Version 7.16.0 (30 October 2006)
Daniel (25 October 2006)
- Fixed CURLOPT_FAILONERROR to return CURLE_HTTP_RETURNED_ERROR even for the
case when 401 or 407 are returned, *IF* no auth credentials have been given.
The CURLOPT_FAILONERROR option is not possible to make fool-proof for 401
and 407 cases when auth credentials is given, but we've now covered this
somewhat more.
You might get some amounts of headers transferred before this situation is
detected, like for when a "100-continue" is received as a response to a
POST/PUT and a 401 or 407 is received immediately afterwards.
Added test 281 to verify this change.
Daniel (23 October 2006)
- Ravi Pratap provided a major update with pipelining fixes. We also no longer
re-use connections (for pipelining) before the name resolving is done.
Daniel (21 October 2006)
- Nir Soffer made the tests/libtest/Makefile.am use a proper variable for all
the single test applications' link and dependences, so that you easier can
override those from the command line when using make.
- Armel Asselin separated CA cert verification problems from problems with
reading the (local) CA cert file to let users easier pinpoint the actual
problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code.
Daniel (18 October 2006)
- Removed the "protocol-guessing" for URLs with host names starting with FTPS
or TELNET since they are practically non-existant. This leaves us with only
three different prefixes that would assume the protocol is anything but
HTTP, and they are host names starting with "ftp.", "dict." or "ldap.".
Daniel (17 October 2006)
- Bug report #1579171 pointed out code flaws detected with "prefast", and they
were 1 - a too small memory clear with memset() in the threaded resolver and
2 - a range of potentially bad uses of the ctype family of is*() functions
such as isdigit(), isalnum(), isprint() and more. The latter made me switch
to using our own set of these functions/macros using uppercase letters, and
with some extra set of crazy typecasts to avoid mistakingly passing in
negative numbers to the underlying is*() functions.
- With Jeff Pohlmeyer's help, I fixed the expire timer when using
curl_multi_socket() during name resolves with c-ares and the LOW_SPEED
options now work fine with curl_multi_socket() as well.
Daniel (16 October 2006)
- Added a check in configure that simply tries to run a program (not when
cross-compiling) in order to detect problems with run-time libraries that
otherwise would occur when the sizeof tests for curl_off_t would run and
thus be much more confusing to users. The check of course should run after
all lib-checks are done and before any other test is used that would run an
executable built for testing-purposes.
Dan F (13 October 2006)
- The tagging of application/x-www-form-urlencoded POST body data sent
to the CURLOPT_DEBUGFUNCTION callback has been fixed (it was erroneously
included as part of the header). A message was also added to the
command line tool to show when data is being sent, enabled when
--verbose is used.
Daniel (12 October 2006)
- Starting now, adding an easy handle to a multi stack that was already added
to a multi stack will cause CURLM_BAD_EASY_HANDLE to get returned.
- Jeff Pohlmeyer has been working with the hiperfifo.c example source code,
and while doing so it became apparent that the current timeout system for
the socket API really was a bit awkward since it become quite some work to
be sure we have the correct timeout set.
Jeff then provided the new CURLMOPT_TIMERFUNCTION that is yet another
callback the app can set to get to know when the general timeout time
changes and thus for an application like hiperfifo.c it makes everything a
lot easier and nicer. There's a CURLMOPT_TIMERDATA option too of course in
good old libcurl tradition.
Jeff has also updated the hiperfifo.c example code to use this news.
Daniel (9 October 2006)
- Bogdan Nicula's second test case (posted Sun, 08 Oct 2006) converted to test
case 535 and it now runs fine. Again a problem with the pipelining code not
taking all possible (error) conditions into account.
Daniel (6 October 2006)
- Bogdan Nicula's hanging test case (posted Wed, 04 Oct 2006) was converted to
test case 533 and the test now runs fine.
Daniel (4 October 2006)
- Dmitriy Sergeyev provided an example source code that crashed CVS libcurl
but that worked nicely in 7.15.5. I converted it into test case 532 and
fixed the problem.
Daniel (29 September 2006)
- Removed a few other no-longer present options from the header file.
- Support for FTP third party transfers was removed. Here's why:
o The recent multi interface changes broke it and the design of the 3rd party
transfers made it very hard to fix the problems
o It was still blocking and thus nasty for the multi interface
o It was a lot of extra code for a very rarely used feature
o It didn't use the same code as for "plain" FTP transfers, so it didn't work
fine for IPv6 and it didn't properly re-use connections and more
o There's nobody around who's willing to work on and improve the existing
code
This does not mean that third party transfers are banned forever, only that
they need to be done better if they are to be re-added in the future.
The CURLOPT_SOURCE_* options are removed from the lib and so are the --3p*
options from the command line tool. For this reason, I also bumped the
version info for the lib.
Daniel (28 September 2006)
- Reported in #1561470 (http://curl.haxx.se/bug/view.cgi?id=1561470), libcurl
would crash if a bad function sequence was used when shutting down after
using the multi interface (i.e using easy_cleanup after multi_cleanup) so
precautions have been added to make sure it doesn't any more - test case 529
was added to verify.
Daniel (27 September 2006)
- The URL in the cookie jar file is now changed since it was giving a 404.
Reported by Timothy Stone. The new URL will take the visitor to a curl web
site mirror with the document.
Daniel (24 September 2006)
- Bernard Leak fixed configure --with-gssapi-libs.
- Cory Nelson made libcurl use the WSAPoll() function if built for Windows
Vista (_WIN32_WINNT >= 0x0600)
Daniel (23 September 2006)
- Mike Protts added --ftp-ssl-control to make curl use FTP-SSL, but only
encrypt the control connection and use the data connection "plain".
- Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better
as it now will read the full data sent from servers. The SOCKS-related code
was also moved to the new lib/socks.c source file.
Daniel (21 September 2006)
- Added test case 531 in an attempt to repeat bug report #1561470
(http://curl.haxx.se/bug/view.cgi?id=1561470) that is said to crash when an
FTP upload fails with the multi interface. It did not, but I made a failed
upload still assume the control connection to be fine.
Daniel (20 September 2006)
- Armel Asselin fixed problems when you gave a proxy URL with user name and
empty password or no password at all. Test case 278 and 279 were added to
verify.
Daniel (12 September 2006)
- Added docs/examples/10-at-a-time.c by Michael Wallner
- Added docs/examples/hiperfifo.c by Jeff Pohlmeyer
Daniel (11 September 2006)
- Fixed my breakage from earlier today so that doing curl_easy_cleanup() on a
handle that is part of a multi handle first removes the handle from the
stack.
- Added CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid to disable SSL
session-ID re-use on demand since there obviously are broken servers out
there that misbehave with session-IDs used.
- Jeff Pohlmeyer presented a *multi_socket()-using program that exposed a
problem with it (SIGSEGV-style). It clearly showed that the existing
socket-state and state-difference function wasn't good enough so I rewrote
it and could then re-run Jeff's program without any crash. The previous
version clearly could miss to tell the application when a handle changed
from using one socket to using another.
While I was at it (as I could use this as a means to track this problem
down), I've now added a 'magic' number to the easy handle struct that is
inited at curl_easy_init() time and cleared at curl_easy_cleanup() time that
we can use internally to detect that an easy handle seems to be fine, or at
least not closed or freed (freeing in debug builds fill the area with 0x13
bytes but in normal builds we can of course not assume any particular data
in the freed areas).
Daniel (9 September 2006)
- Michele Bini fixed how the hostname is put in NTLM packages. As servers
don't expect fully qualified names we need to cut them off at the first dot.
- Peter Sylvester cleaned up and fixed the getsockname() uses in ftp.c. Some
of them can be completetly removed though...
Daniel (6 September 2006)
- Ravi Pratap and I have implemented HTTP Pipelining support. Enable it for a
multi handle using CURLMOPT_PIPELINING and all HTTP connections done on that
handle will be attempted to get pipelined instead of done in parallell as
they are performed otherwise.
As a side-effect from this work, connections are now shared between all easy
handles within a multi handle, so if you use N easy handles for transfers,
each of them can pick up and re-use a connection that was previously used by
any of the handles, be it the same or one of the others.
This separation of the tight relationship between connections and easy
handles is most noticable when you close easy handles that have been used in
a multi handle and check amount of used memory or watch the debug output, as
there are times when libcurl will keep the easy handle around for a while
longer to be able to close it properly. Like for sending QUIT to close down
an FTP connection.
This is a major change.
Daniel (4 September 2006)
- Dmitry Rechkin (http://curl.haxx.se/bug/view.cgi?id=1551412) provided a
patch that while not fixing things very nicely, it does make the SOCKS5
proxy connection slightly better as it now acknowledges the timeout for
connection and it no longer segfaults in the case when SOCKS requires
authentication and you did not specify username:password.
Daniel (31 August 2006)
- Dmitriy Sergeyev found and fixed a multi interface flaw when using asynch
name resolves. It could get stuck in the wrong state.
Gisle (29 August 2006)
- Added support for other MS-DOS compilers (desides djgpp). All MS-DOS
compiler now uses the same config.dos file (renamed to config.h by
make). libcurl now builds fine using Watcom and Metaware's High-C
using the Watt-32 tcp/ip-stack.
Daniel (29 August 2006)
- David McCreedy added CURLOPT_SOCKOPTFUNCTION and CURLOPT_SOCKOPTDATA to
allow applications to set their own socket options.
Daniel (25 August 2006)
- Armel Asselin reported that the 'running_handles' counter wasn't updated
properly if you removed a "live" handle from a multi handle with
curl_multi_remove_handle().
Daniel (22 August 2006)
- David McCreedy fixed a remaining mistake from the August 19 TYPE change.
- Peter Sylvester pointed out a flaw in the AllowServerConnect() in the FTP
code when doing pure ipv6 EPRT connections.
Daniel (19 August 2006)
- Based on a patch by Armel Asselin, the FTP code no longer re-issues the TYPE
command on subsequent requests on a re-used connection unless it has to.
- Armel Asselin fixed a crash in the FTP code when using SINGLECWD mode and
files in the root directory.
- Andrew Biggs pointed out a "Expect: 100-continue" flaw where libcurl didn't
send the whole request at once, even though the Expect: header was disabled
by the application. An effect of this change is also that small (< 1024
bytes) POSTs are now always sent without Expect: header since we deem it
more costly to bother about that than the risk that we send the data in
vain.
Daniel (9 August 2006)
- Armel Asselin made the CURLOPT_PREQUOTE option work fine even when
CURLOPT_NOBODY is set true. PREQUOTE is then run roughly at the same place
in the command sequence as it would have run if there would've been a
transfer.
Daniel (8 August 2006)
- Fixed a flaw in the "Expect: 100-continue" treatment. If you did two POSTs
on a persistent connection and allowed the first to use that header, you
could not disable it for the second request.
Daniel (7 August 2006)
- Domenico Andreolfound a quick build error which happened because
src/config.h.in was not a proper duplcate of lib/config.h.in which it
should've been and this was due to the maketgz script not doing the cp
properly.
Version 7.15.5 (7 August 2006)
Daniel (2 August 2006)
- Mark Lentczner fixed how libcurl was not properly doing chunked encoding
if the header "Transfer-Encoding: chunked" was set by the application.
http://curl.haxx.se/bug/view.cgi?id=1531838
Daniel (1 August 2006)
- Maciej Karpiuk fixed a crash that would occur if we passed Curl_strerror()
an unknown error number on glibc systems.
http://curl.haxx.se/bug/view.cgi?id=1532289
Daniel (31 July 2006)
- *ALERT* curl_multi_socket() and curl_multi_socket_all() got modified
prototypes: they both now provide the number of running handles back to the
calling function. It makes the functions resemble the good old
curl_multi_perform() more and provides a nice way to know when the multi
handle goes empty.
ALERT2: don't use the curl_multi_socket*() functionality in anything
production-like until I say it's somewhat settled, as I suspect there might
be some further API changes before I'm done...
Daniel (28 July 2006)
- Yves Lejeune fixed so that replacing Content-Type: when doing multipart
formposts work exactly the way you want it (and the way you'd assume it
works).
Daniel (27 July 2006)
- David McCreedy added --ftp-ssl-reqd which makes curl *require* SSL for both
control and data connection, as the existing --ftp-ssl option only requests
it.
- [Hiper-related work] Added a function called curl_multi_assign() that will
set a private pointer added to the internal libcurl hash table for the
particular socket passed in to this function:
CURLMcode curl_multi_assign(CURLM *multi_handle,
curl_socket_t sockfd,
void *sockp);
'sockp' being a custom pointer set by the application to be associated with
this socket. The socket has to be already existing and in-use by libcurl,
like having already called the callback telling about its existance.
The set hashp pointer will then be passed on to the callback in upcoming
calls when this same socket is used (in the brand new 'socketp' argument).
Daniel (26 July 2006)
- Dan Nelson added the CURLOPT_FTP_ALTERNATIVE_TO_USER libcurl option and curl
tool option named --ftp-alternative-to-user. It provides a mean to send a
particular command if the normal USER/PASS approach fails.
- Michael Jerris added magic that builds lib/curllib.vcproj automatically for
newer MSVC.
Daniel (25 July 2006)
- Georg Horn made the transfer timeout error message include more details.
Daniel (20 July 2006)
- David McCreedy fixed a build error when building libcurl with HTTP disabled,
problem added with the curl_formget() patch.
Daniel (17 July 2006)
- Jari Sundell did some excellent research and bug tracking, figured out that
we did wrong and patched it: When nodes were removed from the splay tree,
and we didn't properly remove it from the splay tree when an easy handle was
removed from a multi stack and thus we could wrongly leave a node in the
splay tree pointing to (bad) memory.
Daniel (14 July 2006)
- David McCreedy fixed a flaw where the CRLF counter wasn't properly cleared
for FTP ASCII transfers.
Daniel (8 July 2006)
- Ates Goral pointed out that libcurl's cookie parser did case insensitive
string comparisons on the path which is incorrect and provided a patch that
fixes this. I edited test case 8 to include details that test for this.
- Ingmar Runge provided a source snippet that caused a crash. The reason for
the crash was that libcurl internally was a bit confused about who owned the
DNS cache at all times so if you created an easy handle that uses a shared
DNS cache and added that to a multi handle it would crash. Now we keep more
careful internal track of exactly what kind of DNS cache each easy handle
uses: None, Private (allocated for and used only by this single handle),
Shared (points to a cache held by a shared object), Global (points to the
global cache) or Multi (points to the cache within the multi handle that is
automatically shared between all easy handles that are added with private
caches).
Daniel (4 July 2006)
- Toshiyuki Maezawa fixed a problem where you couldn't override the
Proxy-Connection: header when using a proxy and not doing CONNECT.
Daniel (24 June 2006)
- Michael Wallner added curl_formget(), which allows an application to extract
(serialise) a previously built formpost (as with curl_formadd()).
Daniel (23 June 2006)
- Arve Knudsen found a flaw in curl_multi_fdset() for systems where
curl_socket_t is unsigned (like Windows) that could cause it to wrongly
return a max fd of -1.
Daniel (20 June 2006)
- Peter Silva introduced CURLOPT_MAX_SEND_SPEED_LARGE and
CURLOPT_MAX_RECV_SPEED_LARGE that limit tha maximum rate libcurl is allowed
to send or receive data. This kind of adds the the command line tool's
option --limit-rate to the library.
The rate limiting logic in the curl app is now removed and is instead
provided by libcurl itself. Transfer rate limiting will now also work for -d
and -F, which it didn't before.
Daniel (19 June 2006)
- Made -K on a file that couldn't be read cause a warning to be displayed.
Daniel (13 June 2006)
- Dan Fandrich implemented --enable-hidden-symbols configure option to enable
-fvisibility=hidden on gcc >= 4.0. This reduces the size of the libcurl
binary and speeds up dynamic linking by hiding all the internal symbols from
the symbol table.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
Version 7.15.4 (12 June 2006)
Daniel (8 June 2006)
- Brian Dessent fixed the code for cygwin in three distinct ways:
The first modifies {lib,src}/setup.h to not include the winsock headers
under Cygwin. This fixes the reported build problem. Cygwin attempts as
much as possible to emulate a posix environment under Windows. This means
that WIN32 is *not* #defined and (to the extent possible) everything is done
as it would be on a *ix type system. Thus <sys/socket.h> is the proper
include, and even though winsock2.h is present, including it just introduces
a whole bunch of incompatible socket API stuff.
The second is a patch I've included in the Cygwin binary packages for a
while. It skips two unnecessary library checks (-lwinmm and -lgdi32). The
checks are innocuous and they do succeed, but they pollute LIBS with
unnecessary stuff which gets recorded as such in the libcurl.la file, which
brings them into the build of any libcurl-downstream. As far as I know
these libs are really only necessary for mingw, so alternatively they could
be designed to only run if $host matches *-*-mingw* but I took the safer
route of skipping them for *-*-cygwin*.
The third patch replaces all uses of the ancient and obsolete __CYGWIN32__
with __CYGWIN__. Ref: <http://cygwin.com/ml/cygwin/2003-09/msg01520.html>.
Daniel (7 June 2006)
- Mikael Sennerholm provided a patch that added NTLM2 session response support
to libcurl. The 21 NTLM test cases were again modified to comply...
Daniel (27 May 2006)
- Óscar Morales Vivó updated the libcurl.framework.make file.
Daniel (26 May 2006)
- Olaf Stüben fixed a bug that caused Digest authentication with md5-sess to
fail. When using the md5-sess, the result was not Md5 encoded and Base64
transformed.
Daniel (25 May 2006)
- Michael Wallner provided a patch that allows "SESS" to be set with
CURLOPT_COOKIELIST, which then makes all session cookies get cleared.
Daniel (24 May 2006)
- Tor Arntsen made test 271 run fine again since the TFTP path fix.
Daniel (23 May 2006)
- Martin Michlmayr filed debian bug report #367954, but the same error also
showed up in the autobuilds. It seems a rather long-since introduced shell
script flaw in the configure script suddenly was detected by the bash
version in Debian Unstable. It had previously passed undetected by all
shells used so far...
- David McCreedy updated lib/config-tpf.h
Daniel (11 May 2006)
- Fixed the configure's check for old-style SSLeay headers since I fell over a
case with a duplicate file name (a krb4 implementation with an err.h
file). I converted the check to manually make sure three of the headers are
present before considering them fine.
- David McCreedy provided a fix for CURLINFO_LASTSOCKET that does extended
checks on the to-be-returned socket to make sure it truly seems to be alive
and well. For SSL connection it (only) uses OpenSSL functions.
Daniel (10 May 2006)
- Fixed DICT in two aspects:
1 - allow properly URL-escaped words, like using %20 for spaces
2 - properly escape certain letters within a word to comply to the RFC2229
Daniel (9 May 2006)
- Andreas Ntaflos reported a bug in libcurl.m4: When configuring my GNU
autotools project, which optionally (default=yes) uses libcurl on a system
without a (usable) libcurl installation, but not specifying
`--without-libcurl', configure determines correctly that no libcurl is
available, however, the LIBCURL variable gets expanded to `LIBCURL = -lcurl'
in the resulting Makefiles.
David Shaw fixed the flaw.
- Robson Braga Araujo fixed two problems in the recently added non-blocking SSL
connects. The state machine was not reset properly so that subsequent
connects using the same handle would fail, and there were two memory leaks.
- Robson Braga Araujo fixed a memory leak when you added an easy handle to a
multi stack and that easy handle had already been used to do one or more
easy interface transfers, as then the code threw away the previously used
DNS cache without properly freeing it.
Daniel (8 May 2006)
- Dan Fandrich went over the TFTP code and he pointed out and fixed numerous
problems:
* The received file is corrupted when a packet is lost and retransmitted
(this is a serious problem!)
* Transmitting a file aborts if a block is lost and retransmitted
* Data is stored in the wrong location in the buffer for uploads, so uploads
always fail (I don't see how it could have ever worked, but it did on x86
at least)
* A number of calls are made to strerror instead of Curl_strerror, making
the code not thread safe
* There are references to errno instead of Curl_sockerrno(), causing
incorrect error messages on Windows
* The file name includes a leading / which violates RFC3617. Doing something
similar to ftp, where two slashes after the host name means an absolute
reference seems a reasonable extension to fix this.
* Failures in EBCDIC conversion are not propagated up to the caller but are
silently ignored
- Fixed known bug #28. The TFTP code no longer assumes a packed struct and
thus works reliably on more platforms.
Daniel (5 May 2006)
- Roland Blom filed bug report #1481217
(http://curl.haxx.se/bug/view.cgi?id=1481217), with follow-ups by Michele
Bini and David Byron. libcurl previously wrongly used GetLastError() on
windows to get error details after socket-related function calls, when it
really should use WSAGetLastError() instead.
When changing to this, the former function Curl_ourerrno() is now instead
called Curl_sockerrno() as it is necessary to only use it to get errno from
socket-related functions as otherwise it won't work as intended on Windows.
Daniel (4 May 2006)
- Mark Eichin submitted bug report #1480821
(http://curl.haxx.se/bug/view.cgi?id=1480821) He found and identified a
problem with how libcurl dealt with GnuTLS and a case where gnutls returned
GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
return code, making Curl_ssl_send() confuse the upper layer - causing random
28 bytes trash data to get inserted in the transfered stream.
The proper fix was to make the Curl_gtls_send() function return the proper
return codes that the callers would expect. The Curl_ossl_send() function
already did this.
Daniel (2 May 2006)
- Added a --checkfor option to curl-config to allow users to easier
write for example shell scripts that test for the presence of a
new-enough libcurl version. If --checkfor is given a version string
newer than what is currently installed, curl-config will return a
non-zero exit code and output a string about the unfulfilled
requirement.
Daniel (26 April 2006)
- David McCreedy brought initial line end conversions when doing FTP ASCII
transfers. They are done on non-windows systems and translate CRLF to LF.
I modified the 15 LIST-using test cases accordingly. The downside is that now
we'll have even more trouble to get the tests to run on Windows since they
should get CRLF newlines left intact which the *nix versions don't. I figure
the only sane thing to do is to add some kind of [newline] macro for the test
case files and have them expanded to the proper native line ending when the
test cases are run. This is however left to implement.
Daniel (25 April 2006)
- Paul Querna fixed libcurl to better deal with deflate content encoding
when the stream (wrongly) lacks a proper zlib header. This seems to be the
case on too many actual server implementations.
Daniel (21 April 2006)
- Ale Vesely fixed CURLOPT_INTERFACE when using a hostname.
Daniel (19 April 2006)
- Based on previous info from Tor Arntsen, I made configure detect the Intel
ICC compiler to add a compiler option for it, in order for configure to
properly be able to detect function prototypes.
- Robson Braga Araujo provided a patch that makes libcurl less eager to close
the control connection when using FTP, for example when you remove an easy
handle from a multi stack.
- Applied a patch by Ates Goral and Katie Wang that corrected my bad fix
attempt from April 10.
Daniel (11 April 2006)
- #1468330 (http://curl.haxx.se/bug/view.cgi?id=1468330) pointed out a bad
typecast in the curl tool leading to a crash with (64bit?) VS2005 (at least)
since the struct timeval field tv_sec is an int while time_t is 64bit.
Daniel (10 April 2006)
- Ates Goral found out that if you specified both CURLOPT_CONNECTTIMEOUT and
CURLOPT_TIMEOUT, the _longer_ time would wrongly be used for the SSL
connection time-out!
- I merged my hiper patch (http://curl.haxx.se/libcurl/hiper/) into the main
sources. See the lib/README.multi_socket for implementation story with
details. Don't expect it to work fully yet. I don't intend to blow any
whistles or ring any bells about it until I'm more convinced it works at
least somewhat reliably.
Daniel (7 April 2006)
- David McCreedy's EBCDIC and TPF changes. Three new curl_easy_setopt()
options (callbacks) were added:
CONV_FROM_NETWORK_FUNCTION
CONV_TO_NETWORK_FUNCTION
CONV_FROM_UTF8_FUNCTION
Daniel (5 April 2006)
- Michele Bini modified the NTLM code to work for his "weird IIS case"
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
function in addition to the LM one and making some other adjustments in the
order the different parts of the data block are sent in the Type-2 reply.
Inspiration for this work was taken from the Firefox NTLM implementation.
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
to the fact that we now properly include the host name in the Type-2 message
the test cases now only compare parts of that chunk.
Daniel (28 March 2006)
- #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that
occurred when asking libcurl to follow HTTP redirects and the original URL
had more than one question mark (?). Added test case 276 to verify.
Daniel (27 March 2006)
- David Byron found a problem multiple -d options when libcurl was built with
--enable-debug, as then curl used free() on memory allocated both with
normal malloc() and with libcurl-provided functions, when the latter MUST be
freed with curl_free() in debug builds.
Daniel (26 March 2006)
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
called bind() with a too big argument in the 3rd parameter and at least
Tru64, AIX and IRIX seem to be very picky about it.
Daniel (21 March 2006)
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.
- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
(when using OpenSSL).
- Tor Arntsen fixed the AIX Toolbox RPM spec
Daniel (20 March 2006)
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
reacts properly according to the CURLOPT_FTP_SSL setting.
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
whose length was a multiple of 512 bytes could have random garbage
appended. Also, stop processing TFTP packets which are too short to be
legal.
- Ilja van Sprundel reported a possible crash in the curl tool when using
"curl hostwithoutslash -d data -G"
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
Fixes a TFTP packet buffer overflow vulnerability.
See http://curl.haxx.se/docs/adv_20060320.html for details.
Changes:
- added docs for --ftp-method and CURLOPT_FTP_FILEMETHOD
Bugfixes:
- TFTP Packet Buffer Overflow Vulnerability
- properly detecting problems with sending the FTP command USER
- wrong error message shown when certificate verification failed
- multi-part formpost with multi interface crash
- the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL is acknowledged
- "SSL: couldn't set callback" is now treated as a less serious problem
- Interix build fix
- fixed curl "hang" when out of file handles at start
- prevent FTP uploads to URLs with trailing slash
Version 7.15.2 (27 February 2005)
Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
different but related bugs:
1) Removing an easy handle from a multi handle before the transfer is done
could leave a connection in the connection cache for that handle that is
in a state that isn't suitable for re-use. A subsequent re-use could then
read from a NULL pointer and segfault.
2) When an easy handle was removed from the multi handle, there could be an
outstanding c-ares DNS name resolve request. When the response arrived,
it caused havoc since the connection struct it "belonged" to could've
been freed already.
Now Curl_done() is called when an easy handle is removed from a multi handle
pre-maturely (that is, before the transfer was complteted). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
type to the already provided type CURLPROXY_SOCKS4.
I added a --socks4 option that works like the current --socks5 option but
instead use the socks4 protocol.
Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
content when libcurl didn't honor the internal ignorebody flag.
Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate
code. It should however not be the cause of any troubles. He also fixed a
few similar problems in the HTTP test server code.
Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times,
as previously it could be holding on to old cached entries longer than
requested.
Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
that an app can use to let libcurl only connect to a remote host and then
extract the socket from libcurl. libcurl will then not attempt to do any
transfer at all after the connect is done.
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
instead of LDFLAGS.
Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem
with re-used FTP connections. If the second request on the same connection
was set not to fetch a "body", libcurl could get confused and consider it an
attempt to use a dead connection and would go acting mighty strange.
Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
change done in November 2005.
Daniel (30 January 2006)
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
curl tool with --local-port. Plain and simply set the range of ports to bind
the local end of connections to. Implemented on to popular demand.
- Based on an error report by Philippe Vaucher, we no longer count a retried
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
connection is re-setup and 2) it does make the max-redirs counter behave
wrong.
Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try
PASV even after EPSV returned a positive response code, if libcurl failed to
connect to the port number the EPSV response said. Obviously some people are
going through protocol-sensitive firewalls (or similar) that don't
understand EPSV and then they don't allow the second connection unless PASV
was used. This also called for a minor fix of test case 238.
Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP]
(CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
"native" IP while it works fine for ipv6-disabled builds!
In the process of fixing this, I removed the support for LPRT since I can't
think of many reasons to keep doing it and asking on the mailing list didn't
reveal anyone else that could either. The code that sends EPRT and PORT is
now also a lot simpler than before (IMHO).
Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
(built ipv4-only) didn't work.
Daniel (18 January 2006)
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
the configure script complained about a missing "missing" script if you ran
configure within a path whose name included one or more spaces. This is due
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
be used instead of the one automake ships with. This kludge needs to be
removed once we get an automake version with this problem corrected.
Possibly we'll then need to convert this into a kludge depending on what
automake version that is used and that is gonna be painful and I don't even
want to think about that now...!
Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
the latest features and protocols that libcurl supports and has a minor fix
to better deal with the obscure case where someone has more than one libcurl
installed at the same time.
Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially
not supporting it. It hasn't been functioning for years anyway, so this is
just finally stating what already was true. And a cleanup at the same time.
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
into a counter, and thus you can now do multiple curl_global_init() and you
are then supposed to do the same amount of calls to curl_global_cleanup().
Bryan has also updated the docs accordingly.
Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the
test script to kill all processes in the current process group!
Daniel (12 January 2006)
- Michael Jahn:
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
HTTP proxy.
Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would
previously overwrite internal memory and cause unpredicted behaviour!
Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've received *NO*
feedback at all on my mailing list requests from November 2005:
I'm looking for feedback and comments. I added some experimental code the
other day, that allows a libcurl user to select what method libcurl should
use to reach a file on a FTP(S) server.
This functionality is available in CVS code and in recent daily snapshots.
Let me explain...
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
the command line tool) and you set it to a long (there are currenly no
defines for the argument values, just plain numericals). You can set three
different "methods" that do this:
1 multicwd - like today, curl will do a single CWD operation for each path
part in the given URL. For deep hierarchies this means very many
commands. This is how RFC1738 says it should be done. This is the
default.
2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
a full path to the server.
3 singlecwd - make one CWD with the full target directory and then operate
on the file "normally".
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
one of "multicwd", "nocwd" or "singlecwd".)
What feedback I'm interested in:
1 - Do they work at all? Do you find servers where one of these don't work?
2 - What would proper names for the option and its arguments be, if we
consider this feature good enough to get included and documented in
upcoming releases?
3 - Should we make libcurl able to "walk through" these options in case of
(path related) failures, or should it fail and let the user redo any
possible retries?
(This option is not documented in any man page just yet since I'm not sure
these names will be used or if the functionality will end up exactly like
this. And for the same reasons we have no test cases for these yet.)
Daniel (10 January 2006)
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
given subdirs, libcurl would still "remember" the full path as if it is the
current directory libcurl is in so that the next curl_easy_perform() would
get really confused if it tried the same path again - as it would not issue
any CWD commands at all, assuming it is already in the "proper" dir.
Starting now, a failed CWD command sets a flag that prevents the path to be
"remembered" after returning.
Daniel (7 January 2006)
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
proxy actually used a new connection and not sent the second request on the
first socket!
Daniel (6 January 2006)
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
is present instead of trying to mimic that script in curl's buildconf
script.
Daniel (3 January 2006)
- Andres Garcia made the TFTP test server build with mingw.
Daniel (16 December 2005)
- Jean Jacques Drouin pointed out that you could only have a user name or
password of 127 bytes or less embedded in a URL, where actually the code
uses a 255 byte buffer for it! Modified now to use the full buffer size.
Daniel (12 December 2005)
- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly
Changes:
- the libcurl.pc pkgconfig file now gets installed on make install
- URL globbing now offers "range steps": [1-100:10]
- LDAPv3 is now the preferred LDAP protocol version
- --max-redirs and CURLOPT_MAXREDIRS set to 0 limits redirects
- improved MSVC makefile
Bugfixes:
- URL buffer overflow problem (CVE-2005-4077)
- using file:// on non-existing files are properly handled
- builds fine on DJGPP
- CURLOPT_ERRORBUFFER is now always filled in on errors
- curl outputs error on bad --limit-rate units
- fixed libcurl's use of poll() on cygwin
- the GnuTLS code didn't support client certificates
- TFTP over IPv6 works
- no reverse lookups on IP addresses when ipv6-enabled
- SSPI compatibility fix: using the proper DLLs
- binary LDAP properties are now shown base64 encoded
- Windows uploads from stdin using curl can now contain ctrl-Z bytes
- -r [num] would produce an invalid HTTP Range: header
- multi interface with multi IP hosts could leak socket descriptors
- the GnuTLS code didn't handle rehandshakes
- re-use of a dead FTP connection
- name resolve error codes fixed for Windows builds
- double WWW-Authenticate Digest headers are now handled
- curl-config --vernum fixed
* GNU GSS support
* --ignore-content-length and CURLOPT_IGNORE_CONTENT_LENGTH added
* negotiates data connection SSL earlier when doing FTPS with PASV
* CURLOPT_COOKIELIST and CURLINFO_COOKIELIST
* trailer support for chunked encoded data streams
* -x/CURL_PROXY strings may now contain user+password
* --trace-time now outputs the full microsecond, all 6 digits
* Bugfixes
using it (such as the new drivel-2.0.0). Bump PKGREVISION to 1.
The problem is that this header file requires the fd_set definitions, but
it only pulls in <sys/select.h> on AIX and NETWARE systems. Instead, change
the inclusion to only happen if configure script detected it during build
time.
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
doesn't work as good as if built without poll(). I've adjusted the configure
to always skip the fine-poll() test on Mac OS X (darwin).
- When doing a second request (after a disconnect) using the same easy handle,
over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
properly (the auth method was accidentally reset to the same as had been set
for host auth, which defaults to Basic).
- If -z/--time-cond is used with an invalid date syntax, this is no longer
silently discarded. Instead a proper warning message is diplayed that
informs about it. But it still continues without the condition.
Version 7.13.1 (4 March 2005)
Daniel (4 March 2005)
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
the cookie "engine" without having to provide an empty or non-existing file.
- Rene Rebe fixed a -# crash when more data than expected was retrieved.
Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
http://www.securityfocus.com/archive/1/391042 and the CAN report here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
If these security guys were serious, we'd been notified in advance and we
could've saved a few of you a little surprise, but now we weren't.
Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.
Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
configure when mingw is used.
Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
didn't close the socket properly when returning error due to failing
localbind
Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
that picks NTLM. Thanks to David Byron letting me test NTLM against his
servers, I could quickly repeat and fix the problem. It turned out to be:
When libcurl POSTs without knowing/using an authentication and it gets back
a list of types from which it picks NTLM, it needs to either continue
sending its data if it keeps the connection alive, or not send the data but
close the connection. Then do the first step in the NTLM auth. libcurl
didn't send the data nor close the connection but simply read the
response-body and then sent the first negotiation step. Which then failed
miserably of course. The fixed version forces a connection if there is more
than 2000 bytes left to send.
Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
was never used.
Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
week day names and month names and servers don't like that.
Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
libcurl is built shared. Otherwise valgrind only tests the shell that runs
the wrapper-script named 'curl' that is a front-end to curl in this case.
This should also fix the huge amount of reports of false positives when
valgrind has identified leaks in (ba)sh and not in curl and people report
that as curl bugs. Bug report #1116672 is one example.
Also, the valgrind report parser has been adapted to check that at least one
of the sources in a stack strace is one of (lib)curl's source files or
otherwise it will not consider the problem to concern (lib)curl.
- Marty Kuhrt streamlined the VMS build.
Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here:
http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
SSL_pending() as we should.
- Converted lots of FTP code to a statemachine, so that the multi interface
doesn't block while communicating commands-responses with an FTP server.
I've added a comment like BLOCKING in the code on all spots I could find
where we still have blocking operations. When we change curl_easy_perform()
to use the multi interface, we'll also be able to simplify the code since
there will only be one "internal interface".
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
like changing directory or retrieving a file, while the second means that we
were denied login.
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
case of future need.
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
sure the proper error code is returned for those occations.
Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
contents.
Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
PORT on ipv6-enabled hosts.
- David Byron pointed out we could use BUFSIZE to read data (in
lib/transfer.c) instead of using BUFSIZE -1.
This release includes the following changes:
o added --ftp-account and CURLOPT_FTP_ACCOUNT
o added CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE
o obsoleted CURLOPT_SOURCE_HOST, CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT
and CURLOPT_PASV_HOST
o added --3p-url, --3p-user and --3p-quote
o -Q "+[command]" was added
o src/getpass.c license issue sorted (code was rewritten)
o curl -w now supports 'http_connect' for the proxy's response to CONNECT
o introducing "curl-config --protocols"
This release includes the following bugfixes:
o re-sending a request when retrying on a fresh connection with multi
interface
o improved valgrind report parser in the test suite
o several valgrind reports
o CURLOPT_FTPPORT and -P work when built ipv6-enabled
o FTP third party transfers was much improved
o proxy environment variables are now ignored when built HTTP-disabled
o CURLOPT_PROXY can now disable HTTP proxy even when built HTTP-disabled
o "curl dictionary.com" no longer assumes DICT protocol
o re-invoke some system calls on EINTR
o duplicate Host: when failed connection re-use
o SOCKS5 version check
o memory problem with cleaning up multi interface
o SSL certificate name memory leak
o -d with -G to multiple URLs crashed
o double va_list access crash fixed
o minor memory leak when "version" is set in a cookie header
o builds fine on BeOS and NetBSD
o builds and runs fine on FreeBSD
Version 7.12.3 (20 December 2004)
Daniel (19 December 2004)
- I investigated our PKCS12 build problem on Solaris 2.7 with OpenSSL 0.9.7e,
and it turned out to be the fault of the zlib 1.1.4 headers doing a typedef
named 'free_func' and the OpenSSL headers have a prototype that uses
'free_func' in one of its arguments. This is why the compile errors out.
In other words, we need to include the openssl/pkcs12.h header before the
zlib.h header and it builds fine. The configure script now checks for this
file and it then gets included early in lib/urldata.h.
Daniel (18 December 2004)
- Samuel Listopad added support for PKCS12 formatted certificates.
- Samuel Listopad fixed -E to support "C:/path" (with forward slash) as well.
Daniel (16 December 2004)
- Gisle found and fixed a problem in the directory re-use for FTP.
I added test case 215 and 216 to better verify the functionality.
- Dinar in bug report #1086121, found a file handle leak when a multipart
formpost (including a file upload part) was aborted before the whole file
was sent.
Daniel (15 December 2004)
- Tom Lee found out that globbing of strings with backslashes didn't work as
you'd expect. Backslashes are such a central part of windows file names that
forcing backslashes to have to be escaped with backslashes is a bit too
awkward to users. Starting now, you only need to escape globbing characters
such as the five letters: "[]{},". Added test case 214 to verify this.
Daniel (14 December 2004)
- Harshal Pradhan patched a HTTP persistent connection flaw: if the user name
and/or password were modified between two requests on a persistent
connection, the second request were still made with the first setup!
I added test case 519 to verify the fix.
Daniel (13 December 2004)
- Gisle added CURLINFO_SSL_ENGINES to curl_easy_getinfo() to allow an app
to list all available crypto ENGINES.
- Gisle fixed bug report #1083542, which pointed out a problem with resuming
large file (>4GB) file:// transfers on windows.
Daniel (11 December 2004)
- Made the test suite HTTP server (sws) capable of using IPv6, and then
extended the test environment to support that and also added three test
cases (240, 241, 242) that run tests using IPv6. Test 242 uses a URL that
didn't work before the 10 dec fix by Kai Sommerfeld.
- Made a failed file:// resume output an error message
- Corrected the CURLE_BAD_DOWNLOAD_RESUME error message in lib/strerror.c
- Dan Fandrich:
simplified and consolidated the SSL checks in configure and the usage of the
defines in lib/setup.h
provided a first libcurl.pc.in file for pkg-config (but the result is not
installed anywhere at this point)
extended the cross compile section in the docs/INSTALL file
Daniel (10 December 2004)
- When providing user name in the URL and a IPv6-style IP-address (like in
"ftp://user@[::1]/tmp"), the URL parser didn't get the host extracted
properly. Reported and fixed by Kai Sommerfeld.
Daniel (9 December 2004)
- Ton Voon provided a configure fix that should fix the notorious (mostly
reported on Solaris) problem where the size_t check fails due to the SSL
libs being found in a dir not searched through by the run-time linker.
patch-tracker entry #1081707.
- Bryan Henderson pointed out in bug report #1081788 that the curl-config
--vernum output wasn't zero prefixed properly (as claimed in documentation).
This is fixed in maketgz now.
Daniel (8 December 2004)
- Matt Veenstra updated the mach-O framework files for Mac OS X.
- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. This is not an exploitable buffer overflow. No need to get alarmed.
Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
even if no errorbuffer is set.
Daniel (6 December 2004)
- Dan Fandrich added the --disable-cookies option to configure to build
libcurl without cookie support. This is mainly useful if you want to build a
minimalistic libcurl with no cookies support at all. Like for embedded
systems or similar.
- Richard Atterer fixed libcurl's way of dealing with the EPSV
response. Previously, libcurl would re-resolve the host name with the new
port number and attempt to connect to that, while it should use the IP from
the control channel. This bug made it hard to EPSV from an FTP server with
multiple IP addresses!
Daniel (3 December 2004)
- Bug report #1078066: when a chunked transfer was pre-maturely closed exactly
at a chunk boundary it was not considered an error and thus went unnoticed.
Fixed by Maurice Barnum.
Added test case 207 to verify.
Daniel (2 December 2004)
- Fixed the CONNECT loop to default timeout to 3600 seconds.
Added test case 206 that makes CONNECT with Digest.
Fixed a flaw that prepended "(nil)" to the initial CONNECT rqeuest's user-
agent field.
Daniel (30 November 2004)
- Dan Fandrich's fix for libz 1.1 and "extra field" usage in a gzip stream
- Dan also helped me with input data to create three more test cases for the
--compressed option.
Daniel (29 November 2004)
- I improved the test suite to enable binary contents in the tests (by proving
it base64 encoded), like for testing decompress etc. Added test 220 and 221
for this purpose. Tests can now also depend on libz to run.
- As reported by Reinout van Schouwen in Mandrake's bug tracker bug 12285
(http://qa.mandrakesoft.com/show_bug.cgi?id=12285), when connecting to an
IPv6 host with FTP, --disable-epsv (or --disable-eprt) effectively disables
the ability to transfer a file. Now, when connected to an FTP server with
IPv6, these FTP commands can't be disabled even if asked to with the
available libcurl options.
Daniel (26 November 2004)
- As reported in Mandrake's bug tracker bug 12289
(http://qa.mandrakesoft.com/show_bug.cgi?id=12289), curl would print a
newline to "finish" the progress meter after each redirect and not only
after a completed transfer.
Daniel (25 November 2004)
- FTP improvements:
If EPSV, EPRT or LPRT is tried and doesn't work, it will not be retried on
the same server again even if a following request is made using a persistent
connection.
If a second request is made to a server, requesting a file from the same
directory as the previous request operated on, libcurl will no longer make
that long series of CWD commands just to end up on the same spot. Note that
this is only for *exactly* the same dir. There is still room for improvements
to optimize the CWD-sending when the dirs are only slightly different.
Added test 210, 211 and 212 to verify these changes. Had to improve the
test script too and added a new primitive to the test file format.
Daniel (24 November 2004)
- Andrés García fixed the configure script to detect select properly when run
with Msys/Mingw on Windows.
Daniel (22 November 2004)
- Made HTTP PUT and POST requests no longer use HEAD when doing multi-pass
auth negotiation (NTLM, Digest and Negotiate), but instead use the request
keyword "properly". Details in lib/README.httpauth. This also introduces
CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA, to be used by apps that use the
"any" auth alternative as then libcurl may need to send the PUT/POST data
more than once and thus may need to ask the app to "rewind" the read data
stream to start.
See also the new example using this: docs/examples/anyauthput.c
- David Phillips enhanced test 518. I made it depend on a "feature" so that
systems without getrlimit() won't attempt to test 518. configure now checks
for getrlimit() and setrlimit() for this test case.
Daniel (18 November 2004)
- David Phillips fixed libcurl to not crash anymore when more than FD_SETSIZE
file descriptors are in use. Test case 518 added to verify.
Daniel (15 November 2004)
- To test my fix for the CURLINFO_REDIRECT_TIME bug, I added time_redirect and
num_redirects support to the -w writeout option for the command line tool.
- Wojciech Zwiefka found out that CURLINFO_REDIRECT_TIME didn't work as
documented.
Daniel (12 November 2004)
- Gisle Vanem modigied the MSVC and Netware makefiles to build without
libcurl.def
- Dan Fandrich added the --disable-crypto-auth option to configure to allow
libcurl to build without Digest support. (I figure it should also explicitly
disable Negotiate and NTLM.)
- *** Modified Behaviour Alert ***
Setting CURLOPT_POSTFIELDS to NULL will no longer do a GET.
Setting CURLOPT_POSTFIELDS to "" will send a zero byte POST and setting
CURLOPT_POSTFIELDS to NULL and CURLOPT_POSTFIELDSIZE to zero will also make
a zero byte POST. Added test case 515 to verify this.
Setting CURLOPT_HTTPPOST to NULL makes a zero byte post. Added test case 516
to verify this.
CURLOPT_POSTFIELDSIZE must now be set to -1 to signal "we don't know".
Setting it to zero simply says this is a zero byte POST.
When providing POST data with a read callback, setting the size up front
is now made with CURLOPT_POSTFIELDSIZE and not with CURLOPT_INFILESIZE.
Daniel (11 November 2004)
- Dan Fandrich added --disable-verbose to the configure script to allow builds
without verbose strings in the code, to save some 12KB space. Makes sense
only for systems with very little memory resources.
- Jeff Phillips found out that a date string with a year beyond 2038 could
crash the new date parser on systems with 32bit time_t. We now check for
this case and deal with it.
Daniel (10 November 2004)
- I installed Heimdal on my Debian box (using the debian package) and noticed
that configure --with-gssapi failed to create a nice build. Fixed now.
Daniel (9 November 2004)
- Gisle Vanem marked all external function calls with CURL_EXTERN so that now
the Windows, Netware and other builds no longer need libcurl.def or similar
files.
Daniel (8 November 2004)
- Made the configure script check for tld.h if libidn was detected, since
libidn 0.3.X didn't have such a header and we don't work with anything
before libidn 0.4.1 anyway! Suse 9.1 apparently ships with a 0.3.X version
of libidn which makes the curl 7.12.2 build fail. Jean-Philippe
Barrette-LaPierre helped pointing this out.
- Ian Gulliver reported in debian bug report #278691: if curl is invoked in an
environment where stderr is closed the -v output will still be sent to file
descriptor 2 which then might be the network socket handle! Now we have a
weird hack instead that attempts to make sure that file descriptor 2 is
opened (with a call to pipe()) before libcurl is called to do the transfer.
configure now checks for pipe() and systems without pipe don't get the weird
hack done.
Daniel (5 November 2004)
- Tim Sneddon made libcurl send no more than 64K in a single first chunk when
doing a huge POST on VMS, as this is a system limitation. Default on general
systems is 100K.
Daniel (4 November 2004)
- Andres Garcia made it build on mingw againa, my --retry code broke the build.
Daniel (2 November 2004)
- Added --retry-max-time that allows a maximum time that may not have been
reached for a retry to be made. If not set there is no maximum time, only
the amount of retries set with --retry.
- Paul Nolan provided a patch to make libcurl build nicely on Windows CE.
Daniel (1 November 2004)
- When cross-compiling, the configure script no longer attempts to use
pkg-config on the build host in order to detect OpenSSL compiler options.
Daniel (27 October 2004)
- Dan Fandrich:
An improvement to the gzip handling of libcurl. There were two problems with
the old version: it was possible for a malicious gzip file to cause libcurl
to leak memory, as a buffer was malloced to hold the header and never freed
if the header ended with no file contents. The second problem is that the
64 KiB decompression buffer was allocated on the stack, which caused
unexpectedly high stack usage and overflowed the stack on some systems
(someone complained about that in the mailing list about a year ago).
Both problems are fixed by this patch. The first one is fixed when a recent
(1.2) version of zlib is used, as it takes care of gzip header parsing
itself. A check for the version number is done at run-time and libcurl uses
that feature if it's present. I've created a define OLD_ZLIB_SUPPORT that
can be commented out to save some code space if libcurl is guaranteed to be
using a 1.2 version of zlib.
The second problem is solved by dynamically allocating the memory buffer
instead of storing it on the stack. The allocation/free is done for every
incoming packet, which is suboptimal, but should be dwarfed by the actual
decompression computation.
I've also factored out some common code between deflate and gzip to reduce
the code footprint somewhat. I've tested the gzip code on a few test files
and I tried deflate using the freshmeat.net server, and it all looks OK. I
didn't try running it with valgrind, however.
- Added a --retry option to curl that takes a numerical option for the number
of times the operation should be retried. It is retried if a transient error
is detected or if a timeout occurred. By default, it will first wait one
second between the retries and then double the delay time between each retry
until the delay time is ten minutes which then will be the delay time
between all forthcoming retries. You can set a static delay time with
"--retry-delay [num]" where [num] is the number of seconds to wait between
each retry.
Daniel (25 October 2004)
- Tomas Pospisek filed bug report #1053287 that proved -C - and --fail on a
file that was already completely downloaded caused an error, while it
doesn't if you don't use --fail! I added test case 194 to verify the fix.
Grrr. CURLOPT_FAILONERROR is now added to the list stuff to remove in
libcurl v8 due to all the kludges needed to support it.
- Mohun Biswas found out that formposting a zero-byte file didn't work very
good. I fixed.
Daniel (19 October 2004)
- Alexander Krasnostavsky made it possible to make FTP 3rd party transfers
with both source and destination being the same host. It can be useful if
you want to move a file on a server or similar.
- Guillaume Arluison added CURLINFO_NUM_CONNECTS to allow an app to figure
out how many new connects a previous transfer required.
I added %{num_connects} to the curl tool and added test case 192 and 193
to verify the new code.
Daniel (18 October 2004)
- Peter Wullinger pointed out that curl should call setlocale() properly to
initiate the specific language operations, to make the IDN stuff work
better.
* the IDN code now verifies that only TLD-legitmate letters are used in the
name or a warning is displayed (when verbose is enabled)
* provides error texts for IDN errors
* file upload parts in formposts now get their directory names cut off
* added CURLINFO_OS_ERRNO
* added CURLOPT_FTPSSLAUTH to allow ftp connects to attempt "AUTH TLS" instead
before "AUTH SSL"
* curl_getdate() completely rewritten: may affect rare curl -z use cases
* bugfixes
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
Changes:
* the version string now only contains info about (sub) package versions,
while for example krb4 and ipv6 now only are available as 'features'
* added curl_easy_reset()
* socks proxy support even when libcurl is built ipv6-enabled
* read callbacks can stop the transfer by returning CURL_READFUNC_ABORT
* libcurl-tutorial.3 is the new man page formerly known as
libcurl-the-guide
* additional SSL trace data might be sent to the debug callback using two
new types: CURLINFO_SSL_DATA_IN and CURLINFO_SSL_DATA_OUT
* multipart formposts can upload files larger than system memory
* the curl tool continues with the next URL even if one transfer fails
* FTP 3rd party transfer support - seven new setopt() options
Bugfixes:
* UTF-8 encoded certificate names can now be verified properly
* krb4 link problem
* HTTP Negotiate service name now provided in uppercase
* no longer accepts any cookies with domain set to just a TLD
* HTTP Digest properties without quotes in the header
* bad Host: header case on re-used connections over proxy
* duplicate Host: header case on re-used connections
* curl -o name#[num] now works when no globbing for [num] exists
* test suite runs fine with valgrind 2.1.x
* negative Content-Length is ignored
* test 505 runs fine on windows
* curl_share_cleanup() crash
* --trace files now get the final info lines too
* multi interface connects fine to multi-IP resolving hosts
* --limit-rate works on Mac OS X (and other systems with bad poll()s)
* cookies can now hold 4999 bytes of content
* HTTP POST/PUT with NTLM/Digest/Negotiate to a URL returning 3XX
* HTTPS POST/PUT over a proxy requiring NTLM/Digest/Negotiate
* less restrictive libidn requirements, 0.4.1 or later is fine
* HTTP POST or PUT with Digest/Negotiate/NTLM selected but the server
didn't require any authentication
* win32 file:// transfer free memory bug
* configure --disable-http builds a libcurl without HTTP support
* CURLOPT_FILETIME had wrong type in curl.h, it expects a long argument
* builds fine with Borland on Windows
* the msvc curllib.dsp now builds the libcurl.lib file
* builds fine on VMS
* builds fine on NetWare
* HTTP Digest authentication with proxies uses correct user name + password
* builds fine with lcc-win32
o added ability to "upload" to file:// URLs
o added curl_global_init_mem()
o removed curl_formparse()
o the MSVC project file in the release archive is automatically built
o curl --proxy-digest is a new command line option
o the Windows version of libcurl can use wldap32.dll for LDAP
o added curl_easy_strerror(), curl_multi_strerror() and curl_share_strerror()
o IPv6-enabled Windows hosts now resolves names threaded/asynch as well
o configure --with-libidn can be used to point out the root dir of a libidn
installation (version 0.4.5 or later) for curl to use, then libcurl can
resolve and use IDNA names (domain names with "international" letters)
Bugfixes:
o incoming cookies with domains set with a prefixed dot now works better
o CURLOPT_COOKIEFILE and CURLOPT_COOKIE can be used in the same request
o improved peer certificate name verification
o allocation failures cause no leaks nor crashes
o the progress meter display now handles file sizes up to full 8 exabytes
(which is as high a signed 64 bit number can reach)
o general HTTP authentication improvements
o HTTP Digest authentication with the proxy works
o mulipart formposting with -F and file names with spaces work again
o curl_easy_duphandle() now works when ares-enabled
o HTTP Digest authentication works a lot more like the RFC says
o curl works with telnet and stdin properly on Windows
o configure --without-ssl works even when pkg-config has OpenSSL details
o src/hugehelp.c builds correct again in non-configure build environments
* removed maximum user+password+hostname size limit
* removed maximum dir depth limit for FTP
* the ares build now requires c-ares 1.2.0 or later
* --tcp-nodelay and CURLOPT_TCP_NODELAY were added
* curl/curlver.h contains the libcurl version info now
* bugfixes
This release includes the following changes:
o CURLOPT_POSTFIELDSIZE_LARGE added to offer POSTs larger than 2GB
o CURL_VERSION_LARGEFILE is a feature bit returned by libcurls that feature
large file support
o libcurl only requires winsock 1.1 on windows now
o when doing FTP, curl now sends QUIT before disconnecting
o name resolves can now timeout on windows too
o $HOME is now recognized better when looking for .netrc files
o now re-uses the ares handle when re-using curl handles
o SO_BINDTODEVICE is used for network interface binding
o configure --disable-manual disables the built-in huge manual from the
command line tool
o the default Accept: header used in HTTP requests changed
o asynch dns lookups now require the c-ares library
o curl --socks can be used to set a SOCKS5 proxy to use
o response-headers received after a (proxy) CONNECT request are now passed
to the header callback just like other headers
This release includes the following bugfixes:
o builds and runs on Novell NetWare
o Windows builds now report OS as "i386-pc-win32"
o received signals during SSL connect is handled better
o improved PUT/POST with NTLM/Digest authentication
o following redirects and doing NTLM/Digest (where the first connection gets
closed) with the multi interface work better now
o file: progress meter and getinfo variables work now
o CURLOPT_FRESH_CONNECT and CURLAUTH_NTLM now work when set together
o share interface usage without (un)lock functions segfaulted
o --limit-rate no longer cripples the --speed-limit feature
o fixed verbose output problem with ipv6-enabled re-used connections
o fixed the socks5 code to check version in the socks response properly
o dns cache bug - fixed the 'inuse' counter
o large file fix for Content-Length
o better docs for the share interface
o several configure fixes for mingw/msys
o setting a Host: header is no longer affecting the Host: header used when
libcurl follows a Location:
o fixed numerous compiler warnings on several operating systems and compilers
o PUTing from stdin couldn't disable chunked transfer-encoding
o corrected the mingw makefiles
o improved the configure libz detection
o fixed EPRT/PORT use when doing FTP on ipv6-enabled AIX hosts
o *nroff commands that only support -mandoc and not -man are now supported
(for the built-in manual text in the command line tool)
o fixed the unconditional #include of config.h in hugehelp.c
o builds fine on MPE/iX
o upload using chunked transfer-encoding now sends the last chunk properly
teriminated with an extra CRLF
o Fixed the progress meter display for files >2GB
o persistant connections over a proxy messed up the proxy name/password
o the socks5 code segfaulted if no username/password was set
o the *_LARGE options now take curl_off_t types as parameters and this will
make it possible to handle large files on windows too
o builds with large file support even on systems without strtoll()
by moving the inclusion of buildlink3.mk files outside of the protected
region. This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.
BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list. This ordering property is used to check for builtin
packages in the correct order. The problem was that including a
buildlink3.mk file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end. However, since the
inclusion of any other buildlink3.mk files within that buildlink3.mk
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.
