diff -Nru curl-7.60.0/acinclude.m4 curl-7.61.0/acinclude.m4
--- curl-7.60.0/acinclude.m4 2018-05-07 09:18:02.000000000 +0000
+++ curl-7.61.0/acinclude.m4 2018-07-09 06:42:12.000000000 +0000
@@ -5,7 +5,7 @@
 # | (__| |_| | _ <| |___
 # \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
+# Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -960,212 +960,6 @@
 fi
 ])
-
-dnl CURL_CHECK_FUNC_GETNAMEINFO
-dnl -------------------------------------------------
-dnl Test if the getnameinfo function is available,
-dnl and check the types of five of its arguments.
-dnl If the function succeeds HAVE_GETNAMEINFO will be
-dnl defined, defining the types of the arguments in
-dnl GETNAMEINFO_TYPE_ARG1, GETNAMEINFO_TYPE_ARG2,
-dnl GETNAMEINFO_TYPE_ARG46 and GETNAMEINFO_TYPE_ARG7,
-dnl and also defining the type qualifier of first
-dnl argument in GETNAMEINFO_QUAL_ARG1.
-
-AC_DEFUN([CURL_CHECK_FUNC_GETNAMEINFO], [
- AC_REQUIRE([CURL_CHECK_HEADER_WS2TCPIP])dnl
- AC_CHECK_HEADERS(sys/types.h sys/socket.h netdb.h)
- #
- AC_MSG_CHECKING([for getnameinfo])
- AC_LINK_IFELSE([
- AC_LANG_FUNC_LINK_TRY([getnameinfo])
- ],[
- AC_MSG_RESULT([yes])
- curl_cv_getnameinfo="yes"
- ],[
- AC_MSG_RESULT([no])
- curl_cv_getnameinfo="no"
- ])
- #
- if test "$curl_cv_getnameinfo" != "yes"; then
- AC_MSG_CHECKING([deeper for getnameinfo])
- AC_LINK_IFELSE([
- AC_LANG_PROGRAM([[
- ]],[[
- getnameinfo();
- ]])
- ],[
- AC_MSG_RESULT([yes])
- curl_cv_getnameinfo="yes"
- ],[
- AC_MSG_RESULT([but still no])
- curl_cv_getnameinfo="no"
- ])
- fi
- #
- if test "$curl_cv_getnameinfo" != "yes"; then
- AC_MSG_CHECKING([deeper and deeper for getnameinfo])
- AC_LINK_IFELSE([
- AC_LANG_PROGRAM([[
-#undef inline
-#ifdef HAVE_WINDOWS_H
-#ifndef WIN32_LEAN_AND_MEAN
-#define WIN32_LEAN_AND_MEAN
-#endif
-#include
-#ifdef HAVE_WINSOCK2_H
-#include
-#ifdef HAVE_WS2TCPIP_H
-#include
-#endif
-#endif
-#else
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#endif
- ]],[[
- getnameinfo(0, 0, 0, 0, 0, 0, 0);
- ]])
- ],[
- AC_MSG_RESULT([yes])
- curl_cv_getnameinfo="yes"
- ],[
- AC_MSG_RESULT([but still no])
- curl_cv_getnameinfo="no"
- ])
- fi
- #
- if test "$curl_cv_getnameinfo" = "yes"; then
- AC_CACHE_CHECK([types of arguments for getnameinfo],
- [curl_cv_func_getnameinfo_args], [
- curl_cv_func_getnameinfo_args="unknown"
- for gni_arg1 in 'struct sockaddr *' 'const struct sockaddr *' 'void *'; do
- for gni_arg2 in 'socklen_t' 'size_t' 'int'; do
- for gni_arg46 in 'size_t' 'int' 'socklen_t' 'unsigned int' 'DWORD'; do
- for gni_arg7 in 'int' 'unsigned int'; do
- if test "$curl_cv_func_getnameinfo_args" = "unknown"; then
- AC_COMPILE_IFELSE([
- AC_LANG_PROGRAM([[
-#undef inline
-#ifdef HAVE_WINDOWS_H
-#ifndef WIN32_LEAN_AND_MEAN
-#define WIN32_LEAN_AND_MEAN
-#endif
-#if (!defined(_WIN32_WINNT)) || (_WIN32_WINNT < 0x0501)
-#undef _WIN32_WINNT
-#define _WIN32_WINNT 0x0501
-#endif
-#include
-#ifdef HAVE_WINSOCK2_H
-#include
-#ifdef HAVE_WS2TCPIP_H
-#include
-#endif
-#endif
-#define GNICALLCONV WSAAPI
-#else
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#define GNICALLCONV
-#endif
- extern int GNICALLCONV
-#ifdef __ANDROID__
-__attribute__((overloadable))
-#endif
- getnameinfo($gni_arg1, $gni_arg2,
- char *, $gni_arg46,
- char *, $gni_arg46,
- $gni_arg7);
- ]],[[
- $gni_arg2 salen=0;
- $gni_arg46 hostlen=0;
- $gni_arg46 servlen=0;
- $gni_arg7 flags=0;
- int res = getnameinfo(0, salen, 0, hostlen, 0, servlen, flags);
- ]])
- ],[
- curl_cv_func_getnameinfo_args="$gni_arg1,$gni_arg2,$gni_arg46,$gni_arg7"
- ])
- fi
- done
- done
- done
- done
- ]) # AC-CACHE-CHECK
- if test "$curl_cv_func_getnameinfo_args" = "unknown"; then
- AC_MSG_WARN([Cannot find proper types to use for getnameinfo args])
- AC_MSG_WARN([HAVE_GETNAMEINFO will not be defined])
- else
- gni_prev_IFS=$IFS; IFS=','
- set dummy `echo "$curl_cv_func_getnameinfo_args" | sed 's/\*/\*/g'`
- IFS=$gni_prev_IFS
- shift
- #
- gni_qual_type_arg1=$[1]
- #
- AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG2, $[2],
- [Define to the type of arg 2 for getnameinfo.])
- AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG46, $[3],
- [Define to the type of args 4 and 6 for getnameinfo.])
- AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG7, $[4],
- [Define to the type of arg 7 for getnameinfo.])
- #
- prev_sh_opts=$-
- #
- case $prev_sh_opts in
- *f*)
- ;;
- *)
- set -f
- ;;
- esac
- #
- case "$gni_qual_type_arg1" in
- const*)
- gni_qual_arg1=const
- gni_type_arg1=`echo $gni_qual_type_arg1 | sed 's/^const //'`
- ;;
- *)
- gni_qual_arg1=
- gni_type_arg1=$gni_qual_type_arg1
- ;;
- esac
- #
- AC_DEFINE_UNQUOTED(GETNAMEINFO_QUAL_ARG1, $gni_qual_arg1,
- [Define to the type qualifier of arg 1 for getnameinfo.])
- AC_DEFINE_UNQUOTED(GETNAMEINFO_TYPE_ARG1, $gni_type_arg1,
- [Define to the type of arg 1 for getnameinfo.])
- #
- case $prev_sh_opts in
- *f*)
- ;;
- *)
- set +f
- ;;
- esac
- #
- AC_DEFINE_UNQUOTED(HAVE_GETNAMEINFO, 1,
- [Define to 1 if you have the getnameinfo function.])
- curl_cv_func_getnameinfo="yes"
- fi
- fi
-])
-
-
 dnl TYPE_SOCKADDR_STORAGE
 dnl -------------------------------------------------
 dnl Check for struct sockaddr_storage. Most IPv6-enabled
@@ -1203,107 +997,6 @@
 ])
 ])
-
-dnl CURL_CHECK_NI_WITHSCOPEID
-dnl -------------------------------------------------
-dnl Check for working NI_WITHSCOPEID in getnameinfo()
-
-AC_DEFUN([CURL_CHECK_NI_WITHSCOPEID], [
- AC_REQUIRE([CURL_CHECK_FUNC_GETNAMEINFO])dnl
- AC_REQUIRE([TYPE_SOCKADDR_STORAGE])dnl
- AC_CHECK_HEADERS(stdio.h sys/types.h sys/socket.h \
- netdb.h netinet/in.h arpa/inet.h)
- #
- AC_CACHE_CHECK([for working NI_WITHSCOPEID],
- [curl_cv_working_ni_withscopeid], [
- AC_RUN_IFELSE([
- AC_LANG_PROGRAM([[
-#ifdef HAVE_STDLIB_H
-#include
-#endif
-#ifdef HAVE_STDIO_H
-#include
-#endif
-#ifdef HAVE_SYS_TYPES_H
-#include
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include
-#endif
-#ifdef HAVE_NETDB_H
-#include
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include
-#endif
-#ifdef HAVE_ARPA_INET_H
-#include
-#endif
- ]],[[
-#if defined(NI_WITHSCOPEID) && defined(HAVE_GETNAMEINFO)
-#ifdef HAVE_STRUCT_SOCKADDR_STORAGE
- struct sockaddr_storage sa;
-#else
- unsigned char sa[256];
-#endif
- char hostbuf[NI_MAXHOST];
- int rc;
- GETNAMEINFO_TYPE_ARG2 salen = (GETNAMEINFO_TYPE_ARG2)sizeof(sa);
- GETNAMEINFO_TYPE_ARG46 hostlen = (GETNAMEINFO_TYPE_ARG46)sizeof(hostbuf);
- GETNAMEINFO_TYPE_ARG7 flags = NI_NUMERICHOST | NI_NUMERICSERV | NI_WITHSCOPEID;
- int fd = socket(AF_INET6, SOCK_STREAM, 0);
- if(fd < 0) {
- perror("socket()");
- return 1; /* Error creating socket */
- }
- rc = getsockname(fd, (GETNAMEINFO_TYPE_ARG1)&sa, &salen);
- if(rc) {
- perror("getsockname()");
- return 2; /* Error retrieving socket name */
- }
- rc = getnameinfo((GETNAMEINFO_TYPE_ARG1)&sa, salen, hostbuf, hostlen, NULL, 0, flags);
- if(rc) {
- printf("rc = %s\n", gai_strerror(rc));
- return 3; /* Error translating socket address */
- }
- return 0; /* Ok, NI_WITHSCOPEID works */
-#else
- return 4; /* Error, NI_WITHSCOPEID not defined or no getnameinfo() */
-#endif
- ]]) # AC-LANG-PROGRAM
- ],[
- # Exit code == 0. Program worked.
- curl_cv_working_ni_withscopeid="yes"
- ],[
- # Exit code != 0. Program failed.
- curl_cv_working_ni_withscopeid="no"
- ],[
- # Program is not run when cross-compiling. So we assume
- # NI_WITHSCOPEID will work if we are able to compile it.
- AC_COMPILE_IFELSE([
- AC_LANG_PROGRAM([[
-#include
-#include
-#include
- ]],[[
- unsigned int dummy= NI_NUMERICHOST | NI_NUMERICSERV | NI_WITHSCOPEID;
- ]])
- ],[
- curl_cv_working_ni_withscopeid="yes"
- ],[
- curl_cv_working_ni_withscopeid="no"
- ]) # AC-COMPILE-IFELSE
- ]) # AC-RUN-IFELSE
- ]) # AC-CACHE-CHECK
- case "$curl_cv_working_ni_withscopeid" in
- yes)
- AC_DEFINE(HAVE_NI_WITHSCOPEID, 1,
- [Define to 1 if NI_WITHSCOPEID exists and works.])
- ;;
- esac
-])
-
-
 dnl CURL_CHECK_FUNC_RECV
 dnl -------------------------------------------------
 dnl Test if the socket recv() function is available,
@@ -2464,7 +2157,7 @@
 dnl just run a program to verify that the libs checked for previous to this
 dnl point also is available run-time!
 AC_MSG_CHECKING([run-time libs availability])
- AC_TRY_RUN([
+ CURL_RUN_IFELSE([
 main()
 {
 return 0;
diff -Nru curl-7.60.0/aclocal.m4 curl-7.61.0/aclocal.m4
--- curl-7.60.0/aclocal.m4 2018-05-14 12:20:29.000000000 +0000
+++ curl-7.61.0/aclocal.m4 2018-07-09 06:52:17.000000000 +0000
@@ -1187,6 +1187,7 @@
 ]) # _AM_PROG_TAR
 m4_include([m4/ax_code_coverage.m4])
+m4_include([m4/ax_compile_check_sizeof.m4])
 m4_include([m4/curl-compilers.m4])
 m4_include([m4/curl-confopts.m4])
 m4_include([m4/curl-functions.m4])
diff -Nru curl-7.60.0/CHANGES curl-7.61.0/CHANGES
--- curl-7.60.0/CHANGES 2018-05-16 06:18:13.000000000 +0000
+++ curl-7.61.0/CHANGES 2018-07-11 06:01:06.000000000 +0000
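Review bot: The run-time libs probe in the `@@ -2464,7 +2157,7 @@` hunk of acinclude.m4 still declares its test program as `main()` with an implicit int return type, which compilers defaulting to C99 or later can reject; a compile failure here would be reported as the libraries being unavailable at run time, so `int main(void)` is the safer spelling. The call now goes through `CURL_RUN_IFELSE` instead of `AC_TRY_RUN`, and the wrapper's definition is not visible in this diff, so a short `dnl` comment above the call saying what the wrapper changes about the environment the probe runs in (presumably the library search path; confirm against its definition) would help anyone auditing what configure executes. The macro call continues past the end of the hunk, so its result branches and any cross-compile handling cannot be checked from here.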
@@ -6,7166 +6,7266 @@ Changelog -Version 7.60.0 (15 May 2018) +Version 7.61.0 (11 Jul 2018) -Daniel Stenberg (15 May 2018) -- RELEASE-NOTES: 7.60.0 release +Daniel Stenberg (11 Jul 2018) +- release: 7.61.0 -- THANKS: added people from the curl 7.60.0 release +- TODO: Configurable loading of OpenSSL configuration file + + Closes #2724 -- docs/libcurl/index.html: removed +- post303.d: clarify that this is an RFC violation - The HTML files are long gone from the dist, now remove the last HTML - file pointing to those missing files. + ... and not the other way around, which this previously said. - d + Reported-by: Vasiliy Faronov + Fixes #2723 + Closes #2726 -- [steini2000 brought this change] +- [Ruslan Baratov brought this change] - http2: remove unused variable + CMake: remove redundant and old end-of-block syntax - Closes #2570 + Reviewed-by: Jakub Zakrzewski + Closes #2715 -- [steini2000 brought this change] +Jay Satiro (9 Jul 2018) +- lib/curl_setup.h: remove unicode character + + Follow-up to 82ce416. + + Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818 - http2: use easy handle of stream for logging +Daniel Stenberg (9 Jul 2018) +- lib/curl_setup.h: remove unicode bom from 8272ec50f02 -- gcc: disable picky gcc-8 function pointer warnings in two places +Marcel Raad (9 Jul 2018) +- schannel: fix -Wsign-compare warning - Reported-by: Rikard Falkeborn - Bug: #2560 - Closes #2569 + MinGW warns: + /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in + conditional expression [-Wsign-compare] + + Fix this by casting the ptrdiff_t to size_t as we know it's positive. + + Closes https://github.com/curl/curl/pull/2721 -- http2: use the correct function pointer typedef +- schannel: workaround for wrong function signature in w32api - Fixes gcc-8 picky compiler warnings - Reported-by: Rikard Falkeborn - Bug: #2560 - Closes #2568 + Original MinGW's w32api has CryptHashData's second parameter as BYTE * + instead of const BYTE *. 
+ + Closes https://github.com/curl/curl/pull/2721 -- CODE_STYLE: mention return w/o parens, but sizeof with +- schannel: make more cipher options conditional - ... and remove the github markdown syntax so that it renders better on - the web site. Also, don't use back-ticks inlined to allow the CSS to - highlight source code better. + They are not defined in the original MinGW's . + + Closes https://github.com/curl/curl/pull/2721 -- [Rikard Falkeborn brought this change] +- curl_setup: include before + + Otherwise, only part of it gets pulled in through on + original MinGW. + + Fixes https://github.com/curl/curl/issues/2361 + Closes https://github.com/curl/curl/pull/2721 - examples: Fix format specifiers +- examples: fix -Wformat warnings - Closes #2561 + When size_t is not a typedef for unsigned long (as usually the case on + Windows), GCC emits -Wformat warnings when using lu and lx format + specifiers with size_t. Silence them with explicit casts to + unsigned long. + + Closes https://github.com/curl/curl/pull/2721 -- [Rikard Falkeborn brought this change] +Daniel Stenberg (9 Jul 2018) +- smtp: use the upload buffer size for scratch buffer malloc + + ... not the read buffer size, as that can be set smaller and thus cause + a buffer overflow! CVE-2018-0500 + + Reported-by: Peter Wu + Bug: https://curl.haxx.se/docs/adv_2018-70a2.html - tool: Fix format specifiers +- [Dave Reisner brought this change] -- [Rikard Falkeborn brought this change] + scripts: include _curl as part of CLEANFILES + + Closes #2718 - ntlm: Fix format specifiers +- [Nick Zitzmann brought this change] -- [Rikard Falkeborn brought this change] + darwinssl: allow High Sierra users to build the code using GCC + + ...but GCC users lose out on TLS 1.3 support, since we can't weak-link + enumeration constants. 
+ + Fixes #2656 + Closes #2703 - tests: Fix format specifiers +- [Ruslan Baratov brought this change] -- [Rikard Falkeborn brought this change] + CMake: Remove unused 'output_var' from 'collect_true' + + Variable 'output_var' is not used and can be removed. + Function 'collect_true' renamed to 'count_true'. - lib: Fix format specifiers +- [Ruslan Baratov brought this change] -- contributors.sh: use "on github", not at + CMake: Remove unused functions + + Closes #2711 -- http2: getsock fix for uploads +- KNOWN_BUGS: Stick to same family over SOCKS proxy + +- libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE - When there's an upload in progress, make sure to wait for the socket to - become writable. + ... because otherwise not everything get closed down correctly. - Detected-by: steini2000 on github - Bug: #2520 - Closes #2567 + Fixes #2708 + Closes #2712 -- pingpong: fix response cache memcpy overflow +- libssh: include line number in state change debug messages - Response data for a handle with a large buffer might be cached and then - used with the "closure" handle when it has a smaller buffer and then the - larger cache will be copied and overflow the new smaller heap based - buffer. + Closes #2713 + +- KNOWN_BUGS: Borland support is dropped, AIX problem is too old + +- [Jeroen Ooms brought this change] + + example/crawler.c: simple crawler based on libxml2 - Reported-by: Dario Weisser - CVE: CVE-2018-1000300 - Bug: https://curl.haxx.se/docs/adv_2018-82c2.html + Closes #2706 -- http: restore buffer pointer when bad response-line is parsed +- RELEASE-NOTES: synced + +- DEPRECATE: include year when specifying date + +- DEPRECATE: linkified + +- DEPRECATE: mention the PR that disabled axTLS + +- docs/DEPRECATE.md: spelling and minor formatting + +- DEPRECATE: new doc describing planned item removals - ... leaving the k->str could lead to buffer over-reads later on. 
+ Closes #2704 + +- [Gisle Vanem brought this change] + + telnet: fix clang warnings - CVE: CVE-2018-1000301 - Assisted-by: Max Dymond + telnet.c(1401,28): warning: cast from function call of type 'int' to + non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast] - Detected by OSS-Fuzz. - Bug: https://curl.haxx.se/docs/adv_2018-b138.html - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 + Fixes #2696 + Closes #2700 -Patrick Monnerat (13 May 2018) -- cookies: do not take cookie name as a parameter +- docs: fix missed option name markups + +- [Gaurav Malhotra brought this change] + + openssl: Remove some dead code - RFC 6265 section 4.2.1 does not set restrictions on cookie names. - This is a follow-up to commit 7f7fcd0. - Also explicitly check proper syntax of cookie name/value pair. + Closes #2698 + +- openssl: make the requested TLS version the *minimum* wanted - New test 1155 checks that cookie names are not reserved words. + The code treated the set version as the *exact* version to require in + the TLS handshake, which is not what other TLS backends do and probably + not what most people expect either. - Reported-By: anshnd at github - Fixes #2564 - Closes #2566 + Reported-by: Andreas Olsson + Assisted-by: Gaurav Malhotra + Fixes #2691 + Closes #2694 -Daniel Stenberg (12 May 2018) -- smb: reject negative file sizes +- RELEASE-NOTES: synced + +- openssl: allow TLS 1.3 by default - Assisted-by: Max Dymond + Reported-by: Andreas Olsson + Fixes #2692 + Closes #2693 + +- [Adrian Peniak brought this change] + + CURLINFO_TLS_SSL_PTR.3: improve the example - Detected by OSS-Fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 + The previous example was a little bit confusing, because SSL* structure + (or other "in use" SSL connection pointer) is not accessible after the + transfer is completed, therefore working with the raw TLS library + specific pointer needs to be done during transfer. 
+ + Closes #2690 -- setup_transfer: deal with both sockets being -1 +- travis: add a build using the synchronous name resolver - Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would - index the array with -1 if neither index was a socket. + ... since default uses the threaded one and we test the c-ares build + already. + + Closes #2689 -- travis: add build using NSS +- configure: remove CURL_CHECK_NI_WITHSCOPEID too - Closes #2558 + Since it isn't used either and requires the getnameinfo check + + Follow-up to 0aeca41702d2 -- [Sunny Purushe brought this change] +- getnameinfo: not used + + Closes #2687 - openssl: change FILE ops to BIO ops +- easy_perform: use *multi_timeout() to get wait times - To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES - handling is causing problems. This fix changes the OpenSSL backend code - to use BIO functions instead of FILE I/O functions to circumvent those - problems. + ... and trim the threaded Curl_resolver_getsock() to return zero + millisecond wait times during the first three milliseconds so that + localhost or names in the OS resolver cache gets detected and used + faster. - Closes #2512 + Closes #2685 -- travis: add a build using WolfSSL +Max Dymond (27 Jun 2018) +- configure: Add dependent libraries after crypto - Assisted-by: Dan Fandrich + The linker is pretty dumb and processes things left to right, keeping a + tally of symbols it hasn't resolved yet. So, we need -ldl to appear + after -lcrypto otherwise the linker won't find the dl functions. - Closes #2528 + Closes #2684 -- RELEASE-NOTES: typo +Daniel Stenberg (27 Jun 2018) +- GOVERNANCE: linkify, changed some titles + +- GOVERNANCE: add maintainer details/duties + +- url: check Curl_conncache_add_conn return code + + ... it was previously unchecked in two places and thus errors could + remain undetected and cause trouble. 
+ + Closes #2681 + +- include/README: remove "hacking" advice, not the right place - RELEASE-NOTES: synced -- [Daniel Gustafsson brought this change] +- CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake + + Follow-up to b6a16afa0aa5 - URLs: fix one more http url +- netrc: use a larger buffer - This file wasn't included in commit 4af40b3646d3b09 which updated all - haxx.se http urls to https. The file was committed prior to that update, - but may have been merged after it and hence didn't get updated. + ... to work with longer passwords etc. Grow it from a 256 to a 4096 + bytes buffer. - Closes #2550 + Reported-by: Dario Nieuwenhuis + Fixes #2676 + Closes #2680 -- github/lock: auto-lock closed issues after 90 days of inactivity +- [Patrick Schlangen brought this change] -- vtls: fix missing commas + CURLOPT_SSL_VERIFYPEER.3: Add performance note - follow-up to e66cca046cef + Closes #2673 -- vtls: use unified "supports" bitfield member in backends - - ... instead of previous separate struct fields, to make it easier to - extend and change individual backends without having to modify them all. +- [Javier Blazquez brought this change] + + multi: fix crash due to dangling entry in connect-pending list - closes #2547 + Fixes #2677 + Closes #2679 -- transfer: don't unset writesockfd on setup of multiplexed conns +- ConnectionExists: make sure conn->data is set when "taking" a connection - Curl_setup_transfer() can be called to setup a new individual transfer - over a multiplexed connection so it shouldn't unset writesockfd. + Follow-up to 2c15693. - Bug: #2520 - Closes #2549 + Bug #2674 + Closes #2675 -- [Frank Gevaerts brought this change] +- [Kevin R. Bulgrien brought this change] - configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h + system.h: fix for gcc on 32 bit OpenServer - They are removed from the compiler flags. 
+ Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html + +- [Raphael Gozzo brought this change] + + cmake: allow multiple SSL backends - This ensures that make dependency tracking will force a rebuild whenever - configure --enable-debug or --enable-curldebug changes. + This will make possible to select the SSL backend (using + curl_global_sslset()) even when the libcurl is built using CMake - Closes #2548 + Closes #2665 -- http: don't set the "rewind" flag when not uploading anything +- url: fix dangling conn->data pointer - It triggers an assert. + By masking sure to use the *current* easy handle with extracted + connections from the cache, and make sure to NULLify the ->data pointer + when the connection is put into the cache to make this mistake easier to + detect in the future. - Detected by OSS-Fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 - Closes #2546 + Reported-by: Will Dietz + Fixes #2669 + Closes #2672 -- travis: add an mbedtls build - - Closes #2531 +- CURLOPT_INTERFACE.3: interface names not supported on Windows -- configure: only check for CA bundle for file-using SSL backends +- travis: run more tests for coverage check - When only building with SSL backends that don't use the CA bundle file - (by default), skip the check. + ... run a few more tortured based and run all tests event-based. - Fixes #2543 - Fixes #2180 - Closes #2545 + Closes #2664 -- ssh-libssh.c: fix left shift compiler warning +- multi: fix memory leak when stopped during name resolve - ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to - represent, but 'int' only has 32 bits [-Wshift-overflow=] + When the application just started the transfer and then stops it while + the name resolve in the background thread hasn't completed, we need to + wait for the resolve to complete and then cleanup data accordingly. - 'len' will never be that big anyway so I converted the run-time check to - a regular assert. 
- -- [Stephan Mühlstrasser brought this change] - - URL: fix ASCII dependency in strcpy_url and strlen_url + Enabled test 1553 again and added test 1590 to also check when the host + name resolves successfully. - Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the - changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of - the problem that strcpy_url() was modified unilaterally without also - modifying strlen_url(). As a consequence strcpy_url() was again - depending on ASCII encoding. + Detected by OSS-fuzz. + Closes #1968 + +Viktor Szakats (15 Jun 2018) +- maketgz: delete .bak files, fix indentation - This change fixes strlen_url() and strcpy_url() in parallel to use a - common host-encoding independent criterion for deciding whether an URL - character must be %-escaped. + Ref: https://github.com/curl/curl/pull/2660 - Closes #2535 + Closes https://github.com/curl/curl/pull/2662 -- [Denis Ollier brought this change] +Daniel Stenberg (15 Jun 2018) +- runtests.pl: remove debug leftover from bb9a340c73f3 - docs: remove extraneous commas in man pages +- curl-confopts.m4: fix typo from ed224f23d5beb - Closes #2544 + Fixes my local configure to detect a custom installed c-ares without + pkgconfig. + +- docs/RELEASE-PROCEDURE.md: renamed to use .md extension + + Closes #2663 + +- RELEASE-PROCEDURE: gpg sign the tags - RELEASE-NOTES: synced -- Revert "TODO: remove configure --disable-pthreads" +- CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0 + +- [Mamta Upadhyay brought this change] + + maketgz: fix sed issues on OSX - This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3. + maketgz creates release tarballs and removes the -DEV string in curl + version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl + is run. maketgz works fine on linux but fails on OSX. Problem is with + the sed commands that use option -i without an extension. Maketgz + expects GNU sed instead of BSD and this simply won't work on OSX. 
Adding + a backup extension .bak after -i fixes this issue - --disable-pthreads can be used to disable pthreads and get the threaded - resolver to use the windows threading when building with mingw. + Running the script as if on OSX gives this error: + + sed: -e: No such file or directory + + Adding a .bak extension resolves it + + Closes #2660 -- vtls: don't define MD5_DIGEST_LENGTH for wolfssl +- configure: enhance ability to detect/build with static openssl - ... as it defines it (too) + Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for + building with static libs without pkg-config. + + Reported-by: Marcel Raad + Fixes #2199 + Closes #2659 -- TODO: remove configure --disable-pthreads +- configure: use pkg-config for c-ares detection + + First check if there's c-ares information given as pkg-config info and use + that as first preference. + + Reported-by: pszemus on github + Fixes #2203 + Closes #2658 -Jay Satiro (2 May 2018) -- [David Garske brought this change] +- GOVERNANCE.md: explains how this project is run + + Closes #2657 - wolfssl: Fix non-blocking connect +- KNOWN_BUGS: NTLM doen't support password with § character - Closes https://github.com/curl/curl/pull/2542 + Closes #2120 -Daniel Stenberg (30 Apr 2018) -- CURLOPT_URL.3: add ENCODING section [ci skip] +- KNOWN_BUGS: slow connect to localhost on Windows - Feedback-by: Michael Kilburn + Closes #2281 -- KNOWN_BUGS: Client cert with Issuer DN differs between backends +- [Matteo Bignotti brought this change] + + mk-ca-bundle.pl: make -u delete certdata.txt if found not changed - Closes #1411 + certdata.txt should be deleted also when the process is interrupted by + "same certificate downloaded, exiting" + + The certdata.txt is currently kept on disk even if you give the -u + option + + Closes #2655 -- KNOWN_BUGS: Passive transfer tries only one IP address +- progress: remove a set of unused defines - Closes #1508 + Reported-by: Peter Wu + Closes #2654 -- KNOWN_BUGS: --upload-file . 
hang if delay in STDIN +- TODO: "Option to refuse usernames in URLs" done - Closes #2051 + Implemented by Björn in 946ce5b61f -- KNOWN_BUGS: Connection information when using TCP Fast Open +- [Lyman Epp brought this change] + + Curl_init_do: handle NULL connection pointer passed in - Closes #1332 + Closes #2653 -- travis: enable libssh2 on both macos and Linux +- runtests: support variables in - It seems to not be detected by default anymore (which is a bug I - believe) + ... and make use of that to make 1455 work better without using a fixed + local port number. - Closes #2541 + Fixes #2649 + Closes #2650 -- TODO: Support the clienthello extension +- Curl_debug: remove dead printhost code - Closes #2299 - -- TODO: CLOEXEC + The struct field is never set (since 5e0d9aea3) so remove the use of it + and remove the connectdata pointer from the prototype. - Closes #2252 + Reported-by: Tejas + Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html + Closes #2647 -- tests: provide 'manual' as a feature to optionally require +Viktor Szakats (12 Jun 2018) +- schannel: avoid incompatible pointer warning - ... and make test 1026 rely on that feature so that --disable-manual - builds don't cause test failures. 
+ with clang-6.0: + ``` + vtls/schannel_verify.c: In function 'add_certs_to_store': + vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types] + &cert_context)) { + ^ + In file included from /usr/share/mingw-w64/include/schannel.h:10:0, + from /usr/share/mingw-w64/include/schnlsp.h:9, + from vtls/schannel.h:29, + from vtls/schannel_verify.c:40: + /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}' + WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags, + ^~~~~~~~~~~~~~~~ + ``` + Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264 - Reported-by: Max Dymond and Anders Roxell - Fixes #2533 - Closes #2540 - -- CURLINFO_PROTOCOL.3: mention the existing defined names + Closes https://github.com/curl/curl/pull/2648 -Jay Satiro (27 Apr 2018) -- [Daniel Gustafsson brought this change] +Daniel Stenberg (12 Jun 2018) +- [Robert Prag brought this change] - cookies: remove unused macro + schannel: support selecting ciphers - Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused, - so remove as it's not part of the published API. + Given the contstraints of SChannel, I'm exposing these as the algorithms + themselves instead; while replicating the ciphersuite as specified by + OpenSSL would have been preferable, I found no way in the SChannel API + to do so. - Closes https://github.com/curl/curl/pull/2537 + To use this from the commandline, you need to pass the names of contants + defining the desired algorithms. 
For example, curl --ciphers + "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" + https://github.com The specific names come from wincrypt.h + + Closes #2630 -Daniel Stenberg (27 Apr 2018) -- [Daniel Gustafsson brought this change] +- [Bernhard M. Wiedemann brought this change] - checksrc: force indentation of lines after an else + test 46: make test pass after 2025 - This extends the INDENTATION case to also handle 'else' statements - and require proper indentation on the following line. Also fixes the - offending cases found in the codebase. + shifting the expiry date to 2037 for now + to be before the possibly problematic year 2038 - Closes #2532 + similar in spirit to commit e6293cf8764e9eecb + + Closes #2646 -- http2: fix null pointer dereference in http2_connisdead +- [Marian Klymov brought this change] + + cppcheck: fix warnings - This function can get called on a connection that isn't setup enough to - have the 'recv_underlying' function pointer initialized so it would try - to call the NULL pointer. + - Get rid of variable that was generating false positive warning + (unitialized) - Reported-by: Dario Weisser + - Fix issues in tests - Follow-up to db1b2c7fe9b093f8 (never shipped in a release) - Closes #2536 - -- http2: get rid of another strstr() + - Reduce scope of several variables all over - Follow-up to 1514c44655e12e: replace another strstr() call done on a - buffer that might not be zero terminated - with a memchr() call, even if - we know the substring will be found. + etc - Assisted-by: Max Dymond + Closes #2631 + +- openssl: assume engine support in 1.0.1 or later - Detected by OSS-Fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 + Previously it was checked for in configure/cmake, but that would then + leave other build systems built without engine support. 
- Closes #2534 - -- cyassl: adapt to libraries without TLS 1.0 support built-in + While engine support probably existed prior to 1.0.1, I decided to play + safe. If someone experience a problem with this, we can widen the + version check. - WolfSSL doesn't enable it by default anymore - -- configure: provide --with-wolfssl as an alias for --with-cyassl + Fixes #2641 + Closes #2644 - RELEASE-NOTES: synced -- [Daniel Gustafsson brought this change] +- RELEASE-PROCEDURE: update the release calendar for 2019 - os400.c: fix ASSIGNWITHINCONDITION checksrc warnings - - All occurrences of assignment within conditional expression in - os400sys.c rewritten into two steps: first assignment and then the check - on the success of the assignment. Also adjust related incorrect brace - positions to match project indentation style. +- [Gisle Vanem brought this change] + + boringssl + schannel: undef X509_NAME in lib/schannel.h - This was spurred by seeing "if((inp = input_token))", but while in there - all warnings were fixed. + Fixes the build problem when both boringssl and schannel are enabled. - There should be no functional change from these changes. + Fixes #2634 + Closes #2643 + +- [Vladimir Kotal brought this change] + + mk-ca-bundle.pl: leave certificate name untouched in decode() - Closes #2525 + Closes #2640 -- [Daniel Gustafsson brought this change] +- [Rikard Falkeborn brought this change] - cookies: ensure that we have cookies before writing jar + tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES - The jar should be written iff there are cookies, so ensure that we still - have cookies after expiration to avoid creating an empty file. + This removes the generated lib1521.c when running make clean. 
- Closes #2529 + Closes #2633 -- strcpy_url: only %-encode values >= 0x80 - - OSS-Fuzz detected +- [Rikard Falkeborn brought this change] + + tests/libtest: Add lib1521 to nodist_SOURCES - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 + Since 467da3af0, lib1521.c is generated instead of checked in. According + to the commit message, the intention was to remove it from the tarball + as well. However, it is still present when running make dist. To remove + it, add it to nodist_lib1521_SOURCES. This also means there is no need + for the manually added dist-rule in the Makefile. - Broke in dd7521bcc1b7 + Also update CMakelists.txt to handle the fact that we now may have + nodist_SOURCES. -- mime: avoid NULL pointer dereference risk +- [Stephan Mühlstrasser brought this change] + + system.h: add support for IBM xlc C compiler - Coverity detected, CID 1435120 + Added a section to system.h guarded with __xlc__ for the IBM xml C + compiler. Before this change the section titled 'generic "safe guess" on + old 32 bit style' was used, which resulted in a wrong definition of + CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T + was wrong. + + Compilation warnings fixed with this change: + + CC libcurl_la-ftp.lo + "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. 
+ CC libcurl_la-connect.lo + "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. + CC libcurl_la-tftp.lo + "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. - Closes #2527 + Closes #2637 -- [Stephan Mühlstrasser brought this change] +- cmdline-opts/cert-type.d: mention "p12" as a recognized type as well - ctype: restore character classification for non-ASCII platforms +Viktor Szakats (3 Jun 2018) +- spelling fixes - With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic - character classification macros and functions were introduced in - curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on - non-ASCII, e.g. EBCDIC platforms. This change restores the previous set - of character classification macros when CURL_DOES_CONVERSIONS is - defined. + Detected using the `codespell` tool (version 1.13.0). - Closes #2494 + Also secure and fix an URL. -- ftplistparser: keep state between invokes +Daniel Stenberg (2 Jun 2018) +- axtls: follow-up spell fix of comment + +- axTLS: not considered fit for use - Fixes FTP wildcard parsing when done over a number of read buffers. + URL: https://curl.haxx.se/mail/lib-2018-06/0000.html - Regression from f786d1f14 + This is step one. It adds #error statements that require source edits to + make curl build again if asked to use axTLS. At a later stage we might + remove the axTLS specific code completely. 
- Reported-by: wncboy on github - Fixes #2445 - Closes #2526 + Closes #2628 -- examples/http2-upload: expand buffer to avoid silly warning +- build: remove the Borland specific makefiles - http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated - writing between 2 and 11 bytes into a region of size between 8 and 17 + According to the user survey 2018, not even one out of 670 users use + them. Nobody on the mailing list spoke up for them either. + + Closes #2629 -- examples/sftpuploadresume: typecast fseek argument to long +- curl_addrinfo: use same #ifdef conditions in source as header - /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long - int' from 'curl_off_t {aka long long int}' may alter its value + ... for curl_dofreeaddrinfo -- Revert "ftplistparser: keep state between invokes" +- multi: remove a DEBUGF() - This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. + ... it might call infof() with a NULL first argument that isn't harmful + but makes it not do anything. The infof() line is not very useful + anymore, it has served it purpose. Good riddance! - Caused fuzzer problems on travis not seen when this was a PR! + Fixes #2627 -- Curl_memchr: zero length input can't match +- [Alibek.Jorajev brought this change] + + CURLOPT_RESOLVE: always purge old entry first - Avoids undefined behavior. + If there's an existing entry using the selected name. - Reported-by: Geeknik Labs + Closes #2622 -- ftplistparser: keep state between invokes +- fnmatch: use the system one if available - Fixes FTP wildcard parsing when doing over a number of read buffers. + If configure detects fnmatch to be available, use that instead of our + custom one for FTP wildcard pattern matching. For standard compliance, + to reduce our footprint and to use already well tested and well + exercised code. 
- Regression from f786d1f14 + A POSIX fnmatch behaves slightly different than the internal function + for a few test patterns currently and the macOS one yet slightly + different. Test case 1307 is adjusted for these differences. - Reported-by: wncboy on github - Fixes #2445 - Closes #2519 + Closes #2626 -- ftplistparser: renamed some members and variables +Patrick Monnerat (31 May 2018) +- os400: add new option in ILE/RPG binding - ... to make them better spell out what they're for. - -- RELEASE-NOTES: synced + Follow-up to commit 946ce5b -- [Christian Schmitz brought this change] +Daniel Stenberg (31 May 2018) +- tests/libtest/.gitignore: follow-up fix to ignore lib5* too - curl_global_sslset: always provide available backends +- KNOWN_BUGS: CURL_GLOBAL_SSL - Closes #2499 + Closes #2276 -- http2: convert an assert to run-time check +- [Bernhard Walle brought this change] + + configure: check for declaration of getpwuid_r - Fuzzing has proven we can reach code in on_frame_recv with status_code - not having been set, so let's detect that in run-time (instead of with - assert) and error error accordingly. + On our x86 Android toolchain, getpwuid_r is implemented but the header + is missing: - (This should no longer happen with the latest nghttp2) + netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration] - Detected by OSS-Fuzz - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 - Closes #2514 + Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved + the prototype to curl_setup.h. + + 
Signed-off-by: Bernhard Walle + Closes #2609 -- curl.1: clarify that options and URLs can be mixed +- [Rikard Falkeborn brought this change] + + tests: update .gitignore for libtests - Fixes #2515 - Closes #2517 + Closes #2624 -Jay Satiro (23 Apr 2018) -- [Archangel_SDY brought this change] +- [Rikard Falkeborn brought this change] - CURLOPT_SSLCERT.3: improve WinSSL-specific usage info + strictness: correct {infof, failf} format specifiers - Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780 + Closes #2623 + +- [Björn Stenberg brought this change] + + option: disallow username in URL - Closes https://github.com/curl/curl/pull/2504 + Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes + libcurl reject URLs with a username in them. + + Closes #2340 -- [Archangel_SDY brought this change] +- libcurl-security.3: improved layout for two rememdy lists - schannel: fix build error on targets <= XP +- libcurl-security.3: refer to URL instead of in-source markdown file + +Viktor Szakats (30 May 2018) +- curl.rc: embed manifest for correct Windows version detection - - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't - support the latter. + * enable it in `src/Makefile.m32` + * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is + _not_ enabled via the existing `EMBED_MANIFEST` option + * enable it for all Windows CMake builds (also disable the built-in + minimal manifest, added by CMake by default.) - Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 + For other build systems, add the `-DCURL_EMBED_MANIFEST` option to + the list of RC (Resource Compiler) flags to enable the manifest + included in `src/curl.rc`. This may require to disable whatever + automatic or other means in which way another manifest is added to + `curl.exe`. - Closes https://github.com/curl/curl/pull/2504 + Notice that Borland C doesn't support this method due to a + long-pending resource compiler bug. 
Watcom C may also not handle + it correctly when the `-zm` `wrc` option is used (this option may + be unnecessary though) and regardless of options in certain earlier + revisions of the 2.0 beta version. + + Closes https://github.com/curl/curl/pull/1221 + Fixes https://github.com/curl/curl/issues/2591 -Daniel Stenberg (23 Apr 2018) -- Revert "ftplistparser: keep state between invokes" +Patrick Monnerat (30 May 2018) +- os400: sync EBCDIC wrappers and ILE/RPG binding with latest options + +- os400: implement mime api EBCDIC wrappers - This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. + Also sync ILE/RPG binding to define the new functions. + +Daniel Stenberg (29 May 2018) +- setopt: add TLS 1.3 ciphersuites - Unfortunately this fix introduces memory leaks I've not been able to fix - in several days. Reverting this for now to get the leaks fixed. + Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. + + curl: added --tls13-ciphers and --proxy-tls13-ciphers + + Fixes #2435 + Reported-by: zzq1015 on github + Closes #2607 -Jay Satiro (21 Apr 2018) -- tool_help: clarify --max-time unit of time is seconds +- configure: override AR_FLAGS to silence warning - Before: - -m, --max-time