cURL Changelog

What's new in cURL 8.7.1

Mar 27, 2024
  • Bugfixes:
  • Fixed empty tool_hugehelp.c file

New in cURL 8.7.0 (Mar 27, 2024)

  • Changes:
  • configure: add --disable-docs flag
  • CURLINFO_USED_PROXY: return bool whether the proxy was used
  • digest: support SHA-512/256
  • DoH: add trace configuration
  • write-out: add '%{proxy_used}'
  • Bugfixes:
  • ALTSVC.md: correct a typo
  • asyn-ares: fix data race warning
  • asyn-thread: use wakeup_close to close the read descriptor
  • badwords: use hostname, not host name
  • BINDINGS: add mcurl, the python binding
  • bufq: writing into a softlimit queue cannot be partial
  • c-hyper: add header collection writer in hyper builds
  • cd2nroff: gen: make `>` in input to render as plain '>' in output
  • cd2nroff: remove backticks from titles
  • checksrc.pl: fix handling .checksrc with CRLF
  • cmake: add USE_OPENSSL_QUIC support
  • cmake: add warning for using TLS libraries without 1.3 support
  • cmake: enable `ENABLE_CURL_MANUAL` by default
  • cmake: fix `CURL_WINDOWS_SSPI=ON` with Schannel disabled
  • cmake: fix function description in comment
  • cmake: fix install for older CMake versions
  • cmake: fix libcurl.pc and curl-config library specifications
  • cmdline-docs/Makefile: avoid using a fixed temp file name
  • cmdline-docs: quote and angle bracket cleanup
  • cmdline-opts/_EXITCODES: sync with libcurl-errors
  • cmdline-opts/_VARIABLES.md: improve the description
  • cmdline-opts/_VERSION: provide %VERSION correctly
  • cmdline-opts: shorter help texts
  • configure: add pkg-config support to rustls detection
  • configure: add warning for using TLS libraries without 1.3 support
  • configure: build & install shell completions when enabled
  • configure: do not link with nghttp3 unless necessary
  • configure: Don't build shell completions when disabled
  • configure: Don't make shell completions without perl
  • configure: find libpsl with pkg-config
  • connect.c: fix typo
  • CONTRIBUTE: update the section on documentation format
  • cookie.md: provide an example sending a fixed cookie
  • cookie: if psl fails, reject the cookie
  • curl: exit on config file parser errors
  • curl: make --libcurl output better CURLOPT_*SSLVERSION
  • curl: when allocating variables, add the name into the struct
  • curl_setup.h: add curl_uint64_t internal type
  • curldown: fix email address in Copyright
  • CURLMOPT_MAX*: mention what happens if changed mid-transfer
  • CURLOPT_INTERFACE.md: remove spurious amp, add see-also
  • CURLOPT_POSTQUOTE.md: fix typo
  • CURLOPT_SSL_CTX_FUNCTION.md: no promises of lifetime after return
  • CURLOPT_WRITEFUNCTION.md: typo fix
  • digest: add check for hashing error
  • dist: make sure the http tests are in the tarball
  • DISTROS: add document with distro pointers
  • docs/libcurl: add TLS backend info for all TLS options
  • docs/libcurl: generate PROTOCOLS from meta-data
  • docs: add missing slashes to SChannel client certificate documentation
  • docs: add necessary setup for nghttp3
  • docs: ascii version of manpage without nroff
  • docs: dist curl*.1 and install without perl
  • docs: make curldown do angle brackets like markdown
  • docs: make each libcurl man specify protocol(s)
  • docs: make sure curl.1 is included in dist tarballs
  • docs: update minimal binary size in INSTALL.md
  • docs: use present tense
  • examples: use present tense in comments
  • file: use xfer buf for file:// transfers
  • fopen: fix narrowing conversion warning on 32-bit Android
  • form-string.md: correct the example
  • ftp: do lineend conversions in client writer
  • ftp: fix socket wait activity in ftp_domore_getsock
  • ftp: tracing improvements
  • ftp: treat a 226 arriving before data as a signal to read data
  • gen.pl: make the "manpageification" faster
  • gen: make `>` in input to render as plain '>' in output
  • getparam: make --ftp-ssl work again
  • GHA/linux: add sysctl trick to work-around GitHub runner issue
  • GIT-INFO: convert to markdown
  • GOVERNANCE: document the core team
  • header.md: remove backslash, make nicer markdown
  • HTTP/2: write response directly
  • http2, http3: return CURLE_PARTIAL_FILE when bytes were received
  • http2: fix push discard
  • http2: memory errors in the push callbacks are fatal
  • http2: minor tweaks to optimize two struct sizes
  • http2: push headers better cleanup
  • http2: remove the third (unused) argument from http2_data_done()
  • HTTP3.md: adjust the OpenSSL QUIC install instructions
  • http: better error message for HTTP/1.x response without status line
  • http: improve response header handling, save cpu cycles
  • http: move headers collecting to writer
  • http: remove stale comment about rewindbeforesend
  • http: separate response parsing from response action
  • http_chunks: fix the accounting of consumed bytes
  • http_chunks: remove unused 'endptr' variable
  • https-proxy: use IP address and cert with ip in alt names
  • hyper: implement unpausing via client reader
  • ipv6.md: mention IPv4 mapped addresses
  • KNOWN_BUGS: POP3 issue when reading small chunks
  • lib1598: fix `CURLOPT_POSTFIELDSIZE` usage
  • lib582: remove code causing warning that is never run
  • lib: add `void *ctx` to reader/writer instances
  • lib: convert Curl_get_line to use dynbuf
  • lib: Curl_read/Curl_write clarifications
  • lib: enhance client reader resume + rewind
  • lib: initialize output pointers to NULL before calling strto[ff,l,ul]
  • lib: keep conn IP information together
  • lib: move 'done' parameter to SingleRequests
  • lib: remove curl_mimepart object when CURL_DISABLE_MIME
  • libcurl-docs: cleanups
  • libcurl-security.md: Active FTP passes on the local IP address
  • libssh/libssh2: return error on too big range
  • MANUAL.md: fix typo
  • mbedtls: fix building when MBEDTLS_X509_REMOVE_INFO flag is defined
  • mbedtls: fix pytest for newer versions
  • mbedtls: properly cleanup the thread-shared entropy
  • mbedtls: use mbedtls_ssl_conf_{min|max}_tls_version
  • md4: include strdup.h for the memdup proto
  • mime: add client reader
  • misc: fix typos in docs and lib
  • mkhelp: simplify the generated hugehelp program
  • mprintf: fix format prefix I32/I64 for windows compilers
  • multi: add xfer_buf to multi handle
  • multi: fix multi_sock handling of select_bits
  • multi: make add_handle free any multi_easy
  • ngtcp2: no recvbuf for stream
  • ntml_wb: fix buffer type typo
  • OpenSSL QUIC: adapt to v3.3.x
  • openssl-quic: check on Windows that socket conv to int is possible
  • openssl-quic: fix BIO leak and Windows warning
  • openssl-quic: fix unity build, casing, indentation
  • OS400: avoid using awk in the build scripts
  • paramhlp: fix CRLF-stripping files with "-d @file"
  • proxy1.0.md: fix example
  • pytest: adapt to API change
  • request: clarify message when request has been sent off
  • rustls: make curl compile with 0.12.0
  • schannel: fix hang on unexpected server close
  • scripts: fix cijobs.pl for Azure and GHA
  • sendf: ignore response body to HEAD
  • setopt: fix check for CURLOPT_PROXY_TLSAUTH_TYPE value
  • setopt: fix disabling all protocols
  • sha512_256: add support for GnuTLS and OpenSSL
  • smtp: fix STARTTLS
  • SPONSORS: describe the basics
  • strtoofft: fix the overflow check
  • test 1541: verify getinfo values on first header callback
  • test1165: improve pattern matching
  • tests: support setting/using blank content env variables
  • TIMER_STARTTRANSFER: set the same for everyone
  • TLS: start shutdown only when peer did not already close
  • TODO: update 13.11 with more information
  • tool_cb_hdr: only parse etag + content-disposition for 2xx
  • tool_getparam: accept a blank -w ""
  • tool_getparam: handle non-existing (out of range) short-options
  • tool_operate: change precedence of server Retry-After time
  • tool_operate: do not set CURLOPT_QUICK_EXIT in debug builds
  • trace-config.md: remove the mutexed options list
  • transfer.c: break receive loop in speed limited transfers
  • transfer: improve Windows SO_SNDBUF update limit
  • urldata: move authneg bit from conn to Curl_easy
  • version: allow building with ancient libpsl
  • vquic-tls: fix the error code returned for bad CA file
  • vtls: fix tls proxy peer verification
  • vtls: revert "receive max buffer" + add test case
  • VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
  • websocket: fix curl_ws_recv()
  • wolfSSL: do not call the stub function wolfSSL_BIO_set_init()
  • write-out.md: clarify error handling details

New in cURL 8.6.0 (Jan 31, 2024)

  • Changes:
  • add CURLE_TOO_LARGE
  • add CURLINFO_QUEUE_TIME_T
  • add CURLOPT_SERVER_RESPONSE_TIMEOUT_MS: add
  • asyn-thread: use GetAddrInfoExW on >= Windows 8
  • configure: make libpsl detection failure cause error
  • docs/cmdline: change to .md for cmdline docs
  • docs: introduce "curldown" for libcurl man page format
  • runtests: support -gl. Like -g but for lldb.
  • Bugfixes:
  • altsvc: free 'as' when returning error
  • appveyor: replace PowerShell with bash + parallel autotools
  • appveyor: switch to out-of-tree builds
  • asyn-ares: with modern c-ares, use its default timeout
  • build: delete unused `HAVE_{GSSHEIMDAL,GSSMIT,HEIMDAL}`
  • build: delete/replace clang warning pragmas
  • build: enable missing OpenSSF-recommended warnings, with fixes
  • build: fix `-Wconversion`/`-Wsign-conversion` warnings
  • build: fix Windows ADDRESS_FAMILY detection
  • build: more `-Wformat` fixes
  • build: remove redundant `CURL_PULL_*` settings
  • cf-h1-proxy: no CURLOPT_USERAGENT in CONNECT with hyper
  • cf-socket: show errno in tcpkeepalive error messages
  • CI/distcheck: run full tests
  • cmake: add option to disable building docs
  • cmake: fix generation for system name iOS
  • cmake: fix typo
  • cmake: freshen up docs/INSTALL.cmake
  • cmake: prefill/cache `HAVE_STRUCT_SOCKADDR_STORAGE`
  • cmake: rework options to enable curl and libcurl docs
  • cmake: when USE_MANUAL=YES, build the curl.1 man page
  • cmdline-opts/write-out.d: remove spurious double quotes
  • cmdline-opts: update availability for the *-ca-native options
  • cmdline/gen: fix the sorting of the man page options
  • configure: add libngtcp2_crypto_boringssl detection
  • configure: fix no default int compile error in ipv6 detection
  • configure: when enabling QUIC, check that TLS supports QUIC
  • connect: remove margin from eyeballer alloc
  • content_encoding: change return code to typedef'ed enum
  • cookie.d: document use of empty string to enable cookie engine
  • cookie: avoid fopen with empty file name
  • curl.h: CURLOPT_DNS_SERVERS is only available with c-ares
  • curl: show ipfs and ipns as supported "protocols"
  • curl_easy_getinfo.3: remove the wrong time value count
  • curl_multi_fdset.3: remove mention of null pointer support
  • CURLINFO_REFERER.3: clarify that it is the *request* header
  • CURLOPT_AUTOREFERER.3: mention CURLINFO_REFERER
  • CURLOPT_POSTFIELDS.3: fix incorrect C string escape in example
  • CURLOPT_SSH_*_KEYFILE: clarify
  • dist: add tests/errorcodes.pl to the tarball
  • docs: clean up Protocols: for cmdline options
  • docs: describe and highlight super cookies
  • docs: do not start lines/sentences with So, But nor And
  • docs: install curl.1 with cmake
  • docs: mention env vars not used by schannel
  • doh: remove unused local variable
  • examples: add four new examples
  • file+ftp: use stack buffers instead of data->state.buffer
  • ftp: handle the PORT parsing without allocation
  • ftp: use dynbuf to store entrypath
  • ftp: use memdup0 to store the OS from a SYST 215 response
  • ftpserver.pl: send 213 SIZE response without spurious newline
  • gen.pl: support ## for doing .IP in table-like lists
  • gen: do italics/bold for a range of letters, not just single word
  • GHA: add a job scanning for "bad words" in markdown
  • GHA: bump ngtcp2, gnutls, mod_h2, quiche
  • gnutls: fix build with --disable-verbose
  • haproxy-clientip.d: document the arg
  • headers: make sure the trailing newline is not stored
  • headers: remove assert from Curl_headers_push
  • hostip: return error immediately when Curl_ip2addr() fails
  • hsts: remove assert for zero length domain
  • http2: improved on_stream_close/data_done handling
  • http3/quiche: fix result code on a stream reset
  • http3: initial support for OpenSSL 3.2 QUIC stack
  • http: adjust_pollset fix
  • http: check for "Host:" case insensitively
  • http: fix off-by-one error in request method length check
  • http: only act on 101 responses when they are HTTP/1.1
  • http: remove comment reference to a removed solution
  • http: use stack scratch buffer
  • http_proxy: a blank CURLOPT_USERAGENT should not be used in CONNECT
  • krb5: add prototype to silence clang warnings on mvsnprintf()
  • lib: add debug log outputs for CURLE_BAD_FUNCTION_ARGUMENT
  • lib: error out on multissl + http3
  • lib: fix variable undeclared error caused by `infof` changes
  • lib: reduce use of strncpy
  • lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding
  • lib: replace readwrite with write_resp
  • lib: strndup/memdup instead of malloc, memcpy and null-terminate
  • libssh2: use `libssh2_session_callback_set2()` with v1.11.1
  • libssh: improve the deprecation warning dismissal
  • libssh: supress warnings without version check
  • Makefile.am: fix the MSVC project generation
  • Makefile.mk: drop Windows support
  • mbedtls: fix `-Wnull-dereference` and `-Wredundant-decls`
  • mbedtls: free the entropy when threaded
  • mime: use memdup0 instead of malloc + memcpy
  • mksymbolsmanpage.pl: provide references to where the symbol is used
  • mprintf: overhaul and bugfixes
  • mqtt: use stack scratch buffer for recv+publish
  • multi: remove total timer reset in file_do() while fetching file://
  • ngtcp2: put h3 at the front of alpn
  • ntlm_wb: do not use data->state.buffer any longer
  • openldap: fix an LDAP crash
  • openldap: fix STARTTLS
  • openssl: re-match LibreSSL deinit with init
  • openssl: when verifystatus fails, remove session id from cache
  • OS400: sync ILE/RPG binding
  • pingpong: stop using the download buffer
  • pop3: replace calloc + memcpy with memdup0
  • pytest: scorecard tracking CPU and RSS
  • quiche: return CURLE_HTTP3 on send to invalid stream
  • readwrite_data: loop less
  • Revert "urldata: move async resolver state from easy handle to connectdata"
  • rtsp: deal with borked server responses
  • runtests: for mode="text" on , fix newlines on both parts
  • sasl: make login option string override http auth
  • schannel: fix `-Warith-conversion` gcc 13 warning
  • sectransp: do verify_cert without memdup for blobs
  • sectransp_ make TLSCipherNameForNumber() available in non-verbose config
  • sendf: fix compiler warning with CURL_DISABLE_HEADERS_API
  • setopt: clear mimepost when formp is freed
  • setopt: use memdup0 when cloning COPYPOSTFIELDS
  • socks: fix generic output string to say SOCKS instead of SOCKS4
  • socks: use own buffer instead of data->state.buffer
  • ssh: fix namespace of two local macros
  • ssh: use stack scratch buffer for seeks
  • strerror: repair get_winsock_error()
  • system.h: sync mingw `CURL_TYPEOF_CURL_SOCKLEN_T` with other compilers
  • system_win32: fix a function pointer assignment warning
  • telnet: use dynbuf instad of malloc for escape buffer
  • telnet: use stack scratch buffer for do
  • tests/server: delete workaround for old-mingw
  • tests: avoid int/size_t conversion size/sign warnings
  • tests: respect $TMPDIR when creating unix domain sockets
  • tool: make parser reject blank arguments if not supported
  • tool: prepend output_dir in header callback
  • tool_getparam: bsearch cmdline options
  • tool_getparam: do not try to expand without an argument
  • tool_getparam: stop supporting `@filename` style for --cookie
  • tool_listhelp: regenerate after recent .d updates
  • tool_operate: make --remove-on-error only remove "real" files
  • tool_operate: stop setting the file comment on Amiga
  • transfer: adjust_pollset improvements
  • transfer: fix upload rate limiting, add test cases
  • transfer: make the select_bits_paused condition check both directions
  • transfer: remove warning: Value stored to 'blen' is never read
  • url: don't set default CA paths for Secure Transport backend
  • url: for disabled protocols, mention if found in redirect
  • urlapi: remove assert
  • verify-examples.pl: fail verification on unescaped backslash
  • version: show only the libpsl version, not its dependencies
  • vquic: extract TLS setup into own source
  • vtls: fix missing multissl version info
  • vtls: receive max buffer
  • vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY
  • websockets: check for negative payload lengths
  • websockets: refactor decode chain
  • windows: delete redundant headers
  • windows: simplify detecting and using system headers
  • wolfssl: load certificate *chain* for PEM client certs
  • x509asn1: remove code for WANT_VERIFYHOST
  • x509asn1: switch from malloc to dynbuf

New in cURL 8.5.0 (Dec 6, 2023)

  • Changes:
  • gnutls: support CURLSSLOPT_NATIVE_CA
  • HTTP3: ngtcp2 builds are no longer experimental
  • Bugfixes:
  • appveyor: make VS2008-built curl tool runnable
  • asyn-thread: use pipe instead of socketpair for IPC when available
  • autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`
  • autotools: avoid passing `LDFLAGS` twice to libcurl
  • autotools: delete LCC compiler support bits
  • autotools: fix/improve gcc and Apple clang version detection
  • autotools: stop setting `-std=gnu89` with `--enable-warnings`
  • autotools: update references to deleted `crypt-auth` option
  • BINDINGS: add V binding
  • build: add `src/.checksrc` to source tarball
  • build: add more picky warnings and fix them
  • build: always revert `#pragma GCC diagnostic` after use
  • build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`
  • build: delete support bits for obsolete Windows compilers
  • build: fix 'threadsafe' feature detection for older gcc
  • build: fix builds that disable protocols but not digest auth
  • build: fix compiler warning with auths disabled
  • build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`
  • build: picky warning updates
  • build: require Windows XP or newer
  • cfilter: provide call to tell connection to forget a socket
  • CI: add autotools, out-of-tree, debug build to distro check job
  • CI: ignore test 286 on Appveyor gcc 9 build
  • cmake: add `CURL_DISABLE_BINDLOCAL` option
  • cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API`
  • cmake: dedupe Windows system libs
  • cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
  • cmake: fix CURL_DISABLE_GETOPTIONS
  • cmake: fix multiple include of CURL package
  • cmake: fix OpenSSL quic detection in quiche builds
  • cmake: option to disable install & drop `curlu` target when unused
  • cmake: pre-fill rest of detection values for Windows
  • cmake: replace `check_library_exists_concat()`
  • cmake: speed up threads setup for Windows
  • cmake: speed up zstd detection
  • config-win32: set `HAVE_SNPRINTF` for mingw-w64
  • configure: better --disable-http
  • configure: check for the fseeko declaration too
  • conncache: use the closure handle when disconnecting surplus connections
  • content_encoding: make Curl_all_content_encodings allocless
  • cookie: lowercase the domain names before PSL checks
  • curl.h: delete Symbian OS references
  • curl.h: on FreeBSD include sys/param.h instead of osreldate.h
  • curl.rc: switch out the copyright symbol for plain ASCII
  • curl: improved IPFS and IPNS URL support
  • curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped
  • Curl_http_body: cleanup properly when Curl_getformdata errors
  • curl_setup: disallow Windows IPv6 builds missing getaddrinfo
  • curl_sspi: support more revocation error names in error messages
  • CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation
  • CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
  • CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does
  • CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR
  • CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
  • docs/example/keepalive.c: show TCP keep-alive options
  • docs/example/localport.c: show off CURLOPT_LOCALPORT
  • docs/examples/interface.c: show CURLOPT_INTERFACE use
  • docs/libcurl: fix three minor man page format mistakes
  • docs/libcurl: SYNSOPSIS cleanup
  • docs: add supported version for the json write-out
  • docs: clarify that curl passes on input unfiltered
  • docs: fix function typo in curl_easy_option_next.3
  • docs: KNOWN_BUGS cleanup
  • docs: preserve the modification date when copying the prebuilt man page
  • docs: remove bold from some man page SYNOPSIS sections
  • docs: use SOURCE_DATE_EPOCH for generated manpages
  • doh: provide better return code for responses w/o addresses
  • doh: use PIPEWAIT when HTTP/2 is attempted
  • duphandle: also free 'outcurl->cookies' in error path
  • duphandle: make dupset() not return with pointers to old alloced data
  • duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
  • easy: in duphandle, init the cookies for the new handle
  • easy: remove duplicate wolfSSH init call
  • easy_lock: add a pthread_mutex_t fallback
  • fopen: create new file using old file's mode
  • fopen: create short(er) temporary file name
  • getenv: PlayStation doesn't have getenv()
  • GHA: move mod_h2 version in CI to v2.0.25
  • hostip: show the list of IPs when resolving is done
  • hostip: silence compiler warning `-Wparentheses-equality`
  • hsts: skip single-dot hostname
  • HTTP/2, HTTP/3: handle detach of onoing transfers
  • http2: header conversion tightening
  • http2: provide an error callback and failf the message
  • http2: safer invocation of populate_binsettings
  • http: allow longer HTTP/2 request method names
  • http: avoid Expect: 100-continue if Upgrade: is used
  • http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine
  • http: fix `-Wunused-parameter` with no auth and no proxy
  • http: fix `-Wunused-variable` compiler warning
  • http: fix empty-body warning
  • http_aws_sigv4: canonicalise valueless query params
  • hyper: temporarily remove HTTP/2 support
  • INSTALL: update list of ports and CPU archs
  • IPFS: fix IPFS_PATH and file parsing
  • keylog: disable if unused
  • lib: add and use Curl_strndup()
  • lib: apache style infof and trace macros/functions
  • lib: fix gcc warning in printf call
  • libcurl-errors.3: sync with current public headers
  • libcurl-thread.3: simplify the TLS section
  • Makefile.am: drop vc10, vc11 and vc12 projects from dist
  • Makefile.mk: fix `-rtmp` option for non-Windows
  • mime: store "form escape" as a single bit
  • misc: fix -Walloc-size warnings
  • msh3: error when built with CURL_DISABLE_SOCKETPAIR set
  • multi: during ratelimit multi_getsock should return no sockets
  • multi: use pipe instead of socketpair to *wakeup()
  • ngtcp2: fix races in stream handling
  • ntlm_wb: use pipe instead of socketpair when possible
  • openldap: move the alloc of ldapconninfo to *connect()
  • openldap: set the callback argument in oldap_do
  • openssl: avoid BN_num_bits() NULL pointer derefs
  • openssl: fix building with v3 `no-deprecated` + add CI test
  • openssl: fix infof() to avoid compiler warning for %s with null
  • openssl: identify the "quictls" backend correctly
  • openssl: include SIG and KEM algorithms in verbose
  • openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
  • openssl: two multi pointer checks should probably rather be asserts
  • openssl: when a session-ID is reused, skip OCSP stapling
  • page-footer: clarify exit code 25
  • projects: add VC14.20 project files
  • pytest: use lower count in repeat tests
  • quic: make eyeballers connect retries stop at weird replies
  • quic: manage connection idle timeouts
  • quiche: use quiche_conn_peer_transport_params()
  • rand: fix build error with autotools + LibreSSL
  • resolve.d: drop a multi use-sentence
  • RTSP: improved RTP parser
  • sasl: fix `-Wunused-function` compiler warning
  • schannel: add CA cache support for files and memory blobs
  • setopt: check CURLOPT_TFTP_BLKSIZE range on set
  • setopt: remove outdated cookie comment
  • setopt: remove superfluous use of ternary expressions
  • socks: better buffer size checks for socks4a user and hostname
  • socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
  • symbols-in-versions: the CLOSEPOLICY options are deprecated
  • test1683: remove commented-out check alternatives
  • test3103: add missing quotes around a test tag attribute
  • test613: stop showing an error on missing output file
  • tests/README: SOCKS tests are not using OpenSSH, it has its own server
  • tests/server: add more SOCKS5 handshake error checking
  • tests: Fix Windows test helper tool search & use it for handle64
  • tidy-up: casing typos, delete unused Windows version aliases
  • tool: fix --capath when proxy support is disabled
  • tool: support bold headers in Windows
  • tool_cb_hdr: add an additional parsing check
  • tool_cb_prg: make the carriage return fit for wide progress bars
  • tool_cb_wrt: fix write output for very old Windows versions
  • tool_getparam: limit --rate to be smaller than number of ms
  • tool_operate: do not mix memory models
  • tool_operate: fix links in ipfs errors
  • tool_parsecfg: make warning output propose double-quoting
  • tool_urlglob: fix build for old gcc versions
  • tool_urlglob: make multiply() bail out on negative values
  • tool_writeout_json: fix JSON encoding of non-ascii bytes
  • transfer: abort pause send when connection is marked for closing
  • transfer: avoid calling the read callback again after EOF
  • transfer: only reset the FTP wildcard engine in CLEAR state
  • url: don't touch the multi handle when closing internal handles
  • url: find scheme with a "perfect hash"
  • url: fix `-Wzero-length-array` with no protocols
  • url: fix builds with `CURL_DISABLE_HTTP`
  • url: protocol handler lookup tidy-up
  • url: proxy ssl connection reuse fix
  • urlapi: avoid null deref if setting blank host to url encode
  • urlapi: skip appending NULL pointer query
  • urlapi: when URL encoding the fragment, pass in the right length
  • urldata: make maxconnects a 32 bit value
  • urldata: move async resolver state from easy handle to connectdata
  • urldata: move cookielist from UserDefined to UrlState
  • urldata: move hstslist from 'set' to 'state'
  • urldata: move the 'internal' boolean to the state struct
  • vssh: remove the #ifdef for Curl_ssh_init, use empty macro
  • vtls: cleanup SSL config management
  • vtls: consistently use typedef names for OpenSSL structs
  • vtls: late clone of connection ssl config
  • vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
  • VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
  • windows: use built-in `_WIN32` macro to detect Windows
  • wolfssh: remove redundant static prototypes
  • wolfssl: add default case for wolfssl_connect_step1 switch
  • wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA

New in cURL 8.4.0 (Dec 6, 2023)

  • Changes:
  • curl: add support for the IPFS protocols via HTTP gateway
  • curl_multi_get_handles: get easy handles from a multi handle
  • mingw: delete support for legacy mingw.org toolchain
  • Bugfixes:
  • acinclude.m4: Document proper system truststore on FreeBSD
  • appveyor: fix yamlint issues, indent
  • appveyor: rewrite batch in PowerShell + CI improvements
  • autotools: adjust `CURL_CA_PATH` value to CMake
  • autotools: restore `HAVE_IOCTL_*` detections
  • base64: also build for curl
  • bufq: remove Curl_bufq_skip_and_shift (unused)
  • build: delete checks for C89 standard headers
  • build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros
  • cf-socket: simulate slow/blocked receives in debug
  • cmake, configure: also link with CoreServices
  • cmake: add check for suseconds_t
  • cmake: add feature checks for `memrchr` and `getifaddrs`
  • cmake: add missing checks
  • cmake: delete old `HAVE_LDAP_URL_PARSE` logic
  • cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW`
  • cmake: detect `HAVE_GETADDRINFO_THREADSAFE`
  • cmake: detect `sys/wait.h` and `netinet/udp.h`
  • cmake: detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
  • cmake: disable unity mode with Windows Unicode + TrackMemory
  • cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows
  • cmake: fix `HAVE_WRITABLE_ARGV` detection
  • cmake: fix duplicate symbols when linking tests
  • cmake: fix missing `zlib.h` when compiling `libcurltool`
  • cmake: fix stderr initialization in unity builds
  • cmake: fix the help text to the static build option in CMakeLists.txt
  • cmake: fix unity builds for more build combinations
  • cmake: fix unity symbol collisions in h2 builds
  • cmake: fix unity with Windows Unicode + TrackMemory
  • cmake: improve OpenLDAP builds
  • cmake: lib `CURL_STATICLIB` fixes (Windows)
  • cmake: move global headers to specific checks
  • cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC
  • cmake: pre-cache `HAVE_POLL_FINE` on Windows
  • cmake: tidy-up `NOT_NEED_LBER_H` detection
  • cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value
  • configure: check for the capath by default
  • configure: remove unused checks
  • configure: replace adhoc domain with `localhost` in tests
  • configure: sort AC_CHECK_FUNCS
  • connect: expire the timeout when trying next
  • connect: only start the happy eyeballs timer when needed
  • cookie: do not store the expire or max-age strings
  • cookie: remove unnecessary struct fields
  • cookie: set ->running in cookie_init even if data is NULL
  • create-dirs.d: clarify it also uses --output-dirs
  • curl.h: mark CURLSSLBACKEND_NSS as deprecated since 8.3.0
  • curl_easy_pause.3: mention h2/h3 buffering
  • curl_easy_pause.3: mention it works within callbacks
  • curl_easy_pause: set "in callback" true on exit if true
  • CURLOPT_DEBUGFUNCTION.3: warn about internal handles
  • docs/libcurl/opts/Makefile.inc: add missing manpage files
  • docs: adapt SEE ALSO sections to new requirements
  • docs: explain how PINNEDPUBLICKEY is independent of VERIFYPEER
  • docs: replace made up domains with example.com
  • docs: update curl man page references
  • docs: use CURLSSLBACKEND_NONE
  • doh: inherit DEBUGFUNCTION/DATA
  • escape: replace Curl_isunreserved with ISUNRESERVED
  • FAQ: How do I upgrade curl.exe in Windows?
  • GHA/linux: run singleuse to detect single-use global functions
  • GHA: add workflow to compare configure vs cmake outputs
  • h2-proxy: remove left-over mistake in drain_tunnel()
  • h2: testcase and fix for pausing h2 streams
  • h3: add support for ngtcp2 with AWS-LC builds
  • http2: refused stream handling for retry
  • http: fix CURL_DISABLE_BEARER_AUTH breakage
  • http: h1/h2 proxy unification
  • http: remove wrong comment for http_should_fail
  • http: use per-request counter to check too large headers
  • http_aws_sigv4: fix sorting with empty parts
  • idn: fix WinIDN null ptr deref on bad host
  • idn: if idn2_check_version returns NULL, return error
  • inet_ntop: add typecast to silence Coverity
  • lib: disambiguate Curl_client_write flag semantics
  • lib: enable hmac for digest as well
  • lib: failf/infof compiler warnings
  • lib: let the max filesize option stop too big transfers too
  • lib: move handling of `data->req.writer_stack` into Curl_client_write()
  • lib: provide and use Curl_hexencode
  • lib: remove TIME_WITH_SYS_TIME
  • lib: use wrapper for curl_mime_data fseek callback
  • libssh2: fix error message on failed pubkey-from-file
  • libssh: cap SFTP packet size sent
  • Makefile.mk: always set `CURL_STATICLIB` for lib (Windows)
  • MANUAL.md: change domain to example.com
  • misc: better random strings
  • MQTT: improve receive of ACKs
  • multi: do CURLM_CALL_MULTI_PERFORM at two more places
  • multi: fix small timeouts
  • multi: remove Curl_multi_dump
  • multi: round the timeout up to prevent early wakeups
  • multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE
  • openssl: improve ssl shutdown handling
  • openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
  • pytest: exclude test_03_goaway in CI runs due to timing dependency
  • quic: set ciphers/curves the same way regular TLS does
  • quiche: fix build error with --with-ca-fallback
  • RELEASE-PROCEDURE.md: updated coming release dates
  • runtests: display the test status if tests appear hung
  • runtests: eliminate a warning on old perl versions
  • socks: return error if hostname too long for remote resolve
  • src/mkhelp: make generated code pass `checksrc`
  • test1056: disable on Windows
  • test1474: disable test on NetBSD, OpenBSD and Solaris 10
  • test1592: greatly increase the maximum test timeout
  • test1903: actually verify the cookies after the test
  • test1906: set a lower timeout since it's hit on Windows
  • test2600: remove special case handling for USE_ALARM_TIMEOUT
  • test650: fix an end tag typo
  • test661: return from test early in case of curl error
  • test: add missing s
  • tests: close the shell used to start sshd
  • tests: fix a race condition in ftp server disconnect
  • tests: fix compiler warnings
  • tests: Fix zombie processes left behind by FTP tests.
  • tests: improve SLOWDOWN test reliability by reducing sent data
  • tests: increase lib571 timeout from 3s to 30s
  • tests: log the test result code after each libtest
  • tests: propagate errors in libtests
  • tests: set --expect100-timeout to improve test reliability
  • tests: show which curl tool `runtests.pl` is using
  • tests: stop overriding the lock timeout
  • tftpd: always use curl's own tftp.h
  • tool: use our own stderr variable
  • tool_cb_wrt: fix debug assertion
  • tool_getparam: accept variable expansion on file names too
  • tool_setopt: remove unused function tool_setopt_flags
  • upload-file.d: describe the file name slash/backslash handling
  • url: fall back to http/https proxy env-variable if ws/wss not set
  • url: fix netrc info message
  • warnless: remove unused functions
  • wolfssh: do cleanup in Curl_ssh_cleanup
  • wolfssl: allow capath with CURLOPT_CAINFO_BLOB
  • wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
  • wolfssl: ignore errors in CA path

New in cURL 8.3.0 (Sep 13, 2023)

  • Changes:
  • curl: make %output{} in -w specify a file to write to
  • gskit: remove
  • lib: --disable-bindlocal builds curl without local binding support
  • nss: remove support for this TLS library
  • tool: add "variable" support
  • trace: make tracing available in non-debug builds
  • url: change default value for CURLOPT_MAXREDIRS to 30
  • urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
  • wolfssl: support loading system CA certificates
  • Bugfixes:
  • altsvc: accept and parse IPv6 addresses in response headers
  • asyn-ares: reduce timeout to 2000ms
  • aws-sigv4: canonicalize the query
  • aws-sigv4: fix having date header twice in some cases
  • aws-sigv4: handle no-value user header entries
  • bearssl: don't load CA certs when peer verification is disabled
  • bearssl: handshake fix, provide proper get_select_socks() implementation
  • build: fix portability of mancheck and checksrc targets
  • build: streamline non-UWP wincrypt detections
  • c-hyper: adjust the hyper to curlcode conversion
  • c-hyper: fix memory leaks in `Curl_http`
  • cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
  • cf-socket: log successful interface bind
  • CI/cirrus: disable python install on FreeBSD
  • CI: add a 32-bit i686 Linux build
  • CI: add caching to many jobs
  • CI: move on to ngtcp2 v0.19.1
  • CI: move the Alpine build from Cirrus to GHA
  • CI: ngtcp2-linux: use separate caches for tls libraries
  • CI: remove Windows builds from Cirrus, without replacement
  • CI: switch macOS ARM build from Cirrus to Circle CI
  • CI: use master again for wolfssl
  • cirrus: install everthing with pkg, avoid pip
  • cmake: add GnuTLS option
  • cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
  • cmake: add support for single libcurl compilation pass
  • cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
  • cmake: assume `wldap32` availability on Windows
  • cmake: cache more config and delete unused ones
  • cmake: detect `SSL_set0_wbio` in OpenSSL
  • cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
  • cmake: fix to use variable for the curl namespace
  • cmake: fixup H2 duplicate symbols for unity builds
  • cmake: set SIZEOF_LONG_LONG in curl_config.h
  • cmake: support building static and shared libcurl in one go
  • cmdline-docs: make sure to phrase it as "added in ...."
  • cmdline-docs: use present tense, not future
  • cmdline-opts/docs: mention the negative option part
  • cmdline-opts/page-header: clarify stronger that !opt == URL
  • cmdline-opts/page-header: reorder, clean up
  • configure, cmake, lib: more form api deprecation
  • configure: fix `HAVE_TIME_T_UNSIGNED` check
  • configure: trust pkg-config when it's used for zlib
  • configure: use the pkg-config --libs-only-l flag for libssh2
  • connect: stop halving the remaining timeout when less than 600 ms left
  • cookie-jar.d: emphasize that this option is ONLY writing cookies
  • crypto: ensure crypto initialization works
  • curl_url_get/set.3: add missing semicolon in SYNOPSIS
  • CURLINFO_CERTINFO.3: better explain curl_certinfo struct
  • CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
  • CURLOPT_*TIMEOUT*: extend and clarify
  • CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
  • CURLOPT_URL.3: add two URL API calls in the see-also section
  • CURLOPT_URL.3: explain curl_url_set() uses the same parser
  • digest: Use hostname to generate spn instead of realm
  • disable.d: explain --disable not implemented prior to 7.50.0
  • docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
  • docs/cmdline-opts: match the current output
  • docs/cmdline-opts: spellfixes, typos and polish
  • docs/cmdline: add small "warning" to verbose options
  • docs/cmdline: remove repeated working for negotiate + ntlm
  • docs/HYPER.md: document a workaround for a link error
  • docs: add curl_global_trace to some SEE ALSO sections
  • docs: link to the website versions instead of markdowns
  • docs: mark --ssl-revoke-best-effort as Schannel specific
  • docs: mention critical files in same directories as curl saves
  • docs: removing "pausing transfers" from HYPER.md.
  • docs: rewrite to present tense
  • easy: remove #ifdefs to make code easier on the eye
  • egd: delete feature detection and related source code
  • ftp: fix temp write of ipv6 address
  • gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
  • gen.pl: replace all single quotes with aq
  • GHA: adding quiche workflow
  • headers: accept leading whitespaces on first response header
  • http2: avoid too early connection re-use/multiplexing
  • http2: cleanup trace messages
  • http2: disable asssertion blocking OSSFuzz testing
  • http2: fix in h2 proxy tunnel: progress in ingress on sending
  • http2: polish things around POST
  • http2: upgrade tests and add fix for non-existing stream
  • http3/ngtcp2: shorten handshake, trace cleanup
  • http3: quiche, handshake optimization, trace cleanup
  • http: close the connection after a late 417 is received
  • http: do not require a user name when using CURLAUTH_NEGOTIATE
  • http: fix sending of large requests
  • http: remove the p_pragma struct field
  • http: return error when receiving too large header set
  • hyper: fix a progress upload counter bug
  • hyper: fix ownership problems
  • hyper: remove `hyptransfer->endtask`
  • imap: add a check for failing strdup()
  • imap: remove the only sscanf() call in the IMAP code
  • include.d: explain headers not printed with --fail before 7.75.0
  • include/curl/mprintf.h: add __attribute__ for the prototypes
  • krb5: fix "implicit conversion loses integer precision" warnings
  • lib: add ability to disable auths individually
  • lib: build fixups when built with most things disabled
  • lib: fix a few *printf() flag mistakes
  • lib: fix null ptr derefs and uninitialized vars (h2/h3)
  • lib: move mimepost data from ->req.p.http to ->state
  • libtest: use curl_free() to free libcurl allocated data
  • list-only.d: mention SFTP as supported protocol
  • macOS: fix target detection more
  • misc: fix various typos
  • multi.h: the 'revents' field of curl_waitfd is supported
  • multi: more efficient pollfd count for poll
  • multi: remove 'processing: ' debug message
  • ngtcp2: fix handling of large requests
  • openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
  • openssl: clear error queue after SSL_shutdown
  • openssl: make aws-lc version support OCSP
  • openssl: Support async cert verify callback
  • openssl: switch to modern init for LibreSSL 2.7.0+
  • openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
  • openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
  • openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
  • os400: build test servers
  • os400: do not check translatable options at build time
  • os400: implement CLI tool
  • page-footer: QLOGDIR works with ngtcp2 and quiche
  • page-header: move up a URL paragraph from GLOBBING to URL
  • pytest: fix check for slow_network skips to only apply when intended
  • quic: don't set SNI if hostname is an IP address
  • quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
  • quiche: enable quiche to handle timeout events
  • resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
  • revert "schannel: reverse the order of certinfo insertions"
  • schannel: fix ordering of cert chain info
  • schannel: fix user-set legacy algorithms in Windows 10 & 11
  • schannel: verify hostname independent of verify cert
  • sectransp: fix compiler warnings
  • sectransp: prevent CFRelease() of NULL
  • secureserver.pl: fix stunnel path quoting
  • secureserver.pl: fix stunnel version parsing
  • SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
  • system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
  • test1304: build and skip without netrc support
  • test1554: check translatable string options in OS400 wrapper
  • test1608: make it build and get skipped without shuffle DNS support
  • test687/688: two more basic --xattr tests
  • tests/tftpd+mqttd: make variables static to silence picky warnings
  • tests: add 'large-time' as a testable feature
  • tests: add support for nested %if conditions
  • tests: don't call HTTP errors OK in test cases
  • tests: ensure `libcurl.def` contains all exports
  • tests: fix h3 server check and parallel instances
  • tests: TLS session sharing test
  • tests: update cookie expiry dates to far in the future
  • time-cond.d: mention what happens on a missing file
  • tool: avoid including leading spaces in the Location hyperlink
  • tool: change some fopen failures from warnings to errors
  • tool: make the length argument an int for printf()-.* flags
  • tool_cb_wrt: fix invalid unicode for windows console
  • tool_filetime: make -z work with file dates before 1970
  • tool_operate: allow both SSL_CERT_FILE and SSL_CERT_DIR
  • tool_operate: make aws-sigv4 not require TLS to be used
  • tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
  • tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
  • transfer: also stop the sending on closed connection
  • transfer: don't set TIMER_STARTTRANSFER on first send
  • unit2600: fix build warning if built without verbose messages
  • url: remove infof() output for "still name resolving"
  • urlapi: fix heap buffer overflow
  • urlapi: make sure zoneid is also duplicated in curl_url_dup
  • urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
  • urlapi: setting a blank URL ("") is not an ok URL
  • vquic: show stringified messages for errno
  • vtls: clarify "ALPN: offers" message
  • winbuild: improve check for static zlib
  • wolfSSL: avoid the OpenSSL compat API when not needed
  • workflows/macos.yml: disable zstd and alt-svc in the http-only build
  • write-out.d: clarify %{time_starttransfer}
  • ws: fix spelling mistakes in examples and tests

New in cURL 8.2.1 (Jul 26, 2023)

  • Bugfixes:
  • amigaos: fix sys/mbuf.h m_len macro clash
  • amissl: add missing signal.h include
  • amissl: fix AmiSSL v5 detection
  • cfilters: rename close/connect functions to avoid clashes
  • ciphers.d: put URL in first column
  • cmake: add `libcurlu`/`libcurltool` for unit tests
  • cmake: update ngtcp2 detection
  • configure: check for nghttp2_session_get_stream_local_window_size
  • CONTRIBUTE: drop mention of copyright year ranges
  • CONTRIBUTE: fix syntax in commit message description
  • curl_multi_wait.3: fix arg quoting to doc macro .BR
  • docs: mark two TLS options for TLS, not SSL
  • docs: provide more see also for cipher options
  • hostip: return IPv6 first for localhost resolves
  • http2: fix regression on upload EOF handling
  • http: VLH, very large header test and fixes
  • libcurl-errors.3: add CURLUE_OK
  • os400: correct EXPECTED_STRING_LASTZEROTERMINATED
  • quiche: fix lookup of transfer at multi
  • quiche: fix segfault and other things
  • rustls: update rustls-ffi 0.10.0
  • socks: print ipv6 address within brackets
  • src/mkhelp: strip off escape sequences
  • tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
  • transfer: do not clear the credentials on redirect to absolute URL
  • unittest: remove unneeded *_LDADD
  • websocket: rename arguments/variables to match docs

New in cURL 8.2.0 (Jul 19, 2023)

  • Changes:
  • curl: add --ca-native and --proxy-ca-native
  • curl: add --trace-ids
  • CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
  • haproxy: add --haproxy-clientip flag to set client IPs
  • lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
  • Bugfixes:
  • bufq: make write/pass methods more robust
  • build: drop unused/redundant `HAVE_WINLDAP_H`
  • cf-socket: don't bypass fclosesocket callback if cancelled before connect
  • cf-socket: move ctx declaration under HAVE_GETPEERNAME
  • cf-socket: skip getpeername()/getsockname for TFTP
  • checksrc: modernise perl file open
  • checksrc: quote the file name to work with "funny" letters
  • CI: brew fix for openssl in default path
  • CI: don't install impacket if tests are not run
  • CI: enable parallel make in more builds
  • circleci: install impacket & wolfssl 5.6.0
  • cmake: add support for "unity" builds
  • cmake: make use of snprintf
  • cmake: stop CMake from quietly ignoring missing Brotli
  • configure: add check for ldap_init_fd
  • configure: fix run-compiler for old /bin/sh
  • configure: the --without forms of the options are also gone
  • connect-timeout.d: mention that the DNS lookup is included
  • curl.h: include for vxworks
  • curl: count uploaded data to stop at the originally given size
  • curl: return error when asked to use an unsupported HTTP version
  • curl_easy_nextheader.3: add missing open parenthesis examples
  • curl_log: evaluate log statement only when transfer is verbose
  • curl_mprintf.3: minor fix of the example
  • curl_pushheader_byname/bynum.3: document in their own man pages
  • curl_url_set: enforce the max string length check for all parts
  • CURLOPT_AWS_SIGV4.3: remove unused variable from example
  • CURLOPT_INFILESIZE.3: mention -1 triggers chunked
  • CURLOPT_MIMEPOST.3: clarify what setting to NULL means
  • CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search
  • docs/libcurl/libcurl.3: cleanups and improvements
  • docs: add more .IP after .RE to fix indentation of generate paragraphs
  • docs: fix missing parameter names in examples
  • docs: update CURLOPT_UPLOAD.3
  • docs: update HTTP3.md for newer ngtcp2 and nghttp3
  • docs: use a space after RFC when spelling out RFC numbers
  • example/connect-to: show CURLOPT_CONNECT_TO
  • example/crawler: also set CURLOPT_AUTOREFERER
  • example/crawler: make it use a few more options
  • example/default-scheme: set the default scheme for schemeless URLs
  • example/hsts-preload: show one way to HSTS preload
  • example/http2-download: set CURLOPT_BUFFERSIZE
  • example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use
  • example/maxconnects: set maxconnect example
  • example/opensslthreadlock: remove
  • examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS
  • examples/http-options: show how to send "OPTIONS *"
  • examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT
  • examples/multi-debugcallback.c: avoid the bool typedef
  • examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS
  • examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH
  • examples/websocket.c: websocket example using CONNECT_ONLY
  • examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR
  • fopen: fix conversion warning on 32-bit Android
  • fopen: optimize
  • hostip.c: Move macOS-specific calls into global init call
  • HTTP/2: upload handling fixes
  • http2: better support for --limit-rate
  • http2: error stream resets with code CURLE_HTTP2_STREAM
  • http2: fix crash in handling stream weights
  • http2: fix variable type
  • http2: h2 and h2-PROXY connection alive check fixes
  • http2: raise header limitations above and beyond
  • http2: send HEADER & DATA together if possible
  • http2: treat initial SETTINGS as a WINDOW_UPDATE
  • HTTP3.md: update openssl version
  • http3/ngtcp2: upload EAGAIN handling
  • http: rectify the outgoing Cookie: header field size check
  • hyper: fix EOF handling on input
  • hyper: unslow
  • imap-append.c: update to make it more likely to work
  • imap: Provide method to disable SASL if it is advertised
  • krb5: add typecast to please Coverity
  • libcurl-url.3: also mention CURLUPART_ZONEID
  • libcurl-ws.3. WebSocket API overview
  • libssh2: provide error message when setting host key type fails
  • libssh2: use custom memory functions
  • ngtcp2: assigning timeout, but value is overwritten before used
  • ngtcp2: build with 0.17.0 and nghttp3 0.13.0
  • ngtcp2: use ever increasing timestamp in io
  • quiche: avoid NULL deref in debug logging
  • quiche: fix defects found in latest coverity report
  • quote.d: fix indentation of generated paragraphs
  • runtests: abort test run after failure without -a
  • runtests: better handle ^C during slow tests
  • runtests: consistently write the test check summary block
  • runtests: create multiple test runners when requested
  • runtests: include missing valgrind package
  • runtests: make test file directories in log/N
  • runtests: rename server command file
  • runtests: use more consistent failure lines
  • runtests: work around a perl without SIGUSR1
  • runtests; give each server a unique log lock file
  • scripts: Fix GHA matrix job detection in cijobs.pl
  • sectransp: fix EOF handling
  • system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
  • test2600: fix the description
  • test427: verify sending more cookies than fit in a 8190 bytes line
  • tests/http: Add mod_h2 directive `H2ProxyRequests`
  • tests/servers.pm: pick unused port number with a server socket
  • tests/servers: generate temp names in /tmp for unix domain sockets
  • tests: fix error messages & handling around sockets
  • tests: improve reliability of TFTP tests
  • testutil: allow multiple %-operators on the same line
  • timeval: use CLOCK_MONOTONIC_RAW if available
  • tls13-ciphers.d: include Schannel
  • tool: remove exclamation marks from error/warning messages
  • tool: remove newlines from all helpf/notef/warnf/errorf calls
  • tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
  • tool_getparam: fix comment
  • tool_operate: allow cookie lines up to 8200 bytes
  • tool_parsecfg: accept line lengths up to 10M
  • tool_urlglob: use curl_off_t instead of longs
  • tool_writeout_json: fix encoding of control characters
  • transfer: clear credentials when redirecting to absolute URL
  • urlapi: have *set(PATH) prepend a slash if one is missing
  • urlapi: scheme must start with alpha
  • vtls: avoid memory leak if sha256 call fails
  • websocket-cb: example doing WebSocket download using callback
  • wolfssl: detect when TLS 1.2 support is not built into wolfssl
  • wolfssl: support setting CA certificates as blob
  • ws: make the curl_ws_meta() return pointer a const

New in cURL 8.1.2 (May 30, 2023)

  • Bugfixes:
  • configure: quote the assignments for run-compiler
  • configure: without pkg-config and no custom path, use -lnghttp2
  • curl: cache the --trace-time value for a second
  • http2: fix EOF handling on uploads with auth negotiation
  • http3: send EOF indicator early as possible
  • lib1560: verify more scheme guessing
  • lib: remove unused functions, make single-use static
  • libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
  • libssh: when keyboard-interactive auth fails, try password
  • misc: fix spelling mistakes
  • page-header: mention curl version and how to figure out current release
  • page-header: minor wording polish in the URL segment
  • scripts/singleuse.pl: add more API calls
  • urlapi: remove superfluous host name check

New in cURL 8.1.1 (May 23, 2023)

  • Bugfixes:
  • cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND
  • checksrc: disallow spaces before labels
  • cmake: avoid `list(PREPEND)` for compatibility
  • cmake: repair cross compiling
  • configure: fix --help alignment
  • configure: generate a script to run the compiler
  • curl_easy_getinfo: clarify on return data types
  • docs: document that curl_url_cleanup(NULL) is a safe no-op
  • hostip: move easy_lock.h include above curl_memory.h
  • http2: double http request parser max line length
  • http2: increase stream window size to 10 MB
  • http2: upload improvements
  • lib: fix conversion warnings with gcc on macOS
  • lib: rename struct 'http_req' to 'httpreq'
  • ngtcp2: fix compiler warning about possible null-deref
  • ngtcp2: proper handling of uint64_t when adjusting send buffer
  • os400: update chkstrings.c
  • runtests: handle interrupted reads from IPC pipes
  • runtests: use the correct fd after select
  • sectransp.c: make the code c89 compatible
  • select: avoid returning an error on EINTR from select() or poll()
  • test425: fix the log directory for the upload
  • url: provide better error message when URLs fail to parse
  • urlapi: allow numerical parts in the host name
  • vquic.c: make recvfrom_packets static, avoid compiler warning

New in cURL 8.1.0 (May 17, 2023)

  • Changes:
  • curl: add --proxy-http2
  • CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
  • hostip: refuse to resolve the .onion TLD
  • tool_writeout: add URL component variables
  • Bugfixes:
  • amiga: Fix CA certificate paths for AmiSSL and MorphOS
  • autotools: sync up clang picky warnings with cmake
  • aws-sigv4.d: fix region identifier in example
  • bufq: simplify since expression is always true
  • cf-h1-proxy: skip an extra NULL assign
  • cf-h2-proxy: fix processing ingress to stop too early
  • cf-socket: add socket recv buffering for most tcp cases
  • cf-socket: Disable socket receive buffer by default
  • cf-socket: remove dead code discovered by PVS
  • cf-socket: turn off IPV6_V6ONLY on Windows if it is supported
  • checksrc: check for spaces before the colon of switch labels
  • checksrc: find bad indentation in conditions without open brace
  • checksrc: fix SPACEBEFOREPAREN for conditions starting with "*"
  • ci: `-Wno-vla` no longer necessary
  • CI: fix brew retries on GHA
  • CI: Set minimal permissions on workflow ngtcp2-quictls.yml
  • CI: skip Azure for commits which change only GHA
  • CI: use another glob syntax for matching files on Appveyor
  • cmake: bring in the network library on Haiku
  • cmake: do not add zlib headers for openssl
  • CMake: make config version 8 compatible with 7
  • cmake: picky-linker fixes for openssl, ZLIB, H3 and more
  • cmake: set SONAME for SunOS too
  • cmake: speed up and extend picky clang/gcc options
  • CMakeLists.txt: fix typo for Haiku detection
  • compressed.d: clarify the words on "not notifying headers"
  • config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP
  • configure: don't set HAVE_WRITABLE_ARGV on Windows
  • configure: fix detection of apxs (for httpd)
  • configure: make quiche require quiche_conn_send_ack_eliciting
  • connect: fix https connection setup to treat ssl_mode correctly
  • content_encoding: only do transfer-encoding compression if asked to
  • cookie: address PVS nits
  • cookie: clarify that init with data set to NULL reads no file
  • curl: do NOT append file name to path for upload when there's a query
  • curl_easy_getinfo.3: typo fix (duplicated "from the")
  • curl_easy_unescape.3: rename the argument
  • curl_path: bring back support for SFTP path ending in /~
  • curl_url_set.3: mention that users can set content rather freely
  • CURLOPT_IPRESOLVE.3: this for host names, not IP addresses
  • data.d: emphasize no conversion
  • digest: clear target buffer
  • doc: curl_mime_init() strong easy binding was relaxed in 7.87.0
  • docs/cmdline-opts: document the dotless config path
  • docs/examples/protofeats.c: outputs all protocols and features
  • docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string"
  • docs/SECURITY-ADVISORY.md: how to write a curl security advisory
  • docs: bump the minimum perl version to 5.6
  • docs: clarify that more backends have HTTPS proxy support
  • dynbuf: never allocate larger than "toobig"
  • easy_cleanup: require a "good" handle to act
  • ftp: fix 'portsock' variable was assigned the same value
  • ftp: remove dead code
  • ftplistparser: move out private data from public struct
  • ftplistparser: replace realloc with dynbuf
  • gen.pl: error on duplicated See-Also fields
  • getpart: better handle case of file not found
  • GHA-linux: add an address-sanitizer build
  • GHA: add a memory-sanitizer job
  • GHA: run all linux test jobs with valgrind
  • GHA: suppress git clone output
  • GIT-INFO: add --with-openssl
  • gskit: various compile errors in OS400
  • h2/h3: replace `state.drain` counter with `state.dselect_bits`
  • hash: fix assigning same value
  • headers: clear (possibly) lingering pointer in init
  • hostcheck: fix host name wildcard checking
  • hostip: add locks around use of global buffer for alarm()
  • hostip: enforce a maximum DNS cache size independent of timeout value
  • HTTP-COOKIES.md: mention the #HttpOnly_ prefix
  • http2: always EXPIRE_RUN_NOW unpaused http/2 transfers
  • http2: do flow window accounting for cancelled streams
  • http2: enlarge the connection window
  • http2: flow control and buffer improvements
  • http2: move HTTP/2 stream vars into local context
  • http2: pass `stream` to http2_handle_stream_close to avoid NULL checks
  • http2: remove unused Curl_http2_strerror function declaration
  • HTTP3/quiche: terminate h1 response header when no body is sent
  • http3: check stream_ctx more thoroughly in all backends
  • HTTP3: document the ngtcp2/nghttp3 versions to use for building curl
  • http3: expire unpaused transfers in all HTTP/3 backends
  • http3: improvements across backends
  • http: free the url before storing a new copy
  • http: skip a double NULL assign
  • ipv4.d/ipv6.d: they are "mutex", not "boolean"
  • KNOWN_BUGS: remove fixed or outdated issues, move non-bugs
  • lib/cmake: add HAVE_WRITABLE_ARGV check
  • lib/sha256.c: typo fix in comment (duplicated "is available")
  • lib1560: verify that more bad host names are rejected
  • lib: add `bufq` and `dynhds`
  • lib: remove CURLX_NO_MEMORY_CALLBACKS
  • lib: unify the upload/method handling
  • lib: use correct printf flags for sockets and timediffs
  • libssh2: fix crash in keyboard callback
  • libssh2: free fingerprint better
  • libssh: tell it to use SFTP non-blocking
  • man pages: simplify the .TH sections
  • MANUAL.md: add dict example for looking up a single definition
  • md(4|5): don't use deprecated iOS functions
  • md4: only build when used
  • mime: skip NULL assigns after Curl_safefree()
  • multi: add handle asserts in DEBUG builds
  • multi: add multi-ignore logic to multi_socket_action
  • multi: free up more data earleier in DONE
  • multi: remove a few superfluous assigns
  • multi: remove PENDING + MSGSENT handles from the main linked list
  • ngtcp2: adapted to 0.15.0
  • ngtcp2: adjust config and code checks for ngtcp2 without nghttp3
  • noproxy: pointer to local array 'hostip' is stored outside scope
  • ntlm: clear lm and nt response buffers before use
  • openssl: interop with AWS-LC
  • OS400: fix and complete ILE/RPG binding
  • OS400: implement EBCDIC support for recent features
  • OS400: improve vararg emulation
  • OS400: provide ILE/RPG usage examples
  • pingpong: fix compiler warning "assigning an enum to unsigned char"
  • pytest: improvements for suitable curl and error output
  • quiche: disable pacing while pacing is not actually performed
  • quiche: Enable IDLE egress handling
  • RELEASE-PROCEDURE: update to new schedule
  • rtsp: convert mallocs to dynbuf for RTP buffering
  • rtsp: skip malformed RTSP interleaved frame data
  • rtsp: skip NULL assigns after Curl_safefree()
  • runtests: die if curl version can be found
  • runtests: don't start servers if -l is given
  • runtests: fix -c option when run with valgrind
  • runtests: fix quoting in Appveyor and Azure test integration
  • runtests: lots of refactoring
  • runtests: refactor into more packages
  • runtests: show error message if file can't be written
  • runtests: spawn a new process for the test runner
  • rustls: fix error in recv handling
  • schannel: add clarifying comment
  • server/getpart: clear target buffer before load
  • smb: remove double assign
  • smbserver: remove temporary files before exit
  • socketpair: verify with a random value
  • ssh: Add support for libssh2 read timeout
  • telnet: simplify the implementation of str_is_nonascii()
  • test1169: fix so it works properly everywhere
  • test1592: add flaky keyword
  • test1960: point to the correct path for the precheck tool
  • test303: kill server after test
  • tests/http: add timeout to running curl in test cases
  • tests/http: fix log formatting on wrong exit code
  • tests/http: fix out-of-tree builds
  • tests/http: improved httpd detection
  • tests/http: more tests with specific clients
  • tests/http: relax connection check in test_07_02
  • tests/keywords.pl: remove
  • tests/libtest/lib1900.c: remove
  • tests/sshserver.pl: Define AddressFamily earlier
  • tests: 1078 1288 1297 use valid IPv4 addresses
  • tests: document that the unittest keyword is special
  • tests: increase sws timeout for more robust testing
  • tests: log a too-long Unix socket path in sws and socksd
  • tests: make test_12_01 a bit more forgiving on connection counts
  • tests: move pidfiles and portfiles under the log directory
  • tests: move server config files under the pid dir
  • tests: silence some Perl::Critic warnings in test suite
  • tests: stop using strndup(), which isn't portable
  • tests: switch to 3-argument open in test suite
  • tests: turn perl modules into full packages
  • tests: use %LOGDIR to refer to the log directory
  • tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals
  • tool_operate: pass a long as CURLOPT_HEADEROPT argument
  • tool_operate: refuse (--data or --form) and --continue-at combo
  • transfer: refuse POSTFIELDS + RESUME_FROM combo
  • transfer: skip extra assign
  • url: fix null dispname for --connect-to option
  • url: fix PVS nits
  • url: remove call to Curl_llist_destroy in Curl_close
  • urlapi: cleanups and improvements
  • urlapi: detect and error on illegal IPv4 addresses
  • urlapi: prevent setting invalid schemes with *url_set()
  • urlapi: skip a pointless assign
  • urlapi: URL encoding for the URL missed the fragment
  • urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication
  • urldata: shrink *select_bits int => unsigned char
  • vlts: use full buffer size when receiving data if possible
  • vtls and h2 improvements
  • Websocket: enhanced en-/decoding
  • wolfssl.yml: bump to version 5.6.0
  • write-out.d: Use response_code in example
  • ws: handle reads before EAGAIN better

New in cURL 8.0.1 (Mar 21, 2023)

  • Bugfixes:
  • fix crash in curl_easy_cleanup

New in cURL 8.0.0 (Mar 20, 2023)

  • Changes:
  • build: remove support for curl_off_t < 8 bytes
  • Bugfixes:
  • .cirrus.yml: Bump to FreeBSD 13.2
  • aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
  • BINDINGS: add Fortran binding
  • build: drop the use of XC_AMEND_DISTCLEAN
  • build: fix stdint/inttypes detection with non-autotools
  • cf-socket: fix handling of remote addr for accepted tcp sockets
  • cf-socket: if socket is already connected, return CURLE_OK
  • cf-socket: use port 80 when resolving name for local bind
  • CI: don't run CI jobs if only another CI was changed
  • CI: update ngtcp2 and nghttp2 for pytest
  • cmake: delete unused HAVE__STRTOI64
  • cmake: fix enabling LDAPS on Windows
  • cmake: skip CA-path/bundle auto-detection in cross-builds
  • connect: fix time_connect and time_appconnect timer statistics
  • cookie: don't load cookies again when flushing
  • cookie: parse without sscanf()
  • curl.h: require gcc 12.1 for the deprecation magic
  • curl: make -w's %{stderr} use the file set with --stderr
  • curl_path: create the new path with dynbuf
  • CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections
  • CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket
  • CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
  • DEPRECATE: the original legacy mingw version 1
  • doc: fix compiler warning in libcurl.m4
  • docs/cmdline-opts: mark all global options
  • docs/SECURITY-PROCESS.md: updates
  • docs: extend the URL API descriptions
  • docs: note '--data-urlencode' option
  • DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
  • easy: remove infof() debug leftover from curl_easy_recv
  • examples/http3.c: use CURL_HTTP_VERSION_3
  • ftp: active mode with SSL, add the filter
  • ftp: add more conditions for connection reuse
  • ftp: allocate the wildcard struct on demand
  • ftp: make the EPSV response parser not use sscanf
  • ftp: replace sscanf for MDTM 213 response parsing
  • ftp: replace sscanf for PASV parsing
  • gssapi: align `gss_OID_desc` to silence ld warnings on macOS ventura
  • headers: make curl_easy_header and nextheader return different buffers
  • hostip: avoid sscanf and extra buffer copies
  • http2: fix error handling during parallel operations
  • http2: fix for http2-prior-knowledge when reusing connections
  • http2: fix handling of RST and GOAWAY to recognize partial transfers
  • http2: fix upload busy loop
  • http: don't send 100-continue for short PUT requests
  • http: fix unix domain socket use in https connects
  • http: rewrite the status line parser without sscanf
  • http_proxy: parse the status line without sscanf
  • idn: return error if the conversion ends up with a blank host
  • krb5: avoid sscanf for parsing
  • lib1560: test parsing URLs with ridiculously large fields
  • lib2305: deal with CURLE_AGAIN
  • lib517: verify time stamps without leading zeroes plus some more
  • lib: silence clang/gcc -Wvla warnings in brotli headers
  • lib: skip Curl_llist_destroy calls
  • libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3
  • libssh2: only set the memory callbacks when debugging
  • libssh2: remove unused variable from libssh2's struct
  • libssh: use dynbuf instead of realloc
  • Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro
  • Makefile.mk: fix -g option in debug mode
  • mqtt: on send error, return error
  • multi: make multi_perform ignore/unignore signals less often
  • multi: remove PENDING + MSGSENT handles from the main linked list
  • ngtcp2-gnutls.yml: bump to gnutls 3.8.0
  • ngtcp2: fix unwanted close of file descriptor 0
  • page-footer: add explanation for three missing exit codes
  • parsedate: parse strings without using sscanf()
  • parsedate: replace sscanf( for time stamp parsing
  • quic/schannel: fix compiler warnings
  • rand: use arc4random as fallback when available
  • rate.d: single URLs make no sense in --rate example
  • RELEASE-PROCEDURE.md: update coming release dates
  • rtsp: avoid sscanf for parsing
  • runtests: use a hash table for server port numbers
  • sectransp: fix compiler warning c89 mixed code/declaration
  • sectransp: make read_cert() use a dynbuf when loading
  • secure-transport: fix recv return code handling
  • select: stop treating POLLRDBAND as an error
  • setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct
  • socket: detect "dead" connections better, e.g. not fit for reuse
  • src: silence wmain() warning for all build methods
  • telnet: only accept option arguments in ascii
  • telnet: parse NEW_ENVIRON without sscanf
  • telnet: parse telnet options without sscanf
  • telnet: parse the WS= argument without sscanf
  • test1470: test socks proxy using unix sockets and connect to https
  • test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED
  • test2600: detect when ALARM_TIMEOUT is in use and adjust
  • test422: verify --next used without a prior URL
  • tests/http: add pytest to GHA and improve tests
  • tests: add `cookies` features
  • tests: add timeout, SLOWDOWN and DELAY keywords to tests
  • tests: fix gnutls-serv check
  • tests: fix MSVC unreachable code warnings in unit tests
  • tests: hack to build most unit tests under cmake
  • tests: HTTP server fixups
  • tests: keep cmake unit tests names in sync
  • tests: make CPPFLAGS common to all unit tests
  • tests: make first.c the same for both lib tests and unit tests
  • tests: support for imaps/pop3s/smtps protocols
  • tests: sync option lists in runtests.pl & its man page
  • tests: test secure mail protocols with explicit SSL requests
  • tests: use AM_CPPFILES to modify flags in unit tests
  • tests: use dynamic ports numbers in pytest suite
  • tool: dump headers even if file is write-only
  • tool: improve --stderr handling
  • tool_getparam: don't add a new node for just --no-remote-name
  • tool_getparam: error if --next is used without a prior URL
  • tool_operate: avoid fclose(NULL) on bad header dump file
  • tool_operate: propagate error codes for missing URL after --next
  • tool_progress: shut off progress meter for --silent in parallel
  • tool_writeout_json. fix the output for duplicate header names
  • transfer: limit Windows SO_SNDBUF updates to once a second
  • url: fix cookielist memleak when curl_easy_reset
  • url: fix logic in connection reuse to deny reuse on "unclean" connections
  • url: fix the SSH connection reuse check
  • url: only reuse connections with same GSS delegation
  • url: remove dummy protocol handler
  • urlapi: '%' is illegal in host names
  • urlapi: avoid mutating internals in getter routine
  • urlapi: parse IPv6 literals without ENABLE_IPV6
  • urlapi: take const args in _dup and _get functions
  • wildcard: remove files and move functions into ftplistparser.c
  • winbuild: fix makefile clean
  • wolfssl: add quic/ngtcp2 detection in cmake, and fix builds
  • wolfSSL: ressurect the BIO `io_result`
  • ws: keep the socket non-blocking
  • x509asn1.c: use correct format specifier for infof() call
  • x509asn1: use plain %x, not %lx, when the arg is an int

New in cURL 7.88.1 (Feb 20, 2023)

  • Bugfixes:
  • build-openssl.bat: keep OpenSSL 3 engine binaries
  • cmake: fix Windows check for CryptAcquireContext
  • connnect: fix timeout handling to use full duration
  • curl: make --silent work stand-alone
  • curl_setup: Suppress OpenSSL 3 deprecation warnings
  • CURLOPT_WS_OPTIONS.3: fix the availability version
  • GHA: update rustls dependency to 0.9.2
  • http2: buffer/pausedata and output flush fix.
  • http2: set drain on stream end
  • http: include stdint.h more readily
  • krb5: silence cast-align warning
  • lib1560: add IPv6 canonicalization tests
  • os400: correct Curl_os400_sendto()
  • remote-header-name.d: mention that filename* is not supported
  • runtests: fix "uninitialized value $port"
  • setopt: allow HTTP3 when HTTP2 is not defined
  • socketpair: allow EWOULDBLOCK when reading the pair check bytes
  • socks: allow using DoH to resolve host names
  • tests-httpd: add proxy tests
  • tests: make sure gnuserv-tls has SRP support before using it
  • tests: make the telnet server shut down a socket gracefully
  • tool_getparam: make --get a true boolean
  • tool_operate: allow debug builds to set buffersize
  • urlapi: do the port number extraction without using sscanf()
  • urldata: remove `now` from struct SingleRequest - not needed

New in cURL 7.88.0 (Feb 15, 2023)

  • Changes:
  • curl.h: add CURL_HTTP_VERSION_3ONLY
  • share: add sharing of HSTS cache among handles
  • src: add --http3-only
  • tool_operate: share HSTS between handles
  • urlapi: add CURLU_PUNYCODE
  • writeout: add %{certs} and %{num_certs}
  • Bugfixes:
  • cf-socket: fix build when not HAVE_GETPEERNAME
  • cf-socket: keep sockaddr local in the socket filters
  • cfilters:Curl_conn_get_select_socks: use the first non-connected filter
  • CI: add a workflow to automatically label pull requests
  • CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
  • CI: Retry failed downloads to reduce spurious failures
  • CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
  • cmake: bump requirement to 3.7
  • cmake: check for sendmsg
  • cmake: delete redundant macro definition `SECURITY_WIN32`
  • cmake: fix dev warning due to mismatched arg
  • cmake: fix the snprintf detection
  • cmake: remove deprecated symbols check
  • cmake: set SOVERSION also for macOS
  • cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
  • cmdline-opts/Makefile: on error, do not leave a partial
  • CODEOWNERS: remove the peeps mentioned as CI owners
  • connect: fix access of pointer before NULL check
  • connect: fix build when not ENABLE_IPV6
  • connect: fix strategy testing for attempts, timeouts and happy-eyeball
  • connections: introduce http/3 happy eyeballs
  • content_encoding: do not reset stage counter for each header
  • CONTRIBUTE: More formally specify the commit description
  • cookies: fp is always not NULL
  • copyright.pl: cease doing year verifications
  • copyright: update all copyright lines and remove year ranges
  • curl.1: make help, version and manual sections "custom"
  • curl.h: allow up to 10M buffer size
  • curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
  • curl/websockets.h: extend the websocket frame struct
  • curl: output warning at --verbose output for debug-enabled version
  • curl_free.3: fix return type of `curl_free`
  • curl_global_sslset.3: clarify the openssl situation
  • curl_log: for failf/infof and debug logging implementations
  • curl_setup: Disable by default recv-before-send in Windows
  • curl_version_info.3: fix typo
  • curl_ws_send.3: clarify how to send multi-frame messages
  • CURLOPT_HEADERDATA.3: warn DLL users must set write function
  • CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
  • CURLOPT_WRITEFUNCTION.3: fix memory leak in example
  • dict: URL decode the entire path always
  • docs/DEPRECATE.md: deprecate gskit
  • docs: add link to GitHub Discussions
  • docs: mention indirect effects of --insecure
  • docs: POSTFIELDSIZE must be set to -1 with read function
  • doh: ifdef IPv6 code
  • easyoptions: fix header printing in generation script
  • escape: hex decode with a lookup-table
  • escape: use table lookup when adding %-codes to output
  • examples: remove the curlgtk.c example
  • fopen: remove unnecessary assignment
  • ftpserver: lower the DATA connect timeout to speed up torture tests
  • GHA/macos.yml: bump to gcc-12
  • GHA/macos: use Xcode_14.0.1 for cmake builds
  • GHA: add job on Slackware 15.0
  • GHA: bump ngtcp2 workflow dependencies
  • GHA: enable websockets in the torture job
  • GHA: move the quiche job here from zuul
  • GHA: use designated ngtcp2 and its dependencies versions
  • haxproxy: send before TLS handhshake
  • header.d: add a header file example
  • hsts.d: explain hsts more
  • hsts: handle adding the same host name again
  • HTTP/[23]: continue upload when state.drain is set
  • http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
  • http2: fix compiler warning due to uninitialized variable
  • http2: minor buffer and error path fixes
  • http2: when using printf %.*s, the length arg must be 'int'
  • HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
  • http: add additional condition for including stdint.h
  • http: decode transfer encoding first
  • http: fix "part of conditional expression is always false"
  • http: remove the trace message "Mark bundle... multiuse"
  • http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
  • http_proxy: do not assign data->req.p.http use local copy
  • INSTALL: document how to use multiple TLS backends
  • lib670: make test.h the first include
  • lib: connect/h2/h3 refactor
  • lib: fix typos
  • lib: fix typos in comments which repeat a word
  • libssh2: try sha2 algos for hostkey methods
  • libtest: add a sleep macro for Windows
  • Linux CI: update some dependecies to latest tag
  • Makefile.mk: fix wolfssl and mbedtls default paths
  • man pages: call the custom user pointer 'clientp' consistently
  • md4: fix build with GnuTLS + OpenSSL v1
  • misc: fix grammar and spelling
  • misc: fix spelling
  • misc: reduce struct and struct field sizes
  • msh3: add support for request payload
  • msh3: update to v0.5 Release
  • msh3: update to v0.6
  • multi: stop sending empty HTTP/3 UDP datagrams on Windows
  • multihandle: turn bool struct fields into bits
  • ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
  • ngtcp2: fix the build without 'sendmsg'
  • ngtcp2: replace removed define and stop using removed function
  • no-clobber.d: only use long form options in man page text
  • noproxy: support for space-separated names is deprecated
  • nss: implement data_pending method
  • openldap: fix missing sasl symbols at build in specific configs
  • openssl: adapt to boringssl's error code type
  • openssl: don't ignore CA paths when using Windows CA store (redux)
  • openssl: don't log raw record headers
  • openssl: make the BIO_METHOD a local variable in the connection filter
  • openssl: only use CA_BLOB if verifying peer
  • openssl: remove attached easy handles from SSL instances
  • openssl: store the CA after first send (ClientHello)
  • os400: fixes to make-lib.sh and initscript.sh
  • packages: remove Android, update README
  • release-notes.pl: check fixes/closes lines better
  • Revert "x509asn1: avoid freeing unallocated pointers"
  • runtest.pl: add expected fourth return value
  • runtests: tear down http2/http3 servers when https server is stopped
  • runtests: consider warnings fatal and error on them
  • runtests: fix detection of TLS backends
  • runtests: make 'mbedtls' a testable feature
  • rustls: improve error messages
  • scripts/delta: show percent of number of files changed since last tag
  • scripts: fix Appveyor job detection in cijobs.pl
  • scripts: set file mode +x on all perl and shell scripts
  • sectransp: fix for incomplete read/writes
  • SECURITY-PROCESS.md: document severity levels
  • setopt: Address undefined behaviour by checking for null
  • setopt: move the SHA256 opt within #ifdef libssh2
  • setopt: use >, not >=, when checking if uarg is larger than uint-max
  • smb: return error on upload without size
  • socketpair: allow localhost MITM sniffers
  • strdup: name it Curl_strdup
  • system.h: assume OS400 is always built with ILEC compiler
  • test1560: use a UTF8-using locale when run
  • test2304: remove stdout verification
  • tests-httpd: basic infra to run curl against an apache httpd
  • tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
  • tests: add tests for HTTP/2 and HTTP/3 to verify the header API
  • tests: avoid use of sha1 in certificates
  • tls: fixes for wolfssl + openssl combo builds
  • tool_getparam: fix hiding of command line secrets
  • tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
  • tool_operate: fix error codes during DOS filename sanitize
  • tool_operate: fix error codes on bad URL & OOM
  • tool_operate: fix headerfile writing
  • tool_operate: repair --rate
  • transfer: break the read loop when RECV is cleared
  • typecheck: accept expressions for option/info parameters
  • url: fix part of conditional expression is always true
  • urlapi: avoid Curl_dyn_addf() for hex outputs
  • urlapi: fix part of conditional expression is always true: qlen
  • urlapi: skip path checks if path is just "/"
  • urlapi: skip the extra dedotdot alloc if no dot in path
  • urldata: cease storing TLS auth type
  • urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
  • urldata: make set.http200aliases conditional on HTTP being present
  • urldata: move the cookefilelist to the 'set' struct
  • urldata: remove unused struct fields, made more conditional
  • vquic: stabilization and improvements
  • vtls: fix hostname handling in filters
  • vtls: manage current easy handle in nested cfilter calls
  • vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
  • winbuild: document that arm64 is supported
  • windows: always use curl's basename() implementation
  • wolfssl: remove deprecated post-quantum algorithms
  • workflows/linux.yml: merge 3 common packages
  • write-out.d: add 'since version' to %{header_json} documentation
  • write-out.d: clarify Windows % symbol escaping
  • ws: fix autoping handling
  • ws: fix multiframe send handling
  • ws: fix recv of larger frames
  • ws: remove bad assert
  • ws: unstick connect-only shutdown
  • ws: use %Ou for outputting curl_off_t with info()
  • x509asn1: fix compile errors and warnings
  • zuul: stop using this CI service

New in cURL 7.87.0 (Dec 21, 2022)

  • Changes:
  • curl: add --url-query
  • CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
  • lib: add CURL_WRITEFUNC_ERROR to signal write callback error
  • openssl: reduce CA certificate bundle reparsing by caching
  • version: add a feature names array to curl_version_info_data
  • Bugfixes:
  • altsvc: fix rejection of negative port numbers
  • aws_sigv4: consult x-%s-content-sha256 for payload hash
  • aws_sigv4: fix typos in aws_sigv4.c
  • base64: better alloc size
  • base64: encode without using snprintf
  • base64: faster base64 decoding
  • build: assume assert.h is always available
  • build: assume errno.h is always available
  • c-hyper: CONNECT respones are not server responses
  • c-hyper: fix multi-request mechanism
  • CI: Change FreeBSD image from 12.3 to 12.4
  • CI: LGTM.com will be shut down in December 2022
  • ci: Remove zuul fuzzing job as it's superseded by CIFuzz
  • cmake: check for cross-compile, not for toolchain
  • CMake: fix build with `CURL_USE_GSSAPI`
  • cmake: really enable warnings with clang
  • cmake: set the soname on the shared library
  • cmdline-opts/gen.pl: fix the linkifier
  • cmdline-opts/page-footer: remove long option nroff formatting
  • config-mac: define HAVE_SYS_IOCTL_H
  • config-mac: fix typo: size_T -> size_t
  • config-mac: remove HAVE_SYS_SELECT_H
  • config-win32: fix SIZEOF_OFF_T for MSVC and old MinGW
  • configure: require fork for NTLM-WB
  • contributors.sh: actually use $CURLWWW instead of just setting it
  • cookie: compare cookie prefixes case insensitively
  • cookie: expire cookies at once when max-age is negative
  • cookie: open cookie jar as a binary file
  • curl-openssl.m4: do not add $prefix/include/openssl to CPPFLAGS
  • curl-rustls.m4: on macOS, rustls also needs the Security framework
  • curl.h: include on SerenityOS
  • curl.h: name all public function parameters
  • curl.h: reword comment to not use deprecated option
  • curl: override the numeric locale and set "C" by force
  • curl: timeout in the read callback
  • curl_endian: remove Curl_write64_le from header
  • curl_get_line: allow last line without newline char
  • curl_path: do not add '/' if homedir ends with one
  • curl_url_get.3: remove spurious backtick
  • curl_url_set.3: document CURLU_DISALLOW_USER
  • curl_url_set.3: fix typo
  • CURLMOPT_SOCKETFUNCTION.3: clarify CURL_POLL_REMOVE
  • CURLOPT_COOKIEFILE.3: advice => advise
  • CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example
  • CURLOPT_DEBUGFUNCTION.3: emphasize that incoming data is "raw"
  • CURLOPT_POST.3: Explain setting to 0 changes request type
  • docs/curl_ws_send: Fixed typo in websocket docs
  • docs/EARLY-RELEASE.md: how to determine an early release
  • docs/examples: spell correction ('Retrieve')
  • docs/INSTALL.md: expand on static builds
  • docs/WEBSOCKET.md: explain the URL use
  • docs: add missing parameters for --retry flag
  • docs: add more "SEE ALSO" links to CA related pages
  • docs: explain the noproxy CIDR notation support
  • docs: extend the dump-header documentation
  • docs: remove performance note in CURLOPT_SSL_VERIFYPEER
  • examples/10-at-a-time: fix possible skipped final transfers
  • examples: update descriptions
  • ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH
  • gen.pl: do not generate CURLHELP bitmask lines > 79 characters
  • GHA: clarify workflows permissions, set least possible privilege
  • GHA: NSS use clang instead of clang-9
  • gnutls: use common gnutls init and verify code for ngtcp2
  • headers: add endif comments
  • HTTP-COOKIES.md: mention that http://localhost is a secure context
  • HTTP-COOKIES.md: update the 6265bis link to draft-11
  • http: do not send PROXY more than once
  • http: fix the ::1 comparison for IPv6 localhost for cookies
  • http: set 'this_is_a_follow' in the Location: logic
  • http: use the IDN decoded name in HSTS checks
  • hyper: classify headers as CONNECT and 1XX
  • hyper: fix handling of hyper_task's when reusing the same address
  • idn: remove Curl_win32_ascii_to_idn
  • INSTALL: update operating systems and CPU archs
  • KNOWN_BUGS: remove eight entries
  • lib1560: add some basic IDN host name tests
  • lib: connection filters (cfilter) addition to curl:
  • lib: feature deprecation warnings in gcc >= 4.3
  • lib: fix some type mismatches and remove unneeded typecasts
  • lib: parse numbers with fixed known base 10
  • lib: remove bad set.opt_no_body assignments
  • lib: rewind BEFORE request instead of AFTER previous
  • lib: sync guard for Curl_getaddrinfo_ex() definition and use
  • lib: use size_t or int etc instead of longs
  • libcurl-errors.3: remove duplicate word
  • libssh2: return error when ssh_hostkeyfunc returns error
  • limit-rate.d: see also --rate
  • log2changes.pl: wrap long lines at 80 columns
  • Makefile.mk: address minor issues
  • Makefile.mk: improve a GNU Make hack
  • Makefile.mk: portable Makefile.m32
  • maketgz: set the right version in lib/libcurl.plist
  • mime: relax easy/mime structures binding
  • misc: Fix incorrect spelling
  • misc: remove duplicated include files
  • misc: typo and grammar fixes
  • negtelnetserver.py: have it call its close() method
  • netrc.d: provide mutext info
  • netware: remove leftover traces
  • noproxy: also match with adjacent comma
  • noproxy: guard against empty hostnames in noproxy check
  • noproxy: tailmatch like in 7.85.0 and earlier
  • nroff-scan.pl: detect double highlights
  • ntlm: improve comment for encrypt_des
  • ntlm: silence ubsan warning about copying from null target_info pointer
  • openssl/mbedtls: use %d for outputing port with failf (int)
  • openssl: prefix errors with '[lib]/[version]: '
  • os400: use platform socklen_t in Curl_getnameinfo_a
  • page-header: grammar improvement (display transfer rate)
  • proxy: refactor haproxy protocol handling as connection filter
  • README.md: remove badges and xmas-tree garnish
  • rtsp: fix RTSP auth
  • runtests: --no-debuginfod now disables DEBUGINFOD_URLS
  • runtests: do CRLF replacements per section only
  • scripts/checksrc.pl: detect duplicated include files
  • sendf: change Curl_read_plain to wrap Curl_recv_plain
  • sendf: remove unnecessary if condition
  • setup: do not require __MRC__ defined for Mac OS 9 builds
  • smb/telnet: do not free the protocol struct in *_done()
  • socks: fix username max size is 255 (0xFF)
  • spellcheck.words: remove 'github' as an accepted word
  • ssl-reqd.d: clarify that this is for upgrading connections only
  • strcase: use curl_str(n)equal for case insensitive matches
  • styled-output.d: this option does not work on Windows
  • system.h: fix socklen_t, curl_off_t, long long for Classic Mac OS
  • system.h: support 64-bit curl_off_t for NonStop 32-bit
  • test1421: fix typo
  • test3026: reduce runtime in legacy mingw builds
  • tests/sshserver.pl: re-enable ssh-rsa while using openssh 8.8+
  • tests: add authorityInfoAccess to generated certs
  • tests: add HTTP/3 test case, custom location for proper nghttpx
  • tls: backends use connection filters for IO, enabling HTTPS-proxy
  • tool: determine the correct fopen option for -D
  • tool_cfgable: free the ssl_ec_curves on exit
  • tool_cfgable: make socks5_gssapi_nec a boolean
  • tool_formparse: avoid clobbering on function params
  • tool_getparam: make --no-get work as the opposite of --get
  • tool_operate: provide better errmsg for -G with bad URL
  • tool_operate: when aborting, make sure there is a non-NULL error buffer
  • tool_paramhlp: free the proto strings on exit
  • url: move back the IDN conversion of proxy names
  • urlapi: reject more bad letters from the host name: &+()
  • urldata: change port num storage to int and unsigned short
  • vms: remove SIZEOF_SHORT
  • vtls: fix build without proxy support
  • vtls: localization of state data in filters
  • WEBSOCKET.md: fix broken link
  • Websocket: fixes for partial frames and buffer updates
  • websockets: fix handling of partial frames
  • windows: fail early with a missing windres in autotools
  • windows: fix linking .rc to shared curl with autotools
  • winidn: drop WANT_IDN_PROTOTYPES
  • ws: if no connection is around, return error
  • ws: return CURLE_NOT_BUILT_IN when websockets not built in
  • x509asn1: avoid freeing unallocated pointers

New in cURL 7.86.0 (Oct 26, 2022)

  • Changes:
  • NPN: remove support for and use of
  • Websockets: initial support
  • Bugfixes:
  • altsvc: reject bad port numbers
  • altsvc: use 'h3' for h3
  • amiga: do not hardcode openssl/zlib into the os config
  • amiga: set SIZEOF_CURL_OFF_T=8 by default
  • amigaos: add missing curl header
  • asyn-ares: set hint flags when calling ares_getaddrinfo
  • autotools: allow --enable-symbol-hiding with windows
  • autotools: allow unix sockets on Windows
  • autotools: reduce brute-force when detecting recv/send arg list
  • aws_sigv4: fix header computation
  • bearssl: make it proper C89 compliant
  • CI/GHA: cancel outdated CI runs on new PR changes
  • CI/GHA: merge msh3 and openssl3 builds into linux workflow
  • cirrus-ci: add macOS build with m1
  • cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
  • cli tool: do not use disabled protocols
  • cmake: add missing inet_ntop check
  • cmake: add the check of HAVE_SOCKETPAIR
  • cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
  • cmake: delete duplicate HAVE_GETADDRINFO test
  • cmake: enable more detection on Windows
  • cmake: fix original MinGW builds
  • cmake: improve usability of CMake build as a sub-project
  • cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
  • cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
  • cmake: sync HAVE_SIGNAL detection with autotools
  • cmdline/docs: add a required 'multi' keyword for each option
  • configure: correct the wording when checking grep -E
  • configure: deprecate builds with small curl_off_t
  • configure: fail if '--without-ssl' + explicit parameter for an ssl lib
  • configure: the ngtcp2 option should default to 'no'
  • connect: change verbose IPv6 address:port to [address]:port
  • connect: fix builds without AF_INET6
  • connect: fix Curl_updateconninfo for TRNSPRT_UNIX
  • connect: fix the wrong error message on connect failures
  • content_encoding: use writer struct subclasses for different encodings
  • cookie: reject cookie names or content with TAB characters
  • ctype: remove all use of , use our own versions
  • curl-compilers.m4: for gcc + want warnings, set gnu89 standard
  • curl-compilers.m4: use -O2 as default optimize for clang
  • curl-wolfssl.m4: error out if wolfSSL is not usable
  • curl.h: fix mention of wrong error code in comment
  • curl/add_file_name_to_url: use the libcurl URL parser
  • curl/add_parallel_transfers: better error handling
  • curl/get_url_file_name: use libcurl URL parser
  • curl: warn for --ssl use, considered insecure
  • curl_ctype: convert to macros-only
  • curl_easy_pause.3: unpausing is as fast as possible
  • curl_escape.3: fix typo
  • curl_setup: disable use of FLOSS for 64-bit NonStop builds
  • curl_setup: include curl.h after platform setup headers
  • curl_setup: include only system.h instead of curl.h
  • curl_strequal.3: fix argument typo
  • curl_url_set.3: document CURLU_APPENDQUERY proper
  • CURLMOPT_PIPELINING.3: dedup manpage xref
  • CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
  • CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
  • CURLOPT_COOKIEFILE: insist on "" for enable-without-file
  • CURLOPT_COOKIELIST.3: fix formatting mistake
  • CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
  • CURLOPT_MIMEPOST.3: add an (inline) example
  • CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
  • CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
  • CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
  • CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument
  • DEPRECATE.md: Support for systems without 64 bit data types
  • docs/examples: avoid deprecated options in examples where possible
  • docs/INSTALL: update Android Instructions for newer NDKs
  • docs/libcurl/symbols-in-versions: add several missing symbols
  • docs: 100+ spellfixes
  • docs: correct missing uppercase in Markdown files
  • docs: document more server names for test files
  • docs: fix deprecation versions inconsistencies
  • docs: make sure libcurl opts examples pass in long arguments
  • docs: remove mentions of deprecated '--without-openssl' parameter
  • docs: tag curl options better in man pages
  • docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
  • docs: update sourceforge project links
  • easy: fix the #include order
  • easy: fix the altsvc init for curl_easy_duphandle
  • easy_lock: check for HAVE_STDATOMIC_H as well
  • examples/chkspeed: improve portability
  • formdata: fix warning: 'CURLformoption' is promoted to 'int'
  • ftp: ignore a 550 response to MDTM
  • ftp: remove redundant if
  • functypes: provide the recv and send arg and return types
  • getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
  • GHA: build tests in a separate step from the running of them
  • GHA: run proselint on markdown files
  • github: initial CODEOWNERS setup for CI configuration
  • header: define public API functions as extern c
  • headers: reset the requests counter at transfer start
  • hostip: guard PF_INET6 use
  • hostip: lazily wait to figure out if IPv6 works until needed
  • http, vauth: always provide Curl_allow_auth_to_host() functionality
  • http2: make nghttp2 less picky about field whitespace
  • HTTP3.md: update Caddy example
  • http: try parsing Retry-After: as a number first
  • http_proxy: restore the protocol pointer on error
  • httpput-postfields.c: shorten string for C89 compliance
  • ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
  • lib1560: extended to verify detect/reject of unknown schemes
  • lib517: fix C89 constant signedness
  • lib: add missing limits.h includes
  • lib: add required Win32 setup definitions in setup-win32.h
  • lib: prepare the incoming of additional protocols
  • lib: sanitize conditional exclusion around MIME
  • lib: set more flags in config-win32.h
  • lib: the number four in a sequence is the "fourth"
  • libssh: if sftp_init fails, don't get the sftp error code
  • Makefile.m32: deduplicate build rules
  • Makefile.m32: drop CROSSPREFIX and our CC/AR defaults
  • Makefile.m32: exclude libs & libpaths for shared mode exes
  • Makefile.m32: fix regression with tool_hugehelp
  • Makefile.m32: major rework
  • Makefile.m32: reintroduce CROSSPREFIX and -W -Wall
  • Makefile.m32: support more options
  • manpage-syntax.pl: all libcurl option symbols should be fI-tagged
  • manpages: Fix spelling of "allows to" -> "allows one to"
  • misc: ISSPACE() => ISBLANK()
  • misc: use the term "null-terminate" consistently
  • mprintf: reject two kinds of precision for the same argument
  • mprintf: use snprintf if available
  • mqtt: return error for too long topic
  • mqtt: spell out CONNECT in comments
  • msh3: change the static_assert to make the code C89
  • netrc: compare user name case sensitively
  • netrc: replace fgets with Curl_get_line
  • netrc: use the URL-decoded user
  • ngtcp2: fix build errors due to changes in ngtcp2 library
  • ngtcp2: fix C89 compliance nit
  • noproxy: support proxies specified using cidr notation
  • openssl: make certinfo available for QUIC
  • README.md: add GHA status badges for Linux and macOS builds
  • RELEASE-PROCEDURE.md: mention patch releases
  • resolve: make forced IPv4 resolve only use A queries
  • runtests: fix uninitialized value on ignored tests
  • schannel: ban server ALPN change during recv renegotiation
  • schannel: don't reset recv/send function pointers on renegotiation
  • schannel: when importing PFX, disable key persistence
  • scripts: use `grep -E` instead of `egrep`
  • setopt: use the handler table for protocol name to number conversions
  • setopt: when POST is set, reset the 'upload' field
  • setup-win32: no longer define UNICODE/_UNICODE implicitly
  • single_transfer: use the libcurl URL parser when appending query parts
  • smb: replace CURL_WIN32 with WIN32
  • strcase: add and use Curl_timestrcmp
  • strerror: improve two URL API error messages
  • symbol-scan.pl: also check for LIBCURL* symbols
  • symbol-scan.pl: scan and verify .3 man pages
  • symbols-in-versions: add missing LIBCURL* symbols
  • symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
  • test1119: scan all public headers
  • test1275: verify uppercase after period in markdown
  • test972: verify the output without using external tool
  • tests/certs/scripts: insert standard curl source headers
  • tests/Makefile: remove run time stats from ci-test
  • tests: avoid CreateThread if _beginthreadex is available
  • tests: fix tag syntax errors in test files
  • tests: skip mime/form tests when mime is not built-in
  • tidy-up: delete parallel/unused feature flags
  • tidy-up: delete unused HAVE_STRUCT_POLLFD
  • TODO: provide the error body from a CONNECT response
  • tool: avoid generating ambiguous escaped characters in --libcurl
  • tool: remove dead code
  • tool: reorganize function c_escape around a dynbuf
  • tool_hugehelp: make hugehelp a blank macro when disabled
  • tool_main: exit at once if out of file descriptors
  • tool_operate: avoid a few #ifdefs for disabled-libcurl builds
  • tool_operate: more transfer cleanup after parallel transfer fail
  • tool_operate: prevent over-queuing in parallel mode
  • tool_operate: reduce errorbuffer allocs
  • tool_paramhelp: asserts verify maximum sizes for string loading
  • tool_paramhelp: make the max argument a 'double'
  • tool_progress: remove 'Qd' from the parallel progress bar
  • tool_setopt: use better English in --libcurl source comments
  • tool_xattr: save the original URL, not the final redirected one
  • unit test 1655: make it C89-compliant
  • url: a zero-length userinfo part in the URL is still a (blank) user
  • url: allow non-HTTPS HSTS-matching for debug builds
  • url: rename function due to name-clash in Watt-32
  • url: use IDN decoded names for HSTS checks
  • urlapi: detect scheme better when not guessing
  • urlapi: fix parsing URL without slash with CURLU_URLENCODE
  • urlapi: leaner with fewer allocs
  • urlapi: reject more bad characters from the host name field
  • winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
  • winbuild: use NMake batch-rules for compilation
  • windows: add .rc support to autotools builds
  • windows: adjust name of two internal public functions
  • windows: autotools .rc warnings fixup
  • wolfSSL: fix session management bug.

New in cURL 7.85.0 (Aug 31, 2022)

  • Changes:
  • quic: add support via wolfSSL
  • schannel: Add TLS 1.3 support
  • setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
  • Bugfixes:
  • amigaos: fix threaded resolver on AmigaOS 4.x
  • amissl: allow AmiSSL to be used with AmigaOS 4.x builds
  • amissl: make AmiSSL v5 a minimum requirement
  • asyn-ares: make a single alloc out of hostname + async data
  • asyn-thread: fix socket leak on OOM
  • asyn-thread: make getaddrinfo_complete return CURLcode
  • base64: base64url encoding has no padding
  • BUGS.md: improve language
  • build: improve OS string in CMake and `config-win32.h`
  • cert.d: clarify that escape character works for file paths
  • cirrus.yml: replace py38-pip with py39-pip
  • cirrus/freebsd-ci: bootstrap the pip installer
  • cmake: add detection of threadsafe feature
  • cmake: do not force Windows target versions
  • cmake: fix build for mingw cross compile
  • cmake: link curl to its dependencies with PRIVATE
  • cmake: remove APPEND in export(TARGETS)
  • cmake: set feature PSL if present
  • cmake: support ngtcp2 boringssl backend
  • cmdline-opts/gen.pl: improve performance
  • config: remove the check for and use of SIZEOF_SHORT
  • configure: -pthread not available on AmigaOS 4.x
  • configure: check for the stdatomic.h header in configure
  • configure: fix --disable-headers-api
  • configure: fix broken m4 syntax in TLS options
  • configure: fixup bsdsocket detection code for AmigaOS 4.x
  • configure: if asked to use TLS, fail if no TLS lib was detected
  • configure: introduce CURL_SIZEOF
  • connect: add quic connection information
  • connect: close the happy eyeballs loser connection when using QUIC
  • connect: revert the use of IP*_RECVERR
  • connect: set socktype/protocol correctly
  • cookie: reject cookies with "control bytes"
  • cookie: treat a blank domain in Set-Cookie: as non-existing
  • cookie: use %zu to infof() for size_t values
  • curl-compilers.m4: make icc use -diag* options and disable two warnings
  • curl-config: quote directories with potential space
  • curl-confopts: remove leftover AC_REQUIREs
  • curl-functions.m4: check whether atomics can link
  • curl-wolfssl.m4: add options header when building test code
  • curl.h: CURLE_CONV_FAILED is obsoleted
  • curl.h: include on SunOS
  • curl: output warning when a cookie is dropped due to size
  • curl: writeout: fix repeated header outputs
  • Curl_close: call Curl_resolver_cancel to avoid memory-leak
  • curl_easy_header: Add CURLH_PSEUDO to sanity check
  • curl_mime_data.3: polish the wording
  • curl_multi_timeout.3: clarify usage
  • CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples
  • CURLOPT_BUFFERSIZE.3: add upload buffersize to see also
  • CURLOPT_CONNECT_ONLY.3: clarify multi API use
  • CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
  • digest: fix memory leak, fix not quoted 'opaque'
  • digest: fix missing increment of 'nc' value for auth-int
  • digest: pass over leading spaces in qop values
  • digest: reject broken header with session protocol but without qop
  • docs/cmdline-opts/gen.pl: encode leading single and double quotes
  • docs/cmdline-opts: fix example and categories for --form-escape
  • docs/cmdline: mark fail and fail-with-body as mutually exclusive
  • docs: add dns category to --resolve
  • docs: explain curl_easy_escape/unescape curl handle is ignored
  • docs: remove him/her/he/she from documentation
  • doh: move doh related struct definitions to doh.h
  • doh: use https protocol by default
  • easy_lock.h: include sched.h if available to fix build
  • easy_lock.h: use __asm__ instead of asm to fix build
  • easy_lock: fix build for mingw
  • easy_lock: fix build with icc
  • easy_lock: fix the #ifdef conditional for ia32_pause
  • easy_lock: switch to using atomic_int instead of bool
  • easyoptions: fix icc warning
  • escape: remove outdated comment
  • examples/curlx.c: remove
  • file: add handling of native AmigaOS paths
  • file: fix icc enumerated type mixed with another type warning
  • ftp: use a correct expire ID for timer expiry
  • getinfo: return better error on NULL as first argument
  • GHA: add two Intel compiler CI jobs
  • GHA: move libressl CI from zuul to GitHub
  • gha: move over ngtcp2-gnutls CI job from zuul
  • GHA: mv CI torture test from Zuul
  • h2h3: fix overriding the 'TE: Trailers' header
  • hostip: resolve *.localhost to 127.0.0.1/::1
  • HTTP3.md: update to msh3 v0.4.0
  • http: typecast the httpreq assignment to avoid icc compiler warning
  • http_aws_sigv4.c: remove two unusued includes
  • http_chunks: remove an assign + typecast
  • hyper: customize test1274 to how hyper unfolds headers
  • hyper: enable obs-folded multiline headers
  • hyper: use wakers for curl pause/resume
  • imap: use ISALNUM() for alphanumeric checks
  • ldap: adapt to conn->port now being an 'int'
  • lib/curl_path.c: add ISC to license expression
  • lib3026: reduce the number of threads to 100
  • libcurl-security.3: fix typo on macro "SH_"
  • libssh2: make atime/mtime date overflow return error
  • libssh2: provide symlink name in SFTP dir listing
  • libssh: ignore deprecation warnings
  • libssh: make atime/mtime date overflow return error
  • Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
  • Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
  • makefile.m32: add support for custom ARCH [ci skip]
  • Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip]
  • Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
  • Makefile.m32: stop trying to build libcares.a [ci skip]
  • memdebug: add annotation attributes
  • mprintf: fix *dyn_vprintf() when out-of-memory
  • mprintf: make dprintf_formatf never return negative
  • msh3: fix the QUIC disconnect function
  • multi: fix the return code from Curl_pgrsDone()
  • multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
  • multi: use a pipe instead of a socketpair on apple platforms
  • multi: use larger dns hash table for multi interface
  • multi_wait: fix and improve Curl_poll error handling on Windows
  • multi_wait: fix skipping to populate revents for extra_fds
  • netrc.d: remove spurious quote
  • netrc: Use the password from lines without login
  • ngtcp2: Fix build error due to change in nghttp3 prototypes
  • ngtcp2: fix incompatible function pointer types
  • ngtcp2: Fix missing initialization of nghttp3_nv.flags
  • ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
  • ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
  • openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
  • openssl: add cert path in error message
  • openssl: add details to "unable to set client certificate" error
  • openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
  • quiche: fix build failure
  • select: do not return fatal error on EINTR from poll()
  • sendf: fix paused header writes since after the header API
  • sendf: make Curl_debug a void function
  • sendf: skip storing HTTP headers if HTTP disabled
  • sendf: store the header type in an usigned char to avoid icc warnings
  • splay: avoid using -1 in unsigned variable
  • test3026: add support for Windows using native Win32 threads
  • test3026: require 'threadsafe'
  • test44[2-4]: add '--resolve' to the keywords
  • tests/server/sockfilt.c: avoid race condition without a mutex
  • tests: fix http2 tests to use CRLF headers
  • tests: several enumerated type cleanups
  • THANKS: merged two entries for Evgeny Grin
  • tidy-up: delete unused build configuration macros
  • tool: reintroduce set file comment code for AmigaOS
  • tool_cfgable: make 'synthetic_error' a plain bool
  • tool_formparse: fix variable may be used before its value is set
  • tool_getparam: make --doh-url "" switch it off
  • tool_getparam: repair cleanarg
  • tool_operate: better cleanup of easy handle in exit path
  • tool_paramhlp: fix "enumerated type mixed with another type"
  • tool_paramhlp: make check_protocol return ParameterError
  • tool_progress: avoid division by zero in parallel progress meter
  • tool_writeout: fix enumerated type mixed with another type
  • trace: 0x7F character is non-printable
  • unit1303: four tests should have TRUE for 'connecting'
  • url: enumerated type mixed with another type
  • url: really use the user provided in the url when netrc entry exists
  • url: reject URLs with hostnames longer than 65535 bytes
  • url: treat missing usernames in netrc as empty
  • urldata: change second proxytype field to unsigned char to match
  • urldata: make 'negnpn' use less storage
  • urldata: make state.httpreq an unsigned char
  • urldata: make three *_proto struct fields smaller
  • urldata: move smaller fields down in connectdata struct
  • urldata: reduce size of several struct fields
  • vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
  • windows: improve random source

New in cURL 7.84.0 (Jun 27, 2022)

  • Changes:
  • curl: add --rate to set max request rate per time unit
  • curl: deprecate --random-file and --egd-file
  • curl_version_info: add CURL_VERSION_THREADSAFE
  • CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
  • lib: make curl_global_init() threadsafe when possible
  • libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
  • opts: deprecate RANDOM_FILE and EGDSOCKET
  • socks: support unix sockets for socks proxy
  • Bugfixes:
  • aws-sigv4: fix potentional NULL pointer arithmetic
  • bindlocal: don't use a random port if port number would wrap
  • c-hyper: mark status line as status for Curl_client_write()
  • ci: avoid `cmake -Hpath`
  • CI: bump FreeBSD 13.0 to 13.1
  • ci: update github actions
  • cmake: add libpsl support
  • cmake: do not add libcurl.rc to the static libcurl library
  • cmake: enable curl.rc for all Windows targets
  • cmake: fix detecting libidn2
  • cmake: support adding a suffix to the OS value
  • configure: skip libidn2 detection when winidn is used
  • configure: use the SED value to invoke sed
  • configure: warn about rustls being experimental
  • content_encoding: return error on too many compression steps
  • cookie: address secure domain overlay
  • cookie: apply limits
  • copyright.pl: parse and use .reuse/dep5 for skips
  • copyright: make repository REUSE compliant
  • curl.1: add a few see also --tls-max
  • curl.1: mention exit code zero too
  • curl: re-enable --no-remote-name
  • curl_easy_pause.3: remove explanation of progress function
  • curl_getdate.3: document that some illegal dates pass through
  • Curl_parsenetrc: don't access local pwbuf outside of scope
  • curl_url_set.3: clarify by default using known schemes only
  • CURLOPT_ALTSVC.3: document the file format
  • CURLOPT_FILETIME.3: fix the protocols this works with
  • CURLOPT_HTTPHEADER.3: improve comment in example
  • CURLOPT_NETRC.3: document the .netrc file format
  • CURLOPT_PORT.3: We discourage using this option
  • CURLOPT_RANGE.3: remove ranged upload advice
  • digest: added detection of more syntax error in server headers
  • digest: tolerate missing "realm"
  • digest: unquote realm and nonce before processing
  • DISABLED: disable 1021 for hyper again
  • docs/cmdline-opts: add copyright and license identifier to each file
  • docs/CONTRIBUTE.md: document the 'needs-votes' concept
  • docs: clarify data replacement policy for MIME API
  • doh: remove UNITTEST macro definition
  • examples/crawler.c: use the curl license
  • examples: remove fopen.c and rtsp.c
  • FAQ: Clarify Windows double quote usage
  • fopen: add Curl_fopen() for better overwriting of files
  • ftp: restore protocol state after http proxy CONNECT
  • ftp: when failing to do a secure GSSAPI login, fail hard
  • GHA/hyper: enable debug in the build
  • gssapi: improve handling of errors from gss_display_status
  • gssapi: initialize gss_buffer_desc strings
  • headers api: remove EXPERIMENTAL tag
  • http2: always debug print stream id in decimal with %u
  • http2: reject overly many push-promise headers
  • http: restore header folding behavior
  • hyper: use 'alt-used'
  • krb5: return error properly on decode errors
  • lib: make more protocol specific struct fields #ifdefed
  • libcurl-security.3: add "Secrets in memory"
  • libcurl-security.3: document CRLF header injection
  • libssh: skip the fake-close when libssh does the right thing
  • links: update dead links to the curl-wiki
  • log2changes: do not indent empty lines [ci skip]
  • macos9: remove partial support
  • Makefile.am: fix portability issues
  • Makefile.m32: delete obsolete options, improve -On [ci skip]
  • Makefile.m32: delete two obsolete OpenSSL options [ci skip]
  • Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
  • max-time.d: clarify max-time sets max transfer time
  • mprintf: ignore clang non-literal format string
  • netrc: check %USERPROFILE% as well on Windows
  • netrc: support quoted strings
  • ngtcp2: allow curl to send larger UDP datagrams
  • ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
  • ngtcp2: enable Linux GSO
  • ngtcp2: extend QUIC transport parameters buffer
  • ngtcp2: fix alert_read_func return value
  • ngtcp2: fix typo in preprocessor condition
  • ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
  • ngtcp2: send appropriate connection close error code
  • ngtcp2: support boringssl crypto backend
  • ngtcp2: use helper funcs to simplify TLS handshake integration
  • ntlm: provide a fixed fake host name
  • projects: fix third-party SSL library build paths for Visual Studio
  • quic: add Curl_quic_idle
  • quiche: support ca-fallback
  • rand: stop detecting /dev/urandom in cross-builds
  • remote-name.d: mention --output-dir
  • runtests.pl: add the --repeat parameter to the --help output
  • runtests: fix skipping tests not done event-based
  • runtests: skip starting the ssh server if user name is lacking
  • scripts/copyright.pl: fix the exclusion to not ignore man pages
  • sectransp: check for a function defined when __BLOCKS__ is undefined
  • select: return error from "lethal" poll/select errors
  • server/sws: support spaces in the HTTP request path
  • speed-limit/time.d: mention these affect transfers in either direction
  • strcase: some optimisations
  • test 2081: add a valid reply for the second request
  • test 675: add missing CR so the test passes when run through Privoxy
  • test414: add the '--resolve' keyword
  • test681: verify --no-remote-name
  • tests 266, 116 and 1540: add a small write delay
  • tests/data/test1501: kill ftp server after slow LIST response
  • tests/getpart: fix getpartattr to work with "data" and "data2"
  • tests/server/sws.c: change the HTTP writedelay unit to milliseconds
  • test{440,441,493,977}: add "HTTP proxy" keywords
  • tool_getparam: fix --parallel-max maximum value constraint
  • tool_operate: make sure --fail-with-body works with --retry
  • transfer: fix potential NULL pointer dereference
  • transfer: maintain --path-as-is after redirects
  • transfer: upload performance; avoid tiny send
  • url: free old conn better on reuse
  • url: remove redundant #ifdefs in allocate_conn()
  • url: URL encode the path when extracted, if spaces were set
  • urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
  • urlapi: support CURLU_URLENCODE for curl_url_get()
  • urldata: reduce size of a few struct fields
  • urldata: remove three unused booleans from struct UserDefined
  • urldata: store tcp_keepidle and tcp_keepintvl as ints
  • version: allow stricmp() for sorting the feature list
  • vtls: make curl_global_sslset thread-safe
  • wolfssh.h: removed
  • wolfssl: correct the failf() message when a handle can't be made
  • wolfSSL: explicitly use compatibility layer
  • x509asn1: mark msnprintf return as unchecked

New in cURL 7.83.1 (May 11, 2022)

  • Bugfixes:
  • altsvc: fix host name matching for trailing dots
  • cirrus: Update to FreeBSD 12.3
  • cirrus: Use pip for Python packages on FreeBSD
  • conn: fix typo 'connnection' -> 'connection' in two function names
  • cookies: make bad_domain() not consider a trailing dot fine
  • curl: free resource in error path
  • curl: guard against size_t wraparound in no-clobber code
  • CURLOPT_DOH_URL.3: mention the known bug
  • CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
  • CURLOPT_SSH_AUTH_TYPES.3: fix the default
  • data/test376: set a proper name
  • GHA/mbedtls: enabled nghttp2 in the build
  • gha: build msh3
  • gskit: fixed bogus setsockopt calls
  • gskit: remove unused function set_callback
  • hsts: ignore trailing dots when comparing hosts names
  • HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
  • http: move Curl_allow_auth_to_host()
  • http_proxy/hyper: handle closed connections
  • hyper: fix test 357
  • Makefile: fix "make ca-firefox"
  • mbedtls: bail out if rng init fails
  • mbedtls: fix compile when h2-enabled
  • mbedtls: fix some error messages
  • misc: use "autoreconf -fi" instead buildconf
  • msh3: get msh3 version from MsH3Version
  • msh3: print boolean value as text representation
  • msh3: psss remote_port to MsH3ConnectionOpen
  • ngtcp2: add ca-fallback support for OpenSSL backend
  • nss: return error if seemingly stuck in a cert loop
  • openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
  • post_per_transfer: remove the updated file name
  • sectransp: bail out if SSLSetPeerDomainName fails
  • tests/server: declare variable 'reqlogfile' static
  • tests: fix markdown formatting in README
  • test{898,974,976}: add 'HTTP proxy' keywords
  • tls: check more TLS details for connection reuse
  • url: check SSH config match on connection reuse
  • urlapi: address (harmless) UndefinedBehavior sanitizer warning
  • urlapi: reject percent-decoding host name into separator bytes
  • x509asn1: make do_pubkey handle EC public keys

New in cURL 7.83.0 (Apr 27, 2022)

  • Changes:
  • curl: add %header{name} experimental support in -w handling
  • curl: add %{header_json} experimental support in -w handling
  • curl: add --no-clobber
  • curl: add --remove-on-error
  • header api: add curl_easy_header and curl_easy_nextheader
  • msh3: add support for QUIC and HTTP/3 using msh3
  • Bugfixes:
  • appveyor: add Cygwin build
  • appveyor: only add MSYS2 to PATH where required
  • BearSSL: add CURLOPT_SSL_CIPHER_LIST support
  • BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
  • BINDINGS.md: add Hollywood binding
  • CI: Do not use buildconf. Instead, just use: autoreconf -fi
  • CI: install Python package impacket to run SMB test 1451
  • configure.ac: move -pthread CFLAGS setting back where it used to be
  • configure: bump the copyright year range int the generated output
  • conncache: include the zone id in the "bundle" hashkey
  • connecache: remove duplicate connc->closure_handle check
  • connect: make Curl_getconnectinfo work with conn cache from share handle
  • connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined
  • cookie.d: clarify when cookies are sent
  • cookies: improve errorhandling for reading cookiefile
  • curl/system.h: update ifdef condition for MCST-LCC compiler
  • curl: error out if -T and -d are used for the same URL
  • curl: error out when options need features not present in libcurl
  • curl: escape '?' in generated --libcurl code
  • curl: fix segmentation fault for empty output file names.
  • curl_easy_header: fix typos in documentation
  • CURLINFO_PRIMARY_PORT.3: clarify which port this is
  • CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS
  • CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
  • CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
  • CURLOPT_PROGRESSFUNCTION.3: fix typo in example
  • CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
  • CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
  • docs/HYPER.md: updated to reflect current hyper build needs
  • docs/opts: Mention Schannel client cert type is P12
  • docs: Fix missing semicolon in example code
  • docs: lots of minor language polish
  • English: use American spelling consistently
  • fail.d: tweak the description
  • firefox-db2pem.sh: make the shell script safer
  • ftp: fix error message for partial file upload
  • gen.pl: change wording for mutexed options
  • GHA: add openssl3 jobs moved over from zuul
  • GHA: build hyper with nightly rustc
  • GHA: move bearssl jobs over from zuul
  • gha: move the event-based test over from Zuul
  • gtls: fix build for disabled TLS-SRP
  • http2: handle DONE called for the paused stream
  • http2: RST the stream if we stop it on our own will
  • http: avoid auth/cookie on redirects same host diff port
  • http: close the stream (not connection) on time condition abort
  • http: reject header contents with nul bytes
  • http: return error on colon-less HTTP headers
  • http: streamclose "already downloaded"
  • hyper: fix status_line() return code
  • hyper: fix tests 580 and 581 for hyper
  • hyper: no h2c support
  • infof: consistent capitalization of warning messages
  • ipv4/6.d: clarify that they are about using IP addresses
  • json.d: fix typo (overriden -> overridden)
  • keepalive-time.d: It takes many probes to detect brokenness
  • lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
  • lib670: avoid double check result
  • lib: #ifdef on USE_HTTP2 better
  • lib: fix some misuse of curlx_convert_wchar_to_UTF8
  • lib: remove exclamation marks
  • libssh2: compare sha256 strings case sensitively
  • libssh2: make the md5 comparison fail if wrong length
  • libssh: fix build with old libssh versions
  • libssh: fix double close
  • libssh: Improve fix for missing SSH_S_ stat macros
  • libssh: unstick SFTP transfers when done event-based
  • macos: set .plist version in autoconf
  • mbedtls: remove 'protocols' array from backend when ALPN is not used
  • mbedtls: remove server_fd from backend
  • mk-ca-bundle.pl: Use stricter logic to process the certificates
  • mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
  • mlc_config.json: add file to ignore known troublesome URLs
  • mqtt: better handling of TCP disconnect mid-message
  • ngtcp2: add client certificate authentication for OpenSSL
  • ngtcp2: avoid busy loop in low CWND situation
  • ngtcp2: deal with sub-millisecond timeout
  • ngtcp2: disconnect the QUIC connection proper
  • ngtcp2: enlarge H3_SEND_SIZE
  • ngtcp2: fix HTTP/3 upload stall and avoid busy loop
  • ngtcp2: fix memory leak
  • ngtcp2: fix QUIC_IDLE_TIMEOUT
  • ngtcp2: make curl 1ms faster
  • ngtcp2: remove remote_addr which is not used in a meaningful way
  • ngtcp2: update to work after recent ngtcp2 updates
  • ngtcp2: use token when detecting :status header field
  • nonblock: restore setsockopt method to curlx_nonblock
  • openssl: check SSL_get_peer_cert_chain return value
  • openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL
  • openssl: fix CN check error code
  • options: remove mistaken space before paren in prototype
  • perl: removed a double semicolon at end of line
  • pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
  • projects/README: converted to markdown
  • projects: Update VC version names for VS2017, VS2022
  • rtsp: don't let CSeq error override earlier errors
  • runtests: add 'bearssl' as testable feature
  • runtests: make 'oldlibssh' be before 0.9.4
  • schannel: remove dead code that will never run
  • scripts/copyright.pl: ignore the new mlc_config.json file
  • scripts: move three scripts from lib/ to scripts/
  • test1135: sync with recent API updates
  • test1459: disable for oldlibssh
  • test375: fix line endings on Windows
  • test386: Fix an incorrect test markup tag
  • test718: edited slightly to return better HTTP
  • tests/server/util.h: align WIN32 condition with util.c
  • tests: refactor server/socksd.c to support --unix-socket
  • timediff.[ch]: add curlx helper functions for timeval conversions
  • tls: make mbedtls and NSS check for h2, not nghttp2
  • tool and tests: force flush of all buffers at end of program
  • tool_cb_hdr: Turn the Location: into a terminal hyperlink
  • tool_getparam: error out on missing -K file
  • tool_listhelp.c: uppercase URL
  • tool_operate: fix a scan-build warning
  • tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
  • transfer: redirects to other protocols or ports clear auth
  • unit1620: call global_init before calling Curl_open
  • url: check sasl additional parameters for connection reuse.
  • vtls: provide a unified APLN-disagree string for all backends
  • vtls: use a backend standard message for "ALPN: offers %s"
  • vtls: use a generic "ALPN, server accepted" message
  • winbuild/README.md: fixup dead link
  • winbuild: Add a Visual Studio example to the README
  • wolfssl: fix compiler error without IPv6

New in cURL 7.82.0 (Mar 7, 2022)

  • Changes:
  • curl: add --json
  • mesalink: remove support
  • Bugfixes:
  • appveyor: update images from VS 2019 to 2022
  • appveyor: use VS 2017 image for the autotools builds
  • azure-pipelines: add a build on Windows with libssh
  • bearssl: fix connect error on expired cert and no verify
  • bearssl: fix EXC_BAD_ACCESS on incomplete CA cert
  • bearssl: fix session resumption (session id)
  • build: enable -Warith-conversion
  • build: fix -Wenum-conversion handling
  • build: fix ngtcp2 crypto library detection
  • checkprefix: remove strlen calls
  • checksrc: fix typo in comment
  • CI: move 'distcheck' job from zuul to azure pipelines
  • CI: move scan-build job from Zuul to Azure Pipelines
  • CI: move the NSS job from zuul to GHA
  • ci: move the OpenSSL + c-ares job from Zuul to Circle CI
  • CI: move the rustls CI job to GHA from Zuul
  • CI: move two jobs from Zuul to Circle CI
  • CI: test building wolfssl with --enable-opensslextra
  • CI: workflows/wolfssl: install impacket
  • circleci: add a job using libssh
  • cirlceci: also run a c-ares job on arm with debug enabled
  • cmake: fix iOS CMake project generation error
  • cmdline-opts/gen.pl: fix option matching to improve references
  • config.d: Clarify _curlrc filename is still valid on Windows
  • configure.ac: use user-specified gssapi dir when using pkg-config
  • configure: change output for cross-compiled alt-svc support
  • configure: fix '--enable-code-coverage' typo
  • configure: remove support for "embedded ares"
  • configure: requires --with-nss-deprecated to build with NSS
  • configure: set CURL_LIBRARY_PATH for nghttp2
  • configure: support specification of a nghttp2 library path
  • configure: use correct CFLAGS for threaded resolver with xlC on AIX
  • curl tool: erase some more sensitive command line arguments
  • curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval
  • curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE
  • curl-openssl: fix SRP check for OpenSSL 3.0
  • curl-openssl: remove the OpenSSL headers and library versions check
  • curl.h: fix typo
  • curl: remove "separators" (when using globbed URLs)
  • curl_getdate.3: remove pointless .PP line
  • curl_multi_socket.3: remove callback and typical usage descriptions
  • curl_url_set.3: mention when CURLU_ALLOW_SPACE was added
  • CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples
  • CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment
  • CURLOPT_RESOLVE.3: change example port to 443
  • CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment
  • CURLOPT_XFERINFOFUNCTION.3: fix typo in example
  • CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released"
  • des: fix compile break for OpenSSL without DES
  • docs/cmdline-opts: add "mutexed" options for more http versions
  • docs/DEPRECATE: remove NPN support in August 2022
  • docs: capitalize the name 'Netscape'
  • docs: document HTTP/2 not insisting on TLS 1.2
  • docs: fix mandoc -T lint formatting complaints
  • docs: update IETF links to use datatracker
  • examples/curlx: support building with OpenSSL 1.1.0+
  • examples/multi-app.c: call curl_multi_remove_handle as well
  • formdata: avoid size_t => long typecast overflows
  • ftp: provide error message for control bytes in path
  • gen.pl: terminate "example" sections better
  • gha: add a macOS CI job with libssh
  • gskit: Convert to using Curl_poll
  • gskit: Fix errors from Curl_strerror refactor
  • gskit: Fix initialization of Curl_ssl_gskit struct
  • h2/h3: allow CURLOPT_HTTPHEADER change ":scheme"
  • hostcheck: fixed to not touch used input strings
  • hostcheck: reduce strlen calls on chained certificates
  • hostip: avoid unused parameter error in Curl_resolv_check
  • http2: move two infof calls to debug-h2-only
  • http: make Curl_compareheader() take string length arguments too
  • if2ip: make Curl_ipv6_scope a blank macro when IPv6-disabled
  • KNOWN_BUGS: fix typo "libpsl"
  • ldap: return CURLE_URL_MALFORMAT for bad URL
  • lib: remove support for CURL_DOES_CONVERSIONS
  • libssh2: don't typecast socket to int for libssh2_session_handshake
  • libssh: fix include files and defines use for Windows builds
  • Makefile.am: Generate VS 2022 projects
  • maketgz: return error if 'make dist' fails
  • mbedtls: enable use of mbedtls without CRL support
  • mbedtls: enable use of mbedtls without filesystem functions support
  • mbedtls: fix CURLOPT_SSLCERT_BLOB (again)
  • mbedtls: fix ssl_init error with mbedTLS 3.1.0+
  • mbedtls: remove #include
  • mbedtls: return CURLcode result instead of a mbedtls error code
  • md5: check md5_init_func return value
  • mime: use a define instead of the magic number 24
  • misc: allow curl to build with wolfssl --enable-opensslextra
  • misc: remove BeOS code and references
  • misc: remove the final watcom references
  • misc: remove unused data when IPv6 is not supported
  • mqtt: free 'sendleftovers' in disconnect
  • mqtt: free any send leftover data when done
  • multi: allow user callbacks to call curl_multi_assign
  • multi: grammar fix in comment
  • multi: remember connection_id before returning connection to pool
  • multi: set in_callback for multi interface callbacks
  • netware: remove support
  • next.d. remove .fi/.nf as they are handled by gen.pl
  • ngtcp2: adapt to changed end of headers callback proto
  • ngtcp2: fix declaration of ‘result’ shadows a previous local
  • ngtcp2: Reset dynbuf when it is fully drained
  • nss: handshake callback during shutdown has no conn->bundle
  • ntlm: remove unused feature defines
  • openldap: fix compiler warning when built without SSL support
  • openldap: implement SASL authentication
  • openldap: pass string length arguments to client_write()
  • openssl.h: avoid including OpenSSL headers here
  • openssl: check if sessionid flag is enabled before retrieving session
  • openssl: check SSL_get_ex_data to prevent potential NULL dereference
  • openssl: check the return value of BIO_new_mem_buf()
  • openssl: fix `ctx_option_t` for OpenSSL v3+
  • openssl: fix build for version < 1.1.0
  • openssl: return error if TLS 1.3 is requested when not supported
  • os400: Add function wrapper for system command
  • os400: Add link to QADRT devkit to README.OS400
  • os400: Default build to target current release
  • OS400: fix typos in rpg include file
  • projects: add support for Visual Studio 17 (2022)
  • projects: fix Visual Studio wolfSSL configurations
  • projects: remove support for MSVC before VC10 (Visual Studio 2010)
  • quiche: after leaving h3_recving state, poll again
  • quiche: change qlog file extension to `.sqlog`
  • quiche: fix upload for bigger content-length
  • quiche: handle stream reset
  • quiche: remove two leftover debug infof() outputs
  • quiche: verify the server cert on connect
  • quiche: when *recv_body() returns data, drain it before polling again
  • README.md: fix links
  • remote-header-name.d: clarify
  • runtests.pl: disable debuginfod
  • runtests.pl: properly print the test if it contains binary zeros
  • runtests.pl: support the nonewline attribute for the data part
  • runtests.pl: tolerate test directories without Makefile.inc
  • runtests: allow client/file to specify multiple directories
  • runtests: make 'rustls' a testable feature
  • runtests: make 'wolfssl' a testable feature
  • runtests: set 'oldlibssh' for libssh versions before 0.9.5
  • rustls: add CURLOPT_CAINFO_BLOB support
  • schannel: move the algIds array out of schannel.h
  • scripts/cijobs.pl: output data about all currect CI jobs
  • scripts/completion.pl: improve zsh completion
  • scripts/copyright.pl: support many provided file names on the cmdline
  • scripts/delta: check the file delta for current branch
  • sectransp: mark a 3DES cipher as weak
  • setopt: do bounds-check before strdup
  • setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
  • sha256: Fix minimum OpenSSL version
  • smb: pass socket for writing and reading data instead of FIRSTSOCKET
  • ssl: reduce allocated space for ssl backend when FTP is disabled
  • test3021: disable all msys2 path transformation
  • test374: gif data without new line at the end
  • tests/disable-scan.pl: properly detect multiple symbols per line
  • tests/unit/Makefile.am: add NSS_LIBS to build with NSS fine
  • tool_findfile: check ~/.config/curlrc too
  • tool_getparam: DNS options that need c-ares now fail without it
  • TPF: drop support
  • unit1610: init SSL library before calling SHA256 functions
  • url: exclude zonefrom_url when no ipv6 is available
  • url: given a user in the URL, find pwd for that user in netrc
  • url: keep trailing dot in host name
  • url: make Curl_disconnect return void
  • urlapi: handle "redirects" smarter
  • urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled
  • urldata: remove conn->bits.user_passwd
  • version_win32: fix warning for `CURL_WINDOWS_APP`
  • vtls: fix socket check conditions
  • vtls: pass on the right SNI name
  • vxworks: drop support
  • winbuild: add parameter WITH_SSH
  • wolfssl: return CURLE_AGAIN for the SSL_ERROR_NONE case
  • wolfssl: when SSL_read() returns zero, check the error
  • write-out.d: Fix num_headers formatting
  • x509asn1: toggle off functions not needed for diff tls backends

New in cURL 7.81.0 (Jan 5, 2022)

  • Changes:
  • mime: use percent-escaping for multipart form field and file names
  • Bugfixes:
  • asyn-ares: ares_getaddrinfo needs no happy eyeballs timer
  • azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper
  • BINDINGS: add cURL client for PostgreSQL
  • BINDINGS: add one from Everything curl and update a link
  • checksrc: detect more kinds of NULL comparisons we avoid
  • CI: build examples for additional code verification
  • CI: bump job to use mbedtls 3.1.0
  • cmake: don't set _USRDLL on a static Windows build
  • cmake: prevent dev warning due to mismatched arg
  • cmake: private identifiers use CURL_ instead of CMAKE_ prefix
  • config.d: update documentation to match the path search
  • configure: add -lm to configure for rustls build.
  • configure: better diagnostics if hyper is built wrong
  • configure: don't enable TLS when --without-* flags are used
  • configure: fix runtime-lib detection on macOS
  • curl.1: require "see also" for every documented option
  • curl: improve error message for --head with -J
  • curl_easy_cleanup.3: remove from multi handle first
  • curl_easy_escape.3: call curl_easy_cleanup in example
  • curl_easy_unescape.3: call curl_easy_cleanup in example
  • curl_multi_init.3: fix EXAMPLE formatting
  • curl_multi_perform/socket_action.3: clarify what errors mean
  • curl_share_setopt.3: split out options into their own manpages
  • CURLOPT_STDERR.3: does not work with libcurl as a win32 DLL
  • digest: compute user:realm:pass digest w/o userhash
  • docs/checksrc: Add documentation for STRERROR
  • docs/cmdline-opts: do not say "protocols: all"
  • docs/examples: workaround broken -Wno-pedantic-ms-format
  • docs/HTTP3: describe how to setup a h3 reverse-proxy for testing
  • docs/INSTALL.md: typo fix : added missing "get" verb
  • docs/URL-SYNTAX.md: space is not fine in a given URL
  • docs: add known bugs list to HTTP3.md
  • docs: address proselint nits
  • docs: consistent manpage SYNOPSIS
  • docs: fix dead links, remove ECH.md
  • docs: fix typo in OpenSSL 3 build instructions
  • docs: Update the Reducing Size section
  • example/progressfunc: remove code for old libcurls
  • examples/multi-single.c: remove WAITMS()
  • FAQ: typo fix : "yout" ➤ "your"
  • ftp: disable warning 4706 in MSVC
  • gen.pl: improve example output format
  • github workflow: add wolfssl (removed from zuul)
  • github/workflows: add mbedtls and mbedtls-clang (removed from zuul)
  • gtls: check return code for gnutls_alpn_set_protocols
  • hash: lazy-alloc the table in Curl_hash_add()
  • http2:set_transfer_url() return early on OOM
  • HTTP3: update quiche build instructions
  • http: enable haproxy support for hyper backend
  • http: Fix CURLOPT_HTTP200ALIASES
  • http_proxy: don't close the socket (too early)
  • insecure.d: detail its use for SFTP and SCP as well
  • insecure.d: expand and clarify
  • libcurl-multi.3: "SOCKS proxy handshakes" are not blocking
  • libcurl-security.3: mention address and URL mitigations
  • libssh2: fix error message for sha256 mismatch
  • libtest: avoid "assignment within conditional expression"
  • lift: ignore is a deprecated config option, use ignoreRules
  • linkcheck.yml: add CI job that checks markdown links
  • m4/curl-compilers: tell clang -Wno-pointer-bool-conversion
  • Makefile.m32: rename -winssl option to -schannel and tidy up
  • mbedTLS: add support for CURLOPT_CAINFO_BLOB
  • mbedtls: fix CURLOPT_SSLCERT_BLOB
  • mbedtls: fix private member designations for v3.1.0
  • misc: remove unused doh flags when CURL_DISABLE_DOH is defined
  • misc: s/e-mail/email
  • multi: cleanup the socket hash when destroying it
  • multi: handle errors returned from socket/timer callbacks
  • multi: shut down CONNECT in Curl_detach_connnection
  • netrc.d: edit the .netrc example to look nicer
  • ngtcp2: verify the server cert on connect (quictls)
  • ngtcp2: verify the server certificate for the gnutls case
  • nss:set_cipher don't clobber the cipher list
  • openldap: implement STARTTLS
  • openldap: process search query response messages one by one
  • openldap: several minor improvements
  • openldap: simplify ldif generation code
  • openssl: check the return value of BIO_new()
  • openssl: define HAVE_OPENSSL_VERSION for OpenSSL 1.1.0+
  • openssl: remove `RSA_METHOD_FLAG_NO_CHECK` handling if unavailable
  • openssl: remove usage of deprecated `SSL_get_peer_certificate`
  • openssl: use non-deprecated API to read key parameters
  • page-footer: add a mention of how to report bugs to the man page
  • page-footer: document more environment variables
  • request.d: refer to 'method' rather than 'command'
  • retry-all-errors.d: make the example complete
  • runtests: make the SSH library a testable feature
  • rustls: read of zero bytes might be okay
  • rustls: remove comment about checking handshaking
  • rustls: remove incorrect EOF check
  • sha256/md5: return errors when init fails
  • socks5: use appropriate ATYP for numerical IP address host names
  • test1156: enable for hyper
  • test1156: fixup the stdout check for Windows
  • test1525: tweaked for hyper
  • test1526: enable for hyper
  • test1527: enable for hyper
  • test1528: enable for hyper
  • test1554: adjust for hyper
  • test1556: adjust for hyper
  • test302[12]: run only with the libssh2 backend
  • test661: enable for hyper
  • tests/CI.md: add more information on CI environments
  • tests/data/test302[12]: fix MSYS2 path conversion of hostpubsha256
  • tftp: mark protocol as not possible to do over CONNECT
  • tool_findfile: updated search for a file in the homedir
  • tool_operate: only set SSH related libcurl options for SSH URLs
  • tool_operate: warn if too many output arguments were found
  • url.c: fix the SIGPIPE comment for Curl_close
  • url: check ssl_config when re-use proxy connection
  • url: reduce ssl backend count for CURL_DISABLE_PROXY builds
  • urlapi: accept port number zero
  • urlapi: if possible, shorten given numerical IPv6 addresses
  • urlapi: provide more detailed return codes
  • urlapi: reject short file URLs
  • version_win32: Check build number and platform id
  • vtls/rustls: adapt to the updated rustls_version proto
  • writeout: fix %{http_version} for HTTP/3
  • x509asn1: return early on errors
  • zuul.d: update rustls-ffi to version 0.8.2
  • zuul: fix quiche build pointing to wrong Cargo

New in cURL 7.80.0 (Nov 14, 2021)

  • Changes:
  • CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse
  • CURLOPT_PREREQFUNCTION: add new callback
  • libssh2: add SHA256 fingerprint support
  • urlapi: add curl_url_strerror()
  • urlapi: support UNC paths in file: URLs on Windows
  • wolfssl: allow setting of groups/curves
  • Bugfixes:
  • .github: retry macos "brew install" command on failure
  • aws-sigv4: make signature work when post data is binary
  • BINDINGS: URL updates
  • build: remove checks for WinSock 1
  • c-hyper: don't abort CONNECT responses early when auth-in-progress
  • c-hyper: make Curl_http propagate errors better
  • c-hyper: make CURLOPT_SUPPRESS_CONNECT_HEADERS work
  • c-hyper: make test 217 run
  • c-hyper: use hyper_request_set_uri_parts to make h2 better
  • checksrc: ignore preprocessor lines
  • CI/makefiles: introduce dedicated test target
  • ci: update Lift config to match requirements of curl build
  • cirrus: remove FreeBSD 11.4 from the matrix
  • cirrus: switch to openldap24-client
  • cleanup: constify unmodified static structs
  • cmake: add CURL_ENABLE_SSL option
  • cmake: fix error getting LOCATION property on non-imported target
  • CMake: restore support for SecureTransport on iOS
  • cmake: with OpenSSL, define OPENSSL_SUPPRESS_DEPRECATED
  • cmdline-opts: made the 'Added:' field mandatory
  • configure.ac: replace krb5-config with pkg-config
  • configure: when hyper is selected, deselect nghttp2
  • connect: use sysaddr_un from sys/un.h or custom-defined for windows
  • curl-confopts.m4: remove --enable/disable-hidden-symbols
  • curl-openssl.m4: modify library order for openssl linking
  • curl-openssl: pass argument to sed single-quoted
  • curl.1: remove mentions of really old version changes
  • curl: actually append "-" to --range without number only
  • curl: correct grammar in generated libcurl code
  • curl: print help descriptions in an aligned right column
  • curl_gssapi: fix link error on macOS Monterey
  • curl_multi_socket_action.3: add a "RETURN VALUE" section
  • curl_ntlm_core: use OpenSSL only if DES is available
  • Curl_updateconninfo: store addresses for QUIC connections too
  • CURLOPT_ALTSVC_CTRL.3: mention conn reuse is preferred
  • CURLOPT_HSTSWRITEFUNCTION.3: using CURLOPT_HSTS_CTRL is required
  • CURLOPT_HTTPHEADER.3: add descripion for specific headers
  • docs/HTTP3: improve build instructions
  • docs/Makefile.am: repair 'make html'
  • docs: fix typo in CURLOPT_TRAILERFUNCTION example
  • docs: provide "RETURN VALUE" section for more func manpages
  • docs: reduce use of "very"
  • doh: remove experimental code for DoH with GET
  • examples/htmltidy: correct wrong printf() use
  • examples/imap-append: fix end-of-data check
  • ftp: make the MKD retry to retry once per directory
  • gen.pl: insert the current date and version in generated man page
  • gen.pl: replace leading single quotes with (aq
  • http2: make getsock not wait for write if there's no remote window
  • HTTP3: fix the HTTP/3 Explained book link
  • http: fix Basic auth with empty name field in URL
  • http: reject HTTP response codes < 100
  • http: remove assert that breaks hyper
  • http: set content length earlier
  • http_proxy: make hyper CONNECT() return the correct error code
  • http_proxy: multiple CONNECT with hyper done better
  • hyper: disable test 1294 since hyper doesn't allow such crazy headers
  • hyper: does not support disabling CURLOPT_HTTP_TRANSFER_DECODING
  • hyper: pass the CONNECT line to the debug callback
  • imap: display quota information
  • INSTALL: update symbol hiding option
  • lib/mk-ca-bundle.pl: skip certs passed Not Valid After date
  • lib: avoid fallthrough cases in switch statements
  • libcurl.rc: switch out the copyright symbol for plain ASCII
  • libssh2: Get the version at runtime if possible
  • limit-rate.d: this is average over several seconds
  • llist: remove redundant code, branch will not be executed
  • Makefile.m32: fix to not require OpenSSL with -libssh2 or -rtmp options
  • maketgz: redirect updatemanpages.pl output to /dev/null
  • man pages: require all to use the same section header order
  • manpage: adjust the asterisk in some SYNOPSIS sections
  • md5: fix compilation with OpenSSL 3.0 API
  • misc: fix a few issues on MidnightBSD
  • misc: fix typos in docs and comments
  • ngtcp2: advertise h3 as well as h3-29
  • ngtcp2: compile with the latest nghttp3
  • ngtcp2: specify the missing required callback functions
  • ngtcp2: use latest QUIC TLS RFC9001
  • NTLM: use DES_set_key_unchecked with OpenSSL
  • openssl: if verifypeer is not requested, skip the CA loading
  • openssl: with OpenSSL 1.1.0+ a failed RAND_status means goaway
  • Revert "src/tool_filetime: disable -Wformat on mingw for this file"
  • sasl: binary messages
  • schannel: fix memory leak due to failed SSL connection
  • scripts/delta: count command line options in the new file
  • sendf: accept zero-length data in Curl_client_write()
  • sha256: use high-level EVP interface for OpenSSL
  • smooth-gtk-thread.c: enhance the mutex lock use
  • sws: fix memory leak on exit
  • test1160: edited to work with hyper
  • test1173: make manpage-syntax.pl spot n errors in examples
  • test1185: verify checksrc
  • test1266/1267: disabled on hyper: no HTTP/0.9 support
  • test1287: make work on hyper
  • test207: accept a different error code for hyper
  • test262: don't attempt with hyper
  • test552: updated to work with hyper
  • test559: add 'HTTP' in keywords
  • tests/smbserver.py: fix compatibility with impacket 0.9.23+
  • tests: add Schannel-specific tests and disable unsupported ones
  • tests: disable test 2043
  • tests: kill some test servers afterwards to avoid locked logfiles
  • tests: use python3 in test 1451
  • tls: remove newline from three infof() calls
  • tool_cb_prg: make resumed upload progress bar show better
  • tool_listhelp: easier generated with gen.pl
  • tool_main: fix typo in comment
  • tool_operate: a failed etag save now only fails that transfer
  • URL-SYNTAX: add IMAP UID SEARCH example
  • url: check the return value of curl_url()
  • url: set "k->size" -1 at start of request
  • urlapi: skip a strlen(), pass in zero
  • urlapi: URL decode percent-encoded host names
  • version_win32: use actual version instead of manifested version
  • vtls: Fix a memory leak if an SSL session cannot be added to the cache
  • wolfssl: use for SHA256, MD4, MD5, and setting DES odd parity
  • zuul: pin the quiche build to use an older cmake-rs

New in cURL 7.79.1 (Sep 24, 2021)

  • Bugfixes:
  • Curl_http2_setup: don't change connection data on repeat invokes
  • curl_multi_fdset: make FD_SET() not operate on sockets out of range
  • dist: provide lib/.checksrc in the tarball
  • FAQ: add GOPHERS + curl works on data, not files
  • hsts: CURLSTS_FAIL from hsts read callback should fail transfer
  • hsts: handle unlimited expiry
  • http: fix the broken >3 digit response code detection
  • strerror: use sys_errlist instead of strerror on Windows
  • test1184: disable
  • tests/sshserver.pl: make it work with openssh-8.7p1

New in cURL 7.79.0 (Sep 15, 2021)

  • Changes:
  • bearssl: support CURLOPT_CAINFO_BLOB
  • http: consider cookies over localhost to be secure
  • secure transport: support CURLINFO_CERTINFO
  • Bugfixes:
  • CVE-2021-22945: clear the leftovers pointer when sending succeeds
  • CVE-2021-22946: do not ignore --ssl-reqd
  • CVE-2021-22947: reject STARTTLS server response pipelining
  • ares: use ares_getaddrinfo()
  • asyn-ares.c: move all version number checks to the top
  • auth: do not append zero-terminator to authorisation id in kerberos
  • auth: properly handle byte order in kerberos security message
  • auth: use sasl authzid option in kerberos
  • auth: we do not support a security layer after kerberos authentication
  • BINDINGS.md: update links to use https where available
  • build: fix compiler warnings
  • c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
  • c-hyper: fix header value passed to debug callback
  • c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
  • c-hyper: initial step for 100-continue support
  • c-hyper: initial support for "dumping" 1xx HTTP responses
  • c-hyper: remove the hyper_executor_poll() loop from Curl_http
  • CI/cirrus: reduce compile time with increased parallism
  • CI: use GitHub Container Registry instead of Docker Hub
  • cirrus: Add FreeBSD 13.0 job and disable sanitizer build
  • cmake: avoid poll() on macOS
  • cmake: sync CURL_DISABLE options
  • codeql: fix error "Resource not accessible by integration"
  • compressed.d: it's a request, not an order
  • config.d: escape the backslash properly
  • config.d: note that curlrc is used even when --config
  • config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
  • configure.ac: revert bad nghttp2 library detection improvements
  • configure: error out if both ngtcp2 and quiche are specified
  • configure: make --disable-hsts work
  • configure: set classic mingw minimum OS version to XP
  • configure: tweak nghttp2 library name fix
  • connect: get local port + ip also when reusing connections
  • connect: remove superfluous conditional
  • curl-openssl.m4: check lib64 for the pkg-config file
  • curl-openssl.m4: show correct output for OpenSSL v3
  • curl.1: mention "global" flags
  • curl.1: provide examples for each option
  • curl: add warning for ignored data after quoted form parameter
  • curl: add warning for incompatible parameters usage
  • curl: better error message when -O fails to get a good name
  • curl: stop retry if Retry-After: is longer than allowed
  • curl_easy_setopt.3: improve the string copy wording
  • Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
  • curl_setup.h: sync values for HTTP_ONLY
  • curl_url_get.3: clarify about path and query
  • CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
  • CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
  • CURLOPT_SSL_CTX_*.3: tidy up the example
  • CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
  • docs/MQTT: update state of username/password support
  • docs: remove experimental mentions from HSTS and MQTT
  • docs: the security list is reached at security at curl.se now
  • easy: use a custom implementation of wcsdup on Windows
  • examples/*hiperfifo.c: fix calloc arguments to match function proto
  • examples/cookie_interface: avoid printfing time_t directly
  • examples/cookie_interface: fix scan-build printf warning
  • examples/ephiperfifo.c: simplify signal handler
  • FAQ: add two dev related questions
  • getparameter: fix the --local-port number parser
  • happy-eyeballs-timeout-ms.d: polish the wording
  • hostip: Make Curl_ipv6works function independent of getaddrinfo
  • http2: Curl_http2_setup needs to init stream data in all invokes
  • http2: revert a change that broke upgrade to h2c
  • http2: revert call the handle-closed function correctly on closed stream
  • http: disallow >3-digit response codes
  • http: ignore content-length if any transfer-encoding is used
  • http_proxy: clear 'sending' when the outgoing request is sent
  • http_proxy: fix the User-Agent inclusion in CONNECT
  • http_proxy: fix user-agent and custom headers for CONNECT with hyper
  • http_proxy: only wait for writable socket while sending request
  • INTERNALS: bump c-ares requirement to 1.16.0
  • INTERNALS: c-ares has a new home: c-ares.org
  • lib: don't use strerror()
  • libcurl-errors.3: clarify two CURLUcode errors
  • limit-rate.d: clarify base unit
  • mailing lists: move from cool.haxx.se to lists.haxx.se
  • mbedtls: avoid using a large buffer on the stack
  • mbedTLS: initial 3.0.0 support
  • mbedtls_threadlock: fix unused variable warning
  • mksymbolsmanpage.pl: Fix showing symbol's last used version
  • mksymbolsmanpage.pl: match symbols case insenitively
  • multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
  • ngtcp2: compile with the latest ngtcp2 and nghttp3
  • ngtcp2: fix build with ngtcp2 and nghttp3
  • ngtcp2: remove the acked_crypto_offset struct field init
  • ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
  • ngtcp2: reset the oustanding send buffer again when drained
  • ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
  • ngtcp2: stop buffering crypto data
  • ngtcp2: utilize crypto API functions to simplify
  • openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
  • openssl: when creating a new context, there cannot be an old one
  • opt-docs: make sure all man pages have examples
  • opt-docs: verify man page sections + order
  • opts docs: unify phrasing in NAME header
  • output.d: add method to suppress response bodies
  • page-header: add GOPHERS, simplify wording in the 1st para
  • progress: fix a compile warning on some systems
  • progress: make trspeed avoid floats
  • runtests: add option -u to error on server unexpectedly alive
  • schannel: Work around typo in classic mingw macro
  • scripts: invoke interpreters through /usr/bin/env
  • setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
  • strerror.h: remove the #include from files not using it
  • symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
  • test1138: remove trailing space to make work with hyper
  • test1173: check references to libcurl options
  • test1280: CRLFify the response to please hyper
  • test1565: fix windows build errors
  • test365: verify response with chunked AND Content-Length headers
  • tests/*server.pl: flush output before executing subprocess
  • tests/*server.py: remove pidfile on server termination
  • tests/runtests.pl: cleanup copy&paste mistakes and unused code
  • tests/server/*.c: align handling of portfile argument and file
  • tests: adjust the tftpd output to work with hyper mode
  • tests: be explicit about using 'python3' instead of 'python'
  • tests: enable test 1129 for hyper builds
  • tests: make three tests pass until 2037
  • tool/tests: fix potential year 2038 issues
  • tool_operate: Fix --fail-early with parallel transfers
  • url: fix compiler warning in no-verbose builds
  • urlapi.c:seturl: assert URL instead of using if-check
  • vtls: fix typo in schannel_verify.c
  • winbuild/README.md: clarify GEN_PDB option
  • wolfssl: clean up wolfcrypt error queue
  • write-out.d: clarify size_download/upload
  • x509asn1: fix heap over-read when parsing x509 certificates

New in cURL 7.78.0 (Jul 21, 2021)

  • Changes:
  • curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
  • CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
  • hostip: make 'localhost' return fixed values
  • mbedtls: add support for cert and key blob options
  • metalink: remove all support for it
  • mqtt: add support for username and password
  • Bugfixes:
  • --socks4[a]: clarify where the host name is resolved
  • ares: always store IPv6 addresses first
  • asyn-ares: remove check for 'data' in Curl_resolver_cancel
  • bearssl: explicitly initialize all fields of Curl_ssl
  • bearssl: remove incorrect const on variable that is modified
  • build: fix compiler warnings when CURL_DISABLE_VERBOSE_STRINGS
  • c-hyper: abort CONNECT response reading early on non 2xx responses
  • c-hyper: add support for transfer-encoding in the request
  • c-hyper: bail on too long response headers
  • c-hyper: clear NTLM auth buffer when request is issued
  • c-hyper: convert HYPERE_INVALID_PEER_MESSAGE to CURLE_UNSUPPORTED_PROTOCOL
  • c-hyper: fix NTLM on closed connection tested with test159
  • c-hyper: fix the uploaded field in progress callbacks
  • c-hyper: handle NULL from hyper_buf_copy()
  • c-hyper: support CURLINFO_STARTTRANSFER_TIME
  • c-hyper: support CURLOPT_HEADER
  • ccsidcurl: fix the compile errors
  • CI/cirrus: install impacket from PyPI instead of FreeBSD packages
  • CI: add bearssl build
  • CI: add Circle CI
  • CI: add jobs using Zuul
  • CI: delete --enable-hsts option (it is the default now)
  • CI: remove travis details
  • cleanup: spell DoH with a lowercase o
  • cmake: add CURL_DISABLE_NTLM option
  • cmake: avoid leaking absolute paths into exported config
  • cmake: fix IoctlSocket FIONBIO check
  • cmake: fix support for UnixSockets feature on Win32
  • cmake: remove libssh2 feature checks
  • cmake: try well-known send/recv signature for Apple
  • configure.ac: make non-executable
  • configure/cmake: remove checks for many unused functions
  • configure: add --disable-ntlm option
  • configure: disable RTSP when hyper is selected
  • configure: do not strip out debug flags
  • configure: fix nghttp2 library name for static builds
  • configure: inhibit the implicit-fallthrough warning on gcc-12
  • configure: rename get-easy-option configure option to get-easy-options
  • conn_shutdown: if closed during CONNECT cleanup properly
  • conncache: lowercase the hash key for better match
  • cookies: track expiration in jar to optimize removals
  • copyright: add boiler-plate headers to CI config files
  • crustls: bump crustls version and use new URL
  • curl.h: is supported by VxWorks7
  • curl.h: include sys/select.h for NuttX RTOS
  • curl: ignore blank --output-dir
  • curl_endian: remove the unused Curl_write64_le function
  • curl_multibyte: Remove local encoding fallbacks
  • Curl_ntlm_core_mk_nt_hash: fix OOM in error path
  • Curl_ssl_getsessionid: fail if no session cache exists
  • CURLOPT_WRITEFUNCTION.3: minor update of the example
  • docs/BINDINGS: fix outdated links
  • docs/examples: use curl_multi_poll() in multi examples
  • docs/INSTALL: remove mentions of configure --with-darwin-ssl
  • docs: document missing arguments to commands
  • docs: fix inconsistencies in EGDSOCKET documentation
  • docs: fix incorrect argument name reference
  • docs: Fix typos
  • docs: make docs for --etag-save match the program behaviour
  • docs: use --max-redirs instead of --max-redir
  • doh: (void)-prefix call to curl_easy_setopt
  • doh: fix wrong DEBUGASSERT for doh private_data
  • easy: during upkeep, attach Curl_easy to connections in the cache
  • examples/multi-single: fix scan-build warning
  • examples: length-limit two sscanf() uses of %s
  • examples: safer and more proper read callback logic
  • filecheck: quietly remove test-place/*~
  • formdata: avoid "Argument cannot be negative" warning
  • formdata: correct typecast in curl_mime_data call
  • GHA: add a linux-hyper job
  • GHA: add several libcurl tests to the hyper job
  • GHA: run the newly fixed tests with hyper
  • github: timeout jobs on macOS after 90 minutes
  • glob: pass an 'int' as len when using printf's %*s
  • gnutls: set the preferred TLS versions in correct order
  • GOVERNANCE: add 'user', 'committer' and 'contributor'
  • hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
  • hostip: bad CURLOPT_RESOLVE syntax now returns error
  • hsts: ignore numberical IP address hosts
  • HSTS: not experimental anymore
  • http2: clarify 'Using HTTP2' verbose message
  • http2: init recvbuf struct for pushed streams
  • http2_connisdead: handle trailing GOAWAY better
  • http: fix crash in rate-limited upload
  • http: make the haproxy support work with unix domain sockets
  • http_proxy: deal with non-200 CONNECT response with Hyper
  • hyper: propagate errors back up from read callbacks
  • HYPER: remove mentions of deprecated development branch
  • idn: fix libidn2 with windows unicode builds
  • infof: remove newline from format strings, always append it
  • lib: don't compare fd to FD_SETSIZE when using poll
  • lib: fix compiler warnings with CURL_DISABLE_NETRC
  • lib: fix type of len passed to *printf's %*s
  • lib: more %u for port and int for %*s fixes
  • lib: use %u instead of %ld for port number printf
  • libcurl-security.3: mention file descriptors and forks
  • libssh2: limit time a disconnect can take to 1 second
  • mbedtls: make mbedtls_strerror always work
  • mbedtls: Remove unnecessary include
  • mqtt: detect illegal and too large file size
  • mqtt: extend the error message for no topic
  • msnprintf: return number of printed characters excluding null byte
  • multi: add scan-build-6 work-around in curl_multi_fdset
  • multi: alter transfer timeout ordering
  • multi: do not switch off connect_only flag when closing
  • multi: fix crash in curl_multi_wait / curl_multi_poll
  • netrc: skip 'macdef' definitions
  • ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
  • openssl: avoid static variable for seed flag
  • openssl: don't remove session id entry in disassociate
  • pinnedpubkey.d: fix formatting for version support lists
  • proto.d: fix formatting for paragraphs after margin changes
  • quiche: use send() instead of sendto() to avoid macOS issue
  • Revert "c-hyper: handle body on HYPER_TASK_EMPTY"
  • Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
  • runtests: also find the last test in Makefile.inc
  • runtests: enable 'hyper mode' only for HTTP tests
  • runtests: init $VERSION to avoid warnings when using -l
  • runtests: parse data/Makefile.inc instead of using make
  • runtests: skip disabled tests unless -f is used
  • rustls: remove native_roots fallback
  • schannel: set ALPN length correctly for HTTP/2
  • SChannel: Use '_tcsncmp()' instead
  • sectransp: check for client certs by name first, then file
  • setopt: fix incorrect comments
  • socketpair: fix potential hangs
  • socks4: scan for the IPv4 address in resolve results
  • ssl: read pending close notify alert before closing the connection
  • sws: malloc request struct instead of using stack
  • telnet: fix option parser to not send uninitialized contents
  • test1116: hyper doesn't pass through "surprise-trailers"
  • test1147: hyper doesn't allow "crazy" request headers like built-in
  • test1151: added missing CRLF to work with hyper
  • test1216: adjusted for hyper mode
  • test1218: adjusted for hyper mode
  • test1230: adjust to work in hyper mode
  • test1340/1341: adjusted for hyper mode
  • test1438/1457: add HTTP keyword to make hyper mode work
  • test1514: add a CRLF to the response to make it correct
  • test1518: adjusted to work with hyper
  • test1519: adjusted to work with hyper
  • test1594/1595/1596: fix to work in hyper mode
  • test269: disable for hyper
  • test3010: work with hyper mode
  • test328: avoid a header-looking body to make hyper mode work
  • test339: CRLFify better to work in hyper mode
  • test347: CRLFify to work in hyper mode
  • test393: make Content-Length fit within 64 bit for hyper
  • test394: hyper returns a different error
  • test395: hyper cannot work around > 64 bit content-lengths like built-in
  • test433: adjust for hyper mode
  • test434: add HTTP keyword
  • test500: adjust to work with hyper mode
  • test566: adjust to work with hyper mode
  • test599: adjusted to work in hyper mode
  • test644: remove as duplicate of test 587
  • tests: fix Accept-Encoding strips to work with Hyper builds
  • TLS: prevent shutdown loops to get stuck
  • tool: make _lseeki64() macro work with the PellesC compiler
  • tool_help: document that --tlspassword takes a password
  • tool_help: remove unused define
  • url.c: remove two variable assigns that are never read
  • url: (void)-prefix a curl_url_get() call
  • url: bad CURLOPT_CONNECT_TO syntax now returns error
  • version: turn version number functions into returning void
  • vtls: exit addsessionid if no cache is inited
  • vtls: fix connection reuse checks for issuer cert and case sensitivity
  • vtls: only store TIMER_APPCONNECT for non-proxy connect
  • vtls: use free() not curl_free()
  • warnless: simplify type size handling
  • Win32: fix build with Watt-32
  • winbuild/README: VC should be set to 6 'or larger'
  • winbuild: support alternate nghttp2 static lib name
  • wolfssl: failing to set a session id is not reason to error out
  • write-out.d: clarify urlnum is not unique for de-globbed URLs
  • zuul: use the new rustls directory name

New in cURL 7.77.0 (Jul 21, 2021)

  • Changes:
  • configure: make the TLS library choice(s) explicit
  • curl: ignore options asking for SSLv2 or SSLv3
  • hsts: enable by default
  • SSL: support in-memory CA certs for some backends
  • vtls: refuse setting any SSL version
  • Bugfixes:
  • CVE-2021-22897: schannel cipher selection surprise
  • CVE-2021-22898: TELNET stack contents disclosure
  • CVE-2021-22901: TLS session caching disaster
  • AmigaOS: add functions definitions for SHA256
  • build: fix compilation for Windows UWP platform
  • c-hyper: don't write to set.writeheader if null
  • c-hyper: fix handling of zero-byte chunk from hyper
  • c-hyper: handle body on HYPER_TASK_EMPTY
  • checksrc: complain on == NULL or != 0 checks in conditions
  • CI/cirrus: add shared and static Windows release builds
  • cmake: add CURL_ENABLE_EXPORT_TARGET option
  • cmake: check for getppid and utimes
  • cmake: detect CURL_SA_FAMILY_T
  • cmake: fix two invokes result in different curl_config.h
  • cmake: make libcurl output filename configurable
  • cmake: Use multithreaded compilation on VS 2008+
  • config: remove now-unused macros
  • configure: if asked for, fail if ldap is not found
  • configure: provide --with-openssl, deprecate --with-ssl
  • conn: add 'attach' to protocol handler, make libssh2 use it
  • connect: use CURL_SA_FAMILY_T for portability
  • ConnectionExists: respect requests for h1 connections better
  • cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
  • curl-wolfssl.m4: without custom include path, assume /usr/include
  • curl: include libmetalink version in --version output
  • Curl_http_header: check for colon when matching Persistent-Auth
  • Curl_http_input_auth: require valid separator after negotiation type
  • Curl_input_digest: require space after Digest
  • curl_mprintf.3: add description
  • curl_setup: provide the shutdown flags wider
  • curl_url_set.3: add memory management information
  • CURLcode: add CURLE_SSL_CLIENTCERT
  • CURLOPT_CAPATH.3: defaults to a path, not NULL
  • CURLOPT_IPRESOLVE: preventing wrong IP version from being used
  • CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
  • data_pending: check only SECONDARY socket for FTP(S) transfers
  • docs/TheArtOfHttpScripting: fix markdown links
  • docs: camelcase it like GitHub everywhere
  • docs: cookies from HTTP headers need domain set
  • docs: fix typo in fail-with-body doc
  • docs: improve INTERNALS.md regarding getsock cb
  • docs: replace dots with dashes in markdown enums
  • easy: ignore sigpipe in curl_easy_send
  • FILEFORMAT: mention sectransp as a feature
  • GIT-INFO: suggest using autoreconf instead of buildconf
  • github: add a workflow with libssh2 on macOS using cmake
  • github: inhibit deprecated declarations for clang on macOS
  • GnuTLS: don't allow TLS 1.3 for versions that don't support it
  • gnutls: make setting only the MAX TLS allowed version work
  • gskit: fix CURL_DISABLE_PROXY build
  • gskit: fix undefined reference to 'conn'
  • hostip.h: remove declaration of unimplemented function
  • hostip: remove the debug code for LocalHost
  • http2: call the handle-closed function correctly on closed stream
  • http2: fix a resource leak in push_promise()
  • http2: fix resource leaks in set_transfer_url()
  • http2: make sure pause is done on HTTP
  • http2: move the stream error field to the per-transfer storage
  • http2: skip immediate parsing of payload following protocol switch
  • http2: use nghttp2_session_upgrade2 instead of nghttp2_session_upgrade
  • HTTP3.md: fix nghttp2's HTTP/3 server port
  • HTTP3.md: make the ngtcp2 build use the quictls fork
  • http: deal with partial CONNECT sends
  • http: fix the check for 'Authorization' with Bearer
  • http: limit the initial send amount to used upload buffer size
  • http: reset the header buffer when sending the request
  • http: use offsets inst of integer literals for header parsing
  • INSTALL: add IBM i specific quirks
  • krb5/name_to_level: replace checkprefix with curl_strequal
  • krb5: don't use 'static' to store PBSZ size response
  • krb5: remove the unused 'overhead' function
  • lib/hostip6.c: make NAT64 address synthesis on macOS work
  • lib1564.c: enable last wakeup test part on Windows
  • lib: fix 0-length Curl_client_write calls
  • lib: fix some misuse of curlx_convert_UTF8_to_tchar
  • libcurl-security.3: be careful of setuid
  • libcurl-security.3: don't try to filter IPv4 hosts based on the URL
  • libcurl.3: mention the URL API
  • libssh2: fix Value stored to 'sshp' is never read
  • libssh2: ignore timeout during disconnect
  • libssh: fix "empty expression statement has no effect" warnings
  • libtest: remove lib530.c
  • m4: add security frameworks on Mac when compiling rustls
  • multi: don't close connection HTTP_1_1_REQUIRED
  • multi: fix slow write/upload performance on Windows
  • multi: reduce Win32 API calls to improve performance
  • ngtcp2: fix the cb_acked_stream_data_offset proto
  • NSS: add ciphers to map
  • NSS: make colons, commas and spaces valid separators in cipher list
  • nss_set_blocking: avoid static for sock_opt
  • ntlm: precaution against super huge type2 offsets
  • openldap: protect SSL-specific code with proper #ifdef
  • openldap: replace ldap_ prefix on private functions
  • openssl: fix build error with OpenSSL < 1.0.2
  • openssl: remove unneeded cast for CertOpenSystemStore()
  • os400: additional support for options metadata
  • progress: fix scan-build-11 warnings
  • progress: reset limit_size variables at transfer start
  • progress: when possible, calculate transfer speeds with microseconds
  • README.md: delete Codacy UTM parameters
  • Revert "Revert 'multi: implement wait using winsock events'"
  • rustls: only return CURLE_AGAIN when TLS session is fully drained
  • rustls: use ALPN
  • sasl: use 'unsigned short' to store mechanism
  • schannel: Disable auto credentials; add an option to enable it
  • schannel: Support strong crypto option
  • sectransp: allow cipher name to be specified
  • sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
  • sigpipe: ignore SIGPIPE when using wolfSSL as well
  • sockfilt: avoid getting stuck waiting for writable socket
  • sockfilt: fix invalid increment of handles index variable nfd
  • sws: #ifdef S_IFSOCK use
  • sws: allow HTTP requests up to 2MB in size
  • test server: take care of siginterrupt() deprecation
  • test2100: make it run with and require IPv6
  • tests/disable-scan.pl: also scan all m4 files
  • tests/getpart: generate output URL encoded for better diffs
  • tests: ignore case of chunked hex numbers in tests
  • tls: add USE_HTTP2 define
  • tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
  • tool_getparam: replace (in-place) ' ' by '+' according to RFC1866
  • tool_operate: don't discard failed parallel transfer result
  • tool_writeout: fix the HTTP_CODE json output
  • travis: disable the failing libssh build
  • URL-SYNTAX: update IDNA section for WHATWG spec changes
  • urlapi: "normalize" numerical IPv4 host names
  • vauth: factor base64 conversions out of authentication procedures
  • version: add gsasl_version to curl_version_info_data
  • version: add OpenLDAP version in the output
  • vtls: deduplicate some DISABLE_PROXY ifdefs
  • vtls: reset ssl use flag upon negotiation failure
  • wolfssl: handle SSL_write() returns 0 for error
  • wolfssl: remove SSLv3 support leftovers

New in cURL 7.76.1 (Apr 14, 2021)

  • Bugfixes:
  • configure: disable min version set for Darwin
  • configure: include unconditionally
  • configure: remove use of RETSIGTYPE
  • docs/HTTP3.md: update the build instruction using gnutls
  • examples/hiperfifo.c: check event_initialized before delete
  • file: support GETing directories again
  • github/workflow: add "security-extended" to codeql-analysis.yml
  • h2: allow 100 streams by default
  • hostip: fix builds that disable all asynchronous DNS
  • http_proxy: only loop on 407 + close if we have credentials
  • install: add instructions for Apple Darwin platforms
  • lib: remove unused HAVE_INET_NTOA_R* defines
  • libssh: get rid of PATH_MAX
  • ngtcp2+gnutls: clear credentials when freed
  • ngtcp2: Use ALPN h3-29 for now
  • ntlm: fix negotiated flags usage
  • ntlm: support version 2 on 32-bit platforms
  • openssl: fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
  • TLS: fix HTTP/2 selection
  • tool_progress: fix progress meter final update in parallel mode
  • typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers

New in cURL 7.76.0 (Apr 1, 2021)

  • Changes:
  • cookies: Support multiple -b parameters
  • curl: add --fail-with-body
  • doh: add options to disable ssl verification
  • http: add support to read and store the referrer header
  • sasl: support SCRAM-SHA-1 and SCRAM-SHA-256 via libgsasl
  • vtls: initial implementation of rustls backend
  • Bugfixes:
  • CVE-2021-22876: strip credentials from the auto-referer header field
  • CVE-2021-22890: add 'isproxy' argument to Curl_ssl_get/addsessionid()
  • asyn-ares: use consistent resolve error message
  • BUG-BOUNTY: removed the cooperation mention
  • build: delete unused feature guards
  • build: fix --disable-dateparse
  • build: fix --disable-http-auth
  • build: remove all traces of USE_BLOCKING_SOCKETS
  • c-hyper: Remove superfluous pointer check
  • c-hyper: support automatic content-encoding
  • CI/azure: disable test 433 on azure-ubuntu
  • CI/azure: replace python-impacket with python3-impacket
  • ci: stop building on freebsd-12-1
  • cmake: fix import library name for non-MS compiler on Windows
  • cmake: use CMAKE_INSTALL_INCLUDEDIR indirection
  • cmake: support WinIDN
  • config: fix building SMB with configure using Win32 Crypto
  • config: fix detection of restricted Windows App environment
  • configure: fail if --with-quiche is used and quiche isn't found
  • configure: make AC_TRY_* into AC_*_IFELSE
  • configure: make hyper opt-in, and fail if missing
  • configure: only add OpenSSL paths if they are defined
  • configure: provide Largefile feature for curl-config
  • configure: remove use of deprecated macros
  • configure: s/AC_HELP_STRING/AS_HELP_STRING
  • cookies: Fix potential NULL pointer deref with PSL
  • curl: set CURLOPT_NEW_FILE_PERMS if requested
  • curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO
  • curl_multibyte: always return a heap-allocated copy of string
  • curl_multibyte: fall back to local code page stat/access on Windows
  • Curl_timeleft: check both timeouts during connect
  • curl_url_set.3: mention CURLU_PATH_AS_IS
  • CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
  • docs/HTTP2: remove the outdated remark about multiplexing for the tool
  • docs/Makefile.inc: format to be update-friendly
  • docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
  • docs: add missing Arg tag to --stderr
  • docs: Add SSL backend names to CURL_SSL_BACKEND
  • docs: clarify timeouts for queued transfers in multi API
  • docs: Explain DOH transfers inherit some SSL settings
  • docs: fix FILE example url in --metalink documentation
  • docs: make gen.pl support *italic* and **bold**
  • doh: Fix sharing user's resolve list with DOH handles
  • doh: Inherit CURLOPT_STDERR from user's easy handle
  • dynbuf: bump the max HTTP request to 1MB
  • examples: Remove threaded-shared-conn.c due to bug
  • file: Support unicode urls on windows
  • ftp: add 'list_only' to the transfer state struct
  • ftp: add 'prefer_ascii' to the transfer state struct
  • FTP: allow SIZE to fail when doing (resumed) upload
  • ftp: avoid SIZE when asking for a TYPE A file
  • ftp: fix Codacy/cppcheck warning about null pointer arithmetic
  • ftp: fix memory leak in ftp_done
  • ftp: never set data->set.ftp_append outside setopt
  • gen.pl: quote "bare" minuses in the nroff curl.1
  • github: add torture-ftp for FTP-only torture testing
  • gnutls: assume nettle crypto support
  • gskit: correct the gskit_send() prototype
  • hostip: fix build with sync resolver
  • hostip: fix crash in sync resolver builds that use DOH
  • hsts: remove unused defines
  • http2: don't set KEEP_SEND when there's no more data to be sent
  • http2: fail if connection terminated without END_STREAM
  • http: cap body data amount during send speed limiting
  • http: do not add a referrer header with empty value
  • http: make 416 not fail with resume + CURLOPT_FAILONERRROR
  • http: remove superfluous NULL assign
  • http: strip default port from URL sent to proxy
  • http: use credentials from transfer, not connection
  • ldap: use correct memory free function
  • lib1536: check ptr against NULL before dereferencing it
  • lib1537: check ptr against NULL before dereferencing it
  • lib: remove 'conn->data' completely
  • libssh2: kdb_callback: get the right struct pointer
  • libssh2:ssh_connect: clear session pointer after free
  • memdebug: close debug logfile explicitly on exit
  • mingw: enable using strcasecmp()
  • multi: close the connection when h2=>h1 downgrading
  • multi: do once-per-transfer inits in before_perform in DID state
  • multi: rename the multi transfer states
  • multi: update pending list when removing handle
  • ngtcp2: adapt to the new recv_datagram callback
  • ngtcp2: clarify calculation precedence
  • ngtcp2: Fix build error due to change in ngtcp2_addr_init
  • ngtcp2: sync with recent API updates
  • openldap: avoid NULL pointer dereferences
  • openssl: adapt to v3's new const for a few API calls
  • openssl: ensure to check SSL_CTX_set_alpn_protos return values
  • openssl: remove get_ssl_version_txt in favor of SSL_get_version
  • openssl: set the transfer pointer for logging early
  • OS400: update for CURLOPT_AWS_SIGV4
  • parse_proxy: fix a memory leak in the OOM path
  • pathhelp.pm: fix use of pwd -L in Msys environment
  • projects: Update VS projects for OpenSSL 1.1.x
  • quiche: fix build error: use 'int' for port number
  • quiche: fix crash when failing to connect
  • retry-all-errors.d: Explain curl errors versus HTTP response errors
  • retry.d: Clarify transient 5xx HTTP response codes
  • runtests.pl: add %TESTNUMBER variable to make copying tests more convenient
  • runtests.pl: add a -P option to specify an external proxy
  • runtests.pl: kill processes locking test log files
  • setopt: error on CURLOPT_HTTP09_ALLOWED set true with Hyper
  • test1188: change error to check for: --fail HTTP status
  • test220/314: adjust to run with Hyper
  • test304: header CRLF cleanup to work with Hyper
  • test306: make it not run with Hyper
  • tests: disable .curlrc in more environments
  • tests: use %TESTNUMBER instead of fixed number
  • tftp: remove the 3600 second default timeout
  • time: enable 64-bit time_t in supported mingw environments
  • tool_help: add missing argument for --create-file-mode
  • tool_help: Increase space between option and description
  • tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error
  • travis: add a rustls build
  • travis: bump wolfssl to 4.7.0
  • travis: only build wolfssl when needed
  • travis: split "torture" into a separate "events" build
  • travis: switch ngtcp2 build over to quictls
  • travis: use ubuntu nghttp2 package instead of build our own
  • url.c: use consistent error message for failed resolve
  • url: fix memory leak if OOM in the HSTS handling
  • url: fix possible use-after-free in default protocol
  • urldata: don't touch data->set.httpversion at run-time
  • urldata: fix build without HTTP and MQTT
  • urldata: make 'actions[]' use unsigned char instead of int
  • urldata: merge "struct DynamicStatic" into "struct UrlState"
  • urldata: remove the 'rtspversion' field
  • urldata: remove the _ORIG suffix from string names
  • version.d: Add missing features to the features list
  • wolfssl: don't store a NULL sessionid

New in cURL 7.75.0 (Feb 4, 2021)

  • Changes:
  • curl: add --create-file-mode [mode]
  • curl: add new variables to --write-out
  • dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
  • gopher: implement secure gopher protocol
  • http: add Hyper as new optional HTTP backend
  • http: introduce AWS HTTP v4 Signature support
  • Bugfixes:
  • badsymbols.pl: add verbose mode -v
  • badsymbols.pl: ignore stand-alone single hash lines
  • BUG-BOUNTY: minor language updates
  • build: fix djgpp builds
  • cleanup: fix empty expression statement has no effect
  • cmake: Add an option to disable libidn2
  • cmake: enable gophers correctly in curl-config
  • cmake: expose CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
  • cmdline-opts/gen.pl: return hard on errors
  • cmdline-opts/retry.d: mention response code 429 as well
  • configure: set -Wextra-semi-stmt for clang with --enable-debug
  • connect: defer port selection until connect() time
  • connect: mark intentional ignores of setsockopt return values
  • connect: on linux, enable reporting of all ICMP errors on UDP sockets
  • connect: zero variable on stack to silence valgrind complaint
  • cookie: avoid the C1001 internal compiler error with MSVC 14
  • curl.1: fix typo microsft -> microsoft
  • curl: fix handling of -q option
  • curl: include the file name in --xattr/--remote-time error msgs
  • curl: move fprintf outputs to warnf
  • Curl_chunker: shrink the struct
  • curl_easy_pause.3: add multiplexed pause effects
  • CURLINFO_PRETRANSFER_TIME.3: clarify
  • CURLOPT_URL.3: remove scheme specific details
  • digest_sspi: Show InitializeSecurityContext errors in verbose mode
  • docs/examples: adjust prototypes for CURLOPT_READFUNCTION
  • docs/URL-SYNTAX: the URL syntax curl accepts and works with
  • docs: enable syntax highlighting in several docs files
  • docs: fix line length bug in gen.pl
  • docs: fix typos in NEW-PROTOCOL.md
  • docs: fix wrong documentation in help.d
  • docs: remove redundant "better" in --fail help
  • doh: allocate state struct on demand
  • examples/libtest: add .checksrc to dist
  • examples: remove superfluous asterisk uses
  • failf: remove newline from formatting strings
  • file: don't provide content-length for directories
  • getinfo: build with disabled HTTP support
  • gitattributes: Set batch files to CRLF line endings on checkout
  • h2: do not wait for RECV on paused transfers
  • HISTORY: added dates to early history
  • http: empty reply connection are not left intact
  • http: get CURLOPT_REQUEST_TARGET working with a HTTP proxy
  • http: have CURLOPT_FAILONERROR fail after all headers
  • http: make providing Proxy-Connection header not cause duplicated headers
  • http: show the request as headers even when split-sending
  • http_chunks: correct and clarify a comment on hexnumber length
  • http_proxy: Fix CONNECT chunked encoding race condition
  • httpauth: make multi-request auth work with custom port
  • INSTALL: now at 85 operating systems
  • INSTALL: update the list known OSes and CPU archs curl has run on
  • lib/unit tests: add missing curl_global_cleanup() calls
  • lib1564/5: verify that curl_multi_wakeup returns OK
  • lib: pass in 'struct Curl_easy *' to most functions
  • lib: remove Curl_ prefix from many static functions
  • lib: save a bit of space with some structure packing
  • libssh2: fix "Value stored to 'readdir_len' is never read"
  • libssh2: move data from connection object to transfer object
  • libssh: avoid plain free() of libssh-memory
  • mime: make sure setting MIMEPOST to NULL resets properly
  • misc: assorted typo fixes
  • misc: fix "warning: empty expression statement has no effect"
  • misc: fix typos
  • mk-ca-bundle.pl: deterministic output when using -t
  • mqtt: deal with 0 byte reads correctly
  • mqtt: handle POST/PUBLISH without a set POSTFIELDSIZE
  • multi: set the PRETRANSFER time-stamp when we switch to PERFORM
  • multi: skip DONE state if there's no connection left for ftp wildcard
  • multi: when erroring in TOOFAST state, act as for PERFORM
  • multi_runsingle: bail out early on data->conn == NULL
  • ngtcp2: Fix http3 upload stall
  • ngtcp2: Fix stack buffer overflow
  • ngtcp2: make it build it current master again
  • nss: get the run-time version instead of build-time
  • openssl: lowercase the hostname before using it for SNI
  • OS400: update ccsidcurl.c
  • pretransfer: setup the User-Agent header here
  • quiche: remove fprintf() leftover
  • Revert "CI/github: work-around for brew breakage on macOS"
  • runtests: add 'wakeup' as a feature
  • runtests: add support for %if [feature] conditions
  • runtests: preprocess DISABLED to allow conditionals
  • schannel: plug a memory-leak
  • schannel_verify: fix safefree call typo
  • select: convert Curl_select() to private static function
  • socks: use the download buffer instead
  • speedcheck: exclude paused transfers
  • strerror: skip errnum >= 0 assertion on windows
  • test1522: add debug tracing
  • test1633: set appropriate name
  • test179: use consistent header line endings
  • test410: verify HTTPS GET with a 49K request header
  • tests/mqttd: extract the client id from the correct offset
  • tests: make --libcurl tests only test FTP options if ftp enabled
  • tool_doswin: Restore original console settings on CTRL signal
  • tool_operate: fix the suppression logic of some error messages
  • tool_operate: spellfix a comment
  • tooĺ_writeout: fix the -w time output units
  • transfer: fix GCC 10 warning with flag '-Wint-in-bool-context'
  • travis: build ngtcp2 --with-gnutls
  • travis: limit the tests with quiche builds to HTTPS and FTPS only
  • travis: restrict the openssl3 job to only run https and ftps tests
  • url: if IDNA conversion fails, fallback to Transitional
  • urldata: make magic be the first struct field
  • urldata: remove 'local_ip' from the connectdata struct
  • urldata: remove duplicate 'upkeep_interval_ms' from connectdata
  • urldata: remove duplicate port number storage
  • urldata: remove the duplicate 'ip_addr_str' field
  • urldata: store ip version in a single byte
  • vtls: remove md5sum
  • warnless: remove curlx_ultosi
  • wolfssl: add SECURE_RENEGOTIATION support
  • wolfssl: Support wolfSSL builds missing TLS 1.1

New in cURL 7.74.0 (Dec 10, 2020)

  • Changes:
  • hsts: add experimental support for Strict-Transport-Security
  • Bugfixes:
  • CVE-2020-8286: Inferior OCSP verification
  • CVE-2020-8285: FTP wildcard stack overflow
  • CVE-2020-8284: trusting FTP PASV responses
  • acinclude: detect manually set minimum macos/ipod version
  • alt-svc: enable (in the build) by default
  • alt-svc: minimize variable scope and avoid "DEAD_STORE"
  • asyn: use 'struct thread_data *' instead of 'void *'
  • checksrc: warn on empty line before open brace
  • CI/appveyor: disable test 571 in two cmake builds
  • CI/azure: improve on flakiness by avoiding libtool wrappers
  • CI/tests: enable test target on TravisCI for CMake builds
  • CI/travis: add brotli and zstd to the libssh2 build
  • cirrus: build with FreeBSD 12.2 in CirrusCI
  • cmake: call the feature unixsockets without dash
  • cmake: check for linux/tcp.h
  • cmake: correctly handle linker flags for static libs
  • cmake: don't pass -fvisibility=hidden to clang-cl on Windows
  • cmake: don't use reserved target name 'test'
  • cmake: make BUILD_TESTING dependent option
  • cmake: make CURL_ZLIB a tri-state variable
  • cmake: set the unicode feature in curl-config on Windows
  • cmake: store IDN2 information in curl_config.h
  • cmake: use libcurl.rc in all Windows builds
  • configure: pass -pthread to Libs.private for pkg-config
  • configure: use pkgconfig to find openSSL when cross-compiling
  • connect: repair build without ipv6 availability
  • curl.1: add an "OUTPUT" section at the top of the manpage
  • curl.se: new home
  • curl: add compatibility for Amiga and GCC 6.5
  • curl: only warn not fail, if not finding the home dir
  • curl_easy_escape: limit output string length to 3 * max input
  • Curl_pgrsStartNow: init speed limit time stamps at start
  • curl_setup: USE_RESOLVE_ON_IPS is for Apple native resolver use
  • curl_url_set.3: fix typo in the RETURN VALUE section
  • CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo
  • CURLOPT_HSTS.3: document the file format
  • CURLOPT_NOBODY.3: fix typo
  • CURLOPT_TCP_NODELAY.3: fix comment in example code
  • CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well
  • docs: document the 8MB input string limit
  • docs: fix typos and markup in ETag manpage sections
  • docs: Fix various typos in documentation
  • examples/httpput: remove use of CURLOPT_PUT
  • FAQ: refreshed
  • file: avoid duplicated code sequence
  • ftp: retry getpeername for FTP with TCP_FASTOPEN
  • gnutls: fix memory leaks (certfields memory wasn't released)
  • header.d: mention the "Transfer-Encoding: chunked" handling
  • HISTORY: the new domain
  • http3: fix two build errors, silence warnings
  • http3: use the master branch of GnuTLS for testing
  • http: pass correct header size to debug callback for chunked post
  • http_proxy: use enum with state names for 'keepon'
  • httpput-postfields.c: new example doing PUT with POSTFIELDS
  • infof/failf calls: fix format specifiers
  • libssh2: fix build with disabled proxy support
  • libssh2: fix transport over HTTPS proxy
  • libssh2: require version 1.0 or later
  • Makefile.m32: add support for HTTP/3 via ngtcp2+nghttp3
  • Makefile.m32: add support for UNICODE builds
  • mqttd: fclose test file when done
  • NEW-PROTOCOL: document what needs to be done to add one
  • ngtcp2: adapt to recent nghttp3 updates
  • ngtcp2: advertise h3 ALPN unconditionally
  • ngtcp2: Fix build error due to symbol name change
  • ngtcp2: use the minimal version of QUIC supported by ngtcp2
  • ntlm: avoid malloc(0) on zero length user and domain
  • openssl: acknowledge SRP disabling in configure properly
  • openssl: free mem_buf in error path
  • openssl: guard against OOM on context creation
  • openssl: use OPENSSL_init_ssl() with >= 1.1.0
  • os400: Sync libcurl API options
  • packages/OS400: make the source code-style compliant
  • quiche: close the connection
  • quiche: remove 'static' from local buffer
  • range.d: clarify that curl will not parse multipart responses
  • range.d: fix typo
  • Revert "multi: implement wait using winsock events"
  • rtsp: error out on empty Session ID, unified the code
  • rtsp: fixed Session ID comparison to refuse prefix
  • rtsp: fixed the RTST Session ID mismatch in test 570
  • runtests: return error if no tests ran
  • runtests: revert the mistaken edit of $CURL
  • runtests: show keywords when no tests ran
  • scripts/completion.pl: parse all opts
  • socks: check for DNS entries with the right port number
  • src/tool_filetime: disable -Wformat on mingw for this file
  • strerror: use 'const' as the string should never be modified
  • test122[12]: remove these two tests
  • test506: make it not run in c-ares builds
  • tests/*server.py: close log file after each log line
  • tests/server/tftpd.c: close upload file right after transfer
  • tests/util.py: fix compatibility with Python 2
  • tests: add missing global_init/cleanup calls
  • tests: fix some http/2 tests for older versions of nghttpx
  • tool_debug_cb: do not assume zero-terminated data
  • tool_help: make "output" description less confusing
  • tool_operate: --retry for HTTP 408 responses too
  • tool_operate: bail out proper on errors during parallel transfers
  • tool_operate: fix compiler warning when --libcurl is disabled
  • tool_writeout: use off_t getinfo-types instead of doubles
  • travis: use ninja-build for CMake builds
  • travis: use valgrind when running tests for debug builds
  • urlapi: don't accept blank port number field without scheme
  • urlapi: URL encode a '+' in the query part
  • urldata: remove 'void *protop' and create the union 'p'
  • vquic/ngtcp2.h: define local_addr as sockaddr_storage

New in cURL 7.73.0 (Oct 14, 2020)

  • Changes:
  • curl: add --output-dir
  • curl: support XDG_CONFIG_HOME to find .curlrc
  • curl: update --help with categories
  • curl_easy_option_*: new API for meta-data about easy options
  • CURLE_PROXY: new error code
  • mqtt: enable by default
  • sftp: add new quote commands 'atime' and 'mtime'
  • ssh: add the option CURLKHSTAT_FINE_REPLACE
  • tls: add CURLOPT_SSL_EC_CURVES and --curves
  • Bugfixes:
  • altsvc: clone setting in curl_easy_duphandle
  • base64: also build for smtp, pop3 and imap
  • BUGS: convert document to markdown
  • build-wolfssl: fix build with Visual Studio 2019
  • buildconf: invoke 'autoreconf -fi' instead
  • checksrc: detect // comments on column 0
  • checksrc: verify do-while and spaces between the braces
  • checksrc: warn on space after exclamation mark
  • CI/azure: disable test 571 in the msys2 builds
  • CI/azure: MQTT is now enabled by default
  • CI/azure: no longer ignore results of test 1013
  • CI/tests: fix invocation of tests for CMake builds
  • CI/travis: add a CI job with openssl3 (from git master)
  • cleanups: avoid curl_ on local variables
  • CMake: add option to enable Unicode on Windows
  • cmake: make HTTP_ONLY also disable MQTT
  • CMake: remove explicit `CMAKE_ANSI_CFLAGS`
  • cmake: remove scary warning
  • cmdline-opts/gen.pl: generate nicer "See Also" in curl.1
  • configure: don't say HTTPS-proxy is enabled when disabled
  • configure: fix pkg-config detecting wolfssl
  • configure: let --enable-debug set -Wenum-conversion with gcc >= 10
  • conn: check for connection being dead before reuse
  • connect.c: remove superfluous 'else' in Curl_getconnectinfo
  • curl.1: add see also no-progress-meter on two spots
  • curl.1: fix typo invokved -> invoked
  • curl: in retry output don't call all problems "transient"
  • curl: make --libcurl show binary posts correctly
  • curl: make checkpasswd use dynbuf
  • curl: make file2memory use dynbuf
  • curl: make file2string use dynbuf
  • curl: make glob_match_url use dynbuf
  • curl: make sure setopt CURLOPT_IPRESOLVE passes on a long
  • curl: retry delays in parallel mode no longer sleeps blocking
  • curl: use curlx_dynbuf for realloc when loading config files
  • curl:parallel_transfers: make sure retry readds the transfer
  • curl_get_line: build only if cookies or alt-svc are enabled
  • curl_mime_headers.3: fix the example's use of curl_slist_append
  • Curl_pgrsTime - return new time to avoid timeout integer overflow
  • Curl_send: return error when pre_receive_plain can't malloc
  • dist: add missing CMake Find modules to the distribution
  • docs/LICENSE-MIXING: remove
  • docs/opts: fix typos in two manual pages
  • docs/RESOURCES: remove
  • docs/TheArtOfHttpScripting: convert to markdown
  • docs: add description about CI platforms to CONTRIBUTE.md
  • docs: correct non-existing macros in man pages
  • doh: add error message for DOH_DNS_NAME_TOO_LONG
  • dynbuf: make sure Curl_dyn_tail() zero terminates
  • easy_reset: clear retry counter
  • easygetopt: pass a valid enum to avoid compiler warning
  • etag: save and use the full received contents
  • ftp: a 550 response to SIZE returns CURLE_REMOTE_FILE_NOT_FOUND
  • ftp: avoid risk of reading uninitialized integers
  • ftp: get rid of the PPSENDF macro
  • ftp: make a 552 response return CURLE_REMOTE_DISK_FULL
  • ftp: separate FTPS from FTP over "HTTPS proxy"
  • git: ignore libtests in 3XXX area
  • github: use new issue template feature
  • HISTORY: mention alt-svc added in 2019
  • HTTP/3: update to OpenSSL_1_1_1g-quic-draft-29
  • http: consolidate nghttp2_session_mem_recv() call paths
  • http_proxy: do not count proxy headers in the header bytecount
  • http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
  • imap: make imap_send use dynbuf for the send buffer management
  • imap: set cselect_bits to CURL_CSELECT_IN initially
  • ldap: reduce the amount of #ifdefs needed
  • lib/Makefile.am: bump VERSIONINFO due to new functions
  • lib1560: verify "redirect" to double-slash leading URL
  • lib583: fix enum mixup
  • lib: fix -Wassign-enum warnings
  • lib: make Curl_gethostname accept a const pointer
  • libssh2: handle the SSH protocols done over HTTPS proxy
  • libssh2: pass on the error from ssh_force_knownhost_key_type
  • Makefile.m32: add ability to override zstd libs [ci skip]
  • man pages: switch to https://example.com URLs
  • MANUAL: update examples to resolve without redirects
  • mbedtls: add missing header when defining MBEDTLS_DEBUG
  • memdebug: remove 9 year old unused debug function
  • multi: expand pre-check for socket readiness
  • multi: handle connection state winsock events
  • multi: implement wait using winsock events
  • ngtcp2: adapt to new NGTCP2_PROTO_VER_MAX define
  • ngtcp2: adapt to the new pkt_info arguments
  • ntlm: fix condition for curl_ntlm_core usage
  • openssl: avoid error conditions when importing native CA
  • openssl: consider ALERT_CERTIFICATE_EXPIRED a failed verification
  • openssl: Fix wincrypt symbols conflict with BoringSSL
  • parsedate: tune the date to epoch conversion
  • pause: only trigger a reread if the unpause sticks
  • pingpong: use a dynbuf for the *_pp_sendf() function
  • READMEs: convert several to markdown
  • runtests: add %repeat[]% for test files
  • runtests: allow creating files without newlines
  • runtests: allow generating a binary sequence from hex
  • runtests: clear pid variables when failing to start a server
  • runtests: make cleardir() erase dot files too
  • runtests: provide curl's version string as %VERSION for tests
  • schannel: fix memory leak when using get_cert_location
  • schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
  • scripts: improve the "get latest curl release tag" logic
  • sectransp: make it build with --disable-proxy
  • select.h: make socket validation macros test for INVALID_SOCKET
  • select: align poll emulation to return all relevant events
  • select: fix poll-based check not detecting connect failure
  • select: reduce duplication of Curl_poll in Curl_socket_check
  • select: simplify return code handling for poll and select
  • setopt: if the buffer exists, refuse the new BUFFERSIZE
  • setopt: return CURLE_BAD_FUNCTION_ARGUMENT on bad argument
  • socketpair: allow CURL_DISABLE_SOCKETPAIR
  • sockfilt: handle FD_CLOSE winsock event on write socket
  • src: spell whitespace without whitespace
  • SSLCERTS: fix English syntax
  • strerror: honor Unicode API choice on Windows
  • symbian: drop support
  • telnet.c: depend on static requirement of WinSock version 2
  • test1541: remove since it is a known bug
  • test163[12]: require http to be built-in to run
  • test434: test -K use in a single line without newline
  • test971: show test mismatches "inline"
  • tests/data: Fix some mismatched XML tags in test cases
  • tests/FILEFORMAT: document nonewline support for
  • tests/FILEFORMAT: document type=shell for
  • tests/server/util.c: fix support for Windows Unicode builds
  • tests: remove pipelining tests
  • tls: fix SRP detection by using the proper #ifdefs
  • tls: provide the CApath verbose log on its own line
  • tool_setopt: escape binary data to hex, not octal
  • tool_writeout: add new writeout variable, %{num_headers}
  • travis: add a build using libressl (from git master)
  • url: use blank credentials when using proxy w/o username and password
  • urlapi: use more Curl_safefree
  • vtls: deduplicate client certificates in ssl_config_data
  • win32: drop support for WinSock version 1, require version 2
  • winbuild: convert the instruction text to README.md

New in cURL 7.72.0 (Aug 20, 2020)

  • Changes:
  • content_encoding: add zstd decoding support
  • CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
  • CURLINFO_EFFECTIVE_METHOD: added
  • Bugfixes:
  • CVE-2020-8231: libcurl: wrong connect-only connection
  • appveyor: collect libcurl.dll variants with prefix or suffix
  • asyn-ares: correct some bad comments
  • bearssl: fix build with disabled proxy support
  • buildconf: avoid array concatenation in die()
  • buildconf: retire ares buildconf invocation
  • checksrc: ban gmtime/localtime
  • checksrc: invoke script with -D to find .checksrc proper
  • CI/azure: install libssh2 for use with msys2-based builds
  • CI/azure: unconditionally enable warnings-as-errors with autotools
  • CI/macos: enable warnings as errors for CMake builds
  • CI/macos: set minimum macOS version
  • CI/macos: unconditionally enable warnings-as-errors with autotools
  • CI: Add muse CI analyzer
  • cirrus-ci: upgrade 11-STABLE to 11.4
  • CMake: don't complain about missing nroff
  • CMake: fix test for warning suppressions
  • cmake: fix windows xp build
  • configure.ac: Sort features name in summary
  • configure: allow disabling warnings
  • configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
  • configure: show zstd "no" in summary when built without it
  • connect: remove redundant message about connect failure
  • curl-config: ignore REQUIRE_LIB_DEPS in --libs output
  • curl.1: add a few missing valid exit codes
  • curl: add %{method} to the -w variables
  • curl: improve the existing file check with -J
  • curl_multi_setopt: fix compiler warning "result is always false"
  • curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
  • CURLINFO_CERTINFO.3: fix typo
  • CURLOPT_NOBODY.3: clarify what setting to 0 means
  • docs: add date of 7.20 to CURLM_CALL_MULTI_PERFORM mentions
  • docs: Add video link to docs/CONTRIBUTE.md
  • docs: change "web site" to "website"
  • docs: clarify MAX_SEND/RECV_SPEED functionality
  • docs: Update a few leftover mentions of DarwinSSL
  • doh: remove redundant cast
  • file2memory: use a define instead of -1 unsigned value
  • ftp: don't do ssl_shutdown instead of ssl_close
  • ftpserver: don't verify SMTP MAIL FROM names
  • getinfo: reset retry-after value in initinfo
  • gnutls: repair the build with `CURL_DISABLE_PROXY`
  • gtls: survive not being able to get name/issuer
  • h2: repair trailer handling
  • http2: close the http2 connection when no more requests may be sent
  • http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
  • libssh2: s/ssherr/sftperr/
  • libtest/Makefile.am: add -no-undefined for libstubgss for Cygwin
  • md(4|5): don't use deprecated macOS functions
  • mprintf: Fix dollar string handling
  • mprintf: Fix stack overflows
  • multi: Condition 'extrawait' is always true
  • multi: Remove 10-year old out-commented code
  • multi: remove two checks always true
  • multi: update comment to say easyp list is linear
  • multi_remove_handle: close unused connect-only connections
  • ngtcp2: adapt to error code rename
  • ngtcp2: adjust to recent sockaddr updates
  • ngtcp2: update to modified qlog callback prototype
  • nss: fix build with disabled proxy support
  • ntlm: free target_info before (re-)malloc
  • openssl: fix build with LibreSSL < 2.9.1
  • page-header: provide protocol details in the curl.1 man page
  • quiche: handle calling disconnect twice
  • runtests.pl: treat LibreSSL and BoringSSL as OpenSSL
  • runtests: move the gnutls-serv tests to a dynamic port
  • runtests: move the smbserver to use a dynamic port number
  • runtests: move the TELNET server to a dynamic port
  • runtests: run the DICT server on a random port number
  • runtests: run the http2 tests on a random port number
  • runtests: support dynamicly base64 encoded sections in tests
  • setopt: unset NOBODY switches to GET if still HEAD
  • smtp_parse_address: handle blank input string properly
  • socks: use size_t for size variable
  • strdup: remove the odd strlen check
  • test1119: verify stdout in the test
  • test1139: make it display the difference on test failures
  • test1140: compare stdout
  • test1908: treat file as text
  • tests/FILEFORMAT.md: mention %HTTP2PORT
  • tests/sshserver.pl: fix compatibility with OpenSSH for Windows
  • TLS naming: fix more Winssl and Darwinssl leftovers
  • tls-max.d: this option is only for TLS-using connections
  • tlsv1.3.d. only for TLS-using connections
  • tool_doswin: Simplify Windows version detection
  • tool_getparam: make --krb option work again
  • TrackMemory tests: ignore realloc and free in getenv.c
  • transfer: fix data_pending for builds with both h2 and h3 enabled
  • transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
  • transfer: move retrycount from connect struct to easy handle
  • travis/script.sh: fix use of `-n' with unquoted envvar
  • travis: add ppc64le and s390x builds
  • travis: update quiche builds for new boringssl layout
  • url: fix CURLU and location following
  • url: silence MSVC warning
  • util: silence conversion warnings
  • win32: Add Curl_verify_windows_version() to curlx
  • WIN32: stop forcing narrow-character API
  • windows: add unicode to feature list
  • windows: disable Unix Sockets for old mingw

New in cURL 7.71.1 (Jul 1, 2020)

  • Bugfixes:
  • cirrus-ci: disable FreeBSD 13 (again)
  • Curl_inet_ntop: always check the return code
  • CURLOPT_READFUNCTION.3: provide the upload data size up front
  • DYNBUF.md: fix a typo: trail => tail
  • escape: make the URL decode able to reject only -bytes
  • escape: zero length input should return a zero length output
  • examples/multithread.c: call curl_global_cleanup()
  • http2: set the correct URL in pushed transfers
  • http: fix proxy auth with blank password
  • mbedtls: fix build with disabled proxy support
  • ngtcp2: sync with current master
  • openssl: Fix compilation on Windows when ngtcp2 is enabled
  • Revert "multi: implement wait using winsock events"
  • sendf: improve the message on client write errors
  • terminology: call them null-terminated strings
  • tool_cb_hdr: Fix etag warning output and return code
  • url: allow user + password to contain "control codes" for HTTP(S)
  • vtls: compare cert blob when finding a connection to reuse

New in cURL 7.71.0 (Jun 25, 2020)

  • Changes:
  • CURLOPT_SSL_OPTIONS: optional use of Windows' CA store (with openssl)
  • setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
  • setopt: support certificate options in memory with struct curl_blob
  • tool: Add option --retry-all-errors to retry on any error
  • Bugfixes:
  • *_sspi: fix bad uses of CURLE_NOT_BUILT_IN
  • all: fix codespell errors
  • altsvc: bump to h3-29
  • altsvc: fix 'dsthost' may be used uninitialized in this function
  • altsvc: fix parser for lines ending with CRLF
  • altsvc: remove the num field from the altsvc struct
  • appveyor: add non-debug plain autotools-based build
  • appveyor: disable flaky test 1501 and ignore broken 1056
  • appveyor: disable test 1139 instead of ignoring it
  • asyn-*: remove support for never-used NULL entry pointers
  • azure: use matrix strategy to avoid configuration redundancy
  • build: disable more code/data when built without proxy support
  • buildconf: remove -print from the find command that removes files
  • checksrc: enhance the ASTERISKSPACE and update code accordingly
  • CI/macos: fix 'is already installed' errors by using bundle
  • cirrus: disable SFTP and SCP tests
  • CMake: add ENABLE_ALT_SVC option
  • CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
  • CMake: add libssh build support
  • CMake: do not build test programs by default
  • CMake: fix runtests.pl with CMake, add new test targets
  • CMake: ignore INTERFACE_LIBRARY targets for pkg-config file
  • CMake: rebuild Makefile.inc.cmake when Makefile.inc changes
  • CODE_REVIEW.md: how to do code reviews in curl
  • configure: fix pthread check with static boringssl
  • configure: for wolfSSL, check for the DES func needed for NTLM
  • configure: only strip first -L from LDFLAGS
  • configure: repair the check if argv can be written to
  • configure: the wolfssh backend does not provide SCP
  • connect: improve happy eyeballs handling
  • connect: make happy eyeballs work for QUIC (again)
  • curl.1: Quote globbed URLs
  • curl: remove -J "informational" written on stdout
  • Curl_addrinfo: use one malloc instead of three
  • CURLINFO_ACTIVESOCKET.3: clarify the description
  • doc: add missing closing parenthesis in CURLINFO_SSL_VERIFYRESULT.3
  • doc: Rename VERSIONS to VERSIONS.md as it already has Markdown syntax
  • docs/HTTP3: add qlog to the quiche build instruction
  • docs/options-in-versions: which version added each cmdline option
  • docs: unify protocol lists
  • dynbuf: introduce internal generic dynamic buffer functions
  • easy: fix dangling pointer on easy_perform fail
  • examples/ephiperfifo: turn off interval when setting timerfd
  • examples/http2-down/upload: add error checks
  • examples: remove asiohiper.cpp
  • FILEFORMAT: add more features that tests can depend on
  • FILEFORMAT: describe verify/stderr
  • ftp: make domore_getsock() return the secondary socket properly
  • ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
  • ftp: shut down the secondary connection properly when SSL is used
  • GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
  • hostip: make Curl_printable_address not return anything
  • hostip: on macOS avoid DoH when given a numerical IP address
  • http2: keep trying to send pending frames after req.upload_done
  • http2: simplify and clean up trailer handling
  • HTTP3.md: clarify cargo build directory
  • http: move header storage to Curl_easy from connectdata
  • libcurl.pc: Merge Libs.private into Libs for static-only builds
  • libssh2: improved error output for wrong quote syntax
  • libssh2: keep sftp errors as 'unsigned long'
  • libssh2: set the expected total size in SCP upload init
  • libtest/cmake: Remove commented code
  • list-only.d: this option existed already in 4.0
  • manpage: add three missing environment variables
  • multi: add defensive check on data->multi->num_alive
  • multi: implement wait using winsock events
  • ngtcp2: cleanup memory when failing to connect
  • ngtcp2: fix build with current ngtcp2 master implementing draft 28
  • ngtcp2: fix happy eyeballs quic connect crash
  • ngtcp2: introduce qlog support
  • ngtcp2: never call fprintf() in lib code in release version
  • ngtcp2: update with recent API changes
  • ntlm: enable NTLM support with wolfSSL
  • OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
  • openssl: set FLAG_TRUSTED_FIRST unconditionally
  • projects: Add crypt32.lib to dependencies for all OpenSSL configs
  • quiche: clean up memory properly when failing to connect
  • quiche: enable qlog output
  • quiche: update SSLKEYLOGFILE support
  • Revert "buildconf: use find -execdir"
  • Revert "ssh: ignore timeouts during disconnect"
  • runtests: remove sleep calls
  • runtests: show elapsed test time with higher precision (ms)
  • select: always use Sleep in Curl_wait_ms on Win32
  • select: fix overflow protection in Curl_socket_check
  • sendf: make failf() use the mvsnprintf() return code
  • server/sws: fix asan warning on use of uninitialized variable
  • server/util: fix logmsg format using curl_off_t argument
  • sha256: fixed potentially uninitialized variable
  • share: don not set the share flag it something fails
  • sockfilt: make select_ws stop waiting on exit signal event
  • socks: detect connection close during handshake
  • socks: fix expected length of SOCKS5 reply
  • socks: remove unreachable breaks in socks.c and mime.c
  • source cleanup: remove all custom typedef structs
  • test1167: fixes in badsymbols.pl
  • test1177: look for curl.h in source directory
  • test1238: avoid tftpd being busy for tests shortly following
  • test613.pl: make tests 613 and 614 work with OpenSSH for Windows
  • test75: Remove precheck test
  • tests: add https-proxy support to the test suite
  • tests: add support for SSH server variant specific transfer paths
  • tests: add two simple tests for --login-options
  • tests: make test 1248 + 1249 use %NOLISTENPORT
  • tests: pick a random port number for SSH
  • tests: run stunnel for HTTPS and FTPS on dynamic ports
  • timeouts: change millisecond timeouts to timediff_t from time_t
  • timeouts: move ms timeouts to timediff_t from int and long
  • tool: fixup a few --help descriptions
  • tool: support UTF-16 command line on Windows
  • tool_cfgable: free login_options at exit
  • tool_getparam: -i is not OK if -J is used
  • tool_getparam: fix memory leak in parse_args
  • tool_operate: fixed potentially uninitialized variables
  • tool_paramhlp: fixed potentially uninitialized strtol() variable
  • transfer: close connection after excess data has been read
  • travis: add "qlog" as feature in the quiche build
  • travis: Add ngtcp2 and quiche tests for CMake
  • travis: upgrade to bionic, clang-9, improve readability
  • typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
  • unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
  • url: accept "any length" credentials for proxy auth
  • url: alloc the download buffer at transfer start
  • url: make the updated credentials URL-encoded in the URL
  • url: reject too long input when parsing credentials
  • url: sort the protocol schemes in rough popularity order
  • urlapi: accept :: as a valid IPv6 address
  • urldata: leave the HTTP method untouched in the set.* struct
  • urlglob: treat literal IPv6 addresses with zone IDs as a host name
  • user-agent.d: spell out what happens given a blank argument
  • vauth/cleartext: fix theoretical integer overflow
  • version.d: expanded and alpha-sorted
  • vtls: Extract and simplify key log file handling from OpenSSL
  • wolfssl: add SSLKEYLOGFILE support
  • wording: avoid blacklist/whitelist stereotypes
  • write-out.d: added "response_code"

New in cURL 7.70.0 (Apr 29, 2020)

  • Changes:
  • curl: add --ssl-revoke-best-effort to allow a "best effort" revocation check
  • mqtt: add new experimental protocol
  • schannel: add "best effort" revocation check option: CURLSSLOPT_REVOKE_BEST_EFFORT
  • writeout: support to generate JSON output with '%{json}'
  • Bugfixes:
  • appveyor: add Unicode winbuild jobs
  • appveyor: completely disable tests that fail to timeout early
  • appveyor: show failed tests in log even if test is ignored
  • appveyor: sort builds by type and add two new variants
  • appveyor: turn disabled tests into ignored result tests
  • appveyor: use random test server ports based upon APPVEYOR_API_URL
  • build: fixed build for systems with select() in unistd.h
  • buildconf: avoid using tempfile when removing files
  • checksrc: warn on obvious conditional blocks on the same line as if()
  • CI-fuzz: increase fuzz time to 40 minutes
  • ci/tests: fix Azure Pipelines not running Windows containers
  • CI: add build with ngtcp2 + gnutls on Travis CI
  • CI: bring GitHub Actions fuzzing job in line with macOS jobs
  • CI: migrate macOS jobs from Azure and Travis CI to GitHub Actions
  • CI: remove default Ubuntu build from GitHub Actions
  • cirrus: no longer ignore test 504 which is working again
  • cirrus: re-enable the FreeBSD 13 CI builds
  • cleanup: insert newline after if() conditions
  • cmake: add aliases so exported target names are available in tree
  • cmake: add CMAKE_MSVC_RUNTIME_LIBRARY
  • cmake: add support for building with wolfSSL
  • cmake: Avoid MSVC C4273 warnings in send/recv checks
  • cmdline: fix handling of OperationConfig linked list (--next)
  • compressed.d: stress that the headers are not modified
  • config: remove all defines of HAVE_DES_H
  • configure: convert -I to -isystem as a last step
  • configure: document 'compiler_num' for gcc
  • configure: don't check for Security.framework when cross-compiling
  • configure: fix -pedantic-errors for GCC 5 and later
  • configure: remove use of -vec-report0 from CFLAGS with icc
  • connect: happy eyeballs cleanup
  • connect: store connection info for QUIC connections
  • copyright: fix out-of-date copyright ranges and missing headers
  • curl-functions.m4: remove inappropriate AC_REQUIRE
  • curl.h: remnove CURL_VERSION_ESNI. Never supported nor documented
  • curl.h: update comment typo
  • curl: allow both --etag-compare and --etag-save with same file name
  • curl_setup: define _WIN32_WINNT_[OS] symbols
  • CURLINFO_CONDITION_UNMET: return true for 304 http status code
  • CURLINFO_NUM_CONNECTS: improve accuracy
  • CURLOPT_WRITEFUNCTION.3: add inline example and new see-also
  • dist: add mail-rcpt-allowfails.d to the tarball
  • docs/make: generate curl.1 from listed files only
  • docs: add warnings about FILE: URLs on Windows
  • easy: fix curl_easy_duphandle for builds missing IPv6 that use c-ares
  • examples/sessioninfo.c: add include to fix compiler warning
  • github actions: run when pushed to master or */ci + PRs
  • gnutls: bump lowest supported version to 3.1.10
  • gnutls: Don't skip really long certificate fields
  • gnutls: ensure TLS 1.3 when SRP isn't requested
  • gopher: check remaining time left during write busy loop
  • gskit: use our internal select wrapper for portability
  • http2: Fix erroneous debug message that h2 connection closed
  • http: don't consider upload done if the request isn't completely sent off
  • http: free memory when Alt-Used header creation fails due to OOM
  • lib/mk-ca-bundle: skip empty certs
  • lib670: use the same Win32 API check as all other lib tests
  • lib: fix typos in comments and errormessages
  • lib: never define CURL_CA_BUNDLE with a getenv
  • libcurl-multi.3: added missing full stop
  • libssh: avoid options override by configuration files
  • libssh: Use new ECDSA key types to check known hosts
  • mailmap: fixup a few author names/fields
  • Makefile.m32: Improve windres parameter compatibility
  • Makefile: run the cd commands in a subshell
  • memdebug: don't log free(NULL)
  • mime: properly check Content-Type even if it has parameters
  • multi-ssl: reset the SSL backend on `Curl_global_cleanup()`
  • multi: improve parameter check for curl_multi_remove_handle
  • nghttp2: 1.12.0 required
  • ngtcp2: update to git master for the key installation API change
  • nss: check for PK11_CreateDigestContext() returning NULL
  • openssl: adapt to functions marked as deprecated since version 3
  • OS400: update strings for ccsid-ifier (fixes the build)
  • output.d: quote the URL when globbing
  • packages: add OS400/chkstrings.c to the dist
  • RELEASE-PROCEDURE.md: run the copyright.pl script!
  • Revert "file: on Windows, refuse paths that start with \"
  • runtests: always put test number in servercmd file
  • runtests: provide nicer errormsg when protocol "dump" file is empty
  • schannel: Fix blocking timeout logic
  • schannel: support .P12 or .PFX client certificates
  • scripts/release-notes.pl: add helper script for RELEASE-NOTES maintenance
  • select: make Curl_socket_check take timediff_t timeout
  • select: move duplicate select preparation code into Curl_select
  • select: remove typecast from SOCKET_WRITABLE/READABLE macros
  • server/getpart: make the "XML-parser" stricter
  • server/resolve: remove AI_CANONNAME to make macos tell the truth
  • smtp: set auth correctly
  • sockfilt: add logmsg output to select_ws_wait_thread on Windows
  • sockfilt: fix broken pipe on Windows to be ready in select_ws
  • sockfilt: fix handling of ready closed sockets on Windows
  • sockfilt: fix race-condition of waiting threads and event handling
  • socks: Fix blocking timeout logic
  • src: Remove C99 constructs to ensure C89 compliance
  • SSLCERTS.md: Fix example code for setting CA cert file
  • test1148: tolerate progress updates better (again)
  • test1154: set a proper name
  • test1177: verify that all the CURL_VERSION_ bits are documented
  • test1566: verify --etag-compare that gets a 304 back
  • test1908: avoid using fixed port number in test data
  • test2043: use revoked.badssl.com instead of revoked.grc.com
  • test2100: fix static port instead of dynamic value being used
  • tests/data: fix some XML formatting issues in test cases
  • tests/FILEFORMAT: converted to markdown and extended
  • tests/server/util.c: use curl_off_t instead of long for pid
  • tests: add %NOLISTENPORT and use it
  • tests: add Windows compatible pidwait like pidkill and pidterm
  • tests: fix conflict between Cygwin/msys and Windows PIDs
  • tests: introduce preprocessed test cases
  • tests: make Python-based servers compatible with Python 2 and 3
  • tests: make runtests check that disabled tests exists
  • tests: move pingpong server to dynamic listening port
  • tests: remove python_dependencies for smbserver from our tree
  • tests: run the RTSP test server on a dynamic port number
  • tests: run the SOCKS test server on a dynamic port number
  • tests: run the sws server on "any port"
  • tests: run the TFTP test server on a dynamic port number
  • tests: use Cygwin/msys PIDs for stunnel and sshd on Windows
  • tls: remove the BACKEND define kludge from most backends
  • tool: do not declare functions with Curl_ prefix
  • tool_operate: fix add_parallel_transfers when more are in queue
  • transfer: cap retries of "dead connections" to 5
  • transfer: Switch PUT to GET/HEAD on 303 redirect
  • travis: bump the wolfssl CI build to use 4.4.0
  • travis: update the ngtcp2 build to use the latest OpenSSL patch
  • url: allow non-HTTPS altsvc-matching for debug builds
  • version: add 'cainfo' and 'capath' to version info struct
  • version: increase buffer space for ssl version output
  • version: skip idn2_check_version() check and add precaution
  • vquic: add support for GnuTLS backend of ngtcp2
  • vtls: fix ssl_config memory-leak on out-of-memory
  • warnless: remove code block for icc that didn't work
  • windows: enable UnixSockets with all build toolchains
  • windows: suppress UI in all CryptAcquireContext() calls

New in cURL 7.69.1 (Mar 12, 2020)

  • Bugfixes:
  • ares: store dns parameters for duphandle
  • cirrus-ci: disable the FreeBSD 13 builds
  • curl_share_setopt.3: Note sharing cookies doesn't enable the engine
  • lib1564: reduce number of mid-wait wakeup calls
  • libssh: Fix matching user-specified MD5 hex key
  • MANUAL: update a dict-using command line
  • mime: do not perform more than one read in a row
  • mime: fix the binary encoder to handle large data properly
  • mime: latch last read callback status
  • multi: skip EINTR check on wakeup socket if it was closed
  • pause: bail out on bad input
  • pause: force a connection recheck after unpausing (take 2)
  • pause: return early for calls that don't change pause state
  • runtests.1: rephrase how to specify what tests to run
  • runtests: fix missing use of exe_ext helper function
  • seek: fix fall back for missing ftruncate on Windows
  • sftp: fix segfault regression introduced by #4747 in 7.69.0
  • sha256: Added SecureTransport implementation
  • sha256: Added WinCrypt implementation
  • socks4: fix host resolve regression
  • socks5: host name resolv regression fix
  • tests/server: fix missing use of exe_ext helper function
  • tests: fix static ip:port instead of dynamic values being used
  • tests: make sleeping portable by avoiding select
  • unit1612: fix the inclusion and compilation of the HMAC unit test
  • urldata: remove the 'stream_was_rewound' connectdata struct member
  • version: make curl_version* thread-safe without using global context

New in cURL 7.69.0 (Mar 5, 2020)

  • Changes:
  • polarssl: removed
  • smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
  • wolfSSH: new SSH backend
  • Bugfixes:
  • altsvc: improved header parser
  • altsvc: keep a copy of the file name to survive handle reset
  • altsvc: make saving the cache an atomic operation
  • altsvc: use h3-27
  • azure: disable brotli on the macos debug-builds
  • build: remove all HAVE_OPENSSL_ENGINE_H defines
  • checksrc.bat: Fix not being able to run script from the main curl dir
  • cleanup: fix several comment typos
  • cleanup: fix typos and wording in docs and comments
  • cmake: add support for CMAKE_LTO option
  • cmake: clean up and improve build procedures
  • cmake: enable SMB for Windows builds
  • cmake: improve libssh2 check on Windows
  • cmake: Show HTTPS-proxy in the features output
  • cmake: support specifying the target Windows version
  • cmake: use check_symbol_exists also for inet_pton
  • configure.ac: fix comments about --with-quiche
  • configure: disable metalink if mbedTLS is specified
  • configure: disable metalink support for incompatible SSL/TLS
  • conn: do not reuse connection if SOCKS proxy credentials differ
  • conncache: removed unused Curl_conncache_bundle_size()
  • connect: remove some spurious infof() calls
  • connection reuse: respect the max_concurrent_streams limits
  • contributors: also include people who contributed to curl-www
  • contrithanks: use the most recent tag by default
  • cookie: check __Secure- and __Host- case sensitively
  • cookies: make saving atomic with a rename
  • create-dirs.d: mention the mode
  • curl: avoid using strlen for testing if a string is empty
  • curl: error on --alt-svc use w/o support
  • curl: let -D merge headers in one file again
  • curl: make #0 not output the full URL
  • curl: make the -# spaceship bar not wrap the line
  • curl: remove 'config' field from OutStruct
  • curl:progressbarinit: ignore column width from terminals < 20
  • curl_escape.3: add a link to curl_free
  • curl_getenv.3: fix the memory handling description
  • curl_global_init: assume the EINTR bit by default
  • curl_global_init: move the IPv6 works status bool to multi handle
  • CURLINFO_COOKIELIST.3: Fix example
  • CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
  • CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
  • CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
  • data.d: remove "Multiple files can also be specified"
  • digest: do not quote algorithm in HTTP authorisation
  • docs/HTTP3: add --enable-alt-svc to curl's configure
  • docs/HTTP3: update the OpenSSL branch to use for ngtcp2
  • docs: fix typo on CURLINFO_RETRY_AFTER
  • easy: remove dead code
  • form.d: fix two minor typos
  • ftp: convert 'sock_accepted' to a plain boolean
  • ftp: remove superfluous checking for crlf in user or pwd
  • ftp: shrink temp buffers used for PORT
  • github action: add CIFuzz
  • github: Instructions to post "uname -a" on Unix systems in issues
  • GnuTLS: always send client cert
  • gtls: fixed compilation when using GnuTLS < 3.5.0
  • hostip: move code to resolve IP address literals to `Curl_resolv`
  • HTTP-COOKIES: describe the cookie file format
  • HTTP-COOKIES: mention that a trailing newline is required
  • http2: make pausing/unpausing set/clear local stream window
  • http2: now requires nghttp2 >= 1.12.0
  • http: added 417 response treatment
  • http: increase EXPECT_100_THRESHOLD to 1Mb
  • http: mark POSTs with no body as "upload done" from the start
  • http: move "oauth_bearer" from connectdata to Curl_easy
  • include: remove non-curl prefixed defines
  • KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
  • libssh2: add support for forcing a hostkey type
  • libssh2: fix variable type
  • libssh: improve known hosts handling
  • llist: removed unused Curl_llist_move()
  • location.d: the method change is from POST to GET only
  • md4: fixed compilation issues when using GNU TLS gcrypt
  • md4: use init/update/final functions in Secure Transport
  • md5: added implementation for mbedTLS
  • mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
  • multi: change curl_multi_wait/poll to error on negative timeout
  • multi: fix outdated comment
  • multi: if Curl_readwrite sets 'comeback' use expire, not loop
  • multi_done: if multiplexed, make conn->data point to another transfer
  • multi_wait: stop loop when sread() returns zero
  • ngtcp2: add error code for QUIC connection errors
  • ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
  • ngtcp2: update to git master and its draft-25 support
  • ntlm: move the winbind data into the NTLM data structure
  • ntlm: pass the Curl_easy structure to the private winbind functions
  • ntlm: removed the dependency on the TLS libaries when using MD5
  • ntlm_wb: use Curl_socketpair() for greater portability
  • oauth2-bearer.d: works for HTTP too
  • openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
  • openssl: remove redundant assignment
  • os400: fixed the build
  • pause: force-drain the transfer on unpause
  • quiche: update to draft-25
  • README: mention that the docs is in docs/
  • RELEASE-PROCEDURE: feature win is closed post-release a few days
  • runtests: make random seed fixed for a month
  • runtests: restore the command log
  • schannel: make CURLOPT_CAINFO work better on Windows 7
  • schannel_verify: Fix alt names manual verify for UNICODE builds
  • sha256: use crypto implementations when available
  • singleuse.pl: support new API functions, fix curl_dbg_ handling
  • smtp: support the SMTPUTF8 extension
  • smtp: support UTF-8 based host names in MAIL FROM
  • SOCKS: make the connect phase non-blocking
  • strcase: turn Curl_raw_tolower into static
  • strerror: increase STRERROR_LEN 128 -> 256
  • test1323: added missing 'unit test' feature requirement
  • tests: add a unit test for MD4 digest generation
  • tests: add a unit test for SHA256 digest generation
  • tests: add a unit test for the HMAC hash generation
  • tests: deduce the tool name from the test case for unit tests
  • tests: fix Python 3 compatibility of smbserver.py
  • tool_dirhie: allow directory traversal during creation
  • tool_homedir: change GetEnv() to use libcurl's curl_getenv()
  • tool_util: improve Windows version of tvnow()
  • travis: update non-OpenSSL Linux jobs to Bionic
  • url: include the failure reason when curl_win32_idn_to_ascii() fails
  • urlapi: guess scheme properly with credentials given
  • urldata: do string enums without #ifdefs for build scripts
  • vtls: refactor Curl_multissl_version to make the code clearer
  • win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256

New in cURL 7.68.0 (Jan 8, 2020)

  • Changes:
  • TLS: add BearSSL vtls implementation
  • XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
  • curl: add --etag-compare and --etag-save
  • curl: add --parallel-immediate
  • multi: add curl_multi_wakeup()
  • openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
  • Bugfixes:
  • CVE-2019-15601: file: on Windows, refuse paths that start with \
  • Azure Pipelines: add several builds
  • CMake: add support for building with the NSS vtls backend
  • CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
  • CURLOPT_HEADERFUNCTION.3: Document that size is always 1
  • CURLOPT_QUOTE.3: fix typos
  • CURLOPT_READFUNCTION.3: fix the example
  • CURLOPT_URL.3: "curl supports SMB version 1 (only)"
  • CURLOPT_VERBOSE.3: see also ERRORBUFFER
  • HISTORY: added cmake, HTTP/3 and parallel downloads with curl
  • HISTORY: the SMB(S) support landed in 2014
  • INSTALL.md: provide Android build instructions
  • KNOWN_BUGS: Connection information when using TCP Fast Open
  • KNOWN_BUGS: LDAP on Windows doesn't work correctly
  • KNOWN_BUGS: TLS session cache doesn't work with TFO
  • OPENSOCKETFUNCTION.3: correct the purpose description
  • TrackMemory tests: always remove CR before LF
  • altsvc: bump to h3-24
  • altsvc: make the save function ignore NULL filenames
  • build: Disable Visual Studio warning "conditional expression is constant"
  • build: fix for CURL_DISABLE_DOH
  • checksrc.bat: Add a check for vquic and vssh directories
  • checksrc: repair the copyrightyear check
  • cirrus-ci: enable clang sanitizers on freebsd 13
  • cirrus: Drop the FreeBSD 10.4 build
  • config-win32: cpu-machine-OS for Windows on ARM
  • configure: avoid unportable `==' test(1) operator
  • configure: enable IPv6 support without `getaddrinfo`
  • configure: fix typo in help text
  • conncache: CONNECT_ONLY connections assumed always in-use
  • conncache: fix multi-thread use of shared connection cache
  • copyrights: fix copyright year range
  • create_conn: prefer multiplexing to using new connections
  • curl -w: handle a blank input file correctly
  • curl.h: add two missing defines for "pre ISO C" compilers
  • curl/parseconfig: fix mem-leak
  • curl/parseconfig: use curl_free() to free memory allocated by libcurl
  • curl: cleanup multi handle on failure
  • curl: fix --upload-file . hangs if delay in STDIN
  • curl: fix -T globbing
  • curl: improved cleanup in upload error path
  • curl: make a few char pointers point to const char instead
  • curl: properly free mimepost data
  • curl: show better error message when no homedir is found
  • curl: show error for --http3 if libcurl lacks support
  • curl_setup_once: consistently use WHILE_FALSE in macros
  • define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
  • docs: Change 'experiemental' to 'experimental'
  • docs: TLS SRP doesn't work with TLS 1.3
  • docs: fix several typos
  • docs: mention CURL_MAX_INPUT_LENGTH restrictions
  • doh: improved both encoding and decoding
  • doh: make it behave when built without proxy support
  • examples/postinmemory.c: Call curl_global_cleanup always
  • examples/url2file.c: corrected erroneous comment
  • examples: add multi-poll.c
  • global_init: undo the "intialized" bump in case of failure
  • hostip: suppress compiler warning
  • http_ntlm: Remove duplicate NSS initialisation
  • lib: Move lib/ssh.h -> lib/vssh/ssh.h
  • lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
  • lib: fix warnings found when porting to NuttX
  • lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
  • lib: remove erroneous +x file permission on some c files
  • libssh2: add support for ECDSA and ed25519 knownhost keys
  • multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
  • multi: free sockhash on OOM
  • multi_poll: avoid busy-loop when called without easy handles attached
  • ngtcp2: Support the latest update key callback type
  • ngtcp2: fix thread-safety bug in error-handling
  • ngtcp2: free used resources on disconnect
  • ngtcp2: handle key updates as ngtcp2 master branch tells us
  • ngtcp2: increase QUIC window size when data is consumed
  • ngtcp2: use overflow buffer for extra HTTP/3 data
  • ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
  • ntlm_wb: fix double-free in OOM
  • openssl: Revert to less sensitivity for SYSCALL errors
  • openssl: improve error message for SYSCALL during connect
  • openssl: prevent recursive function calls from ctx callbacks
  • openssl: retrieve reported LibreSSL version at runtime
  • openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
  • parsedate: offer a getdate_capped() alternative
  • pause: avoid updating socket if done was already called
  • projects: Fix Visual Studio projects SSH builds
  • projects: Fix Visual Studio wolfSSL configurations
  • quiche: reject HTTP/3 headers in the wrong order
  • remove_handle: clear expire timers after multi_done()
  • runtests: --repeat=[num] to repeat tests
  • runtests: introduce --shallow to reduce huge torture tests
  • schannel: fix --tls-max for when min is --tlsv1 or default
  • setopt: Fix ALPN / NPN user option when built without HTTP2
  • strerror: Add Curl_winapi_strerror for Win API specific errors
  • strerror: Fix an error looking up some Windows error strings
  • strerror: Fix compiler warning "empty expression"
  • system.h: fix for MCST lcc compiler
  • test/sws: search for "Testno:" header unconditionally if no testno
  • test1175: verify symbols-in-versions and libcurl-errors.3 in sync
  • test1270: a basic -w redirect_url test
  • test1456: remove the use of a fixed local port number
  • test1558: use double slash after file:
  • test1560: require IPv6 for IPv6 aware URL parsing
  • tests/lib1557: fix mem-leak in OOM
  • tests/lib1559: fix mem-leak in OOM
  • tests/lib1591: free memory properly on OOM, in the trailers callback
  • tests/unit1607: fix mem-leak in OOM
  • tests/unit1609: fix mem-leak in OOM
  • tests/unit1620: fix bad free in OOM
  • tests: Change NTLM tests to require SSL
  • tests: Fix bounce requests with truncated writes
  • tests: fix build with `CURL_DISABLE_DOH`
  • tests: fix permissions of ssh keys in WSL
  • tests: make it possible to set executable extensions
  • tests: make sure checksrc runs on header files too
  • tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
  • tests: use DoH feature for DoH tests
  • tests: use rn for log messages in WSL
  • tool_operate: fix mem leak when failed config parse
  • travis: Fix error detection
  • travis: abandon coveralls, it is not reliable
  • travis: build ngtcp2 with --enable-lib-only
  • travis: export the CC/CXX variables when set
  • vtls: make BearSSL possible to set with CURL_SSL_BACKEND
  • winbuild: Define CARES_STATICLIB when WITH_CARES=static
  • winbuild: Document CURL_STATICLIB requirement for static libcurl

New in cURL 7.67.0 (Nov 6, 2019)

  • Changes:
  • curl: added --no-progress-meter
  • setopt: CURLMOPT_MAX_CONCURRENT_STREAMS is new
  • urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
  • Bugfixes:
  • BINDINGS: five new bindings addded
  • CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
  • CURLOPT_TIMEOUT.3: remove the mention of "minutes"
  • ESNI: initial build/setup support
  • FTP: FTPFILE_NOCWD: avoid redundant CWDs
  • FTP: allow "rubbish" prepended to the SIZE response
  • FTP: remove trailing slash from path for LIST/MLSD
  • FTP: skip CWD to entry dir when target is absolute
  • FTP: url-decode path before evaluation
  • HTTP3.md: move -p for mkdir, remove -j for make
  • HTTP3: fix invalid use of sendto for connected UDP socket
  • HTTP3: fix ngtcp2 Windows build
  • HTTP3: fix prefix parameter for ngtcp2 build
  • HTTP3: fix typo somehere1 > somewhere1
  • HTTP3: show an --alt-svc using example too
  • INSTALL: add missing space for configure commands
  • INSTALL: add vcpkg installation instructions
  • README: minor grammar fix
  • altsvc: accept quoted ma and persist values
  • altsvc: both backends run h3-23 now
  • appveyor: Add MSVC ARM64 build
  • appveyor: Use two parallel compilation on appveyor with CMake
  • appveyor: add --disable-proxy autotools build
  • appveyor: add 32-bit MinGW-w64 build
  • appveyor: add a winbuild
  • appveyor: add a winbuild that uses VS2017
  • appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
  • appveyor: publish artifacts on appveyor
  • appveyor: upgrade VS2017 to VS2019
  • asyn-thread: make use of Curl_socketpair() where available
  • asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
  • build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
  • checksrc: fix uninitialized variable warning
  • chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
  • cirrus: Increase the git clone depth
  • cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build
  • cirrus: switch off blackhole status on the freebsd CI machines
  • cleanups: 21 various PVS-Studio warnings
  • configure: only say ipv6 enabled when the variable is set
  • configure: remove all cyassl references
  • conn-reuse: requests wanting NTLM can reuse non-NTLM connections
  • connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
  • connect: silence sign-compare warning
  • cookie: avoid harmless use after free
  • cookie: pass in the correct cookie amount to qsort()
  • cookies: change argument type for Curl_flush_cookies
  • cookies: using a share with cookies shouldn't enable the cookie engine
  • copyrights: update copyright notices to 2019
  • curl: create easy handles on-demand and not ahead of time
  • curl: ensure HTTP 429 triggers --retry
  • curl: exit the create_transfers loop on errors
  • curl: fix memory leaked by parse_metalink()
  • curl: load large files with -d @ much faster
  • docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
  • docs: added multi-event.c example
  • docs: disambiguate CURLUPART_HOST is for host name (ie no port)
  • docs: note on failed handles not being counted by curl_multi_perform
  • doh: allow only http and https in debug mode
  • doh: avoid truncating DNS QTYPE to lower octet
  • doh: clean up dangling DOH memory on easy close
  • doh: fix (harmless) buffer overrun
  • doh: fix undefined behaviour and open up for gcc and clang optimization
  • doh: return early if there is no time left
  • examples/sslbackend: fix -Wchar-subscripts warning
  • examples: remove the "this exact code has not been verified"
  • git: add tests/server/disabled to .gitignore
  • gnutls: make gnutls_bye() not wait for response on shutdown
  • http2: expire a timeout at end of stream
  • http2: prevent dup'ed handles to send dummy PRIORITY frames
  • http2: relax verification of :authority in push promise requests
  • http2_recv: a closed stream trumps pause state
  • http: lowercase headernames for HTTP/2 and HTTP/3
  • ldap: Stop using wide char version of ldapp_err2string
  • ldap: fix OOM error on missing query string
  • mbedtls: add error message for cert validity starting in the future
  • mime: when disabled, avoid C99 macro
  • ngtcp2: adapt to API change
  • ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
  • ngtcp2: remove fprintf() calls
  • openssl: close_notify on the FTP data connection doesn't mean closure
  • openssl: fix compiler warning with LibreSSL
  • openssl: use strerror on SSL_ERROR_SYSCALL
  • os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr
  • parsedate: fix date parsing disabled builds
  • quiche: don't close connection at end of stream
  • quiche: persist connection details (fixes -I with --http3)
  • quiche: set 'drain' when returning without having drained the queues
  • quiche: update HTTP/3 config creation to new API
  • redirect: handle redirects to absolute URLs containing spaces
  • runtests: get textaware info from curl instead of perl
  • schannel: reverse the order of certinfo insertions
  • schannel_verify: Fix concurrent openings of CA file
  • security: silence conversion warning
  • setopt: handle ALTSVC set to NULL
  • setopt: make it easier to add new enum values
  • setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
  • smb: check for full size message before reading message details
  • smbserver: fix Python 3 compatibility
  • socks: Fix destination host shown on SOCKS5 error
  • test1162: disable MSYS2's POSIX path conversion
  • test1591: fix spelling of http feature
  • tests: add `connect to non-listen` keywords
  • tests: fix narrowing conversion warnings
  • tests: fix the test 3001 cert failures
  • tests: makes tests succeed when using --disable-proxy
  • tests: use %FILE_PWD for file:// URLs
  • tests: use port 2 instead of 60000 for a safer non-listening port
  • tool_operate: Fix retry sleep time shown to user when Retry-After
  • travis: Add an ARM64 build
  • url: Curl_free_request_state() should also free doh handles
  • url: don't set appconnect time for non-ssl/non-ssh connections
  • url: fix the NULL hostname compiler warning
  • url: normalize CURLINFO_EFFECTIVE_URL
  • url: only reuse TLS connections with matching pinning
  • urlapi: avoid index underflow for short ipv6 hostnames
  • urlapi: fix URL encoding when setting a full URL
  • urlapi: fix unused variable warning
  • urlapi: question mark within fragment is still fragment
  • urldata: use 'bool' for the bit type on MSVC compilers
  • vtls: Fix comment typo about macosx-version-min compiler flag
  • vtls: fix narrowing conversion warnings
  • winbuild/MakefileBuild.vc: Add vssh
  • winbuild/MakefileBuild.vc: Fix line endings
  • winbuild: Add manifest to curl.exe for proper OS version detection
  • winbuild: add ENABLE_UNICODE option

New in cURL 7.66.0 (Sep 11, 2019)

  • Changes:
  • CURLINFO_RETRY_AFTER: parse the Retry-After header value
  • HTTP3: initial (experimental still not working) support
  • curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
  • curl: support parallel transfers with -Z
  • curl_multi_poll: a sister to curl_multi_wait() that waits more
  • sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
  • Bugfixes:
  • CVE-2019-5481: FTP-KRB double-free
  • CVE-2019-5482: TFTP small blocksize heap buffer overflow
  • CI: remove duplicate configure flag for LGTM.com
  • CMake: remove needless newlines at end of gss variables
  • CMake: use platform dependent name for dlopen() library
  • CURLINFO docs: mention that in redirects times are added
  • CURLOPT_ALTSVC.3: use a "" file name to not load from a file
  • CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
  • CURLOPT_HEADERFUNCTION.3: clarify
  • CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
  • CURLOPT_READFUNCTION.3: provide inline example
  • CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
  • Curl_addr2string: take an addrlen argument too
  • Curl_fillreadbuffer: avoid double-free trailer buf on error
  • HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
  • alt-svc: add protocol version selection masking
  • alt-svc: fix removal of expired cache entry
  • alt-svc: make it use h3-22 with ngtcp2 as well
  • alt-svc: more liberal ALPN name parsing
  • alt-svc: send Alt-Used: in redirected requests
  • alt-svc: with quiche, use the quiche h3 alpn string
  • appveyor: pass on -k to make
  • asyn-thread: create a socketpair to wait on
  • build-openssl: fix build with Visual Studio 2019
  • cleanup: move functions out of url.c and make them static
  • cleanup: remove the 'numsocks' argument used in many places
  • configure: avoid undefined check_for_ca_bundle
  • curl.h: add CURL_HTTP_VERSION_3 to the version enum
  • curl.h: fix outdated comment
  • curl: cap the maximum allowed values for retry time arguments
  • curl: handle a libcurl build without netrc support
  • curl: make use of CURLINFO_RETRY_AFTER when retrying
  • curl: remove outdated comment
  • curl: use .curlrc (with a dot) on Windows
  • curl: use CURLINFO_PROTOCOL to check for HTTP(s)
  • curl_global_init_mem.3: mention it was added in 7.12.0
  • curl_version: bump string buffer size to 250
  • curl_version_info.3: mentioned ALTSVC and HTTP3
  • curl_version_info: offer quic (and h3) library info
  • curl_version_info: provide nghttp2 details
  • defines: avoid underscore-prefixed defines
  • docs/ALTSVC: remove what works and the experimental explanation
  • docs/EXPERIMENTAL: explain what it means and what's experimental now
  • docs/MANUAL.md: converted to markdown from plain text
  • docs/examples/curlx: fix errors
  • docs: s/curl_debug/curl_dbg_debug in comments and docs
  • easy: resize receive buffer on easy handle reset
  • examples: Avoid reserved names in hiperfifo examples
  • examples: add http3.c, altsvc.c and http3-present.c
  • getenv: support up to 4K environment variable contents on windows
  • http09: disable HTTP/0.9 by default in both tool and library
  • http2: when marked for closure and wanted to close == OK
  • http2_recv: trigger another read when the last data is returned
  • http: fix use of credentials from URL when using HTTP proxy
  • http_negotiate: improve handling of gss_init_sec_context() failures
  • md4: Use our own MD4 when no crypto libraries are available
  • multi: call detach_connection before Curl_disconnect
  • netrc: make the code try ".netrc" on Windows
  • nss: use TLSv1.3 as default if supported
  • openssl: build warning free with boringssl
  • openssl: use SSL_CTX_set__proto_version() when available
  • plan9: add support for running on Plan 9
  • progress: reset download/uploaded counter between transfers
  • readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
  • scp: fix directory name length used in memcpy
  • smb: init *msg to NULL in smb_send_and_recv()
  • smtp: check for and bail out on too short EHLO response
  • source: remove names from source comments
  • spnego_sspi: add typecast to fix build warning
  • src/makefile: fix uncompressed hugehelp.c generation
  • ssh-libssh: do not specify O_APPEND when not in append mode
  • ssh: move code into vssh for SSH backends
  • sspi: fix memory leaks
  • tests: Replace outdated test case numbering documentation
  • tftp: return error when packet is too small for options
  • timediff: make it 64 bit (if possible) even with 32 bit time_t
  • travis: reduce number of torture tests in 'coverage'
  • url: make use of new HTTP version if alt-svc has one
  • urlapi: verify the IPv6 numerical address
  • urldata: avoid 'generic', use dedicated pointers
  • vauth: Use CURLE_AUTH_ERROR for auth function errors

New in cURL 7.65.3 (Jul 19, 2019)

  • Bugfixes:
  • progress: make the progress meter appear again

New in cURL 7.65.2 (Jul 17, 2019)

  • Bugfixes:
  • CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
  • CMake: Convert errant elseif() to else()
  • CMake: Fix finding Brotli on case-sensitive file systems
  • CURLMOPT_SOCKETFUNCTION.3: clarified
  • CURLMOPT_SOCKETFUNCTION.3: fix typo
  • CURLOPT_CAINFO.3: polished wording
  • CURLOPT_HEADEROPT.3: Fix example
  • CURLOPT_RANGE.3: Caution against using it for HTTP PUT
  • CURLOPT_SEEKDATA.3: fix variable name
  • DEPRECATE: fixup versions and spelling
  • bindlocal: detect and avoid IP version mismatches in bind()
  • build: fix Codacy warnings
  • buildconf.bat: fix header filename
  • c-ares: honor port numbers in CURLOPT_DNS_SERVERS
  • config-os400: add getpeername and getsockname defines
  • configure: --disable-progress-meter
  • configure: fix --disable-code-coverage
  • configure: fix typo '--disable-http-uath'
  • configure: more --disable switches to toggle off individual features
  • configure: remove CURL_DISABLE_TLS_SRP
  • conn_maxage: move the check to prune_dead_connections()
  • curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
  • curl_multi_wait.3: escape backslash in example
  • docs: Explain behavior change in --tlsv1. options since 7.54
  • docs: Fix links to OpenSSL docs
  • docs: fix string suggesting HTTP/2 is not the default
  • examples/fopen: fix comparison
  • examples/htmltitle: use C++ casts between pointer types
  • headers: Remove no longer exported functions
  • http2: call done_sending on end of upload
  • http2: don't call stream-close on already closed streams
  • http2: remove CURL_DISABLE_TYPECHECK define
  • http: allow overriding timecond with custom header
  • http: clarify header buffer size calculation
  • krb5: fix compiler warning
  • lib: Use UTF-8 encoding in comments
  • libcurl-tutorial.3: Fix small typo (mutipart -> multipart)
  • libcurl: Restrict redirect schemes to HTTP, HTTPS, FTP and FTPS
  • multi: enable multiplexing by default (again)
  • multi: fix the transfer hashes in the socket hash entries
  • multi: make sure 'data' can present in several sockhash entries
  • netrc: Return the correct error code when out of memory
  • nss: don't set unused parameter
  • nss: inspect returnvalue of token check
  • nss: only cache valid CRL entries
  • nss: support using libnss on macOS
  • openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
  • openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
  • openssl: fix pubkey/signature algorithm detection in certinfo
  • openssl: remove outdated comment
  • os400: make vsetopt() non-static as Curl_vsetopt() for os400 support
  • quote.d: asterisk prefix works for SFTP as well
  • runtests: keep logfiles around by default
  • runtests: report single test time + total duration
  • smb: Use the correct error code for access denied on file open
  • sws: remove unused variables
  • system_win32: fix clang warning
  • system_win32: fix typo
  • test1165: verify that CURL_DISABLE_ symbols are in sync
  • test1521: adapt to SLISTPOINT
  • test1523: test CURLOPT_LOW_SPEED_LIMIT
  • test153: fix content-length to avoid occasional hang
  • test188/189: fix Content-Length
  • tests: have runtests figure out disabled features
  • tests: support non-localhost HOSTIP for dict/smb servers
  • tests: update fixed IP for hostip/clientip split
  • tool_cb_prg: Fix integer overflow in progress bar
  • travis: disable threaded resolver for coverage build
  • travis: enable alt-svc for coverage build
  • travis: enable brotli for all xenial jobs
  • travis: enable libssh2 for coverage build
  • travis: enable warnings-as-errors for coverage build
  • travis: update scan-build job to xenial
  • typecheck: CURLOPT_CONNECT_TO takes an slist too
  • typecheck: add 3 missing strings and a callback data pointer
  • unit1654: cleanup on memory failure
  • unpause: trigger a timeout for event-based transfers
  • url: Fix CURLOPT_MAXAGE_CONN time comparison
  • win32: make DLL loading a no-op for UWP
  • winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG
  • winbuild: use WITH_PREFIX if given
  • wolfssl: refer to it as wolfSSL only

New in cURL 7.65.1 (Jun 5, 2019)

  • Bugfixes:
  • CURLOPT_LOW_SPEED_* repaired
  • NTLM: reset proxy "multipass" state when CONNECT request is done
  • PolarSSL: deprecate support step 1. Removed from configure
  • appveyor: add Visual Studio solution build
  • cmake: check for if_nametoindex()
  • cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
  • config-win32: add support for if_nametoindex and getsockname
  • conncache: Remove the DEBUGASSERT on length check
  • conncache: make "bundles" per host name when doing proxy tunnels
  • curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
  • curl_share_setopt.3: improve wording
  • dump-header.d: spell out that no headers == empty file
  • example/http2-download: fix format specifier
  • examples: cleanups and compiler warning fixes
  • http2: Stop drain from being permanently set
  • http: don't parse body-related headers in bodyless responses
  • md4: build correctly with openssl without MD4
  • md4: include the mbedtls config.h to get the MD4 info
  • multi: track users of a socket better
  • nss: allow to specify TLS 1.3 ciphers if supported by NSS
  • parse_proxy: make sure portptr is initialized
  • parse_proxy: use the IPv6 zone id if given
  • sectransp: handle errSSLPeerAuthCompleted from SSLRead()
  • singlesocket: use separate variable for inner loop
  • ssl: Update outdated "openssl-only" comments for supported backends
  • tests: add HAProxy keywords
  • tests: add support to test against OpenSSH for Windows
  • tests: make test 1420 and 1406 work with rtsp-disabled libcurl
  • tls13-docs: mention it is only for OpenSSL >= 1.1.1
  • tool_parse_cfg: Avoid 2 fopen() for WIN32
  • tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
  • url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
  • url: fix bad feature-disable #ifdef
  • url: use correct port in ConnectionExists()
  • winbuild: Use two space indentation

New in cURL 7.65.0 (May 22, 2019)

  • Changes:
  • CURLOPT_DNS_USE_GLOBAL_CACHE: removed
  • CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
  • pipelining: removed
  • Bugfixes:
  • CVE-2019-5435: Integer overflows in curl_url_set
  • CVE-2019-5436: tftp: use the current blksize for recvfrom()
  • --config: clarify that initial : and = might need quoting
  • AppVeyor: enable testing for WinSSL build
  • CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
  • CURLOPT_ADDRESS_SCOPE: fix range check and more
  • CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
  • CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
  • CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
  • CURL_MAX_INPUT_LENGTH: largest acceptable string input size
  • Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
  • INTERNALS: Add code highlighting
  • OS400/ccsidcurl: replace use of Curl_vsetopt
  • OpenSSL: Report -fips in version if OpenSSL is built with FIPS
  • README.md: fix no-consecutive-blank-lines Codacy warning
  • VC15 project: remove MinimalRebuild
  • VS projects: use Unicode for VC10+
  • WRITEFUNCTION: add missing set_in_callback around callback
  • altsvc: Fix building with cookies disabled
  • auth: Rename the various authentication clean up functions
  • base64: build conditionally if there are users
  • build-openssl.bat: lots of improvements and polish
  • build: fix "clarify calculation precedence" warnings
  • checksrc.bat: ignore snprintf warnings in docs/examples
  • cirrus: Customize the disabled tests per FreeBSD version
  • cleanup: remove FIXME and TODO comments
  • cmake: avoid linking executable for some tests with cmake 3.6+
  • cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
  • cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
  • cmake: set SSL_BACKENDS
  • configure: avoid unportable `==' test(1) operator
  • configure: error out if OpenSSL wasn't detected when asked for
  • configure: fix default location for fish completions
  • cookie: Guard against possible NULL ptr deref
  • curl: make code work with protocol-disabled libcurl
  • curl: report error for "--no-" on non-boolean options
  • curl_easy_getinfo.3: fix minor formatting mistake
  • curlver.h: use parenthesis in CURL_VERSION_BITS macro
  • docs/BUG-BOUNTY: bug bounty time
  • docs/INSTALL: fix broken link
  • docs/RELEASE-PROCEDURE: link to live iCalendar
  • documentation: Fix several typos
  • doh: acknowledge CURL_DISABLE_DOH
  • doh: disable DOH for the cases it doesn't work
  • examples: remove unused variables
  • ftplistparser: fix LGTM alert "Empty block without comment"
  • hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
  • http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
  • http: acknowledge CURL_DISABLE_HTTP_AUTH
  • http: mark bundle as not for multiuse on < HTTP/2 response
  • http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
  • http_negotiate: do not treat failure of gss_init_sec_context() as fatal
  • http_ntlm: Corrected the name of the include guard
  • http_ntlm_wb: Handle auth for only a single request
  • http_ntlm_wb: Return the correct error on receiving an empty auth message
  • lib509: add missing include for strdup
  • lib557: initialize variables
  • makedebug: Fix ERRORLEVEL detection after running where.exe
  • mbedtls: enable use of EC keys
  • mime: acknowledge CURL_DISABLE_MIME
  • multi: improved HTTP_1_1_REQUIRED handling
  • netrc: acknowledge CURL_DISABLE_NETRC
  • nss: allow fifos and character devices for certificates
  • nss: provide more specific error messages on failed init
  • ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
  • ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
  • openssl: mark connection for close on TLS close_notify
  • openvms: Remove pre-processor for SecureTransport
  • openvms: Remove pre-processors for Windows
  • parse_proxy: use the URL parser API
  • parsedate: disabled on CURL_DISABLE_PARSEDATE
  • pingpong: disable more when no pingpong protocols are enabled
  • polarssl_threadlock: remove conditionally unused code
  • progress: acknowledge CURL_DISABLE_PROGRESS_METER
  • proxy: acknowledge DISABLE_PROXY more
  • resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
  • revert "multi: support verbose conncache closure handle"
  • sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
  • sasl: only enable if there's a protocol enabled using it
  • scripts: fix typos
  • singleipconnect: show port in the verbose "Trying ..." message
  • smtp: fix compiler warning
  • socks5: user name and passwords must be shorter than 256
  • socks: fix error message
  • socksd: new SOCKS 4+5 server for tests
  • spnego_gssapi: fix return code on gss_init_sec_context() failure
  • ssh-libssh: remove unused variable
  • ssh: define USE_SSH if SSH is enabled (any backend)
  • ssh: move variable declaration to where it's used
  • test1002: correct the name
  • test2100: Fix typos in test description
  • tests/server/util: fix Windows Unicode build
  • tests: Run global cleanup at end of tests
  • tests: make Impacket (SMB server) Python 3 compatible
  • tool_cb_wrt: fix bad-function-cast warning
  • tool_formparse: remove redundant assignment
  • tool_help: Warn if curl and libcurl versions do not match
  • tool_help: include for strcasecmp
  • transfer: fix LGTM alert "Comparison is always true"
  • travis: add an osx http-only build
  • travis: allow builds on branches named "ci"
  • travis: install dependencies only when needed
  • travis: update some builds do Xenial
  • travis: updated mesalink builds
  • url: always clone the CUROPT_CURLU handle
  • url: convert the zone id from a IPv6 URL to correct scope id
  • urlapi: add CURLUPART_ZONEID to set and get
  • urlapi: increase supported scheme length to 40 bytes
  • urlapi: require a non-zero host name length when parsing URL
  • urlapi: stricter CURLUPART_PORT parsing
  • urlapi: strip off zone id from numerical IPv6 addresses
  • urlapi: urlencode characters above 0x7f correctly
  • vauth/cleartext: update the PLAIN login to match RFC 4616
  • vauth/oauth2: Fix OAUTHBEARER token generation
  • vauth: Fix incorrect function description for Curl_auth_user_contains_domain
  • vtls: fix potential ssl_buffer stack overflow
  • wildcard: disable from build when FTP isn't present
  • winbuild: Support MultiSSL builds
  • xattr: skip unittest on unsupported platforms

New in cURL 7.64.1 (Mar 27, 2019)

  • Changes:
  • alt-svc: experiemental support added
  • configure: add --with-amissl
  • Bugfixes:
  • AppVeyor: add MinGW-w64 and classic Mingw builds
  • AppVeyor: switch VS 2015 builds to VS 2017 image
  • CURLU: fix NULL dereference when used over proxy
  • Curl_easy: remove req.maxfd - never used!
  • Curl_now: figure out windows version in win32_init:
  • Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
  • DoH: inherit some SSL options from user's easy handle
  • Secure Transport: no more "darwinssl"
  • Secure Transport: tvOS 11 is required for ALPN support
  • cirrus: Added FreeBSD builds using Cirrus CI
  • cleanup: make local functions static
  • cli tool: do not use mime.h private structures
  • cmdline-opts/proxytunnel.d: the option tunnnels all protocols
  • configure: add additional libraries to check for LDAP support
  • configure: remove the unused fdopen macro
  • configure: show features as well in the final summary
  • conncache: use conn->data to know if a transfer owns it
  • connection: never reuse CONNECT_ONLY connections
  • connection_check: restore original conn->data after the check
  • connection_check: set ->data to the transfer doing the check
  • cookie: Add support for cookie prefixes
  • cookies: dotless names can set cookies again
  • cookies: fix NULL dereference if flushing cookies with no CookieInfo set
  • curl.1: --user and --proxy-user are hidden from ps output
  • curl.1: mark the argument to --cookie as
  • curl.h: use __has_declspec_attribute for shared builds
  • curl: display --version features sorted alphabetically
  • curl: fix FreeBSD compiler warning in the --xattr code
  • curl: remove MANUAL from -M output
  • curl_easy_duphandle.3: clarify that a duped handle has no shares
  • curl_multi_remove_handle.3: use at any time, just not from within callbacks
  • curl_url.3: this API is not experimental anymore
  • dns: release sharelock as soon as possible
  • docs: update max-redirs.d phrasing
  • easy: fix win32 init to work without CURL_GLOBAL_WIN32
  • examples/10-at-a-time.c: improve readability and simplify
  • examples/cacertinmem.c: use multiple certificates for loading CA-chain
  • examples/crawler: Fix the Accept-Encoding setting
  • examples/ephiperfifo.c: various fixes
  • examples/externalsocket: add missing close socket calls
  • examples/http2-download: cleaned up
  • examples/http2-serverpush: add some sensible error checks
  • examples/http2-upload: cleaned up
  • examples/httpcustomheader: Value stored to 'res' is never read
  • examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory'
  • examples/sftpuploadresume: Value stored to 'result' is never read
  • examples: only include
  • examples: remove recursive calls to curl_multi_socket_action
  • examples: remove superfluous null-pointer checks
  • file: fix "Checking if unsigned variable 'readcount' is less than zero."
  • fnmatch: disable if FTP is disabled
  • gnutls: remove call to deprecated gnutls_compression_get_name
  • gopher: remove check for path == NULL
  • gssapi: fix deprecated header warnings
  • hostip: make create_hostcache_id avoid alloc + free
  • http2: multi_connchanged() moved from multi.c, only used for h2
  • http2: verify :athority in push promise requests
  • http: make adding a blank header thread-safe
  • http: send payload when (proxy) authentication is done
  • http: set state.infilesize when sending multipart formposts
  • makefile: make checksrc and hugefile commands "silent"
  • mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
  • mbedtls: release sessionid resources on error
  • memdebug: log pointer before freeing its data
  • memdebug: make debug-specific functions use curl_dbg_ prefix
  • mime: put the boundary buffer into the curl_mime struct
  • multi: call multi_done on connect timeouts, fixes CURLINFO_TOTAL_TIME
  • multi: remove verbose "Expire in" ... messages
  • multi: removed unused code for request retries
  • multi: support verbose conncache closure handle
  • negotiate: fix for HTTP POST with Negotiate
  • openssl: add support for TLS ASYNC state
  • openssl: if cert type is ENG and no key specified, key is ENG too
  • pretransfer: don't strlen() POSTFIELDS set for GET requests
  • rand: Fix a mismatch between comments in source and header
  • runtests: detect "schannel" as an alias for "winssl"
  • schannel: be quiet - remove verbose output
  • schannel: close TLS before removing conn from cache
  • schannel: support CALG_ECDH_EPHEM algorithm
  • scripts/completion.pl: also generate fish completion file
  • singlesocket: fix the 'sincebefore' placement
  • source: fix two 'nread' may be used uninitialized warnings
  • ssh: fix Condition '!status' is always true
  • ssh: loop the state machine if not done and not blocking
  • strerror: make the strerror function use local buffers
  • system_win32: move win32_init here from easy.c
  • test578: make it read data from the correct test
  • tests: Fixed XML validation errors in some test files
  • tests: add stderr comparison to the test suite
  • tests: fix multiple may be used uninitialized warnings
  • threaded-resolver: shutdown the resolver thread without error message
  • tool_cb_wrt: fix writing to Windows null device NUL
  • tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr
  • tool_operate: build on AmigaOS
  • tool_operate: fix typecheck warning
  • transfer.c: do not compute length of undefined hex buffer
  • travis: add build using gnutls
  • travis: add scan-build
  • travis: bump the used wolfSSL version to 4.0.0
  • travis: enable valgrind for the iconv tests
  • travis: use updated compiler versions: clang 7 and gcc 8
  • unit1307: require FTP support
  • unit1651: survive curl_easy_init() fails
  • url/idnconvert: remove scan for

New in cURL 7.64.0 (Mar 6, 2019)

  • Changes:
  • cookies: leave secure cookies alone
  • hostip: support wildcard hosts
  • http: Implement trailing headers for chunked transfers
  • http: added options for allowing HTTP/0.9 responses
  • timeval: Use high resolution timestamps on Windows
  • Bugfixes:
  • CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
  • CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
  • CVE-2019-3823: SMTP end-of-response out-of-bounds read
  • FAQ: remove mention of sourceforge for github
  • OS400: handle memory error in list conversion
  • OS400: upgrade ILE/RPG binding.
  • README: add codacy code quality badge
  • Revert http_negotiate: do not close connection
  • THANKS: added several missing names from year

New in cURL 7.63.0 (Dec 21, 2018)

  • Changes:
  • curl: add %{stderr} and %{stdout} for --write-out
  • curl: add undocumented option --dump-module-paths for win32
  • setopt: add CURLOPT_CURLU
  • Bugfixes:
  • (lib)curl.rc: fixup for minor bugs
  • CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
  • CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
  • CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
  • Curl_follow: accept non-supported schemes for "fake" redirects
  • KNOWN_BUGS: add --proxy-any connection issue
  • NTLM: Remove redundant ifdef USE_OPENSSL
  • NTLM: force the connection to HTTP/1.1
  • OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
  • SECURITY-PROCESS: bountygraph shuts down again
  • TODO: Have the URL API offer IDN decoding
  • ares: remove fd from multi fd set when ares is about to close the fd
  • axtls: removed
  • checksrc: add COPYRIGHTYEAR check
  • cmake: fix MIT/Heimdal Kerberos detection
  • configure: include all libraries in ssl-libs fetch
  • configure: show CFLAGS, LDFLAGS etc in summary
  • connect: fix building for recent versions of Minix
  • cookies: create the cookiejar even if no cookies to save
  • cookies: expire "Max-Age=0" immediately
  • curl: --local-port range was not "including"
  • curl: fix --local-port integer overflow
  • curl: fix memory leak reading --writeout from file
  • curl: fixed UTF-8 in current console code page (Windows)
  • curl_easy_perform: fix timeout handling
  • curl_global_sslset(): id == -1 is not necessarily an error
  • curl_multibyte: fix a malloc overcalculation
  • curle: move deprecated error code to ifndef block
  • docs: curl_formadd field and file names are now escaped
  • docs: escape "n" codes
  • doh: fix memory leak in OOM situation
  • doh: make it work for h2-disabled builds too
  • examples/ephiperfifo: report error when epoll_ctl fails
  • ftp: avoid two unsigned int overflows in FTP listing parser
  • host names: allow trailing dot in name resolve, then strip it
  • http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
  • http: don't set CURLINFO_CONDITION_UNMET for http status code 204
  • http: fix HTTP Digest auth to include query in URI
  • http_negotiate: do not close connection until negotiation is completed
  • impacket: add LICENSE
  • infof: clearly indicate truncation
  • ldap: fix LDAP URL parsing regressions
  • libcurl: stop reading from paused transfers
  • mprintf: avoid unsigned integer overflow warning
  • netrc: don't ignore the login name specified with "--user"
  • nss: Fall back to latest supported SSL version
  • nss: Fix compatibility with nss versions 3.14 to 3.15
  • nss: fix fallthrough comment to fix picky compiler warning
  • nss: remove version selecting dead code
  • nss: set default max-tls to 1.3/1.2
  • openssl: Remove SSLEAY leftovers
  • openssl: do not log excess "TLS app data" lines for TLS 1.3
  • openssl: do not use file BIOs if not requested
  • openssl: fix unused variable compiler warning with old openssl
  • openssl: support session resume with TLS 1.3
  • openvms: fix example name
  • os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
  • os400: add CURLOPT_CURLU to ILE/RPG binding
  • os400: fix return type of curl_easy_pause() in ILE/RPG binding
  • packages: remove old leftover files and dirs
  • pop3: only do APOP with a valid timestamp
  • runtests: use the local curl for verifying
  • schannel: be consistent in Schannel capitalization
  • schannel: better CURLOPT_CERTINFO support
  • schannel: use Curl_ prefix for global private symbols
  • snprintf: renamed and we now only use msnprintf()
  • ssl: fix compilation with OpenSSL 0.9.7
  • ssl: replace all internal uses of CURLE_SSL_CACERT
  • symbols-in-versions: add missing CURLU_ symbols
  • test328: verify Content-Encoding: none
  • tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
  • tests: drop http_pipe.py script no longer used
  • tool_cb_wrt: Silence function cast compiler warning
  • tool_doswin: Fix uninitialized field warning
  • travis: build with clang sanitizers
  • travis: remove curl before a normal build
  • url: a short host name + port is not a scheme
  • url: fix IPv6 numeral address parser
  • urlapi: only skip encoding the first '=' with APPENDQUERY set

New in cURL 7.62.0 (Dec 21, 2018)

  • Changes:
  • multiplex: enable by default
  • url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
  • setopt: add CURLOPT_DOH_URL
  • curl: --doh-url added
  • setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
  • imap: change from "FETCH" to "UID FETCH"
  • configure: add option to disable automatic OpenSSL config loading
  • upkeep: add a connection upkeep API: curl_easy_upkeep()
  • URL-API: added five new functions
  • vtls: MesaLink is a new TLS backend
  • Bugfixes:
  • CVE-2018-16839: SASL password overflow via integer overflow
  • CVE-2018-16840: use-after-free in handle close
  • CVE-2018-16842: warning message out-of-buffer read
  • CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
  • Curl_dedotdotify(): always nul terminate returned string
  • Curl_follow: Always free the passed new URL
  • Curl_http2_done: fix memleak in error path
  • Curl_retry_request: fix memory leak
  • Curl_saferealloc: Fixed typo in docblock
  • FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
  • GnutTLS: TLS 1.3 support
  • SECURITY-PROCESS: mention the bountygraph program
  • VS projects: add USE_IPV6:
  • Windows: fixes for MinGW targeting Windows Vista
  • anyauthput: fix compiler warning on 64-bit Windows
  • appveyor: add WinSSL builds
  • appveyor: run test suite (on Windows!)
  • certs: generate tests certs with sha256 digest algorithm
  • checksrc: enable strict mode and warnings
  • checksrc: handle zero scoped ignore commands
  • cmake: Backport to work with CMake 3.0 again
  • cmake: Improve config installation
  • cmake: add support for transitive ZLIB target
  • cmake: disable -Wpedantic-ms-format
  • cmake: don't require OpenSSL if USE_OPENSSL=OFF
  • cmake: fixed path used in generation of docs/tests
  • cmake: remove unused *SOCKLEN_T variables
  • cmake: suppress MSVC warning C4127 for libtest
  • cmake: test and set missed defines during configuration
  • comment: Fix multiple typos in function parameters
  • config: Remove unused SIZEOF_VOIDP
  • config_win32: enable LDAPS
  • configure: force-use -lpthreads on HPUX
  • configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
  • configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
  • cookies: Remove redundant expired check
  • cookies: fix leak when writing cookies to file
  • curl-config.in: remove dependency on bc
  • curl.1: --ipv6 mutexes ipv4 (fixed typo)
  • curl: enabled Windows VT Support and UTF-8 output
  • curl: update the documentation of --tlsv1.0
  • curl_multi_wait: call getsock before figuring out timeout
  • curl_ntlm_wb: check aprintf() return codes
  • curl_threads: fix classic MinGW compile break
  • darwinssl: Fix realloc memleak
  • darwinssl: more specific and unified error codes
  • data-binary.d: clarify default content-type is x-www-form-urlencoded
  • docs/BUG-BOUNTY: explain the bounty program
  • docs/CIPHERS: Mention the options used to set TLS 1.3 ciphers
  • docs/CIPHERS: fix the TLS 1.3 cipher names
  • docs/CIPHERS: mention the colon separation for OpenSSL
  • docs/examples: URL updates
  • docs: add "see also" links for SSL options
  • example/asiohiper: insert warning comment about its status
  • example/htmltidy: fix include paths of tidy libraries
  • examples/Makefile.m32: sync with core
  • examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
  • examples/parseurl.c: show off the URL API
  • examples: Fix memory leaks from realloc errors
  • examples: do not wait when no transfers are running
  • ftp: include command in Curl_ftpsend sendbuffer
  • gskit: make sure to terminate version string
  • gtls: Values stored to but never read
  • hostip: fix check on Curl_shuffle_addr return value
  • http2: fix memory leaks on error-path
  • http: fix memleak in rewind error path
  • krb5: fix memory leak in krb_auth
  • ldap: show precise LDAP call in error message on Windows
  • lib: fix gcc8 warning on Windows
  • memory: add missing curl_printf header
  • memory: ensure to check allocation results
  • multi: Fix error handling in the SENDPROTOCONNECT state
  • multi: fix memory leak in content encoding related error path
  • multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
  • netrc: free temporary strings if memory allocation fails
  • nss: fix nssckbi module loading on Windows
  • nss: try to connect even if libnssckbi.so fails to load
  • ntlm_wb: Fix memory leaks in ntlm_wb_response
  • ntlm_wb: bail out if the response gets overly large
  • openssl: assume engine support in 0.9.8 or later
  • openssl: enable TLS 1.3 post-handshake auth
  • openssl: fix gcc8 warning
  • openssl: load built-in engines too
  • openssl: make 'done' a proper boolean
  • openssl: output the correct cipher list on TLS 1.3 error
  • openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
  • openssl: show "proper" version number for libressl builds
  • pipelining: deprecated
  • rand: add comment to skip a clang-tidy false positive
  • rtmp: fix for compiling with lwIP
  • runtests: ignore disabled even when ranges are given
  • runtests: skip ld_preload tests on macOS
  • runtests: use Windows paths for Windows curl
  • schannel: unified error code handling
  • sendf: Fix whitespace in infof/failf concatenation
  • ssh: free the session on init failures
  • ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
  • system.h: use proper setting with Sun C++ as well
  • test1299: use single quotes around asterisk
  • test1452: mark as flaky
  • test1651: unit test Curl_extract_certinfo()
  • test320: strip out more HTML when comparing
  • tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
  • tests: add unit tests for url.c
  • timeval: fix use of weak symbol clock_gettime() on Apple platforms
  • tool_cb_hdr: handle failure of rename()
  • travis: add a "make tidy" build that runs clang-tidy
  • travis: add build for "configure --disable-verbose"
  • travis: bump the Secure Transport build to use xcode
  • travis: make distcheck scan for BOM markers
  • unit1300: fix stack-use-after-scope AddressSanitizer warning
  • urldata: Fix "connecting" comment
  • urlglob: improve error message on bad globs
  • vtls: fix ssl version "or later" behavior change for many backends
  • x509asn1: Fix SAN IP address verification
  • x509asn1: always check return code from getASN1Element()
  • x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
  • x509asn1: suppress left shift on signed value

New in cURL 7.61.1 (Sep 5, 2018)

  • Bug fixes:
  • security advisory (CVE-2018-14618): NTLM password overflow via integer overflow
  • CURLINFO_SIZE_UPLOAD: fix missing counter update
  • CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
  • CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse
  • Curl_getoff_all_pipelines: improved for multiplexed
  • DEPRECATE: remove release date from 7.62.0
  • HTTP: Don't attempt to needlessly decompress redirect body
  • INTERNALS: require GnuTLS >= 2.11.3
  • README.md: add LGTM.com code quality grade for C/C++
  • SSLCERTS: improve the openssl command line
  • Silence GCC 8 cast-function-type warnings
  • ares: check for NULL in completed-callback
  • asyn-thread: Remove unused macro
  • auth: only pick CURLAUTH_BEARER if we *have* a Bearer token
  • auth: pick Bearer authentication whenever a token is available
  • cmake: CMake config files are defining CURL_STATICLIB for static builds
  • cmake: Respect BUILD_SHARED_LIBS
  • cmake: Update scripts to use consistent style
  • cmake: bumped minimum version to 3.4
  • cmake: link curl to the OpenSSL targets instead of lib absolute paths
  • configure: conditionally enable pedantic-errors
  • configure: fix for -lpthread detection with OpenSSL and pkg-config
  • conn: remove the boolean 'inuse' field
  • content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
  • cookie tests: treat files as text
  • cookies: support creation-time attribute for cookies
  • curl: Fix segfault when -H @headerfile is empty
  • curl: add http code 408 to transient list for --retry
  • curl: fix time-of-check, time-of-use race in dir creation
  • curl: use Content-Disposition before the "URL end" for -OJ
  • curl: warn the user if a given file name looks like an option
  • curl_threads: silence bad-function-cast warning
  • darwinssl: add support for ALPN negotiation
  • docs/CURLOPT_URL: fix indentation
  • docs/CURLOPT_WRITEFUNCTION: size is always 1
  • docs/SECURITY-PROCESS: mention bounty, drop pre-notify
  • docs/examples: add hiperfifo example using linux epoll/timerfd
  • docs: add disallow-username-in-url.d and haproxy-protocol.d to dist
  • docs: clarify NO_PROXY env variable functionality
  • docs: improved the manual pages of some callbacks
  • docs: mention NULL is fine input to several functions
  • formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
  • gopher: Do not translate `?' to ` '
  • header output: switch off all styles, not just unbold
  • hostip: fix unused variable warning
  • http2: Use correct format identifier for stream_id
  • http2: abort the send_callback if not setup yet
  • http2: avoid set_stream_user_data() before stream is assigned
  • http2: check nghttp2_session_set_stream_user_data return code
  • http2: clear the drain counter in Curl_http2_done
  • http2: make sure to send after RST_STREAM
  • http2: separate easy handle from connections better
  • http: fix for tiny "HTTP/0.9" response
  • http_proxy: Remove unused macro SELECT_TIMEOUT
  • lib/Makefile: only do symbol hiding if told to
  • lib1502: fix memory leak in torture test
  • lib1522: fix curl_easy_setopt argument type
  • libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
  • mime: check Curl_rand_hex's return code
  • multi: always do the COMPLETED procedure/state
  • openssl: assume engine support in 1.0.0 or later
  • openssl: fix debug messages
  • projects: Improve Windows perl detection in batch scripts
  • retry: return error if rewind was necessary but didn't happen
  • reuse_conn(): memory leak - free old_conn->options
  • schannel: client certificate store opening fix
  • schannel: enable CALG_TLS1PRF for w32api >= 5.1
  • schannel: fix MinGW compile break
  • sftp: don't send post-qoute sequence when retrying a connection
  • smb: fix memory leak on early failure
  • smb: fix memory-leak in URL parse error path
  • smb_getsock: always wait for write socket too
  • ssh-libssh: fix infinite connect loop on invalid private key
  • ssh-libssh: reduce excessive verbose output about pubkey auth
  • ssh-libssh: use FALLTHROUGH to silence gcc8
  • ssl: set engine implicitly when a PKCS#11 URI is provided
  • sws: handle EINTR when calling select()
  • system_win32: fix version checking
  • telnet: Remove unused macros TELOPTS and TELCMDS
  • test1143: disable MSYS2's POSIX path conversion
  • test1148: disable if decimal separator is not point
  • test1307: (fnmatch testing) disabled
  • test1422: add required file feature
  • test1531: Add timeout
  • test1540: Remove unused macro TEST_HANG_TIMEOUT
  • test214: disable MSYS2's POSIX path conversion for URL
  • test320: treat curl320.out file as binary
  • tests/http_pipe.py: Use /usr/bin/env to find python
  • tests: Don't use Windows path %PWD for SSH tests
  • tests: fixes for Windows line endlings
  • tool_operate: Fix setting proxy TLS 1.3 ciphers
  • travis: build darwinssl on macos 10.12 to fix linker errors
  • travis: execute "set -eo pipefail" for coverage build
  • travis: run a 'make checksrc' too
  • travis: update to GCC-8
  • travis: verify that man pages can be regenerated
  • upload: allocate upload buffer on-demand
  • upload: change default UPLOAD_BUFSIZE to 64KB
  • urldata: remove unused pipe_broke struct field
  • vtls: reinstantiate engine on duplicated handles
  • windows: implement send buffer tuning
  • wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random

New in cURL 7.61.0 (Jul 11, 2018)

  • Changes:
  • getinfo: add microsecond precise timers for seven intervals
  • curl: show headers in bold, switch off with --no-styled-output
  • httpauth: add support for Bearer tokens
  • Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
  • curl: --tls13-ciphers and --proxy-tls13-ciphers
  • Add CURLOPT_DISALLOW_USERNAME_IN_URL
  • curl: --disallow-username-in-url
  • Bug fixes:
  • CVE-2018-0500: smtp: fix SMTP send buffer overflow
  • schannel: disable client cert option if APIs not available
  • schannel: disable manual verify if APIs not available
  • tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
  • openssl: acknowledge --tls-max for default version too
  • stub_gssapi: fix 'unused parameter' warnings
  • examples/progressfunc: make it build on both new and old libcurls
  • docs: mention it is HA Proxy protocol "version 1"
  • curl_fnmatch: only allow two asterisks for matching
  • docs: clarify CURLOPT_HTTPGET
  • configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
  • configure: do compile-time SIZEOF checks instead of run-time
  • checksrc: make sure sizeof() is used *with* parentheses
  • CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
  • schannel: make CAinfo parsing resilient to CR/LF
  • tftp: make sure error is zero terminated before printfing it
  • http resume: skip body if http code 416 (range error) is ignored
  • configure: add basic test of --with-ssl prefix
  • cmake: set -d postfix for debug builds
  • multi: provide a socket to wait for in Curl_protocol_getsock
  • content_encoding: handle zlib versions too old for Z_BLOCK
  • winbuild: only delete OUTFILE if it exists
  • winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
  • schannel: add failf calls for client certificate failures
  • cmake: Fix the test for fsetxattr and strerror_r
  • curl.1: Fix cmdline-opts reference errors
  • cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
  • cmake: check for getpwuid_r
  • configure: fix ssh2 linking when built with a static mbedtls
  • psl: use latest psl and refresh it periodically
  • fnmatch: insist on escaped bracket to match
  • KNOWN_BUGS: restore text regarding #2101
  • INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
  • configure: override AR_FLAGS to silence warning
  • os400: implement mime api EBCDIC wrappers
  • curl.rc: embed manifest for correct Windows version detection
  • strictness: correct {infof, failf} format specifiers
  • tests: update .gitignore for libtests
  • configure: check for declaration of getpwuid_r
  • fnmatch: use the system one if available
  • CURLOPT_RESOLVE: always purge old entry first
  • multi: remove a potentially bad DEBUGF()
  • curl_addrinfo: use same #ifdef conditions in source as header
  • build: remove the Borland specific makefiles
  • axTLS: not considered fit for use
  • cmdline-opts/cert-type.d: mention "p12" as a recognized type
  • system.h: add support for IBM xlc C compiler
  • tests/libtest: Add lib1521 to nodist_SOURCES
  • mk-ca-bundle.pl: leave certificate name untouched
  • boringssl + schannel: undef X509_NAME in lib/schannel.h
  • openssl: assume engine support in 1.0.1 or later
  • cppcheck: fix warnings
  • test 46: make test pass after year 2025
  • schannel: support selecting ciphers
  • Curl_debug: remove dead printhost code
  • test 1455: unflakified
  • Curl_init_do: handle NULL connection pointer passed in
  • progress: remove a set of unused defines
  • mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
  • GOVERNANCE.md: explains how this project is run
  • configure: use pkg-config for c-ares detection
  • configure: enhance ability to build with static openssl
  • maketgz: fix sed issues on OSX
  • multi: fix memory leak when stopped during name resolve
  • CURLOPT_INTERFACE.3: interface names not supported on Windows
  • url: fix dangling conn->data pointer
  • cmake: allow multiple SSL backends
  • system.h: fix for gcc on 32 bit OpenServer
  • ConnectionExists: make sure conn->data is set when "taking" a connection
  • multi: fix crash due to dangling entry in connect-pending list
  • CURLOPT_SSL_VERIFYPEER.3: Add performance note
  • netrc: use a larger buffer to support longer passwords
  • url: check Curl_conncache_add_conn return code
  • configure: Add dependent libraries after crypto
  • easy_perform: faster local name resolves by using *multi_timeout()
  • getnameinfo: not used, removed all configure checks
  • travis: add a build using the synchronous name resolver
  • CURLINFO_TLS_SSL_PTR.3: improve the example
  • openssl: allow TLS 1.3 by default
  • openssl: make the requested TLS version the *minimum* wanted
  • openssl: Remove some dead code
  • telnet: fix clang warnings
  • DEPRECATE: new doc describing planned item removals
  • example/crawler.c: simple crawler based on libxml2
  • libssh: goto DISCONNECT state on error, not SESSION_FREE
  • CMake: Remove unused functions
  • darwinssl: allow High Sierra users to build the code using GCC
  • scripts: include _curl as part of CLEANFILES

New in cURL 7.60.0 (May 16, 2018)

  • Changes:
  • Add CURLOPT_HAPROXYPROTOCOL, support for the HAProxy PROXY protocol
  • Add --haproxy-protocol for the command line tool
  • Add CURLOPT_DNS_SHUFFLE_ADDRESSES, shuffle returned IP addresses
  • Bug fixes:
  • FTP: shutdown response buffer overflow CVE-2018-1000300
  • RTSP: bad headers buffer over-read CVE-2018-1000301
  • FTP: fix typo in recursive callback detection for seeking
  • test1208: marked flaky
  • HTTP: make header-less responses still count correct body size
  • user-agent.d:: mention --proxy-header as well
  • http2: fixes typo
  • cleanup: misc typos in strings and comments
  • rate-limit: use three second window to better handle high speeds
  • examples/hiperfifo.c: improved
  • pause: when changing pause state, update socket state
  • multi: improved pending transfers handling => improved performance
  • curl_version_info.3: fix ssl_version description
  • add_handle/easy_perform: clear errorbuffer on start if set
  • darwinssl: fix iOS build
  • cmake: add support for brotli
  • parsedate: support UT timezone
  • vauth/ntlm.h: fix the #ifdef header guard
  • lib/curl_path.h: added #ifdef header guard
  • vauth/cleartext: fix integer overflow check
  • CURLINFO_COOKIELIST.3: made the example not leak memory
  • cookie.d: mention that "-" as filename means stdin
  • CURLINFO_SSL_VERIFYRESULT.3: fixed the example
  • http2: read pending frames (including GOAWAY) in connection-check
  • timeval: remove compilation warning by casting
  • cmake: avoid warn-as-error during config checks
  • travis-ci: enable -Werror for CMake builds
  • openldap: fix for NULL return from ldap_get_attribute_ber()
  • threaded resolver: track resolver time and set suitable timeout values
  • cmake: Add advapi32 as explicit link library for win32
  • docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
  • test1148: set a fixed locale for the test
  • cookies: when reading from a file, only remove_expired once
  • cookie: store cookies per top-level-domain-specific hash table
  • openssl: fix build with LibreSSL 2.7
  • tls: fix mbedTLS 2.7.0 build + handle sha256 failures
  • openssl: RESTORED verify locations when verifypeer==0
  • file: restore old behavior for file:////foo/bar URLs
  • FTP: allow PASV on IPv6 connections when a proxy is being used
  • build-openssl.bat: allow custom paths for VS and perl
  • winbuild: make the clean target work without build-type
  • build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
  • curl: retry on FTP 4xx, ignore other protocols
  • configure: detect (and use) sa_family_t
  • examples/sftpuploadresume: Fix Windows large file seek
  • build: cleanup to fix clang warnings/errors
  • winbuild: updated the documentation
  • lib: silence null-dereference warnings
  • travis: bump to clang 6 and gcc 7
  • travis: build libpsl and make builds use it
  • proxy: show getenv proxy use in verbose output
  • duphandle: make sure CURLOPT_RESOLVE is duplicated
  • all: Refactor malloc+memset to use calloc
  • checksrc: Fix typo
  • system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
  • vauth: Fix typo
  • ssh: show libSSH2 error code when closing fails
  • test1148: tolerate progress updates better
  • urldata: make service names unconditional
  • configure: keep LD_LIBRARY_PATH changes local
  • ntlm_sspi: fix authentication using Credential Manager
  • schannel: add client certificate authentication
  • winbuild: Support custom devel paths for each dependency
  • schannel: add support for CURLOPT_CAINFO
  • http2: handle on_begin_headers() called more than once
  • openssl: support OpenSSL 1.1.1 verbose-mode trace messages
  • openssl: fix subjectAltName check on non-ASCII platforms
  • http2: avoid strstr() on data not zero terminated
  • http2: clear the "drain counter" when a stream is closed
  • http2: handle GOAWAY properly
  • tool_help: clarify --max-time unit of time is seconds
  • curl.1: clarify that options and URLs can be mixed
  • http2: convert an assert to run-time check
  • curl_global_sslset: always provide available backends
  • ftplistparser: keep state between invokes
  • Curl_memchr: zero length input can't match
  • examples/sftpuploadresume: typecast fseek argument to long
  • examples/http2-upload: expand buffer to avoid silly warning
  • ctype: restore character classification for non-ASCII platforms
  • mime: avoid NULL pointer dereference risk
  • cookies: ensure that we have cookies before writing jar
  • os400.c: fix checksrc warnings
  • configure: provide --with-wolfssl as an alias for --with-cyassl
  • cyassl: adapt to libraries without TLS 1.0 support built-in
  • http2: get rid of another strstr
  • checksrc: force indentation of lines after an else
  • cookies: remove unused macro
  • CURLINFO_PROTOCOL.3: mention the existing defined names
  • tests: provide 'manual' as a feature to optionally require
  • travis: enable libssh2 on both macos and Linux
  • CURLOPT_URL.3: added ENCODING section
  • wolfssl: Fix non-blocking connect
  • vtls: don't define MD5_DIGEST_LENGTH for wolfssl
  • docs: remove extraneous commas in man pages
  • URL: fix ASCII dependency in strcpy_url and strlen_url
  • ssh-libssh.c: fix left shift compiler warning
  • configure: only check for CA bundle for file-using SSL backends
  • travis: add an mbedtls build
  • http: don't set the "rewind" flag when not uploading anything
  • configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
  • transfer: don't unset writesockfd on setup of multiplexed conns
  • vtls: use unified "supports" bitfield member in backends
  • URLs: fix one more http url
  • travis: add a build using WolfSSL
  • openssl: change FILE ops to BIO ops
  • travis: add build using NSS
  • smb: reject negative file sizes
  • cookies: accept parameter names as cookie name
  • http2: getsock fix for uploads
  • all over: fixed format specifiers
  • http2: use the correct function pointer typedef

New in cURL 7.59.0 (Mar 30, 2018)

  • Changes:
  • curl: add --proxy-pinnedpubkey
  • added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
  • CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
  • Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
  • Add new tool option --happy-eyeballs-timeout-ms
  • Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
  • Bug fixes:
  • openldap: check ldap_get_attribute_ber() results for NULL before using
  • FTP: reject path components with control codes
  • readwrite: make sure excess reads don't go beyond buffer end
  • lib555: drop text conversion and encode data as ascii codes
  • lib517: make variable static to avoid compiler warning
  • lib544: sync ascii code data with textual data
  • GSKit: restore pinnedpubkey functionality
  • darwinssl: Don't import client certificates into Keychain on macOS
  • parsedate: fix date parsing for systems with 32 bit long
  • openssl: fix pinned public key build error in FIPS mode
  • SChannel/WinSSL: Implement public key pinning
  • cookies: remove verbose "cookie size:" output
  • progress-bar: don't use stderr explicitly, use bar->out
  • Fixes for MSDOS
  • build: open VC15 projects with VS 2017
  • curl_ctype: private is*() type macros and functions
  • configure: set PATH_SEPARATOR to colon for PATH w/o separator
  • winbuild: make linker generate proper PDB
  • curl_easy_reset: clear digest auth state
  • curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
  • range: commonize FTP and FILE range handling
  • progress-bar docs: update to match implementation
  • fnmatch: do not match the empty string with a character set
  • fnmatch: accept an alphanum to be followed by a non-alphanum in char set
  • build: fix termios issue on android cross-compile
  • getdate: return -1 for out of range
  • formdata: use the mime-content type function
  • time-cond: fix reading the file modification time on Windows
  • build-openssl.bat: Extend VC15 support to include Enterprise and Professional
  • build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
  • openssl: Don't add verify locations when verifypeer==0
  • fnmatch: optimize processing of consecutive *s and ?s pattern characters
  • schannel: fix compiler warnings
  • content_encoding: Add "none" alias to "identity"
  • get_posix_time: only check for overflows if they can happen
  • http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
  • README: language fix
  • sha256: build with OpenSSL < 0.9.8
  • smtp: fix processing of initial dot in data
  • --tlsauthtype: works only if libcurl is built with TLS-SRP support
  • tests: new tests for http raw mode
  • libcurl-security.3: man page discussion security concerns when using libcurl
  • curl_gssapi: make sure this file too uses our *printf()
  • BINDINGS: fix curb link (and remove ruby-curl-multi)
  • nss: use PK11_CreateManagedGenericObject() if available
  • travis: add build with iconv enabled
  • ssh: add two missing state names
  • CURLOPT_HEADERFUNCTION.3: mention folded headers
  • http: fix the max header length detection logic
  • header callback: don't chop headers into smaller pieces
  • CURLOPT_HEADER.3: clarify problems with different data sizes
  • curl --version: show PSL if the run-time lib has it enabled
  • examples/sftpuploadresume: resume upload via CURLOPT_APPEND
  • Return error if called recursively from within callbacks
  • sasl: prefer PLAIN mechanism over LOGIN
  • winbuild: Use CALL to run batch scripts
  • curl_share_setopt.3: connection cache is shared within multi handles
  • winbuild: Use macros for the names of some build utilities
  • projects/README: remove reference to dead IDN link/package
  • lib655: silence compiler warning
  • configure: Fix version check for OpenSSL 1.1.1
  • docs/MANUAL: formfind.pl is not accessible on the site anymore
  • unit1309: fix warning on Windows x64
  • unit1307: proper cleanup on OOM to fix torture tests
  • curl_ctype: fix macro redefinition warnings
  • build: get CFLAGS (including -werror) used for examples and tests
  • NO_PROXY: fix for IPv6 numericals in the URL
  • krb5: use nondeprecated functions
  • winbuild: prefer documented zlib library names
  • http2: mark the connection for close on GOAWAY
  • limit-rate: kick in even before "limit" data has been received
  • HTTP: allow "header;" to replace an internal header with a blank one
  • http2: verbose output new MAX_CONCURRENT_STREAMS values
  • SECURITY: distros' max embargo time is 14 days
  • curl tool: accept --compressed also if Brotli is enabled and zlib is not
  • WolfSSL: adding TLSv1.3
  • checksrc.pl: add -i and -m options
  • CURLOPT_COOKIEFILE.3: "-" as file name means stdin

New in cURL 7.58.0 (Jan 25, 2018)

  • Changes:
  • new libssh-powered SSH SCP/SFTP back-end
  • curl-config: add --ssl-backends
  • Bug fixes:
  • http2: fix incorrect trailer buffer size
  • http: prevent custom Authorization headers in redirects
  • travis: add boringssl build
  • examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
  • SSL: Avoid magic allocation of SSL backend specific data
  • lib: don't export all symbols, just everything curl_*
  • libssh2: send the correct CURLE error code on scp file not found
  • libssh2: return CURLE_UPLOAD_FAILED on failure to upload
  • openssl: enable pkcs12 in boringssl builds
  • libssh2: remove dead code from SSH_SFTP_QUOTE
  • sasl_getmesssage: make sure we have a long enough string to pass
  • conncache: fix several lock issues
  • threaded-shared-conn.c: new example
  • conncache: only allow multiplexing within same multi handle
  • configure: check for netinet/in6.h
  • URL: tolerate backslash after drive letter for FILE:
  • openldap: add commented out debug possibilities
  • include: get netinet/in.h before linux/tcp.h
  • CONNECT: keep close connection flag in http_connect_state struct
  • BINDINGS: another PostgreSQL client
  • curl: limit -# update frequency for unknown total size
  • configure: add AX_CODE_COVERAGE only if using gcc
  • curl.h: remove incorrect comment about ERRORBUFFER
  • openssl: improve data-pending check for https proxy
  • curl: remove __EMX__ #ifdefs
  • CURLOPT_PRIVATE.3: fix grammar
  • sftp: allow quoted commands to use relative paths
  • CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
  • RESOLVE: output verbose text when trying to set a duplicate name
  • openssl: Disable file buffering for Win32 SSLKEYLOGFILE
  • multi_done: prune DNS cache
  • tests: update .gitignore for libtests
  • tests: mark data files as non-executable in git
  • CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
  • curl.1: documented two missing valid exit codes
  • curl.1: mention http:// and https:// as valid proxy prefixes
  • vtls: replaced getenv() with curl_getenv()
  • setopt: less *or equal* than INT_MAX/1000 should be fine
  • examples/smtp-mail.c: use separate defines for options and mail
  • curl: support >256 bytes warning messsages
  • conncache: fix a return code
  • krb5: fix a potential access of uninitialized memory
  • rand: add a clang-analyzer work-around
  • CURLOPT_READFUNCTION.3: refer to argument with correct name
  • brotli: allow compiling with version 0.6.0
  • content_encoding: rework zlib_inflate
  • curl_easy_reset: release mime-related data
  • examples/rtsp: fix error handling macros
  • build-openssl.bat: Added support for VC15
  • build-wolfssl.bat: Added support for VC15
  • build: Added Visual Studio 2017 project files
  • winbuild: Added support for VC15
  • curl: Support size modifiers for --max-filesize
  • examples/cacertinmem: ignore cert-already-exists error
  • brotli: data at the end of content can be lost
  • curl_version_info.3: call the argument 'age'
  • openssl: fix memory leak of SSLKEYLOGFILE filename
  • build: remove HAVE_LIMITS_H check
  • --mail-rcpt: fix short-text description
  • scripts: allow all perl scripts to be run directly
  • progress: calculate transfer speed on milliseconds if possible
  • system.h: check __LONG_MAX__ for defining curl_off_t
  • easy: fix connection ownership in curl_easy_pause
  • setopt: reintroduce non-static Curl_vsetopt() for OS400 support
  • setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
  • configure.ac: append extra linker flags instead of prepending them
  • HTTP: bail out on negative Content-Length: values
  • docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
  • mime: clone mime tree upon easy handle duplication
  • openssl: enable SSLKEYLOGFILE support by default
  • smtp/pop3/imap_get_message: decrease the data length too...
  • CURLOPT_TCP_NODELAY.3: fix typo
  • SMB: fix numeric constant suffix and variable types
  • ftp-wildcard: fix matching an empty string with "*[^a]"
  • curl_fnmatch: only allow 5 '*' sections in a single pattern
  • openssl: fix potential memory leak in SSLKEYLOGFILE logic
  • SSH: Fix state machine for ssh-agent authentication
  • examples/url2file.c: add missing curl_global_cleanup() call
  • http2: don't close connection when single transfer is stopped
  • libcurl-env.3: first version
  • curl: progress bar refresh, get width using ioctl()
  • CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support

New in cURL 7.57.0 (Nov 29, 2017)

  • Changes:
  • auth: add support for RFC7616 - HTTP Digest access authentication
  • share: add support for sharing the connection cache
  • HTTP: implement Brotli content encoding
  • Bug fixes:
  • CVE-2017-8816: NTLM buffer overflow via integer overflow
  • CVE-2017-8817: FTP wildcard out of bounds read
  • CVE-2017-8818: SSL out of buffer access
  • curl_mime_filedata.3: fix typos
  • libtest: Add required test libraries for lib1552 and lib1553
  • fix time diffs for systems using unsigned time_t
  • ftplistparser: memory leak fix: free temporary memory always
  • multi: allow table handle sizes to be overridden
  • wildcards: don't use with non-supported protocols
  • curl_fnmatch: return error on illegal wildcard pattern
  • transfer: Fix chunked-encoding upload too early exit
  • curl_setup: Improve detection of CURL_WINDOWS_APP
  • resolvers: only include anything if needed
  • setopt: fix CURLOPT_SSH_AUTH_TYPES option read
  • appveyor: add a win32 build
  • Curl_timeleft: change return type to timediff_t
  • cmake: Export libcurl and curl targets to use by other cmake projects
  • curl: in -F option arg, comma is a delimiter for files only
  • curl: improved ";type=" handling in -F option arguments
  • timeval: use mach_absolute_time() on MacOS
  • curlx: the timeval functions are no longer provided as curlx_*
  • mkhelp.pl: do not generate comment with current date
  • memdebug: use send/recv signature for curl_dosend/curl_dorecv
  • cookie: avoid NULL dereference
  • url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
  • include: remove conncache.h inclusion from where its not needed
  • CURLOPT_MAXREDIRS: allow -1 as a value
  • tests: Fixed torture tests on tests 556 and 650
  • http2: Fixed OOM handling in upgrade request
  • url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
  • CURLOPT_INFILESIZE: accept -1
  • curl: pass through [] in URLs instead of calling globbing error
  • curl: speed up handling of many URLs
  • ntlm: avoid malloc(0) for zero length passwords
  • url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES
  • HTTP: support multiple Content-Encodings
  • travis: add a job with brotli enabled
  • url: remove unncessary NULL-check
  • fnmatch: remove dead code
  • connect: store IPv6 connection status after valid connection
  • imap: deal with commands case insensitively
  • --interface: add support for Linux VRF
  • content_encoding: fix inflate_stream for no bytes available
  • cmake: Correctly include curl.rc in Windows builds
  • cmake: Add missing setmode check
  • connect.c: remove executable bit on file
  • SMB: fix uninitialized local variable
  • zlib/brotli: only include header files in modules needing them
  • URL: return error on malformed URLs with junk after IPv6 bracket
  • openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
  • macOS: Fix missing connectx function with Xcode version older than 9.0
  • --resolve: allow IP address within [] brackets
  • examples/curlx: Fix code style
  • ntlm: remove unnecessary NULL-check to please scan-build
  • Curl_llist_remove: fix potential NULL pointer deref
  • mime: fix "Value stored to 'sz' is never read" scan-build error
  • openssl: fix "Value stored to 'rc' is never read" scan-build error
  • http2: fix "Value stored to 'hdbuf' is never read" scan-build error
  • http2: fix "Value stored to 'end' is never read" scan-build error
  • Curl_open: fix OOM return error correctly
  • url: reject ASCII control characters and space in host names
  • examples/rtsp: clear RANGE again after use
  • connect: improve the bind error message
  • make: fix "make distclean"
  • connect: add support for new TCP Fast Open API on Linux
  • metalink: fix memory-leak and NULL pointer dereference
  • URL: update "file:" URL handling
  • ssh: remove check for a NULL pointer
  • global_init: ignore CURL_GLOBAL_SSL's absense

New in cURL 7.56.1 (Oct 23, 2017)

  • Bug fixes:
  • imap: if a FETCH response has no size, don't call write callback
  • ftp: UBsan fixup 'pointer index expression overflowed
  • failf: skip the sprintf() if there are no consumers
  • fuzzer: move to using external curl-fuzzer
  • lib/Makefile.m32: allow customizing dll suffixes
  • docs: fix typo in curl_mime_data_cb man page
  • darwinssl: add support for TLSv1.3
  • build: fix --disable-crypto-auth
  • lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
  • openssl: fix build without HAVE_OPAQUE_EVP_PKEY
  • strtoofft: Remove extraneous null check
  • multi_cleanup: call DONE on handles that never got that
  • tests: added flaky keyword to tests 587 and 644
  • pingpong: return error when trying to send without connection
  • remove_handle: call multi_done() first, then clear dns cache pointer
  • mime: be tolerant about setting the same header list twice in a part
  • mime: improve unbinding top multipart from easy handle
  • mime: avoid resetting a part's encoder when part's contents change
  • mime: refuse to add subparts to one of their own descendants
  • RTSP: avoid integer overflow on funny RTSP responses
  • curl: don't pass semicolons when parsing Content-Disposition
  • openssl: enable PKCS12 support for !BoringSSL
  • FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
  • CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
  • CURLOPT_XFERINFODATA.3: fix duplicate see also
  • test298: verify --ftp-method nowcwd with URL encoded path
  • FTP: URL decode path for dir listing in nocwd mode
  • smtp_done: fix memory leak on send failure
  • ftpserver: support case insensitive commands
  • test950; verify SMTP with custom request
  • openssl: don't use old BORINGSSL_YYYYMM macros
  • setopt: update current connection SSL verify params
  • winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
  • curl: reimplement stdin buffering in -F option
  • mime: keep "text/plain" content type if user-specified
  • mime: fix the content reader to handle >16K data properly
  • configure: remove the C++ compiler check
  • memdebug: trace send, recv and socket
  • runtests: use valgrind for torture as well
  • ldap: silence clang warning
  • makefile.m32: allow to override gcc, ar and ranlib
  • setopt: avoid integer overflows when setting millsecond values
  • setopt: range check most long options
  • ftp: reject illegal IP/port in PASV 227 response
  • mime: do not reuse previously computed multipart size
  • vtls: change struct Curl_ssl `close' field name to `close_one'
  • os400: add missing symbols in config file
  • mime: limit bas64-encoded lines length to 76 characters
  • mk-ca-bundle: Remove URL for aurora
  • mk-ca-bundle: Fix URL for NSS

New in cURL 7.56.0 (Oct 14, 2017)

  • Changes:
  • curl: enable compression for SCP/SFTP with --compressed-ssh
  • libcurl: enable compression for SCP/SFTP with CURLOPT_SSH_COMPRESSION
  • vtls: added dynamic changing SSL backend with curl_global_sslset()
  • new MIME API, curl_mime_init() and friends
  • openssl: initial SSLKEYLOGFILE implementation
  • Bug fixes:
  • FTP: zero terminate the entry path even on bad input
  • examples/ftpuploadresume.c: use portable code
  • runtests: match keywords case insensitively
  • travis: build the examples too
  • strtoofft: reduce integer overflow risks globally
  • zsh.pl: produce a working completion script again
  • cmake: remove dead code for CURL_DISABLE_RTMP
  • progress: Track total times following redirects
  • configure: fix --disable-threaded-resolver
  • cmake: remove dead code for DISABLED_THREADSAFE
  • configure: fix clang version detection
  • darwinssi: fix error: variable length array used
  • travis: add metalink to some osx builds
  • configure: check for __builtin_available() availability
  • http_proxy: fix build error for CURL_DOES_CONVERSIONS
  • examples/ftpuploadresume: checksrc compliance
  • ftp: fix CWD when doing multicwd then nocwd on same connection
  • system.h: remove all CURL_SIZEOF_* defines
  • http: Don't wait on CONNECT when there is no proxy
  • system.h: check for __ppc__ as well
  • http2_recv: return error better on fatal h2 errors
  • scripts/contri*sh: use "git log --use-mailmap"
  • tftp: fix memory leak on too long filename
  • system.h: fix build for hppa
  • cmake: enable picky compiler options with clang and gcc
  • makefile.m32: add support for libidn2
  • curl: turn off MinGW CRT's globbing
  • request-target.d: mention added in 7.55.0
  • curl: shorten and clean up CA cert verification error message
  • imap: support PREAUTH
  • CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
  • examples/threaded-ssl: mention that this is for openssl before 1.1
  • winbuild: fix embedded manifest option
  • tests: Make sure libtests & unittests call curl_global_cleanup()
  • system.h: include sys/poll.h for AIX
  • darwinssl: handle long strings in TLS certs
  • strtooff: fix build for systems with long long but no strtoll
  • asyn-thread: Improved cleanup after OOM situations
  • HELP-US.md: "How to get started helping out in the curl project"
  • curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
  • unit1301: fix error message on first test
  • ossfuzz: moving towards the ideal integration
  • http: fix a memory leakage in checkrtspprefix()
  • examples/post-callback: stop returning one byte at a time
  • schannel: return CURLE_SSL_CACERT on failed verification
  • MAIL-ETIQUETTE: added "1.9 Your emails are public"
  • http-proxy: treat all 2xx as CONNECT success
  • openssl: use OpenSSL's default ciphers by default
  • runtests.pl: support attribute "nonewline" in part verify/upload
  • configure: remove --enable-soname-bump and SONAME_BUMP
  • travis: add c-ares enabled builds linux + osx
  • vtls: fix WolfSSL 3.12 build problems
  • http-proxy: when not doing CONNECT, that phase is done immediately
  • configure: fix curl_off_t check's include order
  • configure: use -Wno-varargs on clang 3.9[.X] debug builds
  • rtsp: do not call fwrite() with NULL pointer FILE *
  • mbedtls: enable CA path processing
  • travis: add build without HTTP/SMTP/IMAP
  • checksrc: verify more code style rules
  • HTTP proxy: on connection re-use, still use the new remote port
  • tests: add initial gssapi test using stub implementation
  • rtsp: Segfault when using WRITEDATA
  • docs: clarify the CURLOPT_INTERLEAVE* options behavior
  • non-ascii: use iconv() with 'char **' argument
  • server/getpart: provide dummy function to build conversion enabled
  • conversions: fix several compiler warnings
  • openssl: add missing includes
  • schannel: Support partial send for when data is too large
  • socks: fix incorrect port number in SOCKS4 error message
  • curl: fix integer overflow in timeout options
  • travis: on mac, don't install openssl or libidn
  • cookies: reject oversized cookies instead of truncating
  • cookies: use lock when using CURLINFO_COOKIELIST
  • curl: check fseek() return code and bail on error
  • examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
  • openssl: only verify RSA private key if supported
  • tests: make the imap server not verify user+password
  • imap: quote atoms properly when escaping characters
  • tests: fix a compiler warning in test 643
  • file_range: avoid integer overflow when figuring out byte range
  • curl.h: include on cygwin too
  • reuse_conn: don't copy flags that are known to be equal
  • http: fix adding custom empty headers to repeated requests
  • docs: clarify the use of environment variables for proxy
  • docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
  • connect: fix race condition with happy eyeballs timeout
  • cookie: fix memory leak if path was set twice in header
  • vtls: compare and clone ssl configs properly
  • proxy: read the "no_proxy" variable only if necessary

New in cURL 7.54.1 (Jul 14, 2017)

  • Changes:
  • curl: show the libcurl release date in --version output
  • Bug fixes:
  • CVE-2017-9502: default protocol drive letter buffer overflow
  • openssl: fix memory leak in servercert
  • tests: remove the html and PDF versions from the tarball
  • mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable
  • typecheck-gcc: handle function pointers properly
  • llist: no longer uses malloc
  • gnutls: removed some code when --disable-verbose is configured
  • lib: fix maybe-uninitialized warnings
  • multi: clarify condition in curl_multi_wait
  • schannel: Don't treat encrypted partial record as pending data
  • configure: fix the -ldl check for openssl, add -lpthread check
  • configure: accept -Og and -Ofast GCC flags
  • Makefile: avoid use of GNU-specific form of $<
  • if2ip: fix -Wcast-align warning
  • configure: stop prepending to LDFLAGS, CPPFLAGS
  • curl: set a 100K buffer size by default
  • typecheck-gcc: fix _curl_is_slist_info
  • nss: do not leak PKCS #11 slot while loading a key
  • nss: load libnssckbi.so if no other trust is specified
  • examples: ftpuploadfrommem.c
  • url: declare get_protocol_family() static
  • examples/cookie_interface.c: changed to example.com
  • test1443: test --remote-time
  • curl: use utimes instead of obsolescent utime when available
  • url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
  • curl_rtmp: fix missing-variable-declarations warnings
  • tests: fixed OOM handling of unit tests to abort test
  • curl_setup: Ensure no more than one IDN lib is enabled
  • tool: Fix missing prototype warnings for CURL_DOES_CONVERSIONS
  • CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
  • curl: non-boolean command line args reject --no- prefixes
  • telnet: Write full buffer instead of byte-by-byte
  • typecheck-gcc: add missing string options
  • typecheck-gcc: add support for CURLINFO_SOCKET
  • opt man pages: they all have examples now
  • curl_setup_once: use SEND_QUAL_ARG2 for swrite
  • test557: set a known good numeric locale
  • schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOT
  • tests/server: make string literals const
  • runtests: use -R for random order
  • unit1305: fix compiler warning
  • curl_slist_append.3: clarify a NULL input creates a new list
  • tests/server: run checksrc by default in debug-builds
  • tests: fix -Wcast-qual warnings
  • runtests.pl: simplify the datacheck read section
  • curl: remove --environment and tool_writeenv.c
  • buildconf: fix hang on IRIX
  • tftp: silence bad-function-cast warning
  • asyn-thread: fix unused macro warnings
  • tool_parsecfg: fix -Wcast-qual warning
  • sendrecv: fix MinGW-w64 warning
  • test537: use correct variable type
  • rand: treat fake entropy the same regardless of endianness
  • curl: generate the --help output
  • tests: removed redundant --trace-ascii arguments
  • multi: assign IDs to all timers and make each timer singleton
  • multi: use a fixed array of timers instead of malloc
  • mbedtls: Support server renegotiation request
  • pipeline: fix mistakenly trying to pipeline POSTs
  • lib510: don't write past the end of the buffer if it's too small
  • CURLOPT_HTTPPROXYTUNNEL.3: clarify, add example
  • SecureTransport/DarwinSSL: Implement public key pinning
  • curl.1: clarify --config
  • curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
  • darwinssl: Fix exception when processing a client-side certificate
  • curl.1: mention --oauth2-bearer's argument
  • mkhelp.pl: do not add current time into curl binary
  • asiohiper.cpp / evhiperfifo.c: deal with negative timerfunction input
  • ssh: fix memory leak in disconnect due to timeout
  • tests: stabilize test 1034
  • cmake: auto detection of CURL_CA_BUNDLE/CURL_CA_PATH
  • assert: avoid, use DEBUGASSERT instead
  • LDAP: using ldap_bind_s on Windows with methods
  • redirect: store the "would redirect to" URL when max redirs is reached
  • winbuild: fix the nghttp2 build
  • examples: fix -Wimplicit-fallthrough warnings
  • time: fix type conversions and compiler warnings
  • mbedtls: fix variable shadow warning
  • test557: fix ubsan runtime error due to int left shift
  • transfer: init the infilesize from the postfields
  • docs: clarify NO_PROXY further
  • build-wolfssl: Sync config with wolfSSL 3.11
  • curl-compilers.m4: enable -Wshift-sign-overflow for clang
  • example/externalsocket.c: make it use CLOSESOCKETFUNCTION too
  • lib574.c: use correct callback proto
  • lib583: fix compiler warning
  • curl-compilers.m4: fix compiler_num for clang
  • typecheck-gcc.h: separate getinfo slist checks from other pointers
  • typecheck-gcc.h: check CURLINFO_TLS_SSL_PTR and CURLINFO_TLS_SESSION
  • typecheck-gcc.h: check CURLINFO_CERTINFO
  • build: provide easy code coverage measuring
  • test1537: dedicated tests of the URL (un)escape API calls
  • curl_endian: remove unused functions
  • test1538: verify the libcurl strerror API calls
  • MD(4|5): silence cast-align clang warning
  • dedotdot: fixed output for ".." and "." only input
  • cyassl: define build macros before including ssl.h
  • updatemanpages.pl: error out on too old git version
  • curl_sasl: fix unused-variable warning
  • x509asn1: fix implicit-fallthrough warning with GCC 7
  • libtest: fix implicit-fallthrough warnings with GCC 7
  • BINDINGS: add Ring binding
  • curl_ntlm_core: pass unsigned char to toupper
  • test1262: verify ftp download with -z for "if older than this"
  • test1521: test all curl_easy_setopt options
  • typecheck-gcc: allow CURLOPT_STDERR to be NULL too
  • metalink: remove unused printf() argument
  • file: make speedcheck use current time for checks
  • configure: fix link with librtmp when specifying path
  • examples/multi-uv.c: fix deprecated symbol
  • cmake: Fix inconsistency regarding mbed TLS include directory
  • setopt: check CURLOPT_ADDRESS_SCOPE option range
  • gitignore: ignore all vim swap files
  • urlglob: fix division by zero
  • libressl: OCSP and intermediate certs workaround no longer needed

New in cURL 7.54.0 (Apr 19, 2017)

  • Changes:
  • Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION
  • Add --max-tls
  • Add CURLOPT_SUPPRESS_CONNECT_HEADERS
  • Add --suppress-connect-headers
  • Bug fixes:
  • CVE-2017-7468: switch off SSL session id when client cert is used
  • cmake: Replace invalid UTF-8 byte sequence
  • tests: use consistent environment variables for setting charset
  • proxy: fixed a memory leak on OOM
  • ftp: removed an erroneous free in an OOM path
  • docs: de-duplicate file lists in the Makefiles
  • ftp: fixed a NULL pointer dereference on OOM
  • gopher: fixed detection of an error condition from Curl_urldecode
  • url: fix unix-socket support for proxy-disabled builds
  • test1139: allow for the possibility that the man page is not rebuilt
  • cyassl: get library version string at runtime
  • digest_sspi: fix compilation warning
  • tests: enable HTTP/2 tests to run with non-default port numbers
  • warnless: suppress compiler warning
  • darwinssl: Warn that disabling host verify also disables SNI
  • configure: fix for --enable-pthreads
  • checksrc.bat: Ignore curl_config.h.in, curl_config.h
  • no-keepalive.d: fix typo
  • configure: fix --with-zlib when a path is specified
  • build: fix gcc7 implicit fallthrough warnings
  • fix potential use of uninitialized variables
  • CURLOPT_SSL_CTX_FUNCTION.3: Fix EXAMPLE formatting errors
  • CMake: Reorganize SSL support, separate WinSSL and SSPI
  • CMake: Add DarwinSSL support
  • CMake: Add mbedTLS support
  • ares: return error at once if timed out before name resolve starts
  • BINDINGS: added C++, perl, go and Scilab bindings
  • URL: return error on malformed URLs with junk after port number
  • KNOWN_BUGS: Add DarwinSSL won't import PKCS#12 without a password
  • http2: Fix assertion error on redirect with CL=0
  • updatemanpages.pl: Update man pages to use current date and versions
  • --insecure: clarify that this option is for server connections
  • mkhelp: simplified the gzip code
  • build: fixed making man page in out-of-tree tarball builds
  • tests: disabled 1903 due to flakiness
  • openssl: add two /* FALLTHROUGH */ to satisfy coverity
  • cmdline-opts: fixed a few typos
  • authneg: clear auth.multi flag at http_done
  • curl_easy_reset: Also reset the authentication state
  • proxy: skip SSL initialization for closed connections
  • http_proxy: ignore TE and CL in CONNECT 2xx responses
  • tool_writeout: fixed a buffer read overrun on --write-out
  • make: regenerate docs/curl.1 by running make in docs
  • winbuild: add basic support for OpenSSL 1.1.x
  • build: removed redundant DEPENDENCIES from makefiles
  • CURLINFO_LOCAL_PORT.3: added example
  • curl: show HTTPS-Proxy options on CURLE_SSL_CACERT
  • tests: strip more options from non-HTTP --libcurl tests
  • tests: fixed the documented test server port numbers
  • runtests.pl: fixed display of the Gopher IPv6 port number
  • multi: fix streamclose() crash in debug mode
  • cmake: build manual pages
  • cmake: add support for building HTML and PDF docs
  • mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION
  • make: introduce 'test-nonflaky' target
  • CURLINFO_PRIMARY_IP.3: add example
  • tests/README: mention nroff for --manual tests
  • mkhelp: disable compression if the perl gzip module is unavailable
  • openssl: fall back on SSL_ERROR_* string when no error detail
  • asiohiper: make sure socket is open in event_cb
  • tests/README: make "Run" section foolproof
  • curl: check for end of input in writeout backslash handling
  • .gitattributes: turn off CRLF for *.am
  • multi: fix MinGW-w64 compiler warnings
  • schannel: fix variable shadowing warning
  • openssl: exclude DSA code when OPENSSL_NO_DSA is defined
  • http: Fix proxy connection reuse with basic-auth
  • pause: handle mixed types of data when paused
  • http: do not treat FTPS over CONNECT as HTTPS
  • conncache: make hashkey avoid malloc
  • make: use the variable MAKE for recursive calls
  • curl: fix callback argument inconsistency
  • NTLM: check for features with #ifdef instead of #if
  • cmake: add several missing files to the dist
  • select: use correct SIZEOF_ constant
  • connect: fix unreferenced parameter warning
  • schannel: fix unused variable warning
  • gcc7: fix ‘*’ in boolean context
  • http2: silence unused parameter warnings
  • ssh: fix narrowing conversion warning
  • telnet: (win32) fix read callback return variable
  • docs: Explain --fail-early does not imply --fail
  • docs: added examples for CURLINFO_FILETIME.3 and CURLOPT_FILETIME.3
  • tests/server/util: remove in6addr_any for recent MinGW
  • multi: make curl_multi_wait avoid malloc in the typical case
  • include: curl/system.h is a run-time version of curlbuild.h
  • easy: silence compiler warning
  • llist: replace Curl_llist_alloc with Curl_llist_init
  • hash: move key into hash struct to reduce mallocs
  • url: don't free postponed data on connection reuse
  • curl_sasl: declare mechtable static
  • curl: fix Windows Unicode build
  • multi: fix queueing of pending easy handles
  • tool_operate: fix MinGW compiler warning
  • low_speed_limit: improved function for longer time periods
  • gtls: fix compiler warning
  • sspi: print out InitializeSecurityContext() error message
  • schannel: fix compiler warnings
  • vtls: fix unreferenced variable warnings
  • INSTALL.md: fix secure transport configure arguments
  • CURLINFO_SCHEME.3: fix variable type
  • libcurl-thread.3: also mention threaded-resolver
  • nss: load CA certificates even with --insecure
  • openssl: fix this statement may fall through
  • poll: prefer over
  • polarssl: unbreak build with versions < 1.3.8
  • Curl_expire_latest: ignore already expired timers
  • configure: turn implicit function declarations into errors
  • mbedtls: fix memory leak in error path
  • http2: fix handle leak in error path
  • .gitattributes: force shell scripts to LF
  • configure.ac: ignore CR after version numbers
  • extern-scan.pl: strip trailing CR
  • openssl: make SSL_ERROR_to_str more future-proof
  • openssl: fix thread-safety bugs in error-handling
  • openssl: don't try to print nonexistant peer private keys
  • nss: fix MinGW compiler warnings

New in cURL 7.53.1 (Feb 24, 2017)

  • Bug fixes:
  • cyassl: fix typo
  • url: Improve CURLOPT_PROXY_CAPATH error handling
  • urldata: include curl_sspi.h when Windows SSPI is enabled
  • formdata: check for EOF when reading from stdin
  • tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
  • url: Default the proxy CA bundle location to CURL_CA_BUNDLE
  • rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header

New in cURL 7.53.0 (Feb 22, 2017)

  • Changes:
  • unix_socket: added --abstract-unix-socket and CURLOPT_ABSTRACT_UNIX_SOCKET
  • CURLOPT_BUFFERSIZE: support enlarging receive buffer
  • Bug fixes:
  • CVE-2017-2629: make SSL_VERIFYSTATUS work again
  • gnutls-random: check return code for failed random
  • openssl-random: check return code when asking for random
  • http: remove "Curl_http_done: called premature" message
  • cyassl: use time_t instead of long for timeout
  • build-wolfssl: Sync config with wolfSSL 3.10
  • ftp-gss: check for init before use
  • configure: accept --with-libidn2 instead
  • ftp: failure to resolve proxy should return that error code
  • curl.1: add three more exit codes
  • docs/ciphers: link to our own new page about ciphers
  • vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
  • darwinssl: fix iOS build
  • darwinssl: fix CFArrayRef leak
  • cmake: use crypt32.lib when building with OpenSSL on windows
  • curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
  • digest_sspi: copy terminating NUL as well
  • curl: fix --remote-time incorrect times on Windows
  • curl.1: several updates and corrections
  • content_encoding: change return code on a failure
  • curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
  • docs: TCP_KEEPALIVE start and interval default to 60
  • darwinssl: --insecure overrides --cacert if both settings are in use
  • TheArtOfHttpScripting: grammar
  • CIPHERS.md: document GSKit ciphers
  • wolfssl: support setting cipher list
  • wolfssl: display negotiated SSL version and cipher
  • lib506: fix build for Open Watcom
  • asiohiper: improved socket handling
  • examples: make the C++ examples follow our code style too
  • tests/sws: retry send() on EWOULDBLOCK
  • cmake: Fix passing _WINSOCKAPI_ macro to compiler
  • smtp: Fix STARTTLS denied error message
  • imap/pop3: don't print response character in STARTTLS denied messages
  • rand: make it work without TLS backing
  • url: fix parsing for when 'file' is the default protocol
  • url: allow file://X:/path URLs on windows again
  • gnutls: check for alpn and ocsp in configure
  • IDN: Use TR46 'non-transitional' for toASCII translations
  • url: Fix NO_PROXY env var to work properly with --proxy option
  • CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
  • docs: Add note about libcurl copying strings to CURLOPT_* manpages
  • curl: reset the easy handle at --next
  • --next docs: --trace and --trace-ascii are also global
  • --write-out docs: 'time_total' is not always shown with ms precision
  • http: print correct HTTP string in verbose output when using HTTP/2
  • docs: improved language in README.md HISTORY.md CONTRIBUTE.md
  • http2: disable server push if not requested
  • nss: use the correct lock in nss_find_slot_by_name()
  • usercertinmem.c: improve the short description
  • CURLOPT_CONNECT_TO: Fix compile warnings
  • docs: non-blocking SSL handshake is now supported with NSS
  • *.rc: escape non-ASCII/non-UTF-8 character for clarity
  • mbedTLS: fix multi interface non-blocking handshake
  • PolarSSL: fix multi interface non-blocking handshake
  • VC: remove the makefile.vc6 build infra
  • telnet: fix windows compiler warnings
  • cookies: do not assume a valid domain has a dot
  • polarssl: fix hangs
  • gnutls: disable TLS session tickets
  • mbedtls: disable TLS session tickets
  • mbedtls: implement CTR-DRBG and HAVEGE random generators
  • openssl: Don't use certificate after transferring ownership
  • cmake: Support curl --xattr when built with cmake
  • OS400: Fix symbols
  • docs: Add more HTTPS proxy documentation
  • docs: use more HTTPS links
  • cmdline-opts: Fixed build and test in out of source tree builds
  • CHANGES.0: removed
  • schannel: Remove incorrect SNI disabled message
  • darwinssl: Avoid parsing certificates when not in verbose mode
  • test552: Fix typos
  • telnet: Fix typos
  • transfer: only retry nobody-requests for HTTP
  • http2: reset push header counter fixes crash
  • nss: make FTPS work with --proxytunnel
  • test1139: Added the --manual keyword since the manual is required
  • polarssl, mbedtls: Fix detection of pending data
  • http_proxy: Fix tiny memory leak upon edge case connecting to proxy
  • URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
  • curl.1: ftp.sunet.se is no longer an FTP mirror
  • tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
  • http2: fix memory-leak when denying push streams
  • configure: Allow disabling pthreads, fall back on Win32 threads
  • curl: fix typo in time condition warning message
  • axtls: adapt to API changes
  • tool_urlglob: Allow a glob range with the same start and stop
  • winbuild: add note on auto-detection of MACHINE in Makefile.vc
  • http: fix missing 'Content-Length: 0' while negotiating auth
  • proxy: fix hostname resolution and IDN conversion
  • docs: fix timeout handling in multi-uv example
  • digest_sspi: Fix nonce-count generation in HTTP digest
  • sftp: improved checks for create dir failures
  • smb: use getpid replacement for windows UWP builds
  • digest_sspi: Handle 'stale=TRUE' directive in HTTP digest

New in cURL 7.51.0 (Nov 2, 2016)

  • Changes:
  • nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
  • New option: CURLOPT_KEEP_SENDING_ON_ERROR
  • Bug fixes:
  • CVE-2016-8615: cookie injection for other servers
  • CVE-2016-8616: case insensitive password comparison
  • CVE-2016-8617: OOB write via unchecked multiplication
  • CVE-2016-8618: double-free in curl_maprintf
  • CVE-2016-8619: double-free in krb5 code
  • CVE-2016-8620: glob parser write/read out of bounds
  • CVE-2016-8621: curl_getdate read out of bounds
  • CVE-2016-8622: URL unescape heap overflow via integer truncation
  • CVE-2016-8623: Use-after-free via shared cookies
  • CVE-2016-8624: invalid URL parsing with '#'
  • CVE-2016-8625: IDNA 2003 makes curl use wrong host
  • openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
  • http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
  • LICENSE-MIXING.md: update with mbedTLS dual licensing
  • examples/imap-append: Set size of data to be uploaded
  • test2048: fix url
  • darwinssl: disable RC4 cipher-suite support
  • CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
  • openssl: don’t call CRYTPO_cleanup_all_ex_data
  • libressl: fix version output
  • easy: Reset all statistical session info in curl_easy_reset
  • curl_global_cleanup.3: don't unload the lib with sub threads running
  • dist: add CurlSymbolHiding.cmake to the tarball
  • docs: Remove that --proto is just used for initial retrieval
  • configure: Fixed builds with libssh2 in a custom location
  • curl.1: --trace supports % for sending to stderr!
  • cookies: same domain handling changed to match browser behavior
  • formpost: trying to attach a directory no longer crashes
  • CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
  • formpost: avoid silent snprintf() truncation
  • ftp: fix Curl_ftpsendf
  • mprintf: return error on too many arguments
  • smb: properly check incoming packet boundaries
  • GIT-INFO: remove the Mac 10.1-specific details
  • resolve: add error message when resolving using SIGALRM
  • cmake: add nghttp2 support
  • dist: remove PDF and HTML converted docs from the releases
  • configure: disable poll() in macOS builds
  • vtls: only re-use session-ids using the same scheme
  • pipelining: skip to-be-closed connections when pipelining
  • win: fix Universal Windows Platform build
  • curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
  • maketgz: make it support "only" generating version info
  • Curl_socket_check: add extra check to avoid integer overflow
  • gopher: properly return error for poll failures
  • curl: set INTERLEAVEDATA too
  • polarssl: clear thread array at init
  • polarssl: fix unaligned SSL session-id lock
  • polarssl: reduce #ifdef madness with a macro
  • curl_multi_add_handle: set timeouts in closure handles
  • configure: set min version flags for builds on mac
  • INSTALL: converted to markdown => INSTALL.md
  • curl_multi_remove_handle: fix a double-free
  • multi: fix inifinte loop in curl_multi_cleanup()
  • nss: fix tight loop in non-blocking TLS handhsake over proxy
  • mk-ca-bundle: Change URL retrieval to HTTPS-only by default
  • mbedtls: stop using deprecated include file
  • docs: fix req->data in multi-uv example
  • configure: Fix test syntax for monotonic clock_gettime
  • CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2

New in cURL 7.50.3 (Sep 14, 2016)

  • Bug fixes:
  • CVE-2016-7167: escape and unescape integer overflows
  • mk-ca-bundle.pl: use SHA256 instead of SHA1
  • checksrc: detect strtok() use
  • errors: new alias CURLE_WEIRD_SERVER_REPLY
  • http2: support > 64bit sized uploads
  • openssl: fix bad memory free (regression)
  • CMake: hide private library symbols
  • http: refuse to pass on response body when NO_NODY is set
  • cmake: fix curl-config --static-libs
  • mbedtls: switch off NTLM in build if md4 isn't available
  • curl: --create-dirs on windows groks both forward and backward slashes

New in cURL 7.50.2 (Sep 14, 2016)

  • Bug fixes:
  • mbedtls: Added support for NTLM
  • SSH: fixed SFTP/SCP transfer problems
  • multi: make Curl_expire() work with 0 ms timeouts
  • mk-ca-bundle.pl: -m keeps ca cert meta data in output
  • TFTP: Fix upload problem with piped input
  • CURLOPT_TCP_NODELAY: now enabled by default
  • mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
  • http2: always wait for readable socket
  • cmake: Enable win32 large file support by default
  • cmake: Enable win32 threaded resolver by default
  • winbuild: Avoid setting redundant CFLAGS to compile commands
  • curl.h: make CURL_NO_OLDIES define CURL_STRICTER
  • docs: make more markdown files use .md extension
  • docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
  • winbuild: Allow changing C compiler via environment variable CC
  • rtsp: accept any RTSP session id
  • HTTP: retry failed HEAD requests on reused connections too
  • configure: add zlib search with pkg-config
  • openssl: accept subjectAltName iPAddress if no dNSName match
  • MANUAL: Remove invalid link to LDAP documentation
  • socks: improved connection procedure
  • proxy: reject attempts to use unsupported proxy schemes
  • proxy: bring back use of "Proxy-Connection:"
  • curl: allow "pkcs11:" prefix for client certificates
  • spnego_sspi: fix memory leak in case *outlen is zero
  • SOCKS: improve verbose output of SOCKS5 connection sequence
  • SOCKS: display the hostname returned by the SOCKS5 proxy server
  • http/sasl: Query authentication mechanism supported by SSPI before using
  • sasl: Don't use GSSAPI authentication when domain name not specified
  • win: Basic support for Universal Windows Platform apps
  • nss: fix incorrect use of a previously loaded certificate from file
  • nss: work around race condition in PK11_FindSlotByName()
  • ftp: fix wrong poll on the secondary socket
  • openssl: build warning-free with 1.1.0 (again)
  • HTTP: stop parsing headers when switching to unknown protocols
  • test219: Add http as a required feature
  • TLS: random file/egd doesn't have to match for conn reuse
  • schannel: Disable ALPN for Wine since it is causing problems
  • http2: make sure stream errors don't needlessly close the connection
  • http2: return CURLE_HTTP2_STREAM for unexpected stream close
  • darwinssl: --cainfo is intended for backward compatibility only
  • speed caps: not based on average speeds anymore
  • configure: make the cpp -P detection not clobber CPPFLAGS
  • http2: use named define instead of magic constant in read callback
  • http2: skip the content-length parsing, detect unknown size
  • http2: return EOF when done uploading without known size
  • darwinssl: test for errSecSuccess in PKCS12 import rather than noErr
  • openssl: fix CURLINFO_SSL_VERIFYRESULT

New in cURL 7.50.1 (Aug 3, 2016)

  • Bug fixes:
  • TLS: switch off SSL session id when client cert is used
  • TLS: only reuse connections with the same client cert
  • curl_multi_cleanup: clear connection pointer for easy handles
  • include the CURLINFO_HTTP_VERSION man page into the release tarball
  • include the http2-server.pl script in the release tarball
  • test558: fix test by stripping file paths from FD lines
  • spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
  • tests: Fix for http/2 feature
  • cmake: Fix for schannel support
  • curl.h: make public types void * again
  • win32: fix a potential memory leak in Curl_load_library
  • travis: fix OSX build by re-installing libtool
  • mbedtls: Fix debug function name

New in cURL 7.50.0 (Jul 21, 2016)

  • Changes:
  • http: add CURLINFO_HTTP_VERSION and %{http_version}
  • Bug fixes:
  • memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
  • openssl: fix build with OPENSSL_NO_COMP
  • mbedtls: removed unused variables
  • cmake: Added missing mbedTLS support
  • URL parser: allow URLs to use one, two or three slashes
  • curl: fix -q [regression]
  • openssl: Use correct buffer sizes for error messages
  • curl: fix SIGSEGV while parsing URL with too many globs
  • schannel: add CURLOPT_CERTINFO support
  • vtls: fix ssl session cache race condition
  • http: Fix HTTP/2 connection reuse [regression]
  • checksrc: Add LoadLibrary to the banned functions list
  • schannel: Disable ALPN on Windows < 8.1
  • configure: occasional ignorance of --enable-symbol-hiding with GCC
  • http2: test17xx are the first real HTTP/2 tests
  • resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
  • curl_multi_socket_action.3: rewording
  • CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
  • cmake: Fix build with winldap
  • openssl: fix cert check with non-DNS name fields present
  • curl.1: mention the units for the progress meter
  • openssl: use more 'const' to fix build warnings with 1.1.0 branch
  • cmake: now using BUILD_TESTING=ON/OFF
  • vtls: Only call add/getsession if session id is enabled
  • headers: forward declare CURL, CURLM and CURLSH as structs
  • configure: improve detection of CA bundle path on FreeBSD
  • SFTP: set a generic error when no SFTP one exists
  • curl_global_init.3: expand on the SSL and WIN32 bits purpose
  • conn: don't free easy handle data in handler->disconnect
  • cookie.c: Fix misleading indentation
  • library: Fix memory leaks found during static analysis
  • CURLMOPT_SOCKETFUNCTION.3: fix typo
  • curl_global_init: moved the "IPv6 works" check here
  • connect: disable TFO on Linux when using SSL
  • vauth: Fixed memory leak due to function returning without free
  • winbuild: fix embedded manifest option

New in cURL 7.49.1 (May 30, 2016)

  • Bug fixes:
  • Windows: prevent DLL hijacking, CVE-2016-4802
  • dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
  • schannel: fix compile break with MSVC XP toolset
  • curlbuild.h.dist: check __LP64__ as well to fix MIPS build
  • dist: include curl_multi_socket_all.3
  • http2: use HTTP/2 in the HTTP/1.1-alike response
  • openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
  • CURLOPT_CONNECT_TO.3: user must not free the list prematurely
  • libcurl.m4: Avoid obsolete warning
  • winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
  • curl_multibyte: fix compiler error
  • openssl: cleanup must free compression methods (memory leak)
  • mbedtls: fix includes so snprintf() works
  • checksrc.pl: Added variants of strcat() & strncat() to banned function list
  • contributors.sh: better grep pattern and show GitHub username
  • ssh: fix build for libssh2 before 1.2.6
  • curl_share_setopt.3: Add min ver needed for ssl session lock

New in cURL 7.49.0 (May 18, 2016)

  • Changes:
  • schannel: Add ALPN support
  • SSH: support CURLINFO_FILETIME
  • SSH: new CURLOPT_QUOTE command "statvfs"
  • wolfssl: Add ALPN support
  • http2: added --http2-prior-knowledge
  • http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
  • libcurl: added CURLOPT_CONNECT_TO
  • curl: added --connect-to
  • libcurl: added CURLOPT_TCP_FASTOPEN
  • curl: added --tcp-fastopen
  • curl: remove support for --ftpport, -http-request and --socks
  • Bug fixes:
  • CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
  • checksrc.bat: Updated the help to be consistent with generate.bat
  • checksrc.bat: Added support for scanning the tests and examples
  • openssl: fix ERR_remove_thread_state() for boringssl/libressl
  • openssl: boringssl provides the same numbering as openssl
  • multi: fix "Operation timed out after" timer
  • url: don't use bad offset in tld_check_name to show error
  • sshserver.pl: use quotes for given options
  • Makefile.am: skip the scripts dir
  • curl: warn for --capath use if not supported by libcurl
  • http2: fix connection reuse
  • GSS: make Curl_gss_log_error more verbose
  • build-wolfssl: Allow a broader range of ciphers (Visual Studio)
  • wolfssl: Use ECC supported curves extension
  • openssl: Fix compilation warnings
  • Curl_add_buffer_send: avoid possible NULL dereference
  • SOCKS5_gssapi_negotiate: don't assume little-endian ints
  • strerror: don't bit shift a signed integer
  • url: Corrected get protocol family for FTP and LDAP
  • curl/mprintf.h: remove support for _MPRINTF_REPLACE
  • upload: missing rewind call could make libcurl hang
  • IMAP: check pointer before dereferencing it
  • build: Changed the Visual Studio projects warning level from 3 to 4
  • checksrc: now stricter, wider checks, code cleaned up
  • checksrc: added docs/CHECKSRC.md
  • curl_sasl: Fixed potential null pointer utilisation
  • krb5: Fixed missing client response when mutual authentication enabled
  • krb5: Only process challenge when present
  • krb5: Only generate a SPN when its not known
  • formdata: use appropriate fopen() macros
  • curl.1: -w filename_effective was introduced in 7.26.0
  • http2: make use of the nghttp2 error callback
  • http2: fix connection reuse when PING comes after last DATA
  • curl.1: change example for -F
  • HTTP2: Add a space character after the status code
  • curl.1: use example.com more
  • mbedtls.c: changed private prefix to mbed_
  • mbedtls: implement and provide *_data_pending() to avoid hang
  • mbedtls: fix MBEDTLS_DEBUG builds
  • ftp/imap/pop3/smtp: Allow the service name to be overridden
  • CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
  • build: include scripts/ in the dist
  • http2: Add handling stream level error
  • http2: Improve header parsing
  • makefile.vc6: use d suffix on debug object
  • configure: remove check for libresolve
  • scripts/make: use $(EXEEXT) for executables
  • checksrc: got rid of the whitelist files
  • sendf: added ability to call recv() before send() as workaround
  • NTLM: check for NULL pointer before dereferencing
  • openssl: builds with OpenSSL 1.1.0-pre5
  • configure: ac_cv_ -> curl_cv_ for all cached vars
  • winbuild: add mbedtls support
  • curl: make --ftp-create-dirs retry on failure
  • PolarSSL: implement public key pinning
  • multi: accidentally used resolved host name instead of proxy
  • CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
  • CONNECT_ONLY: don't close connection on GSS 401/407 reponses
  • opts: Fix some syntax errors in example code fragments
  • mbedtls: Fix session resume
  • test1139: verifies libcurl option man page presence
  • CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
  • curl: make --disable work as long form of -q
  • curl: use --telnet-option as documented
  • curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
  • curl: -h output lacked --proxy-header and --ntlm-wb
  • curl -J: make it work even without http:// scheme on URL
  • lib: include curl_printf.h as one of the last headers
  • tests: handle path properly on Msys/Cygwin
  • curl.1: --mail-rcpt can be used multiple times
  • CURLOPT_ACCEPT_ENCODING.3: clarified
  • docs: fixed lots of broken man page references
  • tls: make setting pinnedkey option fail if not supported
  • test1140: run nroff-scan to verify man pages
  • http: make sure a blank header overrides accept_decoding
  • connections: do not reuse non-HTTP proxies on different ports
  • connect: fix invalid "Network is unreachable" errors
  • TLS: move the ALPN/NPN enable bits to the connection
  • TLS: SSL_peek is not a const operation
  • http2: Add space between colon and header value
  • darwinssl: fix certificate verification disable on OS X 10.8
  • mprintf: Fix processing of width and prec args
  • ftp wildcard: segfault due to init only in multi_perform

New in cURL 7.48.0 (Mar 23, 2016)

  • Changes:
  • configure: --with-ca-fallback: use built-in TLS CA fallback
  • TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
  • getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
  • added CODE_STYLE.md
  • Bug fixes:
  • Proxy-Connection: stop sending this header by default
  • os400: sync ILE/RPG definitions with latest public header files
  • cookies: allow spaces in cookie names, cut of trailing spaces
  • tool_urlglob: Allow reserved dos device names (Windows)
  • openssl: remove most BoringSSL #ifdefs
  • tool_doswin: Support for literal path prefix \\?
  • mbedtls: fix ALPN usage segfault
  • mbedtls: fix memory leak when destroying SSL connection data
  • nss: do not count enabled cipher-suites
  • examples/cookie_interface.c: add cleanup call
  • examples: adhere to curl code style
  • curlx_tvdiff: handle 32bit time_t overflows
  • dist: ship buildconf.bat too
  • curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
  • generate.bat: Fix comment bug by removing old comments
  • test1604: Add to Makefile.inc so it gets run
  • gtls: fix for builds lacking encrypted key file support
  • SCP: use libssh2_scp_recv2 to support > 2GB files on windows
  • CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
  • cookie: do not refuse cookies to localhost
  • openssl: avoid direct PKEY access with OpenSSL 1.1.0
  • http: Don't break the header into chunks if HTTP/2
  • http2: don't decompress gzip decoding automatically
  • curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
  • curl.1: add a missing dash
  • curl.1: HTTP headers for --cookie must be Set-Cookie style
  • CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
  • curl_sasl: Fix memory leak in digest parser
  • src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
  • CURLOPT_DEBUGFUNCTION.3: Fix example
  • runtests: Fixed usage of %PWD on MinGW64
  • tests/sshserver.pl: use RSA instead of DSA for host auth
  • multi_remove_handle: keep the timeout list until after disconnect
  • Curl_read: check for activated HTTP/1 pipelining, not only requested
  • configure: warn on invalid ca bundle or path
  • file: try reading from files with no size
  • getinfo: Add support for mbedTLS TLS session info
  • formpost: fix memory leaks in AddFormData error branches
  • makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
  • url: if Curl_done is premature then pipeline not in use
  • cookie: remove redundant check
  • cookie: Don't expire session cookies in remove_expired
  • makefile.m32: fix to allow -ssh2-winssl combination
  • checksrc.bat: Fixed cannot find perl if installed but not in path
  • build-openssl.bat: Fixed cannot find perl if installed but not in path
  • mbedtls: fix user-specified SSL protocol version
  • makefile.m32: add missing libs for static -winssl-ssh2 builds
  • test46: change cookie expiry date
  • pipeline: Sanity check pipeline pointer before accessing it
  • openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
  • ftp_done: clear tunnel_state when secondary socket closes
  • opt-docs: fix heading macros
  • imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
  • curl_multi_wait: never return -1 in 'numfds'
  • url.c: fix clang warning: no newline at end of file
  • krb5: improved type handling to avoid clang compiler warnings
  • cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
  • multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
  • multi hash: ensure modulo performed on curl_socket_t
  • curl: glob_range: no need to check unsigned variable for negative
  • easy: add check to malloc() when running event-based
  • CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
  • version: thread safety
  • openssl: verbose: show matching SAN pattern
  • openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
  • formdata.c: Fixed compilation warning
  • configure: use cpp -P when needed
  • imap.c: Fixed compilation warning with /Wall enabled
  • config-w32.h: Fixed compilation warning when /Wall enabled
  • ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
  • build: Added missing Visual Studio filter files for VC10 onwards
  • easy: Remove poll failure check in easy_transfer
  • mbedtls: fix compiler warning
  • build-wolfssl: Update VS properties for wolfSSL v3.9.0
  • Fixed various compilation warnings when verbose strings disabled
  • sshserver: remove use of AuthorizedKeysFile2

New in cURL 7.47.1 (Feb 8, 2016)

  • Bug fixes:
  • getredirect.c: fix variable name
  • tool_doswin: silence unused function warning
  • cmake: fixed when OpenSSL enabled on Windows and schannel detected
  • curl.1: Explain remote-name behavior if file already exists
  • tool_operate: Don't sanitize --output path (Windows)
  • URLs: change all http:// URLs to https:// in documentation & comments
  • sasl_sspi: Fix memory leak in domain populate
  • COPYING: clarify that Daniel is not the sole author
  • examples/htmltitle: Use _stricmp on Windows
  • examples/asiohiper: Avoid function name collision on Windows
  • idn_win32: Better error checking
  • openssl: Fix signed/unsigned mismatch warning in X509V3_ext
  • curl save files: check for backslashes on cygwin

New in cURL 7.47.0 (Jan 27, 2016)

  • Changes:
  • version: Add flag CURL_VERSION_PSL for libpsl
  • http: added CURL_HTTP_VERSION_2TLS to do HTTP/2 for HTTPS only
  • curl: use 2TLS by default
  • curl --expect100-timeout: added
  • Add .dir-locals and set c-basic-offset to 2 (for emacs)
  • Bug fixes:
  • curl: avoid local drive traversal when saving file on Windows
  • NTLM: do not resuse proxy connections without diff proxy credentials
  • tests: Disable the OAUTHBEARER tests when using a non-default port number
  • curl: remove keepalive #ifdef checks done on libcurl's behalf
  • formdata: Check if length is too large for memory
  • lwip: Fix compatibility issues with later versions
  • openssl: BoringSSL doesn't have CONF_modules_free
  • config-win32: Fix warning HAVE_WINSOCK2_H undefined
  • build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
  • http2: Fix hanging paused stream
  • scripts/Makefile: fix GNUism and survive no perl
  • openssl: adapt to 1.1.0+ name changes
  • openssl: adapt to openssl >= 1.1.0 X509 opaque structs
  • HTTP2.md: spell fix and remove TODO now implemented
  • setstropt: const-correctness
  • cyassl: fix compiler warning on type conversion
  • gskit: Fix host subject altname verification
  • http2: Support trailer fields
  • wolfssl: handle builds without SSLv3 support
  • cyassl: deal with lack of *get_peer_certificate
  • sockfilt: do not wait on unreliable file or pipe handle
  • make: build zsh script even in an out-of-tree build
  • test 1326: fix getting stuck on Windows
  • test 87: fix file check on Windows
  • configure: allow static builds on mingw
  • configure: detect IPv6 support on Windows
  • ConnectionExists: with *PIPEWAIT, wait for connections
  • Makefile.inc: s/curl_SOURCES/CURL_FILES
  • test 16: fixed for Windows
  • test 252-255: use datacheck mode text for ASCII-mode LISTings
  • tftpd server: add Windows support by writing files in binary mode
  • ftplistparser: fix handling of file LISTings using Windows EOL
  • tests first.c: fix calculation of sleep timeout on Windows
  • tests (several): use datacheck mode text for ASCII-mode LISTings
  • CURLOPT_RANGE.3: for HTTP servers, range support is optional
  • test 1515: add MSYS support by passing a relative path
  • curl_global_init.3: Add Windows-specific info for init via DLL
  • http2: Fix client write for trailers on stream close
  • mbedtls: Fix ALPN support
  • connection reuse: IDN host names fixed
  • http2: Fix PUSH_PROMISE headers being treated as trailers
  • http2: handle the received SETTINGS frame
  • http2: Ensure that http2_handle_stream_close is called
  • mbedtls: implement CURLOPT_PINNEDPUBLICKEY
  • runtests: Add mbedTLS to the SSL backends
  • IDN host names: Remove the port number before converting to ACE
  • zsh.pl: fail if no curl is found
  • scripts: fix zsh completion generation
  • scripts: don't generate and install zsh completion when cross-compiling
  • lib: Prefix URLs with lower-case protocol names/schemes
  • ConnectionExists: only do pipelining/multiplexing when asked
  • configure: assume IPv6 works when cross-compiled
  • openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
  • openssl: improved error detection/reporting
  • ssh: CURLOPT_SSH_PUBLIC_KEYFILE now treats "" as NULL again
  • mbedtls: Fix pinned key return value on fail
  • maketgz: generate date stamp with LC_TIME=C

New in cURL 7.46.0 (Dec 10, 2015)

  • Changes:
  • configure: build silently by default
  • cookies: Add support for Publix Suffix List with libpsl
  • vtls: added support for mbedTLS
  • Added CURLOPT_STREAM_DEPENDS
  • Added CURLOPT_STREAM_DEPENDS_E
  • Added CURLOPT_STREAM_WEIGHT
  • Added CURLFORM_CONTENTLEN
  • oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
  • Bugfixes:
  • des: Fix header conditional for Curl_des_set_odd_parity
  • ntlm: get rid of unconditional use of long long
  • CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
  • docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
  • http2: Fix http2_recv to return -1 if recv returned -1
  • curl_global_init_mem: set function pointers before doing init
  • ntlm: error out without 64bit support as the code needs it
  • openssl: Fix set up of pkcs12 certificate verification chain
  • acinclude: remove PKGCONFIG override
  • test1531: case the size to fix the test on non-largefile builds
  • fread_func: move callback pointer from set to state struct
  • test1601: fix compilation with --enable-debug and --disable-crypto-auth
  • http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
  • curlbuild.h: Fix non-configure compiling to mips and sh4 targets
  • tool: Generate easysrc with last cache linked-list
  • cmake: Fix for add_subdirectory(curl) use-case
  • vtls: fix compiler warning for TLS backends without sha256
  • build: fix for MSDOS/djgpp
  • checksrc: add crude // detection
  • http2: on_frame_recv: trust the conn/data input
  • ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
  • polarssl/mbedtls: fix name space pollution
  • build: Fix mingw ssl gdi32 order
  • build: Fix support for PKG_CONFIG
  • MacOSX-Framework: sdk regex fix for sdk 10.10 and later
  • socks: Fix incorrect port numbers in failed connect messages
  • curl.1: -E: s/private certificate/client certificate
  • curl.h: s/HTTPPOST_/CURL_HTTPOST_
  • curl_formadd: support >2GB files on windows
  • http redirects: %-encode bytes outside of ascii range
  • rawstr: Speed up Curl_raw_toupper by 40%
  • curl_ntlm_core: fix 2 curl_off_t constant overflows.
  • getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
  • tftp tests: verify sent options too
  • imap: Don't call imap_atom() when no mailbox specified in LIST command
  • imap: Fixed double quote in LIST command when mailbox contains spaces
  • imap: Don't check for continuation when executing a CUSTOMREQUEST
  • acinclude: Remove check for 16-bit curl_off_t
  • BoringSSL: Work with stricter BIO_get_mem_data()
  • cmake: Add missing feature macros in config header
  • sasl_sspi: fixed unicode build for digest authentication
  • sasl_sspi: fix identity memory leak in digest authentication
  • unit1602: Fixed failure in torture test
  • unit1603: Added unit tests for hash functions
  • vtls/openssl: remove unused traces of yassl ifdefs
  • openssl: remove #ifdefs for < 0.9.7 support
  • typecheck-gcc.h: add some missing options
  • curl: mark two more options strings for --libcurl output
  • openssl: Free modules on cleanup
  • CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
  • getconnectinfo: Don't call recv(2) if socket == -1
  • http2: http_done: don't free already-freed push headers
  • zsh completion: Preserve single quotes in output
  • os400: Provide options for libssh2 use in compile scripts.
  • build: Fix theoretical infinite loops
  • pop3: Differentiate between success and continuation responses
  • examples: Fixed compilation warnings
  • schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
  • CURLOPT_HEADERFUNCTION.3: fix typo
  • curl: expanded the -XHEAD warning text
  • done: make sure the final progress update is made
  • build: Install zsh completion
  • RTSP: do not add if-modified-since without timecondition
  • curl: Fixed display of URL index in password prompt for --next
  • nonblock: fix setting non-blocking mode for Amiga
  • http2 push: add missing inits of new stream
  • http2: convert some verbose output into debug-only output
  • Curl_read_plain: clean up ifdefs that break statements

New in cURL 7.45.0 (Oct 7, 2015)

  • Changes:
  • added CURLOPT_DEFAULT_PROTOCOL
  • added new tool option --proto-default
  • getinfo: added CURLINFO_ACTIVESOCKET
  • turned CURLINFO_* option docs as stand-alone man pages
  • curl: point out unnecessary uses of -X in verbose mode
  • Bug fixes:
  • curl_global_init_mem.3: Stronger thread safety warning
  • buildconf.bat: Fixed issues when ran in directories with special chars
  • cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
  • generate.bat: Fixed issues when ran in directories with special chars
  • generate.bat: Only call buildconf.bat if it exists
  • generate.bat: Added support for generating only the prerequisite files
  • curl.1: Document weaknesses in SSLv2 and SSLv3
  • CURLOPT_HTTP_VERSION.3: connection re-use goes before version
  • docs: Update the redirect protocols disabled by default
  • inet_pton.c: Fix MSVC run-time check failure
  • CURLMOPT_PUSHFUNCTION.3: fix argument types
  • rtsp: support basic/digest authentication
  • rtsp: stop reading empty DESCRIBE responses
  • travis: Upgrading to container based build
  • travis.yml: Add OS X testbot
  • FTP: make state machine not get stuck in state
  • openssl: handle lack of server cert when strict checking disabled
  • configure: change functions to detect openssl (clones)
  • configure: detect latest boringssl
  • runtests: Allow for spaces in server-verify curl custom path
  • http2: on_frame_recv: get a proper 'conn' for the debug logging
  • ntlm: mark deliberate switch case fall-through
  • http2: remove dead code
  • curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
  • curl: point out the conflicting HTTP methods if used
  • cmake: added Windows SSL support
  • curl_easy_{escape,setopt}.3: fix example
  • curl_easy_escape.3: escape '\n'
  • libcurl.m4: Put braces around empty if body
  • buildconf.bat: Fixed double blank line in 'curl manual' warning output
  • sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
  • inet_pton.c: Fix MSVC run-time check failure
  • CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
  • http2: don't pass on Connection: headers
  • nss: do not directly access SSL_ImplementedCiphers
  • docs: numerous cleanups and spelling fixes
  • FTP: do_more: add check for wait_data_conn in upload case
  • parse_proxy: reject illegal port numbers
  • cmake: IPv6 : disable Unix header check on Windows platform
  • winbuild: run buildconf.bat if necessary
  • buildconf.bat: fix syntax error
  • curl_sspi: fix possibly undefined CRYPT_E_REVOKED
  • nss: prevent NSS from incorrectly re-using a session
  • libcurl-errors.3: add two missing error codes
  • openssl: fix build with < 0.9.8
  • openssl: refactor certificate parsing to use OpenSSL memory BIO
  • openldap: only part of LDAP query results received
  • ssl: add server cert's "sha256//" hash to verbose
  • NTLM: Reset auth-done when using a fresh connection
  • curl: generate easysrc only on --libcurl
  • tests: disable 1801 until fixed
  • CURLINFO_TLS_SESSION: always return backend info
  • gnutls: Support CURLOPT_KEYPASSWD
  • gnutls: Report actual GnuTLS error message for certificate errors
  • tests: disable 1510 due to CI-problems on github
  • cmake: Put "winsock2.h" before "windows.h" during configure checks
  • cmake: Ensure discovered include dirs are considered
  • configure: Add missing ')' for CURL_CHECK_OPTION_RT
  • build: fix failures with -Wcast-align and -Werror
  • FTP: fix uploading ASCII with unknown size
  • readwrite_data: set a max number of loops
  • http2: avoid superfluous Curl_expire() calls
  • http2: set TCP_NODELAY unconditionally
  • docs: fix unescaped '\n' in man pages
  • openssl: Fix algorithm init to make (gost) engines work
  • win32: make recent Borland compilers use long long
  • runtests: Fix pid check in checkdied
  • gopher: don't send NUL byte
  • tool_setopt: fix c_escape truncated octal
  • hiperfifo: fix the pointer passed to WRITEDATA
  • getinfo: Fix return code for unknown CURLINFO options

New in cURL 7.44.0 (Aug 12, 2015)

  • Changes:
  • http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
  • examples: added http2-serverpush.c
  • http2: added curl_pushheader_byname() and curl_pushheader_bynum()
  • docs: added CODE_OF_CONDUCT.md
  • curl: Add --ssl-no-revoke to disable certificate revocation checks
  • libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
  • makefile: Added support for VC14
  • build: Added Visual Studio 2015 (VC14) project files
  • build: Added wolfSSL configurations to VC10+ project files
  • Bug fixes:
  • FTP: fix HTTP CONNECT logic regression
  • openssl: Fix build with openssl < ~ 0.9.8f
  • openssl: fix build with BoringSSL
  • curl_easy_setopt.3: option order doesn't matter
  • openssl: fix use of uninitialized buffer
  • RTSP: removed dead code
  • Makefile.m32: add support for CURL_LDFLAG_EXTRAS
  • curl: always provide negotiate/kerberos options
  • cookie: Fix bug in export if any-domain cookie is present
  • curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
  • INSTALL: Advise use of non-native SSL for Windows = for TLSv1
  • HTTP: POSTFIELDSIZE set after added to multi handle
  • SSL-PROBLEMS: mention WinSSL problems in WinXP
  • setup-vms.h: Symbol case fixups
  • SSL: Pinned public key hash support
  • libtest: call PR_Cleanup() on exit if NSPR is used
  • ntlm_wb: Fix theoretical memory leak
  • runtests: Allow for spaces in curl custom path
  • http2: add stream != NULL checks for reliability
  • schannel: Replace deprecated GetVersion with VerifyVersionInfo
  • http2: verify success of strchr() in http2_send()
  • configure: add --disable-rt option
  • openssl: work around MSVC warning
  • HTTP: ignore "Content-Encoding: compress"
  • configure: check if OpenSSL linking wants -ldl
  • build-openssl.bat: Show syntax if required args are missing
  • test1902: attempt to make the test more reliable
  • libcurl-thread.3: Consolidate thread safety info
  • maketgz: Fixed some VC makefiles missing from the release tarball
  • libcurl-multi.3: mention curl_multi_wait
  • ABI doc: use secure URL
  • http: move HTTP/2 cleanup code off http_disconnect()
  • libcurl-thread.3: Warn memory functions must be thread safe
  • curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
  • docs: formpost needs the full size at start of upload
  • curl_gssapi: remove 'const' to fix compiler warnings
  • SSH: three state machine fixups
  • libcurl.3: fix a single typo
  • generate.bat: Only clean prerequisite files when in ALL mode
  • curl_slist_append.3: add error checking to the example
  • buildconf.bat: Added support for file clean-up via -clean
  • generate.bat: Use buildconf.bat for prerequisite file clean-up
  • NTLM: handle auth for only a single request
  • curl_multi_remove_handle.3: fix formatting
  • checksrc.bat: Fixed error when [directory] isn't a curl source directory
  • checksrc.bat: Fixed error when missing *.c and *.h files
  • CURLOPT_RESOLVE.3: Note removal support was added in 7.42
  • test46: update cookie expire time
  • SFTP: fix range request off-by-one in size check
  • CMake: fix GSSAPI builds
  • build: refer to fixed libidn versions
  • http2: discard frames with no SessionHandle
  • curl_easy_recv.3: fix formatting
  • libcurl-tutorial.3: fix formatting
  • curl_formget.3: correct return code

New in cURL 7.43.0 (Jun 18, 2015)

  • Changes:
  • Added CURLOPT_PROXY_SERVICE_NAME
  • Added CURLOPT_SERVICE_NAME
  • New curl option: --proxy-service-name
  • New curl option: --service-name
  • New curl option: --data-raw
  • Added CURLOPT_PIPEWAIT
  • Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
  • HTTP/2: requires nghttp2 1.0.0 or later
  • scripts: add zsh.pl for generating zsh completion
  • curl.h: add CURL_HTTP_VERSION_2
  • Bug fixes:
  • CVE-2015-3236: lingering HTTP credentials in connection re-use
  • CVE-2015-3237: SMB send off unrelated memory contents
  • nss: fix compilation failure with old versions of NSS
  • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
  • schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
  • Curl_ossl_init: load builtin modules
  • configure: follow-up fix for krb5-config
  • sasl_sspi: Populate domain from the realm in the challenge
  • netrc: support 'default' token
  • README: convert to UTF-8
  • cyassl: Implement public key pinning
  • nss: implement public key pinning for NSS backend
  • mingw build: add arch -m32/-m64 to LDFLAGS
  • schannel: Fix out of bounds array
  • configure: remove autogenerated files by autoconf
  • configure: remove --automake from libtoolize call
  • acinclude.m4: fix shell test for default CA cert bundle/path
  • schannel: fix regression in schannel_recv
  • openssl: skip trace outputs for ssl_ver == 0
  • gnutls: properly retrieve certificate status
  • netrc: Read in text mode when cygwin
  • winbuild: Document the option used to statically link the CRT
  • FTP: Make EPSV use the control IP address rather than the original host
  • FTP: fix dangling conn->ip_addr dereference on verbose EPSV
  • conncache: keep bundles on host+port bases, not only host names
  • runtests.pl: use 'h2c' now, no -14 anymore
  • curlver: introducing new version number (checking) macros
  • openssl: boringssl build brekage, use SSL_CTX_set_msg_callback
  • CURLOPT_POSTFIELDS.3: correct variable names
  • curl_easy_unescape.3: update RFC reference
  • gnutls: don't fail on non-fatal alerts during handshake
  • testcurl.pl: allow source to be in an arbitrary directory
  • CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
  • SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
  • parse_proxy: switch off tunneling if non-HTTP proxy
  • share_init: fix OOM crash
  • perl: remove subdir, not touched in 9 years
  • CURLOPT_COOKIELIST.3: Add example
  • CURLOPT_COOKIE.3: Explain that the cookies won't be modified
  • CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
  • FAQ: How do I port libcurl to my OS?
  • openssl: Use TLS_client_method for OpenSSL 1.1.0+
  • HTTP-NTLM: fail auth on connection close instead of looping
  • curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
  • curl_getdate.3: update RFC reference
  • curl_multi_info_read.3: added example
  • curl_multi_perform.3: added example
  • curl_multi_timeout.3: added example
  • cookie: Stop exporting any-domain cookies
  • openssl: remove dummy callback use from SSL_CTX_set_verify()
  • openssl: remove SSL_get_session()-using code
  • openssl: removed USERDATA_IN_PWD_CALLBACK kludge
  • openssl: removed error string #ifdef
  • openssl: Fix verification of server-sent legacy intermediates
  • docs: man page indentation and syntax fixes
  • docs: Spelling fixes
  • fopen.c: fix a few compiler warnings
  • CURLOPT_OPENSOCKETFUNCTION: return error at once
  • schannel: Add support for optional client certificates
  • build: Properly detect OpenSSL 1.0.2 when using configure
  • urldata: store POST size in state.infilesize too
  • security:choose_mech remove dead code
  • rtsp_do: remove dead code
  • docs: many HTTP URIs changed to HTTPS
  • schannel: schannel_recv overhaul

New in cURL 7.42.1 (Apr 29, 2015)

  • Bug fixes:
  • CURLOPT_HEADEROPT: default to separate
  • dist: include {src,lib}/checksrc.whitelist
  • connectionexists: fix build without NTLM
  • docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
  • curl -z: do not write empty file on unmet condition
  • openssl: fix serial number output
  • curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
  • sws: init http2 state properly
  • curl.1: fix typo

New in cURL 7.42.0 (Apr 23, 2015)

  • Changes:
  • openssl: show the cipher selection to use in verbose text
  • gtls: implement CURLOPT_CERTINFO
  • add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
  • curl: add --false-start option
  • add CURLOPT_PATH_AS_IS
  • curl: add --path-as-is option
  • curl: create output file on successful download of an empty file
  • Bug fixes:
  • ConnectionExists: for NTLM re-use, require credentials to match
  • cookie: cookie parser out of boundary memory access
  • fix_hostname: zero length host name caused -1 index offset
  • http_done: close Negotiate connections when done
  • sws: timeout idle CONNECT connections
  • nss: improve error handling in Curl_nss_random()
  • nss: do not skip Curl_nss_seed() if data is NULL
  • curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
  • http2: move lots of verbose output to be debug-only
  • dist: add extern-scan.pl to the tarball
  • http2: return recv error on unexpected EOF
  • build: Use default RandomizedBaseAddress directive in VC9+ project files
  • build: Removed DataExecutionPrevention directive from VC9+ project files
  • tool: Updated the warnf() function to use the GlobalConfig structure
  • http2: Return error if stream was closed with other than NO_ERROR
  • mprintf.h: remove #ifdef CURLDEBUG
  • libtest: fixed linker errors on msvc
  • tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
  • curl.1: fix "The the" typo
  • cmake: handle build definitions CURLDEBUG/DEBUGBUILD
  • openssl: remove all uses of USE_SSLEAY
  • multi: fix memory-leak on timeout (regression)
  • curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
  • metalink: add some error checks
  • TLS: make it possible to enable ALPN/NPN without HTTP/2
  • http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
  • conncontrol: only log changes to the connection bit
  • multi: fix *getsock() with CONNECT
  • symbols.pl: handle '-' in the deprecated field
  • MacOSX-Framework: use @rpath instead of @executable_path
  • GnuTLS: add support for CURLOPT_CAPATH
  • GnuTLS: print negotiated TLS version and full cipher suite name
  • GnuTLS: don't print double newline after certificate dates
  • memanalyze.pl: handle free(NULL)
  • proxy: re-use proxy connections (regression)
  • mk-ca-bundle: Don't report SHA1 numbers with "-q"
  • http: always send Host: header as first header
  • openssl: sort ciphers to use based on strength
  • openssl: use colons properly in the ciphers list
  • http2: detect premature close without data transfered
  • hostip: Fix signal race in Curl_resolv_timeout
  • closesocket: call multi socket cb on close even with custom close
  • mksymbolsmanpage.pl: use std header and generate better nroff header
  • connect: Fix happy eyeballs logic for IPv4-only builds
  • curl_easy_perform.3: remove superfluous close brace from example
  • HTTP: don't use Expect: headers when on HTTP/2
  • Curl_sh_entry: remove unused 'timestamp'
  • docs/libcurl: makefile portability fix
  • mkhelp: Remove trailing carriage return from every line of input
  • nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
  • curl_easy_setopt.3: added a few missing options
  • metalink: fix resource leak in OOM
  • axtls: version 1.5.2 now requires that config.h be manually included
  • HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
  • cyassl: detect the library as renamed wolfssl
  • CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
  • CURLOPT_URL.3: Added "SECURITY CONCERNS
  • openssl: try to avoid accessing OCSP structs when possible
  • test938: added missing closing tags
  • testcurl: Allow '=' in values given on command line
  • tests/certs: added make target to rebuild certificates
  • tests/certs: rebuild certificates with modified key usage bits
  • gtls: avoid uninitialized variable
  • gtls: dereferencing NULL pointer
  • gtls: add check of return code
  • test1513: eliminated race condition in test run
  • dict: rename byte to avoid compiler shadowed declaration warning
  • curl_easy_recv/send: make them work with the multi interface
  • vtls: fix compile with --disable-crypto-auth but with SSL
  • openssl: adapt to ASN1/X509 things gone opaque in 1.1
  • openssl: verifystatus: only use the OCSP work-around

New in cURL 7.41.0 (Feb 25, 2015)

  • Changes:
  • NetWare build: added TLS-SRP enabled build
  • winbuild: Added option to build with c-ares
  • Added --cert-status
  • Added CURLOPT_SSL_VERIFYSTATUS
  • sasl: implement EXTERNAL authentication mechanism
  • Bug fixes:
  • sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
  • FTP: fix IPv6 host using link-local address
  • FTP: if EPSV fails on IPV6 connections, bail out
  • gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
  • NSS: fix compiler error when built http2-enabled
  • mingw build: allow to pass custom CFLAGS
  • add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
  • curl_schannel.c: mark session as removed from cache if not freed
  • Curl_pretransfer: reset expected transfer sizes
  • curl.h: remove extra space
  • curl_endian: Fixed build when 64-bit integers are not supported
  • checksrc.bat: Better detection of Perl installation
  • build-openssl.bat: Added check for Perl installation
  • http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
  • http_negotiate: Added empty decoded challenge message info text
  • vtls: Removed unimplemented overrides of curlssl_close_all()
  • sasl_gssapi: Fixed memory leak with local SPN variable
  • http_negotiate: Use dynamic buffer for SPN generation
  • ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
  • openssl: do public key pinning check independently
  • timeval: typecast for better type (on Amiga)
  • ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
  • SASL: common URL option and auth capabilities decoders for all protocols
  • BoringSSL: fix build
  • BoringSSL: detected by configure, switches off NTLM
  • openvms: Handle openssl/0.8.9zb version parsing
  • configure: detect libresssl
  • configure: remove detection of the old yassl emulation API
  • curl_setup: Disable SMB/CIFS support when HTTP only
  • imap: remove automatic password setting: it breaks external sasl authentication
  • sasl: remove XOAUTH2 from default enabled authentication mechanism
  • runtests: identify BoringSSL and libressl
  • security: avoid compiler warning
  • ldap: build with BoringSSL
  • des: Added Curl_des_set_odd_parity()
  • CURLOPT_SEEKFUNCTION.3: also when server closes a connection
  • CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
  • build: Removed unused Visual Studio bscmake settings
  • build: Enabled DEBUGBUILD in Visual Studio debug builds
  • build: Renamed top level Visual Studio solution files
  • build: Removed Visual Studio SuppressStartupBanner directive for VC8+
  • libcurl-symbols: first basic shot for autogenerated docs
  • Makefile.am: fix 'make distcheck'
  • getpass_r: read from stdin, not stdout!
  • getpass: protect include with proper #ifdef
  • opts: CURLOPT_CAINFO availability depends on SSL engine
  • more cleanup of 'CURLcode result' return code
  • MD4: replace implementation
  • MD5: replace implementation
  • openssl: SSL_SESSION->ssl_version no longer exist
  • md5: use axTLS's own MD5 functions when available
  • schannel: Removed curl_ prefix from source files
  • curl.1: add warning when using -H and redirects
  • curl.1: clarify that -X is used for all requests
  • gskit: Fix exclusive SSLv3 option
  • polarssl: Fix exclusive SSL protocol version options
  • http2: Fix bug that associated stream canceled on PUSH_PROMISE
  • ftp: accept all 2xx responses to the PORT command
  • configure: allow both --with-ca-bundle and --with-ca-path
  • cmake: install the dll file to the correct directory
  • nss: fix NPN/ALPN protocol negotiation
  • polarssl: fix ALPN protocol negotiation
  • cmake: Fix generation of tool_hugehelp.c on windows
  • cmake: fix winsock2 detection on windows
  • gnutls: fix build with HTTP2
  • connect: fix a spurious connect failure on dual-stacked hosts
  • test: test 530 is now less timing dependent
  • telnet: invalid use of custom read function if not set

New in cURL 7.40.0 (Jan 8, 2015)

  • Changes:
  • http_digest: Added support for Windows SSPI based authentication
  • version info: Added Kerberos V5 to the supported features
  • Makefile: Added VC targets for WinIDN
  • config-win32: Introduce build targets for VS2012+
  • SSL: Add PEM format support for public key pinning
  • smtp: Added support for the conversion of Unix newlines during mail send
  • smb: Added initial support for the SMB/CIFS protocol
  • Added support for HTTP over unix domain sockets, via CURLOPT_UNIX_SOCKET_PATH and --unix-socket
  • sasl: Added support for GSS-API based Kerberos V5 authentication
  • Bug fixes:
  • darwinssl: fix session ID keys to only reuse identical sessions
  • url-parsing: reject CRLFs within URLs
  • OS400: Adjust specific support to last release
  • THANKS: Remove duplicate names
  • url.c: Fixed compilation warning
  • ssh: Fixed build on platforms where R_OK is not defined
  • tool_strdup.c: include the tool strdup.h
  • build: Fixed Visual Studio project file generation of strdup.[c|h]
  • curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
  • curl.1: show zone index use in a URL
  • mk-ca-bundle.vbs: switch to new certdata.txt url
  • Makefile.dist: Added some missing SSPI configurations
  • build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
  • SSH: use the port number as well for known_known checks
  • libssh2: detect features based on version, not configure checks
  • http2: Deal with HTTP/2 data inside Upgrade response header buffer
  • multi: removed Curl_multi_set_easy_connection
  • symbol-scan.pl: do not require autotools
  • cmake: add ENABLE_THREADED_RESOLVER, rename ARES
  • cmake: build libhostname for test suite
  • cmake: fix HAVE_GETHOSTNAME definition
  • tests: fix libhostname visibility
  • tests: fix memleak in server/resolve.c
  • vtls.h: Fixed compiler warning when compiled without SSL
  • CMake: Restore order-dependent header checks
  • CMake: Restore order-dependent library checks
  • tool: Removed krb4 from the supported features
  • http2: Don't send Upgrade headers when we already do HTTP/2
  • examples: Don't call select() to sleep on windows
  • win32: Updated some legacy APIs to use the newer extended versions
  • easy.c: Fixed compilation warning when no verbose string support
  • connect.c: Fixed compilation warning when no verbose string support
  • build: in Makefile.m32 pass -F flag to windres
  • build: in Makefile.m32 add -m32 flag for 32bit
  • multi: when leaving for timeout, close accordingly
  • CMake: Simplify if() conditions on check result variables
  • build: in Makefile.m32 try to detect 64bit target
  • multi: inform about closed sockets before they are closed
  • multi-uv.c: close the file handle after download
  • examples: Wait recommended 100ms when no file descriptors are ready
  • ntlm: Split the SSPI based messaging code from the native messaging code
  • cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
  • cmake: add Kerberos to the supported feature
  • CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
  • http: Disable pipelining for HTTP/2 and upgraded connections
  • ntlm: Fixed static'ness of local decode function
  • sasl: Reduced the need for two sets of NTLM messaging functions
  • multi.c: Fixed compilation warnings when no verbose string support
  • select.c: fix compilation for VxWorks
  • multi-single.c: switch to use curl_multi_wait
  • curl_multi_wait.3: clarify numfds being used if not NULL
  • http.c: Fixed compilation warnings from features being disabled
  • NSS: enable the CAPATH option
  • docs: Fix FAILONERROR typos
  • HTTP: don't abort connections with pending Negotiate authentication
  • HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
  • http_perhapsrewind: don't abort CONNECT requests
  • build: updated dependencies in makefiles
  • multi.c: Fixed compilation warning
  • ftp.c: Fixed compilation warnings when proxy support disabled
  • get_url_file_name: Fixed crash on OOM on debug build
  • cookie.c: Refactored cleanup code to simplify
  • OS400: enable NTLM authentication
  • ntlm: Use Windows Crypt API
  • http2: avoid logging neg "failure" if h2 was not requested
  • schannel_recv: return the correct code
  • VC build: added sspi define for winssl-zlib builds
  • Curl_client_write(): chop long data, convert data only once
  • openldap: do not ignore Curl_client_write() return code
  • ldap: check Curl_client_write() return codes
  • parsedate.c: Fixed compilation warning
  • url.c: Fixed compilation warning when USE_NTLM is not defined
  • ntlm_wb_response: fix "statement not reached"
  • telnet: fix "cast increases required alignment of target type"
  • smtp: Fixed dot stuffing when EOL characters at end of input buffers
  • ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
  • ntlm: Disable NTLM v2 when 64-bit integers are not supported
  • ntlm: Use short integer when decoding 16-bit values
  • ftp.c: Fixed compilation warning when no verbose string support
  • synctime.c: fixed timeserver URLs
  • mk-ca-bundle.pl: restored forced run again
  • ntlm: Fixed return code for bad type-2 Target Info
  • curl_schannel.c: Data may be available before connection shutdown
  • curl_schannel: Improvements to memory re-allocation strategy
  • darwinssl: aprintf() to allocate the session key
  • tool_util.c: Use GetTickCount64 if it is available
  • lib: Fixed multiple code analysis warnings if SAL are available
  • tool_binmode.c: Explicitly ignore the return code of setmode
  • tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
  • opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
  • SFTP: work-around servers that return zero size on STAT
  • connect: singleipconnect(): properly try other address families after failure
  • IPV6: address scope != scope id
  • parseurlandfillconn(): fix improper non-numeric scope_id stripping
  • secureserver.pl: make OpenSSL CApath and cert absolute path values
  • secureserver.pl: update Windows detection and fix path conversion
  • secureserver.pl: clean up formatting of config and fix verbose output
  • tests: Added Windows support using Cygwin-based OpenSSH
  • sockfilt.c: use non-Ex functions that are available before WinXP
  • VMS: Updates for 0740-0D1220
  • openssl: warn for SRP set if SSLv3 is used, not for TLS version
  • openssl: make it compile against openssl 1.1.0-DEV master branch
  • openssl: fix SSL/TLS versions in verbose output
  • curl: show size of inhibited data when using -v
  • build: Removed WIN32 definition from the Visual Studio projects
  • build: Removed WIN64 definition from the libcurl Visual Studio projects
  • vtls: Use bool for Curl_ssl_getsessionid() return type
  • sockfilt.c: Replace 100ms sleep with thread throttle
  • sockfilt.c: Reduce the number of individual memory allocations
  • vtls: Don't set cert info count until memory allocation is successful
  • nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
  • nss: Don't ignore Curl_extract_certinfo() OOM failure
  • vtls: Fixed compilation warning and an ignored return code
  • sockfilt.c: Fixed compilation warnings
  • darwinssl: Fixed compilation warning
  • vtls: Use '(void) arg' for unused parameters
  • sepheaders.c: Fixed resource leak on failure
  • lib1900.c: Fixed cppcheck error
  • ldap: Fixed Unicode connection details in Win32 initialsation / bind calls
  • ldap: Fixed Unicode DN, attributes and filter in Win32 search calls

New in cURL 7.39.0 (Nov 10, 2014)

  • CHANGES:
  • SSLv3 is disabled by default
  • CURLOPT_COOKIELIST: Added "RELOAD" command
  • build: Added WinIDN build configuration options to Visual Studio projects
  • ssh: improve key file search
  • SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
  • vtls: remove QsoSSL support, use gskit!
  • mk-ca-bundle: added SHA-384 signature algorithm
  • docs: added many examples for libcurl opts and other doc improvements
  • build: Added VC ssh2 target to main Makefile
  • MinGW: Added support to build with nghttp2
  • NetWare: Added support to build with nghttp2
  • build: added Watcom support to build with WinSSL
  • build: Added optional specific version generation of VC project files
  • BUGFIXES:
  • curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
  • openssl: build fix for versions < 0.9.8e
  • newlines: fix mixed newlines to LF-only
  • ntlm: Fixed HTTP proxy authentication when using Windows SSPI
  • sasl_sspi: Fixed Unicode build
  • file: reject paths using embedded
  • threaded-resolver: revert Curl_expire_latest() switch
  • configure: allow --with-ca-path with PolarSSL too
  • HTTP/2: Fix busy loop when EOF is encountered
  • CURLOPT_CAPATH: return failure if set without backend support
  • nss: do not fail if a CRL is already cached
  • smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
  • fixed 20+ nits/memory leaks identified by Coverity scans
  • curl_schannel.c: Fixed possible memory or handle leak
  • multi-uv.c: call curl_multi_info_read() better
  • cmake: Check for OpenSSL before OpenLDAP
  • cmake: Fix library list provided to cURL tests
  • cmake: Avoid cycle directory dependencies
  • cmake: Build with GSS-API libraries (MIT or Heimdal)
  • vtls: provide backend defines for internal source code
  • nss: fix a connection failure when FTPS handle is reused
  • tests/http_pipe.py: Python 3 support
  • cmake: build tool_hugehelp (ENABLE_MANUAL)
  • cmake: enable IPv6 by default if available
  • tests: move TESTCASES to Makefile.inc, add show for cmake
  • ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
  • ntlm: Fixed empty/bad base-64 decoded buffer return codes
  • ntlm: Fixed empty type-2 decoded message info text
  • cmake: add CMake/Macros.cmake to the release tarball
  • cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
  • cmake: use LIBCURL_VERSION from curlver.h
  • cmake: generate pkg-config and curl-config
  • fixed several superfluous variable assignements identified by cppcheck
  • cleanup of 'CURLcode result' return code
  • pipelining: only output "is not blacklisted" in debug builds
  • SSL: Remove SSLv3 from SSL default due to POODLE attack
  • gskit.c: remove SSLv3 from SSL default
  • darwinssl: detect possible future removal of SSLv3 from the framework
  • ntlm: Only define ntlm data structure when USE_NTLM is defined
  • ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
  • ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
  • sspi: Only call CompleteAuthToken() when complete is needed
  • http_negotiate: Fixed missing check for USE_SPNEGO
  • HTTP: return larger than 3 digit response codes too
  • openssl: Check for NPN / ALPN via OpenSSL version number
  • openssl: enable NPN separately from ALPN
  • sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
  • sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
  • resume: consider a resume from
  • sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
  • build-openssl.bat: Fix x64 release build
  • cmake: drop _BSD_SOURCE macro usage
  • cmake: fix gethostby{addr,name}_r in CurlTests
  • cmake: clean OtherTests, fixing -Werror
  • cmake: fix struct sockaddr_storage check
  • Curl_single_getsock: fix hold/pause sock handling
  • SSL: PolarSSL default min SSL version TLS 1.0
  • cmake: fix ZLIB_INCLUDE_DIRS use
  • buildconf: stop checking for libtool

New in cURL 7.38.0 (Sep 10, 2014)

  • Changes:
  • supports HTTP/2 draft-14
  • CURLE_HTTP2 is a new error code
  • CURLAUTH_NEGOTIATE is a new auth define
  • CURL_VERSION_GSSAPI is a new capability bit
  • no longer use fbopenssl for anything
  • schannel: use CryptGenRandom for random numbers
  • axtls: define curlssl_random using axTLS's PRNG
  • cyassl: use RNG_GenerateBlock to generate a good random number
  • findprotocol: show unsupported protocol within quotes
  • version: detect and show LibreSSL
  • version: detect and show BoringSSL
  • imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
  • http2: requires nghttp2 0.6.0 or later
  • Bugfixes:
  • SECURITY ADVISORY: cookie leak with IP address as domain
  • SECURITY ADVISORY: cookie leak for TLDs
  • fix a build failure on Debian when NSS support is enabled
  • HTTP/2: fixed compiler warnings when built disabled
  • cyassl: return the correct error code on no CA cert
  • http: Deprecate GSS-Negotiate macros due to bad naming
  • http: Fixed Negotiate: authentication
  • multi: Improve proxy CONNECT performance (regression)
  • ntlm_wb: Avoid invoking ntlm_auth helper with empty username
  • ntlm_wb: Fix hard-coded limit on NTLM auth packet size
  • url.c: use the preferred symbol name: *READDATA
  • smtp: fixed a segfault during test 1320 torture test
  • cyassl: made it compile with version 2.0.6 again
  • nss: do not check the version of NSS at run time
  • c-ares: fix build without IPv6 support
  • HTTP/2: use base64url encoding
  • SSPI Negotiate: Fix 3 memory leaks
  • libtest: fixed duplicated line in Makefile
  • conncache: fix compiler warning
  • openssl: make ossl_send return CURLE_OK better
  • HTTP/2: Support expect: 100-continue
  • HTTP/2: Fix infinite loop in readwrite_data()
  • parsedate: fix the return code for an overflow edge condition
  • darwinssl: don't use strtok()
  • http_negotiate_sspi: Fixed specific username and password not working
  • openssl: replace call to OPENSSL_config
  • http2: show the received header for better debugging
  • HTTP/2: Move :authority before non-pseudo header fields
  • HTTP/2: Reset promised stream, not its associated stream
  • HTTP/2: added some more logging for debugging stream problems
  • ntlm: Added support for SSPI package info query
  • ntlm: Fixed hard coded buffer for SSPI based auth packet generation
  • sasl_sspi: Fixed memory leak with not releasing Package Info struct
  • sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
  • sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
  • http_negotiate_sspi: Use a dynamic buffer for SPN generation
  • sasl_sspi: Fixed missing free of challenge buffer on SPN failure
  • sasl_sspi: Fixed hard coded buffer for response generation
  • Curl_poll + Curl_wait_ms: fix timeout return value
  • docs/SSLCERTS: update the section about NSS database
  • create_conn: prune dead connections
  • openssl: fix version report for the 0.9.8 branch
  • mk-ca-bundle.pl: switched to using hg.mozilla.org
  • http: fix the Content-Range: parser
  • Curl_disconnect: don't free the URL
  • win32: Fixed WinSock 2 #if
  • NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
  • curl.1: clarify --limit-rate's effect on both directions
  • disconnect: don't touch easy-related state on disconnects
  • Cmake: big cleanup and numerous fixes
  • HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
  • HTTP/2: Reset promised stream, not its associated stream
  • configure.ac: Add support for recent GSS-API implementations for HP-UX
  • CONNECT: close proxy connections that fail
  • CURLOPT_NOBODY.3: clarify this option is for downloads
  • darwinssl: fix CA certificate checking using PEM format
  • resolve: cache lookup for async resolvers
  • low-speed-limit: avoid timeout flood
  • polarssl: implement CURLOPT_SSLVERSION
  • multi: convert CURLM_STATE_CONNECT_PEND handling to a list
  • curl_multi_cleanup: remove superfluous NULL assigns
  • polarssl: support CURLOPT_CAPATH / --capath
  • progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly

New in cURL 7.37.1 (Jul 17, 2014)

  • Changes:
  • bits.close: introduce connection close tracking
  • darwinssl: Add support for --cacert
  • polarssl: add ALPN support
  • docs: Added new option man pages
  • Bug fixes:
  • build: Fixed incorrect reference to curl_setup.h in Visual Studio files
  • build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
  • curl.1: clarify that -u can't specify a user with colon
  • openssl: Fix uninitialized variable use in NPN callback
  • curl_easy_reset: reset the URL
  • curl_version_info.3: returns a pointer to a static struct
  • url-parser: only use if_nametoindex if detected by configure
  • select: with winsock, avoid passing unsupported arguments to select()
  • gnutls: don't use deprecated type names anymore
  • gnutls: allow building with nghttp2 but without ALPN support
  • tests: Fix portability issue with the tftpd server
  • curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
  • curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
  • random: use Curl_rand() for proper random data
  • Curl_ossl_init: call OPENSSL_config for initing engines
  • config-win32.h: Updated for VC12
  • winbuild: Don't USE_WINSSL when WITH_SSL is being used
  • getinfo: HTTP CONNECT code not reset between transfers
  • Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
  • http2: avoid segfault when using the plain-text http2
  • conncache: move the connection counter to the cache struct
  • http2: better return code error checking
  • curlbuild: fix GCC build on SPARC systems without configure script
  • tool_metalink: Support polarssl as digest provider
  • curl.h: reverse the enum/define setup for old symbols
  • curl.h: moved two really old deprecated symbols
  • curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
  • buildconf: do not search tools in current directory.
  • OS400: make it compilable again. Make RPG binding up to date
  • nss: do not abort on connection failure (failing tests 305 and 404)
  • nss: make the fallback to SSLv3 work again
  • tool: prevent valgrind from reporting possibly lost memory (nss only)
  • progress callback: skip last callback update on errors
  • nss: fix a memory leak when CURLOPT_CRLFILE is used
  • compiler warnings: potentially uninitialized variables
  • url.c: Fixed memory leak on OOM
  • gnutls: ignore invalid certificate dates with VERIFYPEER disabled
  • gnutls: fix SRP support with versions of GnuTLS from 2.99.0
  • gnutls: fixed a couple of uninitialized variable references
  • gnutls: fixed compilation against versions < 2.12.0
  • build: Fixed overridden compiler PDB settings in VC7 to VC12
  • ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
  • netrc: don't abort if home dir cannot be found
  • netrc: fixed thread safety problem by using getpwuid_r if available
  • cookie: avoid mutex deadlock
  • configure: respect host tool prefix for krb5-config
  • gnutls: handle IP address in cert name check

New in cURL 7.37.0 (May 21, 2014)

  • Changes:
  • URL parser: IPv6 zone identifiers are now supported
  • CURLOPT_PROXYHEADER: set headers for proxy-only
  • CURLOPT_HEADEROPT: added
  • curl: add --proxy-header
  • sasl: Added support for DIGEST-MD5 via Windows SSPI
  • sasl: Added DIGEST-MD5 qop-option validation in native challange handling
  • imap: Expanded mailbox SEARCH support to use URL query strings
  • imap: Extended FETCH support to include PARTIAL URL specifier
  • nss: implement non-blocking SSL handshake
  • build: Reworked Visual Studio project files
  • poll: enable poll on darwin13
  • mk-ca-bundle: added -p
  • libtests: add a wait_ms() function
  • Bug fixes:
  • mkhelp: generate code for --disable-manual as well
  • hostcheck: added a system include to define struct in_addr
  • winbuild: added warnless.c to fix build
  • Makefile.vc6: added warnless.c to fix build
  • smtp: Fixed login denied when server doesn't support AUTH capability
  • smtp: Fixed login denied with a RFC-821 based server
  • curl: stop interpreting IPv6 literals as glob patterns
  • http2: remove _DRAFT09 from the NPN_HTTP2 enum
  • http2: let openssl mention the exact protocol negotiated
  • http2+openssl: fix compiler warnings in ALPN using code
  • ftp: in passive data connect wait for happy eyeballs sockets
  • HTTP: don't send Content-Length: 0 _and_ Expect: 100-continue
  • http2: Compile with current nghttp2, which supports h2-11
  • http_negotiate_sspi: Fixed compilation when USE_HTTP_NEGOTIATE not defined
  • strerror: fix comment about vxworks' strerror_r buffer size
  • url: only use if_nametoindex() if IFNAMSIZ is available
  • imap: Fixed untagged response detection when no data after command
  • various: fix possible dereference of null pointer
  • various: fix use of uninitialized variable
  • various: fix use of non-null terminated strings
  • telnet.c: check sscanf results before passing them to snprintf
  • parsedate.c: check sscanf result before passing it to strlen
  • sockfilt.c: free memory in case of memory allocation errors
  • sockfilt.c: ignore non-key-events and continue waiting for input
  • sockfilt.c: properly handle disk files, pipes and character input
  • sockfilt.c: fixed getting stuck waiting for MinGW stdin pipe
  • sockfilt.c: clean up threaded approach and add documentation
  • configure: use the nghttp2 path correctly with pkg-config
  • curl_global_init_mem: bump initialized even if already initialized
  • gtls: fix NULL pointer dereference
  • cyassl: Use error-ssl.h when available
  • handler: make 'protocol' always specified as a single bit
  • INFILESIZE: fields in UserDefined must not be changed run-time
  • openssl: biomem->data is not zero terminated
  • config-win32.h: Fixed HAVE_LONGLONG for Visual Studio .NET 2003 and up
  • curl_ntlm_core: Fixed use of long long for VC6 and VC7
  • SNI: strip off a single trailing dot from host name
  • curl: bail on cookie use when built with disabled cookies
  • curl_easy_setopt.3: added the proto for CURLOPT_SSH_KNOWNHOSTS
  • curl_multi_cleanup: ignore SIGPIPE better
  • schannel: don't use the connect-timeout during send
  • mprintf: allow %.s with data not being zero terminated
  • tool_help: Fixed missing --login-options option
  • configure: Don't set LD_LIBRARY_PATH when cross-compiling
  • http: auth failure on duplicated 'WWW-Authenticate: Negotiate' header
  • cacertinmem: fix memory leak
  • lib1506: make sure the transfers are not within the same ms
  • Makefile.b32: Fixed for vtls changes
  • sasl: Fixed missing qop in the client's challenge-response message
  • openssl: unbreak PKCS12 support
  • darwinssl: fix potential crash with a P12 file
  • timers: fix timer regression involving redirects / reconnects
  • CURLINFO_SSL_VERIFYRESULT: made more reliable
  • HTTP: fixed connection re-use
  • configure: add SPNEGO to supported features
  • configure: add GSS-API to supported features
  • ALPN: fix typo in http/1.1 identifier
  • http2: make connection re-use work

New in cURL 7.36.0 (Mar 31, 2014)

  • Changes:
  • ntlm: Added support for NTLMv2
  • tool: Added support for URL specific options
  • openssl: add ALPN support
  • gtls: add ALPN support
  • nss: add ALPN and NPN support
  • added CURLOPT_EXPECT_100_TIMEOUT_MS
  • tool: add --no-alpn and --no-npn
  • added CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN
  • winssl: enable TLSv1.1 and TLSv1.2 by default
  • winssl: TLSv1.2 disables certificate signatures using MD5 hash
  • winssl: enable hostname verification of IP address using SAN or CN
  • darwinssl: Don't omit CN verification when an IP address is used
  • http2: build with current nghttp2 version
  • polarssl: dropped support for PolarSSL < 1.3.0
  • openssl: info message with SSL version used
  • Bug fixes:
  • SECURITY ADVISORY: wrong re-use of connections
  • SECURITY ADVISORY: IP address wildcard certificate validation
  • SECURITY ADVISORY: not verifying certs for TLS to IP address / Darwinssl
  • SECURITY ADVISORY: not verifying certs for TLS to IP address / Winssl
  • nss: allow to use ECC ciphers if NSS implements them
  • netrc: Fixed a memory leak in an OOM condition
  • ftp: fixed a memory leak on wildcard error path
  • pipeline: Fixed a NULL pointer dereference on OOM
  • nss: prefer highest available TLS version
  • 100-continue: fix timeout condition
  • ssh: Fixed a NULL pointer dereference on OOM condition
  • formpost: use semicolon in multipart/mixaed
  • --help: add missing --tlsv1.x options
  • formdata: Fixed memory leak on OOM condition
  • ConnectionExists: reusing possible HTTP+NTLM connections better
  • mingw32: fix compilation
  • chunked decoder: track overflows correctly
  • curl_easy_setopt.3: add CURL_HTTP_VERSION_2_0
  • dict: fix memory leak in OOM exit path
  • valgrind: added suppression on optimized code
  • curl: output protocol headers using binary mode
  • tool: Added URL index to password prompt for multiple operations
  • ConnectionExists: re-use non-NTLM connections better
  • axtls: call ssl_read repeatedly
  • multi: make MAXCONNECTS default 4 x number of easy handles function
  • configure: Fix the --disable-crypto-auth option
  • multi: ignore SIGPIPE internally
  • curl.1: update the description of --tlsv1
  • SFTP: skip reading the dir when NOBODY=1
  • easy: Fixed a memory leak on OOM condition
  • tool: Fixed incorrect return code when setting HTTP request fails
  • configure: Tiny fix to honor POSIX
  • tool: Do not output libcurl source for the information only parameters
  • Rework Open Watcom make files to use standard Wmake features
  • x509asn: moved out Curl_verifyhost from NSS builds
  • configure: call it GSS-API
  • hostcheck: Curl_cert_hostcheck is not used by NSS builds
  • multi_runsingle: move timestamp into INIT
  • remote_port: allow connect to port 0
  • parse_remote_port: error out on illegal port numbers better
  • ssh: Pass errors from libssh2_sftp_read up the stack
  • docs: remove documentation on setting up krb4 support
  • polarssl: build fixes to work with PolarSSL 1.3.x
  • polarssl: fix possible handshake timeout issue in multi
  • nss: allow to enable/disable cipher-suites better
  • ssh: prevent a logic error that could result in an infinite loop
  • http2: free resources on disconnect
  • polarssl: avoid extra newlines in debug messages
  • rtsp: parse "Session:" header properly
  • trynextip: don't store 'ai' on failed connects
  • Curl_cert_hostcheck: strip trailing dots in host name and wildcard

New in cURL 7.34.0 (Jan 7, 2014)

  • Changes:
  • SSL: protocol version can be specified more precisely
  • imap/pop3/smtp: Added graceful cancellation of SASL authentication
  • Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
  • base64: Added validation of base64 input strings when decoding
  • curl_easy_setopt: Added the ability to set the login options separately
  • smtp: Added support for additional SMTP commands
  • curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
  • nss: allow to use TLS > 1.0 if built against recent NSS
  • SECURITY: added this document to describe our security processes
  • parseconfig: warn if unquoted white spaces are detected
  • Bug fixes:
  • SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
  • darwinssl: un-break iOS build after PKCS#12 feature added
  • tool: use XFERFUNCTION to save some casts
  • usercertinmem: fix memory leaks
  • ssh: Handle successful SSH_USERAUTH_NONE
  • NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
  • test906: Fixed failing test on some platforms
  • sasl: initialize NSS before using NTLM crypto
  • sasl: Fixed memory leak in OAUTH2 message creation
  • imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
  • cmake: unbreak for non-Windows platforms
  • ssh: initialize per-handle data in ssh_connect()
  • glob: fix broken URLs
  • configure: check for long long when building with cyassl
  • CURLOPT_RESOLVE: mention they don't time-out
  • docs/examples/httpput.c: fix build for MSVC
  • FTP: make the data connection work when going through proxy
  • NSS: support for CERTINFO feature
  • curl_multi_wait: accept 0 from multi_timeout() as valid timeout
  • glob_range: pass the closing bracket for a-z ranges
  • tool_help: Updated --list-only description to include POP3
  • Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
  • cmake: fix Windows build with IPv6 support
  • ares: Fixed compilation under Visual Studio 2012
  • curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
  • curl.1: mention that -O does no URL decoding
  • darwinssl: PKCS#12 import feature now requires Lion or later
  • darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
  • configure: Fix test with -Werror=implicit-function-declaration
  • sigpipe: factor out sigpipe_reset from easy.c
  • curl_multi_cleanup: ignore SIGPIPE
  • globbing: curl glob counter mismatch with {} list use
  • parseconfig: dash options can't specified with colon or equals
  • digest: fix CURLAUTH_DIGEST_IE
  • curl.h: for OpenBSD
  • darwinssl: Fix #if 10.6.0 for SecKeychainSearch
  • TFTP: fix return codes for connect timeout
  • login options: remove the ;[options] support from CURLOPT_USERPWD
  • imap: Fixed incorrect fallback to clear text authentication
  • parsedate: avoid integer overflow
  • curl.1: document -J doesn't %-decode
  • multi: add timer inaccuracy margin to timeout/connecttimeout

New in cURL 7.33.0 (Oct 18, 2013)

  • Changes:
  • test code for testing the event based API
  • CURLM_ADDED_ALREADY: new error code
  • test TFTP server: support "writedelay" within
  • krb4 support has been removed
  • imap/pop3/smtp: added basic SASL XOAUTH2 support
  • darwinssl: add support for PKCS#12 files for client authentication
  • darwinssl: enable BEAST workaround on iOS 7 & later
  • Pass password to OpenSSL engine by user interface
  • c-ares: Add support for various DNS binding options
  • cookies: add expiration
  • curl: added --oauth2-bearer option
  • Bugfixes:
  • nss: make sure that NSS is initialized
  • curl: make --no-[option] work properly for several options
  • FTP: with socket_action send better socket updates in active mode
  • curl: fix the --sasl-ir in the --help output
  • tests 2032, 2033: Don't hardcode port in expected output
  • urlglob: better detect unclosed braces, empty lists and overflows
  • urlglob: error out on range overflow
  • imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
  • handle arbitrary-length username and password
  • TFTP: make the CURLOPT_LOW_SPEED* options work
  • curl.h: name space pollution by "enum type"
  • multi: move on from STATE_DONE faster
  • FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
  • multi_socket: improved 100-continue timeout handling
  • curl_multi_remove_handle: allow multiple removes
  • FTP: fix getsock during DO_MORE state
  • -x: rephrased the --proxy section somewhat
  • acinclude: fix --without-ca-path when cross-compiling
  • LDAP: fix bad free() when URL parsing failed
  • --data: mention CRLF treatment when reading from file
  • curl_easy_pause: suggest one way to unpause
  • imap: Fixed calculation of transfer when partial FETCH received
  • pingpong: Check SSL library buffers for already read data
  • imap/pop3/smtp: Speed up SSL connection initialization
  • libcurl.3: for multi interface connections are held in the multi handle
  • curl_easy_setopt.3: mention RTMP URL quirks
  • curl.1: detail how short/long options work
  • curl.1: Added information about optional login options to --user option
  • curl: Added clarification to the --mail options in the --help output
  • curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
  • openssl: use correct port number in error message
  • darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
  • OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
  • xattr: add support for FreeBSD xattr API
  • win32: fix Visual Studio 2010 build with WINVER >= 0x600
  • configure: use icc options without space
  • test1112: Increase the timeout from 7s to 16s
  • SCP: upload speed on a fast connection limited to 16384 B/s
  • curl_setup_once: fix errno access for lwip on Windows
  • HTTP: Output http response 304 when modified time is too old

New in cURL 7.32.0 (Aug 19, 2013)

  • Changes:
  • curl: allow timeouts to accept decimal values
  • OS400: add slist and certinfo EBCDIC support
  • OS400: new SSL backend GSKit
  • CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
  • LIBCURL-STRUCTS: new document
  • Bugfixes:
  • dotdot: introducing dot file path cleanup
  • docs: fix typo in curl_easy_getinfo manpage
  • test1230: avoid using hard-wired port number
  • test1396: invoke the correct test tool
  • SIGPIPE: ignored while inside the library
  • darwinssl: fix crash that started happening in Lion
  • OpenSSL: check for read errors, don't assume
  • c-ares: improve error message on failed resolve
  • printf: make sure %x are treated unsigned
  • formpost: better random boundaries
  • url: restore the functionality of 'curl -u :'
  • curl.1: fix typo in --xattr description
  • digest: improve nonce generation
  • configure: automake 1.14 compatibility tweak
  • curl.1: document the --post303 option in the man page
  • curl.1: document the --sasl-ir option in the man page
  • setup-vms.h: sk_pop symbol tweak
  • tool_paramhlp: try harder to catch negatives
  • cmake: Fix for MSVC2010 project generation
  • asyn-ares: Don't blank ares servers if none configured
  • curl_multi_wait: set revents for extra fds
  • Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup()
  • ftp_do_more: consider DO_MORE complete when server connects back
  • curl_easy_perform: gradually increase the delay time
  • curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
  • curl: fix upload of a zip file in OpenVMS
  • build: fix linking on Solaris 10
  • curl_formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
  • curl_formadd: fix file upload on VMS
  • curl_easy_pause: on unpause, trigger mulit-socket handling
  • md5 & metalink: use better build macros on Apple operating systems
  • darwinssl: fix build error in crypto authentication under Snow Leopard
  • curl: make --progress-bar update the line less frequently
  • configure: don't error out on variable confusions (CFLAGS, LDFLAGS etc)
  • mk-ca-bundle: skip more untrusted certificates
  • formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
  • FTP: when EPSV gets a 229 but fails to connect, retry with PASV
  • mk-ca-bundle.1: don't install on make install
  • VMS: lots of updates and fixes of the build procedure
  • global dns cache: didn't work (regression)
  • global dns cache: fix memory leak

New in cURL 7.31.0 (Jul 1, 2013)

  • Changes:
  • darwinssl: add TLS session resumption
  • darwinssl: add TLS crypto authentication
  • imap/pop3/smtp: Added support for ;auth= in the URL
  • imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
  • usercertinmem.c: add example showing user cert in memory
  • url: Added smtp and pop3 hostnames to the protocol detection list
  • imap/pop3/smtp: Added support for enabling the SASL initial response
  • curl -E: allow to use ':' in certificate nicknames
  • Bug fixes:
  • SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer [26]
  • FTP: access files in root dir correctly
  • configure: try pthread_create without -lpthread
  • FTP: handle a 230 welcome response
  • curl-config: don't output static libs when they are disabled
  • CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
  • Various documentation updates
  • getinfo.c: reset timecond when clearing session-info variables
  • FILE: prevent an artificial timeout event due to stale speed-check data
  • ftp_state_pasv_resp: connect through proxy also when set by env
  • sshserver: disable StrictHostKeyChecking
  • ftpserver: Fixed imap logout confirmation data
  • curl_easy_init: use less mallocs
  • smtp: Fixed unknown percentage complete in progress bar
  • smtp: Fixed sending of double CRLF caused by first in EOB
  • bindlocal: move brace out of #ifdef
  • winssl: Fixed invalid memory access during SSL shutdown
  • OS X framework: fix invalid symbolic link
  • OpenSSL: allow empty server certificate subject
  • axtls: prevent memleaks on SSL handshake failures
  • cookies: only consider full path matches
  • Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
  • Curl_cookie_add: handle IPv6 hosts
  • ossl_send: SSL_write() returning 0 is an error too
  • ossl_recv: SSL_read() returning 0 is an error too
  • Digest auth: escape user names with backslash or " in them
  • curl_formadd.3: fixed wrong "end-marker" syntax
  • libcurl-tutorial.3: fix incorrect backslash
  • curl_multi_wait: reduce timeout if the multi handle wants to
  • tests/Makefile: typo in the perlcheck target
  • axtls: honor disabled VERIFYHOST
  • OpenSSL: avoid double free in the PKCS12 certificate code
  • multi_socket: reduce timeout inaccuracy margin
  • digest: support auth-int for empty entity body
  • axtls: now done non-blocking
  • lib1900: use tutil_tvnow instead of gettimeofday
  • curl_easy_perform: avoid busy-looping
  • CURLOPT_COOKIELIST: take cookie share lock
  • multi_socket: react on socket close immediately

New in cURL 7.30.0 (Apr 22, 2013)

  • Changes:
  • imap: Changed response tag generation to be completely unique
  • imap: Added support for SASL-IR extension
  • imap: Added support for the list command
  • imap: Added support for the append command
  • imap: Added custom request parsing
  • imap: Added support to the fetch command for UID and SECTION properties
  • imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
  • darwinssl: Make certificate errors less techy
  • imap/pop3/smtp: Added support for the STARTTLS capability
  • checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
  • curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
  • Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
  • Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
  • Bug fixes:
  • SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
  • darwinssl: Fix build under Leopard
  • DONE: consider callback-aborted transfers premature
  • ntlm: Fixed memory leaks
  • smtp: Fixed an issue when processing EHLO failure responses
  • pop3: Fixed incorrect return value from pop3_endofresp()
  • pop3: Fixed SASL authentication capability detection
  • pop3: Fixed blocking SSL connect when connecting via POP3S
  • imap: Fixed memory leak when performing multiple selects
  • nss: fix misplaced code enabling non-blocking socket mode
  • AddFormData: prevent only directories from being posted
  • darwinssl: fix infinite loop if server disconnected abruptly
  • metalink: fix improbable crash parsing metalink filename
  • show proper host name on failed resolve
  • MacOSX-Framework: Make script work in Xcode 4.0 and later
  • strlcat: remove function
  • darwinssl: Fix send glitchiness with data > 32 or so KB
  • polarssl: better 1.1.x and 1.2.x support
  • various documentation improvements
  • multi: NULL pointer reference when closing an unused multi handle
  • SOCKS: fix socks proxy when noproxy matched
  • install-sh: updated to support multiple source files as arguments
  • PolarSSL: added human readable error strings
  • resolver_error: remove wrong error message output
  • docs: updates HTML index and general improvements
  • curlbuild.h.dist: enhance non-configure GCC ABI detection logic
  • sasl: Fixed null pointer reference when decoding empty digest challenge
  • easy: do not ignore poll() failures other than EINTR
  • darwinssl: disable ECC ciphers under Mountain Lion by default
  • CONNECT: count received headers
  • build: fixes for VMS
  • CONNECT: clear 'rewindaftersend' on success
  • HTTP proxy: insert slash in URL if missing
  • hiperfifo: updated to use current libevent API
  • getinmemory.c: abort the transfer nicely if not enough memory
  • improved win32 memorytracking
  • corrected proxy header response headers count
  • FTP quote operations on re-used connection
  • tcpkeepalive on win32
  • tcpkeepalive on Mac OS X
  • easy: acknowledge the CURLOPT_MAXCONNECTS option properly
  • easy interface: restore default MAXCONNECTS to 5
  • win32: don't set SO_SNDBUF for windows vista or later versions
  • HTTP: made cookie sort function more deterministic
  • winssl: Fixed memory leak if connection was not successful
  • FTP: wait on both connections during active STOR state
  • connect: treat a failed local bind of an interface as a non-fatal error
  • darwinssl: disable insecure ciphers by default
  • FTP: handle "rubbish" in front of directory name in 257 responses
  • mk-ca-bundle: Fixed lost OpenSSL output with "-t"

New in cURL 7.29.0 (Feb 11, 2013)

  • Changes:
  • test: offer "automake" output and check for perl better
  • always-multi: always use non-blocking internals
  • imap: Added support for sasl digest-md5 authentication
  • imap: Added support for sasl cram-md5 authentication
  • imap: Added support for sasl ntlm authentication
  • imap: Added support for sasl login authentication
  • imap: Added support for sasl plain text authentication
  • imap: Added support for login disabled server capability
  • mk-ca-bundle: add -f, support passing to stdout and more
  • writeout: -w now supports remote_ip/port and local_ip/port
  • Bug fixes:
  • SECURITY ADVISORY: SASL buffer overflow vulnerability
  • nss: prevent NSS from crashing on client auth hook failure
  • darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
  • curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
  • SCP: relative path didn't work as documented
  • setup_once.h: HP-UX issue workaround
  • configure: fix cross pkg-config detection
  • runtests: Do not add undefined values to @INC
  • build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
  • multi: fix re-sending request on early connection close
  • HTTP: remove stray CRLF in chunk-encoded content-free request bodies
  • build: fix AIX compilation and usage of events/revents
  • VC Makefiles: add missing hostcheck
  • nss: clear session cache if a client certificate from file is used
  • nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
  • fix HTTP CONNECT tunnel establishment upon delayed response
  • --libcurl: fix for non-zero default options
  • FTP: reject illegal port numbers in EPSV 229 responses
  • build: use per-target '_CPPFLAGS' for those currently using default
  • configure: fix automake 1.13 compatibility
  • curl: ignore SIGPIPE
  • pop3: Added support for non-blocking SSL upgrade
  • pop3: Fixed default authentication detection
  • imap: Fixed usernames and passwords that contain escape characters
  • packages/DOS/common.dj: remove COFF debug info generation
  • imap/pop3/smtp: Fixed failure detection during TLS upgrade
  • pop3: Fixed no known authentication mechanism when fallback is required
  • formadd: reject trying to read a directory where a file is expected
  • formpost: support quotes, commas and semicolon in file names
  • docs: update the comments about loading CA certs with NSS
  • docs: fix typos in man pages
  • darwinssl: Fix bug where packets were sometimes transmitted twice
  • winbuild: include version info for .dll .exe
  • schannel: Removed extended error connection setup flag
  • VMS: fix and generate the VMS build config

New in cURL 7.28.1 (Feb 11, 2013)

  • Changes:
  • metalink/md5: Use CommonCrypto on Apple operating systems
  • href_extractor: new example code extracting href elements
  • NSS can be used for metalink hashing
  • Bug fixes:
  • Fix broken libmetalink-aware OpenSSL build
  • gnutls: fix the error is fatal logic
  • darwinssl: un-broke iOS build, fix error on server disconnect
  • asyn-ares: restore functionality with c-ares < 1.6.1
  • tlsauthtype: deal with the string case insensitively
  • Fixed MSVC libssh2 static build
  • evhiperfifo: fix the pointer passed to WRITEDATA
  • BUGS: fix the bug tracker URL
  • winbuild: Use machine type of development environment
  • FTP: prevent the multi interface from blocking
  • uniformly use AM_CPPFLAGS, avoid deprecated INCLUDES
  • httpcustomheader.c: free the headers after use
  • fix >2000 bytes POST over NTLM-using proxy
  • redirects to URLs with fragments
  • don't send '#' fragments when using proxy
  • OpenSSL: show full issuer string
  • fix HTTP auth regression
  • CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
  • ftp: EPSV-disable fix over SOCKS
  • Digest: Add microseconds into nounce calculation
  • SCP/SFTP: improve error code used for send failures
  • SSL: Several SSL-backend related fixes
  • removed the notorious "additional stuff not fine" debug output
  • OpenSSL: Disable SSL/TLS compression - avoid the "CRIME" attack
  • FILE: Make upload-writes unbuffered
  • custom memory callbacks failure with HTTP proxy (and more)
  • TFTP: handle resends
  • autoconf: don't force-disable compiler debug option
  • winbuild: Fix PDB file output
  • test2032: spurious failure caused by premature termination
  • memory leak: CURLOPT_RESOLVE with multi interface

New in cURL 7.28.0 (Oct 11, 2012)

  • Changes:
  • SSH: added agent based authentication
  • ftp: active conn, allow application to set sockopt after accept() call with CURLSOCKTYPE_ACCEPT
  • multi: add curl_multi_wait()
  • metalink: Added support for Microsoft Windows CryptoAPI
  • md5: Added support for Microsoft Windows CryptoAPI
  • parse_proxy: treat "socks://x" as a socks4 proxy
  • socks: Added support for IPv6 connections through SOCKSv5 proxy
  • Bug fixes:
  • WSAPoll disabled on Windows builds due to its bugs
  • segfault on request retries
  • curl-config: parentheses fix
  • VC build: add define for openssl
  • globbing: fix segfault when >9 globs were used
  • fixed a few clang-analyzer warnings
  • metalink: change code order to build with gnutls-nettle
  • gtls: fix build failure by including nettle-specific headers
  • change preferred HTTP auth on a handle previously used for another auth
  • file: use fdopen() to avoid race condition
  • Added DWANT_IDN_PROTOTYPES define for MSVC too
  • verbose: fixed (nil) output of hostnames in re-used connections
  • metalink: Un-broke the build when building --with-darwinssl
  • curl man page cleanup
  • Avoid leak of local device string when reusing connection
  • Curl_socket_check: fix return code for timeout
  • nss: do not print misleading NSS error codes
  • configure: remove the --enable/disable-nonblocking options
  • darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functions
  • NTLM: re-use existing connection better
  • schannel crash on multi and easy handle cleanup
  • SOCKS: truly disable it if CURL_DISABLE_PROXY is defined
  • mk-ca-bundle: detect start of trust section better
  • gnutls: do not fail on non-fatal handshake errors
  • SMTP: only send SIZE if supported
  • ftpserver: respond with a 250 to SMTP EHLO
  • ssh: do not crash if MD5 fingerprint is not provided by libssh2
  • winbuild: Added support for building with SPNEGO enabled
  • metalink: Fixed validation of binary files containing EOF
  • setup.h: fixed for MS VC10 build
  • cmake: use standard findxxx modules for cmake v2.8+
  • HTTP_ONLY: disable more protocols
  • Curl_reconnect_request: clear pointer on failure
  • https.c example: remember to call curl_global_init()
  • metalink: Filter resource URLs by type
  • multi interface: CURLOPT_LOW_SPEED_* fix during rate limitation
  • curl_schannel: Removed buffer limit and optimized buffer strategy

New in cURL 7.27.0 (Oct 8, 2012)

  • Changes:
  • nss: use human-readable error messages provided by NSS
  • added --metalink for metalink download support
  • pop3: Added support for sasl plain text authentication
  • pop3: Added support for sasl login authentication
  • pop3: Added support for sasl ntlm authentication
  • pop3: Added support for sasl cram-md5 authentication
  • pop3: Added support for sasl digest-md5 authentication
  • pop3: Added support for apop authentication
  • Added support for Schannel (Native Windows) SSL/TLS encryption
  • Added support for Darwin SSL (Native Mac OS X and iOS)
  • http: print reason phrase from HTTP status line on error
  • Bugfixes:
  • pop3: Fixed the issue of having to supply the user name for all requests
  • configure: fix LDAPS disabling related misplaced closing parenthesis
  • cmdline: made -D option work with -O and -J
  • configure: Fix libcurl.pc and curl-config generation for static MingW* cross builds
  • ssl: fix duplicated SSL handshake with multi interface and proxy
  • winbuild: Fix Makefile.vc ignoring USE_IPV6 and USE_IDN flags
  • OpenSSL: support longer certificate subject names
  • openldap: OOM fixes
  • log2changes.pl: fix the Version output
  • lib554.c: use curl_formadd() properly
  • urldata.h: fix cyassl build clash with wincrypt.h
  • cookies: changed the URL in the cookiejar headers
  • http-proxy: keep CONNECT connections alive (for NTLM)
  • NTLM SSPI: fixed to work with unicode user names and passwords
  • OOM fix in the curl tool when cloning cmdline options
  • fixed some examples to use curl_global_init() properly
  • cmdline: stricter numerical option parser
  • HTTP HEAD: don't force-close after response-headers
  • test231: fix wrong -C use
  • docs: switch to proper UTF-8 for text file encoding
  • keepalive: DragonFly uses milliseconds
  • HTTP Digest: Client's "qop" value should not be quoted
  • make distclean works again

New in cURL 7.26.0 (May 26, 2012)

  • Changes:
  • nss: the minimal supported version of NSS bumped to 3.12.x
  • nss: human-readable names are now provided for NSS errors if available
  • add a manual page for mk-ca-bundle
  • added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
  • smtp: Add support for DIGEST-MD5 authentication
  • pop3: Added support for additional pop3 commands
  • Bug fixes:
  • nss: libcurl now uses NSS_InitContext() to prevent collisions if available [1]
  • URL parse: reject numerical IPv6 addresses outside brackets
  • MD5: fix OOM memory leak
  • OpenSSL cert: provide more details when cert check fails
  • HTTP: empty chunked POST ended up in two zero size chunks
  • fixed a regression when curl resolved to multiple addresses and the first isn't supported [7]
  • -# progress meter: avoid superfluous updates and duplicate lines
  • headers: surround GCC attribute names with double underscores
  • PolarSSL: correct return code for CRL matches
  • PolarSSL: include version number in version string
  • PolarSSL: add support for asynchronous connect
  • mk-ca-bundle: revert the LWP usage
  • IPv6 cookie domain: get rid of the first bracket before the second
  • connect.c: return changed to CURLE_COULDNT_CONNECT when opensocket fails
  • OpenSSL: Made cert hostname check conform to RFC 6125
  • HTTP: reset expected DL/UL sizes on redirects
  • CMake: fix Windows LDAP/LDAPS option handling
  • CMake: fix MS Visual Studio x64 unsigned long long literal suffix
  • configure: update detection logic of getaddrinfo() thread-safeness
  • configure: check for gethostbyname in the watt lib
  • curl-config.1: fix curl-config usage in example
  • smtp: Fixed non-escaping of dot character at beginning of line
  • MakefileBuild.vc: use the correct IDN variable
  • autoconf: improve handling of versioned symbols
  • curl.1: clarify -x usage
  • curl: shorten user-agent
  • smtp: issue with the multi-interface always sending postdata
  • compile error with GnuTLS+Nettle fixed
  • winbuild: fix IPv6 enabled build

New in cURL 7.25.0 (Mar 23, 2012)

  • Changes:
  • configure: add option disable --libcurl output
  • --ssl-allow-beast and CURLOPT_SSL_OPTIONS added
  • Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE, CURLOPT_TCP_KEEPINTVL
  • curl: use new library-side TCP_KEEPALIVE options
  • Added a new CURLOPT_MAIL_AUTH option
  • Added support for --mail-auth
  • --libcurl now also works with -F and more!
  • Bug fixes:
  • --max-redirs: allow negative numbers as option value
  • parse_proxy: bail out on zero-length proxy names
  • configure: don't modify LD_LIBRARY_PATH for cross compiles
  • curl_easy_reset: reset the referer string
  • curl tool: don't abort glob-loop due to failures
  • CONNECT: send correct Host: with IPv6 numerical address
  • Explicitly link to the nettle/gcrypt libraries
  • more resilient connection times among IP addresses
  • winbuild: fix IPV6 and IDN options
  • SMTP: Fixed error when using CURLOPT_CONNECT_ONLY
  • cyassl: update to CyaSSL 2.0.x API
  • smtp: Fixed an issue with the EOB checking
  • pop3: Fixed drop of final CRLF in EOB checking
  • smtp: Fixed an issue with writing postdata
  • smtp: Added support for returning SMTP response codes
  • CONNECT: fix ipv6 address in the Request-Line
  • curl-config: only provide libraries with --libs
  • LWIP: don't consider HAVE_ERRNO_H to be winsock
  • ssh: tunnel through HTTP proxy if requested
  • cookies: strip off [brackets] from numerical ipv6 host names
  • libcurl docs: version corrections
  • cmake: list_spaces_append_once failure
  • resolve with c-ares: don't resolve IPv6 when not working
  • smtp: changed error code for EHLO and HELO responses
  • parsedate: fix a numeric overflow

New in cURL 7.24.0 (Jan 26, 2012)

  • Changes:
  • CURLOPT_QUOTE: SFTP supports the '*'-prefix now
  • CURLOPT_DNS_SERVERS: set name servers if possible
  • Add support for using nettle instead of gcrypt as gnutls backend
  • CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes
  • Added CURLOPT_ACCEPTTIMEOUT_MS
  • configure: add symbols versioning option --enable-versioned-symbols
  • Bug fixes:
  • curl was vulnerable to a data injection attack for certain protocols CVE-2012-0036
  • curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
  • SSL session share: move the age counter to the share object
  • -J -O: use -O name if no Content-Disposition header comes!
  • protocol_connect: show verbose connect and set connect time
  • query-part: ignore the URI part for given protocols
  • gnutls: only translate winsock errors for old versions
  • POP3: fix end of body detection
  • POP3: detect when LIST returns no mails
  • TELNET: improved treatment of options
  • configure: add support for pkg-config detection of libidn
  • CyaSSL 2.0+ library initialization adjustment
  • multi interface: only use non-NULL socker function pointer
  • call opensocket callback properly for active FTP
  • don't call close socket callback for sockets created with accept()
  • differentiate better between host/proxy errors
  • SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5
  • multi: handle timeouts on DNS servers by checking for new sockets
  • CURLOPT_DNS_SERVERS: fix return code
  • POP3: fixed escaped dot not being stripped out
  • OpenSSL: check for the SSLv2 function in configure
  • MakefileBuild: fix the static build
  • create_conn: don't switch to HTTP protocol if tunneling is enabled
  • multi interface: fix block when CONNECT_ONLY option is used
  • Fix connection reuse for TLS upgraded connections
  • multiple file upload with -F and custom type
  • multi interface: active FTP connections are no longer blocking
  • Android build fix
  • timer: restore PRETRANSFER timing
  • libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM
  • appconnect time fixed for non-blocking connect ssl backends
  • do not include SSL handshake into time spent waiting for 100-continue
  • handle dns cache case insensitive
  • use new host name casing for subsequent HTTP requests
  • CURLOPT_RESOLVE: avoid adding already present host names
  • SFTP mkdir: use correct permission
  • resolve: don't leak pre-populated dns entries
  • --retry: Retry transfers on timeout and DNS errors
  • negotiate with SSPI backend: use the correct buffer for input
  • SFTP dir: increase buffer size counter to avoid cut off file names
  • TFTP: fix resending (again)
  • c-ares: don't include getaddrinfo-using code
  • FTP: CURLE_PARTIAL_FILE will not close the control channel
  • win32-threaded-resolver: stop using a dummy socket
  • OpenSSL: remove reference to openssl internal struct
  • OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
  • OpenSSL: fix PKCS#12 certificate parsing related memory leak
  • OpenLDAP: fix LDAP connection phase memory leak
  • Telnet: Use correct file descriptor for telnet upload
  • Telnet: Remove bogus optimisation of telnet upload
  • URL parse: user name with ipv6 numerical address
  • polarssl: show cipher suite name correctly with 1.1.0
  • polarssl: havege_rand is not present in version 1.1.0 WARNING, we still use the old API which is said to be insecure
  • gnutls: enforced use of SSLv3

New in cURL 7.23.1 (Nov 21, 2011)

  • Bug fixes:
  • Windows: curl would fail if it found no CA cert, unless -k was used. Even if a non-SSL protocol URL was used

New in cURL 7.22.0 (Nov 21, 2011)

  • Changes:
  • Empty headers can be sent in HTTP requests by terminating with a semicolon
  • SSL session sharing support added to curl_share_setopt()
  • Added support to MAIL FROM for the optional SIZE parameter
  • smtp: Added support for NTLM authentication
  • curl tool: code split into tool_*.[ch] files
  • Bug fixes:
  • handle HTTP redirects to "//hostname/path"
  • SMTP without --mail-from caused segfault
  • prevent extra progress meter headers between multiple files
  • allow Content-Length to be replaced when sending HTTP requests
  • curl now always sets postfieldsize to allow --data-binary and --data to be mixed in the same command line
  • curl_multi_fdset: avoid FD_SET out of bounds
  • lots of MinGW build tweaks
  • Curl_gethostname: return un-qualified machine name
  • fixed the openssl version number configure check
  • nss: certificates from files are no longer looked up by file base names
  • returning abort from the progress function when using the multi interface would not properly cancel the transfer and close the connection
  • fix libcurl.m4 to not fail with modern gcc versions
  • ftp: improved the failed PORT host name resolved error message
  • TFTP timeout and unexpected block adjustments
  • HTTP and GOPHER test server-side connection closing adjustments
  • fix endless loop upon transport connection timeout
  • don't clobber errno on failed connect
  • typecheck: allow NULL to unset CURLOPT_ERRORBUFFER
  • formdata: ack read callback abort
  • make --show-error properly position independent
  • set the ipv6-connection boolean correctly on connect
  • SMTP: fix end-of-body string escaping
  • gtls: only call gnutls_transport_set_lowat with HTTP: handle multiple auths in a single WWW-Authenticate line
  • curl_multi_fdset: correct fdset with FTP PORT use
  • windbuild: fix the static build
  • fix builds with GnuTLS version 3
  • fix calling of OpenSSL's ERR_remove_state(0)
  • HTTP auth: fix proxy Negotiate bug when Negotiate not requested
  • ftp PORT: don't hang if bind() fails
  • -# would crash on terminals wider than 256 columns

New in cURL 7.21.7 (Jun 25, 2011)

  • Changes:
  • recognize the [protocol]:// prefix in proxy hosts where the protocol is one of socks4, socks4a, socks5 or socks5h.
  • Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA
  • Bug fixes:
  • SECURITY ADVISORY: inappropriate GSSAPI delegation
  • NTLM: work with unicode
  • fix connect with SOCKS proxy when using the multi interface
  • anyauthput.c: stdint.h must not be included unconditionally
  • CMake: improved build
  • SCP/SFTP enable non-blocking earlier
  • GnuTLS handshake: fix timeout
  • cyassl: build without filesystem
  • HTTPS over HTTP proxy using the multi interface
  • speedcheck: invalid timeout event on a reused handle
  • Force connection close for HTTP 200 OK when time condition matched
  • curl_formget: fix FILE * leak
  • configure: improved OpenSSL detection
  • Android build: support gingerbread
  • CURLFORM_STREAM: acknowledge CURLFORM_FILENAME
  • windows build: use correct MS CRT
  • pop3: remove extra space in LIST command

New in cURL 7.21.6 (Apr 23, 2011)

  • Changes:
  • Added --tr-encoding and CURLOPT_TRANSFER_ENCODING
  • Bugfixes:
  • curl-config: fix --version
  • curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
  • use HTTPS properly after CONNECT
  • SFTP: close file before post quote operations

New in cURL 7.21.4 (Feb 19, 2011)

  • Changes:
  • CURLINFO_FTP_ENTRY_PATH now supports SFTP
  • introduced new framework for unit-testing
  • IDN: use win32 API if told to
  • ares: ask for both IPv4 and IPv6 addresses
  • HTTP: do Negotiate authentication using SSPI on windows
  • Windows build: alternative makefile
  • TLS-SRP: support added when using GnuTLS
  • Bugfixes:
  • SMTP: add brackets for MAIL FROM
  • ossl_seed: no more RAND_screen (on Windows)
  • multi: connect fail => use next IP address
  • use the timeout when using multiple IP addresses similar to how the easy interface does it
  • cookies: tricked dotcounter fixed
  • pubkey_show: allocate buffer to fit any-size result
  • Curl_nss_connect: avoid PATH_MAX
  • Curl_do: avoid using stale conn pointer
  • tftpd test server: avoid buffer overflow report from glibc
  • nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
  • nss: fix a bug in handling of CURLOPT_CAPATH
  • CMake: Use upstream CheckTypeSize module
  • OpenSSL get_cert_chain: support larger data sets
  • SCP/SFTP transfers: acknowledge speedcheck
  • GnuTLS builds: fix memory leak
  • connect problem: use UDP correctly
  • Borland C++ makefile tweaks
  • OpenSSL: improved error message on SSL_CTX_new failures
  • HTTP: memory leak on multiple Location:
  • ares_query_completed_cb: don't touch invalid data
  • ares: memory leak fix
  • mk-ca-bundle: use new cacert url
  • Curl_gmtime: added a portable gmtime and check for NULL
  • curl.1: typo in -v description
  • CURLOPT_SOCKOPTFUNCTION: return proper error code
  • --keepalive-time: warn if not supported properly
  • file: add support for CURLOPT_TIMECONDITION
  • nss: avoid memory leaks and failure of NSS shutdown
  • multi: fix CURLM_STATE_TOOFAST for multi_socket

New in cURL 7.21.3 (Dec 17, 2010)

  • Changes:
  • Added --noconfigure switch to testcurl.pl
  • Added --xattr option
  • Added CURLOPT_RESOLVE and --resolve
  • Added CURLAUTH_ONLY
  • Added version-check.pl to the examples dir
  • Bugfixes:
  • check for libcurl features for some command line options
  • Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
  • http_chunks: remove debug output
  • URL-parsing: consider ? a divider
  • SSH: avoid using the libssh2_ prefix
  • SSH: use libssh2_session_handshake() to work on win64
  • ftp: prevent server from hanging on closed data connection when stopping a transfer before the end of the full transfer (ranges)
  • LDAP: detect non-binary attributes properly
  • ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
  • gnutls->handshake: improved timeout handling
  • security: Pass the right parameter to init
  • krb5: Use GSS_ERROR to check for error
  • TFTP: resend the correct data
  • configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
  • GnuTLS: now detects socket errors on Windows
  • symbols-in-versions: updated en masse
  • added a couple examples that were missing from the tar ball
  • Curl_send/recv_plain: return errno on failure
  • Curl_wait_for_resolv (for c-ares): correct timeout
  • ossl_connect_common: detect connection re-use
  • configure: Prevent link errors with --librtmp
  • openldap: use remote port in URL passed to ldap_init_fd()
  • url: provide dead_connection flag in Curl_handler::disconnect
  • lots of compiler warning fixes
  • ssh: fix a download resume point calculation
  • fix getinfo CURLINFO_LOCAL* for reused connections
  • multi: the returned running handles conuter could turn negative
  • multi: only ever consider pipelining for connections doing HTTP(S)

New in cURL 7.21.2 (Oct 13, 2010)

  • Changes:
  • curl -T: ignore file size of special files
  • Added GOPHER protocol support
  • Added mk-ca-bundle.vbs script
  • c-ares build now requires c-ares >= 1.6.0
  • Bug fixes:
  • --remote-header-name security vulnerability fixed
  • multi: support the timeouts correctly, fixes known bug #62
  • multi: use timeouts properly for MAX_RECV/SEND_SPEED
  • negotiation: Wrong proxy authorization
  • multi: avoid sending multiple complete messages
  • cmdline: make -F type= accept ;charset=
  • RESUME_FROM: clarify what ftp uploads do
  • http: handle trailer headers in all chunked responses
  • Curl_is_connected: use correct errno
  • Added SSPI build to Watcom makefile
  • progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
  • linking problem on Fedora 13
  • Link curl and the test apps with -lrt explicitly when necessary
  • chunky parser: only rewind stream internally if needed
  • remote-header-name: don't output filename when NULL
  • Curl_timeleft: avoid returning "no timeout" by mistake
  • timeout: use the correct start value as offset
  • FTP: fix wrong timeout trigger
  • buildconf got better output on failures
  • rtsp: avoid SIGSEGV on malformed header
  • LDAP: Support for tunnelling queries through HTTP proxy
  • configure's --enable-werror had a bashism
  • test565: Don't hardcode IP:PORT
  • configure: check for gcrypt if using GnuTLS
  • configure: don't enable RTMP if the lib detect fails
  • curl_easy_duphandle: clone the c-ares handle correctly
  • MacOSX-Framework: updates for Snowleopard
  • support URL containing colon without trailing port number
  • parsedate: allow time specified without seconds
  • curl_easy_escape: don't escape "unreserved" characters
  • SFTP: avoid downloading negative sizes
  • Lots of GSS/KRB FTP fixes
  • TFTP: Work around tftpd-hpa upload bug
  • libcurl.m4: several fixes
  • HTTP: remove special case for 416
  • examples: use example.com in example URLs
  • globbing: fix crash on unballanced open brace
  • cmake: build fixed

New in cURL 7.21.1 (Aug 12, 2010)

  • Changes:
  • maketgz: produce CHANGES automatically
  • added support for NTLM authentication when compiled with NSS
  • build: Enable configure --enable-werror
  • curl-config: --built-shared returns shared info
  • Bugfixes:
  • configure: spell --disable-threaded-resolver correctly
  • multi: call the progress callback in all states
  • multi: unmark handle as used when no longer head of pipeline
  • sendrecv: treat all negative values from send/recv as errors
  • ftp-wildcard: avoid tight loop when used without any pattern
  • multi_socket: re-use of same socket without notifying app
  • ftp wildcard: FTP LIST parser FIX
  • urlglobbing backslash escaping bug
  • build: add enable IPV6 option for the VC makefiles
  • multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
  • --libcurl: use *_LARGE options with typecasted constants
  • --libcurl: hide setopt() calls setting default options
  • curl: avoid setting libcurl options to its default
  • --libcurl: list the tricky options instead of using [REMARK]
  • http: don't enable chunked during authentication negotiations
  • upload: warn users trying to upload from stdin with anyauth
  • configure: allow environments variable to override internals
  • threaded resolver: fix timeout issue
  • multi: fix condition that remove timers before trigger
  • examples: add curl_multi_timeout
  • --retry: access violation with URL part sets continued
  • ssh: Fix compile error on 64-bit systems.
  • remote-header-name: chop filename at next semicolon
  • ftp: response timeout bug in "quote" sending
  • CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
  • Watcom makefiles overhaul.
  • NTLM tests: boost coverage by forcing the hostname
  • multi: fix FTPS connecting the data connection with OpenSSL
  • retry: consider retrying even if -f is used
  • fix SOCKS problem when using multi interface
  • typecheck-gcc: add checks for recently added options
  • SCP: send large files properly with new enough libssh2
  • multi_socket: set timeout for 100-continue
  • ";type=" URL suffix over HTTP proxy
  • acknowledge progress callback error returns during connect
  • Watcom makefile fixes
  • runtests: clear old setenv remainders before test

New in cURL 7.21.0 (Jun 16, 2010)

  • Changes:
  • added the --proto and -proto-redir options
  • new configure option --enable-threaded-resolver
  • improve TELNET ability with libcurl
  • added support for PolarSSL
  • added support for FTP wildcard matching and downloads
  • added support for RTMP
  • introducing new LDAP code for new enough OpenLDAP
  • OpenLDAP support enabled for cygwin builds
  • added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
  • Bugfixes:
  • prevent needless reverse name lookups
  • detect GSS on ancient Linux distros
  • GnuTLS: EOF caused error when it wasn't
  • GnuTLS: SSL handshake phase is non-blocking
  • -J/--remote-header-name strips CRLF
  • MSVC makefiles now use ws2_32.lib instead of wsock32.lib
  • -O crash on windows
  • SSL handshake timeout underflow in libcurl-NSS
  • multi interface missed storing connection time
  • broken CRL support in libcurl-NSS
  • ignore response-body on redirect even if compressed
  • OpenSSL handshake state-machine for multi interface
  • TFTP timeout option sent correctly
  • TFTP block id wrap
  • curl_multi_socket_action() timeout handles inaccuracy in timers better
  • SCP/SFTP failure to respect the timeout
  • spurious SSL connection aborts with OpenSSL

New in cURL 7.20.0 (Feb 10, 2010)

  • Changes:
  • support SSL_FILETYPE_ENGINE for client certificate
  • curl-config can now show the arguments used when building curl
  • non-blocking TFTP
  • send Expect: 100-continue for POSTs with unknown sizes
  • added support for IMAP(S), POP3(S), SMTP(S) and RTSP
  • added new curl_easy_setopt() options for SMTP and RTSP
  • added --mail-from and --mail-rcpt for SMTP
  • VMS build system enhancements
  • added support for the PRET ftp command
  • curl supports --ssl and --ssl-reqd
  • added -J/--remote-header-name for using server-provided filename with -O
  • enhanced asynchronous DNS lookups
  • symbol CURL_FORMAT_OFF_T is obsoleted
  • Bugfixes:
  • progress meter percentage and transfer time estimates fixes
  • portability enhancement for OS's without orthogonal directory tree structure
  • progress meter/callback during FTP connection
  • DNS cache timeout while transfer in progress
  • compilation when configured --with-gssapi having GNU GSS installed
  • SSL connection reused with mismatched protection level
  • configure --with-nss is set but not "yes"
  • don't store LDFLAGS in pkg-config file
  • never-pruned DNS cached entries
  • HTTP proxy tunnel re-used connection even if tunnel got disabled
  • SSL lib post-close write
  • curl failed to report write errors for tiny failed downloads
  • TFTP BLKSIZE
  • Expect: 100-continue handling when set by the application
  • multi interface with OpenSSL read already freed memory when closing down
  • --retry didn't do right for FTP transient errors
  • some *_proxy environment variables didn't function
  • libcurl-OpenSSL engine cleanup
  • header include fix for FreeBSD versions before v8
  • fragment part of URLs are no longer sent to the server
  • progress callback called repeatedly with c-ares for resolving
  • OpenSSL session id ref count leak
  • progress callback called repeatedly during slow connects
  • curl_multi_fdset() would return -1 too often during SCP/SFTP transfers
  • FTP file size checks with ASCII transfers
  • HTTP Cookie: headers sort cookies based on specified path lengths
  • CURLM_CALL_MULTI_PERFORM fix for multi socket timeout calls
  • libcurl data callback excessive length

New in cURL 7.19.7 (Nov 6, 2009)

  • Changes:
  • -T. is now for non-blocking uploading from stdin
  • SYST handling on FTP for OS/400 FTP server cases
  • libcurl refuses to read a single HTTP header longer than 100K
  • added the --crlfile option to curl
  • Bugfixes:
  • The windows makefiles work again
  • libcurl-NSS acknowledges verifyhost
  • SIGSEGV when pipelined pipe unexpectedly breaks
  • data corruption issue with re-connected transfers
  • use after free if we're completed but easy_conn not NULL (pipelined)
  • missing strdup() return code check
  • CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
  • configure --with-gnutls=PATH fixed
  • ftp response reader bug on failed control connections
  • improved NSS error message on failed host name verifications
  • ftp NOBODY on re-used connection hang
  • configure uses pkg-config for cross-compiles as well
  • improved NSS detection in configure
  • cookie expiry date at 1970-jan-1 00:00:00
  • libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
  • libcurl-OpenSSL can load CRL files with more than one certificate inside
  • received cookies without explicit path got saved wrong if the URL had a query part
  • don't shrink SO_SNDBUF on windows for those who have it set large already
  • connect next bug
  • invalid file name characters handling on Windows
  • double close() on the primary socket with libcurl-NSS
  • GSS negotiate infinite loop on bad credentials
  • memory leak in SCP/SFTP connections
  • use pkg-config to find out libssh2 installation details in configure
  • unparsable cookie expire dates make cookies get treated as session coookies
  • POST with Digest authentication and "Transfer-Encoding: chunked"
  • SCP connection re-use with wrong auth
  • CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
  • CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)

New in cURL 7.19.6 (Aug 16, 2009)

  • Changes:
  • CURLOPT_FTPPORT (and curl's -P/--ftpport) support port ranges
  • Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA
  • CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE can be told to ignore error responses when used with FTP
  • Bug fixes:
  • crash on bad socket close with FTP
  • leaking cookie memory when duplicate domains or paths were used
  • build fix for Symbian
  • CURLOPT_USERPWD set to NULL clears auth credentials
  • libcurl-NSS build fixes
  • configure script fixed for VMS
  • set Content-Length: with POST and PUT failed with NTLM auth
  • allow building libcurl for VxWorks
  • curl tool exit codes fixed for VMS
  • --no-buffer treated correctly
  • djgpp build fix
  • configure detection of GnuTLS now based on pkg-config as well
  • libcurl-NSS client cert handling segfaults
  • curl uploading from stdin/pipes now works in non-blocking way so that it continues the downloading even when the read stalls
  • ftp credentials are added to the url if needed for http proxies
  • curl -o - sends data to stdout using binary mode on windows
  • fixed the separators for "array" style string that CURLINFO_CERTINFO returns
  • auth problem over several hosts with re-used connection
  • improved the support for client certificates in libcurl+NSS
  • fix leak in gtls code
  • missing algorithms in libcurl+OpenSSL
  • with noproxy set you could still get a proxy if a proxy env was set
  • rand seeding on libcurl on windows built with OpenSSL was not thread-safe
  • fixed the zero byte inserted in cert name flaw in libcurl+OpenSSL
  • don't try SNI with SSLv2 or SSLv3 (OpenSSL and GnuTLS builds)
  • libcurl+OpenSSL would wrongly acknowledge a cert if CN matched but subjectAltName didn't
  • TFTP upload sent illegal TSIZE packets

New in cURL 7.19.5 (May 22, 2009)

  • Changes:
  • libcurl now closes all dead connections whenever you attempt to open a new connection
  • libssh2's version number can now be figured out run-time instead of using the build-time fixed number
  • CURLOPT_SEEKFUNCTION may now return CURL_SEEKFUNC_CANTSEEK
  • curl can now upload with resume even when reading from a pipe
  • a build-time configured curl_socklen_t is now used instead of socklen_t
  • Bugfixes:
  • NTLM authentication memory leak on SSPI enabled Windows builds
  • fixed the GnuTLS-using code to do correct return code checks
  • an alloc-related call in the OpenSSL-using code didn't check the return value
  • curl_easy_duphandle() failed to duplicate cookies at times
  • missing TELNET timeout support in Windows builds
  • missing Curl_read() and write callback result checking in TELNET transfers
  • more ciphers enabled in libcurl built to use NSS
  • properly return an error code in curl_easy_recv
  • Sun compilers specific preprocessor block removed from curlbuild.h.dist
  • allow creation of four way fat libcurl Mac OS X Framework
  • several memory leaks in libcurl+NSS
  • improved the CURLOPT_NOBODY set to 0 confusions
  • persistent connections when doing FTP over a HTTP proxy
  • --libcurl bogus strings where other data was pointed to
  • crash related to FTP and "Re-used connection seems dead, get a new one"
  • CURLINFO_APPCONNECT_TIME with the multi interface
  • Enhanced upload speeds on Windows
  • TFTP problems after a failed transfer to the same host
  • improved out of the box TPF compatibility
  • HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF
  • Rejected SSL session ids are killed properly (for OpenSSL and GnuTLS builds)
  • Deal with the TFTP OACK packet
  • fixed roff mistakes in man pages
  • use SOCKS proxy with the multi interface
  • fixed the Curl_getoff_all_pipelines SIGSEGV
  • POST, NTLM and following a redirect hang
  • libcurl+NSS endless loop on incorrect password for private key
  • gzip decompression memory leak
  • no_proxy flaw with user name in URL

New in cURL 7.19.4 (Mar 18, 2009)

  • Changes:
  • Added CURLOPT_NOPROXY and the corresponding --noproxy
  • the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default in openssl 0.9.8j
  • Added CURLOPT_TFTP_BLKSIZE
  • Added CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC - with the corresponding curl options --socks5-gssapi-service and --socks5-gssapi-nec
  • Improved IPv6 support when built with with c-ares >= 1.6.1
  • Added CURLPROXY_HTTP_1_0 and --proxy1.0
  • Added docs/libcurl/symbols-in-versions
  • Added CURLINFO_CONDITION_UNMET
  • Added support for Digest and NTLM authentication using GnuTLS
  • CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even when MKD fails
  • GnuTLS initing moved to curl_global_init()
  • Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS, see also the security advisory
  • Bugfixes:
  • missing ssh.obj in VS makefiles
  • FTP ;type=i URLs now work with CURLOPT_PROXY_TRANSFER_MODE in Turkish locale
  • realms with quoted quotation marks in HTTP Digest headers
  • VC9 makefiles are now really included
  • multi interface memory leak with CURLMOPT_MAXCONNECTS set
  • CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true
  • memory leak on some libz errors for content encodings
  • NSS-enabled build is repaired
  • superfluous wait in SFTP downloads removed
  • FTP with the multi interface no longer kills the control connection as easily on transfer failures
  • compilation halting when using VS2008 to build a Windows 2000 target
  • ease creation of libcurl Mac OS X Framework
  • CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD are -1 if unknown
  • Negotiate proxy authentication
  • CURLOPT_INTERFACE and CURLOPT_LOCALPORT used together

New in cURL 7.19.3 (Jan 20, 2009)

  • Changes:
  • CURLAUTH_DIGEST_IE bit added for CURLOPT_HTTPAUTH and CURLOPT_PROXYAUTH
  • VC9 Makefiles were added to the release package
  • Bugfixes:
  • build failure when disabling FTP but enabling GSS
  • fixed several calls to memory functions that didn't check return codes
  • memory leak for SSL connects with libcurl/NSS when CURLOPT_ISSUERCERT was used
  • re-use of connections with the multi interface when multiple handles used the same server
  • memory leak with HTTP GSS/kerberos authentication
  • removed the default use of "Pragma: no-cache"
  • fix SCP/SFTP busyloop by using a new libssh2 1.0 function
  • bad fclose() after a fatal error in cookie code
  • curl_multi_remove_handle() when the handle was in use in a HTTP pipeline
  • GSS authentication infinite loop problem
  • 550 response from SIZE no longer treated as missing file
  • ftps:// control connections now use explicit protection level
  • dotted IPv6 addresses longer than 39 bytes failed
  • curl_easy_duphandle() doesn't try to duplicate the connection cache pointer
  • build failure on OS/400 when enabling IPv6
  • better detection of SFTP failures
  • improved connection re-use for subsequent SCP and SFTP transfers
  • multi interface does less busy-loops for SCP and SFTP transfers with libssh2 1.0 or later
  • curl_multi_timeout() no longer returns timeout 0 when there's still more than 0 but less than 999 microseconds left
  • the multi_socket API and HTTP pipelining now work a lot better when combined
  • SFTP seek/resume beyond 32bit file sizes
  • fixed breakage with --with-ssl --disable-verbose
  • TTL "leak" in the DNS cache
  • improved NSS initing
  • curl_easy_reset now resets more options
  • rare Location: follow bug with the multi interface
  • the configure script can now detect gnutls with pkg-config
  • curlbuild.h was adjusted for SunPro compilers
  • CURLOPT_COOKIELIST set to "SESS" on an easy handle with no cookies data
  • fixed timeouts for TFTP
  • fixed PPC builds

New in cURL 7.19.2 (Nov 15, 2008)

  • build failure when using MSVC 6 makefile and on four platforms more
  • crash when using --interface name on Linux systems with a TEQL device
  • using the multi interface to download a HTTPS page with libcurl built powered by OpenSSL could download "rubbish" instead of actual content

New in cURL 7.19.1 (Nov 5, 2008)

  • Changes:
  • pkg-config can now show supported_protocols and supported_features.
  • Added CURLOPT_CERTINFO and CURLINFO_CERTINFO.
  • Added CURLOPT_POSTREDIR.
  • Better detect HTTP 1.0 servers and don't do HTTP 1.1 requests on them.
  • configure --disable-proxy disables proxy support.
  • Added CURLOPT_USERNAME and CURLOPT_PASSWORD.
  • --interface now works with IPv6 connections on glibc systems.
  • Added CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD.
  • Bugfixes:
  • MingW32 non-configure builds are now largefile feature enabled by default.
  • NetWare LIBC builds are now largefile feature enabled by default.
  • curl_easy_pause() could behave wrongly on unpause.
  • cookies with invalid expire dates are now considered expired.
  • HTTP pipelining over proxy.
  • fix regression in configure script which affected OpenSSL builds on MSYS.
  • GnuTLS-based multi interface doing HTTPS over proxy failed.
  • recv() failures cause CURLE_RECV_ERROR.
  • SFTP over SOCKS crash fixed.
  • thread-safety issues addressed for NSS-powered libcurls.
  • removed the use of mktime() and gmtime(_r)() in date parsing and conversions.
  • HTTP Digest with a blank realm did wrong.
  • CURLINFO_REDIRECT_URL didn't work with the multi interface.
  • CURLOPT_RANGE now works for SFTP downloads.
  • FTP SIZE response 550 now causes CURLE_REMOTE_FILE_NOT_FOUND.
  • CURLINFO_PRIMARY_IP fixed for persistent connection re-use cases.
  • remove_handle/add_handle multi interface timer callback flaw.
  • CURLINFO_REDIRECT_URL memory leak and wrong-doing.
  • case insensitive string matching works in Turkish too.
  • Solaris builds get _REENTRANT defined properly and work again.
  • Garbage sent on chunky upload after curl_easy_pause().
  • ipv4 name resolves when libcurl is built with ipv6-enabled c-ares.
  • undersized IPv6 address internal buffer truncated long IPv6 addresses.
  • CURLINFO_FILETIME works for file:// transfers as well.

New in cURL 7.19.0 (Sep 2, 2008)

  • curl_off_t gets its size/typedef somewhat differently than before. This _may_ cause an ABI change for you. See lib/README.curl_off_t for a full explanation.
  • Added CURLINFO_PRIMARY_IP
  • Added CURLOPT_CRLFILE and CURLE_SSL_CRL_BADFILE
  • Added CURLOPT_ISSUERCERT and CURLE_SSL_ISSUER_ERROR
  • curl's option parser for boolean options reworked
  • Added --remote-name-all
  • Now builds for the INTEGRITY operating system
  • Added CURLINFO_APPCONNECT_TIME
  • Added test selection by key word in runtests.pl
  • the curl tool's -w option support the %{ssl_verify_result} variable
  • Added CURLOPT_ADDRESS_SCOPE and scope parsing of the URL according to RFC4007
  • Support --append on SFTP uploads (not with OpenSSH, though)
  • Added curlbuild.h and curlrules.h to the external library interface
  • Fixed curl-config --ca
  • Fixed the multi interface connection re-use with NSS-built libcurl
  • connection re-use when using the multi interface with pipelining enabled
  • curl_multi_socket() socket callback fix for close/re-create sockets case
  • SCP or SFTP over socks proxy crashed
  • RC4-MD5 cipher now works with NSS-built libcurl
  • range requests with --head are now done correctly
  • fallback to gettimeofday when monotonic clock is unavailable at run-time
  • range numbers could be made to wrongly get output as signed
  • unexpected 1xx responses hung transfers
  • FTP transfers segfault when using different CURLOPT_FTP_FILEMETHOD
  • c-ares powered libcurls can resolve/use IPv6 addresses
  • poll not working on Windows Vista due to POLLPRI being incorrectly used
  • user-agent in CONNECT with non-HTTP protocols
  • CURL_READFUNC_PAUSE problems fixed
  • --use-ascii now works on Symbian OS, MS-DOS and OS/2
  • CURLINFO_SSL_VERIFYRESULT is fixed
  • FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
  • a user name in a proxy URL without a password was parsed incorrectly
  • library will now be built with _REENTRANT symbol defined only if needed
  • no longer link with gdi32 on Windows cross-compiled targets
  • HTTP PUT with -C - sent bad Content-Range: header
  • HTTP PUT or POST with redirect could lead to hang
  • re-use of connections with failed SSL connects in the multi interface
  • NTLM over proxy state was wrongly cleared when host connection was closed
  • Windows SSPI DLL loading is now done in curl_global_init()
  • runtests.pl has an improved find-stunnel-and-invoke
  • FTP sessions could go out of sync on a long header boundary condition
  • potential buffer overflows in the MS-DOS command-line port fixed
  • --stderr is now honoured with the -v option
  • memory leak in libcurl on Windows built with OpenSSL
  • improved curl_m*printf() integral data type size and signedness handling
  • error when --dump-header - used with more than one URL
  • proxy closing connect during CONNECT with auth with the multi interface
  • CURLOPT_UPLOAD sets HTTP method back to GET or HEAD when passed in a 0
  • shared cookies could get locked twice
  • deal with closed connection while doing POST/PUT

New in cURL 7.18.2 (Jun 5, 2008)

  • CURLFORM_STREAM was added
  • CURLOPT_NOBODY is now supported over SFTP
  • curl can now run on Symbian OS
  • curl -w redirect_url and CURLINFO_REDIRECT_URL
  • added curl_easy_send() and curl_easy_recv()
  • CURLOPT_NOBODY first set to TRUE and then FALSE for HTTP no longer causes the confusion that could lead to a hung transfer
  • curl_easy_reset() resets the max redirect limit properly
  • configure now correctly recognizes Heimdal and MIT gssapi libraries
  • malloc() failure check in Negotiate
  • -i and -I together now work the same no matter what order they're used
  • the typechecker can be bypassed by defining CURL_DISABLE_TYPECHECK
  • a pointer mixup could make the FTP code send bad user password under rare circumstances (found when using curlftpfs)
  • CURLOPT_OPENSOCKETFUNCTION can now be used to create a unix domain socket
  • CURLOPT_TCP_NODELAY crash due to getprotobyname() use
  • libcurl sometimes sent body twice when using CURLAUTH_ANY
  • configure detecting debug-enabled c-ares
  • microsecond resolution keys for internal splay trees
  • krb4 and krb5 ftp segfault
  • multi interface busy loop for CONNECT requests
  • internal time differences now use monotonic time source if available
  • several curl_multi_socket() fixes
  • builds fine for Haiku OS
  • follow redirect with only a new query string
  • SCP and SFTP memory leaks on aborted transfers
  • curl_multi_socket() and HTTP pipelining transfer stalls
  • lost telnet data on an EWOULDBLOCK condition

New in cURL 7.18.1 (Mar 31, 2008)

  • added support for HttpOnly cookies
  • 'make ca-bundle' downloads and generates an updated ca bundle file
  • we no longer distribute or install a ca cert bundle
  • SSLv2 is now disabled by default for SSL operations
  • the test509-style setting URL in callback is officially no longer supported
  • support a full chain of certificates in a given PKCS12 certificate
  • resumed transfers work with SFTP
  • added type checking macros for curl_easy_setopt() and curl_easy_getinfo(), watch out for new warnings in code using libcurl (needs gcc-4.3 and currently only works in C mode)
  • curl_easy_setopt(), curl_easy_getinfo(), curl_share_setopt() and curl_multi_setopt() uses are now checked to use exactly three arguments
  • --with-ca-path=DIR configure option allows to set an openSSL CApath instead of a default ca bundle.
  • improved pipelining
  • improved strdup replacement
  • GnuTLS-built libcurl failed when doing global cleanup and reinit
  • error message problem when unable to resolve a host on Windows
  • Accept: header replacing
  • not verifying server certs with GnuTLS still failed if gnutls had problems with the cert
  • when using the multi interface and a handle is removed while still having a transfer going on, the connection is now closed by force
  • bad re-use of SSL connections in non-complete state
  • test case 405 failures with GnuTLS builds
  • crash when connection cache size is 1 and Curl_do() failed
  • GnuTLS-built libcurl can now be forced to prefer SSLv3
  • crash when doing Negotiate again on a re-used connection
  • select/poll regression
  • better MIT kerberos configure check
  • curl_easy_reset() SFTP re-used connection download crash
  • SFTP non-existing file SFTP existing file error
  • sharing DNS cache between easy handles running in multiple threads could lead to crash
  • SFTP upload with CURLOPT_FTP_CREATE_MISSING_DIRS on re-used connection
  • SFTP infinite loop when given an invalid quote command
  • curl-config erroneously reported LDAPS support with missing LDAP libraries
  • SCP infinite loop when downloading a zero byte file
  • setting the CURLOPT_SSL_CTX_FUNCTION with libcurl built without OpenSSL now makes curl_easy_setopt() properly return failure
  • configure --with-libssh2 (with no given path)