... as we're HTTPS on the main site now, there's no point in that
extra step

Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

This change needed for the curl tool built for Cygwin. Refer to the
CYGWIN addendum in advisory 20160127B.

Bug: https://curl.haxx.se/docs/adv_20160127B.html

sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.

Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem

.. also fix a conversion bug in the unused function
curl_win32_ascii_to_idn().

And remove wprintfs on error (Jay).

Bug: https://github.com/curl/curl/pull/637

closesocket => close_socket
Winsock already has the former.

Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html

Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html

... done on request and as it is a fair point.

- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc5 because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder

Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635


Reported-by:  <silveja1@users.noreply.github.com>

Closes #632

I removed the scheme prefix from the URLs references this host name, as
we don't own/run that anymore but the name is kept for historic reasons.

It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.

Closes #621

Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a8 until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder

.. also warn about letting the server pick the filename.

Closes #617

Closes https://github.com/bagder/curl/pull/618

tool_doswin.c:185:14: warning: 'msdosify' defined but not used
[-Wunused-function]

Closes https://github.com/bagder/curl/pull/616

Reported-by: Bernard Spil

Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html

curl does not sanitize colons in a remote file name that is used as the
local file name. This may lead to a vulnerability on systems where the
colon is a special path character. Currently Windows/DOS is the only OS
where this vulnerability applies.

CVE-2016-0754

Bug: http://curl.haxx.se/docs/adv_20160127B.html