Skip to content
CHANGES 63.4 KiB
Newer Older
                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
Daniel Stenberg's avatar
Daniel Stenberg committed
                             \___|\___/|_| \_\_____|

Daniel Stenberg's avatar
Daniel Stenberg committed
                                  Changelog
Daniel S (29 Nov 2007)
- A bug report on the curl-library list showed a HTTP Digest session going on
  with a 700+ letter nonce. Previously libcurl only support 127 letter ones
  and now I bumped it to 1023.

- Fixed the resumed FTP upload loop to now require that the read callback
  returns a full buffer on each invoke.

Daniel S (25 Nov 2007)
- Added test case 1015 that tests --data-urlencode in multiple ways

- Fixed --data-urlencode for when no @ or = are used

- Extended the user-agent buffer curl uses, since we can hit the 128 byte
  border with plenty development libraries used. Like my current set: "curl
  7.17.2-CVS (i686-pc-linux-gnu) libcurl/7.17.2-CVS OpenSSL/0.9.8g
  zlib/1.2.3.3 c-ares/1.5.2-CVS libidn/1.1 libssh2/0.19.0-CVS"

Daniel S (24 Nov 2007)
- Internal rearrangements, so that the previous struct HandleData is no more.
  It is now known is SingleRequest and the Curl_transfer_keeper struct within
  that was remove entirely. This has the upside that there are less duplicate
  struct members that made it hard to see and remember what struct that was
  used to store what data. The transfer_keeper thing was once stored on a
  per-connection basis and then it made sense to have the duplicate info but
  since it was moved to the SessionHandle (in 7.16.0) it just added weirdness.
  The SingleRequest struct is used by data that only is valid for this single
  request.

Yang Tse (22 Nov 2007)
- Provide a socklen_t definition in curl.h for Win32 API build targets
  which don't have one.

Daniel S (22 Nov 2007)
- Alessandro Vesely helped me improve the --data-urlencode's syntax, parser
  and documentation.

Daniel S (21 Nov 2007)
- While inspecting the Negotiate code, I noticed how the proxy auth was using
  the same state struct as the host auth, so both could never be used at the
  same time! I fixed it (without being able to check) to use two separate
  structs to allow authentication using Negotiate on host and proxy
  simultaneously.
- Emil Romanus pointed out a bug that made an easy handle get the cookie
  engine activated when set to use a share (even if the share doesn't share
  cookies). I fixed it.

- Fixed a very long-lasting mprintf() bug that occurred when we did "%.*s%s",
  since the second %s would then wrongly used the numerical precision argument
  instead and crash.

- Introduced --data-urlencode to the curl tool for easier url encoding of the
Daniel S (18 Nov 2007)
- Rob Crittenden fixed SSL connections with NSS done with the multi-interface

Daniel S (17 Nov 2007)
- Michal Marek made the test suite remember what test servers that fail to
  start so that subsequent tries are simply skipped.

- Andres Garcia made the examples build fine on Windows (mingw + msys) when
  the lib was built staticly.

Daniel S (16 Nov 2007)
- Ates Goral identified a problem in http.c:add_buffer_send() when a debug
  callback was used, as it could wrongly pass on a bad size for the outgoing
  HTTP header. The bad size would be a very large value as it was a wrapped
  size_t content. This happened when the whole HTTP request failed to get sent
  in one single send.  http://curl.haxx.se/mail/lib-2007-11/0165.html

Daniel S (15 Nov 2007)
- Fixed yet another remaining problem with doing SFTP directory listings on a
  re-used persistent connection. Mentioned by Immanuel Gregoire on the mailing
  list.

- Michal Marek fixed the test suite to better deal with the case when the HTTP
  ipv6 server can't run.

Yang Tse (14 Nov 2007)
- Fix a variable potential wrapping in add_buffer() when using absolutely
  huge send buffer sizes.

Daniel S (13 Nov 2007)
- Fixed a remaining problem with doing SFTP directory listings on a re-used
  persistent connection. Mentioned by Immanuel Gregoire on the mailing list.

Daniel S (12 Nov 2007)
- Bug report #1830637 (http://curl.haxx.se/bug/view.cgi?id=1830637), which was
  forwarded from the Gentoo bug tracker by Daniel Black and was originally
  submitted by Robin Johnson, pointed out that libcurl would do bad memory
  references when it failed and bailed out before the handler thing was
  setup. My fix is not done like the provided patch does it, but instead I
  make sure that there's never any chance for a NULL pointer in that struct
  member.

Daniel S (8 Nov 2007)
- Bug report #1823487 (http://curl.haxx.se/bug/view.cgi?id=1823487) pointed
  out that SFTP requests didn't use persistent connections. Neither did SCP
  ones.  I gave the SSH code a good beating and now both SCP and SFTP should
  use persistent connections fine. I also did a bunch of indent changes as
  well as a bug fix for the "keyboard interactive" auth.

Dan F (6 Nov 2007)
- Improved telnet support by drastically reducing the number of write
  callbacks needed to pass a buffer to the user.  Instead one per byte it
  is now as little as one per segment.

Yang Tse (6 Nov 2007)
- Bug report #1824894 (http://curl.haxx.se/bug/view.cgi?id=1824894) pointed
  out a problem in curl.h when building C++ apps with MSVC. To fix it, the
  inclusion of header files in curl.h is moved outside of the C++ extern "C"
  linkage block.

Daniel S (1 Nov 2007)
- Toby Peterson patched a memory problem in the command line tool that
  happened when a user had a home dir as an empty string. curl would then do
  free() on a wrong area.

Dan F (1 Nov 2007)
- Fixed curl-config --features to not display libz when it wasn't used
  due to a missing header file.

Dan F (31 October 2007)
- Fixed the output of curl-config --protocols which showed SCP and SFTP
  always, except when --without-libssh2 was given

- Added test cases 1013 and 1014 to check that curl-config --protocols and
  curl-config --features matches the output of curl --version
Dan F (30 October 2007)
- Fixed an OOM problem with file: URLs

- Moved Curl_file_connect into the protocol handler struct

Dan F (29 October 2007)
- Added test case 546 to check that subsequent FTP transfers work after a
  failed one using the multi interface

Daniel S (29 October 2007)
- Based on one of those bug reports that are intercepted by a distro's bug
  tracker (https://bugzilla.redhat.com/show_bug.cgi?id=316191), I now made
  curl-config --features and --protocols show the correct output when built
  with NSS.

Daniel Stenberg's avatar
Daniel Stenberg committed
Version 7.17.1 (29 October 2007)

Dan F (25 October 2007)
- Added the --static-libs option to curl-config

Daniel S (25 October 2007)
- Made libcurl built with NSS possible to ignore the peer verification.
  Previously it would fail if the ca bundle wasn't present, even if the code
  ignored the verification results.

Patrick M (25 October 2007)
- Fixed test server to allow null bytes in binary posts.
_ Added tests 35, 544 & 545 to check binary data posts, both static (in place)
  and dynamic (copied).

- Michal Marek fixed the test script to be able to use valgrind even when the
  lib is built shared with libtool.

- Fixed a few memory leaks when the same easy handle is re-used to request
  URLs with different protocols. FTP and TFTP related leaks. Caught thanks to
  Dan F's new test cases.

- Fixed the test FTP and TFTP servers to support the >10000 test number
  notation
- Added test cases 2000 through 2003 which test multiple protocols using the
  same easy handle

- Fixed the filecheck: make target to work outside the source tree

Daniel S (24 October 2007)
- Vladimir Lazarenko pointed out that we should do some 'mt' magic when
  building with VC8 to get the "manifest" embedded to make fine stand-alone
  binaries. The maketgz and the src/Makefile.vc6 files were adjusted
  accordingly.

Daniel S (23 October 2007)
- Bug report #1812190 (http://curl.haxx.se/bug/view.cgi?id=1812190) points out
  that libcurl tried to re-use connections a bit too much when using non-SSL
  protocols tunneled over a HTTP proxy.

- Michal Marek forwarded the bug report
  https://bugzilla.novell.com/show_bug.cgi?id=332917 about a HTTP redirect to
  FTP that caused memory havoc. His work together with my efforts created two
  fixes:

  #1 - FTP::file was moved to struct ftp_conn, because is has to be dealt with
       at connection cleanup, at which time the struct HandleData could be
       used by another connection.
       Also, the unused char *urlpath member is removed from struct FTP.
 
  #2 - provide a Curl_reset_reqproto() function that frees
       data->reqdata.proto.* on connection setup if needed (that is if the
       SessionHandle was used by a different connection).

  A long-term goal is of course to somehow get rid of how the reqdata struct
  is used, as it is too error-prone.
 
- Bug report #1815530 (http://curl.haxx.se/bug/view.cgi?id=1815530) points out
  that specifying a proxy with a trailing slash didn't work (unless it also
  contained a port number).

Patrick M (15 October 2007)
- Fixed the dynamic CURLOPT_POSTFIELDS problem: this option is now static again
  and option CURLOPT_COPYPOSTFIELDS has been added to support dynamic mode.

Patrick M (12 October 2007)
- Added per-protocol callback static tables, replacing callback ptr storage
  in the connectdata structure by a single handler table ptr.

Dan F (11 October 2007)
- Fixed the -l option of runtests.pl

- Added support for skipping tests based on key words.

Daniel S (9 October 2007)
- Michal Marek removed the no longer existing return codes from the curl.1
  man page.

Daniel S (7 October 2007)
- Known bug #47, which confused libcurl if doing NTLM auth over a proxy with
  a response that was larger than 16KB is now improved slightly so that now
  the restriction at 16KB is for the headers only and it should be a rare
  situation where the response-headers exceed 16KB. Thus, I consider #47 fixed
  and the header limitation is now known as known bug #48.

- Michael Wallner made the CULROPT_COOKIELIST option support a new magic
  string: "FLUSH". Using that will cause libcurl to flush its cookies to the
  CURLOPT_COOKIEJAR file.

- The new file docs/libcurl/ABI describes how we view ABI breakages, soname
  bumps and what the version number's significance to all that is.

- I enabled test 1009 and made the --local-port use a wide range to reduce the
  risk of failures.

- Kim Rinnewitz reported that --local-port didn't work with TFTP transfers.
  This happened because the tftp code always uncondionally did a bind()
  without caring if one already had been done and then it failed. I wrote a
  test case (1009) to verify this, but it is a bit error-prone since it will
  have to pick a fixed local port number and since the tests are run on so
  many different hosts in different situations I'll add it in disabled state.

Yang Tse (3 October 2007)
- Fixed issue related with the use of ares_timeout() result.

- Alexey Pesternikov introduced CURLOPT_OPENSOCKETFUNCTION and
  CURLOPT_OPENSOCKETDATA to set a callback that allows an application to
  replace the socket() call used by libcurl. It basically allows the app to
  change address, protocol or whatever of the socket.

- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
  CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
  this return code get used by the previous SSH MD5 fingerprint check in case
  it fails.

- Based on a patch brought by Johnny Luong, libcurl now offers
  CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
  make the SCP or SFTP connection verify the remote host's md5 checksum of the
  public key before doing a connect, to reduce the risk of a man-in-the-middle
  attack.

Daniel S (2 October 2007)
- libcurl now handles chunked-encoded CONNECT responses

Daniel S (1 October 2007)
- Alex Fishman reported a curl_easy_escape() problem that was made the
  function do wrong on all input bytes that are >= 0x80 (decimal 128) due to a
  signed / unsigned mistake in the code. I fixed it and added test case 543 to
  verify.

Daniel S (29 September 2007)
- Immanuel Gregoire fixed a problem with persistent transfers over SFTP.

Daniel S (28 September 2007)
- Adapted the c-ares code to the API change c-ares 1.5.0 brings in the
  notifier callback(s).

Dan F (26 September 2007)
- Enabled a few more gcc warnings with --enable-debug.  Renamed a few
  variables to avoid shadowing global declarations.

- Philip Langdale provided the new CURLOPT_POST301 option for
  curl_easy_setopt() that alters how libcurl functions when following
  redirects. It makes libcurl obey the RFC2616 when a 301 response is received
  after a non-GET request is made. Default libcurl behaviour is to change
  method to GET in the subsequent request (like it does for response code 302
  - because that's what many/most browsers do), but with this CURLOPT_POST301
  option enabled it will do what the spec says and do the next request using
  the same method again. I.e keep POST after 301. 

  The curl tool got this option as --post301

  Test case 1011 and 1012 were added to verify.

- Max Katsev reported that when doing a libcurl FTP request with
  CURLOPT_NOBODY enabled but not CURLOPT_HEADER, libcurl wouldn't do TYPE
  before it does SIZE which makes it less useful. I walked over the code and
  made it do this properly, and added test case 542 to verify it.

Daniel S (24 September 2007)
- Immanuel Gregoire fixed KNOWN_BUGS #44: --ftp-method nocwd did not handle
  URLs ending with a slash properly (it should list the contents of that
  directory). Test case 351 brought back and also test 1010 was added.

Daniel S (21 September 2007)
- Mark Davies fixed Negotiate authentication over proxy, and also introduced
  the --proxy-negotiate command line option to allow a user to explicitly
  select it.

Daniel S (19 September 2007)
- Rob Crittenden provided an NSS update with the following highlights:

  o It looks for the NSS database first in the environment variable SSL_DIR,
    then in /etc/pki/nssdb, then it initializes with no database if neither of
    those exist.

  o If the NSS PKCS#11 libnspsem.so driver is available then PEM files may be
    loaded, including the ca-bundle. If it is not available then only
    certificates already in the NSS database are used.

  o Tries to detect whether a file or nickname is being passed in so the right
    thing is done

  o Added a bit of code to make the output more like the OpenSSL module,
    including displaying the certificate information when connecting in
    verbose mode

  o Improved handling of certificate errors (expired, untrusted, etc)

  The libnsspem.so PKCS#11 module is currently only available in Fedora
  8/rawhide. Work will be done soon to upstream it. The NSS module will work
  with or without it, all that changes is the source of the certificates and
  keys.

- Immanuel Gregoire pointed out that public key SSH auth failed if no
  public/private key was specified and there was no HOME environment variable,
  and then it didn't continue to try the other auth methods. Now it will
  instead try to get the files id_dsa.pub and id_dsa from the current
  directory if none of the two conditions were met.
Dan F (17 September 2007)
- Added hooks to the test suite to make it possible to test a curl running
  on a remote host.

- Changed some FTP tests to validate the format of the PORT and EPRT commands
  sent by curl, if not the addresses themselves.

Daniel S (15 September 2007)
- Michal Marek made libcurl automatically append ";type=<a|i>" when using HTTP
  proxies for FTP urls.

- Günter Knauf fixed LDAP builds in the Windows makefiles and fixed LDAPv3
  support on Windows.

Dan F (13 September 2007)
- Added LDAPS, SCP and SFTP to curl-config --protocols. Removed and
  fixed some AC_SUBST configure entries.

Version 7.17.0 (13 September 2007)

Daniel S (12 September 2007)
- Bug report #1792649 (http://curl.haxx.se/bug/view.cgi?id=1792649) pointed
  out a problem with doing an empty upload over FTP on a re-used connection.
  I added test case 541 to reproduce it and to verify the fix.

- I noticed while writing test 541 that the FTP code wrongly did a CWD on the
  second transfer as it didn't store and remember the "" path from the
  previous transfer so it would instead CWD to the entry path as stored. This
  worked, but did a superfluous command. Thus, test case 541 now also verifies
  this fix.

Dan F (5 September 2007)
- Added test case 1007 to test permission problem when uploading with TFTP
  (to validate bug #1790403).

- TFTP now reports the "not defined" TFTP error code 0 as an error,
  not success.

Daniel S (5 September 2007)
- Continued the work on a fix for #1779054
  (http://curl.haxx.se/bug/view.cgi?id=1779054). My previous fix from August
  24 was not complete (either) but could accidentally "forget" parts of a
  server response which led to faulty server response time-out errors.

Dan F (5 September 2007)
- Minix doesn't support getsockopt on UDP sockets or send/recv on TCP
  sockets.

Dan F (31 August 2007)
- Made some of the error strings returned by the *strerror functions more
  generic, and more consistent with each other.

- Renamed the curl_ftpssl enum to curl_usessl and its enumerated constants,
  creating macros for backward compatibility:

    CURLFTPSSL_NONE => CURLUSESSL_NONE
    CURLFTPSSL_TRY => CURLUSESSL_TRY
    CURLFTPSSL_CONTROL => CURLUSESSL_CONTROL
    CURLFTPSSL_ALL => CURLUSESSL_ALL
    CURLFTPSSL_LAST => CURLUSESSL_LAST

Dan F (30 August 2007)
- Renamed several libcurl error codes and options to make them more general
  and allow reuse by multiple protocols. Several unused error codes were
  removed.  In all cases, macros were added to preserve source (and binary)
  compatibility with the old names.  These macros are subject to removal at
  a future date, but probably not before 2009.  An application can be
  tested to see if it is using any obsolete code by compiling it with the
  CURL_NO_OLDIES macro defined.

  The following unused error codes were removed:

    CURLE_BAD_CALLING_ORDER
    CURLE_BAD_PASSWORD_ENTERED
    CURLE_FTP_CANT_RECONNECT
    CURLE_FTP_COULDNT_GET_SIZE
    CURLE_FTP_COULDNT_SET_ASCII
    CURLE_FTP_USER_PASSWORD_INCORRECT
    CURLE_FTP_WEIRD_USER_REPLY
    CURLE_FTP_WRITE_ERROR
    CURLE_LIBRARY_NOT_FOUND
    CURLE_MALFORMAT_USER
    CURLE_OBSOLETE
    CURLE_SHARE_IN_USE
    CURLE_URL_MALFORMAT_USER

  The following error codes were renamed:

    CURLE_FTP_ACCESS_DENIED =>      CURLE_REMOTE_ACCESS_DENIED
    CURLE_FTP_COULDNT_SET_BINARY => CURLE_FTP_COULDNT_SET_TYPE
    CURLE_FTP_SSL_FAILED =>         CURLE_USE_SSL_FAILED
    CURLE_FTP_QUOTE_ERROR =>        CURLE_QUOTE_ERROR
    CURLE_TFTP_DISKFULL =>          CURLE_REMOTE_DISK_FULL
    CURLE_TFTP_EXISTS =>            CURLE_REMOTE_FILE_EXISTS
    CURLE_HTTP_RANGE_ERROR =>       CURLE_RANGE_ERROR 

  The following options were renamed:

    CURLOPT_SSLKEYPASSWD => CURLOPT_KEYPASSWD 
    CURLOPT_FTPAPPEND =>    CURLOPT_APPEND
    CURLOPT_FTPLISTONLY =>  CURLOPT_DIRLISTONLY
    CURLOPT_FTP_SSL =>      CURLOPT_USE_SSL

  A few more changes will take place with the next SONAME bump of the
  library.  These are documented in docs/TODO

- Documented some newer error codes in libcurl-error(3)

- Added more accurate error code returns from SFTP operations.  Added test
  case 615 to test an SFTP upload failure.

Dan F (28 August 2007)
- Some minor internal type and const changes based on a splint scan.

Daniel S (24 August 2007)
- Bug report #1779054 (http://curl.haxx.se/bug/view.cgi?id=1779054) pointed
  out that libcurl didn't deal with large responses from server commands, when
  the single response was consisting of multiple lines but of a total size of
  16KB or more. Dan Fandrich improved the ftp test script and provided test
  case 1006 to repeat the problem, and I fixed the code to make sure this new
  test case runs fine.

Patrick M (23 August 2007)
- OS/400 port: new files lib/config-os400.h lib/setup-os400.h packages/OS400/*.
  See packages/OS400/README.OS400.

Daniel S (23 August 2007)
- Bug report #1779751 (http://curl.haxx.se/bug/view.cgi?id=1779751) pointed
  out that doing first a file:// upload and then an FTP upload crashed libcurl
  or at best caused furious valgrind complaints. Fixed now!

Daniel S (22 August 2007)
- Bug report #1779054 (http://curl.haxx.se/bug/view.cgi?id=1779054) pointed
  out that libcurl didn't deal with very long (>16K) FTP server response lines
  properly. Starting now, libcurl will chop them off (thus the client app will
  not get the full line) but survive and deal with them fine otherwise. Test
  case 1003 was added to verify this.

Daniel S (20 August 2007)
- Based on a patch by Christian Vogt, the FTP code now sets the upcoming
  download transfer size much earlier to be possible to get read with
  CURLINFO_CONTENT_LENGTH_DOWNLOAD as soon as possible. This is very much in a
  similar spirit to the HTTP size change from August 11 2007.

Daniel S (18 August 2007)
- Robson Braga Araujo filed bug report #1776232
  (http://curl.haxx.se/bug/view.cgi?id=1776232) about libcurl calling
  Curl_client_write(), passing on a const string that the caller may not
  modify and yet it does (on some platforms).

- Robson Braga Araujo filed bug report #1776235
  (http://curl.haxx.se/bug/view.cgi?id=1776235) about ftp requests with NOBODY
  on a directory would do a "SIZE (null)" request. This is now fixed and test
  case 1000 was added to verify.

Daniel S (17 August 2007)
- Song Ma provided a patch that cures a problem libcurl has when doing resume
  HTTP PUT using Digest authentication. Test case 5320 and 5322 were also
  added to verify the functionality.

Daniel S (14 August 2007)
- Andrew Wansink provided an NTLM bugfix: in the case the server sets the flag
  NTLMFLAG_NEGOTIATE_UNICODE, we need to filter it off because libcurl doesn't
  UNICODE encode the strings it packs into the NTLM authenticate packet.

- Allen Pulsifer provided a patch that makes libcurl set the expected download
  size earlier when doing HTTP downloads, so that applications and the
  progress meter etc know get the info earlier in the flow than before.

- Patrick Monnerat modified the LDAP code and approach in curl. Starting now,
  the configure script checks for openldap and friends and we link with those
  libs just like we link all other third party libraries, and we no longer
  dlopen() those libraries. Our private header file lib/ldap.h was renamed to
  lib/curl_ldap.h due to this. I set a tag in CVS (curl-7_17_0-preldapfix)
  just before this commit, just in case.

Dan F (8 August 2007)
- Song Ma noted a zlib memory leak in the illegal compressed header
  countermeasures code path.

Daniel S (4 August 2007)
- Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on
  non-ASCII systems.

Daniel S (3 August 2007)
- I cut out support for libssh2 versions older than 0.16 to make our code a
  lot simpler, and to avoid getting trouble with the LIBSSH2_APINO define
  that 1) didn't work properly since it was >32 bits and 2) is removed in
  libssh2 0.16...

- Scott Cantor filed bug report #1766320
  (http://curl.haxx.se/bug/view.cgi?id=1766320) pointing out that the libcurl
  code accessed two curl_easy_setopt() options (CURLOPT_DNS_CACHE_TIMEOUT and
  CURLOPT_DNS_USE_GLOBAL_CACHE) as ints even though they're documented to be
  passed in as longs, and that makes a difference on 64 bit architectures.

- Dmitriy Sergeyev reported a regression: resumed file:// transfers broke
  after 7.16.2. This is much due to the different treatment file:// gets
  internally, but now I added test 231 to make it less likely to happen again
  without us noticing!

- Patrick Monnerat and I modified libcurl so that now it *copies* all strings
  passed to it with curl_easy_setopt()! Previously it has always just refered
  to the data, forcing the user to keep the data around until libcurl is done
  with it. That is now history and libcurl will instead clone the given
  strings and keep private copies. This is also part of Patrick Monnerat's
  OS/400 port.

  Due to this being a somewhat interesting change API wise, I've decided to
  bump the version of the upcoming release to 7.17.0. Older applications will
  of course not notice this change nor do they have to care, but new
  applications can be written to take advantage of this.

- Greg Morse reported a problem with POSTing using ANYAUTH to a server
  requiring NTLM, and he provided test code and a test server and we worked
  out a bug fix. We failed to count sent body data at times, which then caused
  internal confusions when libcurl tried to send the rest of the data in order
  to maintain the same connection alive.

Daniel S (31 July 2007)
- Peter O'Gorman pointed out (and fixed) that the non-blocking check in
  configure made libcurl use blocking sockets on AIX 4 and 5, while that
  wasn't the intention.

Daniel S (29 July 2007)
- Jayesh A Shah filed bug report #1759542
  (http://curl.haxx.se/bug/view.cgi?id=1759542) identifying a rather serious
  problem with FTPS: libcurl closed the data connection socket and then later
  in the flow it would call the SSL layer to do SSL shutdown which then would
  use a socket that had already been closed - so if the application had opened
  a new one in the mean time, libcurl could send gibberish that way! I worked
  with Greg Zavertnik to properly diagnose and fix this. The fix affects code
  for all SSL libraries we support, but it has only been truly verified to
  work fine for the OpenSSL version. The others have only been code reviewed.
Daniel S (23 July 2007)
- Implemented the parts of Patrick Monnerat's OS/400 patch that introduces
  support for the OS/400 Secure Sockets Layer library.

Dan F (23 July 2007)
- Implemented only the parts of Patrick Monnerat's OS/400 patch that renamed
  some few internal identifiers to avoid conflicts, which could be useful on
  other platforms.

- HTTP Digest bug fix by Chris Flerackers:

  Scenario

  - Perfoming a POST request with body
  - With authentication (only Digest)
  - Re-using a connection

  libcurl would send a HTTP POST with an Authorization header but without
  body. Our server would return 400 Bad Request in that case (because
  authentication passed, but the body was empty).

  Cause

  1) http_digest.c -> Curl_output_digest
  - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is
  filled in (and no errors)
  - authp->done = TRUE if d->nonce is filled in
  2) http.c -> Curl_http
  - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL
  3) http.c -> Curl_http, Curl_http_output_auth

  So what happens is that Curl_output_digest cannot yet update the
  Authorization header (allocptr.userpwd) which results in authhost->done=0 ->
  authhost->multi=1 -> conn->bits.authneg = TRUE.  The body is not
  added. *However*, allocptr.userpwd is still used when building the request

- Added test case 354 that makes a simple FTP retrieval without password, which
  verifies the bug fix in #1757328.

Daniel S (21 July 2007)
- To allow more flexibility in FTP test cases, I've removed the enforced states
  from the test server code as they served no real purpose. The test server
  is here to serve for the test cases, not to attempt to function as a real
  server! While at it, I modified test case 141 to better test and verify
  curl -I on a single FTP file.

Daniel S (20 July 2007)
Daniel Stenberg's avatar
Daniel Stenberg committed
- James Housley fixed the SFTP PWD command to work.

- Ralf S. Engelschall filed bug report #1757328
  (http://curl.haxx.se/bug/view.cgi?id=1757328) and submitted a patch. It
  turns out we broke login to FTP servers that don't require (nor understand)
  PASS after the USER command. The breakage was done as part of the krb5
  commit so a krb-using person needs to verify that the current version now
  works or if we need to fix it (in a different way of course).

Dan F (17 July 2007)
- Fixed test cases 613 and 614 by improving the log postprocessor to handle
  a new directory listing format that newer libssh2's can provide.  This
  is probably NOT sufficient to handle all directory listing formats that
  server's can provide, and should be revisited.

Daniel Stenberg's avatar
Daniel Stenberg committed
- Daniel Johnson fixed a bug in how libssh2_session_last_error() was used, in
  two places.

- Jofell Gallardo posted a libcurl log using FTP that exposed a bug which made
  a control connection that was deemed "dead" to yet be re-used in a following
  request.

- Colin Hogben filed bug report #1750274
  (http://curl.haxx.se/bug/view.cgi?id=1750274) and submitted a patch for the
  case where libcurl did a connect attempt to a non-listening port and didn't
  provide a human readable error string back.

- Daniel Cater fixes:
  1 - made 'make vc8' work on windows.
  2 - made libcurl itself built with CURL_NO_OLDIES defined (which doesn't
      define the symbols for backwards source compatibility)
  3 - updated libcurl-errors.3
  4 - added CURL_DISABLE_TFTP to docs/INSTALL
Daniel S (12 July 2007)
- Made the krb5 code build with Heimdal's GSSAPI lib.

Dan F (12 July 2007)
- Compile most of the example apps in docs/examples when doing a 'make check'.
  Fixed some compile warnings and errors in those examples.

- Removed the example program ftp3rdparty.c since libcurl doesn't support
  3rd party FTP transfers any longer.

- Shmulik Regev found an (albeit rare) case where the proxy CONNECT operation
  could in fact get stuck in an endless loop.

- Made CURLOPT_SSL_VERIFYHOST set to 1 acts as described in the documentation:
  fail to connect if there is no Common Name field found in the remote cert.
  We should deprecate the support for this set to 1 anyway soon, since the
  feature is pointless and most likely never really used by anyone.

Daniel Stenberg's avatar
Daniel Stenberg committed
- Shmulik Regev fixed a bug with transfer-encoding skipping during the 407
  error pages for proxy authentication.

- Giancarlo Formicuccia reported and fixed a problem with a closed connection
  to a proxy during CONNECT auth negotiation.

Dan F (10 July 2007)
- Fixed a curl memory leak reported by Song Ma with a modified version
  of the patch he suggested.  Added his test case as test289 to verify.

- Force the time zone to GMT in the cookie tests in case the user is
  using one of the so-called 'right' time zones that take into account
  leap seconds, which causes the tests to fail (as reported by
  Daniel Black in bug report #1745964).

Daniel Stenberg's avatar
Daniel Stenberg committed
Version 7.16.4 (10 July 2007)

Daniel S (10 July 2007)
- Kees Cook notified us about a security flaw
  (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to
  properly reject some outdated or not yet valid server certificates when
  built with GnuTLS. Kees also provided the patch.

James H (5 July 2007)
- Gavrie Philipson provided a patch that will use a more specific error
  message for an scp:// upload failure.  If libssh2 has his matching
  patch, then the error message return by the server will be used instead
  of a more generic error.

- Thomas J. Moore provided a patch that introduces Kerberos5 support in
  libcurl. This also makes the options change name to --krb (from --krb4) and
  CURLOPT_KRBLEVEL (from CURLOPT_KRB4LEVEL) but the old names are still 

- Song Ma helped me verify and extend a fix for doing FTP over a SOCKS4/5
  proxy.

Daniel Stenberg's avatar
Daniel Stenberg committed
Daniel S (27 June 2007)
- James Housley: Add two new options for the SFTP/SCP/FILE protocols:
  CURLOPT_NEW_FILE_PERMS and CURLOPT_NEW_DIRECTORY_PERMS. These control the
  premissions for files and directories created on the remote
  server. CURLOPT_NEW_FILE_PERMS defaults to 0644 and
  CURLOPT_NEW_DIRECTORY_PERMS defaults to 0755

- I corrected the 10-at-a-time.c example and applied a patch for it by James
  Bursa.

Daniel S (26 June 2007)
- Robert Iakobashvili re-arranged the internal hash code to work with a custom
  hash function for different hashes, and also expanded the default size for
  the socket hash table used in multi handles to greatly enhance speed when
  very many connections are added and the socket API is used.

Daniel Stenberg's avatar
Daniel Stenberg committed
- James Housley made the CURLOPT_FTPLISTONLY mode work for SFTP directory
  listings as well

Daniel S (25 June 2007)
- Adjusted how libcurl treats HTTP 1.1 responses without content-lenth or
  chunked encoding (that also lacks "Connection: close"). It now simply
  assumes that the connection WILL be closed to signal the end, as that is how
  RFC2616 section 4.4 point #5 says we should behave.
  
Daniel Stenberg's avatar
Daniel Stenberg committed
Version 7.16.3 (25 June 2007)

Daniel S (23 June 2007)
- As reported by "Tro" in http://curl.haxx.se/mail/lib-2007-06/0161.html and
  http://curl.haxx.se/mail/lib-2007-06/0238.html, libcurl didn't properly do
  no-body requests on FTP files on re-used connections properly, or at least
  it didn't provide the info back in the header callback properly in the
  subsequent requests.

Daniel S (21 June 2007)
- Gerrit Bruchhäuser pointed out a warning that the Intel(R) Thread Checker
  tool reports and it was indeed a legitimate one and it is one fixed. It was
  a use of a share without doing the proper locking first.
  
Daniel S (20 June 2007)
- Adam Piggott filed bug report #1740263
  (http://curl.haxx.se/bug/view.cgi?id=1740263). Adam discovered that when
  getting a large amount of URLs with curl, they were fetched slower and
  slower... which turned out to be because the --libcurl data collecting which
  wrongly always was enabled, but no longer is...

Daniel S (18 June 2007)
- Robson Braga Araujo filed bug report #1739100
  (http://curl.haxx.se/bug/view.cgi?id=1739100) that mentioned that libcurl
  could not actually list the contents of the root directory of a given FTP
  server if the login directory isn't root. I fixed the problem and added
  three test cases (one is disabled for now since I identified KNOWN_BUGS #44,
  we cannot use --ftp-method nocwd and list ftp directories).

Daniel S (14 June 2007)
- Shmulik Regev:

  I've encountered (and hopefully fixed) a problem involving proxy CONNECT
  requests and easy handles state management. The problem isn't simple to
  reproduce since it depends on socket state. It only manifests itself when
  working with non-blocking sockets.

  Here is the scenario:

  1. in multi_runsingle the easy handle is in the CURLM_STATE_WAITCONNECT and
  calls Curl_protocol_connect

  2. in Curl_proxyCONNECT, line 1247, if the socket isn't ready the function
  returns and conn->bits.tunnel_connecting is TRUE

  3. when the call to Curl_protocol_connect returns the protocol_connect flag
  is false and the easy state is changed to CURLM_STATE_PROTOCONNECT which
  isn't correct if a proxy is used.  Rather CURLM_STATE_WAITPROXYCONNECT
  should be used.

  I discovered this while performing an HTTPS request through a proxy (squid)
  on my local network. The problem caused openssl to fail as it read the proxy
  response to the CONNECT call ('HTTP/1.0 Established') rather than the SSL
  handshake (the exact openssl error was 'wrong ssl version' but this isn't
  very important)

- Dave Vasilevsky filed bug report #1736875
  (http://curl.haxx.se/bug/view.cgi?id=1736875) almost simultanouesly as Dan
  Fandrich mentioned a related build problem on the libcurl mailing list:
  http://curl.haxx.se/mail/lib-2007-06/0131.html. Both problems had the same
  reason: the definitions of the POLL* defines and the pollfd struct in the
  libcurl code was depending on HAVE_POLL instead of HAVE_SYS_POLL_H.

Daniel S (13 June 2007)
- Tom Regner provided a patch and worked together with James Housley, so now
  CURLOPT_FTP_CREATE_MISSING_DIRS works for SFTP connections as well as FTP
  ones.

- Rich Rauenzahn filed bug report #1733119
  (http://curl.haxx.se/bug/view.cgi?id=1733119) and we collaborated on the
  fix.  The problem is that for 64bit HPUX builds, several socket-related
  functions would still assume int (32 bit) arguments and not socklen_t (64
  bit) ones.

Daniel S (12 June 2007)
- James Housley brought his revamped SSH code that is state-machine driven to
  really take advantage of the now totally non-blocking libssh2 (in CVS).

Dan F (8 June 2007)
- Incorporated Daniel Black's test706 and test707 SOCKS test cases.

- Fixed a few problems when starting the SOCKS server.

- Reverted some recent changes to runtests.pl that weren't compatible with
  perl 5.0.

- Fixed the test harness so that it actually kills the ssh being used as
  the SOCKS server.

Daniel Stenberg's avatar
Daniel Stenberg committed
Daniel S (6 June 2007)
- -s/--silent can now be used to toggle off the silence again if used a second
  time.

Daniel S (5 June 2007)
- Added Daniel Black's work that adds the first few SOCKS test cases. I also
  fixed two minor SOCKS problems to make the test cases run fine.

Daniel S (31 May 2007)
- Feng Tu made (lib)curl support "upload" resuming work for file:// URLs.

- I modified the 10-at-a-time.c example to transfer 500 downloads in parallel
  with a c-ares enabled build only to find that it crashed miserably, and this
  was due to some select()isms left in the code. This was due to API
  restrictions in c-ares 1.3.x, but with the upcoming c-ares 1.4.0 this is no
  longer the case so now libcurl runs much better with c-ares and the multi
  interface with > 1024 file descriptors in use.

  Extra note: starting now we require c-ares 1.4.0 for asynchronous name
  resolves.

- Added CURLMOPT_MAXCONNECTS which is a curl_multi_setopt() option for setting
  the maximum size of the connection cache maximum size of the multi handle.

Daniel S (27 May 2007)
- When working with a problem Stefan Becker had, I found an off-by-one buffer
  overwrite in Curl_select(). While fixing it, I also improved its performance
  somewhat by changing calloc to malloc and breaking out of a loop earlier
  (when possible).

Daniel S (25 May 2007)
- Rob Crittenden fixed bug #1705802
  (http://curl.haxx.se/bug/view.cgi?id=1705802), which was filed by Daniel
  Black identifying several FTP-SSL test cases fail when we build libcurl with
  NSS for TLS/SSL. Listed as #42 in KNOWN_BUGS.

- Song Ma filed bug report #1724016
  (http://curl.haxx.se/bug/view.cgi?id=1724016) noticing that downloading
  glob-ranges for TFTP was broken in CVS. Fixed now.
  
- 'mytx' in bug report #1723194 (http://curl.haxx.se/bug/view.cgi?id=1723194)
  pointed out that the warnf() function in the curl tool didn't properly deal
  with the cases when excessively long words were used in the string to chop
  up.

Daniel S (22 May 2007)
- Andre Guibert de Bruet fixed a memory leak in the function that verifies the
  peer's name in the SSL certificate when built for OpenSSL. The leak happens
  for libcurls with CURL_DOES_CONVERSIONS enabled that fail to convert the CN
  name from UTF8. He also fixed a leak when PKCS #12 parsing failed.
- Feng Tu reported that curl -w did wrong on TFTP transfers in bug report
  #1715394 (http://curl.haxx.se/bug/view.cgi?id=1715394), and the
  transfer-related info "variables" were indeed overwritten with zeroes
  wrongly and have now been adjusted. The upload size still isn't accurate.
Daniel S (17 May 2007)
- Feng Tu pointed out a division by zero error in the TFTP connect timeout
  code for timeouts less than five seconds, and also provided a fix for it.
  Bug report #1715392 (http://curl.haxx.se/bug/view.cgi?id=1715392)
Dan F (16 May 2007)
- Added support for compiling under Minix 3.1.3 using ACK.

Dan F (14 May 2007)
- Added SFTP directory listing test case 613.

- Added support for quote commands before a transfer using SFTP and test
  case 614.

- Changed the post-quote commands to occur after the transferred file is
  closed.

- Allow SFTP quote commands chmod, chown, chgrp to set a value of 0.

Dan F (9 May 2007)
- Kristian Gunstone fixed a problem where overwriting an uploaded file with
  sftp didn't truncate it first, which would corrupt the file if the new
  file was shorter than the old.
Dan F (8 May 2007)
- Added FTPS test cases 406 and 407

Daniel S (8 May 2007)
- CURLE_FTP_COULDNT_STOR_FILE is now known as CURLE_UPLOAD_FAILED. This is
  because I just made SCP uploads return this value if the file size of
  the upload file isn't given with CURLOPT_INFILESIZE*. Docs updated to
  reflect this news, and a define for the old name was added to the public
  header file.

Daniel S (7 May 2007)
- James Bursa fixed a bug in the multi handle code that made the connection
  cache grow a bit too much, beyond the normal 4 * easy_handles.

- Anders Gustafsson remarked that requiring CURLOPT_HTTP_VERSION set to 1.0
  when CURLOPT_HTTP200ALIASES is used to avoid the problem mentioned below is
  not very nice if the client wants to be able to use _either_ a HTTP 1.1
  server or one within the aliases list... so starting now, libcurl will
  simply consider 200-alias matches the to be HTTP 1.0 compliant.

- Tobias Rundström reported a problem they experienced with xmms2 and recent
  libcurls, which turned out to be the 25-nov-2006 change which treats HTTP
  responses without Content-Length or chunked encoding as without bodies. We
  now added the conditional that the above mentioned response is only without
  body if the response is HTTP 1.1.

- Jeff Pohlmeyer improved the hiperfifo.c example to use the
  CURLMOPT_TIMERFUNCTION callback option.

- Set the timeout for easy handles to expire really soon after addition or
  when CURLM_CALL_MULTI_PERFORM is returned from curl_multi_socket*/perform,
  to make applications using only curl_multi_socket() to properly function
  when adding easy handles "on the fly". Bug report and test app provided by
  Michael Wallner.

Dan F (30 April 2007)
- Improved the test harness to allow running test servers on other than
  the default port numbers, allowing more than one test suite to run
  simultaneously on the same host.

- Peter O'Gorman fixed libcurl to not init GnuTLS as early as we did before,
  since it then inits libgcrypt and libgcrypt is being evil and EXITS the
  application if it fails to get a fine random seed. That's really not a nice
  thing to do by a library.

- Frank Hempel fixed a curl_easy_duphandle() crash on a handle that had
  been removed from a multi handle, and then fixed another flaw that prevented
  curl_easy_duphandle() to work even after the first fix - the handle was
  still marked as using the multi interface.

Daniel S (26 April 2007)
- Peter O'Gorman found a problem with SCP downloads when the downloaded file
  was 16385 bytes (16K+1) and it turned out we didn't properly always "suck
  out" all data from libssh2. The effect being that libcurl would hang on the
  socket waiting for data when libssh2 had in fact already read it all...