CHANGES

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog


Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
  http://www.securityfocus.com/archive/1/391042 and the CAN report here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490

  If these security guys were serious, we'd been notified in advance and we
  could've saved a few of you a little surprise, but now we weren't.

Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
  requested data from a host and then followed a redirect to another
  host. libcurl then didn't use the proxy-auth properly in the second request,
  due to the host-only check for original host name wrongly being extended to
  the proxy auth as well. Added test case 233 to verify the flaw and that the
  fix removed the problem.

Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
  BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
  configure when mingw is used.

Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
  didn't close the socket properly when returning error due to failing
  localbind

Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
  that picks NTLM. Thanks to David Byron letting me test NTLM against his
  servers, I could quickly repeat and fix the problem. It turned out to be:

  When libcurl POSTs without knowing/using an authentication and it gets back
  a list of types from which it picks NTLM, it needs to either continue
  sending its data if it keeps the connection alive, or not send the data but
  close the connection. Then do the first step in the NTLM auth. libcurl
  didn't send the data nor close the connection but simply read the
  response-body and then sent the first negotiation step. Which then failed
  miserably of course. The fixed version forces a connection if there is more
  than 2000 bytes left to send.

Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
  was never used.

Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
  week day names and month names and servers don't like that.

Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
  libcurl is built shared. Otherwise valgrind only tests the shell that runs
  the wrapper-script named 'curl' that is a front-end to curl in this case.
  This should also fix the huge amount of reports of false positives when
  valgrind has identified leaks in (ba)sh and not in curl and people report
  that as curl bugs. Bug report #1116672 is one example.

  Also, the valgrind report parser has been adapted to check that at least one
  of the sources in a stack strace is one of (lib)curl's source files or
  otherwise it will not consider the problem to concern (lib)curl.

- Marty Kuhrt streamlined the VMS build.

Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here:
  http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
  SSL_pending() as we should.

- Converted lots of FTP code to a statemachine, so that the multi interface
  doesn't block while communicating commands-responses with an FTP server.

  I've added a comment like BLOCKING in the code on all spots I could find
  where we still have blocking operations. When we change curl_easy_perform()
  to use the multi interface, we'll also be able to simplify the code since
  there will only be one "internal interface".

  While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
  new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
  like changing directory or retrieving a file, while the second means that we
  were denied login.

  The CVS tag 'before_ftp_statemachine' was set just before this went in, in
  case of future need.

- Gisle made the DICT code send CRLF and not just LF as the spec says so.

Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
  sure the proper error code is returned for those occations.

Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
  contents.

Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
  PORT on ipv6-enabled hosts.

- David Byron pointed out we could use BUFSIZE to read data (in
  lib/transfer.c) instead of using BUFSIZE -1.

Version 7.13.0 (1 February 2005)

Daniel (31 January 2005)
- Added Lars Nilsson's htmltitle.cc example

Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
  failed (as in test case 205).

- Fixed a valgrind warning for file:// operations.

- Fixed a valgrind report in the url globbing code for the curl command line
  tool.

- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
  I noticed that it previously didn't detect and report the "Conditional jump
  or move depends on uninitialised value(s)" error. When I fixed this, I
  caught a few curl bugs with it. And then I had to spend time to make the
  test suite IGNORE these errors when OpenSSL is used since it produce massive
  amounts of valgrind warnings (but only of the "Conditional..." kind it
  seems). So, if a test that requires SSL is run, it ignores the
  "Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
  of "valgrind OK".

Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
  gets closed just after the request has been sent failed and did not re-issue
  a request on a fresh reconnect like the easy interface did. Now it does!

- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
  my new curl_easy_perform() that uses the multi interface to run the
  request. It is a great testbed for the multi interface and I believe we
  shall do it this way for real in the future when we have a successor to
  curl_multi_fdset(). I've used this approach to detect and fix several of the
  recent multi-interfaces issues.

- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
  bad assumptions.

- multi interface: when a request is denied due to "Maximum redirects
  followed" libcurl leaked the last Location: URL.

- Connect failures with the multi interface was often returned as "connect()
  timed out" even though the reason was different.

Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
  curl_easy_perform() invokes. It was previously unlocked at disconnect, which
  could mean that it remained locked between multiple transfers. The DNS cache
  may not live as long as the connection cache does, as they are separate.

  To deal with the lack of DNS (host address) data availability in re-used
  connections, libcurl now keeps a copy of the IP adress as a string, to be
  able to show it even on subsequent requests on the same connection.

  The problem could be made to appear with this stunt:

  1. create a multi handle
  2. add an easy handle
  3. fetch a URL that is persistent (leaves the connection alive)
  4. remove the easy handle from the multi
  5. kill the multi handle
  6. create a multi handle
  7. add the same easy handle to the new multi handle
  8. fetch a URL from the same server as before (re-using the connection)

- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
  when built ipv6-enabled. I've now made a fix for it. Writing test cases for
  custom port hosts turned too tricky so unfortunately there's none.

Daniel (25 January 2005)
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
  is present in RFC959... so now (lib)curl supports it as well. --ftp-account
  and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
  account string after PASS have been sent away. The client responds
  with "ACCT [account string]".) Added test case 228 and 229 to verify the
  functionality. Updated the test FTP server to support ACCT somewhat.

- David Shaw contributed a fairly complete and detailed autoconf test you can
  use to detect libcurl and setup variables for the protocols the installed
  libcurl supports: docs/libcurl/libcurl.m4

Daniel (21 January 2005)
- Major FTP third party transfer overhaul.

  These four options are now obsolete: CURLOPT_SOURCE_HOST,
  CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
  and CURLOPT_PASV_HOST.

  These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.

  The target-side didn't use the proper path with RETR, and thus this only
  worked correctly in the login path (i.e without doing any CWD). The source-
  side still uses a wrong path, but the fix for this will need to wait. Verify
  the flaw by using a source URL with included %XX-codes.

  Made CURLOPT_FTPPORT control weather the target operation should use PORT
  (or not). The other side thus uses passive (PASV) mode.

  Updated the ftp3rdparty.c example source to use the updated options.

  Added support for a second FTP server in the test suite. Named... ftp2.
  Added test cases 230, 231 and 232 as a few first basic tests of very simple
  3rd party transfers.

  Changed the debug output to include 'target' and 'source' when a 3rd party
  is being made, to make it clearer what commands/responses came on what
  connection.

  Added three new command line options: --3p-url, --3p-user and --3p-quote.

  Documented the command line options and the curl_easy_setopt options related
  to third party transfers.

  (Temporarily) disabled the ability to re-use an existing connection for the
  source connection. This is because it needs to force a new in case the
  source and target is the same host, and the host name check is trickier now
  when the source is identified with a full URL instead of a plain host name
  like before.

  TODO (short-term) for 3rd party transfers: quote support. The options are
  there, we need to add test cases to verify their functionality.

  TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
  and SSL/TSL support.

Daniel (20 January 2005)
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
  code was written for it. I fixed and added test case 227 to verify it.
  The curl.1 man page didn't mention the '+' so I added it.

Daniel (19 January 2005)
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
  contains %0a or %0d in the user, password or CWD parts. (A future fix would
  include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
  225 and 226 were added to verify this

- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:

  1) the proxy environment variables are still read and used to set HTTP proxy

  2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
     disabled). This is important since apps may want to disable HTTP proxy
     without actually knowing if libcurl was built to disable HTTP or not.

  Based on Stephan's patch, both these issues should now be fixed.

Daniel (18 January 2005)
- Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was
  applied.

Daniel (16 January 2005)
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
  assumed this used the DICT protocol. While guessing protocols will remain
  fuzzy, I've now made sure that the host names must start with "[protocol]."
  for them to be a valid guessable name. I also removed "https" as a prefix
  that indicates HTTPS, since we hardly ever see any host names using that.

Daniel (13 January 2005)
- Inspired by Martijn Koster's patch and example source at
  http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
  select() and poll() calls properly loop if they return -1 and errno is
  EINTR. glibc docs for this is found here:
  http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html

  This last link says BSD doesn't have this "effect". Will there be a problem
  if we do this unconditionally?

Daniel (11 January 2005)
- Dan Torop cleaned up a few no longer used variables from David Phillips'
  select() overhaul fix.

- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
  using a custom Host: header and curl fails to send a request on a re-used
  persistent connection and thus creates a new connection and resends it. It
  then sent two Host: headers. Cyrill's analysis was posted here:
  http://curl.haxx.se/mail/archive-2005-01/0022.html

- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
  problem with the version byte and the check for bad versions. Bruce has lots
  of clues on this, and based on his suggestion I've now removed the check of
  that byte since it seems to be able to contain 1 or 5.

Daniel (10 January 2005)
- Pavel Orehov reported memory problems with the multi interface in bug report
  #1098843. In short, a shared DNS cache was setup for a multi handle and when
  the shared cache was deleted before the individual easy handles, the latter
  cleanups caused read/writes to already freed memory.

- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
  remote certificate name when it didn't match the used host name.

Gisle (8 January 2005)
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.

Daniel (7 January 2005)
- Improved the test script's valgrind log parser to actually work! Also added
  the ability to disable the log scanner for specific test cases. Test case
  509 results in numerous problems and leaks in OpenSSL and has to get it
  disabled.

Daniel (6 January 2005)
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
  (i.e not in the library).

- Bug report #1097019 identified a problem when doing -d "data" with -G and
  sending it to two URLs with {}. Added test 199 to verify the fix.

Daniel (4 January 2005)
- Marty Kuhrt adjusted a VMS build script slightly

- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
  Win2000.

Daniel (2 January 2005)
- Alex Neblett updated the MSVC makefiles slightly.

Daniel (25 December 2004)
- Removed src/config.h.in from CVS, it is now copied from the (generated)
  lib/config.h.in instead, as they can very well be the same. This removes a
  "manual hassle". You may want to re-run buildconf now.

- Werner Koch filed Debian bug report #286794, mentioning that curl contained
  non-free (by Debian's view) source code. This was Angus Mackay's
  src/getpass.c source code. I tried to contact him about it to quickly solve
  this issue, but his email addresses bounce and I got some time "over" and
  reimplemented the functionality once brought by Angus. We no longer use any
  of Angus' original code and the new function is much simpler (IMO). Issue
  solved.

Daniel (24 December 2004)
- David Shaw added --protocols to curl-config, so that it now lists all
  protocols libcurl was built to support. --feature no longer lists disabled
  protocols.

Daniel (23 December 2004)
- David Shaw fixed the configure --disable-[protocol] variables so that
  curl-config --feature now works correctly!

Daniel (22 December 2004)
- Rune Kleveland fixed a minor memory leak for received cookies with the
  (rare) version attribute set.

- Marcin Konicki provided two configure fixes and a source fix to make curl
  build out-of-the-box on BeOS.

Daniel (21 December 2004)
- Added test case 217 that verified CURLINFO_HTTP_CONNECTCODE, and I made the
  -w option support 'http_connect' to make it easier to verify!

- Fixed lib/select.c include order to build fine on FreeBSD

- Fixed failf()'s reuse of the va_list variable that crashed on FreeBSD.
  Pointed out by Peter Pentchev.

Version 7.12.3 (20 December 2004)

Daniel (19 December 2004)
- I investigated our PKCS12 build problem on Solaris 2.7 with OpenSSL 0.9.7e,
  and it turned out to be the fault of the zlib 1.1.4 headers doing a typedef
  named 'free_func' and the OpenSSL headers have a prototype that uses
  'free_func' in one of its arguments. This is why the compile errors out.

  In other words, we need to include the openssl/pkcs12.h header before the
  zlib.h header and it builds fine. The configure script now checks for this
  file and it then gets included early in lib/urldata.h.

Daniel (18 December 2004)
- Samuel Listopad added support for PKCS12 formatted certificates.

- Samuel Listopad fixed -E to support "C:/path" (with forward slash) as well.

Daniel (16 December 2004)
- Gisle found and fixed a problem in the directory re-use for FTP.

  I added test case 215 and 216 to better verify the functionality.

- Dinar in bug report #1086121, found a file handle leak when a multipart
  formpost (including a file upload part) was aborted before the whole file
  was sent.

Daniel (15 December 2004)
- Tom Lee found out that globbing of strings with backslashes didn't work as
  you'd expect. Backslashes are such a central part of windows file names that
  forcing backslashes to have to be escaped with backslashes is a bit too
  awkward to users. Starting now, you only need to escape globbing characters
  such as the five letters: "[]{},". Added test case 214 to verify this.

Daniel (14 December 2004)
- Harshal Pradhan patched a HTTP persistent connection flaw: if the user name
  and/or password were modified between two requests on a persistent
  connection, the second request were still made with the first setup!

  I added test case 519 to verify the fix.

Daniel (13 December 2004)
- Gisle added CURLINFO_SSL_ENGINES to curl_easy_getinfo() to allow an app
  to list all available crypto ENGINES.

- Gisle fixed bug report #1083542, which pointed out a problem with resuming
  large file (>4GB) file:// transfers on windows.

Daniel (11 December 2004)
- Made the test suite HTTP server (sws) capable of using IPv6, and then
  extended the test environment to support that and also added three test
  cases (240, 241, 242) that run tests using IPv6. Test 242 uses a URL that
  didn't work before the 10 dec fix by Kai Sommerfeld.

- Made a failed file:// resume output an error message

- Corrected the CURLE_BAD_DOWNLOAD_RESUME error message in lib/strerror.c

- Dan Fandrich:

  simplified and consolidated the SSL checks in configure and the usage of the
  defines in lib/setup.h

  provided a first libcurl.pc.in file for pkg-config (but the result is not
  installed anywhere at this point)

  extended the cross compile section in the docs/INSTALL file

Daniel (10 December 2004)
- When providing user name in the URL and a IPv6-style IP-address (like in
  "ftp://user@[::1]/tmp"), the URL parser didn't get the host extracted
  properly.  Reported and fixed by Kai Sommerfeld.

Daniel (9 December 2004)
- Ton Voon provided a configure fix that should fix the notorious (mostly
  reported on Solaris) problem where the size_t check fails due to the SSL
  libs being found in a dir not searched through by the run-time linker.
  patch-tracker entry #1081707.

- Bryan Henderson pointed out in bug report #1081788 that the curl-config
  --vernum output wasn't zero prefixed properly (as claimed in documentation).
  This is fixed in maketgz now.

Daniel (8 December 2004)
- Matt Veenstra updated the mach-O framework files for Mac OS X.

- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
  libcurl always and unconditionally overwrote a stack-based array with 3 zero
  bytes. This is not an exploitable buffer overflow. No need to get alarmed.

Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
  even if no errorbuffer is set.

Daniel (6 December 2004)
- Dan Fandrich added the --disable-cookies option to configure to build
  libcurl without cookie support. This is mainly useful if you want to build a
  minimalistic libcurl with no cookies support at all. Like for embedded
  systems or similar.

- Richard Atterer fixed libcurl's way of dealing with the EPSV
  response. Previously, libcurl would re-resolve the host name with the new
  port number and attempt to connect to that, while it should use the IP from
  the control channel. This bug made it hard to EPSV from an FTP server with
  multiple IP addresses!

Daniel (3 December 2004)
- Bug report #1078066: when a chunked transfer was pre-maturely closed exactly
  at a chunk boundary it was not considered an error and thus went unnoticed.
  Fixed by Maurice Barnum.

  Added test case 207 to verify.

Daniel (2 December 2004)
- Fixed the CONNECT loop to default timeout to 3600 seconds.

  Added test case 206 that makes CONNECT with Digest.

  Fixed a flaw that prepended "(nil)" to the initial CONNECT rqeuest's user-
  agent field.

Daniel (30 November 2004)
- Dan Fandrich's fix for libz 1.1 and "extra field" usage in a gzip stream

- Dan also helped me with input data to create three more test cases for the
  --compressed option.

Daniel (29 November 2004)
- I improved the test suite to enable binary contents in the tests (by proving
  it base64 encoded), like for testing decompress etc. Added test 220 and 221
  for this purpose. Tests can now also depend on libz to run.

- As reported by Reinout van Schouwen in Mandrake's bug tracker bug 12285
  (http://qa.mandrakesoft.com/show_bug.cgi?id=12285), when connecting to an
  IPv6 host with FTP, --disable-epsv (or --disable-eprt) effectively disables
  the ability to transfer a file. Now, when connected to an FTP server with
  IPv6, these FTP commands can't be disabled even if asked to with the
  available libcurl options.

Daniel (26 November 2004)
- As reported in Mandrake's bug tracker bug 12289
  (http://qa.mandrakesoft.com/show_bug.cgi?id=12289), curl would print a
  newline to "finish" the progress meter after each redirect and not only
  after a completed transfer.

Daniel (25 November 2004)
- FTP improvements:

  If EPSV, EPRT or LPRT is tried and doesn't work, it will not be retried on
  the same server again even if a following request is made using a persistent
  connection.

  If a second request is made to a server, requesting a file from the same
  directory as the previous request operated on, libcurl will no longer make
  that long series of CWD commands just to end up on the same spot. Note that
  this is only for *exactly* the same dir. There is still room for improvements
  to optimize the CWD-sending when the dirs are only slightly different.

  Added test 210, 211 and 212 to verify these changes. Had to improve the
  test script too and added a new primitive to the test file format.

Daniel (24 November 2004)
- Andrés García fixed the configure script to detect select properly when run
  with Msys/Mingw on Windows.

Daniel (22 November 2004)
- Made HTTP PUT and POST requests no longer use HEAD when doing multi-pass
  auth negotiation (NTLM, Digest and Negotiate), but instead use the request
  keyword "properly". Details in lib/README.httpauth. This also introduces
  CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA, to be used by apps that use the
  "any" auth alternative as then libcurl may need to send the PUT/POST data
  more than once and thus may need to ask the app to "rewind" the read data
  stream to start.

  See also the new example using this: docs/examples/anyauthput.c

- David Phillips enhanced test 518. I made it depend on a "feature" so that
  systems without getrlimit() won't attempt to test 518. configure now checks
  for getrlimit() and setrlimit() for this test case.

Daniel (18 November 2004)
- David Phillips fixed libcurl to not crash anymore when more than FD_SETSIZE
  file descriptors are in use. Test case 518 added to verify.

Daniel (15 November 2004)
- To test my fix for the CURLINFO_REDIRECT_TIME bug, I added time_redirect and
  num_redirects support to the -w writeout option for the command line tool.

- Wojciech Zwiefka found out that CURLINFO_REDIRECT_TIME didn't work as
  documented.

Daniel (12 November 2004)
- Gisle Vanem modigied the MSVC and Netware makefiles to build without
  libcurl.def

- Dan Fandrich added the --disable-crypto-auth option to configure to allow
  libcurl to build without Digest support. (I figure it should also explicitly
  disable Negotiate and NTLM.)

-                 *** Modified Behaviour Alert ***

  Setting CURLOPT_POSTFIELDS to NULL will no longer do a GET.

  Setting CURLOPT_POSTFIELDS to "" will send a zero byte POST and setting
  CURLOPT_POSTFIELDS to NULL and CURLOPT_POSTFIELDSIZE to zero will also make
  a zero byte POST. Added test case 515 to verify this.

  Setting CURLOPT_HTTPPOST to NULL makes a zero byte post. Added test case 516
  to verify this.

  CURLOPT_POSTFIELDSIZE must now be set to -1 to signal "we don't know".
  Setting it to zero simply says this is a zero byte POST.

  When providing POST data with a read callback, setting the size up front
  is now made with CURLOPT_POSTFIELDSIZE and not with CURLOPT_INFILESIZE.

Daniel (11 November 2004)
- Dan Fandrich added --disable-verbose to the configure script to allow builds
  without verbose strings in the code, to save some 12KB space. Makes sense
  only for systems with very little memory resources.

- Jeff Phillips found out that a date string with a year beyond 2038 could
  crash the new date parser on systems with 32bit time_t. We now check for
  this case and deal with it.

Daniel (10 November 2004)
- I installed Heimdal on my Debian box (using the debian package) and noticed
  that configure --with-gssapi failed to create a nice build. Fixed now.

Daniel (9 November 2004)
- Gisle Vanem marked all external function calls with CURL_EXTERN so that now
  the Windows, Netware and other builds no longer need libcurl.def or similar
  files.

Daniel (8 November 2004)
- Made the configure script check for tld.h if libidn was detected, since
  libidn 0.3.X didn't have such a header and we don't work with anything
  before libidn 0.4.1 anyway! Suse 9.1 apparently ships with a 0.3.X version
  of libidn which makes the curl 7.12.2 build fail. Jean-Philippe
  Barrette-LaPierre helped pointing this out.

- Ian Gulliver reported in debian bug report #278691: if curl is invoked in an
  environment where stderr is closed the -v output will still be sent to file
  descriptor 2 which then might be the network socket handle! Now we have a
  weird hack instead that attempts to make sure that file descriptor 2 is
  opened (with a call to pipe()) before libcurl is called to do the transfer.
  configure now checks for pipe() and systems without pipe don't get the weird
  hack done.

Daniel (5 November 2004)
- Tim Sneddon made libcurl send no more than 64K in a single first chunk when
  doing a huge POST on VMS, as this is a system limitation. Default on general
  systems is 100K.

Daniel (4 November 2004)
- Andres Garcia made it build on mingw againa, my --retry code broke the build.

Daniel (2 November 2004)
- Added --retry-max-time that allows a maximum time that may not have been
  reached for a retry to be made. If not set there is no maximum time, only
  the amount of retries set with --retry.

- Paul Nolan provided a patch to make libcurl build nicely on Windows CE.

Daniel (1 November 2004)
- When cross-compiling, the configure script no longer attempts to use
  pkg-config on the build host in order to detect OpenSSL compiler options.

Daniel (27 October 2004)
- Dan Fandrich:

  An improvement to the gzip handling of libcurl. There were two problems with
  the old version: it was possible for a malicious gzip file to cause libcurl
  to leak memory, as a buffer was malloced to hold the header and never freed
  if the header ended with no file contents.  The second problem is that the
  64 KiB decompression buffer was allocated on the stack, which caused
  unexpectedly high stack usage and overflowed the stack on some systems
  (someone complained about that in the mailing list about a year ago).

  Both problems are fixed by this patch. The first one is fixed when a recent
  (1.2) version of zlib is used, as it takes care of gzip header parsing
  itself.  A check for the version number is done at run-time and libcurl uses
  that feature if it's present. I've created a define OLD_ZLIB_SUPPORT that
  can be commented out to save some code space if libcurl is guaranteed to be
  using a 1.2 version of zlib.

  The second problem is solved by dynamically allocating the memory buffer
  instead of storing it on the stack. The allocation/free is done for every
  incoming packet, which is suboptimal, but should be dwarfed by the actual
  decompression computation.

  I've also factored out some common code between deflate and gzip to reduce
  the code footprint somewhat.  I've tested the gzip code on a few test files
  and I tried deflate using the freshmeat.net server, and it all looks OK. I
  didn't try running it with valgrind, however.

- Added a --retry option to curl that takes a numerical option for the number
  of times the operation should be retried. It is retried if a transient error
  is detected or if a timeout occurred. By default, it will first wait one
  second between the retries and then double the delay time between each retry
  until the delay time is ten minutes which then will be the delay time
  between all forthcoming retries. You can set a static delay time with
  "--retry-delay [num]" where [num] is the number of seconds to wait between
  each retry.

Daniel (25 October 2004)
- Tomas Pospisek filed bug report #1053287 that proved -C - and --fail on a
  file that was already completely downloaded caused an error, while it
  doesn't if you don't use --fail! I added test case 194 to verify the fix.
  Grrr. CURLOPT_FAILONERROR is now added to the list stuff to remove in
  libcurl v8 due to all the kludges needed to support it.

- Mohun Biswas found out that formposting a zero-byte file didn't work very
  good. I fixed.

Daniel (19 October 2004)
- Alexander Krasnostavsky made it possible to make FTP 3rd party transfers
  with both source and destination being the same host. It can be useful if
  you want to move a file on a server or similar.

- Guillaume Arluison added CURLINFO_NUM_CONNECTS to allow an app to figure
  out how many new connects a previous transfer required.

  I added %{num_connects} to the curl tool and added test case 192 and 193
  to verify the new code.

Daniel (18 October 2004)
- Peter Wullinger pointed out that curl should call setlocale() properly to
  initiate the specific language operations, to make the IDN stuff work
  better.

Version 7.12.2 (18 October 2004)

Daniel (16 October 2004)
- Alexander Krasnostavsky made the CURLOPT_FTP_CREATE_MISSING_DIRS option work
  fine even for third party transfers.

- runekl at opoint.com found out (and provided a fix) that libcurl leaked
  memory for cookies with the "max-age" field set.

Gisle (16 October 2004)
- Issue 50 in TODO-RELEASE; Added Traian Nicolescu's patches for threaded
  resolver on Windows. Plugged some potential handle and memory leaks.

Daniel (14 October 2004)
- Eric Vergnaud pointed out that libcurl didn't treat ?-letters in the user
  name and password fields properly in URLs, like
  ftp://us?er:pass?word@site.com/. Added test 191 to verify the fix.

Daniel (11 October 2004)
- libcurl now uses SO_NOSIGPIPE for systems that support it (Mac OS X 10.2 or
  later is one) to inhibit the SIGPIPE signal when writing to a socket while
  the peer dies. The same effect is provide by the MSG_NOSIGNAL parameter to
  send() on other systems. Alan Pinstein verified the fix.

Daniel (10 October 2004)
- Systems with 64bit longs no longer use strtoll() or our strtoll- replacement
  to parse 64 bit numbers. strtol() works fine. Added a configure check to
  detect if [constant]LL works and if so, use that in the strtoll replacement
  code to work around compiler warnings reported by Andy Cedilnik.

Gisle (6 October 2004)
- For USE_LIBIDN builds: Added Top-Level-Domain (TLD) check of host-name
  used in fix_hostname(). Checks if characters in 'host->name' (indirectly
  via 'ace_hostname') are legal according to the TLD tables in libidn.

Daniel (6 October 2004)
- Chih-Chung Chang reported that if you use CURLOPT_RESUME_FROM and enabled
  CURLOPT_FOLLOWLOCATION, libcurl reported error if a redirect happened even
  if the new URL would provide the resumed file. Test case 188 added to verify
  the fix (together with existing test 99).

- Dan Fandrich fixed a configure flaw for systems that need both nsl and socket
  libs to use gethostbyname().

- Removed tabs and trailing whitespace from lots of source files.

Daniel (5 October 2004)
- Made configure --with-libidn=PATH try the given PATH before the default
  paths to make it possible to override.

- If idna_strerror() is present in libidn, we can use that instead of our
  internal replacement. This function was added by Simon in libidn 0.5.6 and
  is detected by configure.

- It seems basename() on IRIX is in the libgen library and since we don't use
  that, configure finds libgen.h but not basename and then we get a compiler
  error because our basename() replacement doesn't match the proto in
  libgen.h. Starting now, we don't include the file if basename wasn't found
  as well.

Daniel (4 October 2004)
- Chris found a race condition resulting in CURLE_COULDNT_RESOLVE_HOST and
  potential crash, in the windows threaded name resolver code.

Daniel (3 October 2004)
- Replaced the use of isspace() in cookie.c with our own version instead since
  we have most data as 'char *' and that makes us pass in negative values if
  there is 8bit data in the string. Changing to unsigned causes too much
  warnings or too many required typecasts to the normal string functions.
  Harshal Pradhan identified this problem.

Daniel (2 October 2004)
- Bertrand Demiddelaer found a case where libcurl could read already freed
  data when CURLOPT_VERBOSE is used and a (very) persistent connection. It
  happened when the dns cache entry for the connection was pruned while the
  connection was still alive and then again re-used. We worked together on
  this fix.

- Gisle Vanem provided code that displays an error message when the (libidn
  based) IDN conversion fails. This is really due to a missing suitable
  function in the libidn API that I hope we can remove once libidn gets a
  function like this.

Daniel (1 October 2004)
- Aleksandar Milivojevic reported a problem in the Redhat bugzilla (see
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134133) and not to
  anyone involved in the curl project! This happens when you try to curl a
  file from a proftpd site using SSL. It seems proftpd sends a somewhat
  unorthodox response code (232 instead of 230). I relaxed the response code
  check to deal with this and similar cases.

- Based on Fedor Karpelevitch's formpost path basename patch, file parts in
  formposts no longer include the path part. If you _really_ want them, you
  must provide your preferred full file name with CURLFORM_FILENAME.

  Added detection for libgen.h and basename() to configure. My custom
  basename() replacement function for systems without it, might be a bit too
  naive...

  Updated 6 test cases to make them work with the stripped paths.

Daniel (30 September 2004)
- Larry Campbell added CURLINFO_OS_ERRNO to curl_easy_getinfo() that allows an
  app to retrieve the errno variable after a (connect) failure. It will make
  sense to provide this for more failures in a more generic way, but let's
  start like this.

- Günter Knauf and Casey O'Donnell worked out an extra #if condition for the
  curl/multi.h header to work better in winsock-using apps.

- Jean-Philippe Barrette-LaPierre made buildconf run better on Mac OS X by
  properly using glibtoolize instead of plain libtoolize. (This is made if
  glibtool was found and used instead of plain libtool.)

Daniel (29 September 2004)
- Bertrand Demiddelaer fixed curl_easy_reset() so that it doesn't mistakingly
  enable the progress meter.

Daniel (28 September 2004)
- "Mekonikum" found out that if you built curl without SSL support, although
  your current SSL installation supports Engine, the compile fails.

Daniel (27 September 2004)
- When --with-ssl=PATH is used to the configure script, it no longer uses
  pkg-config to figure out extra details. That is now only done if no PATH is
  included or if SSL is checked for by default without the --with-ssl option.

Daniel (25 September 2004)
- Peter Sylvester pointed out that CURLOPT_SSLENGINE couldn't even be set to
  NULL when no engine was supported. It can now.

Daniel (22 September 2004)
- Dan Fandrich fixed three test cases to no longer use "localhost" but instead
  use "127.0.0.1" to avoid requiring that localhost resolves nicely.

- Jean-Claude Chauve fixed an LDAP crash when more than one record was
  retrieved.

Daniel (19 September 2004)
- Andreas Rieke pointed out that when attempting to connect to a host without
  a service on the specified port, curl_easy_perform() didn't properly provide
  an error message in the CURLOPT_ERRORBUFFER buffer.

Daniel (16 September 2004)
- Daniel at touchtunes uses the FTP+SSL server "BSDFTPD-SSL from
  http://bsdftpd-ssl.sc.ru/" which accordingly doesn't properly work with curl
  when "AUTH SSL" is issued (although the server responds fine and everything)
  but requires that curl issues "AUTH TLS" instead. See
  http://curl.haxx.se/feedback/display.cgi?id=10951944937603&support=yes

  Introducing CURLOPT_FTPSSLAUTH that allows the application to select which
  of the AUTH strings to attempt first.

- Anonymous filed bug report #1029478 which identified a bug when you 1) used
  a URL without properly seperating the host name and the parameters with a
  slash. 2) the URL had parameters to the right of a ? that contains a slash
  3) curl was told to follow Location:s 4) the request got a response that
  contained a Location: to redirect to "/dir". curl then appended the new path
  on the wrong position of the original URL.

  Test case 187 was added to verify that this was fixed properly.

Daniel (11 September 2004)
- Added parsedate.c that contains a rewrite of the date parser currently
  provided by getdate.y. The new one is MUCH smaller and will allow us to run
  away from the yacc/bison jungle. It is also slightly lacking in features
  compared to the old one, but it supports parsing of all date formats HTTP
  involves (and a fair bunch of others).

Daniel (10 September 2004)
- As found out by Jonas Forsman, curl didn't allow -F to set Content-Type on
  text-parts. Starting now, we can do -F "name=daniel;type=text/extra". Added
  test case 186 to verify.

- Bug report #1025986. When following a Location: with a custom Host: header
  replacement, curl only replaced the Host: header on the initial request
  and didn't replace it on the following ones. This resulted in requests with
  two Host: headers.

  Now, curl checks if the location is on the same host as the initial request
  and then continues to replace the Host: header. And when it moves to another
  host, it doesn't replace the Host: header but it also doesn't make the
  second Host: header get used in the request.

  This change is verified by the two new test cases 184 and 185.

Daniel (8 September 2004)
- Modified the test suite to be able to use and run with customized port
  numbers. This was always intended but never before possible. Now a simple
  change in the runtests.pl script can make all tests use different ports.
  The default ports in use from now on are 8990 to 8993.

Daniel (2 September 2004)
- Minor modification of an SSL-related error message.

Daniel (31 August 2004)
- David Tarendash found out that curl_multi_add_handle() returned
  CURLM_CALL_MULTI_PERFORM instead of CURLM_OK.

Daniel (30 August 2004)
- Make "Proxy-Connection: close" close the current proxy connection, as Roman
  Koifman found out.

Daniel (24 August 2004)
- Fixed a getdate problem by post-replacing the getdate.c file after the
  bison/yacc process to add the fix Harshal Pradhan suggested. The problem
  caused a crash on Windows when parsing some dates.

Daniel (23 August 2004)
- Roman Koifman pointed out that libcurl send Expect: 100-continue on POSTs
  even when told to use HTTP 1.0, which is not correct. Test case 180 and
  181 verify this.

- Added test case 182 to verify that zero byte transfers call the callback
  properly.

Daniel (20 August 2004)
- Alexander Krasnostavsky made the write callback get called even when a zero
  byte file is downloaded.

Daniel (18 August 2004)
- Ling Thio pointed out that when libcurl is built ipv6-enabled, it still did
  reverse DNS lookups when fed with a numerical IP-address (like
  http://127.0.0.1/), although it doesn't when built ipv6-disabled. libcurl
  should never do reverse lookups.

Daniel (17 August 2004)
- Kjetil Jacobsen noticed that when transferring a file:// URL pointing to an
  empty file, libcurl would return with the file still open.

- Alexander Krasnostavsky pointed out that the configure script needs to define
  _THREAD_SAFE for AIX systems to make libcurl built really thread-safe.

  Also added a check for the xlc compiler on AIX, and if that is detect we use
  the -qthreaded compiler option

Daniel (16 August 2004)
- libcurl now allows a custom "Accept-Encoding:" header override the
  internally set one that gets set with CURLOPT_ENCODING. Pointed out by Alex.

- Roland Krikava found and fixed a cookie problem when using a proxy (the
  path matching was wrong). I added test case 179 to verify that we now do
  right.

Daniel (15 August 2004)
- Casey O'Donnell fixed some MSVC makefile targets to link properly.

Daniel (11 August 2004)
- configure now defines _XOPEN_SOURCE to 500 on systems that need it to build
  warning-free (the only known one so far is non-gcc builds on 64bit SGI
  IRIX). (Reverted this change later as it caused compiler errors.)

- the FTP code now includes the server response in the error message when the
  server gives back a 530 after the password is provided, as it isn't
  necessary because of a bad user name or password.

Version 7.12.1 (10 August 2004)

Daniel (10 August 2004)
- In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input is
  already UTF-8 encoded. This made the certificate verification fail if the
  remote server used a certificate with the name UTF-8 encoded.

  Work-around brought by Alexis S. L. Carvalho.

Daniel (9 August 2004)
- I fixed the configure script for krb4 to use -lcom_err as well, as I started
  to get link problems with it unless I did that on my Solaris 2.7 box. I
  don't understand why I started to get problems with this now!

Daniel (5 August 2004)
- Enrico Scholz fixed the HTTP-Negotiate service name to be uppercase as
  reported in bug report #1004105

Daniel (4 August 2004)
- Gisle Vanem provided a fix for the multi interface and connecting to a host
  using multiple IP (bad) addresses.

- Dylan Salisbury made libcurl no longer accept cookies set to a TLD only (it
  previously allowed that on the seven three-letter domains).

Daniel (31 July 2004)
- Joel Chen reported that the digest code assumed quotes around the contents a
  bit too much.

Daniel (28 July 2004)
- Bertrand Demiddelaer fixed the host name to get setup properly even when a
  connection is re-used, when a proxy is in use. Previously the wrong Host:
  header could get sent when re-using a proxy connection to a different target
  host.

- Fixed Brian Akins' reported problems with duplicate Host: headers on re-used
  connections. If you attempted to replace the Host: header in the second
  request, you got two such headers!

- src/Makefile.am now includes the Makefile.inc file to get info about files

Daniel (26 July 2004)
- Made "curl [URL] -o name#2" work as expected. If there's no globbing for the
  #-number, it will simply be used as #2 in the file name.

- Bertrand Demiddelaer fixed testing with valgrind 2.1.x and added two missing
  newlines in the cookie informationals.

Daniel (24 July 2004)
- I fixed the autobuilds with ares, since they now need to have buildconf run