diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c6127b3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,52 @@ +# Prerequisites +*.d + +# Object files +*.o +*.ko +*.obj +*.elf + +# Linker output +*.ilk +*.map +*.exp + +# Precompiled Headers +*.gch +*.pch + +# Libraries +*.lib +*.a +*.la +*.lo + +# Shared objects (inc. Windows DLLs) +*.dll +*.so +*.so.* +*.dylib + +# Executables +*.exe +*.out +*.app +*.i*86 +*.x86_64 +*.hex + +# Debug files +*.dSYM/ +*.su +*.idb +*.pdb + +# Kernel Module Compile Results +*.mod* +*.cmd +.tmp_versions/ +modules.order +Module.symvers +Mkfile.old +dkms.conf diff --git a/build_rules.mk b/build_rules.mk new file mode 100644 index 0000000..1bf94aa --- /dev/null +++ b/build_rules.mk @@ -0,0 +1,69 @@ +# Check for linux vs macOS and account for clang/ld path +UNAME_S := $(shell uname -s) + +ifeq ($(UNAME_S),Linux) + CC := clang + CXX := clang++ + LD := ld.lld + AR := llvm-ar + CDIR := linux +endif +ifeq ($(UNAME_S),Darwin) + CC := /usr/local/opt/llvm/bin/clang + CXX := /usr/local/opt/llvm/bin/clang++ + LD := /usr/local/opt/llvm/bin/ld.lld + AR := /usr/local/opt/llvm/bin/llvm-ar + CDIR := macos +endif + +# Allow for 'make VERBOSE=1' to see the recepie executions +ifndef VERBOSE + VERB := @ +endif + +#--------------------------------------------------------------------------------- +%.a: +#--------------------------------------------------------------------------------- + $(VERB) echo $(notdir $@) + $(VERB) rm -f $@ + $(VERB) $(AR) -rc $@ $^ + +#--------------------------------------------------------------------------------- +%.elf: $(OFILES) + $(VERB) echo linking ... $(notdir $@) + $(VERB) $(LD) $^ $(LDFLAGS) $(LIBPATHS) $(LIBS) -o $@ + +#--------------------------------------------------------------------------------- +%.o: %.cpp + $(VERB) echo $(notdir $<) + $(VERB) $(CXX) $(DEPSOPT) $(CXXFLAGS) -o $@ $< $(ERROR_FILTER) + +#--------------------------------------------------------------------------------- +%.o: %.c + $(VERB) echo $(notdir $<) + $(VERB) $(CC) $(DEPSOPT) $(CFLAGS) -o $@ $< $(ERROR_FILTER) + +#--------------------------------------------------------------------------------- +%.o: %.m + $(VERB) echo $(notdir $<) + $(VERB) $(CC) $(DEPSOPT) $(OBJCFLAGS) -o $@ $< $(ERROR_FILTER) + +#--------------------------------------------------------------------------------- +%.o: %.s + $(VERB) echo $(notdir $<) + $(VERB) $(CC) $(DEPSOPT) -x assembler-with-cpp $(ASFLAGS) -o $@ $< $(ERROR_FILTER) + +#--------------------------------------------------------------------------------- +%.o: %.S + $(VERB) echo $(notdir $<) + $(VERB) $(CC) $(DEPSOPT) -x assembler-with-cpp $(ASFLAGS) -o $@ $< $(ERROR_FILTER) + +#--------------------------------------------------------------------------------- +# canned command sequence for binary data +#--------------------------------------------------------------------------------- +define bin2o + $(VERB) bin2s -a 64 $< | $(AS) -o $(@) + $(VERB) echo "extern const u8" `(echo $( `(echo $(> `(echo $(> `(echo $(data to know if a transfer owns it + + - make sure an already "owned" connection isn't returned unless + multiplexed. + + - clear ->data when returning the connection to the cache again + + Regression since 7.62.0 (probably in commit 1b76c38904f0) + + Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + + Closes #3686 + +- RELEASE-NOTES: synced + +- [Chris Young brought this change] + + configure: add --with-amissl + + AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. + It also requires all programs using it to use bsdsocket.library + directly, rather than accessing socket functions through clib, which + libcurl was not necessarily doing previously. Configure will now check + for the headers and ensure they are included if found. + + Closes #3677 + +- [Chris Young brought this change] + + vtls: rename some of the SSL functions + + ... in the SSL structure as AmiSSL is using macros for the socket API + functions. + +- [Chris Young brought this change] + + tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr + +- [Chris Young brought this change] + + tool_operate: build on AmigaOS + +- makefile: make checksrc and hugefile commands "silent" + + ... to match the style already used for compiling, linking + etc. Acknowledges 'make V=1' to enable verbose. + + Closes #3681 + +- curl.1: --user and --proxy-user are hidden from ps output + + Suggested-by: Eric Curtin + Improved-by: Dan Fandrich + Ref: #3680 + + Closes #3683 + +- curl.1: mark the argument to --cookie as + + From a discussion in #3676 + + Suggested-by: Tim Rühsen + + Closes #3682 + +Dan Fandrich (14 Mar 2019) +- fuzzer: Only clone the latest fuzzer code, for speed. + +Daniel Stenberg (14 Mar 2019) +- [Dominik Hölzl brought this change] + + Negotiate: fix for HTTP POST with Negotiate + + * Adjusted unit tests 2056, 2057 + * do not generally close connections with CURLAUTH_NEGOTIATE after every request + * moved negotiatedata from UrlState to connectdata + * Added stream rewind logic for CURLAUTH_NEGOTIATE + * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC + * Consider authproblem state for CURLAUTH_NEGOTIATE + * Consider reuse_forbid for CURLAUTH_NEGOTIATE + * moved and adjusted negotiate authentication state handling from + output_auth_headers into Curl_output_negotiate + * Curl_output_negotiate: ensure auth done is always set + * Curl_output_negotiate: Set auth done also if result code is + GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may + also indicate the last challenge request (only works with disabled + Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) + * Consider "Persistent-Auth" header, detect if not present; + Reset/Cleanup negotiate after authentication if no persistent + authentication + * apply changes introduced with #2546 for negotiate rewind logic + + Fixes #1261 + Closes #1975 + +- [Marc Schlatter brought this change] + + http: send payload when (proxy) authentication is done + + The check that prevents payload from sending in case of authentication + doesn't check properly if the authentication is done or not. + + They're cases where the proxy respond "200 OK" before sending + authentication challenge. This change takes care of that. + + Fixes #2431 + Closes #3669 + +- file: fix "Checking if unsigned variable 'readcount' is less than zero." + + Pointed out by codacy + + Closes #3672 + +- memdebug: log pointer before freeing its data + + Coverity warned for two potentional "Use after free" cases. Both are false + positives because the memory wasn't used, it was only the actual pointer + value that was logged. + + The fix still changes the order of execution to avoid the warnings. + + Coverity CID 1443033 and 1443034 + + Closes #3671 + +- RELEASE-NOTES: synced + +Marcel Raad (12 Mar 2019) +- travis: actually use updated compiler versions + + For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the + new GCC versions were only used for the coverage build and for building + nghttp2, while the new clang version was not used at all. + + BoringSSL needs to use the default GCC as it respects CC, but not CXX, + so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + + Also remove GCC 7, it's not needed anymore. + + Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + + Closes https://github.com/curl/curl/pull/3670 + +- travis: update clang to version 7 + + Closes https://github.com/curl/curl/pull/3670 + +Jay Satiro (11 Mar 2019) +- [Andre Guibert de Bruet brought this change] + + examples/externalsocket: add missing close socket calls + + .. and for Windows also call WSACleanup since we call WSAStartup. + + The example is to demonstrate handling the socket independently of + libcurl. In this case libcurl is not responsible for creating, opening + or closing the socket, it is handled by the application (our example). + + Fixes https://github.com/curl/curl/pull/3663 + +Daniel Stenberg (11 Mar 2019) +- multi: removed unused code for request retries + + This code was once used for the non multi-interface using code path, but + ever since easy_perform was turned into a wrapper around the multi + interface, this code path never runs. + + Closes #3666 + +Jay Satiro (11 Mar 2019) +- doh: inherit some SSL options from user's easy handle + + - Inherit SSL options for the doh handle but not SSL client certs, + SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, + SSL pinned public key, SSL ciphers, SSL id cache setting, + SSL kerberos or SSL gss-api settings. + + - Fix inheritance of verbose setting. + + - Inherit NOSIGNAL. + + There is no way for the user to set options for the doh (DNS-over-HTTPS) + handles and instead we inherit some options from the user's easy handle. + + My thinking for the SSL options not inherited is they are most likely + not intended by the user for the DOH transfer. I did inherit insecure + because I think that should still be in control of the user. + + Prior to this change doh did not work for me because CAINFO was not + inherited. Also verbose was set always which AFAICT was a bug (#3660). + + Fixes https://github.com/curl/curl/issues/3660 + Closes https://github.com/curl/curl/pull/3661 + +Daniel Stenberg (9 Mar 2019) +- test331: verify set-cookie for dotless host name + + Reproduced bug #3649 + Closes #3659 + +- Revert "cookies: extend domain checks to non psl builds" + + This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. + + Regression shipped in 7.64.0 + Fixes #3649 + +- memdebug: make debug-specific functions use curl_dbg_ prefix + + To not "collide" or use up the regular curl_ name space. Also makes them + easier to detect in helper scripts. + + Closes #3656 + +- cmdline-opts/proxytunnel.d: the option tunnnels all protocols + + Clarify the language and simplify. + + Reported-by: Daniel Lublin + Closes #3658 + +- KNOWN_BUGS: Client cert (MTLS) issues with Schannel + + Closes #3145 + +- ROADMAP: updated to some more current things to work on + +- tests: fix multiple may be used uninitialized warnings + +- RELEASE-NOTES: synced + +- source: fix two 'nread' may be used uninitialized warnings + + Both seem to be false positives but we don't like warnings. + + Closes #3646 + +- gopher: remove check for path == NULL + + Since it can't be NULL and it makes Coverity believe we lack proper NULL + checks. Verified by test 659, landed in commit 15401fa886b. + + Pointed out by Coverity CID 1442746. + + Assisted-by: Dan Fandrich + Fixes #3617 + Closes #3642 + +- examples: only include + + That's the only public curl header we should encourage use of. + + Reviewed-by: Marcel Raad + Closes #3645 + +- ssh: loop the state machine if not done and not blocking + + If the state machine isn't complete, didn't fail and it didn't return + due to blocking it can just as well loop again. + + This addresses the problem with SFTP directory listings where we would + otherwise return back to the parent and as the multi state machine + doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the + doing phase isn't complete, it would return out when in reality there + was more data to deal with. + + Fixes #3506 + Closes #3644 + +Jay Satiro (5 Mar 2019) +- multi: support verbose conncache closure handle + + - Change closure handle to receive verbose setting from the easy handle + most recently added via curl_multi_add_handle. + + The closure handle is a special easy handle used for closing cached + connections. It receives limited settings from the easy handle most + recently added to the multi handle. Prior to this change that did not + include verbose which was a problem because on connection shutdown + verbose mode was not acknowledged. + + Ref: https://github.com/curl/curl/pull/3598 + + Co-authored-by: Daniel Stenberg + + Closes https://github.com/curl/curl/pull/3618 + +Daniel Stenberg (4 Mar 2019) +- CURLU: fix NULL dereference when used over proxy + + Test 659 verifies + + Also fixed the test 658 name + + Closes #3641 + +- altsvc_out: check the return code from Curl_gmtime + + Pointed out by Coverity, CID 1442956. + + Closes #3640 + +- docs/ALTSVC.md: docs describing the approach + + Closes #3498 + +- alt-svc: add a travis build + +- alt-svc: add test 355 and 356 to verify with command line curl + +- alt-svc: the curl command line bits + +- alt-svc: the libcurl bits + +- travis: add build using gnutls + + Closes #3637 + +- RELEASE-NOTES: synced + +- [Simon Legner brought this change] + + scripts/completion.pl: also generate fish completion file + + This is the renamed script formerly known as zsh.pl + + Closes #3545 + +- gnutls: remove call to deprecated gnutls_compression_get_name + + It has been deprecated by GnuTLS since a year ago and now causes build + warnings. + + Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f + Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + + Closes #3636 + +Jay Satiro (2 Mar 2019) +- system_win32: move win32_init here from easy.c + + .. since system_win32 is a more appropriate location for the functions + and to extern the globals. + + Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 + Reported-by: Gisle Vanem + + Closes https://github.com/curl/curl/pull/3625 + +Daniel Stenberg (1 Mar 2019) +- curl_easy_duphandle.3: clarify that a duped handle has no shares + + Reported-by: Sara Golemon + + Fixes #3592 + Closes #3634 + +- 10-at-a-time.c: fix too long line + +- [Arnaud Rebillout brought this change] + + examples: various fixes in ephiperfifo.c + + The main change here is the timer value that was wrong, it was given in + usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * + 1000). This resulted in the callback being invoked WAY TOO OFTEN. + + As a quick check you can run this command before and after applying this + commit: + + # shell 1 + ./ephiperfifo 2>&1 | tee ephiperfifo.log + # shell 2 + echo http://hacking.elboulangero.com > hiper.fifo + + Then just compare the size of the logs files. + + Closes #3633 + Fixes #3632 + Signed-off-by: Arnaud Rebillout + +- urldata: simplify bytecounters + + - no need to have them protocol specific + + - no need to set pointers to them with the Curl_setup_transfer() call + + - make Curl_setup_transfer() operate on a transfer pointer, not + connection + + - switch some counters from long to the more proper curl_off_t type + + Closes #3627 + +- examples/10-at-a-time.c: improve readability and simplify + + - use better variable names to explain their purposes + - convert logic to curl_multi_wait() + +- threaded-resolver: shutdown the resolver thread without error message + + When a transfer is done, the resolver thread will be brought down. That + could accidentally generate an error message in the error buffer even + though this is not an error situationand the transfer would still return + OK. An application that still reads the error buffer could find a + "Could not resolve host: [host name]" message there and get confused. + + Reported-by: Michael Schmid + Fixes #3629 + Closes #3630 + +- [Ԝеѕ brought this change] + + docs: update max-redirs.d phrasing + + clarify redir - "in absurdum" doesn't seem to make sense in this context + + Closes #3631 + +- ssh: fix Condition '!status' is always true + + in the same sftp_done function in both SSH backends. Simplify them + somewhat. + + Pointed out by Codacy. + + Closes #3628 + +- test578: make it read data from the correct test + +- Curl_easy: remove req.maxfd - never used! + + Introduced in 8b6314ccfb, but not used anymore in current code. Unclear + since when. + + Closes #3626 + +- http: set state.infilesize when sending formposts + + Without it set, we would unwillingly triger the "HTTP error before end + of send, stop sending" condition even if the entire POST body had been + sent (since it wouldn't know the expected size) which would + unnecessarily log that message and close the connection when it didn't + have to. + + Reported-by: Matt McClure + Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html + Closes #3624 + +- INSTALL: refer to the current TLS library names and configure options + +- FAQ: minor updates and spelling fixes + +- GOVERNANCE.md: minor spelling fixes + +- Secure Transport: no more "darwinssl" + + Everyone calls it Secure Transport, now we do too. + + Reviewed-by: Nick Zitzmann + + Closes #3619 + +Marcel Raad (27 Feb 2019) +- AppVeyor: add classic MinGW build + + But use the MSYS2 shell rather than the default MSYS shell because of + POSIX path conversion issues. Classic MinGW is only available on the + Visual Studio 2015 image. + + Closes https://github.com/curl/curl/pull/3623 + +- AppVeyor: add MinGW-w64 build + + Add a MinGW-w64 build using CMake's MSYS Makefiles generator. + Use the Visual Studio 2015 image as it has GCC 8, while the + Visual Studio 2017 image only has GCC 7.2. + + Closes https://github.com/curl/curl/pull/3623 + +Daniel Stenberg (27 Feb 2019) +- cookies: only save the cookie file if the engine is enabled + + Follow-up to 8eddb8f4259. + + If the cookieinfo pointer is NULL there really is nothing to save. + + Without this fix, we got a problem when a handle was using shared object + with cookies and is told to "FLUSH" it to file (which worked) and then + the share object was removed and when the easy handle was closed just + afterwards it has no cookieinfo and no cookies so it decided to save an + empty jar (overwriting the file just flushed). + + Test 1905 now verifies that this works. + + Assisted-by: Michael Wallner + Assisted-by: Marcel Raad + + Closes #3621 + +- [DaVieS brought this change] + + cacertinmem.c: use multiple certificates for loading CA-chain + + Closes #3421 + +- urldata: convert bools to bitfields and move to end + + This allows the compiler to pack and align the structs better in + memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 + makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. + + Removed an unused struct field. + + No functionality changes. + + Closes #3610 + +- [Don J Olmstead brought this change] + + curl.h: use __has_declspec_attribute for shared builds + + Closes #3616 + +- curl: display --version features sorted alphabetically + + Closes #3611 + +- runtests: detect "schannel" as an alias for "winssl" + + Follow-up to 180501cb02 + + Reported-by: Marcel Raad + Fixes #3609 + Closes #3620 + +Marcel Raad (26 Feb 2019) +- AppVeyor: update to Visual Studio 2017 + + Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a + moving target anymore as the last update, Update 9, has been released. + + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: switch VS 2015 builds to VS 2017 image + + The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + + Closes https://github.com/curl/curl/pull/3606 + +- AppVeyor: explicitly select worker image + + Currently, we're using the default Visual Studio 2015 image for + everything. + + Closes https://github.com/curl/curl/pull/3606 + +Daniel Stenberg (26 Feb 2019) +- strerror: make the strerror function use local buffers + + Instead of using a fixed 256 byte buffer in the connectdata struct. + + In my build, this reduces the size of the connectdata struct by 11.8%, + from 2160 to 1904 bytes with no functionality or performance loss. + + This also fixes a bug in schannel's Curl_verify_certificate where it + called Curl_sspi_strerror when it should have called Curl_strerror for + string from GetLastError. the only effect would have been no text or the + wrong text being shown for the error. + + Co-authored-by: Jay Satiro + + Closes #3612 + +- [Michael Wallner brought this change] + + cookies: fix NULL dereference if flushing cookies with no CookieInfo set + + Regression brought by a52e46f3900fb0 (shipped in 7.63.0) + + Closes #3613 + +Marcel Raad (26 Feb 2019) +- AppVeyor: re-enable test 500 + + It's passing now. + + Closes https://github.com/curl/curl/pull/3615 + +- AppVeyor: remove redundant builds + + Remove the Visual Studio 2012 and 2013 builds as they add little value. + + Ref: https://github.com/curl/curl/pull/3606 + Closes https://github.com/curl/curl/pull/3614 + +Daniel Stenberg (25 Feb 2019) +- RELEASE-NOTES: synced + +- [Bernd Mueller brought this change] + + OpenSSL: add support for TLS ASYNC state + + Closes #3591 + +Jay Satiro (25 Feb 2019) +- [Michael Felt brought this change] + + acinclude: add additional libraries to check for LDAP support + + - Add an additional check for LDAP that also checks for OpenSSL since + on AIX those libraries may be required to link LDAP properly. + + Fixes https://github.com/curl/curl/issues/3595 + Closes https://github.com/curl/curl/pull/3596 + +- [georgeok brought this change] + + schannel: support CALG_ECDH_EPHEM algorithm + + Add support for Ephemeral elliptic curve Diffie-Hellman key exchange + algorithm option when selecting ciphers. This became available on the + Win10 SDK. + + Closes https://github.com/curl/curl/pull/3608 + +Daniel Stenberg (24 Feb 2019) +- multi: call multi_done on connect timeouts + + Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get + updated correctly and could end up getting reported to the application + completely wrong (way too small). + + Reported-by: accountantM on github + Fixes #3602 + Closes #3605 + +- examples: remove recursive calls to curl_multi_socket_action + + From within the timer callbacks. Recursive is problematic for several + reasons. They should still work, but this way the examples and the + documentation becomes simpler. I don't think we need to encourage + recursive calls. + + Discussed in #3537 + Closes #3601 + +Marcel Raad (23 Feb 2019) +- configure: remove CURL_CHECK_FUNC_FDOPEN call + + The macro itself has been removed in commit + 11974ac859c5d82def59e837e0db56fef7f6794e. + + Closes https://github.com/curl/curl/pull/3604 + +Daniel Stenberg (23 Feb 2019) +- wolfssl: stop custom-adding curves + + since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in + wolfSSL 3.10.2 and later) it sends these curves by default already. + + Pointed-out-by: David Garske + + Closes #3599 + +- configure: remove the unused fdopen macro + + and the two remaining #ifdefs for it + + Closes #3600 + +Jay Satiro (22 Feb 2019) +- url: change conn shutdown order to unlink data as last step + + - Split off connection shutdown procedure from Curl_disconnect into new + function conn_shutdown. + + - Change the shutdown procedure to close the sockets before + disassociating the transfer. + + Prior to this change the sockets were closed after disassociating the + transfer so SOCKETFUNCTION wasn't called since the transfer was already + disassociated. That likely came about from recent work started in + Jan 2019 (#3442) to separate transfers from connections. + + Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html + Reported-by: Pavel Löbl + + Closes https://github.com/curl/curl/issues/3597 + Closes https://github.com/curl/curl/pull/3598 + +Marcel Raad (22 Feb 2019) +- Fix strict-prototypes GCC warning + + As seen in the MinGW autobuilds. Caused by commit + f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. + +Dan Fandrich (21 Feb 2019) +- tests: Fixed XML validation errors in some test files. + +Daniel Stenberg (20 Feb 2019) +- TODO: Allow SAN names in HTTP/2 server push + + Suggested-by: Nicolas Grekas + +- RELEASE-NOTES: synced + +- curl: remove MANUAL from -M output + + ... and remove it from the dist tarball. It has served its time, it + barely gets updated anymore and "everything curl" is now convering all + this document once tried to include, and does it more and better. + + In the compressed scenario, this removes ~15K data from the binary, + which is 25% of the -M output. + + It remains in the git repo for now for as long as the web site builds a + page using that as source. It renders poorly on the site (especially for + mobile users) so its not even good there. + + Closes #3587 + +- http2: verify :athority in push promise requests + + RFC 7540 says we should verify that the push is for an "authoritative" + server. We make sure of this by only allowing push with an :athority + header that matches the host that was asked for in the URL. + + Fixes #3577 + Reported-by: Nicolas Grekas + Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html + Closes #3581 + +- singlesocket: fix the 'sincebefore' placement + + The variable wasn't properly reset within the loop and thus could remain + set for sockets that hadn't been set before and miss notifying the app. + + This is a follow-up to 4c35574 (shipped in curl 7.64.0) + + Reported-by: buzo-ffm on github + Detected-by: Jan Alexander Steffens + Fixes #3585 + Closes #3589 + +- connection: never reuse CONNECT_ONLY conections + + and make CONNECT_ONLY conections never reuse any existing ones either. + + Reported-by: Pavel Löbl + Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html + Closes #3586 + +Patrick Monnerat (19 Feb 2019) +- cli tool: fix mime post with --disable-libcurl-option configure option + + Reported-by: Marcel Raad + Fixes #3576 + Closes #3583 + +Daniel Stenberg (19 Feb 2019) +- x509asn1: cleanup and unify code layout + + - rename 'n' to buflen in functions, and use size_t for them. Don't pass + in negative buffer lengths. + + - move most function comments to above the function starts like we use + to + + - remove several unnecessary typecasts (especially of NULL) + + Reviewed-by: Patrick Monnerat + Closes #3582 + +- curl_multi_remove_handle.3: use at any time, just not from within callbacks + + [ci skip] + +- http: make adding a blank header thread-safe + + Previously the function would edit the provided header in-place when a + semicolon is used to signify an empty header. This made it impossible to + use the same set of custom headers in multiple threads simultaneously. + + This approach now makes a local copy when it needs to edit the string. + + Reported-by: d912e3 on github + Fixes #3578 + Closes #3579 + +- unit1651: survive curl_easy_init() fails + +- [Frank Gevaerts brought this change] + + rand: Fix a mismatch between comments in source and header. + + Reported-by: Björn Stenberg + Closes #3584 + +Patrick Monnerat (18 Feb 2019) +- x509asn1: replace single char with an array + + Although safe in this context, using a single char as an array may + cause invalid accesses to adjacent memory locations. + + Detected by Coverity. + +Daniel Stenberg (18 Feb 2019) +- examples/http2-serverpush: add some sensible error checks + + To avoid NULL pointer dereferences etc in the case of problems. + + Closes #3580 + +Jay Satiro (18 Feb 2019) +- easy: fix win32 init to work without CURL_GLOBAL_WIN32 + + - Change the behavior of win32_init so that the required initialization + procedures are not affected by CURL_GLOBAL_WIN32 flag. + + libcurl via curl_global_init supports initializing for win32 with an + optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop + Winsock initialization. It did so internally by skipping win32_init() + when that flag was set. Since then win32_init() has been expanded to + include required initialization routines that are separate from + Winsock and therefore must be called in all cases. This commit fixes + it so that CURL_GLOBAL_WIN32 only controls the optional win32 + initialization (which is Winsock initialization, according to our doc). + + The only users affected by this change are those that don't pass + CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the + risk of a potential crash. + + Ref: https://github.com/curl/curl/pull/3573 + + Fixes https://github.com/curl/curl/issues/3313 + Closes https://github.com/curl/curl/pull/3575 + +Daniel Gustafsson (17 Feb 2019) +- cookie: Add support for cookie prefixes + + The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes + and how they should affect cookie initialization, which has been + adopted by the major browsers. This adds support for the two prefixes + defined, __Host- and __Secure, and updates the testcase with the + supplied examples from the draft. + + Closes #3554 + Reviewed-by: Daniel Stenberg + +- mbedtls: release sessionid resources on error + + If mbedtls_ssl_get_session() fails, it may still have allocated + memory that needs to be freed to avoid leaking. Call the library + API function to release session resources on this errorpath as + well as on Curl_ssl_addsessionid() errors. + + Closes: #3574 + Reported-by: Michał Antoniak + Reviewed-by: Daniel Stenberg + +Patrick Monnerat (16 Feb 2019) +- cli tool: refactor encoding conversion sequence for switch case fallthrough. + +- version.c: silent scan-build even when librtmp is not enabled + +Daniel Stenberg (15 Feb 2019) +- RELEASE-NOTES: synced + +- Curl_now: figure out windows version in win32_init + + ... and avoid use of static variables that aren't thread safe. + + Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + + Reported-by: Paul Groke + Fixes #3572 + Closes #3573 + +Marcel Raad (15 Feb 2019) +- unit1307: just fail without FTP support + + I missed to check this in with commit + 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. + This fixes the actual linker error. + + Closes https://github.com/curl/curl/pull/3568 + +Daniel Stenberg (15 Feb 2019) +- travis: enable valgrind for the iconv tests too + + Closes #3571 + +- travis: add scan-build + + Closes #3564 + +- examples/sftpuploadresume: Value stored to 'result' is never read + + Detected by scan-build + +- examples/http2-upload: cleaned up + + Fix scan-build warnings, no globals, no silly handle scan. Also remove + handles from the multi before cleaning up. + +- examples/http2-download: cleaned up + + To avoid scan-build warnings and global variables. + +- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' + + Detected by scan-build + +- examples/httpcustomheader: Value stored to 'res' is never read + + Detected by scan-build + +- examples: remove superfluous null-pointer checks + + in ftpget, ftpsget and sftpget, so that scan-build stops warning for + potential NULL pointer dereference below! + + Detected by scan-build + +- strip_trailing_dot: make sure NULL is never used for strlen + + scan-build warning: Null pointer passed as an argument to a 'nonnull' + parameter + +- [Jay Satiro brought this change] + + connection_check: restore original conn->data after the check + + - Save the original conn->data before it's changed to the specified + data transfer for the connection check and then restore it afterwards. + + This is a follow-up to 38d8e1b 2019-02-11. + + History: + + It was discovered a month ago that before checking whether to extract a + dead connection that that connection should be associated with a "live" + transfer for the check (ie original conn->data ignored and set to the + passed in data). A fix was landed in 54b201b which did that and also + cleared conn->data after the check. The original conn->data was not + restored, so presumably it was thought that a valid conn->data was no + longer needed. + + Several days later it was discovered that a valid conn->data was needed + after the check and follow-up fix was landed in bbae24c which partially + reverted the original fix and attempted to limit the scope of when + conn->data was changed to only when pruning dead connections. In that + case conn->data was not cleared and the original conn->data not + restored. + + A month later it was discovered that the original fix was somewhat + correct; a "live" transfer is needed for the check in all cases + because original conn->data could be null which could cause a bad deref + at arbitrary points in the check. A fix was landed in 38d8e1b which + expanded the scope to all cases. conn->data was not cleared and the + original conn->data not restored. + + A day later it was discovered that not restoring the original conn->data + may lead to busy loops in applications that use the event interface, and + given this observation it's a pretty safe assumption that there is some + code path that still needs the original conn->data. This commit is the + follow-up fix for that, it restores the original conn->data after the + connection check. + + Assisted-by: tholin@users.noreply.github.com + Reported-by: tholin@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/3542 + Closes #3559 + +- memdebug: bring back curl_mark_sclose + + Used by debug builds with NSS. + + Reverted from 05b100aee247bb + +Patrick Monnerat (14 Feb 2019) +- transfer.c: do not compute length of undefined hex buffer. + + On non-ascii platforms, the chunked hex header was measured for char code + conversion length, even for chunked trailers that do not have an hex header. + In addition, the efective length is already known: use it. + Since the hex length can be zero, only convert if needed. + + Reported by valgrind. + +Daniel Stenberg (14 Feb 2019) +- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP + + Closes #2367 + +Patrick Monnerat (14 Feb 2019) +- x509asn1: "Dereference of null pointer" + + Detected by scan-build (false positive). + +Daniel Stenberg (14 Feb 2019) +- configure: show features as well in the final summary + + Closes #3569 + +- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 + + Closes #2905 + +- KNOWN_BUGS: Deflate error after all content was received + + Closes #2719 + +- gssapi: fix deprecated header warnings + + Heimdal includes on FreeBSD spewed out lots of them. Less so now. + + Closes #3566 + +- TODO: Upgrade to websockets + + Closes #3523 + +- TODO: cmake test suite improvements + + Closes #3109 + +Patrick Monnerat (13 Feb 2019) +- curl: "Dereference of null pointer" + + Rephrase to satisfy scan-build. + +Marcel Raad (13 Feb 2019) +- unit1307: require FTP support + + This test doesn't link without FTP support after + fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch + unavailable without FTP support. + + Closes https://github.com/curl/curl/pull/3565 + +Daniel Stenberg (13 Feb 2019) +- TODO: TFO support on Windows + + Nobody works on this now. + + Closes #3378 + +- multi: Dereference of null pointer + + Mostly a false positive, but this makes the code easier to read anyway. + + Detected by scan-build. + + Closes #3563 + +- urlglob: Argument with 'nonnull' attribute passed null + + Detected by scan-build. + +Jay Satiro (12 Feb 2019) +- schannel: restore some debug output but only for debug builds + + Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy + debug output in DEBUGF but omitted a few lines. + + Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 + +- examples/crawler: Fix the Accept-Encoding setting + + - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default + supported encodings. + + Prior to this change the specific encodings of gzip and deflate were set + but there's no guarantee they'd be supported by the user's libcurl. + +Daniel Stenberg (12 Feb 2019) +- mime: put the boundary buffer into the curl_mime struct + + ... instead of allocating it separately and point to it. It is + fixed-size and always used for each part. + + Closes #3561 + +- schannel: be quiet + + Convert numerous infof() calls into debug-build only messages since they + are annoyingly verbose for regular applications. Removed a few. + + Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html + Reported-by: Volker Schmid + Closes #3552 + +- [Romain Geissler brought this change] + + Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning + + Closes #3562 + +- http2: multi_connchanged() moved from multi.c, only used for h2 + + Closes #3557 + +- curl: "Function call argument is an uninitialized value" + + Follow-up to cac0e4a6ad14b42471eb + + Detected by scan-build + Closes #3560 + +- pretransfer: don't strlen() POSTFIELDS set for GET requests + + ... since that data won't be used in the request anyway. + + Fixes #3548 + Reported-by: Renaud Allard + Close #3549 + +- multi: remove verbose "Expire in" ... messages + + Reported-by: James Brown + Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html + Closes #3558 + +- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set + + Reported-by: MAntoniak on github + Fixes #3553 + Closes #3556 + +Daniel Gustafsson (12 Feb 2019) +- non-ascii.c: fix typos in comments + + Fix two occurrences of s/convers/converts/ spotted while reading code. + +Daniel Stenberg (12 Feb 2019) +- fnmatch: disable if FTP is disabled + + Closes #3551 + +- curl_path: only enabled for SSH builds + +- [Frank Gevaerts brought this change] + + tests: add stderr comparison to the test suite + + The code is more or less copied from the stdout comparison code, maybe + some better reuse is possible. + + test 1457 is adjusted to make the output actually match (by using --silent) + test 506 used without actually needing it, so that block is removed + + Closes #3536 + +Patrick Monnerat (11 Feb 2019) +- cli tool: do not use mime.h private structures. + + Option -F generates an intermediate representation of the mime structure + that is used later to create the libcurl mime structure and generate + the --libcurl statements. + + Reported-by: Daniel Stenberg + Fixes #3532 + Closes #3546 + +Daniel Stenberg (11 Feb 2019) +- curlver: bump to 7.64.1-dev + +- RELEASE-NOTES: synced + + and bump the version in progress to 7.64.1. If we merge any "change" + before the cut-off date, we update again. + +Daniel Gustafsson (11 Feb 2019) +- curl: follow-up to 3f16990ec84 + + Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was + inadvertently introducing a new bug in the ternary expression. + + Close #3555 + Reviewed-by: Daniel Stenberg + +- dns: release sharelock as soon as possible + + There is no benefit to holding the data sharelock when freeing the + addrinfo in case it fails, so ensure releaseing it as soon as we can + rather than holding on to it. This also aligns the code with other + consumers of sharelocks. + + Closes #3516 + Reviewed-by: Daniel Stenberg + +Daniel Stenberg (11 Feb 2019) +- curl: follow-up to b49652ac66cc0 + + On FreeBSD, return non-zero on error otherwise zero. + + Reported-by: Marcel Raad + +- multi: (void)-prefix when ignoring return values + + ... and added braces to two function calls which fixes warnings if they + are replace by empty macros at build-time. + +- curl: fix FreeBSD compiler warning in the --xattr code + + Closes #3550 + +- connection_check: set ->data to the transfer doing the check + + The http2 code for connection checking needs a transfer to use. Make + sure a working one is set before handler->connection_check() is called. + + Reported-by: jnbr on github + Fixes #3541 + Closes #3547 + +- hostip: make create_hostcache_id avoid alloc + free + + Closes #3544 + +- scripts/singleuse: script to use to track single-use functions + + That is functions that are declared global but are not used from outside + of the file in which it is declared. Such functions should be made + static or even at times be removed. + + It also verifies that all used curl_ prefixed functions are "blessed" + + Closes #3538 + +- cleanup: make local functions static + + urlapi: turn three local-only functions into statics + + conncache: make conncache_find_first_connection static + + multi: make detach_connnection static + + connect: make getaddressinfo static + + curl_ntlm_core: make hmac_md5 static + + http2: make two functions static + + http: make http_setup_conn static + + connect: make tcpnodelay static + + tests: make UNITTEST a thing to mark functions with, so they can be static for + normal builds and non-static for unit test builds + + ... and mark Curl_shuffle_addr accordingly. + + url: make up_free static + + setopt: make vsetopt static + + curl_endian: make write32_le static + + rtsp: make rtsp_connisdead static + + warnless: remove unused functions + + memdebug: remove one unused function, made another static + +Dan Fandrich (10 Feb 2019) +- cirrus: Added FreeBSD builds using Cirrus CI. + + The build logs will be at https://cirrus-ci.com/github/curl/curl + + Some tests are currently failing and so disabled for now. The SSH server + isn't starting for the SSH tests due to unsupported options used in its + config file. The DICT server also is failing on startup. + +Daniel Stenberg (9 Feb 2019) +- url/idnconvert: remove scan for <= 32 ascii values + + The check was added back in fa939220df before the URL parser would catch + these problems and therefore these will never trigger now. + + Closes #3539 + +- urlapi: reduce variable scope, remove unreachable 'break' + + Both nits pointed out by codacy.com + + Closes #3540 + +Alessandro Ghedini (7 Feb 2019) +- zsh.pl: escape ':' character + + ':' is interpreted as separator by zsh, so if used as part of the argument + or option's description it needs to be escaped. + + The problem can be reproduced as follows: + + % curl --reso + % curl -E + + Bug: https://bugs.debian.org/921452 + +- zsh.pl: update regex to better match curl -h output + + The current regex fails to match '<...>' arguments properly (e.g. those + with spaces in them), which causes an completion script with wrong + descriptions for some options. + + Here's a diff of the generated completion script, comparing the previous + version to the one with this fix: + + --- /usr/share/zsh/vendor-completions/_curl 2019-01-15 20:47:40.000000000 +0000 + +++ _curl 2019-02-05 20:57:29.453349040 +0000 + @@ -9,48 +9,48 @@ + + _arguments -C -S \ + --happy-eyeballs-timeout-ms'[How long to wait in milliseconds for IPv6 before trying IPv4]':'' \ + + --resolve'[Resolve the host+port to this address]':'' \ + {-c,--cookie-jar}'[Write cookies to after operation]':'':_files \ + {-D,--dump-header}'[Write the received headers to ]':'':_files \ + {-y,--speed-time}'[Trigger '\''speed-limit'\'' abort after this time]':'' \ + --proxy-cacert'[CA certificate to verify peer against for proxy]':'':_files \ + - --tls13-ciphers'[of TLS 1.3 ciphersuites> TLS 1.3 cipher suites to use]':'' \ + {-E,--cert}'[Client certificate file and password]':'' \ + --libcurl'[Dump libcurl equivalent code of this command line]':'':_files \ + --proxy-capath'[CA directory to verify peer against for proxy]':'':_files \ + - --proxy-negotiate'[HTTP Negotiate (SPNEGO) authentication on the proxy]':'Use' \ + --proxy-pinnedpubkey'[FILE/HASHES public key to verify proxy with]':'' \ + --crlfile'[Get a CRL list in PEM format from the given file]':'':_files \ + - --proxy-insecure'[HTTPS proxy connections without verifying the proxy]':'Do' \ + - --proxy-ssl-allow-beast'[security flaw for interop for HTTPS proxy]':'Allow' \ + + --proxy-negotiate'[Use HTTP Negotiate (SPNEGO) authentication on the proxy]' \ + --abstract-unix-socket'[Connect via abstract Unix domain socket]':'' \ + --pinnedpubkey'[FILE/HASHES Public key to verify peer against]':'' \ + + --proxy-insecure'[Do HTTPS proxy connections without verifying the proxy]' \ + --proxy-pass'[Pass phrase for the private key for HTTPS proxy]':'' \ + + --proxy-ssl-allow-beast'[Allow security flaw for interop for HTTPS proxy]' \ + {-p,--proxytunnel}'[Operate through an HTTP proxy tunnel (using CONNECT)]' \ + --socks5-hostname'[SOCKS5 proxy, pass host name to proxy]':'' \ + --proto-default'[Use PROTOCOL for any URL missing a scheme]':'' \ + - --proxy-tls13-ciphers'[list> TLS 1.3 proxy cipher suites]':'' \ + --socks5-gssapi-service'[SOCKS5 proxy service name for GSS-API]':'' \ + --ftp-alternative-to-user'[String to replace USER \[name\]]':'' \ + - --ftp-ssl-control'[SSL/TLS for FTP login, clear for transfer]':'Require' \ + {-T,--upload-file}'[Transfer local FILE to destination]':'':_files \ + --local-port'[Force use of RANGE for local port numbers]':'' \ + --proxy-tlsauthtype'[TLS authentication type for HTTPS proxy]':'' \ + {-R,--remote-time}'[Set the remote file'\''s time on the local output]' \ + - --retry-connrefused'[on connection refused (use with --retry)]':'Retry' \ + - --suppress-connect-headers'[proxy CONNECT response headers]':'Suppress' \ + - {-j,--junk-session-cookies}'[session cookies read from file]':'Ignore' \ + - --location-trusted'[--location, and send auth to other hosts]':'Like' \ + + --ftp-ssl-control'[Require SSL/TLS for FTP login, clear for transfer]' \ + --proxy-cert-type'[Client certificate type for HTTPS proxy]':'' \ + {-O,--remote-name}'[Write output to a file named as the remote file]' \ + + --retry-connrefused'[Retry on connection refused (use with --retry)]' \ + + --suppress-connect-headers'[Suppress proxy CONNECT response headers]' \ + --trace-ascii'[Like --trace, but without hex output]':'':_files \ + --connect-timeout'[Maximum time allowed for connection]':'' \ + --expect100-timeout'[How long to wait for 100-continue]':'' \ + {-g,--globoff}'[Disable URL sequences and ranges using {} and \[\]]' \ + + {-j,--junk-session-cookies}'[Ignore session cookies read from file]' \ + {-m,--max-time}'[Maximum time allowed for the transfer]':'' \ + --dns-ipv4-addr'[IPv4 address to use for DNS requests]':'
' \ + --dns-ipv6-addr'[IPv6 address to use for DNS requests]':'
' \ + - --ignore-content-length'[the size of the remote resource]':'Ignore' \ + {-k,--insecure}'[Allow insecure server connections when using SSL]' \ + + --location-trusted'[Like --location, and send auth to other hosts]' \ + --mail-auth'[Originator address of the original email]':'
' \ + --noproxy'[List of hosts which do not use proxy]':'' \ + --proto-redir'[Enable/disable PROTOCOLS on redirect]':'' \ + @@ -62,18 +62,19 @@ + --socks5-basic'[Enable username/password auth for SOCKS5 proxies]' \ + --cacert'[CA certificate to verify peer against]':'':_files \ + {-H,--header}'[Pass custom header(s) to server]':'
' \ + + --ignore-content-length'[Ignore the size of the remote resource]' \ + {-i,--include}'[Include protocol response headers in the output]' \ + --proxy-header'[Pass custom header(s) to proxy]':'
' \ + --unix-socket'[Connect through this Unix domain socket]':'' \ + {-w,--write-out}'[Use output FORMAT after completion]':'' \ + - --http2-prior-knowledge'[HTTP 2 without HTTP/1.1 Upgrade]':'Use' \ + {-o,--output}'[Write to file instead of stdout]':'':_files \ + - {-J,--remote-header-name}'[the header-provided filename]':'Use' \ + + --preproxy'[\[protocol://\]host\[:port\] Use this proxy first]' \ + --socks4a'[SOCKS4a proxy on given host + port]':'' \ + {-Y,--speed-limit}'[Stop transfers slower than this]':'' \ + {-z,--time-cond}'[Transfer based on a time condition]':'