-
Notifications
You must be signed in to change notification settings - Fork 0
/
RELEASE-NOTES
288 lines (277 loc) · 12.9 KB
/
RELEASE-NOTES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
curl and libcurl 7.84.0
Public curl releases: 209
Command line options: 248
curl_easy_setopt() options: 297
Public functions in libcurl: 88
Contributors: 2652
This release includes the following changes:
o curl: add --rate to set max request rate per time unit [69]
o curl: deprecate --random-file and --egd-file [12]
o curl_version_info: add CURL_VERSION_THREADSAFE [100]
o CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl [9]
o lib: make curl_global_init() threadsafe when possible [101]
o libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION [78]
o opts: deprecate RANDOM_FILE and EGDSOCKET [13]
o socks: support unix sockets for socks proxy [2]
This release includes the following bugfixes:
o aws-sigv4: fix potentional NULL pointer arithmetic [48]
o bindlocal: don't use a random port if port number would wrap [14]
o c-hyper: mark status line as status for Curl_client_write() [58]
o ci: avoid `cmake -Hpath` [114]
o CI: bump FreeBSD 13.0 to 13.1 [127]
o ci: update github actions [36]
o cmake: add libpsl support [3]
o cmake: do not add libcurl.rc to the static libcurl library [53]
o cmake: enable curl.rc for all Windows targets [55]
o cmake: fix detecting libidn2 [56]
o cmake: support adding a suffix to the OS value [54]
o configure: skip libidn2 detection when winidn is used [89]
o configure: use the SED value to invoke sed [28]
o configure: warn about rustls being experimental [103]
o content_encoding: return error on too many compression steps [106]
o cookie: address secure domain overlay [7]
o cookie: apply limits [83]
o copyright.pl: parse and use .reuse/dep5 for skips [105]
o copyright: make repository REUSE compliant [119]
o curl.1: add a few see also --tls-max [52]
o curl.1: mention exit code zero too [44]
o curl: re-enable --no-remote-name [31]
o curl_easy_pause.3: remove explanation of progress function [97]
o curl_getdate.3: document that some illegal dates pass through [34]
o Curl_parsenetrc: don't access local pwbuf outside of scope [27]
o curl_url_set.3: clarify by default using known schemes only [120]
o CURLOPT_ALTSVC.3: document the file format [118]
o CURLOPT_FILETIME.3: fix the protocols this works with
o CURLOPT_HTTPHEADER.3: improve comment in example [66]
o CURLOPT_NETRC.3: document the .netrc file format
o CURLOPT_PORT.3: We discourage using this option [92]
o CURLOPT_RANGE.3: remove ranged upload advice [99]
o digest: added detection of more syntax error in server headers [81]
o digest: tolerate missing "realm" [80]
o digest: unquote realm and nonce before processing [82]
o DISABLED: disable 1021 for hyper again
o docs/cmdline-opts: add copyright and license identifier to each file [112]
o docs/CONTRIBUTE.md: document the 'needs-votes' concept [79]
o docs: clarify data replacement policy for MIME API [16]
o doh: remove UNITTEST macro definition [67]
o examples/crawler.c: use the curl license [73]
o examples: remove fopen.c and rtsp.c [76]
o FAQ: Clarify Windows double quote usage [42]
o fopen: add Curl_fopen() for better overwriting of files [72]
o ftp: restore protocol state after http proxy CONNECT [110]
o ftp: when failing to do a secure GSSAPI login, fail hard [62]
o GHA/hyper: enable debug in the build
o gssapi: improve handling of errors from gss_display_status [45]
o gssapi: initialize gss_buffer_desc strings
o headers api: remove EXPERIMENTAL tag [35]
o http2: always debug print stream id in decimal with %u [46]
o http2: reject overly many push-promise headers [63]
o http: restore header folding behavior [64]
o hyper: use 'alt-used' [71]
o krb5: return error properly on decode errors [107]
o lib: make more protocol specific struct fields #ifdefed [84]
o libcurl-security.3: add "Secrets in memory" [30]
o libcurl-security.3: document CRLF header injection [98]
o libssh: skip the fake-close when libssh does the right thing [102]
o links: update dead links to the curl-wiki [21]
o log2changes: do not indent empty lines [ci skip] [37]
o macos9: remove partial support [22]
o Makefile.am: fix portability issues [1]
o Makefile.m32: delete obsolete options, improve -On [ci skip] [65]
o Makefile.m32: delete two obsolete OpenSSL options [ci skip] [39]
o Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] [116]
o max-time.d: clarify max-time sets max transfer time [70]
o mprintf: ignore clang non-literal format string [19]
o netrc: check %USERPROFILE% as well on Windows [77]
o netrc: support quoted strings [33]
o ngtcp2: allow curl to send larger UDP datagrams [29]
o ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types [25]
o ngtcp2: enable Linux GSO [91]
o ngtcp2: extend QUIC transport parameters buffer [4]
o ngtcp2: fix alert_read_func return value [26]
o ngtcp2: fix typo in preprocessor condition [121]
o ngtcp2: handle error from ngtcp2_conn_submit_crypto_data [5]
o ngtcp2: send appropriate connection close error code [6]
o ngtcp2: support boringssl crypto backend [17]
o ngtcp2: use helper funcs to simplify TLS handshake integration [68]
o ntlm: provide a fixed fake host name [32]
o projects: fix third-party SSL library build paths for Visual Studio [125]
o quic: add Curl_quic_idle [18]
o quiche: support ca-fallback [49]
o rand: stop detecting /dev/urandom in cross-builds [113]
o remote-name.d: mention --output-dir [88]
o runtests.pl: add the --repeat parameter to the --help output [43]
o runtests: fix skipping tests not done event-based [95]
o runtests: skip starting the ssh server if user name is lacking [104]
o scripts/copyright.pl: fix the exclusion to not ignore man pages [75]
o sectransp: check for a function defined when __BLOCKS__ is undefined [20]
o select: return error from "lethal" poll/select errors [93]
o server/sws: support spaces in the HTTP request path
o speed-limit/time.d: mention these affect transfers in either direction [74]
o strcase: some optimisations [8]
o test 2081: add a valid reply for the second request [60]
o test 675: add missing CR so the test passes when run through Privoxy [61]
o test414: add the '--resolve' keyword [23]
o test681: verify --no-remote-name [90]
o tests 266, 116 and 1540: add a small write delay
o tests/data/test1501: kill ftp server after slow LIST response [59]
o tests/getpart: fix getpartattr to work with "data" and "data2"
o tests/server/sws.c: change the HTTP writedelay unit to milliseconds [47]
o test{440,441,493,977}: add "HTTP proxy" keywords [40]
o tool_getparam: fix --parallel-max maximum value constraint [51]
o tool_operate: make sure --fail-with-body works with --retry [24]
o transfer: fix potential NULL pointer dereference [15]
o transfer: maintain --path-as-is after redirects [96]
o transfer: upload performance; avoid tiny send [124]
o url: free old conn better on reuse [41]
o url: remove redundant #ifdefs in allocate_conn()
o url: URL encode the path when extracted, if spaces were set
o urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts [126]
o urlapi: support CURLU_URLENCODE for curl_url_get()
o urldata: reduce size of a few struct fields [86]
o urldata: remove three unused booleans from struct UserDefined [87]
o urldata: store tcp_keepidle and tcp_keepintvl as ints [85]
o version: allow stricmp() for sorting the feature list [57]
o vtls: make curl_global_sslset thread-safe [94]
o wolfssh.h: removed [10]
o wolfssl: correct the failf() message when a handle can't be made [38]
o wolfSSL: explicitly use compatibility layer [11]
o x509asn1: mark msnprintf return as unchecked [50]
This release includes the following known bugs:
o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)
This release would not have looked like this without help, code, reports and
advice from friends like these:
Andrea Pappacoda, Balakrishnan Balasubramanian, Boris Verkhovskiy,
Carlo Alberto, Christian Weisgerber, Dan Fandrich, Daniel Gustafsson,
Daniel Stenberg, Egor Pugin, Emanuele Torre, Emil Engler, Evgeny Grin,
Fabian Keil, Frank Gevaerts, Frazer Smith, Gisle Vanem, Glenn Strauss,
Gregor Jasny, Harry Sintonen, Illarion Taev, ImpatientHippo on GitHub,
Jakub Bochenski, Kamil Dudka, Karlson2k on github, KotlinIsland on github,
Ladar Levison, Marcel Raad, Marc Hörsken, Marcus T, Max Mehl, michael musset,
Nick Zitzmann, Nuru on github, Patrick Monnerat, Petr Pisar, Philip H,
Pierrick Charron, Ray Satiro, Ricardo M. Correia, Simon Berger,
Stefan Eissing, Steve Holme, Tatsuhiro Tsujikawa, Thomas Guillem, Tom Eccles,
Viktor Szakats, Vincent Torri, vvb2060 on github, Willem Hoek,
Wolf Vollprecht, Elms
(51 contributors)
References to bug reports and discussions on issues:
[1] = https://curl.se/mail/lib-2022-05/0024.html
[2] = https://curl.se/bug/?i=8668
[3] = https://curl.se/bug/?i=8865
[4] = https://curl.se/bug/?i=8872
[5] = https://curl.se/bug/?i=8871
[6] = https://curl.se/bug/?i=8870
[7] = https://hackerone.com/reports/1560324
[8] = https://curl.se/bug/?i=8875
[9] = https://curl.se/bug/?i=8888
[10] = https://curl.se/bug/?i=8863
[11] = https://curl.se/bug/?i=8864
[12] = https://curl.se/bug/?i=8670
[13] = https://curl.se/bug/?i=8670
[14] = https://curl.se/bug/?i=8862
[15] = https://curl.se/bug/?i=8857
[16] = https://curl.se/bug/?i=8860
[17] = https://curl.se/bug/?i=8789
[18] = https://curl.se/bug/?i=8698
[19] = https://curl.se/bug/?i=8740
[20] = https://curl.se/bug/?i=8846
[21] = https://curl.se/bug/?i=8897
[22] = https://curl.se/bug/?i=8836
[23] = https://curl.se/bug/?i=8959
[24] = https://curl.se/bug/?i=8845
[25] = https://curl.se/bug/?i=8851
[26] = https://curl.se/bug/?i=8852
[27] = https://curl.se/bug/?i=8850
[28] = https://curl.se/bug/?i=8891
[29] = https://curl.se/bug/?i=8883
[30] = https://curl.se/bug/?i=8881
[31] = https://curl.se/bug/?i=8931
[32] = https://curl.se/bug/?i=8859
[33] = https://curl.se/bug/?i=8908
[34] = https://curl.se/bug/?i=8938
[35] = https://curl.se/bug/?i=8900
[36] = https://curl.se/bug/?i=8843
[37] = https://curl.se/bug/?i=8887
[38] = https://curl.se/bug/?i=8885
[39] = https://curl.se/bug/?i=8884
[40] = https://curl.se/bug/?i=8959
[41] = https://curl.se/bug/?i=8841
[42] = https://curl.se/bug/?i=8823
[43] = https://curl.se/bug/?i=8959
[44] = https://curl.se/bug/?i=8833
[45] = https://curl.se/bug/?i=8832
[46] = https://curl.se/bug/?i=8808
[47] = https://curl.se/bug/?i=8827
[48] = https://curl.se/bug/?i=8814
[49] = https://curl.se/bug/?i=8696
[50] = https://curl.se/bug/?i=8831
[51] = https://curl.se/bug/?i=8930
[52] = https://curl.se/bug/?i=8929
[53] = https://curl.se/bug/?i=8918
[54] = https://curl.se/bug/?i=8919
[55] = https://curl.se/bug/?i=8918
[56] = https://curl.se/bug/?i=8917
[57] = https://curl.se/bug/?i=8916
[58] = https://curl.se/bug/?i=8894
[59] = https://curl.se/bug/?i=8907
[60] = https://curl.se/bug/?i=8959
[61] = https://curl.se/bug/?i=8959
[62] = https://hackerone.com/reports/1590102
[63] = https://hackerone.com/reports/1589847
[64] = https://curl.se/bug/?i=8844
[65] = https://curl.se/bug/?i=8904
[66] = https://curl.se/bug/?i=9025
[67] = https://curl.se/bug/?i=8902
[68] = https://curl.se/bug/?i=8968
[69] = https://curl.se/bug/?i=8671
[70] = https://curl.se/bug/?i=8877
[71] = https://curl.se/bug/?i=8898
[72] = https://curl.se/docs/CVE-2022-32207.html
[73] = https://curl.se/bug/?i=8950
[74] = https://curl.se/bug/?i=8948
[75] = https://curl.se/bug/?i=8952
[76] = https://curl.se/bug/?i=8949
[77] = https://curl.se/bug/?i=8855
[78] = https://curl.se/bug/?i=7959
[79] = https://curl.se/bug/?i=8910
[80] = https://curl.se/bug/?i=8912
[81] = https://curl.se/bug/?i=8912
[82] = https://curl.se/bug/?i=8912
[83] = https://curl.se/docs/CVE-2022-32205.html
[84] = https://curl.se/bug/?i=8944
[85] = https://curl.se/bug/?i=8940
[86] = https://curl.se/bug/?i=8940
[87] = https://curl.se/bug/?i=8940
[88] = https://curl.se/bug/?i=8945
[89] = https://curl.se/bug/?i=8934
[90] = https://curl.se/bug/?i=8942
[91] = https://curl.se/bug/?i=8909
[92] = https://curl.se/bug/?i=8941
[93] = https://curl.se/bug/?i=8921
[94] = https://curl.se/bug/?i=9016
[95] = https://curl.se/bug/?i=8977
[96] = https://curl.se/bug/?i=8974
[97] = https://curl.se/bug/?i=9015
[98] = https://curl.se/bug/?i=8964
[99] = https://curl.se/bug/?i=8969
[100] = https://curl.se/bug/?i=8680
[101] = https://curl.se/bug/?i=8680
[102] = https://curl.se/bug/?i=9021
[103] = https://curl.se/bug/?i=9019
[104] = https://curl.se/bug/?i=9013
[105] = https://curl.se/bug/?i=9006
[106] = https://curl.se/docs/CVE-2022-32206.html
[107] = https://curl.se/docs/CVE-2022-32208.html
[110] = https://curl.se/bug/?i=8737
[112] = https://curl.se/bug/?i=9002
[113] = https://curl.se/bug/?i=9038
[114] = https://curl.se/bug/?i=9008
[116] = https://curl.se/bug/?i=9035
[118] = https://curl.se/bug/?i=9033
[119] = https://curl.se/bug/?i=8869
[120] = https://curl.se/bug/?i=8994
[121] = https://curl.se/bug/?i=8981
[124] = https://curl.se/bug/?i=8965
[125] = https://curl.se/bug/?i=8991
[126] = https://curl.se/bug/?i=9028
[127] = https://curl.se/bug/?i=8815