Changes in 8.5.0 - December 6 2023

Changes:

• gnutls: support CURLSSLOPT_NATIVE_CA
• HTTP3: ngtcp2 builds are no longer experimental

Bugfixes:

• appveyor: make VS2008-built curl tool runnable
• asyn-thread: use pipe instead of socketpair for IPC when available
• autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`
• autotools: avoid passing `LDFLAGS` twice to libcurl
• autotools: delete LCC compiler support bits
• autotools: fix/improve gcc and Apple clang version detection
• autotools: stop setting `-std=gnu89` with `--enable-warnings`
• autotools: update references to deleted `crypt-auth` option
• BINDINGS: add V binding
• build: add `src/.checksrc` to source tarball
• build: add more picky warnings and fix them
• build: always revert `#pragma GCC diagnostic` after use
• build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`
• build: delete support bits for obsolete Windows compilers
• build: fix 'threadsafe' feature detection for older gcc
• build: fix builds that disable protocols but not digest auth
• build: fix compiler warning with auths disabled
• build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`
• build: picky warning updates
• build: require Windows XP or newer
• cfilter: provide call to tell connection to forget a socket
• CI: add autotools, out-of-tree, debug build to distro check job
• CI: ignore test 286 on Appveyor gcc 9 build
• cmake: add `CURL_DISABLE_BINDLOCAL` option
• cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API`
• cmake: dedupe Windows system libs
• cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
• cmake: fix CURL_DISABLE_GETOPTIONS
• cmake: fix multiple include of CURL package
• cmake: fix OpenSSL quic detection in quiche builds
• cmake: option to disable install & drop `curlu` target when unused
• cmake: pre-fill rest of detection values for Windows
• cmake: replace `check_library_exists_concat()`
• cmake: speed up threads setup for Windows
• cmake: speed up zstd detection
• config-win32: set `HAVE_SNPRINTF` for mingw-w64
• configure: better --disable-http
• configure: check for the fseeko declaration too
• conncache: use the closure handle when disconnecting surplus connections
• content_encoding: make Curl_all_content_encodings allocless
• cookie: lowercase the domain names before PSL checks
• curl.h: delete Symbian OS references
• curl.h: on FreeBSD include sys/param.h instead of osreldate.h
• curl.rc: switch out the copyright symbol for plain ASCII
• curl: improved IPFS and IPNS URL support
• curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped
• Curl_http_body: cleanup properly when Curl_getformdata errors
• curl_setup: disallow Windows IPv6 builds missing getaddrinfo
• curl_sspi: support more revocation error names in error messages
• CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation
• CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
• CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does
• CURLOPT_WRITEFUNCTION.3: clarify libcurl returns for CURL_WRITEFUNC_ERROR
• CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
• docs/example/keepalive.c: show TCP keep-alive options
• docs/example/localport.c: show off CURLOPT_LOCALPORT
• docs/examples/interface.c: show CURLOPT_INTERFACE use
• docs/libcurl: fix three minor manpage format mistakes
• docs/libcurl: SYNSOPSIS cleanup
• docs: add supported version for the json write-out
• docs: clarify that curl passes on input unfiltered
• docs: fix function typo in curl_easy_option_next.3
• docs: KNOWN_BUGS cleanup
• docs: preserve the modification date when copying the prebuilt manpage
• docs: remove bold from some manpage SYNOPSIS sections
• docs: use SOURCE_DATE_EPOCH for generated manpages
• doh: provide better return code for responses w/o addresses
• doh: use PIPEWAIT when HTTP/2 is attempted
• duphandle: also free 'outcurl->cookies' in error path
• duphandle: make dupset() not return with pointers to old alloced data
• duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
• easy: in duphandle, init the cookies for the new handle
• easy: remove duplicate wolfSSH init call
• easy_lock: add a pthread_mutex_t fallback
• fopen: create new file using old file's mode
• fopen: create short(er) temporary filename
• getenv: PlayStation doesn't have getenv()
• GHA: move mod_h2 version in CI to v2.0.25
• hostip: show the list of IPs when resolving is done
• hostip: silence compiler warning `-Wparentheses-equality`
• hsts: skip single-dot hostname
• HTTP/2, HTTP/3: handle detach of onoing transfers
• http2: header conversion tightening
• http2: provide an error callback and failf the message
• http2: safer invocation of populate_binsettings
• http: allow longer HTTP/2 request method names
• http: avoid Expect: 100-continue if Upgrade: is used
• http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine
• http: fix `-Wunused-parameter` with no auth and no proxy
• http: fix `-Wunused-variable` compiler warning
• http: fix empty-body warning
• http_aws_sigv4: canonicalise valueless query params
• hyper: temporarily remove HTTP/2 support
• INSTALL: update list of ports and CPU archs
• IPFS: fix IPFS_PATH and file parsing
• keylog: disable if unused
• lib: add and use Curl_strndup()
• lib: apache style infof and trace macros/functions
• lib: fix gcc warning in printf call
• libcurl-errors.3: sync with current public headers
• libcurl-thread.3: simplify the TLS section
• Makefile.am: drop vc10, vc11 and vc12 projects from dist
• Makefile.mk: fix `-rtmp` option for non-Windows
• mime: store "form escape" as a single bit
• misc: fix -Walloc-size warnings
• msh3: error when built with CURL_DISABLE_SOCKETPAIR set
• multi: during ratelimit multi_getsock should return no sockets
• multi: use pipe instead of socketpair to *wakeup()
• ngtcp2: fix races in stream handling
• ntlm_wb: use pipe instead of socketpair when possible
• openldap: move the alloc of ldapconninfo to *connect()
• openldap: set the callback argument in oldap_do
• openssl: avoid BN_num_bits() NULL pointer derefs
• openssl: fix building with v3 `no-deprecated` + add CI test
• openssl: fix infof() to avoid compiler warning for %s with null
• openssl: identify the "quictls" backend correctly
• openssl: include SIG and KEM algorithms in verbose
• openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
• openssl: two multi pointer checks should probably rather be asserts
• openssl: when a session-ID is reused, skip OCSP stapling
• page-footer: clarify exit code 25
• projects: add VC14.20 project files
• pytest: use lower count in repeat tests
• quic: make eyeballers connect retries stop at weird replies
• quic: manage connection idle timeouts
• quiche: use quiche_conn_peer_transport_params()
• rand: fix build error with autotools + LibreSSL
• resolve.d: drop a multi use-sentence
• RTSP: improved RTP parser
• sasl: fix `-Wunused-function` compiler warning
• schannel: add CA cache support for files and memory blobs
• setopt: check CURLOPT_TFTP_BLKSIZE range on set
• setopt: remove outdated cookie comment
• setopt: remove superfluous use of ternary expressions
• socks: better buffer size checks for socks4a user and hostname
• socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
• symbols-in-versions: the CLOSEPOLICY options are deprecated
• test1683: remove commented-out check alternatives
• test3103: add missing quotes around a test tag attribute
• test613: stop showing an error on missing output file
• tests/README: SOCKS tests are not using OpenSSH, it has its own server
• tests/server: add more SOCKS5 handshake error checking
• tests: Fix Windows test helper tool search & use it for handle64
• tidy-up: casing typos, delete unused Windows version aliases
• tool: fix --capath when proxy support is disabled
• tool: support bold headers in Windows
• tool_cb_hdr: add an additional parsing check
• tool_cb_prg: make the carriage return fit for wide progress bars
• tool_cb_wrt: fix write output for very old Windows versions
• tool_getparam: limit --rate to be smaller than number of ms
• tool_operate: do not mix memory models
• tool_operate: fix links in ipfs errors
• tool_parsecfg: make warning output propose double-quoting
• tool_urlglob: fix build for old gcc versions
• tool_urlglob: make multiply() bail out on negative values
• tool_writeout_json: fix JSON encoding of non-ascii bytes
• transfer: abort pause send when connection is marked for closing
• transfer: avoid calling the read callback again after EOF
• transfer: only reset the FTP wildcard engine in CLEAR state
• url: don't touch the multi handle when closing internal handles
• url: find scheme with a "perfect hash"
• url: fix `-Wzero-length-array` with no protocols
• url: fix builds with `CURL_DISABLE_HTTP`
• url: protocol handler lookup tidy-up
• url: proxy ssl connection reuse fix
• urlapi: avoid null deref if setting blank host to url encode
• urlapi: skip appending NULL pointer query
• urlapi: when URL encoding the fragment, pass in the right length
• urldata: make maxconnects a 32 bit value
• urldata: move async resolver state from easy handle to connectdata
• urldata: move cookielist from UserDefined to UrlState
• urldata: move hstslist from 'set' to 'state'
• urldata: move the 'internal' boolean to the state struct
• vssh: remove the #ifdef for Curl_ssh_init, use empty macro
• vtls: cleanup SSL config management
• vtls: consistently use typedef names for OpenSSL structs
• vtls: late clone of connection ssl config
• vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
• VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
• windows: use built-in `_WIN32` macro to detect Windows
• wolfssh: remove redundant static prototypes
• wolfssl: add default case for wolfssl_connect_step1 switch
• wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA

Further