CHANGES.0

    similar to ftp, where two slashes after the host name means an absolute
    reference seems a reasonable extension to fix this.

  * Failures in EBCDIC conversion are not propagated up to the caller but are
    silently ignored

- Fixed known bug #28. The TFTP code no longer assumes a packed struct and
  thus works reliably on more platforms.

Daniel (5 May 2006)
- Roland Blom filed bug report #1481217
  (http://curl.haxx.se/bug/view.cgi?id=1481217), with follow-ups by Michele
  Bini and David Byron. libcurl previously wrongly used GetLastError() on
  windows to get error details after socket-related function calls, when it
  really should use WSAGetLastError() instead.

  When changing to this, the former function Curl_ourerrno() is now instead
  called Curl_sockerrno() as it is necessary to only use it to get errno from
  socket-related functions as otherwise it won't work as intended on Windows.

Daniel (4 May 2006)
- Mark Eichin submitted bug report #1480821
  (http://curl.haxx.se/bug/view.cgi?id=1480821) He found and identified a
  problem with how libcurl dealt with GnuTLS and a case where gnutls returned
  GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
  return code, making Curl_ssl_send() confuse the upper layer - causing random
  28 bytes trash data to get inserted in the transfered stream.

  The proper fix was to make the Curl_gtls_send() function return the proper
  return codes that the callers would expect. The Curl_ossl_send() function
  already did this.

Daniel (2 May 2006)
- Added a --checkfor option to curl-config to allow users to easier
  write for example shell scripts that test for the presence of a
  new-enough libcurl version. If --checkfor is given a version string
  newer than what is currently installed, curl-config will return a
  non-zero exit code and output a string about the unfulfilled
  requirement.

Daniel (26 April 2006)
- David McCreedy brought initial line end conversions when doing FTP ASCII
  transfers. They are done on non-windows systems and translate CRLF to LF.

  I modified the 15 LIST-using test cases accordingly. The downside is that now
  we'll have even more trouble to get the tests to run on Windows since they
  should get CRLF newlines left intact which the *nix versions don't. I figure
  the only sane thing to do is to add some kind of [newline] macro for the test
  case files and have them expanded to the proper native line ending when the
  test cases are run. This is however left to implement.

Daniel (25 April 2006)
- Paul Querna fixed libcurl to better deal with deflate content encoding
  when the stream (wrongly) lacks a proper zlib header. This seems to be the
  case on too many actual server implementations.

Daniel (21 April 2006)
- Ale Vesely fixed CURLOPT_INTERFACE when using a hostname.

Daniel (19 April 2006)
- Based on previous info from Tor Arntsen, I made configure detect the Intel
  ICC compiler to add a compiler option for it, in order for configure to
  properly be able to detect function prototypes.

- Robson Braga Araujo provided a patch that makes libcurl less eager to close
  the control connection when using FTP, for example when you remove an easy
  handle from a multi stack.

- Applied a patch by Ates Goral and Katie Wang that corrected my bad fix
  attempt from April 10.

Daniel (11 April 2006)
- #1468330 (http://curl.haxx.se/bug/view.cgi?id=1468330) pointed out a bad
  typecast in the curl tool leading to a crash with (64bit?) VS2005 (at least)
  since the struct timeval field tv_sec is an int while time_t is 64bit.

Daniel (10 April 2006)
- Ates Goral found out that if you specified both CURLOPT_CONNECTTIMEOUT and
  CURLOPT_TIMEOUT, the _longer_ time would wrongly be used for the SSL
  connection time-out!

- I merged my hiper patch (http://curl.haxx.se/libcurl/hiper/) into the main
  sources. See the lib/README.multi_socket for implementation story with
  details. Don't expect it to work fully yet. I don't intend to blow any
  whistles or ring any bells about it until I'm more convinced it works at
  least somewhat reliably.

Daniel (7 April 2006)
- David McCreedy's EBCDIC and TPF changes. Three new curl_easy_setopt()
  options (callbacks) were added:

  CONV_FROM_NETWORK_FUNCTION
  CONV_TO_NETWORK_FUNCTION
  CONV_FROM_UTF8_FUNCTION

Daniel (5 April 2006)
- Michele Bini modified the NTLM code to work for his "weird IIS case"
  (http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
  function in addition to the LM one and making some other adjustments in the
  order the different parts of the data block are sent in the Type-2 reply.
  Inspiration for this work was taken from the Firefox NTLM implementation.

  I edited the existing 21(!) NTLM test cases to run fine with these news. Due
  to the fact that we now properly include the host name in the Type-2 message
  the test cases now only compare parts of that chunk.

Daniel (28 March 2006)
- #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that
  occurred when asking libcurl to follow HTTP redirects and the original URL
  had more than one question mark (?). Added test case 276 to verify.

Daniel (27 March 2006)
- David Byron found a problem multiple -d options when libcurl was built with
  --enable-debug, as then curl used free() on memory allocated both with
  normal malloc() and with libcurl-provided functions, when the latter MUST be
  freed with curl_free() in debug builds.

Daniel (26 March 2006)
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
  called bind() with a too big argument in the 3rd parameter and at least
  Tru64, AIX and IRIX seem to be very picky about it.

Daniel (21 March 2006)
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.

- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
  (when using OpenSSL).

- Tor Arntsen fixed the AIX Toolbox RPM spec

Daniel (20 March 2006)
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
  reacts properly according to the CURLOPT_FTP_SSL setting.

- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
  whose length was a multiple of 512 bytes could have random garbage
  appended. Also, stop processing TFTP packets which are too short to be
  legal.

- Ilja van Sprundel reported a possible crash in the curl tool when using
  "curl hostwithoutslash -d data -G"

Version 7.15.3 (20 March 2006)

Daniel (20 March 2006)
- VULNERABILITY reported to us by Ulf Harnhammar.

  libcurl uses the given file part of a TFTP URL in a manner that allows a
  malicious user to overflow a heap-based memory buffer due to the lack of
  boundary check.

  This overflow happens if you pass in a URL with a TFTP protocol prefix
  ("tftp://"), using a valid host and a path part that is longer than 512
  bytes.

  The affected flaw can be triggered by a redirect, if curl/libcurl is told to
  follow redirects and an HTTP server points the client to a tftp URL with the
  characteristics described above.

  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2006-1061 to this issue.

Daniel (16 March 2006)
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
  in the release archive.

Daniel (14 March 2006)
- David McCreedy fixed:

  a bad SSL error message when OpenSSL certificates are verified fine.

  a missing return code assignment in the FTP code

Daniel (7 March 2006)
- Markus Koetter filed debian bug report #355715 which identified a problem
  with the multi interface and multi-part formposts. The fix from February
  22nd could make the Curl_done() function get called twice on the same
  connection and it was not designed for that and thus tried to call free() on
  an already freed memory area!

- Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL
  is used properly.

Daniel (6 March 2006)
- Lots of users on Windows have reported getting the "SSL: couldn't set
  callback" error message so I've now made the setting of that callback not be
  as critical as before. The function is only used for additional loggging/
  trace anyway so a failure just means slightly less data. It should still be
  able to proceed and connect fine to the server.

Daniel (4 March 2006)
- Thomas Klausner provided a patch written by Todd Vierling in bug report
  #1442471 that fixes a build problem on Interix.

Daniel (2 March 2006)
- FTP upload without a file name part in the URL now causes
  curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the
  upload but named the file "(nil)" (without the quotes). Test case 524
  verifies.

- Added a check for getprotobyname in configure so that it'll be used, thanks
  to Gisle Vanem's change the other day.

Daniel (28 February 2006)
- Dan Fandrich prevented curl from getting stuck in an endless loop in case we
  are out of file handles very early in curl's code where it makes sure that
  0, 1 and 2 aren't gonna be used by the lib for transfers.

Daniel (27 February 2006)
- Marty Kuhrt pointed out that there were two VMS-specific files missing in
  the release archive.

Version 7.15.2 (27 February 2006)

Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
  (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
  different but related bugs:

  1) Removing an easy handle from a multi handle before the transfer is done
     could leave a connection in the connection cache for that handle that is
     in a state that isn't suitable for re-use. A subsequent re-use could then
     read from a NULL pointer and segfault.

  2) When an easy handle was removed from the multi handle, there could be an
     outstanding c-ares DNS name resolve request. When the response arrived,
     it caused havoc since the connection struct it "belonged" to could've
     been freed already.

  Now Curl_done() is called when an easy handle is removed from a multi handle
  pre-maturely (that is, before the transfer was complteted). Curl_done() also
  makes sure to cancel all (if any) outstanding c-ares requests.

Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
  type to the already provided type CURLPROXY_SOCKS4.

  I added a --socks4 option that works like the current --socks5 option but
  instead use the socks4 protocol.

Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
  content when libcurl didn't honor the internal ignorebody flag.

Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate
  code. It should however not be the cause of any troubles. He also fixed a
  few similar problems in the HTTP test server code.

Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times,
  as previously it could be holding on to old cached entries longer than
  requested.

Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
  that an app can use to let libcurl only connect to a remote host and then
  extract the socket from libcurl. libcurl will then not attempt to do any
  transfer at all after the connect is done.

- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
  instead of LDFLAGS.

Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem
  with re-used FTP connections. If the second request on the same connection
  was set not to fetch a "body", libcurl could get confused and consider it an
  attempt to use a dead connection and would go acting mighty strange.

Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
  change done in November 2005.

Daniel (30 January 2006)
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
  curl tool with --local-port. Plain and simply set the range of ports to bind
  the local end of connections to. Implemented on to popular demand.

- Based on an error report by Philippe Vaucher, we no longer count a retried
  connection setup as a follow-redirect. It turns out 1) this fails when a FTP
  connection is re-setup and 2) it does make the max-redirs counter behave
  wrong.

Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try
  PASV even after EPSV returned a positive response code, if libcurl failed to
  connect to the port number the EPSV response said. Obviously some people are
  going through protocol-sensitive firewalls (or similar) that don't
  understand EPSV and then they don't allow the second connection unless PASV
  was used. This also called for a minor fix of test case 238.

Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP]
  (CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
  "native" IP while it works fine for ipv6-disabled builds!

  In the process of fixing this, I removed the support for LPRT since I can't
  think of many reasons to keep doing it and asking on the mailing list didn't
  reveal anyone else that could either. The code that sends EPRT and PORT is
  now also a lot simpler than before (IMHO).

Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
  (built ipv4-only) didn't work.

Daniel (18 January 2006)
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
  the configure script complained about a missing "missing" script if you ran
  configure within a path whose name included one or more spaces. This is due
  to a flaw in automake (1.9.6 and earlier). I've now worked around it by
  including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
  be used instead of the one automake ships with. This kludge needs to be
  removed once we get an automake version with this problem corrected.
  Possibly we'll then need to convert this into a kludge depending on what
  automake version that is used and that is gonna be painful and I don't even
  want to think about that now...!

Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
  the latest features and protocols that libcurl supports and has a minor fix
  to better deal with the obscure case where someone has more than one libcurl
  installed at the same time.

Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially
  not supporting it. It hasn't been functioning for years anyway, so this is
  just finally stating what already was true. And a cleanup at the same time.

- Bryan Henderson turned the 'initialized' variable for curl_global_init()
  into a counter, and thus you can now do multiple curl_global_init() and you
  are then supposed to do the same amount of calls to curl_global_cleanup().
  Bryan has also updated the docs accordingly.

Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the
  test script to kill all processes in the current process group!

Daniel (12 January 2006)
- Michael Jahn:

  Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
  HTTP proxy.

  Fixed PROXYTUNNEL to work fine when you do ftp through a proxy.  It would
  previously overwrite internal memory and cause unpredicted behaviour!

Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've received *NO*
  feedback at all on my mailing list requests from November 2005:

  I'm looking for feedback and comments. I added some experimental code the
  other day, that allows a libcurl user to select what method libcurl should
  use to reach a file on a FTP(S) server.

  This functionality is available in CVS code and in recent daily snapshots.

  Let me explain...

  The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
  the command line tool) and you set it to a long (there are currenly no
  defines for the argument values, just plain numericals). You can set three
  different "methods" that do this:

  1 multicwd - like today, curl will do a single CWD operation for each path
           part in the given URL. For deep hierarchies this means very many
           commands. This is how RFC1738 says it should be done. This is the
           default.

  2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
           a full path to the server.

  3 singlecwd - make one CWD with the full target directory and then operate
            on the file "normally".

  (With the command line tool you do --ftp-method [METHOD], where [METHOD] is
  one of "multicwd", "nocwd" or "singlecwd".)

  What feedback I'm interested in:

  1 - Do they work at all? Do you find servers where one of these don't work?

  2 - What would proper names for the option and its arguments be, if we
      consider this feature good enough to get included and documented in
      upcoming releases?

  3 - Should we make libcurl able to "walk through" these options in case of
      (path related) failures, or should it fail and let the user redo any
      possible retries?

  (This option is not documented in any man page just yet since I'm not sure
  these names will be used or if the functionality will end up exactly like
  this.  And for the same reasons we have no test cases for these yet.)

Daniel (10 January 2006)
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
  given subdirs, libcurl would still "remember" the full path as if it is the
  current directory libcurl is in so that the next curl_easy_perform() would
  get really confused if it tried the same path again - as it would not issue
  any CWD commands at all, assuming it is already in the "proper" dir.

  Starting now, a failed CWD command sets a flag that prevents the path to be
  "remembered" after returning.

Daniel (7 January 2006)
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
  proxy actually used a new connection and not sent the second request on the
  first socket!

Daniel (6 January 2006)
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
  is present instead of trying to mimic that script in curl's buildconf
  script.

Daniel (3 January 2006)
- Andres Garcia made the TFTP test server build with mingw.
Daniel (16 December 2005)
- Jean Jacques Drouin pointed out that you could only have a user name or
  password of 127 bytes or less embedded in a URL, where actually the code
  uses a 255 byte buffer for it! Modified now to use the full buffer size.

Daniel (12 December 2005)
- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly

Version 7.15.1 (7 December 2005)

Daniel (6 December 2005)
- Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by
  Stefan Esser.

  VULNERABILITY

  libcurl's URL parser function can overflow a malloced buffer in two ways, if
  given a too long URL.

  These overflows happen if you
 
  1 - pass in a URL with no protocol (like "http://") prefix, using no slash
      and the string is 256 bytes or longer. This leads to a single zero byte
      overflow of the malloced buffer.

  2 - pass in a URL with only a question mark as separator (no slash) between
      the host and the query part of the URL. This leads to a single zero byte
      overflow of the malloced buffer.

  Both overflows can be made with the same input string, leading to two single
  zero byte overwrites.

  The affected flaw cannot be triggered by a redirect, but the long URL must
  be passed in "directly" to libcurl. It makes this a "local" problem. Of
  course, lots of programs may still pass in user-provided URLs to libcurl
  without doing much syntax checking of their own, allowing a user to exploit
  this vulnerability.

  There is no known exploit at the time of this writing.


Daniel (2 December 2005)
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
  file descriptor if given a non-existing file.

Daniel (24 November 2005)
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
  again using configure.

- Yang Tse provided a whole series of patches to clear up compiler warnings on
  MSVC 6.

Daniel (17 November 2005)
- I extended a patch from David Shaw to make libcurl _always_ provide an error
  string in the given error buffer to address the flaw mention on 21 sep 2005.

Daniel (16 November 2005)
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
  installed on 'make install' time.

Daniel (14 November 2005)
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
  properly for a case, and so we did. We raised it even for non-SSPI builds
  but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715

- Jan Kunder's debian bug report
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
  error message for when you try to upload a file and the requested directory
  doesn't exist on the target server.

- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
  lib/memdebug.h that showed up in his msvc builds.

Daniel (13 November 2005)
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
  bad limit-rate units:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
  error if a bad unit is used.

- Thanks to this nice summary of poll() implementations:
  http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
  Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
  connectin closure so we check for that case (too) and re-enable poll for
  cygwin builds.

Daniel (12 November 2005)
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
  right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
  poll() and use select() on cygwin too (we already do the same choice on Mac
  OS X)

- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
  client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).

Daniel (10 November 2005)
- David Lang fixed IPv6 support for TFTP!

- Introducing range stepping to the curl globbing support. Now you can specify
  step counter by adding :[num] within the brackets when specifying a range:

   [1-100:10]
   [a-z:2]

  If no step counter is set, it defaults to 1 as before:

   [1-100]
   [d-h]

Daniel (8 November 2005)
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
  we really have no use for reverse lookups of the address.

  I truly hope these are the last reverse lookups we had lingering in the
  code!

- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
  version of libcurl with different Windows versions. Current version of
  libcurl imports SSPI functions from secur32.dll. However, under Windows NT
  4.0 these functions are located in security.dll, under Windows 9x - in
  secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
  just forwards calls to secur32.dll).

  Dmitry's patch loads proper library dynamically depending on Windows
  version. Function InitSecurityInterface() is used to obtain pointers to all
  of SSPI function in one structure.

Daniel (31 October 2005)
- Vilmos Nebehaj improved libcurl's LDAP abilities:

  The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
  attributes in LDAP objects. So, I made a quick patch to address these
  problems.

  The solution is simple: if we connect to an LDAP server, first try LDAPv3
  (which is the preferred protocol as of now) and then fall back to LDAPv2.
  In case of binary attributes, we first convert them to base64, just like the
  openldap client does. It uses ldap_get_values_len() instead of
  ldap_get_values() to be able to retrieve binary attributes correctly. I
  defined the necessary LDAP macros in lib/ldap.c to be able to compile
  libcurl without the presence of libldap

Daniel (27 October 2005)
- Nis Jorgensen filed bug report #1338648
  (http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
  feature request, but anyway. It pointed out that --max-redirs did not allow
  it to be set to 0, which then would return an error code on the first
  Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
  set to 0, or -1 for infinity. Added test case 274 to verify.

- tommink[at]post.pl reported in bug report #1337723
  (http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
  binary data from stdin on Windows if the data contained control-Z (hex 1a)
  since that is treated as end-of-file when read in text mode. Gisle Vanem
  pointed out the fix, and I made both -T and --data-binary take advantage of
  it.

- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
  in the man page, curl would send an invalid HTTP Range: header. The correct
  way would be to use "-r [number]-" or even "-r -[number]". Starting now,
  curl will warn if this is discovered, and automatically append a dash to the
  range before passing it to libcurl.

Daniel (25 October 2005)
- Amol Pattekar reported a bug with great detail and a fine example in bug
  #1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
  interface and connecting to a host with multiple IP addresses, and one of
  the addresses fails to connect (the server must exist and respond, just not
  accept connections) libcurl leaks a socket descriptor. Thanks to the fine
  report, I could find and fix this.

Daniel (22 October 2005)
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
  #1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
  stream from a server and the server requests a "rehandshake", the current
  code simply returns this as an error. I have no good way to test this, but
  I've added a crude attempt of dealing with this situation slightly better -
  it makes a blocking handshake if this happens. Done like this because fixing
  this the "proper" way (that would handshake asynchronously) will require
  quite some work and I really need a good way to test this to do such a
  change.

Daniel (21 October 2005)
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
  it, it could then accidentally actually crash. Presumably, this concerns FTP
  connections.  http://curl.haxx.se/bug/view.cgi?id=1330310

- Temprimus improved the MSVC makefile so that the static debug SSL libs are
  linked to the executable and not to the libcurld.lib
  http://curl.haxx.se/bug/view.cgi?id=1326676

- Bradford Bruce made the windows resolver code properly return
  CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
  errors (as documented).

Daniel (20 October 2005)
- Dave Dribin made libcurl understand and handle cases when the server
  (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
  never happen in a sane world, libcurl previously got into an infinite loop
  when this occurred. Dave added test 273 to verify this.

- Temprimus improved the MSVC makefile: "makes a build option available so if
  you set rtlibcfg=static for the make, then it would build with /MT. The
  default behaviour is /MD (the original)."
  http://curl.haxx.se/bug/view.cgi?id=1326665

Daniel (14 October 2005)
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
  reported, the define is used by the configure script and is assumed to use
  the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
  release version.

Version 7.15.0 (13 October 2005)

Daniel (12 October 2005)
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
  code that would overflow a buffer if given a too long user name or domain
  name. This would happen if you enable NTLM authentication and either

  A - pass in a user name and domain name to libcurl that together are longer
      than 192 bytes

  B - allow (lib)curl to follow HTTP "redirects" (Location: and the
      appropriate HTTP 30x response code) and the new URL contains a URL with
      a user name and domain name that together are longer than 192 bytes

  See http://curl.haxx.se/docs/security.html for further details and updates

Daniel (5 October 2005)
- Darryl House reported a problem with using -z to download files from FTP.
  It turned out that if the given time stamp was exact the same as the remote
  time stamp, the file would still wrongly be downloaded. Added test case 272
  to verify.

Daniel (4 October 2005)
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
  from the configure script.

- Michael Wallner reported that the date parser had wrong offset stored for
  the MEST and CEST time zones.

Daniel (27 September 2005)
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)
  that identified a silly problem with Content-Range: headers with the 'bytes'
  keyword written in a different case than all lowercase! It would cause a
  segfault!

- TJ Saunders of the proftpd project identified and pointed out problems with
  the modified FTPS negotiation change of August 19 2005. Thus, we revert the
  change back to pre-7.14.1 status.

Daniel (21 September 2005)
- Fixed "cut off" sentence in the libcurl-tutorial man page:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305

- Clarified in the curl_easy_setopt man page what the default
  CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311

- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
  sometimes doesn't fill in the buffer even though it is supposed to:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313

- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
  error string set.

Daniel (19 September 2005)
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.

Daniel (15 September 2005)
- Added a TFTP server to the test suite and made the test suite capable of
  using it.

Daniel (7 September 2005)
- Ben Madsen's detailed reports that funnily enough only occurred with certain
  glibc versions turned out to be curl using an already closed file handle
  during certain conditions (like when saving FTP server "headers").

- Scott Davis helped me track down a problem in the test HTTP server that made
  test case 56 wrongly fail at times. It turned out it was due to the server
  finding the end of a chunked-encoded POST too early.

Daniel (6 September 2005)
- Now curl warns if an unknown variable is used in the -w/--writeout argument.

Daniel (4 September 2005)
- I applied Nicolas François' man page patch he posted to the Debian bug
  tracker. It corrected two lines that started with apostrophes, which isn't
  legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511

- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
  CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
  connection's IP address when setting up the data connection instead of
  extractting the IP address from the PASV response. It has turned out this
  feature is frequently needed by people to circumvent silly servers and silly
  firewalls, especially when FTPS is used and the PASV command-response is
  sent encrtyped.

  Sponsored by CU*Answers

Daniel (1 September 2005)
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
  added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
  list of protocols whereever those are mentioned.

Version 7.14.1 (1 September 2005)

Daniel (29 August 2005)
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.

- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
  for Windows, that could lead to an Access Violation when the multi interface
  was used due to an issue with how the resolver thread was and was not
  terminated.

- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
  instead of MIT/Heimdal for GSS capabilities.

Daniel (24 August 2005)
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
  from the command line tool with --ignore-content-length. This will make it
  easier to download files from Apache 1.x (and similar) servers that are
  still having problems serving files larger than 2 or 4 GB. When this option
  is enabled, curl will simply have to wait for the server to close the
  connection to signal end of transfer. I wrote test case 269 that runs a
  simple test to verify that this works.

- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
  the --logfile command line option to --log-file, and thus the test script
  valgrind autodetection now has yet another version check to do and then it
  alters the valgrind command line accordingly.

- Fixed CA cert verification using GnuTLS with the default bundle, which
  previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
  Ralph Mitchell reported.

Daniel (19 August 2005)
- Norbert Novotny had problems with FTPS and he helped me work out a patch
  that made curl run fine in his end. The key was to make sure we do the
  SSL/TLS negotiation immediately after the TCP connect is done and not after
  a few other commands have been sent like we did previously. I don't consider
  this change necessary to obey the standards, I think this server is pickier
  than what the specs allow it to be, but I can't see how this modified
  libcurl code can add any problems to those who are interpreting the
  standards more liberally.

Daniel (17 August 2005)
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
  CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
  write the result to a given cookie jar and then never actually call
  curl_easy_perform() - the given file(s) to read was never read but the
  output file was written and thus it caused a "funny" result.

- While doing some tests for the bug above, I noticed that Firefox generates
  large numbers (for the expire time) in the cookies.txt file and libcurl
  didn't treat them properly. Now it does.

Daniel (15 August 2005)
- Added more verbose "warning" messages to the curl client for cases where it
  fails to open/read files etc to help users diagnose why it doesn't do what
  you'd expect it to. Converted lots of old messages to use the new generic
  function I wrote for this purpose.

Daniel (13 August 2005)
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
  site responds with bad HTTP response that doesn't contain any header at all,
  only a response body, and the write callback returns 0 to abort the
  transfer, it didn't have any real effect but the write callback would be
  called once more anyway.

Daniel (12 August 2005)
- Based on Richard Clayton's reports, I found out that using curl -d @filename
  when 'filename' was not possible to access made curl use a GET request
  instead.

- The time condition illegal syntax warning is now inhibited if -s is used.

Daniel (10 August 2005)
- Mario Schroeder found out that one of the debug callbacks calls that regards
  SSL data with the CURLINFO_TEXT type claimed that the data was one byte
  larger than it actually is, thus falsely telling the application that the
  terminating zero was part of the data.

Daniel (9 August 2005)
- Christopher R. Palmer fixed the offsets used for date parsings when the time
  zone name of a daylight savings time was used. For example, PDT vs PDS. This
  flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
  Fortunately, no web server or cookie string etc should be using such time
  zone names thus limiting the effect of this bug.

Daniel (8 August 2005)
- Jon Grubbs filed bug report #1249962
  (http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem
  with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
  switches to pure HTTP internally when an HTTP proxy is used, even for FTP
  URLs. The problem would also occur with other multi-pass auth methods.

Daniel (7 August 2005)
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
  --features was used.

Daniel (28 July 2005)
- If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is
  set to 1, CURLOPT_NOBODY will now automatically be set to 0.

Daniel (27 July 2005)
- Dan Fandrich changes over the last week: fixed numerous minor configure
  option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
  and --without-krb4. Spellfixed several error messages.

- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
  simple interface to extracting and setting cookies in libcurl's internal
  "cookie jar". See the new cookie_interface.c example code.

Daniel (13 July 2005)
- Diego Casorran provided patches to make curl build fine on Amiga again.

Daniel (12 July 2005)
- Adrian Schuur added trailer support in the chunked encoding stream. The
  trailer is then sent to the normal header callback/stream. I wrote up test
  case 266 to verify the basic functionality. Do note that test case 34
  contains a flawed chunked encoding stream that still works the same.

Daniel (5 July 2005)
- Gisle Vanem came up with a nice little work-around for bug #1230118
  (http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC)
  libc time functions may return data one hour off if TZ is not set and
  automatic DST adjustment is enabled. This made curl_getdate() return wrong
  value, and it also concerned internal cookie expirations etc.

Daniel (4 July 2005)
- Andrew Bushnell provided enough info for me to tell that we badly needed to
  fix the CONNECT authentication code with multi-pass auth methods (such as
  NTLM) as it didn't previously properly ignore response-bodies - in fact it
  stopped reading after all response headers had been received. This could
  lead to libcurl sending the next request and reading the body from the first
  request as response to the second request. (I also renamed the function,
  which wasn't strictly necessary but...)

  The best fix would to once and for all make the CONNECT code use the
  ordinary request sending/receiving code, treating it as any ordinary request
  instead of the special-purpose function we have now. It should make it
  better for multi-interface too. And possibly lead to less code...

  Added test case 265 for this. It doesn't work as a _really_ good test case
  since the test proxy is too stupid, but the test case helps when running the
  debugger to verify.

Daniel (30 June 2005)
- Dan Fandrich improved the configure script's ability to figure out what kind
  of strerror_r() API that is used when cross-compiling. If __GLIB__ is
  defined, it assumes the glibc API. If not, it issues a notice as before that
  the user needs to manually edit lib/config.h for this.

Daniel (23 June 2005)
- David Shaw's fix that unifies proxy string treatment so that a proxy given
  with CURLOPT_PROXY can use a http:// prefix and user + password. The user
  and password fields are now also URL decoded properly. Test case 264 added
  to verify.

Daniel (22 June 2005)
- David Shaw updated libcurl.m4

Daniel (14 June 2005)
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
  (http://curl.haxx.se/bug/view.cgi?id=1216500).  Comment in
  http://curl.haxx.se/mail/lib-2005-06/0059.html

Daniel (13 June 2005)
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
  reverted patch).

Daniel (9 June 2005)
- Incorporated Tupone's findtool fix in buildconf (slightly edited)

- Incorporated Tupone's head -n fix in buildconf.

Daniel (8 June 2005)
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
  in pieces, one by one and see what we need to adjust to work all over.

Daniel (6 June 2005)
- Tupone Alfredo fixed three problems in buildconf:

  1) findtool does look per tool in PATH and think ./perl is the perl
  executable, while is just a local directory (I have . in the PATH)

  2) I got several warning for head -1 deprecated in favour of head -n 1
 
  3) ares directory is missing some file (missing is missing :-) ) because
  automake and friends is not run.

Daniel (3 June 2005)
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
  http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes

- Andres Garcia provided yet another text mode patch for several test cases so
  that they do text comparisions better on Windows (newline-wise).

Daniel (1 June 2005)
- The configure check for c-ares now adds the cares lib before the other libs,
  to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
  and patch: http://curl.haxx.se/bug/view.cgi?id=1212940

Daniel (31 May 2005)
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
  address was not possible to use. It is now, but requires it written
  RFC2732-style, within brackets - which incidently is how you enter numerical
  IPv6 addresses in URLs. Test case 263 added to verify.

Daniel (30 May 2005)
- Eric Cooper reported about a problem with HTTP servers that responds with
  binary zeroes within the headers. They confused libcurl to do wrong so the
  downloaded headers become incomplete. The fix is now verified with test case
  262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948

Daniel (25 May 2005)
- Fixed problems with the test suite, and in particular the FTP test cases
  since it previously was failing every now and then in a nonsense manner.

- --trace-time now outputs the full microsecond, all 6 digits.

Daniel (24 May 2005)
- Andres Garcia provided a text mode patch for several test cases so that they
  do text comparisions better on Windows (newline-wise).

- Any 2xx response (and not just 200) is now considered a fine response to
  TYPE, as some servers obviously sends a 226 there. Added test case 261 to
  verify. Based on a question/report by Georg Wicherski.

Daniel (20 May 2005)
- Improved runtests.pl to allow stdout tests to be mode=text as well, just
  as file comparisons already supports. Added this info to the FILEFORMAT
  docs.

Daniel (18 May 2005)
- John McGowan identified a problem in bug report #1204435
  (http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like
  "http://somehost?data" as it added a slash too much in the request ("GET
  /?data/"...). Added test case 260 to verify.

- The configure check for strerror_r() failed to detect the proper API at
  times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
  version if the posix define wasn't set (since it _had_ found a strerror_r).

Daniel (16 May 2005)
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
  due to this. There's now a configure check that attempts to detect the bad
  function and not use it on such systems.

Version 7.14.0 (16 May 2005)

Daniel (13 May 2005)
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
  OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
  doesn't work as good as if built without poll(). I've adjusted the configure
  to always skip the fine-poll() test on Mac OS X (darwin).

Daniel (12 May 2005)
- When doing a second request (after a disconnect) using the same easy handle,
  over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
  properly (the auth method was accidentally reset to the same as had been set
  for host auth, which defaults to Basic). Bug report #1200661
  (http://curl.haxx.se/bug/view.cgi?id=1200661) identified the the problem and
  the fix.

- If -z/--time-cond is used with an invalid date syntax, this is no longer
  silently discarded. Instead a proper warning message is diplayed that
  informs about it. But it still continues without the condition.

Version 7.14.0-pre2 (11 May 2005)

Daniel (11 May 2005)
- Starting now, libcurl sends a little different set of headers in its default
  HTTP requests:
  
  A) Normal non-proxy HTTP:
    - no more "Pragma: no-cache" (this only makes sense to proxies)

  B) Non-CONNECT HTTP request over proxy:
    - "Pragma: no-cache" is used (like before)
    - "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)

  C) CONNECT HTTP request over proxy:
    - "Host: [name]:[port]"
    - "Proxy-Connection: Keep-alive"