_ _ ____ _ ___| | | | _ \| | / __| | | | |_) | | | (__| |_| | _ <| |___ \___|\___/|_| \_\_____| Changelog Version 7.35.0 (29 Jan 2014) Daniel Stenberg (29 Jan 2014) - RELEASE-NOTES: done for 7.35.0 Dan Fandrich (29 Jan 2014) - tests: make a few lib15?? tests pass the OOM torture tests - lib1900: make the test pass the OOM torture tests - oauth2: Fixed a memory leak in an OOM condition - unit1304: make the test pass the OOM torture tests - unit1396: make the test pass the OOM torture tests Daniel Stenberg (28 Jan 2014) - [Romulo A. Ceccon brought this change] hostip: don't remove DNS entries that are in use hostcache_timestamp_remove() should remove old *unused* entries from the host cache, but it never checked whether the entry was actually in use. This complements commit 030a2b8cb. Bug: http://curl.haxx.se/bug/view.cgi?id=1327 Dan Fandrich (28 Jan 2014) - RELEASE-NOTES: changed encoding to UTF-8 like previous releases Daniel Stenberg (28 Jan 2014) - TFTP: fix crash on time-out tftp_done() can get called with its TFTP state pointer still being NULL on an early time-out, which caused a segfault when dereferenced. Reported-by: Glenn Sheridan Bug: http://curl.haxx.se/mail/lib-2014-01/0246.html Steve Holme (28 Jan 2014) - RELEASE-NOTES: Synced with 5a47062cada9 Daniel Stenberg (28 Jan 2014) - [Maks Naumov brought this change] getpass: fix password parsing from console Incorrect password if use backspace while entered the password. Regression from f7bfdbabf2d5398f4c266eabb0992a04af661f22 The '?:' operator has lower priority than the '-' operator Dan Fandrich (26 Jan 2014) - docs/INSTALL: Updated example minimal binary sizes Marc Hoersken (26 Jan 2014) - testsuite: visualize line-endings in output comparison diffs - sockfilt.c: follow up cleanup commit on 49b63cf3 - http-pipe tests: use text as output data mode to support Windows - sockfilt.c: fixed and simplified Windows select function Since the previous complex select function with initial support for non-socket file descriptors, did not actually work correctly for Console handles, this change simplifies the whole procedure by using an internal waiting thread for the stdin console handle. The previous implementation made it continuously trigger for the stdin handle if it was being redirected to a parent process instead of an actual Console input window. This approach supports actual Console input handles as well as anonymous Pipe handles which are used during input redirection. It depends on the fact that ReadFile supports trying to read zero bytes which makes it wait for the handle to become ready for reading. - http_pipe.py: replaced epoll with select to support Windows Removed Unix-specific functionality in order to support Windows: - select.epoll replaced with select.select - SocketServer.ForkingMixIn replaced with SocketServer.ForkingMixIn - socket.MSG_DONTWAIT replaced with socket.setblocking(False) Even though epoll has a better performance and improved socket handling than select, this change should not affect the actual test case. Dan Fandrich (25 Jan 2014) - tests: Added missing HTTP proxy keywords - tests: added missing http to a number of tests - tests: Added a keyword for tests depending on internal info logs - runtests: Don't log command every torture iteration in verbose - tests: Added missing http feature to tests 509 & 1513 - netrc: Fixed a memory and file descriptor leak on OOM - test1514: Used the macros for host and port number - multi: Fixed a memory leak on OOM condition Daniel Stenberg (23 Jan 2014) - curl_easy_setopt.3: remove what auth types that work for CURLOPT_PROXYAUTH The list was out of date and the paragraph already refers to the CURLOPT_HTTPAUTH explanation. All the auth bits are explained properly there. It also removes the ambiguity for what the "added" phrase refers to. This change based on pull request #85 on github URL: https://github.com/bagder/curl/pull/85 Reported-by: gnawhleinad Dan Fandrich (22 Jan 2014) - test1514: Got rid of a non-const initializer C99ism Steve Holme (21 Jan 2014) - RELEASE-NOTES: added another missing bug ref Daniel Stenberg (21 Jan 2014) - RELEASE-NOTES: added missing bug ref - [Fabian Frank brought this change] axtls: fix compiler warning on conversion ssize_t => int - [Fabian Frank brought this change] SFTP: stat remote file also when CURLOPT_NOBODY is 1 Make it possible to call curl_easy_getinfo(curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &filesize) and related functions on remote sftp:// files, without downloading them. Reported-by: Yingwei Liu Bug: http://curl.haxx.se/mail/lib-2014-01/0139.html - RELEASE-NOTES: synced with 12ecd56da77 - contributors.sh: output list RELEASE-NOTES formatted - [Cédric Deltheil brought this change] test1514: added - no more negative Content-Length (HTTP POST) This covers changes from commit afd288b2. - [Cédric Deltheil brought this change] HTTP POST: omit Content-Length if data size is unknown This prevents sending a `Content-Length: -1` header, e.g this ocurred with the following combination: * standard HTTP POST (no chunked encoding), * user-defined read function set, * `CURLOPT_POSTFIELDSIZE(_LARGE)` NOT set. With this fix it now behaves like HTTP PUT. - [Fabian Frank brought this change] disable GnuTLS insecure ciphers Make GnuTLS old and new consistent, specify the desired protocol, cipher and certificate type in always in both modes. Disable insecure ciphers as reported by howsmyssl.com. Honor not only --sslv3, but also the --tlsv1[.N] switches. Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323 - curl_getdate.3: edited, removed references to pre 7.12.2 functionality - gtls: fix compiler warnings on conversions size_t => unsigned int Steve Holme (19 Jan 2014) - tool: Fixed incorrect return code if password prompting runs out of memory Due to the changes in commit 3c929ff9f6ea and lack of subsequent updates, curl could return a CURLE_FTP_ACCEPT_FAILED error if checkpasswd() ran out of memory in versions 7.33.0 and 7.34.0. Updated the function declaration and return code to return CURLE_OUT_OF_MEMORY and CURLE_OK where appropriate. - RELEASE-NOTES: Synced with 2cac75c4e400 - http_chunks.c: Fixed compilation warnings under some 32-bit systems conversion from 'curl_off_t' to 'size_t', possible loss of data Where curl_off_t is a 64-bit word and size_t is 32-bit - for example with 32-bit Windows builds. - tool: Fixed incorrect return code if command line parser runs out of memory In the rare instance where getparameter() may return PARAM_NO_MEM whilst parsing a URL, cURL would return this error code, which is equivalent to CURLE_FTP_ACCEPT_FAILED in cURL error codes terms. Instead, return CURLE_FAILED_INIT and output the failure reason as per the other usage of getparameter(). Daniel Stenberg (18 Jan 2014) - [Tobias Markus brought this change] Subject: progress bar: increase update frequency to 10Hz Increasing the update frequency of the progress bar to 10Hz greatly improves the visual appearance of the progress bar (at least in my impression). Signed-off-by: Tobias Markus - [Tobias Markus brought this change] progress bar: always update when at 100% Currently, the progress bar is updated at 5Hz. Because it is often not updated to 100% when the download is finished and curl exits, the bar is often "stuck" at 90-something, thus irritating the user. This patch fixes this by always updating the progress bar (instead of waiting for 200ms to have elapsed) while the download is finished but curl has not yet exited. This should not greatly affect performance because that moment is rather short. Signed-off-by: Tobias Markus Steve Holme (18 Jan 2014) - win32: Added additional preprocessor check for Version Helper API A follow up patch to commit d2671340a613 as _WIN32_WINNT_WIN2K and _WIN32_WINNT_WIN2K may not be defined on all systems. - win32: Corrected the preprocessor check for Version Helper API Following some auto build failures after commit c7a76bb056f31e changed the preprocessor check to use _WIN32_WINNT. Daniel Stenberg (17 Jan 2014) - cookie: max-age fixes 1 - allow >31 bit max-age values 2 - don't overflow on extremely large max-age values when we add the value to the current time 3 - make sure max-age takes precedence over expires as dictated by RFC6265 Bug: http://curl.haxx.se/mail/lib-2014-01/0130.html Reported-by: Chen Prog - test1417: verify chunked-encoding transfer without CR As was introduced in 8f6b4be8af04 - chunked parsing: relax the CR strictness Allow for chunked-encoding data to get parsed with only LF line endings. This is allowed by browsers. - test1416: verify the chunked size overflow detection - chunked-parser: abort on overflows, allow 64 bit chunks Dan Fandrich (17 Jan 2014) - Fixed some XML syntax issues in the test data Also, make the ftp server return a canned response that doesn't cause XML verification problems. Although the test file format isn't technically XML, it's still handy to be able to use XML tools to verify and manipulate them. Daniel Stenberg (16 Jan 2014) - [Michael Osipov brought this change] configure: fix gssapi linking on HP-UX The issue is with HP-UX that is comes with HP flavor of MIT Kerberos. This means that there is no krb5-config and the lib is called libgss.so Bug: http://curl.haxx.se/bug/view.cgi?id=1321 - Curl_cookie_add: remove 'now' from curl_getdate() call The now argument is unused by curl_getdate() Steve Holme (15 Jan 2014) - pop3-dele.c: Added missing CURLOPT_NOBODY following feedback Daniel Stenberg (16 Jan 2014) - connect.c:942:84: warning: Longer than 79 columns Steve Holme (15 Jan 2014) - connect.c: Corrected version compare in commit c7a76bb056f31e - RELEASE-NOTES: Synced with c7a76bb056f31e - win32: Fixed use of deprecated function 'GetVersionInfoEx' for VC12 Starting with Visual Studio 2013 (VC12) and Windows 8.1 the GetVersionInfoEx() function has been marked as deprecated and it's return value atered. Updated connect.c and curl_sspi.c to use VerifyVersionInfo() where possible, which has been available since Windows 2000. Daniel Stenberg (14 Jan 2014) - curl_easy_setopt.3: mention how to unset CURLOPT_INFILESIZE* - TODO: Allow SSL (HTTPS) to proxy - TODO: remove FTP proxy and more SSL libraries - TODO: Detect when called from witin callbacks Marc Hoersken (13 Jan 2014) - secureserver.pl: follow up fix for 87ade5f Since /dev/stdout is not always emulated on Windows, just skip the output option on Windows. MinGW/msys support /dev/stdout only from a new login shell. Daniel Stenberg (13 Jan 2014) - [Colin Hogben brought this change] error message: Sensible message on timeout when transfer size unknown A transfer timeout could result in an error message such as "Operation timed out after 3000 milliseconds with 19 bytes of -1 received". This patch removes the non-sensical "of -1" when the size of the transfer is unknown, mirroring the logic in lib/transfer.c Marc Hoersken (13 Jan 2014) - secureserver.pl: added full support for tstunnel on Windows tstunnel on Windows does not support the pid option and is unable to write to an output log that is already being used as a redirection target for stdout. Therefore it does now output all log data to stdout by default and secureserver.pl creates a fake pidfile on Windows. Steve Holme (12 Jan 2014) - examples: Fixed compilation errors error: 'MULTI_PERFORM_HANG_TIMEOUT' undeclared - imap-multi.c: Corrected typo - smtp-multi.c: Minor coding style tidyup following POP3 and IMAP additions - examples: Added IMAP multi example - pop3-multi.c: Corrected copy/paste typo - examples: Added POP3 multi example - examples: Added comments to SMTP multi example based on other MAIL examples - examples: Removed user information and TLS setup from SMTP multi example Simplified the SMTP multi example as this example should demonstrate the differences the easy and multi interfaces rather than introduce new concepts such as user authentication and TLS which are shown in the TLS and SSL examples. - examples: Updated SMTP MAIL example to return libcurl result code - examples: Synchronised comments between SMTP MAIL examples - examples: Updated SMTP MAIL example to use a read function for data Updated to read data from a callback rather than from stdio as this is more realistic to most use cases. Daniel Stenberg (12 Jan 2014) - OpenSSL: deselect weak ciphers by default By default even recent versions of OpenSSL support and accept both "export strength" ciphers, small-bitsize ciphers as well as downright deprecated ones. This change sets a default cipher set that avoids the worst ciphers, and subsequently makes https://www.howsmyssl.com/a/check no longer grade curl/OpenSSL connects as 'Bad'. Bug: http://curl.haxx.se/bug/view.cgi?id=1323 Reported-by: Jeff Hodges - multi: remove MULTI_TIMEOUT_INACCURACY With the recently added timeout "reminder" functionality, there's no reason left for us to execute timeout code before the time is ripe. Simplifies the handling too. This will make the *TIMEOUT and *CONNECTTIMEOUT options more accurate again, which probably is most important when the *_MS versions are used. In multi_socket, make sure to update 'now' after having handled activity on a socket. Steve Holme (11 Jan 2014) - Makefile.dist: Added support for VC7 Currently VC7 and VC7.1 builds have to be ran with the VC variable set to vc6 which is not only inconsistent with the nmake winbuild system but also with newer versions of Visual Studio supported by this file. Note: This doesn't break the build for anyone still running with the VC variable set to vc6 or not set (which defaults to vc6). - RELEASE-NOTES: Synced with 980659a2caa285 Daniel Stenberg (10 Jan 2014) - multi_socket: remind app if timeout didn't run BACKGROUND: We have learned that on some systems timeout timers are inaccurate and might occasionally fire off too early. To make the multi_socket API work with this, we made libcurl execute timeout actions a bit early too if they are within our MULTI_TIMEOUT_INACCURACY. (added in commit 2c72732ebf, present since 7.21.0) Switching everything to the multi API made this inaccuracy problem slightly more notable as now everyone can be affected. Recently (commit 21091549c02) we tweaked that inaccuracy value to make timeouts more accurate and made it platform specific. We also figured out that we have code at places that check for fixed timeout values so they MUST NOT run too early as then they will not trigger at all (see commit be28223f35 and a691e044705) - so there are definitately problems with running timeouts before they're supposed to run. (We've handled that so far by adding the inaccuracy margin to those specific timeouts.) The libcurl multi_socket API tells the application with a callback that a timeout expires in N milliseconds (and it explicitly will not tell it again for the same timeout), and the application is then supposed to call libcurl when that timeout expires. When libcurl subsequently gets called with curl_multi_socket_action(...CURL_SOCKET_TIMEOUT...), it knows that the application thinks the timeout expired - and alas, if it is within the inaccuracy level libcurl will run code handling that handle. If the application says CURL_SOCKET_TIMEOUT to libcurl and _isn't_ within the inaccuracy level, libcurl will not consider the timeout expired and it will not tell the application again since the timeout value is still the same. NOW: This change introduces a modified behavior here. If the application says CURL_SOCKET_TIMEOUT and libcurl finds no timeout code to run, it will inform the application about the timeout value - *again* even if it is the same timeout that it already told about before (although libcurl will of course tell it the updated time so that it'll still get the correct remaining time). This way, we will not risk that the application believes it has done its job and libcurl thinks the time hasn't come yet to run any code and both just sit waiting. This also allows us to decrease the MULTI_TIMEOUT_INACCURACY margin, but that will be handled in a separate commit. A repeated timeout update to the application risk that the timeout will then fire again immediately and we have what basically is a busy-loop until the time is fine even for libcurl. If that becomes a problem, we need to address it. - threaded-resolver: never use NULL hints with getaddrinfo The net effect of this bug as it appeared to users, would be that libcurl would timeout in the connect phase. When disabling IPv6 use but still using getaddrinfo, libcurl would wrongly not init the "hints" struct field in init_thread_sync() which would subsequently lead to a getaddrinfo() invoke with a zeroed hints with ai_socktype set to 0 instead of SOCK_STREAM. This would lead to different behaviors on different platforms but basically incorrect output. This code was introduced in 483ff1ca75cbea, released in curl 7.20.0. This bug became a problem now due to the happy eyeballs code and how libcurl now traverses the getaddrinfo() results differently. Bug: http://curl.haxx.se/mail/lib-2014-01/0061.html Reported-by: Fabian Frank Debugged-by: Fabian Frank Nick Zitzmann (9 Jan 2014) - darwinssl: un-break Leopard build after PKCS#12 change It turns out errSecDecode wasn't defined in Leopard's headers. So we use the enum's value instead. Bug: http://curl.haxx.se/mail/lib-2013-12/0150.html Reported by: Abram Pousada Daniel Stenberg (8 Jan 2014) - Curl_updateconninfo: don't do anything for UDP "connections" getpeername() doesn't work for UDP sockets since they're not connected Reported-by: Priyanka Shah Bug: http://curl.haxx.se/mail/archive-2014-01/0016.html - info: remove debug output Removed some of the infof() calls that were added with the recent pipeline improvements but they're not useful to the vast majority of readers and the pipelining seems to fundamentaly work - the debugging outputs can easily be added there if debugging these functions is needed again. - runtests: disable memory tracking with threaded resolver The built-in memory debug system doesn't work with multi-threaded use so instead of causing annoying false positives, disable the memory tracking if the threaded resolver is used. - trynextip: fix build for non-IPV6 capable systems AF_INET6 may not exist then Patched-by: Iida Yosiaki Bug: http://curl.haxx.se/bug/view.cgi?id=1322 Steve Holme (8 Jan 2014) - makefile: Added support for VC12 - makefile: Added support for VC11 - winbuild: Follow up fix for a47c142a88c0, 11e8066ef956 and 92b9ae5c5d59 Daniel Stenberg (7 Jan 2014) - mk-ca-bundle.1: document -d Steve Holme (7 Jan 2014) - RELEASE-NOTES: Synced with 8ae35102c43d8d Daniel Stenberg (7 Jan 2014) - ConnectionExists: fix NTLM check for new connection When the requested authentication bitmask includes NTLM, we cannot re-use a connection for another username/password as we then risk re-using NTLM (connection-based auth). This has the unfortunate downside that if you include NTLM as a possible auth, you cannot re-use connections for other usernames/passwords even if NTLM doesn't end up the auth type used. Reported-by: Paras S Patched-by: Paras S Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html Steve Holme (5 Jan 2014) - examples: Added required libcurl version information to SMTP examples Daniel Stenberg (5 Jan 2014) - mk-ca-bundle.pl: avoid warnings with -d without parameter - [Leif W brought this change] mk-ca-bundle: introduces -d and warns about using this script Steve Holme (5 Jan 2014) - Makefile: Added missing WinSSL and x64 configurations Marc Hoersken (5 Jan 2014) - docs/INTERNALS: follow up fix for 11e8066 and 92b9ae5 - packages: follow up fix for a47c142, 11e8066 and 92b9ae5 - multi.c: fix possible dereference of null pointer Steve Holme (5 Jan 2014) - Examples: Renamed SMTP MAIL example to match other email examples - examples: Added POP3 TLS example - examples: Added IMAP NOOP example - examples: Added POP3 NOOP example - pop3-stat.c: Corrected small typo from commit 91d62e9abd761c - examples: Added POP3 STAT example - examples: Added POP3 TOP example - examples: Added POP3 DELE example - examples: Added POP3 UIDL example - examples: Added POP3 RETR example - examples: Added return of error code in POP3 examples - runtests.pl: Updated copyright year after edit from d718abd968aeb4 - examples: Reworked POP3 examples for additional upcoming POP3 examples - examples: Added SMTP SSL example - examples: Added IMAP SSL and TLS examples Marc Hoersken (5 Jan 2014) - runtests.pl: check for tstunnel command on Windows The Windows console version of stunnel is called "tstunnel", while running "stunnel" on Windows spawns a new console window which cannot be handled by the testsuite. - testcurl.pl: always show the last 5 commits even with --nogitpull Daniel Stenberg (4 Jan 2014) - ftp tests: provide LIST responses in the test file itself Previously LIST always returned a fixed hardcoded list that the ftp server code knew about, mostly since the server didn't get any test case number in the LIST scenario. Starting now, doing a CWD to a directory named test-[number] will make the test server remember that number and consider it a test case so that a subsequent LIST command will send the section of that test case back. It allows LIST tests to be made more similar to how all other tests work. Test 100 was updated to provide its own directory listing. Steve Holme (4 Jan 2014) - examples: Standardised username and password settings for all email examples Replaced the use of CURLOPT_USERPWD for the preferred CURLOPT_USERNAME and CURLOPT_PASSWORD options and used the same username and password for all email examples which is the same as that used in the test suite. - Updated copyright year for recent changes Marc Hoersken (4 Jan 2014) - secureserver.pl: support for stunnel-path with nun-alphanum chars This is desired to support stunnel installations on Windows. - conncache.c: fix possible dereference of null pointer - docs: primarily refer to schannel as WinSSL Steve Holme (4 Jan 2014) - examples: Added IMAP COPY example - examples: Added IMAP DELETE example - examples: Added IMAP CREATE example Daniel Stenberg (4 Jan 2014) - FTP parselist: fix "total" parser A regression introduced in 7f3b87d8782eae1 (present in the 7.21.4 release) broke the total parser. Now skip the whitespace and the digits. Reported-by: Justin Maggard Bug: http://curl.haxx.se/mail/lib-2014-01/0019.html - test1513: fix spelling Marc Hoersken (3 Jan 2014) - Makefile.vc6: follow up fix for 11e8066 and 92b9ae5 Daniel Stenberg (3 Jan 2014) - test1513: added - verify early progress callback return fail Verify the change brought in commit 8e11731653061. It makes sure that returning a failure from the progress callback even very early results in the correct return code. - progresscallback: make CURLE_ABORTED_BY_CALLBACK get returned better When the progress callback returned 1 at a very early state, the code would not make CURLE_ABORTED_BY_CALLBACK get returned but the process would still be interrupted. In the HTTP case, this would then cause a CURLE_GOT_NOTHING to erroneously get returned instead. Reported-by: Petr Novak Bug: http://curl.haxx.se/bug/view.cgi?id=1318 Marc Hoersken (3 Jan 2014) - unittests: do not include curl_memory.h memdebug.h already contains all required definitions and including curl_memory.h causes errors like the following: tests/unit/unit1394.c:119: undefined reference to `Curl_cfree' tests/unit/unit1394.c:120: undefined reference to `Curl_cfree' Daniel Stenberg (3 Jan 2014) - pipeline: remove print_pipeline() This is a debug function only and serves no purpose in production code, it only slows things down. I left the code #ifdef'ed for possible future pipeline debugging. Also, this was a global function without proper namespace usage. Reported-by: He Qin Bug: http://curl.haxx.se/bug/view.cgi?id=1320 - openssl: allow explicit sslv2 selection If OpenSSL is built to support SSLv2 this brings back the ability to explicitly select that as a protocol level. Reported-by: Steve Holme Bug: http://curl.haxx.se/mail/lib-2014-01/0013.html Steve Holme (2 Jan 2014) - Bumped copyright year to 2014 - Updated copyright year for recent changes Marc Hoersken (3 Jan 2014) - vtls/nssg.h: fixed include references to moved file Daniel Stenberg (3 Jan 2014) - [Christian Weisgerber brought this change] curl_easy_setopt.3: fix formatting mistakes This fixes two markup typos I noticed in curl_easy_setopt.3. (The use of bold vs. italics seems a bit inconsistent in that page, but it should at least be valid man syntax.) - [Barry Abrahamson brought this change] OpenSSL: Fix forcing SSLv3 connections Some feedback provided by byte_bucket on IRC pointed out that commit db11750cfa5b1 wasn’t really correct because it allows for “upgrading” to a newer protocol when it should be only allowing for SSLv3. This change fixes that. When SSLv3 connection is forced, don't allow SSL negotiations for newer versions. Feedback provided by byte_bucket in #curl. This behavior is also consistent with the other force flags like --tlsv1.1 which doesn't allow for TLSv1.2 negotiation, etc Feedback-by: byte_bucket Bug: http://curl.haxx.se/bug/view.cgi?id=1319 Guenter Knauf (2 Jan 2014) - Trial to fix the nmake Makefile for vtls files. Steve Holme (2 Jan 2014) - examples: Added IMAP SEARCH example - examples: Added IMAP EXAMINE mailbox folder example Guenter Knauf (2 Jan 2014) - Fix NetWare build for vtls files. Daniel Stenberg (1 Jan 2014) - CMakeLists.txt: add standard curl source code header - CMakeLists.txt: add warning about the cmake build's state Steve Holme (1 Jan 2014) - examples: Updated SMTP multi example to be more realistic Updated the contents of the email and payload callback as per the IMAP and other SMTP examples. Daniel Stenberg (1 Jan 2014) - [Barry Abrahamson brought this change] OpenSSL: Fix forcing SSLv3 connections Since ad34a2d5c87c7f4b14e8dded3 (present in 7.34.0 release) forcing SSLv3 will always return the error "curl: (35) Unsupported SSL protocol version" Can be replicated with `curl -I -3 https://www.google.com/`. This fix simply allows for v3 to be forced. Steve Holme (1 Jan 2014) - examples: Corrected unescaped backslash in imap-store.c - examples: Update SMTP TLS example mail content to be RFC-2821 compliant ...and made some minor coding style changes to better match the curl coding standards as well as the other email related examples. - examples: Added IMAP APPEND example - examples: Added IMAP STORE example - RELEASE-NOTES: Synced with 7de2e032584d44 - examples: Added IMAP LIST mailbox example - examples: Updated IMAP fetch example for libcurl 7.30.0 - examples: Rename before adding additional email examples - examples: Added SMTP EXPN command example - examples: Added SMTP email verification example - imap: Fixed line length warning - mprintf: Replaced internal usage of FORMAT_OFF_T and FORMAT_OFF_TU Following commit 0aafd77fa4c6f2, replaced the internal usage of FORMAT_OFF_T and FORMAT_OFF_TU with the external versions that we expect API programmers to use. This negates the need for separate definitions which were subtly different under different platforms/compilers. - examples: Updated copyright year for recent edits - examples: Corrected incorrect indentation in smtp-multi.c - examples: Updated SMTP examples to set CURLOPT_UPLOAD - mprintf: Added support for I, I32 and I64 size specifiers Added support to the built-in printf() replacement functions, for these non-ANSI extensions when compiling under Visual Studio, Borland, Watcom and MinGW. This fixes problems when generating libcurl source code that contains curl_off_t variables. - curl_easy_setopt.3: Added SMTP information to CURLOPT_INFILESIZE_LARGE Although added to CURLOPT_INFILESIZE in commit ee3d3adc6fe155 it was never added to CURLOPT_INFILESIZE_LARGE. - tests: Disabled NTLM tests when running with SSPI enabled - connect.c: Fixed compilation warning warning: 'res' may be used uninitialized in this function - runtests.pl: Fixed slightly incorrect regex in commit 28dd47d4d41900 - [Björn Stenberg brought this change] connect: Try all addresses in first connection attempt Fixes a bug when all addresses in the first family fail immediately, due to "Network unreachable" for example, curl would hang and never try the next address family. Iterate through all address families when to trying establish the first connection attempt. Bug: http://curl.haxx.se/bug/view.cgi?id=1315 Reported-by: Michal Górny and Anthony G. Basile - runtests.pl: Optimised feature present checking code ...to exclude not present features. - runtests.pl: Added the ability to run tests when a feature is not present - ftpserver.pl: Fixed compilation error Unmatched right curly bracket at line 758, at end of line - ftpserver.pl: Reworked SMTP verified server detection Following the addition of informational commands to the SMTP protocol, the test server is no longer required to return the verified server information in responses that curl only outputs in verbose mode. Instead, a similar detection mechanism to that used by FTP, IMAP and POP3 can now be used. - sendf.c: Fixed compilation warning from f2d234a4dd9bcc sendf.c:450:81: warning: Longer than 79 columns - FILE: Fixed sending of data would always return CURLE_WRITE_ERROR Introduced in commit 2a4ee0d2215556 sending of data via the FILE protocol would always return CURLE_WRITE_ERROR regardless of whether CURL_WRITEFUNC_PAUSE was returned from the callback function or not. Daniel Stenberg (26 Dec 2013) - FILE: we don't support paused transfers using this protocol Make sure that we detect such attempts and return a proper error code instead of silently handling this in problematic ways. Updated the documentation to mention this limitation. Bug: http://curl.haxx.se/bug/view.cgi?id=1286 Steve Holme (26 Dec 2013) - vtls: Updated comments referencing sslgen.c and ssluse.c - vtls: Fixed up include of vtls.h Daniel Stenberg (25 Dec 2013) - curl_dofree: allow free(NULL) Previously this memdebug free() replacement didn't properly work with a NULL argument which has made us write code that avoids calling free(NULL) - which causes some extra nuisance and unnecessary code. Starting now, we should allow free(NULL) even when built with the memdebug system enabled. free(NULL) is permitted by POSIX Steve Holme (25 Dec 2013) - RELEASE-NOTES: Synced with 0ff0a994ada62a Daniel Stenberg (25 Dec 2013) - Curl_thread_create: use Curl_safefree to allow NULL better free() itself allows a NULL input but our memory debug system requires Curl_safefree() to be used instead when a "legitimate" NULL may be freed. Like in the code here. Pointed-out-by: Steve Holme - [Luke Dashjr brought this change] threaded resolver: Use pthread_t * for curl_thread_t ... since pthread_t may be non-scalar and/or may represent a real thread with scalar 0. Bug: http://curl.haxx.se/bug/view.cgi?id=1314 Steve Holme (24 Dec 2013) - imap: Fixed auth preference not being honored when CAPABILITY not supported If a user indicated they preferred to authenticate using a SASL mechanism, but SASL authentication wasn't supported by the server, curl would always fall back to clear text when CAPABILITY wasn't supported, even though the user didn't want to use this. - pop3: Fixed auth preference not being honored when CAPA not supported If a user indicated they preferred to authenticate using APOP or a SASL mechanism, but neither were supported by the server, curl would always fall back to clear text when CAPA wasn't supported, even though the user didn't want to use this. This also fixes the auto build failure caused by commit 6f2d5f0562f64a. Daniel Stenberg (24 Dec 2013) - TheArtOfHttpScripting: major update, converted layout and more - Curl_pp_readresp: use memmove not memcpy, possibly overlapping areas Fixes commit 1deac31eba7 Steve Holme (24 Dec 2013) - RELEASE-NOTES: Corrected copy/paste typo - pop3: Fixed APOP being determined by CAPA response rather than by timestamp This commit replaces that of 9f260b5d6610f3 because according to RFC-2449, section 6, there is no APOP capability "...even though APOP is an optional command in [POP3]. Clients discover server support of APOP by the presence in the greeting banner of an initial challenge enclosed in angle brackets." - tests: Removed APOP timestamp from default server greeting - test936: Corrected login details from commit 7246255416617a - ftpserver.pl: Updated custom full text REPLY regex SASL downgrade tests: 833, 835, 879, 881, 935 and 937 would fail as they contained a minus sign in their authentication mechanism and this would be missed by the custom reply parser. - tests: Corrected syntax error from commit 7246255416617a - tests: Added SMTP SASL downgrade tests - tests: Added POP3 SASL downgrade tests - tests: Added IMAP SASL downgrade tests Daniel Stenberg (22 Dec 2013) - docs: mention CURLOPT_MAX_RECV/SEND_SPEED_LARGE don't work for FILE:// - FILE: don't wait due to CURLOPT_MAX_RECV_SPEED_LARGE The FILE:// code doesn't support this option - and it doesn't make sense to support it as long as it works as it does since then it'd only block even longer. But: setting CURLOPT_MAX_RECV_SPEED_LARGE would make the transfer first get done and then libcurl would wait until the average speed would get low enough. This happened because the transfer happens completely in the DO state for FILE:// but then it would still unconditionally continue in to the PERFORM state where the speed check is made. Starting now, the code will skip from DO_DONE to DONE immediately if no socket is set to be recv()ed or send()ed to. Bug: http://curl.haxx.se/bug/view.cgi?id=1312 Reported-by: Mohammad AlSaleh Steve Holme (22 Dec 2013) - ftpserver.pl: Fixed runtime warning from commit 7da9c95bcf1fe6 Use of uninitialized value $FTPARG in concatenation (.) or string at line 3255. - ftpserver.pl: Added the ability to send custom full text replies - ftpserver.pl: Added the ability to specify custom full text replies - ftpserver.pl: Renamed commandreply variable from customreply - tests: Added SASL cancellation keywords Added SASL CANCELLATION keywords to differentiate these tests from the upcoming SASL downgrade tests. - email: Fixed segfault introduced in commit 195b63f99c2fe3 Daniel Stenberg (22 Dec 2013) - code police: fix indent level to silence checksrc complaints Steve Holme (21 Dec 2013) - email: Extended the login options to support multiple auth mechanisms Daniel Stenberg (22 Dec 2013) - Curl_pp_readresp: replace stupid loop with memcpy - Curl_pp_readresp: zero terminate line The comment in the code mentions the zero terminating after having copied data, but it mistakingly zero terminated the source data and not the destination! This caused the test 864 problem discussed on the list: http://curl.haxx.se/mail/lib-2013-12/0113.html Signed-off-by: Daniel Stenberg Steve Holme (21 Dec 2013) - Revert "pop3: Added debug information to assist with test864 failure" This reverts commit 727d798d680f29c8b3cb7d7f03d6b6a3eb4356da. - pop3: Added debug information to assist with test864 failure - RELEASE-NOTES: Synced with 812c5ace759d04 - pop3: Fixed APOP timestamp detection from commit 1cfb436a2f1795 Daniel Stenberg (20 Dec 2013) - Makefile.inc: use standard source header - Makefile.inc: specify the vtls sources+headers separately - vtls: renamed sslgen.[ch] to vtls.[ch] - openssl: renamed backend files to openssl.[ch] - vtls: moved all TLS/SSL source and header files into subdir - vtls: created subdir, moved sslgen.[ch] there, updated all include lines Steve Holme (20 Dec 2013) - pop3: Fixed selection of APOP when server replies with an invalid timestamp Although highlighted by a bug in commit 1cfb436a2f1795, APOP authentication could be chosen if the server was to reply with an empty or missing timestamp in the server greeting and APOP was given in the capability list by the server. - pop3: Fixed processing of more than one response when sent in same packet Added a loop to pop3_statemach_act() in which Curl_pp_readresp() is called until the cache is drained. Without this multiple responses received in a single packet could result in a hang or delay. - pop3: Moved CAPA response handling to pop3_state_capa_resp() Similar to the processing of untagged CAPABILITY responses in IMAP and multi-line EHLO responses in SMTP, moved the processing of multi-line CAPA responses to pop3_state_capa_resp(). - pop3: Moved APOP detection into pop3_state_servergreet_resp() In an effort to reduce what pop3_endofresp() does and bring the POP3 source back inline with the IMAP and SMTP protocols, moved the APOP detection into pop3_state_servergreet_resp(). - curl_easy_setopt: Fixed OAuth 2.0 Bearer option name Bug: http://curl.haxx.se/bug/view.cgi?id=1313 Reported-by: Viktor Szakáts Daniel Stenberg (18 Dec 2013) - curl.1: remove URL encoding phrase from --data description ... it could be misleading a reader into thinking it _has_ to be encoded. Steve Holme (18 Dec 2013) - imap/pop3/smtp: Added support for SASL authentication downgrades Added support for downgrading the SASL authentication mechanism when the decoding of CRAM-MD5, DIGEST-MD5 and NTLM messages fails. This enhances the previously added support for graceful cancellation by allowing the client to retry a lesser SASL mechanism such as LOGIN or PLAIN, or even APOP / clear text (in the case of POP3 and IMAP) when supported by the server. Daniel Stenberg (18 Dec 2013) - RELEASE-PROCEDURE: new document - gitignore: ignore .dirstamp files - smtp: fix compiler warning smtp.c:478:21: error: unused variable 'smtpc' [-Werror=unused-variable] Steve Holme (18 Dec 2013) - smtp: Moved the calculation of SASL login details into a separate function - pop3: Moved the calculation of SASL login details into a separate function - imap: Moved the calculation of SASL login details into a separate function - smtp: Moved the sending of the AUTH command into a separate function - pop3: Moved the sending of the AUTH command into a separate function - imap: Moved the sending of the AUTHENICATE command into a separate function - email: Renamed *_perform_authenticate() functions In preparation for the upcoming SASL downgrade feature renamed the imap__perform_authenticate(), pop3__perform_authenticate() and smtp__perform_authenticate() functions. Daniel Stenberg (17 Dec 2013) - bump: start working on the next release Version 7.34.0 (16 Dec 2013) Daniel Stenberg (16 Dec 2013) - RELEASE-NOTES: synced with c0ef05e67 ... for the pending 7.34.0 release Upped the contributor count - THANKS: add contributors from 7.34.0 release 24 new great friends - gtls: respect *VERIFYHOST independently of *VERIFYPEER Security flaw CVE-2013-6422 This is conceptually the same problem and fix that 3c3622b6 brought to the OpenSSL backend and that resulted in CVE-2013-4545. This version of the problem was independently introduced to the GnuTLS backend with commit 59cf93cc, present in the code since the libcurl 7.21.4 release. Advisory: http://curl.haxx.se/docs/adv_20131217.html Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html Reported-by: Marc Deslauriers - curl.1 document -J doesn't %-decode ...also added as KNOWN_BUG #87 with reference to bug #1294 - multi: add timer inaccuracy margin to timeout/connecttimeout Since all systems have inaccuracy in the timeout handling it is imperative that we add an inaccuracy margin to the general timeout and connecttimeout handling with the multi interface. This way, when the timeout fires we should be fairly sure that it has passed the timeout value and will be suitably detected. For cases where the timeout fire before the actual timeout, we would otherwise consume the timeout action and still not run the timeout code since the condition wasn't met. Reported-by: He Qin Bug: http://curl.haxx.se/bug/view.cgi?id=1298 - RELEASE-NOTES: synced with dd4d9ea542 - curl_easy_setopt: clarify some USERPWD and PROXYUSERPWD details - login options: remove the ;[options] support from CURLOPT_USERPWD To avoid the regression when users pass in passwords containing semi- colons, we now drop the ability to set the login options with the same options. Support for login options in CURLOPT_USERPWD was added in 7.31.0. Test case 83 was modified to verify that colons and semi-colons can be used as part of the password when using -u (CURLOPT_USERPWD). Bug: http://curl.haxx.se/bug/view.cgi?id=1311 Reported-by: Petr Bahula Assisted-by: Steve Holme Signed-off-by: Daniel Stenberg Steve Holme (14 Dec 2013) - imap: Fixed exclude of clear text when using auth=* in commit 75cd7fd66762bb It is not 100% clear whether * should include clear text LOGIN or not from RFC-5092, however, including it is then consistent with current POP3 behaviour where clear text, APOP or SASL may be chosen. - imap: Fixed incorrect fallback to clear text authentication If a specific SASL authentication mechanism was requested by the user as part of the login options but wasn't supported by the server then curl would fallback to clear text, when it shouldn't, rather than reporting "No known authentication mechanisms supported" as the POP3 and SMTP protocols do. Daniel Stenberg (11 Dec 2013) - [Eric Lubin brought this change] parsedate: avoid integer overflow In C, signed integer overflow is undefined behavior. Thus, the compiler is allowed to assume that it will not occur. In the check for an overflow, the developer assumes that the signed integer of type time_t will wrap around if it overflows. However, this behavior is undefined in the C standard. Thus, when the compiler sees this, it simplifies t + delta < t to delta < 0. Since delta > 0 and delta < 0 can't both be true, the entire if statement is optimized out under certain optimization levels. Thus, the parsedate function would return PARSEDATE_OK with an undefined value in the time, instead of return -1 = PARSEDATE_FAIL. - parseconfig: warn if unquoted white spaces are detected Commit 0db811b6 made some existing config files pass on unexpected values to libcurl that made it somewhat hard to track down what was really going on. This code detects unquoted white spaces in the parameter when parsing a config file as that would be one symptom and it is generally a bad syntax anyway. - RELEASE-NOTES: recount contributors and libcurl options - RELEASE-NOTES: synced with c4f46e97ca6c - [James Dury brought this change] TFTP: let tftp_multi_statemach()'s return codes through It would otherwise always clobber the return code with new function calls and it couldn't return timeout etc. Bug: http://curl.haxx.se/bug/view.cgi?id=1310 Nick Zitzmann (7 Dec 2013) - [Melissa Mears brought this change] darwinssl: Fix #if 10.6.0 for SecKeychainSearch The comment here says that SecKeychainSearch causes a deprecation warning when used with a minimum Mac OS X SDK version of 10.7.0, which is correct. However, the #if guard did not match. It was intended to only use the code if 10.6.0 support was enabled, but it had 10.7.0 instead. This caused a warning if the minimum was exactly 10.7.0. Daniel Stenberg (6 Dec 2013) - [Christian Weisgerber brought this change] curl.h: for OpenBSD curl.h should also include on OpenBSD to reliably pull in select(). Typically, including will be enough, but not if strict standards-compliance is requested (e.g. by defining _XOPEN_SOURCE). - digest: fix CURLAUTH_DIGEST_IE The URI that is passed in as part of the Authorization: header needs to be cut off at '?' if CURLAUTH_DIGEST_IE is set. Previously the code only did when calculating the MD5sum. Bug: http://curl.haxx.se/bug/view.cgi?id=1308 Patched-by: Sergey Tatarincev - Curl_is_connected: use proxy name in error message when proxy is used (bug introduced in 255826c4, never present in a release) Reported-by: Dima Tisnek Bug: http://curl.haxx.se/mail/lib-2013-12/0006.html Steve Holme (4 Dec 2013) - imap/pop3: Post graceful cancellation consistency changes - [Melissa Mears brought this change] pop3: Fix POP3_TYPE_ANY signed compilation warning POP3_TYPE_ANY, or ~0, is written to pop3c->preftype in lib/pop3c.c, an unsigned int variable. The result of ~0 is -1, which caused a warning due to writing a negative number to an unsigned variable. To fix this, make the expression ~0U so that its value is considered the unsigned number UINT_MAX which is what SASL_AUTH_ANY does in curl_sasl.h. Kamil Dudka (2 Dec 2013) - tool_metalink: do not use HAVE_NSS_INITCONTEXT ... no longer provided by the configure script - nss: make sure that 'sslver' is always initialized - nss: unconditionally require NSS_InitContext() ... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway - nss: allow to use TLS > 1.0 if built against recent NSS Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html - nss: put SSL version selection into separate fnc - nss: use a better API for controlling SSL version This change introduces a dependency on NSS 3.14+. Patrick Monnerat (2 Dec 2013) - OS400: sync wrappers and RPG binding. Steve Holme (1 Dec 2013) - multi.c: Fixed compilation warning warning: declaration of 'pipe' shadows a global declaration - RELEASE-NOTES: Synced with ad3836448efbb7 - base64: Corrected typo from commit f3ee587775c88a - base64: Post extended extended validation tidy up Reduced the separate processing of the last quantum to be performed in the main decoding loop and renamed some variables for consistency. - base64: Extended validation to look for invalid characters Extended the basic validation in commit e17c1b25bc33eb to return a failure when invalid base64 characters are included. - base64: Post basic validation tidy up Due to the length checks introduced in commit e17c1b25bc33eb there is no need to allow for extra space in the output buffer for a non-padded last quantum. - curl_easy_getinfo: Post CURLINFO_TLS_SESSION tidy up 1) Renamed curl_tlsinfo to curl_tlssessioninfo as discussed on the mailing list. 2) Renamed curl_ssl_backend to curl_sslbackend so it doesn't follow our function naming convention. 3) Updated sessioninfo.c example accordingly. Daniel Stenberg (29 Nov 2013) - parseconfig: dash options can't specified with colon or equals Bug: http://curl.haxx.se/bug/view.cgi?id=1297 Reported-by: Michael Osipov - curl.1: -G also takes --data-urlencode data - globbing: curl glob counter mismatch with {} list use The "fixed string" function wrongly bumped the "urlnum" counter which made curl output the total number of URLs wrong when using {one,two,three} lists in globs. Reported-by: Michael-O Bug: http://curl.haxx.se/bug/view.cgi?id=1305 Steve Holme (28 Nov 2013) - [Christian Grothoff brought this change] sessioninfo.c: Added sample code for CURLINFO_TLS_SESSION Added a simple example to show how one can use CURLINFO_TLS_SESSION for obtaining extensive TLS certificate information. - multi.c: Fixed compilation error introduced in commit a900d45489fc14 Systems that define SIGPIPE_VARIABLE as a noop would not compile as restore_pipe was defined afterwards. - [Christian Grothoff brought this change] curl_easy_getopt: Handle API violation gracefully This fixes a NULL dereference in the case where the client asks for CURLINFO_TLS_SESSION data after the (TLS) session has already been destroyed (i.e. curl_easy_perform has already completed for this handle). Instead of crashing, we now return a CURLSSLBACKEND_NONE error. - KNOWN_BUGS: #86: Disconnect commands may not be sent by IMAP, POP3 and SMTP Daniel Stenberg (27 Nov 2013) - [Jeff King brought this change] curl_multi_cleanup: ignore SIGPIPE This is an extension to the fix in 7d80ed64e43515. We may call Curl_disconnect() while cleaning up the multi handle, which could lead to openssl sending packets, which could get a SIGPIPE. Signed-off-by: Jeff King - [Jeff King brought this change] sigpipe: factor out sigpipe_reset from easy.c Commit 7d80ed64e43515 introduced some helpers to handle sigpipe in easy.c. However, that fix was incomplete, and we need to add more callers in other files. The first step is making the helpers globally accessible. Since the functions are small and should generally end up inlined anyway, we simply define them in the header as static functions. Signed-off-by: Jeff King - [Björn Stenberg brought this change] connect: Try next ip directly after immediate connect fail This fixes a rare Happy Eyeballs bug where if the first IP family runs out of addresses before the second-family-timer fires, and the second IP family's first connect fails immediately, no further IPs of the second family are attempted. - hostip: don't prune DNS cache entries that are in use When adding entries to the DNS cache with CURLOPT_RESOLVE, they are marked 'inuse' forever to prevent them from ever being removed in normal operations. Still, the code that pruned out-of-date DNS entries didn't care for the 'inuse' struct field and pruned it anyway! Reported-by: Romulo A. Ceccon Bug: http://curl.haxx.se/bug/view.cgi?id=1303 Steve Holme (24 Nov 2013) - RELEASE-NOTES: Synced with 35e476a3f6cdd5 - tests: Re-ordered test arguments to match other IMAP tests - tests: Corrected login "username" authentication responses - tests: Added error code explanation comments - tests: Removed expected QUIT response from graceful cancellation tests A failure during authentication, which is performed as part of the CONNECT phrase (for IMAP, POP3 and SMTP) is considered by the multi- interface as being closed prematurely (aka a dead connection). As such these protocols cannot issue the relevant QUIT or LOGOUT command. Temporarily fixed the test cases until we can fix this properly. - tests: Added SMTP graceful authentication cancellation tests - tests: Added POP3 graceful authentication cancellation tests - ftpserver.pl: Reworked fix from commit 7a36b2abc06862 - ftpserver.pl: Fixed unknown IMAP command "*" - ftpserver.pl: Fixed servercmd REPLY with * detection - tests: Added IMAP graceful authentication cancellation tests - tests: Moved CR LF in URL tests to their respective protocol groups - smtp: Post SMTP command expansion tidy up Removed unnecessary SMTP_STOP state changes on failure. Removed hard return on failure in smtp_state_data_resp(). - symbols-in-versions: Added missing CURLSSLBACKEND_* symbols - symbols-in-versions: Fixed missing CURLINFO_TLS_SESSION - [Christian Grothoff brought this change] curl_easy_getinfo: Added CURLINFO_TLS_SESSION for accessing TLS internals Added new API for returning a SSL backend type and pointer, in order to allow access to the TLS internals, that may then be used to obtain X509 certificate information for example. - RELEASE-NOTES: Synced with 8191800a0c8ff7 - smtp: Fixed space being sent in non --mail-rcpt based requests Commands such as NOOP, RSET and HELP would be sent with a space at the end of the command, for example: "NOOP ". - tests: Added SMTP NOOP and RSET tests - test928: Corrected typo in expected data from commit df58084695ce9b - tests: Added SMTP HELP test - smtp: Changed the default command to HELP when no options are specified Otherwise a NOOP operation would be performed which a) only returns a single line response and not a multiline response where -I needs to be used, and b) provides an inconsistent user experience compared to that of the POP3 and IMAP protocols. - smtp:Fixed memory leak from commit dac01ff6d788b2 The buffer allocated by smtp_parse_custom_request() was not freed. - connect: Close open but unconnected socket in singleipconnect() singleipconnect() could return the file descriptor of an open socket even though the function returned a CURLE_COULDNT_CONNECT error code from commit ed1662c374361a and 02fbc26d59c591. This could cause tests 19, 704 and 1233 to fail on FreeBSD, AIX and Solaris. - tests: Added SMTP EXPN command test - test926: Corrected unknown user reply from commit 0d735c29f92748 The error code should not be sent as data as it isn't passed onto the client as body data, so cannot be compared in the test suite against expected data. - tests: Corrected missing data reply sections from 3d50e91aeef8cc - tests: Added SMTP VRFY command tests - ftpserver.pl: Added support for new SMTP commands - smtp: Fixed broken RCPT TO from commit 0ea4a80bb23666 Daniel Stenberg (15 Nov 2013) - smtp_state_mail_resp: removed unused variable 'smtp' Steve Holme (15 Nov 2013) - DOCS: Updated curl_easy_setopt.3 following recent SMTP changes * Added information about the verify and expand commands to CURLOPT_MAIL_RCPT. * Reworked CURLOPT_CUSTOMREQUEST section, adding information about IMAP and SMTP custom commands. - DOCS: Updated manpage following recent SMTP modifications * Added SMTP section to --request * Expanded --mail-rcpt to describe the usage when using the verify and expand commands. - smtp: Simplified the next RCPT TO logic - lib1507.c: Added missing set of CURLOPT_UPLOAD option Although this option should have already been set, the SMTP module can now download information from and send instructional commands to, an SMTP server, requiring the option to be set in order to perform a mail transfer. - smtp.c: Fixed trailing whitespace - smtp: Added support for VRFY and EXPN commands - smtp: Added support for NOOP and RSET commands - smtp: Fixed handling of multiline server greeting responses Incorrectly processed multiline server greeting responses as "wanted" continue responses in smtp_endofresp(), from commit f16c0de4e9bbe3, which in turn broke the SMTP server detection in the test suite, because the EHLO command would not be sent. - smtp.c: Fixed compilation error from commit f16c0de4e9bbe3 warning: unused variable 'smtpc' - smtp: Fixed processing of more than one response when sent in same packet Added a loop to smtp_statemach_act() in which Curl_pp_readresp() is called until the cache is drained. Without this multiple responses received in a single packet could result in a hang or delay. - smtp: Moved EHLO response handling to smtp_state_ehlo_resp() Similar to the processing of untagged CAPABILITY responses in IMAP moved the processing of multiline EHLO responses to smtp_state_ehlo_resp() and introduced an internal response code of one to differentiate a multiline continuation from the end of command. This also allows for the separate processing of multiline responses from commands such as VRFY and EXPN. - connect: Forgot to correct line endings before push in commit ed1662c374361a - [Björn Stenberg brought this change] connect: Return the socket descriptor even on fail singleipconnect() did not return the open socket descriptor on some errors, thereby sometimes causing a socket leak. This patch ensures the socket is always returned. Daniel Stenberg (13 Nov 2013) - configure: Fix test with -Werror=implicit-function-declaration The ipv6 auto-detect test in configure returns a false negative when CFLAGS contains -Werror=implicit-function-declaration. (I have been using this flag to detect code issues that would result in SEGVs on x86_64-cygwin.) Patch-by: Yaakov Selkowitz Bug: http://curl.haxx.se/bug/view.cgi?id=1304 Steve Holme (13 Nov 2013) - test825: Corrected typo from commit b29217d0d682d4 - RELEASE-NOTES: Synced with bde901ad89a6f1 - test922: Corrected title to match other OAuth 2.0 tests - tests: Added IMAP OAuth 2.0 authentication with initial response test - tests: Added IMAP NTLM authentication with initial response test - tests: Added IMAP login authentication with initial response test - tests: Added IMAP plain authentication with initial response test - test873: Use proper padding in NTLM responses Nick Zitzmann (12 Nov 2013) - darwinssl: check for SSLSetSessionOption() presence when toggling BEAST Even though this is only a formality (since not many people build on Mavericks while targeting Leopard), since we still support Leopard at the earliest, we might as well be pedantic. - darwinssl: PKCS#12 import feature now requires Lion or later It turns out that some of the constants necessary to make this feature work are missing from Snow Leopard's Security framework even though they are defined in the headers. Bug: http://curl.haxx.se/mail/lib-2013-11/0076.html Reported by: myriachan Steve Holme (13 Nov 2013) - tests: Added POP3 OAuth 2.0 authentication with initial response test - tests: Added POP3 NTLM authentication with initial response test - tests: Added POP3 login authentication with initial response test - tests: Added POP3 plain authentication with initial response test - TODO: Added auth= in URLs to the wish list for HTTP - curl_easy_setopt: Added the ability to set the login options separately Rather than set the authentication options as part of the login details specified in the URL, or via the older CURLOPT_USERPWD option, added a new libcurl option to allow the login options to be set separately. Daniel Stenberg (12 Nov 2013) - curl.1: mention that -O does no URL decoding Kamil Dudka (12 Nov 2013) - [Tomas Hoger brought this change] curl_easy_setopt.3: clarify CURLOPT_SSL_VERIFYHOST documentation - better describe what happens when 1 is specified as parameter - clarify what "is ignored" means for NSS builds Steve Holme (12 Nov 2013) - runtests.pl: Added SSPI detection - multi: Small code tidy up to avoid hard return - tests: Updated CRAM-MD5 tests to use test user details - [Björn Stenberg brought this change] multi: Set read socket when returning READSOCK(0) This patch fixes and issue introduced in commit 7d7df831981fee, if the tunnel state was TUNNEL_CONNECT, waitconnect_getsock() would return a bitmask indicating a readable socket but never stored the socket in the return array. Daniel Stenberg (11 Nov 2013) - bump: next release will be 7.34.0 Due to all the news and changes. Steve Holme (10 Nov 2013) - [Björn Stenberg brought this change] connect: Close temporary sockets in conn_free() The temporary sockets used for Happy Eyeballs were not closed properly, if curl exited prematurely, which this patch fixes. - tests: Corrected titles of POP3 and SMTP OAuth 2.0 tests - test823: Fixed expected authentication text from commit e10a26a9d6d6de Fixed authentication text due to incorrect digest-uri property. - test821: Fixed expected authentication text from commit 2d5455feac9984 - RELEASE-NOTES: Synced with 0f81fbe5da6643 - [Kim Vandry brought this change] ares: Fixed compilation under Visual Studio 2012 - tests: Added IMAP OAuth 2.0 authentication test - tests: Added IMAP DIGEST-MD5 authentication test - tests: Added IMAP NTLM authentication test - tests: Added IMAP CRAM-MD5 authentication test - test819: Fixed expected authentication text from commit 76f924131c9fd3 - ftpserver.pl: Reworked custom reply handling code 1) To fix issues with IMAP custom replies 2) So initial space is not required in IMAP display text 3) To be more readable and understandable - ftpserver.pl: Reworked unrecognised command responses As the IMAP regex could fail and $1 would not contain the command id updated the unrecognised command response to be more generic and realistic (like those used in the command handlers). Additionally updated the POP3, SMTP and FTP responses. - ftpserver.pl: Fixed processing of IMAP authentication strings Daniel Stenberg (9 Nov 2013) - cmake: fix Windows build with IPv6 support Patch-by: "Z98" Steve Holme (6 Nov 2013) - Revert "ftpserver.pl: Corrected logic from commit 27b7b1062f9d97" This reverts commit 558034ab7002d1 as it appears to break the auto builds. More thought is required for this! - ftpserver.pl: Corrected logic from commit 27b7b1062f9d97 - ftpserver.pl: Fixed IMAP cmdid being sent on custom responses - tests: Added IMAP login authentication test - tests: Added IMAP plain authentication test - url.c: Very small amount of policing - [Björn Stenberg brought this change] url.c: Remove superfluous for loop The reason for this loop's existence was removed in commit 02fbc26d59c591. Daniel Stenberg (5 Nov 2013) - KNOWN_BUGS: STARTTRANSFER for POST requests added 85. Wrong STARTTRANSFER timer accounting for POST requests - Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string Our own printf() replacement clearly can't properly handle %.*s with a string that isn't zero terminated. Instead of fixing the printf code or even figuring out what the proper posix behavior is, I reverted this piece of the code back to the previous version where it does malloc + memcpy instead. Regression added in e839446c2a5, released in curl 7.32.0. Reported-by: Felix Yan Bug: http://curl.haxx.se/bug/view.cgi?id=1295 Steve Holme (5 Nov 2013) - RELEASE-NOTES: Synced with 7fc3b2ce382ed6 - connect.h: Updated copyright year for last edit Daniel Stenberg (4 Nov 2013) - [Björn Stenberg brought this change] connect: Add connection delay to Happy Eyeballs. This patch adds a 200ms delay between the first and second address family socket connection attempts. It also iterates over IP addresses in the order returned by the system, meaning most dual-stack systems will try IPv6 first. Additionally, it refactors the connect code, removing most code that handled synchronous connects. Since all sockets are now non-blocking, the logic can be made simpler. Steve Holme (4 Nov 2013) - winbind: Fixed ntlm_auth expecting eol following commit e17c1b25bc33eb - nss.c: Fixed compilation warnings (Take Two) nss.c:702: warning: pointer targets in passing argument 3 of 'Curl_extract_certinfo' differ in signedness nss.c:702: warning: pointer targets in passing argument 4 of 'Curl_extract_certinfo' differ in signedness Made sure the cast was correctly "unsigned char *" to "char *" and not "unsigned char *" to "unsigned char *". - nss.c: Fixed compilation warnings nss.c:700: warning: pointer targets in passing argument 3 of 'Curl_extract_certinfo' differ in signedness nss.c:700: warning: pointer targets in passing argument 4 of 'Curl_extract_certinfo' differ in signedness - tests: Added test for IMAP NOOP command - tests: Added test for IMAP COPY command - tests: Disable IMAP CLOSE and EXPUNGE command tests This is temporary until curl supports either multiple custom commands or post-quote commands in IMAP. - tests: Added tests for IMAP CLOSE and EXPUNGE commands - connect.c: Code policing on commit 5094bb53f4a027 No need for a rhs condition on a bitwise compare. - nss.c: Fixed compilation warnings warning: implicit declaration of function 'Curl_extract_certinfo' - x509asn1.c: Fixed compilation warnings warning: declaration of 'chsize' shadows a global declaration - DOCS: Expanded --request description to include POP3 and IMAP details - tool_help: Updated --list-only description to include POP3 - DOCS: Updated --list-only description to include POP3 Additionally corrected typos in --oauth2-bearer protocol list. - base64: Fixed compilation warnings when using Curl_base64_decode() curl_sasl.c:294: warning: dereferencing type-punned pointer will break strict-aliasing rules getpart.c:201: warning: dereferencing type-punned pointer will break strict-aliasing rules - connect: Fixed "Whut?" no server connection failures Introduced in commit 7d7df831981fee curl would loop displaying "Whut?" if it was trying to connect to an address and port that didn't have anything listening on it. - http: Post base64 decoding tidy up Renamed copy_header_value() to Curl_copy_header_value() as this function is now non static. Simplified proxy flag in Curl_http_input_auth() when calling sub-functions. Removed unnecessary white space removal when using negotiate as it had been missed in commit cdccb422671aeb. Daniel Stenberg (3 Nov 2013) - glob_range: pass the closing bracket for a-z ranges Regression since commit 5ca96cb844102 (release in 7.33.0) Reported-by: Marcin Gryszkalis Steve Holme (2 Nov 2013) - getpart: Fixed base64 encoded parts following commit e17c1b25bc33eb - http: Added proxy tunnel authentication message header value extraction ...following recent changes to Curl_base64_decode() rather than trying to parse a header line for the authentication mechanisms which is CRLF terminated and inline zero terminate it. - http: Added authentication message header value extraction ...following recent changes to Curl_base64_decode() rather than trying to parse a header line for the authentication mechanisms which is CRLF terminated and inline zero terminate it. Daniel Stenberg (30 Oct 2013) - curl_multi_wait: accept 0 from multi_timeout() as valid timeout The code rejected 0 as a valid timeout while in fact the function could indeed legitimately return that and it should be respected. Reported-by: Bjorn Stenberg Steve Holme (30 Oct 2013) - email: Corrected a couple of typos from commit aa0eaef4838ccd - TODO: Removed the 'Graceful base64 decoding failure' sections Updated following the recent changes to support graceful failures during the authentication phrase. - email: Post graceful SASL authentication cancellation tidy up - [Kamil Dudka brought this change] tests: use proper padding in NTLM responses Patrick Monnerat (30 Oct 2013) - NSS: support for CERTINFO feature Daniel Stenberg (30 Oct 2013) - base64: removed trailing white space and updated copyright year Steve Holme (30 Oct 2013) - base64: Added basic validation to base64 input string when decoding A base64 string should be a multiple of 4 characters in length, not contain any more than 2 padding characters and only contain padding characters at the end of string. For example: Y3VybA== Strings such as the following are considered invalid: Y= - Invalid length Y== - Invalid length Y=== - More than two padding characters Y=x= - Padding character contained within string Daniel Stenberg (29 Oct 2013) - RELEASE-NOTES: synced with 255826c40f9316 - [Björn Stenberg brought this change] bugfix: Don't block waiting for socket1 connect. This patch fixes a bug in Happy Eyeballs where curl would wait for a connect response from socket1 before checking socket2. Also, it updates error messages for failed connections, showing the ip addresses that failed rather than just the host name repeatedly. Bug: http://curl.haxx.se/mail/lib-2013-10/0236.html Reported-by: Paul Marks Steve Holme (28 Oct 2013) - sasl: Updated create_digest_md5_message() to use a dynamic buffer Daniel Stenberg (28 Oct 2013) - SECURITY: "curl security for developers" Describes our security process from a project and curl developer's perspective. Patrick Monnerat (28 Oct 2013) - OS400: coding style standards Steve Holme (27 Oct 2013) - email: Added support for cancelling NTLM authentication - sasl: Removed unused variables from commit b87ba2c94217c0 - email: Added support for cancelling DIGEST-MD5 authentication - email: Corrected a couple of typos from 1e39b95682781f Daniel Stenberg (27 Oct 2013) - [Gisle Vanem brought this change] docs/examples/httpput.c: fix build for MSVC "Dan Fandrich" wrote: >> But I'm not sure is needed at all. > > It's needed for close(2). But the only reason that's needed is because fstat > is used instead of stat(2); if you fix that, then you could remove that > include altogether. Okay. I've tested the following with MSVC and MingW. htttput.c now simply uses stat(): Steve Holme (27 Oct 2013) - email: Added support for canceling CRAM-MD5 authentication Daniel Stenberg (27 Oct 2013) - [Björn Stenberg brought this change] Typo fix in trynextip(). - TODO: remove "Happy Eyeball dual stack connect" ... as it was just merged in commit 7d7df - [Björn Stenberg brought this change] Add "Happy Eyeballs" for IPv4/IPv6. This patch invokes two socket connect()s nearly simultaneously, and the socket that is first connected "wins" and is subsequently used for the connection. The other is terminated. There is a very slight IPv4 preference, in that if both sockets connect simultaneously IPv4 is checked first and thus will win. Steve Holme (27 Oct 2013) - email: Added initial support for cancelling authentication Should a client application fail to decode an authentication message received from a server, or not support any of the parameters given by the server in the message, then the authentication phrase should be cancelled gracefully by the client rather than simply terminating the connection. The authentication phrase should be cancelled by simply sending a '*' to the server, in response to erroneous data being received, as per RFC-3501, RFC-4954 and RFC-5034. This patch adds the necessary state machine constants and appropriate response handlers in order to add this functionality for the CRAM-MD5, DIGEST-MD5 and NTLM authentication mechanisms. - email: Moved authentication message parsing into a separate function ...in preparation for upcoming modifications. - ftp: Fixed compiler warning warning: 'result' may be used uninitialized in this function Daniel Stenberg (26 Oct 2013) - FTP: make the data connection work when going through proxy This is a regression since the switch to always-multi internally c43127414d89c. Test 1316 was modified since we now clearly call the Curl_client_write() function when doing the LIST transfer part and then the handler->protocol says FTP and ftpc.transfertype is 'A' which implies text converting even though that the response is initially a HTTP CONNECT response in this case. Steve Holme (26 Oct 2013) - tool_help: Added login options to --user description - email: Added references to SASL LOGIN authentication draft proposal - tests: Tidy up of SMTP and POP3 tests Corrected line endings, RFC references and standardised on user names and passwords used in the tests. - tool_help: Added clarity to the --oauth2-bearer option ...as XOAUTH2 is the extended (or non-standard) SASL identifier and OAuth 2 is the protocol name (and version). - smtp: Fixed response code parsing for bad AUTH continuation responses This workaround had been previously been implemented for IMAP and POP3 but not SMTP. Some of the recent test case additions implemented this behaviour to emulate a bad server and the SMTP code didn't cope with it. - gskit.c: Code policing following commit 2cc9246477285d Corrected 80 character line length error and pointer declarations (some of which were previously incorrect) - test907: Corrected DIGEST-MD5 response given in commit 820ed48a0088cd As the URI, which is contained within the DIGEST-MD5 response, is constructed from the service and realm, the encoded message differs from that generated under POP3. - RELEASE-NOTES: Synced with d24b7953c2132a - tests: Added SMTP OAUTH2 authentication with initial response test - tests: Added SMTP NTLM authentication with initial response test - tests: Added SMTP OAUTH2 authentication test - tests: Added SMTP DIGEST-MD5 authentication test - tests: Regrouped SMTP authentication tests Patrick Monnerat (25 Oct 2013) - OS400: sync RPG wrapper, zlib support, fix header file names, ... IFS compilation support, SSL GSKit backend by default, TLSv1.[12] support in GSKit for OS400 >= V7R1, no more tabs in make scripts. Steve Holme (24 Oct 2013) - sasl: Fixed memory leak in OAUTH2 message creation - ftpserver.pl: Added support for empty pop3 authentication data Daniel Stenberg (23 Oct 2013) - CURLOPT_RESOLVE: mention they don't time-out Clarify in the documentation that DNS entries added with CURLOPT_RESOLVE won't time-out. Bug: http://curl.haxx.se/mail/lib-2013-10/0062.html Reported-by: Romulo Ceccon Steve Holme (23 Oct 2013) - tests: Added POP3 OAUTH2 authentication test - tests: Added empty response support to custom replies ...and fixed up test869 as DIGEST-MD transcript is as follows: S: Challenge C: Authentication String S: Continue Response C: Empty String Daniel Stenberg (23 Oct 2013) - sasl: fix compiler warning error: unused variable 'table16' Steve Holme (23 Oct 2013) - tests: Added POP3 DIGEST-MD5 authentication test Daniel Stenberg (22 Oct 2013) - configure: check for long long when building with cyassl cyassl/ctaocrypt/types.h needs SIZEOF_LONG_LONG Reported-by: Chris Conlon - test1240: verify 867b52a7ac52 (glob ranges with text to the right) - glob: fix regression from commit 5ca96cb844 Plain strings after glob ranges/lists weren't treated correctly but caused broken URLs to get used. Reported-by: Javier Barroso - [Rémy Léone brought this change] Adding a .travis.yml file to use the travis-ci.org From wikipedia: Travis CI is a hosted, distributed continuous integration service used to build and test projects hosted at GitHub. Travis CI is configured by adding a file named .travis.yml, which is a YAML format text file, to the root directory of the GitHub repository. Travis CI automatically detects when a commit has been made and pushed to a GitHub repository that is using Travis CI, and each time this happens, it will try to build the project and run tests. This includes commits to all branches, not just to the master branch. When that process has completed, it will notify a developer in the way it has been configured to do so — for example, by sending an email containing the test results (showing success or failure), or by posting a message on an IRC channel. It can be configured to run the tests on a range of different machines, with different software installed (such as older versions of a programming language, to test for compatibility). Kamil Dudka (21 Oct 2013) - ssh: initialize per-handle data in ssh_connect() ... if not already initialized. This fixes a regression introduced by commit 4ad8e142da463ab208d5b5565e53291c8e5ef038, which caused test619 to intermittently fail on certain machines (namely Fedora build hosts). Daniel Stenberg (20 Oct 2013) - [Gisle Vanem brought this change] curl.1: add missing exit-code I noted a missing text for exit-code 89 in docs/curl.1 - cmake: unbreak for non-Windows platforms Patch-by: Oliver Kuckertz Bug: http://curl.haxx.se/bug/view.cgi?id=1292 Steve Holme (20 Oct 2013) - ftpserver.pl: Fixed syntax error from commit 5b31b38c27bb7a - test866: Fixed user response from commit 7f7fbe7fbdb449 - ftpserver.pl: Fixed processing of POP3 authentication strings ...and corrected response when check fails from 500 to -ERR. - tests: Added POP3 NTLM authentication test - tests: Added POP3 CRAM-MD5 authentication test - tests: Added POP3 login authentication test - tests: Added POP3 plain authentication test - tests: Added POP3 APOP authentication test - ftpserver.pl: Added support for APOP POP3 authentication - tests: Added POP3 RSET test - RELEASE-NOTES: Synced with ce61510127ea60 - email: Fixed QUIT / LOGOUT being sent when SSL connect fails Kamil Dudka (18 Oct 2013) - curl_sasl: initialize NSS before using crypto Steve Holme (17 Oct 2013) - SSL: Follow up work to commits 6a1363128f1107 and 87861c9b0e8155 Changed the failure code when TLS v1.1 and v1.2 is requested but not supported by older OpenSSL versions, following review from libcurl peers, and reduced the number of required preprocessor if statements. - SSL: Added unsupported cipher version check for OpenSSL ...with the use of CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2 being conditional on OpenSSL v1.0.1 as the appropriate flags are not supported under earlier versions. - DOCS: Added libcurl version number to CURLOPT_SSLVERSION - SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f - SSL: Corrected typo from commit 87861c9b0e8155 - SSL: Fixed OpenSSL builds prior to v1.0.1 Commit ad34a2d5c87c7f relies on definitions that are only present in OpenSSL v1.0.1 and up. This quick fix allows the builds that use older versions of OpenSSL to continue building. - test906: Fixed failing test on some platforms Bug: http://sourceforge.net/p/curl/bugs/1291 Reported-by: David Walser Daniel Stenberg (15 Oct 2013) - [Paul Donohue brought this change] NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option - [Tyler Hall brought this change] ssh: Handle successful SSH_USERAUTH_NONE According to the documentation for libssh2_userauth_list(), a NULL return value is not necessarily an error. You must call libssh2_userauth_authenticated() to determine if the SSH_USERAUTH_NONE request was successful. This fixes a segv when using sftp on a server that allows logins with an empty password. When NULL was interpreted as an error, it would free the session but not flag an error since the libssh2 errno would be clear. This resulted in dereferencing a NULL session pointer. Signed-off-by: Tyler Hall - [Ishan SinghLevett brought this change] usercertinmem: fix memory leaks - [Dave Reisner brought this change] build: distribute and install libcurl.m4 by default - [Dave Reisner brought this change] tool: use XFERFUNCTION to save some casts - [Alessandro Ghedini brought this change] curl.1: fix typo conjuction -> conjunction - curl: document the new --tlsv1.[012] options - [Gergely Nagy brought this change] SSL: protocol version can be specified more precisely CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version (CURL_SSLVERSION_TLSv1 means TLS 1.x). axTLS: axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one of these should be used, so we don't allow the new enum values. darwinssl: Added support for the new enum values. SChannel: Added support for the new enum values. CyaSSL: Added support for the new enum values. Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it did the same before this commit), because CyaSSL cannot be configured to use TLS 1.0-1.2. GSKit: GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow those values. Bugfix: There was a typo that caused wrong SSL versions to be passed to GSKit. NSS: TLS minor version cannot be set, so we don't allow the new enum values. QsoSSL: TLS minor version cannot be set, so we don't allow the new enum values. OpenSSL: Added support for the new enum values. Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, now it enables 1.0-1.2. Command-line tool: Added command line options for the new values. Nick Zitzmann (14 Oct 2013) - darwinssl: un-break iOS build after PKCS#12 feature added SecPKCS12Import() returns a few errors that are enumerated in OS X's headers but not in iOS' headers for some reason. Daniel Stenberg (14 Oct 2013) - bump: start working on 7.33.1 - THANKS: added contributors from the 7.33.0 announcement Version 7.33.0 (13 Oct 2013) Daniel Stenberg (13 Oct 2013) - RELEASE-NOTES: synced with 92cf6141ed0de - curl: fix --oauth2-bearer in the --help output After the option rename in 5df04bfafd1 - OpenSSL: improve the grammar of the language in 39beaa5ffbcc Reported-by: Petr Pisar - [Andrej E Baranov brought this change] OpenSSL: use failf() when subjectAltName mismatches Write to CURLOPT_ERRORBUFFER information about mismatch alternative certificate subject names. Signed-off-by: Andrej E Baranov - curl: rename --bearer to --oauth2-bearer The option '--bearer' might be slightly ambiguous in name. It doesn't create any conflict that I am aware of at the moment, however, OAUTH v2 is not the only authentication mechanism which uses "bearer" tokens. Reported-by: Kyle L. Huff URL: http://curl.haxx.se/mail/lib-2013-10/0064.html - [Kamil Dudka brought this change] ssh: improve the logic for detecting blocking direction This fixes a regression introduced by commit 0feeab78 limiting the speed of SCP upload to 16384 B/s on a fast connection (such as localhost). Dan Fandrich (12 Oct 2013) - Fixed typo in Makefile.inc that left http2.h out of the tar ball Daniel Stenberg (11 Oct 2013) - [Heinrich Schaefer brought this change] minor fix in doc - [Gisle Vanem brought this change] curl_setup_once: fix errno access for lwip on Windows lib/curl_setup_once.h assumed lwIP on Windows uses 'SetLastError()' to set network errors. It doesn't; it uses 'errno'. - test1239: verify 4cd444e01ad and the simulated 304 response - [Derek Higgins brought this change] HTTP: Output http response 304 when modified time is too old When using the -w '%{http_code}' flag and simulating a Not Modified then 304 should be output. - contributors: helper script to dig out contributors from git - RELEASE-NOTES: add twos refs to bug reports - RELEASE-NOTES: synced with 173160c0d068 Nick Zitzmann (2 Oct 2013) - darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipher Credit (for catching a cipher I forgot to add to the blocked ciphers list): https://www.ssllabs.com/ssltest/viewMyClient.html Daniel Stenberg (2 Oct 2013) - OpenSSL: acknowledge CURLOPT_SSL_VERIFYHOST without VERIFYPEER Setting only CURLOPT_SSL_VERIFYHOST without CURLOPT_SSL_VERIFYPEER set should still verify that the host name fields in the server certificate is fine or return failure. Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html Reported-by: Ishan SinghLevett - KNOWN_BUGS: #84: CURLINFO_SSL_VERIFYRESULT CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS backends and not for any other! - [François Charlier brought this change] xattr: add support for FreeBSD xattr API - curl_easy_setopt.3: slight clarification of SEEKFUNCTION Steve Holme (29 Sep 2013) - tests: Fixed typos from commit 25a0c96a494297 - tests: Updated email addresses in SMTP tests following recent changes - test909: Removed custom EHLO response after recent changes ...as it is no longer required following capability and authentication changes and is now causing problems following commit 49341628b50007 as the test number is obtained from the client address in the EHLO. - ftpserver.pl: Fixed compilation error from commit 49341628b50007 - ftpserver.pl: Moved specifying the test number from the RCPT address ...to the client address as this frees the RCPT strings to contain just an email address and by passing the test number into curl as the client address remains consistent with POP3 and IMAP tests as they are specified in the URL. - ftpserver.pl: Added unwanted argument check to SMTP DATA command handler Daniel Stenberg (29 Sep 2013) - getinmemory: remove a comment The comment mentioned the need to free the data, but the example already does that free - postinmemory: new example This is similar to getinmemory.c but with an initial POST. Combined-by: Ulf Samuelsson - win32: fix Visual Studio 2010 build with WINVER >= 0x600 If no WINVER and/or _WIN32_IWNNT define was set, the Windows platform SDK often defaults to high value, e.g. 0x601 (whoch may probably depend on the Windows version being used, in my case Windows 7). If WINVER >= 0x600 then winsock2.h includes some defines for WSAPoll(), e.g. POLLIN, POLLPRI, POLLOUT etc. These defines clash with cURL's lib/select.h. Make sure HAVE_STRUCT_POLLFD is defined then. Bug: http://curl.haxx.se/bug/view.cgi?id=1282 Reported-by: "kdekker" Patch-by: Marcel Raad Steve Holme (28 Sep 2013) - ssluse.c: Fixed compilation warnings when ENGINE not supported The function "ssl_ui_reader" was declared but never referenced The function "ssl_ui_writer" was declared but never referenced Daniel Stenberg (27 Sep 2013) - configure: use icc options without space The latest version(s) of the icc compiler no longer accept the extra space in the -we (warning enable), -wd (warning disable), etc. Reported-by: Elmira A Semenova Bug: http://curl.haxx.se/mail/lib-2013-09/0182.html Steve Holme (25 Sep 2013) - imap: Added clarification to the code about odd continuation responses - ftp.c: Fixed compilation warning There is an implicit conversion from "unsigned long" to "long" - sasl: Centralised the authentication mechanism strings Moved the standard SASL mechanism strings into curl_sasl.h rather than hard coding the same values over and over again in the protocols that use SASL authentication. For more information about the mechanism strings see: http://www.iana.org/assignments/sasl-mechanisms Daniel Stenberg (23 Sep 2013) - RELEASE-NOTES: added recent contributors missing Steve Holme (23 Sep 2013) - test906: Fixed type-2 response - test915: Corrected test number from commit 22bccb0edaf041 - test906: Fixed type-1 message not handled error ...from commit f81d1e16664976 due to copy paste error. - tests: Added SMTP AUTH NTLM test - tests: Added SMTP multiple and invalid --mail-rcpt test - tests: Added SMTP multiple --mail-rcpt test - tests: Added SMTP invalid --mail-rcpt test - tests: Regrouping of SMTP tests Daniel Stenberg (22 Sep 2013) - [Benoit Sigoure brought this change] test1112: Increase the timeout from 7s to 16s As someone reported on the mailing list a while back, the hard-coded arbitrary timeout of 7s in test 1112 is not sufficient in some build environments. At Arista Networks we build and test curl as part of our automated build system, and we've run into this timeout 170 times so far. Our build servers are typically quite busy building and testing a lot of code in parallel, so despite being beefy machines with 32 cores and 128GB of RAM we still hit this 7s timeout regularly. URL: http://curl.haxx.se/mail/lib-2010-02/0200.html Steve Holme (22 Sep 2013) - tests: Fixed smtp rcpt to addresses - ftpserver.pl: Expanded the SMTP RCPT handler to validate TO addresses RCPT_smtp() will now check for a correctly formatted TO address which allows for invalid recipient addresses to be added. - ftpserver.pl: Added cURL SMTP server detection to HELO command handler As curl will send a HELO command after an negative EHLO response, added the same detection from commit b07709f7417c3e to the HELO handler to ensure the test server is identified correctly and an upload isn't performed. - ftpserver.pl: Corrected response code for successful RCPT command - ftpserver.pl: Moved invalid RCPT TO: address detection to RCPT handler Rather than detecting the TO address as missing in the DATA handler, moved the detection to the RCPT command handler where an error response can be generated. - RELEASE-NOTES: Corrected missed addition Somehow commit 60a20461629fda missed the last item in the sync list even though I'm sure I added it during editing. - RELEASE-NOTES: Synced with 6dd8bd8d2f9729 - curl.1: Added information about optional login options to --user in manpage Added missing information, from curl 7.31.0, regarding the use of the optional login options that may be specified as part of --user. For example: --user 'user:password;auth=NTLM' in IMAP, POP3 and SMTP protocols. - ftpserver.pl: Moved cURL SMTP server detection into EHLO command handler Moved the special SMTP server detection code from the DATA command handler, which happens further down the operation chain after EHLO, MAIL and RCPT commands, to the EHLO command as it is the first command to be generated by a SMTP operation as well as containing the special "verifiedserver" string from the URL. This not only makes it easier and quicker to detect but also means that cURL doesn't need to specify "verifiedserver" as --mail-from and --mail-rcpt arguments. More importantly, this also makes the upcoming verification changes to the RCPT handler easier to implement. Daniel Stenberg (21 Sep 2013) - openssl: use correct port number in error message In ossl_connect_step2() when the "Unknown SSL protocol error" occurs, it would output the local port number instead of the remote one which showed when doing SSL over a proxy (but with the correct remote host name). As libcurl only speaks SSL to the remote we know it is the remote port. Bug: http://curl.haxx.se/bug/view.cgi?id=1281 Reported-by: Gordon Marler - test1415: adjusted to work for 32bit time_t The libcurl date parser returns INT_MAX for all dates > 2037 so this test is now made to use 2037 instead of 2038 to work the same for both 32bit and 64bit time_t systems. Steve Holme (21 Sep 2013) - tests: Reworked existing SMTP tests to be single recipient based ...in preparation of upcoming multiple recipient tests. - ftpserver.pl: Corrected SMTP QUIT response to be more realistic Daniel Stenberg (20 Sep 2013) - curl_easy_setopt.3: clarify that TIMEOUT and TIMEOUT_MS set the same value - [Kim Vandry brought this change] Documented --dns-* options in curl manpage Steve Holme (20 Sep 2013) - pop3: Added basic SASL XOAUTH2 support Added the ability to use an XOAUTH2 bearer token [RFC6750] with POP3 for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "AUTH XOAUTH2 ". - curl: Added clarification to the --mail options in the --help output ... that these options apply to SMTP only. - ftpserver.pl: Moved SMTP RCPT response text into command handler - tests: Added SMTP invalid --mail-from test Nick Zitzmann (19 Sep 2013) - darwinssl: enable BEAST workaround on iOS 7 & later iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0 and a CBC cipher, so we now always turn that on unless the user manually turns it off using CURLSSLOPT_ALLOW_BEAST. It appears Apple also added some new PSK ciphers, but no interface to use them yet, so we at least support printing them if we find them. Steve Holme (19 Sep 2013) - tests: Updated SMTP AUTH tests to use the new AUTH directive ...rather than specify a customised EHLO response. - tests: Corrected test913 as the QUIT response is received - tests: Added SMTP large message SIZE test - ftpserver.pl: Updated email regex from commit 98f7ca7e971006 ...to not be as strict as it was rejecting valid numeric email addresses. - tests: Fixed smtp mail from addresses - ftpserver.pl: Standardised CAPA and AUTH responses - ftpserver.pl: Corrected POP3 QUIT reply to be more realistic - runtests.pl: Fixed syntax error in commit c873375123343e Possible unintended interpolation in string at line 796 - runtests.pl: Fixed smtp mail from address Following changes to ftpserver.pl fixed the mail from address to be a correctly formatted address otherwise the server response will be 501 Invalid address. - ftpserver.pl: Fixed syntax error in commit 98f7ca7e971006 Can't modify constant item in scalar assignment line 779, near "0;" - ftpserver.pl: Expanded the SMTP MAIL handler to validate messages MAIl_smtp() will now check for a correctly formatted FROM address as well as the optional SIZE parameter comparing it against the server capability when specified. Daniel Stenberg (17 Sep 2013) - [YAMADA Yasuharu brought this change] cookies: add expiration Implement: Expired Cookies These following situation, curl removes cookie(s) from struct CookieInfo if the cookie expired. - Curl_cookie_add() - Curl_cookie_getlist() - cookie_output() Steve Holme (17 Sep 2013) - ftpserver.pl: Corrected response code for successful MAIL command - ftpserver.pl: Moved SMTP MAIL handler into own function - dns: fix compilation with MinGW from commit df69440d05f113 Avoid 'interface' literal that some MinGW versions define as a macro Additionally, corrected some very, very minor coding style errors. - tests: Fixed test 1406 following recent changes in ftpserver.pl By default the mail server doesn't send the SIZE capability but instead it has to be specified as a supported capability. - tests: Added test for SMTP SIZE capability - ftpserver.pl: Added the ability to include spaces in capabilities For example: CAPA "SIZE 1048576" 8BITMIME BINARYMIME will populate the capabilities list with the following in: SIZE 1048576 8BITMIME BINARYMIME - ftpserver.pl: Corrected response code for successful SMTP QUIT command - ftpserver.pl: Fixed syntax error in commit 33c1f2876b9029 Can't modify constant item in postincrement line 727, near "i++" - ftpserver.pl: Added CAPA & AUTH directive support to the SMTP EHLO handler - ftpserver.pl: Fixed SMTP QUIT handler from dadc495540946e - ftpserver.pl: Moved SMTP EHLO and QUIT handlers in own functions - ftpserver.pl: Added support for SMTP HELO command ...and updated test902 as explicit HELO response is no longer required. - ftpserver.pl: Added mailbox check to IMAP SELECT handler - ftpserver.pl: Corrected invalid user details check ...in both the IMAP LOGIN and POP3 PASS handlers introduced in commit 187ac693744949 and 84ad1569e5fc93 respectively. - ftpserver.pl: Moved IMAP LOGIN handler into own function - ftpserver.pl: Moved POP3 USER and PASS handlers into own functions - ftpserver.pl: Corrected invalid argument check in POP3 TOP handler ...which was accidentally introduced in commit 4d6ef6297ae9b6. - ftpserver.pl: Added capability prerequisite for extended POP3 commands - tests: Updated descriptions to be more meaningful - ftpserver.pl: Added support for IMAP NOOP command - imap: Fixed response check for NOOP command - tests: Updated descriptions to be more meaningful Daniel Stenberg (13 Sep 2013) - curl.1: detail how short/long options work URL: http://curl.haxx.se/bug/view.cgi?id=1279 Suggested-by: Jerry Krinock Steve Holme (13 Sep 2013) - curl: Fixed usage of DNS options when not using c-ares resolver Commit 32352ed6adddcb introduced various DNS options, however, these would cause curl to exit with CURLE_NOT_BUILT_IN when c-ares wasn't being used as the backend resolver even if the options weren't set by the user. Additionally corrected some minor coding style errors from the same commit. Daniel Stenberg (13 Sep 2013) - curl_easy_setopt.3: mention RTMP URL quirks URL: http://curl.haxx.se/bug/view.cgi?id=1278 Reported-by: Gorilla Maguila - [Ben Greear brought this change] curl: Add support for various DNS binding options. (Passed on to c-ares.) Allows something like this: curl --dns-interface sta8 --dns-ipv4-addr 8.8.1.111 --interface sta8 \ --localaddr 8.8.1.111 --dns-servers 8.8.8.1 www.google.com Signed-off-by: Ben Greear - [Kim Vandry brought this change] libcurl: New options to bind DNS to local interfaces or IP addresses - libcurl.3: for multi interface connections are held in the multi handle ... and a few more cleanups/clarifications Steve Holme (12 Sep 2013) - ftpserver.pl: Fixed missing comma from 7fd84b14d219b1 - ftpserver.pl: Fixed variable error introduced in 7fd84b14d219b1 Global symbol "$mailbox" requires explicit package name - ftpserver.pl: Added support for UID command - ftpserver.pl: Added support for LSUB command - imap: Fixed response check for LSUB and UID commands - ftpserver.pl: Added support for IMAP COPY command - ftpserver.pl: Added support for IMAP CLOSE and EXPUNGE commands - ftpserver.pl: Added support for POP3 RSET command - ftpserver.pl: Added the ability to remember what messages are deleted ...as this will be required for IMAP CLOSE and EXPUNGE commands as well as the POP3 RSET command. Daniel Stenberg (10 Sep 2013) - NI_MAXSERV: remove all use of it Solaris with the SunStudio Compiler is reportedly missing this define, but as we're using it without any good reason on all the places it was used I've now instead switched to just use sensible buffer sizes that fit a 32 bit decimal number. Which also happens to be smaller than the common NI_MAXSERV value which is 32 on most machines. Bug: http://curl.haxx.se/bug/view.cgi?id=1277 Reported-by: D.Flinkmann - http2: use the support HTTP2 draft version in the upgrade header ... instead of HTTP/2.0 to work fine with the nghttpx proxy/server. Steve Holme (10 Sep 2013) - ldap.c: Fix compilation warning warning: comparison between signed and unsigned integer expressions - [Jiri Hruska brought this change] imap/pop3/smtp: Speed up SSL connection initialization Don't wait for the next callback call (usually 1 second) before continuing with protocol specific connection initialization. - ldap.c: Corrected build error from commit 857f999353f333 - RELEASE-NOTES: Corrected duplicate in bfefe2400a16b8 - RELEASE-NOTES: Corrected typo from bfefe2400a16b8 - RELEASE-NOTES: synced with 25c68903756d6b Daniel Stenberg (10 Sep 2013) - README.http2: explain nghttp2 a little Steve Holme (9 Sep 2013) - tests: Added test for POP3 TOP command - ftpserver.pl: Added support for POP3 TOP command - tests: Added test for POP3 UIDL command - ftpserver.pl: Added support for POP3 UIDL command Daniel Stenberg (9 Sep 2013) - http2: adjust to new nghttp2_pack_settings_payload proto This function was modified in nghttp2 git commit a1c3f89c72e51 Kamil Dudka (9 Sep 2013) - url: handle abortion by read/write callbacks, too Otherwise, the FTP protocol would unnecessarily hang 60 seconds if aborted in the CURLOPT_HEADERFUNCTION callback. Reported by: Tomas Mlcoch Bug: https://bugzilla.redhat.com/1005686 Daniel Stenberg (9 Sep 2013) - ldap: fix the build for systems with ldap_url_parse() Make sure that the custom struct fields are only used by code that doesn't use a struct defintion from the outside. Attempts to fix the problem introduced in 3dc6fc42bfc61b Steve Holme (9 Sep 2013) - [Jiri Hruska brought this change] pingpong: Check SSL library buffers for already read data Otherwise the connection can get stuck during various phases, waiting for new data on the socket using select() etc., but it will never be received as the data has already been read into SSL library. - imap: Fixed calculation of transfer when partial FETCH received The transfer size would be calculated incorrectly if the email contained within the FETCH response, had been partially received by the pingpong layer. As such the following, example output, would be seen if the amount remaining was smaller than the amount received: * Excess found in a non pipelined read: excess = 1394, size = 262, maxdownload = 262, bytecount = 1374 * transfer closed with -1112 bytes remaining to read Bug: http://curl.haxx.se/mail/lib-2013-08/0170.html Reported-by: John Dunn - ftpserver.pl: Fixed empty array checks ...from commits 28427b408326a1 and e8313697b6554b. - ftpserver: Reworked AUTH support to allow for specifying the mechanisms Renamed SUPPORTAUTH to AUTH and added support for specifying a list of supported SASL mechanisms to return to the client. Additionally added the directive to the FILEFORMAT document. - ftpserver: Reworked CAPA support to allow for specifying the capabilities Renamed SUPPORTCAPA to CAPA and added support for specifying a list of supported capabilities to return to the client. Additionally added the directive to the FILEFORMAT document. - ftpserver.pl: Corrected POP3 LIST as message numbers should be contiguous The message numbers given in the LIST response are an index into the list, which are only valid for the current session, rather than being a unique message identifier. An index would only be missing from the LIST response if a DELE command had been issued within the same session and had not been committed by the end of session QUIT command. Once committed the POP3 server will regenerate the message numbers in the next session to be contiguous again. As such our LIST response should list message numbers contiguously until we support a DELE command in the same session. Should a POP3 user require the unique message ID for any or all messages then they should use the extended UIDL command. This command will be supported by the test ftpserver in an upcoming commit. Daniel Stenberg (8 Sep 2013) - [Clemens Gruber brought this change] curl_easy_pause: suggest one way to unpause Steve Holme (8 Sep 2013) - tests: Updated descriptions to be more meaningful - tests: Added test for POP3 NOOP command - ftpserver.pl: Added support for POP3 NOOP command - ftpserver.pl: Fixed 'Use of uninitialized value $args in string ne' - tests: Added test for POP3 STAT command - ftpserver.pl: Added support for POP STAT command - ftpserver.pl: Moved POP3 QUIT handler into own function - ftpserver.pl: Reordered the POP3 handlers to be alphabetical In preparation for additional POP3 tests, re-ordered the command function defintions to be sorted alphabetically. - ftpserver.pl: Corrected misaligned indentation in POP3 handlers Fixed incorrect indentation used in both the RETR_pop3 and LIST_pop3 functions which was 5 and 9 characters rather than 4 and 8. - tests: Added test for POP3 DELE command unknown (7 Sep 2013) - [Steve Holme brought this change] ftpserver.pl: Added support for POP3 DELE command Daniel Stenberg (7 Sep 2013) - http2: include curl_memory.h Detected by test 1132 Nick Zitzmann (7 Sep 2013) - http: fix build warning under LLVM When building the code using LLVM Clang without NGHTTP2, I was getting this warning: ../lib/http.h:155:1: warning: empty struct is a GNU extension [-Wgnu] Placing a dummy variable into the data structure silenced the warning. Daniel Stenberg (7 Sep 2013) - http2: actually init nghttp2 and send HTTP2-Settings properly - README.http2: how to use it best with the multi API? - http2: first embryo toward Upgrade: - http: rename use_http_1_1 to use_http_1_1plus Since it now actually says if 1.1 or a later version should be used. - configure: improve CURL_CHECK_COMPILER_PROTOTYPE_MISMATCH The compiler test used a variable before it was assigned when it tried to see how it acts on a mismatching prototype, which could cause a false positive. - [Petr Písař brought this change] Pass password to OpenSSL engine by user interface Recent OpenSSL uses user interface abstraction to negotiate access to private keys in the cryprographical engines. An OpenSSL application is expected to implement the user interface. Otherwise a default one provided by OpenSSL (interactive standard I/O) will be used and the aplication will have no way how to pass a password to the engine. Longer-desc: http://curl.haxx.se/mail/lib-2013-08/0265.html - urlglob: improved error messages and column number on bad use Introduce a convenience macro and keep of the column better so that it can point out the offending column better. Updated test 75 accordingly. - urlglob: avoid error code translation By using the correct values from the start we don't have to translate them! - urlglob: avoid NULL pointer dereference Thanks to clang-analyzer - [Gisle Vanem brought this change] http2: use correct include for snprintf Using the first little merge of nghttp2 into libcurl, I stumbeled on the missing 'snprintf' in MSVCRT. Isn't this how we do it for other libcurl files? I.e. use 'curl_msnprintf' and not 'snprintf' directly: - --data: mention CRLF treatment when reading from file - [Geoff Beier brought this change] LDAP: fix bad free() when URL parsing failed When an error occurs parsing an LDAP URL, The ludp->lud_attrs[i] entries could be freed even though they sometimes point to data within an allocated area. This change introduces a lud_attrs_dup[] array for the duplicated string pointers, and it removes the unused lud_exts array. Bug: http://curl.haxx.se/mail/lib-2013-08/0209.html Nick Zitzmann (5 Sep 2013) - darwinssl: add support for PKCS#12 files for client authentication I also documented the fact that the OpenSSL engine also supports them. Daniel Stenberg (5 Sep 2013) - symbols: added HTTP2 symbols and sorted list CURL_HTTP_VERSION_2_0 and CURL_VERSION_HTTP2 are new - configure: add HTTP2 as a curl-config --feature output Fixes the test 1014 failure - curl: unbreak --http1.0 again I broke it in 2eabb7d590 - SASL: fix compiler warnings comparison between signed and unsigned integer expressions suggest parentheses around '&&' within '||' (twice) - curl: add --http1.1 and --http2.0 options - Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without support - http2: add http2.[ch] and add nghttp2 version output - curl -V: output HTTP2 as a feature if present - curl.h: add CURL_VERSION_HTTP2 as a feature It isn't added as a separate protocol as HTTP2 will be done over HTTP:// URLs that can be upgraded to HTTP2 if the server supports it as well. Steve Holme (4 Sep 2013) - imap/smtp: Fixed incorrect SASL mechanism selection with XOAUTH2 servers XOAUTH2 would be selected in preference to LOGIN and PLAIN if the IMAP or SMTP server advertised support for it even though a user's password was supplied but bearer token wasn't. Modified the selection logic so that XOAUTH2 will only be selected if the server supports it and A) The curl user/libcurl programmer has specifically asked for XOAUTH via the ;AUTH=XOAUTH login option or 2) The bearer token is specified. Obviously if XOAUTH is asked for via the login option but no token is specified the user will receive a authentication failure which makes more sense than no known authentication mechanisms supported! Daniel Stenberg (4 Sep 2013) - curl.h: added CURL_HTTP_VERSION_2_0 Initial library considerations documented in lib/README.http2 - configure: added --with-nghttp2 - acinclude: fix --without-ca-path when cross-compiling The commit 7b074a460b64811 to CURL_CHECK_CA_BUNDLE in 7.31 (don't check for paths when cross-compiling) causes --without-ca-path to no longer works when cross-compiling, since ca and capath only ever get set to "no" when not cross-compiling, I attach a patch that works for me. Also in the cross-compilation case, no ca-path seems to be a better default (IMVHO) than empty ca-path. Bug: http://curl.haxx.se/bug/view.cgi?id=1273 Patch-by: Stefan Neis Steve Holme (2 Sep 2013) - lib1512.c: Fixed compilation warning An enumerated type is mixed with another type. ...as well as a small coding style error. Guenter Knauf (1 Sep 2013) - Killed warning 'res' might be used uninitialized. Steve Holme (1 Sep 2013) - url.c: Fixed compilation warning An enumerated type is mixed with another type - easy.c: Fixed compilation warning warning: `code' might be used uninitialized in this function Daniel Stenberg (31 Aug 2013) - -x: rephrased the --proxy section somewhat Steve Holme (31 Aug 2013) - tests: Added test for IMAP CHECK command - ftpserver.pl: Added support for the IMAP CHECK command Guenter Knauf (31 Aug 2013) - Removed reference to krb4.c. Steve Holme (31 Aug 2013) - ftpserver.pl: Corrected flawed logic in commit 1ca6ed7b75cad0 - imap: Fixed response check for EXPUNGE command - ftpserver.pl: Added argument check to IMAP command handlers Added BAD argument check to the following IMAP command handlers: APPEND, STORE, LIST, EXAMINE, STATUS and SEARCH - ftpserver.pl: More whitespace corrections LIST_imap() had a second level of indentation at 9 characters and not 8. - ftpserver.pl: Small correction tidy up Corrected some IMAP variable names and whitespace issues. - [Kyle L. Huff brought this change] docs: Added documentation for CURLOPT_BEARER - [Kyle L. Huff brought this change] curl.1: Add usage of '--bearer' option - tests: Added tests for IMAP CREATE, DELETE and RENAME commands Daniel Stenberg (30 Aug 2013) - ftpserver: Bareword "to_mailbox" not allowed Added missing $ Steve Holme (30 Aug 2013) - ftpserver.pl: Added support for IMAP CREATE, DELETE and RENAME commands Daniel Stenberg (29 Aug 2013) - FTP: fix getsock during DO_MORE state ... when doing upload it would return the wrong values at times. This commit attempts to cleanup the mess. Bug: http://curl.haxx.se/mail/lib-2013-08/0109.html Reported-by: Mike Mio - curl_multi_remove_handle: allow multiple removes When removing an already removed handle, avoid that to ruin the internals and just return OK instead. Steve Holme (29 Aug 2013) - ftpserver.pl: Updated IMAP EXAMINE handler to use dynamic test data Daniel Stenberg (29 Aug 2013) - unit1304: include memdebug and free everything correctly - Curl_parsenetrc: document that the arguments must be allocated - easy: rename struct monitor to socketmonitor 'struct monitor', introduced in 6cf8413e, already exists in an IRIX header file (sys/mon.h) which gets included via various standard headers by lib/easy.c cc-1101 cc: ERROR File = ../../curl/lib/easy.c, Line = 458 "monitor" has already been declared in the current scope. Reported-by: Tor Arntsen Steve Holme (29 Aug 2013) - ftpserver.pl: Added SELECT check to IMAP FETCH and STORE handlers - ftpserver.pl: Corrected accidental move of logmsg() call Corrected the call to logmsg() in the IMAP SEARCH handler from commit 4ae7b7ea691497 as it should have been outputting the what argument and not the test number. Daniel Stenberg (28 Aug 2013) - ftpserver: add missing '}' from 4ae7b7ea69149 Steve Holme (28 Aug 2013) - ftpserver.pl: Added SELECT check to IMAP SEARCH command - ftpserver.pl: Fixed IMAP SEARCH command Daniel Stenberg (28 Aug 2013) - bump: next release is 7.33.0 due to added features - symbols-in-versions: add CURLOPT_XOAUTH2_BEARER Steve Holme (28 Aug 2013) - tests: Added test for IMAP SEARCH command Daniel Stenberg (28 Aug 2013) - valgrind.supp: fix for regular curl_easy_perform too When we introduced curl_easy_perform_ev, this got a slightly modified call trace. Without this, test 165 causes a false positive valgrind error. - valgrind.supp: add the event-based call stack-trace too Without this, test 165 triggers a valgrind error when ran with curl_easy_perform_ev - multi_socket: improved 100-continue timeout handling When waiting for a 100-continue response from the server, the Curl_readwrite() will refuse to run if called until the timeout has been reached. We timeout code in multi_socket() allows code to run slightly before the actual timeout time, so for test 154 it could lead to the function being executed but refused in Curl_readwrite() and then the application would just sit idling forever. This was detected with runtests.pl -e on test 154. Steve Holme (27 Aug 2013) - ftpserver.pl: Added support for IMAP SEARCH command - tool_operate.c: Fixed compilation warning warning: implicit declaration of function 'checkpasswd' - curl: Moved check for password out of get parameter loop Moved the calls to checkpasswd() out of the getparameter() function which allows for any related arguments to be specified on the command line before or after --user (and --proxy-user). For example: --bearer doesn't need to be specified before --user to prevent curl from asking for an unnecessary password as is the case with commit e7dcc454c67a2f. - RELEASE-NOTES: synced with acf59be7f09a7 - [Kyle L. Huff brought this change] curl: added --bearer option to help Added the --bearer option to the help output - [Kyle L. Huff brought this change] curl: added basic SASL XOAUTH2 support Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the --bearer option. Example usage: curl --url "imaps://imap.gmail.com:993/INBOX/;UID=1" --ssl-reqd --bearer ya29.AHES6Z...OMfsHYI --user username@example.com - tool_urlglob.c: Fixed compiler warnings warning: 'variable' may be used uninitialized in this function Daniel Stenberg (26 Aug 2013) - security.h: rename to curl_sec.h to avoid name collision I brought back security.h in commit bb5529331334e. As we actually already found out back in 2005 in commit 62970da675249, the file name security.h causes problems so I renamed it curl_sec.h instead. - runtests.pl: allow -vc point to a separate curl binary to verify with The specified curl binary will then be used to verify the running server(s) instead of the development version. This is very useful in some cases when the development version fails to verify correctly as then the test case may not run at all. The actual test will still be run with the "normal" curl executable (unless the test case specifies something differently). Steve Holme (26 Aug 2013) - [Kyle L. Huff brought this change] smtp: added basic SASL XOAUTH2 support Added the ability to use an XOAUTH2 bearer token [RFC6750] with SMTP for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "AUTH XOAUTH2 ". - [Kyle L. Huff brought this change] imap: added basic SASL XOAUTH2 support Added the ability to use an XOAUTH2 bearer token [RFC6750] with IMAP for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "A001 AUTHENTICATE XOAUTH2 ". - security.h: Fixed compilation warning ISO C forbids forward references to 'enum' types Daniel Stenberg (26 Aug 2013) - KNOWN_BUGS: refer to bug numbers with the existing number series The old numbers would still redirect but who knows for how long... Steve Holme (25 Aug 2013) - [Kyle L. Huff brought this change] options: added basic SASL XOAUTH2 support Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth 2.0 Authorization Framework". - [Kyle L. Huff brought this change] sasl: added basic SASL XOAUTH2 support Added the ability to generated a base64 encoded XOAUTH2 token containing: "user=^Aauth=Bearer ^A^A" as per RFC6749 "OAuth 2.0 Authorization Framework". Daniel Stenberg (25 Aug 2013) - FTP: remove krb4 support We've announced this pending removal for a long time and we've repeatedly asked if anyone would care or if anyone objects. Nobody has objected. It has probably not even been working for a good while since nobody has tested/used this code recently. The stuff in krb4.h that was generic enough to be used by other sources is now present in security.h - easy: define away easy_events() for non-debug builds - FAQ: editorial updates Several language fixes. Several reformats that should make the HTML generation of this document look better. Reported-by: Dave Thompson - RELEASE-NOTES: synced with 22adb46a32bee - multi: move on from STATE_DONE faster Make sure we always return CURLM_CALL_MULTI_PERFORM when we reach CURLM_STATE_DONE since the state is transient and it can very well continue executing as there is nothing to wait for. Bug: http://curl.haxx.se/mail/lib-2013-08/0211.html Reported-by: Yi Huang - curl.h: name space pollution by "enum type" Renamed to "enum curl_khtype" now. Will break compilation for programs that rely on the enum name. Bug: https://github.com/bagder/curl/pull/76 Reported-by: Shawn Landden - TFTP: make the CURLOPT_LOW_SPEED* options work ... this also makes sure that the progess callback gets called more often during TFTP transfers. Added test 1238 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1269 Reported-by: Jo3 - tftpd: support "writedelay" within - tftpd: convert 6 global variables into local ones - [Gisle Vanem brought this change] curl_easy_perform_ev: make it CURL_EXTERN I build curl.exe (using MingW) with '-DCURLDEBUG' and by importing from libcurl.dll. Which means the new curl_easy_perform_ev() must be exported from libcurl.dll. - CURLM_ADDED_ALREADY: new error code Doing curl_multi_add_handle() on an easy handle that is already added to a multi handle now returns this error code. It previously returned CURLM_BAD_EASY_HANDLE for this condition. - multi_init: moved init code here from add_handle The closure_handle is "owned" by the multi handle and it is unconditional so the setting up of it should be in the Curl_multi_handle function rather than curl_multi_add_handle. - multi: remove dns cache creation code from *add_handle As it is done unconditionally in multi_init() this code will never run! - curl_easy_perform_ev: debug/test function This function is meant to work *exactly* as curl_easy_perform() but will use the event-based libcurl API internally instead of curl_multi_perform(). To avoid relying on an actual event-based library and to not use non-portable functions (like epoll or similar), there's a rather inefficient emulation layer implemented on top of Curl_poll() instead. There's currently some convenience logging done in curl_easy_perform_ev which helps when tracking down problems. They may be suitable to remove or change once things seem to be fine enough. curl has a new --test-event option when built with debug enabled that then uses curl_easy_perform_ev() instead of curl_easy_perform(). If built without debug, using --test-event will only output a warning message. NOTE: curl_easy_perform_ev() is not part if the public API on purpose. It is only present in debug builds of libcurl and MUST NOT be considered stable even then. Use it for libcurl-testing purposes only. runtests.pl now features an -e command line option that makes it use --test-event for all curl command line tests. The man page is updated. - [Gisle Vanem brought this change] transfer: the recent sessionhandle change broke CURL_DOES_CONVERSIONS - test1237: verify 1000+ letter user name + passwords - [Jonathan Nieder brought this change] url: handle arbitrary-length username and password before '@' libcurl quietly truncates usernames, passwords, and options from before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters to fit in fixed-size buffers on the stack. Allocate a buffer large enough to fit the parsed fields on the fly instead to support longer passwords. After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH left, so stop defining that constant while at it. The hardcoded max username and password length constants, on the other hand, are still used in HTTP proxy credential handling (which this patch doesn't touch). Reported-by: Colby Ranger - [Jonathan Nieder brought this change] url: handle exceptional cases first in parse_url_login() Instead of nesting "if(success)" blocks and leaving the reader in suspense about what happens in the !success case, deal with failure cases early, usually with a simple goto to clean up and return from the function. No functional change intended. The main effect is to decrease the indentation of this function slightly. - [Jonathan Nieder brought this change] Curl_setopt: handle arbitrary-length username and password libcurl truncates usernames, passwords, and options set with curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. This doesn't affect the return value from curl_easy_setopt(), so from the caller's point of view, there is no sign anything strange has happened, except that authentication fails. For example: # Prepare a long (300-char) password. s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; # Start a server. nc -l -p 8888 | tee out & pid=$! # Tell curl to pass the password to the server. curl --user me:$s http://localhost:8888 & sleep 1; kill $pid # Extract the password. userpass=$( awk '/Authorization: Basic/ {print $3}' setup_connection. Some protocol handlers had to get this function added. 2 - always free at the end of a request. This is also an attempt to keep less memory in the handle after it is completed. - version number: bump to 7.32.1 for now Start working on the next version and up some counters. Version 7.32.0 (11 Aug 2013) Daniel Stenberg (11 Aug 2013) - THANKS: added contributors from the 7.32.0 release notes - [Fabian Keil brought this change] test1228: add 'HTTP proxy' to the keywords - [Fabian Keil brought this change] tests: add keywords for a couple of FILE tests - [Fabian Keil brought this change] tests: add 'FAILURE' keywords to tests 1409 and 1410 - [Fabian Keil brought this change] tests: add keywords for a couple of HTTP tests - [Fabian Keil brought this change] tests: add keywords for a couple of FTP tests - [Fabian Keil brought this change] test1511: consistently terminate headers with CRLF - DISABLED: shut of test 1512 for now It shows intermittent failures and I haven't been able to track them down yet. Disable this test for now. - curl_multi_add_handle.3: ... that timer callback is for event-based - comments: remove old and wrong multi/easy interface statements - curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use - [John E. Malmberg brought this change] KNOWN_BUGS: 22 and 57 have been fixed and committed - RELEASE-NOTES: synced with d20def20462e7 - global dns cache: fix memory leak The take down of the global dns cache didn't take CURLOPT_RESOLVE names into account. - global dns cache: didn't work [regression] CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been broken since the libcurl 7.29.0 release). While this option has been documented as deprecated for almost a decade and nobody even reported this bug, it should remain functional. Added test case 1512 to verify Yang Tse (8 Aug 2013) - [John Malmberg brought this change] packages/vms: update VMS build files VMS modified files either missing from a previous commit and changes to remove references to CVS repositories. Daniel Stenberg (8 Aug 2013) - FTP: renamed several local functions The previous naming scheme ftp_state_post_XXXX() wasn't really helpful as it wasn't always immediately after 'xxxx' and it wasn't easy to understand what it does based on such a name. This new one is instead ftp_state_yyyy() where yyyy describes what it does or sends. - mk-ca-bundle.1: don't install on make install Since the mk-ca-bundle tool itself isn't installed with make install, there's no point in installing its documentation. Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html Reported-by: Guenter Knauf Yang Tse (7 Aug 2013) - packages/vms/Makefile.am: add latest file additions to EXTRA_DIST - [John Malmberg brought this change] Building_vms_pcsi_kit These are the files needed to build VMS distribution packages known as PCSI kits. Also minor update to the existing files, mainly to the documentation and file clean up code. Daniel Stenberg (6 Aug 2013) - LIBCURL-STRUCTS: new document This is the first version of this new document, detailing the seven perhaps most important internal structs in libcurl source code: 1.1 SessionHandle 1.2 connectdata 1.3 Curl_multi 1.4 Curl_handler 1.5 conncache 1.6 Curl_share 1.7 CookieInfo - CONTRIBUTE: minor language polish - FTP: when EPSV gets a 229 but fails to connect, retry with PASV This is a regression as this logic used to work. It isn't clear when it broke, but I'm assuming in 7.28.0 when we went all-multi internally. This likely never worked with the multi interface. As the failed connection is detected once the multi state has reached DO_MORE, the Curl_do_more() function was now expanded somewhat so that the ftp_do_more() function can request to go "back" to the previous state when it makes another attempt - using PASV. Added test case 1233 to verify this fix. It has the little issue that it assumes no service is listening/accepting connections on port 1... Reported-by: byte_bucket in the #curl IRC channel Nick Zitzmann (5 Aug 2013) - md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard For some reason, OS X 10.5's GCC suddenly stopped working correctly with macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I worked around this by removing use of the macros and inserting static functions that just call CommonCrypto's implementations of the functions instead. Guenter Knauf (5 Aug 2013) - Simplify check for trusted certificates. This changes the previous check for untrusted certs to a check for certs explicitely marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80). Daniel Stenberg (5 Aug 2013) - configure: warn on bad env variable use, don't error Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS. - Revert "configure: don't error out on variable confusions, just warn" This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a. - formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used The internal function that's used to detect known file extensions for the default Content-Type got the the wrong pointer passed in when CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that strlen() would be used which could lead to an out-of-bounds read (and thus segfault). In most cases it would only lead to it not finding or using the correct default content-type. It also showed that test 554 and test 587 were testing for the previous/wrong behavior and now they're updated as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1262 Reported-by: Konstantin Isakov Guenter Knauf (4 Aug 2013) - Skip more untrusted certificates. Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html Daniel Stenberg (4 Aug 2013) - configure: don't error out on variable confusions, just warn - configure: rephrase the notice in _XC_CHECK_VAR_* Instead of claiming it is an error, we call it a "note" to reduce the severity level. But the following text now says the [variable] "*should* only be used to specify"... instead of previously having said "may". - multi: remove data->state.current_conn struct field Not needed - multi: remove the one_easy struct field Since the merge of SessionHandle with Curl_one_easy, this indirection isn't used anymore. - multi: rename all Curl_one_easy to SessionHandle - multi: remove the multi_pos struct field Since Curl_one_easy is really a SessionHandle now, this indirection doesn't exist anymore. - multi: remove easy_handle struct field It isn't needed anymore - multi: remove 'Curl_one_easy' struct, phase 1 The motivation for having a separate struct that keep track of an easy handle when using the multi handle was removed when we switched to always using the multi interface internally. Now they were just two separate struct that was always allocated for each easy handle. This first step just moves the Curl_one_easy struct members into the SessionHandle struct and hides this somehow (== keeps the source code changes to a minimum) by defining Curl_one_easy to SessionHandle The biggest changes in this commit are: 1 - the linked list of easy handles had to be changed somewhat due to the new struct layout. This made the main linked list pointer get renamed to 'easyp' and there's also a new pointer to the last node, called easylp. It is no longer circular but ends with ->next pointing to NULL. New nodes are still added last. 2 - easy->state is now called easy->mstate to avoid name collision Steve Holme (2 Aug 2013) - Revert "DOCS: Added IMAP URL example for listing new messages" This reverts commit 82ab5f1b0c7c3f as this was the wrong place to document the complexity of IMAP URLs and Custom Requests. - DOCS: Added IMAP URL example for listing new messages In addition to listing the folder contents, in the URL examples, added an example to list the new messages waiting in the user's inbox. Yang Tse (1 Aug 2013) - packages/vms/Makefile.am: add latest file additions to EXTRA_DIST - [John Malmberg brought this change] Add in the files needed to build libcurl shared images on VMS. Update the packages/vms/readme file to be current. Also some files for the GNV based build were either missing or needed an update. curl_crtl_init.c is a special file that is run before main() to set up the proper C runtime behavior. generate_vax_transfer.com generates the VAX transfer vector modules from the gnv_libcurl_symbols.opt file. gnv_conftest.c_first is a helper file needed for configure scripts to come up with the expected answers on VMS. gnv_libcurl_symbols.opt is the public symbols for the libcurl shared image. gnv_link_curl.com builds the shared libcurl image and rebuilds other programs to use it. macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32 assembler case sensitive, which is needed to build the VAX transfer modules. report_openssl_version.c is a tool for help verify that the libcurl shared image is being built for a minium version of openssl. - curl: second follow-up for commit 5af2bfb9 Display progress-bar unconditionally on first call - curl: follow-up for commit 5af2bfb9 Use tvnow() and tvdiff() to avoid introducing new linkage issues Daniel Stenberg (31 Jul 2013) - curl: --progress-bar max update frequency now at 5Hz - curl: make --progress-bar update the line less frequently Also, use memset() instead of a lame loop. The previous logic that tried to avoid too many updates were very ineffective for really fast transfers, as then it could easily end up doing hundreds of updates per second that would make a significant impact in transfer performance! Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html Reported-by: Marc Doughty Nick Zitzmann (30 Jul 2013) - darwinssl: added LFs to some strings passed into infof() (This doesn't need to appear in the release notes.) I noticed a few places where infof() was called, and there should've been an LF at the end of the string, but there wasn't. - darwinssl: fix build error in crypto authentication under Snow Leopard It turns out Snow Leopard not only has SecItemCopyMatching() defined in a header not included by the omnibus header, but it won't work for our purposes, because searching for SecIdentityRef objects wasn't added to that API until Lion. So we now use the old SecKeychainSearch API instead if the user is building under, or running under, Snow Leopard. Bug: http://sourceforge.net/p/curl/bugs/1255/ Reported by: Edward Rudd - md5 & metalink: use better build macros on Apple operating systems Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating code that was specific to OS X and iOS. Now we use __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED instead of those macros. Bug: http://sourceforge.net/p/curl/bugs/1255/ Reported by: Edward Rudd Yang Tse (29 Jul 2013) - tool_operhlp.c: fix add_file_name_to_url() OOM handling - tool_operate.c: fix brace placement for vi/emacs delimiter matching - tool_operate.c: move header inclusion location Daniel Stenberg (29 Jul 2013) - RELEASE-NOTES: synced with b5478a0e033e7 - curl_easy_pause: on unpause, trigger mulit-socket handling When the multi-socket API is used, we need the handle to be checked again when it gets unpaused. Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html Reported-by: Justin Karneges - [John E. Malmberg brought this change] curl_formadd: fix file upload on VMS For the standard VMS text file formats, VMS needs to read the file to get the actual file size. For the standard VMS binary file formats, VMS needs a special format of fopen() call so that it stops reading at the logical end of file instead of at the end of the blocks allocated to the file. I structured the patch this way as I was not sure about changing the structures or parameters to the routines, but would prefer to only call the stat() function once and pass the information to where the fopen() call is made. Bug: https://sourceforge.net/p/curl/bugs/758/ - formadd: CURLFORM_FILECONTENT wrongly rejected some option combos The code for CURLFORM_FILECONTENT had its check for duplicate options wrong so that it would reject CURLFORM_PTRNAME if used in combination with it (but not CURLFORM_COPYNAME)! The flags field used for this purpose cannot be interpreted that broadly. Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html Reported-by: Byrial Jensen Yang Tse (25 Jul 2013) - packages/vms/Makefile.am: add latest file additions to EXTRA_DIST - [John E. Malmberg brought this change] VMS: intial set of files to allow building using GNV toolkit. - string formatting: fix too many arguments for format - string formatting: fix zero-length printf format string - easy.c: curl_easy_getinfo() fix va_start/va_end matching - imap.c: imap_sendf() fix va_start/va_end matching - string formatting: fix 15+ printf-style format strings Patrick Monnerat (24 Jul 2013) - OS400: sync ILE/RPG binding with current curl.h Yang Tse (24 Jul 2013) - string formatting: fix 25+ printf-style format strings Daniel Stenberg (23 Jul 2013) - Makefile.am: use LDFLAGS as well when linking libcurl Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded automake for the release builds. Bug: http://curl.haxx.se/bug/view.cgi?id=1217 Reported-by: Dagobert Michelsen - [Fabian Keil brought this change] url.c: Fix dot file path cleanup when using an HTTP proxy Previously the path was cleaned, but the URL wasn't properly updated. - [Fabian Keil brought this change] tests: test1232 verifies dotdot removal from path with proxy - [Fabian Keil brought this change] dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify() - [John E. Malmberg brought this change] build_vms.com: fix debug and float options In the reorganization of the build_vms.com the debug and float options were not fixed up correctly. - [John E. Malmberg brought this change] curl: fix upload of a zip file in OpenVMS Two fixes: 1. Force output file format to be stream-lf so that partial downloads can be continued. This should have minor impact as if the file does not exist, it was created with stream-lf format. The only time this was an issue is if there was already an existing file with a different format. 2. Fix file uploads are now fixed. a. VMS binary files such as ZIP archives are now uploaded correctly. b. VMS text files are read once to get the correct size and then converted to line-feed terminated records as they are read into curl. The default VMS text formats do not contain either line-feed or carriage-return terminated records. Those delimiters are added by the operating system file read calls if the application requests them. Bug: http://curl.haxx.se/bug/view.cgi?id=496 Yang Tse (22 Jul 2013) - libtest: fix data type of some *_setopt() 'long' arguments - curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output - curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output - tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs We no longer pass our 'bool' data type variables nor constants as an argument to my_setopt(), instead we use proper 1L or 0L values. This also fixes macro used to pass string argument for CURLOPT_SSLCERT, CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of my_setopt(). This also casts enum or int argument data types to long when passed to my_setopt_enum(). Daniel Stenberg (21 Jul 2013) - curl_multi_wait: fix revents Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong array index, but this fix also: 1 - only does the copying if indeed there was any activity 2 - makes sure to properly translate between internal and external bitfields, which are not guaranteed to match Reported-by: Evgeny Turnaev - RELEASE-NOTES: synced with d529f3882b9bca - curl_easy_perform: gradually increase the delay time Instead of going 50,100,150 etc millisecond delay time when nothing has been found to do or wait for, we now start lower and double each loop as in 4,8,16,32 etc. This lowers the minimum wait without sacrifizing the longer wait too much with unnecessary CPU cycles burnt. Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html Reported-by: Andreas Malzahn - ftp_do_more: consider DO_MORE complete when server connects back In the case of an active connection when ftp_do_more() detects that the server has connected back, it must make sure to mark it as complete so that the multi_runsingle() function will detect this and move on to the next state. Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html Reported-by: Clemens Gruber Yang Tse (19 Jul 2013) - Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1 - WIN32 MemoryTracking: require UNICODE for wide strdup code support Daniel Stenberg (18 Jul 2013) - CURLOPT_XFERINFOFUNCTION: introducing a new progress callback CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function and CURLOPT_PROGRESSFUNCTION is considered deprecated. This new callback uses pure 'curl_off_t' arguments to pass on full resolution sizes. It otherwise retains the same characteristics: the same call rate, the same meanings for the arguments and the return code is used the same way. The progressfunc.c example is updated to show how to use the new callback for newer libcurls while supporting the older one if built with an older libcurl or even built with a newer libcurl while running with an older. Yang Tse (18 Jul 2013) - Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage". This reverts commit 7ed25cc, reinstating commit 8ec2cb5. As of 18-jul-2013 we still do have code in libcurl that makes use of these memory functions. Commit 8ec2cb5 comment still applies and is yet valid. These memory functions are solely used in Windows builds, so all related code is protected with '#ifdef WIN32' preprocessor conditional compilation directives. Specifically, wcsdup() _wcsdup() are used when building a Windows target with UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case when building a Windows UNICODE target with Windows native SSL/TLS support enabled. Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage of these is hidden behind _tcsdup() which is MS way of dealing with code that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS header files and those compatible from other compilers use this preprocessor conditional compilation directive in order to select at compilation time whether 'wide' or 'ansi' MS API functions are used. Without this code, Windows build targets with Windows native SSL/TLS support enabled and MemoryTracking support enabled misbehave in tracking memory usage, regardless of being a UNICODE enabled build or not. - xc-am-iface.m4: comments refinement - configure: fix 'subdir-objects' distclean related issue See XC_AMEND_DISTCLEAN comments for details. Daniel Stenberg (18 Jul 2013) - [Evgeny Turnaev brought this change] curl_multi_wait: set revents for extra fds Pass back the revents that happened for the user-provided file descriptors. - [Ben Greear brought this change] asyn-ares: Don't blank ares servers if none configured. Best to just let c-ares use it's defaults if none are configured in (lib)curl. Signed-off-by: Ben Greear - [Sergei Nikulov brought this change] cmake: Fix for MSVC2010 project generation Fixed issue with static build for MSVC2010. After some investigation I've discovered known issue http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked to static lib it fails with following linker error LINK : warning LNK4068: /MACHINE not specified; defaulting to X86 file.obj : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86' Fix add target property /MACHINE: for MSVC generation. Also removed old workarounds - it caused errors during msvc build. Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html - mk-ca-bundle.1: point out certdata.txt format docs Yang Tse (16 Jul 2013) - slist.c: Curl_slist_append_nodup() OOM handling fix Daniel Stenberg (16 Jul 2013) - test1414: FTP PORT download without SIZE support Yang Tse (16 Jul 2013) - tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES Patrick Monnerat (15 Jul 2013) - curl_slist_append(): fix error detection - slist.c: fix indentation - OS400: new SSL backend GSKit - OS400: add slist and certinfo EBCDIC support - config-os400.h: enable system strdup(), strcmpi(), etc. - x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract Use from qssl backend - ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL - Merge branch 'master' of github.com:bagder/curl Merge for resync - slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup() Yang Tse (15 Jul 2013) - sslgen.c: fix Curl_rand() compiler warning Use simple seeding method upon RANDOM_FILE seeding method failure. - sslgen.c: fix unreleased Curl_rand() infinite recursion Daniel Stenberg (14 Jul 2013) - [Dave Reisner brought this change] src/tool: allow timeouts to accept decimal values Implement wrappers around strtod to convert the user argument to a double with sane error checking. Use this to allow --max-time and --connect-timeout to accept decimal values instead of strictly integers. The manpage is updated to make mention of this feature and, additionally, forewarn that the actual timeout of the operation can vary in its precision (particularly as the value increases in its decimal precision). - [Dave Reisner brought this change] curl.1: fix long line, found by checksrc.pl - [Dave Reisner brought this change] src/tool_paramhlp: try harder to catch negatives strto* functions happily chomp off leading whitespace, so simply checking for str[0] can lead to false negatives. Do the full parse and check the out value instead. - [John E. Malmberg brought this change] build_vms.com: detect and use zlib shared image Update the build_vms.com to detect and use zlib shared image installed by the ZLIB kit produced by Jean-Francois Pieronne, and the also the future ZLIB 1.2.8 kit in addition to the older ZLIB kits. Also fix the indentation to match one of the common standards used for VMS DCL command files and removed the hard tab characters. Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX. Yang Tse (14 Jul 2013) - url.c: fix parse_url_login() OOM handling - http_digest.c: SIGSEGV and OOM handling fixes - url.c: fix parse_login_details() OOM handling - [John E. Malmberg brought this change] setup-vms.h: sk_pop symbol tweak Newer versions of curl are referencing a sk_pop symbol while the HP OpenSSL library has the symbol in uppercase only. - getinfo.c: fix enumerated type mixed with another type - test 1511: fix enumerated type mixed with another type - url.c: fix SIGSEGV - dotdot.c: fix global declaration shadowing - easy.c: fix global declaration shadowing Kamil Dudka (9 Jul 2013) - Revert "curl.1: document the --time-cond option in the man page" This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because the documentation of --time-cond was duplicated by mistake. Reported by: Dave Reisner - curl.1: document the --sasl-ir option in the man page - curl.1: document the --post303 option in the man page - curl.1: document the --time-cond option in the man page Yang Tse (9 Jul 2013) - configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE) - xc-am-iface.m4: provide XC_AUTOMAKE macro Guenter Knauf (8 Jul 2013) - Added winssl-zlib target to VC builds. - Synced Makefile.vc6 with recent changes. Issue posted to the list by malinowsky AT FTW DOT at. - Added libmetalink URL; added Android versions. Dan Fandrich (3 Jul 2013) - examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES This prevents it from being built during a "make check" since it depends on OpenSSL. Nick Zitzmann (2 Jul 2013) - Merge branch 'master' of https://github.com/bagder/curl - darwinssl: SSLv2 connections are aborted if unsupported by the OS I just noticed that OS X no longer supports SSLv2. Other TLS engines return an error if the requested protocol isn't supported by the underlying engine, so we do that now for SSLv2 if the framework returns an error when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is only enabled in curl when starting the app with the -2 argument; it's off by default. SSLv2 is really old and insecure.) Marc Hoersken (1 Jul 2013) - lib506.c: Fixed possible use of uninitialized variables Kamil Dudka (30 Jun 2013) - url: restore the functionality of 'curl -u :' This commit fixes a regression introduced in fddb7b44a79d78e05043e1c97e069308b6b85f79. Reported by: Markus Moeller Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html Daniel Stenberg (25 Jun 2013) - digest: append the timer to the random for the nonce - digest: improve nonce generation Use the new improved Curl_rand() to generate better random nonce for Digest auth. - curl.1: fix typo in --xattr description Bug: http://curl.haxx.se/bug/view.cgi?id=1252 Reported-by: Jean-Noël Rouvignac - RELEASE-NOTES: synced with 365c5ba39591 The 10 first bug fixes for the pending release... - formpost: better random boundaries When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris" - printf: make sure %x are treated unsigned When using %x, the number must be treated as unsigned as otherwise it would get sign-extended on for example 64bit machines and do wrong output. This problem showed when doing printf("%08x", 0xffeeddcc) on a 64bit host. - tests: add test1395 to the tarball - SIGPIPE: don't use 'data' in sigpipe restore Follow-up fix from 7d80ed64e43515. The SessionHandle may not be around to use when we restore the sigpipe sighandler so we store the no_signal boolean in the local struct to know if/how to restore. - TODO: 1.8 Modified buffer size approach Thoughts around buffer sizes and what might be possible to do... - c-ares: improve error message on failed resolve When the c-ares based resolver backend failed to resolve a name, it tried to show the name that failed from existing structs. This caused the wrong output and shown hostname when for example --interface [hostname] was used and that name resolving failed. Now we use the hostname used in the actual resolve attempt in the error message as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1191 Reported-by: Kim Vandry - ossl_recv: check for an OpenSSL error, don't assume When we recently started to treat a zero return code from SSL_read() as an error we also got false positives - which primarily looks to be because the OpenSSL documentation is wrong and a zero return code is not at all an error case in many situations. Now ossl_recv() will check with ERR_get_error() to see if there is a stored error and only then consider it to be a true error if SSL_read() returned zero. Bug: http://curl.haxx.se/bug/view.cgi?id=1249 Reported-by: Nach M. S. Patch-by: Nach M. S. Nick Zitzmann (22 Jun 2013) - Merge branch 'master' of https://github.com/bagder/curl - darwinssl: fix crash that started happening in Lion Something (a recent security update maybe?) changed in Lion, and now it has changed SSLCopyPeerTrust such that it may return noErr but also give us a null trust, which caught us off guard and caused an eventual crash. Daniel Stenberg (22 Jun 2013) - SIGPIPE: ignored while inside the library ... and restore the ordinary handling again when it returns. This is done for curl_easy_perform() and curl_easy_cleanup() only for now - and only when built to use OpenSSL as backend as this is the known culprit for the spurious SIGPIPEs people have received. Bug: http://curl.haxx.se/bug/view.cgi?id=1180 Reported by: Lluís Batlle i Rossell - KNOWN_BUGS: #83 unable to load non-default openssl engines - test1396: invoke the correct test tool! This erroneously run unit test 1310 instead of 1396! Kamil Dudka (22 Jun 2013) - test1230: avoid using hard-wired port number ... to prevent failure when a non-default -b option is given - curl-config.in: replace tabs by spaces Nick Zitzmann (22 Jun 2013) - darwinssl: reform OS-specific #defines This doesn't need to be in the release notes. I cleaned up a lot of the #if lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like __MAC_10_6 or whatever were defined, because for some SDKs Apple has released they were defined out of place. Daniel Stenberg (22 Jun 2013) - [Alessandro Ghedini brought this change] docs: fix typo in curl_easy_getinfo manpage - dotdot: introducing dot file path cleanup RFC3986 details how a path part passed in as part of a URI should be "cleaned" from dot sequences before getting used. The described algorithm is now implemented in lib/dotdot.c with the accompanied test case in test 1395. Bug: http://curl.haxx.se/bug/view.cgi?id=1200 Reported-by: Alex Vinnik - bump: start working towards what most likely will become 7.32.0 - THANKS: added 24 new contributors from the 7.31.0 release Version 7.31.0 (22 Jun 2013) Daniel Stenberg (22 Jun 2013) - RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0 - unit1396: unit tests to verify curl_easy_(un)escape - Curl_urldecode: no peeking beyond end of input buffer Security problem: CVE-2013-2174 If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer... Bug: http://curl.haxx.se/docs/adv_20130622.html Reported-by: Timo Sirainen Guenter Knauf (20 Jun 2013) - Use opened body.out file and write content to it. Daniel Stenberg (20 Jun 2013) - multi_socket: react on socket close immediately As a remedy to the problem when a socket gets closed and a new one is opened with the same file descriptor number and as a result multi.c:singlesocket() doesn't detect the difference, the new function Curl_multi_closed() gets told when a socket is closed so that it can be removed from the socket hash. When the old one has been removed, a new socket should be detected fine by the singlesocket() on next invoke. Bug: http://curl.haxx.se/bug/view.cgi?id=1248 Reported-by: Erik Johansson - RELEASE-NOTES: synced with e305f5ec715f - TODO: mention the DANE patch from March - CURLOPT_COOKIELIST: take cookie share lock When performing COOKIELIST operations the cookie lock needs to be taken for the cases where the cookies are shared among multiple handles! Verified by Benjamin Gilbert's updated test 506 Bug: http://curl.haxx.se/bug/view.cgi?id=1215 Reported-by: Benjamin Gilbert - [Benjamin Gilbert brought this change] test506: verify that CURLOPT_COOKIELIST takes share lock It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215 - TODO: HTTP2/SPDY support - curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be called more frequently than once per second when things are happening. - RELEASE-NOTES: synced with 9c3e098259b82 Mention 7 recent bug fixes and their associated contributors - curl_multi_wait.3: clarify the numfds counter - curl_easy_perform: avoid busy-looping When curl_multi_wait() finds no file descriptor to wait for, it returns instantly and this must be handled gracefully within curl_easy_perform() or cause a busy-loop. Starting now, repeated fast returns without any file descriptors is detected and a gradually increasing sleep will be used (up to a max of 1000 milliseconds) before continuing the loop. Bug: http://curl.haxx.se/bug/view.cgi?id=1238 Reported-by: Miguel Angel - [YAMADA Yasuharu brought this change] cookies: follow-up fix for path checking The initial fix to only compare full path names were done in commit 04f52e9b4db0 but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62). - [Sergei Nikulov brought this change] lib1900: use tutil_tvnow instead of gettimeofday Makes it build on windows - [Eric Hu brought this change] axtls: now done non-blocking - [Eric Hu brought this change] test2033: requires NTLM support - KNOWN_BUGS: #82 failed build with Borland compiler - Curl_output_digest: support auth-int for empty entity body By always returning the md5 for an empty body when auth-int is asked for, libcurl now at least sometimes does the right thing. Bug: http://curl.haxx.se/bug/view.cgi?id=1235 Patched-by: Nach M. S. - multi_socket: reduce timeout inaccuracy margin Allow less room for "triggered too early" mistakes by applications / timers on non-windows platforms. Starting now, we assume that a timeout call is never made earlier than 3 milliseconds before the actual timeout. This greatly improves timeout accuracy on Linux. Bug: http://curl.haxx.se/bug/view.cgi?id=1228 Reported-by: Hang Su - cert_stuff: avoid double free in the PKCS12 code In the pkcs12 code, we get a list of x509 records returned from PKCS12_parse but when iterating over the list and passing each to SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from the "stack", which made them get freed twice (both in sk_X509_pop_free() and then later in SSL_CTX_free). This isn't really documented anywhere... Bug: http://curl.haxx.se/bug/view.cgi?id=1236 Reported-by: Nikaiw - cert_stuff: remove code duplication in the pkcs12 logic - [Aleksey Tulinov brought this change] axtls: honor disabled VERIFYHOST When VERIFYHOST == 0, libcurl should let invalid certificates to pass. - [Peter Gal brought this change] curl_easy_setopt.3: HTTP header with no content Update the documentation on how to specify a HTTP header with no content. - RELEASE-NOTES: synced with 87cf677eca55 Added 11 bugs and 7 contributors - lib1500: remove bad check After curl_multi_wait() returns, this test checked that we got exactly one file descriptor told to read from, but we cannot be sure that is true. curl_multi_wait() will sometimes return earlier without any file descriptor to handle, just just because it is a suitable time to call *perform(). This problem showed up with commit 29bf0598. Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html Reported-by: Fabian Keil - tests/Makefile: typo in the perlcheck target Bug: http://curl.haxx.se/bug/view.cgi?id=1239 Reported-by: Christian Weisgerber - test1230: verify CONNECT to a numerical ipv6-address - sws: support extracting test number from CONNECT ipv6-address! If an ipv6-address is provided to CONNECT, the last hexadecimal group in the address will be used as the test number! For example the address "[1234::ff]" would be treated as test case 255. - curl_multi_wait: only use internal timer if not -1 commit 29bf0598aad5 introduced a problem when the "internal" timeout is prefered to the given if shorter, as it didn't consider the case where -1 was returned. Now the internal timeout is only considered if not -1. Reported-by: Tor Arntsen Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html Dan Fandrich (3 Jun 2013) - libcurl-tutorial.3: added a section on IPv6 Also added a (correctly-escaped) backslash to the autoexec.bat example file and a new Windows character device name with a colon as examples of other characters that are special and potentially dangerous (this reverts and reworks commit 7d8d2a54). Daniel Stenberg (3 Jun 2013) - curl_multi_wait: reduce timeout if the multi handle wants to If the multi handle's pending timeout is less than what is passed into this function, it will now opt to use the shorter time anyway since it is a very good hint that the handle wants to process something in a shorter time than what otherwise would happen. curl_multi_wait.3 was updated accordingly to clarify This is the reason for bug #1224 Bug: http://curl.haxx.se/bug/view.cgi?id=1224 Reported-by: Andrii Moiseiev - multi_runsingle: switch an if() condition for readability ... because there's an identical check right next to it so using the operators in the check in the same order increases readability. Marc Hoersken (2 Jun 2013) - curl_schannel.c: Removed variable unused since 35874298e4 - curl_setup.h: Fixed redefinition warning using mingw-w64 Daniel Stenberg (30 May 2013) - multi_runsingle: add braces to clarify the code - libcurl-tutorial.3: remove incorrect backslash A single backslash in the content is not legal nroff syntax. Reported and fixed by: Eric S. Raymond Bug: http://curl.haxx.se/bug/view.cgi?id=1234 - curl_formadd.3: fixed wrong "end-marker" syntax Reported and fixed by: Eric S. Raymond Bug: http://curl.haxx.se/bug/view.cgi?id=1233 - curl.1: clarify that --silent still outputs data - Digest auth: escape user names with \ or " in them When sending the HTTP Authorization: header for digest, the user name needs to be escaped if it contains a double-quote or backslash. Test 1229 was added to verify Reported and fixed by: Nach M. S Bug: http://curl.haxx.se/bug/view.cgi?id=1230 - [Mike Giancola brought this change] ossl_recv: SSL_read() returning 0 is an error too SSL_read can return 0 for "not successful", according to the open SSL documentation: http://www.openssl.org/docs/ssl/SSL_read.html - [Mike Giancola brought this change] ossl_send: SSL_write() returning 0 is an error too We found that in specific cases if the connection is abruptly closed, the underlying socket is listed in a close_wait state. We continue to call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs report the socket closed / connection finished. Since we have cases where the multi connection is only used once, this can pose a problem for us. I've read that if another connection was to come in, curl would see the socket as bad and attempt to close it at that time - unfortunately, this does not work for us. I found that in specific situations, if SSL_write returns 0, curl did not recognize the socket as closed (or errored out) and did not report it to the application. I believe we need to change the code slightly, to check if ssl_write returns 0. If so, treat it as an error - the same as a negative return code. For OpenSSL - the ssl_write documentation is here: http://www.openssl.org/docs/ssl/SSL_write.html - KNOWN_BUGS: curl -OJC- fails to resume Bug: http://curl.haxx.se/bug/view.cgi?id=1169 - Curl_cookie_add: handle IPv6 hosts 1 - don't skip host names with a colon in them in an attempt to bail out on HTTP headers in the cookie file parser. It was only a shortcut anyway and trying to parse a file with HTTP headers will still be handled, only slightly slower. 2 - don't skip domain names based on number of dots. The original netscape cookie spec had this oddity mentioned and while our code decreased the check to only check for two, the existing cookie spec has no such dot counting required. Bug: http://curl.haxx.se/bug/view.cgi?id=1221 Reported-by: Stefan Neis - curl_easy_setopt.3: expand the PROGRESSFUNCTION section Explain the callback and its arguments better and with more descriptive text. - tests: add test1394 file to the tarball - tarball: include the xmlstream example - [David Strauss brought this change] xmlstream: XML stream parsing example source code Add an XML stream parsing example using Expat. Add missing ignore for the binary from an unrelated example. - [YAMADA Yasuharu brought this change] cookies: only consider full path matches I found a bug which cURL sends cookies to the path not to aim at. For example: - cURL sends a request to http://example.fake/hoge/ - server returns cookie which with path=/hoge; the point is there is NOT the '/' end of path string. - cURL sends a request to http://example.fake/hogege/ with the cookie. The reason for this old "feature" is because that behavior is what is described in the original netscape cookie spec: http://curl.haxx.se/rfc/cookie_spec.html The current cookie spec (RFC6265) clarifies the situation: http://tools.ietf.org/html/rfc6265#section-5.2.4 - [Eric Hu brought this change] axtls: prevent memleaks on SSL handshake failures - Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage" This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab. We don't have any code anywhere in libcurl (or the curl tool) that use wcsdup so there's no such memory use to track. It seems to cause mild problems with the Borland compiler though that we may avoid by reverting this change again. Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html - RELEASE-NOTES: synced with ae26ee3489588f0 Guenter Knauf (11 May 2013) - Updated zlib version in build files. Daniel Stenberg (9 May 2013) - [Renaud Guillard brought this change] OS X framework: fix invalid symbolic link Kamil Dudka (9 May 2013) - [Daniel Stenberg brought this change] nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send Reported by: David Strauss Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html Daniel Stenberg (8 May 2013) - libtest: gitignore more binary files - servercert: allow empty subject Bug: http://curl.haxx.se/bug/view.cgi?id=1220 Patch by: John Gardiner Myers - [Steve Holme brought this change] tests: Added new SMTP tests to verify commit 99b40451836d - runtests.pl: support nonewline="yes" in client/stdin sections - build: fixed unit1394 for debug and metlink builds Kamil Dudka (6 May 2013) - unit1394.c: plug the curl tool unit test in - [Jared Jennings brought this change] unit1394.c: basis of a unit test for parse_cert_parameter() - src/Makefile.am: build static lib for unit tests if enabled - tool_getparam: ensure string termination in parse_cert_parameter() - tool_getparam: fix memleak in handling the -E option - tool_getparam: describe what parse_cert_parameter() does ... and de-duplicate the code initializing *passphrase - curl.1: document escape sequences recognized by -E - [Jared Jennings brought this change] curl -E: allow to escape ':' in cert nickname Marc Hoersken (5 May 2013) - curl_schannel.c: Fixed invalid memory access during SSL shutdown Steve Holme (4 May 2013) - smtp: Fix trailing whitespace warning - smtp: Fix compilation warning comparison between signed and unsigned integer expressions - RELEASE-NOTES: synced with 92ef5f19c801 - smtp: Updated RFC-2821 references to RFC-5321 - smtp: Fixed sending of double CRLF caused by first in EOB If the mail sent during the transfer contains a terminating then we should not send the first of the EOB as specified in RFC-5321. Additionally don't send the if there is "no mail data" as the DATA command already includes it. - tests: Corrected MAIL SIZE for CRLF line endings ... which was missed in commit: f5c3d9538452 - tests: Corrected infilesize for CRLF line endings ... which was missed in commit: f5c3d9538452 - tests: Corrected test1406 to be RFC2821 compliant - tests: Corrected test1320 to be RFC2821 compliant - tests: Corrected typo in test909 Introduced in commit: 514817669e9e - tests: Corrected test909 to be RFC2821 compliant - tests: Updated test references to 909 from 1411 ...and removed references to libcurl and test1406. - tests: Renamed test1411 to test909 as this is a main SMTP test Daniel Stenberg (1 May 2013) - [Lars Johannesen brought this change] bindlocal: move brace out of #ifdef The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two closing braces when it should only have one, so builds without that define would fail. Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html Steve Holme (30 Apr 2013) - smtp: Tidy up to move the eob counter to the per-request structure Move the eob counter from the smtp_conn structure to the SMTP structure as it is associated with a SMTP payload on a per-request basis. - TODO: Updated following the addition of CURLOPT_SASL_IR - smtp: Fixed unknown percentage complete in progress bar The curl command line utility would display the the completed progress bar with a percentage of zero as the progress routines didn't know the size of the transfer. Daniel Stenberg (29 Apr 2013) - ftpserver: silence warnings Fix regressions in commit b56e3d43e5d. Make @data local and filter off non-numerical digits from $testno in STATUS_imap. Steve Holme (29 Apr 2013) - ftpserver.pl: Corrected the imap LOGIN response ...to be more realistic and consistent with the other imap responses. - tests: Added imap STATUS command test - tests: Corrected the SMTP tests to be RFC2821 compliant The emails that are sent to the server during these tests were incorrectly formatted as they contained one or more LF terminated lines rather than being CRLF terminated as per Section 2.3.7 of RFC-2821. This wasn't a problem for the test suite as the data matched the data but anyone using these tests as reference would be sending incorrect data to a server. - email: Tidy up of *_perform_authenticate() Removed the hard returns from imap and pop3 by using the same style for sending the authentication string as smtp. Moved the "Other mechanisms not supported" check in smtp to match that of imap and pop3 to provide consistency between the three email protocols. - smtp: Updated limit check to be more readable like the check in pop3 - pop3: Added 255 octet limit check when sending initial response Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034. - DOCS: Corrected line length of recent Secure Transport changes Nick Zitzmann (27 Apr 2013) - darwinssl: add TLS crypto authentication Users using the Secure Transport (darwinssl) back-end can now use a certificate and private key to authenticate with a site using TLS. Because Apple's security system is based around the keychain and does not have any non-public function to create a SecIdentityRef data structure from data loaded outside of the Keychain, the certificate and private key have to be loaded into the Keychain first (using the certtool command line tool or the Security framework's C API) before we can find it and use it. Steve Holme (27 Apr 2013) - Corrected version numbers after bump Daniel Stenberg (27 Apr 2013) - bump version Since we're adding new stuff, the next release will bump the minor version and we're looking forward to 7.31.0 Steve Holme (27 Apr 2013) - RELEASE-NOTES: synced with f4e6e201b146 - DOCS: Updated following the addition of CURLOPT_SASL_IR Documented the the option in curl_easy_setopt() and added it to symbols-in-versions. - tests: Corrected command line arguments in test907 and test908 - tests: Added SMTP AUTH with initial response tests - tests: Updated SMTP tests to decouple client initial response Updated test903 and test904 following the addition of CURLOPT_SASL_IR as the default behaviour of SMTP AUTH responses is now to not include the initial response. New tests with --sasl-ir support to follow. - imap: Added support for overriding the SASL initial response In addition to checking for the SASL-IR capability the user can override the sending of the client's initial response in the AUTHENTICATION command with the use of CURLOPT_SASL_IR should the server erroneously not report SASL-IR when it does support it. - smtp: Added support for disabling the SASL initial response Updated the default behaviour of sending the client's initial response in the AUTH command to not send it and added support for CURLOPT_SASL_IR to allow the user to specify including the response. Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html Reported-by: Gokhan Sengun