Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.

Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon

It would otherwise cause problems when running tests after 1801 etc.

... as it was previouly undocumented what the pointer was.

The code extracting the cert serial number was broken and didn't display
it properly.

Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89

This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
It also introduces a regression test 1424 based on tests 78 and 1423.

Reported-by: Viktor Szakats
Bug: https://github.com/bagder/curl/issues/237

PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.

Mistake-caught-by: Kamil Dudka

Do not access NTLM-specific struct fields when built without NTLM
enabled!

bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin

When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck

CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia

Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon

Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225

... and some minor edits

This reverts commit 5dc68dd6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov

Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html

Bug: https://github.com/bagder/curl/pull/171

When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.

Reported-by: Hanno Böck