Changes in 7.88.0 - February 15 2023

Changes:

• curl.h: add CURL_HTTP_VERSION_3ONLY
• share: add sharing of HSTS cache among handles
• src: add --http3-only
• tool_operate: share HSTS between handles
• urlapi: add CURLU_PUNYCODE
• writeout: add %{certs} and %{num_certs}

Bugfixes:

• cf-socket: fix build when not HAVE_GETPEERNAME
• cf-socket: keep sockaddr local in the socket filters
• cfilters:Curl_conn_get_select_socks: use the first non-connected filter
• CI: add a workflow to automatically label pull requests
• CI: add pytest GHA to CI test/tests-httpd on an HTTP/3 setup
• CI: Retry failed downloads to reduce spurious failures
• CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
• cmake: bump requirement to 3.7
• cmake: check for sendmsg
• cmake: delete redundant macro definition `SECURITY_WIN32`
• cmake: fix dev warning due to mismatched arg
• cmake: fix the snprintf detection
• cmake: remove deprecated symbols check
• cmake: set SOVERSION also for macOS
• cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
• cmdline-opts/Makefile: on error, do not leave a partial
• CODEOWNERS: remove the peeps mentioned as CI owners
• connect: fix access of pointer before NULL check
• connect: fix build when not ENABLE_IPV6
• connect: fix strategy testing for attempts, timeouts and happy-eyeball
• connections: introduce http/3 happy eyeballs
• content_encoding: do not reset stage counter for each header
• CONTRIBUTE: More formally specify the commit description
• cookies: fp is always not NULL
• copyright.pl: cease doing year verifications
• copyright: update all copyright lines and remove year ranges
• curl.1: make help, version and manual sections "custom"
• curl.h: allow up to 10M buffer size
• curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
• curl/websockets.h: extend the websocket frame struct
• curl: output warning at --verbose output for debug-enabled version
• curl_free.3: fix return type of `curl_free`
• curl_global_sslset.3: clarify the openssl situation
• curl_log: for failf/infof and debug logging implementations
• curl_setup: Disable by default recv-before-send in Windows
• curl_version_info.3: fix typo
• curl_ws_send.3: clarify how to send multi-frame messages
• CURLOPT_HEADERDATA.3: warn DLL users must set write function
• CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
• CURLOPT_WRITEFUNCTION.3: fix memory leak in example
• dict: URL decode the entire path always
• docs/DEPRECATE.md: deprecate gskit
• docs: add link to GitHub Discussions
• docs: mention indirect effects of --insecure
• docs: POSTFIELDSIZE must be set to -1 with read function
• doh: ifdef IPv6 code
• easyoptions: fix header printing in generation script
• escape: hex decode with a lookup-table
• escape: use table lookup when adding %-codes to output
• examples: remove the curlgtk.c example
• fopen: remove unnecessary assignment
• ftpserver: lower the DATA connect timeout to speed up torture tests
• GHA/macos.yml: bump to gcc-12
• GHA/macos: use Xcode_14.0.1 for cmake builds
• GHA: add job on Slackware 15.0
• GHA: bump ngtcp2 workflow dependencies
• GHA: enable websockets in the torture job
• GHA: move the quiche job here from zuul
• GHA: use designated ngtcp2 and its dependencies versions
• haxproxy: send before TLS handhshake
• header.d: add a header file example
• hsts.d: explain hsts more
• hsts: handle adding the same hostname again
• HTTP/[23]: continue upload when state.drain is set
• http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
• http2: fix compiler warning due to uninitialized variable
• http2: minor buffer and error path fixes
• http2: when using printf %.*s, the length arg must be 'int'
• HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
• http: add additional condition for including stdint.h
• http: decode transfer encoding first
• http: fix "part of conditional expression is always false"
• http: remove the trace message "Mark bundle... multiuse"
• http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
• http_proxy: do not assign data->req.p.http use local copy
• INSTALL: document how to use multiple TLS backends
• lib670: make test.h the first include
• lib: connect/h2/h3 refactor
• lib: fix typos
• lib: fix typos in comments which repeat a word
• libssh2: try sha2 algos for hostkey methods
• libtest: add a sleep macro for Windows
• Linux CI: update some dependecies to latest tag
• Makefile.mk: fix wolfssl and mbedtls default paths
• manpages: call the custom user pointer 'clientp' consistently
• md4: fix build with GnuTLS + OpenSSL v1
• misc: fix grammar and spelling
• misc: fix spelling
• misc: reduce struct and struct field sizes
• msh3: add support for request payload
• msh3: update to v0.5 Release
• msh3: update to v0.6
• multi: stop sending empty HTTP/3 UDP datagrams on Windows
• multihandle: turn bool struct fields into bits
• ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
• ngtcp2: fix the build without 'sendmsg'
• ngtcp2: replace removed define and stop using removed function
• no-clobber.d: only use long form options in manpage text
• noproxy: support for space-separated names is deprecated
• nss: implement data_pending method
• openldap: fix missing sasl symbols at build in specific configs
• openssl: adapt to boringssl's error code type
• openssl: don't ignore CA paths when using Windows CA store (redux)
• openssl: don't log raw record headers
• openssl: make the BIO_METHOD a local variable in the connection filter
• openssl: only use CA_BLOB if verifying peer
• openssl: remove attached easy handles from SSL instances
• openssl: store the CA after first send (ClientHello)
• os400: fixes to make-lib.sh and initscript.sh
• packages: remove Android, update README
• release-notes.pl: check fixes/closes lines better
• Revert "x509asn1: avoid freeing unallocated pointers"
• runtest.pl: add expected fourth return value
• runtests: tear down http2/http3 servers when https server is stopped
• runtests: consider warnings fatal and error on them
• runtests: fix detection of TLS backends
• runtests: make 'mbedtls' a testable feature
• rustls: improve error messages
• scripts/delta: show percent of number of files changed since last tag
• scripts: fix Appveyor job detection in cijobs.pl
• scripts: set file mode +x on all perl and shell scripts
• sectransp: fix for incomplete read/writes
• SECURITY-PROCESS.md: document severity levels
• setopt: Address undefined behaviour by checking for null
• setopt: move the SHA256 opt within #ifdef libssh2
• setopt: use >, not >=, when checking if uarg is larger than uint-max
• smb: return error on upload without size
• socketpair: allow localhost MITM sniffers
• strdup: name it Curl_strdup
• system.h: assume OS400 is always built with ILEC compiler
• test1560: use a UTF8-using locale when run
• test2304: remove stdout verification
• tests-httpd: basic infra to run curl against an apache httpd
• tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
• tests: add tests for HTTP/2 and HTTP/3 to verify the header API
• tests: avoid use of sha1 in certificates
• tls: fixes for wolfssl + openssl combo builds
• tool_getparam: fix hiding of command line secrets
• tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
• tool_operate: fix error codes during DOS filename sanitize
• tool_operate: fix error codes on bad URL & OOM
• tool_operate: fix headerfile writing
• tool_operate: repair --rate
• transfer: break the read loop when RECV is cleared
• typecheck: accept expressions for option/info parameters
• url: fix part of conditional expression is always true
• urlapi: avoid Curl_dyn_addf() for hex outputs
• urlapi: fix part of conditional expression is always true: qlen
• urlapi: skip path checks if path is just "/"
• urlapi: skip the extra dedotdot alloc if no dot in path
• urldata: cease storing TLS auth type
• urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
• urldata: make set.http200aliases conditional on HTTP being present
• urldata: move the cookefilelist to the 'set' struct
• urldata: remove unused struct fields, made more conditional
• vquic: stabilization and improvements
• vtls: fix hostname handling in filters
• vtls: manage current easy handle in nested cfilter calls
• vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
• winbuild: document that arm64 is supported
• windows: always use curl's basename() implementation
• wolfssl: remove deprecated post-quantum algorithms
• workflows/linux.yml: merge 3 common packages
• write-out.d: add 'since version' to %{header_json} documentation
• write-out.d: clarify Windows % symbol escaping
• ws: fix autoping handling
• ws: fix multiframe send handling
• ws: fix recv of larger frames
• ws: remove bad assert
• ws: unstick connect-only shutdown
• ws: use %Ou for outputting curl_off_t with info()
• x509asn1: fix compile errors and warnings
• zuul: stop using this CI service

Further