aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES2378
-rw-r--r--CHANGES.02379
2 files changed, 2382 insertions, 2375 deletions
diff --git a/CHANGES b/CHANGES
index bfbe2f8bb..fe0fb8c0b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,2378 +6,10 @@
Changelog
-Kamil Dudka (17 June 2010)
-- Improve test575 in order to not fail with threaded DNS resolver.
+This file no longer holds the changelog. Now you can generate it yourself
+like this:
-Version 7.21.0 (16 June 2010)
-
-Daniel Stenberg (5 June 2010)
-- Constantine Sapuntzakis fixed a case of spurious SSL connection aborts using
- libcurl and OpenSSL. "I tracked it down to uncleared error state on the
- OpenSSL error stack - patch attached deals with that."
-
-Daniel Stenberg (5 June 2010)
-- Frank Meier added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and
- CURLINFO_LOCAL_PORT to curl_easy_getinfo().
-
-Yang Tse (4 June 2010)
-- Enabled OpenLDAP support for cygwin builds. This support was disabled back
- in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
- cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
- allow building an OpenLDAP enabled libcurl supporting back to Windows 95.
-
- Removed the non-functional CURL_LDAP_HYBRID code and references.
-
-Daniel Stenberg (2 June 2010)
-- Jason McDonald posted bug report #3006786 when he found that the SFTP code
- didn't timeout properly in several places in the code even if a timeout was
- set properly.
-
- Based on his suggested patch, I wrote a different implementation that I
- think addressed the issue better and also uses the connect timeout for the
- initial part of the SSH/SFTP done during the "protocol connect" phase.
-
- (http://curl.haxx.se/bug/view.cgi?id=3006786)
-
-Yang Tse (2 June 2010)
-- Added missing new libcurl files to non-configure targets. Adjusted
- libcurl standard internal header inclusions in new files. Fixed an
- SPNEGO related memory leak. Fixed several LDAP related compilation
- issues, and fixed some compiler warnings.
-
-Daniel Stenberg (1 June 2010)
-- Igor Novoseltsev reported a problem with the multi socket API and using
- timeouts and timers. It boiled down to a problem with libcurl's use of
- GetTickCount() interally to figure out the current time, while Igor's own
- application code used another function call.
-
- It made his app call the socket API timeout function a bit _before_ libcurl
- would consider the timeout to trigger, and that could easily lead to
- timeouts or stalls in the app. It seems GetTickCount() in general often has
- no better resolution than 16ms and switching to the alternative function
- QueryPerformanceCounter has its share of problems:
- http://www.virtualdub.org/blog/pivot/entry.php?id=106
-
- We address this problem by simply having libcurl treat timers that already
- has occured or will occur within 40ms subject for treatment. I'm confident
- that there are other implementations and operating systems with similarly in
- accurate timer functions so it makes sense to have applied generically and I
- don't believe we sacrifice much by adding a 40ms inaccuracy on these
- timeouts.
-
-Kamil Dudka (27 May 2010)
-- added a new test for CRL support (test313)
-
-- Tor Arntsen changed the alternative definition of bool to use enum instead
- of unsigned char.
-
-Daniel Stenberg (25 May 2010)
-- Julien Chaffraix fixed the warning seen when compiling lib/rtmp.c: one
- unused variables, several unused arguments and some missing #include.
-
-- Julien Chaffraix fixed 2 OOM errors: a missing NULL-check in
- lib/http_negociate.c and a potential NULL dereferencing in lib/splay.c
-
-- Howard Chu brought a patch that makes the LDAP code much cleaner, nicer and
- in general being a better libcurl citizen. If a new enough OpenLDAP version
- is detect, the new and shiny lib/openldap.c code is then used instead of the
- old cruft.
-
-Daniel Stenberg (21 May 2010)
-- Eric Mertens posted bug #3003705: when we made TFTP use the correct timeout
- option when sent to the server (fixed May 18th 2010) it became obvious that
- libcurl used invalid timeout values (300 by default while the RFC allows
- nothing above 255). While of course it is obvious that as TFTP has worked
- thus far without being able to set timeout at all, just removing the setting
- wouldn't make any difference in behavior. I decided to still keep it (but
- fix the problem) as it now actually allows for easier (future) customization
- of the timeout.
-
- (http://curl.haxx.se/bug/view.cgi?id=3003705)
-
-- Douglas Kilpatrick filed bug report #3004787 and pointed out that the TFTP
- code didn't handle block id wraps correctly. His suggested fix inspired the
- fix I committed.
-
- (http://curl.haxx.se/bug/view.cgi?id=3004787)
-
-Daniel Stenberg (20 May 2010)
-- Tanguy Fautre brought a fix to allow curl to build with Microsoft VC10.
-
-Daniel Stenberg (18 May 2010)
-- Eric Mertens posted bug report #3003005 pointing out that the libcurl TFTP
- code was not sending the timeout option properly to the server, and
- suggested a fix.
-
- (http://curl.haxx.se/bug/view.cgi?id=3003005)
-
-Kamil Dudka (16 May 2010)
-- Pavel Raiskup introduced a new option CURLOPT_FNMATCH_DATA in order to pass
- a custom data pointer to the callback specified by CURLOPT_FNMATCH_FUNCTION.
-
-Daniel Stenberg (14 May 2010)
-- John-Mark Bell filed bug #3000052 that identified a problem (with an
- associated patch) with the OpenSSL handshake state machine when the multi
- interface is used:
-
- Performing an https request using a curl multi handle and using select or
- epoll to wait for events results in a hang. It appears that the cause is the
- fix for bug #2958179, which makes ossl_connect_common unconditionally return
- from the step 2 loop when fetching from a multi handle.
-
- When ossl_connect_step2 has completed, it updates connssl->connecting_state
- to ssl_connect_3. ossl_connect_common will then return to the caller, as a
- multi handle is in use. Eventually, the client code will call
- curl_multi_fdset to obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the connecting_state is
- ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will
- never obtain a valid fdset, and thus not drive the multi handle, resulting
- in a hang.
-
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
-
-- Sebastian V reported bug #3000056 identifying a problem with redirect
- following. It showed that when curl followed redirects it didn't properly
- ignore the response body of the 30X response if that response was using
- compressed Content-Encoding!
-
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
-
-Daniel Stenberg (12 May 2010)
-- Howard Chu brought support for RTMP. This is powered by the underlying
- librtmp library. It supports a range of variations and "sub-protocols"
- within the RTMP family.
-
-- Pavel Raiskup brought support for FTP directory wildcard matching to allow
- selective downloading. To provide that, a set of new options were added:
-
- CURLOPT_WILDCARDMATCH
- CURLOPT_CHUNK_BGN_FUNCTION
- CURLOPT_CHUNK_END_FUNCTION
- CURLOPT_CHUNK_DATA
- CURLOPT_FNMATCH_FUNCTION
-
- There were also a set of new tests added (574 - 577) to verify this.
-
-Kamil Dudka (11 May 2010)
-- CRL support in libcurl-NSS has been completely broken. Now it works. Original
- bug report: https://bugzilla.redhat.com/581926
-
-Daniel Stenberg (7 May 2010)
-- Dirk Manske reported a regression. When connecting with the multi interface,
- there were situations where libcurl wouldn't store connect time correctly as
- it used to (and is documented to) do.
-
- Using his fine sample program we could repeat it, and I wrote up test case
- 573 using that code. The problem does not easily show itself using the local
- test suite though.
-
- The fix, also as suggested by Dirk, is a bit on the ugly side as it adds yet
- another call to Curl_verboseconnect() and setting the TIMER_CONNECT time.
- That situation is subject for some closer inspection in the future.
-
-- Howard Chu split the I/O handling functions into private handlers.
-
- Howard Chu brought the bulk work of this patch that properly moves out the
- sending and recving of data to the parts of the code that are properly
- responsible for the various ways of doing so.
-
- Daniel Stenberg assisted with polishing a few bits and fixed some minor
- flaws in the original patch.
-
- Another upside of this patch is that we now abuse CURLcodes less with the
- "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
-
-Daniel Stenberg (5 May 2010)
-- Hoi-Ho Chan introduced support for using the PolarSSL library. You control
- this with the new configure option --with-polarssl.
-
-Daniel Stenberg (29 Apr 2010)
-- Ben Greear made telnet a lot better/easier to use by an application:
-
- The main change is to allow input from user-specified methods, when they are
- specified with CURLOPT_READFUNCTION. All calls to fflush(stdout) in
- telnet.c were removed, which makes using 'curl telnet://foo.com' painful
- since prompts and other data are not always returned to the user promptly.
- Use 'curl --no-buffer telnet://foo.com' instead. In general, the user
- should have their CURLOPT_WRITEFUNCTION do a fflush for interactive use.
-
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
-
- Call progress functions in telnet main loop.
-
-Daniel Stenberg (26 Apr 2010)
-- Make use of the libssh2_init/exit functions that libssh2 added in version
- 1.2.5. Using them will improve how libcurl works in threaded situations when
- SCP and SFTP are transfered.
-
-Daniel Stenberg (25 Apr 2010)
-- Based on work by Kamil Dudka, I've introduced the new configure option
- --enable-threaded-resolver. When used, the configure script will check for
- pthreads and if around, it will build libcurl to use pthreads to do name
- resolving in a threaded manner. Note that this is just a fix to offer an
- option that can enable the code that already included. The threader resolver
- code was mostly added on Jan 26 2010.
-
-Daniel Stenberg (24 Apr 2010)
-- Alex Bligh introduced the --proto and -proto-redir options that limit what
- protocols curl accepts for the requests and when following redirects.
-
-Kamil Dudka (24 Apr 2010)
-- Fixed test536 in order to not fail with threaded DNS resolver and tweaked
- comments in certain examples using curl_multi_fdset().
-
-- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
- to hang on a slow machine.
-
-Daniel Stenberg (21 Apr 2010)
-- The -O option caused curl to crash on windows and DOS due to the tool
- writing out of boundary memory.
-
-Yang Tse (20 Apr 2010)
-- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead
- of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds
- that were done using those makefiles.
-
-Daniel Stenberg (19 Apr 2010)
-- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds
- properly, so they could be used in the file name.
-
-Daniel Stenberg (16 Apr 2010)
-- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking.
-
-- The recent overhaul of the SSL recv function made the GnuTLS specific code
- treat a zero returned from gnutls_record_recv() as an error, and this caused
- our HTTPS test cases to fail. We leave it to upper layer code to detect if
- an EOF is a problem or not.
-
-- I reverted the resolver fix from yesterday and instead removed all uses of
- AI_CANONNAME all over libcurl and made the only user of that info (krb5.c)
- use the host name from the URL instead. No reverse resolving is a good
- thing.
-
-- Paul Howarth made configure properly detect GSS "on ancient Linux distros"
- by editing in which order we use headers to detect GSS.
-
-Daniel Stenberg (15 Apr 2010)
-- Rainer Canavan filed bug report #2987196 that identified libcurl doing
- unnecesary reverse name lookups in many cases when built to use IPv4 and
- getaddrinfo(). The logic for ipv6 is now used for ipv4 too.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-Version 7.20.1 (14 April 2010)
-
-Daniel Stenberg (9 Apr 2010)
-- Prefixing the FTP quote commands with an asterisk really only worked for the
- postquote actions. This is now fixed and test case 227 has been extended to
- verify.
-
-Kamil Dudka (4 Apr 2010)
-- Eliminated a race condition in Curl_resolv_timeout().
-
-- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send().
-
-- libcurl-NSS now provides more accurate messages and error codes in case of
- client certificate problem. Either during connection, or transfer phase.
-
-Daniel Stenberg (1 Apr 2010)
-- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code
- treated a 0 return code from libssh2 to be the same as EAGAIN while in
- reality it isn't. The problem caused a hang in SFTP transfers from a
- MessageWay server.
-
-Daniel Stenberg (28 Mar 2010)
-- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it would previously ask for 'INBOX' which just causes the
- pop3 server to return an error.
-
- Now libcurl treats en empty message ID as a request for LIST (list of pop3
- message IDs). User's code could then parse this and download individual
- messages as desired.
-
-Daniel Stenberg (27 Mar 2010)
-- Ben Greear brought a patch that from now on allows all protocols to specify
- name and user within the URL, in the same manner HTTP and FTP have been
- allowed to in the past - although far from all of the libcurl supported
- protocls actually have that feature in their URL definition spec.
-
-Daniel Stenberg (26 Mar 2010)
-- Ben Greear brought code that makes the rate limiting code for the easy
- interface a bit smoother as it introduces sub-second sleeps during it and it
- also takes the buffer sizes into account.
-
-Daniel Stenberg (24 Mar 2010)
-- Bob Richmond: There's an annoying situation where libcurl will read new HTTP
- response data from a socket, then check if it's a timeout if one is set. If
- the last packet received constitutes the end of the response body, libcurl
- still treats it as a timeout condition and reports a message like:
-
- "Operation timed out after 3000 milliseconds with 876 out of 876 bytes
- received"
-
- It should only a timeout if the timer lapsed and we DIDN'T receive the end
- of the response body yet.
-
-- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported
- to us by Massimo Callegari. There's a new test case 572 that verifies this
- now.
-
-- The 'ares' subtree has been removed from the source repository. It was
- always a separate project that sort of piggybacked on the curl project since
- the dawn of times and now the time has come for it to go stand on its own
- legs and continue living its own life. All details on c-ares and its new
- source code repository is found at http://c-ares.haxx.se/
-
-Daniel Stenberg (23 Mar 2010)
-- Kenny To filed the bug report #2963679 with patch to fix a problem he
- experienced with doing multi interface HTTP POST over a proxy using
- PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect
- was not set correct so libcurl didn't work properly.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem
- with a resource that returns chunked-encoded _and_ with a Content-Length
- and libcurl failed to properly ignore the latter information.
-
-- Hauke Duden provided an example program that made the multi interface crash.
- His example simply used the multi interface and did first one FTP transfer
- and after completion it used a second easy handle and did another FTP
- transfer on the same FTP server.
-
- This triggered a bug in the "delayed easy handle kill" system that curl
- uses: when an FTP connection is left alive it must keep an easy handle
- around internally - only for the purpose of having an easy handle when it
- later disconnects it. The code assumed that when the easy handle was removed
- and an internal reference was made, that version could be killed later on
- when a new easy handle came using the same connection. This was wrong as
- Hauke's example showed that the removed handle wasn't killed for real until
- later. This caused a double close attempt => segfault.
-
-Daniel Stenberg (22 Mar 2010)
-- Thomas Lopatic fixed the alarm()-based DNS timeout:
-
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in
- case of a timeout, the signal handler for SIGALRM never gets removed. I
- think that in my case it gets executed at some point later on when execution
- has long left Curl_resolv_timeout() or even the cURL library.
-
- The code that is jumped to with siglongjmp() simply sets the error message
- to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess
- that instead of simply returning without cleaning up, the code should have a
- goto that jumps to the spot right after the call to Curl_resolv().
-
-Kamil Dudka (22 Mar 2010)
-- Douglas Steinwand contributed a patch fixing insufficient initialization in
- Curl_clone_ssl_config()
-
-Daniel Stenberg (21 Mar 2010)
-- Ben Greear improved TFTP: the error code returning and the treatment
- of TSIZE == 0 when uploading.
-
-- We've switched from CVS to git. See http://curl.haxx.se/source.html
-
-Kamil Dudka (19 Mar 2010)
-- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
-
-Daniel Stenberg (15 Mar 2010)
-- Constantine Sapuntzakis brought a patch:
-
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
-
-Daniel Stenberg (6 Mar 2010)
-- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
-
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building curl with the clang compiler.
-
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
-
-Daniel Stenberg (2 Mar 2010)
-- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
-
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
-
-- Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
-
-- Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
-
- http://curl.haxx.se/bug/view.cgi?id=2956698
-
-- Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2961796
-
-- Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
-
- http://curl.haxx.se/bug/view.cgi?id=2956437
-
-Daniel Stenberg (1 Mar 2010)
-- Ben Greear provided an update for TFTP that fixes upload.
-
-- Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2958179
-
-Daniel Stenberg (26 Feb 2010)
-- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
-
- http://curl.haxx.se/bug/view.cgi?id=2958474
-
-Daniel Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
-
-Yang Tse (25 Feb 2010)
-- I fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
-
-Patrick Monnerat (22 Feb 2010)
-- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
-- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
-- Use of true local host name (i.e.: via gethostname()) when available, as
- default argument to SMTP HELO/EHLO.
-- Test case 804 for HELO fallback.
-
-Daniel Stenberg (20 Feb 2010)
-- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
-
-- I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
-
-Yang Tse (14 Feb 2010)
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
-
-Daniel Stenberg (13 Feb 2010)
-- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
-
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
-
-- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
-
- (http://curl.haxx.se/bug/view.cgi?id=2951269)
-
-Daniel Stenberg (12 Feb 2010)
-- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
-
-- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
-
-Yang Tse (11 Feb 2010)
-- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
- removed obsolete batch_compile.com and defines.com and updated VMS readme.
-
-Version 7.20.0 (9 February 2010)
-
-Daniel Stenberg (9 Feb 2010)
-- When downloading compressed content over HTTP and the app asked libcurl to
- automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
- wrongly provide the callback with more data than the maximum documented
- amount. An application could thus get tricked into badness if the maximum
- limit was trusted to be enforced by libcurl itself (as it is documented).
-
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
-
- http://curl.haxx.se/docs/adv_20100209.html
-
-Daniel Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
-
-Yang Tse (2 Feb 2010)
-- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
-
-Daniel Stenberg (1 Feb 2010)
-- Using the multi_socket API, it turns out at times it seemed to "forget"
- connections (which caused a hang). It turned out to be an existing (7.19.7)
- bug in libcurl (that's been around for a long time) and it happened like
- this:
-
- The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
- then set it to timeout in 1 millisecond so libcurl will tell the app about
- it.
-
- The app's timeout fires off that there's a timeout, the app calls libcurl as
- we so often document it:
-
- do {
- res = curl_multi_socket_action(... TIMEOUT ...);
- } while(CURLM_CALL_MULTI_PERFORM == res);
-
- And this is the problem number one:
-
- When curl_multi_socket_action() is called with no specific handle, but only
- a timeout-action, it will *only* perform actions within libcurl that are
- marked to run at this time. In this case, the request would go from INIT to
- CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
- again, there's no timer set for this handle so it remains in the CONNECT
- state. The CONNECT state is a transitional state in libcurl so it reports no
- sockets there, and thus libcurl never tells the app anything more about that
- easy handle/connection.
-
- libcurl _does_ set a 1ms timeout for the handle at the end of
- multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
- is instant the new job is not ready to run at that point (and there's no
- code that makes libcurl call the app to update the timout for this new
- timeout). It will simply rely on that some other timeout will trigger later
- on or that something else will update the timeout callback. This makes the
- bug fairly hard to repeat.
-
- The fix made to adress this issue:
-
- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
-
- The downside of this fix, is that the counter we return in 'running_handles'
- in several of our public functions then gets a slightly new and possibly
- confusing behavior during times:
-
- If an app adds a handle that fails to connect (very quickly) it may just
- as well never appear as a 'running_handle' with this fix. Previously it
- would first bump the counter only to get it decreased again at next call.
- Even I have used that change in handle counter to signal "end of a
- transfer". The only *good* way to find the end of a individual transfer
- is calling curl_multi_info_read() to see if it returns one.
-
- Of course, if the app previously did the looping before it checked the
- counter, it really shouldn't be any new effect.
-
-Yang Tse (26 Jan 2010)
-- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
- relative to the asynchronous DNS lookups, along with with some integration
- adjustments I have done are finally committed to CVS.
-
- Currently these enhancements will benefit builds done using c-ares on any
- platform as well as Windows builds using the default threaded resolver.
-
- This release does not make generally available POSIX threaded DNS lookups
- yet. There is no configure option to enable this feature yet. It is possible
- to experimantally try this feature running configure with compiler flags that
- make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
- HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
- are required to link and properly use pthread_* functions on each platform.
-
-Daniel Stenberg (26 Jan 2010)
-- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
-
-Björn Stenberg (23 Jan 2010)
-- Added a new flag: -J/--remote-header-name. This option tells the
- -O/--remote-name option to use the server-specified Content-Disposition
- filename instead of extracting a filename from the URL.
-
-Daniel Stenberg (21 Jan 2010)
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data.
-
-Daniel Stenberg (20 Jan 2010)
-- As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
-
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
-
-Daniel Stenberg (19 Jan 2010)
-- David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
-
-Kamil Dudka (14 Jan 2010)
-- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
-
-Daniel Stenberg (12 Jan 2010)
-- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
- transfers: curl_multi_fdset() would return -1 and not set and file
- descriptors several times during a transfer of a single file. It turned out
- to be due to two different flaws now fixed. Gil's excellent recipe helped me
- nail this.
-
-Daniel Stenberg (11 Jan 2010)
-- Made sure that the progress callback is repeatedly called at a regular
- interval even during very slow connects.
-
-- The tests/runtests.pl script now checks to see if the test case that runs is
- present in the tests/data/Makefile.am and outputs a notice message on the
- screen if not. Each test file has to be included in that Makefile.am to get
- included in release archives and forgetting to add files there is a common
- mistake. This is an attempt to make it harder to forget.
-
-Daniel Stenberg (9 Jan 2010)
-- Johan van Selst found and fixed a OpenSSL session ref count leak:
-
- ossl_connect_step3() increments an SSL session handle reference counter on
- each call. When sessions are re-used this reference counter may be
- incremented many times, but it will be decremented only once when done (by
- Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
- if this reference count remains positive. When a session is re-used the
- reference counter should be corrected by explicitly calling
- SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
- introducing a memory leak.
-
- (http://curl.haxx.se/bug/view.cgi?id=2926284)
-
-Daniel Stenberg (7 Jan 2010)
-- Make sure the progress callback is called repeatedly even during very slow
- name resolves when c-ares is used for resolving.
-
-Claes Jakobsson (6 Jan 2010)
-- Julien Chaffraix fixed so that the fragment part in an URL is not sent
- to the server anymore.
-
-Kamil Dudka (3 Jan 2010)
-- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
-
-Daniel Stenberg (2 Jan 2010)
-- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
- versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
- control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
- option names are still working but the new ones are the ones listed and
- documented.
-
-Daniel Stenberg (1 Jan 2010)
-- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
- command is a special "hack" used by the drftpd server, but even though it is
- a custom extension I've deemed it fine to add to libcurl since this server
- seems to survive and people keep using it and want libcurl to support
- it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
- usable from the curl tool with --ftp-pret. Using this option on a server
- that doesn't support this command will make libcurl fail.
-
- I added test cases 1107 and 1108 to verify the functionality.
-
- The PRET command is documented at
- http://www.drftpd.org/index.php/Distributed_PASV
-
-Yang Tse (30 Dec 2009)
-- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
- with the patch and testing.
-
-Daniel Stenberg (26 Dec 2009)
-- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
- headers work correctly even on FreeBSD systems before v8.
-
- (http://curl.haxx.se/bug/view.cgi?id=2916915)
-
-Daniel Stenberg (17 Dec 2009)
-- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
- available.
-
-- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
- was a bit too quick and broke test case 1101 with that change. The order of
- some of the setups is sensitive. I now changed it slightly again to make
- sure we do them in this order:
-
- 1 - parse URL and figure out what protocol is used in the URL
- 2 - prepend protocol:// to URL if missing
- 3 - parse name+password off URL, which needs to know what protocol is used
- (since only some allows for name+password in the URL)
- 4 - figure out if a proxy should be used set by an option
- 5 - if no proxy option, check proxy environment variables
- 6 - run the protocol-specific setup function, which needs to have the proxy
- already set
-
-Daniel Stenberg (15 Dec 2009)
-- Jon Nelson found a regression that turned out to be a flaw in how libcurl
- detects and uses proxies based on the environment variables. If the proxy
- was given as an explicit option it worked, but due to the setup order
- mistake proxies would not be used fine for a few protocols when picked up
- from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
- test case 1106 that verifies this functionality.
-
- (http://curl.haxx.se/bug/view.cgi?id=2913886)
-
-Daniel Stenberg (12 Dec 2009)
-- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
- and SMTPS) are now supported. The current state may not yet be solid, but
- the foundation is in place and the test suite has some initial support for
- these protocols. Work will now persue to make them nice libcurl citizens
- until release.
-
- The work with supporting these new protocols was sponsored by
- networking4all.com - thanks!
-
-Daniel Stenberg (10 Dec 2009)
-- Siegfried Gyuricsko found out that the curl manual said --retry would retry
- on FTP errors in the transient 5xx range. Transient FTP errors are in the
- 4xx range. The code itself only tried on 5xx errors that occured _at login_.
- Now the retry code retries on all FTP transfer failures that ended with a
- 4xx response.
-
- (http://curl.haxx.se/bug/view.cgi?id=2911279)
-
-- Constantine Sapuntzakis figured out a case which would lead to libcurl
- accessing alredy freed memory and thus crash when using HTTPS (with
- OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
- of cleaning things up. I fixed it.
-
- (http://curl.haxx.se/bug/view.cgi?id=2905220)
-
-Daniel Stenberg (7 Dec 2009)
-- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
- with unknown size. Previously it was only used for posts with a known size
- larger than 1024 bytes.
-
-Daniel Stenberg (1 Dec 2009)
-- If the Expect: 100-continue header has been set by the application through
- curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
- data->state.expect100header accordingly - the current code (in 7.19.7 at
- least) doesn't handle this properly. Martin Storsjo provided the fix!
-
-Yang Tse (28 Nov 2009)
-- Added Diffie-Hellman parameters to several test harness certificate files in
- PEM format. Required by several stunnel versions used by our test harness.
-
-Daniel Stenberg (28 Nov 2009)
-- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
- rework patch that now integrates TFTP properly into libcurl so that it can
- be used non-blocking with the multi interface and more. BLKSIZE also works.
-
- The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
- the command line.
-
-Daniel Stenberg (26 Nov 2009)
-- Extended and fixed the change I did on Dec 11 for the the progress
- meter/callback during FTP command/response sequences. It turned out it was
- really lame before and now the progress meter SHOULD get called at least
- once per second.
-
-Daniel Stenberg (23 Nov 2009)
-- Bjorn Augustsson reported a bug which made curl not report any problems even
- though it failed to write a very small download to disk (done in a single
- fwrite call). It turned out to be because fwrite() returned success, but
- there was insufficient error-checking for the fclose() call which tricked
- curl to believe things were fine.
-
-Yang Tse (23 Nov 2009)
-- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
- finer granularity control when generating src and lib makefiles.
-
-Yang Tse (22 Nov 2009)
-- I modified configure to force removal of the curlbuild.h file included in
- distribution tarballs for use by non-configure systems. As intended, this
- would get overwriten when doing in-tree builds. But VPATH builds would end
- having two curlbuild.h files, one in the source tree and another in the
- build tree. With the modification I introduced 5 Nov 2009 this could become
- an issue when running libcurl's test suite.
-
-Daniel Stenberg (20 Nov 2009)
-- Constantine Sapuntzakis identified a write after close, as the sockets were
- closed by libcurl before the SSL lib were shutdown and they may write to its
- socket. Detected to at least happen with OpenSSL builds.
-
-- Jad Chamcham pointed out a bug with connection re-use. If a connection had
- CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
- same proxy with the tunnel option disabled would still wrongly re-use that
- previous connection and the outcome would only be badness.
-
-Yang Tse (18 Nov 2009)
-- I modified the memory tracking system to make it intolerant with zero sized
- malloc(), calloc() and realloc() function calls.
-
-Daniel Stenberg (17 Nov 2009)
-- Constantine Sapuntzakis provided another fix for the DNS cache that could
- end up with entries that wouldn't time-out:
-
- 1. Set up a first web server that redirects (307) to a http://server:port
- that's down
- 2. Have curl connect to the first web server using curl multi
-
- After the curl_easy_cleanup call, there will be curl dns entries hanging
- around with in_use != 0.
-
- (http://curl.haxx.se/bug/view.cgi?id=2891591)
-
-- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
- its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
- bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
- PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
-
-Kamil Dudka (15 Nov 2009)
-- David Byron improved the configure script to use pkg-config to find OpenSSL
- (and in particular the list of required libraries) even if a path is given
- as argument to --with-ssl
-
-Yang Tse (15 Nov 2009)
-- I removed enable-thread / disable-thread configure option. These were only
- placebo options. The library is always built as thread safe as possible on
- every system.
-
-Claes Jakobsson (14 Nov 2009)
-- curl-config now accepts '--configure' to see what arguments was
- passed to the configure script when building curl.
-
-Daniel Stenberg (14 Nov 2009)
-- Claes Jakobsson restored the configure functionality to detect NSS when
- --with-nss is set but not "yes".
-
- I think we can still improve that to check for pkg-config in that path etc,
- but at least this patch brings back the same functionality we had before.
-
-- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
- the client certificate. It also disable the key name test as some engines
- can select a private key/cert automatically (When there is only one key
- and/or certificate on the hardware device used by the engine)
-
-Yang Tse (14 Nov 2009)
-- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
- won't be reused unless protection level for peer and host verification match.
-
- I refactored how preprocessor symbol _THREAD_SAFE definition is done.
-
-Kamil Dudka (12 Nov 2009)
-- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
- closed NSPR descriptor. The issue was hard to find, reported several times
- before and always closed unresolved. More info at the RH bug:
- https://bugzilla.redhat.com/534176
-
-- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
- a broken TLS server. However it does not happen if SSL version is selected
- manually. The approach was originally taken from PSM. Kaspar Brand helped me
- to complete the patch. Original bug reports:
- https://bugzilla.redhat.com/525496
- https://bugzilla.redhat.com/527771
-
-Yang Tse (12 Nov 2009)
-- I modified configure script to make the getaddrinfo function check also
- verify if the function is thread safe.
-
-Yang Tse (11 Nov 2009)
-- Marco Maggi reported that compilation failed when configured --with-gssapi
- and GNU GSS installed due to a missing mutual exclusion of header files in
- the Kerberos 5 code path. He also verified that my patch worked for him.
-
-Daniel Stenberg (11 Nov 2009)
-- Constantine Sapuntzakis posted bug #2891595
- (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
- in the DNS cache would linger too long if the request that added it was in
- use that long. He also provided the patch that now makes libcurl capable of
- still doing a request while the DNS hash entry may get timed out.
-
-- Christian Schmitz noticed that the progress meter/callback was not properly
- used during the FTP connection phase (after the actual TCP connect), while
- it of course should be. I also made the speed check get called correctly so
- that really slow servers will trigger that properly too.
-
-Kamil Dudka (5 Nov 2009)
-- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
- in non-blocking mode.
-
-Yang Tse (5 Nov 2009)
-- I removed leading 'curl' path on the 'curlbuild.h' include statement in
- curl.h, adjusting auto-makefiles include path, to enhance portability to
- OS's without an orthogonal directory tree structure such as OS/400.
-
-Daniel Stenberg (4 Nov 2009)
-- I fixed several problems with the transfer progress meter. It showed the
- wrong percentage for small files, most notable for <1000 bytes and could
- easily end up showing more than 100% at the end. It also didn't show any
- percentage, transfer size or estimated transfer times when transferring
- less than 100 bytes.
-
-Version 7.19.7 (4 November 2009)
-
-Daniel Stenberg (2 Nov 2009)
-- As reported independent by both Stan van de Burgt and Didier Brisebourg,
- CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when
- getting data from ldap!
-
-Daniel Stenberg (31 Oct 2009)
-- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the
- download was 0 bytes, as libcurl would then return the size as unknown (-1)
- and not 0. I wrote a fix and test case 566 to verify it.
-
-Daniel Stenberg (30 Oct 2009)
-- Liza Alenchery mentioned a problem with re-used SCP connection when a bad
- auth is used, as it caused a crash. I failed to repeat the issue, but still
- made a change that now forces the TCP connection used for a freed SCP
- session to get closed and not be re-used.
-
-- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a
- POST using a read callback, with Digest authentication and
- "Transfer-Encoding: chunked" enforced. I would then cause the first request
- to be wrongly sent and then basically hang until the server closed the
- connection. I fixed the problem and added test case 565 to verify it.
-
-Daniel Stenberg (25 Oct 2009)
-- Dima Barsky made the curl cookie parser accept cookies even with blank or
- unparsable expiry dates and then treat them as session cookies - previously
- libcurl would reject cookies with a date format it couldn't parse. Research
- shows that the major browser treat such cookies as session cookies. I
- modified test 8 and 31 to verify this.
-
-Daniel Stenberg (21 Oct 2009)
-- Attempt to use pkg-config for finding out libssh2 installation details
- during configure.
-
-- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177)
- by Johan van Selst introduced the --crlfile option to curl, which makes curl
- tell libcurl about a file with CRL (certificate revocation list) data to
- read.
-
-Daniel Stenberg (18 Oct 2009)
-- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461)
- that now makes curl_getdate(3) actually handles RFC 822 formatted dates that
- use the "single letter military timezones".
- http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details.
-
-- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
- data!
-
-- John Dennis filed bug report #2873666
- (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
- which made libcurl loop infinitely when given incorrect credentials when
- using HTTP GSS negotiate authentication. He also provided a small and simple
- patch for it.
-
-- Kevin Baughman found a double close() problem with libcurl-NSS, as when
- libcurl called NSS to close the SSL "session" it also closed the actual
- socket.
-
-Yang Tse (17 Oct 2009)
-- Bug report #2866724 indicated
- (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed
- when writing files whose file names originally contained characters which
- are not valid for file names on Windows. Dan Fandrich provided an initial
- patch and another revised one to fix this issue.
-
-Daniel Stenberg (1 Oct 2009)
-- Tom Mueller correctly reported in bug report #2870221
- (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an
- incorrect return code from the internal trynextip() function which caused
- him grief. This is a regression that was introduced in 7.19.1 and I find it
- strange it hasn't hit us harder, but I won't persue into figuring out
- exactly why.
-
-- Constantine Sapuntzakis: The current implementation will always set
- SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The
- patch doesn't do a setsockopt if SO_SNDBUF is already greater than
- CURL_WRITE_SIZE. This should help folks who have set up their computer with
- large send buffers.
-
-Daniel Stenberg (27 Sep 2009)
-- I introduced a maximum limit for received HTTP headers. It is controlled by
- the define CURL_MAX_HTTP_HEADER which is even exposed in the public header
- file to allow for users to fairly easy rebuild libcurl with a modified
- limit. The rationale for a fixed limit is that libcurl is realloc()ing a
- buffer to be able to put a full header into it, so that it can call the
- header callback with the entire header, but that also risk getting it into
- trouble if a server by mistake or willingly sends a header that is more or
- less without an end. The limit is set to 100K.
-
-Daniel Stenberg (26 Sep 2009)
-- John P. McCaskey posted a bug report that showed how libcurl did wrong when
- saving received cookies with no given path, if the path in the request had a
- query part. That is means a question mark (?) and characters on the right
- side of that. I wrote test case 1105 and fixed this problem.
-
-Kamil Dudka (26 Sep 2009)
-- Implemented a protocol independent way to specify blocking direction, used by
- transfer.c for blocking. It is currently used only by SCP and SFTP protocols.
- This enhancement resolves an issue with 100% CPU usage during SFTP upload,
- reported by Vourhey.
-
-Daniel Stenberg (25 Sep 2009)
-- Chris Mumford filed bug report #2861587
- (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
- the OpenSSL function X509_load_crl_file() wrongly and failed if it would
- load a CRL file with more than one certificate within. This is now fixed.
-
-Daniel Stenberg (16 Sep 2009)
-- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
- field in the certficate it had to match and so even if non-DNS and non-IP
- entry was present it caused the verification to fail.
-
-Daniel Fandrich (15 Sep 2009)
-- Moved the libssh2 checks after the SSL library checks. This helps when
- statically linking since libssh2 needs the SSL library link flags to be
- set up already to satisfy its dependencies. This wouldn't be necessary if
- the libssh2 configure check was changed to use pkg-config since the
- --static flag would add the dependencies automatically.
-
-Yang Tse (14 Sep 2009)
-- Revert Joshua Kwan's patch committed 11 Sep 2009.
-
- Some systems poll function sets POLLHUP in revents without setting
- POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some
- libcurl code execution paths this could trigger busy wait loops with
- high CPU usage until a timeout condition aborted the loop.
-
- The reverted patch addressed the above issue for a very specific case,
- when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now
- superceeds this one.
-
-Guenter Knauf (11 Sep 2009)
-- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares.
- This fixes a loop problem with high CPU usage.
-
-Daniel Stenberg (10 Sep 2009)
-- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch
- start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0
- which internally then is treated as a session cookie. That particular date
- is now made to get the value of 1.
-
-Daniel Stenberg (2 Sep 2009)
-- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl
- errors.
-
-Daniel Stenberg (1 Sep 2009)
-- Peter Sylvester made a debug feature for Curl_resolv() that now will force
- libcurl to resolve 'localhost' whatever name you use in the URL *if* you set
- the --interface option to (exactly) "LocalHost". This will enable us to
- write tests for custom hosts names but still use a local host server.
-
-- configure now tries to use pkg-config for a number of sub-dependencies even
- when cross-compiling. The key to success is then you properly setup
- PKG_CONFIG_PATH before invoking configure.
-
- I also improved how NSS is detected by trying nss-config if pkg-config isn't
- present, and as a last resort just use the lib name and force the user to
- setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would
- add a range of various libs that would almost never be quite correct.
-
-Daniel Stenberg (31 Aug 2009)
-- When using the multi interface with FTP and you asked for NOBODY, you did no
- QUOTE commands and the request used the same path as the connection had
- already changed to, it would decide that no commands would be necessary for
- the "DO" action and that was not handled properly but libcurl would instead
- hang.
-
-Kamil Dudka (28 Aug 2009)
-- Improved error message for not matching certificate subject name in
- libcurl-NSS. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
-
-Patrick Monnerat (24 Aug 2009)
-- Introduced a SYST-based test to properly set-up name format when dealing
- with the OS/400 FTP server.
-
-- Fixed an ftp_readresp() bug preventing detection of failing control socket
- and causing FTP client to loop forever.
-
-Daniel Stenberg (24 Aug 2009)
-- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work
- properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
-
-- Eric Wong introduced support for the new option -T. (dot) that makes curl
- read stdin in a non-blocking fashion. This also brings back -T- (minus) to
- the previous blocking behavior since it could break stuff for people at
- times.
-
-Michal Marek (21 Aug 2009)
-- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like
- ftp://example.com;type=i if the user specified ftp://example.com without the
- slash.
-
-Daniel Stenberg (21 Aug 2009)
-- Andre Guibert de Bruet pointed out a missing return code check for a
- strdup() that could lead to segfault if it returned NULL. I extended his
- suggest patch to now have Curl_retry_request() return a regular return code
- and better check that.
-
-- Lots of good work by Krister Johansen, mostly related to pipelining:
-
- Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks
- Fix data corruption issue with re-connected transfers
- Fix use after free if we're completed but easy_conn not NULL
-
-Kamil Dudka (13 Aug 2009)
-- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
- verbose error messages. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056
-
-Daniel Stenberg (12 Aug 2009)
-- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
- nonblock.c so that they work fine again
-
-- I expanded test 517 with a bunch of more dates that originate from the
- Chrome browser test suite. It turns out most of them get parsed the same
- way.
-
-Version 7.19.6 (12 August 2009)
-
-Daniel Stenberg (12 Aug 2009)
-- Carsten Lange reported a bug and provided a patch for TFTP upload and the
- sending of the TSIZE option. I don't like fixing bugs just hours before
- a release, but since it was broken and the patch fixes this for him I decided
- to get it in anyway.
-
-Daniel Stenberg (11 Aug 2009)
-- Peter Sylvester made the HTTPS test server use specific certificates for
- each test, so that the test suite can now be used to actually test the
- verification of cert names etc. This made an error show up in the OpenSSL-
- specific code where it would attempt to match the CN field even if a
- subjectAltName exists that doesn't match. This is now fixed and verified
- in test 311.
-
-- Benbuck Nason posted the bug report #2835196
- (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
- warnings when mixing ints and bools.
-
-Daniel Fandrich (10 Aug 2009)
-- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
-
-Daniel Fandrich (9 Aug 2009)
-- Fixed some memory leaks in the command-line tool that caused most of the
- torture tests to fail.
-
-Daniel Stenberg (2 Aug 2009)
-- Curt Bogmine reported a problem with SNI enabled on a particular server. We
- should introduce an option to disable SNI, but as we're in feature freeze
- now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
- shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
- Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
- option for SNI, or are we simply not using it?
-
-Daniel Stenberg (1 Aug 2009)
-- Scott Cantor posted the bug report #2829955
- (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
- verification flaw found and exploited by Moxie Marlinspike. The presentation
- he did at Black Hat is available here:
- https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-
- Apparently at least one CA allowed a subjectAltName or CN that contain a
- zero byte, and thus clients that assumed they would never have zero bytes
- were exploited to OK a certificate that didn't actually match the site. Like
- if the name in the cert was "example.com\0theatualsite.com", libcurl would
- happily verify that cert for example.com.
-
- libcurl now better uses the length of the extracted name, not using the zero
- termination for getting the string length.
-
- This fixing only made and needed in OpenSSL interfacing code.
-
-- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
- only in some OpenSSL installs - like on Windows) isn't thread-safe and we
- agreed that moving it to the global_init() function is a decent way to deal
- with this situation.
-
-- Alexander Beedie provided the patch for a noproxy problem: If I have set
- CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
- could still end up using a proxy if a proxy environment variable was set.
-
-Daniel Stenberg (27 Jul 2009)
-- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
- CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
- send when using FTP, as a sign that libcurl shall simply ignore the response
- from the server instead of treating it as an error. Not treating a 400+ FTP
- response code as an error means that failed commands will not abort the
- chain of commands, nor will they cause the connection to get disconnected.
-
-Daniel Stenberg (26 Jul 2009)
-- Johan van Selst posted bug report #2825989
- (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
- OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
- provided the solution too: to use OpenSSL_add_all_algorithms() in addition
- to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
- OpenSSL 0.9.5
-
-Daniel Stenberg (23 Jul 2009)
-- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
- They introduce known_host support for SSH keys to libcurl. See docs for
- details. Note that this feature depends on a new enough libssh2 version, to
- be supported in libssh2 1.2 and later (or current git repo at this time).
-
-Michal Marek (22 Jul 2009)
-- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
- (https://bugzilla.novell.com/523919). When looking at the code, I found that
- also the ptr pointer can leak.
-
-Kamil Dudka (20 Jul 2009)
-- Claes Jakobsson improved the support for client certificates handling in
- NSS-powered libcurl. Now the client certificates can be selected
- automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
- slots is no more performed. It used to cause problems with HW tokens.
-
-- Fixed reference counting for NSS client certificates. Now the PEM reader
- module should be always properly unloaded on Curl_nss_cleanup(). If the
- unload fails though, libcurl will try to reuse the already loaded instance.
-
-Daniel Fandrich (15 Jul 2009)
-- Added nonblock.c to the non-automake makefiles (note that the dependencies
- in the Watcom makefiles aren't quite correct).
-
-Michal Marek (15 Jul 2009)
-- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
- errno is not reset on success.
-
-Guenter Knauf (14 Jul 2009)
-- renamed generated config.h to curl_config.h to avoid any future clashes
- with config.h from other projects.
-
-Daniel Stenberg (9 Jul 2009)
-- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
- setting a file descriptor non-blocking. Used by the functionality Eric
- himself brough on June 15th.
-
-Daniel Stenberg (8 Jul 2009)
-- Constantine Sapuntzakis posted bug report #2813123
- (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
- problem:
-
- Url A is accessed using auth. Url A redirects to Url B (on a different
- server0. Url B reuses a persistent connection. Url B has auth, even though
- it's on a different server.
-
- Note: if Url B does not reuse a persistent connection, auth is not sent.
-
- reason:
-
- data->state.first_host is not initialized becuase Curl_http_connect is not
- called when a connection is reused.
-
- Solution:
-
- move initialization of data->state.first_host to Curl_http. No code before
- Curl_http uses data->state.first_host anyway.
-
-Guenter Knauf (4 Jul 2009)
-- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
- couple of both IPv4 and IPv6 autobuilds.
-
-Daniel Stenberg (29 Jun 2009)
-- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
- range if given colon-separated after the host name/address part. Like
- "192.168.0.1:2000-10000"
-
-- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
- don't know how they got wrong in the first place, but using this output
- format makes it possible to quite easily separate the string into an array
- of multiple items.
-
-Daniel Fandrich (16 June 2009)
-- Added a few more compiler warning options for gcc.
-
-Daniel Stenberg (16 Jun 2009)
-- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
- (no newline translations). Use -B/--use-ascii if you rather get the ascii
- approach.
-
-Michal Marek (16 Jun 2009)
-- When doing non-anonymous ftp via http proxies and the password is not
- provided in the url, add it there (squid needs this).
-
-Daniel Stenberg (15 Jun 2009)
-- Eric Wong's patch:
-
- This allows curl(1) to be used as a client-side tunnel for arbitrary stream
- protocols by abusing chunked transfer encoding in both the HTTP request and
- HTTP response. This requires server support for sending a response while a
- request is still being read, of course.
-
- If attempting to read from stdin returns EAGAIN, then we pause our sender.
- This leaves curl to attempt to read from the socket while reading from stdin
- (and thus sending) is paused.
-
- This change was needed to allow successfully tunneling the git protocol over
- HTTP (--no-buffer is needed, as well).
-
-Patrick Monnerat (15 Jun 2009)
-- Replaced use of standard C library rand()/srand() by our own pseudo-random
- number generator.
-
-Yang Tse (11 Jun 2009)
-- I adapted testcurl script to allow building test harness programs when
- cross-compiling for a *-*-mingw* host.
-
-Daniel Stenberg (10 Jun 2009)
-- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
- contributed a range of patches to fix them.
-
-Yang Tse (10 Jun 2009)
-- I introduced configure script option --enable-curldebug which now allows
- the decoupled enabling or disabling of the curl debug memory tracking
- feature from the --enable-debug option which no longer controls this.
-
- curl --version will list 'Debug' feature for debug enabled builds, and
- will list 'TrackMemory' feature for curl debug memory tracking capable
- builds. These features are independent and can be controlled when running
- the configure script. When --enable-debug is given both features will be
- enabled, unless some restriction prevents memory tracking from being used.
-
- Internally, definition of preprocessor symbol DEBUGBUILD restricts code
- which is only compiled for debug enabled builds. And symbol CURLDEBUG is
- used to differentiate code which is _only_ used for memory tracking.
-
-Yang Tse (9 Jun 2009)
-- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
- initializing the fread callback pointer and this triggered a compiler
- warning, also provided a friendly suggestion on how to fix it.
-
-Daniel Stenberg (8 Jun 2009)
-- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
- issue with client certs that caused issues like segfaults.
- http://curl.haxx.se/mail/lib-2009-05/0316.html
-
-- Triggered by bug report #2798852 and the patch in there, I fixed configure
- to detect gnutls build options with pkg-config only and not libgnutls-config
- anymore since GnuTLS has stopped distributing that tool. If an explicit path
- is given to configure, we will instead guess on how to link and use that
- lib. I did not use the patch from the bug report.
-
-Yang Tse (8 Jun 2009)
-- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
- included from Makefile.inc, and provided docs\INSTALL VxWorks section.
-
-- I removed buildconf.bat from release and daily snapshot archives. This
- file is only for CVS tree checkout builds.
-
-Daniel Stenberg (8 Jun 2009)
-- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
- broken since 7.19.0
-
-Bill Hoffman (6 Jun 2009)
-- Added some cmake docs and fixed socklen_t in the build.
-
-Yang Tse (5 Jun 2009)
-- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
- in urlglob.c where it was not converting the Curl Unix exit code to a VMS
- DCL compatible exit code. This fix required the enhancement described next.
- This also adds an enhancement to main.c so that when curl is run under a
- Unix shell like Bash on VMS, it will return the standard Unix exit codes
- and messages." And another patch for docs/examples.
-
- I introduced os-specific.c and os-specific.h for use in curl tool code
- and adjusted John E. Malmberg's patch placement to use these new files
- as an effort to prevent main.c from growing ad infinitum. Code already
- existing in main.c which is OS specific should be moved into these files.
-
-Daniel Stenberg (4 June 2009)
-- Setting the Content-Length: header from your app when you do a POST or PUT
- is almost always a VERY BAD IDEA. Yet there are still apps out there doing
- this, and now recently it triggered a bug/side-effect in libcurl as when
- libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
- knows it will just get a 401/407 back. If the app then replaced the
- Content-Length header, it caused the server to wait for input that libcurl
- wouldn't send. Aaron Oneal reported this problem in bug report #2799008
- (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
-
-Yang Tse (4 Jun 2009)
-- Igor Novoseltsev provided patches and information, that after some
- adjustments to better fit curl's way of doing things, have resulted
- in the posibility of building libcurl for VxWorks.
-
-Daniel Fandrich (2 June 2009)
-- Checked in a Google Android make file. To use it, you must first
- create a config.h file by running configure in the Android environment,
- which doesn't seem to be easy to do. If no easy way can be found, a
- static config-android.h may need to be created and checked in to the
- libcurl source tree.
-
-Daniel Stenberg (1 June 2009)
-- Claes Jakobsson fixed the configure script to better find and use NSS
- without pkg-config.
-
-Yang Tse (1 Jun 2009)
-- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
- out that the configure script was failing to detect the timeval struct on
- VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
- taking place in socket.h instead of time.h. I have adjusted configure
- script to also include this header when checking struct timeval.
-
-Daniel Stenberg (27 May 2009)
-- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
- fine with Nokia 5th edition 1.0 SDK for Symbian.
-
-- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
- for a failure properly.
-
-- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
- the auth credentials back in 7.19.0 and earlier while now you have to set ""
- to get the same effect. His patch brings back the ability to use NULL.
-
-- Claes Jakobsson fixed libcurl-NSS to build fine even without the
- PK11_CreateGenericObject() function.
-
-Daniel Stenberg (25 May 2009)
-- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
- out that the cookie parser would leak memory when it parses cookies that are
- received with domain, path etc set multiple times in the same header. While
- such a cookie is questionable, they occur in the wild and libcurl no longer
- leaks memory for them. I added such a header to test case 8.
-
-Daniel Fandrich (22 May 2009)
-- Removed some obsolete digest code that caused a valgrind error in test 551.
-
-Daniel Fandrich (20 May 2009)
-- Added "non-existing host" test keywords to make it easy to skip those
- tests on machines that have broken DNS configurations (such as
- those configured to use OpenDNS).
-
-Daniel Stenberg (19 May 2009)
-- Kamil Dudka brought the patch from the Redhat bug entry
- https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
- a bad file descriptor when closing down the FTP data connection. Caolan
- McNamara seems to be the original author of it.
-
-Version 7.19.5 (18 May 2009)
-
-Daniel Stenberg (17 May 2009)
-- James Bursa posted a patch to the mailing list that fixed a problem with
- no_proxy which made it not skip the proxy if the URL entered contained a
- user name. I added test case 1101 to verify.
-
-Daniel Stenberg (11 May 2009)
-- Balint Szilakszi reported a memory leak when libcurl did gzip decompression
- of streams that had some parts (legitimately) missing. We now provide and use
- a proper cleanup function for the content encoding submodule.
- http://curl.haxx.se/mail/lib-2009-05/0092.html
-
-- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth
- at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12
-
- If an incorrect password is given while loading a private key, libcurl ends
- up in an infinite loop consuming memory. The bug is critical.
-
-- I fixed the problem with doing NTLM, POST and then following a 302 redirect,
- as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on
- curl-library). The transfer was mistakenly marked to get more data to send
- but since it didn't actually have that, it just hung there...
-
-Daniel Stenberg (10 May 2009)
-- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
- byte in the digest code.
-
-Yang Tse (9 May 2009)
-- Removed DOS and TPF package's subdirectory Makefile.am, it was only used
- to include some files in the distribution tarball serving no other purpose.
- Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST
- of the Makefile in the parent subdirectory.
-
-Yang Tse (8 May 2009)
-- Changed host name literal in several tests to one under the haxx.se domain.
-
-- Renamed vc6 workspace and project files to avoid filename clash when used
- for conversion to later VS versions.
-
-Daniel Stenberg (8 May 2009)
-- Constantine Sapuntzakis fixed bug report #2784055
- (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to
- connect to SOCKS proxies when using the multi interface. It turned out to
- almost not work at all previously. We need to wait for the TCP connect to
- be properly verified before doing the SOCKS magic.
-
- There's still a flaw in the FTP code for this.
-
-Daniel Stenberg (7 May 2009)
-- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as
- well. See change 28 Apr 2009.
-
-Yang Tse (7 May 2009)
-- Fixed an issue affecting FTP transfers, introduced with the transfer.c
- patch committed May 4.
-
-Daniel Stenberg (7 May 2009)
-- Man page *roff problems fixed thanks to input from Colin Watson. Problems
- reported in the Debian package.
-
-- Vijay G filed bug report #2723236
- (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
- libcurl's TFTP code and its lack of dealing with the OACK packet.
-
-Yang Tse (5 May 2009)
-- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
- reverted the change affecting test suite harness committed 4 May.
-
-Daniel Stenberg (5 May 2009)
-- Inspired by Michael Smith's session id fix for OpenSSL, I did the
- corresponding fix in the GnuTLS code: make sure to store the new session id
- in case the previous re-used one is rejected.
-
-Daniel Stenberg (4 May 2009)
-- Michael Smith posted bug report #2786255
- (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
- libcurl did not deal with SSL session ids properly if the server rejected a
- re-use of one. Starting now, it will forget the rejected one and remember
- the new. This change was for OpenSSL only, it is likely that other SSL lib
- code needs similar fixes.
-
-Yang Tse (4 May 2009)
-- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
- non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
- 1) On non-ASCII platforms not all of the protocol portions of the PUT are
- being translated to ASCII. 2) On all platforms the line endings of part of
- the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or
- data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV).
-
-- Applied David McCreedy's patch to fix test suite harness to allow test FTP
- server and client on different machines, providing FTP client address when
- running the FTP test server.
-
-Daniel Fandrich (3 May 2009)
-- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug
- report failed to mention that a proxy must be used to reproduce it.
-
-Yang Tse (2 May 2009)
-- Use a build-time configured curl_socklen_t data type instead of socklen_t.
-
-Yang Tse (1 May 2009)
-- Applied David McCreedy's patches "TPF-platform specific changes to various
- files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the
- former with minor edits.
-
-Daniel Stenberg (30 Apr 2009)
-- I was going to fix issue #59 in KNOWN_BUGS
-
- If the CURLOPT_PORT option is used on an FTP URL like
- "ftp://example.com/file;type=A" the ";type=A" is stripped off.
-
- I added test case 562 to verify, only to find out that I couldn't repeat
- this bug so I hereby consider it not a bug anymore!
-
-Daniel Stenberg (29 Apr 2009)
-- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219)
- I've now made TFTP "connections" not being kept for re-use within libcurl.
- TFTP is UDP-based so the benefit was really low (if even existing) to begin
- with so instead of tracking down to fix this problem we instead removed the
- re-use. I also enabled test case 1099 that I wrote a few days ago to verify
- that this change fixes the reported problem.
-
-Daniel Stenberg (28 Apr 2009)
-- Constantine Sapuntzakis filed bug report #2783090
- (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows
- we need to grow the SO_SNDBUF buffer somewhat to get really good upload
- speeds. http://support.microsoft.com/kb/823764 has the details. Friends
- confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough.
-
-- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim
- Chen pointed out how curl couldn't upload with resume when reading from a
- pipe.
-
- This ended up with the introduction of a new return code for the
- CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but
- that libcurl may try to resolve the situation anyway. In our case this means
- libcurl will attempt to instead read that much data from the stream instead
- of seeking and that way curl can now upload with resume when data is read
- from a stream!
-
-Daniel Stenberg (26 Apr 2009)
-- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven
- Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi
- interface and provided a patch that fixed the problem!
-
-Daniel Stenberg (24 Apr 2009)
-- Kamil Dudka fixed another NSS-related leak when client certs were used.
-
-- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
- Koenig pointed out that the man page didn't tell that the *_proxy
- environment variables can be specified lower case or UPPER CASE and the
- lower case takes precedence,
-
-Daniel Fandrich (21 Apr 2009)
-- Added new libcurl source files to Amiga, RiscOS and VC6 build files.
-
-Yang Tse (21 Apr 2009)
-- Moved potential inclusion of system's malloc.h and memory.h header files to
- setup_once.h. Inclusion of each header file is based on the definition of
- NEED_MALLOC_H and NEED_MEMORY_H respectively.
-
- Renamed libcurl's memory.h to curl_memory.h
-
-Daniel Stenberg (20 Apr 2009)
-- Leanic Lefever reported a crash and did some detailed research on why and
- how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The
- conclusion was that if an error is detected and Curl_done() is called for
- the connection, ftp_done() could at times return another error code that
- then would take precedence and that new code confused existing logic that
- works for the first error code (CURLE_SEND_ERROR) only.
-
-- Gisle Vanem noticed that --libtool would produce bogus strings at times for
- OBJECTPOINT options. Now we've introduced a new function - my_setopt_str -
- within the app for setting plain string options to avoid the risk of this
- mistake happening.
-
-Daniel Stenberg (17 Apr 2009)
-- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP
- proxy. libcurl would then wrongly close the connection after each
- request. In his case it had the weird side-effect that it killed NTLM auth
- for the proxy causing an inifinite loop!
-
- I added test case 1098 to verify this fix. The test case does however not
- properly verify that the transfers are done persistently - as I couldn't
- think of a clever way to achieve it right now - but you need to read the
- stderr output after a test run to see that it truly did the right thing.
-
-Daniel Stenberg (13 Apr 2009)
-- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin
- Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright
- confusing as it set the method to either GET or HEAD. The example he showed
- looked like:
-
- curl_easy_setopt(curl, CURLOPT_PUT, 1);
- curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
-
- The new way doesn't alter the method until the request is about to start. If
- CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is
- 0 and the request happens to have been set to HEAD, it will then instead be
- set to GET. I believe this will be less surprising to users, and hopefully
- not hit any existing users badly.
-
-- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned
- out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue
- is found in Redhat's bug tracker:
- https://bugzilla.redhat.com/show_bug.cgi?id=453612
-
- There are still memory leaks present, but they seem to have other reasons.
-
-Daniel Fandrich (11 Apr 2009)
-- Added new libcurl source files to Symbian OS build files.
-- Improved Symbian support for SSL.
-
-Yang Tse (10 Apr 2009)
-- Daniel Johnson improved the MacOSX-Framework shell script to now perform all
- the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64
- libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later.
-
-Yang Tse (8 Apr 2009)
-- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also
- removes it from the curlbuild.h file originally distributed by the cURL
- project as this file is intended for systems not capable of running the
- configure script. For those who have been building curl out of the source
- code curl distribution tarball provided by curl.haxx.se the change implies
- nothing. Previous change in this area committed 2 Apr becomes irrelevant.
-
-Daniel Stenberg (6 Apr 2009)
-- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success
- and 1 on fatal errors. Previously it only mentioned non-zero on fatal
- errors. This is a slight change in meaning, but it follows what we've done
- elsewhere before and it opens up for LOTS of more useful return codes
- whenever we can think of them...
-
-Yang Tse (2 Apr 2009)
-- Fix curl_off_t definition for builds done using Sun compilers and a
- non-configured libcurl. In this case curl_off_t data type was gated
- to the off_t data type which depends on the _FILE_OFFSET_BITS. This
- configuration is exactly the unwanted configuration for our curl_off_t
- data type which must not depend on such setting. This breaks ABI for
- libcurl libraries built with Sun compilers which were built without
- having run the configure script with _FILE_OFFSET_BITS different than
- 64 and using the ILP32 data model.
-
-Daniel Stenberg (1 Apr 2009)
-- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a
- strdup() call failed.
-
-Daniel Fandrich (31 Mar 2009)
-- Properly return an error code in curl_easy_recv (reported by Jim Freeman).
-
-Daniel Stenberg (18 Mar 2009)
-- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
- NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
- explicitly.
-
-Daniel Stenberg (13 Mar 2009)
-- Use libssh2_version() to present the libssh2 version in case the libssh2
- library is found to support it.
-
-Yang Tse (12 Mar 2009)
-- Added missing Curl_read() return code checking in TELNET transfers.
-
-- Pierre Brico found and fixed TELNET transfers not being aborted upon
- a write callback failure.
-
-Daniel Stenberg (11 Mar 2009)
-- Kamil Dudka made the curl tool properly call curl_global_init() before any
- other libcurl function.
-
-Yang Tse (11 Mar 2009)
-- Added missing TELNET timeout support for Windows builds. This issue was
- reported by Pierre Brico.
-
-Daniel Stenberg (9 Mar 2009)
-- Frank Hempel found out a bug and provided the fix:
-
- curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE
- option. It only enabled the cookie engine in the destination handle if
- data->cookies is not NULL (where data is the source handle). In case of a
- newly initialized handle which just had the cookie support enabled by a
- curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was
- still NULL because the setopt-call only appends the value to
- data->change.cookielist, hence duplicating this handle would not have the
- cookie engine switched on.
-
- We also concluded that the slist-functionality would be suitable for being
- put in its own module rather than simply hanging out in lib/sendf.c so I
- created lib/slist.[ch] for them.
-
-- Andreas Farber made the 'buildconf' script check for the presence of m4
- scripts to make it detect a bad checkout earlier. People with older
- checkouts who don't do cvs update with the -d option won't get the new dirs
- and then will get funny outputs that can be a bit hard to understand and
- fix.
-
-Daniel Stenberg (8 Mar 2009)
-- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the
- allocation of the memory BIO was not being properly checked.
-
-- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places
- in the gnutls code where we were checking for negative values for errors,
- when the man pages state that GNUTLS_E_SUCCESS is returned on success and
- other values indicate error conditions.
-
-- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that
- curl didn't use sprintf() in a way that is documented to work in POSIX but
- since we use our own printf() code (from libcurl) that shouldn't be a
- problem. Nonetheless I modified the code to not rely on such particular
- features and to not cause further raised eyebrowse with no good reason.
-
-Daniel Fandrich (5 Mar 2009)
-- Expanded the security section of the libcurl-tutorial man page to cover
- more issues for authors to consider when writing robust libcurl-using
- applications.
-
-Yang Tse (5 Mar 2009)
-- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This
- issue was noticed by Chris Deidun.
-
-Daniel Fandrich (4 Mar 2009)
-- Fixed a problem with m4 quoting in the OpenSSL configure check reported
- by Daniel Johnson.
-
-Daniel Stenberg (3 Mar 2009)
-- David James brought a patch that make libcurl close (all) dead connections
- whenever you attempt to open a new connection.
-
- 1. After cleaning up a dead connection, "continue" instead of
- returning FALSE. This ensures that we clean up all dead connections,
- rather than just cleaning up the first dead connection.
- 2. Move up the cleanup for dead connections so that it occurs for
- all connections, rather than just the connections which have the same
- preferences as our current new connection.
-
-Version 7.19.4 (3 March 2009)
-
-Daniel Stenberg (3 Mar 2009)
-- David Kierznowski notified us about a security flaw
- (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
- which previous libcurl versions (by design) can be tricked to access an
- arbitrary local/different file instead of a remote one when
- CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
- together this the addition of two new setopt options for controlling this
- new behavior:
-
- o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
- follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
- excludes the FILE and SCP protocols and thus you nee to explicitly allow
- them in your app if you really want that behavior.
-
- o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
- using the primary URL option. This is useful if you want to allow a user or
- other outsiders control what URL to pass to libcurl and yet not allow all
- protocols libcurl may have been built to support.
-
-Daniel Stenberg (27 Feb 2009)
-- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
- CURLOPT_LOCALPORT were used together (the local port bind failed), and
- Markus Koetter provided the fix!
-
-Daniel Stenberg (25 Feb 2009)
-- As Daniel Fandrich figured out, we must do the GnuTLS initing in the
- curl_global_init() function to properly maintain the performing functions
- thread-safe. We've previously (28 April 2007) moved the init to a later time
- just to avoid it to fail very early when libgcrypt dislikes the situation,
- but that move was bad and the fix should rather be in libgcrypt or
- elsewhere.
-
-Daniel Stenberg (24 Feb 2009)
-- Brian J. Murrell found out that Negotiate proxy authentication didn't work.
- It happened because the code used the struct for server-based auth all the
- time for both proxy and server auth which of course was wrong.
-
-Daniel Stenberg (23 Feb 2009)
-- After a bug reported by James Cheng I've made curl_easy_getinfo() for
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
- -1 if the sizes aren't know. Previously these returned 0, make it impossible
- to detect the difference between actually zero and unknown.
-
-Yang Tse (23 Feb 2009)
-- Daniel Johnson provided a shell script that will perform all the steps needed
- to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
-
-Daniel Stenberg (23 Feb 2009)
-- I renamed everything in the windows builds files that used the name 'curllib'
- to the proper 'libcurl' as clearly this caused confusion.
-
-Yang Tse (20 Feb 2009)
-- Do not halt compilation when using VS2008 to build a Windows 2000 target.
-
-Daniel Stenberg (20 Feb 2009)
-- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
- FTP with the multi interface: when a transfer fails, like when aborted by a
- write callback, the control connection was wrongly closed and thus not
- re-used properly.
-
- This change is also an attempt to cleanup the code somewhat in this area, as
- now the FTP code attempts to keep (better) track on pending responses
- necessary to get read in ftp_done().
-
-Daniel Stenberg (19 Feb 2009)
-- Patrik Thunstrom reported a problem and helped me repeat it. It turned out
- libcurl did a superfluous 1000ms wait when doing SFTP downloads!
-
- We read data with libssh2 while doing the "DO" operation for SFTP and then
- when we were about to start getting data for the actual file part, the
- "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
- libssh2-read. But in this case libssh2 had already read and buffered the
- data so we ended up always just waiting 1000ms before we get working on the
- data!
-
-Patrick Monnerat (18 Feb 2009)
-- FTP downloads (i.e.: RETR) ending with code 550 now return error
- CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
-
-Daniel Stenberg (17 Feb 2009)
-- Kamil Dudka made NSS-powered builds compile and run again!
-
-- A second follow-up change by Andre Guibert de Bruet to fix a related memory
- leak like that fixed on the 14th. When zlib returns failure, we need to
- cleanup properly before returning error.
-
-- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
- plain FTP connections, and it will then allow MKD to fail once and retry the
- CWD afterwards. This is especially useful if you're doing many simultanoes
- connections against the same server and they all have this option enabled,
- as then CWD may first fail but then another connection does MKD before this
- connection and thus MKD fails but trying CWD works! The numbers can
- (should?) now be set with the convenience enums now called
- CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.
-
- Tests has proven that if you're making an application that uploads a set of
- files to an ftp server, you will get a noticable gain in speed if you're
- using multiple connections and this option will be then be very useful.
-
-Daniel Stenberg (14 Feb 2009)
-- Andre Guibert de Bruet found and fixed a memory leak in the content encoding
- code, which could happen on libz errors.
-
-Daniel Fandrich (12 Feb 2009)
-- Added support for Digest and NTLM authentication using GnuTLS.
-
-Daniel Stenberg (11 Feb 2009)
-- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
- the condition in the previous request was unmet. This is typically a time
- condition set with CURLOPT_TIMECONDITION and was previously not possible to
- reliably figure out. From bug report #2565128
- (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert.
-
-Daniel Fandrich (4 Feb 2009)
-- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
- (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
-
-- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
- This couldn't ever overflow in curl, but might if the code were used
- elsewhere or under different conditions.
-
-Daniel Stenberg (3 Feb 2009)
-- Hidemoto Nakada provided a small fix that makes it possible to get the
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
- CURLOPT_NOBODY set true.
-
-Daniel Stenberg (2 Feb 2009)
-- Patrick Scott found a rather large memory leak when using the multi
- interface and setting CURLMOPT_MAXCONNECTS to something less than the number
- of handles you add to the multi handle. All the connections that didn't fit
- in the cache would not be properly disconnected nor freed!
-
-- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
- version 1.1 instead of 1.0 like before. This change also introduces the new
- proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
- switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
- option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
-
- I updated all test cases cases that use CONNECT and I tried to do some using
- --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
-
-Daniel Stenberg (31 Jan 2009)
-- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
- enabled, we can now take advantage of its brand new AF_UNSPEC support in
- ares_gethostbyname(). This makes test case 241 finally run fine for me with
- this setup since it now parses the "::1 ip6-localhost" line fine in my
- /etc/hosts file!
-
-Daniel Stenberg (30 Jan 2009)
-- Scott Cantor filed bug report #2550061
- (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
- properly make sure that the VC9 makefiles got included in the latest
- release. I've now fixed the release script and verified it so next release
- will hopefully include them properly!
-
-Daniel Fandrich (30 Jan 2009)
-- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for
- reporting.
-
-Yang Tse (29 Jan 2009)
-- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
- Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
- named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
- Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
- SSPI library using it now in the same way as it was done in http_ntlm.c.
-
-Daniel Stenberg (28 Jan 2009)
-- Markus Moeller introduced two new options to libcurl:
- CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
- to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
- options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
- these.
-
-Daniel Stenberg (26 Jan 2009)
-- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
- to set desired block size to use for TFTP transfers instead of the default
- 512 bytes.
-
-- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
- disable "rfc4507bis session ticket support". rfc4507bis was later turned
- into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
-
- The enabled extension concerns the session management. I wonder how often
- libcurl stops a connection and then resumes a TLS session. also, sending the
- session data is some overhead. .I suggest that you just use your proposed
- patch (which explicitly disables TICKET).
-
- If someone writes an application with libcurl and openssl who wants to
- enable the feature, one can do this in the SSL callback.
-
- Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
- on the proper action.
-
-- Alexey Borzov filed bug report #2535504
- (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
- quoted quotation marks in HTTP Digest headers didn't work. I've now added
- test case 1095 that verifies my fix.
-
-- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
- They basically offer the same thing the NO_PROXY environment variable only
- offered previously: list a set of host names that shall not use the proxy
- even if one is specified.
-
-Daniel Fandrich (20 Jan 2009)
-- Call setlocale() for libtest tests to test the effects of locale-induced
- libc changes on libcurl.
-
-- Fixed a couple more locale-dependent toupper conversions, mainly for
- clarity. This does fix one problem that causes ;type=i FTP URLs
- to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
- used (test case 561)
-
-- Added tests 561 and 1091 through 1094 to test various combinations
- of ;type= and ;mode= URLs that could potentially fail in the Turkish
- locale.
-
-Daniel Stenberg (20 Jan 2009)
-- Lisa Xu pointed out that the ssh.obj file was missing from the
- lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too).
-
-Version 7.19.3 (19 January 2009)
-
-Daniel Stenberg (16 Jan 2009)
-- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
- 32 bit and 64 bit.
-
-Daniel Stenberg (15 Jan 2009)
-- Tim Ansell fixed a compiler warning in lib/cookie.c
-
-Daniel Stenberg (14 Jan 2009)
-- Grant Erickson fixed timeouts for TFTP such that specifying a
- connect-timeout, a max-time or both options work correctly and as expected
- by passing the correct boolean value to Curl_timeleft via the
- 'duringconnect' parameter.
-
- With this small change, curl TFTP now behaves as expected (and likely as
- originally-designed):
-
- 1) For non-existent or unreachable dotted IP addresses:
-
- a) With no options, follows the default curl 300s timeout...
- b) With --connect-timeout only, follows that value...
- c) With --max-time only, follows that value...
- d) With both --connect-timeout and --max-time, follows the smaller value...
-
- and times out with a "curl: (7) Couldn't connect to server" error.
-
- 2) For transfers to/from a valid host:
-
- a) With no options, follows default curl 300s timeout for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- b) With --connect-time only, follows that value for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- c) With --max-time only, follows that value for the first
- XRQ/DATA/ACK transaction and for the remainder of the
- transfer...
-
- d) With both --connect-timeout and --max-time, follows the former
- for the first XRQ/DATA/ACK transaction and the latter for the
- remainder of the transfer...
-
- and times out with a "curl: (28) Timeout was reached" error as
- appropriate.
-
-Daniel Stenberg (13 Jan 2009)
-- Michael Wallner fixed a NULL pointer deref when calling
- curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
- cookies data.
-
-- Stefan Teleman brought a patch to fix the default curlbuild.h file for the
- SunPro compilers.
-
-Daniel Stenberg (12 Jan 2009)
-- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
- by Daniel Black, I've now added magic to the configure script that makes it
- use pkg-config to detect gnutls details as well if the existing method
- (using libgnutls-config) fails. While doing this, I cleaned up and unified
- the pkg-config usage when detecting openssl and nss as well.
-
-Daniel Stenberg (11 Jan 2009)
-- Karl Moerder brought the patch that creates vc9 Makefiles, and I made
- 'maketgz' now use the actual makefile targets to do the VC8 and VC9
- makefiles.
-
-Daniel Stenberg (10 Jan 2009)
-- Emil Romanus fixed:
-
- When using the multi interface over HTTP and the server returns a Location
- header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
- state, leaving the external event loop stuck waiting for data from the
- ingoing socket (when using the curl_multi_socket_action stuff). While this
- bug was pretty hard to find, it seems to require only a one-line fix. The
- break statement on line 1374 in multi.c caused the function to skip the call
- to multistate().
-
- How to reproduce this bug? Well, that's another question. evhiperfifo.c in
- the examples directory chokes on this bug only _sometimes_, probably
- depending on how fast the URLs are added. One way of testing the bug out is
- writing to hiper.fifo from more than one source at the same time.
-
-Daniel Fandrich (7 Jan 2009)
-- Unified much of the SessionHandle initialization done in Curl_open() and
- curl_easy_reset() by creating Curl_init_userdefined(). This had the side
- effect of fixing curl_easy_reset() so it now also resets
- CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE
-
-Daniel Stenberg (7 Jan 2009)
-- Rob Crittenden did once again provide an NSS update:
-
- I have to jump through a few hoops now with the NSS library initialization
- since another part of an application may have already initialized NSS by the
- time Curl gets invoked. This patch is more careful to only shutdown the NSS
- library if Curl did the initialization.
-
- It also adds in a bit of code to set the default ciphers if the app that
- call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
- ciphers. One might argue that this lets other application developers get
- lazy and/or they aren't using the NSS API correctly, and you'd be right.
- But still, this will avoid terribly difficult-to-trace crashes and is
- generally helpful.
-
-Daniel Stenberg (1 Jan 2009)
-- 'reconf' is removed since we rather have users use 'buildconf'
-
-Daniel Stenberg (31 Dec 2008)
-- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing
- out that 'reconf' didn't properly point out the m4 subdirectory when running
- aclocal.
-
-Daniel Stenberg (29 Dec 2008)
- - Phil Lisiecki filed bug report #2413067
- (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that
- would cause libcurl to mark a DNS cache entry "in use" eternally if the
- subsequence TCP connect failed. It would thus never get pruned and refreshed
- as it should've been.
-
- Phil provided his own patch to this problem that while it seemed to work
- wasn't complete and thus I wrote my own fix to the problem.
-
-Daniel Stenberg (28 Dec 2008)
-- Peter Korsgaard fixed building libcurl with "configure --with-ssl
- --disable-verbose".
-
-- Anthony Bryan fixed more language and spelling flaws in man pages.
-
-Daniel Stenberg (22 Dec 2008)
-- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even
- on file indexes beyond 2 or 4GB.
-
-- Anthony Bryan provided a set of patches that cleaned up manual language,
- corrected spellings and more.
-
-Daniel Stenberg (20 Dec 2008)
-- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing
- pipelining, as libcurl could then easily get confused and A) work on the
- handle that was not "first in queue" on a pipeline, or even B) tell the app
- to REMOVE a socket while it was in use by a second handle in a pipeline. Both
- errors caused hanging or stalling applications.
-
-Daniel Stenberg (19 Dec 2008)
-- curl_multi_timeout() could return a timeout value of 0 even though nothing
- was actually ready to get done, as the internal time resolution is higher
- than the returned millisecond timer. Therefore it could cause applications
- running on fast processors to do short bursts of busy-loops.
- curl_multi_timeout() will now only return 0 if the timeout is actually
- alreay triggered.
-
-- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl
- now has an improved ability to do right when the multi interface (both
- "regular" and multi_socket) is used for SCP and SFTP transfers. This should
- result in (much) less busy-loop situations and thus less CPU usage with no
- speed loss.
-
-Daniel Stenberg (17 Dec 2008)
-- SCP and SFTP with the multi interface had the same flaw: the 'DONE'
- operation didn't complete properly if the EAGAIN equivalent was returned but
- libcurl would simply continue with a half-completed close operation
- performed. This ruined persistent connection re-use and cause some
- SSH-protocol errors in general. The correction is unfortunately adding a
- blocking function - doing it entirely non-blocking should be considered for
- a better fix.
-
-Gisle Vanem (16 Dec 2008)
-- Added the possibility to use the Watt-32 tcp/ip stack under Windows.
- The change simply involved adding a USE_WATT32 section in the
- config-win32.h files (under ./lib and ./src). This section disables
- the use of any Winsock headers.
-
-Daniel Stenberg (16 Dec 2008)
-- libssh2_sftp_last_error() was wrongly used at some places in libcurl which
- made libcurl sometimes not properly abort problematic SFTP transfers.
-
-Daniel Stenberg (12 Dec 2008)
-- More work with Igor Novoseltsev to first fix the remaining stuff for
- removing easy handles from multi handles when the easy handle is/was within
- a HTTP pipeline. His bug report #2351653
- (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was
- eventually fixed by a patch by Igor himself.
-
-Yang Tse (12 Dec 2008)
-- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting
- OS/400 compilations with IPv6 enabled.
-
-Daniel Stenberg (12 Dec 2008)
-- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists
- when using duphandle+curl_mutli"
- (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that
- curl_easy_duphandle() wrongly also copied the pointer to the connection
- cache, which was plain wrong and caused a segfault if the handle would be
- used in a different multi handle than the handle it was duplicated from.
-
-Daniel Stenberg (11 Dec 2008)
-- Keshav Krity found out that libcurl failed to deal with dotted IPv6
- addresses if they were very long (>39 letters) due to a too strict address
- validity parser. It now accepts addresses up to 45 bytes long.
-
-Daniel Stenberg (11 Dec 2008)
-- Internet Explorer had a broken HTTP digest authentication before v7 and
- there are servers "out there" that relies on the client doing this broken
- Digest authentication. Apache even comes with an option to work with such
- broken clients.
-
- The difference is only for URLs that contain a query-part (a '?'-letter and
- text to the right of it).
-
- libcurl now supports this quirk, and you enable it by setting the
- CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
- CURLOPT_PROXYAUTH options. They are thus individually controlled to server
- and proxy.
-
- (note that there's no way to activate this with the curl tool yet)
-
-Daniel Fandrich (9 Dec 2008)
-- Added test cases 1089 and 1090 to test --write-out after a redirect to
- test a report that the size didn't work, but these test cases pass.
-
-- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs.
-
-Daniel Stenberg (9 Dec 2008)
-- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any
- particular state for the control connection like it did before for implicit
- FTPS (libcurl assumed such control connections to be encrypted while some
- FTPS servers such as FileZilla assumes such connections to be clear
- mode). Use the CURLOPT_USE_SSL option to set your desired level.
-
-Daniel Stenberg (8 Dec 2008)
-- Fred Machado posted about a weird FTP problem on the curl-users list and when
- researching it, it turned out he got a 550 response back from a SIZE command
- and then I fell over the text in RFC3659 that says:
-
- The presence of the 550 error response to a SIZE command MUST NOT be taken
- by the client as an indication that the file cannot be transferred in the
- current MODE and TYPE.
-
- In other words: the change I did on September 30th 2008 and that has been
- included in the last two releases were a regression and a bad idea. We MUST
- NOT take a 550 response from SIZE as a hint that the file doesn't exist.
-
-- Christian Krause filed bug #2221237
- (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite
- loop during GSS authentication given some specific conditions. With his
- patience and great feedback I managed to narrow down the problem and
- eventually fix it although I can't test any of this myself!
-
-Daniel Fandrich (3 Dec 2008)
-- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6
- support (e.g. Minix)
-
-Daniel Stenberg (3 Dec 2008)
-- Igor Novoseltsev filed bug #2351645
- (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with
- the multi interface that occured if you removed an easy handle while in
- progress and the handle was used in a HTTP pipeline.
-
-- Pawel Kierski pointed out a mistake in the cookie code that could lead to a
- bad fclose() after a fatal error had occured.
- (http://curl.haxx.se/bug/view.cgi?id=2382219)
-
-Daniel Fandrich (25 Nov 2008)
-- If a HTTP request is Basic and num is already >=1000, the HTTP test
- server adds 1 to num to get the data section to return. This allows
- testing authentication negotiations using the Basic authentication
- method.
-
-- Added tests 1087 and 1088 to test Basic authentication on a redirect
- with and without --location-trusted
-
-Daniel Stenberg (24 Nov 2008)
-- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19
- function when built to support SCP and SFTP that helps the library to know
- in which direction a particular libssh2 operation would return EAGAIN so
- that libcurl knows what socket conditions to wait for before trying the
- function call again. Previously (and still when using libssh2 0.18 or
- earlier), libcurl will busy-loop in this situation when the easy interface
- is used!
-
-Daniel Fandrich (20 Nov 2008)
-- Automatically detect OpenBSD's CA cert bundle.
-
-Daniel Stenberg (19 Nov 2008)
-- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is
- used. It has been used since forever but it was never a good idea to use
- unless explicitly asked for.
-
-- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when
- you use runtests.pl -g, will be sourced by gdb to allow additional fancy or
- whatever you see fit
-
-- Christian Krause reported and fixed a memory leak that would occur with HTTP
- GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386)
-
-- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got
- when uploading files to a single FTP server using multiple easy handle
- handles with the multi interface. Occasionally a handle would stall in
- mysterious ways.
-
- The problem turned out to be a side-effect of the ConnectionExists()
- function's eagerness to re-use a handle for HTTP pipelining so it would
- select it even if already being in use, due to an inadequate check for its
- chances of being used for pipelnining.
-
-Daniel Fandrich (17 Nov 2008)
-- Added more compiler warning options for gcc 4.3
-
-Yang Tse (17 Nov 2008)
-- Fix a remaining problem in the inet_pton() runtime configure check. And
- fix internal Curl_inet_pton() failures to reject certain malformed literals.
-
-- Make configure script check if ioctl with the SIOCGIFADDR command can be
- used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate.
-
-Daniel Stenberg (16 Nov 2008)
-- Christian Krause fixed a build failure when building with gss support
- enabled and FTP disabled.
-
-- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c
- - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do
- for example -O on a url with a file name part longer than PATH_MAX letters
-
-- lib/nss.c fixes based on the report by Jim Meyering: I went over and added
- checks for return codes for all calls to malloc and strdup that were
- missing. I also changed a few malloc(13) to use arrays on the stack and a
- few malloc(PATH_MAX) to instead use aprintf() to lower memory use.
-
-- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is
- in use.
-
-Daniel Fandrich (14 Nov 2008)
-- Added .xml as one of the few common file extensions known by the multipart
- form generator.
-
-- Added some #ifdefs around header files and change the EAGAIN test to
- fix compilation on Cell (reported by Jeff Curley).
-
-Yang Tse (14 Nov 2008)
-- Fixed several configure script issues affecting checks for inet_ntoa_r(),
- inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo().
-
-Yang Tse (13 Nov 2008)
-- Refactored configure script detection of functions used to set sockets into
- non-blocking mode, and decouple function detection from function capability.
+$ git log --pretty=fuller --no-color --date=short --decorate=full | \
+ ./log2changes.pl
+The older, manually edited, changelog is found in git named CHANGES.0
diff --git a/CHANGES.0 b/CHANGES.0
index bba77fb14..d0d09e366 100644
--- a/CHANGES.0
+++ b/CHANGES.0
@@ -6,8 +6,2383 @@
Old Changelog
-Changes done to curl and libcurl from 1997 to 2008. The most recent changes are
-always kept in the CHANGES file.
+Changes done to curl and libcurl from 1997 to 2010, edited manually. The most
+recent changes are always generated into the CHANGES file straight from git.
+
+Kamil Dudka (17 June 2010)
+- Improve test575 in order to not fail with threaded DNS resolver.
+
+Version 7.21.0 (16 June 2010)
+
+Daniel Stenberg (5 June 2010)
+- Constantine Sapuntzakis fixed a case of spurious SSL connection aborts using
+ libcurl and OpenSSL. "I tracked it down to uncleared error state on the
+ OpenSSL error stack - patch attached deals with that."
+
+Daniel Stenberg (5 June 2010)
+- Frank Meier added CURLINFO_PRIMARY_PORT, CURLINFO_LOCAL_IP and
+ CURLINFO_LOCAL_PORT to curl_easy_getinfo().
+
+Yang Tse (4 June 2010)
+- Enabled OpenLDAP support for cygwin builds. This support was disabled back
+ in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
+ cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
+ allow building an OpenLDAP enabled libcurl supporting back to Windows 95.
+
+ Removed the non-functional CURL_LDAP_HYBRID code and references.
+
+Daniel Stenberg (2 June 2010)
+- Jason McDonald posted bug report #3006786 when he found that the SFTP code
+ didn't timeout properly in several places in the code even if a timeout was
+ set properly.
+
+ Based on his suggested patch, I wrote a different implementation that I
+ think addressed the issue better and also uses the connect timeout for the
+ initial part of the SSH/SFTP done during the "protocol connect" phase.
+
+ (http://curl.haxx.se/bug/view.cgi?id=3006786)
+
+Yang Tse (2 June 2010)
+- Added missing new libcurl files to non-configure targets. Adjusted
+ libcurl standard internal header inclusions in new files. Fixed an
+ SPNEGO related memory leak. Fixed several LDAP related compilation
+ issues, and fixed some compiler warnings.
+
+Daniel Stenberg (1 June 2010)
+- Igor Novoseltsev reported a problem with the multi socket API and using
+ timeouts and timers. It boiled down to a problem with libcurl's use of
+ GetTickCount() interally to figure out the current time, while Igor's own
+ application code used another function call.
+
+ It made his app call the socket API timeout function a bit _before_ libcurl
+ would consider the timeout to trigger, and that could easily lead to
+ timeouts or stalls in the app. It seems GetTickCount() in general often has
+ no better resolution than 16ms and switching to the alternative function
+ QueryPerformanceCounter has its share of problems:
+ http://www.virtualdub.org/blog/pivot/entry.php?id=106
+
+ We address this problem by simply having libcurl treat timers that already
+ has occured or will occur within 40ms subject for treatment. I'm confident
+ that there are other implementations and operating systems with similarly in
+ accurate timer functions so it makes sense to have applied generically and I
+ don't believe we sacrifice much by adding a 40ms inaccuracy on these
+ timeouts.
+
+Kamil Dudka (27 May 2010)
+- added a new test for CRL support (test313)
+
+- Tor Arntsen changed the alternative definition of bool to use enum instead
+ of unsigned char.
+
+Daniel Stenberg (25 May 2010)
+- Julien Chaffraix fixed the warning seen when compiling lib/rtmp.c: one
+ unused variables, several unused arguments and some missing #include.
+
+- Julien Chaffraix fixed 2 OOM errors: a missing NULL-check in
+ lib/http_negociate.c and a potential NULL dereferencing in lib/splay.c
+
+- Howard Chu brought a patch that makes the LDAP code much cleaner, nicer and
+ in general being a better libcurl citizen. If a new enough OpenLDAP version
+ is detect, the new and shiny lib/openldap.c code is then used instead of the
+ old cruft.
+
+Daniel Stenberg (21 May 2010)
+- Eric Mertens posted bug #3003705: when we made TFTP use the correct timeout
+ option when sent to the server (fixed May 18th 2010) it became obvious that
+ libcurl used invalid timeout values (300 by default while the RFC allows
+ nothing above 255). While of course it is obvious that as TFTP has worked
+ thus far without being able to set timeout at all, just removing the setting
+ wouldn't make any difference in behavior. I decided to still keep it (but
+ fix the problem) as it now actually allows for easier (future) customization
+ of the timeout.
+
+ (http://curl.haxx.se/bug/view.cgi?id=3003705)
+
+- Douglas Kilpatrick filed bug report #3004787 and pointed out that the TFTP
+ code didn't handle block id wraps correctly. His suggested fix inspired the
+ fix I committed.
+
+ (http://curl.haxx.se/bug/view.cgi?id=3004787)
+
+Daniel Stenberg (20 May 2010)
+- Tanguy Fautre brought a fix to allow curl to build with Microsoft VC10.
+
+Daniel Stenberg (18 May 2010)
+- Eric Mertens posted bug report #3003005 pointing out that the libcurl TFTP
+ code was not sending the timeout option properly to the server, and
+ suggested a fix.
+
+ (http://curl.haxx.se/bug/view.cgi?id=3003005)
+
+Kamil Dudka (16 May 2010)
+- Pavel Raiskup introduced a new option CURLOPT_FNMATCH_DATA in order to pass
+ a custom data pointer to the callback specified by CURLOPT_FNMATCH_FUNCTION.
+
+Daniel Stenberg (14 May 2010)
+- John-Mark Bell filed bug #3000052 that identified a problem (with an
+ associated patch) with the OpenSSL handshake state machine when the multi
+ interface is used:
+
+ Performing an https request using a curl multi handle and using select or
+ epoll to wait for events results in a hang. It appears that the cause is the
+ fix for bug #2958179, which makes ossl_connect_common unconditionally return
+ from the step 2 loop when fetching from a multi handle.
+
+ When ossl_connect_step2 has completed, it updates connssl->connecting_state
+ to ssl_connect_3. ossl_connect_common will then return to the caller, as a
+ multi handle is in use. Eventually, the client code will call
+ curl_multi_fdset to obtain an updated fdset to select or epoll on. For https
+ requests, curl_multi_fdset will cause https_getsock to be called.
+ https_getsock will only return a socket handle if the connecting_state is
+ ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will
+ never obtain a valid fdset, and thus not drive the multi handle, resulting
+ in a hang.
+
+ (http://curl.haxx.se/bug/view.cgi?id=3000052)
+
+- Sebastian V reported bug #3000056 identifying a problem with redirect
+ following. It showed that when curl followed redirects it didn't properly
+ ignore the response body of the 30X response if that response was using
+ compressed Content-Encoding!
+
+ (http://curl.haxx.se/bug/view.cgi?id=3000056)
+
+Daniel Stenberg (12 May 2010)
+- Howard Chu brought support for RTMP. This is powered by the underlying
+ librtmp library. It supports a range of variations and "sub-protocols"
+ within the RTMP family.
+
+- Pavel Raiskup brought support for FTP directory wildcard matching to allow
+ selective downloading. To provide that, a set of new options were added:
+
+ CURLOPT_WILDCARDMATCH
+ CURLOPT_CHUNK_BGN_FUNCTION
+ CURLOPT_CHUNK_END_FUNCTION
+ CURLOPT_CHUNK_DATA
+ CURLOPT_FNMATCH_FUNCTION
+
+ There were also a set of new tests added (574 - 577) to verify this.
+
+Kamil Dudka (11 May 2010)
+- CRL support in libcurl-NSS has been completely broken. Now it works. Original
+ bug report: https://bugzilla.redhat.com/581926
+
+Daniel Stenberg (7 May 2010)
+- Dirk Manske reported a regression. When connecting with the multi interface,
+ there were situations where libcurl wouldn't store connect time correctly as
+ it used to (and is documented to) do.
+
+ Using his fine sample program we could repeat it, and I wrote up test case
+ 573 using that code. The problem does not easily show itself using the local
+ test suite though.
+
+ The fix, also as suggested by Dirk, is a bit on the ugly side as it adds yet
+ another call to Curl_verboseconnect() and setting the TIMER_CONNECT time.
+ That situation is subject for some closer inspection in the future.
+
+- Howard Chu split the I/O handling functions into private handlers.
+
+ Howard Chu brought the bulk work of this patch that properly moves out the
+ sending and recving of data to the parts of the code that are properly
+ responsible for the various ways of doing so.
+
+ Daniel Stenberg assisted with polishing a few bits and fixed some minor
+ flaws in the original patch.
+
+ Another upside of this patch is that we now abuse CURLcodes less with the
+ "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
+
+Daniel Stenberg (5 May 2010)
+- Hoi-Ho Chan introduced support for using the PolarSSL library. You control
+ this with the new configure option --with-polarssl.
+
+Daniel Stenberg (29 Apr 2010)
+- Ben Greear made telnet a lot better/easier to use by an application:
+
+ The main change is to allow input from user-specified methods, when they are
+ specified with CURLOPT_READFUNCTION. All calls to fflush(stdout) in
+ telnet.c were removed, which makes using 'curl telnet://foo.com' painful
+ since prompts and other data are not always returned to the user promptly.
+ Use 'curl --no-buffer telnet://foo.com' instead. In general, the user
+ should have their CURLOPT_WRITEFUNCTION do a fflush for interactive use.
+
+ Also fix assumption that reading from stdin never returns < 0.
+ Old code could crash in that case.
+
+ Call progress functions in telnet main loop.
+
+Daniel Stenberg (26 Apr 2010)
+- Make use of the libssh2_init/exit functions that libssh2 added in version
+ 1.2.5. Using them will improve how libcurl works in threaded situations when
+ SCP and SFTP are transfered.
+
+Daniel Stenberg (25 Apr 2010)
+- Based on work by Kamil Dudka, I've introduced the new configure option
+ --enable-threaded-resolver. When used, the configure script will check for
+ pthreads and if around, it will build libcurl to use pthreads to do name
+ resolving in a threaded manner. Note that this is just a fix to offer an
+ option that can enable the code that already included. The threader resolver
+ code was mostly added on Jan 26 2010.
+
+Daniel Stenberg (24 Apr 2010)
+- Alex Bligh introduced the --proto and -proto-redir options that limit what
+ protocols curl accepts for the requests and when following redirects.
+
+Kamil Dudka (24 Apr 2010)
+- Fixed test536 in order to not fail with threaded DNS resolver and tweaked
+ comments in certain examples using curl_multi_fdset().
+
+- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
+ to hang on a slow machine.
+
+Daniel Stenberg (21 Apr 2010)
+- The -O option caused curl to crash on windows and DOS due to the tool
+ writing out of boundary memory.
+
+Yang Tse (20 Apr 2010)
+- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead
+ of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds
+ that were done using those makefiles.
+
+Daniel Stenberg (19 Apr 2010)
+- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds
+ properly, so they could be used in the file name.
+
+Daniel Stenberg (16 Apr 2010)
+- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking.
+
+- The recent overhaul of the SSL recv function made the GnuTLS specific code
+ treat a zero returned from gnutls_record_recv() as an error, and this caused
+ our HTTPS test cases to fail. We leave it to upper layer code to detect if
+ an EOF is a problem or not.
+
+- I reverted the resolver fix from yesterday and instead removed all uses of
+ AI_CANONNAME all over libcurl and made the only user of that info (krb5.c)
+ use the host name from the URL instead. No reverse resolving is a good
+ thing.
+
+- Paul Howarth made configure properly detect GSS "on ancient Linux distros"
+ by editing in which order we use headers to detect GSS.
+
+Daniel Stenberg (15 Apr 2010)
+- Rainer Canavan filed bug report #2987196 that identified libcurl doing
+ unnecesary reverse name lookups in many cases when built to use IPv4 and
+ getaddrinfo(). The logic for ipv6 is now used for ipv4 too.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2963679)
+
+Version 7.20.1 (14 April 2010)
+
+Daniel Stenberg (9 Apr 2010)
+- Prefixing the FTP quote commands with an asterisk really only worked for the
+ postquote actions. This is now fixed and test case 227 has been extended to
+ verify.
+
+Kamil Dudka (4 Apr 2010)
+- Eliminated a race condition in Curl_resolv_timeout().
+
+- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send().
+
+- libcurl-NSS now provides more accurate messages and error codes in case of
+ client certificate problem. Either during connection, or transfer phase.
+
+Daniel Stenberg (1 Apr 2010)
+- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code
+ treated a 0 return code from libssh2 to be the same as EAGAIN while in
+ reality it isn't. The problem caused a hang in SFTP transfers from a
+ MessageWay server.
+
+Daniel Stenberg (28 Mar 2010)
+- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as
+ part of the URL, it would previously ask for 'INBOX' which just causes the
+ pop3 server to return an error.
+
+ Now libcurl treats en empty message ID as a request for LIST (list of pop3
+ message IDs). User's code could then parse this and download individual
+ messages as desired.
+
+Daniel Stenberg (27 Mar 2010)
+- Ben Greear brought a patch that from now on allows all protocols to specify
+ name and user within the URL, in the same manner HTTP and FTP have been
+ allowed to in the past - although far from all of the libcurl supported
+ protocls actually have that feature in their URL definition spec.
+
+Daniel Stenberg (26 Mar 2010)
+- Ben Greear brought code that makes the rate limiting code for the easy
+ interface a bit smoother as it introduces sub-second sleeps during it and it
+ also takes the buffer sizes into account.
+
+Daniel Stenberg (24 Mar 2010)
+- Bob Richmond: There's an annoying situation where libcurl will read new HTTP
+ response data from a socket, then check if it's a timeout if one is set. If
+ the last packet received constitutes the end of the response body, libcurl
+ still treats it as a timeout condition and reports a message like:
+
+ "Operation timed out after 3000 milliseconds with 876 out of 876 bytes
+ received"
+
+ It should only a timeout if the timer lapsed and we DIDN'T receive the end
+ of the response body yet.
+
+- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported
+ to us by Massimo Callegari. There's a new test case 572 that verifies this
+ now.
+
+- The 'ares' subtree has been removed from the source repository. It was
+ always a separate project that sort of piggybacked on the curl project since
+ the dawn of times and now the time has come for it to go stand on its own
+ legs and continue living its own life. All details on c-ares and its new
+ source code repository is found at http://c-ares.haxx.se/
+
+Daniel Stenberg (23 Mar 2010)
+- Kenny To filed the bug report #2963679 with patch to fix a problem he
+ experienced with doing multi interface HTTP POST over a proxy using
+ PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect
+ was not set correct so libcurl didn't work properly.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2963679)
+
+- Akos Pasztory filed debian bug report #572276
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem
+ with a resource that returns chunked-encoded _and_ with a Content-Length
+ and libcurl failed to properly ignore the latter information.
+
+- Hauke Duden provided an example program that made the multi interface crash.
+ His example simply used the multi interface and did first one FTP transfer
+ and after completion it used a second easy handle and did another FTP
+ transfer on the same FTP server.
+
+ This triggered a bug in the "delayed easy handle kill" system that curl
+ uses: when an FTP connection is left alive it must keep an easy handle
+ around internally - only for the purpose of having an easy handle when it
+ later disconnects it. The code assumed that when the easy handle was removed
+ and an internal reference was made, that version could be killed later on
+ when a new easy handle came using the same connection. This was wrong as
+ Hauke's example showed that the removed handle wasn't killed for real until
+ later. This caused a double close attempt => segfault.
+
+Daniel Stenberg (22 Mar 2010)
+- Thomas Lopatic fixed the alarm()-based DNS timeout:
+
+ Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in
+ case of a timeout, the signal handler for SIGALRM never gets removed. I
+ think that in my case it gets executed at some point later on when execution
+ has long left Curl_resolv_timeout() or even the cURL library.
+
+ The code that is jumped to with siglongjmp() simply sets the error message
+ to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess
+ that instead of simply returning without cleaning up, the code should have a
+ goto that jumps to the spot right after the call to Curl_resolv().
+
+Kamil Dudka (22 Mar 2010)
+- Douglas Steinwand contributed a patch fixing insufficient initialization in
+ Curl_clone_ssl_config()
+
+Daniel Stenberg (21 Mar 2010)
+- Ben Greear improved TFTP: the error code returning and the treatment
+ of TSIZE == 0 when uploading.
+
+- We've switched from CVS to git. See http://curl.haxx.se/source.html
+
+Kamil Dudka (19 Mar 2010)
+- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
+
+Daniel Stenberg (15 Mar 2010)
+- Constantine Sapuntzakis brought a patch:
+
+ The problem mentioned on Dec 10 2009
+ (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
+ Partially because an easy handle can be associated with many connections in
+ the cache (e.g. if there is a redirect during the lifetime of the easy
+ handle). The previous patch only cleaned up the first one. The new fix now
+ removes the easy handle from all connections, not just the first one.
+
+Daniel Stenberg (6 Mar 2010)
+- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
+ the easy interface was used.
+
+Daniel Stenberg (5 Mar 2010)
+- Daniel Johnson provided fixes for building curl with the clang compiler.
+
+Yang Tse (5 Mar 2010)
+- Constantine Sapuntzakis detected and fixed a double free in builds done
+ with threaded resolver enabled (Windows default configuration) that would
+ get triggered when a curl handle is closed while doing DNS resolution.
+
+Daniel Stenberg (2 Mar 2010)
+- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
+ ran into some issues with the GSSAPI tests in configure.ac. The tests first
+ try to determine the include dirs and libs and set CPPFLAGS and LIBS
+ accordingly. It then checks for the headers and finally sets LIBS a second
+ time, causing the libs to be included twice. The first setting of LIBS seems
+ redundant and should be left out, since the first part is otherwise just
+ about finding headers.
+
+ My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
+ useless and returns junk that, while it happens to work with gcc, causes
+ clang to choke. For example, --libs returns $CFLAGS along with the libs,
+ which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
+ -lresolv"' on Darwin is sufficient.
+
+- Based on patch provided by Jacob Moshenko, the transfer logic now properly
+ makes sure that when using sub-second timeouts, there's no final bad 1000ms
+ wait. Previously, a sub-second timeout would often make the elapsed time end
+ up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
+
+- Andrei Benea filed bug report #2956698 and pointed out that the
+ CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
+ call. He provided the patch to fix it too.
+
+ http://curl.haxx.se/bug/view.cgi?id=2956698
+
+- Markus Duft pointed out in bug #2961796 that even though Interix has a
+ poll() function it doesn't quite work the way we want it so we must disable
+ it, and he also provided a patch for it.
+
+ http://curl.haxx.se/bug/view.cgi?id=2961796
+
+- Made the pingpong timeout code properly deal with the response timeout AND
+ the global timeout if set. Also, as was reported in the bug report #2956437
+ by Ryan Chan, the time stamp to use as basis for the per command timeout was
+ not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
+ that just now. This was a regression compared to 7.19.7 due to the
+ conversion of FTP code over to the generic pingpong concepts.
+
+ http://curl.haxx.se/bug/view.cgi?id=2956437
+
+Daniel Stenberg (1 Mar 2010)
+- Ben Greear provided an update for TFTP that fixes upload.
+
+- Wesley Miaw reported bug #2958179 which identified a case of looping during
+ OpenSSL based SSL handshaking even though the multi interface was used and
+ there was no good reason for it.
+
+ http://curl.haxx.se/bug/view.cgi?id=2958179
+
+Daniel Stenberg (26 Feb 2010)
+- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
+ chunked-encoding trailer.
+
+ http://curl.haxx.se/bug/view.cgi?id=2958474
+
+Daniel Fandrich (25 Feb 2010)
+- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
+
+Yang Tse (25 Feb 2010)
+- I fixed bug report #2958074 indicating
+ (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
+ option --trace-time did not use local time when timestamping trace lines.
+ This could also happen on other systems depending on time souurce.
+
+Patrick Monnerat (22 Feb 2010)
+- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
+- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
+- Use of true local host name (i.e.: via gethostname()) when available, as
+ default argument to SMTP HELO/EHLO.
+- Test case 804 for HELO fallback.
+
+Daniel Stenberg (20 Feb 2010)
+- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
+ properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
+ get angle bracket wrapping automatically by libcurl unless the recipient
+ starts with an angle bracket as then the app is assumed to deal with that
+ properly on its own.
+
+- I made the SMTP code expect a 250 response back from the server after the
+ full DATA has been sent, and I modified the test SMTP server to also send
+ that response. As usual, the DONE operation that is made after a completed
+ transfer is still not doable in a non-blocking way so this waiting for 250
+ is unfortunately made blockingly.
+
+Yang Tse (14 Feb 2010)
+- Overhauled test suite getpart() function. Fixing potential out of bounds
+ stack and memory overwrites triggered with huge test case definitions.
+
+Daniel Stenberg (13 Feb 2010)
+- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
+
+ (http://curl.haxx.se/bug/view.cgi?id=2951319)
+
+- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2951269)
+
+Daniel Stenberg (12 Feb 2010)
+- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
+ in the same RCPT TO line, when they should be sent in separate single
+ commands. I updated test case 802 to verify this.
+
+- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
+ tool which made it try to output it as string for the --libcurl feature
+ which could lead to crashes.
+
+Yang Tse (11 Feb 2010)
+- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
+ removed obsolete batch_compile.com and defines.com and updated VMS readme.
+
+Version 7.20.0 (9 February 2010)
+
+Daniel Stenberg (9 Feb 2010)
+- When downloading compressed content over HTTP and the app asked libcurl to
+ automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
+ wrongly provide the callback with more data than the maximum documented
+ amount. An application could thus get tricked into badness if the maximum
+ limit was trusted to be enforced by libcurl itself (as it is documented).
+
+ This is further detailed and explained in the libcurl security advisory
+ 20100209 at
+
+ http://curl.haxx.se/docs/adv_20100209.html
+
+Daniel Fandrich (3 Feb 2010)
+- Changed the Watcom makefiles to make them easier to keep in sync with
+ Makefile.inc since that can't be included directly.
+
+Yang Tse (2 Feb 2010)
+- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
+ symbol will not be available when building with CURL_NO_OLDIES defined. Use
+ of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
+
+Daniel Stenberg (1 Feb 2010)
+- Using the multi_socket API, it turns out at times it seemed to "forget"
+ connections (which caused a hang). It turned out to be an existing (7.19.7)
+ bug in libcurl (that's been around for a long time) and it happened like
+ this:
+
+ The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
+ then set it to timeout in 1 millisecond so libcurl will tell the app about
+ it.
+
+ The app's timeout fires off that there's a timeout, the app calls libcurl as
+ we so often document it:
+
+ do {
+ res = curl_multi_socket_action(... TIMEOUT ...);
+ } while(CURLM_CALL_MULTI_PERFORM == res);
+
+ And this is the problem number one:
+
+ When curl_multi_socket_action() is called with no specific handle, but only
+ a timeout-action, it will *only* perform actions within libcurl that are
+ marked to run at this time. In this case, the request would go from INIT to
+ CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
+ again, there's no timer set for this handle so it remains in the CONNECT
+ state. The CONNECT state is a transitional state in libcurl so it reports no
+ sockets there, and thus libcurl never tells the app anything more about that
+ easy handle/connection.
+
+ libcurl _does_ set a 1ms timeout for the handle at the end of
+ multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
+ is instant the new job is not ready to run at that point (and there's no
+ code that makes libcurl call the app to update the timout for this new
+ timeout). It will simply rely on that some other timeout will trigger later
+ on or that something else will update the timeout callback. This makes the
+ bug fairly hard to repeat.
+
+ The fix made to adress this issue:
+
+ We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
+ simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
+ benefit that this goes in line with my long-term wishes to get rid of the
+ CURLM_CALL_MULTI_PERFORM all together from the public API.
+
+ The downside of this fix, is that the counter we return in 'running_handles'
+ in several of our public functions then gets a slightly new and possibly
+ confusing behavior during times:
+
+ If an app adds a handle that fails to connect (very quickly) it may just
+ as well never appear as a 'running_handle' with this fix. Previously it
+ would first bump the counter only to get it decreased again at next call.
+ Even I have used that change in handle counter to signal "end of a
+ transfer". The only *good* way to find the end of a individual transfer
+ is calling curl_multi_info_read() to see if it returns one.
+
+ Of course, if the app previously did the looping before it checked the
+ counter, it really shouldn't be any new effect.
+
+Yang Tse (26 Jan 2010)
+- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
+ relative to the asynchronous DNS lookups, along with with some integration
+ adjustments I have done are finally committed to CVS.
+
+ Currently these enhancements will benefit builds done using c-ares on any
+ platform as well as Windows builds using the default threaded resolver.
+
+ This release does not make generally available POSIX threaded DNS lookups
+ yet. There is no configure option to enable this feature yet. It is possible
+ to experimantally try this feature running configure with compiler flags that
+ make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
+ HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
+ are required to link and properly use pthread_* functions on each platform.
+
+Daniel Stenberg (26 Jan 2010)
+- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
+ proxy that cannot be resolved when using c-ares. This matches the behaviour
+ when not using c-ares.
+
+Björn Stenberg (23 Jan 2010)
+- Added a new flag: -J/--remote-header-name. This option tells the
+ -O/--remote-name option to use the server-specified Content-Disposition
+ filename instead of extracting a filename from the URL.
+
+Daniel Stenberg (21 Jan 2010)
+- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
+ libcurl options for controlling what to get and how to receive posssibly
+ interleaved RTP data.
+
+Daniel Stenberg (20 Jan 2010)
+- As was pointed out on the http-state mailing list, the order of cookies in a
+ HTTP Cookie: header _needs_ to be sorted on the path length in the cases
+ where two cookies using the same name are set more than once using
+ (overlapping) paths. Realizing this, identically named cookies must be
+ sorted correctly. But detecting only identically named cookies and take care
+ of them individually is harder than just to blindly and unconditionally sort
+ all cookies based on their path lengths. All major browsers also already do
+ this, so this makes our behavior one step closer to them in the cookie area.
+
+ Test case 8 was the only one that broke due to this change and I updated it
+ accordingly.
+
+Daniel Stenberg (19 Jan 2010)
+- David McCreedy brought a fix and a new test case (129) to make libcurl work
+ again when downloading files over FTP using ASCII and it turns out that the
+ final size of the file is not the same as the initial size the server
+ reported. This is very common since servers don't take the newline
+ conversions into account.
+
+Kamil Dudka (14 Jan 2010)
+- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
+ being properly detected under certain circumstances. It had been caused by
+ strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
+ distinguishes among empty and non-existent environment variable in that case.
+
+Daniel Stenberg (12 Jan 2010)
+- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
+ transfers: curl_multi_fdset() would return -1 and not set and file
+ descriptors several times during a transfer of a single file. It turned out
+ to be due to two different flaws now fixed. Gil's excellent recipe helped me
+ nail this.
+
+Daniel Stenberg (11 Jan 2010)
+- Made sure that the progress callback is repeatedly called at a regular
+ interval even during very slow connects.
+
+- The tests/runtests.pl script now checks to see if the test case that runs is
+ present in the tests/data/Makefile.am and outputs a notice message on the
+ screen if not. Each test file has to be included in that Makefile.am to get
+ included in release archives and forgetting to add files there is a common
+ mistake. This is an attempt to make it harder to forget.
+
+Daniel Stenberg (9 Jan 2010)
+- Johan van Selst found and fixed a OpenSSL session ref count leak:
+
+ ossl_connect_step3() increments an SSL session handle reference counter on
+ each call. When sessions are re-used this reference counter may be
+ incremented many times, but it will be decremented only once when done (by
+ Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
+ if this reference count remains positive. When a session is re-used the
+ reference counter should be corrected by explicitly calling
+ SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
+ introducing a memory leak.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2926284)
+
+Daniel Stenberg (7 Jan 2010)
+- Make sure the progress callback is called repeatedly even during very slow
+ name resolves when c-ares is used for resolving.
+
+Claes Jakobsson (6 Jan 2010)
+- Julien Chaffraix fixed so that the fragment part in an URL is not sent
+ to the server anymore.
+
+Kamil Dudka (3 Jan 2010)
+- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
+
+Daniel Stenberg (2 Jan 2010)
+- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
+ versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
+ control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
+ option names are still working but the new ones are the ones listed and
+ documented.
+
+Daniel Stenberg (1 Jan 2010)
+- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
+ command is a special "hack" used by the drftpd server, but even though it is
+ a custom extension I've deemed it fine to add to libcurl since this server
+ seems to survive and people keep using it and want libcurl to support
+ it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
+ usable from the curl tool with --ftp-pret. Using this option on a server
+ that doesn't support this command will make libcurl fail.
+
+ I added test cases 1107 and 1108 to verify the functionality.
+
+ The PRET command is documented at
+ http://www.drftpd.org/index.php/Distributed_PASV
+
+Yang Tse (30 Dec 2009)
+- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
+ with the patch and testing.
+
+Daniel Stenberg (26 Dec 2009)
+- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
+ headers work correctly even on FreeBSD systems before v8.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2916915)
+
+Daniel Stenberg (17 Dec 2009)
+- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
+ available.
+
+- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
+ was a bit too quick and broke test case 1101 with that change. The order of
+ some of the setups is sensitive. I now changed it slightly again to make
+ sure we do them in this order:
+
+ 1 - parse URL and figure out what protocol is used in the URL
+ 2 - prepend protocol:// to URL if missing
+ 3 - parse name+password off URL, which needs to know what protocol is used
+ (since only some allows for name+password in the URL)
+ 4 - figure out if a proxy should be used set by an option
+ 5 - if no proxy option, check proxy environment variables
+ 6 - run the protocol-specific setup function, which needs to have the proxy
+ already set
+
+Daniel Stenberg (15 Dec 2009)
+- Jon Nelson found a regression that turned out to be a flaw in how libcurl
+ detects and uses proxies based on the environment variables. If the proxy
+ was given as an explicit option it worked, but due to the setup order
+ mistake proxies would not be used fine for a few protocols when picked up
+ from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
+ test case 1106 that verifies this functionality.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2913886)
+
+Daniel Stenberg (12 Dec 2009)
+- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
+ and SMTPS) are now supported. The current state may not yet be solid, but
+ the foundation is in place and the test suite has some initial support for
+ these protocols. Work will now persue to make them nice libcurl citizens
+ until release.
+
+ The work with supporting these new protocols was sponsored by
+ networking4all.com - thanks!
+
+Daniel Stenberg (10 Dec 2009)
+- Siegfried Gyuricsko found out that the curl manual said --retry would retry
+ on FTP errors in the transient 5xx range. Transient FTP errors are in the
+ 4xx range. The code itself only tried on 5xx errors that occured _at login_.
+ Now the retry code retries on all FTP transfer failures that ended with a
+ 4xx response.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2911279)
+
+- Constantine Sapuntzakis figured out a case which would lead to libcurl
+ accessing alredy freed memory and thus crash when using HTTPS (with
+ OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
+ of cleaning things up. I fixed it.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2905220)
+
+Daniel Stenberg (7 Dec 2009)
+- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
+ with unknown size. Previously it was only used for posts with a known size
+ larger than 1024 bytes.
+
+Daniel Stenberg (1 Dec 2009)
+- If the Expect: 100-continue header has been set by the application through
+ curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
+ data->state.expect100header accordingly - the current code (in 7.19.7 at
+ least) doesn't handle this properly. Martin Storsjo provided the fix!
+
+Yang Tse (28 Nov 2009)
+- Added Diffie-Hellman parameters to several test harness certificate files in
+ PEM format. Required by several stunnel versions used by our test harness.
+
+Daniel Stenberg (28 Nov 2009)
+- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
+ rework patch that now integrates TFTP properly into libcurl so that it can
+ be used non-blocking with the multi interface and more. BLKSIZE also works.
+
+ The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
+ the command line.
+
+Daniel Stenberg (26 Nov 2009)
+- Extended and fixed the change I did on Dec 11 for the the progress
+ meter/callback during FTP command/response sequences. It turned out it was
+ really lame before and now the progress meter SHOULD get called at least
+ once per second.
+
+Daniel Stenberg (23 Nov 2009)
+- Bjorn Augustsson reported a bug which made curl not report any problems even
+ though it failed to write a very small download to disk (done in a single
+ fwrite call). It turned out to be because fwrite() returned success, but
+ there was insufficient error-checking for the fclose() call which tricked
+ curl to believe things were fine.
+
+Yang Tse (23 Nov 2009)
+- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
+ finer granularity control when generating src and lib makefiles.
+
+Yang Tse (22 Nov 2009)
+- I modified configure to force removal of the curlbuild.h file included in
+ distribution tarballs for use by non-configure systems. As intended, this
+ would get overwriten when doing in-tree builds. But VPATH builds would end
+ having two curlbuild.h files, one in the source tree and another in the
+ build tree. With the modification I introduced 5 Nov 2009 this could become
+ an issue when running libcurl's test suite.
+
+Daniel Stenberg (20 Nov 2009)
+- Constantine Sapuntzakis identified a write after close, as the sockets were
+ closed by libcurl before the SSL lib were shutdown and they may write to its
+ socket. Detected to at least happen with OpenSSL builds.
+
+- Jad Chamcham pointed out a bug with connection re-use. If a connection had
+ CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
+ same proxy with the tunnel option disabled would still wrongly re-use that
+ previous connection and the outcome would only be badness.
+
+Yang Tse (18 Nov 2009)
+- I modified the memory tracking system to make it intolerant with zero sized
+ malloc(), calloc() and realloc() function calls.
+
+Daniel Stenberg (17 Nov 2009)
+- Constantine Sapuntzakis provided another fix for the DNS cache that could
+ end up with entries that wouldn't time-out:
+
+ 1. Set up a first web server that redirects (307) to a http://server:port
+ that's down
+ 2. Have curl connect to the first web server using curl multi
+
+ After the curl_easy_cleanup call, there will be curl dns entries hanging
+ around with in_use != 0.
+
+ (http://curl.haxx.se/bug/view.cgi?id=2891591)
+
+- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
+ its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
+ bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
+ PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
+
+Kamil Dudka (15 Nov 2009)
+- David Byron improved the configure script to use pkg-config to find OpenSSL
+ (and in particular the list of required libraries) even if a path is given
+ as argument to --with-ssl
+
+Yang Tse (15 Nov 2009)
+- I removed enable-thread / disable-thread configure option. These were only
+ placebo options. The library is always built as thread safe as possible on
+ every system.
+
+Claes Jakobsson (14 Nov 2009)
+- curl-config now accepts '--configure' to see what arguments was
+ passed to the configure script when building curl.
+
+Daniel Stenberg (14 Nov 2009)
+- Claes Jakobsson restored the configure functionality to detect NSS when
+ --with-nss is set but not "yes".
+
+ I think we can still improve that to check for pkg-config in that path etc,
+ but at least this patch brings back the same functionality we had before.
+
+- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
+ the client certificate. It also disable the key name test as some engines
+ can select a private key/cert automatically (When there is only one key
+ and/or certificate on the hardware device used by the engine)
+
+Yang Tse (14 Nov 2009)
+- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
+ won't be reused unless protection level for peer and host verification match.
+
+ I refactored how preprocessor symbol _THREAD_SAFE definition is done.
+
+Kamil Dudka (12 Nov 2009)
+- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
+ closed NSPR descriptor. The issue was hard to find, reported several times
+ before and always closed unresolved. More info at the RH bug:
+ https://bugzilla.redhat.com/534176
+
+- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
+ a broken TLS server. However it does not happen if SSL version is selected
+ manually. The approach was originally taken from PSM. Kaspar Brand helped me
+ to complete the patch. Original bug reports:
+ https://bugzilla.redhat.com/525496
+ https://bugzilla.redhat.com/527771
+
+Yang Tse (12 Nov 2009)
+- I modified configure script to make the getaddrinfo function check also
+ verify if the function is thread safe.
+
+Yang Tse (11 Nov 2009)
+- Marco Maggi reported that compilation failed when configured --with-gssapi
+ and GNU GSS installed due to a missing mutual exclusion of header files in
+ the Kerberos 5 code path. He also verified that my patch worked for him.
+
+Daniel Stenberg (11 Nov 2009)
+- Constantine Sapuntzakis posted bug #2891595
+ (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
+ in the DNS cache would linger too long if the request that added it was in
+ use that long. He also provided the patch that now makes libcurl capable of
+ still doing a request while the DNS hash entry may get timed out.
+
+- Christian Schmitz noticed that the progress meter/callback was not properly
+ used during the FTP connection phase (after the actual TCP connect), while
+ it of course should be. I also made the speed check get called correctly so
+ that really slow servers will trigger that properly too.
+
+Kamil Dudka (5 Nov 2009)
+- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
+ in non-blocking mode.
+
+Yang Tse (5 Nov 2009)
+- I removed leading 'curl' path on the 'curlbuild.h' include statement in
+ curl.h, adjusting auto-makefiles include path, to enhance portability to
+ OS's without an orthogonal directory tree structure such as OS/400.
+
+Daniel Stenberg (4 Nov 2009)
+- I fixed several problems with the transfer progress meter. It showed the
+ wrong percentage for small files, most notable for <1000 bytes and could
+ easily end up showing more than 100% at the end. It also didn't show any
+ percentage, transfer size or estimated transfer times when transferring
+ less than 100 bytes.
+
+Version 7.19.7 (4 November 2009)
+
+Daniel Stenberg (2 Nov 2009)
+- As reported independent by both Stan van de Burgt and Didier Brisebourg,
+ CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when
+ getting data from ldap!
+
+Daniel Stenberg (31 Oct 2009)
+- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the
+ download was 0 bytes, as libcurl would then return the size as unknown (-1)
+ and not 0. I wrote a fix and test case 566 to verify it.
+
+Daniel Stenberg (30 Oct 2009)
+- Liza Alenchery mentioned a problem with re-used SCP connection when a bad
+ auth is used, as it caused a crash. I failed to repeat the issue, but still
+ made a change that now forces the TCP connection used for a freed SCP
+ session to get closed and not be re-used.
+
+- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a
+ POST using a read callback, with Digest authentication and
+ "Transfer-Encoding: chunked" enforced. I would then cause the first request
+ to be wrongly sent and then basically hang until the server closed the
+ connection. I fixed the problem and added test case 565 to verify it.
+
+Daniel Stenberg (25 Oct 2009)
+- Dima Barsky made the curl cookie parser accept cookies even with blank or
+ unparsable expiry dates and then treat them as session cookies - previously
+ libcurl would reject cookies with a date format it couldn't parse. Research
+ shows that the major browser treat such cookies as session cookies. I
+ modified test 8 and 31 to verify this.
+
+Daniel Stenberg (21 Oct 2009)
+- Attempt to use pkg-config for finding out libssh2 installation details
+ during configure.
+
+- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177)
+ by Johan van Selst introduced the --crlfile option to curl, which makes curl
+ tell libcurl about a file with CRL (certificate revocation list) data to
+ read.
+
+Daniel Stenberg (18 Oct 2009)
+- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461)
+ that now makes curl_getdate(3) actually handles RFC 822 formatted dates that
+ use the "single letter military timezones".
+ http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details.
+
+- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
+ data!
+
+- John Dennis filed bug report #2873666
+ (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
+ which made libcurl loop infinitely when given incorrect credentials when
+ using HTTP GSS negotiate authentication. He also provided a small and simple
+ patch for it.
+
+- Kevin Baughman found a double close() problem with libcurl-NSS, as when
+ libcurl called NSS to close the SSL "session" it also closed the actual
+ socket.
+
+Yang Tse (17 Oct 2009)
+- Bug report #2866724 indicated
+ (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed
+ when writing files whose file names originally contained characters which
+ are not valid for file names on Windows. Dan Fandrich provided an initial
+ patch and another revised one to fix this issue.
+
+Daniel Stenberg (1 Oct 2009)
+- Tom Mueller correctly reported in bug report #2870221
+ (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an
+ incorrect return code from the internal trynextip() function which caused
+ him grief. This is a regression that was introduced in 7.19.1 and I find it
+ strange it hasn't hit us harder, but I won't persue into figuring out
+ exactly why.
+
+- Constantine Sapuntzakis: The current implementation will always set
+ SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The
+ patch doesn't do a setsockopt if SO_SNDBUF is already greater than
+ CURL_WRITE_SIZE. This should help folks who have set up their computer with
+ large send buffers.
+
+Daniel Stenberg (27 Sep 2009)
+- I introduced a maximum limit for received HTTP headers. It is controlled by
+ the define CURL_MAX_HTTP_HEADER which is even exposed in the public header
+ file to allow for users to fairly easy rebuild libcurl with a modified
+ limit. The rationale for a fixed limit is that libcurl is realloc()ing a
+ buffer to be able to put a full header into it, so that it can call the
+ header callback with the entire header, but that also risk getting it into
+ trouble if a server by mistake or willingly sends a header that is more or
+ less without an end. The limit is set to 100K.
+
+Daniel Stenberg (26 Sep 2009)
+- John P. McCaskey posted a bug report that showed how libcurl did wrong when
+ saving received cookies with no given path, if the path in the request had a
+ query part. That is means a question mark (?) and characters on the right
+ side of that. I wrote test case 1105 and fixed this problem.
+
+Kamil Dudka (26 Sep 2009)
+- Implemented a protocol independent way to specify blocking direction, used by
+ transfer.c for blocking. It is currently used only by SCP and SFTP protocols.
+ This enhancement resolves an issue with 100% CPU usage during SFTP upload,
+ reported by Vourhey.
+
+Daniel Stenberg (25 Sep 2009)
+- Chris Mumford filed bug report #2861587
+ (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
+ the OpenSSL function X509_load_crl_file() wrongly and failed if it would
+ load a CRL file with more than one certificate within. This is now fixed.
+
+Daniel Stenberg (16 Sep 2009)
+- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
+ powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
+ field in the certficate it had to match and so even if non-DNS and non-IP
+ entry was present it caused the verification to fail.
+
+Daniel Fandrich (15 Sep 2009)
+- Moved the libssh2 checks after the SSL library checks. This helps when
+ statically linking since libssh2 needs the SSL library link flags to be
+ set up already to satisfy its dependencies. This wouldn't be necessary if
+ the libssh2 configure check was changed to use pkg-config since the
+ --static flag would add the dependencies automatically.
+
+Yang Tse (14 Sep 2009)
+- Revert Joshua Kwan's patch committed 11 Sep 2009.
+
+ Some systems poll function sets POLLHUP in revents without setting
+ POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some
+ libcurl code execution paths this could trigger busy wait loops with
+ high CPU usage until a timeout condition aborted the loop.
+
+ The reverted patch addressed the above issue for a very specific case,
+ when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now
+ superceeds this one.
+
+Guenter Knauf (11 Sep 2009)
+- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares.
+ This fixes a loop problem with high CPU usage.
+
+Daniel Stenberg (10 Sep 2009)
+- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch
+ start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0
+ which internally then is treated as a session cookie. That particular date
+ is now made to get the value of 1.
+
+Daniel Stenberg (2 Sep 2009)
+- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl
+ errors.
+
+Daniel Stenberg (1 Sep 2009)
+- Peter Sylvester made a debug feature for Curl_resolv() that now will force
+ libcurl to resolve 'localhost' whatever name you use in the URL *if* you set
+ the --interface option to (exactly) "LocalHost". This will enable us to
+ write tests for custom hosts names but still use a local host server.
+
+- configure now tries to use pkg-config for a number of sub-dependencies even
+ when cross-compiling. The key to success is then you properly setup
+ PKG_CONFIG_PATH before invoking configure.
+
+ I also improved how NSS is detected by trying nss-config if pkg-config isn't
+ present, and as a last resort just use the lib name and force the user to
+ setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would
+ add a range of various libs that would almost never be quite correct.
+
+Daniel Stenberg (31 Aug 2009)
+- When using the multi interface with FTP and you asked for NOBODY, you did no
+ QUOTE commands and the request used the same path as the connection had
+ already changed to, it would decide that no commands would be necessary for
+ the "DO" action and that was not handled properly but libcurl would instead
+ hang.
+
+Kamil Dudka (28 Aug 2009)
+- Improved error message for not matching certificate subject name in
+ libcurl-NSS. Originally reported at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
+
+Patrick Monnerat (24 Aug 2009)
+- Introduced a SYST-based test to properly set-up name format when dealing
+ with the OS/400 FTP server.
+
+- Fixed an ftp_readresp() bug preventing detection of failing control socket
+ and causing FTP client to loop forever.
+
+Daniel Stenberg (24 Aug 2009)
+- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work
+ properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
+
+- Eric Wong introduced support for the new option -T. (dot) that makes curl
+ read stdin in a non-blocking fashion. This also brings back -T- (minus) to
+ the previous blocking behavior since it could break stuff for people at
+ times.
+
+Michal Marek (21 Aug 2009)
+- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like
+ ftp://example.com;type=i if the user specified ftp://example.com without the
+ slash.
+
+Daniel Stenberg (21 Aug 2009)
+- Andre Guibert de Bruet pointed out a missing return code check for a
+ strdup() that could lead to segfault if it returned NULL. I extended his
+ suggest patch to now have Curl_retry_request() return a regular return code
+ and better check that.
+
+- Lots of good work by Krister Johansen, mostly related to pipelining:
+
+ Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks
+ Fix data corruption issue with re-connected transfers
+ Fix use after free if we're completed but easy_conn not NULL
+
+Kamil Dudka (13 Aug 2009)
+- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
+ verbose error messages. Originally reported at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=516056
+
+Daniel Stenberg (12 Aug 2009)
+- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
+ nonblock.c so that they work fine again
+
+- I expanded test 517 with a bunch of more dates that originate from the
+ Chrome browser test suite. It turns out most of them get parsed the same
+ way.
+
+Version 7.19.6 (12 August 2009)
+
+Daniel Stenberg (12 Aug 2009)
+- Carsten Lange reported a bug and provided a patch for TFTP upload and the
+ sending of the TSIZE option. I don't like fixing bugs just hours before
+ a release, but since it was broken and the patch fixes this for him I decided
+ to get it in anyway.
+
+Daniel Stenberg (11 Aug 2009)
+- Peter Sylvester made the HTTPS test server use specific certificates for
+ each test, so that the test suite can now be used to actually test the
+ verification of cert names etc. This made an error show up in the OpenSSL-
+ specific code where it would attempt to match the CN field even if a
+ subjectAltName exists that doesn't match. This is now fixed and verified
+ in test 311.
+
+- Benbuck Nason posted the bug report #2835196
+ (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
+ warnings when mixing ints and bools.
+
+Daniel Fandrich (10 Aug 2009)
+- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
+
+Daniel Fandrich (9 Aug 2009)
+- Fixed some memory leaks in the command-line tool that caused most of the
+ torture tests to fail.
+
+Daniel Stenberg (2 Aug 2009)
+- Curt Bogmine reported a problem with SNI enabled on a particular server. We
+ should introduce an option to disable SNI, but as we're in feature freeze
+ now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
+ shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
+ Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
+ option for SNI, or are we simply not using it?
+
+Daniel Stenberg (1 Aug 2009)
+- Scott Cantor posted the bug report #2829955
+ (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
+ verification flaw found and exploited by Moxie Marlinspike. The presentation
+ he did at Black Hat is available here:
+ https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
+
+ Apparently at least one CA allowed a subjectAltName or CN that contain a
+ zero byte, and thus clients that assumed they would never have zero bytes
+ were exploited to OK a certificate that didn't actually match the site. Like
+ if the name in the cert was "example.com\0theatualsite.com", libcurl would
+ happily verify that cert for example.com.
+
+ libcurl now better uses the length of the extracted name, not using the zero
+ termination for getting the string length.
+
+ This fixing only made and needed in OpenSSL interfacing code.
+
+- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
+ only in some OpenSSL installs - like on Windows) isn't thread-safe and we
+ agreed that moving it to the global_init() function is a decent way to deal
+ with this situation.
+
+- Alexander Beedie provided the patch for a noproxy problem: If I have set
+ CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
+ could still end up using a proxy if a proxy environment variable was set.
+
+Daniel Stenberg (27 Jul 2009)
+- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
+ CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
+ send when using FTP, as a sign that libcurl shall simply ignore the response
+ from the server instead of treating it as an error. Not treating a 400+ FTP
+ response code as an error means that failed commands will not abort the
+ chain of commands, nor will they cause the connection to get disconnected.
+
+Daniel Stenberg (26 Jul 2009)
+- Johan van Selst posted bug report #2825989
+ (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
+ OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
+ provided the solution too: to use OpenSSL_add_all_algorithms() in addition
+ to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
+ OpenSSL 0.9.5
+
+Daniel Stenberg (23 Jul 2009)
+- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
+ They introduce known_host support for SSH keys to libcurl. See docs for
+ details. Note that this feature depends on a new enough libssh2 version, to
+ be supported in libssh2 1.2 and later (or current git repo at this time).
+
+Michal Marek (22 Jul 2009)
+- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
+ (https://bugzilla.novell.com/523919). When looking at the code, I found that
+ also the ptr pointer can leak.
+
+Kamil Dudka (20 Jul 2009)
+- Claes Jakobsson improved the support for client certificates handling in
+ NSS-powered libcurl. Now the client certificates can be selected
+ automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
+ slots is no more performed. It used to cause problems with HW tokens.
+
+- Fixed reference counting for NSS client certificates. Now the PEM reader
+ module should be always properly unloaded on Curl_nss_cleanup(). If the
+ unload fails though, libcurl will try to reuse the already loaded instance.
+
+Daniel Fandrich (15 Jul 2009)
+- Added nonblock.c to the non-automake makefiles (note that the dependencies
+ in the Watcom makefiles aren't quite correct).
+
+Michal Marek (15 Jul 2009)
+- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
+ errno is not reset on success.
+
+Guenter Knauf (14 Jul 2009)
+- renamed generated config.h to curl_config.h to avoid any future clashes
+ with config.h from other projects.
+
+Daniel Stenberg (9 Jul 2009)
+- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
+ setting a file descriptor non-blocking. Used by the functionality Eric
+ himself brough on June 15th.
+
+Daniel Stenberg (8 Jul 2009)
+- Constantine Sapuntzakis posted bug report #2813123
+ (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
+ problem:
+
+ Url A is accessed using auth. Url A redirects to Url B (on a different
+ server0. Url B reuses a persistent connection. Url B has auth, even though
+ it's on a different server.
+
+ Note: if Url B does not reuse a persistent connection, auth is not sent.
+
+ reason:
+
+ data->state.first_host is not initialized becuase Curl_http_connect is not
+ called when a connection is reused.
+
+ Solution:
+
+ move initialization of data->state.first_host to Curl_http. No code before
+ Curl_http uses data->state.first_host anyway.
+
+Guenter Knauf (4 Jul 2009)
+- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
+ couple of both IPv4 and IPv6 autobuilds.
+
+Daniel Stenberg (29 Jun 2009)
+- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
+ range if given colon-separated after the host name/address part. Like
+ "192.168.0.1:2000-10000"
+
+- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
+ don't know how they got wrong in the first place, but using this output
+ format makes it possible to quite easily separate the string into an array
+ of multiple items.
+
+Daniel Fandrich (16 June 2009)
+- Added a few more compiler warning options for gcc.
+
+Daniel Stenberg (16 Jun 2009)
+- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
+ (no newline translations). Use -B/--use-ascii if you rather get the ascii
+ approach.
+
+Michal Marek (16 Jun 2009)
+- When doing non-anonymous ftp via http proxies and the password is not
+ provided in the url, add it there (squid needs this).
+
+Daniel Stenberg (15 Jun 2009)
+- Eric Wong's patch:
+
+ This allows curl(1) to be used as a client-side tunnel for arbitrary stream
+ protocols by abusing chunked transfer encoding in both the HTTP request and
+ HTTP response. This requires server support for sending a response while a
+ request is still being read, of course.
+
+ If attempting to read from stdin returns EAGAIN, then we pause our sender.
+ This leaves curl to attempt to read from the socket while reading from stdin
+ (and thus sending) is paused.
+
+ This change was needed to allow successfully tunneling the git protocol over
+ HTTP (--no-buffer is needed, as well).
+
+Patrick Monnerat (15 Jun 2009)
+- Replaced use of standard C library rand()/srand() by our own pseudo-random
+ number generator.
+
+Yang Tse (11 Jun 2009)
+- I adapted testcurl script to allow building test harness programs when
+ cross-compiling for a *-*-mingw* host.
+
+Daniel Stenberg (10 Jun 2009)
+- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
+ contributed a range of patches to fix them.
+
+Yang Tse (10 Jun 2009)
+- I introduced configure script option --enable-curldebug which now allows
+ the decoupled enabling or disabling of the curl debug memory tracking
+ feature from the --enable-debug option which no longer controls this.
+
+ curl --version will list 'Debug' feature for debug enabled builds, and
+ will list 'TrackMemory' feature for curl debug memory tracking capable
+ builds. These features are independent and can be controlled when running
+ the configure script. When --enable-debug is given both features will be
+ enabled, unless some restriction prevents memory tracking from being used.
+
+ Internally, definition of preprocessor symbol DEBUGBUILD restricts code
+ which is only compiled for debug enabled builds. And symbol CURLDEBUG is
+ used to differentiate code which is _only_ used for memory tracking.
+
+Yang Tse (9 Jun 2009)
+- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
+ initializing the fread callback pointer and this triggered a compiler
+ warning, also provided a friendly suggestion on how to fix it.
+
+Daniel Stenberg (8 Jun 2009)
+- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
+ issue with client certs that caused issues like segfaults.
+ http://curl.haxx.se/mail/lib-2009-05/0316.html
+
+- Triggered by bug report #2798852 and the patch in there, I fixed configure
+ to detect gnutls build options with pkg-config only and not libgnutls-config
+ anymore since GnuTLS has stopped distributing that tool. If an explicit path
+ is given to configure, we will instead guess on how to link and use that
+ lib. I did not use the patch from the bug report.
+
+Yang Tse (8 Jun 2009)
+- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
+ included from Makefile.inc, and provided docs\INSTALL VxWorks section.
+
+- I removed buildconf.bat from release and daily snapshot archives. This
+ file is only for CVS tree checkout builds.
+
+Daniel Stenberg (8 Jun 2009)
+- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
+ broken since 7.19.0
+
+Bill Hoffman (6 Jun 2009)
+- Added some cmake docs and fixed socklen_t in the build.
+
+Yang Tse (5 Jun 2009)
+- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
+ in urlglob.c where it was not converting the Curl Unix exit code to a VMS
+ DCL compatible exit code. This fix required the enhancement described next.
+ This also adds an enhancement to main.c so that when curl is run under a
+ Unix shell like Bash on VMS, it will return the standard Unix exit codes
+ and messages." And another patch for docs/examples.
+
+ I introduced os-specific.c and os-specific.h for use in curl tool code
+ and adjusted John E. Malmberg's patch placement to use these new files
+ as an effort to prevent main.c from growing ad infinitum. Code already
+ existing in main.c which is OS specific should be moved into these files.
+
+Daniel Stenberg (4 June 2009)
+- Setting the Content-Length: header from your app when you do a POST or PUT
+ is almost always a VERY BAD IDEA. Yet there are still apps out there doing
+ this, and now recently it triggered a bug/side-effect in libcurl as when
+ libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
+ knows it will just get a 401/407 back. If the app then replaced the
+ Content-Length header, it caused the server to wait for input that libcurl
+ wouldn't send. Aaron Oneal reported this problem in bug report #2799008
+ (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
+
+Yang Tse (4 Jun 2009)
+- Igor Novoseltsev provided patches and information, that after some
+ adjustments to better fit curl's way of doing things, have resulted
+ in the posibility of building libcurl for VxWorks.
+
+Daniel Fandrich (2 June 2009)
+- Checked in a Google Android make file. To use it, you must first
+ create a config.h file by running configure in the Android environment,
+ which doesn't seem to be easy to do. If no easy way can be found, a
+ static config-android.h may need to be created and checked in to the
+ libcurl source tree.
+
+Daniel Stenberg (1 June 2009)
+- Claes Jakobsson fixed the configure script to better find and use NSS
+ without pkg-config.
+
+Yang Tse (1 Jun 2009)
+- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
+ out that the configure script was failing to detect the timeval struct on
+ VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
+ taking place in socket.h instead of time.h. I have adjusted configure
+ script to also include this header when checking struct timeval.
+
+Daniel Stenberg (27 May 2009)
+- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
+ fine with Nokia 5th edition 1.0 SDK for Symbian.
+
+- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
+ for a failure properly.
+
+- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
+ the auth credentials back in 7.19.0 and earlier while now you have to set ""
+ to get the same effect. His patch brings back the ability to use NULL.
+
+- Claes Jakobsson fixed libcurl-NSS to build fine even without the
+ PK11_CreateGenericObject() function.
+
+Daniel Stenberg (25 May 2009)
+- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
+ out that the cookie parser would leak memory when it parses cookies that are
+ received with domain, path etc set multiple times in the same header. While
+ such a cookie is questionable, they occur in the wild and libcurl no longer
+ leaks memory for them. I added such a header to test case 8.
+
+Daniel Fandrich (22 May 2009)
+- Removed some obsolete digest code that caused a valgrind error in test 551.
+
+Daniel Fandrich (20 May 2009)
+- Added "non-existing host" test keywords to make it easy to skip those
+ tests on machines that have broken DNS configurations (such as
+ those configured to use OpenDNS).
+
+Daniel Stenberg (19 May 2009)
+- Kamil Dudka brought the patch from the Redhat bug entry
+ https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
+ a bad file descriptor when closing down the FTP data connection. Caolan
+ McNamara seems to be the original author of it.
+
+Version 7.19.5 (18 May 2009)
+
+Daniel Stenberg (17 May 2009)
+- James Bursa posted a patch to the mailing list that fixed a problem with
+ no_proxy which made it not skip the proxy if the URL entered contained a
+ user name. I added test case 1101 to verify.
+
+Daniel Stenberg (11 May 2009)
+- Balint Szilakszi reported a memory leak when libcurl did gzip decompression
+ of streams that had some parts (legitimately) missing. We now provide and use
+ a proper cleanup function for the content encoding submodule.
+ http://curl.haxx.se/mail/lib-2009-05/0092.html
+
+- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth
+ at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12
+
+ If an incorrect password is given while loading a private key, libcurl ends
+ up in an infinite loop consuming memory. The bug is critical.
+
+- I fixed the problem with doing NTLM, POST and then following a 302 redirect,
+ as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on
+ curl-library). The transfer was mistakenly marked to get more data to send
+ but since it didn't actually have that, it just hung there...
+
+Daniel Stenberg (10 May 2009)
+- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
+ byte in the digest code.
+
+Yang Tse (9 May 2009)
+- Removed DOS and TPF package's subdirectory Makefile.am, it was only used
+ to include some files in the distribution tarball serving no other purpose.
+ Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST
+ of the Makefile in the parent subdirectory.
+
+Yang Tse (8 May 2009)
+- Changed host name literal in several tests to one under the haxx.se domain.
+
+- Renamed vc6 workspace and project files to avoid filename clash when used
+ for conversion to later VS versions.
+
+Daniel Stenberg (8 May 2009)
+- Constantine Sapuntzakis fixed bug report #2784055
+ (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to
+ connect to SOCKS proxies when using the multi interface. It turned out to
+ almost not work at all previously. We need to wait for the TCP connect to
+ be properly verified before doing the SOCKS magic.
+
+ There's still a flaw in the FTP code for this.
+
+Daniel Stenberg (7 May 2009)
+- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as
+ well. See change 28 Apr 2009.
+
+Yang Tse (7 May 2009)
+- Fixed an issue affecting FTP transfers, introduced with the transfer.c
+ patch committed May 4.
+
+Daniel Stenberg (7 May 2009)
+- Man page *roff problems fixed thanks to input from Colin Watson. Problems
+ reported in the Debian package.
+
+- Vijay G filed bug report #2723236
+ (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
+ libcurl's TFTP code and its lack of dealing with the OACK packet.
+
+Yang Tse (5 May 2009)
+- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
+ reverted the change affecting test suite harness committed 4 May.
+
+Daniel Stenberg (5 May 2009)
+- Inspired by Michael Smith's session id fix for OpenSSL, I did the
+ corresponding fix in the GnuTLS code: make sure to store the new session id
+ in case the previous re-used one is rejected.
+
+Daniel Stenberg (4 May 2009)
+- Michael Smith posted bug report #2786255
+ (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
+ libcurl did not deal with SSL session ids properly if the server rejected a
+ re-use of one. Starting now, it will forget the rejected one and remember
+ the new. This change was for OpenSSL only, it is likely that other SSL lib
+ code needs similar fixes.
+
+Yang Tse (4 May 2009)
+- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
+ non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
+ 1) On non-ASCII platforms not all of the protocol portions of the PUT are
+ being translated to ASCII. 2) On all platforms the line endings of part of
+ the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or
+ data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV).
+
+- Applied David McCreedy's patch to fix test suite harness to allow test FTP
+ server and client on different machines, providing FTP client address when
+ running the FTP test server.
+
+Daniel Fandrich (3 May 2009)
+- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug
+ report failed to mention that a proxy must be used to reproduce it.
+
+Yang Tse (2 May 2009)
+- Use a build-time configured curl_socklen_t data type instead of socklen_t.
+
+Yang Tse (1 May 2009)
+- Applied David McCreedy's patches "TPF-platform specific changes to various
+ files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the
+ former with minor edits.
+
+Daniel Stenberg (30 Apr 2009)
+- I was going to fix issue #59 in KNOWN_BUGS
+
+ If the CURLOPT_PORT option is used on an FTP URL like
+ "ftp://example.com/file;type=A" the ";type=A" is stripped off.
+
+ I added test case 562 to verify, only to find out that I couldn't repeat
+ this bug so I hereby consider it not a bug anymore!
+
+Daniel Stenberg (29 Apr 2009)
+- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219)
+ I've now made TFTP "connections" not being kept for re-use within libcurl.
+ TFTP is UDP-based so the benefit was really low (if even existing) to begin
+ with so instead of tracking down to fix this problem we instead removed the
+ re-use. I also enabled test case 1099 that I wrote a few days ago to verify
+ that this change fixes the reported problem.
+
+Daniel Stenberg (28 Apr 2009)
+- Constantine Sapuntzakis filed bug report #2783090
+ (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows
+ we need to grow the SO_SNDBUF buffer somewhat to get really good upload
+ speeds. http://support.microsoft.com/kb/823764 has the details. Friends
+ confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough.
+
+- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim
+ Chen pointed out how curl couldn't upload with resume when reading from a
+ pipe.
+
+ This ended up with the introduction of a new return code for the
+ CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but
+ that libcurl may try to resolve the situation anyway. In our case this means
+ libcurl will attempt to instead read that much data from the stream instead
+ of seeking and that way curl can now upload with resume when data is read
+ from a stream!
+
+Daniel Stenberg (26 Apr 2009)
+- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven
+ Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi
+ interface and provided a patch that fixed the problem!
+
+Daniel Stenberg (24 Apr 2009)
+- Kamil Dudka fixed another NSS-related leak when client certs were used.
+
+- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
+ Koenig pointed out that the man page didn't tell that the *_proxy
+ environment variables can be specified lower case or UPPER CASE and the
+ lower case takes precedence,
+
+Daniel Fandrich (21 Apr 2009)
+- Added new libcurl source files to Amiga, RiscOS and VC6 build files.
+
+Yang Tse (21 Apr 2009)
+- Moved potential inclusion of system's malloc.h and memory.h header files to
+ setup_once.h. Inclusion of each header file is based on the definition of
+ NEED_MALLOC_H and NEED_MEMORY_H respectively.
+
+ Renamed libcurl's memory.h to curl_memory.h
+
+Daniel Stenberg (20 Apr 2009)
+- Leanic Lefever reported a crash and did some detailed research on why and
+ how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The
+ conclusion was that if an error is detected and Curl_done() is called for
+ the connection, ftp_done() could at times return another error code that
+ then would take precedence and that new code confused existing logic that
+ works for the first error code (CURLE_SEND_ERROR) only.
+
+- Gisle Vanem noticed that --libtool would produce bogus strings at times for
+ OBJECTPOINT options. Now we've introduced a new function - my_setopt_str -
+ within the app for setting plain string options to avoid the risk of this
+ mistake happening.
+
+Daniel Stenberg (17 Apr 2009)
+- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP
+ proxy. libcurl would then wrongly close the connection after each
+ request. In his case it had the weird side-effect that it killed NTLM auth
+ for the proxy causing an inifinite loop!
+
+ I added test case 1098 to verify this fix. The test case does however not
+ properly verify that the transfers are done persistently - as I couldn't
+ think of a clever way to achieve it right now - but you need to read the
+ stderr output after a test run to see that it truly did the right thing.
+
+Daniel Stenberg (13 Apr 2009)
+- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin
+ Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright
+ confusing as it set the method to either GET or HEAD. The example he showed
+ looked like:
+
+ curl_easy_setopt(curl, CURLOPT_PUT, 1);
+ curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
+
+ The new way doesn't alter the method until the request is about to start. If
+ CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is
+ 0 and the request happens to have been set to HEAD, it will then instead be
+ set to GET. I believe this will be less surprising to users, and hopefully
+ not hit any existing users badly.
+
+- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned
+ out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue
+ is found in Redhat's bug tracker:
+ https://bugzilla.redhat.com/show_bug.cgi?id=453612
+
+ There are still memory leaks present, but they seem to have other reasons.
+
+Daniel Fandrich (11 Apr 2009)
+- Added new libcurl source files to Symbian OS build files.
+- Improved Symbian support for SSL.
+
+Yang Tse (10 Apr 2009)
+- Daniel Johnson improved the MacOSX-Framework shell script to now perform all
+ the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64
+ libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later.
+
+Yang Tse (8 Apr 2009)
+- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also
+ removes it from the curlbuild.h file originally distributed by the cURL
+ project as this file is intended for systems not capable of running the
+ configure script. For those who have been building curl out of the source
+ code curl distribution tarball provided by curl.haxx.se the change implies
+ nothing. Previous change in this area committed 2 Apr becomes irrelevant.
+
+Daniel Stenberg (6 Apr 2009)
+- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success
+ and 1 on fatal errors. Previously it only mentioned non-zero on fatal
+ errors. This is a slight change in meaning, but it follows what we've done
+ elsewhere before and it opens up for LOTS of more useful return codes
+ whenever we can think of them...
+
+Yang Tse (2 Apr 2009)
+- Fix curl_off_t definition for builds done using Sun compilers and a
+ non-configured libcurl. In this case curl_off_t data type was gated
+ to the off_t data type which depends on the _FILE_OFFSET_BITS. This
+ configuration is exactly the unwanted configuration for our curl_off_t
+ data type which must not depend on such setting. This breaks ABI for
+ libcurl libraries built with Sun compilers which were built without
+ having run the configure script with _FILE_OFFSET_BITS different than
+ 64 and using the ILP32 data model.
+
+Daniel Stenberg (1 Apr 2009)
+- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a
+ strdup() call failed.
+
+Daniel Fandrich (31 Mar 2009)
+- Properly return an error code in curl_easy_recv (reported by Jim Freeman).
+
+Daniel Stenberg (18 Mar 2009)
+- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
+ NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
+ explicitly.
+
+Daniel Stenberg (13 Mar 2009)
+- Use libssh2_version() to present the libssh2 version in case the libssh2
+ library is found to support it.
+
+Yang Tse (12 Mar 2009)
+- Added missing Curl_read() return code checking in TELNET transfers.
+
+- Pierre Brico found and fixed TELNET transfers not being aborted upon
+ a write callback failure.
+
+Daniel Stenberg (11 Mar 2009)
+- Kamil Dudka made the curl tool properly call curl_global_init() before any
+ other libcurl function.
+
+Yang Tse (11 Mar 2009)
+- Added missing TELNET timeout support for Windows builds. This issue was
+ reported by Pierre Brico.
+
+Daniel Stenberg (9 Mar 2009)
+- Frank Hempel found out a bug and provided the fix:
+
+ curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE
+ option. It only enabled the cookie engine in the destination handle if
+ data->cookies is not NULL (where data is the source handle). In case of a
+ newly initialized handle which just had the cookie support enabled by a
+ curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was
+ still NULL because the setopt-call only appends the value to
+ data->change.cookielist, hence duplicating this handle would not have the
+ cookie engine switched on.
+
+ We also concluded that the slist-functionality would be suitable for being
+ put in its own module rather than simply hanging out in lib/sendf.c so I
+ created lib/slist.[ch] for them.
+
+- Andreas Farber made the 'buildconf' script check for the presence of m4
+ scripts to make it detect a bad checkout earlier. People with older
+ checkouts who don't do cvs update with the -d option won't get the new dirs
+ and then will get funny outputs that can be a bit hard to understand and
+ fix.
+
+Daniel Stenberg (8 Mar 2009)
+- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the
+ allocation of the memory BIO was not being properly checked.
+
+- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places
+ in the gnutls code where we were checking for negative values for errors,
+ when the man pages state that GNUTLS_E_SUCCESS is returned on success and
+ other values indicate error conditions.
+
+- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that
+ curl didn't use sprintf() in a way that is documented to work in POSIX but
+ since we use our own printf() code (from libcurl) that shouldn't be a
+ problem. Nonetheless I modified the code to not rely on such particular
+ features and to not cause further raised eyebrowse with no good reason.
+
+Daniel Fandrich (5 Mar 2009)
+- Expanded the security section of the libcurl-tutorial man page to cover
+ more issues for authors to consider when writing robust libcurl-using
+ applications.
+
+Yang Tse (5 Mar 2009)
+- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This
+ issue was noticed by Chris Deidun.
+
+Daniel Fandrich (4 Mar 2009)
+- Fixed a problem with m4 quoting in the OpenSSL configure check reported
+ by Daniel Johnson.
+
+Daniel Stenberg (3 Mar 2009)
+- David James brought a patch that make libcurl close (all) dead connections
+ whenever you attempt to open a new connection.
+
+ 1. After cleaning up a dead connection, "continue" instead of
+ returning FALSE. This ensures that we clean up all dead connections,
+ rather than just cleaning up the first dead connection.
+ 2. Move up the cleanup for dead connections so that it occurs for
+ all connections, rather than just the connections which have the same
+ preferences as our current new connection.
+
+Version 7.19.4 (3 March 2009)
+
+Daniel Stenberg (3 Mar 2009)
+- David Kierznowski notified us about a security flaw
+ (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
+ which previous libcurl versions (by design) can be tricked to access an
+ arbitrary local/different file instead of a remote one when
+ CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
+ together this the addition of two new setopt options for controlling this
+ new behavior:
+
+ o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
+ follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
+ excludes the FILE and SCP protocols and thus you nee to explicitly allow
+ them in your app if you really want that behavior.
+
+ o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
+ using the primary URL option. This is useful if you want to allow a user or
+ other outsiders control what URL to pass to libcurl and yet not allow all
+ protocols libcurl may have been built to support.
+
+Daniel Stenberg (27 Feb 2009)
+- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
+ CURLOPT_LOCALPORT were used together (the local port bind failed), and
+ Markus Koetter provided the fix!
+
+Daniel Stenberg (25 Feb 2009)
+- As Daniel Fandrich figured out, we must do the GnuTLS initing in the
+ curl_global_init() function to properly maintain the performing functions
+ thread-safe. We've previously (28 April 2007) moved the init to a later time
+ just to avoid it to fail very early when libgcrypt dislikes the situation,
+ but that move was bad and the fix should rather be in libgcrypt or
+ elsewhere.
+
+Daniel Stenberg (24 Feb 2009)
+- Brian J. Murrell found out that Negotiate proxy authentication didn't work.
+ It happened because the code used the struct for server-based auth all the
+ time for both proxy and server auth which of course was wrong.
+
+Daniel Stenberg (23 Feb 2009)
+- After a bug reported by James Cheng I've made curl_easy_getinfo() for
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
+ -1 if the sizes aren't know. Previously these returned 0, make it impossible
+ to detect the difference between actually zero and unknown.
+
+Yang Tse (23 Feb 2009)
+- Daniel Johnson provided a shell script that will perform all the steps needed
+ to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
+
+Daniel Stenberg (23 Feb 2009)
+- I renamed everything in the windows builds files that used the name 'curllib'
+ to the proper 'libcurl' as clearly this caused confusion.
+
+Yang Tse (20 Feb 2009)
+- Do not halt compilation when using VS2008 to build a Windows 2000 target.
+
+Daniel Stenberg (20 Feb 2009)
+- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
+ FTP with the multi interface: when a transfer fails, like when aborted by a
+ write callback, the control connection was wrongly closed and thus not
+ re-used properly.
+
+ This change is also an attempt to cleanup the code somewhat in this area, as
+ now the FTP code attempts to keep (better) track on pending responses
+ necessary to get read in ftp_done().
+
+Daniel Stenberg (19 Feb 2009)
+- Patrik Thunstrom reported a problem and helped me repeat it. It turned out
+ libcurl did a superfluous 1000ms wait when doing SFTP downloads!
+
+ We read data with libssh2 while doing the "DO" operation for SFTP and then
+ when we were about to start getting data for the actual file part, the
+ "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
+ libssh2-read. But in this case libssh2 had already read and buffered the
+ data so we ended up always just waiting 1000ms before we get working on the
+ data!
+
+Patrick Monnerat (18 Feb 2009)
+- FTP downloads (i.e.: RETR) ending with code 550 now return error
+ CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
+
+Daniel Stenberg (17 Feb 2009)
+- Kamil Dudka made NSS-powered builds compile and run again!
+
+- A second follow-up change by Andre Guibert de Bruet to fix a related memory
+ leak like that fixed on the 14th. When zlib returns failure, we need to
+ cleanup properly before returning error.
+
+- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
+ plain FTP connections, and it will then allow MKD to fail once and retry the
+ CWD afterwards. This is especially useful if you're doing many simultanoes
+ connections against the same server and they all have this option enabled,
+ as then CWD may first fail but then another connection does MKD before this
+ connection and thus MKD fails but trying CWD works! The numbers can
+ (should?) now be set with the convenience enums now called
+ CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.
+
+ Tests has proven that if you're making an application that uploads a set of
+ files to an ftp server, you will get a noticable gain in speed if you're
+ using multiple connections and this option will be then be very useful.
+
+Daniel Stenberg (14 Feb 2009)
+- Andre Guibert de Bruet found and fixed a memory leak in the content encoding
+ code, which could happen on libz errors.
+
+Daniel Fandrich (12 Feb 2009)
+- Added support for Digest and NTLM authentication using GnuTLS.
+
+Daniel Stenberg (11 Feb 2009)
+- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
+ the condition in the previous request was unmet. This is typically a time
+ condition set with CURLOPT_TIMECONDITION and was previously not possible to
+ reliably figure out. From bug report #2565128
+ (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert.
+
+Daniel Fandrich (4 Feb 2009)
+- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
+ (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
+
+- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
+ This couldn't ever overflow in curl, but might if the code were used
+ elsewhere or under different conditions.
+
+Daniel Stenberg (3 Feb 2009)
+- Hidemoto Nakada provided a small fix that makes it possible to get the
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
+ CURLOPT_NOBODY set true.
+
+Daniel Stenberg (2 Feb 2009)
+- Patrick Scott found a rather large memory leak when using the multi
+ interface and setting CURLMOPT_MAXCONNECTS to something less than the number
+ of handles you add to the multi handle. All the connections that didn't fit
+ in the cache would not be properly disconnected nor freed!
+
+- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
+ version 1.1 instead of 1.0 like before. This change also introduces the new
+ proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
+ switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
+ option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
+
+ I updated all test cases cases that use CONNECT and I tried to do some using
+ --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
+
+Daniel Stenberg (31 Jan 2009)
+- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
+ enabled, we can now take advantage of its brand new AF_UNSPEC support in
+ ares_gethostbyname(). This makes test case 241 finally run fine for me with
+ this setup since it now parses the "::1 ip6-localhost" line fine in my
+ /etc/hosts file!
+
+Daniel Stenberg (30 Jan 2009)
+- Scott Cantor filed bug report #2550061
+ (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
+ properly make sure that the VC9 makefiles got included in the latest
+ release. I've now fixed the release script and verified it so next release
+ will hopefully include them properly!
+
+Daniel Fandrich (30 Jan 2009)
+- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for
+ reporting.
+
+Yang Tse (29 Jan 2009)
+- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
+ Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
+ named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
+ Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
+ SSPI library using it now in the same way as it was done in http_ntlm.c.
+
+Daniel Stenberg (28 Jan 2009)
+- Markus Moeller introduced two new options to libcurl:
+ CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
+ to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
+ options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
+ these.
+
+Daniel Stenberg (26 Jan 2009)
+- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
+ to set desired block size to use for TFTP transfers instead of the default
+ 512 bytes.
+
+- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
+ disable "rfc4507bis session ticket support". rfc4507bis was later turned
+ into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
+
+ The enabled extension concerns the session management. I wonder how often
+ libcurl stops a connection and then resumes a TLS session. also, sending the
+ session data is some overhead. .I suggest that you just use your proposed
+ patch (which explicitly disables TICKET).
+
+ If someone writes an application with libcurl and openssl who wants to
+ enable the feature, one can do this in the SSL callback.
+
+ Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
+ on the proper action.
+
+- Alexey Borzov filed bug report #2535504
+ (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
+ quoted quotation marks in HTTP Digest headers didn't work. I've now added
+ test case 1095 that verifies my fix.
+
+- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
+ They basically offer the same thing the NO_PROXY environment variable only
+ offered previously: list a set of host names that shall not use the proxy
+ even if one is specified.
+
+Daniel Fandrich (20 Jan 2009)
+- Call setlocale() for libtest tests to test the effects of locale-induced
+ libc changes on libcurl.
+
+- Fixed a couple more locale-dependent toupper conversions, mainly for
+ clarity. This does fix one problem that causes ;type=i FTP URLs
+ to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
+ used (test case 561)
+
+- Added tests 561 and 1091 through 1094 to test various combinations
+ of ;type= and ;mode= URLs that could potentially fail in the Turkish
+ locale.
+
+Daniel Stenberg (20 Jan 2009)
+- Lisa Xu pointed out that the ssh.obj file was missing from the
+ lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too).
+
+Version 7.19.3 (19 January 2009)
+
+Daniel Stenberg (16 Jan 2009)
+- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
+ 32 bit and 64 bit.
+
+Daniel Stenberg (15 Jan 2009)
+- Tim Ansell fixed a compiler warning in lib/cookie.c
+
+Daniel Stenberg (14 Jan 2009)
+- Grant Erickson fixed timeouts for TFTP such that specifying a
+ connect-timeout, a max-time or both options work correctly and as expected
+ by passing the correct boolean value to Curl_timeleft via the
+ 'duringconnect' parameter.
+
+ With this small change, curl TFTP now behaves as expected (and likely as
+ originally-designed):
+
+ 1) For non-existent or unreachable dotted IP addresses:
+
+ a) With no options, follows the default curl 300s timeout...
+ b) With --connect-timeout only, follows that value...
+ c) With --max-time only, follows that value...
+ d) With both --connect-timeout and --max-time, follows the smaller value...
+
+ and times out with a "curl: (7) Couldn't connect to server" error.
+
+ 2) For transfers to/from a valid host:
+
+ a) With no options, follows default curl 300s timeout for the
+ first XRQ/DATA/ACK transaction and the default TFTP 3600s
+ timeout for the remainder of the transfer...
+
+ b) With --connect-time only, follows that value for the
+ first XRQ/DATA/ACK transaction and the default TFTP 3600s
+ timeout for the remainder of the transfer...
+
+ c) With --max-time only, follows that value for the first
+ XRQ/DATA/ACK transaction and for the remainder of the
+ transfer...
+
+ d) With both --connect-timeout and --max-time, follows the former
+ for the first XRQ/DATA/ACK transaction and the latter for the
+ remainder of the transfer...
+
+ and times out with a "curl: (28) Timeout was reached" error as
+ appropriate.
+
+Daniel Stenberg (13 Jan 2009)
+- Michael Wallner fixed a NULL pointer deref when calling
+ curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
+ cookies data.
+
+- Stefan Teleman brought a patch to fix the default curlbuild.h file for the
+ SunPro compilers.
+
+Daniel Stenberg (12 Jan 2009)
+- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
+ by Daniel Black, I've now added magic to the configure script that makes it
+ use pkg-config to detect gnutls details as well if the existing method
+ (using libgnutls-config) fails. While doing this, I cleaned up and unified
+ the pkg-config usage when detecting openssl and nss as well.
+
+Daniel Stenberg (11 Jan 2009)
+- Karl Moerder brought the patch that creates vc9 Makefiles, and I made
+ 'maketgz' now use the actual makefile targets to do the VC8 and VC9
+ makefiles.
+
+Daniel Stenberg (10 Jan 2009)
+- Emil Romanus fixed:
+
+ When using the multi interface over HTTP and the server returns a Location
+ header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
+ state, leaving the external event loop stuck waiting for data from the
+ ingoing socket (when using the curl_multi_socket_action stuff). While this
+ bug was pretty hard to find, it seems to require only a one-line fix. The
+ break statement on line 1374 in multi.c caused the function to skip the call
+ to multistate().
+
+ How to reproduce this bug? Well, that's another question. evhiperfifo.c in
+ the examples directory chokes on this bug only _sometimes_, probably
+ depending on how fast the URLs are added. One way of testing the bug out is
+ writing to hiper.fifo from more than one source at the same time.
+
+Daniel Fandrich (7 Jan 2009)
+- Unified much of the SessionHandle initialization done in Curl_open() and
+ curl_easy_reset() by creating Curl_init_userdefined(). This had the side
+ effect of fixing curl_easy_reset() so it now also resets
+ CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE
+
+Daniel Stenberg (7 Jan 2009)
+- Rob Crittenden did once again provide an NSS update:
+
+ I have to jump through a few hoops now with the NSS library initialization
+ since another part of an application may have already initialized NSS by the
+ time Curl gets invoked. This patch is more careful to only shutdown the NSS
+ library if Curl did the initialization.
+
+ It also adds in a bit of code to set the default ciphers if the app that
+ call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
+ ciphers. One might argue that this lets other application developers get
+ lazy and/or they aren't using the NSS API correctly, and you'd be right.
+ But still, this will avoid terribly difficult-to-trace crashes and is
+ generally helpful.
+
+Daniel Stenberg (1 Jan 2009)
+- 'reconf' is removed since we rather have users use 'buildconf'
+
+Daniel Stenberg (31 Dec 2008)
+- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing
+ out that 'reconf' didn't properly point out the m4 subdirectory when running
+ aclocal.
+
+Daniel Stenberg (29 Dec 2008)
+ - Phil Lisiecki filed bug report #2413067
+ (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that
+ would cause libcurl to mark a DNS cache entry "in use" eternally if the
+ subsequence TCP connect failed. It would thus never get pruned and refreshed
+ as it should've been.
+
+ Phil provided his own patch to this problem that while it seemed to work
+ wasn't complete and thus I wrote my own fix to the problem.
+
+Daniel Stenberg (28 Dec 2008)
+- Peter Korsgaard fixed building libcurl with "configure --with-ssl
+ --disable-verbose".
+
+- Anthony Bryan fixed more language and spelling flaws in man pages.
+
+Daniel Stenberg (22 Dec 2008)
+- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even
+ on file indexes beyond 2 or 4GB.
+
+- Anthony Bryan provided a set of patches that cleaned up manual language,
+ corrected spellings and more.
+
+Daniel Stenberg (20 Dec 2008)
+- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing
+ pipelining, as libcurl could then easily get confused and A) work on the
+ handle that was not "first in queue" on a pipeline, or even B) tell the app
+ to REMOVE a socket while it was in use by a second handle in a pipeline. Both
+ errors caused hanging or stalling applications.
+
+Daniel Stenberg (19 Dec 2008)
+- curl_multi_timeout() could return a timeout value of 0 even though nothing
+ was actually ready to get done, as the internal time resolution is higher
+ than the returned millisecond timer. Therefore it could cause applications
+ running on fast processors to do short bursts of busy-loops.
+ curl_multi_timeout() will now only return 0 if the timeout is actually
+ alreay triggered.
+
+- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl
+ now has an improved ability to do right when the multi interface (both
+ "regular" and multi_socket) is used for SCP and SFTP transfers. This should
+ result in (much) less busy-loop situations and thus less CPU usage with no
+ speed loss.
+
+Daniel Stenberg (17 Dec 2008)
+- SCP and SFTP with the multi interface had the same flaw: the 'DONE'
+ operation didn't complete properly if the EAGAIN equivalent was returned but
+ libcurl would simply continue with a half-completed close operation
+ performed. This ruined persistent connection re-use and cause some
+ SSH-protocol errors in general. The correction is unfortunately adding a
+ blocking function - doing it entirely non-blocking should be considered for
+ a better fix.
+
+Gisle Vanem (16 Dec 2008)
+- Added the possibility to use the Watt-32 tcp/ip stack under Windows.
+ The change simply involved adding a USE_WATT32 section in the
+ config-win32.h files (under ./lib and ./src). This section disables
+ the use of any Winsock headers.
+
+Daniel Stenberg (16 Dec 2008)
+- libssh2_sftp_last_error() was wrongly used at some places in libcurl which
+ made libcurl sometimes not properly abort problematic SFTP transfers.
+
+Daniel Stenberg (12 Dec 2008)
+- More work with Igor Novoseltsev to first fix the remaining stuff for
+ removing easy handles from multi handles when the easy handle is/was within
+ a HTTP pipeline. His bug report #2351653
+ (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was
+ eventually fixed by a patch by Igor himself.
+
+Yang Tse (12 Dec 2008)
+- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting
+ OS/400 compilations with IPv6 enabled.
+
+Daniel Stenberg (12 Dec 2008)
+- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists
+ when using duphandle+curl_mutli"
+ (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that
+ curl_easy_duphandle() wrongly also copied the pointer to the connection
+ cache, which was plain wrong and caused a segfault if the handle would be
+ used in a different multi handle than the handle it was duplicated from.
+
+Daniel Stenberg (11 Dec 2008)
+- Keshav Krity found out that libcurl failed to deal with dotted IPv6
+ addresses if they were very long (>39 letters) due to a too strict address
+ validity parser. It now accepts addresses up to 45 bytes long.
+
+Daniel Stenberg (11 Dec 2008)
+- Internet Explorer had a broken HTTP digest authentication before v7 and
+ there are servers "out there" that relies on the client doing this broken
+ Digest authentication. Apache even comes with an option to work with such
+ broken clients.
+
+ The difference is only for URLs that contain a query-part (a '?'-letter and
+ text to the right of it).
+
+ libcurl now supports this quirk, and you enable it by setting the
+ CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
+ CURLOPT_PROXYAUTH options. They are thus individually controlled to server
+ and proxy.
+
+ (note that there's no way to activate this with the curl tool yet)
+
+Daniel Fandrich (9 Dec 2008)
+- Added test cases 1089 and 1090 to test --write-out after a redirect to
+ test a report that the size didn't work, but these test cases pass.
+
+- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs.
+
+Daniel Stenberg (9 Dec 2008)
+- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any
+ particular state for the control connection like it did before for implicit
+ FTPS (libcurl assumed such control connections to be encrypted while some
+ FTPS servers such as FileZilla assumes such connections to be clear
+ mode). Use the CURLOPT_USE_SSL option to set your desired level.
+
+Daniel Stenberg (8 Dec 2008)
+- Fred Machado posted about a weird FTP problem on the curl-users list and when
+ researching it, it turned out he got a 550 response back from a SIZE command
+ and then I fell over the text in RFC3659 that says:
+
+ The presence of the 550 error response to a SIZE command MUST NOT be taken
+ by the client as an indication that the file cannot be transferred in the
+ current MODE and TYPE.
+
+ In other words: the change I did on September 30th 2008 and that has been
+ included in the last two releases were a regression and a bad idea. We MUST
+ NOT take a 550 response from SIZE as a hint that the file doesn't exist.
+
+- Christian Krause filed bug #2221237
+ (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite
+ loop during GSS authentication given some specific conditions. With his
+ patience and great feedback I managed to narrow down the problem and
+ eventually fix it although I can't test any of this myself!
+
+Daniel Fandrich (3 Dec 2008)
+- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6
+ support (e.g. Minix)
+
+Daniel Stenberg (3 Dec 2008)
+- Igor Novoseltsev filed bug #2351645
+ (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with
+ the multi interface that occured if you removed an easy handle while in
+ progress and the handle was used in a HTTP pipeline.
+
+- Pawel Kierski pointed out a mistake in the cookie code that could lead to a
+ bad fclose() after a fatal error had occured.
+ (http://curl.haxx.se/bug/view.cgi?id=2382219)
+
+Daniel Fandrich (25 Nov 2008)
+- If a HTTP request is Basic and num is already >=1000, the HTTP test
+ server adds 1 to num to get the data section to return. This allows
+ testing authentication negotiations using the Basic authentication
+ method.
+
+- Added tests 1087 and 1088 to test Basic authentication on a redirect
+ with and without --location-trusted
+
+Daniel Stenberg (24 Nov 2008)
+- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19
+ function when built to support SCP and SFTP that helps the library to know
+ in which direction a particular libssh2 operation would return EAGAIN so
+ that libcurl knows what socket conditions to wait for before trying the
+ function call again. Previously (and still when using libssh2 0.18 or
+ earlier), libcurl will busy-loop in this situation when the easy interface
+ is used!
+
+Daniel Fandrich (20 Nov 2008)
+- Automatically detect OpenBSD's CA cert bundle.
+
+Daniel Stenberg (19 Nov 2008)
+- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is
+ used. It has been used since forever but it was never a good idea to use
+ unless explicitly asked for.
+
+- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when
+ you use runtests.pl -g, will be sourced by gdb to allow additional fancy or
+ whatever you see fit
+
+- Christian Krause reported and fixed a memory leak that would occur with HTTP
+ GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386)
+
+- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got
+ when uploading files to a single FTP server using multiple easy handle
+ handles with the multi interface. Occasionally a handle would stall in
+ mysterious ways.
+
+ The problem turned out to be a side-effect of the ConnectionExists()
+ function's eagerness to re-use a handle for HTTP pipelining so it would
+ select it even if already being in use, due to an inadequate check for its
+ chances of being used for pipelnining.
+
+Daniel Fandrich (17 Nov 2008)
+- Added more compiler warning options for gcc 4.3
+
+Yang Tse (17 Nov 2008)
+- Fix a remaining problem in the inet_pton() runtime configure check. And
+ fix internal Curl_inet_pton() failures to reject certain malformed literals.
+
+- Make configure script check if ioctl with the SIOCGIFADDR command can be
+ used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate.
+
+Daniel Stenberg (16 Nov 2008)
+- Christian Krause fixed a build failure when building with gss support
+ enabled and FTP disabled.
+
+- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c
+ - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do
+ for example -O on a url with a file name part longer than PATH_MAX letters
+
+- lib/nss.c fixes based on the report by Jim Meyering: I went over and added
+ checks for return codes for all calls to malloc and strdup that were
+ missing. I also changed a few malloc(13) to use arrays on the stack and a
+ few malloc(PATH_MAX) to instead use aprintf() to lower memory use.
+
+- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is
+ in use.
+
+Daniel Fandrich (14 Nov 2008)
+- Added .xml as one of the few common file extensions known by the multipart
+ form generator.
+
+- Added some #ifdefs around header files and change the EAGAIN test to
+ fix compilation on Cell (reported by Jeff Curley).
+
+Yang Tse (14 Nov 2008)
+- Fixed several configure script issues affecting checks for inet_ntoa_r(),
+ inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo().
+
+Yang Tse (13 Nov 2008)
+- Refactored configure script detection of functions used to set sockets into
+ non-blocking mode, and decouple function detection from function capability.
Version 7.19.2 (13 November 2008)