CHANGES

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog


Daniel (4 March 2005)
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
  the cookie "engine" without having to provide an empty or non-existing file.

- Rene Rebe fixed a -# crash when more data than expected was retrieved.

Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
  http://www.securityfocus.com/archive/1/391042 and the CAN report here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490

  If these security guys were serious, we'd been notified in advance and we
  could've saved a few of you a little surprise, but now we weren't.

Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
  requested data from a host and then followed a redirect to another
  host. libcurl then didn't use the proxy-auth properly in the second request,
  due to the host-only check for original host name wrongly being extended to
  the proxy auth as well. Added test case 233 to verify the flaw and that the
  fix removed the problem.

Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
  BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
  configure when mingw is used.

Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
  didn't close the socket properly when returning error due to failing
  localbind

Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
  that picks NTLM. Thanks to David Byron letting me test NTLM against his
  servers, I could quickly repeat and fix the problem. It turned out to be:

  When libcurl POSTs without knowing/using an authentication and it gets back
  a list of types from which it picks NTLM, it needs to either continue
  sending its data if it keeps the connection alive, or not send the data but
  close the connection. Then do the first step in the NTLM auth. libcurl
  didn't send the data nor close the connection but simply read the
  response-body and then sent the first negotiation step. Which then failed
  miserably of course. The fixed version forces a connection if there is more
  than 2000 bytes left to send.

Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
  was never used.

Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
  week day names and month names and servers don't like that.

Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
  libcurl is built shared. Otherwise valgrind only tests the shell that runs
  the wrapper-script named 'curl' that is a front-end to curl in this case.
  This should also fix the huge amount of reports of false positives when
  valgrind has identified leaks in (ba)sh and not in curl and people report
  that as curl bugs. Bug report #1116672 is one example.

  Also, the valgrind report parser has been adapted to check that at least one
  of the sources in a stack strace is one of (lib)curl's source files or
  otherwise it will not consider the problem to concern (lib)curl.

- Marty Kuhrt streamlined the VMS build.

Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here:
  http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
  SSL_pending() as we should.

- Converted lots of FTP code to a statemachine, so that the multi interface
  doesn't block while communicating commands-responses with an FTP server.

  I've added a comment like BLOCKING in the code on all spots I could find
  where we still have blocking operations. When we change curl_easy_perform()
  to use the multi interface, we'll also be able to simplify the code since
  there will only be one "internal interface".

  While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
  new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
  like changing directory or retrieving a file, while the second means that we
  were denied login.

  The CVS tag 'before_ftp_statemachine' was set just before this went in, in
  case of future need.

- Gisle made the DICT code send CRLF and not just LF as the spec says so.

Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
  sure the proper error code is returned for those occations.

Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
  contents.

Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
  PORT on ipv6-enabled hosts.

- David Byron pointed out we could use BUFSIZE to read data (in
  lib/transfer.c) instead of using BUFSIZE -1.

Version 7.13.0 (1 February 2005)

Daniel (31 January 2005)
- Added Lars Nilsson's htmltitle.cc example

Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
  failed (as in test case 205).

- Fixed a valgrind warning for file:// operations.

- Fixed a valgrind report in the url globbing code for the curl command line
  tool.

- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
  I noticed that it previously didn't detect and report the "Conditional jump
  or move depends on uninitialised value(s)" error. When I fixed this, I
  caught a few curl bugs with it. And then I had to spend time to make the
  test suite IGNORE these errors when OpenSSL is used since it produce massive
  amounts of valgrind warnings (but only of the "Conditional..." kind it
  seems). So, if a test that requires SSL is run, it ignores the
  "Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
  of "valgrind OK".

Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
  gets closed just after the request has been sent failed and did not re-issue
  a request on a fresh reconnect like the easy interface did. Now it does!

- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
  my new curl_easy_perform() that uses the multi interface to run the
  request. It is a great testbed for the multi interface and I believe we
  shall do it this way for real in the future when we have a successor to
  curl_multi_fdset(). I've used this approach to detect and fix several of the
  recent multi-interfaces issues.

- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
  bad assumptions.

- multi interface: when a request is denied due to "Maximum redirects
  followed" libcurl leaked the last Location: URL.

- Connect failures with the multi interface was often returned as "connect()
  timed out" even though the reason was different.

Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
  curl_easy_perform() invokes. It was previously unlocked at disconnect, which
  could mean that it remained locked between multiple transfers. The DNS cache
  may not live as long as the connection cache does, as they are separate.

  To deal with the lack of DNS (host address) data availability in re-used
  connections, libcurl now keeps a copy of the IP adress as a string, to be
  able to show it even on subsequent requests on the same connection.

  The problem could be made to appear with this stunt:

  1. create a multi handle
  2. add an easy handle
  3. fetch a URL that is persistent (leaves the connection alive)
  4. remove the easy handle from the multi
  5. kill the multi handle
  6. create a multi handle
  7. add the same easy handle to the new multi handle
  8. fetch a URL from the same server as before (re-using the connection)

- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
  when built ipv6-enabled. I've now made a fix for it. Writing test cases for
  custom port hosts turned too tricky so unfortunately there's none.

Daniel (25 January 2005)
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
  is present in RFC959... so now (lib)curl supports it as well. --ftp-account
  and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
  account string after PASS have been sent away. The client responds
  with "ACCT [account string]".) Added test case 228 and 229 to verify the
  functionality. Updated the test FTP server to support ACCT somewhat.

- David Shaw contributed a fairly complete and detailed autoconf test you can
  use to detect libcurl and setup variables for the protocols the installed
  libcurl supports: docs/libcurl/libcurl.m4

Daniel (21 January 2005)
- Major FTP third party transfer overhaul.