[Feature][ZXW-88]merge P50 version
Only Configure: No
Affected branch: master
Affected module: unknown
Is it affected on both ZXIC and MTK: only ZXIC
Self-test: Yes
Doc Update: No
Change-Id: I34667719d9e0e7e29e8e4368848601cde0a48408
diff --git a/ap/lib/libcurl/curl-7.86.0/CHANGES b/ap/lib/libcurl/curl-7.86.0/CHANGES
new file mode 100755
index 0000000..d48abab
--- /dev/null
+++ b/ap/lib/libcurl/curl-7.86.0/CHANGES
@@ -0,0 +1,8865 @@
+ _ _ ____ _
+ ___| | | | _ \| |
+ / __| | | | |_) | |
+ | (__| |_| | _ <| |___
+ \___|\___/|_| \_\_____|
+
+ Changelog
+
+Version 7.86.0 (26 Oct 2022)
+
+Daniel Stenberg (26 Oct 2022)
+- RELEASE: synced
+
+ The 7.86.0 release
+
+- THANKS: added from the 7.86.0 release
+
+Viktor Szakats (25 Oct 2022)
+- noproxy: include netinet/in.h for htonl()
+
+ Solve the Amiga build warning by including `netinet/in.h`.
+
+ `krb5.c` and `socketpair.c` are using `htonl()` too. This header is
+ already included in those sources.
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9787
+
+Marc Hoersken (24 Oct 2022)
+- CI: fix AppVeyor status failing for starting jobs
+
+Daniel Stenberg (24 Oct 2022)
+- test445: verifies the protocols-over-http-proxy flaw and fix
+
+- http_proxy: restore the protocol pointer on error
+
+ Reported-by: Trail of Bits
+
+ Closes #9790
+
+- multi: remove duplicate include of connect.h
+
+ Reported-by: Martin Strunz
+ Fixes #9794
+ Closes #9795
+
+Daniel Gustafsson (24 Oct 2022)
+- idn: fix typo in test description
+
+ s/enabked/enabled/i
+
+Daniel Stenberg (24 Oct 2022)
+- url: use IDN decoded names for HSTS checks
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9791
+
+- unit1614: fix disabled-proxy build
+
+ Follow-up to 1e9a538e05c01
+
+ Closes #9792
+
+Daniel Gustafsson (24 Oct 2022)
+- cookies: optimize control character check
+
+ When checking for invalid octets the strcspn() call will return the
+ position of the first found invalid char or the first NULL byte.
+ This means that we can check the indicated position in the search-
+ string saving a strlen() call.
+
+ Closes: #9736
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+Daniel Stenberg (24 Oct 2022)
+- netrc: replace fgets with Curl_get_line
+
+ Make the parser only accept complete lines and avoid problems with
+ overly long lines.
+
+ Reported-by: Hiroki Kurosawa
+
+ Closes #9789
+
+- RELEASE-NOTES: add "Planned upcoming removals include"
+
+ URL: https://curl.se/mail/archive-2022-10/0001.html
+
+ Suggested-by: Dan Fandrich
+
+Viktor Szakats (23 Oct 2022)
+- ci: bump to gcc-11 for macos
+
+ Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/
+ Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md
+
+ Reviewed-by: Max Dymond
+ Closes #9785
+
+- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]
+
+ - Reintroduce `CROSSPREFIX`:
+
+ If set, we add it to the `CC` and `AR` values, and to the _default_
+ value of `RC`, which is `windres`. This allows to control each of
+ these individidually, while also allowing to simplify configuration
+ via `CROSSPREFIX`.
+
+ This variable worked differently earlier. Hopefully this new solution
+ hits a better compromise in usefulness/complexity/flexibility.
+
+ Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50
+
+ - Enable warnings again:
+
+ This time with an option to override it via `CFLAGS`. Warnings are
+ also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
+ builds (not in autotools though).
+
+ Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9784
+
+- noproxy: silence unused variable warnings with no ipv6
+
+ Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9782
+
+Daniel Stenberg (22 Oct 2022)
+- test644: verify --xattr (with redirect)
+
+- tool_xattr: save the original URL, not the final redirected one
+
+ Adjusted test 1621 accordingly.
+
+ Reported-by: Viktor Szakats
+ Fixes #9766
+ Closes #9768
+
+- docs: make sure libcurl opts examples pass in long arguments
+
+ Reported-by: Sergey
+ Fixes #9779
+ Closes #9780
+
+Marc Hoersken (21 Oct 2022)
+- CI: fix AppVeyor job links only working for most recent build
+
+ Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916
+ Reported-by: Daniel Stenberg
+
+ Follow up to #9769
+
+Viktor Szakats (21 Oct 2022)
+- noproxy: fix builds without AF_INET6
+
+ Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9778
+
+Daniel Stenberg (21 Oct 2022)
+- noproxy: support proxies specified using cidr notation
+
+ For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly"
+ and not with string comparisons.
+
+ Split out the noproxy checks and functionality into noproxy.c
+
+ Added unit test 1614 to verify checking functions.
+
+ Reported-by: Mathieu Carbonneaux
+
+ Fixes #9773
+ Fixes #5745
+ Closes #9775
+
+- urlapi: remove two variable assigns
+
+ To please scan-build:
+
+ urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
+ qlen = Curl_dyn_len(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~
+ urlapi.c:1164:9: warning: Value stored to 'query' is never read
+ query = u->query = Curl_dyn_ptr(&enc);
+ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ Follow-up to 7d6cf06f571d57
+
+ Closes #9777
+
+- [Jeremy Maitin-Shepard brought this change]
+
+ cmake: improve usability of CMake build as a sub-project
+
+ - Renames `uninstall` -> `curl_uninstall`
+ - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET
+
+ Closes #9638
+
+- [Don J Olmstead brought this change]
+
+ easy_lock: check for HAVE_STDATOMIC_H as well
+
+ The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h`
+ header is present.
+
+ Closes #9755
+
+- RELEASE-NOTES: synced
+
+- [Brad Harder brought this change]
+
+ CURLMOPT_PIPELINING.3: dedup manpage xref
+
+ Closes #9776
+
+Marc Hoersken (20 Oct 2022)
+- CI: report AppVeyor build status for each job
+
+ Also give each job on AppVeyor CI a human-readable name.
+
+ This aims to make job and therefore build failures more visible.
+
+ Reviewed-by: Marcel Raad
+ Closes #9769
+
+Viktor Szakats (20 Oct 2022)
+- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip]
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9771
+
+- connect: fix builds without AF_INET6
+
+ Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #9770
+
+Daniel Stenberg (20 Oct 2022)
+- test1105: adjust <data> to work with a hyper build
+
+ Closes #9767
+
+- urlapi: fix parsing URL without slash with CURLU_URLENCODE
+
+ When CURLU_URLENCODE is set, the parser would mistreat the path
+ component if the URL was specified without a slash like in
+ http://local.test:80?-123
+
+ Extended test 1560 to reproduce and verify the fix.
+
+ Reported-by: Trail of Bits
+
+ Closes #9763
+
+Marc Hoersken (19 Oct 2022)
+- tests: avoid CreateThread if _beginthreadex is available
+
+ CreateThread is not threadsafe if mixed with CRT calls.
+ _beginthreadex on the other hand can be mixed with CRT.
+
+ Reviewed-by: Marcel Raad
+ Closes #9705
+
+Jay Satiro (19 Oct 2022)
+- [Joel Depooter brought this change]
+
+ schannel: Don't reset recv/send function pointers on renegotiation
+
+ These function pointers will have been set when the initial TLS
+ handshake was completed. If they are unchanged, there is no need to set
+ them again. If they have been changed, as is the case with HTTP/2, we
+ don't want to override that change. That would result in the
+ http22_recv/send functions being completely bypassed.
+
+ Prior to this change a connection that uses Schannel with HTTP/2 would
+ fail on renegotiation with error "Received HTTP/0.9 when not allowed".
+
+ Fixes https://github.com/curl/curl/issues/9451
+ Closes https://github.com/curl/curl/pull/9756
+
+Viktor Szakats (18 Oct 2022)
+- hostip: guard PF_INET6 use
+
+ Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code
+ for these.
+
+ ```
+ hostip.c: In function 'fetch_addr':
+ hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function)
+ pf = PF_INET6;
+ ^~~~~~~~
+ ```
+
+ Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9760
+
+- amiga: do not hardcode openssl/zlib into the os config [ci skip]
+
+ Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead.
+
+ This allows builds without openssl and/or zlib. E.g. with the
+ <https://github.com/bebbo/amiga-gcc> cross-compiler.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9762
+
+- amigaos: add missing curl header [ci skip]
+
+ Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and
+ conditional local code need them.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9761
+
+Daniel Stenberg (18 Oct 2022)
+- cmdline/docs: add a required 'multi' keyword for each option
+
+ The keyword specifies how option works when specified multiple times:
+
+ - single: the last provided value replaces the earlier ones
+ - append: it supports being provided multiple times
+ - boolean: on/off values
+ - mutex: flag-like option that disable anoter flag
+
+ The 'gen.pl' script then outputs the proper and unified language for
+ each option's multi-use behavior in the generated man page.
+
+ The multi: header is requires in each .d file and will cause build error
+ if missing or set to an unknown value.
+
+ Closes #9759
+
+- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
+
+ Closes #9757
+
+- mprintf: reject two kinds of precision for the same argument
+
+ An input like "%.*1$.9999d" would first use the precision taken as an
+ argument *and* then the precision specified in the string, which is
+ confusing and wrong. pass1 will now instead return error on this double
+ use.
+
+ Adjusted unit test 1398 to verify
+
+ Reported-by: Peter Goodman
+
+ Closes #9754
+
+- ftp: remove redundant if
+
+ Reported-by: Trail of Bits
+
+ Closes #9753
+
+- tool_operate: more transfer cleanup after parallel transfer fail
+
+ In some circumstances when doing parallel transfers, the
+ single_transfer_cleanup() would not be called and then 'inglob' could
+ leak.
+
+ Test 496 verifies
+
+ Reported-by: Trail of Bits
+ Closes #9749
+
+- mqtt: spell out CONNECT in comments
+
+ Instead of calling it 'CONN' in several comments, use the full and
+ correct protocol packet name.
+
+ Suggested by Trail of Bits
+
+ Closes #9751
+
+- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
+
+ Not the deprecated CURLOPT_HTTPPOST option.
+
+ Also added two see-alsos.
+
+ Reported-by: Trail of Bits
+ Closes #9752
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (17 Oct 2022)
+- ngtcp2: Fix build errors due to changes in ngtcp2 library
+
+ ngtcp2/ngtcp2@b0d86f60 changed:
+
+ - ngtcp2_conn_get_max_udp_payload_size =>
+ ngtcp2_conn_get_max_tx_udp_payload_size
+
+ - ngtcp2_conn_get_path_max_udp_payload_size =>
+ ngtcp2_conn_get_path_max_tx_udp_payload_size
+
+ ngtcp2/ngtcp2@ec59b873 changed:
+
+ - 'early_data_rejected' member added to ng_callbacks.
+
+ Assisted-by: Daniel Stenberg
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9747
+ Closes https://github.com/curl/curl/pull/9748
+
+Daniel Stenberg (16 Oct 2022)
+- curl_path: return error if given a NULL homedir
+
+ Closes #9740
+
+- libssh: if sftp_init fails, don't get the sftp error code
+
+ This flow extracted the wrong code (sftp code instead of ssh code), and
+ the code is sometimes (erroneously) returned as zero anyway, so skip
+ getting it and set a generic error.
+
+ Reported-by: David McLaughlin
+ Fixes #9737
+ Closes #9740
+
+- mqtt: return error for too long topic
+
+ Closes #9744
+
+- [Rickard Hallerbäck brought this change]
+
+ tool_paramhlp: make the max argument a 'double'
+
+ To fix compiler warnings "Implicit conversion from 'long' to 'double'
+ may lose precision"
+
+ Closes #9700
+
+Marc Hoersken (15 Oct 2022)
+- [Philip Heiduck brought this change]
+
+ cirrus-ci: add more macOS builds with m1 based on x86_64 builds
+
+ Also refactor macOS builds to use task matrix.
+
+ Assisted-by: Marc Hörsken
+ Closes #9565
+
+Viktor Szakats (14 Oct 2022)
+- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
+
+ `lib/config-win32.h` enables this configuration option unconditionally.
+ Make it apply to CMake builds as well.
+
+ While here, delete a broken check for
+ `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
+ the initial commit [1], but did not include the actual verification code
+ inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
+ added a second test, for non-Windows platforms.
+
+ Enabling this flag causes test 1056 to fail with CMake builds, as they
+ do with autotools builds. Let's apply the same solution and ignore the
+ results here as well.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Reviewed-by: Daniel Stenberg
+ Assisted-by: Marcel Raad
+
+ Closes #9726
+
+- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
+
+ autotools enables this configuration option unconditionally for Windows
+ [^1]. Do the same in CMake.
+
+ The above will make this work for all reasonably recent environments.
+ The logic present in `lib/config-win32.h` [^2] has the following
+ exceptions which we did not cover in this CMake update:
+
+ - Builds targeting Windows 2000 and earlier
+ - MS Visual C++ 5.0 (1997) and earlier
+
+ Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
+ set, to avoid a broken build. We might want to handle that in the C
+ sources in a future commit.
+
+ [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070
+
+ [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528
+
+ Closes #9727
+
+- cmake: sync HAVE_SIGNAL detection with autotools
+
+ `HAVE_SIGNAL` means the availability of the `signal()` function in
+ autotools, while in CMake it meant the availability of that function
+ _and_ the symbol `SIGALRM`.
+
+ The latter is not available on Windows, but the function is, which means
+ on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
+ introducing a slight difference into the binaries.
+
+ This patch syncs CMake behaviour with autotools to look for the function
+ only.
+
+ The logic came with the initial commit adding CMake support to curl, so
+ the commit history doesn't reveal the reason behind it. In any case,
+ it's best to check the existence of `SIGALRM` directly in the source
+ before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
+ `SIGALRM` missing.
+
+ Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6
+
+ Closes #9725
+
+- cmake: delete duplicate HAVE_GETADDRINFO test
+
+ A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
+ [1]. A later commit [2] added a standard check for it as well. The
+ standard check run before the custom one, so CMake ignored the latter.
+
+ The custom check was also non-portable, so this patch deletes it in
+ favor of the standard check.
+
+ [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
+ [2] aec7c5a87c8482b6ddffa352d7d220698652262e
+
+ Closes #9731
+
+Daniel Stenberg (14 Oct 2022)
+- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros
+
+ To make the code read more obvious
+
+ Assisted-by: Jay Satiro
+
+ Closes #9710
+
+- [Christopher Sauer brought this change]
+
+ docs/INSTALL: update Android Instructions for newer NDKs
+
+ Closes #9732
+
+- markdown-uppercase: ignore quoted sections
+
+ Sections within the markdown ~~~ or ``` are now ignored.
+
+ Closes #9733
+
+- RELEASE-NOTES: synced
+
+- test8: update as cookies no longer can have "embedded" TABs in content
+
+- test1105: extend to verify TAB in name/content discarding cookies
+
+- cookie: reject cookie names or content with TAB characters
+
+ TABs in name and content seem allowed by RFC 6265: "the algorithm strips
+ leading and trailing whitespace from the cookie name and value (but
+ maintains internal whitespace)"
+
+ Cookies with TABs in the names are rejected by Firefox and Chrome.
+
+ TABs in content are stripped out by Firefox, while Chrome discards the
+ whole cookie.
+
+ TABs in cookies also cause issues in saved netscape cookie files.
+
+ Reported-by: Trail of Bits
+
+ URL: https://curl.se/mail/lib-2022-10/0032.html
+ URL: https://github.com/httpwg/http-extensions/issues/2262
+
+ Closes #9659
+
+- curl/add_parallel_transfers: better error handling
+
+ 1 - consider the transfer handled at once when in the function, to avoid
+ the same list entry to get added more than once in rare error
+ situations
+
+ 2 - set the ERRORBUFFER for the handle first after it has been added
+ successfully
+
+ Reported-by: Trail of Bits
+
+ Closes #9729
+
+- netrc: remove the two 'changed' arguments
+
+ As no user of these functions used the returned content.
+
+- test495: verify URL encoded user name + netrc-optional
+
+ Reproduced issue #9709
+
+- netrc: use the URL-decoded user
+
+ When the user name is provided in the URL it is URL encoded there, but
+ when used for authentication the encoded version should be used.
+
+ Regression introduced after 7.83.0
+
+ Reported-by: Jonas Haag
+ Fixes #9709
+ Closes #9715
+
+- [Shaun Mirani brought this change]
+
+ url: allow non-HTTPS HSTS-matching for debug builds
+
+ Closes #9728
+
+- test1275: remove the check of stderr
+
+ To avoid the mysterious test failures on Windows, instead rely on the
+ error code returned on failure.
+
+ Fixes #9716
+ Closes #9723
+
+Viktor Szakats (13 Oct 2022)
+- lib: set more flags in config-win32.h
+
+ The goal is to add any flag that affect the created binary, to get in
+ sync with the ones built with CMake and autotools.
+
+ I took these flags from curl-for-win [0], where they've been tested with
+ mingw-w64 and proven to work well.
+
+ This patch brings them to curl as follows:
+
+ - Enable unconditionally those force-enabled via
+ `CMake/WindowsCache.cmake`:
+
+ - `HAVE_SETJMP_H`
+ - `HAVE_STRING_H`
+ - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`)
+
+ - Expand existing guards with mingw-w64:
+
+ - `HAVE_STDBOOL_H`
+ - `HAVE_BOOL_T`
+
+ - Enable Win32 API functions for Windows Vista and later:
+
+ - `HAVE_INET_NTOP`
+ - `HAVE_INET_PTON`
+
+ - Set sizes, if not already set:
+
+ - `SIZEOF_OFF_T = 8`
+ - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set,
+ and using mingw-w64.
+
+ - Add the remaining for mingw-w64 only. Feel free to expand as desired:
+
+ - `HAVE_LIBGEN_H`
+ - `HAVE_FTRUNCATE`
+ - `HAVE_BASENAME`
+ - `HAVE_STRTOK_R`
+
+ Future TODO:
+
+ - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
+ the `signal()` function and the `SIGALRM` macro are found. In
+ autotools and this header, it means the function only. For the
+ function alone, CMake uses `HAVE_SIGNAL_FUNC`.
+
+ [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9712
+
+Daniel Stenberg (13 Oct 2022)
+- tests: add tests/markdown-uppercase.pl to dist tarball
+
+ Follow-up to aafb06c5928183d
+
+ Closes #9722
+
+- tool_paramhelp: asserts verify maximum sizes for string loading
+
+ The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
+ strings accepted when loading files into memory, but as the size is
+ later used as input to functions that take the size as 'int' as
+ argument, the sizes must not be larger than INT_MAX.
+
+ These two new assert()s make the code error out if someone would bump
+ the sizes without this consideration.
+
+ Reported-by Trail of Bits
+
+ Closes #9719
+
+- http: try parsing Retry-After: as a number first
+
+ Since the date parser allows YYYYMMDD as a date format (due to it being
+ a bit too generic for parsing this particular header), a large integer
+ number could wrongly match that pattern and cause the parser to generate
+ a wrong value.
+
+ No date format accepted for this header starts with a decimal number, so
+ by reversing the check and trying a number first we can deduct that if
+ that works, it was not a date.
+
+ Reported-by Trail of Bits
+
+ Closes #9718
+
+- [Patrick Monnerat brought this change]
+
+ doc: fix deprecation versions inconsistencies
+
+ Ref: https://curl.se/mail/lib-2022-10/0026.html
+
+ Closes #9711
+
+- http_aws_sigv4: fix strlen() check
+
+ The check was off-by-one leading to buffer overflow.
+
+ Follow-up to 29c4aa00a16872
+
+ Detected by OSS-Fuzz
+
+ Closes #9714
+
+- curl/main_checkfds: check the fcntl return code better
+
+ fcntl() can (in theory) return a non-zero number for success, so a
+ better test for error is checking for -1 explicitly.
+
+ Follow-up to 41e1b30ea1b77e9ff
+
+ Mentioned-by: Dominik Klemba
+
+ Closes #9708
+
+Viktor Szakats (12 Oct 2022)
+- tidy-up: delete unused HAVE_STRUCT_POLLFD
+
+ It was only defined in `lib/config-win32.h`, when building for Vista.
+
+ It was only used in `select.h`, in a condition that also included a
+ check for `POLLIN` which is a superior choice for this detection and
+ which was already used by cmake and autotools builds.
+
+ Delete both instances of this macro.
+
+ Closes #9707
+
+Daniel Stenberg (12 Oct 2022)
+- test1275: verify upercase after period in markdown
+
+ Script based on the #9474 pull-request logic, but implemented in perl.
+
+ Updated docs/URL-SYNTAX.md accordingly.
+
+ Suggested-by: Dan Fandrich
+
+ Closes #9697
+
+- [12932 brought this change]
+
+ misc: nitpick grammar in comments/docs
+
+ because the 'u' in URL is actually a consonant *sound* it is only
+ correct to write "a URL"
+
+ sorry this is a bit nitpicky :P
+
+ https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an
+ https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL
+
+ Closes #9699
+
+Viktor Szakats (11 Oct 2022)
+- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]
+
+ This patch aimed to fix a regression [0], where `CC` initialization
+ moved beyond its first use. But, on closer inspection it turned out that
+ the `CC` initialization does not work as expected due to GNU Make
+ filling it with `cc` by default. So unless implicit values were
+ explicitly disabled via a GNU Make option, the default value of
+ `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
+ value `cc` maps to `gcc` in (most/all?) MinGW envs.
+
+ `AR` has the same issue, with a default value of `ar`.
+
+ We could reintroduce a separate variable to fix this without ill
+ effects, but for simplicity and flexibility, it seems better to drop
+ support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
+ require the caller to initialize `CC`, `AR` and `RC` to the full
+ (prefixed if necessary) names of these tools, as desired.
+
+ We keep `RC ?= windres` because `RC` is empty by default.
+
+ Also fix grammar in a comment.
+
+ [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3
+
+ Closes #9698
+
+- smb: replace CURL_WIN32 with WIN32
+
+ PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
+ `CURL_WIN32` macro, but that one is not defined here, while compiling
+ curl itself. This patch changes this to `WIN32`, assuming this was the
+ original intent.
+
+ Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a
+
+ Reviewed-by: Marcel Raad
+
+ Closes #9701
+
+Daniel Stenberg (11 Oct 2022)
+- [Matthias Gatto brought this change]
+
+ aws_sigv4: fix header computation
+
+ Handle canonical headers and signed headers creation as explained here:
+ https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+
+ The algo tells that signed and canonical must contain at last host and
+ x-amz-date.
+
+ So we check whatever thoses are present in the curl http headers list.
+ If they are, we use the one enter by curl user, otherwise we generate
+ them. then we to lower, and remove space from each http headers plus
+ host and x-amz-date, then sort them all by alphabetical order.
+
+ This patch also fix a bug with host header, which was ignoring the port.
+
+ Closes #7966
+
+Jay Satiro (11 Oct 2022)
+- [Aftab Alam brought this change]
+
+ README.md: link the curl logo to the website
+
+ - Link the curl:// image to https://curl.se/
+
+ Closes https://github.com/curl/curl/pull/9675
+
+- [Dustin Howett brought this change]
+
+ schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag PKCS12_NO_PERSIST_KEY.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ --
+
+ This is take 2 of the original fix. It extends the lifetime of the
+ client certificate store to that of the credential handle. The original
+ fix which landed in 70d010d and was later reverted in aec8d30 failed to
+ work properly because it did not do that.
+
+ Minor changes were made to the schannel credential context to support
+ closing the client certificate store handle at the end of an SSL session.
+
+ --
+
+ Reported-by: ShadowZzj@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9300
+ Supersedes https://github.com/curl/curl/pull/9363
+ Closes https://github.com/curl/curl/pull/9460
+
+Viktor Szakats (11 Oct 2022)
+- Makefile.m32: support more options [ci skip]
+
+ - Add support for these options:
+ `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl`
+
+ Caveats:
+ - `-wolfssh` requires `-wolfssl`.
+ - `-wolfssl` cannot be used with OpenSSL backends in parallel.
+ - `-libssh` has build issues with BoringSSL and LibreSSL, and also
+ what looks like a world-writable-config vulnerability on Windows.
+ Consider it experimental.
+ - `-psl` requires `-idn2` and extra libs passed via
+ `LIBS=-liconv -lunistring`.
+
+ - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly.
+ - Generalize MultiSSL detection.
+ - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01).
+ - Document more customization options.
+
+ This brings over some configuration logic from `curl-for-win`.
+
+ Closes #9680
+
+- cmake: enable more detection on Windows
+
+ Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection
+ on Windows, instead of having predefined values.
+
+ With these features detected correctly, CMake Windows builds get closer
+ to the autotools and `config-win32.h` ones.
+
+ This also fixes detecting `HAVE_FTRUNCATE` correctly, which required
+ `unistd.h`.
+
+ Fixing `ftruncate()` in turn causes a build warning/error with legacy
+ MinGW/MSYS1 due to an offset type size mismatch. This env misses to
+ detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch
+ force-disables `HAVE_FTRUNCATE` for this platform.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9687
+
+- autotools: allow unix sockets on Windows
+
+ Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47
+
+ On Windows this feature is present, but not the header used in the
+ detection logic. It also requires an elaborate enabler logic
+ (as seen in `lib/curl_setup.h`). Let's always allow it and let the
+ lib code deal with the details.
+
+ Closes #9688
+
+- cmake: add missing inet_ntop check
+
+ This adds the missing half of the check, next to the other half
+ already present in `lib/curl_config.h.cmake`.
+
+ Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler
+ warnings.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9689
+
+Daniel Stenberg (11 Oct 2022)
+- RELEASE-NOTES: synced
+
+- [bsergean on github brought this change]
+
+ asyn-ares: set hint flags when calling ares_getaddrinfo
+
+ The hint flag is ARES_AI_NUMERICSERV, and it will save a call to
+ getservbyname or getservbyname_r to set it.
+
+ Closes #9694
+
+- header.d: add category smtp and imap
+
+ They were previously (erroneously) added manually to tool_listhelp.c
+ which would make them get removed again when the file is updated next
+ time, unless added correctly here in header.d
+
+ Follow-up to 2437fac01
+
+ Closes #9690
+
+- curl/get_url_file_name: use libcurl URL parser
+
+ To avoid URL tricks, use the URL parser for this.
+
+ This update changes curl's behavior slightly in that it will ignore the
+ possible query part from the URL and only use the file name from the
+ actual path from the URL. I consider it a bugfix.
+
+ "curl -O localhost/name?giveme-giveme" will now save the output in the
+ local file named 'name'
+
+ Updated test 1210 to verify
+
+ Assisted-by: Jay Satiro
+
+ Closes #9684
+
+- [Martin Ågren brought this change]
+
+ docs: fix grammar around needing pass phrase
+
+ "You never needed a pass phrase" reads like it's about to be followed by
+ something like "until version so-and-so", but that is not what is
+ intended. Change to "You never need a pass phrase". There are two
+ instances of this text, so make sure to update both.
+
+- [Xiang Xiao brought this change]
+
+ cmake: add the check of HAVE_SOCKETPAIR
+
+ which is used by Curl_socketpair
+
+ Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
+
+ Closes #9686
+
+- curl/add_file_name_to_url: use the libcurl URL parser
+
+ instead of the custom error-prone parser, to extract and update the path
+ of the given URL
+
+ Closes #9683
+
+- single_transfer: use the libcurl URL parser when appending query parts
+
+ Instead of doing "manual" error-prone parsing in another place.
+
+ Used when --data contents is added to the URL query when -G is provided.
+
+ Closes #9681
+
+- ws: fix buffer pointer use in the callback loop
+
+ Closes #9678
+
+- [Petr Štetiar brought this change]
+
+ curl-wolfssl.m4: error out if wolfSSL is not usable
+
+ When I explicitly declare, that I would like to have curl built with
+ wolfSSL support using `--with-wolfssl` configure option, then I would
+ expect, that either I endup with curl having that support, for example
+ in form of https support or it wouldn't be available at all.
+
+ Downstream projects like for example OpenWrt build curl wolfSSL variant
+ with `--with-wolfssl` already, but in certain corner cases it does fail:
+
+ configure:25299: checking for wolfSSL_Init in -lwolfssl
+ configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
+ In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
+ from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
+ from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
+ from conftest.c:47:
+ target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
+ #include <wolfssl/wolfcrypt/sp_int.h>
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ compilation terminated.
+
+ and in the end thus produces curl without https support:
+
+ curl: (1) Protocol "https" not supported or disabled in libcurl
+
+ So fix it, by making the working wolfSSL mandatory and error out in
+ configure step when that's not the case:
+
+ checking for wolfSSL_Init in -lwolfssl... no
+ configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
+
+ References: https://github.com/openwrt/packages/issues/19005
+ References: https://github.com/openwrt/packages/issues/19547
+ Signed-off-by: Petr Štetiar <ynezz@true.cz>
+
+ Closes #9682
+
+- tool_getparam: pass in the snprintf("%.*s") string length as 'int'
+
+ Reported by Coverity CID 1515928
+
+ Closes #9679
+
+- [Paul Seligman brought this change]
+
+ ws: minor fixes for web sockets without the CONNECT_ONLY flag
+
+ - Fixed an issue where is_in_callback was getting cleared when using web
+ sockets with debug logging enabled
+ - Ensure the handle is is_in_callback when calling out to fwrite_func
+ - Change the write vs. send_data decision to whether or not the handle
+ is in CONNECT_ONLY mode.
+ - Account for buflen not including the header length in curl_ws_send
+
+ Closes #9665
+
+Marc Hoersken (8 Oct 2022)
+- CI/cirrus: merge existing macOS jobs into a job matrix
+
+ Ref: #9627
+ Reviewed-by: Philip H.
+
+ Closes #9672
+
+Daniel Stenberg (8 Oct 2022)
+- strcase: add and use Curl_timestrcmp
+
+ This is a strcmp() alternative function for comparing "secrets",
+ designed to take the same time no matter the content to not leak
+ match/non-match info to observers based on how fast it is.
+
+ The time this function takes is only a function of the shortest input
+ string.
+
+ Reported-by: Trail of Bits
+
+ Closes #9658
+
+- tool_getparam: split out data_urlencode() into its own function
+
+ Closes #9673
+
+- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
+
+ Reported-by: Vasiliy Ulyanov
+ Fixes #9664
+ Closes #9670
+
+- ws: fix Coverity complaints
+
+ Coverity pointed out several flaws where variables remained
+ uninitialized after forks.
+
+ Follow-up to e3f335148adc6742728f
+
+ Closes #9666
+
+Marc Hoersken (7 Oct 2022)
+- CI/GHA: merge msh3 and openssl3 builds into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9646
+
+Daniel Stenberg (7 Oct 2022)
+- curl_ws_send.3: call the argument 'fragsize'
+
+ Since WebSocket works with "fragments" not "frames"
+
+ Closes #9668
+
+- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type
+
+ Follow-up to e3f335148adc6742728ff8
+
+ Closes #9669
+
+- tool_main: exit at once if out of file descriptors
+
+ If the main_checkfds function cannot create new file descriptors in an
+ attempt to detect of stdin, stdout or stderr are closed.
+
+ Also changed the check to use fcntl() to check if the descriptors are
+ open, which avoids superfluously calling pipe() if they all already are.
+
+ Follow-up to facfa19cdd4d0094
+
+ Reported-by: Trail of Bits
+
+ Closes #9663
+
+- websockets: remodeled API to support 63 bit frame sizes
+
+ curl_ws_recv() now receives data to fill up the provided buffer, but can
+ return a partial fragment. The function now also get a pointer to a
+ curl_ws_frame struct with metadata that also mentions the offset and
+ total size of the fragment (of which you might be receiving a smaller
+ piece). This way, large incoming fragments will be "streamed" to the
+ application. When the curl_ws_frame struct field 'bytesleft' is 0, the
+ final fragment piece has been delivered.
+
+ curl_ws_recv() was also adjusted to work with a buffer size smaller than
+ the fragment size. (Possibly needless to say as the fragment size can
+ now be 63 bit large).
+
+ curl_ws_send() now supports sending a piece of a fragment, in a
+ streaming manner, in addition to sending the entire fragment in a single
+ call if it is small enough. To send a huge fragment, curl_ws_send() can
+ be used to send it in many small calls by first telling libcurl about
+ the total expected fragment size, and then send the payload in N number
+ of separate invokes and libcurl will stream those over the wire.
+
+ The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it
+ has been extended with two new fields: *offset* and *bytesleft*. To help
+ describe the passed on data chunk when a fragment is delivered in many
+ smaller pieces.
+
+ The documentation has been updated accordingly.
+
+ Closes #9636
+
+- [Patrick Monnerat brought this change]
+
+ docs/examples: avoid deprecated options in examples where possible
+
+ Example programs targeting a deprecated feature/option are commented with
+ a warning about it.
+ Other examples are adapted to not use deprecated options.
+
+ Closes #9661
+
+Viktor Szakats (6 Oct 2022)
+- cmake: fix enabling websocket support
+
+ Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77
+
+ Closes #9660
+
+- tidy-up: delete parallel/unused feature flags
+
+ Detecting headers and lib separately makes sense when headers come in
+ variations or with extra ones, but this wasn't the case here. These were
+ duplicate/parallel macros that we had to keep in sync with each other
+ for a working build. This patch leaves a single macro for each of these
+ dependencies:
+
+ - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.
+
+ Also delete CMake logic making sure these two were in sync, along with
+ a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.
+
+ Also delete stray `HAVE_ZLIB` defines.
+
+ There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
+ retains it for compatibility and deprecates it.
+
+ - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.
+
+ Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
+ `winbuild/MakefileBuild.vc`, these have a role when building libssh2
+ itself. And `CURL_USE_LIBSSH`, which had no use at all.
+
+ Also delete stray `HAVE_LIBSSH2` defines.
+
+ - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.
+
+ Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
+ `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
+ libssh2 line, and were not having any use.
+
+ - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9652
+
+Daniel Stenberg (6 Oct 2022)
+- netrc: compare user name case sensitively
+
+ User name comparisions in netrc need to match the case.
+
+ Closes #9657
+
+- CURLOPT_COOKIEFILE: insist on "" for enable-without-file
+
+ The former way that also suggested using a non-existing file to just
+ enable the cookie engine could lead to developers maybe a bit carelessly
+ guessing a file name that will not exist, and then in a future due to
+ circumstances, such a file could be made to exist and then accidentally
+ libcurl would read cookies not actually meant to.
+
+ Reported-by: Trail of bits
+
+ Closes #9654
+
+- tests/Makefile: remove run time stats from ci-test
+
+ The ci-test is the normal makefile target invoked in CI jobs. This has
+ been using the -r option to runtests.pl since a long time, but I find
+ that it mostly just adds many lines to the test output report without
+ anyone caring much about those stats.
+
+ Remove it.
+
+ Closes #9656
+
+- [Patrick Monnerat brought this change]
+
+ tool: reorganize function c_escape around a dynbuf
+
+ This is a bit shorter and a lot safer.
+
+ Substrings of unescaped characters are added by a single call to reduce
+ overhead.
+
+ Extend test 1465 to handle more kind of escapes.
+
+ Closes #9653
+
+Jay Satiro (5 Oct 2022)
+- CURLOPT_HTTPPOST.3: bolden the deprecation notice
+
+ Ref: https://github.com/curl/curl/pull/9621
+
+ Closes https://github.com/curl/curl/pull/9637
+
+Daniel Stenberg (5 Oct 2022)
+- [John Bampton brought this change]
+
+ misc: fix spelling in docs and comments
+
+ also: remove outdated sentence
+
+ Closes #9644
+
+- [Patrick Monnerat brought this change]
+
+ tool: avoid generating ambiguous escaped characters in --libcurl
+
+ C string hexadecimal-escaped characters may have more than 2 digits.
+ This results in a wrong C compiler interpretation of a 2-digit escaped
+ character when followed by an hex digit character.
+
+ The solution retained here is to represent such characters as 3-digit
+ octal escapes.
+
+ Adjust and extend test 1465 for this case.
+
+ Closes #9643
+
+- configure: the ngtcp2 option should default to 'no'
+
+ While still experimental.
+
+ Bug: https://curl.se/mail/lib-2022-10/0007.html
+ Reported-by: Daniel Hallberg
+
+ Closes #9650
+
+- CURLOPT_MIMEPOST.3: add an (inline) example
+
+ Reported-by: Jay Satiro
+ Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723
+
+ Closes #9649
+
+Viktor Szakats (5 Oct 2022)
+- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip]
+
+ Exclude linker flags specifying depedency libs and libpaths, when
+ building against `libcurl.dll`. In such case these options are not
+ necessary (but may cause errors if not/wrongly configured.)
+
+ Also move and reword a comment on `CPPFLAGS` to not apply to
+ `UNICODE` options. These are necessary for all build targets.
+
+ Closes #9651
+
+Jay Satiro (5 Oct 2022)
+- runtests: fix uninitialized value on ignored tests
+
+ - Don't show TESTFAIL message (ie tests failed which aren't ignored) if
+ only ignored tests failed.
+
+ Before:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+ Use of uninitialized value $failed in concatenation (.) or string at
+ ./runtests.pl line 6290.
+ TESTFAIL: These test cases failed:
+
+ After:
+ IGNORED: failed tests: 571 612 1056
+ TESTDONE: 1214 tests out of 1217 reported OK: 99%
+
+ Closes https://github.com/curl/curl/pull/9648
+
+- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
+
+ - Correct the use of -all-static for static Windows CI builds.
+
+ curl_LDFLAGS was removed from the makefile when metalink support was
+ removed. LDFLAGS=-all-static is passed to make only, because it is not a
+ valid option for configure compilation tests.
+
+ Closes https://github.com/curl/curl/pull/9633
+
+Viktor Szakats (4 Oct 2022)
+- Makefile.m32: fix regression with tool_hugehelp [ci skip]
+
+ In a recent commit I mistakenly deleted this logic, after seeing a
+ reference to a filename ending with `.cvs` and thinking it must have
+ been long gone. Turns out this is an existing file. Restore the rule
+ and the necessary `COPY` definitions with it.
+
+ The restored logic is required for a successful build on a bare source
+ tree (as opposed to a source release tarball).
+
+ Also shorten an existing condition similar to the one added in this
+ patch.
+
+ Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6
+
+ Closes #9645
+
+- Makefile.m32: deduplicate build rules [ci skip]
+
+ After this patch, we reduce the three copies of most `Makefile.m32`
+ logic to one. This now resides in `lib/Makefile.m32`. It makes future
+ updates easier, the code shorter, with a small amount of added
+ complexity.
+
+ `Makefile.m32` reduction:
+
+ | | bytes | LOC total | blank | comment | code |
+ |-------------------|-------:|----------:|-------:|---------:|------:|
+ | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 |
+ | before this patch | 17601 | 625 | 62 | 106 | 457 |
+ | after this patch | 11680 | 392 | 52 | 104 | 236 |
+
+ Details:
+
+ - Change rules to create objects for the `v*` subdirs in the `lib` dir.
+ This allows to use a shared compile rule and assumes that filenames
+ are not (and will not be) colliding across these directories.
+ `Makefile.m32` now also stores a list of these subdirs. They are
+ changing rarely though.
+
+ - Sync as much as possible between the three `Makefile.m32` scripts'
+ rules and their source/target sections.
+
+ - After this patch `CPPFLAGS` are all applied to the `src` sources once
+ again. This matches the behaviour of cmake/autotools. Only zlib ones
+ are actually required there.
+
+ - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate.
+
+ - Change examples to link `libcurl.dll` by default. This makes building
+ trivial, even as a cross-build:
+ `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32`
+ To run them, you need to move/copy or add-to-path `libcurl.dll`.
+ You can select static mode via `CFG=-static`.
+
+ - List more of the `Makefile.m32` config variables.
+
+ - Drop `.rc` support from examples. It made it fragile without much
+ benefit.
+
+ - Include a necessary system lib for the `externalsocket.c` example.
+
+ - Exclude unnecessary systems libs when building in `-dyn` mode.
+
+ Closes #9642
+
+Daniel Stenberg (4 Oct 2022)
+- RELEASE-NOTES: synced
+
+- CURLOPT_COOKIELIST.3: fix formatting mistake
+
+ Also, updated manpage-syntax.pl to make it detect this error in test
+ 1173.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9639
+ Closes #9640
+
+- [Jay Satiro brought this change]
+
+ connect: change verbose IPv6 address:port to [address]:port
+
+ - Use brackets for the IPv6 address shown in verbose message when the
+ format is address:port so that it is less confusing.
+
+ Before: Trying 2606:4700:4700::1111:443...
+ After: Trying [2606:4700:4700::1111]:443...
+
+ Bug: https://curl.se/mail/archive-2022-02/0041.html
+ Reported-by: David Hu
+
+ Closes #9635
+
+Viktor Szakats (3 Oct 2022)
+- Makefile.m32: major rework [ci skip]
+
+ This patch overhauls `Makefile.m32` scripts, fixing a list of quirks,
+ making its behaviour and customization envvars align better with other
+ build systems, aiming for less code, that is easier to read, use and
+ maintain.
+
+ Details:
+ - Rename customization envvars:
+ `CURL_CC` -> `CC`
+ `CURL_RC` -> `RC`
+ `CURL_AR` -> `AR`
+ `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB`
+ `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN`
+ - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used.
+ - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars.
+ - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in
+ favor of the above.
+ - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional
+ with `libssh2`.
+ - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and
+ examples.
+ - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel`
+ instead.
+ - Avoid late evaluation where not necessary (`=` -> `:=`).
+ - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix.
+ Instead, use the standard naming scheme by default: `libcurl.dll.a`.
+ The toolchain recognizes the name, and selects it automatically when
+ asking for a `-shared` vs. `-static` build.
+ - Stop applying `strip` to `libcurl.a`. Follow-up from
+ 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to
+ strip since then.
+ - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to
+ `CFLAGS` as desired.
+ - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL,
+ to avoid that vulnerability on Windows.
+ - Add `-lbrotlicommon` to `LIBS` when using `brotli`.
+ - Do not enable `-nghttp3` without `-ngtcp2`.
+ - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend.
+ You need to set the backend explicitly. This scales better and avoids
+ issues with certain combinations (e.g. `libssh2` + `wolfssl` with no
+ `schannel`).
+ - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via
+ `NGTCP2_LIBS`.
+ - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer
+ supported.
+ - Delete `SPNEGO` references. They were no-ops.
+ - Drop support for Win9x environments.
+ - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`.
+ - Support autotools/CMake `libssh2` builds by default.
+ - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and
+ examples.
+ - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the
+ long gone embedded one.)
+ - Stop static linking with c-ares by default. Add
+ `CPPFLAGS=-DCARES_STATICLIB` to enable it.
+ - Reorganize internal layout to avoid redundancy and emit clean diffs
+ between src/lib and example make files.
+ - Delete unused variables.
+ - Code cleanups/rework.
+ - Comment and indentation fixes.
+
+ Closes #9632
+
+- scripts/release-notes.pl: strip ci skip tag [ci skip]
+
+ Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9634
+
+- Makefile.m32: delete legacy component bits [ci skip]
+
+ - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting
+ to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL.
+
+ - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been
+ using a standard file layout since 1.1.0, so this seems unnecessary
+ now.
+
+ - Drop special logic to enable Novell LDAP SDK support.
+
+ - Drop special logic to enable OpenLDAP LDAP SDK support. This seems
+ to be distinct from native OpenLDAP, with support implemented inside
+ `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist
+ yet in curl.
+
+ - Add `-lwldap32` only if there is no other LDAP library (either native
+ OpenLDAP, or SDKs above) present.
+
+ - Update `doc/INSTALL.md` accordingly.
+
+ After this patch, it's necessary to make configration changes when using
+ OpenSSL 1.0.2 or earlier, or the two LDAP SDKs.
+
+ OpenSSL 1.0.2 and earlier:
+ ```
+ export OPENSSL_INCLUDE = <path-to-openssl>/outinc
+ export OPENSSL_LIBPATH = <path-to-openssl>/out
+ export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32
+ ```
+
+ Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/inc -DCURL_HAS_NOVELL_LDAPSDK
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib/mscvc -lldapsdk -lldapssl -lldapx
+ ```
+
+ OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`:
+ ```
+ export CURL_CFLAG_EXTRAS = -I<path-to-sdk>/include -DCURL_HAS_OPENLDAP_LDAPSDK
+ export CURL_LDFLAG_EXTRAS = -L<path-to-sdk>/lib -lldap -llber
+ ```
+
+ I haven't tested these scenarios, and in general we recommend using
+ a recent OpenSSL release. Also, WinLDAP (the Windows default) and
+ OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on
+ in curl.
+
+ Closes #9631
+
+Daniel Stenberg (2 Oct 2022)
+- vauth/ntlm.h: make line shorter than 80 columns
+
+ Follow-up from 265fbd937
+
+Viktor Szakats (1 Oct 2022)
+- docs: update sourceforge project links [ci skip]
+
+ SourceForge projects can now choose between two hostnames, with .io and
+ .net ending. Both support HTTPS by default now. Opening the other variant
+ will perm-redirected to the one chosen by the project.
+
+ The .io -> .net redirection is done insecurely.
+
+ Let's update the URLs to point to the current canonical endpoints to
+ avoid any redirects.
+
+ Closes #9630
+
+Daniel Stenberg (1 Oct 2022)
+- curl_url_set.3: document CURLU_APPENDQUERY proper
+
+ Listed among the other supported flags.
+
+ Reported-by: Robby Simpson
+ Fixes #9628
+ Closes #9629
+
+Viktor Szakats (1 Oct 2022)
+- Makefile.m32: cleanups and fixes [ci skip]
+
+ - Add `-lcrypt32` once, and add it always for simplicity.
+ - Delete broken link and reference to the pre-Vista WinIDN add-on.
+ MS no longer distribute it.
+ - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista.
+ - Sync `LIBCARES_PATH` default with the rest of dependencies.
+ - Delete version numbers from dependency path defaults.
+ - `libgsasl` package is now called `gsasl`.
+ - Delete `libexpat` and `libxml2` references. No longer used by curl.
+ - Delete `Edit the path below...` comments. We recommend to predefine
+ those envvars instead.
+ - `libcares.a` is not an internal dependency anymore. Stop using it as
+ such.
+ - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability.
+ - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`.
+ They were never used.
+ - Stop to `clean` some objects twice in `src/Makefile.m32`.
+ - Delete cvs-specific leftovers.
+ - Finish resource support in examples make file.
+ - Delete `-I<root>/lib` from examples make file.
+ - Fix copyright start year in examples make file.
+ - Delete duplicate `ftpuploadresume` input in examples make file.
+ - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path
+ defaults, variables names and other internal bits between the three
+ make files.
+ - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This
+ was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL`
+ envvar for the same effect.
+ - Fix linking `curl.exe` and examples to wrong static libs with
+ auto-detected OpenSSL 1.0.2 or earlier.
+ - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only.
+ - Add link to Novell LDAP SDK and use a relative default path. Latest
+ version is from 2016, linked to an outdated OpenSSL 1.0.1.
+ - Whitespace and comment cleanups.
+
+ TODO in a next commit:
+
+ Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell
+ LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the
+ necessary custom envvars to configure them.
+
+ Closes #9616
+
+Daniel Stenberg (30 Sep 2022)
+- RELEASE-NOTES: synced
+
+- [Matt Holt brought this change]
+
+ HTTP3.md: update Caddy example
+
+ Closes #9623
+
+- easy: fix the altsvc init for curl_easy_duphandle
+
+ It was using the old #ifdef which nothing sets anymore
+
+ Closes #9624
+
+- GHA: build tests in a separate step from the running of them
+
+ ... to make the output smaller for when you want to look at test
+ failures.
+
+ Removed the examples build from msh3
+
+ Closes #9619
+
+Viktor Szakats (29 Sep 2022)
+- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
+
+ Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap
+ support. This is also the single mention of this constant in the source
+ tree and also in that commit. Based on these, it seems like an accident.
+
+ Delete this reference.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9625
+
+- docs: spelling nits
+
+ - MingW -> MinGW (Minimalist GNU for Windows)
+ - f.e. -> e.g.
+ - some whitespace and punctuation.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9622
+
+Daniel Stenberg (29 Sep 2022)
+- [Philip Heiduck brought this change]
+
+ cirrus-ci: add macOS build with m1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9565
+
+- [Patrick Monnerat brought this change]
+
+ lib: sanitize conditional exclusion around MIME
+
+ The introduction of CURL_DISABLE_MIME came with some additional bugs:
+ - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled.
+ - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are
+ conditioned on HTTP, although also needed for SMTP and IMAP MIME mail
+ uploads.
+
+ In addition, the CURLOPT_HTTPHEADER and --header documentation does not
+ mention their use for MIME mail.
+
+ This commit fixes the problems above.
+
+ Closes #9610
+
+- [Thiago Suchorski brought this change]
+
+ docs: minor grammar fixes
+
+ Closes #9609
+
+- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument
+
+ Probably a copy and paste error from the lock function man page.
+
+ Reported-by: Robby Simpson
+ Fixes #9612
+ Closes #9613
+
+- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
+
+ ... instead just list the supported encodings.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9614
+ Closes #9615
+
+Dan Fandrich (28 Sep 2022)
+- tests: Remove a duplicated keyword
+
+- docs: document more server names for test files
+
+Daniel Stenberg (28 Sep 2022)
+- altsvc: reject bad port numbers
+
+ The existing code tried but did not properly reject alternative services
+ using negative or too large port numbers.
+
+ With this fix, the logic now also flushes the old entries immediately
+ before adding a new one, making a following header with an illegal entry
+ not flush the already stored entry.
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Adjusted test 356 to verify.
+
+ Closes #9607
+
+- functypes: provide the recv and send arg and return types
+
+ This header is for providing the argument types for recv() and send()
+ when built to not use a dedicated config-[platfor].h file.
+
+ Remove the slow brute-force checks from configure and cmake.
+
+ This change also removes the use of the types for select, as they were
+ not used in code.
+
+ Closes #9592
+
+- urlapi: reject more bad characters from the host name field
+
+ Extended test 1560 to verify
+
+ Report from the ongoing source code audit by Trail of Bits.
+
+ Closes #9608
+
+- configure: deprecate builds with small curl_off_t
+
+ If curl_off_t turns out to be smaller than 8 bytes,
+ --with-n64-deprecated needs to be used to allow the build to
+ continue. This is to highlight the fact that support for such builds is
+ going away next year.
+
+ Also mentioned in DEPRECATED.md
+
+ Closes #9605
+
+- [Patrick Monnerat brought this change]
+
+ http, vauth: always provide Curl_allow_auth_to_host() functionality
+
+ This function is currently located in the lib/http.c module and is
+ therefore disabled by the CURL_DISABLE_HTTP conditional token.
+
+ As it may be called by TLS backends, disabling HTTP results in an
+ undefined reference error at link time.
+
+ Move this function to vauth/vauth.c to always provide it and rename it
+ as Curl_auth_allowed_to_host() to respect the vauth module naming
+ convention.
+
+ Closes #9600
+
+- ngtcp2: fix C89 compliance nit
+
+- openssl: make certinfo available for QUIC
+
+ Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
+ can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
+ connections as well.
+
+ The *certchain function was moved to the top of the file for this reason.
+
+ Reported-by: Eloy Degen
+ Fixes #9584
+ Closes #9597
+
+- RELEASE-NOTES: synced
+
+- DEPRECATE.md: Support for systems without 64 bit data types
+
+ Closes #9604
+
+- [Patrick Monnerat brought this change]
+
+ tests: skip mime/form tests when mime is not built-in
+
+ Closes #9596
+
+- url: rename function due to name-clash in Watt-32
+
+ Follow-up to 2481dbe5f4f58 and applies the change the way it was
+ intended.
+
+Viktor Szakats (26 Sep 2022)
+- windows: adjust name of two internal public functions
+
+ According to `docs/INTERNALS.md`, internal function names spanning source
+ files start with uppercase `Curl_`. Bring these two functions in
+ alignment with this.
+
+ This also stops exporting them from `libcurl.dll` in autotools builds.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9598
+
+Daniel Stenberg (26 Sep 2022)
+- [Gisle Vanem brought this change]
+
+ url: rename function due to name-clash in Watt-32
+
+ Since the commit 764c958c52edb427f39, there was a new function called
+ resolve_ip(). This clashes with an internal function in Watt-32.
+
+ Closes #9585
+
+Jay Satiro (26 Sep 2022)
+- schannel: ban server ALPN change during recv renegotiation
+
+ By the time schannel_recv is renegotiating the connection, libcurl has
+ already decided on a protocol and it is too late for the server to
+ select a protocol via ALPN except for the originally selected protocol.
+
+ Ref: https://github.com/curl/curl/issues/9451
+
+ Closes https://github.com/curl/curl/pull/9463
+
+Daniel Stenberg (26 Sep 2022)
+- url: a zero-length userinfo part in the URL is still a (blank) user
+
+ Adjusted test 1560 to verify
+
+ Reported-by: Jay Satiro
+
+ Fixes #9088
+ Closes #9590
+
+Viktor Szakats (25 Sep 2022)
+- autotools: allow --enable-symbol-hiding with windows
+
+ This local autotools logic was put in place in
+ 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for
+ Windows unconditionally. Testing reveals that it actually works with
+ tested toolchains (mingw-w64 and CI ones), so let's allow this build
+ feature on that platform. Bringing this in sync with CMake, which already
+ supported this.
+
+ Reviewed-by: Jay Satiro
+
+ Closes #9586
+
+- autotools: reduce brute-force when detecting recv/send arg list
+
+ autotools uses brute-force to detect `recv`/`send`/`select` argument
+ lists, by interating through _all_ argument type combinations on each
+ `./configure` run. This logic exists since
+ 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later
+ extended with Windows support.
+
+ This results in a worst-case number of compile + link cycles as below:
+ - `recv`: 96
+ - `send`: 192
+ - `select`: 60
+ Total: 348 (the number of curl C source files is 195, for comparison)
+
+ Notice that e.g. curl-for-win autotools builds require two `./configure`
+ invocations, doubling these numbers.
+
+ `recv` on Windows was especially unlucky because `SOCKET` (the correct
+ choice there) was listed _last_ in one of the outer trial loops. This
+ resulted in lengthy waits while autotools was trying all invalid
+ combinations first, wasting cycles, disk writes and slowing down
+ iteration.
+
+ This patch reduces the amount of idle work by reordering the tests in
+ a way to succeed first on a well-known platform such as Windows, and
+ also on non-Windows by testing for POSIX prototypes first, on the
+ assumption that these are the most likely candidates these days. (We do
+ not touch `select`, where the order was already optimal for these
+ platforms.)
+
+ For non-Windows, this means to try a return value of `ssize_t` first,
+ then `int`, reordering the buffer argument type to try `void *` first,
+ then `byte *`, and prefer the `const` flavor with `send`. If we are
+ here, also stop testing for `SOCKET` type in non-Windows builds.
+
+ After the patch, detection on Windows is instantaneous. It should also be
+ faster on popular platforms such as Linux and BSD-based ones.
+
+ If there are known-good variations for other platforms, they can also be
+ fast-tracked like above, given a way to check for that platform inside
+ the autotools logic.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #9591
+
+Daniel Stenberg (23 Sep 2022)
+- TODO: Provide the error body from a CONNECT response
+
+ Spellchecked-by: Jay Satiro
+
+ Closes #9513
+ Closes #9581
+
+Viktor Szakats (23 Sep 2022)
+- windows: autotools .rc warnings fixup
+
+ Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing:
+
+ - Warnings when running `autoreconf -fi`.
+
+ - Warning when compiling .rc files:
+ libtool: compile: unable to infer tagged configuration
+ libtool: error: specify a tag with '--tag'
+
+ Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057
+ Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156
+
+ Suggested-by: Patrick Monnerat
+ Closes #9582
+
+Daniel Stenberg (23 Sep 2022)
+- [Randall S. Becker brought this change]
+
+ curl_setup: disable use of FLOSS for 64-bit NonStop builds
+
+ Older 32-bit builds currently need FLOSS. This dependency may be removed
+ in future OS releases.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes #9575
+
+- [Patrick Monnerat brought this change]
+
+ tool: remove dead code
+
+ Add a debug assertion to verify protocols included/excluded in a set
+ are always tokenized.
+
+ Follow-up to commit 677266c.
+
+ Closes #9576
+
+- [Patrick Monnerat brought this change]
+
+ lib: prepare the incoming of additional protocols
+
+ Move the curl_prot_t to its own conditional block. Introduce symbol
+ PROTO_TYPE_SMALL to control it.
+
+ Fix a cast in a curl_prot_t assignment.
+ Remove an outdated comment.
+
+ Follow-up to cd5ca80.
+
+ Closes #9534
+
+- msh3: change the static_assert to make the code C89
+
+- bearssl: make it proper C89 compliant
+
+- curl-compilers.m4: for gcc + want warnings, set gnu89 standard
+
+ To better verify that the code is C89
+
+ Closes #9542
+
+- [Patrick Monnerat brought this change]
+
+ lib517: fix C89 constant signedness
+
+ In C89, positive integer literals that overflow an int but not an
+ unsigned int may be understood as a negative int.
+
+ lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90
+ {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 },
+ ^
+
+ Closes #9572
+
+- mprintf: use snprintf if available
+
+ This is the single place in libcurl code where it uses the "native"
+ s(n)printf() function. Used for writing floats. The use has been
+ reviewed and vetted and uses a HUGE target buffer, but switching to
+ snprintf() still makes this safer and removes build-time warnings.
+
+ Reported-by: Philip Heiduck
+
+ Fixes #9569
+ Closes #9570
+
+- docs: tag curl options better in man pages
+
+ As it makes them links in the HTML versions.
+
+ Verified by the extended test 1176
+
+- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
+
+- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged
+
+ ... as that makes them links to their corresponding man page.
+
+ This script is used for test 1173.
+
+ Closes #9574
+
+- RELEASE-NOTES: synced
+
+- [Patrick Monnerat brought this change]
+
+ tool: remove protocol count limitation
+
+ Replace bit mask protocol sets by null-terminated arrays of protocol
+ tokens. These are the addresses of the protocol names returned by
+ curl_version_info().
+
+ Protocol names are sorted case-insensitively before output to satisfy CI
+ tests matches consistency.
+
+ The protocol list returned by curl_version_info() is augmented with all
+ RTMP protocol variants.
+
+ Test 1401 adjusted for new alpha ordered output.
+
+ Closes #9546
+
+- test972: verify the output without using external tool
+
+ It seems too restrictive to assume and use an external tool to verify
+ the JSON. This now verifies the outut byte per byte. We could consider
+ building a local "JSON verifyer" in a future.
+
+ Remove 'jsonlint' from the CI job.
+
+ Reported-by: Marcel Raad
+ Fixes #9563
+ Closes #9564
+
+- hostip: lazily wait to figure out if IPv6 works until needed
+
+ The check may take many milliseconds, so now it is performed once the
+ value is first needed. Also, this change makes sure that the value is
+ not used if the resolve is set to be IPv4-only.
+
+ Closes #9553
+
+- curl.h: fix mention of wrong error code in comment
+
+ The same error and comment were also used and is now corrected in
+ CURLOPT_SSH_KEYFUNCTION.3
+
+- symbol-scan.pl: scan and verify .3 man pages
+
+ This script now also finds all .3 man pages in docs/include and
+ docs/include/opts, extracts all uses of CURL* symbols and verifies that all
+ symbols mentioned in docs are defined in public headers.
+
+ A "global symbol" is one of those matching a known prefix and the script makes
+ an attempt to check all/most of them. Just using *all* symbols that match
+ CURL* proved matching a little too many other references as well and turned
+ difficult turning into something useful.
+
+ Closes #9544
+
+- symbols-in-versions: add missing LIBCURL* symbols
+
+- symbol-scan.pl: also check for LIBCURL* symbols
+
+ Closes #9544
+
+- docs/libcurl/symbols-in-versions: add several missing symbols
+
+- test1119: scan all public headers
+
+ Previously this test only scanned a subset of the headers, which made us
+ accidentally miss symbols that were provided in the others. Now, the script
+ iterates over all headers present in include/curl.
+
+ Closes #9544
+
+- [Patrick Monnerat brought this change]
+
+ examples/chkspeed: improve portability
+
+ The example program chkspeed uses strncasecmp() which is not portable
+ across systems. Replace calls to this function by tests on characters.
+
+ Closes #9562
+
+- easy: fix the #include order
+
+ The mentioned "last 3 includes" order should be respected. easy_lock.h should
+ be included before those three.
+
+ Reported-by: Yuriy Chernyshov
+ Fixes #9560
+ Closes #9561
+
+- docs: spellfixes
+
+ Pointed by the new CI job
+
+- GHA: spellcheck
+
+ This spellchecker checks markdown files. For this reason this job
+ converts all man pages in the repository to markdown with pandoc before
+ the check runs.
+
+ The perl script 'cleanspell' filters out details from the man page in
+ the process, to avoid the spellchecker trying to spellcheck things it
+ can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections
+ of libcurl man pages.
+
+ The spell checker does not check words in sections that are within pre,
+ strong and em tags.
+
+ 'spellcheck.words' is a custom word list with additional accepted words.
+
+ Closes #9523
+
+- connect: fix the wrong error message on connect failures
+
+ The "Failed to connect to" message after a connection failure would
+ include the strerror message based on the presumed previous socket
+ error, but in times it seems that error number is not set when reaching
+ this code and therefore it would include the wrong error message.
+
+ The strerror message is now removed from here and the curl_easy_strerror
+ error is used instead.
+
+ Reported-by: Edoardo Lolletti
+ Fixes #9549
+ Closes #9554
+
+- httpput-postfields.c: shorten string for C89 compliance
+
+ httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings]
+ 41 | "this chapter.";
+ | ^~~~~~~~~~~~~~~
+
+ Closes #9555
+
+- ws: fix a C89 compliance nit
+
+ Closes #9541
+
+- [Patrick Monnerat brought this change]
+
+ unit test 1655: make it C89-compliant
+
+ Initializations performed in unit test 1655 use automatic variables in
+ aggregates and thus can only be computed at run-time. Using gcc in C89
+ dialect mode produces warning messages like:
+
+ unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic]
+ 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */
+ | ^~~~~~~
+
+ Fix the problem by converting these automatic pointer variables to
+ static arrays.
+
+ Closes #9551
+
+- [Tobias Schaefer brought this change]
+
+ curl_strequal.3: fix typo
+
+ Closes #9548
+
+- [Dmitry Karpov brought this change]
+
+ resolve: make forced IPv4 resolve only use A queries
+
+ This protects IPv4-only transfers from undesired bad IPv6-related side
+ effects and make IPv4 transfers in dual-stack libcurl behave the same
+ way as in IPv4 single-stack libcurl.
+
+ Closes #9540
+
+- RELEASE-NOTES: synced
+
+- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
+
+ Patched-by: Mark Itzcovitz
+ Bug: https://curl.se/mail/lib-2022-09/0038.html
+
+ Closes #9536
+
+- TODO: Reduce CA certificate bundle reparsing
+
+ By adding some sort of cache.
+
+ Reported-by: Michael Drake
+ Closes #9379
+ Closes #9538
+
+Marc Hoersken (19 Sep 2022)
+- CI/GHA: cancel outdated CI runs on new PR changes
+
+ Avoid letting outdated CI runs continue if a PR receives
+ new changes. Outside a PR we let them continue running
+ by tying the concurrency to the commit hash instead.
+
+ Also only let one CodeQL or Hacktoberfest job run at a time.
+
+ Other CI platforms we use have this build in, but GitHub
+ unfortunately neither by default nor with a simple option.
+
+ This saves CI resources and therefore a little energy.
+
+ Approved-by: Daniel Stenberg
+ Approved-by: Max Dymond
+ Closes #9533
+
+Daniel Stenberg (19 Sep 2022)
+- docs: fix proselint complaints
+
+- GHA: run proselint on markdown files
+
+ Co-authored-by: Marc Hörsken
+
+ Closes #9520
+
+- lib: the number four in a sequence is the "fourth"
+
+ Spelling is hard
+
+ Closes #9535
+
+- [John Bampton brought this change]
+
+ misc: fix spelling in two source files
+
+ Closes #9529
+
+Viktor Szakats (18 Sep 2022)
+- windows: add .rc support to autotools builds
+
+ After this update autotools builds will compile and link `.rc` resources
+ to Windows executables. Bringing this feature on par with CMake and
+ Makefile.m32 builds. And also making it unnecessary to improvise these
+ steps manually, while monkey patching build files, e.g. [0].
+
+ You can customize the resource compiler via the `RC` envvar, and its
+ options via `RCFLAGS`.
+
+ This harmless warning may appear throughout the build, even though the
+ autotools manual documents [1] `RC` as a valid tag, and it fails when
+ omitting one:
+ `libtool: error: ignoring unknown tag RC`
+
+ [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html
+
+ Closes #9521
+
+Marc Hoersken (18 Sep 2022)
+- CI/linkcheck: only run if a Markdown file is changed
+
+ This saves CI resources and therefore a little energy.
+
+ Reviewed-by: Max Dymond
+ Closes #9531
+
+- README.md: add GHA status badges for Linux and macOS builds
+
+ This makes sense now that Linux builds are being consolidated.
+
+ Approved-by: Daniel Stenberg
+ Closes #9530
+
+ [skip ci]
+
+Daniel Stenberg (17 Sep 2022)
+- misc: null-terminate
+
+ Make use of this term consistently.
+
+ Closes #9527
+
+Marc Hoersken (17 Sep 2022)
+- CI/GHA: merge intel CC and more TLS libs into linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Reviewed-by: Max Dymond
+ Follow up to #9501
+ Closes #9514
+
+Daniel Stenberg (17 Sep 2022)
+- [Patrick Monnerat brought this change]
+
+ lib1597: make it C89-compliant again
+
+ Automatic variable addresses cannot be used in an initialisation
+ aggregate.
+
+ Follow-up to 9d51329
+
+ Reported-by: Daniel Stenberg
+ Fixes: #9524
+ Closes #9525
+
+- tool_libinfo: silence "different 'const' qualifiers" in qsort()
+
+ MSVC 15.0.30729.1 warned about it
+
+ Follow-up to dd2a024323dcc
+
+ Closes #9522
+
+- [Patrick Monnerat brought this change]
+
+ docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
+
+ Disabled protocols are now handled as if they were unknown.
+ Also update the possible protocol list.
+
+- [Patrick Monnerat brought this change]
+
+ cli tool: do not use disabled protocols
+
+ As they are now rejected by the library, take care of not passing
+ disabled protocol names to CURLOPT_PROTOCOLS_STR and
+ CURLOPT_REDIR_PROTOCOLS_STR.
+
+ Rather than using the CURLPROTO_* constants, dynamically assign protocol
+ numbers based on the order they are listed by curl_version_info().
+
+ New type proto_set_t implements prototype bit masks: it should therefore
+ be large enough to accomodate all library-enabled protocols. If not,
+ protocol numbers beyond the bit count of proto_set_t are recognized but
+ "inaccessible": when used, a warning is displayed and the value is
+ ignored. Should proto_set_t overflows, enabled protocols are reordered to
+ force those having a public CURLPROTO_* representation to be accessible.
+
+ Code has been added to subordinate RTMP?* protocols to the presence of
+ RTMP in the enabled protocol list, being returned by curl_version_info()
+ or not.
+
+- [Patrick Monnerat brought this change]
+
+ setopt: use the handler table for protocol name to number conversions
+
+ This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than
+ CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found.
+
+ A new schemelen parameter is added to Curl_builtin_scheme() to support
+ this extended use.
+
+ Note that disabled protocols are not recognized anymore.
+
+ Tests adapted accordingly.
+
+ Closes #9472
+
+- altsvc: use 'h3' for h3
+
+ Since the official and real version has been out for a while now and servers
+ are deployed out there using it, there is no point in sticking to h3-29.
+
+ Reported-by: ウさん
+ Fixes #9515
+ Closes #9516
+
+Jay Satiro (16 Sep 2022)
+- [chemodax brought this change]
+
+ winbuild: Use NMake batch-rules for compilation
+
+ - Invoke cl compiler once for each group of .c files.
+
+ This is significantly improves compilation time. For example in my
+ environment: 40 s --> 20 s.
+
+ Prior to this change cl was invoked per .c file.
+
+ Closes https://github.com/curl/curl/pull/9512
+
+Daniel Stenberg (16 Sep 2022)
+- ws: the infof() flags should be %zu
+
+ Follow-up to e5e9e0c5e49ae0
+
+ Closes #9518
+
+- curl: warn for --ssl use, considered insecure
+
+ Closes #9519
+
+- [Sergey Bronnikov brought this change]
+
+ curl_escape.3: fix typo
+
+ lengthf -> length
+
+ Closes #9517
+
+- mailmap: merge Philip Heiduck's two addresses into one
+
+- test1948: verify PUT + POST reusing the same handle
+
+ Reproduced #9507, verifies the fix
+
+- setopt: when POST is set, reset the 'upload' field
+
+ Reported-by: RobBotic1 on github
+ Fixes #9507
+ Closes #9511
+
+Marc Hoersken (15 Sep 2022)
+- github: initial CODEOWNERS setup for CI configuration
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Max Dymond
+
+ Closes #9505
+
+ [skip ci]
+
+- [Philip Heiduck brought this change]
+
+ CI: optimize some more dependencies install
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9500
+
+- CI/GHA: merge event-based and NSS into new linux workflow
+
+ Continue work on merging all Linux workflows into one file.
+
+ Follow up to #9501
+ Closes #9506
+
+Daniel Stenberg (15 Sep 2022)
+- include/curl/websockets.h: add extern "C" for C++
+
+ Reported-by: n0name321 on github
+ Fixes #9509
+ Closes #9510
+
+- lib1560: extended to verify detect/reject of unknown schemes
+
+ ... when no guessing is allowed.
+
+- urlapi: detect scheme better when not guessing
+
+ When the parser is not allowed to guess scheme, it should consider the
+ word ending at the first colon to be the scheme, independently of number
+ of slashes.
+
+ The parser now checks that the scheme is known before it counts slashes,
+ to improve the error messge for URLs with unknown schemes and maybe no
+ slashes.
+
+ When following redirects, no scheme guessing is allowed and therefore
+ this change effectively prevents redirects to unknown schemes such as
+ "data".
+
+ Fixes #9503
+
+- strerror: improve two URL API error messages
+
+Marc Hoersken (14 Sep 2022)
+- CI/GHA: merge bearssl and hyper into initial linux workflow
+
+ Begin work on merging all Linux workflows into one file.
+
+ Closes #9501
+
+Daniel Stenberg (14 Sep 2022)
+- RELEASE-NOTES: synced
+
+- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
+
+ Since the config file might also get included by the tool code at times.
+ This syncs with how other builds do it.
+
+ Closes #9498
+
+- tool_hugehelp: make hugehelp a blank macro when disabled
+
+ Closes #9485
+
+- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
+
+ ... to improve the output in this situation. Now it doesn't say "option
+ unknown" anymore.
+
+ Closes #9485
+
+- setopt: fix compiler warning
+
+ Follow-up to cd5ca80f00d2
+
+ closes #9502
+
+- [Philip Heiduck brought this change]
+
+ CI: skip make, do make install at once for dependencies
+
+ Signed-off-by: Philip Heiduck <pheiduck@Philips-MBP.lan>
+
+ Closes #9477
+
+- formdata: typecast the va_arg return value
+
+ To avoid "enumerated type mixed with another type" warnings
+
+ Follow-up from 0f52dd5fd5aa3592691a
+
+ Closes #9499
+
+- RELEASE-PROCEDURE.md: mention patch releases
+
+ - When to make them and how to argue for them
+ - Refreshed the release date list
+
+ Closes #9495
+
+- urldata: use a curl_prot_t type for storing protocol bits
+
+ This internal-use-only storage type can be bumped to a curl_off_t once
+ we need to use bit 32 as the previous 'unsigned int' can no longer hold
+ them all then.
+
+ The websocket protocols take bit 30 and 31 so they are the last ones
+ that fit within 32 bits - but cannot properly be exported through APIs
+ since those use *signed* 32 bit types (long) in places.
+
+ Closes #9481
+
+- [zhanghu on xiaomi brought this change]
+
+ formdata: fix warning: 'CURLformoption' is promoted to 'int'
+
+ curl/lib/formdata.c: In function 'FormAdd':
+ curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...'
+ 249 | option = va_arg(params, CURLformoption);
+ | ^
+ curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg')
+ curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort
+
+ Closes #9484
+
+- CURLOPT_CONNECT_ONLY.3: for ws(s) as well
+
+ and correct the version number for when that support comes. Even if it
+ is still experimental for WebSocket.
+
+ Closes #9487
+
+- tool_operate: avoid a few #ifdefs for disabled-libcurl builds
+
+ By providing empty macros in the header file instead, the code gets
+ easier to read and yet is disabled on demand.
+
+ Closes #9486
+
+- [a1346054 on github brought this change]
+
+ scripts: use `grep -E` instead of `egrep`
+
+ egrep is deprecated
+
+ Closes #9491
+
+- [Hayden Roche brought this change]
+
+ wolfSSL: fix session management bug.
+
+ Prior to this commit, non-persistent pointers were being used to store
+ sessions. When a WOLFSSL object was then freed, that freed the session
+ it owned, and thus invalidated the pointer held in curl's cache. This
+ commit makes it so we get a persistent (deep copied) session pointer
+ that we then add to the cache. Accordingly, wolfssl_session_free, which
+ was previously a no-op, now needs to actually call SSL_SESSION_free.
+
+ This bug was discovered by a wolfSSL customer.
+
+ Closes #9492
+
+- docs: use "WebSocket" in singular
+
+ This is how the RFC calls the protocol. Also rename the file in docs/ to
+ WEBSOCKET.md in uppercase to match how we have done it for many other
+ protocol docs in similar fashion.
+
+ Add the WebSocket docs to the tarball.
+
+ Closes #9496
+
+Marcel Raad (12 Sep 2022)
+- ws: fix build without `USE_WEBSOCKETS`
+
+ The curl.h include is required unconditionally.
+
+- ws: add missing curl.h include
+
+ A conflict between commits 664249d0952 and e5839f4ee70 broke the build.
+
+Daniel Stenberg (12 Sep 2022)
+- ws: fix an infof() call to use %uz for size_t output
+
+ Detected by Coverity, CID 1514665.
+
+ Closes #9480
+
+Marcel Raad (12 Sep 2022)
+- curl_setup: include only system.h instead of curl.h
+
+ As done before commit 9506d01ee50.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib: add missing limits.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- lib and tests: add missing curl.h includes
+
+ Closes https://github.com/curl/curl/pull/9453
+
+- curl_setup: include curl.h after platform setup headers
+
+ The platform setup headers might set definitions required for the
+ includes in curl.h.
+
+ Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269
+ Closes https://github.com/curl/curl/pull/9453
+
+Daniel Stenberg (12 Sep 2022)
+- [Benjamin Loison brought this change]
+
+ docs: correct missing uppercase in Markdown files
+
+ To detect these typos I used:
+
+ ```
+ clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md'
+ ```
+
+ Closes #9474
+
+- tool_setopt: use better English in --libcurl source comments
+
+ Like this:
+
+ XYZ was set to an object pointer
+ ABC was set to a function pointer
+
+ Closes #9475
+
+- setopt: make protocol2num use a curl_off_t for the protocol bit
+
+ ... since WSS does not fit within 32 bit.
+
+ Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887
+ Closes #9476
+
+- RELEASE-NOTES: synced
+
+- configure: polish the grep -E message a bit further
+
+ Suggested-by: Emanuele Torre
+ Closes #9473
+
+- GHA: add a gcc-11 -O3 build using OpenSSL
+
+ Since -O3 might trigger other warnings
+
+ Closes #9454
+
+- [Patrick Monnerat brought this change]
+
+ content_encoding: use writer struct subclasses for different encodings
+
+ The variable-sized encoding-specific storage of a struct contenc_writer
+ currently relies on void * alignment that may be insufficient with
+ regards to the specific storage fields, although having not caused any
+ problems yet.
+
+ In addition, gcc 11.3 issues a warning on access to fields of partially
+ allocated structures that can occur when the specific storage size is 0:
+
+ content_encoding.c: In function ‘Curl_build_unencoding_stack’:
+ content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds]
+ 980 | writer->handler = handler;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~
+ In file included from content_encoding.c:49:
+ memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’
+ 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ content_encoding.c:977:60: note: in expansion of macro ‘calloc’
+ 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz);
+
+ To solve both these problems, the current commit replaces the
+ contenc_writer/params structure pairs by "subclasses" of struct
+ contenc_writer. These are structures that contain a contenc_writer at
+ offset 0. Proper field alignment is therefore handled by the compiler and
+ full structure allocation is performed, silencing the warnings.
+
+ Closes #9455
+
+- configure: correct the wording when checking grep -E
+
+ The check first checks that grep -E works, and only as a fallback tries
+ to find and use egrep. egrep is deprecated.
+
+ This change only corrects the output wording, not the checks themselves.
+
+ Closes #9471
+
+Viktor Szakats (10 Sep 2022)
+- websockets: sync prototypes in docs with implementation [ci skip]
+
+ Docs for the new send/recv functions synced with the committed versions
+ of these.
+
+ Closes #9470
+
+Daniel Stenberg (10 Sep 2022)
+- setopt: make protocols2num() work with websockets
+
+ So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can
+ specify those as well.
+
+ Reported-by: Patrick Monnerat
+ Bug: https://curl.se/mail/lib-2022-09/0016.html
+ Closes #9467
+
+- curl/websockets.h: remove leftover bad typedef
+
+ Just a leftover trace of a development thing that did not stay like
+ that.
+
+ Reported-by: Marc Hörsken
+ Fixes #9465
+ Cloes #9466
+
+Marcel Raad (10 Sep 2022)
+- [Orgad Shaneh brought this change]
+
+ fix Cygwin/MSYS compilation
+
+ _getpid is Windows API. On Cygwin variants it should remain getpid.
+
+ Fixes #8220
+ Closes #9255
+
+Marc Hoersken (10 Sep 2022)
+- GHA: prepare workflow merge by aligning structure again
+
+ Closes #9413
+
+Daniel Stenberg (9 Sep 2022)
+- docs: the websockets symbols are added in 7.86.0
+
+ Nothing else
+
+ Closes #9459
+
+- tests/libtest/Makefile.inc: fixup merge conflict mistake
+
+- EXPERIMENTAL.md: add WebSockets
+
+- appveyor: enable websockets
+
+- cirrus: enable websockets in the windows builds
+
+- GHA: add websockets to macos, openssl3 and hyper builds
+
+- tests: add websockets tests
+
+ - add websockets support to sws
+ - 2300: first very basic websockets test
+ - 2301: first libcurl test for ws (not working yet)
+ - 2302: use the ws callback
+ - 2303: test refused upgrade
+
+- curl_ws_meta: initial implementation
+
+- curl_ws_meta.3: added docs
+
+- ws: initial websockets support
+
+ Closes #8995
+
+- version: add ws + wss
+
+- libtest/lib1560: test basic websocket URL parsing
+
+- configure: add --enable-websockets
+
+- docs/WebSockets.md: docs
+
+- test415: verify Content-Length parser with control code + negative value
+
+- strtoofft: after space, there cannot be a control code
+
+ With the change from ISSPACE() to ISBLANK() this function no longer
+ deals with (ignores) control codes the same way, which could lead to
+ this function returning unexpected values like in the case of
+ "Content-Length: \r-12354".
+
+ Follow-up to 6f9fb7ec2d7cb389a0da5
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140
+ Assisted-by: Max Dymond
+ Closes #9458
+
+- headers: reset the requests counter at transfer start
+
+ If not, reusing an easy handle to do a subsequent transfer would
+ continue the counter from the previous invoke, which then would make use
+ of the header API difficult/impossible as the request counter
+ mismatched.
+
+ Add libtest 1947 to verify.
+
+ Reported-by: Andrew Lambert
+ Fixes #9424
+ Closes #9447
+
+Jay Satiro (8 Sep 2022)
+- header: define public API functions as extern c
+
+ Prior to this change linker errors would occur if curl_easy_header or
+ curl_easy_nextheader was called from a C++ unit.
+
+ Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007
+ Reported-by: Andrew Lambert
+
+ Closes https://github.com/curl/curl/pull/9446
+
+Daniel Stenberg (8 Sep 2022)
+- http2: make nghttp2 less picky about field whitespace
+
+ In nghttp2 1.49.0 it returns error on leading and trailing whitespace in
+ header fields according to language in the recently shipped RFC 9113.
+
+ nghttp2 1.50.0 introduces an option to switch off this strict check and
+ this change enables this option by default which should make curl behave
+ more similar to how it did with nghttp2 1.48.0 and earlier.
+
+ We might want to consider making this an option in the future.
+
+ Closes #9448
+
+- RELEASE-NOTES: synced
+
+ And bump to 7.86.0 for the pending next release
+
+- [Michael Heimpold brought this change]
+
+ ftp: ignore a 550 response to MDTM
+
+ The 550 is overused as a return code for multiple error case, e.g.
+ file not found and/or insufficient permissions to access the file.
+
+ So we cannot fail hard in this case.
+
+ Adjust test 511 since we now fail later.
+ Add new test 3027 which check that when MDTM failed, but the file could
+ actually be retrieved, that in this case no filetime is provided.
+
+ Reported-by: Michael Heimpold
+ Fixes #9357
+ Closes #9387
+
+- urlapi: leaner with fewer allocs
+
+ Slightly faster with more robust code. Uses fewer and smaller mallocs.
+
+ - remove two fields from the URL handle struct
+ - reduce copies and allocs
+ - use dynbuf buffers more instead of custom malloc + copies
+ - uses dynbuf to build the host name in reduces serial alloc+free within
+ the same function.
+ - move dedotdotify into urlapi.c and make it static, not strdup the input
+ and optimize it by checking for . and / before using strncmp
+ - remove a few strlen() calls
+ - add Curl_dyn_setlen() that can "trim" an existing dynbuf
+
+ Closes #9408
+
+Jay Satiro (7 Sep 2022)
+- setup-win32: no longer define UNICODE/_UNICODE implicitly
+
+ - If UNICODE or _UNICODE is defined but the other isn't then error
+ instead of implicitly defining it.
+
+ As Marcel pointed out it is too late at this point to make such a define
+ because Windows headers may already be included, so likely it never
+ worked. We never noticed because build systems that can make Windows
+ Unicode builds always define both. If one is defined but not the other
+ then something went wrong during the build configuration.
+
+ Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272
+ Reported-by: Marcel Raad
+
+ Closes https://github.com/curl/curl/pull/9384
+
+Dan Fandrich (6 Sep 2022)
+- tests: fix tag syntax errors in test files
+
+Marc Hoersken (6 Sep 2022)
+- lib: add required Win32 setup definitions in setup-win32.h
+
+ Assisted-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Follow up to #9312
+ Closes #9375
+
+Daniel Stenberg (6 Sep 2022)
+- pingpong: extend the response reading error with errno
+
+ To help diagnosing the cause of the problem.
+
+ See #9380
+ Closes #9443
+
+- curl-compilers.m4: use -O2 as default optimize for clang
+
+ Not -Os
+
+ Closes #9444
+
+- tool_operate: fix msnprintfing the error message
+
+ Follow-up to 7be53774c41c59b47075fba
+
+ Coverity CID 1513717 pointed out that we cannot use sizeof() on the
+ error buffer anymore.
+
+ Closes #9440
+
+- [Emanuele Torre brought this change]
+
+ curl_ctype: add space around <= operator in ISSPACE macro
+
+ Follow-up to f65f750
+
+ Closes #9441
+
+- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
+
+ The 'protocols' listed were previously wrong.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9434
+ Closes #9435
+
+- curl_ctype: convert to macros-only
+
+ This no longer provide functions, only macros. Runs faster and produces
+ smaller output.
+
+ The biggest precaution this change brings:
+
+ DO NOT use post/pre-increments when passing arguments to the macros.
+
+ Closes #9429
+
+- misc: ISSPACE() => ISBLANK()
+
+ Instances of ISSPACE() use that should rather use ISBLANK(). I think
+ somewhat carelessly used because it sounds as if it checks for space or
+ whitespace, but also includes %0a to %0d.
+
+ For parsing purposes, we should only accept what we must and not be
+ overly liberal. It leads to surprises and surprises lead to bad things.
+
+ Closes #9432
+
+- ctype: remove all use of <ctype.h>, use our own versions
+
+ Except in the test servers.
+
+ Closes #9433
+
+Marc Hoersken (5 Sep 2022)
+- cmake: skip superfluous hex2dec conversion using math expr
+
+ CMake seems to be able to compare two hex values just fine.
+ Also make sure CURL_TARGET_WINDOWS_VERSION is respected.
+
+ Assisted-by: Marcel Raad
+ Reviewed-by: Viktor Szakats
+ Reported-by: Keitagit-kun on github
+
+ Follow up to #9312
+ Fixes #9406
+ Closes #9411
+
+Daniel Stenberg (5 Sep 2022)
+- curl_easy_pause.3: unpausing is as fast as possible
+
+ Reported-by: ssdbest on github
+ Fixes #9410
+ Closes #9430
+
+- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
+
+ Except file.
+
+ Reported-by: ProceduralMan on github
+ Fixes #9427
+ Closes #9428
+
+- NPN: remove support for and use of
+
+ Next Protocol Negotiation is a TLS extension that was created and used
+ for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
+ HTTPS. In the early days of HTTP/2, before the spec was finalized and
+ shipped, the protocol could be enabled using this extension with some
+ servers.
+
+ curl supports the NPN extension with some TLS backends since then, with
+ a command line option `--npn` and in libcurl with
+ `CURLOPT_SSL_ENABLE_NPN`.
+
+ HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
+ Negotiation) extension and the NPN extension has no purposes
+ anymore. The HTTP/2 spec was published in May 2015.
+
+ Today, use of NPN in the wild should be extremely rare and most likely
+ totally extinct. Chrome removed NPN support in Chrome 51, shipped in
+ June 2016. Removed in Firefox 53, April 2017.
+
+ Closes #9307
+
+- RELEASE-NOTES: synced
+
+ and bump the tentative next release version to 7.85.1
+
+- [Samuel Henrique brought this change]
+
+ configure: fail if '--without-ssl' + explicit parameter for an ssl lib
+
+ A side effect of a previous change to configure (576e507c78bdd2ec88)
+ exposed a non-critical issue that can happen if configure is called with
+ both '--without-ssl' and some parameter setting the use of a ssl library
+ (e.g. --with-gnutls). The configure script would end up assuming this is
+ a MultiSSL build, due to the way the case statement is written.
+
+ I have changed the order of the variables in the string concatenation
+ for the case statement and also tweaked the options so that
+ --without-ssl never turns the build into a MultiSSL one and also clearly
+ stating that there are conflicting parameters if the user sets it like
+ described above.
+
+ Closes #9414
+
+- tests/certs/scripts: insert standard curl source headers
+
+ ... including the SPDX-License-Identifier.
+
+ These omissions were not detected by the RUEUSE CI job nor the copyright.pl
+ scanners because we have a general wildcard in .reuse/dep5 for
+ "tests/certs/*".
+
+ Reported-by: Samuel Henrique
+ Fixes #9417
+ Closes #9420
+
+- [Samuel Henrique brought this change]
+
+ docs: remove mentions of deprecated '--without-openssl' config parameter
+
+ Closes #9415
+
+- [Samuel Henrique brought this change]
+
+ manpages: Fix spelling of "allows to" -> "allows one to"
+
+ References:
+ https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag
+ https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285
+
+ Closes #9419
+
+- [Samuel Henrique brought this change]
+
+ CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
+
+ Lintian (on Debian) has been complaining about this for a while but
+ I didn't bother initially as the groff parser that we use is not
+ affected by this.
+
+ But I have now noticed that the online manpage is affected by it:
+ https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html
+
+ (I'm using double quotes for quoting-only down below)
+
+ The section that should be parsed as "'\'" ends up being parsed as
+ "'´".
+
+ This is due to roffit not parsing "'\\'" correctly, which is fine
+ as the "correct" way of writing "'\'" is "'\e'" instead.
+
+ Note that this fix is not enough to fix the online manpage at
+ curl's website, as roffit seems to parse it wrongly either way.
+
+ My intent is to at least fix the manpage so that roffit can
+ be changed to parse "'\e'" correctly (although I suggest making
+ roffit parse both ways correctly, since that's what groff does).
+
+ More details at:
+ https://bugs.debian.org/966803
+ https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag
+
+ Closes #9418
+
+- tool_operate: reduce errorbuffer allocs
+
+ - parallel transfers: only alloc and keep errorbuffers in memory for
+ actual "live" transfers and not for the ones in the pending queue
+
+ - serial transfers: reuse the same fixed buffer for all transfers, not
+ allocated at all.
+
+ Closes #9394
+
+Viktor Szakats (31 Aug 2022)
+- misc: spelling fixes
+
+ Found using codespell 2.2.1.
+
+ Also delete the redundant protocol designator from an archive.org URL.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9403
+
+Daniel Stenberg (31 Aug 2022)
+- tool_progress: remove 'Qd' from the parallel progress bar
+
+ The "queued" value is no longer showing anything useful to the user. It
+ is an internal number of transfers waiting at that moment.
+
+ Closes #9389
+
+- tool_operate: prevent over-queuing in parallel mode
+
+ When doing a huge amount of parallel transfers, we must not add them to
+ the per_transfer list frivolously since they all use memory after all.
+ This was previous done without really considering millions or billions
+ of transfers. Massive parallelism would use a lot of memory for no good
+ purpose.
+
+ The queue is now limited to twice the paralleism number.
+
+ This makes the 'Qd' value in the parallel progress meter mostly useless
+ for users, but works for now for us as a debug display.
+
+ Reported-by: justchen1369 on github
+ Fixes #8933
+ Closes #9389
+
+Viktor Szakats (31 Aug 2022)
+- cmake: fix original MinGW builds
+
+ 1. Re-enable `HAVE_GETADDRINFO` detection on Windows
+
+ Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic
+ that automatically assumed `getaddrinfo()` to be present for builds
+ with IPv6 enabled. As it turns out, certain toolchains (e.g. original
+ MinGW) by default target older Windows versions, and thus do not
+ support `getaddrinfo()` out of the box. The issue was masked for
+ a while by CMake builds forcing a newer Windows version, but that
+ logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761.
+ Since then, some CI builds started failing due to IPv6 enabled,
+ `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing.
+
+ It also turns out that IPv6 works without `getaddrinfo()` since commit
+ 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). So,
+ to resolve all this, we can now revert the initial commit, thus
+ restoring `getaddrinfo()` detection and support IPv6 regardless of its
+ outcome.
+
+ Reported-by: Daniel Stenberg
+
+ 2. Omit `bcrypt` with original MinGW
+
+ Original (aka legacy/old) MinGW versions do not support `bcrypt`
+ (introduced with Vista). We already have logic to handle that in
+ `lib/rand.c` and autotools builds, where we do not call the
+ unsupported API and do not link `bcrypt`, respectively, when using
+ original MinGW.
+
+ This patch ports that logic to CMake, fixing the link error:
+ `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt`
+
+ Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508
+ Regression since 76172511e7adcf720f4c77bd91f49278300ec97e
+
+ Fixes #9214
+ Fixes #9393
+ Fixes #9395
+ Closes #9396
+
+Version 7.85.0 (31 Aug 2022)
+
+Daniel Stenberg (31 Aug 2022)
+- RELEASE-NOTES: synced
+
+ curl 7.85.0 release
+
+- THANKS: add contributors from the 7.85.0 release
+
+- getparam: correctly clean args
+
+ Follow-up to bf7e887b2442783ab52
+
+ The previous fix for #9128 was incomplete and caused #9397.
+
+ Fixes #9397
+ Closes #9399
+
+- zuul: remove the clang-tidy job
+
+ Turns out we don't see the warnings, but the warnings right now are
+ plain ridiculous and unhelpful so we can just as well just kill this
+ job.
+
+ Closes #9390
+
+- cmake: set feature PSL if present
+
+ ... make test 1014 pass when libpsl is used.
+
+ Closes #9391
+
+- lib530: simplify realloc failure exit path
+
+ To make code analyzers happier
+
+ Closes #9392
+
+- [Orgad Shaneh brought this change]
+
+ tests: add tests for netrc login/password combinations
+
+ Covers the following PRs:
+
+ - #9066
+ - #9247
+ - #9248
+
+ Closes #9256
+
+- [Orgad Shaneh brought this change]
+
+ url: really use the user provided in the url when netrc entry exists
+
+ If the user is specified as part of the URL, and the same user exists
+ in .netrc, Authorization header was not sent at all.
+
+ The user and password fields were assigned in conn->user and password
+ but the user was not assigned to data->state.aptr, which is the field
+ that is used in output_auth_headers and friends.
+
+ Fix by assigning the user also to aptr.
+
+ Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5.
+
+ Fixes #9243
+
+- [Orgad Shaneh brought this change]
+
+ netrc: Use the password from lines without login
+
+ If netrc entry has password with empty login, use it for any username.
+
+ Example:
+ .netrc:
+ machine example.com password 123456
+
+ curl -vn http://user@example.com/
+
+ Fix it by initializing state_our_login to TRUE, and reset it only when
+ finding an entry with the same host and different login.
+
+ Closes #9248
+
+- [Jay Satiro brought this change]
+
+ url: treat missing usernames in netrc as empty
+
+ - If, after parsing netrc, there is a password with no username then
+ set a blank username.
+
+ This used to be the case prior to 7d600ad (precedes 7.82). Note
+ parseurlandfillconn already does the same thing for URLs.
+
+ Reported-by: Raivis <standsed@users.noreply.github.com>
+ Testing-by: Domen Kožar
+
+ Fixes https://github.com/curl/curl/issues/8653
+ Closes #9334
+ Closes #9066
+
+- test8: verify that "ctrl-byte cookies" are ignored
+
+- cookie: reject cookies with "control bytes"
+
+ Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
+
+ Reported-by: Axel Chong
+
+ Bug: https://curl.se/docs/CVE-2022-35252.html
+
+ CVE-2022-35252
+
+ Closes #9381
+
+- libssh: ignore deprecation warnings
+
+ libssh 0.10.0 marks all SCP functions as "deprecated" which causes
+ compiler warnings and errors in our CI jobs and elsewhere. Ignore
+ deprecation warnings if 0.10.0 or later is found in the build.
+
+ If they actually remove the functions at a later point, then someone can
+ deal with that pain and functionality break then.
+
+ Fixes #9382
+ Closes #9383
+
+- Revert "schannel: when importing PFX, disable key persistence"
+
+ This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692.
+
+ Due to further reports in #9300 that indicate this commit might
+ introduce problems.
+
+- multi: use larger dns hash table for multi interface
+
+ Have curl_multi_init() use a much larger DNS hash table than used for
+ the easy interface to scale and perform better when used with _many_
+ host names.
+
+ curl_share_init() sets an in-between size.
+
+ Inspired-by: Ivan Tsybulin
+ See #9340
+ Closes #9376
+
+Marc Hoersken (28 Aug 2022)
+- CI/runtests.pl: add param for dedicated curl to talk to APIs
+
+ This should make it possible to also report test failures
+ if our freshly build curl binary is not fully functional.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9360
+
+Daniel Stenberg (27 Aug 2022)
+- [Jacob Tolar brought this change]
+
+ openssl: add cert path in error message
+
+ Closes #9349
+
+- [Jacob Tolar brought this change]
+
+ cert.d: clarify that escape character works for file paths
+
+ Closes #9349
+
+- gha: move over ngtcp2-gnutls CI job from zuul
+
+ Closes #9331
+
+Marc Hoersken (26 Aug 2022)
+- cmake: add detection of threadsafe feature
+
+ Avoids failing test 1014 by replicating configure checks
+ for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests.
+
+ Reviewed-by: Marcel Raad
+
+ Follow up to #8680
+ Closes #9312
+
+Daniel Stenberg (26 Aug 2022)
+- RELEASE-NOTES: synced
+
+Marc Hoersken (26 Aug 2022)
+- CI/azure: align torture shallowness with GHA
+
+ There 25 is used with FTP tests skipped, and 20 for FTP tests.
+ This should make torture tests stay within the 60min timeout.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9371
+
+- multi_wait: fix and improve Curl_poll error handling on Windows
+
+ First check for errors and return CURLM_UNRECOVERABLE_POLL
+ before moving forward and waiting on socket readiness events.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+ Reported-by: Daniel Stenberg
+ Ref: #9361
+
+ Follow up to #8961
+ Closes #9372
+
+- multi_wait: fix skipping to populate revents for extra_fds
+
+ On Windows revents was not populated for extra_fds if
+ multi_wait had to wait due to the Curl_poll pre-check
+ not signalling any readiness. This commit fixes that.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Jay Satiro
+
+ Closes #9361
+
+- CI/appveyor: disable TLS in msys2-native autotools builds
+
+ Schannel cannot be used from msys2-native Linux-emulated builds.
+
+ Reviewed-by: Marcel Raad
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to #9367
+ Closes #9370
+
+Jay Satiro (25 Aug 2022)
+- tests: fix http2 tests to use CRLF headers
+
+ Prior to this change some tests that rely on nghttpx proxy did not use
+ CRLF headers everywhere. A recent change in nghttp2, which updated its
+ version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to
+ use CRLF headers.
+
+ Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8
+
+ Fixes https://github.com/curl/curl/issues/9364
+ Closes https://github.com/curl/curl/pull/9365
+
+Daniel Stenberg (25 Aug 2022)
+- [rcombs brought this change]
+
+ multi: use a pipe instead of a socketpair on apple platforms
+
+ Sockets may be shut down by the kernel when the app is moved to the
+ background, but pipes are not.
+
+ Removed from KNOWN_BUGS
+
+ Fixes #6132
+ Closes #9368
+
+- [Somnath Kundu brought this change]
+
+ libssh2: provide symlink name in SFTP dir listing
+
+ When reading the symbolic link name for a file, we need to add the file
+ name to base path name.
+
+ Closes #9369
+
+- configure: if asked to use TLS, fail if no TLS lib was detected
+
+ Previously the configure script would just warn about this fact and
+ continue with TLS disabled build which is not always helpful. TLS should
+ be explicitly disabled if that is what the user wants.
+
+ Closes #9367
+
+- [Dustin Howett brought this change]
+
+ schannel: when importing PFX, disable key persistence
+
+ By default, the PFXImportCertStore API persists the key in the user's
+ key store (as though the certificate was being imported for permanent,
+ ongoing use.)
+
+ The documentation specifies that keys that are not to be persisted
+ should be imported with the flag `PKCS12_NO_PERSIST_KEY`.
+ NOTE: this flag is only supported on versions of Windows newer than XP
+ and Server 2003.
+
+ Fixes #9300
+ Closes #9363
+
+- unit1303: four tests should have TRUE for 'connecting'
+
+ To match the comments.
+
+ Reported-by: Wu Zheng
+
+ See #9355
+ Closes #9356
+
+- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also
+
+ Closes #9354
+
+- [Fabian Fischer brought this change]
+
+ HTTP3.md: add missing autoreconf command for building with wolfssl
+
+ Closes #9353
+
+- RELEASE-NOTES: synced
+
+- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer
+
+ Ẃhen it has been used in the multi interface, it is otherwise left in
+ the connection cache, can't be reused and nothing will close them since
+ the easy handle loses the association with the multi handle and thus the
+ connection cache - until the multi handle is closed or it gets pruned
+ because the cache is full.
+
+ Reported-by: Dominik Thalhammer
+ Fixes #9335
+ Closes #9342
+
+- docs/cmdline-opts: remove \& escapes from all .d files
+
+ gen.pl escapes them itself now
+
+- docs/cmdline-opts/gen.pl: encode leading single and double quotes
+
+ As "(aq" and "(dq" to prevent them from implying a meaning in the nroff
+ output. This removes the need for using \& escapes in the .d files'
+ description parts.
+
+ Closes #9352
+
+Marc Hoersken (23 Aug 2022)
+- tests/server/sockfilt.c: avoid race condition without a mutex
+
+ Avoid loosing any triggered handles by first aborting and joining
+ the waiting threads before evaluating the individual signal state.
+
+ This removes the race condition and therefore need for a mutex.
+
+ Closes #9023
+
+Daniel Stenberg (22 Aug 2022)
+- [Emil Engler brought this change]
+
+ url: output the maximum when rejecting a url
+
+ This commit changes the failf message to output the maximum length, when
+ curl refuses to process a URL because it is too long.
+
+ See: #9317
+ Closes: #9327
+
+- [Chris Paulson-Ellis brought this change]
+
+ configure: fix broken m4 syntax in TLS options
+
+ Commit b589696f added lines to some shell within AC_ARG_WITH macros, but
+ inadvertently failed to move the final closing ).
+
+ Quote the script section using braces.
+
+ So, if these problems have been around for a while, how did I find them?
+ Only because I did a configure including these options:
+
+ $ ./configure --with-openssl --without-rustls
+ SSL: enabled (OpenSSL)
+
+ Closes #9344
+
+- tests/data/CMakeLists: remove making the 'show' makefile target
+
+ It is not used by runtests since 3c0f462
+
+ Closes #9333
+
+- tests/data/Makefile: remove 'filecheck' target
+
+ No practical use anymore since 3c0f4622cdfd6
+
+ Closes #9332
+
+- libssh2: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- libssh: make atime/mtime date overflow return error
+
+ Closes #9328
+
+- examples/curlx.c: remove
+
+ This example is a bit convoluted to use as an example, combined with the
+ special license for it makes it unsuitable.
+
+ Closes #9330
+
+- [Tobias Nygren brought this change]
+
+ curl.h: include <sys/select.h> on SunOS
+
+ It is needed for fd_set to be visible to downstream consumers that use
+ <curl/multi.h>. Header is known to exist at least as far back as Solaris
+ 2.6.
+
+ Closes #9329
+
+- DEPRECATE.md: push the NSS deprecation date forward one year to 2023
+
+ URL: https://curl.se/mail/lib-2022-08/0016.html
+
+- libssh2: setting atime or mtime >32bit on 4-bytes-long systems
+
+ Since the libssh2 API uses 'long' to store the timestamp, it cannot
+ transfer >32bit times on Windows and 32bit architecture builds.
+
+ Avoid nasty surprises by instead not setting such time.
+
+ Spotted by Coverity
+
+ Closes #9325
+
+- libssh: setting atime or mtime > 32bit is now just skipped
+
+ The libssh API used caps the time to an unsigned 32bit variable. Avoid
+ nasty surprises by instead not setting such time.
+
+ Spotted by Coverity.
+
+ Closes #9324
+
+Jay Satiro (16 Aug 2022)
+- KNOWN_BUGS: Windows Unicode builds use homedir in current locale
+
+ Bug: https://github.com/curl/curl/pull/7252
+ Reported-by: dEajL3kA@users.noreply.github.com
+
+ Ref: https://github.com/curl/curl/pull/7281
+
+ Closes https://github.com/curl/curl/pull/9305
+
+Daniel Stenberg (16 Aug 2022)
+- test399: switch it to use a config file instead
+
+ ... as using a 65535 bytes host name in a URL does not fit on the
+ command line on some systems - like Windows.
+
+ Reported-by: Marcel Raad
+ Fixes #9321
+ Closes #9322
+
+- RELEASE-NOTES: synced
+
+- asyn-ares: make a single alloc out of hostname + async data
+
+ This saves one alloc per name resolve and simplifies the exit path.
+
+ Closes #9310
+
+- Curl_close: call Curl_resolver_cancel to avoid memory-leak
+
+ There might be a pending (c-ares) resolve that isn't free'd up yet.
+
+ Closes #9310
+
+- asyn-thread: fix socket leak on OOM
+
+ Closes #9310
+
+- GHA: mv CI torture test from Zuul
+
+ Closes #9310
+
+- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL
+
+ Closes #9318
+
+- test399: verify check of too long host name
+
+- url: reject URLs with hostnames longer than 65535 bytes
+
+ It *probably* causes other problems too since DNS can't resolve such
+ long names, but the SNI field in TLS is limited to 16 bits length.
+
+ Closes #9317
+
+- curl_multi_perform.3: minor language fix
+
+ Closes #9316
+
+- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC
+
+ Follow-up to 8a13be227eede2
+
+ Closes #9315
+
+- ngtcp2: remove leftover variable
+
+ Mistake leftover from my edit before push.
+
+ Follow-up from 8a13be227eede2601c2b3b
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167
+
+Viktor Szakats (15 Aug 2022)
+- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip]
+
+ Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl`
+ was also enabled. `-ssl` meaning OpenSSL (and its forks). After
+ 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be
+ used together with wolfSSL. This patch adds the ability to enable
+ `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to
+ use it with wolfSSL or other, future TLS backends.
+
+ Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2`
+ unconditionally. After this patch, this is no longer the case, and now
+ it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only
+ together with a compatible TLS backend.
+
+ When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2
+ library must be configured manually, e.g.:
+ `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl`
+
+ (or via `NGTCP2_LIBS`)
+
+ Closes #9314
+
+Daniel Stenberg (15 Aug 2022)
+- [Stefan Eissing brought this change]
+
+ quic: add support via wolfSSL
+
+ - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505
+ - configure adapted to build against ngtcp2 wolfssl crypto lib
+ - quic code added for creation of WOLFSSL* instances
+
+ Closes #9290
+
+Marcel Raad (14 Aug 2022)
+- [David Carlier brought this change]
+
+ memdebug: add annotation attributes
+
+ memory debug tracking annotates whether the returned pointer does not
+ `alias`, hints where the size required is, for Windows to be better
+ debugged via Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/9306
+
+Daniel Stenberg (14 Aug 2022)
+- GHA: move libressl CI from zuul to GitHub
+
+ Closes #9309
+
+- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel
+
+ Closes #9161
+
+- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel
+
+ Closes #8741
+
+- KNOWN_BUGS: libssh blocking and infinite loop problem
+
+ Closes #8632
+
+- RELEASE-NOTES: synced
+
+- msh3: fix the QUIC disconnect function
+
+ And free request related memory better in 'done'. Fixes a memory-leak.
+
+ Reported-by: Gisle Vanem
+ Fixes #8915
+ Closes #9304
+
+- connect: close the happy eyeballs loser connection when using QUIC
+
+ Reviewed-by: Nick Banks
+
+ Closes #9303
+
+- [Emil Engler brought this change]
+
+ refactor: split resolve_server() into functions
+
+ This commit splits the branch-heavy resolve_server() function into
+ various sub-functions, in order to reduce the amount of nested
+ if/else-statements.
+
+ Beside this, it also removes many else-sequences, by returning in the
+ previous if-statement.
+
+ Closes #9283
+
+- schannel: re-indent to use curl style better
+
+ Only white space changes
+
+ Closes #9301
+
+- [Emanuele Torre brought this change]
+
+ docs/cmdline-opts: fix example and categories for --form-escape
+
+ The example was missing a "--form" argument
+ I also replaced "--form" with "-F" to shorten the line a bit since it
+ was already very long.
+
+ And I also moved --form-escape from the "post" category to the "upload"
+ category (this is what I originally wanted to fix, before also noticing
+ the mistake in the example).
+
+ Closes #9298
+
+- [Nick Banks brought this change]
+
+ HTTP3.md: update to msh3 v0.4.0
+
+ Closes #9297
+
+- hostip: resolve *.localhost to 127.0.0.1/::1
+
+ Following the footsteps of other clients like Firefox/Chrome. RFC 6761
+ says clients SHOULD do this.
+
+ Add test 389 to verify.
+
+ Reported-by: TheKnarf on github
+ Fixes #9192
+ Closes #9296
+
+Jay Satiro (11 Aug 2022)
+- KNOWN_BUGS: long paths are not fully supported on Windows
+
+ Bug: https://github.com/curl/curl/issues/8361
+ Reported-by: Gisle Vanem
+
+ Closes https://github.com/curl/curl/pull/9288
+
+Daniel Stenberg (11 Aug 2022)
+- config: remove the check for and use of SIZEOF_SHORT
+
+ shorts are 2 bytes on all platforms curl runs and have ever run on.
+
+ Closes #9291
+
+- configure: introduce CURL_SIZEOF
+
+ This is a rewrite of the previously used GPLv3+exception licensed
+ file. With this change, there is no more reference to GPL so we can
+ remove that from LICENSES/.
+
+ Ref: #9220
+ Closes #9291
+
+- [Sean McArthur brought this change]
+
+ hyper: customize test1274 to how hyper unfolds headers
+
+ Closes #9217
+
+- [Orgad Shaneh brought this change]
+
+ curl-config: quote directories with potential space
+
+ On Windows (at least with CMake), the default prefix is
+ C:/Program Files (x86)/CURL.
+
+ Closes #9253
+
+- [Oliver Roberts brought this change]
+
+ amigaos: fix threaded resolver on AmigaOS 4.x
+
+ Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime
+ feature detection and extra code to make it thread safe.
+
+ Closes #9265
+
+- [Emil Engler brought this change]
+
+ imap: use ISALNUM() for alphanumeric checks
+
+ This commit replaces a self-made character check for alphanumeric
+ characters within imap_is_bchar() with the ISALNUM() macro, as it is
+ reduces the size of the code and makes the performance better, due to
+ ASCII arithmetic.
+
+ Closes #9289
+
+- RELEASE-NOTES: synced
+
+- [Cering on github brought this change]
+
+ connect: add quic connection information
+
+ Fixes #9286
+ Closes #9287
+
+- [Philip Heiduck brought this change]
+
+ cirrus/freebsd-ci: bootstrap the pip installer
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+
+ Closes #9213
+
+- urldata: move smaller fields down in connectdata struct
+
+ By (almost) sorting the struct fields in connectdata in a decending size
+ order, having the single char ones last, we reduce the number of holes
+ in the struct and thus the amount of storage needed.
+
+ Closes #9280
+
+- ldap: adapt to conn->port now being an 'int'
+
+ Remove typecasts. Fix printf() formats.
+
+ Follow-up from 764c6bd3bf.
+ Pointed out by Coverity CID 1507858.
+
+ Closes #9281
+
+- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS
+
+ Closes #8264
+
+- [Oliver Roberts brought this change]
+
+ file: add handling of native AmigaOS paths
+
+ On AmigaOS 4.x, handle native absolute paths, whilst blocking relative
+ paths. Also allow unix style paths if feature enabled at link time.
+
+ Inspiration-from: Michael Trebilcock
+
+ Closes #9259
+
+- KNOWN_BUGS: cmake build is not thread-safe
+
+ The cmake build does not check for and verify presence of a working
+ Atomic type, which then makes curl_global_init() to not build
+ thread-safe on non-Windows platforms.
+
+ Closes https://github.com/curl/curl/issues/8973
+ Closes https://github.com/curl/curl/pull/8982
+
+- [Oliver Roberts brought this change]
+
+ configure: fixup bsdsocket detection code for AmigaOS 4.x
+
+ The code that detects bsdsocket.library for AmigaOS did not work
+ for AmigaOS 4.x. This has been fixed and also cleaned up a little
+ to reduce duplication. Wasn't technically necessary before, but is
+ required when building with AmiSSL instead of OpenSSL.
+
+ Closes #9268
+
+- [Oliver Roberts brought this change]
+
+ tool: reintroduce set file comment code for AmigaOS
+
+ Amiga specific code which put the URL in the file comment was perhaps
+ accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having
+ originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314.
+ Reworked to fit the code changes and added it back in.
+
+ Reported-by: Michael Trebilcock
+ Originally-added-by: Chris Young
+
+ Closes #9258
+
+- urldata: make 'negnpn' use less storage
+
+ The connectdata struct field 'negnpn' never holds a value larger than
+ 30, so an unsigned char saves 3 bytes struct space.
+
+ Closes #9279
+
+- urldata: make three *_proto struct fields smaller
+
+ Use 'unsigned char' for storage instead of the enum, for three GSSAPI
+ related fields in the connectdata struct.
+
+ Closes #9278
+
+- connect: set socktype/protocol correctly
+
+ So that an address used from the DNS cache that was previously used for
+ QUIC can be reused for TCP and vice versa.
+
+ To make this possible, set conn->transport to "unix" for unix domain
+ connections ... and store the transport struct field in an unsigned char
+ to use less space.
+
+ Reported-by: ウさん
+ Fixes #9274
+ Closes #9276
+
+- [Oliver Roberts brought this change]
+
+ amissl: allow AmiSSL to be used with AmigaOS 4.x builds
+
+ Enable AmiSSL to be used instead of static OpenSSL link libraries.
+ for AmigaOS 4.x, as it already is in the AmigaOS 3.x build.
+
+ Closes #9269
+
+- [opensignature on github brought this change]
+
+ openssl: add details to "unable to set client certificate" error
+
+ from: "curl: (58) unable to set client certificate"
+
+ to: curl: (58) unable to set client certificate [error:0A00018F:SSL
+ routines::ee key too small]
+
+ Closes #9228
+
+- [Oliver Roberts brought this change]
+
+ amissl: make AmiSSL v5 a minimum requirement
+
+ AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
+ Support for previous OpenSSL 1.1.x versions has been dropped, so
+ makes sense to enforce v5 as the minimum requirement. This also
+ allows all the AmiSSL stub workarounds to be removed as they are
+ now provided in a link library in the AmiSSL SDK.
+
+ Closes #9267
+
+- [Oliver Roberts brought this change]
+
+ configure: -pthread not available on AmigaOS 4.x
+
+ The most recent GCC builds for AmigaOS 4.x do not allow -pthread and
+ exit with an error. Instead, need to explictly specify -lpthread.
+
+ Closes #9266
+
+- digest: pass over leading spaces in qop values
+
+ When parsing the "qop=" parameter of the digest authentication, and the
+ value is provided within quotes, the list of values can have leading
+ white space which the parser previously did not handle correctly.
+
+ Add test case 388 to verify.
+
+ Reported-by: vlubart on github
+ Fixes #9264
+ Closes #9270
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: reject broken header with session protocol but without qop
+
+ Closes #9077
+
+- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples
+
+ Reported-by: jvvprasad78 on github
+ Assisted-by: Jay Satiro
+ Fixes #9239
+ Closes #9241
+
+- [Fabian Keil brought this change]
+
+ test44[2-4]: add '--resolve' to the keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #9250
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_CONNECT_ONLY.3: clarify multi API use
+
+ Reported-by: Maxim Ivanov
+ Fixes #9244
+ Closes #9262
+
+- [Andrew Lambert brought this change]
+
+ curl_easy_header: Add CURLH_PSEUDO to sanity check
+
+ Fixes #9235
+ Closes #9236
+
+- [Emil Engler brought this change]
+
+ docs: add dns category to --resolve
+
+ This commit adds the dns category to the --resolve command line option,
+ because it can be interpreted as both: a low-level connection option and
+ an option related to the resolving of a hostname.
+
+ It is also not common for dns options to belong to the connection
+ category and vice versa. --ipv4 and --ipv6 are both good examples.
+
+ Closes #9229
+
+Jay Satiro (2 Aug 2022)
+- [Wyatt O'Day brought this change]
+
+ schannel: Add TLS 1.3 support
+
+ - Support TLS 1.3 as the default max TLS version for Windows Server 2022
+ and Windows 11.
+
+ - Support specifying TLS 1.3 ciphers via existing option
+ CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers).
+
+ Closes https://github.com/curl/curl/pull/8419
+
+Daniel Stenberg (2 Aug 2022)
+- [Emil Engler brought this change]
+
+ cmdline-opts/gen.pl: improve performance
+
+ On some systems, the gen.pl script takes nearly two minutes for the
+ generation of the main-page, which is a completely unacceptable time.
+
+ The slow performance has two causes:
+ 1. Use of a regex locale operator
+ 2. Useless invokations of loops
+
+ The commit addresses the first issue by replacing the "\W" wiht
+ [^a-zA-Z0-9_], which is, according to regex101.com, functionally
+ equivalent to the previous operation, except that it is obviously
+ limited to ASCII only, which is fine, as the curl project is
+ English-only anyway.
+
+ The second issue is being addressed by only running the loop if the line
+ contains a "--" in it. The loop may be completeley removed in the
+ future.
+
+ Co-authored-by: Emanuele Torre <torreemanuele6@gmail.com>
+
+ See #8299
+ Fixes #9230
+ Closes #9232
+
+- docs/cmdline: mark fail and fail-with-body as mutually exclusive
+
+ Reported-by: Andreas Sommer
+ Fixes #9221
+ Closes #9222
+
+- [Nao Yonashiro brought this change]
+
+ quiche: fix build failure
+
+ Reviewed-by: Alessandro Ghedini
+ Closes #9223
+
+Viktor Szakats (2 Aug 2022)
+- configure.ac: drop references to deleted functions
+
+ follow-up from 4d73854462f30948acab12984b611e9e33ee41e6
+
+ Reported-by: Oliver Roberts
+ Fixes #9238
+ Closes #9240
+
+Daniel Stenberg (28 Jul 2022)
+- [Sean McArthur brought this change]
+
+ hyper: enable obs-folded multiline headers
+
+ Closes #9216
+
+- connect: revert the use of IP*_RECVERR
+
+ The options were added in #6341 and d13179d, but cause problems: Lots of
+ POLLIN event occurs but recvfrom read nothing.
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9209
+ Closes #9215
+
+- [Marco Kamner brought this change]
+
+ docs: remove him/her/he/she from documentation
+
+ Closes #9208
+
+- RELEASE-NOTES: synced
+
+- tool_getparam: make --doh-url "" switch it off
+
+ A possible future addition could be to parse the URL first too to verify
+ that it is valid before trying to use it.
+
+ Assisted-by: Jay Satiro
+ Closes #9207
+
+- mailmap: add rzrymiak on github
+
+Jay Satiro (26 Jul 2022)
+- ngtcp2: Fix build error due to change in nghttp3 prototypes
+
+ ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and
+ nghttp3_conn_shutdown_stream_write return from int to void.
+
+ Reported-by: jurisuk@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/9204
+ Closes https://github.com/curl/curl/pull/9200
+
+Daniel Stenberg (26 Jul 2022)
+- [rzrymiak on github brought this change]
+
+ BUGS.md: improve language
+
+ Closes #9205
+
+- [Philip Heiduck brought this change]
+
+ cirrus.yml: replace py38-pip with py39-pip
+
+ Reported-by: Jay Satiro
+ Fixes #9201
+ Closes #9202
+
+- tool_getparam: fix cleanarg() for unicode builds
+
+ Use the correct type, and make cleanarg an empty macro if the cleaning
+ ability is absent.
+
+ Fixes #9195
+ Closes #9196
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+
+Marc Hoersken (25 Jul 2022)
+- test3026: add support for Windows using native Win32 threads
+
+ Reviewed-by: Viktor Szakats
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690
+ Closes #9012
+
+Jay Satiro (25 Jul 2022)
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: fix memory leak, fix not quoted 'opaque'
+
+ Fix leak regression introduced by 3a6fe0c.
+
+ Closes https://github.com/curl/curl/pull/9199
+
+Daniel Stenberg (23 Jul 2022)
+- tests: several enumerated type cleanups
+
+ To please icc
+
+ Closes #9179
+
+- tool_paramhlp: fix "enumerated type mixed with another type"
+
+ Warning by icc
+
+ Closes #9179
+
+- tool_writeout: fix enumerated type mixed with another type
+
+ Closes #9179
+
+- tool_cfgable: make 'synthetic_error' a plain bool
+
+ The specific reason was not used.
+
+ Closes #9179
+
+- tool_paramhlp: make check_protocol return ParameterError
+
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- tool_formparse: fix variable may be used before its value is set
+
+ Warning by icc
+
+ Closes #9179
+
+- sendf: skip storing HTTP headers if HTTP disabled
+
+ Closes #9179
+
+- url: enumerated type mixed with another type
+
+ Follow-up to 1c58e7ae99ce2030213f28b
+
+ Closes #9179
+
+- urldata: change second proxytype field to unsigned char to match
+
+ To avoid "enumerated type mixed with another type"
+
+ Closes #9179
+
+- http: typecast the httpreq assignment to avoid icc compiler warning
+
+ error #188: enumerated type mixed with another type
+
+ Closes #9179
+
+- urldata: make state.httpreq an unsigned char
+
+ To match set.method used for the same purpose.
+
+ Closes #9179
+
+- splay: avoid using -1 in unsigned variable
+
+ To fix icc compiler warning integer conversion resulted in a change of sign
+
+ Closes #9179
+
+- sendf: store the header type in an usigned char to avoid icc warnings
+
+ Closes #9179
+
+- multi: fix the return code from Curl_pgrsDone()
+
+ It does not return a CURLcode. Detected by the icc compiler warning
+ "enumerated type mixed with another type"
+
+ Closes #9179
+
+- sendf: make Curl_debug a void function
+
+ As virtually no called checked the return code, and those that did
+ wrongly treated it as a CURLcode. Detected by the icc compiler warning:
+ enumerated type mixed with another type
+
+ Closes #9179
+
+- http_chunks: remove an assign + typecast
+
+ As it caused icc to complain: "pointer cast involving 64-bit pointed-to
+ type"
+
+ Closes #9179
+
+- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend
+
+ To fix the icc warning enumerated type mixed with another type
+
+ Closes #9179
+
+- curl-compilers.m4: make icc use -diag* options and disable two warnings
+
+ -wd and -we are deprecated and are now -diag-disable and -diag-error
+
+ Disable warning 1024 and 2259
+
+ Closes #9179
+
+- [Matthew Thompson brought this change]
+
+ GHA: add two Intel compiler CI jobs
+
+ Closes #9179
+
+- [Daniel Katz brought this change]
+
+ curl-functions.m4: check whether atomics can link rather than just compile
+
+ Some build toolchains support C11 atomics (i.e., _Atomic types), but
+ will not link the associated atomics runtime unless a flag is passed. In
+ such an environment, linking an application with libcurl.a can fail due
+ to undefined symbols for atomic load/store functions.
+
+ I encountered this behavior when upgrading curl to 7.84.0 and attempting
+ to build with Solaris Studio 12.6. Solaris provides the flag
+ -xatomic=[gcc | studio], allowing users to link to one of two atomics
+ runtime implementations. However, if the user does not provide this
+ flag, then neither runtime is linked. This led to builds failing in CI.
+
+ Closes #9190
+
+- [Rosen Penev brought this change]
+
+ curl-wolfssl.m4: add options header when building test code
+
+ Needed for certain configurations of wolfSSL. Otherwise, missing header
+ error may occur.
+
+ Tested with OpenWrt.
+
+ Closes #9187
+
+- ftp: use a correct expire ID for timer expiry
+
+ This was an accurate error pointed out by the icc warning: enumerated
+ type mixed with another type
+
+ Ref: #9179
+ Closes #9184
+
+- sendf: fix paused header writes since after the header API
+
+ Regression since d1e4a67
+
+ Reported-by: Sergey Ogryzkov
+ Fixes #9180
+ Closes #9182
+
+- mprintf: fix *dyn_vprintf() when out-of-memory
+
+ Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory
+ leak otherwise.
+
+ Closes #9185
+
+- curl-confopts: remove leftover AC_REQUIREs
+
+ configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd
+ configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd
+
+ follow-up from 4d73854462f30
+
+ Closes #9183
+
+- file: fix icc enumerated type mixed with another type warning
+
+ Ref: #9179
+ Closes #9181
+
+Viktor Szakats (19 Jul 2022)
+- tidy-up: delete unused build configuration macros
+
+ Most of them feature guards:
+
+ - `CURL_INCLUDES_SYS_UIO` [1]
+ - `HAVE_ALLOCA_H` [2]
+ - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc)
+ - `HAVE_DLFCN_H`
+ - `HAVE_DLOPEN`
+ - `HAVE_DOPRNT`
+ - `HAVE_FCNTL`
+ - `HAVE_GETHOSTBYNAME` [3]
+ - `HAVE_GETOPT_H`
+ - `HAVE_GETPASS`
+ - `HAVE_GETPROTOBYNAME`
+ - `HAVE_GETSERVBYNAME`
+ - `HAVE_IDN_FREE*`
+ - `HAVE_INET_ADDR`
+ - `HAVE_IOCTL`
+ - `HAVE_KRB4`
+ - `HAVE_KRB_GET_OUR_IP_FOR_REALM`
+ - `HAVE_KRB_H`
+ - `HAVE_LDAPSSL_H`
+ - `HAVE_LDAP_INIT_FD`
+ - `HAVE_LIBDL`
+ - `HAVE_LIBNSL`
+ - `HAVE_LIBRESOLV*`
+ - `HAVE_LIBUCB`
+ - `HAVE_LL`
+ - `HAVE_LOCALTIME_R`
+ - `HAVE_MALLOC_H`
+ - `HAVE_MEMCPY`
+ - `HAVE_MEMORY_H`
+ - `HAVE_NETINET_IF_ETHER_H`
+ - `HAVE_NI_WITHSCOPEID`
+ - `HAVE_OPENSSL_CRYPTO_H`
+ - `HAVE_OPENSSL_ERR_H`
+ - `HAVE_OPENSSL_PEM_H`
+ - `HAVE_OPENSSL_PKCS12_H`
+ - `HAVE_OPENSSL_RAND_H`
+ - `HAVE_OPENSSL_RSA_H`
+ - `HAVE_OPENSSL_SSL_H`
+ - `HAVE_OPENSSL_X509_H`
+ - `HAVE_PEM_H`
+ - `HAVE_POLL`
+ - `HAVE_RAND_SCREEN`
+ - `HAVE_RAND_STATUS`
+ - `HAVE_RECVFROM`
+ - `HAVE_SETSOCKOPT`
+ - `HAVE_SETVBUF`
+ - `HAVE_SIZEOF_LONG_DOUBLE`
+ - `HAVE_SOCKIO_H`
+ - `HAVE_SOCK_OPTS`
+ - `HAVE_STDIO_H`
+ - `HAVE_STRCASESTR`
+ - `HAVE_STRFTIME`
+ - `HAVE_STRLCAT`
+ - `HAVE_STRNCMPI`
+ - `HAVE_STRNICMP`
+ - `HAVE_STRSTR`
+ - `HAVE_STRUCT_IN6_ADDR`
+ - `HAVE_TLD_H`
+ - `HAVE_TLD_STRERROR`
+ - `HAVE_UNAME`
+ - `HAVE_USLEEP`
+ - `HAVE_WINBER_H`
+ - `HAVE_WRITEV`
+ - `HAVE_X509_H`
+ - `LT_OBJDIR`
+ - `NEED_BASENAME_PROTO`
+ - `NOT_NEED_LIBNSL`
+ - `OPENSSL_NO_KRB5`
+ - `RECVFROM_TYPE*`
+ - `SIZEOF_LONG_DOUBLE`
+ - `STRERROR_R_TYPE_ARG3`
+ - `USE_YASSLEMUL`
+ - `_USRDLL` (from CMake) [4]
+
+ [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might
+ also be deleted.
+
+ [2] Related comment can possibly be deleted in
+ `packages/vms/generate_config_vms_h_curl.com`.
+
+ [3] There are more instances of this in autotools, but I did not dare to
+ touch those. Looked like it's used to detect socket support.
+
+ [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to
+ force linking MFC components statically to the DLL. `libcurl.dll`
+ does not use MFC, so we can delete this define.
+ Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc
+
+ Script that can help finding unused settings like above:
+ ```shell
+
+ autoheader configure.ac # generate lib/curl_config.h.in
+
+ {
+ grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g'
+ grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g'
+ grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g'
+ grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g'
+ } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do
+ c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')"
+ if [ "${c}" = '0' ]; then
+ echo "${def}"
+ fi
+ done
+ ```
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9044
+
+Daniel Stenberg (19 Jul 2022)
+- RELEASE-NOTES: synced
+
+- cookie: treat a blank domain in Set-Cookie: as non-existing
+
+ This matches what RFC 6265 section 5.2.3 says.
+
+ Extended test 31 to verify.
+
+ Fixes #9164
+ Reported-by: Gwen Shapira
+ Closes #9177
+
+- [Patrick Monnerat brought this change]
+
+ base64: base64url encoding has no padding
+
+ See RFC4648 section 5 and RFC7540 section 3.2.1.
+
+ Suppress generation of '=' padding of base64url encoding. This is
+ accomplished by considering the string beginning at offset 64 in the
+ character table as the padding: this is "=" for base64, "" for base64url.
+
+ Also use strchr() to replace character search loops where possible.
+
+ Suppress erroneous comments about empty encoding results.
+
+ Adjust unit test 1302 to unpadded base64url encoding and add tests for
+ empty results.
+
+ Closes #9139
+
+- easyoptions: fix icc warning
+
+ easyoptions.c(360): error #188: enumerated type mixed with another type
+
+ Ref: #9156
+ Reported-by: Matthew Thompson
+ Closes #9176
+
+- [lwthiker brought this change]
+
+ h2h3: fix overriding the 'TE: Trailers' header
+
+ A 'TE: Trailers' header is explicitly replaced by 'te: trailers'
+ (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or
+ HTTP/3 headers. However, this is then replaced again by the original
+ value due to a bug, resulting in the uppercased version being sent. Some
+ HTTP/2 servers reject the whole HTTP/2 stream when this is the case.
+
+ Closes #9170
+
+- lib3026: reduce the number of threads to 100
+
+ Down from 1000, to make it run and work in more systems.
+
+ Fixes #9172
+ Reported-by: Érico Nogueira Rolim
+ Closes #9173
+
+- doh: move doh related struct definitions to doh.h
+
+ and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning:
+
+ doh.c(924): error #188: enumerated type mixed with another type
+
+ Reported-by: Matthew Thompson
+ Ref #9156
+ Closes #9174
+
+Viktor Szakats (17 Jul 2022)
+- Makefile.m32: stop trying to build libcares.a [ci skip]
+
+ Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in
+ `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in
+ 2007 [1]. The commit message doesn't specifically address this particular
+ change. This logic comes from the times when c-ares was part of the curl
+ source tree, hence the special treatment.
+
+ This feature creates problems when building c-ares first, using CMake
+ and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32`
+ is missing in such case. A sub-build for c-ares is undesired also when
+ c-ares had already been build via its own `Makefile.m32`.
+
+ To avoid the sub-build, this patch deletes its Makefile rule. After this
+ patch `libcares.a` needs to be manually built before using it in
+ `Makefile.m32`. Aligning it with the rest of dependencies.
+
+ [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9169
+
+Daniel Stenberg (17 Jul 2022)
+- curl: writeout: fix repeated header outputs
+
+ The function stored a terminating zero into the buffer for convenience,
+ but when on repeated calls that would cause problems. Starting now, the
+ passed in buffer is not modified.
+
+ Reported-by: highmtworks on github
+ Fixes #9150
+ Closes #9152
+
+- curl_multi_timeout.3: clarify usage
+
+ Fixes #9155
+ Closes #9157
+ Reported-by: jvvprasad78 on github
+
+- mprintf: make dprintf_formatf never return negative
+
+ This function no longer returns a negative value if the formatting
+ string is bad since the return value would sometimes be propagated as a
+ return code from the mprintf* functions and they are documented to
+ return the length of the output. Which cannot be negative.
+
+ Fixes #9149
+ Closes #9151
+ Reported-by: yiyuaner on github
+
+Viktor Szakats (17 Jul 2022)
+- trace: 0x7F character is non-printable
+
+ `0x7F` is `DEL`, a non-printable symbol, so print it as
+ `UNPRINTABLE_CHAR`.
+
+ Reported-by: MasterInQuestion on github
+ Fixes #9162
+ Closes #9166
+
+- doh: use https protocol by default
+
+ The only allowed protocol is https, so it makes sense to use that
+ by default if not passed explicitly by the user.
+
+ Reported-by: MasterInQuestion on github
+ Reviewed-by: Jay Satiro
+ Fixes #9163
+ Closes #9165
+
+- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
+
+ Same issue as here [1], but this time when building curl with BoringSSL
+ for Windows with LDAP(S) or Schannel support enabled.
+
+ Apply the same fix [2] for these source files as well.
+
+ This can also be fixed by moving `#include "urldata.h"` _before_
+ including `winldap.h` and `schnlsp.h` respectively. This seems like
+ a cleaner fix, though I'm not sure why it works and if it has any
+ downside.
+
+ [1] https://github.com/curl/curl/issues/5669
+ [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9
+
+ Co-authored-by: Jay Satiro
+ Closes #9110
+
+Daniel Stenberg (13 Jul 2022)
+- asyn-thread: make getaddrinfo_complete return CURLcode
+
+ ... as the only caller that cares about what it returns assumes that
+ anyway. This caused icc to warn:
+
+ asyn-thread.c(505): error #188: enumerated type mixed with another type
+ result = getaddrinfo_complete(data);
+
+ Repoorted-by: Matthew Thompson
+ Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076
+ Closes #9146
+
+- easy_lock: fix build with icc
+
+ The Intel compiler tries to look like GCC *and* clang *and* it lies in
+ its __has_builtin() function (returns true when it should return false),
+ so override it.
+
+ Reported-by: Matthew Thompson
+ Fixes #9081
+ Closes #9144
+
+- configure: fix --disable-headers-api
+
+ Reported-by: Michał Antoniak
+ Fixes #9134
+ Closes #9143
+
+- test3026: require 'threadsafe'
+
+ Reported-by: Sukanya Hanumanthu
+ Fixes #9141
+ Closes #9142
+
+- [Even Rouault brought this change]
+
+ CMake: link curl to its dependencies with PRIVATE
+
+ The current PUBLIC visibility causes issues for downstream users.
+ Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9125
+
+- [Even Rouault brought this change]
+
+ CMake: remove APPEND in export(TARGETS)
+
+ When running cmake several times, new content was appended to already
+ existing generated files, which is not appropriate
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9124
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks
+
+ Closes #9135
+
+- RELEASE-NOTES: synced
+
+Viktor Szakats (11 Jul 2022)
+- build: improve OS string in CMake and `config-win32.h`
+
+ This patch makes CMake fill the "OS string" with the value of
+ `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet,
+ the same we can pass to `./configure` via `--host=`.
+
+ For non-CMake, non-autotools, Windows builds, this patch adds the ability
+ to override the default `OS` value in `lib/config-win32.h`.
+
+ With these its possible to get the same OS string across the three build
+ systems.
+
+ This patch supersedes the earlier, partial, CMake-only solution:
+ 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the
+ `CURL_OS_SUFFIX` CMake option.
+
+ Reviewed-by: Jay Satiro
+ Closes #9117
+
+- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
+
+ They allow to override the hardcoded values for the `windres` and `strip`
+ tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables.
+
+ `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and
+ `CURL_CC=clang` set on current latest debian:unstable or earlier, where
+ `llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it.
+ Hopefully this will be fixed in the llvm package. FWIW `llvm-windres`
+ does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9132
+
+Daniel Stenberg (10 Jul 2022)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: fix stall or busy loop on STOP_SENDING with upload data
+
+ Fixes #9122
+ Closes #9123
+
+- [Xiaoke Wang brought this change]
+
+ tool_operate: better cleanup of easy handle in exit path
+
+ Closes #9114
+
+- [Xiaoke Wang brought this change]
+
+ getinfo: return better error on NULL as first argument
+
+ Closes #9114
+
+- tool_getparam: repair cleanarg
+
+ Regression since 9e5669f.
+
+ Make sure the "cleaning" of command line arguments is done on the
+ original argv[] pointers. As a bonus, it also exits better on out of
+ memory error.
+
+ Reported-by: Litter White
+ Fixes #9128
+ Closes #9130
+
+Jay Satiro (10 Jul 2022)
+- docs: explain curl_easy_escape/unescape curl handle is ignored
+
+ 26101421 (precedes 7.82.0) removed character conversion support used by
+ very old legacy operating systems and since then the curl handle passed
+ to curl_easy_escape/unescape is always ignored.
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+ Closes https://github.com/curl/curl/pull/9121
+
+Viktor Szakats (8 Jul 2022)
+- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
+
+ BoringSSL doesn't keep a version number, and doesn't self-identify itself
+ via any other revision number via its own headers. We can identify
+ BoringSSL revisions by their commit hash. This hash is typically known by
+ the builder. This patch adds a way to pass this hash to libcurl, so that
+ it can display in the curl version string:
+
+ For example:
+
+ `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"`
+
+ ```
+ curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...]
+ Release-Date: 2022-06-27
+ Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...]
+ Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...]
+ ```
+
+ The setting is optional, and if not passed, BoringSSL will appear without
+ a version number, like before this patch.
+
+ Closes #9113
+
+Jay Satiro (8 Jul 2022)
+- escape: remove outdated comment
+
+ Bug: https://github.com/curl/curl/discussions/9115
+ Reported-by: Ted Lyngmo
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: Fix missing initialization of nghttp3_nv.flags
+
+ Closes https://github.com/curl/curl/pull/9118
+
+Daniel Stenberg (6 Jul 2022)
+- [Brad Forschinger brought this change]
+
+ netrc.d: remove spurious quote
+
+ Closes #9111
+
+Viktor Szakats (6 Jul 2022)
+- Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
+
+ Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
+ Add `NGTCP2_LIBS` envvar to override them with a custom list,
+ making it possible to use BoringSSL, or any other backend.
+
+ Closes #9109
+
+Jay Satiro (6 Jul 2022)
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: fix missing increment of 'nc' value for auth-int
+
+ - Increment nc regardless of qop type.
+
+ Prior to this change nc was only incremented for qop type auth even
+ though libcurl sends nc with any qop.
+
+ Closes https://github.com/curl/curl/pull/9090
+
+Daniel Stenberg (5 Jul 2022)
+- RELEASE-NOTES: synced
+
+ Bumped to 7.85.0
+
+- urldata: reduce size of four ftp related members
+
+ ftp_filemethod, ftpsslauth and ftp_ccc are now uchars
+
+ accepttimeout is now unsigned int - almost 50 days ought to be enough
+ for this value.
+
+ Closes #9106
+
+- urldata: reduce three type-members from int to uchar
+
+ - timecondition
+ - proxytype
+ - method
+
+ ... previously used their enum type in the struct, which made them
+ unnecesarily large.
+
+ Closes #9105
+
+- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
+
+ Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the
+ other way around.
+
+ Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias
+ but since the option is for more protocols than FTP the more "correct"
+ version of the option is the "server" one so now we switch.
+
+ Closes #9104
+
+- urldata: make 'ftp_create_missing_dirs' a uchar
+
+ It only ever holds the values 0-2.
+
+ Closes #9103
+
+- [Don J Olmstead brought this change]
+
+ cmake: support ngtcp2 boringssl backend
+
+ Update the ngtcp2 find module to detect the boringssl backend. Determine
+ if the underlying OpenSSL implementation is BoringSSL and if so use that
+ as the ngtcp2 backend.
+
+ Reviewed-by: Jakub Zakrzewski
+ Closes #9065
+
+- urldata: change 4 timeouts to unsigned int from long
+
+ They're not used for that long times anyway, 32 bit milliseconds is long
+ enough.
+
+ Closes #9101
+
+- urldata: make 'use_netrc' a uchar
+
+ Closes #9102
+
+- urldata: make 'buffer_size' an unsigned int
+
+ It is already capped at READBUFFER_MAX which fits easily in 32 bits.
+
+ Closes #9098
+
+- urldata: remove the unused 'rtspversion' struct member
+
+ Closes #9100
+
+- urldata: make 'use_port' an usigned short
+
+ ... instead of a long. It is already enforced to not attempt to set any
+ value outside of 16 bits unsigned.
+
+ Closes #9099
+
+- urldata: store dns cache timeout in an int
+
+ 68 years ought to be enough for most.
+
+ Closes #9097
+
+- curl: proto2num: make sure obuf is inited
+
+ Detected by Coverity. CID 1507052.
+
+ Closes #9096
+
+- cookie: use %zu to infof() for size_t values
+
+ Detected by Coverity. CID 1507051
+ Closes #9095
+
+Viktor Szakats (4 Jul 2022)
+- makefile.m32: add support for custom ARCH [ci skip]
+
+ When building curl for target platform other than x64 and x86, it is now
+ possible to pass `ARCH=custom`, that will omit all hardcoded logic for
+ setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
+ customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
+ added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.
+
+ This makes it possible to use `makefile.m32` to build for ARM64 for
+ example.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9092
+
+- cmake: do not force Windows target versions
+
+ The goal of this patch is to avoid CMake forcing specific Windows
+ versions and rely on toolchain defaults or manual selection instead.
+ This gives back control to the user. This also brings CMake closer to
+ how autotools and `Makefile.m32` behaves in this regard.
+
+ - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did
+ nothing else than fixing the Windows build target to Vista. This also
+ happened when the toolchain did not have Vista support (e.g. original
+ MinGW), breaking such builds.
+
+ In other environments it did not make a user-facing difference,
+ because libcurl has its own pton() implementation, so it works well
+ with or without Vista's inet_pton().
+
+ This patch drops this setting. inet_pton() is now used whenever
+ building for Vista or newer, either when requested manually or by
+ default with modern toolchains (e.g. mingw-w64). Older envs will fall
+ back to curl's pton().
+
+ Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604
+ Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155
+
+ - When the user did no select a Windows target version manually, stop
+ explicitly targeting Windows XP, and instead use the toolchain default.
+
+ This may pose an issue with old toolchains defaulting to pre-XP
+ targets. In such case you must manually target Windows XP via:
+ `-DCURL_TARGET_WINDOWS_VERSION=0x0501`
+ or
+ `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501`
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Marcel Raad
+ Closes #9046
+
+- windows: improve random source
+
+ - Use the Windows API to seed the fallback random generator.
+
+ This ensures to always have a random seed, even when libcurl is built
+ with a vtls backend lacking a random generator API, such as rustls
+ (experimental), GSKit and certain mbedTLS builds, or, when libcurl is
+ built without a TLS backend. We reuse the Windows-specific random
+ function from the Schannel backend.
+
+ - Implement support for `BCryptGenRandom()` [1] on Windows, as a
+ replacement for the deprecated `CryptGenRandom()` [2] function.
+
+ It is used as the secure random generator for Schannel, and also to
+ provide entropy for libcurl's fallback random generator. The new
+ function is supported on Vista and newer via its `bcrypt.dll`. It is
+ used automatically when building for supported versions. It also works
+ in UWP apps (the old function did not).
+
+ - Clear entropy buffer before calling the Windows random generator.
+
+ This avoids using arbitrary application memory as entropy (with
+ `CryptGenRandom()`) and makes sure to return in a predictable state
+ when an API call fails.
+
+ [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
+ [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom
+
+ Closes #9027
+
+Daniel Stenberg (4 Jul 2022)
+- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
+
+ ... as replacements for deprecated CURLOPT_PROTOCOLS and
+ CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
+ 32 bit limit the old ones are facing.
+
+ CURLINFO_PROTCOOL is now deprecated.
+
+ The curl tool is updated to use the new options.
+
+ Added test 1597 to verify the libcurl protocol parser.
+
+ Closes #8992
+
+- digest: simplify a switch() to a simple if
+
+- digest: provide a special bit for "sess" algos
+
+ Also shortened the names and moved them to the .c file since they are
+ private for this source file only. Also made them #defines instead of
+ enum.
+
+ Closes #9079
+
+Jay Satiro (4 Jul 2022)
+- [Thomas Weißschuh brought this change]
+
+ select: do not return fatal error on EINTR from poll()
+
+ The same was done for select() in 5912da25 but poll() was missed.
+
+ Bug: https://bugs.archlinux.org/task/75201
+ Reported-by: Alexandre Bury (gyscos at archlinux)
+
+ Ref: https://github.com/curl/curl/issues/8921
+ Ref: https://github.com/curl/curl/pull/8961
+ Ref: https://github.com/curl/curl/commit/5912da25#r77584294
+
+ Closes https://github.com/curl/curl/pull/9091
+
+- [Kai Pastor brought this change]
+
+ cmake: fix build for mingw cross compile
+
+ - Change normaliz lib name to all lowercase.
+
+ This is from a standing patch in vcpkg:
+ Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross
+ builds from Linux), the spelling must match exactly.
+
+ Closes https://github.com/curl/curl/pull/9084
+
+- easy_lock: fix build for mingw
+
+ - Define SRWLOCK symbols missing in some mingw environments.
+
+ Closes https://github.com/curl/curl/pull/8997
+
+Daniel Stenberg (2 Jul 2022)
+- tool_progress: avoid division by zero in parallel progress meter
+
+ Reported-by: Brian Carpenter
+ Fixes #9082
+ Closes #9083
+
+- http_aws_sigv4.c: remove two unusued includes
+
+ Closes #9080
+
+- .mailmap: additional edit
+
+ Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git
+ logs even when using old email.
+
+- RELEASE-NOTES: synced
+
+ bumped to 7.84.1
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ .mailmap: updated
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ THANKS: merged two entries for Evgeny Grin
+
+ Also updated THANKS-filter file
+
+ Closes #9076
+
+- [Jilayne Lovejoy brought this change]
+
+ lib/curl_path.c: add ISC to license expression
+
+ THe text of the ISC license is in this file, so the SPDX license
+ expression should be updated
+
+ Closes #9073
+
+- [Sean McArthur brought this change]
+
+ hyper: use wakers for curl pause/resume
+
+ Closes #9070
+
+Viktor Szakats (30 Jun 2022)
+- Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
+
+ Delete `-DDEBUGBUILD=0` windres option. This was likely meant to
+ disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled
+ it instead. Delete this unnecessary option and thus sync up with
+ how CMake compiles libcurl.rc by default.
+
+ Reviewed-by: Jay Satiro
+ Closes #9069
+
+Daniel Stenberg (29 Jun 2022)
+- curl.h: CURLE_CONV_FAILED is obsoleted
+
+ The last use was removed in 7.82.0. Updated some docs too to reflect the
+ current error code situation.
+
+ Closes #9067
+
+- curl: output warning when a cookie is dropped due to size
+
+ Dropped from the request, that is.
+
+ Closes #9064
+
+- curl_mime_data.3: polish the wording
+
+ Closes #9063
+
+- configure: check for the stdatomic.h header in configure
+
+ ... and only set HAVE_ATOMIC if that header exists since we use
+ typedefes set in it.
+
+ Reported-by: Ryan Schmidt
+ Fixes #9059
+ Closes #9060
+
+- easy_lock: fix the #ifdef conditional for ia32_pause
+
+ To work better with new and old clang compilers.
+
+ Reported-by: Ryan Schmidt
+ Assisted-by: Joshua Root
+
+ Fixes #9058
+ Closes #9062
+
+- easy_lock: switch to using atomic_int instead of bool
+
+ To work with more compilers without requiring separate libs to
+ link. Like with gcc-12 for RISC-V on Linux.
+
+ Reported-by: Adam Sampson
+ Fixes #9055
+ Closes #9061
+
+- [vvb2060 brought this change]
+
+ ngtcp2: fix incompatible function pointer types
+
+ Closes #9056
+
+- [vvb2060 brought this change]
+
+ easy_lock.h: use __asm__ instead of asm to fix build
+
+ Closes #9056
+
+- [Samuel Henrique brought this change]
+
+ libcurl-security.3: fix typo on macro "SH_"
+
+ During the packaging of the latest curl release for Debian, Lintian
+ warned me about a typo which causes the section name "Secrets in memory"
+ to not be rendered in the manpage due to "SH_" not being recognized as a
+ header.
+
+ Closes #9057
+
+- easy_lock.h: include sched.h if available to fix build
+
+ Patched-by: Harry Sintonen
+
+ Closes #9054
+
+Version 7.84.0 (27 Jun 2022)
+
+Daniel Stenberg (27 Jun 2022)
+- RELEASE-NOTES: synced
+
+ Version 7.84.0 release
+
+- THANKS: contributors from 7.84.0 release notes
+
+- hsts: use Curl_fopen()
+
+- altsvc: use Curl_fopen()
+
+- fopen: add Curl_fopen() for better overwriting of files
+
+ Bug: https://curl.se/docs/CVE-2022-32207.html
+ CVE-2022-32207
+ Reported-by: Harry Sintonen
+ Closes #9050
+
+- test444: test many received Set-Cookie:
+
+ The amount of sent cookies in the test is limited to 80 because hyper
+ has its own strict limits in how many headers it allows to be received
+ which triggers at some point beyond this number.
+
+- test442/443: test cookie caps
+
+ 442 - verify that only 150 cookies are sent
+ 443 - verify that the cookie: header remains less than 8K in size
+
+- cookie: apply limits
+
+ - Send no more than 150 cookies per request
+ - Cap the max length used for a cookie: header to 8K
+ - Cap the max number of received Set-Cookie: headers to 50
+
+ Bug: https://curl.se/docs/CVE-2022-32205.html
+ CVE-2022-32205
+ Reported-by: Harry Sintonen
+ Closes #9048
+
+- test387: verify rejection of compression chain attack
+
+- content_encoding: return error on too many compression steps
+
+ The max allowed steps is arbitrarily set to 5.
+
+ Bug: https://curl.se/docs/CVE-2022-32206.html
+ CVE-2022-32206
+ Reported-by: Harry Sintonen
+ Closes #9049
+
+- krb5: return error properly on decode errors
+
+ Bug: https://curl.se/docs/CVE-2022-32208.html
+ CVE-2022-32208
+ Reported-by: Harry Sintonen
+ Closes #9051
+
+- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
+
+ clang 14 warns about its use. It is being deprecated by the working
+ group for the programming language C: "The macro ATOMIC_VAR_INIT is
+ basically useless for the purpose for which it was designed"
+
+ Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm
+
+ Reported-by: Tatsuhiro Tsujikawa
+ Fixes #9041
+ Closes #9042
+
+- [Stefan Eissing brought this change]
+
+ ngtcp2: avoid supplying 0 length `msg_control` to sendmsg()
+
+ Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control
+ buffer is provided in sengmsg(), even though msg_controllen was set to
+ 0.
+
+ Initialize msg.msg_controllen just as needed and also perform the size
+ assertion only when needed.
+
+ Closes #9039
+
+- [Tom Eccles brought this change]
+
+ ftp: restore protocol state after http proxy CONNECT
+
+ connect_init() (lib/http_proxy.c) swaps out the protocol state while
+ working on the proxy connection, this is then restored by
+ Curl_connect_done() after the connection completes.
+
+ ftp_do_more() extracted the protocol state pointer to a local variable
+ at the start of the function then calls Curl_proxy_connect(). If the proxy
+ connection completes, Curl_proxy_connect() will call Curl_connect_done()
+ (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
+ protocol state instead of the http proxy protocol state, but the local
+ variable in ftp_do_more still pointed to the old value.
+
+ Ultimately this meant that the state worked on by ftp_do_more() was the
+ http proxy state not the ftp state initialised by ftp_connect(), but
+ subsequent calls to any ftp_ function would use the original state.
+
+ For my use-case, the visible consequence was that ftp->downloadsize was
+ never set and so downloaded data was never returned to the application.
+
+ This commit updates the ftp protocol state pointer in ftp_do_more() after
+ Curl_proxy_connect() returns, ensuring that the correct state pointer is
+ used.
+
+ Fixes #8737
+ Closes #9043
+
+Jay Satiro (23 Jun 2022)
+- THANKS: add contributor missing from aea8ac1
+
+ aea8ac1 fixed #8980 which was reported by Sgharat on github, but that
+ info was not included in the commit message.
+
+- curl_setup: include _mingw.h
+
+ Prior to this change _mingw.h needed to be included in each unit before
+ evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
+ is included only in some mingw headers (eg stdio.h) and not others
+ (eg windows.h) so it's better to explicitly include it once.
+
+ Closes https://github.com/curl/curl/pull/9036
+
+Viktor Szakats (22 Jun 2022)
+- rand: stop detecting /dev/urandom in cross-builds
+
+ - Prevent CMake to auto-detect /dev/urandom when cross-building.
+ Before this patch, it would detect it in a cross-build scenario on *nix
+ hosts with this device present. This was a problem for example with
+ Windows builds, but it could affect any target system with this device
+ missing. This also syncs detection behaviour with autotools, which also
+ skips it for cross-builds.
+ - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
+ fallback random number generator on Windows. Windows does not have the
+ concept of reading a random stream from a filename, nor any guaranteed
+ non-world-writable path on disk. With this, a manual misconfiguration or
+ an overeager auto-detection can no longer result in a user-controllable
+ seed source.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #9038
+
+Daniel Stenberg (22 Jun 2022)
+- [Emanuele Torre brought this change]
+
+ ci: avoid `cmake -Hpath`
+
+ This is an undocumented option similar to the `-Spath' option introduced
+ in cmake 3.13.
+ Replace all instances of `-Hpath' with `-Spath' in macos workflow.
+ Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
+ scripts since it runs an older version of cmake.
+
+ Fixes #9008
+ Closes #9014
+
+- INTERNALS: bring back the "Library symbols" section
+
+ Most contents was moved, but this text should remain here.
+
+ Follow-up to: d324ac8
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326
+ Closes #9037
+
+Viktor Szakats (22 Jun 2022)
+- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
+
+ Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
+ XP when the `-ipv6` option is selected. Maybe this was added to support
+ pre-XP Windows versions (?). These days libcurl builds fine for both XP
+ and post-XP versions with IPv6 support enabled. The relevance of pre-XP
+ version is also low by now. Other build methods also do not impose such
+ limitation for a similar configuration. So, drop this hard-wired
+ `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
+ Windows version set by the compiler. This is Vista for recent MinGW
+ versions.
+
+ Old behaviour can be restored by setting this envvar:
+ export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
+
+ [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7
+
+ Closes #9035
+
+Daniel Stenberg (21 Jun 2022)
+- CONTRIBUTE: mention how we maintain REUSE compliance
+
+ for copyright and license information of all files stored in git
+
+ Closes #9032
+
+- CURLOPT_ALTSVC.3: document the file format
+
+ Closes #9033
+
+Jay Satiro (21 Jun 2022)
+- runtests: add "threadsafe" to detected features
+
+ Follow-up to recent commits which added thread-safety support.
+
+ Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782
+ Reported-by: Marc Hörsken
+
+ Closes https://github.com/curl/curl/pull/9030
+
+Daniel Stenberg (20 Jun 2022)
+- easy: remove dead code
+
+ Follow-up from 5912da253b64d
+
+ Detected by Coverity (CID 1506519)
+
+ Closes #9029
+
+- [Glenn Strauss brought this change]
+
+ transfer: upload performance; avoid tiny send
+
+ Append to the upload buffer when only small amount remains in buffer
+ rather than performing a separate tiny send to empty buffer.
+
+ Avoid degenerative upload behavior which might cause curl to send mostly
+ 1-byte DATA frames after exhausing the h2 send window size
+
+ Related discussion: https://github.com/nghttp2/nghttp2/issues/1722
+
+ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+ Closes #8965
+
+- [Steve Holme brought this change]
+
+ projects: fix third-party SSL library build paths for Visual Studio
+
+ The paths used by the build batch files were inconsistent with those in
+ the Visual Studio project files.
+
+ Closes #8991
+
+- [Pierrick Charron brought this change]
+
+ urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
+
+ As per the documentation :
+
+ > Setting a part to a NULL pointer will effectively remove that
+ > part's contents from the CURLU handle.
+
+ But currently clearing CURLUPART_URL does nothing and returns
+ CURLUE_OK. This change will clear all parts of the URL at once.
+
+ Closes #9028
+
+- [Philip Heiduck brought this change]
+
+ CI: bump FreeBSD 13.0 to 13.1
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+ Closes #8815
+
+- RELEASE-NOTES: synced
+
+ and updated release date in RELEASE-PROCEDURE.md
+
+- [divinity76 brought this change]
+
+ CURLOPT_HTTPHEADER.3: improve comment in example
+
+ Closes #9025
+
+Marc Hoersken (16 Jun 2022)
+- CI/azure: reduce flakiness by retrying install/prepare steps
+
+ Closes #9010
+
+- CI/cirrus: align Windows timeout with Azure CI at 120 minutes
+
+ Closes #9009
+
+Jay Satiro (16 Jun 2022)
+- vtls: make curl_global_sslset thread-safe
+
+ .. and update some docs to explain curl_global_* is now thread-safe.
+
+ Follow-up to 23af112 which made curl_global_init/cleanup thread-safe.
+
+ Closes https://github.com/curl/curl/pull/9016
+
+- curl_easy_pause.3: remove explanation of progress function
+
+ - Remove misleading text that says progress function "gets called at
+ least once per second, even if the connection is paused."
+
+ The progress function behavior is more nuanced and the user is better
+ served reading the progress function doc rather than attempt to explain
+ it in the curl_easy_pause doc.
+
+ The progress function can only be called at least once per second if an
+ appropriate multi transfer function is called (eg curl_multi_perform) in
+ that time. For a paused transfer there may not be such a call. Rather
+ than explain this in detail in the curl_easy_pause doc, rely on the user
+ reading the CURLOPT_PROGRESSFUNCTION doc.
+
+ Ref: https://github.com/curl/curl/issues/8983
+
+ Closes https://github.com/curl/curl/pull/9015
+
+Daniel Stenberg (15 Jun 2022)
+- libssh: skip the fake-close when libssh does the right thing
+
+ Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
+ socket. Instead it will be kept alive as we want it, and it is our
+ responsibility to close it later.
+
+ Ref: #8718
+ Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240
+ Closes #9021
+
+- configure: warn about rustls being experimental
+
+ Right now a dozen test cases are disabled because they don't work with
+ rustls.
+
+ Closes #9019
+
+- runtests: skip starting the ssh server if user name is lacking
+
+ Because the ssh server startup script *requires* a user name there's no
+ point in invoking it if no name was found.
+
+ Reported-by: Ricardo M. Correia
+ Ref: #9007
+ Closes #9013
+
+- copyright.pl: parse and use .reuse/dep5 for skips
+
+ Also scan skipped files to be able to find superfluous ignores, shown with -v.
+
+ Closes #9006
+
+- reuse/dep5: adjusted to parse better
+
+ ... adjusted a few files to contain copyright and license info.
+
+ Closes #9006
+
+- buildconf.bat: update copyright year range
+
+ Closes #9006
+
+- README.md: use the common "Copyright" style formatting
+
+ Closes #9006
+
+- reuse: move license info from .mailmap.license to .reuse/dep5
+
+ Closes #9006
+
+- README.md: add a REUSE badge
+
+ Closes #9004
+
+- .reuse/dep5: remove recursive docs ignore, only skip markdown files
+
+ ... and some additional non-markdown individual files in docs/
+
+ Closes #9005
+
+- docs/cmdline-opts: add copyright and license identifier to each file
+
+ gen.pl now insists on C: and SPDX-License-Identifier: fields to be
+ present in all files.
+
+ Closes #9002
+
+- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md
+
+ Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that
+ file broke site functionality.
+
+ Closes #9001
+
+- bug_report.md: revert the REUSE template to see if it works again
+
+Viktor Szakats (13 Jun 2022)
+- version: rename threadsafe-init to threadsafe
+
+ Referring to Daniel's article [1], making the init function thread-safe
+ was the last bit to make libcurl thread-safe as a whole. So the name of
+ the feature may as well be the more concise 'threadsafe', also telling
+ the story that libcurl is now fully thread-safe, not just its init
+ function. Chances are high that libcurl wants to remain so in the
+ future, so there is little likelihood of ever needing any other distinct
+ `threadsafe-<name>` feature flags.
+
+ For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
+ `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
+ thread safety documentation.
+
+ [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+ Closes #8989
+
+Daniel Stenberg (13 Jun 2022)
+- test3026: disable on win32
+
+ ... as it's not likely to have working pthreads
+
+ Closes #8996
+
+- GHA: shorten the reuse CI job name
+
+ "REUSE compliance / check" should be good enough
+
+ Closes #9000
+
+- misc: add missing SPDX-License-Identifier info
+
+ For some reason the REUSE CI job did not find these.
+
+ Closes #8999
+
+- copyright: verify SPDX-License-Identifier presence as well
+
+- easy_lock: add SPDX license identifier
+
+ Closes #8998
+
+- mailmap: Max Mehl
+
+- [Max Mehl brought this change]
+
+ git: ignore large commit making the curl REUSE compliant
+
+- [Max Mehl brought this change]
+
+ copyright: make repository REUSE compliant
+
+ Add licensing and copyright information for all files in this repository. This
+ either happens in the file itself as a comment header or in the file
+ `.reuse/dep5`.
+
+ This commit also adds a Github workflow to check pull requests and adapts
+ copyright.pl to the changes.
+
+ Closes #8869
+
+- curl_url_set.3: clarify by default using known schemes only
+
+ Closes #8994
+
+- scripts/copyright.pl: ignore leading spaces
+
+Viktor Szakats (10 Jun 2022)
+- ngtcp2: fix typo in preprocessor condition
+
+ Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7
+
+ Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185
+ Reported-by: Emil Engler
+ Closes #8987
+
+Daniel Stenberg (10 Jun 2022)
+- RELEASE-NOTES: synced
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: build without sendmsg
+
+ Closes #8981
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: use handshake helper funcs to simplify TLS handshake integration
+
+ Closes #8968
+
+- test390: verify --parallel
+
+ Closes #8985
+
+- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set
+
+ Triggered by a bug report from Adam Light:
+ https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly
+ a misunderstanding of how CURLINFO_EFFECTIVE_URL works.
+
+ Closes #8971
+
+- url: URL encode the path when extracted, if spaces were set
+
+- urlapi: support CURLU_URLENCODE for curl_url_get()
+
+- server/sws: support spaces in the HTTP request path
+
+- tests/getpart: fix getpartattr to work with "data" and "data2"
+
+- select: return error from "lethal" poll/select errors
+
+ Adds two new error codes: CURLE_UNRECOVERABLE_POLL and
+ CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces.
+
+ Reported-by: Harry Sintonen
+ Fixes #8921
+ Closes #8961
+
+- test3026: add missing control file
+
+ Follow-up from 2ed101256414ea5
+
+ Makes the test run, makes 'make dist' work
+
+ This single test takes 24-25 seconds on my machine (with valgrind). For
+ this reason I tag it with a "slow" keyword.
+
+ Closes #8976
+
+- runtests: fix skipping tests not done event-based
+
+ ... and call timestampskippedevents() to avoid the flood of
+ uninitialized variable warnings.
+
+ Closes #8977
+
+- transfer: maintain --path-as-is after redirects
+
+ Reported-by: Marcus T
+ Fixes #8974
+ Closes #8975
+
+- test391: verify --path-as-is with redirect
+
+Jay Satiro (8 Jun 2022)
+- curl_global_init.3: Separate the Windows loader lock warning
+
+ This is a slight correction of the parent commit which implied the
+ loader lock warning only applied if not thread-safe. In fact the loader
+ lock warning applies either way.
+
+ Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030
+
+Daniel Stenberg (8 Jun 2022)
+- curl_global_init.3: this is now (usually) thread-safe
+
+ Follow-up to 23af112f5556
+
+ Closes #8972
+
+Jay Satiro (8 Jun 2022)
+- [Haxatron brought this change]
+
+ libcurl-security.3: Document CRLF header injection
+
+ - Document that user input to header options is not sanitized, which
+ could result in CRLF used to modify the request in a way other than
+ what was intended.
+
+ Ref: https://hackerone.com/reports/1589877
+ Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545
+
+ Closes https://github.com/curl/curl/pull/8964
+
+- CURLOPT_RANGE.3: remove ranged upload advice
+
+ The e-mail link in the advice contains instructions that are prone to
+ error. We need an example that works and can demonstrate how to properly
+ perform a ranged upload, and then we can refer to that example instead.
+
+ Bug: https://github.com/curl/curl/issues/8969
+ Reported-by: Simon Berger
+
+ Closes https://github.com/curl/curl/pull/8970
+
+Daniel Stenberg (7 Jun 2022)
+- [Thomas Guillem brought this change]
+
+ curl_version_info: add CURL_VERSION_THREADSAFE_INIT
+
+ This flag can be used to make sure that curl_global_init() is
+ thread-safe.
+
+ This can be useful for libraries that can't control what other
+ dependencies are doing with Curl.
+
+ Closes #8680
+
+- [Thomas Guillem brought this change]
+
+ lib: make curl_global_init() threadsafe when possible
+
+ Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and
+ curl_global_cleanup().
+
+ Closes #8680
+
+- RELEASE-NOTES: synced
+
+- [Fabian Keil brought this change]
+
+ test414: add the '--resolve' keyword
+
+ ... so the test can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- [Fabian Keil brought this change]
+
+ test{440,441,493,977}: add "HTTP proxy" keywords
+
+ ... so the tests can be automatically skipped when
+ using an external proxy like Privoxy.
+
+ Closes #8959
+
+- [Fabian Keil brought this change]
+
+ runtests.pl: add the --repeat parameter to the --help output
+
+ Closes #8959
+
+- [Fabian Keil brought this change]
+
+ test 2081: add a valid reply for the second request
+
+ ... so the test works when using a HTTP proxy like
+ Privoxy that sends an error message if the server
+ doesn't send data.
+
+ Closes #8959
+
+- [Fabian Keil brought this change]
+
+ test 675: add missing CR so the test passes when run through Privoxy
+
+ Closes #8959
+
+- ftp: when failing to do a secure GSSAPI login, fail hard
+
+ ... instead of switching to cleartext. For the sake of security.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1590102
+ Closes #8963
+
+- http2: reject overly many push-promise headers
+
+ Getting more than a thousand of them is rather a sign of some kind of
+ attack.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1589847
+ Closes #8962
+
+- [Fabian Keil brought this change]
+
+ misc: spelling improvements
+
+ Closes #8956
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: fix assertion failure on EMSGSIZE
+
+ Closes #8958
+
+- easy/transfer: fix cookie-disabled build
+
+ Follow-up from 45de940cebf6a
+ Reported-by: Marcel Raad
+ Fixes #8953
+ Closes #8954
+
+- examples/crawler.c: use the curl license
+
+ With permission from Jeroen Ooms
+
+ URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731
+ Closes #8950
+
+- speed-limit/time.d: mention these affect transfers in either direction
+
+ Reported-by: Ladar Levison
+ Fixes #8948
+ Closes #8951
+
+- scripts/copyright.pl: fix the exclusion to not ignore man pages
+
+ Ref: #8869
+ Closes #8952
+
+- examples: remove fopen.c and rtsp.c
+
+ To simplify the license situation, as they were the only files in the
+ source tree using these specific BSD-3 clause licenses.
+
+ For an fopen style API, we recommend instead going
+ https://github.com/curl/fcurl
+
+ Ref: #8869
+ Closes #8949
+
+- [Wolf Vollprecht brought this change]
+
+ netrc: check %USERPROFILE% as well on Windows
+
+ Closes #8855
+
+- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish
+
+- [michael musset brought this change]
+
+ libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
+
+ The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
+ wether or not the connection should continue.
+
+ The host key is passed in argument with a custom handle for the
+ application.
+
+ It overrides CURLOPT_SSH_KNOWNHOSTS
+
+ Closes #7959
+
+- docs/CONTRIBUTE.md: document the 'needs-votes' concept
+
+ A pull request sent to the project might get labeled `needs-votes` by a
+ project maintainer. This label means that in addition to meeting all
+ other checks and qualifications this pull request must also receive
+ proven support/thumbs-ups from more community members to be considered
+ for merging.
+
+ Closes #8910
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: tolerate missing "realm"
+
+ Server headers may not define "realm", avoid NULL pointer dereference
+ in such cases.
+
+ Closes #8912
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: added detection of more syntax error in server headers
+
+ Invalid headers should not be processed otherwise they may create
+ a security risk.
+
+ Closes #8912
+
+- [Evgeny Grin (Karlson2k) brought this change]
+
+ digest: unquote realm and nonce before processing
+
+ RFC 7616 (and 2617) requires values to be "unquoted" before used for
+ digest calculations. The only place where unquoting can be done
+ correctly is header parsing function (realm="DOMAIN\\host" and
+ realm=DOMAN\\host are different realms).
+
+ This commit adds unquoting (de-escaping) of all values during header
+ parsing and quoting of the values during header forming. This approach
+ should be most straightforward and easy to read/maintain as all values
+ are processed in the same way as required by RFC.
+
+ Closes #8912
+
+- headers: handle unfold of space-cleansed headers
+
+ Detected by OSS-fuzz
+
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767
+
+ Updated test 1274
+
+ Closes #8947
+
+- lib: make more protocol specific struct fields #ifdefed
+
+ ... so that they don't take up space if the protocols are disabled in
+ the build.
+
+ Closes #8944
+
+- DISABLED: disable 1021 for hyper again
+
+ due to flakiness in the CI builds
+
+- urldata: store tcp_keepidle and tcp_keepintvl as ints
+
+ They can't be set larger than INT_MAX in the setsocket API calls.
+
+ Also document the max values in their respective man pages.
+
+ Closes #8940
+
+- urldata: reduce size of a few struct fields
+
+ When the values are never larger than 32 bit, ints are better than longs.
+
+ Closes #8940
+
+- urldata: remove three unused booleans from struct UserDefined
+
+ - is_fwrite_set
+ - free_referer
+ - strip_path_slash
+
+ Closes #8940
+
+- remote-name.d: mention --output-dir
+
+ plus add two see-alsos
+
+ Closes #8945
+
+Jay Satiro (1 Jun 2022)
+- configure: skip libidn2 detection when winidn is used
+
+ Prior to this change --with-winidn could be overridden by libidn2
+ detection.
+
+ Closes https://github.com/curl/curl/pull/8934
+
+Daniel Stenberg (31 May 2022)
+- CURLOPT_FILETIME.3: fix the protocols this works with
+
+- test681: verify --no-remote-name
+
+ Follow-up to 83ee5c428d960 (from #8931)
+
+ Closes #8942
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: enable Linux GSO
+
+ Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
+ EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
+ packet buffer is now held by struct quicsocket. GSO write might fail in
+ runtime depending on NIC. Disable GSO if sendmsg returns EIO.
+
+ Closes #8909
+
+- CURLOPT_PORT.3: We discourage using this option
+
+ Closes #8941
+
+- RELEASE-NOTES: synced
+
+- headers_push: error out if a folded header has no previous header
+
+ As that would indicate an illegal header. The fuzzer reached the assert
+ in unfold_value() proving that this case can happen.
+
+ Follow-up to c9b60f005358a364
+
+ Closes #8939
+
+- [Boris Verkhovskiy brought this change]
+
+ curl: re-enable --no-remote-name
+
+ Closes #8931
+
+- test680: require 'http' since it uses such a URL
+
+ Follow-up to d1b376c03524
+
+- CURLOPT_NETRC.3: document the .netrc file format
+
+- test680: verify rejection of malformatted .netrc quoted password
+
+- test679: verify netrc quoted string
+
+- netrc: support quoted strings
+
+ The .netrc parser now accepts strings within double-quotes in order to
+ deal with for example passwords containing white space - which
+ previously was not possible.
+
+ A password that starts with a double-quote also ends with one, and
+ double-quotes themselves are escaped with backslashes, like \". It also
+ supports \n, \r and \t for newline, carriage return and tabs
+ respectively.
+
+ If the password does not start with a double quote, it will end at first
+ white space and no escaping is performed.
+
+ WARNING: this change is not entirely backwards compatible. If anyone
+ previously used a double-quote as the first letter of their password,
+ the parser will now get it differently compared to before. This is
+ highly unfortunate but hard to avoid.
+
+ Reported-by: ImpatientHippo on GitHub
+ Fixes #8908
+ Closes #8937
+
+- curl_getdate.3: document that some illegal dates pass through
+
+ Closes #8938
+
+- CI: remove configure --enable-headers-api flags
+
+- headers api: remove EXPERIMENTAL tag
+
+ Closes #8900
+
+Daniel Gustafsson (30 May 2022)
+- cookies: fix documentation comment
+
+ Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but
+ missed updating the documentation comment at the head of the file.
+
+Daniel Stenberg (30 May 2022)
+- [Marc Hoersken brought this change]
+
+ tests/data/test1940: use binary mode for expected stdout
+
+ The generated stdout data is written in binary mode with [LF]
+ line endings, therefore we also need to do a binary comparison.
+
+ Assisted-by: Jay Satiro
+ Assisted-by: Daniel Stenberg
+
+ Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84
+ Fixes #8920
+ Closes #8936
+
+- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation
+
+ Spell out the multi-TLS situation.
+
+ Reported-by: Dan Fandrich
+ Fixes #8926
+ Closes #8932
+
+Jay Satiro (28 May 2022)
+- [JustAnotherArchivist brought this change]
+
+ tool_getparam: fix --parallel-max maximum value constraint
+
+ - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to
+ default value.
+
+ Previously, --parallel-max 300 would use 300 concurrent transfers, but
+ --parallel-max 301 would unexpectedly use only 50. This change clamps
+ higher values to the maximum (ie --parallel-max 301 would use 300).
+
+ Closes https://github.com/curl/curl/pull/8930
+
+Daniel Stenberg (27 May 2022)
+- curl.1: add a few see also --tls-max
+
+ Closes #8929
+
+Viktor Szakats (26 May 2022)
+- cmake: do not add libcurl.rc to the static libcurl library
+
+ Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855
+
+ Reviewed-By: Karlson2k@users.noreply.github.com
+ Closes #8923
+
+- cmake: support adding a suffix to the OS value
+
+ CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS
+ string appearing in the --version output after the curl version number,
+ for example:
+
+ 'curl 7.83.1 (Windows)'
+
+ This patchs adds the ability to pass a suffix that is appended to this
+ value. It's useful to add CPU info or other platform details,
+ for example:
+
+ 'curl 7.83.1 (Windows-x64)'
+
+ Closes #8919
+
+- cmake: enable curl.rc for all Windows targets
+
+ Before this patch, it was only enabled for MSVC. This syncs this
+ configuration with libcurl.rc, which was already included with
+ every Windows compiler.
+
+ Closes #8918
+
+- cmake: fix detecting libidn2
+
+ Without this patch, libidn2 detection doesn't even seem to be
+ attempted. With this patch, cmake can be configured to pick it
+ up and enable it. Necessary configuration remains manual and
+ differs from most other dependencies.
+
+ If you are aware of a better fix, we're glad hearing about it
+ in a new Issue.
+
+ Closes #8917
+
+- version: allow stricmp() for sorting the feature list
+
+ In CMakeLists.txt there is an attempt to detect `stricmp()`, and in
+ certain cases, this attempt is the only successful one to detect a
+ case-insensitive comparison function. `HAVE_STRICMP` is defined as
+ a result, but this macro wasn't used anywhere in the source. This
+ patch makes use of it as an alternative when alpha-sorting the
+ `--version` feature list.
+
+ Reviewed-by: Daniel Stenberg
+ Closes #8916
+
+Daniel Stenberg (25 May 2022)
+- DISABLED: add six tests that fail with hyper
+
+ 1117 1274 1940 1941 1942 1943
+
+- c-hyper: mark status line as status for Curl_client_write()
+
+ To make sure the headers API can filter it out as not a regular header.
+
+ Reported-by: Gisle Vanem
+ Fixes #8894
+ Closes #8914
+
+Marc Hoersken (25 May 2022)
+- tests/data/test1501: kill ftp server after slow LIST response
+
+ This test is contributing to flakiness on the Windows CI runs.
+ Killing the ftp server after the test run like other slowness
+ tests already do may help resolve or reduce the flakiness.
+
+ Closes #8907
+
+Daniel Stenberg (25 May 2022)
+- headers: fix the unfold realloc to use proper new size
+
+ Previously it didn't take the old name length into acount
+
+ Follow-up to: c9b60f005358a364
+ Closes #8913
+
+Marc Hoersken (25 May 2022)
+- GHA: align all install, configure and build steps again
+
+ First step towards more unified build steps on GitHub Actions.
+
+ Closes #8873
+
+- CI/azure: remove obsolete strategy for single builds
+
+ This shortens these CI job names on GitHub even more.
+ Follow up to #8906 which also increased their timeout.
+
+ Closes #8911
+
+- CI/azure: shorten names of Windows CI jobs
+
+ Suggested-by: Daniel Stenberg
+ Closes #8906
+
+Daniel Stenberg (24 May 2022)
+- http: restore header folding behavior
+
+ Folded header lines will now get passed through like before. The headers
+ API is adapted and will provide the content unfolded.
+
+ Added test 1274 and extended test 1940 to verify.
+
+ Reported-by: Petr Pisar
+ Fixes #8844
+ Closes #8899
+
+Viktor Szakats (24 May 2022)
+- Makefile.m32: delete obsolete options, improve -On [ci skip]
+
+ - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now.
+ - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and
+ I used this with VxWorks in another project, but otherwise this isn't
+ necessary anymore as a default. If a target still needs it, it can be
+ added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing`
+ - bump up default optimization level to `-O3` (from `-O2`), and also rearrange
+ option order so the default can now be overridden via
+ `CURL_CFLAG_EXTRAS`.
+ - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS`
+ (strip debug info). They were working against each other. Now, if someone
+ needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g`
+
+ Closes #8904
+
+Daniel Gustafsson (24 May 2022)
+- ntlm: fix one more hostname test fallout
+
+ This fixup was missed in commit 5a41abef6dca19.
+
+ Closes: #8901
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- doh: remove UNITTEST macro definition
+
+ The UNITTEST macro is defined by curl_setup.h so there is no use in
+ carry a local copy of the logic.
+
+ Closes: #8902
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (24 May 2022)
+- cookie: fix false positive "potentially uninitialized local variable"
+
+ Reviewed-by: Daniel Gustafsson
+ Closes #8903
+
+- curl: add --rate to set max request rate per time unit
+
+ --rate "12/m" - for 12 per minute or
+ --rate "5/h" - for 5 per hour
+
+ Removed from TODO
+
+ Closes #8671
+
+- [Jay Satiro brought this change]
+
+ max-time.d: clarify max-time sets max transfer time
+
+ Prior to this change the doc said --max-time set the maximum time of the
+ 'whole operation' which is not accurate. The option maps to
+ CURLOPT_TIMEOUT_MS which sets maximum transfer time.
+
+ For example, the maximum time on a transfer is reset if the transfer is
+ retried (--retry).
+
+ Reported-by: Nuru@users.noreply.github.com
+
+ Fixes https://github.com/curl/curl/issues/8877
+ Closes #8879
+
+- GHA/hyper: enable debug in the build
+
+- hyper: use 'alt-used'
+
+ Makes test 412+413 work
+
+ Closes #8898
+
+- RELEASE-NOTES: synced
+
+- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
+
+ Closes #8888
+
+- links: update dead links
+
+ The wiki pages are gone, remove and link to more long-living docs.
+
+ Closes #8897
+
+- ntlm: (void) typecast msnprintf() where we ignore return code
+
+ Follow-up to 5a41abef6, to please Coverity
+
+Daniel Gustafsson (22 May 2022)
+- ntlm: copy NTLM_HOSTNAME to host buffer
+
+ Commit 709ae2454f43 added a fake hostname to avoid leaking the local
+ hostname, but omitted copying it to the host buffer. Fix by copying
+ and adjust the test fallout.
+
+ Closes: #8895
+ Fixes: #8893
+ Reported-by: Patrick Monnerat <patrick@monnerat.net>
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- configure: use the SED value to invoke sed
+
+ Rather than assuming sed in PATH, use the resolved $SED variable
+ like in all other invocations of sed in configure.
+
+ Closes: #8891
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
+
+Daniel Stenberg (20 May 2022)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: Allow curl to send larger UDP datagrams
+
+ Allow curl to send larger UDP datagram if Path MTU Discovery finds the
+ availability of larger path MTU. To make it work and not to send
+ fragmented packet, we need to set DF bit. That makes send(2) fail with
+ EMSGSIZE if UDP datagram is too large. In that case, just let it be
+ lost. This patch enables DF bit for Linux only.
+
+ Closes #8883
+
+- libcurl-security.3: add "Secrets in memory"
+
+ Closes #8881
+
+- tests: update NTLM tests to use new host name
+
+ Also drop the debug requirement, remove the setenv sections, remove
+ prechecks and add NTLM to the top keywords.
+
+ Closes #8889
+
+- ntlm: provide a fixed fake host name
+
+ The NTLM protocol includes providing the local host name, but apparently
+ other implementations already provide a fixed fake name instead to avoid
+ leaking the real local name.
+
+ The exact name used is 'WORKSTATION', because Firefox uses that.
+
+ The change is written to allow someone to "back-pedal" fairly easy in
+ case of need.
+
+ Reported-by: Carlo Alberto
+ Fixes #8859
+ Closes #8889
+
+Daniel Gustafsson (20 May 2022)
+- KNOWN_BUGS: fix typo in problem description
+
+ s/TSL/TLS/
+
+- FEATURES: remove yassl as TLS library for NTLM
+
+ yassl was added in commit 9d904ee41b880b but is no longer available
+ and is thus not a library to use for NTLM. This aligns the FEATURES
+ doc with the FAQ.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FEATURES: reorder footnotes
+
+ The empty left-behind footnote confused the website rendering into
+ creating a nested emoty list, making the resulting page look quite
+ odd. Remove and re-order the remaining ones to avoid a gap in the
+ sequence.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- FAQ: remove opinionated sentence on NTLM
+
+ curl is a tool that support many different things, and it doesn't
+ really seem like our job to tell other what to use (as they might
+ not have much say in the matter even). Also tidy up wording.
+
+ Closes: #8886
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Viktor Szakats (20 May 2022)
+- log2changes: do not indent empty lines [ci skip]
+
+ This will omit two spaces of indentation from lines with no content,
+ thus avoiding 'spaces @ EOL'.
+
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Closes #8887
+
+Daniel Stenberg (19 May 2022)
+- wolfssl: correct the failf() message when a handle can't be made
+
+ Closes #8885
+
+Viktor Szakats (19 May 2022)
+- Makefile.m32: delete two obsolete OpenSSL options [ci skip]
+
+ - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL 3.5.x, yet it collides with the latter, which defines
+ it unconditionally, resulting in this warning:
+ ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined]
+ It was originally added to curl in 2004.
+
+ - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or
+ LibreSSL back to at least 2.5.5. Originally added in the same
+ commit as the above, in 2004.
+
+ Closes #8884
+
+Daniel Stenberg (19 May 2022)
+- RELEASE-NOTES: synced
+
+ bump to 7.84.0
+
+- [Christian Weisgerber via curl-library brought this change]
+
+ Makefile.am: fix portability issues
+
+ Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that
+ there is a portability issue in curl's top-level Makefile.am.
+
+ $< can only be used in rules that deal with .SUFFIXES. Its use
+ for general prerequisites is a GNU make extension.
+
+ $< could be replaced by $?, but I think in an autotools context,
+ something like this is better:
+
+ Bug: https://curl.se/mail/lib-2022-05/0024.html
+ Closes #8861
+
+- [Balakrishnan Balasubramanian brought this change]
+
+ socks: support unix sockets for socks proxy
+
+ Usage:
+ curl -x "socks5h://localhost/run/tor/socks" "https://example.com"
+
+ Updated runtests.pl to run a socksd server listening on unix socket
+
+ Added tests test1467 test1468
+
+ Added documentation for proxy command line option and socks proxy
+ options
+
+ Closes #8668
+
+- [Vincent Torri brought this change]
+
+ cmake: add libpsl support
+
+ Fixes #8865
+ Closes #8867
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: extend QUIC transport parameters buffer
+
+ Extend QUIC transport parameters buffer because 64 bytes are too
+ short for the ever increasing parameters.
+
+ Closes #8872
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
+
+ Closes #8871
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: send appropriate connection close error code
+
+ Closes #8870
+
+- test1561: adjusted for the cookie fix
+
+- test414: verify secure cookie domain overlay
+
+- [Harry Sintonen brought this change]
+
+ cookie: address secure domain overlay
+
+ Bug: https://hackerone.com/reports/1560324
+ Co-authored-by: Daniel Stenberg
+ Closes #8840
+
+- [Frank Gevaerts brought this change]
+
+ strcase: some optimisations
+
+ Lookup tables for toupper() and tolower() make Curl_strcasecompare()
+ about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
+ early then also allows simplifying the check at the end, for another
+ 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7
+ times faster.
+
+ Note that these optimisation assume ASCII. The original
+ Curl_raw_toupper() and raw_tolower() look like they already made that
+ assumption.
+
+ Closes #8875
+
+- BUG-BOUNTY.md: mention the audit exception
+
+ Dedicated - paid for - security audits that are performed in
+ collaboration with curl developers are not eligible for bounties.
+
+ (plus I changed the sub-titles to use ## instead of # in the markdown)
+
+ Closes #8880
+
+- lib/vssh/wolfssh.h: removed
+
+ Unused header file
+
+ Reported-by: Illarion Taev
+ Fixes #8863
+ Closes #8866
+
+- [Elms brought this change]
+
+ wolfSSL: explicitly use compatibility layer
+
+ This change removes adding an include `$prefix/wolfssl` or similar to
+ allow for openssl include aliasing. Include paths of `wolfssl/openssl/`
+ are used to explicitly use wolfSSL includes. This fixes cmake builds as
+ well as avoiding potentially using openSSL headers since include path
+ order is not guaranteed.
+
+ Closes #8864
+
+- curl: deprecate --random-file and --egd-file
+
+ As libcurl no longer has any functionality for them, the tool now does
+ nothing with them.
+
+ Closes #8670
+
+- opts: deprecate RANDOM_FILE and EGDSOCKET
+
+ These two options were only ever used for the OpenSSL backend for
+ versions before 1.1.0. They were never used for other backends and they
+ are not used with recent OpenSSL versions. They were never used much by
+ applications.
+
+ The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time
+ for ancient EOL OpenSSL versions.
+
+ Closes #8670
+
+- [Harry Sintonen brought this change]
+
+ bindlocal: don't use a random port if port number would wrap
+
+ Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port
+ 65535 the code would fall back to random port rather than giving up.
+
+ Closes #8862
+
+Daniel Gustafsson (16 May 2022)
+- transfer: Fix potential NULL pointer dereference
+
+ Commit 0ef54abf5208 accidentally used the conn variable before the
+ assertion for it being NULL. Fix by moving the assignment which use
+ conn to after the assertion.
+
+ Closes: #8857
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- docs: clarify data replacement policy for MIME API
+
+ The API documentation for the MIME functions specify that the parts
+ can be set twice, with the last call winning. While true, the user
+ can set the parts n times for n > 2, reword to specify multiple API
+ calls instead.
+
+ Closes: #8860
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (16 May 2022)
+- [vvb2060 on github brought this change]
+
+ ngtcp2: support boringssl crypto backend
+
+ Closes #8789
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ quic: add Curl_quic_idle
+
+ Add Curl_quic_idle which is called when no HTTP level read or write is
+ performed. It is a good place to handle timer expiry for QUIC transport
+ (.e.g, retransmission).
+
+ Closes #8698
+
+- [Gregor Jasny brought this change]
+
+ mprintf: ignore clang non-literal format string
+
+ Closes #8740
+
+- [Nick Zitzmann brought this change]
+
+ sectransp: check for a function defined when __BLOCKS__ is undefined
+
+ SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it
+ requires Grand Central Dispatch to be supported by the compiler, and
+ some third-party macOS compilers do not support Grand Central Dispatch.
+ SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't
+ adversely affect anything.
+
+ Fixes #8846
+ Reported-by: Egor Pugin
+ Closes #8854
+
+Daniel Gustafsson (16 May 2022)
+- test412/413: Use version macro for User-Agent
+
+ Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test
+ output file which breaks when curlver is updated. Shift to using
+ the %VERSION macro instead.
+
+ Closes: #8856
+
+- macos9: remove partial support
+
+ The support for compiling on Mac OS 9 hasn't been modified since 2001
+ and has no active maintainer or packager, so it's time to remove it as
+ it's incredibly unlikely to work. If a maintainer re-emerges it can be
+ resurrected from Git history.
+
+ Closes: #8836
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (16 May 2022)
+- test1635: verify --fail-with-body with --retry
+
+ Almost a dupe of 1634
+
+ Closes #8847
+
+- tool_operate: make sure --fail-with-body works with --retry
+
+ ... in the same way --fail already does.
+
+ Reported-by: Jakub Bochenski
+ Fixes #8845
+ Closes #8847
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types
+
+ Closes #8851
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: Fix alert_read_func return value
+
+ Closes #8852
+
+- [Harry Sintonen brought this change]
+
+ Curl_parsenetrc: don't access local pwbuf outside of scope
+
+ Accessing local variables outside of the scope is forbidden and
+ depending on the compiler can result in the value being
+ overwritten. Fixed by moving the pwbuf to be in scope.
+
+ Closes #8850
+
+- RELEASE-NOTES: synced
+
+ and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon)
+
+- [Frazer Smith brought this change]
+
+ ci: update github actions
+
+ - bump actions/checkout from 2 to 3
+ - bump actions/upload-artifact from 1 to 3
+ - bump github/codeql-actions from 1 to 2
+ - use version tag for actions/checkout
+
+ Closes #8843
+
+- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix
+
+- url: free old conn better on reuse
+
+ Make use of conn_free() better and avoid duplicate code.
+
+ Reported-by: Andrea Pappacoda
+ Fixes #8841
+ Closes #8842
+
+Jay Satiro (14 May 2022)
+- FAQ: Clarify Windows double quote usage
+
+ - Windows command prompt doesn't use literal quoting via single quotes.
+
+ - Windows command prompt inner double quotes are escaped with a
+ backslash.
+
+ - Windows powershell does use single quotes but curl is not a powershell
+ script so the arguments may not be passed on correctly.
+
+ - Windows powershell inner double quotes seems can be passed to curl if
+ the outer quotes are double quotes and an escape of backslash-backtick
+ is used.
+
+ Command prompt example:
+
+ ~~~
+ getargs -v -d "\"a\""
+
+ argv[0]: getargs
+ argv[1]: -v
+ argv[2]: -d
+ argv[3]: "a"
+ ~~~
+
+ Ref: https://github.com/curl/curl/issues/8818
+ Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c
+
+ Reported-by: KotlinIsland@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/8823
+
+Daniel Stenberg (12 May 2022)
+- github/workflows/nss: apt update first
+
+ Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found"
+
+ Closes #8837
+
+- page-footer: mention exit code zero too
+
+ Success (zero) is also an "exit code" worth mentioning.
+
+ Closes #8833
+
+Daniel Gustafsson (12 May 2022)
+- gssapi: initialize gss_buffer_desc strings
+
+ Explicitly initialize gss_buffer_desc strings such that a call to
+ freeing resources will succeed even if no data has been allocated
+ to it.
+
+ Reported-by: Jay Satiro <raysatiro@yahoo.com>
+
+- gssapi: improve handling of errors from gss_display_status
+
+ In case gss_display_status() returns an error, avoid trying to add
+ it to the buffer as the message may well be a NULL pointer.
+
+ Originally this fix comes from a discussion in issue #8816.
+
+ Closes: #8832
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+Jay Satiro (12 May 2022)
+- [steini2000 brought this change]
+
+ http2: always debug print stream id in decimal with %u
+
+ Prior to this change the stream id shown could be hex or decimal which
+ was inconsistent and confusing.
+
+ Closes https://github.com/curl/curl/pull/8808
+
+Kamil Dudka (11 May 2022)
+- url: remove redundant #ifdefs in allocate_conn()
+
+ No change in behavior intended by this commit.
+
+Daniel Stenberg (11 May 2022)
+- [Fabian Keil brought this change]
+
+ tests 266, 116 and 1540: add a small write delay
+
+ This makes it more likely that the trailer is received
+ seperately from the last-chunk.
+
+ curl doesn't seem to care about this but it makes the tests
+ more useful when testing external proxies like Privoxy.
+
+- [Fabian Keil brought this change]
+
+ tests 1117,1238,1523: adjust writedelay servercmds
+
+ ... so the delays are the same now that the unit
+ is in milliseconds.
+
+- [Fabian Keil brought this change]
+
+ tests/server/sws.c: change the HTTP writedelay unit to milliseconds
+
+ This allows to use write delays for large responses without
+ resulting in the test taking an unreasonable amount of time.
+
+ In many cases delaying writes by a whole second or more isn't
+ necessary for the desired effect.
+
+ Closes #8827
+
+Daniel Gustafsson (11 May 2022)
+- aws-sigv4: fix potentional NULL pointer arithmetic
+
+ We need to check if the strchr() call returns NULL (due to missing
+ char) before we use the returned value in arithmetic. There is no
+ live bug here, but fixing it before it can become for hygiene.
+
+ Closes: #8814
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (11 May 2022)
+- quiche: support ca-fallback
+
+ Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl
+
+ Removed from KNOWN_BUGS
+
+ Fixes #8696
+ Closes #8830
+
+Daniel Gustafsson (11 May 2022)
+- x509asn1: mark msnprintf return as unchecked
+
+ We have lots of unchecked msnprintf calls, and this particular msnprintf
+ call isn't more interesting than the others, but this one yields a Coverity
+ warning so let's implicitly silence it. Going over the other invocations
+ is probably a worthwhile project, but for now let's keep the static
+ analyzers happy.
+
+ Closes: #8831
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Version 7.83.1 (11 May 2022)
+
+Daniel Stenberg (11 May 2022)
+- RELEASE-NOTES: synced
+
+ curl 7.83.1 release
+
+- THANKS: added contributors from 7.83.1
+
+- zuul: fix the ngtcp2-gnutls build
+
+ Add packages and tweak the configure options.
+
+ Use the GnuTLS 3.7.4 branch (not main).
+
+ Closes #8829
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: add ca-fallback support for OpenSSL backend
+
+ Closes #8828
+
+- url: check SSH config match on connection reuse
+
+ CVE-2022-27782
+
+ Reported-by: Harry Sintonen
+ Bug: https://curl.se/docs/CVE-2022-27782.html
+ Closes #8825
+
+- tls: check more TLS details for connection reuse
+
+ CVE-2022-27782
+
+ Reported-by: Harry Sintonen
+ Bug: https://curl.se/docs/CVE-2022-27782.html
+ Closes #8825
+
+- cookies: make bad_domain() not consider a trailing dot fine
+
+ The check for a dot in the domain must not consider a single trailing
+ dot to be fine, as then TLD + trailing dot is fine and curl will accept
+ setting cookies for it.
+
+ CVE-2022-27779
+
+ Reported-by: Axel Chong
+ Bug: https://curl.se/docs/CVE-2022-27779.html
+ Closes #8820
+
+- test977: reproduce ability to set cookie on TLD
+
+ When PSL is not enabled
+
+- scripts/contributors.sh: correct the copyright range
+
+- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates
+
+- test379: verify --remove-on-error with --no-clobber
+
+- post_per_transfer: remove the updated file name
+
+ When --remove-on-error is used with --no-clobber, it might have an
+ updated file name to remove.
+
+ Bug: https://curl.se/docs/CVE-2022-27778.html
+
+ CVE-2022-27778
+
+ Reported-by: Harry Sintonen
+
+ Closes #8824
+
+- hsts: ignore trailing dots when comparing hosts names
+
+ CVE-2022-30115
+
+ Reported-by: Axel Chong
+ Bug: https://curl.se/docs/CVE-2022-30115.html
+ Closes #8821
+
+- test440/441: verify HSTS with trailing dots
+
+- libtest/lib1560: verify the host name percent decode fix
+
+- urlapi: reject percent-decoding host name into separator bytes
+
+ CVE-2022-27780
+
+ Reported-by: Axel Chong
+ Bug: https://curl.se/docs/CVE-2022-27780.html
+ Closes #8826
+
+- nss: return error if seemingly stuck in a cert loop
+
+ CVE-2022-27781
+
+ Reported-by: Florian Kohnhäuser
+ Bug: https://curl.se/docs/CVE-2022-27781.html
+ Closes #8822
+
+- test412/413: verify alt-svc with trailing dots
+
+- altsvc: fix host name matching for trailing dots
+
+ Closes #8819
+
+- [Garrett Squire brought this change]
+
+ hyper: fix test 357
+
+ This change fixes the hyper API such that PUT requests that receive a
+ 417 response can retry without the Expect header.
+
+ Closes #8811
+
+- [Harry Sintonen brought this change]
+
+ sectransp: bail out if SSLSetPeerDomainName fails
+
+ Before the code would just warn about SSLSetPeerDomainName() errors.
+
+ Closes #8798
+
+- http_proxy/hyper: handle closed connections
+
+ Enable test 1021 for hyper builds.
+
+ Patched-by: Prithvi MK
+ Fixes #8700
+ Closes #8806
+
+- KNOWN_BUGS: timeout when reusing a http3 connection
+
+ Closes #8764
+
+- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3
+
+ Closes #8696
+
+- [Ryan Schmidt brought this change]
+
+ Makefile: fix "make ca-firefox"
+
+ Closes #8804
+
+Daniel Gustafsson (5 May 2022)
+- tests: fix markdown formatting in README
+
+ The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be
+ escaped to not mean start of italic formatting. This is consistent
+ with docs/RELEASE-PROCEDURE.md.
+
+ Closes: #8802
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (5 May 2022)
+- TODO: expand on "Expose tried IP addresses that failed"
+
+ Ref: #8794
+
+Daniel Gustafsson (5 May 2022)
+- [Fabian Keil brought this change]
+
+ tests/server: declare variable 'reqlogfile' static
+
+ Silences the warning:
+
+ CC socksd-socksd.o
+ socksd.c:143:13: warning: no previous extern declaration for
+ non-static variable 'reqlogfile' [-Wmissing-variable-declarations]
+ const char *reqlogfile = DEFAULT_REQFILE;
+ ^
+ socksd.c:143:7: note: declare 'static' if the variable is not
+ intended to be used outside of this translation unit
+ const char *reqlogfile = DEFAULT_REQFILE;
+ ^
+ 1 warning generated.
+
+ ... when compiling with clang 13.
+
+ Closes: #8799
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
+
+ Commit 980a47b42 added support for ignoring session cookies, but it
+ was never added to the documentation.
+
+ Closes: #8795
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (5 May 2022)
+- docs/THANKS: remove name duplicate
+
+- [Philip Heiduck brought this change]
+
+ .mailmap: update
+
+ Closes #8800
+
+Jay Satiro (5 May 2022)
+- mbedtls: fix some error messages
+
+ Prior to this change some of the error messages misidentified the
+ function that failed.
+
+Daniel Stenberg (5 May 2022)
+- RELEASE-NOTES: synced
+
+- [Sergey Markelov brought this change]
+
+ x509asn1: make do_pubkey handle EC public keys
+
+ Closes #8757
+
+- [Harry Sintonen brought this change]
+
+ mbedtls: bail out if rng init fails
+
+ There was a failf() call but no actual error return.
+
+ Closes #8796
+
+- [Sergey Markelov brought this change]
+
+ urlapi: address (harmless) UndefinedBehavior sanitizer warning
+
+ `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
+ cannot be represented in type 'size_t' (aka 'unsigned long')
+
+ Closes #8797
+
+- [Fabian Keil brought this change]
+
+ test{898,974,976}: add 'HTTP proxy' keywords
+
+ ... so the tests can be automatically skipped when
+ testing external HTTP proxies like Privoxy.
+
+ Closes #8791
+
+- [Harry Sintonen brought this change]
+
+ gskit_connect_step1: fixed bogus setsockopt calls
+
+ setsockopt takes a reference to value, not value. With the current
+ code this just leads to -1 return value with errno EFAULT.
+
+ Closes #8793
+
+- CURLOPT_SSH_AUTH_TYPES.3: fix the default
+
+ The default is all possible methods.
+
+ Closes #8792
+
+- CURLOPT_DOH_URL.3: mention the known bug
+
+ It is mostly duplicating info from KNOWN_BUGS but make it easier to find
+ for users of this option.
+
+ Closes #8790
+
+- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
+
+ Reviewed-By: Daniel Gustafsson
+ Closes #8788
+
+- docs/SECURITY-PROCESS.md: "Visible command line arguments"
+
+- SECURITY-PROCESS: mention "URL inconsistencies"
+
+ ... as common problems that are *not* vulns.
+
+Daniel Gustafsson (2 May 2022)
+- contributors: strip off final comma
+
+ The final row of contributors should not end with a comma as it's the
+ end of the list.
+
+ Closes: #8785
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (2 May 2022)
+- [Philip Heiduck brought this change]
+
+ misc: use "autoreconf -fi" instead buildconf
+
+ Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
+ Closes #8777
+
+Daniel Gustafsson (2 May 2022)
+- [Philip Heiduck brought this change]
+
+ cirrus: Use pip for Python packages on FreeBSD
+
+ Using pip instead of easy_install is more in line with how other
+ CI images are being maintained.
+
+ Closes: #8783
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- [Philip Heiduck brought this change]
+
+ cirrus: Update to FreeBSD 12.3
+
+ Closes: #8783
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- tool_getparam: simplify conditional statement
+
+ param_place cannot be NULL here since we immediately efter this block
+ perform arithmetic on it (and use it in order to get here) so there is
+ little reason to check.
+
+ Closes: #8786
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- RELEASE-NOTES: synced
+
+- gskit: remove unused function set_callback
+
+ This function has been unused since the initial commit of the GSKit
+ backend in 0eba02fd4. The motivation for the code was getting the
+ whole certificate chain: the only place where the latter is available
+ is as a callback parameter. Unfortunately it is not possible to pass
+ a user pointer to this callback, which precludes the possibility to
+ associate the cert chain with a data/conn structure.
+
+ For further information, search for pgsk_cert_validation_callback on:
+ https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm
+
+ As the upstream library never added a parameter like that to the API,
+ we give up the wait and remove the dead code.
+
+ Closes: #8782
+ Reviewed-by: Patrick Monnerat <patrick@monnerat.net>
+
+- curl: free resource in error path
+
+ If the new filename cannot be generated due to memory pressure, free
+ the allocated aname on the way out to avoid a small leak.
+
+ Closes: #8770
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- curl: guard against size_t wraparound in no-clobber code
+
+ When generating the new filename, make sure we aren't overflowing the
+ size_t limit when calculating the new length. This is mostly academic
+ but good code hygeine nonetheless.
+
+ Closes: #8771
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Daniel Stenberg (30 Apr 2022)
+- gha: build msh3
+
+ Closes #8779
+
+- scripts/cijobs.pl: try "current branch" first then "master"
+
+- [Yusuke Nakamura brought this change]
+
+ msh3: get msh3 version from MsH3Version
+
+ Closes #8762
+
+- [Yusuke Nakamura brought this change]
+
+ msh3: psss remote_port to MsH3ConnectionOpen
+
+ MsH3 supported additional "Port" parameter to connect not hosted on
+ 443 port QUIC website.
+
+ * https://github.com/nibanks/msh3/releases/tag/v0.3.0
+ * https://github.com/nibanks/msh3/pull/37
+
+ Closes #8762
+
+- [Christian Weisgerber brought this change]
+
+ openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl
+
+ SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3,
+ released five years ago.
+
+ Bug: https://curl.se/mail/lib-2022-04/0059.html
+ Closes #8773
+
+- http: move Curl_allow_auth_to_host()
+
+ It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
+
+ Reported-by: Michael Olbrich
+ Fixes #8772
+ Closes #8775
+
+Daniel Gustafsson (29 Apr 2022)
+- msh3: print boolean value as text representation
+
+ Print the boolean value as its string representation instead of with
+ %hhu which isn't a format we typically use.
+
+ Closes: #8763
+ Reviewed-by: Nick Banks <nibanks@microsoft.com>
+
+Daniel Stenberg (29 Apr 2022)
+- data/test376: set a proper name
+
+- GHA/mbedtls: enabled nghttp2 in the build
+
+ Closes #8767
+
+- mbedtls: fix compile when h2-enabled
+
+ Fixes #8766
+ Reported-by: LigH-de on github
+ Closes #8768
+
+- RELEASE-NOTES: synced
+
+ bumped curlver to 7.83.1-dev
+
+- SECURITY-PROCESS: extended
+
+ Also clarify BUG-BOUNTY.md with IBB details.
+
+ Closes #8754
+
+- [Adam Rosenfield brought this change]
+
+ conn: fix typo 'connnection' -> 'connection' in two function names
+
+ Closes #8759
+
+Version 7.83.0 (27 Apr 2022)
+
+Daniel Stenberg (27 Apr 2022)
+- RELEASE-NOTES: synced
+
+ The 7.83.0 release
+
+- docs/THANKS: contributors from 7.83.0
+
+- test 898/974/976: require proxy to run
+
+ Fixes #8755
+ Reported-by: Marc Hörsken
+ Closes #8756
+
+- gnutls: don't leak the SRP credentials in redirects
+
+ Follow-up to 620ea21410030 and 139a54ed0a172a
+
+ Reported-by: Harry Sintonen
+ Closes #8752
+
+- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS
+
+ Closes #8753
+
+- openssl: don't leak the SRP credentials in redirects either
+
+ Follow-up to 620ea21410030
+
+ Reported-by: Harry Sintonen
+ Closes #8751
+
+- [Liam Warfield brought this change]
+
+ hyper: fix tests 580 and 581 for hyper
+
+ Hyper now has the ability to preserve header order. This commit adds a
+ few lines setting the connection options for this feature.
+
+ Related to issue #8617
+ Closes #8707
+
+- conncache: remove name arg from Curl_conncache_find_bundle
+
+ To simplify, and also since the returned name is not the full actual
+ name used for the check. The port number and zone id is also involved,
+ so just showing the name is misleading.
+
+ Closes #8750
+
+- tests: verify the fix for CVE-2022-27774
+
+ - Test 973 redirects from HTTP to FTP, clear auth
+ - Test 974 redirects from HTTP to HTTP different port, clear auth
+ - Test 975 redirects from HTTP to FTP, permitted to keep auth
+ - Test 976 redirects from HTTP to HTTP different port, permitted to keep
+ auth
+
+- transfer: redirects to other protocols or ports clear auth
+
+ ... unless explicitly permitted.
+
+ Bug: https://curl.se/docs/CVE-2022-27774.html
+ Reported-by: Harry Sintonen
+ Closes #8748
+
+- connect: store "conn_remote_port" in the info struct
+
+ To make it available after the connection ended.
+
+- cookie.d: clarify when cookies are always sent
+
+- test898: verify the fix for CVE-2022-27776
+
+ Do not pass on Authorization headers on redirects to another port
+
+- http: avoid auth/cookie on redirects same host diff port
+
+ CVE-2022-27776
+
+ Reported-by: Harry Sintonen
+ Bug: https://curl.se/docs/CVE-2022-27776.html
+ Closes #8749
+
+- libssh2: make the md5 comparison fail if wrong length
+
+ Making it just skip the check unless exactly 32 is too brittle. Even if
+ the docs says it needs to be exactly 32, it is be safer to make the
+ comparison fail here instead.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1549461
+ Closes #8745
+
+- conncache: include the zone id in the "bundle" hashkey
+
+ Make connections to two separate IPv6 zone ids create separate
+ connections.
+
+ Reported-by: Harry Sintonen
+ Bug: https://curl.se/docs/CVE-2022-27775.html
+ Closes #8747
+
+- [Patrick Monnerat brought this change]
+
+ url: check sasl additional parameters for connection reuse.
+
+ Also move static function safecmp() as non-static Curl_safecmp() since
+ its purpose is needed at several places.
+
+ Bug: https://curl.se/docs/CVE-2022-22576.html
+
+ CVE-2022-22576
+
+ Closes #8746
+
+- libssh2: compare sha256 strings case sensitively
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1549435
+ Closes #8744
+
+- tool_getparam: error out on missing -K file
+
+ Add test 411 to verify.
+
+ Reported-by: Median Median Stride
+ Bug: https://hackerone.com/reports/1542881
+ Closes #8731
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: deal with sub-millisecond timeout
+
+ Closes #8738
+
+- misc: update copyright year ranges
+
+- c_escape: escape '?' in generated --libcurl code
+
+ In order to avoid the risk of it being used in an accidental trigraph in
+ the generated code.
+
+ Reported-by: Harry Sintonen
+ Bug: https://hackerone.com/reports/1548535
+ Closes #8742
+
+- [Philip Heiduck brought this change]
+
+ mlc: curl.zuul.vexxhost.dev is reachable again
+
+ remove it from ignorelist for linkcheck
+
+ Closes #8736
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: avoid busy loop in low CWND situation
+
+ Closes #8739
+
+- TODO: telnet - exit immediately upon connection if stdin is /dev/null
+
+ Suggested-by: Robin A. Meade
+ URL: https://curl.se/mail/archive-2022-04/0027.html
+
+- [Kushal Das brought this change]
+
+ docs: updates spellings with full words
+
+ Closes #8730
+
+- tests/FILEFORMAT.md: spellfix
+
+Daniel Gustafsson (21 Apr 2022)
+- misc: fix typos
+
+ Fix a few random typos is comments and workflow names.
+
+- macos: fix .plist installation into framework
+
+ The copy command introduced in e498a9b1f had leftover '>' from the
+ previous sed command it replaced, which broke its syntax. Fix by
+ removing.
+
+ Reported-by: Emanuele Torre <torreemanuele6@gmail.com>
+
+Daniel Stenberg (21 Apr 2022)
+- [Christopher Degawa brought this change]
+
+ Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved
+
+ The script was moved in 8e22fc68e7dda43e9f but the lines that called it
+ was not changed to reflect it's new position
+
+ Signed-off-by: Christopher Degawa <ccom@randomderp.com>
+
+ Closes #8728
+
+Daniel Gustafsson (20 Apr 2022)
+- macos: set .plist version in autoconf
+
+ Set the libcurl version in libcurl.plist like how libcurl.vers is
+ created.
+
+ Closes: #8692
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
+
+- cookies: Improve errorhandling for reading cookiefile
+
+ The existing programming had some issues with errorhandling for reading
+ the cookie file. If the file failed to open, we would silently ignore it
+ and continue as if there was no file (or stdin) passed. In this case, we
+ would also call fclose() on the NULL FILE pointer, which is undefined
+ behavior. Fix by ensuring that the FILE pointer is set before calling
+ fclose on it, and issue a warning in case the file cannot be opened.
+ Erroring out on nonexisting file would break backwards compatibility of
+ very old behavior so we can't really go there.
+
+ Closes: #8699
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+ Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
+
+Daniel Stenberg (20 Apr 2022)
+- libcurl-tutorial.3: spellfix and minor polish
+
+- CURLINFO_PRIMARY_PORT.3: spellfix
+
+ Reported-by: Patrick Monnerat
+
+- [Jay Dommaschk brought this change]
+
+ libssh: fix double close
+
+ libssh closes the socket in ssh_diconnect() so make sure that libcurl
+ does not also close it.
+
+ Fixes #8708
+ Closes #8718
+
+Jay Satiro (20 Apr 2022)
+- [Gisle Vanem brought this change]
+
+ unit1620: call global_init before calling Curl_open
+
+ Curl_open calls the resolver init and on Windows if the resolver backend
+ is c-ares then the Windows sockets library (winsock) must already have
+ been initialized (via global init).
+
+ Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800
+
+ Closes https://github.com/curl/curl/pull/8719
+
+Daniel Stenberg (19 Apr 2022)
+- CURLINFO_PRIMARY_PORT.3: clarify which port this is
+
+ As it was not entirely clear previously.
+
+ Closes #8725
+
+- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
+
+ Include details about Authentication headers.
+
+ Reported-by: Brad Spencer
+ Fixes #8724
+ Closes #8726
+
+- .github/workflows/macos.yml: add a libssh job with c-ares
+
+ ... to enable the memdebug system
+
+ Closes #8720
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (17 Apr 2022)
+- [Gisle Vanem brought this change]
+
+ docs/HTTP3.md: fix typo
+
+ also fix msh3 section formatting
+
+ Ref: https://github.com/curl/curl/commit/37492ebb#r70980087
+
+Marc Hoersken (17 Apr 2022)
+- timediff.[ch]: add curlx helper functions for timeval conversions
+
+ Also move timediff_t definitions from timeval.h to timediff.h and
+ then make timeval.h include the new standalone-capable timediff.h.
+
+ Reviewed-by: Jay Satiro
+ Reviewed-by: Daniel Stenberg
+
+ Supersedes #5888
+ Closes #8595
+
+Daniel Stenberg (17 Apr 2022)
+- [Balakrishnan Balasubramanian brought this change]
+
+ tests: refactor server/socksd.c to support --unix-socket
+
+ Closes #8687
+
+- [Emanuele Torre brought this change]
+
+ tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
+
+ This loop was using the number of bytes read from the file as condition
+ to keep reading.
+
+ From Linux's fread(3) man page:
+ > On success, fread() and fwrite() return the number of items read or
+ > written. This number equals the number of bytes transferred only when
+ > size is 1. If an error occurs, or the end of the file is reached, the
+ > return value is a short item count (or zero).
+ >
+ > The file position indicator for the stream is advanced by the number
+ > of bytes successfully read or written.
+ >
+ > fread() does not distinguish between end-of-file and error, and
+ > callers must use feof(3) and ferror(3) to determine which occurred.
+
+ This means that nread!=0 doesn't make much sense as an end condition for
+ the loop: nread==0 doesn't necessarily mean that EOF has been reached or
+ an error has occured (but that is usually the case) and nread!=0 doesn't
+ necessarily mean that EOF has not been reached or that no read errors
+ have occured. feof(3) and ferror(3) should be uses when using fread(3).
+
+ Currently curl has to performs an extra fread(3) call to get a return
+ value equal to 0 to stop looping.
+
+ This usually "works" (even though nread==0 shouldn't be interpreted as
+ EOF) if stdin is a pipe because EOF usually marks the "real" end of the
+ stream, so the extra fread(3) call will return immediately and the extra
+ read syscall won't be noticeable:
+
+ bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 |
+ > tail -n 5
+ read(0, "a\n", 4096) = 2
+ read(0, "", 4096) = 0
+ read(0, "", 4096) = 0
+ http://0x0.st/oRs.txt
+ +++ exited with 0 +++
+ bash-5.1$
+
+ But this doesn't work if curl is reading from stdin, stdin is a
+ terminal, and the EOF is being emulated using a shell with ^D. Two
+ consecutive ^D will be required in this case to actually make curl stop
+ reading:
+
+ bash-5.1$ curl -F file=@- 0x0.st
+ a
+ ^D^D
+ http://0x0.st/oRs.txt
+ bash-5.1$
+
+ A possible workaround to this issue is to use a program that handles EOF
+ correctly to indirectly send data to curl's stdin:
+
+ bash-5.1$ cat - | curl -F file=@- 0x0.st
+ a
+ ^D
+ http://0x0.st/oRs.txt
+ bash-5.1$
+
+ This patch makes curl handle EOF properly when using fread(3) in
+ file2memory() so that the workaround is not necessary.
+
+ Since curl was previously ignoring read errors caused by this fread(3),
+ ferror(3) is also used in the condition of the loop: read errors and EOF
+ will have the same meaning; this is done to somewhat preserve the old
+ behaviour instead of making the command fail when a read error occurs.
+
+ Closes #8701
+
+- gen.pl: change wording for mutexed options
+
+ Instead of saying "This option overrides NNN", now say "This option is
+ mutually exclusive to NNN" in the generated man page ouput, as the
+ option does not in all cases actually override the others but they are
+ always mutually exclusive.
+
+ Ref: #8704
+ Closes #8716
+
+- curl: error out if -T and -d are used for the same URL
+
+ As one implies PUT and the other POST, both cannot be used
+ simultaneously.
+
+ Add test 378 to verify.
+
+ Reported-by: Boris Verkhovskiy
+ Fixes #8704
+ Closes #8715
+
+- lib: remove exclamation marks
+
+ ... from infof() and failf() calls. Make them less attention seeking.
+
+ Closes #8713
+
+- fail.d: tweak the description
+
+ Reviewed-by: Daniel Gustafsson
+ Suggested-by: Robert Charles Muir
+ Ref: https://twitter.com/rcmuir/status/1514915401574010887
+
+ Closes #8714
+
+Daniel Gustafsson (15 Apr 2022)
+- docs: Fix missing semicolon in example code
+
+ Multiple share examples were missing a semicolon on the line defining
+ the CURLSHcode variable.
+
+ Closes: #8697
+ Reported-by: Michael Kaufmann <mail@michael-kaufmann.ch>
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- infof: consistent capitalization of warning messages
+
+ Ensure that all infof calls with a warning message are capitalized
+ in the same way. At some point we should probably set up a style-
+ guide for infof but until then let's aim for a little consistenncy
+ where we can.
+
+ Closes: #8711
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+- RELEASE-NOTES: synced
+
+- [Matteo Baccan brought this change]
+
+ perl: removed a double semicolon at end of line
+
+ Remove double semicolons at end of line in Perl code.
+
+ Closes: #8709
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+- curl_easy_header: fix typos in documentation
+
+ Closes: #8694
+ Reviewed-by: Daniel Stenberg <daniel@haxx.se>
+
+Marcel Raad (11 Apr 2022)
+- appveyor: add Cygwin build
+
+ Closes https://github.com/curl/curl/pull/8693
+
+- appveyor: only add MSYS2 to PATH where required
+
+ Closes https://github.com/curl/curl/pull/8693
+
+Daniel Stenberg (10 Apr 2022)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: fix memory leak
+
+ Closes #8691
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: remove remote_addr which is not used in a meaningful way
+
+ Closes #8689
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: enlarge H3_SEND_SIZE
+
+ Make h3_SEND_SIZE larger because current value (20KiB) is too small
+ for the high latency environment.
+
+ Closes #8690
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: fix HTTP/3 upload stall and avoid busy loop
+
+ This commit fixes HTTP/3 upload stall if upload data is larger than
+ H3_SEND_SIZE. Only check writability of socket if a stream is
+ writable to avoid busy loop when QUIC flow control window is filled
+ up, or upload buffer is full.
+
+ Closes #8688
+
+- [Nick Banks brought this change]
+
+ msh3: add support for QUIC and HTTP/3 using msh3
+
+ Considered experimental, as the other HTTP/3 backends.
+
+ Closes #8517
+
+- TODO: "SFTP with SCP://"
+
+- GHA: move bearssl jobs over from zuul
+
+ Closes #8684
+
+- data/DISABLED: disable test 313 on bearssl builds
+
+ Closes #8684
+
+- runtests: add 'bearssl' as testable feature
+
+ Closes #8684
+
+- GHA: add openssl3 jobs moved over from zuul
+
+ Closes #8683
+
+- schannel: remove dead code that will never run
+
+ As the condition can't ever evaluate true
+
+ Reported-by: Andrey Alifanov
+ Ref: #8675
+ Closes #8677
+
+- connecache: remove duplicate connc->closure_handle check
+
+ The superfluous extra check could cause analyzer false positives
+ and doesn't serve any purpose.
+
+ Closes #8676
+
+- [Michał Antoniak brought this change]
+
+ mbedtls: remove server_fd from backend
+
+ Closes #8682
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: use token when detecting :status header field
+
+ Closes #8679
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: make curl 1ms faster
+
+ Pass 0 for an already expired timer.
+
+ Closes #8678
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: fix QUIC_IDLE_TIMEOUT
+
+ QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is
+ nanoseconds resolution.
+
+ Closes #8678
+
+- English: use American spelling consistently
+
+ Authorization, Initialization, Organization etc.
+
+ Closes #8673
+
+Daniel Gustafsson (5 Apr 2022)
+- [Sascha Zengler brought this change]
+
+ BUGS: Fix incorrect punctuation
+
+ Closes #8672
+ Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
+
+Daniel Stenberg (4 Apr 2022)
+- tool_listhelp.c: uppercase URL
+
+- RELEASE-NOTES: synced
+
+- http: streamclose "already downloaded"
+
+ Instead of connclose()ing, since when HTTP/2 is used it doesn't need to
+ close the connection as stopping the current transfer is enough.
+
+ Reported-by: Evangelos Foutras
+ Closes #8665
+
+Jay Satiro (1 Apr 2022)
+- ftp: fix error message for partial file upload
+
+ - Show the count of bytes written on partial file upload.
+
+ Prior to this change the error message mistakenly showed the count of
+ bytes read, not written.
+
+ Bug: https://github.com/curl/curl/discussions/8637
+ Reported-by: Taras Kushnir
+
+ Closes https://github.com/curl/curl/pull/8649
+
+Daniel Stenberg (1 Apr 2022)
+- http: correct the header error message to say colon
+
+ Not semicolon
+
+ Reported-by: Gisle Vanem
+ Ref: #8666
+ Closes #8667
+
+- lib: #ifdef on USE_HTTP2 better
+
+ ... as nghttp2 might not be the library that provides HTTP/2 support.
+
+ Closes #8661
+
+- [Michał Antoniak brought this change]
+
+ mbedtls: remove 'protocols' array from backend when ALPN is not used
+
+ Closes #8663
+
+- http2: RST the stream if we stop it on our own will
+
+ For the "simulated 304" case the done-call isn't considered "premature"
+ but since the server didn't close the stream it needs to be reset to
+ stop delivering data.
+
+ Closes #8664
+
+- http: close the stream (not connection) on time condition abort
+
+ Closes #8664
+
+- http2: handle DONE called for the paused stream
+
+ As it could otherwise stall all streams on the connection
+
+ Reported-by: Evangelos Foutras
+ Fixes #8626
+ Closes #8664
+
+- tls: make mbedtls and NSS check for h2, not nghttp2
+
+ This makes them able to also negotiate HTTP/2 even when built to use
+ hyper for h2.
+
+ Closes #8656
+
+- tests/libtest/lib670.c: fixup the copyright year range
+
+ follow-up to b54e18640ea4b7
+
+- [Leandro Coutinho brought this change]
+
+ lib670: avoid double check result
+
+ Closes #8660
+
+- vtls: use a generic "ALPN, server accepted" message
+
+ Closes #8657
+
+- vtls: use a backend standard message for "ALPN: offers %s"
+
+ I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the
+ infof() call also needs a string argument: the ALPN ID.
+
+ Closes #8657
+
+- [Christian Schmitz brought this change]
+
+ strcase.h: add comment about the return code
+
+ Tool often we run into expecting this to work like strcmp, but it
+ returns 1 instead of 0 for match.
+
+ Closes #8658
+
+- vtls: provide a unified APLN-disagree string for all backends
+
+ Also rephrase to make it sound less dangerous:
+
+ "ALPN: server did not agree on a protocol. Uses default."
+
+ Reported-by: Nick Coghlan
+ Fixes #8643
+ Closes #8651
+
+- projects/README: converted to markdown
+
+ Closes #8652
+
+- misc: spelling fixes
+
+ Mostly in comments but also in the -w documentation for headers_json.
+
+ Closes #8647
+
+- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read
+
+ "HTTP/3 does not support client certs" considered fixed, at least with
+ the ngtcp2 backend.
+
+ Closes #8523
+
+- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs
+
+ Also add to quote.d. Add to TODO as something to add in a future.
+
+ Reported-by: anon00000000 on github
+ Closes #8602
+ Closes #8648
+
+- RELEASE-NOTES: synced
+
+- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood
+
+ This leaves the CURLE_RECV_ERROR error code for explicit failure to
+ receive network data and allows users to better separate the problems.
+
+ Ref #8356
+ Reported-by: Rianov Viacheslav
+ Closes #8506
+
+- docs: lots of minor language polish
+
+ Mostly based on recent language decisions from "everything curl":
+
+ - remove contractions (isn't => is not)
+ - *an* HTTP (consistency)
+ - runtime (no hyphen)
+ - backend (no hyphen)
+ - URL is uppercase
+
+ Closes #8646
+
+Jay Satiro (29 Mar 2022)
+- projects: Update VC version names for VS2017, VS2022
+
+ - Rename VC15 -> VC14.10, VC17 -> VC14.30.
+
+ The projects directory that holds the pre-generated Visual Studio
+ project files uses VC<ver> to indicate the MSVC version. At some point
+ support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC
+ 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17
+ which uses MSVC 14.30) project files were recently added and followed
+ that same format using VC17.
+
+ There is no such MSVC version (yet) as VC15 or VC17.
+
+ For VS 2017 for example, the name we use is correct as either VS17,
+ VS2017, VC14.10. I opted for the latter since we use VC for earlier
+ versions (eg VC10, VC12, etc).
+
+ Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192
+
+ Closes https://github.com/curl/curl/pull/8447
+
+Daniel Stenberg (29 Mar 2022)
+- mqtt: better handling of TCP disconnect mid-message
+
+ Reported-by: Jenny Heino
+ Bug: https://hackerone.com/reports/1521610
+ Closes #8644
+
+- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
+
+- [Ian Blanes brought this change]
+
+ docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr
+
+ Closes #8606
+
+- [Ian Blanes brought this change]
+
+ curl: fix segmentation fault for empty output file names.
+
+ Function glob_match_url set *result to NULL when called with filename =
+ "", producing an indirect NULL pointer dereference.
+
+ Closes #8606
+
+- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519
+
+ It would be nice to expand the list of key locations curl uses for the
+ newer key types supported by libssh2.
+
+ Closes #8586
+
+- ngtcp2: update to work after recent ngtcp2 updates
+
+ Assisted-by: Tatsuhiro Tsujikawa
+ Reported-by: jurisuk on github
+ Fixes #8638
+ Closes #8639
+
+- [Farzin brought this change]
+
+ CURLOPT_PROGRESSFUNCTION.3: fix typo in example
+
+ Closes #8636
+
+- curl/header_json: output the header names in lowercase
+
+ To better allow json[“header”].
+
+ Reported-by: Peter Korsgaard
+ Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878
+ Closes #8633
+
+- RELEASE-NOTES: synced
+
+- headers.h: make Curl_headers_push() be CURLE_OK when not built
+
+ ... to avoid errors when the function isn't there.
+
+ Reported-by: Marcel Raad
+ Fixes #8627
+ Closes #8628
+
+- scripts: move three scripts from lib/ to scripts/
+
+ Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't
+ particularly belong in lib/
+
+ Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying
+ those files in the root Makefile.am
+
+ Closes #8625
+
+Marc Hoersken (23 Mar 2022)
+- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32
+
+ curl_setup.h automatically defines WIN32 if just _WIN32 is defined.
+
+ Therefore make sure curl_setup.h is included through warnless.h.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #8594
+
+- tests/server/util.h: align WIN32 condition with util.c
+
+ There is no need to test for both _WIN32 and WIN32 as curl_setup.h
+ automatically defines the later if the first one is defined.
+
+ Also tests/server/util.c is only checking for WIN32 arouund the
+ implementation of win32_perror, so just defining _WIN32
+ would not be sufficient for a successful compilation.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Jay Satiro
+
+ Closes #8594
+
+Daniel Stenberg (22 Mar 2022)
+- [Philip Heiduck brought this change]
+
+ firefox-db2pem.sh: make the shell script safer
+
+ Reported by lift
+
+ Closes #8616
+
+Jay Satiro (22 Mar 2022)
+- gtls: fix build for disabled TLS-SRP
+
+ Prior to this change if, at build time, the GnuTLS backend was found to
+ have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
+ via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
+
+ Bug: https://curl.se/mail/lib-2022-03/0046.html
+ Reported-by: Robert Brose
+
+ Closes https://github.com/curl/curl/pull/8604
+
+- winbuild: Add a Visual Studio example to the README
+
+ - Add an example that explains in detail how the user can add libcurl to
+ their Visual Studio project.
+
+ Ref: https://github.com/curl/curl/issues/8591
+
+ Closes https://github.com/curl/curl/pull/8592
+
+- docs/opts: Mention Schannel client cert type is P12
+
+ Schannel backend code behaves same as Secure Transport, it expects a P12
+ certificate file or the name of a certificate already in the user's OS
+ key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key)
+ because they expect the private key to already be available from the
+ keystore or P12 certificate.
+
+ Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260
+
+ Closes https://github.com/curl/curl/pull/8587
+
+Daniel Stenberg (22 Mar 2022)
+- lib1945: fix compiler warning 4706 on MSVC
+
+ Follow-up from d1e4a677340c
+
+ Closes #8623
+
+- [Philip Heiduck brought this change]
+
+ ci/event-based.yml: improve impacket install
+
+ skip python3-pip
+ install impacket with library module
+
+ Closes #8621
+
+- test1459: disable for oldlibssh
+
+ This test with libssh 0.9.3 works fine on github but fails on circleci.
+ Might as well disable this test for oldlibssh installations.
+
+ Closes #8622
+
+- test1135: sync with recent API updates
+
+ This test verifies that the order of functions in public headers remain
+ the same but hasn't been updated to care for recently added header
+ files. The order is important for some few platforms - or VERSIONINFO
+ needs to updated.
+
+ This fix also updates VERSIONINFO to be sure.
+
+ Closes #8620
+
+- curl_easy_nextheader.3: fix two typos
+
+ Reported-by: Timothe Litt
+ Bug: https://curl.se/mail/lib-2022-03/0060.html
+
+- options: remove mistaken space before paren in prototype
+
+- cirrus: add --enable-headers-api for some windows builds
+
+- GHA: --enable-headers-api in all workflows
+
+- lib: make the headers API depend on --enable-headers-api
+
+- configure: add --enable-headers-api to enable the headers API
+
+ Defaults to disabled while labeled EXPERIMENTAL.
+
+ Make all the headers API tests require 'headers-api' to run.
+
+- test1671: verify -w '%{header_json}
+
+- test1670: verify -w %header{}
+
+- curl: add %{header_json} support in -w handling
+
+ Outputs all response headers as a JSON object.
+
+- curl: add %header{name} support in -w handling
+
+ Outputs the response header 'name'
+
+- header api: add curl_easy_header and curl_easy_nextheader
+
+ Add test 1940 to 1946 to verify.
+
+ Closes #8593
+
+- test1459: remove the different exit code for oldlibssh
+
+ When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right"
+ error code.
+
+ Closes #8490
+
+- libssh: unstick SFTP transfers when done event-based
+
+ Test 604 and 606 (at least).
+
+ Closes #8490
+
+- gha: move the event-based test over from Zuul
+
+ Switched libssh2 to libssh
+
+ Closes #8490
+
+- RELEASE-NOTES: synced
+
+- http: return error on colon-less HTTP headers
+
+ It's a protocol violation and accepting them leads to no good.
+
+ Add test case 398 to verify
+
+ Closes #8610
+
+- test718: edited slightly to return better HTTP
+
+ Since hyper is picky and won't play ball otherwise.
+
+ Bug: https://github.com/hyperium/hyper/issues/2783
+ Reported-by: Daniel Valenzuela
+ Closes #8614
+
+- hyper: no h2c support
+
+ Make tests require h2c feature present to run, and only set h2c if
+ nghttp2 is used in the build. Hyper does not support it.
+
+ Remove those tests from DISABLED
+
+ Fixes #8605
+ Closes #8613
+
+- configure: bump the copyright year range int the generated output
+
+- [Andreas Falkenhahn brought this change]
+
+ BINDINGS.md: add Hollywood binding
+
+ Closes #8609
+
+- HISTORY: add some 2022 data
+
+- scripts/copyright.pl: ignore the new mlc_config.json file
+
+- [Philip Heiduck brought this change]
+
+ mlc_config.json: add file to ignore known troublesome URLs
+
+ This is the config file for the CI markdown link checker and lets us
+ filter URLs that are known to cause problems. Like
+ https://curl.zuul.vexxhost.dev/ for now.
+
+ Closes #8597
+
+- [Philip Heiduck brought this change]
+
+ winbuild/README.md: fixup dead link
+
+ Closes #8597
+
+Jay Satiro (18 Mar 2022)
+- rtsp: don't let CSeq error override earlier errors
+
+ - When done, if an error has already occurred then don't check the
+ sequence numbers for mismatch.
+
+ A sequence number may not have been received if an error occurred.
+
+ Prior to this change a sequence mismatch error would override earlier
+ errors. For example, a server that returns nothing would cause error
+ CURLE_GOT_NOTHING in Curl_http_done which was then overridden by
+ CURLE_RTSP_CSEQ_ERROR in rtsp_done.
+
+ Closes https://github.com/curl/curl/pull/8525
+
+- lib: fix some misuse of curlx_convert_wchar_to_UTF8
+
+ curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but
+ prior to this change some uses mistakenly called free.
+
+ I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and
+ curlx_convert_UTF8_to_wchar.
+
+ Ref: https://github.com/curl/curl/commit/1d5d0ae
+
+ Closes https://github.com/curl/curl/pull/8521
+
+- mk-ca-bundle.pl: Use stricter logic to process the certificates
+
+ .. and bump version to 1.29.
+
+ This change makes the script properly ignore unknown blocks and
+ otherwise fail when Mozilla changes the certdata format in ways we
+ don't expect. Though this is less flexible behavior it makes it far less
+ likely that an invalid certificate can slip through.
+
+ Prior to this change the state machine did not always properly reset,
+ and it was possible that a certificate marked as invalid could then
+ later be marked as valid when there was conflicting trust info or
+ an unknown block was erroneously processed as part of the certificate.
+
+ Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569
+
+ Closes https://github.com/curl/curl/pull/8411
+
+Marcel Raad (17 Mar 2022)
+- test375: fix line endings on Windows
+
+ Closes https://github.com/curl/curl/pull/8599
+
+Daniel Stenberg (17 Mar 2022)
+- http: reject header contents with nul bytes
+
+ They are not allowed by the protocol and allowing them risk that curl
+ misbehaves somewhere where C functions are used but won't work on the
+ full contents. Further, they are not supported by hyper and they cause
+ problems for the new coming headers API work.
+
+ Updated test 262 to verify and enabled it for hyper as well
+
+ Closes #8601
+
+- [Philip Heiduck brought this change]
+
+ CI: Do not use buildconf. Instead, just use: autoreconf -fi
+
+ Closes #8596
+
+- RELEASE-NOTES: synced
+
+Jay Satiro (14 Mar 2022)
+- libssh: Improve fix for missing SSH_S_ stat macros
+
+ - If building libcurl against an old libssh version missing SSH_S_IFMT
+ and SSH_S_IFLNK then use the values from a supported version.
+
+ Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK
+ then S_IFMT and S_IFLNK, respectively, were used instead. The problem
+ with that is the user's S_ stat macros don't have the same values across
+ platforms. For example Windows has values different from Linux.
+
+ Follow-up to 7b0fd39.
+
+ Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391
+ Ref: https://github.com/curl/curl/pull/8574
+
+ Closes https://github.com/curl/curl/pull/8588
+
+Marc Hoersken (13 Mar 2022)
+- tool and tests: force flush of all buffers at end of program
+
+ On Windows data can be lost in buffers in case of abnormal program
+ termination, especially in process chains as seen due to flaky tests.
+ Therefore flushing all buffers manually should avoid this data loss.
+
+ In the curl tool we play the safe game by only flushing write buffers,
+ but in the testsuite where we manage all buffers, we flush everything.
+
+ This should drastically reduce Windows CI and testsuite flakiness.
+
+ Reviewed-by: Daniel Stenberg
+
+ Supersedes #7833 and #6064
+ Closes #8516
+
+Daniel Stenberg (12 Mar 2022)
+- [Jan Venekamp brought this change]
+
+ BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
+
+ Closes #8478
+
+- [Jan Venekamp brought this change]
+
+ BearSSL: add CURLOPT_SSL_CIPHER_LIST support
+
+ Closes #8477
+
+Dan Fandrich (11 Mar 2022)
+- tool_cb_hdr: Turn the Location: into a terminal hyperlink
+
+ This turns even relative URLs into clickable hyperlinks in a supported
+ terminal when --styled-output is enabled. Many terminals already turn
+ URLs into clickable links but there is not enough information in a
+ relative URL to do this automatically otherwise.
+
+- keepalive-time.d: It takes many probes to detect brokenness
+
+Daniel Stenberg (11 Mar 2022)
+- [HexTheDragon brought this change]
+
+ curl: add --no-clobber
+
+ Does not overwrite output files if they already exist
+
+ Closes #7708
+ Co-authored-by: Daniel Stenberg
+
+- RELEASE-NOTES: synced
+
+ also bump next pending version to become 7.83.0
+
+- [Jean-Philippe Menil brought this change]
+
+ openssl: check SSL_get_peer_cert_chain return value
+
+ Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
+ Closes #8579
+
+- [Jay Satiro brought this change]
+
+ mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl
+
+ mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate
+ extraction, similar to mk-ca-bundle.pl which runs on any platform. The
+ vbs version has not been maintained while the perl version has been
+ maintained with improvements and security fixes. I don't think it's
+ worth the work to maintain both versions. Windows users should be able
+ to use mk-ca-bundle.pl without any problems, as long as they have perl.
+
+ Closes #8412
+
+- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype
+
+ Copy and paste error
+
+ Reported-by: Francisco Olarte
+ Fixes #8573
+ Closes #8577
+
+- remove-on-error.d: typo
+
+ Reported-by: Colin Leroy
+ Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081
+
+- curl: add --remove-on-error
+
+ If a transfer returns an error, using this option makes curl remove the
+ leftover downloded (partial) local file before exiting.
+
+ Added test 376 to verify
+
+ Closes #8503
+
+- libssh: fix build with old libssh versions
+
+ ... that don't have the SSH_S_* defines. Spotted on a machine using
+ libssh 0.7.3
+
+ Closes #8574
+
+- hyper: fix status_line() return code
+
+ Detected while working on #7708 that happened to trigger an error here
+ with a new test case.
+
+ Closes #8572
+
+- [Alejandro R. Sedeño brought this change]
+
+ configure.ac: move -pthread CFLAGS setting back where it used to be
+
+ The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"`
+ earlier than it used to be set, applying it in cases where it should not
+ have been applied.
+
+ This moves the AIX XLC check to a new `case $host in` block inside of
+ the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS
+ -pthead"` used to happen.
+
+ Fixes #8541
+ Closes #8542
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ ngtcp2: add client certificate authentication for OpenSSL
+
+ Closes #8522
+
+- tool_operate: fix a scan-build warning
+
+ ... and avoid the temp storing of the return code in a diff variable.
+
+ Closes #8565
+
+- test375: verify that --proxy errors out if proxy is disabled in the build
+
+ Closes #8565
+
+- curl: error out when options need features not present in libcurl
+
+ Trying to use a proxy when libcurl was built with proxy support disabled
+ should make curl error out properly.
+
+ Remove knowledge of disabled features from the tool code and instead
+ make it properly respond to what libcurl returns. Update all tests to
+ properly require the necessary features to be present/absent so that the
+ test suite can still be run even with libcurl builds with disabled
+ features.
+
+ Ref: https://curl.se/mail/archive-2022-03/0013.html
+ Closes #8565
+
+- ngtcp2: disconnect the QUIC connection proper
+
+ Reported-by: mehatzri on github
+ Reviewed-by: Tatsuhiro Tsujikawa
+ Fixes #8534
+ closes #8569
+
+Dan Fandrich (9 Mar 2022)
+- test386: Fix an incorrect test markup tag
+
+Daniel Stenberg (9 Mar 2022)
+- [Don J Olmstead brought this change]
+
+ nonblock: restore setsockopt method to curlx_nonblock
+
+ The implementation using setsockopt was removed when BeOS support was
+ purged. However this functionality wasn't BeOS specific, it is still
+ used by for example Orbis OS (Playstation 4/5 OS).
+
+ Closes #8562
+
+- openssl: fix CN check error code
+
+ Due to a missing 'else' this returns error too easily.
+
+ Regressed in: d15692ebb
+
+ Reported-by: Kristoffer Gleditsch
+ Fixes #8559
+ Closes #8560
+
+- [Frank Meier brought this change]
+
+ connect: make Curl_getconnectinfo work with conn cache from share handle
+
+ Closes #8524