add CMake/Macros.cmake to the release tarball
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
- cmake: use LIBCURL_VERSION from curlver.h
- cmake: generate pkg-config and curl-config
- fixed several superfluous variable assignments identified by cppcheck
- cleanup of 'CURLcode result' return code
- pipelining: only output "is not blacklisted" in debug builds
- SSL: Remove SSLv3 from SSL default due to POODLE attack
- gskit.c: remove SSLv3 from SSL default
- darwinssl: detect possible future removal of SSLv3 from the framework
- ntlm: Only define ntlm data structure when USE_NTLM is defined
- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
- sspi: Only call CompleteAuthToken() when complete is needed
- http_negotiate: Fixed missing check for USE_SPNEGO
- HTTP: return larger than 3 digit response codes too
- openssl: Check for NPN / ALPN via OpenSSL version number
- openssl: enable NPN separately from ALPN
- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
- resume: consider a resume from
- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
- build-openssl.bat: Fix x64 release build
- cmake: drop _BSD_SOURCE macro usage
- cmake: fix gethostby{addr,name}_r in CurlTests
- cmake: clean OtherTests, fixing -Werror
- cmake: fix struct sockaddr_storage check
- Curl_single_getsock: fix hold/pause sock handling
- SSL: PolarSSL default min SSL version TLS 1.0
- cmake: fix ZLIB_INCLUDE_DIRS use
- buildconf: stop checking for libtool
New in cURL 7.38.0 (Sep 10, 2014)
- Changes:
- supports HTTP/2 draft-14
- CURLE_HTTP2 is a new error code
- CURLAUTH_NEGOTIATE is a new auth define
- CURL_VERSION_GSSAPI is a new capability bit
- no longer use fbopenssl for anything
- schannel: use CryptGenRandom for random numbers
- axtls: define curlssl_random using axTLS's PRNG
- cyassl: use RNG_GenerateBlock to generate a good random number
- findprotocol: show unsupported protocol within quotes
- version: detect and show LibreSSL
- version: detect and show BoringSSL
- imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
- http2: requires nghttp2 0.6.0 or later
- Bugfixes:
- SECURITY ADVISORY: cookie leak with IP address as domain
- SECURITY ADVISORY: cookie leak for TLDs
- fix a build failure on Debian when NSS support is enabled
- HTTP/2: fixed compiler warnings when built disabled
- cyassl: return the correct error code on no CA cert
- http: Deprecate GSS-Negotiate macros due to bad naming
- http: Fixed Negotiate: authentication
- multi: Improve proxy CONNECT performance (regression)
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
- url.c: use the preferred symbol name: *READDATA
- smtp: fixed a segfault during test 1320 torture test
- cyassl: made it compile with version 2.0.6 again
- nss: do not check the version of NSS at run time
- c-ares: fix build without IPv6 support
- HTTP/2: use base64url encoding
- SSPI Negotiate: Fix 3 memory leaks
- libtest: fixed duplicated line in Makefile
- conncache: fix compiler warning
- openssl: make ossl_send return CURLE_OK better
- HTTP/2: Support expect: 100-continue
- HTTP/2: Fix infinite loop in readwrite_data()
- parsedate: fix the return code for an overflow edge condition
- darwinssl: don't use strtok()
- http_negotiate_sspi: Fixed specific username and password not working
- openssl: replace call to OPENSSL_config
- http2: show the received header for better debugging
- HTTP/2: Move :authority before non-pseudo header fields
- HTTP/2: Reset promised stream, not its associated stream
- HTTP/2: added some more logging for debugging stream problems
- ntlm: Added support for SSPI package info query
- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
- sasl_sspi: Fixed memory leak with not releasing Package Info struct
- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
- sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
- http_negotiate_sspi: Use a dynamic buffer for SPN generation
- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
- sasl_sspi: Fixed hard coded buffer for response generation
- Curl_poll + Curl_wait_ms: fix timeout return value
- docs/SSLCERTS: update the section about NSS database
- create_conn: prune dead connections
- openssl: fix version report for the 0.9.8 branch
- mk-ca-bundle.pl: switched to using hg.mozilla.org
- http: fix the Content-Range: parser
- Curl_disconnect: don't free the URL
- win32: Fixed WinSock 2 #if
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
- curl.1: clarify --limit-rate's effect on both directions
- disconnect: don't touch easy-related state on disconnects
- Cmake: big cleanup and numerous fixes
- HTTP/2: supports draft-14 - moved :headers before the non-pseudo headers
- configure.ac: Add support for recent GSS-API implementations for HP-UX
- CONNECT: close proxy connections that fail
- CURLOPT_NOBODY.3: clarify this option is for downloads
- darwinssl: fix CA certificate checking using PEM format
- resolve: cache lookup for async resolvers
- low-speed-limit: avoid timeout flood
- polarssl: implement CURLOPT_SSLVERSION
- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
- curl_multi_cleanup: remove superfluous NULL assigns
- polarssl: support CURLOPT_CAPATH / --capath
- progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly
New in cURL 7.37.1 (Jul 17, 2014)
- Changes:
- bits.close: introduce connection close tracking
- darwinssl: Add support for --cacert
- polarssl: add ALPN support
- docs: Added new option man pages
- Bug fixes:
- build: Fixed incorrect reference to curl_setup.h in Visual Studio files
- build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
- curl.1: clarify that -u can't specify a user with colon
- openssl: Fix uninitialized variable use in NPN callback
- curl_easy_reset: reset the URL
- curl_version_info.3: returns a pointer to a static struct
- url-parser: only use if_nametoindex if detected by configure
- select: with winsock, avoid passing unsupported arguments to select()
- gnutls: don't use deprecated type names anymore
- gnutls: allow building with nghttp2 but without ALPN support
- tests: Fix portability issue with the tftpd server
- curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
- curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
- random: use Curl_rand() for proper random data
- Curl_ossl_init: call OPENSSL_config for initing engines
- config-win32.h: Updated for VC12
- winbuild: Don't USE_WINSSL when WITH_SSL is being used
- getinfo: HTTP CONNECT code not reset between transfers
- Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
- http2: avoid segfault when using the plain-text http2
- conncache: move the connection counter to the cache struct
- http2: better return code error checking
- curlbuild: fix GCC build on SPARC systems without configure script
- tool_metalink: Support polarssl as digest provider
- curl.h: reverse the enum/define setup for old symbols
- curl.h: moved two really old deprecated symbols
- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
- buildconf: do not search tools in current directory.
- OS400: make it compilable again. Make RPG binding up to date
- nss: do not abort on connection failure (failing tests 305 and 404)
- nss: make the fallback to SSLv3 work again
- tool: prevent valgrind from reporting possibly lost memory (nss only)
- progress callback: skip last callback update on errors
- nss: fix a memory leak when CURLOPT_CRLFILE is used
- compiler warnings: potentially uninitialized variables
- url.c: Fixed memory leak on OOM
- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
- gnutls: fix SRP support with versions of GnuTLS from 2.99.0
- gnutls: fixed a couple of uninitialized variable references
- gnutls: fixed compilation against versions < 2.12.0
- build: Fixed overridden compiler PDB settings in VC7 to VC12
- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
- netrc: don't abort if home dir cannot be found
- netrc: fixed thread safety problem by using getpwuid_r if available
- cookie: avoid mutex deadlock
- configure: respect host tool prefix for krb5-config
- gnutls: handle IP address in cert name check
New in cURL 7.37.0 (May 21, 2014)
- Changes:
- URL parser: IPv6 zone identifiers are now supported
- CURLOPT_PROXYHEADER: set headers for proxy-only
- CURLOPT_HEADEROPT: added
- curl: add --proxy-header
- sasl: Added support for DIGEST-MD5 via Windows SSPI
- sasl: Added DIGEST-MD5 qop-option validation in native challenge handling
- imap: Expanded mailbox SEARCH support to use URL query strings
- imap: Extended FETCH support to include PARTIAL URL specifier
- nss: implement non-blocking SSL handshake
- build: Reworked Visual Studio project files
- poll: enable poll on darwin13
- mk-ca-bundle: added -p
- libtests: add a wait_ms() function
- Bug fixes:
- mkhelp: generate code for --disable-manual as well
- hostcheck: added a system include to define struct in_addr
- winbuild: added warnless.c to fix build
- Makefile.vc6: added warnless.c to fix build
- smtp: Fixed login denied when server doesn't support AUTH capability
- smtp: Fixed login denied with a RFC-821 based server
- curl: stop interpreting IPv6 literals as glob patterns
- http2: remove _DRAFT09 from the NPN_HTTP2 enum
- http2: let openssl mention the exact protocol negotiated
- http2+openssl: fix compiler warnings in ALPN using code
- ftp: in passive data connect wait for happy eyeballs sockets
- HTTP: don't send Content-Length: 0 _and_ Expect: 100-continue
- http2: Compile with current nghttp2, which supports h2-11
- http_negotiate_sspi: Fixed compilation when USE_HTTP_NEGOTIATE not defined
- strerror: fix comment about vxworks' strerror_r buffer size
- url: only use if_nametoindex() if IFNAMSIZ is available
- imap: Fixed untagged response detection when no data after command
- various: fix possible dereference of null pointer
- various: fix use of uninitialized variable
- various: fix use of non-null terminated strings
- telnet.c: check sscanf results before passing them to snprintf
- parsedate.c: check sscanf result before passing it to strlen
- sockfilt.c: free memory in case of memory allocation errors
- sockfilt.c: ignore non-key-events and continue waiting for input
- sockfilt.c: properly handle disk files, pipes and character input
- sockfilt.c: fixed getting stuck waiting for MinGW stdin pipe
- sockfilt.c: clean up threaded approach and add documentation
- configure: use the nghttp2 path correctly with pkg-config
- curl_global_init_mem: bump initialized even if already initialized
- gtls: fix NULL pointer dereference
- cyassl: Use error-ssl.h when available
- handler: make 'protocol' always specified as a single bit
- INFILESIZE: fields in UserDefined must not be changed run-time
- openssl: biomem->data is not zero terminated
- config-win32.h: Fixed HAVE_LONGLONG for Visual Studio .NET 2003 and up
- curl_ntlm_core: Fixed use of long long for VC6 and VC7
- SNI: strip off a single trailing dot from host name
- curl: bail on cookie use when built with disabled cookies
- curl_easy_setopt.3: added the proto for CURLOPT_SSH_KNOWNHOSTS
- curl_multi_cleanup: ignore SIGPIPE better
- schannel: don't use the connect-timeout during send
- mprintf: allow %.s with data not being zero terminated
- tool_help: Fixed missing --login-options option
- configure: Don't set LD_LIBRARY_PATH when cross-compiling
- http: auth failure on duplicated 'WWW-Authenticate: Negotiate' header
- cacertinmem: fix memory leak
- lib1506: make sure the transfers are not within the same ms
- Makefile.b32: Fixed for vtls changes
- sasl: Fixed missing qop in the client's challenge-response message
- openssl: unbreak PKCS12 support
- darwinssl: fix potential crash with a P12 file
- timers: fix timer regression involving redirects / reconnects
- CURLINFO_SSL_VERIFYRESULT: made more reliable
- HTTP: fixed connection re-use
- configure: add SPNEGO to supported features
- configure: add GSS-API to supported features
- ALPN: fix typo in http/1.1 identifier
- http2: make connection re-use work
New in cURL 7.36.0 (Mar 31, 2014)
- Changes:
- ntlm: Added support for NTLMv2
- tool: Added support for URL specific options
- openssl: add ALPN support
- gtls: add ALPN support
- nss: add ALPN and NPN support
- added CURLOPT_EXPECT_100_TIMEOUT_MS
- tool: add --no-alpn and --no-npn
- added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
- winssl: enable TLSv1.1 and TLSv1.2 by default
- winssl: TLSv1.2 disables certificate signatures using MD5 hash
- winssl: enable hostname verification of IP address using SAN or CN
- darwinssl: Don't omit CN verification when an IP address is used
- http2: build with current nghttp2 version
- polarssl: dropped support for PolarSSL < 1.3.0
- openssl: info message with SSL version used
- Bug fixes:
- SECURITY ADVISORY: wrong re-use of connections
- SECURITY ADVISORY: IP address wildcard certificate validation
- SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
- SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
- nss: allow to use ECC ciphers if NSS implements them
- netrc: Fixed a memory leak in an OOM condition
- ftp: fixed a memory leak on wildcard error path
- pipeline: Fixed a NULL pointer dereference on OOM
- nss: prefer highest available TLS version
- 100-continue: fix timeout condition
- ssh: Fixed a NULL pointer dereference on OOM condition
- formpost: use semicolon in multipart/mixed
- --help: add missing --tlsv1.x options
- formdata: Fixed memory leak on OOM condition
- ConnectionExists: reusing possible HTTP+NTLM connections better
- mingw32: fix compilation
- chunked decoder: track overflows correctly
- curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
- dict: fix memory leak in OOM exit path
- valgrind: added suppression on optimized code
- curl: output protocol headers using binary mode
- tool: Added URL index to password prompt for multiple operations
- ConnectionExists: re-use non-NTLM connections better
- axtls: call ssl_read repeatedly
- multi: make MAXCONNECTS default 4 x number of easy handles function
- configure: Fix the --disable-crypto-auth option
- multi: ignore SIGPIPE internally
- curl.1: update the description of --tlsv1
- SFTP: skip reading the dir when NOBODY=1
- easy: Fixed a memory leak on OOM condition
- tool: Fixed incorrect return code when setting HTTP request fails
- configure: Tiny fix to honor POSIX
- tool: Do not output libcurl source for the information only parameters
- Rework Open Watcom make files to use standard Wmake features
- x509asn: moved out Curl_verifyhost from NSS builds
- configure: call it GSS-API
- hostcheck: Curl_cert_hostcheck is not used by NSS builds
- multi_runsingle: move timestamp into INIT
- remote_port: allow connect to port 0
- parse_remote_port: error out on illegal port numbers better
- ssh: Pass errors from libssh2_sftp_read up the stack
- docs: remove documentation on setting up krb4 support
- polarssl: build fixes to work with PolarSSL 1.3.x
- polarssl: fix possible handshake timeout issue in multi
- nss: allow to enable/disable cipher-suites better
- ssh: prevent a logic error that could result in an infinite loop
- http2: free resources on disconnect
- polarssl: avoid extra newlines in debug messages
- rtsp: parse "Session:" header properly
- trynextip: don't store 'ai' on failed connects
- Curl_cert_hostcheck: strip trailing dots in host name and wildcard
New in cURL 7.34.0 (Jan 7, 2014)
- Changes:
- SSL: protocol version can be specified more precisely
- imap/pop3/smtp: Added graceful cancellation of SASL authentication
- Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
- base64: Added validation of base64 input strings when decoding
- curl_easy_setopt: Added the ability to set the login options separately
- smtp: Added support for additional SMTP commands
- curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
- nss: allow to use TLS > 1.0 if built against recent NSS
- SECURITY: added this document to describe our security processes
- parseconfig: warn if unquoted white spaces are detected
- Bug fixes:
- SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
- darwinssl: un-break iOS build after PKCS#12 feature added
- tool: use XFERFUNCTION to save some casts
- usercertinmem: fix memory leaks
- ssh: Handle successful SSH_USERAUTH_NONE
- NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
- test906: Fixed failing test on some platforms
- sasl: initialize NSS before using NTLM crypto
- sasl: Fixed memory leak in OAUTH2 message creation
- imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
- cmake: unbreak for non-Windows platforms
- ssh: initialize per-handle data in ssh_connect()
- glob: fix broken URLs
- configure: check for long long when building with cyassl
- CURLOPT_RESOLVE: mention they don't time-out
- docs/examples/httpput.c: fix build for MSVC
- FTP: make the data connection work when going through proxy
- NSS: support for CERTINFO feature
- curl_multi_wait: accept 0 from multi_timeout() as valid timeout
- glob_range: pass the closing bracket for a-z ranges
- tool_help: Updated --list-only description to include POP3
- Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
- cmake: fix Windows build with IPv6 support
- ares: Fixed compilation under Visual Studio 2012
- curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
- curl.1: mention that -O does no URL decoding
- darwinssl: PKCS#12 import feature now requires Lion or later
- darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
- configure: Fix test with -Werror=implicit-function-declaration
- sigpipe: factor out sigpipe_reset from easy.c
- curl_multi_cleanup: ignore SIGPIPE
- globbing: curl glob counter mismatch with {} list use
- parseconfig: dash options can't be specified with colon or equals
- digest: fix CURLAUTH_DIGEST_IE
- curl.h: for OpenBSD
- darwinssl: Fix #if 10.6.0 for SecKeychainSearch
- TFTP: fix return codes for connect timeout
- login options: remove the ;[options] support from CURLOPT_USERPWD
- imap: Fixed incorrect fallback to clear text authentication
- parsedate: avoid integer overflow
- curl.1: document -J doesn't %-decode
- multi: add timer inaccuracy margin to timeout/connecttimeout
New in cURL 7.33.0 (Oct 18, 2013)
- Changes:
- test code for testing the event based API
- CURLM_ADDED_ALREADY: new error code
- test TFTP server: support "writedelay" within
- krb4 support has been removed
- imap/pop3/smtp: added basic SASL XOAUTH2 support
- darwinssl: add support for PKCS#12 files for client authentication
- darwinssl: enable BEAST workaround on iOS 7 & later
- Pass password to OpenSSL engine by user interface
- c-ares: Add support for various DNS binding options
- cookies: add expiration
- curl: added --oauth2-bearer option
- Bugfixes:
- nss: make sure that NSS is initialized
- curl: make --no-[option] work properly for several options
- FTP: with socket_action send better socket updates in active mode
- curl: fix the --sasl-ir in the --help output
- tests 2032, 2033: Don't hardcode port in expected output
- urlglob: better detect unclosed braces, empty lists and overflows
- urlglob: error out on range overflow
- imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
- handle arbitrary-length username and password
- TFTP: make the CURLOPT_LOW_SPEED* options work
- curl.h: name space pollution by "enum type"
- multi: move on from STATE_DONE faster
- FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
- multi_socket: improved 100-continue timeout handling
- curl_multi_remove_handle: allow multiple removes
- FTP: fix getsock during DO_MORE state
- -x: rephrased the --proxy section somewhat
- acinclude: fix --without-ca-path when cross-compiling
- LDAP: fix bad free() when URL parsing failed
- --data: mention CRLF treatment when reading from file
- curl_easy_pause: suggest one way to unpause
- imap: Fixed calculation of transfer when partial FETCH received
- pingpong: Check SSL library buffers for already read data
- imap/pop3/smtp: Speed up SSL connection initialization
- libcurl.3: for multi interface connections are held in the multi handle
- curl_easy_setopt.3: mention RTMP URL quirks
- curl.1: detail how short/long options work
- curl.1: Added information about optional login options to --user option
- curl: Added clarification to the --mail options in the --help output
- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
- openssl: use correct port number in error message
- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
- xattr: add support for FreeBSD xattr API
- win32: fix Visual Studio 2010 build with WINVER >= 0x600
- configure: use icc options without space
- test1112: Increase the timeout from 7s to 16s
- SCP: upload speed on a fast connection limited to 16384 B/s
- curl_setup_once: fix errno access for lwip on Windows
- HTTP: Output http response 304 when modified time is too old
New in cURL 7.32.0 (Aug 19, 2013)
- Changes:
- curl: allow timeouts to accept decimal values
- OS400: add slist and certinfo EBCDIC support
- OS400: new SSL backend GSKit
- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
- LIBCURL-STRUCTS: new document
- Bugfixes:
- dotdot: introducing dot file path cleanup
- docs: fix typo in curl_easy_getinfo manpage
- test1230: avoid using hard-wired port number
- test1396: invoke the correct test tool
- SIGPIPE: ignored while inside the library
- darwinssl: fix crash that started happening in Lion
- OpenSSL: check for read errors, don't assume
- c-ares: improve error message on failed resolve
- printf: make sure %x are treated unsigned
- formpost: better random boundaries
- url: restore the functionality of 'curl -u :'
- curl.1: fix typo in --xattr description
- digest: improve nonce generation
- configure: automake 1.14 compatibility tweak
- curl.1: document the --post303 option in the man page
- curl.1: document the --sasl-ir option in the man page
- setup-vms.h: sk_pop symbol tweak
- tool_paramhlp: try harder to catch negatives
- cmake: Fix for MSVC2010 project generation
- asyn-ares: Don't blank ares servers if none configured
- curl_multi_wait: set revents for extra fds
- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()"
- ftp_do_more: consider DO_MORE complete when server connects back
- curl_easy_perform: gradually increase the delay time
- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
- curl: fix upload of a zip file in OpenVMS
- build: fix linking on Solaris 10
- curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
- curl_formadd: fix file upload on VMS
- curl_easy_pause: on unpause, trigger multi-socket handling
- md5 & metalink: use better build macros on Apple operating systems
- darwinssl: fix build error in crypto authentication under Snow Leopard
- curl: make --progress-bar update the line less frequently
- configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
- mk-ca-bundle: skip more untrusted certificates
- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
- FTP: when EPSV gets a 229 but fails to connect, retry with PASV
- mk-ca-bundle.1: don't install on make install
- VMS: lots of updates and fixes of the build procedure
- global dns cache: didn't work (regression)
- global dns cache: fix memory leak
New in cURL 7.31.0 (Jul 1, 2013)
- Changes:
- darwinssl: add TLS session resumption
- darwinssl: add TLS crypto authentication
- imap/pop3/smtp: Added support for ;auth= in the URL
- imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
- usercertinmem.c: add example showing user cert in memory
- url: Added smtp and pop3 hostnames to the protocol detection list
- imap/pop3/smtp: Added support for enabling the SASL initial response
- curl -E: allow to use ':' in certificate nicknames
- Bug fixes:
- SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer [26]
- FTP: access files in root dir correctly
- configure: try pthread_create without -lpthread
- FTP: handle a 230 welcome response
- curl-config: don't output static libs when they are disabled
- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
- Various documentation updates
- getinfo.c: reset timecond when clearing session-info variables
- FILE: prevent an artificial timeout event due to stale speed-check data
- ftp_state_pasv_resp: connect through proxy also when set by env
- sshserver: disable StrictHostKeyChecking
- ftpserver: Fixed imap logout confirmation data
- curl_easy_init: use less mallocs
- smtp: Fixed unknown percentage complete in progress bar
- smtp: Fixed sending of double CRLF caused by first in EOB
- bindlocal: move brace out of #ifdef
- winssl: Fixed invalid memory access during SSL shutdown
- OS X framework: fix invalid symbolic link
- OpenSSL: allow empty server certificate subject
- axtls: prevent memleaks on SSL handshake failures
- cookies: only consider full path matches
- Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
- Curl_cookie_add: handle IPv6 hosts
- ossl_send: SSL_write() returning 0 is an error too
- ossl_recv: SSL_read() returning 0 is an error too
- Digest auth: escape user names with backslash or " in them
- curl_formadd.3: fixed wrong "end-marker" syntax
- libcurl-tutorial.3: fix incorrect backslash
- curl_multi_wait: reduce timeout if the multi handle wants to
- tests/Makefile: typo in the perlcheck target
- axtls: honor disabled VERIFYHOST
- OpenSSL: avoid double free in the PKCS12 certificate code
- multi_socket: reduce timeout inaccuracy margin
- digest: support auth-int for empty entity body
- axtls: now done non-blocking
- lib1900: use tutil_tvnow instead of gettimeofday
- curl_easy_perform: avoid busy-looping
- CURLOPT_COOKIELIST: take cookie share lock
- multi_socket: react on socket close immediately
New in cURL 7.30.0 (Apr 22, 2013)
- Changes:
- imap: Changed response tag generation to be completely unique
- imap: Added support for SASL-IR extension
- imap: Added support for the list command
- imap: Added support for the append command
- imap: Added custom request parsing
- imap: Added support to the fetch command for UID and SECTION properties
- imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
- darwinssl: Make certificate errors less techy
- imap/pop3/smtp: Added support for the STARTTLS capability
- checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
- Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
- Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELINING_SERVER_BL for new pipelining control
- Bug fixes:
- SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
- darwinssl: Fix build under Leopard
- DONE: consider callback-aborted transfers premature
- ntlm: Fixed memory leaks
- smtp: Fixed an issue when processing EHLO failure responses
- pop3: Fixed incorrect return value from pop3_endofresp()
- pop3: Fixed SASL authentication capability detection
- pop3: Fixed blocking SSL connect when connecting via POP3S
- imap: Fixed memory leak when performing multiple selects
- nss: fix misplaced code enabling non-blocking socket mode
- AddFormData: prevent only directories from being posted
- darwinssl: fix infinite loop if server disconnected abruptly
- metalink: fix improbable crash parsing metalink filename
- show proper host name on failed resolve
- MacOSX-Framework: Make script work in Xcode 4.0 and later
- strlcat: remove function
- darwinssl: Fix send glitchiness with data > 32 or so KB
- polarssl: better 1.1.x and 1.2.x support
- various documentation improvements
- multi: NULL pointer reference when closing an unused multi handle
- SOCKS: fix socks proxy when noproxy matched
- install-sh: updated to support multiple source files as arguments
- PolarSSL: added human readable error strings
- resolver_error: remove wrong error message output
- docs: updates HTML index and general improvements
- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
- sasl: Fixed null pointer reference when decoding empty digest challenge
- easy: do not ignore poll() failures other than EINTR
- darwinssl: disable ECC ciphers under Mountain Lion by default
- CONNECT: count received headers
- build: fixes for VMS
- CONNECT: clear 'rewindaftersend' on success
- HTTP proxy: insert slash in URL if missing
- hiperfifo: updated to use current libevent API
- getinmemory.c: abort the transfer nicely if not enough memory
- improved win32 memorytracking
- corrected proxy header response headers count
- FTP quote operations on re-used connection
- tcpkeepalive on win32
- tcpkeepalive on Mac OS X
- easy: acknowledge the CURLOPT_MAXCONNECTS option properly
- easy interface: restore default MAXCONNECTS to 5
- win32: don't set SO_SNDBUF for windows vista or later versions
- HTTP: made cookie sort function more deterministic
- winssl: Fixed memory leak if connection was not successful
- FTP: wait on both connections during active STOR state
- connect: treat a failed local bind of an interface as a non-fatal error
- darwinssl: disable insecure ciphers by default
- FTP: handle "rubbish" in front of directory name in 257 responses
- mk-ca-bundle: Fixed lost OpenSSL output with "-t"
New in cURL 7.29.0 (Feb 11, 2013)
- Changes:
- test: offer "automake" output and check for perl better
- always-multi: always use non-blocking internals
- imap: Added support for sasl digest-md5 authentication
- imap: Added support for sasl cram-md5 authentication
- imap: Added support for sasl ntlm authentication
- imap: Added support for sasl login authentication
- imap: Added support for sasl plain text authentication
- imap: Added support for login disabled server capability
- mk-ca-bundle: add -f, support passing to stdout and more
- writeout: -w now supports remote_ip/port and local_ip/port
- Bug fixes:
- SECURITY ADVISORY: SASL buffer overflow vulnerability
- nss: prevent NSS from crashing on client auth hook failure
- darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
- SCP: relative path didn't work as documented
- setup_once.h: HP-UX issue workaround
- configure: fix cross pkg-config detection
- runtests: Do not add undefined values to @INC
- build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
- multi: fix re-sending request on early connection close
- HTTP: remove stray CRLF in chunk-encoded content-free request bodies
- build: fix AIX compilation and usage of events/revents
- VC Makefiles: add missing hostcheck
- nss: clear session cache if a client certificate from file is used
- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
- fix HTTP CONNECT tunnel establishment upon delayed response
- --libcurl: fix for non-zero default options
- FTP: reject illegal port numbers in EPSV 229 responses
- build: use per-target '_CPPFLAGS' for those currently using default
- configure: fix automake 1.13 compatibility
- curl: ignore SIGPIPE
- pop3: Added support for non-blocking SSL upgrade
- pop3: Fixed default authentication detection
- imap: Fixed usernames and passwords that contain escape characters
- packages/DOS/common.dj: remove COFF debug info generation
- imap/pop3/smtp: Fixed failure detection during TLS upgrade
- pop3: Fixed no known authentication mechanism when fallback is required
- formadd: reject trying to read a directory where a file is expected
- formpost: support quotes, commas and semicolon in file names
- docs: update the comments about loading CA certs with NSS
- docs: fix typos in man pages
- darwinssl: Fix bug where packets were sometimes transmitted twice
- winbuild: include version info for .dll .exe
- schannel: Removed extended error connection setup flag
- VMS: fix and generate the VMS build config
New in cURL 7.28.1 (Feb 11, 2013)
- Changes:
- metalink/md5: Use CommonCrypto on Apple operating systems
- href_extractor: new example code extracting href elements
- NSS can be used for metalink hashing
- Bug fixes:
- Fix broken libmetalink-aware OpenSSL build
- gnutls: fix the error is fatal logic
- darwinssl: un-broke iOS build, fix error on server disconnect
- asyn-ares: restore functionality with c-ares < 1.6.1
- tlsauthtype: deal with the string case insensitively
- Fixed MSVC libssh2 static build
- evhiperfifo: fix the pointer passed to WRITEDATA
- BUGS: fix the bug tracker URL
- winbuild: Use machine type of development environment
- FTP: prevent the multi interface from blocking
- uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
- httpcustomheader.c: free the headers after use
- fix >2000 bytes POST over NTLM-using proxy
- redirects to URLs with fragments
- don't send '#' fragments when using proxy
- OpenSSL: show full issuer string
- fix HTTP auth regression
- CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
- ftp: EPSV-disable fix over SOCKS
- Digest: Add microseconds into nonce calculation
- SCP/SFTP: improve error code used for send failures
- SSL: Several SSL-backend related fixes
- removed the notorious "additional stuff not fine" debug output
- OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
- FILE: Make upload-writes unbuffered
- custom memory callbacks failure with HTTP proxy (and more)
- TFTP: handle resends
- autoconf: don't force-disable compiler debug option
- winbuild: Fix PDB file output
- test2032: spurious failure caused by premature termination
- memory leak: CURLOPT_RESOLVE with multi interface
New in cURL 7.28.0 (Oct 11, 2012)
- Changes:
- SSH: added agent based authentication
- ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
- multi: add curl_multi_wait()
- metalink: Added support for Microsoft Windows CryptoAPI
- md5: Added support for Microsoft Windows CryptoAPI
- parse_proxy: treat "socks://x" as a socks4 proxy
- socks: Added support for IPv6 connections through SOCKSv5 proxy
- Bug fixes:
- WSAPoll disabled on Windows builds due to its bugs
- segfault on request retries
- curl-config: parentheses fix
- VC build: add define for openssl
- globbing: fix segfault when >9 globs were used
- fixed a few clang-analyzer warnings
- metalink: change code order to build with gnutls-nettle
- gtls: fix build failure by including nettle-specific headers
- change preferred HTTP auth on a handle previously used for another auth
- file: use fdopen() to avoid race condition
- Added DWANT_IDN_PROTOTYPES define for MSVC too
- verbose: fixed (nil) output of hostnames in re-used connections
- metalink: Un-broke the build when building --with-darwinssl
- curl man page cleanup
- Avoid leak of local device string when reusing connection
- Curl_socket_check: fix return code for timeout
- nss: do not print misleading NSS error codes
- configure: remove the --enable/disable-nonblocking options
- darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
- NTLM: re-use existing connection better
- schannel crash on multi and easy handle cleanup
- SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
- mk-ca-bundle: detect start of trust section better
- gnutls: do not fail on non-fatal handshake errors
- SMTP: only send SIZE if supported
- ftpserver: respond with a 250 to SMTP EHLO
- ssh: do not crash if MD5 fingerprint is not provided by libssh2
- winbuild: Added support for building with SPNEGO enabled
- metalink: Fixed validation of binary files containing EOF
- setup.h: fixed for MS VC10 build
- cmake: use standard findxxx modules for cmake v2.8+
- HTTP_ONLY: disable more protocols
- Curl_reconnect_request: clear pointer on failure
- https.c example: remember to call curl_global_init()
- metalink: Filter resource URLs by type
- multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
- curl_schannel: Removed buffer limit and optimized buffer strategy
New in cURL 7.27.0 (Oct 8, 2012)
- Changes:
- nss: use human-readable error messages provided by NSS
- added --metalink for metalink download support
- pop3: Added support for sasl plain text authentication
- pop3: Added support for sasl login authentication
- pop3: Added support for sasl ntlm authentication
- pop3: Added support for sasl cram-md5 authentication
- pop3: Added support for sasl digest-md5 authentication
- pop3: Added support for apop authentication
- Added support for Schannel (Native Windows) SSL/TLS encryption
- Added support for Darwin SSL (Native Mac OS X and iOS)
- http: print reason phrase from HTTP status line on error
- Bugfixes:
- pop3: Fixed the issue of having to supply the user name for all requests
- configure: fix LDAPS disabling related misplaced closing parenthesis
- cmdline: made -D option work with -O and -J
- configure: Fix libcurl.pc and curl-config generation for static MingW* cross builds
- ssl: fix duplicated SSL handshake with multi interface and proxy
- winbuild: Fix Makefile.vc ignoring USE_IPV6 and USE_IDN flags
- OpenSSL: support longer certificate subject names
- openldap: OOM fixes
- log2changes.pl: fix the Version output
- lib554.c: use curl_formadd() properly
- urldata.h: fix cyassl build clash with wincrypt.h
- cookies: changed the URL in the cookiejar headers
- http-proxy: keep CONNECT connections alive (for NTLM)
- NTLM SSPI: fixed to work with unicode user names and passwords
- OOM fix in the curl tool when cloning cmdline options
- fixed some examples to use curl_global_init() properly
- cmdline: stricter numerical option parser
- HTTP HEAD: don't force-close after response-headers
- test231: fix wrong -C use
- docs: switch to proper UTF-8 for text file encoding
- keepalive: DragonFly uses milliseconds
- HTTP Digest: Client's "qop" value should not be quoted
- make distclean works again
New in cURL 7.26.0 (May 26, 2012)
- Changes:
- nss: the minimal supported version of NSS bumped to 3.12.x
- nss: human-readable names are now provided for NSS errors if available
- add a manual page for mk-ca-bundle
- added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
- smtp: Add support for DIGEST-MD5 authentication
- pop3: Added support for additional pop3 commands
- Bug fixes:
- nss: libcurl now uses NSS_InitContext() to prevent collisions if available [1]
- URL parse: reject numerical IPv6 addresses outside brackets
- MD5: fix OOM memory leak
- OpenSSL cert: provide more details when cert check fails
- HTTP: empty chunked POST ended up in two zero size chunks
- fixed a regression when curl resolved to multiple addresses and the first isn't supported [7]
- -# progress meter: avoid superfluous updates and duplicate lines
- headers: surround GCC attribute names with double underscores
- PolarSSL: correct return code for CRL matches
- PolarSSL: include version number in version string
- PolarSSL: add support for asynchronous connect
- mk-ca-bundle: revert the LWP usage
- IPv6 cookie domain: get rid of the first bracket before the second
- connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
- OpenSSL: Made cert hostname check conform to RFC 6125
- HTTP: reset expected DL/UL sizes on redirects
- CMake: fix Windows LDAP/LDAPS option handling
- CMake: fix MS Visual Studio x64 unsigned long long literal suffix
- configure: update detection logic of getaddrinfo() thread-safeness
- configure: check for gethostbyname in the watt lib
- curl-config.1: fix curl-config usage in example
- smtp: Fixed non-escaping of dot character at beginning of line
- MakefileBuild.vc: use the correct IDN variable
- autoconf: improve handling of versioned symbols
- curl.1: clarify -x usage
- curl: shorten user-agent
- smtp: issue with the multi-interface always sending postdata
- compile error with GnuTLS+Nettle fixed
- winbuild: fix IPv6 enabled build
New in cURL 7.25.0 (Mar 23, 2012)
- Changes:
- configure: add option to disable --libcurl output
- --ssl-allow-beast and CURLOPT_SSL_OPTIONS added
- Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE, CURLOPT_TCP_KEEPINTVL
- curl: use new library-side TCP_KEEPALIVE options
- Added a new CURLOPT_MAIL_AUTH option
- Added support for --mail-auth
- --libcurl now also works with -F and more!
- Bug fixes:
- --max-redirs: allow negative numbers as option value
- parse_proxy: bail out on zero-length proxy names
- configure: don't modify LD_LIBRARY_PATH for cross compiles
- curl_easy_reset: reset the referer string
- curl tool: don't abort glob-loop due to failures
- CONNECT: send correct Host: with IPv6 numerical address
- Explicitly link to the nettle/gcrypt libraries
- more resilient connection times among IP addresses
- winbuild: fix IPV6 and IDN options
- SMTP: Fixed error when using CURLOPT_CONNECT_ONLY
- cyassl: update to CyaSSL 2.0.x API
- smtp: Fixed an issue with the EOB checking
- pop3: Fixed drop of final CRLF in EOB checking
- smtp: Fixed an issue with writing postdata
- smtp: Added support for returning SMTP response codes
- CONNECT: fix ipv6 address in the Request-Line
- curl-config: only provide libraries with --libs
- LWIP: don't consider HAVE_ERRNO_H to be winsock
- ssh: tunnel through HTTP proxy if requested
- cookies: strip off [brackets] from numerical ipv6 host names
- libcurl docs: version corrections
- cmake: list_spaces_append_once failure
- resolve with c-ares: don't resolve IPv6 when not working
- smtp: changed error code for EHLO and HELO responses
- parsedate: fix a numeric overflow
New in cURL 7.24.0 (Jan 26, 2012)
- Changes:
- CURLOPT_QUOTE: SFTP supports the '*'-prefix now
- CURLOPT_DNS_SERVERS: set name servers if possible
- Add support for using nettle instead of gcrypt as gnutls backend
- CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
- Added CURLOPT_ACCEPTTIMEOUT_MS
- configure: add symbols versioning option --enable-versioned-symbols
- Bug fixes:
- curl was vulnerable to a data injection attack for certain protocols (CVE-2012-0036)
- curl was vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL
- SSL session share: move the age counter to the share object
- -J -O: use -O name if no Content-Disposition header comes!
- protocol_connect: show verbose connect and set connect time
- query-part: ignore the URI part for given protocols
- gnutls: only translate winsock errors for old versions
- POP3: fix end of body detection
- POP3: detect when LIST returns no mails
- TELNET: improved treatment of options
- configure: add support for pkg-config detection of libidn
- CyaSSL 2.0+ library initialization adjustment
- multi interface: only use non-NULL socket function pointer
- call opensocket callback properly for active FTP
- don't call close socket callback for sockets created with accept()
- differentiate better between host/proxy errors
- SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
- multi: handle timeouts on DNS servers by checking for new sockets
- CURLOPT_DNS_SERVERS: fix return code
- POP3: fixed escaped dot not being stripped out
- OpenSSL: check for the SSLv2 function in configure
- MakefileBuild: fix the static build
- create_conn: don't switch to HTTP protocol if tunneling is enabled
- multi interface: fix block when CONNECT_ONLY option is used
- Fix connection reuse for TLS upgraded connections
- multiple file upload with -F and custom type
- multi interface: active FTP connections are no longer blocking
- Android build fix
- timer: restore PRETRANSFER timing
- libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
- appconnect time fixed for non-blocking connect ssl backends
- do not include SSL handshake into time spent waiting for 100-continue
- handle dns cache case insensitive
- use new host name casing for subsequent HTTP requests
- CURLOPT_RESOLVE: avoid adding already present host names
- SFTP mkdir: use correct permission
- resolve: don't leak pre-populated dns entries
- --retry: Retry transfers on timeout and DNS errors
- negotiate with SSPI backend: use the correct buffer for input
- SFTP dir: increase buffer size counter to avoid cut off file names
- TFTP: fix resending (again)
- c-ares: don't include getaddrinfo-using code
- FTP: CURLE_PARTIAL_FILE will not close the control channel
- win32-threaded-resolver: stop using a dummy socket
- OpenSSL: remove reference to openssl internal struct
- OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
- OpenSSL: fix PKCS#12 certificate parsing related memory leak
- OpenLDAP: fix LDAP connection phase memory leak
- Telnet: Use correct file descriptor for telnet upload
- Telnet: Remove bogus optimisation of telnet upload
- URL parse: user name with ipv6 numerical address
- polarssl: show cipher suite name correctly with 1.1.0
- polarssl: havege_rand is not present in version 1.1.0. WARNING: we still use the old API, which is said to be insecure
- gnutls: enforced use of SSLv3
New in cURL 7.23.1 (Nov 21, 2011)
- Bug fixes:
- Windows: curl would fail if it found no CA cert, unless -k was used, even if a non-SSL protocol URL was used
New in cURL 7.22.0 (Nov 21, 2011)
- Changes:
- Empty headers can be sent in HTTP requests by terminating with a semicolon
- SSL session sharing support added to curl_share_setopt()
- Added support to MAIL FROM for the optional SIZE parameter
- smtp: Added support for NTLM authentication
- curl tool: code split into tool_*.[ch] files
- Bug fixes:
- handle HTTP redirects to "//hostname/path"
- SMTP without --mail-from caused segfault
- prevent extra progress meter headers between multiple files
- allow Content-Length to be replaced when sending HTTP requests
- curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
- curl_multi_fdset: avoid FD_SET out of bounds
- lots of MinGW build tweaks
- Curl_gethostname: return un-qualified machine name
- fixed the openssl version number configure check
- nss: certificates from files are no longer looked up by file base names
- returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
- fix libcurl.m4 to not fail with modern gcc versions
- ftp: improved the failed PORT host name resolved error message
- TFTP timeout and unexpected block adjustments
- HTTP and GOPHER test server-side connection closing adjustments
- fix endless loop upon transport connection timeout
- don't clobber errno on failed connect
- typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
- formdata: ack read callback abort
- make --show-error properly position independent
- set the ipv6-connection boolean correctly on connect
- SMTP: fix end-of-body string escaping
- gtls: only call gnutls_transport_set_lowat with
- HTTP: handle multiple auths in a single WWW-Authenticate line
- curl_multi_fdset: correct fdset with FTP PORT use
- winbuild: fix the static build
- fix builds with GnuTLS version 3
- fix calling of OpenSSL's ERR_remove_state(0)
- HTTP auth: fix proxy Negotiate bug when Negotiate not requested
- ftp PORT: don't hang if bind() fails
- -# would crash on terminals wider than 256 columns
New in cURL 7.21.7 (Jun 25, 2011)
- Changes:
- recognize the [protocol]:// prefix in proxy hosts where the protocol is one of socks4, socks4a, socks5 or socks5h.
- Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA
- Bug fixes:
- SECURITY ADVISORY: inappropriate GSSAPI delegation
- NTLM: work with unicode
- fix connect with SOCKS proxy when using the multi interface
- anyauthput.c: stdint.h must not be included unconditionally
- CMake: improved build
- SCP/SFTP enable non-blocking earlier
- GnuTLS handshake: fix timeout
- cyassl: build without filesystem
- HTTPS over HTTP proxy using the multi interface
- speedcheck: invalid timeout event on a reused handle
- Force connection close for HTTP 200 OK when time condition matched
- curl_formget: fix FILE * leak
- configure: improved OpenSSL detection
- Android build: support gingerbread
- CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
- windows build: use correct MS CRT
- pop3: remove extra space in LIST command
New in cURL 7.21.6 (Apr 23, 2011)
- Changes:
- Added --tr-encoding and CURLOPT_TRANSFER_ENCODING
- Bugfixes:
- curl-config: fix --version
- curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
- use HTTPS properly after CONNECT
- SFTP: close file before post quote operations
New in cURL 7.21.4 (Feb 19, 2011)
- Changes:
- CURLINFO_FTP_ENTRY_PATH now supports SFTP
- introduced new framework for unit-testing
- IDN: use win32 API if told to
- ares: ask for both IPv4 and IPv6 addresses
- HTTP: do Negotiate authentication using SSPI on windows
- Windows build: alternative makefile
- TLS-SRP: support added when using GnuTLS
- Bugfixes:
- SMTP: add brackets for MAIL FROM
- ossl_seed: no more RAND_screen (on Windows)
- multi: connect fail => use next IP address
- use the timeout when using multiple IP addresses similar to how the easy interface does it
- cookies: tricked dotcounter fixed
- pubkey_show: allocate buffer to fit any-size result
- Curl_nss_connect: avoid PATH_MAX
- Curl_do: avoid using stale conn pointer
- tftpd test server: avoid buffer overflow report from glibc
- nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
- nss: fix a bug in handling of CURLOPT_CAPATH
- CMake: Use upstream CheckTypeSize module
- OpenSSL get_cert_chain: support larger data sets
- SCP/SFTP transfers: acknowledge speedcheck
- GnuTLS builds: fix memory leak
- connect problem: use UDP correctly
- Borland C++ makefile tweaks
- OpenSSL: improved error message on SSL_CTX_new failures
- HTTP: memory leak on multiple Location:
- ares_query_completed_cb: don't touch invalid data
- ares: memory leak fix
- mk-ca-bundle: use new cacert url
- Curl_gmtime: added a portable gmtime and check for NULL
- curl.1: typo in -v description
- CURLOPT_SOCKOPTFUNCTION: return proper error code
- --keepalive-time: warn if not supported properly
- file: add support for CURLOPT_TIMECONDITION
- nss: avoid memory leaks and failure of NSS shutdown
- multi: fix CURLM_STATE_TOOFAST for multi_socket
New in cURL 7.21.3 (Dec 17, 2010)
- Changes:
- Added --noconfigure switch to testcurl.pl
- Added --xattr option
- Added CURLOPT_RESOLVE and --resolve
- Added CURLAUTH_ONLY
- Added version-check.pl to the examples dir
- Bugfixes:
- check for libcurl features for some command line options
- Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
- http_chunks: remove debug output
- URL-parsing: consider ? a divider
- SSH: avoid using the libssh2_ prefix
- SSH: use libssh2_session_handshake() to work on win64
- ftp: prevent server from hanging on closed data connection when stopping a transfer before the end of the full transfer (ranges)
- LDAP: detect non-binary attributes properly
- ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
- gnutls->handshake: improved timeout handling
- security: Pass the right parameter to init
- krb5: Use GSS_ERROR to check for error
- TFTP: resend the correct data
- configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
- GnuTLS: now detects socket errors on Windows
- symbols-in-versions: updated en masse
- added a couple examples that were missing from the tar ball
- Curl_send/recv_plain: return errno on failure
- Curl_wait_for_resolv (for c-ares): correct timeout
- ossl_connect_common: detect connection re-use
- configure: Prevent link errors with --librtmp
- openldap: use remote port in URL passed to ldap_init_fd()
- url: provide dead_connection flag in Curl_handler::disconnect
- lots of compiler warning fixes
- ssh: fix a download resume point calculation
- fix getinfo CURLINFO_LOCAL* for reused connections
- multi: the returned running handles counter could turn negative
- multi: only ever consider pipelining for connections doing HTTP(S)
New in cURL 7.21.2 (Oct 13, 2010)
- Changes:
- curl -T: ignore file size of special files
- Added GOPHER protocol support
- Added mk-ca-bundle.vbs script
- c-ares build now requires c-ares >= 1.6.0
- Bug fixes:
- --remote-header-name security vulnerability fixed
- multi: support the timeouts correctly, fixes known bug #62
- multi: use timeouts properly for MAX_RECV/SEND_SPEED
- negotiation: Wrong proxy authorization
- multi: avoid sending multiple complete messages
- cmdline: make -F type= accept ;charset=
- RESUME_FROM: clarify what ftp uploads do
- http: handle trailer headers in all chunked responses
- Curl_is_connected: use correct errno
- Added SSPI build to Watcom makefile
- progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
- linking problem on Fedora 13
- Link curl and the test apps with -lrt explicitly when necessary
- chunky parser: only rewind stream internally if needed
- remote-header-name: don't output filename when NULL
- Curl_timeleft: avoid returning "no timeout" by mistake
- timeout: use the correct start value as offset
- FTP: fix wrong timeout trigger
- buildconf got better output on failures
- rtsp: avoid SIGSEGV on malformed header
- LDAP: Support for tunnelling queries through HTTP proxy
- configure's --enable-werror had a bashism
- test565: Don't hardcode IP:PORT
- configure: check for gcrypt if using GnuTLS
- configure: don't enable RTMP if the lib detect fails
- curl_easy_duphandle: clone the c-ares handle correctly
- MacOSX-Framework: updates for Snowleopard
- support URL containing colon without trailing port number
- parsedate: allow time specified without seconds
- curl_easy_escape: don't escape "unreserved" characters
- SFTP: avoid downloading negative sizes
- Lots of GSS/KRB FTP fixes
- TFTP: Work around tftpd-hpa upload bug
- libcurl.m4: several fixes
- HTTP: remove special case for 416
- examples: use example.com in example URLs
- globbing: fix crash on unbalanced open brace
- cmake: build fixed
New in cURL 7.21.1 (Aug 12, 2010)
- Changes:
- maketgz: produce CHANGES automatically
- added support for NTLM authentication when compiled with NSS
- build: Enable configure --enable-werror
- curl-config: --built-shared returns shared info
- Bugfixes:
- configure: spell --disable-threaded-resolver correctly
- multi: call the progress callback in all states
- multi: unmark handle as used when no longer head of pipeline
- sendrecv: treat all negative values from send/recv as errors
- ftp-wildcard: avoid tight loop when used without any pattern
- multi_socket: re-use of same socket without notifying app
- ftp wildcard: FTP LIST parser FIX
- urlglobbing backslash escaping bug
- build: add enable IPV6 option for the VC makefiles
- multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
- --libcurl: use *_LARGE options with typecasted constants
- --libcurl: hide setopt() calls setting default options
- curl: avoid setting libcurl options to its default
- --libcurl: list the tricky options instead of using [REMARK]
- http: don't enable chunked during authentication negotiations
- upload: warn users trying to upload from stdin with anyauth
- configure: allow environment variables to override internals
- threaded resolver: fix timeout issue
- multi: fix condition that remove timers before trigger
- examples: add curl_multi_timeout
- --retry: access violation with URL part sets continued
- ssh: Fix compile error on 64-bit systems.
- remote-header-name: chop filename at next semicolon
- ftp: response timeout bug in "quote" sending
- CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
- Watcom makefiles overhaul.
- NTLM tests: boost coverage by forcing the hostname
- multi: fix FTPS connecting the data connection with OpenSSL
- retry: consider retrying even if -f is used
- fix SOCKS problem when using multi interface
- typecheck-gcc: add checks for recently added options
- SCP: send large files properly with new enough libssh2
- multi_socket: set timeout for 100-continue
- ";type=" URL suffix over HTTP proxy
- acknowledge progress callback error returns during connect
- Watcom makefile fixes
- runtests: clear old setenv remainders before test
New in cURL 7.21.0 (Jun 16, 2010)
- Changes:
- added the --proto and --proto-redir options
- new configure option --enable-threaded-resolver
- improve TELNET ability with libcurl
- added support for PolarSSL
- added support for FTP wildcard matching and downloads
- added support for RTMP
- introducing new LDAP code for new enough OpenLDAP
- OpenLDAP support enabled for cygwin builds
- added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
- Bugfixes:
- prevent needless reverse name lookups
- detect GSS on ancient Linux distros
- GnuTLS: EOF caused error when it wasn't
- GnuTLS: SSL handshake phase is non-blocking
- -J/--remote-header-name strips CRLF
- MSVC makefiles now use ws2_32.lib instead of wsock32.lib
- -O crash on windows
- SSL handshake timeout underflow in libcurl-NSS
- multi interface missed storing connection time
- broken CRL support in libcurl-NSS
- ignore response-body on redirect even if compressed
- OpenSSL handshake state-machine for multi interface
- TFTP timeout option sent correctly
- TFTP block id wrap
- curl_multi_socket_action() timeout handles inaccuracy in timers better
- SCP/SFTP failure to respect the timeout
- spurious SSL connection aborts with OpenSSL
New in cURL 7.20.0 (Feb 10, 2010)
- Changes:
- support SSL_FILETYPE_ENGINE for client certificate
- curl-config can now show the arguments used when building curl
- non-blocking TFTP
- send Expect: 100-continue for POSTs with unknown sizes
- added support for IMAP(S), POP3(S), SMTP(S) and RTSP
- added new curl_easy_setopt() options for SMTP and RTSP
- added --mail-from and --mail-rcpt for SMTP
- VMS build system enhancements
- added support for the PRET ftp command
- curl supports --ssl and --ssl-reqd
- added -J/--remote-header-name for using server-provided filename with -O
- enhanced asynchronous DNS lookups
- symbol CURL_FORMAT_OFF_T is obsoleted
- Bugfixes:
- progress meter percentage and transfer time estimates fixes
- portability enhancement for OS's without orthogonal directory tree structure
- progress meter/callback during FTP connection
- DNS cache timeout while transfer in progress
- compilation when configured --with-gssapi having GNU GSS installed
- SSL connection reused with mismatched protection level
- configure --with-nss is set but not "yes"
- don't store LDFLAGS in pkg-config file
- never-pruned DNS cached entries
- HTTP proxy tunnel re-used connection even if tunnel got disabled
- SSL lib post-close write
- curl failed to report write errors for tiny failed downloads
- TFTP BLKSIZE
- Expect: 100-continue handling when set by the application
- multi interface with OpenSSL read already freed memory when closing down
- --retry didn't do right for FTP transient errors
- some *_proxy environment variables didn't function
- libcurl-OpenSSL engine cleanup
- header include fix for FreeBSD versions before v8
- fragment part of URLs are no longer sent to the server
- progress callback called repeatedly with c-ares for resolving
- OpenSSL session id ref count leak
- progress callback called repeatedly during slow connects
- curl_multi_fdset() would return -1 too often during SCP/SFTP transfers
- FTP file size checks with ASCII transfers
- HTTP Cookie: headers sort cookies based on specified path lengths
- CURLM_CALL_MULTI_PERFORM fix for multi socket timeout calls
- libcurl data callback excessive length
New in cURL 7.19.7 (Nov 6, 2009)
- Changes:
- -T. is now for non-blocking uploading from stdin
- SYST handling on FTP for OS/400 FTP server cases
- libcurl refuses to read a single HTTP header longer than 100K
- added the --crlfile option to curl
- Bugfixes:
- The windows makefiles work again
- libcurl-NSS acknowledges verifyhost
- SIGSEGV when pipelined pipe unexpectedly breaks
- data corruption issue with re-connected transfers
- use after free if we're completed but easy_conn not NULL (pipelined)
- missing strdup() return code check
- CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
- configure --with-gnutls=PATH fixed
- ftp response reader bug on failed control connections
- improved NSS error message on failed host name verifications
- ftp NOBODY on re-used connection hang
- configure uses pkg-config for cross-compiles as well
- improved NSS detection in configure
- cookie expiry date at 1970-jan-1 00:00:00
- libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
- libcurl-OpenSSL can load CRL files with more than one certificate inside
- received cookies without explicit path got saved wrong if the URL had a query part
- don't shrink SO_SNDBUF on windows for those who have it set large already
- connect next bug
- invalid file name characters handling on Windows
- double close() on the primary socket with libcurl-NSS
- GSS negotiate infinite loop on bad credentials
- memory leak in SCP/SFTP connections
- use pkg-config to find out libssh2 installation details in configure
- unparsable cookie expire dates make cookies get treated as session cookies
- POST with Digest authentication and "Transfer-Encoding: chunked"
- SCP connection re-use with wrong auth
- CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
- CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)
New in cURL 7.19.6 (Aug 16, 2009)
- Changes:
- CURLOPT_FTPPORT (and curl's -P/--ftpport) support port ranges
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA
- CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE can be told to ignore error responses when used with FTP
- Bug fixes:
- crash on bad socket close with FTP
- leaking cookie memory when duplicate domains or paths were used
- build fix for Symbian
- CURLOPT_USERPWD set to NULL clears auth credentials
- libcurl-NSS build fixes
- configure script fixed for VMS
- set Content-Length: with POST and PUT failed with NTLM auth
- allow building libcurl for VxWorks
- curl tool exit codes fixed for VMS
- --no-buffer treated correctly
- djgpp build fix
- configure detection of GnuTLS now based on pkg-config as well
- libcurl-NSS client cert handling segfaults
- curl uploading from stdin/pipes now works in non-blocking way so that it continues the downloading even when the read stalls
- ftp credentials are added to the url if needed for http proxies
- curl -o - sends data to stdout using binary mode on windows
- fixed the separators for "array" style string that CURLINFO_CERTINFO returns
- auth problem over several hosts with re-used connection
- improved the support for client certificates in libcurl+NSS
- fix leak in gtls code
- missing algorithms in libcurl+OpenSSL
- with noproxy set you could still get a proxy if a proxy env was set
- rand seeding on libcurl on windows built with OpenSSL was not thread-safe
- fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
- don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
- libcurl+OpenSSL would wrongly acknowledge a cert if CN matched but subjectAltName didn't
- TFTP upload sent illegal TSIZE packets
New in cURL 7.19.5 (May 22, 2009)
- Changes:
- libcurl now closes all dead connections whenever you attempt to open a new connection
- libssh2's version number can now be figured out at run-time instead of using the build-time fixed number
- CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
- curl can now upload with resume even when reading from a pipe
- a build-time configured curl_socklen_t is now used instead of socklen_t
- Bugfixes:
- NTLM authentication memory leak on SSPI enabled Windows builds
- fixed the GnuTLS-using code to do correct return code checks
- an alloc-related call in the OpenSSL-using code didn't check the return value
- curl_easy_duphandle() failed to duplicate cookies at times
- missing TELNET timeout support in Windows builds
- missing Curl_read() and write callback result checking in TELNET transfers
- more ciphers enabled in libcurl built to use NSS
- properly return an error code in curl_easy_recv
- Sun compilers specific preprocessor block removed from curlbuild.h.dist
- allow creation of four way fat libcurl Mac OS X Framework
- several memory leaks in libcurl+NSS
- improved the CURLOPT_NOBODY set to 0 confusions
- persistent connections when doing FTP over a HTTP proxy
- --libcurl bogus strings where other data was pointed to
- crash related to FTP and "Re-used connection seems dead, get a new one"
- CURLINFO_APPCONNECT_TIME with the multi interface
- Enhanced upload speeds on Windows
- TFTP problems after a failed transfer to the same host
- improved out of the box TPF compatibility
- HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
- Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
- Deal with the TFTP OACK packet
- fixed roff mistakes in man pages
- use SOCKS proxy with the multi interface
- fixed the Curl_getoff_all_pipelines SIGSEGV
- POST, NTLM and following a redirect hang
- libcurl+NSS endless loop on incorrect password for private key
- gzip decompression memory leak
- no_proxy flaw with user name in URL
New in cURL 7.19.4 (Mar 18, 2009)
- Changes:
- Added CURLOPT_NOPROXY and the corresponding --noproxy
- the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default in openssl 0.9.8j
- Added CURLOPT_TFTP_BLKSIZE
- Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options --socks5-gssapi-service and --socks5-gssapi-nec
- Improved IPv6 support when built with c-ares >= 1.6.1
- Added CURLPROXY_HTTP_1_0 and --proxy1.0
- Added docs/libcurl/symbols-in-versions
- Added CURLINFO_CONDITION_UNMET
- Added support for Digest and NTLM authentication using GnuTLS
- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails
- GnuTLS initing moved to curl_global_init()
- Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS, see also the security advisory
- Bugfixes:
- missing ssh.obj in VS makefiles
- FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish locale
- realms with quoted quotation marks in HTTP Digest headers
- VC9 makefiles are now really included
- multi interface memory leak with CURLMOPT_MAXCONNECTS set
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true
- memory leak on some libz errors for content encodings
- NSS-enabled build is repaired
- superfluous wait in SFTP downloads removed
- FTP with the multi interface no longer kills the control connection as easily on transfer failures
- compilation halting when using VS2008 to build a Windows 2000 target
- ease creation of libcurl Mac OS X Framework
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1 if unknown
- Negotiate proxy authentication
- CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together
New in cURL 7.19.3 (Jan 20, 2009)
- Changes:
- CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH
- VC9 Makefiles were added to the release package
- Bugfixes:
- build failure when disabling FTP but enabling GSS
- fixed several calls to memory functions that didn't check return codes
- memory leak for SSL connects with libcurl/NSS when CURLOPT_ISSUERCERT was used
- re-use of connections with the multi interface when multiple handles used the same server
- memory leak with HTTP GSS/kerberos authentication
- removed the default use of "Pragma: no-cache"
- fix SCP/SFTP busyloop by using a new libssh2 1.0 function
- bad fclose() after a fatal error in cookie code
- curl_multi_remove_handle() when the handle was in use in a HTTP pipeline
- GSS authentication infinite loop problem
- 550 response from SIZE no longer treated as missing file
- ftps:// control connections now use explicit protection level
- dotted IPv6 addresses longer than 39 bytes failed
- curl_easy_duphandle() doesn't try to duplicate the connection cache pointer
- build failure on OS/400 when enabling IPv6
- better detection of SFTP failures
- improved connection re-use for subsequent SCP and SFTP transfers
- multi interface does less busy-loops for SCP and SFTP transfers with libssh2 1.0 or later
- curl_multi_timeout() no longer returns timeout 0 when there's still more than 0 but less than 999 microseconds left
- the multi_socket API and HTTP pipelining now work a lot better when combined
- SFTP seek/resume beyond 32bit file sizes
- fixed breakage with --with-ssl --disable-verbose
- TTL "leak" in the DNS cache
- improved NSS initing
- curl_easy_reset now resets more options
- rare Location: follow bug with the multi interface
- the configure script can now detect gnutls with pkg-config
- curlbuild.h was adjusted for SunPro compilers
- CURLOPT_COOKIELIST set to "SESS" on an easy handle with no cookies data
- fixed timeouts for TFTP
- fixed PPC builds
New in cURL 7.19.2 (Nov 15, 2008)
- build failure when using the MSVC 6 makefile and on four more platforms
- crash when using --interface name on Linux systems with a TEQL device
- using the multi interface to download an HTTPS page with libcurl built with OpenSSL could download "rubbish" instead of actual content
New in cURL 7.19.1 (Nov 5, 2008)
- Changes:
- pkg-config can now show supported_protocols and supported_features.
- Added CURLOPT_CERTINFO and CURLINFO_CERTINFO.
- Added CURLOPT_POSTREDIR.
- Better detect HTTP 1.0 servers and don't do HTTP 1.1 requests on them.
- configure --disable-proxy disables proxy support.
- Added CURLOPT_USERNAME and CURLOPT_PASSWORD.
- --interface now works with IPv6 connections on glibc systems.
- Added CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD.
- Bugfixes:
- MingW32 non-configure builds are now largefile feature enabled by default.
- NetWare LIBC builds are now largefile feature enabled by default.
- curl_easy_pause() could behave wrongly on unpause.
- cookies with invalid expire dates are now considered expired.
- HTTP pipelining over proxy.
- fix regression in configure script which affected OpenSSL builds on MSYS.
- GnuTLS-based multi interface doing HTTPS over proxy failed.
- recv() failures cause CURLE_RECV_ERROR.
- SFTP over SOCKS crash fixed.
- thread-safety issues addressed for NSS-powered libcurls.
- removed the use of mktime() and gmtime(_r)() in date parsing and conversions.
- HTTP Digest with a blank realm did wrong.
- CURLINFO_REDIRECT_URL didn't work with the multi interface.
- CURLOPT_RANGE now works for SFTP downloads.
- FTP SIZE response 550 now causes CURLE_REMOTE_FILE_NOT_FOUND.
- CURLINFO_PRIMARY_IP fixed for persistent connection re-use cases.
- remove_handle/add_handle multi interface timer callback flaw.
- CURLINFO_REDIRECT_URL memory leak and wrong-doing.
- case insensitive string matching works in Turkish too.
- Solaris builds get _REENTRANT defined properly and work again.
- Garbage sent on chunky upload after curl_easy_pause().
- ipv4 name resolves when libcurl is built with ipv6-enabled c-ares.
- undersized IPv6 address internal buffer truncated long IPv6 addresses.
- CURLINFO_FILETIME works for file:// transfers as well.
New in cURL 7.19.0 (Sep 2, 2008)
- curl_off_t gets its size/typedef somewhat differently than before. This _may_ cause an ABI change for you. See lib/README.curl_off_t for a full explanation.
- Added CURLINFO_PRIMARY_IP
- Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE
- Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR
- curl's option parser for boolean options reworked
- Added --remote-name-all
- Now builds for the INTEGRITY operating system
- Added CURLINFO_APPCONNECT_TIME
- Added test selection by key word in runtests.pl
- the curl tool's -w option support the %{ssl_verify_result} variable
- Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL according to RFC4007
- Support --append on SFTP uploads (not with OpenSSH, though)
- Added curlbuild.h and curlrules.h to the external library interface
- Fixed curl-config --ca
- Fixed the multi interface connection re-use with NSS-built libcurl
- connection re-use when using the multi interface with pipelining enabled
- curl_multi_socket() socket callback fix for close/re-create sockets case
- SCP or SFTP over socks proxy crashed
- RC4-MD5 cipher now works with NSS-built libcurl
- range requests with --head are now done correctly
- fallback to gettimeofday when monotonic clock is unavailable at run-time
- range numbers could be made to wrongly get output as signed
- unexpected 1xx responses hung transfers
- FTP transfers segfault when using different CURLOPT_FTP_FILEMETHOD
- c-ares powered libcurls can resolve/use IPv6 addresses
- poll not working on Windows Vista due to POLLPRI being incorrectly used
- user-agent in CONNECT with non-HTTP protocols
- CURL_READFUNC_PAUSE problems fixed
- --use-ascii now works on Symbian OS, MS-DOS and OS/2
- CURLINFO_SSL_VERIFYRESULT is fixed
- FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
- a user name in a proxy URL without a password was parsed incorrectly
- library will now be built with _REENTRANT symbol defined only if needed
- no longer link with gdi32 on Windows cross-compiled targets
- HTTP PUT with -C - sent bad Content-Range: header
- HTTP PUT or POST with redirect could lead to hang
- re-use of connections with failed SSL connects in the multi interface
- NTLM over proxy state was wrongly cleared when host connection was closed
- Windows SSPI DLL loading is now done in curl_global_init()
- runtests.pl has an improved find-stunnel-and-invoke
- FTP sessions could go out of sync on a long header boundary condition
- potential buffer overflows in the MS-DOS command-line port fixed
- --stderr is now honoured with the -v option
- memory leak in libcurl on Windows built with OpenSSL
- improved curl_m*printf() integral data type size and signedness handling
- error when --dump-header - used with more than one URL
- proxy closing connect during CONNECT with auth with the multi interface
- CURLOPT_UPLOAD sets HTTP method back to GET or HEAD when passed in a 0
- shared cookies could get locked twice
- deal with closed connection while doing POST/PUT
New in cURL 7.18.2 (Jun 5, 2008)
- CURLFORM_STREAM was added
- CURLOPT_NOBODY is now supported over SFTP
- curl can now run on Symbian OS
- curl -w redirect_url and CURLINFO_REDIRECT_URL
- added curl_easy_send() and curl_easy_recv()
- CURLOPT_NOBODY first set to TRUE and then FALSE for HTTP no longer causes the confusion that could lead to a hung transfer
- curl_easy_reset() resets the max redirect limit properly
- configure now correctly recognizes Heimdal and MIT gssapi libraries
- malloc() failure check in Negotiate
- -i and -I together now work the same no matter what order they're used
- the typechecker can be bypassed by defining CURL_DISABLE_TYPECHECK
- a pointer mixup could make the FTP code send bad user password under rare circumstances (found when using curlftpfs)
- CURLOPT_OPENSOCKETFUNCTION can now be used to create a unix domain socket
- CURLOPT_TCP_NODELAY crash due to getprotobyname() use
- libcurl sometimes sent body twice when using CURLAUTH_ANY
- configure detecting debug-enabled c-ares
- microsecond resolution keys for internal splay trees
- krb4 and krb5 ftp segfault
- multi interface busy loop for CONNECT requests
- internal time differences now use monotonic time source if available
- several curl_multi_socket() fixes
- builds fine for Haiku OS
- follow redirect with only a new query string
- SCP and SFTP memory leaks on aborted transfers
- curl_multi_socket() and HTTP pipelining transfer stalls
- lost telnet data on an EWOULDBLOCK condition
New in cURL 7.18.1 (Mar 31, 2008)
- added support for HttpOnly cookies
- 'make ca-bundle' downloads and generates an updated ca bundle file
- we no longer distribute or install a ca cert bundle
- SSLv2 is now disabled by default for SSL operations
- the test509-style setting URL in callback is officially no longer supported
- support a full chain of certificates in a given PKCS12 certificate
- resumed transfers work with SFTP
- added type checking macros for curl_easy_setopt() and curl_easy_getinfo(), watch out for new warnings in code using libcurl (needs gcc-4.3 and currently only works in C mode)
- curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments
- --with-ca-path=DIR configure option allows setting an OpenSSL CApath instead of a default ca bundle.
- improved pipelining
- improved strdup replacement
- GnuTLS-built libcurl failed when doing global cleanup and reinit
- error message problem when unable to resolve a host on Windows
- Accept: header replacing
- not verifying server certs with GnuTLS still failed if gnutls had problems with the cert
- when using the multi interface and a handle is removed while still having a transfer going on, the connection is now closed by force
- bad re-use of SSL connections in non-complete state
- test case 405 failures with GnuTLS builds
- crash when connection cache size is 1 and Curl_do() failed
- GnuTLS-built libcurl can now be forced to prefer SSLv3
- crash when doing Negotiate again on a re-used connection
- select/poll regression
- better MIT kerberos configure check
- curl_easy_reset() SFTP re-used connection download crash
- SFTP non-existing file SFTP existing file error
- sharing DNS cache between easy handles running in multiple threads could lead to crash
- SFTP upload with CURLOPT_FTP_CREATE_MISSING_DIRS on re-used connection
- SFTP infinite loop when given an invalid quote command
- curl-config erroneously reported LDAPS support with missing LDAP libraries
- SCP infinite loop when downloading a zero byte file
- setting the CURLOPT_SSL_CTX_FUNCTION with libcurl built without OpenSSL now makes curl_easy_setopt() properly return failure
- configure --with-libssh2 (with no given path)