curl/RELEASE-NOTES

Curl and libcurl 7.19.7

 Public curl releases:         113
 Command line options:         132
 curl_easy_setopt() options:   163
 Public functions in libcurl:  58
 Known libcurl bindings:       38
 Contributors:                 732

This release includes the following changes:

 o -T. is now for non-blocking uploading from stdin
 o SYST handling on FTP for OS/400 FTP server cases
 o libcurl refuses to read a single HTTP header longer than 100K
 o added the --crlfile option to curl

This release includes the following bugfixes:

 o The windows makefiles work again
 o libcurl-NSS acknowledges verifyhost
 o SIGSEGV when pipelined pipe unexpectedly breaks
 o data corruption issue with re-connected transfers
 o use after free if we're completed but easy_conn not NULL (pipelined)
 o missing strdup() return code check
 o CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
 o configure --with-gnutls=PATH fixed
 o ftp response reader bug on failed control connections
 o improved NSS error message on failed host name verifications
 o ftp NOBODY on re-used connection hang
 o configure uses pkg-config for cross-compiles as well
 o improved NSS detection in configure
 o cookie expiry date at 1970-jan-1 00:00:00
 o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
 o libcurl-OpenSSL can load CRL files with more than one certificate inside
 o received cookies without explicit path got saved wrong if the URL had a
   query part
 o don't shrink SO_SNDBUF on windows for those who have it set large already
 o connect next bug
 o invalid file name characters handling on Windows
 o double close() on the primary socket with libcurl-NSS
 o GSS negotiate infinite loop on bad credentials
 o memory leak in SCP/SFTP connections
 o use pkg-config to find out libssh2 installation details in configure
 o unparsable cookie expire dates make cookies get treated as session coookies
 o POST with Digest authentication and "Transfer-Encoding: chunked"
 o SCP connection re-use with wrong auth
 o CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
 0 CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

 Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
 Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
 Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey,
 Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich,
 Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky,
 Liza Alenchery, Gabriel Kuri, Stan van de Burgt, Didier Brisebourg

        Thanks! (and sorry if I forgot to mention someone)
start over fresh again towards 7.19.7 2009-08-12 19:24:52 +08:00			`Curl and libcurl 7.19.7`
working draft of the upcoming 7.10.8 release notes 2003-09-23 05:38:52 +08:00
start over fresh again towards 7.19.7 2009-08-12 19:24:52 +08:00			`Public curl releases: 113`
- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP version 1.1 instead of 1.0 like before. This change also introduces the new proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0 option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0. I updated all test cases cases that use CONNECT and I tried to do some using --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run. 2009-02-03 00:19:23 +08:00			`Command line options: 132`
- David Kierznowski notified us about a security flaw (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in which previous libcurl versions (by design) can be tricked to access an arbitrary local/different file instead of a remote one when CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release together this the addition of two new setopt options for controlling this new behavior: o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option excludes the FILE and SCP protocols and thus you nee to explicitly allow them in your app if you really want that behavior. o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch using the primary URL option. This is useful if you want to allow a user or other outsiders control what URL to pass to libcurl and yet not allow all protocols libcurl may have been built to support. 2009-03-03 07:05:31 +08:00			`curl_easy_setopt() options: 163`
- Introducing curl_easy_send() and curl_easy_recv(). They can be used to send and receive data over a connection previously setup with curl_easy_perform() and its CURLOPT_CONNECT_ONLY option. The sendrecv.c example was added to show how they can be used. 2008-05-13 05:43:24 +08:00			`Public functions in libcurl: 58`
the Eiffel binding 2009-03-02 17:03:11 +08:00			`Known libcurl bindings: 38`
start over fresh again towards 7.19.7 2009-08-12 19:24:52 +08:00			`Contributors: 732`
David Hull made the file: URL parser also accept the somewhat sloppy file syntax: file:/path. I added test case 203 to verify this. 2003-10-29 17:53:21 +08:00
Armel Asselin made the CURLOPT_PREQUOTE option work fine even when CURLOPT_NOBODY is set true. PREQUOTE is then run roughly at the same place in the command sequence as it would have run if there would've been a transfer. 2006-08-09 06:56:46 +08:00			`This release includes the following changes:`
mention the curl_off_t changes first 2008-09-01 22:27:24 +08:00
- Eric Wong introduced support for the new option -T. (dot) that makes curl read stdin in a non-blocking fashion. This also brings back -T- (minus) to the previous blocking behavior since it could break stuff for people at times. 2009-08-24 18:57:17 +08:00			`o -T. is now for non-blocking uploading from stdin`
- When using the multi interface with FTP and you asked for NOBODY, you did no QUOTE commands and the request used the same path as the connection had already changed to, it would decide that no commands would be necessary for the "DO" action and that was not handled properly but libcurl would instead hang. 2009-09-01 04:49:30 +08:00			`o SYST handling on FTP for OS/400 FTP server cases`
- I introduced a maximum limit for received HTTP headers. It is controlled by the define CURL_MAX_HTTP_HEADER which is even exposed in the public header file to allow for users to fairly easy rebuild libcurl with a modified limit. The rationale for a fixed limit is that libcurl is realloc()ing a buffer to be able to put a full header into it, so that it can call the header callback with the entire header, but that also risk getting it into trouble if a server by mistake or willingly sends a header that is more or less without an end. The limit is set to 100K. 2009-09-28 05:34:13 +08:00			`o libcurl refuses to read a single HTTP header longer than 100K`
- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177) by user 'koresh' introduced the --crlfile option to curl, which makes curl tell libcurl about a file with CRL (certificate revocation list) data to read. 2009-10-21 20:29:52 +08:00			`o added the --crlfile option to curl`
Armel Asselin made the CURLOPT_PREQUOTE option work fine even when CURLOPT_NOBODY is set true. PREQUOTE is then run roughly at the same place in the command sequence as it would have run if there would've been a transfer. 2006-08-09 06:56:46 +08:00
HTTP Digest auth fix on a re-used connection 2007-07-22 18:17:52 +08:00			`This release includes the following bugfixes:`

mention yesterday's changes 2009-08-13 16:51:45 +08:00			`o The windows makefiles work again`
- Lots of good work by Krister Johansen, mostly related to pipelining: Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks Fix data corruption issue with re-connected transfers Fix use after free if we're completed but easy_conn not NULL 2009-08-21 15:11:20 +08:00			`o libcurl-NSS acknowledges verifyhost`
			`o SIGSEGV when pipelined pipe unexpectedly breaks`
			`o data corruption issue with re-connected transfers`
			`o use after free if we're completed but easy_conn not NULL (pipelined)`
- Andre Guibert de Bruet pointed out a missing return code check for a strdup() that could lead to segfault if it returned NULL. I extended his suggest patch to now have Curl_retry_request() return a regular return code and better check that. 2009-08-21 20:01:36 +08:00			`o missing strdup() return code check`
- Eric Wong introduced support for the new option -T. (dot) that makes curl read stdin in a non-blocking fashion. This also brings back -T- (minus) to the previous blocking behavior since it could break stuff for people at times. 2009-08-24 18:57:17 +08:00			`o CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax`
- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008 2009-08-24 19:38:59 +08:00			`o configure --with-gnutls=PATH fixed`
- When using the multi interface with FTP and you asked for NOBODY, you did no QUOTE commands and the request used the same path as the connection had already changed to, it would decide that no commands would be necessary for the "DO" action and that was not handled properly but libcurl would instead hang. 2009-09-01 04:49:30 +08:00			`o ftp response reader bug on failed control connections`
			`o improved NSS error message on failed host name verifications`
			`o ftp NOBODY on re-used connection hang`
- configure now tries to use pkg-config for a number of sub-dependencies even when cross-compiling. The key to success is then you properly setup PKG_CONFIG_PATH before invoking configure. I also improved how NSS is detected by trying nss-config if pkg-config isn't present, and as a last resort just use the lib name and force the user to setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would add a range of various libs that would almost never be quite correct. 2009-09-01 14:53:01 +08:00			`o configure uses pkg-config for cross-compiles as well`
			`o improved NSS detection in configure`
- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0 which internally then is treated as a session cookie. That particular date is now made to get the value of 1. 2009-09-11 05:06:50 +08:00			`o cookie expiry date at 1970-jan-1 00:00:00`
- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name field in the certficate it had to match and so even if non-DNS and non-IP entry was present it caused the verification to fail. 2009-09-17 04:44:18 +08:00			`o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name`
- Chris Mumford filed bug report #2861587 (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used the OpenSSL function X509_load_crl_file() wrongly and failed if it would load a CRL file with more than one certificate within. This is now fixed. 2009-09-26 02:09:38 +08:00			`o libcurl-OpenSSL can load CRL files with more than one certificate inside`
- John P. McCaskey posted a bug report that showed how libcurl did wrong when saving received cookies with no given path, if the path in the request had a query part. That is means a question mark (?) and characters on the right side of that. I wrote test case 1105 and fixed this problem. 2009-09-27 04:51:51 +08:00			`o received cookies without explicit path got saved wrong if the URL had a`
			`query part`
- Constantine Sapuntzakis: The current implementation will always set SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The patch doesn't do a setsockopt if SO_SNDBUF is already greater than CURL_WRITE_SIZE. This should help folks who have set up their computer with large send buffers. 2009-10-01 15:05:07 +08:00			`o don't shrink SO_SNDBUF on windows for those who have it set large already`
- Tom Mueller correctly reported in bug report #2870221 (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an incorrect return code from the internal trynextip() function which caused him grief. This is a regression that was introduced in 7.19.1 and I find it strange it hasn't hit us harder, but I won't persue into figuring out exactly why. 2009-10-01 15:59:45 +08:00			`o connect next bug`
Fix invalid file name characters handling on Windows 2009-10-18 01:33:19 +08:00			`o invalid file name characters handling on Windows`
- Kevin Baughman found a double close() problem with libcurl-NSS, as when libcurl called NSS to close the SSL "session" it also closed the actual socket. 2009-10-18 08:10:13 +08:00			`o double close() on the primary socket with libcurl-NSS`
John Dennis filed bug report #2873666 (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem which made libcurl loop infinitely when given incorrect credentials when using HTTP GSS negotiate authentication. 2009-10-18 08:18:27 +08:00			`o GSS negotiate infinite loop on bad credentials`
- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts data! 2009-10-18 09:11:25 +08:00			`o memory leak in SCP/SFTP connections`
- Attempt to use pkg-config for finding out libssh2 installation details during configure. 2009-10-21 22:56:25 +08:00			`o use pkg-config to find out libssh2 installation details in configure`
- Dima Barsky made the curl cookie parser accept cookies even with blank or unparsable expiry dates and then treat them as session cookies - previously libcurl would reject cookies with a date format it couldn't parse. Research shows that the major browser treat such cookies as session cookies. I modified test 8 and 31 to verify this. 2009-10-26 02:15:14 +08:00			`o unparsable cookie expire dates make cookies get treated as session coookies`
- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a POST using a read callback, with Digest authentication and "Transfer-Encoding: chunked" enforced. I would then cause the first request to be wrongly sent and then basically hang until the server closed the connection. I fixed the problem and added test case 565 to verify it. 2009-10-31 06:24:48 +08:00			`o POST with Digest authentication and "Transfer-Encoding: chunked"`
- Liza Alenchery mentioned a problem with re-used SCP connection when a bad auth is used, as it caused a crash. I failed to repeat the issue, but still made a change that now forces the TCP connection used for a freed SCP session to get closed and not be re-used. 2009-10-31 06:28:56 +08:00			`o SCP connection re-use with wrong auth`
- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the download was 0 bytes, as libcurl would then return the size as unknown (-1) and not 0. I wrote a fix and test case 566 to verify it. 2009-11-01 02:51:50 +08:00			`o CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers`
- As reported independent by both Stan van de Burgt and Didier Brisebourg, CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when getting data from ldap! 2009-11-03 02:49:56 +08:00			`0 CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)`
HTTP Digest auth fix on a re-used connection 2007-07-22 18:17:52 +08:00
			`This release includes the following known bugs:`

			`o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)`

			`This release would not have looked like this without help, code, reports and`
			`advice from friends like these:`

- Eric Wong introduced support for the new option -T. (dot) that makes curl read stdin in a non-blocking fashion. This also brings back -T- (minus) to the previous blocking behavior since it could break stuff for people at times. 2009-08-24 18:57:17 +08:00			`Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,`
- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0 which internally then is treated as a session cookie. That particular date is now made to get the value of 1. 2009-09-11 05:06:50 +08:00			`Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,`
- Constantine Sapuntzakis: The current implementation will always set SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The patch doesn't do a setsockopt if SO_SNDBUF is already greater than CURL_WRITE_SIZE. This should help folks who have set up their computer with large send buffers. 2009-10-01 15:05:07 +08:00			`Claes Jakobsson, Sven Anders, Chris Mumford, John P. McCaskey,`
Fix invalid file name characters handling on Windows 2009-10-18 01:33:19 +08:00			`Constantine Sapuntzakis, Michael Stillwell, Tom Mueller, Dan Fandrich,`
- Liza Alenchery mentioned a problem with re-used SCP connection when a bad auth is used, as it caused a crash. I failed to repeat the issue, but still made a change that now forces the TCP connection used for a freed SCP session to get closed and not be re-used. 2009-10-31 06:28:56 +08:00			`Kevin Baughman, John Dennis, Ray Dassen, Johan van Selst, Dima Barsky,`
- As reported independent by both Stan van de Burgt and Didier Brisebourg, CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when getting data from ldap! 2009-11-03 02:49:56 +08:00			`Liza Alenchery, Gabriel Kuri, Stan van de Burgt, Didier Brisebourg`
start over on 7.18.1 2008-01-29 05:19:15 +08:00
working draft of the upcoming 7.10.8 release notes 2003-09-23 05:38:52 +08:00			`Thanks! (and sorry if I forgot to mention someone)`