... for the pending 7.34.0 release

Upped the contributor count

24 new great friends

Security flaw CVE-2013-6422

This is conceptually the same problem and fix that 3c3622b6 brought to the
OpenSSL backend and that resulted in CVE-2013-4545.

This version of the problem was independently introduced to the GnuTLS
backend with commit 59cf93cc, present in the code since the libcurl
7.21.4 release.

Advisory: http://curl.haxx.se/docs/adv_20131217.html
Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html
Reported-by: Marc Deslauriers

...also added as KNOWN_BUG #87 with reference to bug #1294

Since all systems have inaccuracy in the timeout handling it is
imperative that we add an inaccuracy margin to the general timeout and
connecttimeout handling with the multi interface. This way, when the
timeout fires we should be fairly sure that it has passed the timeout
value and will be suitably detected.

For cases where the timeout fire before the actual timeout, we would
otherwise consume the timeout action and still not run the timeout code
since the condition wasn't met.

Reported-by: He Qin
Bug: http://curl.haxx.se/bug/view.cgi?id=1298

To avoid the regression when users pass in passwords containing semi-
colons, we now drop the ability to set the login options with the same
options. Support for login options in CURLOPT_USERPWD was added in
7.31.0.

Test case 83 was modified to verify that colons and semi-colons can be
used as part of the password when using -u (CURLOPT_USERPWD).

Bug: http://curl.haxx.se/bug/view.cgi?id=1311


Reported-by: Petr Bahula
Assisted-by: Steve Holme
Signed-off-by: Daniel Stenberg <daniel@haxx.se>

It is not 100% clear whether * should include clear text LOGIN or not
from RFC-5092, however, including it is then consistent with current
POP3 behaviour where clear text, APOP or SASL may be chosen.

If a specific SASL authentication mechanism was requested by the user
as part of the login options but wasn't supported by the server then
curl would fallback to clear text, when it shouldn't, rather than
reporting "No known authentication mechanisms supported" as the POP3
and SMTP protocols do.

In C, signed integer overflow is undefined behavior. Thus, the compiler
is allowed to assume that it will not occur. In the check for an
overflow, the developer assumes that the signed integer of type time_t
will wrap around if it overflows. However, this behavior is undefined in
the C standard. Thus, when the compiler sees this, it simplifies t +
delta < t to delta < 0. Since delta > 0 and delta < 0 can't both be
true, the entire if statement is optimized out under certain
optimization levels. Thus, the parsedate function would return
PARSEDATE_OK with an undefined value in the time, instead of return -1 =
PARSEDATE_FAIL.

Commit 0db811b6 made some existing config files pass on unexpected
values to libcurl that made it somewhat hard to track down what was
really going on.

This code detects unquoted white spaces in the parameter when parsing a
config file as that would be one symptom and it is generally a bad
syntax anyway.

It would otherwise always clobber the return code with new function
calls and it couldn't return timeout etc.

Bug: http://curl.haxx.se/bug/view.cgi?id=1310

The comment here says that SecKeychainSearch causes a deprecation
warning when used with a minimum Mac OS X SDK version of 10.7.0, which
is correct.  However, the #if guard did not match.  It was intended to
only use the code if 10.6.0 support was enabled, but it had 10.7.0
instead.  This caused a warning if the minimum was exactly 10.7.0.

curl.h should also include <sys/select.h> on OpenBSD to reliably
pull in select().  Typically, including <sys/time.h> will be enough,
but not if strict standards-compliance is requested (e.g. by defining
_XOPEN_SOURCE).

The URI that is passed in as part of the Authorization: header needs to
be cut off at '?' if CURLAUTH_DIGEST_IE is set. Previously the code only
did when calculating the MD5sum.

Bug: http://curl.haxx.se/bug/view.cgi?id=1308
Patched-by: Sergey Tatarincev

(bug introduced in 255826c4, never present in a release)

Reported-by: Dima Tisnek
Bug: http://curl.haxx.se/mail/lib-2013-12/0006.html

POP3_TYPE_ANY, or ~0, is written to pop3c->preftype in lib/pop3c.c, an
unsigned int variable.  The result of ~0 is -1, which caused a warning
due to writing a negative number to an unsigned variable.  To fix this,
make the expression ~0U so that its value is considered the unsigned
number UINT_MAX which is what SASL_AUTH_ANY does in curl_sasl.h.

... no longer provided by the configure script

... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway

Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html

This change introduces a dependency on NSS 3.14+.

warning: declaration of 'pipe' shadows a global declaration

Reduced the separate processing of the last quantum to be performed in
the main decoding loop and renamed some variables for consistency.

Extended the basic validation in commit e17c1b25 to return a
failure when invalid base64 characters are included.

Due to the length checks introduced in commit e17c1b25 there is no
need to allow for extra space in the output buffer for a non-padded last
quantum.

1) Renamed curl_tlsinfo to curl_tlssessioninfo as discussed on the
mailing list.
2) Renamed curl_ssl_backend to curl_sslbackend so it doesn't follow our
function naming convention.
3) Updated sessioninfo.c example accordingly.

Bug: http://curl.haxx.se/bug/view.cgi?id=1297
Reported-by: Michael Osipov

The "fixed string" function wrongly bumped the "urlnum" counter which
made curl output the total number of URLs wrong when using
{one,two,three} lists in globs.

Reported-by: Michael-O
Bug: http://curl.haxx.se/bug/view.cgi?id=1305

Added a simple example to show how one can use CURLINFO_TLS_SESSION for
obtaining extensive TLS certificate information.

Systems that define SIGPIPE_VARIABLE as a noop would not compile as
restore_pipe was defined afterwards.