New in cURL 7.66.0 (Sep 13, 2019)
- Changes:
- CURLINFO_RETRY_AFTER: parse the Retry-After header value
- HTTP3: initial (experimental still not working) support
- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
- curl: support parallel transfers with -Z
- curl_multi_poll: a sister to curl_multi_wait() that waits more
- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
- Bugfixes:
- CVE-2019-5481: FTP-KRB double-free
- CVE-2019-5482: TFTP small blocksize heap buffer overflow
- CI: remove duplicate configure flag for LGTM.com
- CMake: remove needless newlines at end of gss variables
- CMake: use platform dependent name for dlopen() library
- CURLINFO docs: mention that in redirects times are added
- CURLOPT_ALTSVC.3: use a "" file name to not load from a file
- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
- CURLOPT_HEADERFUNCTION.3: clarify
- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
- CURLOPT_READFUNCTION.3: provide inline example
- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
- Curl_addr2string: take an addrlen argument too
- Curl_fillreadbuffer: avoid double-free trailer buf on error
- HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
- alt-svc: add protocol version selection masking
- alt-svc: fix removal of expired cache entry
- alt-svc: make it use h3-22 with ngtcp2 as well
- alt-svc: more liberal ALPN name parsing
- alt-svc: send Alt-Used: in redirected requests
- alt-svc: with quiche, use the quiche h3 alpn string
- appveyor: pass on -k to make
- asyn-thread: create a socketpair to wait on
- build-openssl: fix build with Visual Studio 2019
- cleanup: move functions out of url.c and make them static
- cleanup: remove the 'numsocks' argument used in many places
- configure: avoid undefined check_for_ca_bundle
- curl.h: add CURL_HTTP_VERSION_3 to the version enum
- curl.h: fix outdated comment
- curl: cap the maximum allowed values for retry time arguments
- curl: handle a libcurl build without netrc support
- curl: make use of CURLINFO_RETRY_AFTER when retrying
- curl: remove outdated comment
- curl: use .curlrc (with a dot) on Windows
- curl: use CURLINFO_PROTOCOL to check for HTTP(s)
- curl_global_init_mem.3: mention it was added in 7.12.0
- curl_version: bump string buffer size to 250
- curl_version_info.3: mentioned ALTSVC and HTTP3
- curl_version_info: offer quic (and h3) library info
- curl_version_info: provide nghttp2 details
- defines: avoid underscore-prefixed defines
- docs/ALTSVC: remove what works and the experimental explanation
- docs/EXPERIMENTAL: explain what it means and what's experimental now
- docs/MANUAL.md: converted to markdown from plain text
- docs/examples/curlx: fix errors
- docs: s/curl_debug/curl_dbg_debug in comments and docs
- easy: resize receive buffer on easy handle reset
- examples: Avoid reserved names in hiperfifo examples
- examples: add http3.c, altsvc.c and http3-present.c
- getenv: support up to 4K environment variable contents on windows
- http09: disable HTTP/0.9 by default in both tool and library
- http2: when marked for closure and wanted to close == OK
- http2_recv: trigger another read when the last data is returned
- http: fix use of credentials from URL when using HTTP proxy
- http_negotiate: improve handling of gss_init_sec_context() failures
- md4: Use our own MD4 when no crypto libraries are available
- multi: call detach_connection before Curl_disconnect
- netrc: make the code try ".netrc" on Windows
- nss: use TLSv1.3 as default if supported
- openssl: build warning free with boringssl
- openssl: use SSL_CTX_set__proto_version() when available
- plan9: add support for running on Plan 9
- progress: reset download/uploaded counter between transfers
- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
- scp: fix directory name length used in memcpy
- smb: init *msg to NULL in smb_send_and_recv()
- smtp: check for and bail out on too short EHLO response
- source: remove names from source comments
- spnego_sspi: add typecast to fix build warning
- src/makefile: fix uncompressed hugehelp.c generation
- ssh-libssh: do not specify O_APPEND when not in append mode
- ssh: move code into vssh for SSH backends
- sspi: fix memory leaks
- tests: Replace outdated test case numbering documentation
- tftp: return error when packet is too small for options
- timediff: make it 64 bit (if possible) even with 32 bit time_t
- travis: reduce number of torture tests in 'coverage'
- url: make use of new HTTP version if alt-svc has one
- urlapi: verify the IPv6 numerical address
- urldata: avoid 'generic', use dedicated pointers
- vauth: Use CURLE_AUTH_ERROR for auth function errors
New in cURL 7.65.3 (Jul 23, 2019)
- Bugfixes:
- progress: make the progress meter appear again
New in cURL 7.65.1 (Jun 5, 2019)
- Bugfixes:
- CURLOPT_LOW_SPEED_* repaired
- NTLM: reset proxy "multipass" state when CONNECT request is done
- PolarSSL: deprecate support step 1. Removed from configure
- appveyor: add Visual Studio solution build
- cmake: check for if_nametoindex()
- cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
- config-win32: add support for if_nametoindex and getsockname
- conncache: Remove the DEBUGASSERT on length check
- conncache: make "bundles" per host name when doing proxy tunnels
- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
- curl_share_setopt.3: improve wording
- dump-header.d: spell out that no headers == empty file
- example/http2-download: fix format specifier
- examples: cleanups and compiler warning fixes
- http2: Stop drain from being permanently set
- http: don't parse body-related headers in bodyless responses
- md4: build correctly with openssl without MD4
- md4: include the mbedtls config.h to get the MD4 info
- multi: track users of a socket better
- nss: allow to specify TLS 1.3 ciphers if supported by NSS
- parse_proxy: make sure portptr is initialized
- parse_proxy: use the IPv6 zone id if given
- sectransp: handle errSSLPeerAuthCompleted from SSLRead()
- singlesocket: use separate variable for inner loop
- ssl: Update outdated "openssl-only" comments for supported backends
- tests: add HAProxy keywords
- tests: add support to test against OpenSSH for Windows
- tests: make test 1420 and 1406 work with rtsp-disabled libcurl
- tls13-docs: mention it is only for OpenSSL >= 1.1.1
- tool_parse_cfg: Avoid 2 fopen() for WIN32
- tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
- url: fix bad feature-disable #ifdef
- url: use correct port in ConnectionExists()
- winbuild: Use two space indentation
New in cURL 7.64.0 (Feb 6, 2019)
- Changes:
- cookies: leave secure cookies alone
- hostip: support wildcard hosts
- http: Implement trailing headers for chunked transfers
- http: added options for allowing HTTP/0.9 responses
- timeval: Use high resolution timestamps on Windows
- Bugfixes:
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- FAQ: remove mention of sourceforge for github
- OS400: handle memory error in list conversion
- OS400: upgrade ILE/RPG binding.
- README: add codacy code quality badge
- Revert http_negotiate: do not close connection
- THANKS: added several missing names from year
New in cURL 7.63.0 (Dec 12, 2018)
- Changes:
- curl: add %{stderr} and %{stdout} for --write-out
- curl: add undocumented option --dump-module-paths for win32
- setopt: add CURLOPT_CURLU
- Bugfixes:
- (lib)curl.rc: fixup for minor bugs
- CURLINFO_REDIRECT_URL: extract the Location: header field unvalidated
- CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
- CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
- Curl_follow: accept non-supported schemes for "fake" redirects
- KNOWN_BUGS: add --proxy-any connection issue
- NTLM: Remove redundant ifdef USE_OPENSSL
- NTLM: force the connection to HTTP/1.1
- OS400: add URL API ccsid wrappers and sync ILE/RPG bindings
- SECURITY-PROCESS: bountygraph shuts down again
- TODO: Have the URL API offer IDN decoding
- ares: remove fd from multi fd set when ares is about to close the fd
- axtls: removed
- checksrc: add COPYRIGHTYEAR check
- cmake: fix MIT/Heimdal Kerberos detection
- configure: include all libraries in ssl-libs fetch
- configure: show CFLAGS, LDFLAGS etc in summary
- connect: fix building for recent versions of Minix
- cookies: create the cookiejar even if no cookies to save
- cookies: expire "Max-Age=0" immediately
- curl: --local-port range was not "including"
- curl: fix --local-port integer overflow
- curl: fix memory leak reading --writeout from file
- curl: fixed UTF-8 in current console code page (Windows)
- curl_easy_perform: fix timeout handling
- curl_global_sslset(): id == -1 is not necessarily an error
- curl_multibyte: fix a malloc overcalculation
- curle: move deprecated error code to ifndef block
- docs: curl_formadd field and file names are now escaped
- docs: escape "n" codes
- doh: fix memory leak in OOM situation
- doh: make it work for h2-disabled builds too
- examples/ephiperfifo: report error when epoll_ctl fails
- ftp: avoid two unsigned int overflows in FTP listing parser
- host names: allow trailing dot in name resolve, then strip it
- http2: Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
- http: don't set CURLINFO_CONDITION_UNMET for http status code 204
- http: fix HTTP Digest auth to include query in URI
- http_negotiate: do not close connection until negotiation is completed
- impacket: add LICENSE
- infof: clearly indicate truncation
- ldap: fix LDAP URL parsing regressions
- libcurl: stop reading from paused transfers
- mprintf: avoid unsigned integer overflow warning
- netrc: don't ignore the login name specified with "--user"
- nss: Fall back to latest supported SSL version
- nss: Fix compatibility with nss versions 3.14 to 3.15
- nss: fix fallthrough comment to fix picky compiler warning
- nss: remove version selecting dead code
- nss: set default max-tls to 1.3/1.2
- openssl: Remove SSLEAY leftovers
- openssl: do not log excess "TLS app data" lines for TLS 1.3
- openssl: do not use file BIOs if not requested
- openssl: fix unused variable compiler warning with old openssl
- openssl: support session resume with TLS 1.3
- openvms: fix example name
- os400: Add curl_easy_conn_upkeep() to ILE/RPG binding
- os400: add CURLOPT_CURLU to ILE/RPG binding
- os400: fix return type of curl_easy_pause() in ILE/RPG binding
- packages: remove old leftover files and dirs
- pop3: only do APOP with a valid timestamp
- runtests: use the local curl for verifying
- schannel: be consistent in Schannel capitalization
- schannel: better CURLOPT_CERTINFO support
- schannel: use Curl_ prefix for global private symbols
- snprintf: renamed and we now only use msnprintf()
- ssl: fix compilation with OpenSSL 0.9.7
- ssl: replace all internal uses of CURLE_SSL_CACERT
- symbols-in-versions: add missing CURLU_ symbols
- test328: verify Content-Encoding: none
- tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
- tests: drop http_pipe.py script no longer used
- tool_cb_wrt: Silence function cast compiler warning
- tool_doswin: Fix uninitialized field warning
- travis: build with clang sanitizers
- travis: remove curl before a normal build
- url: a short host name + port is not a scheme
- url: fix IPv6 numeral address parser
- urlapi: only skip encoding the first '=' with APPENDQUERY set
New in cURL 7.61.0 (Jul 11, 2018)
- Changes:
- getinfo: add microsecond precise timers for seven intervals
- curl: show headers in bold, switch off with --no-styled-output
- httpauth: add support for Bearer tokens
- Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS
- curl: --tls13-ciphers and --proxy-tls13-ciphers
- Add CURLOPT_DISALLOW_USERNAME_IN_URL
- curl: --disallow-username-in-url
- Bugfixes:
- CVE-2018-0500: smtp: fix SMTP send buffer overflow
- schannel: disable client cert option if APIs not available
- schannel: disable manual verify if APIs not available
- tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
- openssl: acknowledge --tls-max for default version too
- stub_gssapi: fix 'unused parameter' warnings
- examples/progressfunc: make it build on both new and old libcurls
- docs: mention it is HA Proxy protocol "version 1"
- curl_fnmatch: only allow two asterisks for matching
- docs: clarify CURLOPT_HTTPGET
- configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE
- configure: do compile-time SIZEOF checks instead of run-time
- checksrc: make sure sizeof() is used *with* parentheses
- CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
- schannel: make CAinfo parsing resilient to CR/LF
- tftp: make sure error is zero terminated before printfing it
- http resume: skip body if http code 416 (range error) is ignored
- configure: add basic test of --with-ssl prefix
- cmake: set -d postfix for debug builds
- multi: provide a socket to wait for in Curl_protocol_getsock
- content_encoding: handle zlib versions too old for Z_BLOCK
- winbuild: only delete OUTFILE if it exists
- winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
- schannel: add failf calls for client certificate failures
- cmake: Fix the test for fsetxattr and strerror_r
- curl.1: Fix cmdline-opts reference errors
- cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
- cmake: check for getpwuid_r
- configure: fix ssh2 linking when built with a static mbedtls
- psl: use latest psl and refresh it periodically
- fnmatch: insist on escaped bracket to match
- KNOWN_BUGS: restore text regarding #2101
- INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
- configure: override AR_FLAGS to silence warning
- os400: implement mime api EBCDIC wrappers
- curl.rc: embed manifest for correct Windows version detection
- strictness: correct {infof, failf} format specifiers
- tests: update .gitignore for libtests
- configure: check for declaration of getpwuid_r
- fnmatch: use the system one if available
- CURLOPT_RESOLVE: always purge old entry first
- multi: remove a potentially bad DEBUGF()
- curl_addrinfo: use same #ifdef conditions in source as header
- build: remove the Borland specific makefiles
- axTLS: not considered fit for use
- cmdline-opts/cert-type.d: mention "p12" as a recognized type
- system.h: add support for IBM xlc C compiler
- tests/libtest: Add lib1521 to nodist_SOURCES
- mk-ca-bundle.pl: leave certificate name untouched
- boringssl + schannel: undef X509_NAME in lib/schannel.h
- openssl: assume engine support in 1.0.1 or later
- cppcheck: fix warnings
- test 46: make test pass after year 2025
- schannel: support selecting ciphers
- Curl_debug: remove dead printhost code
- test 1455: unflakified
- Curl_init_do: handle NULL connection pointer passed in
- progress: remove a set of unused defines
- mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
- GOVERNANCE.md: explains how this project is run
- configure: use pkg-config for c-ares detection
- configure: enhance ability to build with static openssl
- maketgz: fix sed issues on OSX
- multi: fix memory leak when stopped during name resolve
- CURLOPT_INTERFACE.3: interface names not supported on Windows
- url: fix dangling conn->data pointer
- cmake: allow multiple SSL backends
- system.h: fix for gcc on 32 bit OpenServer
- ConnectionExists: make sure conn->data is set when "taking" a connection
- multi: fix crash due to dangling entry in connect-pending list
- CURLOPT_SSL_VERIFYPEER.3: Add performance note
- netrc: use a larger buffer to support longer passwords
- url: check Curl_conncache_add_conn return code
- configure: Add dependent libraries after crypto
- easy_perform: faster local name resolves by using *multi_timeout()
- getnameinfo: not used, removed all configure checks
- travis: add a build using the synchronous name resolver
- CURLINFO_TLS_SSL_PTR.3: improve the example
- openssl: allow TLS 1.3 by default
- openssl: make the requested TLS version the *minimum* wanted
- openssl: Remove some dead code
- telnet: fix clang warnings
- DEPRECATE: new doc describing planned item removals
- example/crawler.c: simple crawler based on libxml2
- libssh: goto DISCONNECT state on error, not SESSION_FREE
- CMake: Remove unused functions
- darwinssl: allow High Sierra users to build the code using GCC
- scripts: include _curl as part of CLEANFILES
New in cURL 7.59.0 (Mar 14, 2018)
- Changes:
- curl: add --proxy-pinnedpubkey
- added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T
- CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- Add new tool option --happy-eyeballs-timeout-ms
- Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA
- Bugfixes:
- openldap: check ldap_get_attribute_ber() results for NULL before using
- FTP: reject path components with control codes
- readwrite: make sure excess reads don't go beyond buffer end
- lib555: drop text conversion and encode data as ascii codes
- lib517: make variable static to avoid compiler warning
- lib544: sync ascii code data with textual data
- GSKit: restore pinnedpubkey functionality
- darwinssl: Don't import client certificates into Keychain on macOS
- parsedate: fix date parsing for systems with 32 bit long
- openssl: fix pinned public key build error in FIPS mode
- SChannel/WinSSL: Implement public key pinning
- cookies: remove verbose "cookie size:" output
- progress-bar: don't use stderr explicitly, use bar->out
- Fixes for MSDOS
- build: open VC15 projects with VS 2017
- curl_ctype: private is*() type macros and functions
- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- winbuild: make linker generate proper PDB
- curl_easy_reset: clear digest auth state
- curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
- range: commonize FTP and FILE range handling
- progress-bar docs: update to match implementation
- fnmatch: do not match the empty string with a character set
- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
- build: fix termios issue on android cross-compile
- getdate: return -1 for out of range
- formdata: use the mime-content type function
- time-cond: fix reading the file modification time on Windows
- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- openssl: Don't add verify locations when verifypeer==0
- fnmatch: optimize processing of consecutive *s and ?s pattern characters
- schannel: fix compiler warnings
- content_encoding: Add "none" alias to "identity"
- get_posix_time: only check for overflows if they can happen
- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING
- README: language fix
- sha256: build with OpenSSL < 0.9.8
- smtp: fix processing of initial dot in data
- --tlsauthtype: works only if libcurl is built with TLS-SRP support
- tests: new tests for http raw mode
- libcurl-security.3: man page discussion security concerns when using libcurl
- curl_gssapi: make sure this file too uses our *printf()
- BINDINGS: fix curb link (and remove ruby-curl-multi)
- nss: use PK11_CreateManagedGenericObject() if available
- travis: add build with iconv enabled
- ssh: add two missing state names
- CURLOPT_HEADERFUNCTION.3: mention folded headers
- http: fix the max header length detection logic
- header callback: don't chop headers into smaller pieces
- CURLOPT_HEADER.3: clarify problems with different data sizes
- curl --version: show PSL if the run-time lib has it enabled
- examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Return error if called recursively from within callbacks
- sasl: prefer PLAIN mechanism over LOGIN
- winbuild: Use CALL to run batch scripts
- curl_share_setopt.3: connection cache is shared within multi handles
- winbuild: Use macros for the names of some build utilities
- projects/README: remove reference to dead IDN link/package
- lib655: silence compiler warning
- configure: Fix version check for OpenSSL 1.1.1
- docs/MANUAL: formfind.pl is not accessible on the site anymore
- unit1309: fix warning on Windows x64
- unit1307: proper cleanup on OOM to fix torture tests
- curl_ctype: fix macro redefinition warnings
- build: get CFLAGS (including -werror) used for examples and tests
- NO_PROXY: fix for IPv6 numericals in the URL
- krb5: use nondeprecated functions
- winbuild: prefer documented zlib library names
- http2: mark the connection for close on GOAWAY
- limit-rate: kick in even before "limit" data has been received
- HTTP: allow "header;" to replace an internal header with a blank one
- http2: verbose output new MAX_CONCURRENT_STREAMS values
- SECURITY: distros' max embargo time is 14 days
- curl tool: accept --compressed also if Brotli is enabled and zlib is not
- WolfSSL: adding TLSv1.3
- checksrc.pl: add -i and -m options
- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
New in cURL 7.58.0 (Jan 25, 2018)
- Changes:
- new libssh-powered SSH SCP/SFTP back-end
- curl-config: add --ssl-backends
- Bugfixes:
- http2: fix incorrect trailer buffer size
- http: prevent custom Authorization headers in redirects
- travis: add boringssl build
- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
- SSL: Avoid magic allocation of SSL backend specific data
- lib: don't export all symbols, just everything curl_*
- libssh2: send the correct CURLE error code on scp file not found
- libssh2: return CURLE_UPLOAD_FAILED on failure to upload
- openssl: enable pkcs12 in boringssl builds
- libssh2: remove dead code from SSH_SFTP_QUOTE
- sasl_getmesssage: make sure we have a long enough string to pass
- conncache: fix several lock issues
- threaded-shared-conn.c: new example
- conncache: only allow multiplexing within same multi handle
- configure: check for netinet/in6.h
- URL: tolerate backslash after drive letter for FILE:
- openldap: add commented out debug possibilities
- include: get netinet/in.h before linux/tcp.h
- CONNECT: keep close connection flag in http_connect_state struct
- BINDINGS: another PostgreSQL client
- curl: limit -# update frequency for unknown total size
- configure: add AX_CODE_COVERAGE only if using gcc
- curl.h: remove incorrect comment about ERRORBUFFER
- openssl: improve data-pending check for https proxy
- curl: remove __EMX__ #ifdefs
- CURLOPT_PRIVATE.3: fix grammar
- sftp: allow quoted commands to use relative paths
- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
- RESOLVE: output verbose text when trying to set a duplicate name
- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- multi_done: prune DNS cache
- tests: update .gitignore for libtests
- tests: mark data files as non-executable in git
- CURLOPT_DNS_LOCAL_IP4.3: fixed the "SEE ALSO" to not self-reference
- curl.1: documented two missing valid exit codes
- curl.1: mention http:// and https:// as valid proxy prefixes
- vtls: replaced getenv() with curl_getenv()
- setopt: less *or equal* than INT_MAX/1000 should be fine
- examples/smtp-mail.c: use separate defines for options and mail
- curl: support >256 bytes warning messsages
- conncache: fix a return code
- krb5: fix a potential access of uninitialized memory
- rand: add a clang-analyzer work-around
- CURLOPT_READFUNCTION.3: refer to argument with correct name
- brotli: allow compiling with version 0.6.0
- content_encoding: rework zlib_inflate
- curl_easy_reset: release mime-related data
- examples/rtsp: fix error handling macros
- build-openssl.bat: Added support for VC15
- build-wolfssl.bat: Added support for VC15
- build: Added Visual Studio 2017 project files
- winbuild: Added support for VC15
- curl: Support size modifiers for --max-filesize
- examples/cacertinmem: ignore cert-already-exists error
- brotli: data at the end of content can be lost
- curl_version_info.3: call the argument 'age'
- openssl: fix memory leak of SSLKEYLOGFILE filename
- build: remove HAVE_LIMITS_H check
- --mail-rcpt: fix short-text description
- scripts: allow all perl scripts to be run directly
- progress: calculate transfer speed on milliseconds if possible
- system.h: check __LONG_MAX__ for defining curl_off_t
- easy: fix connection ownership in curl_easy_pause
- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- configure.ac: append extra linker flags instead of prepending them
- HTTP: bail out on negative Content-Length: values
- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
- mime: clone mime tree upon easy handle duplication
- openssl: enable SSLKEYLOGFILE support by default
- smtp/pop3/imap_get_message: decrease the data length too...
- CURLOPT_TCP_NODELAY.3: fix typo
- SMB: fix numeric constant suffix and variable types
- ftp-wildcard: fix matching an empty string with "*[^a]"
- curl_fnmatch: only allow 5 '*' sections in a single pattern
- openssl: fix potential memory leak in SSLKEYLOGFILE logic
- SSH: Fix state machine for ssh-agent authentication
- examples/url2file.c: add missing curl_global_cleanup() call
- http2: don't close connection when single transfer is stopped
- libcurl-env.3: first version
- curl: progress bar refresh, get width using ioctl()
- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
New in cURL 7.57.0 (Nov 29, 2017)
- Changes:
- auth: add support for RFC7616 - HTTP Digest access authentication
- share: add support for sharing the connection cache
- HTTP: implement Brotli content encoding
- Bugfixes:
- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access
- curl_mime_filedata.3: fix typos
- libtest: Add required test libraries for lib1552 and lib1553
- fix time diffs for systems using unsigned time_t
- ftplistparser: memory leak fix: free temporary memory always
- multi: allow table handle sizes to be overridden
- wildcards: don't use with non-supported protocols
- curl_fnmatch: return error on illegal wildcard pattern
- transfer: Fix chunked-encoding upload too early exit
- curl_setup: Improve detection of CURL_WINDOWS_APP
- resolvers: only include anything if needed
- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
- appveyor: add a win32 build
- Curl_timeleft: change return type to timediff_t
- cmake: Export libcurl and curl targets to use by other cmake projects
- curl: in -F option arg, comma is a delimiter for files only
- curl: improved ";type=" handling in -F option arguments
- timeval: use mach_absolute_time() on MacOS
- curlx: the timeval functions are no longer provided as curlx_*
- mkhelp.pl: do not generate comment with current date
- memdebug: use send/recv signature for curl_dosend/curl_dorecv
- cookie: avoid NULL dereference
- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- include: remove conncache.h inclusion from where its not needed
- CURLOPT_MAXREDIRS: allow -1 as a value
- tests: Fixed torture tests on tests 556 and 650
- http2: Fixed OOM handling in upgrade request
- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
- CURLOPT_INFILESIZE: accept -1
- curl: pass through [] in URLs instead of calling globbing error
- curl: speed up handling of many URLs
- ntlm: avoid malloc(0) for zero length passwords
- url: remove faulty arg value check from CURLOPT_SSH_AUTH_TYPES
- HTTP: support multiple Content-Encodings
- travis: add a job with brotli enabled
- url: remove unncessary NULL-check
- fnmatch: remove dead code
- connect: store IPv6 connection status after valid connection
- imap: deal with commands case insensitively
- --interface: add support for Linux VRF
- content_encoding: fix inflate_stream for no bytes available
- cmake: Correctly include curl.rc in Windows builds
- cmake: Add missing setmode check
- connect.c: remove executable bit on file
- SMB: fix uninitialized local variable
- zlib/brotli: only include header files in modules needing them
- URL: return error on malformed URLs with junk after IPv6 bracket
- openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- macOS: Fix missing connectx function with Xcode version older than 9.0
- --resolve: allow IP address within [] brackets
- examples/curlx: Fix code style
- ntlm: remove unnecessary NULL-check to please scan-build
- Curl_llist_remove: fix potential NULL pointer deref
- mime: fix "Value stored to 'sz' is never read" scan-build error
- openssl: fix "Value stored to 'rc' is never read" scan-build error
- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
- http2: fix "Value stored to 'end' is never read" scan-build error
- Curl_open: fix OOM return error correctly
- url: reject ASCII control characters and space in host names
- examples/rtsp: clear RANGE again after use
- connect: improve the bind error message
- make: fix "make distclean"
- connect: add support for new TCP Fast Open API on Linux
- metalink: fix memory-leak and NULL pointer dereference
- URL: update "file:" URL handling
- ssh: remove check for a NULL pointer
- global_init: ignore CURL_GLOBAL_SSL's absense
New in cURL 7.56.1 (Oct 29, 2017)
- Bugfixes:
- imap: if a FETCH response has no size, don't call write callback
- ftp: UBsan fixup 'pointer index expression overflowed
- failf: skip the sprintf() if there are no consumers
- fuzzer: move to using external curl-fuzzer
- lib/Makefile.m32: allow customizing dll suffixes
- docs: fix typo in curl_mime_data_cb man page
- darwinssl: add support for TLSv1.3
- build: fix --disable-crypto-auth
- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
- strtoofft: Remove extraneous null check
- multi_cleanup: call DONE on handles that never got that
- tests: added flaky keyword to tests 587 and 644
- pingpong: return error when trying to send without connection
- remove_handle: call multi_done() first, then clear dns cache pointer
- mime: be tolerant about setting the same header list twice in a part
- mime: improve unbinding top multipart from easy handle
- mime: avoid resetting a part's encoder when part's contents change
- mime: refuse to add subparts to one of their own descendants
- RTSP: avoid integer overflow on funny RTSP responses
- curl: don't pass semicolons when parsing Content-Disposition
- openssl: enable PKCS12 support for !BoringSSL
- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
- CURLOPT_XFERINFODATA.3: fix duplicate see also
- test298: verify --ftp-method nowcwd with URL encoded path
- FTP: URL decode path for dir listing in nocwd mode
- smtp_done: fix memory leak on send failure
- ftpserver: support case insensitive commands
- test950; verify SMTP with custom request
- openssl: don't use old BORINGSSL_YYYYMM macros
- setopt: update current connection SSL verify params
- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
- curl: reimplement stdin buffering in -F option
- mime: keep "text/plain" content type if user-specified
- mime: fix the content reader to handle >16K data properly
- configure: remove the C++ compiler check
- memdebug: trace send, recv and socket
- runtests: use valgrind for torture as well
- ldap: silence clang warning
- makefile.m32: allow to override gcc, ar and ranlib
- setopt: avoid integer overflows when setting millsecond values
- setopt: range check most long options
- ftp: reject illegal IP/port in PASV 227 response
- mime: do not reuse previously computed multipart size
- vtls: change struct Curl_ssl `close' field name to `close_one'
- os400: add missing symbols in config file
- mime: limit bas64-encoded lines length to 76 characters
- mk-ca-bundle: Remove URL for aurora
- mk-ca-bundle: Fix URL for NSS
New in cURL 7.53.1 (Feb 25, 2017)
- Bugfixes:
- cyassl: fix typo
- url: Improve CURLOPT_PROXY_CAPATH error handling
- urldata: include curl_sspi.h when Windows SSPI is enabled
- formdata: check for EOF when reading from stdin
- tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
- url: Default the proxy CA bundle location to CURL_CA_BUNDLE
- rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
New in cURL 7.53.0 (Feb 22, 2017)
- Changes:
- unix_socket: added --abstract-unix-socket and CURLOPT_ABSTRACT_UNIX_SOCKET
- CURLOPT_BUFFERSIZE: support enlarging receive buffer
- Bugfixes:
- CVE-2017-2629: make SSL_VERIFYSTATUS work again
- gnutls-random: check return code for failed random
- openssl-random: check return code when asking for random
- http: remove "Curl_http_done: called premature" message
- cyassl: use time_t instead of long for timeout
- build-wolfssl: Sync config with wolfSSL 3.10
- ftp-gss: check for init before use
- configure: accept --with-libidn2 instead
- ftp: failure to resolve proxy should return that error code
- curl.1: add three more exit codes
- docs/ciphers: link to our own new page about ciphers
- vtls: s/SSLEAY/OPENSSL - fixes multi_socket timeouts with openssl
- darwinssl: fix iOS build
- darwinssl: fix CFArrayRef leak
- cmake: use crypt32.lib when building with OpenSSL on windows
- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
- digest_sspi: copy terminating NUL as well
- curl: fix --remote-time incorrect times on Windows
- curl.1: several updates and corrections
- content_encoding: change return code on a failure
- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
- docs: TCP_KEEPALIVE start and interval default to 60
- darwinssl: --insecure overrides --cacert if both settings are in use
- TheArtOfHttpScripting: grammar
- CIPHERS.md: document GSKit ciphers
- wolfssl: support setting cipher list
- wolfssl: display negotiated SSL version and cipher
- lib506: fix build for Open Watcom
- asiohiper: improved socket handling
- examples: make the C++ examples follow our code style too
- tests/sws: retry send() on EWOULDBLOCK
- cmake: Fix passing _WINSOCKAPI_ macro to compiler
- smtp: Fix STARTTLS denied error message
- imap/pop3: don't print response character in STARTTLS denied messages
- rand: make it work without TLS backing
- url: fix parsing for when 'file' is the default protocol
- url: allow file://X:/path URLs on windows again
- gnutls: check for alpn and ocsp in configure
- IDN: Use TR46 'non-transitional' for toASCII translations
- url: Fix NO_PROXY env var to work properly with --proxy option
- CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
- docs: Add note about libcurl copying strings to CURLOPT_* manpages
- curl: reset the easy handle at --next
- --next docs: --trace and --trace-ascii are also global
- --write-out docs: 'time_total' is not always shown with ms precision
- http: print correct HTTP string in verbose output when using HTTP/2
- docs: improved language in README.md HISTORY.md CONTRIBUTE.md
- http2: disable server push if not requested
- nss: use the correct lock in nss_find_slot_by_name()
- usercertinmem.c: improve the short description
- CURLOPT_CONNECT_TO: Fix compile warnings
- docs: non-blocking SSL handshake is now supported with NSS
- *.rc: escape non-ASCII/non-UTF-8 character for clarity
- mbedTLS: fix multi interface non-blocking handshake
- PolarSSL: fix multi interface non-blocking handshake
- VC: remove the makefile.vc6 build infra
- telnet: fix windows compiler warnings
- cookies: do not assume a valid domain has a dot
- polarssl: fix hangs
- gnutls: disable TLS session tickets
- mbedtls: disable TLS session tickets
- mbedtls: implement CTR-DRBG and HAVEGE random generators
- openssl: Don't use certificate after transferring ownership
- cmake: Support curl --xattr when built with cmake
- OS400: Fix symbols
- docs: Add more HTTPS proxy documentation
- docs: use more HTTPS links
- cmdline-opts: Fixed build and test in out of source tree builds
- CHANGES.0: removed
- schannel: Remove incorrect SNI disabled message
- darwinssl: Avoid parsing certificates when not in verbose mode
- test552: Fix typos
- telnet: Fix typos
- transfer: only retry nobody-requests for HTTP
- http2: reset push header counter fixes crash
- nss: make FTPS work with --proxytunnel
- test1139: Added the --manual keyword since the manual is required
- polarssl, mbedtls: Fix detection of pending data
- http_proxy: Fix tiny memory leak upon edge case connecting to proxy
- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
- curl.1: ftp.sunet.se is no longer an FTP mirror
- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
- http2: fix memory-leak when denying push streams
- configure: Allow disabling pthreads, fall back on Win32 threads
- curl: fix typo in time condition warning message
- axtls: adapt to API changes
- tool_urlglob: Allow a glob range with the same start and stop
- winbuild: add note on auto-detection of MACHINE in Makefile.vc
- http: fix missing 'Content-Length: 0' while negotiating auth
- proxy: fix hostname resolution and IDN conversion
- docs: fix timeout handling in multi-uv example
- digest_sspi: Fix nonce-count generation in HTTP digest
- sftp: improved checks for create dir failures
- smb: use getpid replacement for windows UWP builds
- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
New in cURL 7.52.1 (Dec 29, 2016)
- Bugfixes:
- CVE-2016-9594: unititialized random
- lib557: fix checksrc warnings
- lib: fix MSVC compiler warnings
- lib557.c: use a shorter MAXIMIZE representation
- tests: run checksrc on debug builds
New in cURL 7.52.0 (Dec 22, 2016)
- Changes:
- nss: map CURL_SSLVERSION_DEFAULT to NSS default
- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
- curl: introduce the --tlsv1.3 option to force TLS 1.3
- curl: Add --retry-connrefused
- proxy: Support HTTPS proxy and SOCKS+HTTP(s)
- add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
- curl: add --fail-early
- Bugfixes:
- CVE-2016-9586: printf floating point buffer overflow
- CVE-2016-9952: Win CE schannel cert wildcard matches too much
- CVE-2016-9953: Win CE schannel cert name out of buffer read
- msvc: removed a straggling reference to strequal.c
- winbuild: remove strcase.obj from curl build
- examples: bugfixed multi-uv.c
- configure: verify that compiler groks -Werror=partial-availability
- mbedtls: fix build with mbedtls versions < 2.4.0
- dist: add unit test CMakeLists.txt to the tarball
- curl -w: added more decimal digits to timing counters
- easy: Initialize info variables on easy init and duphandle
- cmake: disable poll for macOS
- http2: Don't send header fields prohibited by HTTP/2 spec
- ssh: check md5 fingerprints case insensitively (regression)
- openssl: initial TLS 1.3 adaptions
- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
- printf: fix ".*f" handling
- examples/fileupload.c: fclose the file as well
- SPNEGO: Fix memory leak when authentication fails
- realloc: use Curl_saferealloc to avoid common mistakes
- openssl: make sure to fail in the unlikely event that PRNG seeding fails
- URL-parser: for file://[host]/ URLs, the [host] must be localhost
- timeval: prefer time_t to hold seconds instead of long
- Curl_rand: fixed and moved to rand.c
- glob: fix [a-c] globbing regression
- darwinssl: fix SSL client certificate not found on MacOS Sierra
- curl.1: Clarify --dump-header only writes received headers
- http2: Fix address sanitizer memcpy warning
- http2: Use huge HTTP/2 windows
- connects: Don't mix unix domain sockets with regular ones
- url: Fix conn reuse for local ports and interfaces
- x509: Limit ASN.1 structure sizes to 256K
- checksrc: add more checks
- winbuild: add config option ENABLE_NGHTTP2
- http2: check nghttp2_session_set_local_window_size exists
- http2: Fix crashes when parent stream gets aborted
- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries
- URL parser: reject non-numerical port numbers
- CONNECT: reject TE or CL in 2xx responses
- CONNECT: read responses one byte at a time
- curl: support zero-length argument strings in config files
- openssl: don't use OpenSSL's ERR_PACK
- curl.1: generated with the new man page system
- curl_easy_recv: Improve documentation and example program
- Curl_getconnectinfo: avoid checking if the connection is closed
- CIPHERS.md: attempt to document TLS cipher names
New in cURL 7.51.0 (Nov 2, 2016)
- Changes:
- nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
- New option: CURLOPT_KEEP_SENDING_ON_ERROR
- Bugfixes:
- CVE-2016-8615: cookie injection for other servers
- CVE-2016-8616: case insensitive password comparison
- CVE-2016-8617: OOB write via unchecked multiplication
- CVE-2016-8618: double-free in curl_maprintf
- CVE-2016-8619: double-free in krb5 code
- CVE-2016-8620: glob parser write/read out of bounds
- CVE-2016-8621: curl_getdate read out of bounds
- CVE-2016-8622: URL unescape heap overflow via integer truncation
- CVE-2016-8623: Use-after-free via shared cookies
- CVE-2016-8624: invalid URL parsing with '#'
- CVE-2016-8625: IDNA 2003 makes curl use wrong host
- openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
- LICENSE-MIXING.md: update with mbedTLS dual licensing
- examples/imap-append: Set size of data to be uploaded
- test2048: fix url
- darwinssl: disable RC4 cipher-suite support
- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
- openssl: don’t call CRYTPO_cleanup_all_ex_data
- libressl: fix version output
- easy: Reset all statistical session info in curl_easy_reset
- curl_global_cleanup.3: don't unload the lib with sub threads running
- dist: add CurlSymbolHiding.cmake to the tarball
- docs: Remove that --proto is just used for initial retrieval
- configure: Fixed builds with libssh2 in a custom location
- curl.1: --trace supports % for sending to stderr!
- cookies: same domain handling changed to match browser behavior
- formpost: trying to attach a directory no longer crashes
- CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
- formpost: avoid silent snprintf() truncation
- ftp: fix Curl_ftpsendf
- mprintf: return error on too many arguments
- smb: properly check incoming packet boundaries
- GIT-INFO: remove the Mac 10.1-specific details
- resolve: add error message when resolving using SIGALRM
- cmake: add nghttp2 support
- dist: remove PDF and HTML converted docs from the releases
- configure: disable poll() in macOS builds
- vtls: only re-use session-ids using the same scheme
- pipelining: skip to-be-closed connections when pipelining
- win: fix Universal Windows Platform build
- curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
- maketgz: make it support "only" generating version info
- Curl_socket_check: add extra check to avoid integer overflow
- gopher: properly return error for poll failures
- curl: set INTERLEAVEDATA too
- polarssl: clear thread array at init
- polarssl: fix unaligned SSL session-id lock
- polarssl: reduce #ifdef madness with a macro
- curl_multi_add_handle: set timeouts in closure handles
- configure: set min version flags for builds on mac
- INSTALL: converted to markdown => INSTALL.md
- curl_multi_remove_handle: fix a double-free
- multi: fix inifinte loop in curl_multi_cleanup()
- nss: fix tight loop in non-blocking TLS handhsake over proxy
- mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- mbedtls: stop using deprecated include file
- docs: fix req->data in multi-uv example
- configure: Fix test syntax for monotonic clock_gettime
- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
New in cURL 7.50.3 (Sep 20, 2016)
- Bugfixes:
- CVE-2016-7167: escape and unescape integer overflows
- mk-ca-bundle.pl: use SHA256 instead of SHA1
- checksrc: detect strtok() use
- errors: new alias CURLE_WEIRD_SERVER_REPLY
- http2: support > 64bit sized uploads
- openssl: fix bad memory free (regression)
- CMake: hide private library symbols
- http: refuse to pass on response body when NO_NODY is set
- cmake: fix curl-config --static-libs
- mbedtls: switch off NTLM in build if md4 isn't available
- curl: --create-dirs on windows groks both forward and backward slashes
New in cURL 7.50.2 (Sep 7, 2016)
- Bugfixes:
- mbedtls: Added support for NTLM
- SSH: fixed SFTP/SCP transfer problems
- multi: make Curl_expire() work with 0 ms timeouts
- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- TFTP: Fix upload problem with piped input
- CURLOPT_TCP_NODELAY: now enabled by default
- mbedtls: set verbose TLS debug when MBEDTLS_DEBUG is defined
- http2: always wait for readable socket
- cmake: Enable win32 large file support by default
- cmake: Enable win32 threaded resolver by default
- winbuild: Avoid setting redundant CFLAGS to compile commands
- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
- docs: make more markdown files use .md extension
- docs: CONTRIBUTE and LICENSE-MIXING were converted to markdown
- winbuild: Allow changing C compiler via environment variable CC
- rtsp: accept any RTSP session id
- HTTP: retry failed HEAD requests on reused connections too
- configure: add zlib search with pkg-config
- openssl: accept subjectAltName iPAddress if no dNSName match
- MANUAL: Remove invalid link to LDAP documentation
- socks: improved connection procedure
- proxy: reject attempts to use unsupported proxy schemes
- proxy: bring back use of "Proxy-Connection:"
- curl: allow "pkcs11:" prefix for client certificates
- spnego_sspi: fix memory leak in case *outlen is zero
- SOCKS: improve verbose output of SOCKS5 connection sequence
- SOCKS: display the hostname returned by the SOCKS5 proxy server
- http/sasl: Query authentication mechanism supported by SSPI before using
- sasl: Don't use GSSAPI authentication when domain name not specified
- win: Basic support for Universal Windows Platform apps
- nss: fix incorrect use of a previously loaded certificate from file
- nss: work around race condition in PK11_FindSlotByName()
- ftp: fix wrong poll on the secondary socket
- openssl: build warning-free with 1.1.0 (again)
- HTTP: stop parsing headers when switching to unknown protocols
- test219: Add http as a required feature
- TLS: random file/egd doesn't have to match for conn reuse
- schannel: Disable ALPN for Wine since it is causing problems
- http2: make sure stream errors don't needlessly close the connection
- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- darwinssl: --cainfo is intended for backward compatibility only
- speed caps: not based on average speeds anymore
- configure: make the cpp -P detection not clobber CPPFLAGS
- http2: use named define instead of magic constant in read callback
- http2: skip the content-length parsing, detect unknown size
- http2: return EOF when done uploading without known size
- darwinssl: test for errSecSuccess in PKCS12 import rather than noErr
- openssl: fix CURLINFO_SSL_VERIFYRESULT
New in cURL 7.50.1 (Aug 3, 2016)
- Bugfixes:
- TLS: switch off SSL session id when client cert is used
- TLS: only reuse connections with the same client cert
- curl_multi_cleanup: clear connection pointer for easy handles
- include the CURLINFO_HTTP_VERSION man page into the release tarball
- include the http2-server.pl script in the release tarball
- test558: fix test by stripping file paths from FD lines
- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- tests: Fix for http/2 feature
- cmake: Fix for schannel support
- curl.h: make public types void * again
- win32: fix a potential memory leak in Curl_load_library
- travis: fix OSX build by re-installing libtool
- mbedtls: Fix debug function name
New in cURL 7.50.0 (Jul 25, 2016)
- Changes:
- http: add CURLINFO_HTTP_VERSION and %{http_version}
- Bugfixes:
- memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- openssl: fix build with OPENSSL_NO_COMP
- mbedtls: removed unused variables
- cmake: Added missing mbedTLS support
- URL parser: allow URLs to use one, two or three slashes
- curl: fix -q [regression]
- openssl: Use correct buffer sizes for error messages
- curl: fix SIGSEGV while parsing URL with too many globs
- schannel: add CURLOPT_CERTINFO support
- vtls: fix ssl session cache race condition
- http: Fix HTTP/2 connection reuse [regression]
- checksrc: Add LoadLibrary to the banned functions list
- schannel: Disable ALPN on Windows < 8.1
- configure: occasional ignorance of --enable-symbol-hiding with GCC
- http2: test17xx are the first real HTTP/2 tests
- resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- curl_multi_socket_action.3: rewording
- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- cmake: Fix build with winldap
- openssl: fix cert check with non-DNS name fields present
- curl.1: mention the units for the progress meter
- openssl: use more 'const' to fix build warnings with 1.1.0 branch
- cmake: now using BUILD_TESTING=ON/OFF
- vtls: Only call add/getsession if session id is enabled
- headers: forward declare CURL, CURLM and CURLSH as structs
- configure: improve detection of CA bundle path on FreeBSD
- SFTP: set a generic error when no SFTP one exists
- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- conn: don't free easy handle data in handler->disconnect
- cookie.c: Fix misleading indentation
- library: Fix memory leaks found during static analysis
- CURLMOPT_SOCKETFUNCTION.3: fix typo
- curl_global_init: moved the "IPv6 works" check here
- connect: disable TFO on Linux when using SSL
- vauth: Fixed memory leak due to function returning without free
- winbuild: fix embedded manifest option
New in cURL 7.49.1 (May 30, 2016)
- Windows: prevent DLL hijacking, CVE-2016-4802
- dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md
- schannel: fix compile break with MSVC XP toolset
- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- dist: include curl_multi_socket_all.3
- http2: use HTTP/2 in the HTTP/1.1-alike response
- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- libcurl.m4: Avoid obsolete warning
- winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- curl_multibyte: fix compiler error
- openssl: cleanup must free compression methods (memory leak)
- mbedtls: fix includes so snprintf() works
- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- contributors.sh: better grep pattern and show GitHub username
- ssh: fix build for libssh2 before 1.2.6
- curl_share_setopt.3: Add min ver needed for ssl session lock
New in cURL 7.49.0 (May 18, 2016)
- Changes:
- schannel: Add ALPN support
- SSH: support CURLINFO_FILETIME
- SSH: new CURLOPT_QUOTE command "statvfs"
- wolfssl: Add ALPN support
- http2: added --http2-prior-knowledge
- http2: added CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
- libcurl: added CURLOPT_CONNECT_TO
- curl: added --connect-to
- libcurl: added CURLOPT_TCP_FASTOPEN
- curl: added --tcp-fastopen
- curl: remove support for --ftpport, -http-request and --socks
- Bugfixes:
- CVE-2016-3739: TLS certificate check bypass with mbedTLS/PolarSSL
- checksrc.bat: Updated the help to be consistent with generate.bat
- checksrc.bat: Added support for scanning the tests and examples
- openssl: fix ERR_remove_thread_state() for boringssl/libressl
- openssl: boringssl provides the same numbering as openssl
- multi: fix "Operation timed out after" timer
- url: don't use bad offset in tld_check_name to show error
- sshserver.pl: use quotes for given options
- Makefile.am: skip the scripts dir
- curl: warn for --capath use if not supported by libcurl
- http2: fix connection reuse
- GSS: make Curl_gss_log_error more verbose
- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
- wolfssl: Use ECC supported curves extension
- openssl: Fix compilation warnings
- Curl_add_buffer_send: avoid possible NULL dereference
- SOCKS5_gssapi_negotiate: don't assume little-endian ints
- strerror: don't bit shift a signed integer
- url: Corrected get protocol family for FTP and LDAP
- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- upload: missing rewind call could make libcurl hang
- IMAP: check pointer before dereferencing it
- build: Changed the Visual Studio projects warning level from 3 to 4
- checksrc: now stricter, wider checks, code cleaned up
- checksrc: added docs/CHECKSRC.md
- curl_sasl: Fixed potential null pointer utilisation
- krb5: Fixed missing client response when mutual authentication enabled
- krb5: Only process challenge when present
- krb5: Only generate a SPN when its not known
- formdata: use appropriate fopen() macros
- curl.1: -w filename_effective was introduced in 7.26.0
- http2: make use of the nghttp2 error callback
- http2: fix connection reuse when PING comes after last DATA
- curl.1: change example for -F
- HTTP2: Add a space character after the status code
- curl.1: use example.com more
- mbedtls.c: changed private prefix to mbed_
- mbedtls: implement and provide *_data_pending() to avoid hang
- mbedtls: fix MBEDTLS_DEBUG builds
- ftp/imap/pop3/smtp: Allow the service name to be overridden
- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- build: include scripts/ in the dist
- http2: Add handling stream level error
- http2: Improve header parsing
- makefile.vc6: use d suffix on debug object
- configure: remove check for libresolve
- scripts/make: use $(EXEEXT) for executables
- checksrc: got rid of the whitelist files
- sendf: added ability to call recv() before send() as workaround
- NTLM: check for NULL pointer before dereferencing
- openssl: builds with OpenSSL 1.1.0-pre5
- configure: ac_cv_ -> curl_cv_ for all cached vars
- winbuild: add mbedtls support
- curl: make --ftp-create-dirs retry on failure
- PolarSSL: implement public key pinning
- multi: accidentally used resolved host name instead of proxy
- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
- CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- opts: Fix some syntax errors in example code fragments
- mbedtls: Fix session resume
- test1139: verifies libcurl option man page presence
- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- curl: make --disable work as long form of -q
- curl: use --telnet-option as documented
- curl.1: document --ftp-ssl-reqd, --krb4 and --ntlm-wb
- curl: -h output lacked --proxy-header and --ntlm-wb
- curl -J: make it work even without http:// scheme on URL
- lib: include curl_printf.h as one of the last headers
- tests: handle path properly on Msys/Cygwin
- curl.1: --mail-rcpt can be used multiple times
- CURLOPT_ACCEPT_ENCODING.3: clarified
- docs: fixed lots of broken man page references
- tls: make setting pinnedkey option fail if not supported
- test1140: run nroff-scan to verify man pages
- http: make sure a blank header overrides accept_decoding
- connections: do not reuse non-HTTP proxies on different ports
- connect: fix invalid "Network is unreachable" errors
- TLS: move the ALPN/NPN enable bits to the connection
- TLS: SSL_peek is not a const operation
- http2: Add space between colon and header value
- darwinssl: fix certificate verification disable on OS X 10.8
- mprintf: Fix processing of width and prec args
- ftp wildcard: segfault due to init only in multi_perform
New in cURL 7.48.0 (Mar 23, 2016)
- Changes:
- configure: --with-ca-fallback: use built-in TLS CA fallback
- TFTP: add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS
- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- added CODE_STYLE.md
- Bugfixes:
- Proxy-Connection: stop sending this header by default
- os400: sync ILE/RPG definitions with latest public header files
- cookies: allow spaces in cookie names, cut of trailing spaces
- tool_urlglob: Allow reserved dos device names (Windows)
- openssl: remove most BoringSSL #ifdefs
- tool_doswin: Support for literal path prefix \\?
- mbedtls: fix ALPN usage segfault
- mbedtls: fix memory leak when destroying SSL connection data
- nss: do not count enabled cipher-suites
- examples/cookie_interface.c: add cleanup call
- examples: adhere to curl code style
- curlx_tvdiff: handle 32bit time_t overflows
- dist: ship buildconf.bat too
- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- generate.bat: Fix comment bug by removing old comments
- test1604: Add to Makefile.inc so it gets run
- gtls: fix for builds lacking encrypted key file support
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- cookie: do not refuse cookies to localhost
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
- http: Don't break the header into chunks if HTTP/2
- http2: don't decompress gzip decoding automatically
- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- curl.1: add a missing dash
- curl.1: HTTP headers for --cookie must be Set-Cookie style
- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- curl_sasl: Fix memory leak in digest parser
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- CURLOPT_DEBUGFUNCTION.3: Fix example
- runtests: Fixed usage of %PWD on MinGW64
- tests/sshserver.pl: use RSA instead of DSA for host auth
- multi_remove_handle: keep the timeout list until after disconnect
- Curl_read: check for activated HTTP/1 pipelining, not only requested
- configure: warn on invalid ca bundle or path
- file: try reading from files with no size
- getinfo: Add support for mbedTLS TLS session info
- formpost: fix memory leaks in AddFormData error branches
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- url: if Curl_done is premature then pipeline not in use
- cookie: remove redundant check
- cookie: Don't expire session cookies in remove_expired
- makefile.m32: fix to allow -ssh2-winssl combination
- checksrc.bat: Fixed cannot find perl if installed but not in path
- build-openssl.bat: Fixed cannot find perl if installed but not in path
- mbedtls: fix user-specified SSL protocol version
- makefile.m32: add missing libs for static -winssl-ssh2 builds
- test46: change cookie expiry date
- pipeline: Sanity check pipeline pointer before accessing it
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
- ftp_done: clear tunnel_state when secondary socket closes
- opt-docs: fix heading macros
- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- curl_multi_wait: never return -1 in 'numfds'
- url.c: fix clang warning: no newline at end of file
- krb5: improved type handling to avoid clang compiler warnings
- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- multi: avoid blocking during CURLM_STATE_WAITPROXYCONNECT
- multi hash: ensure modulo performed on curl_socket_t
- curl: glob_range: no need to check unsigned variable for negative
- easy: add check to malloc() when running event-based
- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- version: thread safety
- openssl: verbose: show matching SAN pattern
- openssl: adapt to OpenSSL 1.1.0 API breakage in ERR_remove_thread_state()
- formdata.c: Fixed compilation warning
- configure: use cpp -P when needed
- imap.c: Fixed compilation warning with /Wall enabled
- config-w32.h: Fixed compilation warning when /Wall enabled
- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
- build: Added missing Visual Studio filter files for VC10 onwards
- easy: Remove poll failure check in easy_transfer
- mbedtls: fix compiler warning
- build-wolfssl: Update VS properties for wolfSSL v3.9.0
- Fixed various compilation warnings when verbose strings disabled
- sshserver: remove use of AuthorizedKeysFile2
New in cURL 7.47.1 (Feb 10, 2016)
- Bugfixes:
- getredirect.c: fix variable name
- tool_doswin: silence unused function warning
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
- curl.1: Explain remote-name behavior if file already exists
- tool_operate: Don't sanitize --output path (Windows)
- URLs: change all http:// URLs to https:// in documentation & comments
- sasl_sspi: Fix memory leak in domain populate
- COPYING: clarify that Daniel is not the sole author
- examples/htmltitle: Use _stricmp on Windows
- examples/asiohiper: Avoid function name collision on Windows
- idn_win32: Better error checking
- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- curl save files: check for backslashes on cygwin
New in cURL 7.46.0 (Dec 3, 2015)
- Changes:
- configure: build silently by default
- cookies: Add support for Publix Suffix List with libpsl
- vtls: added support for mbedTLS
- Added CURLOPT_STREAM_DEPENDS
- Added CURLOPT_STREAM_DEPENDS_E
- Added CURLOPT_STREAM_WEIGHT
- Added CURLFORM_CONTENTLEN
- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- Bugfixes:
- des: Fix header conditional for Curl_des_set_odd_parity
- ntlm: get rid of unconditional use of long long
- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
- docs: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
- http2: Fix http2_recv to return -1 if recv returned -1
- curl_global_init_mem: set function pointers before doing init
- ntlm: error out without 64bit support as the code needs it
- openssl: Fix set up of pkcs12 certificate verification chain
- acinclude: remove PKGCONFIG override
- test1531: case the size to fix the test on non-largefile builds
- fread_func: move callback pointer from set to state struct
- test1601: fix compilation with --enable-debug and --disable-crypto-auth
- http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
- curlbuild.h: Fix non-configure compiling to mips and sh4 targets
- tool: Generate easysrc with last cache linked-list
- cmake: Fix for add_subdirectory(curl) use-case
- vtls: fix compiler warning for TLS backends without sha256
- build: fix for MSDOS/djgpp
- checksrc: add crude // detection
- http2: on_frame_recv: trust the conn/data input
- ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
- polarssl/mbedtls: fix name space pollution
- build: Fix mingw ssl gdi32 order
- build: Fix support for PKG_CONFIG
- MacOSX-Framework: sdk regex fix for sdk 10.10 and later
- socks: Fix incorrect port numbers in failed connect messages
- curl.1: -E: s/private certificate/client certificate
- curl.h: s/HTTPPOST_/CURL_HTTPOST_
- curl_formadd: support >2GB files on windows
- http redirects: %-encode bytes outside of ascii range
- rawstr: Speed up Curl_raw_toupper by 40%
- curl_ntlm_core: fix 2 curl_off_t constant overflows.
- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
- tftp tests: verify sent options too
- imap: Don't call imap_atom() when no mailbox specified in LIST command
- imap: Fixed double quote in LIST command when mailbox contains spaces
- imap: Don't check for continuation when executing a CUSTOMREQUEST
- acinclude: Remove check for 16-bit curl_off_t
- BoringSSL: Work with stricter BIO_get_mem_data()
- cmake: Add missing feature macros in config header
- sasl_sspi: fixed unicode build for digest authentication
- sasl_sspi: fix identity memory leak in digest authentication
- unit1602: Fixed failure in torture test
- unit1603: Added unit tests for hash functions
- vtls/openssl: remove unused traces of yassl ifdefs
- openssl: remove #ifdefs for < 0.9.7 support
- typecheck-gcc.h: add some missing options
- curl: mark two more options strings for --libcurl output
- openssl: Free modules on cleanup
- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
- getconnectinfo: Don't call recv(2) if socket == -1
- http2: http_done: don't free already-freed push headers
- zsh completion: Preserve single quotes in output
- os400: Provide options for libssh2 use in compile scripts.
- build: Fix theoretical infinite loops
- pop3: Differentiate between success and continuation responses
- examples: Fixed compilation warnings
- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- CURLOPT_HEADERFUNCTION.3: fix typo
- curl: expanded the -XHEAD warning text
- done: make sure the final progress update is made
- build: Install zsh completion
- RTSP: do not add if-modified-since without timecondition
- curl: Fixed display of URL index in password prompt for --next
- nonblock: fix setting non-blocking mode for Amiga
- http2 push: add missing inits of new stream
- http2: convert some verbose output into debug-only output
- Curl_read_plain: clean up ifdefs that break statements
New in cURL 7.45.0 (Oct 8, 2015)
- Changes:
- added CURLOPT_DEFAULT_PROTOCOL
- added new tool option --proto-default
- getinfo: added CURLINFO_ACTIVESOCKET
- turned CURLINFO_* option docs as stand-alone man pages
- curl: point out unnecessary uses of -X in verbose mode
- Bugfixes:
- curl_global_init_mem.3: Stronger thread safety warning
- buildconf.bat: Fixed issues when ran in directories with special chars
- cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
- generate.bat: Fixed issues when ran in directories with special chars
- generate.bat: Only call buildconf.bat if it exists
- generate.bat: Added support for generating only the prerequisite files
- curl.1: Document weaknesses in SSLv2 and SSLv3
- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
- docs: Update the redirect protocols disabled by default
- inet_pton.c: Fix MSVC run-time check failure
- CURLMOPT_PUSHFUNCTION.3: fix argument types
- rtsp: support basic/digest authentication
- rtsp: stop reading empty DESCRIBE responses
- travis: Upgrading to container based build
- travis.yml: Add OS X testbot
- FTP: make state machine not get stuck in state
- openssl: handle lack of server cert when strict checking disabled
- configure: change functions to detect openssl (clones)
- configure: detect latest boringssl
- runtests: Allow for spaces in server-verify curl custom path
- http2: on_frame_recv: get a proper 'conn' for the debug logging
- ntlm: mark deliberate switch case fall-through
- http2: remove dead code
- curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
- curl: point out the conflicting HTTP methods if used
- cmake: added Windows SSL support
- curl_easy_{escape,setopt}.3: fix example
- curl_easy_escape.3: escape '\n'
- libcurl.m4: Put braces around empty if body
- buildconf.bat: Fixed double blank line in 'curl manual' warning output
- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
- inet_pton.c: Fix MSVC run-time check failure
- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
- http2: don't pass on Connection: headers
- nss: do not directly access SSL_ImplementedCiphers
- docs: numerous cleanups and spelling fixes
- FTP: do_more: add check for wait_data_conn in upload case
- parse_proxy: reject illegal port numbers
- cmake: IPv6 : disable Unix header check on Windows platform
- winbuild: run buildconf.bat if necessary
- buildconf.bat: fix syntax error
- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
- nss: prevent NSS from incorrectly re-using a session
- libcurl-errors.3: add two missing error codes
- openssl: fix build with < 0.9.8
- openssl: refactor certificate parsing to use OpenSSL memory BIO
- openldap: only part of LDAP query results received
- ssl: add server cert's "sha256//" hash to verbose
- NTLM: Reset auth-done when using a fresh connection
- curl: generate easysrc only on --libcurl
- tests: disable 1801 until fixed
- CURLINFO_TLS_SESSION: always return backend info
- gnutls: Support CURLOPT_KEYPASSWD
- gnutls: Report actual GnuTLS error message for certificate errors
- tests: disable 1510 due to CI-problems on github
- cmake: Put "winsock2.h" before "windows.h" during configure checks
- cmake: Ensure discovered include dirs are considered
- configure: Add missing ')' for CURL_CHECK_OPTION_RT
- build: fix failures with -Wcast-align and -Werror
- FTP: fix uploading ASCII with unknown size
- readwrite_data: set a max number of loops
- http2: avoid superfluous Curl_expire() calls
- http2: set TCP_NODELAY unconditionally
- docs: fix unescaped '\n' in man pages
- openssl: Fix algorithm init to make (gost) engines work
- win32: make recent Borland compilers use long long
- runtests: Fix pid check in checkdied
- gopher: don't send NUL byte
- tool_setopt: fix c_escape truncated octal
- hiperfifo: fix the pointer passed to WRITEDATA
- getinfo: Fix return code for unknown CURLINFO options
New in cURL 7.44.0 (Aug 12, 2015)
- Changes:
- http2: added CURLMOPT_PUSHFUNCTION and CURLMOPT_PUSHDATA
- examples: added http2-serverpush.c
- http2: added curl_pushheader_byname() and curl_pushheader_bynum()
- docs: added CODE_OF_CONDUCT.md
- curl: Add --ssl-no-revoke to disable certificate revocation checks
- libcurl: New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS
- makefile: Added support for VC14
- build: Added Visual Studio 2015 (VC14) project files
- build: Added wolfSSL configurations to VC10+ project files
- Bugfixes:
- FTP: fix HTTP CONNECT logic regression
- openssl: Fix build with openssl < ~ 0.9.8f
- openssl: fix build with BoringSSL
- curl_easy_setopt.3: option order doesn't matter
- openssl: fix use of uninitialized buffer
- RTSP: removed dead code
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
- curl: always provide negotiate/kerberos options
- cookie: Fix bug in export if any-domain cookie is present
- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
- INSTALL: Advise use of non-native SSL for Windows = for TLSv1
- HTTP: POSTFIELDSIZE set after added to multi handle
- SSL-PROBLEMS: mention WinSSL problems in WinXP
- setup-vms.h: Symbol case fixups
- SSL: Pinned public key hash support
- libtest: call PR_Cleanup() on exit if NSPR is used
- ntlm_wb: Fix theoretical memory leak
- runtests: Allow for spaces in curl custom path
- http2: add stream != NULL checks for reliability
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
- http2: verify success of strchr() in http2_send()
- configure: add --disable-rt option
- openssl: work around MSVC warning
- HTTP: ignore "Content-Encoding: compress"
- configure: check if OpenSSL linking wants -ldl
- build-openssl.bat: Show syntax if required args are missing
- test1902: attempt to make the test more reliable
- libcurl-thread.3: Consolidate thread safety info
- maketgz: Fixed some VC makefiles missing from the release tarball
- libcurl-multi.3: mention curl_multi_wait
- ABI doc: use secure URL
- http: move HTTP/2 cleanup code off http_disconnect()
- libcurl-thread.3: Warn memory functions must be thread safe
- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
- docs: formpost needs the full size at start of upload
- curl_gssapi: remove 'const' to fix compiler warnings
- SSH: three state machine fixups
- libcurl.3: fix a single typo
- generate.bat: Only clean prerequisite files when in ALL mode
- curl_slist_append.3: add error checking to the example
- buildconf.bat: Added support for file clean-up via -clean
- generate.bat: Use buildconf.bat for prerequisite file clean-up
- NTLM: handle auth for only a single request
- curl_multi_remove_handle.3: fix formatting
- checksrc.bat: Fixed error when [directory] isn't a curl source directory
- checksrc.bat: Fixed error when missing *.c and *.h files
- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
- test46: update cookie expire time
- SFTP: fix range request off-by-one in size check
- CMake: fix GSSAPI builds
- build: refer to fixed libidn versions
- http2: discard frames with no SessionHandle
- curl_easy_recv.3: fix formatting
- libcurl-tutorial.3: fix formatting
- curl_formget.3: correct return code
New in cURL 7.43.0 (Jun 18, 2015)
- Changes:
- Added CURLOPT_PROXY_SERVICE_NAME
- Added CURLOPT_SERVICE_NAME
- New curl option: --proxy-service-name
- New curl option: --service-name
- New curl option: --data-raw
- Added CURLOPT_PIPEWAIT
- Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING
- HTTP/2: requires nghttp2 1.0.0 or later
- scripts: add zsh.pl for generating zsh completion
- curl.h: add CURL_HTTP_VERSION_2
- Bugfixes:
- CVE-2015-3236: lingering HTTP credentials in connection re-use
- CVE-2015-3237: SMB send off unrelated memory contents
- nss: fix compilation failure with old versions of NSS
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
- Curl_ossl_init: load builtin modules
- configure: follow-up fix for krb5-config
- sasl_sspi: Populate domain from the realm in the challenge
- netrc: support 'default' token
- README: convert to UTF-8
- cyassl: Implement public key pinning
- nss: implement public key pinning for NSS backend
- mingw build: add arch -m32/-m64 to LDFLAGS
- schannel: Fix out of bounds array
- configure: remove autogenerated files by autoconf
- configure: remove --automake from libtoolize call
- acinclude.m4: fix shell test for default CA cert bundle/path
- schannel: fix regression in schannel_recv
- openssl: skip trace outputs for ssl_ver == 0
- gnutls: properly retrieve certificate status
- netrc: Read in text mode when cygwin
- winbuild: Document the option used to statically link the CRT
- FTP: Make EPSV use the control IP address rather than the original host
- FTP: fix dangling conn->ip_addr dereference on verbose EPSV
- conncache: keep bundles on host+port bases, not only host names
- runtests.pl: use 'h2c' now, no -14 anymore
- curlver: introducing new version number (checking) macros
- openssl: boringssl build brekage, use SSL_CTX_set_msg_callback
- CURLOPT_POSTFIELDS.3: correct variable names
- curl_easy_unescape.3: update RFC reference
- gnutls: don't fail on non-fatal alerts during handshake
- testcurl.pl: allow source to be in an arbitrary directory
- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy
- SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description
- parse_proxy: switch off tunneling if non-HTTP proxy
- share_init: fix OOM crash
- perl: remove subdir, not touched in 9 years
- CURLOPT_COOKIELIST.3: Add example
- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
- FAQ: How do I port libcurl to my OS?
- openssl: Use TLS_client_method for OpenSSL 1.1.0+
- HTTP-NTLM: fail auth on connection close instead of looping
- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
- curl_getdate.3: update RFC reference
- curl_multi_info_read.3: added example
- curl_multi_perform.3: added example
- curl_multi_timeout.3: added example
- cookie: Stop exporting any-domain cookies
- openssl: remove dummy callback use from SSL_CTX_set_verify()
- openssl: remove SSL_get_session()-using code
- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
- openssl: removed error string #ifdef
- openssl: Fix verification of server-sent legacy intermediates
- docs: man page indentation and syntax fixes
- docs: Spelling fixes
- fopen.c: fix a few compiler warnings
- CURLOPT_OPENSOCKETFUNCTION: return error at once
- schannel: Add support for optional client certificates
- build: Properly detect OpenSSL 1.0.2 when using configure
- urldata: store POST size in state.infilesize too
- security:choose_mech remove dead code
- rtsp_do: remove dead code
- docs: many HTTP URIs changed to HTTPS
- schannel: schannel_recv overhaul
New in cURL 7.42.1 (Apr 29, 2015)
- Bugfixes:
- CURLOPT_HEADEROPT: default to separate
- dist: include {src,lib}/checksrc.whitelist
- connectionexists: fix build without NTLM
- docs: distribute the CURLOPT_PINNEDPUBLICKEY man page, too
- curl -z: do not write empty file on unmet condition
- openssl: fix serial number output
- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- sws: init http2 state properly
- curl.1: fix typo
New in cURL 7.42.0 (Apr 23, 2015)
- Changes:
- openssl: show the cipher selection to use in verbose text
- gtls: implement CURLOPT_CERTINFO
- add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
- curl: add --false-start option
- add CURLOPT_PATH_AS_IS
- curl: add --path-as-is option
- curl: create output file on successful download of an empty file
- Bugfixes:
- ConnectionExists: for NTLM re-use, require credentials to match
- cookie: cookie parser out of boundary memory access
- fix_hostname: zero length host name caused -1 index offset
- http_done: close Negotiate connections when done
- sws: timeout idle CONNECT connections
- nss: improve error handling in Curl_nss_random()
- nss: do not skip Curl_nss_seed() if data is NULL
- curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
- http2: move lots of verbose output to be debug-only
- dist: add extern-scan.pl to the tarball
- http2: return recv error on unexpected EOF
- build: Use default RandomizedBaseAddress directive in VC9+ project files
- build: Removed DataExecutionPrevention directive from VC9+ project files
- tool: Updated the warnf() function to use the GlobalConfig structure
- http2: Return error if stream was closed with other than NO_ERROR
- mprintf.h: remove #ifdef CURLDEBUG
- libtest: fixed linker errors on msvc
- tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
- curl.1: fix "The the" typo
- cmake: handle build definitions CURLDEBUG/DEBUGBUILD
- openssl: remove all uses of USE_SSLEAY
- multi: fix memory-leak on timeout (regression)
- curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
- metalink: add some error checks
- TLS: make it possible to enable ALPN/NPN without HTTP/2
- http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
- conncontrol: only log changes to the connection bit
- multi: fix *getsock() with CONNECT
- symbols.pl: handle '-' in the deprecated field
- MacOSX-Framework: use @rpath instead of @executable_path
- GnuTLS: add support for CURLOPT_CAPATH
- GnuTLS: print negotiated TLS version and full cipher suite name
- GnuTLS: don't print double newline after certificate dates
- memanalyze.pl: handle free(NULL)
- proxy: re-use proxy connections (regression)
- mk-ca-bundle: Don't report SHA1 numbers with "-q"
- http: always send Host: header as first header
- openssl: sort ciphers to use based on strength
- openssl: use colons properly in the ciphers list
- http2: detect premature close without data transfered
- hostip: Fix signal race in Curl_resolv_timeout
- closesocket: call multi socket cb on close even with custom close
- mksymbolsmanpage.pl: use std header and generate better nroff header
- connect: Fix happy eyeballs logic for IPv4-only builds
- curl_easy_perform.3: remove superfluous close brace from example
- HTTP: don't use Expect: headers when on HTTP/2
- Curl_sh_entry: remove unused 'timestamp'
- docs/libcurl: makefile portability fix
- mkhelp: Remove trailing carriage return from every line of input
- nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
- curl_easy_setopt.3: added a few missing options
- metalink: fix resource leak in OOM
- axtls: version 1.5.2 now requires that config.h be manually included
- HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
- cyassl: detect the library as renamed wolfssl
- CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
- CURLOPT_URL.3: Added "SECURITY CONCERNS
- openssl: try to avoid accessing OCSP structs when possible
- test938: added missing closing tags
- testcurl: Allow '=' in values given on command line
- tests/certs: added make target to rebuild certificates
- tests/certs: rebuild certificates with modified key usage bits
- gtls: avoid uninitialized variable
- gtls: dereferencing NULL pointer
- gtls: add check of return code
- test1513: eliminated race condition in test run
- dict: rename byte to avoid compiler shadowed declaration warning
- curl_easy_recv/send: make them work with the multi interface
- vtls: fix compile with --disable-crypto-auth but with SSL
- openssl: adapt to ASN1/X509 things gone opaque in 1.1
- openssl: verifystatus: only use the OCSP work-around
New in cURL 7.41.0 (Feb 25, 2015)
- Changes:
- NetWare build: added TLS-SRP enabled build
- winbuild: Added option to build with c-ares
- Added --cert-status
- Added CURLOPT_SSL_VERIFYSTATUS
- sasl: implement EXTERNAL authentication mechanism
- Bugfixes:
- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
- FTP: fix IPv6 host using link-local address
- FTP: if EPSV fails on IPV6 connections, bail out
- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
- NSS: fix compiler error when built http2-enabled
- mingw build: allow to pass custom CFLAGS
- add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
- curl_schannel.c: mark session as removed from cache if not freed
- Curl_pretransfer: reset expected transfer sizes
- curl.h: remove extra space
- curl_endian: Fixed build when 64-bit integers are not supported
- checksrc.bat: Better detection of Perl installation
- build-openssl.bat: Added check for Perl installation
- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
- http_negotiate: Added empty decoded challenge message info text
- vtls: Removed unimplemented overrides of curlssl_close_all()
- sasl_gssapi: Fixed memory leak with local SPN variable
- http_negotiate: Use dynamic buffer for SPN generation
- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
- openssl: do public key pinning check independently
- timeval: typecast for better type (on Amiga)
- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
- SASL: common URL option and auth capabilities decoders for all protocols
- BoringSSL: fix build
- BoringSSL: detected by configure, switches off NTLM
- openvms: Handle openssl/0.8.9zb version parsing
- configure: detect libresssl
- configure: remove detection of the old yassl emulation API
- curl_setup: Disable SMB/CIFS support when HTTP only
- imap: remove automatic password setting: it breaks external sasl authentication
- sasl: remove XOAUTH2 from default enabled authentication mechanism
- runtests: identify BoringSSL and libressl
- security: avoid compiler warning
- ldap: build with BoringSSL
- des: Added Curl_des_set_odd_parity()
- CURLOPT_SEEKFUNCTION.3: also when server closes a connection
- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
- build: Removed unused Visual Studio bscmake settings
- build: Enabled DEBUGBUILD in Visual Studio debug builds
- build: Renamed top level Visual Studio solution files
- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
- libcurl-symbols: first basic shot for autogenerated docs
- Makefile.am: fix 'make distcheck'
- getpass_r: read from stdin, not stdout!
- getpass: protect include with proper #ifdef
- opts: CURLOPT_CAINFO availability depends on SSL engine
- more cleanup of 'CURLcode result' return code
- MD4: replace implementation
- MD5: replace implementation
- openssl: SSL_SESSION->ssl_version no longer exist
- md5: use axTLS's own MD5 functions when available
- schannel: Removed curl_ prefix from source files
- curl.1: add warning when using -H and redirects
- curl.1: clarify that -X is used for all requests
- gskit: Fix exclusive SSLv3 option
- polarssl: Fix exclusive SSL protocol version options
- http2: Fix bug that associated stream canceled on PUSH_PROMISE
- ftp: accept all 2xx responses to the PORT command
- configure: allow both --with-ca-bundle and --with-ca-path
- cmake: install the dll file to the correct directory
- nss: fix NPN/ALPN protocol negotiation
- polarssl: fix ALPN protocol negotiation
- cmake: Fix generation of tool_hugehelp.c on windows
- cmake: fix winsock2 detection on windows
- gnutls: fix build with HTTP2
- connect: fix a spurious connect failure on dual-stacked hosts
- test: test 530 is now less timing dependent
- telnet: invalid use of custom read function if not set
New in cURL 7.39.0 (Nov 5, 2014)
- Changes:
- SSLv3 is disabled by default
- CURLOPT_COOKIELIST: Added "RELOAD" command
- build: Added WinIDN build configuration options to Visual Studio projects
- ssh: improve key file search
- SSL: public key pinning. Use CURLOPT_PINNEDPUBLICKEY and --pinnedpubkey
- vtls: remove QsoSSL support, use gskit!
- mk-ca-bundle: added SHA-384 signature algorithm
- docs: added many examples for libcurl opts and other doc improvements
- build: Added VC ssh2 target to main Makefile
- MinGW: Added support to build with nghttp2
- NetWare: Added support to build with nghttp2
- build: added Watcom support to build with WinSSL
- build: Added optional specific version generation of VC project files
- Bugfixes:
- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
- openssl: build fix for versions < 0.9.8e
- newlines: fix mixed newlines to LF-only
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
- sasl_sspi: Fixed Unicode build
- file: reject paths using embedded
- threaded-resolver: revert Curl_expire_latest() switch
- configure: allow --with-ca-path with PolarSSL too
- HTTP/2: Fix busy loop when EOF is encountered
- CURLOPT_CAPATH: return failure if set without backend support
- nss: do not fail if a CRL is already cached
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
- fixed 20+ nits/memory leaks identified by Coverity scans
- curl_schannel.c: Fixed possible memory or handle leak
- multi-uv.c: call curl_multi_info_read() better
- cmake: Check for OpenSSL before OpenLDAP
- cmake: Fix library list provided to cURL tests
- cmake: Avoid cycle directory dependencies
- cmake: Build with GSS-API libraries (MIT or Heimdal)
- vtls: provide backend defines for internal source code
- nss: fix a connection failure when FTPS handle is reused
- tests/http_pipe.py: Python 3 support
- cmake: build tool_hugehelp (ENABLE_MANUAL)
- cmake: enable IPv6 by default if available
- tests: move TESTCASES to Makefile.inc, add show for cmake
- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
- ntlm: Fixed empty/bad base-64 decoded buffer return codes
- ntlm: Fixed empty type-2 decoded message info text
- cmake: add CMake/Macros.cmake to the release tarball
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
- cmake: use LIBCURL_VERSION from curlver.h
- cmake: generate pkg-config and curl-config
- fixed several superfluous variable assignements identified by cppcheck
- cleanup of 'CURLcode result' return code
- pipelining: only output "is not blacklisted" in debug builds
- SSL: Remove SSLv3 from SSL default due to POODLE attack
- gskit.c: remove SSLv3 from SSL default
- darwinssl: detect possible future removal of SSLv3 from the framework
- ntlm: Only define ntlm data structure when USE_NTLM is defined
- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
- sspi: Only call CompleteAuthToken() when complete is needed
- http_negotiate: Fixed missing check for USE_SPNEGO
- HTTP: return larger than 3 digit response codes too
- openssl: Check for NPN / ALPN via OpenSSL version number
- openssl: enable NPN separately from ALPN
- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
- resume: consider a resume from
- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
- build-openssl.bat: Fix x64 release build
- cmake: drop _BSD_SOURCE macro usage
- cmake: fix gethostby{addr,name}_r in CurlTests
- cmake: clean OtherTests, fixing -Werror
- cmake: fix struct sockaddr_storage check
- Curl_single_getsock: fix hold/pause sock handling
- SSL: PolarSSL default min SSL version TLS 1.0
- cmake: fix ZLIB_INCLUDE_DIRS use
- buildconf: stop checking for libtool
New in cURL 7.38.0 (Sep 10, 2014)
- Changes:
- supports HTTP/2 draft-14
- CURLE_HTTP2 is a new error code
- CURLAUTH_NEGOTIATE is a new auth define
- CURL_VERSION_GSSAPI is a new capability bit
- no longer use fbopenssl for anything
- schannel: use CryptGenRandom for random numbers
- axtls: define curlssl_random using axTLS's PRNG
- cyassl: use RNG_GenerateBlock to generate a good random number
- findprotocol: show unsupported protocol within quotes
- version: detect and show LibreSSL
- version: detect and show BoringSSL
- imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
- http2: requires nghttp2 0.6.0 or later
- Bugfixes:
- SECURITY ADVISORY: cookie leak with IP address as domain
- SECURITY ADVISORY: cookie leak for TLDs
- fix a build failure on Debian when NSS support is enabled
- HTTP/2: fixed compiler warnings when built disabled
- cyassl: return the correct error code on no CA cert
- http: Deprecate GSS-Negotiate macros due to bad naming
- http: Fixed Negotiate: authentication
- multi: Improve proxy CONNECT performance (regression)
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
- url.c: use the preferred symbol name: *READDATA
- smtp: fixed a segfault during test 1320 torture test
- cyassl: made it compile with version 2.0.6 again
- nss: do not check the version of NSS at run time
- c-ares: fix build without IPv6 support
- HTTP/2: use base64url encoding
- SSPI Negotiate: Fix 3 memory leaks
- libtest: fixed duplicated line in Makefile
- conncache: fix compiler warning
- openssl: make ossl_send return CURLE_OK better
- HTTP/2: Support expect: 100-continue
- HTTP/2: Fix infinite loop in readwrite_data()
- parsedate: fix the return code for an overflow edge condition
- darwinssl: don't use strtok()
- http_negotiate_sspi: Fixed specific username and password not working
- openssl: replace call to OPENSSL_config
- http2: show the received header for better debugging
- HTTP/2: Move :authority before non-pseudo header fields
- HTTP/2: Reset promised stream, not its associated stream
- HTTP/2: added some more logging for debugging stream problems
- ntlm: Added support for SSPI package info query
- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
- sasl_sspi: Fixed memory leak with not releasing Package Info struct
- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
- sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
- http_negotiate_sspi: Use a dynamic buffer for SPN generation
- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
- sasl_sspi: Fixed hard coded buffer for response generation
- Curl_poll + Curl_wait_ms: fix timeout return value
- docs/SSLCERTS: update the section about NSS database
- create_conn: prune dead connections
- openssl: fix version report for the 0.9.8 branch
- mk-ca-bundle.pl: switched to using hg.mozilla.org
- http: fix the Content-Range: parser
- Curl_disconnect: don't free the URL
- win32: Fixed WinSock 2 #if
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
- curl.1: clarify --limit-rate's effect on both directions
- disconnect: don't touch easy-related state on disconnects
- Cmake: big cleanup and numerous fixes
- HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
- HTTP/2: Reset promised stream, not its associated stream
- configure.ac: Add support for recent GSS-API implementations for HP-UX
- CONNECT: close proxy connections that fail
- CURLOPT_NOBODY.3: clarify this option is for downloads
- darwinssl: fix CA certificate checking using PEM format
- resolve: cache lookup for async resolvers
- low-speed-limit: avoid timeout flood
- polarssl: implement CURLOPT_SSLVERSION
- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
- curl_multi_cleanup: remove superfluous NULL assigns
- polarssl: support CURLOPT_CAPATH / --capath
- progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly
New in cURL 7.37.1 (Aug 27, 2014)
- Changes:
- bits.close: introduce connection close tracking
- darwinssl: Add support for --cacert
- polarssl: add ALPN support
- docs: Added new option man pages
- Bugfixes:
- build: Fixed incorrect reference to curl_setup.h in Visual Studio files
- build: Use $(TargetDir) and $(TargetName) macros for .pdb and .lib output
- curl.1: clarify that -u can't specify a user with colon
- openssl: Fix uninitialized variable use in NPN callback
- curl_easy_reset: reset the URL
- curl_version_info.3: returns a pointer to a static struct
- url-parser: only use if_nametoindex if detected by configure
- select: with winsock, avoid passing unsupported arguments to select()
- gnutls: don't use deprecated type names anymore
- gnutls: allow building with nghttp2 but without ALPN support
- tests: Fix portability issue with the tftpd server
- curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN
- curl_sasl: extended native DIGEST-MD5 cnonce to be a 32-byte hex string
- random: use Curl_rand() for proper random data
- Curl_ossl_init: call OPENSSL_config for initing engines
- config-win32.h: Updated for VC12
- winbuild: Don't USE_WINSSL when WITH_SSL is being used
- getinfo: HTTP CONNECT code not reset between transfers
- Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set
- http2: avoid segfault when using the plain-text http2
- conncache: move the connection counter to the cache struct
- http2: better return code error checking
- curlbuild: fix GCC build on SPARC systems without configure script
- tool_metalink: Support polarssl as digest provider
- curl.h: reverse the enum/define setup for old symbols
- curl.h: moved two really old deprecated symbols
- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
- buildconf: do not search tools in current directory.
- OS400: make it compilable again. Make RPG binding up to date
- nss: do not abort on connection failure (failing tests 305 and 404)
- nss: make the fallback to SSLv3 work again
- tool: prevent valgrind from reporting possibly lost memory (nss only)
- progress callback: skip last callback update on errors
- nss: fix a memory leak when CURLOPT_CRLFILE is used
- compiler warnings: potentially uninitialized variables
- url.c: Fixed memory leak on OOM
- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
- gnutls: fix SRP support with versions of GnuTLS from 2.99.0
- gnutls: fixed a couple of uninitialized variable references
- gnutls: fixed compilation against versions < 2.12.0
- build: Fixed overridden compiler PDB settings in VC7 to VC12
- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
- netrc: don't abort if home dir cannot be found
- netrc: fixed thread safety problem by using getpwuid_r if available
- cookie: avoid mutex deadlock
- configure: respect host tool prefix for krb5-config
- gnutls: handle IP address in cert name check
New in cURL 7.35.0 (Jan 29, 2014)
- Changes:
- imap/pop3/smtp: Added support for SASL authentication downgrades
- imap/pop3/smtp: Extended the login options to support multiple auth mechanisms
- TheArtOfHttpScripting: major update, converted layout and more
- mprintf: Added support for I, I32 and I64 size specifiers
- makefile: Added support for VC7, VC11 and VC12
- Bugfixes:
- SECURITY ADVISORY: re-use of wrong HTTP NTLM connection
- curl_easy_setopt: Fixed OAuth 2.0 Bearer option name
- pop3: Fixed APOP being determined by CAPA response rather than by timestamp
- Curl_pp_readresp: zero terminate line
- FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE
- docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE://
- pop3: Fixed auth preference not being honored when CAPA not supported
- imap: Fixed auth preference not being honored when CAPABILITY not supported
- threaded resolver: Use pthread_t * for curl_thread_t
- FILE: we don't support paused transfers using this protocol
- connect: Try all addresses in first connection attempt
- curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE
- OpenSSL: Fix forcing SSLv3 connections
- openssl: allow explicit sslv2 selection
- FTP parselist: fix "total" parser
- conncache: fix possible dereference of null pointer
- multi.c: fix possible dereference of null pointer
- mk-ca-bundle: introduces -d and warns about using this script
- ConnectionExists: fix NTLM check for new connection
- trynextip: fix build for non-IPV6 capable systems
- Curl_updateconninfo: don't do anything for UDP "connections"
- darwinssl: un-break Leopard build after PKCS#12 change
- threaded-resolver: never use NULL hints with getaddrinf
- multi_socket: remind app if timeout didn't run
- OpenSSL: deselect weak ciphers by default
- error message: Sensible message on timeout when transfer size unknown
- curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE*
- win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12
- configure: fix gssapi linking on HP-UX
- chunked-parser: abort on overflows, allow 64 bit chunks
- chunked parsing: relax the CR strictness
- cookie: max-age fixes
- progress bar: always update when at 100%
- progress bar: increase update frequency to 10Hz
- tool: Fixed incorrect return code if command line parser runs out of memory
- tool: Fixed incorrect return code if password prompting runs out of memory
- HTTP POST: omit Content-Length if data size is unknown
- GnuTLS: disable insecure ciphers
- GnuTLS: honor --slv2 and the --tlsv1[.N] switches
- multi: Fixed a memory leak on OOM condition
- netrc: Fixed a memory and file descriptor leak on OOM
- getpass: fix password parsing from console
- TFTP: fix crash on time-out
- hostip: don't remove DNS entries that are in use
- tests: lots of tests fixed to pass the OOM torture tests
New in cURL 7.34.0 (Dec 23, 2013)
- Changes:
- SSL: protocol version can be specified more precisely
- imap/pop3/smtp: Added graceful cancellation of SASL authentication
- Add "Happy Eyeballs" for IPv4/IPv6 dual connect attempts
- base64: Added validation of base64 input strings when decoding
- curl_easy_setopt: Added the ability to set the login options separately
- smtp: Added support for additional SMTP commands
- curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals
- nss: allow to use TLS > 1.0 if built against recent NSS
- SECURITY: added this document to describe our security processes
- parseconfig: warn if unquoted white spaces are detected
- Bugfixes:
- SECURITY VULNERABILITY: libcurl cert name check ignore with GnuTLS
- darwinssl: un-break iOS build after PKCS#12 feature added
- tool: use XFERFUNCTION to save some casts
- usercertinmem: fix memory leaks
- ssh: Handle successful SSH_USERAUTH_NONE
- NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
- test906: Fixed failing test on some platforms
- sasl: initialize NSS before using NTLM crypto
- sasl: Fixed memory leak in OAUTH2 message creation
- imap/pop3/smtp: Fixed QUIT / LOGOUT being sent when SSL connect fails
- cmake: unbreak for non-Windows platforms
- ssh: initialize per-handle data in ssh_connect()
- glob: fix broken URLs
- configure: check for long long when building with cyassl
- CURLOPT_RESOLVE: mention they don't time-out
- docs/examples/httpput.c: fix build for MSVC
- FTP: make the data connection work when going through proxy
- NSS: support for CERTINFO feature
- curl_multi_wait: accept 0 from multi_timeout() as valid timeout
- glob_range: pass the closing bracket for a-z ranges
- tool_help: Updated --list-only description to include POP3
- Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string
- cmake: fix Windows build with IPv6 support
- ares: Fixed compilation under Visual Studio 2012
- curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation
- curl.1: mention that -O does no URL decoding
- darwinssl: PKCS#12 import feature now requires Lion or later
- darwinssl: check for SSLSetSessionOption() presence when toggling BEAST
- configure: Fix test with -Werror=implicit-function-declaration
- sigpipe: factor out sigpipe_reset from easy.c
- curl_multi_cleanup: ignore SIGPIPE
- globbing: curl glob counter mismatch with {} list use
- parseconfig: dash options can't specified with colon or equals
- digest: fix CURLAUTH_DIGEST_IE
- curl.h: for OpenBSD
- darwinssl: Fix #if 10.6.0 for SecKeychainSearch
- TFTP: fix return codes for connect timeout
- login options: remove the ;[options] support from CURLOPT_USERPWD
- imap: Fixed incorrect fallback to clear text authentication
- parsedate: avoid integer overflow
- curl.1: document -J doesn't %-decode
- multi: add timer inaccuracy margin to timeout/connecttimeout
New in cURL 7.33.0 (Oct 15, 2013)
- Changes:
- test code for testing the event based API
- CURLM_ADDED_ALREADY: new error code
- test TFTP server: support "writedelay" within
- krb4 support has been removed
- imap/pop3/smtp: added basic SASL XOAUTH2 support
- darwinssl: add support for PKCS#12 files for client authentication
- darwinssl: enable BEAST workaround on iOS 7 & later
- Pass password to OpenSSL engine by user interface
- c-ares: Add support for various DNS binding options
- cookies: add expiration
- curl: added --oauth2-bearer option
- Bugfixes:
- nss: make sure that NSS is initialized
- curl: make --no-[option] work properly for several options
- FTP: with socket_action send better socket updates in active mode
- curl: fix the --sasl-ir in the --help output
- tests 2032, 2033: Don't hardcode port in expected output
- urlglob: better detect unclosed braces, empty lists and overflows
- urlglob: error out on range overflow
- imap: Fixed response check for SEARCH, EXPUNGE, LSUB, UID and NOOP commands
- handle arbitrary-length username and password
- TFTP: make the CURLOPT_LOW_SPEED* options work
- curl.h: name space pollution by "enum type"
- multi: move on from STATE_DONE faster
- FTP: 60 secs delay if aborted in the CURLOPT_HEADERFUNCTION callback
- multi_socket: improved 100-continue timeout handling
- curl_multi_remove_handle: allow multiple removes
- FTP: fix getsock during DO_MORE state
- -x: rephrased the --proxy section somewhat
- acinclude: fix --without-ca-path when cross-compiling
- LDAP: fix bad free() when URL parsing failed
- --data: mention CRLF treatment when reading from file
- curl_easy_pause: suggest one way to unpause
- imap: Fixed calculation of transfer when partial FETCH received
- pingpong: Check SSL library buffers for already read data
- imap/pop3/smtp: Speed up SSL connection initialization
- libcurl.3: for multi interface connections are held in the multi handle
- curl_easy_setopt.3: mention RTMP URL quirks
- curl.1: detail how short/long options work
- curl.1: Added information about optional login options to --user option
- curl: Added clarification to the --mail options in the --help output
- curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value
- openssl: use correct port number in error message
- darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher
- OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER
- xattr: add support for FreeBSD xattr API
- win32: fix Visual Studio 2010 build with WINVER >= 0x600
- configure: use icc options without space
- test1112: Increase the timeout from 7s to 16s
- SCP: upload speed on a fast connection limited to 16384 B/s
- curl_setup_once: fix errno access for lwip on Windows
- HTTP: Output http response 304 when modified time is too old
New in cURL 7.32.0 (Aug 12, 2013)
- curl: allow timeouts to accept decimal values
- OS400: add slist and certinfo EBCDIC support
- OS400: new SSL backend GSKit
- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
- LIBCURL-STRUCTS: new document
New in cURL 7.31.0 (Jun 24, 2013)
- Changes:
- darwinssl: add TLS session resumption
- darwinssl: add TLS crypto authentication
- imap/pop3/smtp: Added support for ;auth= in the URL
- imap/pop3/smtp: Added support for ;auth= to CURLOPT_USERPWD
- usercertinmem.c: add example showing user cert in memory
- url: Added smtp and pop3 hostnames to the protocol detection list
- imap/pop3/smtp: Added support for enabling the SASL initial response
- curl -E: allow to use ':' in certificate nicknames
- Bugfixes:
- SECURITY VULNERABILITY: curl_easy_unescape() may parse data beyond the end of the input buffer [26]
- FTP: access files in root dir correctly
- configure: try pthread_create without -lpthread
- FTP: handle a 230 welcome response
- curl-config: don't output static libs when they are disabled
- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
- Various documentation updates
- getinfo.c: reset timecond when clearing session-info variables
- FILE: prevent an artificial timeout event due to stale speed-check data
- ftp_state_pasv_resp: connect through proxy also when set by env
- sshserver: disable StrictHostKeyChecking
- ftpserver: Fixed imap logout confirmation data
- curl_easy_init: use less mallocs
- smtp: Fixed unknown percentage complete in progress bar
- smtp: Fixed sending of double CRLF caused by first in EOB
- bindlocal: move brace out of #ifdef
- winssl: Fixed invalid memory access during SSL shutdown
- OS X framework: fix invalid symbolic link
- OpenSSL: allow empty server certificate subject
- axtls: prevent memleaks on SSL handshake failures
- cookies: only consider full path matches
- Revert win32 MemoryTracking: wcsdup() _wcsdup() and _tcsdup()
- Curl_cookie_add: handle IPv6 hosts
- ossl_send: SSL_write() returning 0 is an error too
- ossl_recv: SSL_read() returning 0 is an error too
- Digest auth: escape user names with backslash or " in them
- curl_formadd.3: fixed wrong "end-marker" syntax
- libcurl-tutorial.3: fix incorrect backslash
- curl_multi_wait: reduce timeout if the multi handle wants to
- tests/Makefile: typo in the perlcheck target
- axtls: honor disabled VERIFYHOST
- OpenSSL: avoid double free in the PKCS12 certificate code
- multi_socket: reduce timeout inaccuracy margin
- digest: support auth-int for empty entity body
- axtls: now done non-blocking
- lib1900: use tutil_tvnow instead of gettimeofday
- curl_easy_perform: avoid busy-looping
- CURLOPT_COOKIELIST: take cookie share lock
- multi_socket: react on socket close immediately
New in cURL 7.30.0 (Apr 12, 2013)
- imap: Changed response tag generation to be completely unique
- imap: Added support for SASL-IR extension
- imap: Added support for the list command
- imap: Added support for the append command
- imap: Added custom request parsing
- imap: Added support to the fetch command for UID and SECTION properties
- imap: Added parsing and verification of the UIDVALIDITY mailbox attribute
- darwinssl: Make certificate errors less techy
- imap/pop3/smtp: Added support for the STARTTLS capability
- checksrc: ban use of sprintf, vsprintf, strcat, strncat and gets
- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
- Added CURLMOPT_MAX_HOST_CONNECTIONS, CURLMOPT_MAX_TOTAL_CONNECTIONS for new multi interface connection handling
- Added CURLMOPT_MAX_PIPELINE_LENGTH, CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE, CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE, CURLMOPT_PIPELINING_SITE_BL and CURLMOPT_PIPELI NING_SERVER_BL for new pipelining control
- Bugfixes:
- SECURITY ADVISORY: cookie tailmatching to avoid cross-domain leakage
- darwinssl: Fix build under Leopard
- DONE: consider callback-aborted transfers premature
- ntlm: Fixed memory leaks
- smtp: Fixed an issue when processing EHLO failure responses
- pop3: Fixed incorrect return value from pop3_endofresp()
- pop3: Fixed SASL authentication capability detection
- pop3: Fixed blocking SSL connect when connecting via POP3S
- imap: Fixed memory leak when performing multiple selects
- nss: fix misplaced code enabling non-blocking socket mode
- AddFormData: prevent only directories from being posted
- darwinssl: fix infinite loop if server disconnected abruptly
- metalink: fix improbable crash parsing metalink filename
- show proper host name on failed resolve
- MacOSX-Framework: Make script work in Xcode 4.0 and later
- strlcat: remove function
- darwinssl: Fix send glitchiness with data > 32 or so KB
- polarssl: better 1.1.x and 1.2.x support
- various documentation improvements
- multi: NULL pointer reference when closing an unused multi handle
- SOCKS: fix socks proxy when noproxy matched
- install-sh: updated to support multiple source files as arguments
- PolarSSL: added human readable error strings
- resolver_error: remove wrong error message output
- docs: updates HTML index and general improvements
- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
- sasl: Fixed null pointer reference when decoding empty digest challenge
- easy: do not ignore poll() failures other than EINTR
- darwinssl: disable ECC ciphers under Mountain Lion by default
- CONNECT: count received headers
- build: fixes for VMS
- CONNECT: clear 'rewindaftersend' on success
- HTTP proxy: insert slash in URL if missing
- hiperfifo: updated to use current libevent API
- getinmemory.c: abort the transfer nicely if not enough memory
- improved win32 memorytracking
- corrected proxy header response headers count
- FTP quote operations on re-used connection
- tcpkeepalive on win32
- tcpkeepalive on Mac OS X
- easy: acknowledge the CURLOPT_MAXCONNECTS option properly
- easy interface: restore default MAXCONNECTS to 5
- win32: don't set SO_SNDBUF for windows vista or later versions
- HTTP: made cookie sort function more deterministic
- winssl: Fixed memory leak if connection was not successful
- FTP: wait on both connections during active STOR state
- connect: treat a failed local bind of an interface as a non-fatal error
- darwinssl: disable insecure ciphers by default
- FTP: handle "rubbish" in front of directory name in 257 responses
- mk-ca-bundle: Fixed lost OpenSSL output with "-t"
New in cURL 7.29.0 (Feb 6, 2013)
- Changes:
- test: offer "automake" output and check for perl better
- always-multi: always use non-blocking internals
- imap: Added support for sasl digest-md5 authentication
- imap: Added support for sasl cram-md5 authentication
- imap: Added support for sasl ntlm authentication
- imap: Added support for sasl login authentication
- imap: Added support for sasl plain text authentication
- imap: Added support for login disabled server capability
- mk-ca-bundle: add -f, support passing to stdout and more
- writeout: -w now supports remote_ip/port and local_ip/port
- Bugfixes:
- SECURITY ADVISORY: SASL buffer overflow vulnerability
- nss: prevent NSS from crashing on client auth hook failure
- darwinssl: Fixed inability to disable peer verification on Snow Leopard and Lion
- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
- SCP: relative path didn't work as documented
- setup_once.h: HP-UX issue workaround
- configure: fix cross pkg-config detection
- runtests: Do not add undefined values to @INC
- build: fix compilation with CURL_DISABLE_CRYPTO_AUTH flag
- multi: fix re-sending request on early connection close
- HTTP: remove stray CRLF in chunk-encoded content-free request bodies
- build: fix AIX compilation and usage of events/revents
- VC Makefiles: add missing hostcheck
- nss: clear session cache if a client certificate from file is used
- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
- fix HTTP CONNECT tunnel establishment upon delayed response
- --libcurl: fix for non-zero default options
- FTP: reject illegal port numbers in EPSV 229 responses
- build: use per-target '_CPPFLAGS' for those currently using default
- configure: fix automake 1.13 compatibility
- curl: ignore SIGPIPE
- pop3: Added support for non-blocking SSL upgrade
- pop3: Fixed default authentication detection
- imap: Fixed usernames and passwords that contain escape characters
- packages/DOS/common.dj: remove COFF debug info generation
- imap/pop3/smtp: Fixed failure detection during TLS upgrade
- pop3: Fixed no known authentication mechanism when fallback is required
- formadd: reject trying to read a directory where a file is expected
- formpost: support quotes, commas and semicolon in file names
- docs: update the comments about loading CA certs with NSS
- docs: fix typos in man pages
- darwinssl: Fix bug where packets were sometimes transmitted twice
- winbuild: include version info for .dll .exe
- schannel: Removed extended error connection setup flag
- VMS: fix and generate the VMS build config
New in cURL 7.23.1 (Nov 23, 2011)
- Several improvements and various bugfixes were made.
New in cURL 7.21.1 (Aug 12, 2010)
- This version supports NTLM authentication when compiled with NSS.
- It has at least 37 documented bugfixes.
New in cURL 7.21.0 (Jun 17, 2010)
- Changes:
- added the --proto and -proto-redir options
- new configure option --enable-threaded-resolver
- improve TELNET ability with libcurl
- added support for PolarSSL
- added support for FTP wildcard matching and downloads
- added support for RTMP
- introducing new LDAP code for new enough OpenLDAP
- OpenLDAP support enabled for cygwin builds
- added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and CURLINFO_LOCAL_PORT
- Bugfixes:
- prevent needless reverse name lookups
- detect GSS on ancient Linux distros
- GnuTLS: EOF caused error when it wasn't
- GnuTLS: SSL handshake phase is non-blocking
- -J/--remote-header-name strips CRLF
- MSVC makefiles now use ws2_32.lib instead of wsock32.lib
- -O crash on windows
- SSL handshake timeout underflow in libcurl-NSS
- multi interface missed storing connection time
- broken CRL support in libcurl-NSS
- ignore response-body on redirect even if compressed
- OpenSSL handshake state-machine for multi interface
- TFTP timeout option sent correctly
- TFTP block id wrap
- curl_multi_socket_action() timeout handles inaccuracy in timers better
- SCP/SFTP failure to respect the timeout
- spurious SSL connection aborts with OpenSSL
New in cURL 7.19.1 (Nov 5, 2008)
- CURLOPT_CERTINFO, CURLINFO_CERTINFO, CURLOPT_POSTREDIR, CURLOPT_USERNAME, CURLOPT_PASSWORD, CURLOPT_PROXYUSERNAME, and CURLOPT_PROXYPASSWORD were added. 24 bugs were fixed.
New in cURL 7.19.0 (Sep 2, 2008)
- Some new libcurl options, new Boolean options handling in the curl tool, and around 40 bugfixes.