🠰 7.78.0 all changes 7.79.1 🠲
Changes in 7.79.0 - September 15 2021
Changes:
- bearssl: support CURLOPT_CAINFO_BLOB
- http: consider cookies over localhost to be secure
- secure transport: support CURLINFO_CERTINFO
Bugfixes:
- CVE-2021-22945: clear the leftovers pointer when sending succeeds
- CVE-2021-22946: do not ignore --ssl-reqd
- CVE-2021-22947: reject STARTTLS server response pipelining
- ares: use ares_getaddrinfo()
- asyn-ares.c: move all version number checks to the top
- auth: do not append zero-terminator to authorisation id in kerberos
- auth: properly handle byte order in kerberos security message
- auth: use sasl authzid option in kerberos
- auth: we do not support a security layer after kerberos authentication
- BINDINGS.md: update links to use https where available
- build: fix compiler warnings
- c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
- c-hyper: fix header value passed to debug callback
- c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
- c-hyper: initial step for 100-continue support
- c-hyper: initial support for "dumping" 1xx HTTP responses
- c-hyper: remove the hyper_executor_poll() loop from Curl_http
- CI/cirrus: reduce compile time with increased parallism
- CI: use GitHub Container Registry instead of Docker Hub
- cirrus: Add FreeBSD 13.0 job and disable sanitizer build
- cmake: avoid poll() on macOS
- cmake: sync CURL_DISABLE options
- codeql: fix error "Resource not accessible by integration"
- compressed.d: it's a request, not an order
- config.d: escape the backslash properly
- config.d: note that curlrc is used even when --config
- config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
- configure.ac: revert bad nghttp2 library detection improvements
- configure: error out if both ngtcp2 and quiche are specified
- configure: make --disable-hsts work
- configure: set classic mingw minimum OS version to XP
- configure: tweak nghttp2 library name fix
- connect: get local port + ip also when reusing connections
- connect: remove superfluous conditional
- curl-openssl.m4: check lib64 for the pkg-config file
- curl-openssl.m4: show correct output for OpenSSL v3
- curl.1: mention "global" flags
- curl.1: provide examples for each option
- curl: add warning for ignored data after quoted form parameter
- curl: add warning for incompatible parameters usage
- curl: better error message when -O fails to get a good name
- curl: stop retry if Retry-After: is longer than allowed
- curl_easy_setopt.3: improve the string copy wording
- Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
- curl_setup.h: sync values for HTTP_ONLY
- curl_url_get.3: clarify about path and query
- CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
- CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
- CURLOPT_SSL_CTX_*.3: tidy up the example
- CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
- docs/MQTT: update state of username/password support
- docs: remove experimental mentions from HSTS and MQTT
- docs: the security list is reached at security at curl.se now
- easy: use a custom implementation of wcsdup on Windows
- examples/*hiperfifo.c: fix calloc arguments to match function proto
- examples/cookie_interface: avoid printfing time_t directly
- examples/cookie_interface: fix scan-build printf warning
- examples/ephiperfifo.c: simplify signal handler
- FAQ: add two dev related questions
- getparameter: fix the --local-port number parser
- happy-eyeballs-timeout-ms.d: polish the wording
- hostip: Make Curl_ipv6works function independent of getaddrinfo
- http2: Curl_http2_setup needs to init stream data in all invokes
- http2: revert a change that broke upgrade to h2c
- http2: revert call the handle-closed function correctly on closed stream
- http: disallow >3-digit response codes
- http: ignore content-length if any transfer-encoding is used
- http_proxy: clear 'sending' when the outgoing request is sent
- http_proxy: fix the User-Agent inclusion in CONNECT
- http_proxy: fix user-agent and custom headers for CONNECT with hyper
- http_proxy: only wait for writable socket while sending request
- INTERNALS: bump c-ares requirement to 1.16.0
- INTERNALS: c-ares has a new home: c-ares.org
- lib: don't use strerror()
- libcurl-errors.3: clarify two CURLUcode errors
- limit-rate.d: clarify base unit
- mailing lists: move from cool.haxx.se to lists.haxx.se
- mbedtls: avoid using a large buffer on the stack
- mbedTLS: initial 3.0.0 support
- mbedtls_threadlock: fix unused variable warning
- mksymbolsmanpage.pl: Fix showing symbol's last used version
- mksymbolsmanpage.pl: match symbols case insenitively
- multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
- ngtcp2: compile with the latest ngtcp2 and nghttp3
- ngtcp2: fix build with ngtcp2 and nghttp3
- ngtcp2: remove the acked_crypto_offset struct field init
- ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
- ngtcp2: reset the oustanding send buffer again when drained
- ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
- ngtcp2: stop buffering crypto data
- ngtcp2: utilize crypto API functions to simplify
- openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
- openssl: when creating a new context, there cannot be an old one
- opt-docs: make sure all manpages have examples
- opt-docs: verify manpage sections + order
- opts docs: unify phrasing in NAME header
- output.d: add method to suppress response bodies
- page-header: add GOPHERS, simplify wording in the 1st para
- progress: fix a compile warning on some systems
- progress: make trspeed avoid floats
- runtests: add option -u to error on server unexpectedly alive
- schannel: Work around typo in classic mingw macro
- scripts: invoke interpreters through /usr/bin/env
- setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
- strerror.h: remove the #include from files not using it
- symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
- test1138: remove trailing space to make work with hyper
- test1173: check references to libcurl options
- test1280: CRLFify the response to please hyper
- test1565: fix windows build errors
- test365: verify response with chunked AND Content-Length headers
- tests/*server.pl: flush output before executing subprocess
- tests/*server.py: remove pidfile on server termination
- tests/runtests.pl: cleanup copy&paste mistakes and unused code
- tests/server/*.c: align handling of portfile argument and file
- tests: adjust the tftpd output to work with hyper mode
- tests: be explicit about using 'python3' instead of 'python'
- tests: enable test 1129 for hyper builds
- tests: make three tests pass until 2037
- tool/tests: fix potential year 2038 issues
- tool_operate: Fix --fail-early with parallel transfers
- url: fix compiler warning in no-verbose builds
- urlapi.c:seturl: assert URL instead of using if-check
- vtls: fix typo in schannel_verify.c
- winbuild/README.md: clarify GEN_PDB option
- wolfssl: clean up wolfcrypt error queue
- write-out.d: clarify size_download/upload
- x509asn1: fix heap over-read when parsing x509 certificates