- Add new option CURLOPT_SUPPRESS_CONNECT_HEADERS to allow suppressing
  proxy CONNECT response headers from the user callback functions
  CURLOPT_HEADERFUNCTION and CURLOPT_WRITEFUNCTION.

- Add new tool option --suppress-connect-headers to expose
  CURLOPT_SUPPRESS_CONNECT_HEADERS and allow suppressing proxy CONNECT
  response headers from --dump-header and --include.

Assisted-by: Jay Satiro
Assisted-by:  <CarloCannas@users.noreply.github.com>
Closes https://github.com/curl/curl/pull/783

A client MUST ignore any Content-Length or Transfer-Encoding header
fields received in a successful response to CONNECT.
"Successful" described as: 2xx (Successful). RFC 7231 4.3.6

Prior to this change such a case would cause an error.

In some ways this bug appears to be a regression since c50b878c. Prior to
that libcurl may have appeared to function correctly in such cases by
acting on those headers instead of causing an error. But that behavior
was also incorrect.

Bug: https://github.com/curl/curl/issues/1317


Reported-by:  <mkzero@users.noreply.github.com>

Broken a few days ago in 6448f98c.

Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html

This prevents a "Descriptor is not a socket" error for WinSSL.

Reported-by:  <Antony74@users.noreply.github.com>
Reviewed-by: Jay Satiro

Fixes https://github.com/curl/curl/issues/1239

Follow-up to 5278462c
See https://github.com/curl/curl/issues/1095

This flag is meant for the current request based on authentication
state, once the request is done we can clear the flag.

Also change auth.multi to auth.multipass for better readability.

Fixes https://github.com/curl/curl/issues/1095
Closes https://github.com/curl/curl/pull/1326



Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reported-by: Michael Kaufmann

CID 1402159 and 1402158

Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)

This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166

This fixes assertion error which occurs when redirect is done with 0
length body via HTTP/2, and the easy handle is reused, but new
connection is established due to hostname change:

    curl: http2.c:1572: ssize_t http2_recv(struct connectdata *,
      int, char *, size_t, CURLcode *):
    Assertion `httpc->drain_total >= data->state.drain' failed.

To fix this bug, ensure that http2_handle_stream is called.

Fixes #1286
Closes #1302

Assisted-by: Ray Satiro

Bug: https://curl.haxx.se/mail/lib-2017-03/0009.html

... because it causes confusion with users. Example URLs:

"http://[127.0.0.1]:11211:80" which a lot of languages' URL parsers will
parse and claim uses port number 80, while libcurl would use port number
11211.

"http://user@example.com:80@localhost" which by the WHATWG URL spec will
be treated to contain user name 'user@example.com' but according to
RFC3986 is user name 'user' for the host 'example.com' and then port 80
is followed by "@localhost"

Both these formats are now rejected, and verified so in test 1260.

Reported-by: Orange Tsai

Pointed-out-by: Ray Satiro
Bug: https://curl.haxx.se/mail/lib-2017-03/0004.html

Assisted-by: Simon Warta <simon@kullo.net>
Ref: https://github.com/curl/curl/pull/1228

MSVC with LTCG detects this at warning level 4.

Closes #1304

Move the proxy parse/init into helper create_conn_helper_init_proxy to
mitigate the chances some non-proxy code will be mistakenly added to it.

Ref: https://github.com/curl/curl/issues/1274#issuecomment-281556510
Ref: https://github.com/curl/curl/pull/1293

Closes https://github.com/curl/curl/pull/1298

Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know
it's expected and won't warn on [-Wimplicit-fallthrough=].

Closes https://github.com/curl/curl/pull/1297

In DarwinSSL the SSLSetPeerDomainName function is used to enable both
sending SNI and verifying the host. When host verification is disabled
the function cannot be called, therefore SNI is disabled as well.

Closes https://github.com/curl/curl/pull/1240

If size_t is 32 bits, MSVC warns:
warning C4310: cast truncates constant value
The warning is harmless as CURL_MASK_SCOFFT gets
truncated to the maximum value of size_t.

MSVC complains:
warning C4701: potentially uninitialized local variable 'output_token_len' used

wolfSSL >= 3.6.0 supports getting its library version string at runtime.

Prior to this change if curl was built with Unix Socket support
(--enable-unix-sockets) and without Proxy support (--disable-proxy) then
unix socket options would erroneously be ignored.

Regression introduced in:
0b8d682f

Bug: https://github.com/curl/curl/issues/1274


Reported-by:  <mccormickt12@users.noreply.github.com>

Closes https://github.com/curl/curl/pull/1289

If the compile-time CURL_CA_BUNDLE location is defined use it as the
default value for the proxy CA bundle location, which is the same as
what we already do for the regular CA bundle location.

Ref: https://github.com/curl/curl/pull/1257

Closes #1285

Reported-by:  <shachaf@users.noreply.github.com>

Fixes #1281

f77dabef broke builds in Windows using Windows SSPI but not Windows SSL.

Bug: https://github.com/curl/curl/issues/1276


Reported-by:  <jveazey@users.noreply.github.com>

- Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
  is not supported, which is the same as what we already do for
  CURLOPT_CAPATH.

- Change the curl tool to handle CURLOPT_PROXY_CAPATH error
  CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
  same as what we already do for CURLOPT_CAPATH.

- Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
  respective CAPATH option is not supported by the SSL library.

Ref: https://github.com/curl/curl/pull/1257

The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
and thus even if the status couldn't be verified, the connection would
be allowed and the user would not be told about the failed verification.

Regression since cb4e2be7

CVE-2017-2629
Bug: https://curl.haxx.se/docs/adv_20170222.html

Reported-by: Marcus Hoffmann

- If the server has provided another challenge use it as the replacement
  input token if stale=TRUE. Otherwise previous credentials have failed
  so return CURLE_LOGIN_DENIED.

Prior to this change the stale directive was ignored and if another
challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.

Ref: https://tools.ietf.org/html/rfc2617#page-10

Bug: https://github.com/curl/curl/issues/928


Reported-by:  <tarek112@users.noreply.github.com>

Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch

Since negative values are errors and not only -1. This makes SFTP upload
with --create-dirs work (again).

Closes #1269