CHANGES

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog



Daniel (17 November 2005)
- I extended a patch from David Shaw to make libcurl _always_ provide an error
  string in the given error buffer to address the flaw mention on 21 sep 2005.

Daniel (16 November 2005)
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
  installed on 'make install' time.

Daniel (14 November 2005)
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
  properly for a case, and so we did. We raised it even for non-SSPI builds
  but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715

- Jan Kunder's debian bug report
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
  error message for when you try to upload a file and the requested directory
  doesn't exist on the target server.

- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
  lib/memdebug.h that showed up in his msvc builds.

Daniel (13 November 2005)
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
  bad limit-rate units:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
  error if a bad unit is used.

- Thanks to this nice summary of poll() implementations:
  http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
  Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
  connectin closure so we check for that case (too) and re-enable poll for
  cygwin builds.

Daniel (12 November 2005)
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
  right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
  poll() and use select() on cygwin too (we already do the same choice on Mac
  OS X)

- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
  client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).

Daniel (10 November 2005)
- David Lang fixed IPv6 support for TFTP!

- Introducing range stepping to the curl globbing support. Now you can specify
  step counter by adding :[num] within the brackets when specifying a range:

   [1-100:10]
   [a-z:2]

  If no step counter is set, it defaults to 1 as before:

   [1-100]
   [d-h]

Daniel (8 November 2005)
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
  we really have no use for reverse lookups of the address.

  I truly hope these are the last reverse lookups we had lingering in the
  code!

- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
  version of libcurl with different Windows versions. Current version of
  libcurl imports SSPI functions from secur32.dll. However, under Windows NT
  4.0 these functions are located in security.dll, under Windows 9x - in
  secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
  just forwards calls to secur32.dll).

  Dmitry's patch loads proper library dynamically depending on Windows
  version. Function InitSecurityInterface() is used to obtain pointers to all
  of SSPI function in one structure.

Daniel (31 October 2005)
- Vilmos Nebehaj improved libcurl's LDAP abilities:

  The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
  attributes in LDAP objects. So, I made a quick patch to address these
  problems.

  The solution is simple: if we connect to an LDAP server, first try LDAPv3
  (which is the preferred protocol as of now) and then fall back to LDAPv2.
  In case of binary attributes, we first convert them to base64, just like the
  openldap client does. It uses ldap_get_values_len() instead of
  ldap_get_values() to be able to retrieve binary attributes correctly. I
  defined the necessary LDAP macros in lib/ldap.c to be able to compile
  libcurl without the presence of libldap

Daniel (27 October 2005)
- Nis Jorgensen filed bug report #1338648
  (http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
  feature request, but anyway. It pointed out that --max-redirs did not allow
  it to be set to 0, which then would return an error code on the first
  Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
  set to 0, or -1 for infinity. Added test case 274 to verify.

- tommink[at]post.pl reported in bug report #1337723
  (http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
  binary data from stdin on Windows if the data contained control-Z (hex 1a)
  since that is treated as end-of-file when read in text mode. Gisle Vanem
  pointed out the fix, and I made both -T and --data-binary take advantage of
  it.

- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
  in the man page, curl would send an invalid HTTP Range: header. The correct
  way would be to use "-r [number]-" or even "-r -[number]". Starting now,
  curl will warn if this is discovered, and automatically append a dash to the
  range before passing it to libcurl.

Daniel (25 October 2005)
- Amol Pattekar reported a bug with great detail and a fine example in bug
  #1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
  interface and connecting to a host with multiple IP addresses, and one of
  the addresses fails to connect (the server must exist and respond, just not
  accept connections) libcurl leaks a socket descriptor. Thanks to the fine
  report, I could find and fix this.

Daniel (22 October 2005)
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
  #1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
  stream from a server and the server requests a "rehandshake", the current
  code simply returns this as an error. I have no good way to test this, but
  I've added a crude attempt of dealing with this situation slightly better -
  it makes a blocking handshake if this happens. Done like this because fixing
  this the "proper" way (that would handshake asynchronously) will require
  quite some work and I really need a good way to test this to do such a
  change.

Daniel (21 October 2005)
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
  it, it could then accidentally actually crash. Presumably, this concerns FTP
  connections.  http://curl.haxx.se/bug/view.cgi?id=1330310

- Temprimus improved the MSVC makefile so that the static debug SSL libs are
  linked to the executable and not to the libcurld.lib
  http://curl.haxx.se/bug/view.cgi?id=1326676

- Bradford Bruce made the windows resolver code properly return
  CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
  errors (as documented).

Daniel (20 October 2005)
- Dave Dribin made libcurl understand and handle cases when the server
  (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
  never happen in a sane world, libcurl previously got into an infinite loop
  when this occurred. Dave added test 273 to verify this.

- Temprimus improved the MSVC makefile: "makes a build option available so if
  you set rtlibcfg=static for the make, then it would build with /MT. The
  default behaviour is /MD (the original)."
  http://curl.haxx.se/bug/view.cgi?id=1326665

Daniel (14 October 2005)
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
  reported, the define is used by the configure script and is assumed to use
  the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
  release version.

Version 7.15.0 (13 October 2005)

Daniel (12 October 2005)
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
  code that would overflow a buffer if given a too long user name or domain
  name. This would happen if you enable NTLM authentication and either

  A - pass in a user name and domain name to libcurl that together are longer
      than 192 bytes

  B - allow (lib)curl to follow HTTP "redirects" (Location: and the
      appropriate HTTP 30x response code) and the new URL contains a URL with
      a user name and domain name that together are longer than 192 bytes

  See http://curl.haxx.se/docs/security.html for further details and updates

Daniel (5 October 2005)
- Darryl House reported a problem with using -z to download files from FTP.
  It turned out that if the given time stamp was exact the same as the remote
  time stamp, the file would still wrongly be downloaded. Added test case 272
  to verify.

Daniel (4 October 2005)
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
  from the configure script.

- Michael Wallner reported that the date parser had wrong offset stored for
  the MEST and CEST time zones.

Daniel (27 September 2005)
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)