blob: b73d239fd235f644b354ee5e6997f499e6510747 [file] [log] [blame]
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
Old Changelog
Changes done to curl and libcurl from 1997 to 2006. The most recent changes are
always kept in the CHANGES file.
Daniel (29 December 2006)
- Make curl_easy_duphandle() set the magic number in the new handle.
Daniel (22 December 2006)
- Robert Foreman provided a prime example snippet showing how libcurl would
get confused and not acknowledge the 'no_proxy' variable properly once it
had used the proxy and you re-used the same easy handle. I made sure the
proxy name is properly stored in the connect struct rather than the
sessionhandle/easy struct.
- David McCreedy fixed a bad call to getsockname() that wrongly used a size_t
variable to point to when it should be a socklen_t.
- When setting a proxy with environment variables and (for example) running
'curl [URL]' with a URL without a protocol prefix, curl would not send a
correct request as it failed to add the protocol prefix.
Daniel (21 December 2006)
- Robson Braga Araujo reported bug #1618359
( and subsequently provided a
patch for it: when downloading 2 zero byte files in a row, curl 7.16.0
enters an infinite loop, while curl 7.16.1-20061218 does one additional
unnecessary request.
Fix: During the "Major overhaul introducing http pipelining support and
shared connection cache within the multi handle." change, headerbytecount
was moved to live in the Curl_transfer_keeper structure. But that structure
is reset in the Transfer method, losing the information that we had about
the header size. This patch moves it back to the connectdata struct.
Daniel (16 December 2006)
- Brendan Jurd provided a fix that now prevents libcurl from getting a SIGPIPE
during certain conditions when GnuTLS is used.
Daniel (11 December 2006)
- Alexey Simak found out that when doing FTP with the multi interface and
something went wrong like it got a bad response code back from the server,
libcurl would leak memory. Added test case 538 to verify the fix.
I also noted that the connection would get cached in that case, which
doesn't make sense since it cannot be re-use when the authentication has
failed. I fixed that issue too at the same time, and also that the path
would be "remembered" in vain for cases where the connection was about to
get closed.
Daniel (6 December 2006)
- Sebastien Willemijns reported bug #1603712
( which is about connections
getting cut off prematurely when --limit-rate is used. While I found no such
problems in my tests nor in my reading of the code, I found that the
--limit-rate code was severly flawed (since it was moved into the lib, since
7.15.5) when used with the easy interface and it didn't work as documented
so I reworked it somewhat and now it works for my tests.
Daniel (5 December 2006)
- Stefan Krause pointed out a compiler warning with a picky MSCV compiler when
passing a curl_off_t argument to the Curl_read_rewind() function which takes
an size_t argument. Curl_read_rewind() also had debug code left in it and it
was put in a different source file with no good reason when only used from
one single spot.
- Sh Diao reported that CURLOPT_CLOSEPOLICY doesn't work, and indeed, there is
no code present in the library that receives the option. Since it was not
possible to use, we know that no current users exist and thus we simply
removed it from the docs and made the code always use the default path of
the code.
- Jared Lundell filed bug report #1604956
( which identified setting
CURLOPT_MAXCONNECTS to zero caused libcurl to SIGSEGV. Starting now, libcurl
will always internally use no less than 1 entry in the connection cache.
- Sh Diao reported that CURLOPT_FORBID_REUSE no works, and indeed it broke in
the 7.16.0 release.
- Martin Skinner brought back bug report #1230118 to haunt us once again.
( curl_getdate() did not work
properly for all input dates on Windows. It was mostly seen on some TZ time
zones using DST. Luckily, Martin also provided a fix.
- Alexey Simak filed bug report #1600447
( in which he noted that active
FTP connections don't work with the multi interface. The problem is here
that the multi interface state machine has a state during which it can wait
for the data connection to connect, but the active connection is not done in
the same step in the sequence as the passive one is so it doesn't quite work
for active. The active FTP code still use a blocking function to allow the
remote server to connect.
The fix (work-around is a better word) for this problem is to set the
boolean prematurely that the data connection is completed, so that the "wait
for connect" phase ends at once.
The proper fix, left for the future, is of course to make the active FTP
case to act in a non-blocking way too.
- Matt Witherspoon fixed a problem case when the CPU load went to 100% when a
HTTP upload was disconnected:
"What appears to be happening is that my system (Linux 2.6.17 and 2.6.13) is
setting *only* POLLHUP on poll() when the conditions in my previous mail
occur. As you can see, select.c:Curl_select() does not check for POLLHUP. So
basically what was happening, is poll() was returning immediately (with
POLLHUP set), but when Curl_select() looked at the bits, neither POLLERR or
POLLOUT was set. This still caused Curl_readwrite() to be called, which
quickly returned. Then the transfer() loop kept continuing at full speed
Daniel (1 December 2006)
- Toon Verwaest reported that there are servers that send the Content-Range:
header in a third, not suppported by libcurl, format and we agreed that we
could make the parser more forgiving to accept all the three found
Daniel (25 November 2006)
- Venkat Akella found out that libcurl did not like HTTP responses that simply
responded with a single status line and no headers nor body. Starting now, a
HTTP response on a persistent connection (i.e not set to be closed after the
response has been taken care of) must have Content-Length or chunked
encoding set, or libcurl will simply assume that there is no body.
To my horror I learned that we had no less than 57(!) test cases that did bad
HTTP responses like this, and even the test http server (sws) responded badly
when queried by the test system if it is the test system. So although the
actual fix for the problem was tiny, going through all the newly failing test
cases got really painful and boring.
Daniel (24 November 2006)
- James Housley did lots of work and introduced SFTP downloads.
Daniel (13 November 2006)
- Ron in bug #1595348 ( pointed
out a stack overwrite (and the corresponding fix) on 64bit Windows when
dealing with HTTP chunked encoding.
Daniel (9 November 2006)
- Nir Soffer updated libcurl.framework.make:
o fix symlinks, should link to Versions, not to ./Versions
o indentation improvments
- Dmitriy Sergeyev found a SIGSEGV with his test04.c example posted on 7 Nov
2006. It turned out we wrongly assumed that the connection cache was present
when tearing down a connection.
- Ciprian Badescu found a SIGSEGV when doing multiple TFTP transfers using the
multi interface, but I could also repeat it doing multiple sequential ones
with the easy interface. Using Ciprian's test case, I could fix it.
Daniel (8 November 2006)
- Bradford Bruce reported that when setting CURLOPT_DEBUGFUNCTION without
CURLOPT_VERBOSE set to non-zero, you still got a few debug messages from the
SSL handshake. This is now stopped.
Daniel (7 November 2006)
- Olaf fixed a leftover problem with the CONNECT fix of his that would leave a
wrong error message in the error message buffer.
Daniel (3 November 2006)
- Olaf Stueben provided a patch that I edited slightly. It fixes the notorious
KNOWN_BUGS #25, which happens when a proxy closes the connection when
libcurl has sent CONNECT, as part of an authentication negotiation. Starting
now, libcurl will re-connect accordingly and continue the authentication as
it should.
Daniel (2 November 2006)
- James Housley brought support for SCP transfers, based on the libssh2 library
for the actual network protocol stuff.
Added these new curl_easy_setopt() options:
Version 7.16.0 (30 October 2006)
Daniel (25 October 2006)
case when 401 or 407 are returned, *IF* no auth credentials have been given.
The CURLOPT_FAILONERROR option is not possible to make fool-proof for 401
and 407 cases when auth credentials is given, but we've now covered this
somewhat more.
You might get some amounts of headers transferred before this situation is
detected, like for when a "100-continue" is received as a response to a
POST/PUT and a 401 or 407 is received immediately afterwards.
Added test 281 to verify this change.
Daniel (23 October 2006)
- Ravi Pratap provided a major update with pipelining fixes. We also no longer
re-use connections (for pipelining) before the name resolving is done.
Daniel (21 October 2006)
- Nir Soffer made the tests/libtest/ use a proper variable for all
the single test applications' link and dependences, so that you easier can
override those from the command line when using make.
- Armel Asselin separated CA cert verification problems from problems with
reading the (local) CA cert file to let users easier pinpoint the actual
problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code.
Daniel (18 October 2006)
- Removed the "protocol-guessing" for URLs with host names starting with FTPS
or TELNET since they are practically non-existant. This leaves us with only
three different prefixes that would assume the protocol is anything but
HTTP, and they are host names starting with "ftp.", "dict." or "ldap.".
Daniel (17 October 2006)
- Bug report #1579171 pointed out code flaws detected with "prefast", and they
were 1 - a too small memory clear with memset() in the threaded resolver and
2 - a range of potentially bad uses of the ctype family of is*() functions
such as isdigit(), isalnum(), isprint() and more. The latter made me switch
to using our own set of these functions/macros using uppercase letters, and
with some extra set of crazy typecasts to avoid mistakingly passing in
negative numbers to the underlying is*() functions.
- With Jeff Pohlmeyer's help, I fixed the expire timer when using
curl_multi_socket() during name resolves with c-ares and the LOW_SPEED
options now work fine with curl_multi_socket() as well.
Daniel (16 October 2006)
- Added a check in configure that simply tries to run a program (not when
cross-compiling) in order to detect problems with run-time libraries that
otherwise would occur when the sizeof tests for curl_off_t would run and
thus be much more confusing to users. The check of course should run after
all lib-checks are done and before any other test is used that would run an
executable built for testing-purposes.
Dan F (13 October 2006)
- The tagging of application/x-www-form-urlencoded POST body data sent
to the CURLOPT_DEBUGFUNCTION callback has been fixed (it was erroneously
included as part of the header). A message was also added to the
command line tool to show when data is being sent, enabled when
--verbose is used.
Daniel (12 October 2006)
- Starting now, adding an easy handle to a multi stack that was already added
to a multi stack will cause CURLM_BAD_EASY_HANDLE to get returned.
- Jeff Pohlmeyer has been working with the hiperfifo.c example source code,
and while doing so it became apparent that the current timeout system for
the socket API really was a bit awkward since it become quite some work to
be sure we have the correct timeout set.
Jeff then provided the new CURLMOPT_TIMERFUNCTION that is yet another
callback the app can set to get to know when the general timeout time
changes and thus for an application like hiperfifo.c it makes everything a
lot easier and nicer. There's a CURLMOPT_TIMERDATA option too of course in
good old libcurl tradition.
Jeff has also updated the hiperfifo.c example code to use this news.
Daniel (9 October 2006)
- Bogdan Nicula's second test case (posted Sun, 08 Oct 2006) converted to test
case 535 and it now runs fine. Again a problem with the pipelining code not
taking all possible (error) conditions into account.
Daniel (6 October 2006)
- Bogdan Nicula's hanging test case (posted Wed, 04 Oct 2006) was converted to
test case 533 and the test now runs fine.
Daniel (4 October 2006)
- Dmitriy Sergeyev provided an example source code that crashed CVS libcurl
but that worked nicely in 7.15.5. I converted it into test case 532 and
fixed the problem.
Daniel (29 September 2006)
- Removed a few other no-longer present options from the header file.
- Support for FTP third party transfers was removed. Here's why:
o The recent multi interface changes broke it and the design of the 3rd party
transfers made it very hard to fix the problems
o It was still blocking and thus nasty for the multi interface
o It was a lot of extra code for a very rarely used feature
o It didn't use the same code as for "plain" FTP transfers, so it didn't work
fine for IPv6 and it didn't properly re-use connections and more
o There's nobody around who's willing to work on and improve the existing
This does not mean that third party transfers are banned forever, only that
they need to be done better if they are to be re-added in the future.
The CURLOPT_SOURCE_* options are removed from the lib and so are the --3p*
options from the command line tool. For this reason, I also bumped the
version info for the lib.
Daniel (28 September 2006)
- Reported in #1561470 (, libcurl
would crash if a bad function sequence was used when shutting down after
using the multi interface (i.e using easy_cleanup after multi_cleanup) so
precautions have been added to make sure it doesn't any more - test case 529
was added to verify.
Daniel (27 September 2006)
- The URL in the cookie jar file is now changed since it was giving a 404.
Reported by Timothy Stone. The new URL will take the visitor to a curl web
site mirror with the document.
Daniel (24 September 2006)
- Bernard Leak fixed configure --with-gssapi-libs.
- Cory Nelson made libcurl use the WSAPoll() function if built for Windows
Vista (_WIN32_WINNT >= 0x0600)
Daniel (23 September 2006)
- Mike Protts added --ftp-ssl-control to make curl use FTP-SSL, but only
encrypt the control connection and use the data connection "plain".
- Dmitriy Sergeyev provided a patch that made the SOCKS[45] code work better
as it now will read the full data sent from servers. The SOCKS-related code
was also moved to the new lib/socks.c source file.
Daniel (21 September 2006)
- Added test case 531 in an attempt to repeat bug report #1561470
( that is said to crash when an
FTP upload fails with the multi interface. It did not, but I made a failed
upload still assume the control connection to be fine.
Daniel (20 September 2006)
- Armel Asselin fixed problems when you gave a proxy URL with user name and
empty password or no password at all. Test case 278 and 279 were added to
Daniel (12 September 2006)
- Added docs/examples/10-at-a-time.c by Michael Wallner
- Added docs/examples/hiperfifo.c by Jeff Pohlmeyer
Daniel (11 September 2006)
- Fixed my breakage from earlier today so that doing curl_easy_cleanup() on a
handle that is part of a multi handle first removes the handle from the
- Added CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid to disable SSL
session-ID re-use on demand since there obviously are broken servers out
there that misbehave with session-IDs used.
- Jeff Pohlmeyer presented a *multi_socket()-using program that exposed a
problem with it (SIGSEGV-style). It clearly showed that the existing
socket-state and state-difference function wasn't good enough so I rewrote
it and could then re-run Jeff's program without any crash. The previous
version clearly could miss to tell the application when a handle changed
from using one socket to using another.
While I was at it (as I could use this as a means to track this problem
down), I've now added a 'magic' number to the easy handle struct that is
inited at curl_easy_init() time and cleared at curl_easy_cleanup() time that
we can use internally to detect that an easy handle seems to be fine, or at
least not closed or freed (freeing in debug builds fill the area with 0x13
bytes but in normal builds we can of course not assume any particular data
in the freed areas).
Daniel (9 September 2006)
- Michele Bini fixed how the hostname is put in NTLM packages. As servers
don't expect fully qualified names we need to cut them off at the first dot.
- Peter Sylvester cleaned up and fixed the getsockname() uses in ftp.c. Some
of them can be completetly removed though...
Daniel (6 September 2006)
- Ravi Pratap and I have implemented HTTP Pipelining support. Enable it for a
multi handle using CURLMOPT_PIPELINING and all HTTP connections done on that
handle will be attempted to get pipelined instead of done in parallell as
they are performed otherwise.
As a side-effect from this work, connections are now shared between all easy
handles within a multi handle, so if you use N easy handles for transfers,
each of them can pick up and re-use a connection that was previously used by
any of the handles, be it the same or one of the others.
This separation of the tight relationship between connections and easy
handles is most noticable when you close easy handles that have been used in
a multi handle and check amount of used memory or watch the debug output, as
there are times when libcurl will keep the easy handle around for a while
longer to be able to close it properly. Like for sending QUIT to close down
an FTP connection.
This is a major change.
Daniel (4 September 2006)
- Dmitry Rechkin ( provided a
patch that while not fixing things very nicely, it does make the SOCKS5
proxy connection slightly better as it now acknowledges the timeout for
connection and it no longer segfaults in the case when SOCKS requires
authentication and you did not specify username:password.
Daniel (31 August 2006)
- Dmitriy Sergeyev found and fixed a multi interface flaw when using asynch
name resolves. It could get stuck in the wrong state.
Gisle (29 August 2006)
- Added support for other MS-DOS compilers (desides djgpp). All MS-DOS
compiler now uses the same config.dos file (renamed to config.h by
make). libcurl now builds fine using Watcom and Metaware's High-C
using the Watt-32 tcp/ip-stack.
Daniel (29 August 2006)
allow applications to set their own socket options.
Daniel (25 August 2006)
- Armel Asselin reported that the 'running_handles' counter wasn't updated
properly if you removed a "live" handle from a multi handle with
Daniel (22 August 2006)
- David McCreedy fixed a remaining mistake from the August 19 TYPE change.
- Peter Sylvester pointed out a flaw in the AllowServerConnect() in the FTP
code when doing pure ipv6 EPRT connections.
Daniel (19 August 2006)
- Based on a patch by Armel Asselin, the FTP code no longer re-issues the TYPE
command on subsequent requests on a re-used connection unless it has to.
- Armel Asselin fixed a crash in the FTP code when using SINGLECWD mode and
files in the root directory.
- Andrew Biggs pointed out a "Expect: 100-continue" flaw where libcurl didn't
send the whole request at once, even though the Expect: header was disabled
by the application. An effect of this change is also that small (< 1024
bytes) POSTs are now always sent without Expect: header since we deem it
more costly to bother about that than the risk that we send the data in
Daniel (9 August 2006)
- Armel Asselin made the CURLOPT_PREQUOTE option work fine even when
CURLOPT_NOBODY is set true. PREQUOTE is then run roughly at the same place
in the command sequence as it would have run if there would've been a
Daniel (8 August 2006)
- Fixed a flaw in the "Expect: 100-continue" treatment. If you did two POSTs
on a persistent connection and allowed the first to use that header, you
could not disable it for the second request.
Daniel (7 August 2006)
- Domenico Andreolfound a quick build error which happened because
src/ was not a proper duplcate of lib/ which it
should've been and this was due to the maketgz script not doing the cp
Version 7.15.5 (7 August 2006)
Daniel (2 August 2006)
- Mark Lentczner fixed how libcurl was not properly doing chunked encoding
if the header "Transfer-Encoding: chunked" was set by the application.
Daniel (1 August 2006)
- Maciej Karpiuk fixed a crash that would occur if we passed Curl_strerror()
an unknown error number on glibc systems.
Daniel (31 July 2006)
- *ALERT* curl_multi_socket() and curl_multi_socket_all() got modified
prototypes: they both now provide the number of running handles back to the
calling function. It makes the functions resemble the good old
curl_multi_perform() more and provides a nice way to know when the multi
handle goes empty.
ALERT2: don't use the curl_multi_socket*() functionality in anything
production-like until I say it's somewhat settled, as I suspect there might
be some further API changes before I'm done...
Daniel (28 July 2006)
- Yves Lejeune fixed so that replacing Content-Type: when doing multipart
formposts work exactly the way you want it (and the way you'd assume it
Daniel (27 July 2006)
- David McCreedy added --ftp-ssl-reqd which makes curl *require* SSL for both
control and data connection, as the existing --ftp-ssl option only requests
- [Hiper-related work] Added a function called curl_multi_assign() that will
set a private pointer added to the internal libcurl hash table for the
particular socket passed in to this function:
CURLMcode curl_multi_assign(CURLM *multi_handle,
curl_socket_t sockfd,
void *sockp);
'sockp' being a custom pointer set by the application to be associated with
this socket. The socket has to be already existing and in-use by libcurl,
like having already called the callback telling about its existance.
The set hashp pointer will then be passed on to the callback in upcoming
calls when this same socket is used (in the brand new 'socketp' argument).
Daniel (26 July 2006)
- Dan Nelson added the CURLOPT_FTP_ALTERNATIVE_TO_USER libcurl option and curl
tool option named --ftp-alternative-to-user. It provides a mean to send a
particular command if the normal USER/PASS approach fails.
- Michael Jerris added magic that builds lib/curllib.vcproj automatically for
newer MSVC.
Daniel (25 July 2006)
- Georg Horn made the transfer timeout error message include more details.
Daniel (20 July 2006)
- David McCreedy fixed a build error when building libcurl with HTTP disabled,
problem added with the curl_formget() patch.
Daniel (17 July 2006)
- Jari Sundell did some excellent research and bug tracking, figured out that
we did wrong and patched it: When nodes were removed from the splay tree,
and we didn't properly remove it from the splay tree when an easy handle was
removed from a multi stack and thus we could wrongly leave a node in the
splay tree pointing to (bad) memory.
Daniel (14 July 2006)
- David McCreedy fixed a flaw where the CRLF counter wasn't properly cleared
for FTP ASCII transfers.
Daniel (8 July 2006)
- Ates Goral pointed out that libcurl's cookie parser did case insensitive
string comparisons on the path which is incorrect and provided a patch that
fixes this. I edited test case 8 to include details that test for this.
- Ingmar Runge provided a source snippet that caused a crash. The reason for
the crash was that libcurl internally was a bit confused about who owned the
DNS cache at all times so if you created an easy handle that uses a shared
DNS cache and added that to a multi handle it would crash. Now we keep more
careful internal track of exactly what kind of DNS cache each easy handle
uses: None, Private (allocated for and used only by this single handle),
Shared (points to a cache held by a shared object), Global (points to the
global cache) or Multi (points to the cache within the multi handle that is
automatically shared between all easy handles that are added with private
Daniel (4 July 2006)
- Toshiyuki Maezawa fixed a problem where you couldn't override the
Proxy-Connection: header when using a proxy and not doing CONNECT.
Daniel (24 June 2006)
- Michael Wallner added curl_formget(), which allows an application to extract
(serialise) a previously built formpost (as with curl_formadd()).
Daniel (23 June 2006)
- Arve Knudsen found a flaw in curl_multi_fdset() for systems where
curl_socket_t is unsigned (like Windows) that could cause it to wrongly
return a max fd of -1.
Daniel (20 June 2006)
- Peter Silva introduced CURLOPT_MAX_SEND_SPEED_LARGE and
CURLOPT_MAX_RECV_SPEED_LARGE that limit tha maximum rate libcurl is allowed
to send or receive data. This kind of adds the the command line tool's
option --limit-rate to the library.
The rate limiting logic in the curl app is now removed and is instead
provided by libcurl itself. Transfer rate limiting will now also work for -d
and -F, which it didn't before.
Daniel (19 June 2006)
- Made -K on a file that couldn't be read cause a warning to be displayed.
Daniel (13 June 2006)
- Dan Fandrich implemented --enable-hidden-symbols configure option to enable
-fvisibility=hidden on gcc >= 4.0. This reduces the size of the libcurl
binary and speeds up dynamic linking by hiding all the internal symbols from
the symbol table.
Version 7.15.4 (12 June 2006)
Daniel (8 June 2006)
- Brian Dessent fixed the code for cygwin in three distinct ways:
The first modifies {lib,src}/setup.h to not include the winsock headers
under Cygwin. This fixes the reported build problem. Cygwin attempts as
much as possible to emulate a posix environment under Windows. This means
that WIN32 is *not* #defined and (to the extent possible) everything is done
as it would be on a *ix type system. Thus <sys/socket.h> is the proper
include, and even though winsock2.h is present, including it just introduces
a whole bunch of incompatible socket API stuff.
The second is a patch I've included in the Cygwin binary packages for a
while. It skips two unnecessary library checks (-lwinmm and -lgdi32). The
checks are innocuous and they do succeed, but they pollute LIBS with
unnecessary stuff which gets recorded as such in the file, which
brings them into the build of any libcurl-downstream. As far as I know
these libs are really only necessary for mingw, so alternatively they could
be designed to only run if $host matches *-*-mingw* but I took the safer
route of skipping them for *-*-cygwin*.
The third patch replaces all uses of the ancient and obsolete __CYGWIN32__
with __CYGWIN__. Ref: <>.
Daniel (7 June 2006)
- Mikael Sennerholm provided a patch that added NTLM2 session response support
to libcurl. The 21 NTLM test cases were again modified to comply...
Daniel (27 May 2006)
- Óscar Morales Vivó updated the libcurl.framework.make file.
Daniel (26 May 2006)
- Olaf Stüben fixed a bug that caused Digest authentication with md5-sess to
fail. When using the md5-sess, the result was not Md5 encoded and Base64
Daniel (25 May 2006)
- Michael Wallner provided a patch that allows "SESS" to be set with
CURLOPT_COOKIELIST, which then makes all session cookies get cleared.
Daniel (24 May 2006)
- Tor Arntsen made test 271 run fine again since the TFTP path fix.
Daniel (23 May 2006)
- Martin Michlmayr filed debian bug report #367954, but the same error also
showed up in the autobuilds. It seems a rather long-since introduced shell
script flaw in the configure script suddenly was detected by the bash
version in Debian Unstable. It had previously passed undetected by all
shells used so far...
- David McCreedy updated lib/config-tpf.h
Daniel (11 May 2006)
- Fixed the configure's check for old-style SSLeay headers since I fell over a
case with a duplicate file name (a krb4 implementation with an err.h
file). I converted the check to manually make sure three of the headers are
present before considering them fine.
- David McCreedy provided a fix for CURLINFO_LASTSOCKET that does extended
checks on the to-be-returned socket to make sure it truly seems to be alive
and well. For SSL connection it (only) uses OpenSSL functions.
Daniel (10 May 2006)
- Fixed DICT in two aspects:
1 - allow properly URL-escaped words, like using %20 for spaces
2 - properly escape certain letters within a word to comply to the RFC2229
Daniel (9 May 2006)
- Andreas Ntaflos reported a bug in libcurl.m4: When configuring my GNU
autotools project, which optionally (default=yes) uses libcurl on a system
without a (usable) libcurl installation, but not specifying
`--without-libcurl', configure determines correctly that no libcurl is
available, however, the LIBCURL variable gets expanded to `LIBCURL = -lcurl'
in the resulting Makefiles.
David Shaw fixed the flaw.
- Robson Braga Araujo fixed two problems in the recently added non-blocking SSL
connects. The state machine was not reset properly so that subsequent
connects using the same handle would fail, and there were two memory leaks.
- Robson Braga Araujo fixed a memory leak when you added an easy handle to a
multi stack and that easy handle had already been used to do one or more
easy interface transfers, as then the code threw away the previously used
DNS cache without properly freeing it.
Daniel (8 May 2006)
- Dan Fandrich went over the TFTP code and he pointed out and fixed numerous
* The received file is corrupted when a packet is lost and retransmitted
(this is a serious problem!)
* Transmitting a file aborts if a block is lost and retransmitted
* Data is stored in the wrong location in the buffer for uploads, so uploads
always fail (I don't see how it could have ever worked, but it did on x86
at least)
* A number of calls are made to strerror instead of Curl_strerror, making
the code not thread safe
* There are references to errno instead of Curl_sockerrno(), causing
incorrect error messages on Windows
* The file name includes a leading / which violates RFC3617. Doing something
similar to ftp, where two slashes after the host name means an absolute
reference seems a reasonable extension to fix this.
* Failures in EBCDIC conversion are not propagated up to the caller but are
silently ignored
- Fixed known bug #28. The TFTP code no longer assumes a packed struct and
thus works reliably on more platforms.
Daniel (5 May 2006)
- Roland Blom filed bug report #1481217
(, with follow-ups by Michele
Bini and David Byron. libcurl previously wrongly used GetLastError() on
windows to get error details after socket-related function calls, when it
really should use WSAGetLastError() instead.
When changing to this, the former function Curl_ourerrno() is now instead
called Curl_sockerrno() as it is necessary to only use it to get errno from
socket-related functions as otherwise it won't work as intended on Windows.
Daniel (4 May 2006)
- Mark Eichin submitted bug report #1480821
( He found and identified a
problem with how libcurl dealt with GnuTLS and a case where gnutls returned
GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
return code, making Curl_ssl_send() confuse the upper layer - causing random
28 bytes trash data to get inserted in the transfered stream.
The proper fix was to make the Curl_gtls_send() function return the proper
return codes that the callers would expect. The Curl_ossl_send() function
already did this.
Daniel (2 May 2006)
- Added a --checkfor option to curl-config to allow users to easier
write for example shell scripts that test for the presence of a
new-enough libcurl version. If --checkfor is given a version string
newer than what is currently installed, curl-config will return a
non-zero exit code and output a string about the unfulfilled
Daniel (26 April 2006)
- David McCreedy brought initial line end conversions when doing FTP ASCII
transfers. They are done on non-windows systems and translate CRLF to LF.
I modified the 15 LIST-using test cases accordingly. The downside is that now
we'll have even more trouble to get the tests to run on Windows since they
should get CRLF newlines left intact which the *nix versions don't. I figure
the only sane thing to do is to add some kind of [newline] macro for the test
case files and have them expanded to the proper native line ending when the
test cases are run. This is however left to implement.
Daniel (25 April 2006)
- Paul Querna fixed libcurl to better deal with deflate content encoding
when the stream (wrongly) lacks a proper zlib header. This seems to be the
case on too many actual server implementations.
Daniel (21 April 2006)
- Ale Vesely fixed CURLOPT_INTERFACE when using a hostname.
Daniel (19 April 2006)
- Based on previous info from Tor Arntsen, I made configure detect the Intel
ICC compiler to add a compiler option for it, in order for configure to
properly be able to detect function prototypes.
- Robson Braga Araujo provided a patch that makes libcurl less eager to close
the control connection when using FTP, for example when you remove an easy
handle from a multi stack.
- Applied a patch by Ates Goral and Katie Wang that corrected my bad fix
attempt from April 10.
Daniel (11 April 2006)
- #1468330 ( pointed out a bad
typecast in the curl tool leading to a crash with (64bit?) VS2005 (at least)
since the struct timeval field tv_sec is an int while time_t is 64bit.
Daniel (10 April 2006)
- Ates Goral found out that if you specified both CURLOPT_CONNECTTIMEOUT and
CURLOPT_TIMEOUT, the _longer_ time would wrongly be used for the SSL
connection time-out!
- I merged my hiper patch ( into the main
sources. See the lib/README.multi_socket for implementation story with
details. Don't expect it to work fully yet. I don't intend to blow any
whistles or ring any bells about it until I'm more convinced it works at
least somewhat reliably.
Daniel (7 April 2006)
- David McCreedy's EBCDIC and TPF changes. Three new curl_easy_setopt()
options (callbacks) were added:
Daniel (5 April 2006)
- Michele Bini modified the NTLM code to work for his "weird IIS case"
( by adding the NTLM hash
function in addition to the LM one and making some other adjustments in the
order the different parts of the data block are sent in the Type-2 reply.
Inspiration for this work was taken from the Firefox NTLM implementation.
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
to the fact that we now properly include the host name in the Type-2 message
the test cases now only compare parts of that chunk.
Daniel (28 March 2006)
- #1451929 ( detailed a bug that
occurred when asking libcurl to follow HTTP redirects and the original URL
had more than one question mark (?). Added test case 276 to verify.
Daniel (27 March 2006)
- David Byron found a problem multiple -d options when libcurl was built with
--enable-debug, as then curl used free() on memory allocated both with
normal malloc() and with libcurl-provided functions, when the latter MUST be
freed with curl_free() in debug builds.
Daniel (26 March 2006)
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
called bind() with a too big argument in the 3rd parameter and at least
Tru64, AIX and IRIX seem to be very picky about it.
Daniel (21 March 2006)
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.
- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
(when using OpenSSL).
- Tor Arntsen fixed the AIX Toolbox RPM spec
Daniel (20 March 2006)
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
reacts properly according to the CURLOPT_FTP_SSL setting.
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
whose length was a multiple of 512 bytes could have random garbage
appended. Also, stop processing TFTP packets which are too short to be
- Ilja van Sprundel reported a possible crash in the curl tool when using
"curl hostwithoutslash -d data -G"
Version 7.15.3 (20 March 2006)
Daniel (20 March 2006)
- VULNERABILITY reported to us by Ulf Harnhammar.
libcurl uses the given file part of a TFTP URL in a manner that allows a
malicious user to overflow a heap-based memory buffer due to the lack of
boundary check.
This overflow happens if you pass in a URL with a TFTP protocol prefix
("tftp://"), using a valid host and a path part that is longer than 512
The affected flaw can be triggered by a redirect, if curl/libcurl is told to
follow redirects and an HTTP server points the client to a tftp URL with the
characteristics described above.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2006-1061 to this issue.
Daniel (16 March 2006)
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
in the release archive.
Daniel (14 March 2006)
- David McCreedy fixed:
a bad SSL error message when OpenSSL certificates are verified fine.
a missing return code assignment in the FTP code
Daniel (7 March 2006)
- Markus Koetter filed debian bug report #355715 which identified a problem
with the multi interface and multi-part formposts. The fix from February
22nd could make the Curl_done() function get called twice on the same
connection and it was not designed for that and thus tried to call free() on
an already freed memory area!
- Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL
is used properly.
Daniel (6 March 2006)
- Lots of users on Windows have reported getting the "SSL: couldn't set
callback" error message so I've now made the setting of that callback not be
as critical as before. The function is only used for additional loggging/
trace anyway so a failure just means slightly less data. It should still be
able to proceed and connect fine to the server.
Daniel (4 March 2006)
- Thomas Klausner provided a patch written by Todd Vierling in bug report
#1442471 that fixes a build problem on Interix.
Daniel (2 March 2006)
- FTP upload without a file name part in the URL now causes
curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the
upload but named the file "(nil)" (without the quotes). Test case 524
- Added a check for getprotobyname in configure so that it'll be used, thanks
to Gisle Vanem's change the other day.
Daniel (28 February 2006)
- Dan Fandrich prevented curl from getting stuck in an endless loop in case we
are out of file handles very early in curl's code where it makes sure that
0, 1 and 2 aren't gonna be used by the lib for transfers.
Daniel (27 February 2006)
- Marty Kuhrt pointed out that there were two VMS-specific files missing in
the release archive.
Version 7.15.2 (27 February 2006)
Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
( helped me identify and fix two
different but related bugs:
1) Removing an easy handle from a multi handle before the transfer is done
could leave a connection in the connection cache for that handle that is
in a state that isn't suitable for re-use. A subsequent re-use could then
read from a NULL pointer and segfault.
2) When an easy handle was removed from the multi handle, there could be an
outstanding c-ares DNS name resolve request. When the response arrived,
it caused havoc since the connection struct it "belonged" to could've
been freed already.
Now Curl_done() is called when an easy handle is removed from a multi handle
pre-maturely (that is, before the transfer was complteted). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
type to the already provided type CURLPROXY_SOCKS4.
I added a --socks4 option that works like the current --socks5 option but
instead use the socks4 protocol.
Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
content when libcurl didn't honor the internal ignorebody flag.
Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate
code. It should however not be the cause of any troubles. He also fixed a
few similar problems in the HTTP test server code.
Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times,
as previously it could be holding on to old cached entries longer than
Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
that an app can use to let libcurl only connect to a remote host and then
extract the socket from libcurl. libcurl will then not attempt to do any
transfer at all after the connect is done.
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
instead of LDFLAGS.
Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem
with re-used FTP connections. If the second request on the same connection
was set not to fetch a "body", libcurl could get confused and consider it an
attempt to use a dead connection and would go acting mighty strange.
Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
change done in November 2005.
Daniel (30 January 2006)
curl tool with --local-port. Plain and simply set the range of ports to bind
the local end of connections to. Implemented on to popular demand.
- Based on an error report by Philippe Vaucher, we no longer count a retried
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
connection is re-setup and 2) it does make the max-redirs counter behave
Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try
PASV even after EPSV returned a positive response code, if libcurl failed to
connect to the port number the EPSV response said. Obviously some people are
going through protocol-sensitive firewalls (or similar) that don't
understand EPSV and then they don't allow the second connection unless PASV
was used. This also called for a minor fix of test case 238.
Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP]
(CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
"native" IP while it works fine for ipv6-disabled builds!
In the process of fixing this, I removed the support for LPRT since I can't
think of many reasons to keep doing it and asking on the mailing list didn't
reveal anyone else that could either. The code that sends EPRT and PORT is
now also a lot simpler than before (IMHO).
Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
(built ipv4-only) didn't work.
Daniel (18 January 2006)
- As reported in bug #1408742 (,
the configure script complained about a missing "missing" script if you ran
configure within a path whose name included one or more spaces. This is due
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
be used instead of the one automake ships with. This kludge needs to be
removed once we get an automake version with this problem corrected.
Possibly we'll then need to convert this into a kludge depending on what
automake version that is used and that is gonna be painful and I don't even
want to think about that now...!
Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
the latest features and protocols that libcurl supports and has a minor fix
to better deal with the obscure case where someone has more than one libcurl
installed at the same time.
Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially
not supporting it. It hasn't been functioning for years anyway, so this is
just finally stating what already was true. And a cleanup at the same time.
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
into a counter, and thus you can now do multiple curl_global_init() and you
are then supposed to do the same amount of calls to curl_global_cleanup().
Bryan has also updated the docs accordingly.
Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the
test script to kill all processes in the current process group!
Daniel (12 January 2006)
- Michael Jahn:
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
HTTP proxy.
Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would
previously overwrite internal memory and cause unpredicted behaviour!
Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've received *NO*
feedback at all on my mailing list requests from November 2005:
I'm looking for feedback and comments. I added some experimental code the
other day, that allows a libcurl user to select what method libcurl should
use to reach a file on a FTP(S) server.
This functionality is available in CVS code and in recent daily snapshots.
Let me explain...
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
the command line tool) and you set it to a long (there are currenly no
defines for the argument values, just plain numericals). You can set three
different "methods" that do this:
1 multicwd - like today, curl will do a single CWD operation for each path
part in the given URL. For deep hierarchies this means very many
commands. This is how RFC1738 says it should be done. This is the
2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
a full path to the server.
3 singlecwd - make one CWD with the full target directory and then operate
on the file "normally".
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
one of "multicwd", "nocwd" or "singlecwd".)
What feedback I'm interested in:
1 - Do they work at all? Do you find servers where one of these don't work?
2 - What would proper names for the option and its arguments be, if we
consider this feature good enough to get included and documented in
upcoming releases?
3 - Should we make libcurl able to "walk through" these options in case of
(path related) failures, or should it fail and let the user redo any
possible retries?
(This option is not documented in any man page just yet since I'm not sure
these names will be used or if the functionality will end up exactly like
this. And for the same reasons we have no test cases for these yet.)
Daniel (10 January 2006)
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
given subdirs, libcurl would still "remember" the full path as if it is the
current directory libcurl is in so that the next curl_easy_perform() would
get really confused if it tried the same path again - as it would not issue
any CWD commands at all, assuming it is already in the "proper" dir.
Starting now, a failed CWD command sets a flag that prevents the path to be
"remembered" after returning.
Daniel (7 January 2006)
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
proxy actually used a new connection and not sent the second request on the
first socket!
Daniel (6 January 2006)
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
is present instead of trying to mimic that script in curl's buildconf
Daniel (3 January 2006)
- Andres Garcia made the TFTP test server build with mingw.
Daniel (16 December 2005)
- Jean Jacques Drouin pointed out that you could only have a user name or
password of 127 bytes or less embedded in a URL, where actually the code
uses a 255 byte buffer for it! Modified now to use the full buffer size.
Daniel (12 December 2005)
- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly
Version 7.15.1 (7 December 2005)
Daniel (6 December 2005)
- Full text here: Pointed out by
Stefan Esser.
libcurl's URL parser function can overflow a malloced buffer in two ways, if
given a too long URL.
These overflows happen if you
1 - pass in a URL with no protocol (like "http://") prefix, using no slash
and the string is 256 bytes or longer. This leads to a single zero byte
overflow of the malloced buffer.
2 - pass in a URL with only a question mark as separator (no slash) between
the host and the query part of the URL. This leads to a single zero byte
overflow of the malloced buffer.
Both overflows can be made with the same input string, leading to two single
zero byte overwrites.
The affected flaw cannot be triggered by a redirect, but the long URL must
be passed in "directly" to libcurl. It makes this a "local" problem. Of
course, lots of programs may still pass in user-provided URLs to libcurl
without doing much syntax checking of their own, allowing a user to exploit
this vulnerability.
There is no known exploit at the time of this writing.
Daniel (2 December 2005)
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
file descriptor if given a non-existing file.
Daniel (24 November 2005)
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
again using configure.
- Yang Tse provided a whole series of patches to clear up compiler warnings on
Daniel (17 November 2005)
- I extended a patch from David Shaw to make libcurl _always_ provide an error
string in the given error buffer to address the flaw mention on 21 sep 2005.
Daniel (16 November 2005)
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
installed on 'make install' time.
Daniel (14 November 2005)
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
properly for a case, and so we did. We raised it even for non-SSPI builds
but it should not do any harm.
- Jan Kunder's debian bug report identified a weird
error message for when you try to upload a file and the requested directory
doesn't exist on the target server.
- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
lib/memdebug.h that showed up in his msvc builds.
Daniel (13 November 2005)
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
bad limit-rate units: Now curl will return
error if a bad unit is used.
- Thanks to this nice summary of poll() implementations: and further tests by Eugene
Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
connectin closure so we check for that case (too) and re-enable poll for
cygwin builds.
Daniel (12 November 2005)
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
right: so we now disable
poll() and use select() on cygwin too (we already do the same choice on Mac
- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
client certificates! (
Daniel (10 November 2005)
- David Lang fixed IPv6 support for TFTP!
- Introducing range stepping to the curl globbing support. Now you can specify
step counter by adding :[num] within the brackets when specifying a range:
If no step counter is set, it defaults to 1 as before:
Daniel (8 November 2005)
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
we really have no use for reverse lookups of the address.
I truly hope these are the last reverse lookups we had lingering in the
- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
version of libcurl with different Windows versions. Current version of
libcurl imports SSPI functions from secur32.dll. However, under Windows NT
4.0 these functions are located in security.dll, under Windows 9x - in
secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
just forwards calls to secur32.dll).
Dmitry's patch loads proper library dynamically depending on Windows
version. Function InitSecurityInterface() is used to obtain pointers to all
of SSPI function in one structure.
Daniel (31 October 2005)
- Vilmos Nebehaj improved libcurl's LDAP abilities:
The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
attributes in LDAP objects. So, I made a quick patch to address these
The solution is simple: if we connect to an LDAP server, first try LDAPv3
(which is the preferred protocol as of now) and then fall back to LDAPv2.
In case of binary attributes, we first convert them to base64, just like the
openldap client does. It uses ldap_get_values_len() instead of
ldap_get_values() to be able to retrieve binary attributes correctly. I
defined the necessary LDAP macros in lib/ldap.c to be able to compile
libcurl without the presence of libldap
Daniel (27 October 2005)
- Nis Jorgensen filed bug report #1338648
( which really is more of a
feature request, but anyway. It pointed out that --max-redirs did not allow
it to be set to 0, which then would return an error code on the first
Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
set to 0, or -1 for infinity. Added test case 274 to verify.
- tommink[at] reported in bug report #1337723
( that curl could not upload
binary data from stdin on Windows if the data contained control-Z (hex 1a)
since that is treated as end-of-file when read in text mode. Gisle Vanem
pointed out the fix, and I made both -T and --data-binary take advantage of
- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
in the man page, curl would send an invalid HTTP Range: header. The correct
way would be to use "-r [number]-" or even "-r -[number]". Starting now,
curl will warn if this is discovered, and automatically append a dash to the
range before passing it to libcurl.
Daniel (25 October 2005)
- Amol Pattekar reported a bug with great detail and a fine example in bug
#1326306 ( When using the multi
interface and connecting to a host with multiple IP addresses, and one of
the addresses fails to connect (the server must exist and respond, just not
accept connections) libcurl leaks a socket descriptor. Thanks to the fine
report, I could find and fix this.
Daniel (22 October 2005)
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
#1334338 ( When reading an SSL
stream from a server and the server requests a "rehandshake", the current
code simply returns this as an error. I have no good way to test this, but
I've added a crude attempt of dealing with this situation slightly better -
it makes a blocking handshake if this happens. Done like this because fixing
this the "proper" way (that would handshake asynchronously) will require
quite some work and I really need a good way to test this to do such a
Daniel (21 October 2005)
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
it, it could then accidentally actually crash. Presumably, this concerns FTP
- Temprimus improved the MSVC makefile so that the static debug SSL libs are
linked to the executable and not to the libcurld.lib
- Bradford Bruce made the windows resolver code properly return
errors (as documented).
Daniel (20 October 2005)
- Dave Dribin made libcurl understand and handle cases when the server
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.
- Temprimus improved the MSVC makefile: "makes a build option available so if
you set rtlibcfg=static for the make, then it would build with /MT. The
default behaviour is /MD (the original)."
Daniel (14 October 2005)
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
reported, the define is used by the configure script and is assumed to use
the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
release version.
Version 7.15.0 (13 October 2005)
Daniel (12 October 2005)
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
code that would overflow a buffer if given a too long user name or domain
name. This would happen if you enable NTLM authentication and either
A - pass in a user name and domain name to libcurl that together are longer
than 192 bytes
B - allow (lib)curl to follow HTTP "redirects" (Location: and the
appropriate HTTP 30x response code) and the new URL contains a URL with
a user name and domain name that together are longer than 192 bytes
See for further details and updates
Daniel (5 October 2005)
- Darryl House reported a problem with using -z to download files from FTP.
It turned out that if the given time stamp was exact the same as the remote
time stamp, the file would still wrongly be downloaded. Added test case 272
to verify.
Daniel (4 October 2005)
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
from the configure script.
- Michael Wallner reported that the date parser had wrong offset stored for
the MEST and CEST time zones.
Daniel (27 September 2005)
- David Yan filed bug #1299181 (
that identified a silly problem with Content-Range: headers with the 'bytes'
keyword written in a different case than all lowercase! It would cause a
- TJ Saunders of the proftpd project identified and pointed out problems with
the modified FTPS negotiation change of August 19 2005. Thus, we revert the
change back to pre-7.14.1 status.
Daniel (21 September 2005)
- Fixed "cut off" sentence in the libcurl-tutorial man page:
- Clarified in the curl_easy_setopt man page what the default
- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
sometimes doesn't fill in the buffer even though it is supposed to:
- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
error string set.
Daniel (19 September 2005)
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.
Daniel (15 September 2005)
- Added a TFTP server to the test suite and made the test suite capable of
using it.
Daniel (7 September 2005)
- Ben Madsen's detailed reports that funnily enough only occurred with certain
glibc versions turned out to be curl using an already closed file handle
during certain conditions (like when saving FTP server "headers").
- Scott Davis helped me track down a problem in the test HTTP server that made
test case 56 wrongly fail at times. It turned out it was due to the server
finding the end of a chunked-encoded POST too early.
Daniel (6 September 2005)
- Now curl warns if an unknown variable is used in the -w/--writeout argument.
Daniel (4 September 2005)
- I applied Nicolas François' man page patch he posted to the Debian bug
tracker. It corrected two lines that started with apostrophes, which isn't
legal nroff format.
- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
connection's IP address when setting up the data connection instead of
extractting the IP address from the PASV response. It has turned out this
feature is frequently needed by people to circumvent silly servers and silly
firewalls, especially when FTPS is used and the PASV command-response is
sent encrtyped.
Sponsored by CU*Answers
Daniel (1 September 2005)
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
list of protocols whereever those are mentioned.
Version 7.14.1 (1 September 2005)
Daniel (29 August 2005)
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.
- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
for Windows, that could lead to an Access Violation when the multi interface
was used due to an issue with how the resolver thread was and was not
- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
instead of MIT/Heimdal for GSS capabilities.
Daniel (24 August 2005)
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
from the command line tool with --ignore-content-length. This will make it
easier to download files from Apache 1.x (and similar) servers that are
still having problems serving files larger than 2 or 4 GB. When this option
is enabled, curl will simply have to wait for the server to close the
connection to signal end of transfer. I wrote test case 269 that runs a
simple test to verify that this works.
- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
the --logfile command line option to --log-file, and thus the test script
valgrind autodetection now has yet another version check to do and then it
alters the valgrind command line accordingly.
- Fixed CA cert verification using GnuTLS with the default bundle, which
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
Ralph Mitchell reported.
Daniel (19 August 2005)
- Norbert Novotny had problems with FTPS and he helped me work out a patch
that made curl run fine in his end. The key was to make sure we do the
SSL/TLS negotiation immediately after the TCP connect is done and not after
a few other commands have been sent like we did previously. I don't consider
this change necessary to obey the standards, I think this server is pickier
than what the specs allow it to be, but I can't see how this modified
libcurl code can add any problems to those who are interpreting the
standards more liberally.
Daniel (17 August 2005)
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
write the result to a given cookie jar and then never actually call
curl_easy_perform() - the given file(s) to read was never read but the
output file was written and thus it caused a "funny" result.
- While doing some tests for the bug above, I noticed that Firefox generates
large numbers (for the expire time) in the cookies.txt file and libcurl
didn't treat them properly. Now it does.
Daniel (15 August 2005)
- Added more verbose "warning" messages to the curl client for cases where it
fails to open/read files etc to help users diagnose why it doesn't do what
you'd expect it to. Converted lots of old messages to use the new generic
function I wrote for this purpose.
Daniel (13 August 2005)
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
site responds with bad HTTP response that doesn't contain any header at all,
only a response body, and the write callback returns 0 to abort the
transfer, it didn't have any real effect but the write callback would be
called once more anyway.
Daniel (12 August 2005)
- Based on Richard Clayton's reports, I found out that using curl -d @filename
when 'filename' was not possible to access made curl use a GET request
- The time condition illegal syntax warning is now inhibited if -s is used.
Daniel (10 August 2005)
- Mario Schroeder found out that one of the debug callbacks calls that regards
SSL data with the CURLINFO_TEXT type claimed that the data was one byte
larger than it actually is, thus falsely telling the application that the
terminating zero was part of the data.
Daniel (9 August 2005)
- Christopher R. Palmer fixed the offsets used for date parsings when the time
zone name of a daylight savings time was used. For example, PDT vs PDS. This
flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
Fortunately, no web server or cookie string etc should be using such time
zone names thus limiting the effect of this bug.
Daniel (8 August 2005)
- Jon Grubbs filed bug report #1249962
( which identified a problem
with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
switches to pure HTTP internally when an HTTP proxy is used, even for FTP
URLs. The problem would also occur with other multi-pass auth methods.
Daniel (7 August 2005)
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
--features was used.
Daniel (28 July 2005)
set to 1, CURLOPT_NOBODY will now automatically be set to 0.
Daniel (27 July 2005)
- Dan Fandrich changes over the last week: fixed numerous minor configure
option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
and --without-krb4. Spellfixed several error messages.
- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
simple interface to extracting and setting cookies in libcurl's internal
"cookie jar". See the new cookie_interface.c example code.
Daniel (13 July 2005)
- Diego Casorran provided patches to make curl build fine on Amiga again.
Daniel (12 July 2005)
- Adrian Schuur added trailer support in the chunked encoding stream. The
trailer is then sent to the normal header callback/stream. I wrote up test
case 266 to verify the basic functionality. Do note that test case 34
contains a flawed chunked encoding stream that still works the same.
Daniel (5 July 2005)
- Gisle Vanem came up with a nice little work-around for bug #1230118
( It seems the Windows (MSVC)
libc time functions may return data one hour off if TZ is not set and
automatic DST adjustment is enabled. This made curl_getdate() return wrong
value, and it also concerned internal cookie expirations etc.
Daniel (4 July 2005)
- Andrew Bushnell provided enough info for me to tell that we badly needed to
fix the CONNECT authentication code with multi-pass auth methods (such as
NTLM) as it didn't previously properly ignore response-bodies - in fact it
stopped reading after all response headers had been received. This could
lead to libcurl sending the next request and reading the body from the first
request as response to the second request. (I also renamed the function,
which wasn't strictly necessary but...)
The best fix would to once and for all make the CONNECT code use the
ordinary request sending/receiving code, treating it as any ordinary request
instead of the special-purpose function we have now. It should make it
better for multi-interface too. And possibly lead to less code...
Added test case 265 for this. It doesn't work as a _really_ good test case
since the test proxy is too stupid, but the test case helps when running the
debugger to verify.
Daniel (30 June 2005)
- Dan Fandrich improved the configure script's ability to figure out what kind
of strerror_r() API that is used when cross-compiling. If __GLIB__ is
defined, it assumes the glibc API. If not, it issues a notice as before that
the user needs to manually edit lib/config.h for this.
Daniel (23 June 2005)
- David Shaw's fix that unifies proxy string treatment so that a proxy given
with CURLOPT_PROXY can use a http:// prefix and user + password. The user
and password fields are now also URL decoded properly. Test case 264 added
to verify.
Daniel (22 June 2005)
- David Shaw updated libcurl.m4
Daniel (14 June 2005)
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
( Comment in
Daniel (13 June 2005)
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
reverted patch).
Daniel (9 June 2005)
- Incorporated Tupone's findtool fix in buildconf (slightly edited)
- Incorporated Tupone's head -n fix in buildconf.
Daniel (8 June 2005)
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
in pieces, one by one and see what we need to adjust to work all over.
Daniel (6 June 2005)
- Tupone Alfredo fixed three problems in buildconf:
1) findtool does look per tool in PATH and think ./perl is the perl
executable, while is just a local directory (I have . in the PATH)
2) I got several warning for head -1 deprecated in favour of head -n 1
3) ares directory is missing some file (missing is missing :-) ) because
automake and friends is not run.
Daniel (3 June 2005)
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
- Andres Garcia provided yet another text mode patch for several test cases so
that they do text comparisions better on Windows (newline-wise).
Daniel (1 June 2005)
- The configure check for c-ares now adds the cares lib before the other libs,
to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
and patch:
Daniel (31 May 2005)
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
address was not possible to use. It is now, but requires it written
RFC2732-style, within brackets - which incidently is how you enter numerical
IPv6 addresses in URLs. Test case 263 added to verify.
Daniel (30 May 2005)
- Eric Cooper reported about a problem with HTTP servers that responds with
binary zeroes within the headers. They confused libcurl to do wrong so the
downloaded headers become incomplete. The fix is now verified with test case
Daniel (25 May 2005)
- Fixed problems with the test suite, and in particular the FTP test cases
since it previously was failing every now and then in a nonsense manner.
- --trace-time now outputs the full microsecond, all 6 digits.
Daniel (24 May 2005)
- Andres Garcia provided a text mode patch for several test cases so that they
do text comparisions better on Windows (newline-wise).
- Any 2xx response (and not just 200) is now considered a fine response to
TYPE, as some servers obviously sends a 226 there. Added test case 261 to
verify. Based on a question/report by Georg Wicherski.
Daniel (20 May 2005)
- Improved to allow stdout tests to be mode=text as well, just
as file comparisons already supports. Added this info to the FILEFORMAT
Daniel (18 May 2005)
- John McGowan identified a problem in bug report #1204435
( with malformed URLs like
"http://somehost?data" as it added a slash too much in the request ("GET
/?data/"...). Added test case 260 to verify.
- The configure check for strerror_r() failed to detect the proper API at
times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
version if the posix define wasn't set (since it _had_ found a strerror_r).
Daniel (16 May 2005)
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
due to this. There's now a configure check that attempts to detect the bad
function and not use it on such systems.
Version 7.14.0 (16 May 2005)
Daniel (13 May 2005)
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
doesn't work as good as if built without poll(). I've adjusted the configure
to always skip the fine-poll() test on Mac OS X (darwin).
Daniel (12 May 2005)
- When doing a second request (after a disconnect) using the same easy handle,
over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
properly (the auth method was accidentally reset to the same as had been set
for host auth, which defaults to Basic). Bug report #1200661
( identified the the problem and
the fix.
- If -z/--time-cond is used with an invalid date syntax, this is no longer
silently discarded. Instead a proper warning message is diplayed that
informs about it. But it still continues without the condition.
Version 7.14.0-pre2 (11 May 2005)
Daniel (11 May 2005)
- Starting now, libcurl sends a little different set of headers in its default
HTTP requests:
A) Normal non-proxy HTTP:
- no more "Pragma: no-cache" (this only makes sense to proxies)
B) Non-CONNECT HTTP request over proxy:
- "Pragma: no-cache" is used (like before)
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
C) CONNECT HTTP request over proxy:
- "Host: [name]:[port]"
- "Proxy-Connection: Keep-alive"
The A) case is mostly to reduce the default header size and remove a
pointless header.
The B) is to address (rare) problems with HTTP 1.0 proxies
The C) headers are both to address (rare) problems with some proxies. The
code in libcurl that deals with CONNECT requests need a rewrite, but it
feels like a too big a job for me to do now. Details are added in the code
comments for now.
Updated a large amount of test cases to reflect the news.
Daniel (10 May 2005)
- Half-baked attempt to bail out if select() returns _only_ errorfds when the
transfer is in progress. An attempt to fix Allan's problem. See and the rest of that thread
for details.
I'm still not sure this is the right fix, but...
Version 7.14.0-pre1 (9 May 2005)
Daniel (2 May 2005)
- Sort of "fixed" KNOWN_BUGS #4: curl now builds IPv6 enabled on AIX 4.3. At
least it should no longer cause a compiler error. However, it does not have
AI_NUMERICHOST so we cannot getaddrinfo() any numerical addresses with it
(we use that for FTP PORT/EPRT)! So, I modified the configure check that
checks if the getaddrinfo() is working, to use AI_NUMERICHOST since then
it'll fail on AIX 4.3 and it will automatically build with IPv6 support
- Added --trace-time that when used adds a time stamp to each trace line that
--trace, --trace-ascii and --verbose output. I also made the '>' display
separate each line on the linefeed so that HTTP requests etc look nicer in
the -v output.
- Made curl recognize the environment variables Lynx (and others?) support for
pointing out the CA cert path/file: SSL_CERT_DIR and SSL_CERT_FILE. If
CURL_CA_BUNDLE is not set, they are checked afterwards.
Like before: on windows if none of these are set, it checks for the ca cert
file like this:
1. application's directory
2. current working directory
3. Windows System directory (e.g. C:\windows\system32)
4. Windows Directory (e.g. C:\windows)
5. all directories along %PATH%
Daniel (1 May 2005)
- The script now starts test servers by doing fork() and exec()
instead of the previous approach. This is less complicated and should
hopefully lead to less "leaked" servers (servers that aren't stopped
properly when the tests are stopped).
- Alexander Zhuravlev found a case when you did "curl -I [URL]" and it
complained on the chunked encoding, even though a HEAD should never return a
body and thus it cannot be a chunked-encoding problem!
Daniel (30 April 2005)
- Alexander Zhuravlev found out that (lib)curl SIGSEGVed when using
--interface on an address that can't be bound.
Daniel (28 April 2005)
- Working on fixing up test cases to mark sections as 'mode=text' for things
that curl writes as text files, since then they can get different line
endings depending on OS. Andrés García helps me work this out.
Did lots of other minor tweaks on the test scripts to work better and more
reliably find test servers and also kill test servers.
- Dan Fandrich pointed out how the script killed the HTTP server
instead of the HTTPS server when closing it down.
Daniel (27 April 2005)
- Paul Moore made curl check for the .curlrc file (_curlrc on windows) on two
more places. First, CURL_HOME is a new environment variable that is used
instead of HOME if it is set, to point out where the default config file
lives. If there's no config file in the dir pointed out by one of the
environment variables, the Windows version will instead check the same
directory the executable curl is located in.
Daniel (26 April 2005)
- Cory Nelson's work on nuking compiler warnings when building on x64 with
Daniel (25 April 2005)
- Fred New reported a bug where we used Basic auth and user name and password
in .netrc, and when following a Location: the subsequent requests didn't
properly use the auth as found in the netrc file. Added test case 257 to
verify my fix.
- Based on feedback from Cory Nelson, I added some preprocessor magic in
*/setup.h and */config-win32.h to build fine with VS2005 on x64.
Daniel (23 April 2005)
- Alex Suykov made the curl tool now assume that uploads using HTTP:// or
HTTPS:// are the only ones that show output and thus motivates a switched
off progress meter if the output is sent to the terminal. This makes FTP
uploads without '>', -o or -O show the progress meter.
Daniel (22 April 2005)
- Dave Dribin's MSVC makefile fix: set CURL_STATICLIB when it builds static
library variants.
- Andres Garcia fixed configure to set the proper define when building static
libcurl on windows.
- --retry-delay didn't work.
Daniel (18 April 2005)
- Olivier reported that even though he used CURLOPT_PORT, libcurl clearly
still used the default port. He was right. I fixed the problem and added the
test cases 521, 522 and 523 to verify the fix.
- Toshiyuki Maezawa reported that when doing a POST with a read callback,
libcurl didn't properly send an Expect: 100-continue header. It does now.
- I committed by mig change in the test suite's FTP server that moves out all
socket/TCP code to a separate C program named sockfilt. And added 4 new
test cases for FTP over IPv6.
Daniel (8 April 2005)
- Cory Nelson reported a problem with a HTTP server that responded with a 304
response containing an "illegal" Content-Length: header, which was not
properly ignored by libcurl. Now it is. Test case 249 verifies.
Daniel (7 April 2005)
- Added ability to build and run with GnuTLS as an alternative to OpenSSL for
the secure layer. configure --with-gnutls enables with. Note that the
previous OpenSSL check still has preference and if it first detects OpenSSL,
it will not check for GnuTLS. You may need to explictly diable OpenSSL with
This work has been sponsored by The Written Word.
Daniel (5 April 2005)
- Christophe Legry fixed the post-upload check for FTP to not complain if the
upload was skipped due to a time-condition as set with
CURLOPT_TIMECONDITION. I added test case 247 and 248 to verify.
Version 7.13.2 (5 April 2005)
Daniel (4 April 2005)
- Marcelo Juchem fixed the MSVC makefile for libcurl
- Gisle Vanem fixed a crash in libcurl, that could happen if the easy handle
was killed before the threading resolver (windows only) still hadn't
- Hardeep Singh reported a problem doing HTTP POST with Digest. (It was
actually also affecting NTLM and Negotiate.) It turned out that if the
server responded with 100 Continue before the initial 401 response, libcurl
didn't take care of the response properly. Test case 245 and 246 added to
verify this.
Daniel (30 March 2005)
- Andres Garcia modified the configure script to check for libgdi32 before
libcrypto, to make the SSL check work fine on msys/mingw.
Daniel (29 March 2005)
- Tom Moers identified a flaw when you sent a POST with Digest authentication,
as in the first request when curl sends a POST with Content-Length: 0, it
still forcibly closed the connection before doing the next step in the auth
- Jesper Jensen found out that FTP-SSL didn't work since my FTP
rewrite. Fixing that was easy, but it also revealed a much worse problem:
the FTP server response reader function didn't properly deal with reading
responses in multiple tiny chunks properly! I modified the FTP server to
allow it to produce such split-up responses to make sure curl deals with
them as it should.
- Based on Augustus Saunders' comments and findings, the HTTP output auth
function was fixed to use the proper proxy authentication when multiple ones
are accepted. test 239 and test 243 were added to repeat the problems and
verify the fixes.
--proxy-anyauth was added to the curl tool
Daniel (16 March 2005)
- Tru64 and some IRIX boxes seem to not like test 237 as it is. Their
inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted
address which makes a different failure... Now I've modified the ipv4
resolve code to use inet_pton() instead in an attempt to make these systems
better detect this as a bad IP address rather than creating a toally bogus
address that is then passed on and used.
Daniel (15 March 2005)
- Dan Fandrich made the code properly use the uClibc's version of
inet_ntoa_r() when built with it.
- Added test 237 and 238: test EPSV and PASV response handling when they get
well- formated data back but using illegal values. In 237 PASV gets an IP
address that is way bad. In 238 EPSV gets a port that is way out of range.
Daniel (14 March 2005)
- Added a few missing features to the curl-config --features list
- Modified to now offer
1 - command line options for all info it previously only read from
file: --name, --email, --desc and --configure
2 - --nocvsup makes it not attempt to do cvs update
3 - --crosscompile informs it and makes it not attempt things it can't do
- Fixed numerous win32 compiler warnings.
- Removed the lib/security.h file since it shadowed the mingw/win32 header
with the same name which is needed for SSPI builds. The contents of the
former security.h is now i krb4.h
- configure --enable-sspi now enables SSPI in the build. It only works for
windows builds (including cross-compiles for windows).
Daniel (12 March 2005)
- David Houlder added --form-string that adds that string to a multipart
formpost part, without special characters having special meanings etc like
--form features.
Daniel (11 March 2005)
- curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was
built with SSPI support.
- Christopher R. Palmer made it possible to build libcurl with the
USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
native way to do NTLM. SSPI also allows libcurl to pass on the current user
and its password in the request.
Daniel (9 March 2005)
- Dan F improved the SSL lib setup in configure.
- Nodak Sodak reported a crash when using a SOCKS4 proxy.
- Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the
multi interface code.
- Adjusted the man page for the curl_getdate() return value for dates after
year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it
returns either the correct value or even -1 on some systems that still seem
to not deal with this properly. Tor Arntsen found a 64bit AIX system for us
that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on
this problem in the first place.
Daniel (8 March 2005)
- Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP
file got a Last-Modified: header written to the data stream, corrupting the
actual data. This was because some conditions from the previous FTP code was
not properly brought into the new FTP code. I fixed and I added test case
520 to verify. (This bug was introduced in 7.13.1)
- Dan Fandrich fixed the configure --with-zlib option to always consider the
given path before any standard paths.
Daniel (6 March 2005)
- Randy McMurchy was the first to report that was missing from the
release archive and thus 'make test' fails.
Daniel (5 March 2005)
- Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files.
- Added test case 235 that makes a resumed upload of a file that isn't present
on the remote side. This then converts the operation to an ordinary STOR
upload. This was requested/pointed out by Ignacio Vazquez-Abrams.
It also proved (and I fixed) a bug in the newly rewritten ftp code (and
present in the 7.13.1 release) when trying to resume an upload and the
servers returns an error to the SIZE command. libcurl then loops and sends
SIZE commands infinitely.
- Dan Fandrich fixed a SSL problem introduced on February 9th that made
libcurl attempt to load the whole random file to seed the PRNG. This is
really bad since this turns out to be using /dev/urandom at times...
Version 7.13.1 (4 March 2005)
Daniel (4 March 2005)
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
the cookie "engine" without having to provide an empty or non-existing file.
- Rene Rebe fixed a -# crash when more data than expected was retrieved.
Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here: and the CAN report here:
If these security guys were serious, we'd been notified in advance and we
could've saved a few of you a little surprise, but now we weren't.
Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.
Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
configure when mingw is used.
Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
didn't close the socket properly when returning error due to failing
Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
that picks NTLM. Thanks to David Byron letting me test NTLM against his
servers, I could quickly repeat and fix the problem. It turned out to be:
When libcurl POSTs without knowing/using an authentication and it gets back
a list of types from which it picks NTLM, it needs to either continue
sending its data if it keeps the connection alive, or not send the data but
close the connection. Then do the first step in the NTLM auth. libcurl
didn't send the data nor close the connection but simply read the
response-body and then sent the first negotiation step. Which then failed
miserably of course. The fixed version forces a connection if there is more
than 2000 bytes left to send.
Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
was never used.
Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
week day names and month names and servers don't like that.
Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
libcurl is built shared. Otherwise valgrind only tests the shell that runs
the wrapper-script named 'curl' that is a front-end to curl in this case.
This should also fix the huge amount of reports of false positives when
valgrind has identified leaks in (ba)sh and not in curl and people report
that as curl bugs. Bug report #1116672 is one example.
Also, the valgrind report parser has been adapted to check that at least one
of the sources in a stack strace is one of (lib)curl's source files or
otherwise it will not consider the problem to concern (lib)curl.
- Marty Kuhrt streamlined the VMS build.
Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here: It turned out we didn't use
SSL_pending() as we should.
- Converted lots of FTP code to a statemachine, so that the multi interface
doesn't block while communicating commands-responses with an FTP server.
I've added a comment like BLOCKING in the code on all spots I could find
where we still have blocking operations. When we change curl_easy_perform()
to use the multi interface, we'll also be able to simplify the code since
there will only be one "internal interface".
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
like changing directory or retrieving a file, while the second means that we
were denied login.
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
case of future need.
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
sure the proper error code is returned for those occations.
Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
PORT on ipv6-enabled hosts.
- David Byron pointed out we could use BUFSIZE to read data (in
lib/transfer.c) instead of using BUFSIZE -1.
Version 7.13.0 (1 February 2005)
Daniel (31 January 2005)
- Added Lars Nilsson's example
Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
failed (as in test case 205).
- Fixed a valgrind warning for file:// operations.
- Fixed a valgrind report in the url globbing code for the curl command line
- Bugfixed the parser that scans the valgrind report outputs (in
I noticed that it previously didn't detect and report the "Conditional jump
or move depends on uninitialised value(s)" error. When I fixed this, I
caught a few curl bugs with it. And then I had to spend time to make the
test suite IGNORE these errors when OpenSSL is used since it produce massive
amounts of valgrind warnings (but only of the "Conditional..." kind it
seems). So, if a test that requires SSL is run, it ignores the
"Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
of "valgrind OK".
Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
gets closed just after the request has been sent failed and did not re-issue
a request on a fresh reconnect like the easy interface did. Now it does!
- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
my new curl_easy_perform() that uses the multi interface to run the
request. It is a great testbed for the multi interface and I believe we
shall do it this way for real in the future when we have a successor to
curl_multi_fdset(). I've used this approach to detect and fix several of the
recent multi-interfaces issues.
- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
bad assumptions.
- multi interface: when a request is denied due to "Maximum redirects
followed" libcurl leaked the last Location: URL.
- Connect failures with the multi interface was often returned as "connect()
timed out" even though the reason was different.
Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
curl_easy_perform() invokes. It was previously unlocked at disconnect, which
could mean that it remained locked between multiple transfers. The DNS cache
may not live as long as the connection cache does, as they are separate.
To deal with the lack of DNS (host address) data availability in re-used
connections, libcurl now keeps a copy of the IP adress as a string, to be
able to show it even on subsequent requests on the same connection.
The problem could be made to appear with this stunt:
1. create a multi handle
2. add an easy handle
3. fetch a URL that is persistent (leaves the connection alive)
4. remove the easy handle from the multi
5. kill the multi handle
6. create a multi handle
7. add the same easy handle to the new multi handle
8. fetch a URL from the same server as before (re-using the connection)
- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
when built ipv6-enabled. I've now made a fix for it. Writing test cases for
custom port hosts turned too tricky so unfortunately there's none.
Daniel (25 January 2005)
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
is present in RFC959... so now (lib)curl supports it as well. --ftp-account
and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
account string after PASS have been sent away. The client responds
with "ACCT [account string]".) Added test case 228 and 229 to verify the
functionality. Updated the test FTP server to support ACCT somewhat.
- David Shaw contributed a fairly complete and detailed autoconf test you can
use to detect libcurl and setup variables for the protocols the installed
libcurl supports: docs/libcurl/libcurl.m4
Daniel (21 January 2005)
- Major FTP third party transfer overhaul.
These four options are now obsolete: CURLOPT_SOURCE_HOST,
CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.
The target-side didn't use the proper path with RETR, and thus this only
worked correctly in the login path (i.e without doing any CWD). The source-
side still uses a wrong path, but the fix for this will need to wait. Verify
the flaw by using a source URL with included %XX-codes.
Made CURLOPT_FTPPORT control weather the target operation should use PORT
(or not). The other side thus uses passive (PASV) mode.
Updated the ftp3rdparty.c example source to use the updated options.
Added support for a second FTP server in the test suite. Named... ftp2.
Added test cases 230, 231 and 232 as a few first basic tests of very simple
3rd party transfers.
Changed the debug output to include 'target' and 'source' when a 3rd party
is being made, to make it clearer what commands/responses came on what
Added three new command line options: --3p-url, --3p-user and --3p-quote.
Documented the command line options and the curl_easy_setopt options related
to third party transfers.
(Temporarily) disabled the ability to re-use an existing connection for the
source connection. This is because it needs to force a new in case the
source and target is the same host, and the host name check is trickier now
when the source is identified with a full URL instead of a plain host name
like before.
TODO (short-term) for 3rd party transfers: quote support. The options are
there, we need to add test cases to verify their functionality.
TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
and SSL/TSL support.
Daniel (20 January 2005)
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
code was written for it. I fixed and added test case 227 to verify it.
The curl.1 man page didn't mention the '+' so I added it.
Daniel (19 January 2005)
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
contains %0a or %0d in the user, password or CWD parts. (A future fix would
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
225 and 226 were added to verify this
- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:
1) the proxy environment variables are still read and used to set HTTP proxy
2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
disabled). This is important since apps may want to disable HTTP proxy
without actually knowing if libcurl was built to disable HTTP or not.
Based on Stephan's patch, both these issues should now be fixed.
Daniel (18 January 2005)
- Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was
Daniel (16 January 2005)
- Alex aka WindEagle pointed out that when doing "curl -v", curl
assumed this used the DICT protocol. While guessing protocols will remain
fuzzy, I've now made sure that the host names must start with "[protocol]."
for them to be a valid guessable name. I also removed "https" as a prefix
that indicates HTTPS, since we hardly ever see any host names using that.
Daniel (13 January 2005)
- Inspired by Martijn Koster's patch and example source at, I now made the
select() and poll() calls properly loop if they return -1 and errno is
EINTR. glibc docs for this is found here:
This last link says BSD doesn't have this "effect". Will there be a problem
if we do this unconditionally?
Daniel (11 January 2005)
- Dan Torop cleaned up a few no longer used variables from David Phillips'
select() overhaul fix.
- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
using a custom Host: header and curl fails to send a request on a re-used
persistent connection and thus creates a new connection and resends it. It
then sent two Host: headers. Cyrill's analysis was posted here:
- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
problem with the version byte and the check for bad versions. Bruce has lots
of clues on this, and based on his suggestion I've now removed the check of
that byte since it seems to be able to contain 1 or 5.
Daniel (10 January 2005)
- Pavel Orehov reported memory problems with the multi interface in bug report
#1098843. In short, a shared DNS cache was setup for a multi handle and when
the shared cache was deleted before the individual easy handles, the latter
cleanups caused read/writes to already freed memory.
- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
remote certificate name when it didn't match the used host name.
Gisle (8 January 2005)
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
Daniel (7 January 2005)
- Improved the test script's valgrind log parser to actually work! Also added
the ability to disable the log scanner for specific test cases. Test case
509 results in numerous problems and leaks in OpenSSL and has to get it
Daniel (6 January 2005)
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
(i.e not in the library).
- Bug report #1097019 identified a problem when doing -d "data" with -G and
sending it to two URLs with {}. Added test 199 to verify the fix.
Daniel (4 January 2005)
- Marty Kuhrt adjusted a VMS build script slightly
- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
Daniel (2 January 2005)
- Alex Neblett updated the MSVC makefiles slightly.
Daniel (25 December 2004)
- Removed src/ from CVS, it is now copied from the (generated)
lib/ instead, as they can very well be the same. This removes a
"manual hassle". You may want to re-run buildconf now.
- Werner Koch filed Debian bug report #286794, mentioning that curl contained
non-free (by Debian's view) source code. This was Angus Mackay's
src/getpass.c source code. I tried to contact him about it to quickly solve
this issue, but his email addresses bounce and I got some time "over" and
reimplemented the functionality once brought by Angus. We no longer use any
of Angus' original code and the new function is much simpler (IMO). Issue
Daniel (24 December 2004)
- David Shaw added --protocols to curl-config, so that it now lists all
protocols libcurl was built to support. --feature no longer lists disabled
Daniel (23 December 2004)
- David Shaw fixed the configure --disable-[protocol] variables so that
curl-config --feature now works correctly!
Daniel (22 December 2004)
- Rune Kleveland fixed a minor memory leak for received cookies with the
(rare) version attribute set.
- Marcin Konicki provided two configure fixes and a source fix to make curl
build out-of-the-box on BeOS.
Daniel (21 December 2004)
- Added test case 217 that verified CURLINFO_HTTP_CONNECTCODE, and I made the
-w option support 'http_connect' to make it easier to verify!
- Fixed lib/select.c include order to build fine on FreeBSD
- Fixed failf()'s reuse of the va_list variable that crashed on FreeBSD.
Pointed out by Peter Pentchev.
Version 7.12.3 (20 December 2004)
Daniel (19 December 2004)
- I investigated our PKCS12 build problem on Solaris 2.7 with OpenSSL 0.9.7e,
and it turned out to be the fault of the zlib 1.1.4 headers doing a typedef
named 'free_func' and the OpenSSL headers have a prototype that uses
'free_func' in one of its arguments. This is why the compile errors out.
In other words, we need to include the openssl/pkcs12.h header before the
zlib.h header and it builds fine. The configure script now checks for this
file and it then gets included early in lib/urldata.h.
Daniel (18 December 2004)
- Samuel Listopad added support for PKCS12 formatted certificates.
- Samuel Listopad fixed -E to support "C:/path" (with forward slash) as well.
Daniel (16 December 2004)
- Gisle found and fixed a problem in the directory re-use for FTP.
I added test case 215 and 216 to better verify the functionality.
- Dinar in bug report #1086121, found a file handle leak when a multipart
formpost (including a file upload part) was aborted before the whole file
was sent.
Daniel (15 December 2004)
- Tom Lee found out that globbing of strings with backslashes didn't work as
you'd expect. Backslashes are such a central part of windows file names that
forcing backslashes to have to be escaped with backslashes is a bit too
awkward to users. Starting now, you only need to escape globbing characters
such as the five letters: "[]{},". Added test case 214 to verify this.
Daniel (14 December 2004)
- Harshal Pradhan patched a HTTP persistent connection flaw: if the user name
and/or password were modified between two requests on a persistent
connection, the second request were still made with the first setup!
I added test case 519 to verify the fix.
Daniel (13 December 2004)
- Gisle added CURLINFO_SSL_ENGINES to curl_easy_getinfo() to allow an app
to list all available crypto ENGINES.
- Gisle fixed bug report #1083542, which pointed out a problem with resuming
large file (>4GB) file:// transfers on windows.
Daniel (11 December 2004)
- Made the test suite HTTP server (sws) capable of using IPv6, and then
extended the test environment to support that and also added three test
cases (240, 241, 242) that run tests using IPv6. Test 242 uses a URL that
didn't work before the 10 dec fix by Kai Sommerfeld.
- Made a failed file:// resume output an error message
- Corrected the CURLE_BAD_DOWNLOAD_RESUME error message in lib/strerror.c
- Dan Fandrich:
simplified and consolidated the SSL checks in configure and the usage of the
defines in lib/setup.h
provided a first file for pkg-config (but the result is not
installed anywhere at this point)
extended the cross compile section in the docs/INSTALL file
Daniel (10 December 2004)
- When providing user name in the URL and a IPv6-style IP-address (like in
"ftp://user@[::1]/tmp"), the URL parser didn't get the host extracted
properly. Reported and fixed by Kai Sommerfeld.
Daniel (9 December 2004)
- Ton Voon provided a configure fix that should fix the notorious (mostly
reported on Solaris) problem where the size_t check fails due to the SSL
libs being found in a dir not searched through by the run-time linker.
patch-tracker entry #1081707.
- Bryan Henderson pointed out in bug report #1081788 that the curl-config
--vernum output wasn't zero prefixed properly (as claimed in documentation).
This is fixed in maketgz now.
Daniel (8 December 2004)
- Matt Veenstra updated the mach-O framework files for Mac OS X.
- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. This is not an exploitable buffer overflow. No need to get alarmed.
Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
even if no errorbuffer is set.
Daniel (6 December 2004)
- Dan Fandrich added the --disable-cookies option to configure to build
libcurl without cookie support. This is mainly useful if you want to build a
minimalistic libcurl with no cookies support at all. Like for embedded
systems or similar.
- Richard Atterer fixed libcurl's way of dealing with the EPSV
response. Previously, libcurl would re-resolve the host name with the new
port number and attempt to connect to that, while it should use the IP from
the control channel. This bug made it hard to EPSV from an FTP server with
multiple IP addresses!
Daniel (3 December 2004)
- Bug report #1078066: when a chunked transfer was pre-maturely closed exactly
at a chunk boundary it was not considered an error and thus went unnoticed.
Fixed by Maurice Barnum.
Added test case 207 to verify.
Daniel (2 December 2004)
- Fixed the CONNECT loop to default timeout to 3600 seconds.
Added test case 206 that makes CONNECT with Digest.
Fixed a flaw that prepended "(nil)" to the initial CONNECT rqeuest's user-
agent field.
Daniel (30 November 2004)
- Dan Fandrich's fix for libz 1.1 and "extra field" usage in a gzip stream
- Dan also helped me with input data to create three more test cases for the
--compressed option.
Daniel (29 November 2004)
- I improved the test suite to enable binary contents in the tests (by proving
it base64 encoded), like for testing decompress etc. Added test 220 and 221
for this purpose. Tests can now also depend on libz to run.
- As reported by Reinout van Schouwen in Mandrake's bug tracker bug 12285
(, when connecting to an
IPv6 host with FTP, --disable-epsv (or --disable-eprt) effectively disables
the ability to transfer a file. Now, when connected to an FTP server with
IPv6, these FTP commands can't be disabled even if asked to with the
available libcurl options.
Daniel (26 November 2004)
- As reported in Mandrake's bug tracker bug 12289
(, curl would print a
newline to "finish" the progress meter after each redirect and not only
after a completed transfer.
Daniel (25 November 2004)
- FTP improvements:
If EPSV, EPRT or LPRT is tried and doesn't work, it will not be retried on
the same server again even if a following request is made using a persistent
If a second request is made to a server, requesting a file from the same
directory as the previous request operated on, libcurl will no longer make
that long series of CWD commands just to end up on the same spot. Note that
this is only for *exactly* the same dir. There is still room for improvements
to optimize the CWD-sending when the dirs are only slightly different.
Added test 210, 211 and 212 to verify these changes. Had to improve the
test script too and added a new primitive to the test file format.
Daniel (24 November 2004)
- Andrés García fixed the configure script to detect select properly when run
with Msys/Mingw on Windows.
Daniel (22 November 2004)
- Made HTTP PUT and POST requests no longer use HEAD when doing multi-pass
auth negotiation (NTLM, Digest and Negotiate), but instead use the request
keyword "properly". Details in lib/README.httpauth. This also introduces
CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA, to be used by apps that use the
"any" auth alternative as then libcurl may need to send the PUT/POST data
more than once and thus may need to ask the app to "rewind" the read data
stream to start.
See also the new example using this: docs/examples/anyauthput.c
- David Phillips enhanced test 518. I made it depend on a "feature" so that
systems without getrlimit() won't attempt to test 518. configure now checks
for getrlimit() and setrlimit() for this test case.
Daniel (18 November 2004)
- David Phillips fixed libcurl to not crash anymore when more than FD_SETSIZE
file descriptors are in use. Test case 518 added to verify.
Daniel (15 November 2004)
- To test my fix for the CURLINFO_REDIRECT_TIME bug, I added time_redirect and
num_redirects support to the -w writeout option for the command line tool.
- Wojciech Zwiefka found out that CURLINFO_REDIRECT_TIME didn't work as
Daniel (12 November 2004)
- Gisle Vanem modigied the MSVC and Netware makefiles to build without
- Dan Fandrich added the --disable-crypto-auth option to configure to allow
libcurl to build without Digest support. (I figure it should also explicitly
disable Negotiate and NTLM.)
- *** Modified Behaviour Alert ***
Setting CURLOPT_POSTFIELDS to NULL will no longer do a GET.
Setting CURLOPT_POSTFIELDS to "" will send a zero byte POST and setting
a zero byte POST. Added test case 515 to verify this.
Setting CURLOPT_HTTPPOST to NULL makes a zero byte post. Added test case 516
to verify this.
CURLOPT_POSTFIELDSIZE must now be set to -1 to signal "we don't know".
Setting it to zero simply says this is a zero byte POST.
When providing POST data with a read callback, setting the size up front
Daniel (11 November 2004)
- Dan Fandrich added --disable-verbose to the configure script to allow builds
without verbose strings in the code, to save some 12KB space. Makes sense
only for systems with very little memory resources.
- Jeff Phillips found out that a date string with a year beyond 2038 could
crash the new date parser on systems with 32bit time_t. We now check for
this case and deal with it.
Daniel (10 November 2004)
- I installed Heimdal on my Debian box (using the debian package) and noticed
that configure --with-gssapi failed to create a nice build. Fixed now.
Daniel (9 November 2004)
- Gisle Vanem marked all external function calls with CURL_EXTERN so that now
the Windows, Netware and other builds no longer need libcurl.def or similar
Daniel (8 November 2004)
- Made the configure script check for tld.h if libidn was detected, since
libidn 0.3.X didn't have such a header and we don't work with anything
before libidn 0.4.1 anyway! Suse 9.1 apparently ships with a 0.3.X version
of libidn which makes the curl 7.12.2 build fail. Jean-Philippe
Barrette-LaPierre helped pointing this out.
- Ian Gulliver reported in debian bug report #278691: if curl is invoked in an
environment where stderr is closed the -v output will still be sent to file
descriptor 2 which then might be the network socket handle! Now we have a
weird hack instead that attempts to make sure that file descriptor 2 is
opened (with a call to pipe()) before libcurl is called to do the transfer.
configure now checks for pipe() and systems without pipe don't get the weird
hack done.
Daniel (5 November 2004)
- Tim Sneddon made libcurl send no more than 64K in a single first chunk when
doing a huge POST on VMS, as this is a system limitation. Default on general
systems is 100K.
Daniel (4 November 2004)
- Andres Garcia made it build on mingw againa, my --retry code broke the build.
Daniel (2 November 2004)
- Added --retry-max-time that allows a maximum time that may not have been
reached for a retry to be made. If not set there is no maximum time, only
the amount of retries set with --retry.
- Paul Nolan provided a patch to make libcurl build nicely on Windows CE.
Daniel (1 November 2004)
- When cross-compiling, the configure script no longer attempts to use
pkg-config on the build host in order to detect OpenSSL compiler options.
Daniel (27 October 2004)
- Dan Fandrich:
An improvement to the gzip handling of libcurl. There were two problems with
the old version: it was possible for a malicious gzip file to cause libcurl
to leak memory, as a buffer was malloced to hold the header and never freed
if the header ended with no file contents. The second problem is that the
64 KiB decompression buffer was allocated on the stack, which caused
unexpectedly high stack usage and overflowed the stack on some systems
(someone complained about that in the mailing list about a year ago).
Both problems are fixed by this patch. The first one is fixed when a recent
(1.2) version of zlib is used, as it takes care of gzip header parsing
itself. A check for the version number is done at run-time and libcurl uses
that feature if it's present. I've created a define OLD_ZLIB_SUPPORT that
can be commented out to save some code space if libcurl is guaranteed to be
using a 1.2 version of zlib.
The second problem is solved by dynamically allocating the memory buffer
instead of storing it on the stack. The allocation/free is done for every
incoming packet, which is suboptimal, but should be dwarfed by the actual
decompression computation.
I've also factored out some common code between deflate and gzip to reduce
the code footprint somewhat. I've tested the gzip code on a few test files
and I tried deflate using the server, and it all looks OK. I
didn't try running it with valgrind, however.
- Added a --retry option to curl that takes a numerical option for the number
of times the operation should be retried. It is retried if a transient error
is detected or if a timeout occurred. By default, it will first wait one
second between the retries and then double the delay time between each retry
until the delay time is ten minutes which then will be the delay time
between all forthcoming retries. You can set a static delay time with
"--retry-delay [num]" where [num] is the number of seconds to wait between
each retry.
Daniel (25 October 2004)
- Tomas Pospisek filed bug report #1053287 that proved -C - and --fail on a
file that was already completely downloaded caused an error, while it
doesn't if you don't use --fail! I added test case 194 to verify the fix.
Grrr. CURLOPT_FAILONERROR is now added to the list stuff to remove in
libcurl v8 due to all the kludges needed to support it.
- Mohun Biswas found out that formposting a zero-byte file didn't work very
good. I fixed.
Daniel (19 October 2004)
- Alexander Krasnostavsky made it possible to make FTP 3rd party transfers
with both source and destination being the same host. It can be useful if
you want to move a file on a server or similar.
- Guillaume Arluison added CURLINFO_NUM_CONNECTS to allow an app to figure
out how many new connects a previous transfer required.
I added %{num_connects} to the curl tool and added test case 192 and 193
to verify the new code.
Daniel (18 October 2004)
- Peter Wullinger pointed out that curl should call setlocale() properly to
initiate the specific language operations, to make the IDN stuff work
Version 7.12.2 (18 October 2004)
Daniel (16 October 2004)
- Alexander Krasnostavsky made the CURLOPT_FTP_CREATE_MISSING_DIRS option work
fine even for third party transfers.
- runekl at found out (and provided a fix) that libcurl leaked
memory for cookies with the "max-age" field set.
Gisle (16 October 2004)
- Issue 50 in TODO-RELEASE; Added Traian Nicolescu's patches for threaded
resolver on Windows. Plugged some potential handle and memory leaks.
Daniel (14 October 2004)
- Eric Vergnaud pointed out that libcurl didn't treat ?-letters in the user
name and password fields properly in URLs, like
ftp://us?er:pass? Added test 191 to verify the fix.
Daniel (11 October 2004)
- libcurl now uses SO_NOSIGPIPE for systems that support it (Mac OS X 10.2 or
later is one) to inhibit the SIGPIPE signal when writing to a socket while
the peer dies. The same effect is provide by the MSG_NOSIGNAL parameter to
send() on other systems. Alan Pinstein verified the fix.
Daniel (10 October 2004)
- Systems with 64bit longs no longer use strtoll() or our strtoll- replacement
to parse 64 bit numbers. strtol() works fine. Added a configure check to
detect if [constant]LL works and if so, use that in the strtoll replacement
code to work around compiler warnings reported by Andy Cedilnik.
Gisle (6 October 2004)
- For USE_LIBIDN builds: Added Top-Level-Domain (TLD) check of host-name
used in fix_hostname(). Checks if characters in 'host->name' (indirectly
via 'ace_hostname') are legal according to the TLD tables in libidn.
Daniel (6 October 2004)
- Chih-Chung Chang reported that if you use CURLOPT_RESUME_FROM and enabled
CURLOPT_FOLLOWLOCATION, libcurl reported error if a redirect happened even
if the new URL would provide the resumed file. Test case 188 added to verify
the fix (together with existing test 99).
- Dan Fandrich fixed a configure flaw for systems that need both nsl and socket
libs to use gethostbyname().
- Removed tabs and trailing whitespace from lots of source files.
Daniel (5 October 2004)
- Made configure --with-libidn=PATH try the given PATH before the default
paths to make it possible to override.
- If idna_strerror() is present in libidn, we can use that instead of our
internal replacement. This function was added by Simon in libidn 0.5.6 and
is detected by configure.
- It seems basename() on IRIX is in the libgen library and since we don't use
that, configure finds libgen.h but not basename and then we get a compiler
error because our basename() replacement doesn't match the proto in
libgen.h. Starting now, we don't include the file if basename wasn't found
as well.
Daniel (4 October 2004)
- Chris found a race condition resulting in CURLE_COULDNT_RESOLVE_HOST and
potential crash, in the windows threaded name resolver code.
Daniel (3 October 2004)
- Replaced the use of isspace() in cookie.c with our own version instead since
we have most data as 'char *' and that makes us pass in negative values if
there is 8bit data in the string. Changing to unsigned causes too much
warnings or too many required typecasts to the normal string functions.
Harshal Pradhan identified this problem.
Daniel (2 October 2004)
- Bertrand Demiddelaer found a case where libcurl could read already freed
data when CURLOPT_VERBOSE is used and a (very) persistent connection. It
happened when the dns cache entry for the connection was pruned while the
connection was still alive and then again re-used. We worked together on
this fix.
- Gisle Vanem provided code that displays an error message when the (libidn
based) IDN conversion fails. This is really due to a missing suitable
function in the libidn API that I hope we can remove once libidn gets a
function like this.
Daniel (1 October 2004)
- Aleksandar Milivojevic reported a problem in the Redhat bugzilla (see and not to
anyone involved in the curl project! This happens when you try to curl a
file from a proftpd site using SSL. It seems proftpd sends a somewhat
unorthodox response code (232 instead of 230). I relaxed the response code
check to deal with this and similar cases.
- Based on Fedor Karpelevitch's formpost path basename patch, file parts in
formposts no longer include the path part. If you _really_ want them, you
must provide your preferred full file name with CURLFORM_FILENAME.
Added detection for libgen.h and basename() to configure. My custom
basename() replacement function for systems without it, might be a bit too
Updated 6 test cases to make them work with the stripped paths.
Daniel (30 September 2004)
- Larry Campbell added CURLINFO_OS_ERRNO to curl_easy_getinfo() that allows an
app to retrieve the errno variable after a (connect) failure. It will make
sense to provide this for more failures in a more generic way, but let's
start like this.
- Günter Knauf and Casey O'Donnell worked out an extra #if condition for the
curl/multi.h header to work better in winsock-using apps.
- Jean-Philippe Barrette-LaPierre made buildconf run better on Mac OS X by
properly using glibtoolize instead of plain libtoolize. (This is made if
glibtool was found and used instead of plain libtool.)
Daniel (29 September 2004)
- Bertrand Demiddelaer fixed curl_easy_reset() so that it doesn't mistakingly
enable the progress meter.
Daniel (28 September 2004)
- "Mekonikum" found out that if you built curl without SSL support, although
your current SSL installation supports Engine, the compile fails.
Daniel (27 September 2004)
- When --with-ssl=PATH is used to the configure script, it no longer uses
pkg-config to figure out extra details. That is now only done if no PATH is
included or if SSL is checked for by default without the --with-ssl option.
Daniel (25 September 2004)
- Peter Sylvester pointed out that CURLOPT_SSLENGINE couldn't even be set to
NULL when no engine was supported. It can now.
Daniel (22 September 2004)
- Dan Fandrich fixed three test cases to no longer use "localhost" but instead
use "" to avoid requiring that localhost resolves nicely.
- Jean-Claude Chauve fixed an LDAP crash when more than one record was
Daniel (19 September 2004)
- Andreas Rieke pointed out that when attempting to connect to a host without
a service on the specified port, curl_easy_perform() didn't properly provide
an error message in the CURLOPT_ERRORBUFFER buffer.
Daniel (16 September 2004)
- Daniel at touchtunes uses the FTP+SSL server "BSDFTPD-SSL from" which accordingly doesn't properly work with curl
when "AUTH SSL" is issued (although the server responds fine and everything)
but requires that curl issues "AUTH TLS" instead. See
Introducing CURLOPT_FTPSSLAUTH that allows the application to select which
of the AUTH strings to attempt first.
- Anonymous filed bug report #1029478 which identified a bug when you 1) used
a URL without properly seperating the host name and the parameters with a
slash. 2) the URL had parameters to the right of a ? that contains a slash
3) curl was told to follow Location:s 4) the request got a response that
contained a Location: to redirect to "/dir". curl then appended the new path
on the wrong position of the original URL.
Test case 187 was added to verify that this was fixed properly.
Daniel (11 September 2004)
- Added parsedate.c that contains a rewrite of the date parser currently
provided by getdate.y. The new one is MUCH smaller and will allow us to run
away from the yacc/bison jungle. It is also slightly lacking in features
compared to the old one, but it supports parsing of all date formats HTTP
involves (and a fair bunch of others).
Daniel (10 September 2004)
- As found out by Jonas Forsman, curl didn't allow -F to set Content-Type on
text-parts. Starting now, we can do -F "name=daniel;type=text/extra". Added
test case 186 to verify.
- Bug report #1025986. When following a Location: with a custom Host: header
replacement, curl only replaced the Host: header on the initial request
and didn't replace it on the following ones. This resulted in requests with
two Host: headers.
Now, curl checks if the location is on the same host as the initial request
and then continues to replace the Host: header. And when it moves to another
host, it doesn't replace the Host: header but it also doesn't make the
second Host: header get used in the request.
This change is verified by the two new test cases 184 and 185.
Daniel (8 September 2004)
- Modified the test suite to be able to use and run with customized port
numbers. This was always intended but never before possible. Now a simple
change in the script can make all tests use different ports.
The default ports in use from now on are 8990 to 8993.
Daniel (2 September 2004)
- Minor modification of an SSL-related error message.
Daniel (31 August 2004)
- David Tarendash found out that curl_multi_add_handle() returned
Daniel (30 August 2004)
- Make "Proxy-Connection: close" close the current proxy connection, as Roman
Koifman found out.
Daniel (24 August 2004)
- Fixed a getdate problem by post-replacing the getdate.c file after the
bison/yacc process to add the fix Harshal Pradhan suggested. The problem
caused a crash on Windows when parsing some dates.
Daniel (23 August 2004)
- Roman Koifman pointed out that libcurl send Expect: 100-continue on POSTs
even when told to use HTTP 1.0, which is not correct. Test case 180 and
181 verify this.
- Added test case 182 to verify that zero byte transfers call the callback
Daniel (20 August 2004)
- Alexander Krasnostavsky made the write callback get called even when a zero
byte file is downloaded.
Daniel (18 August 2004)
- Ling Thio pointed out that when libcurl is built ipv6-enabled, it still did
reverse DNS lookups when fed with a numerical IP-address (like, although it doesn't when built ipv6-disabled. libcurl
should never do reverse lookups.
Daniel (17 August 2004)
- Kjetil Jacobsen noticed that when transferring a file:// URL pointing to an
empty file, libcurl would return with the file still open.
- Alexander Krasnostavsky pointed out that the configure script needs to define
_THREAD_SAFE for AIX systems to make libcurl built really thread-safe.
Also added a check for the xlc compiler on AIX, and if that is detect we use
the -qthreaded compiler option
Daniel (16 August 2004)
- libcurl now allows a custom "Accept-Encoding:" header override the
internally set one that gets set with CURLOPT_ENCODING. Pointed out by Alex.
- Roland Krikava found and fixed a cookie problem when using a proxy (the
path matching was wrong). I added test case 179 to verify that we now do
Daniel (15 August 2004)
- Casey O'Donnell fixed some MSVC makefile targets to link properly.
Daniel (11 August 2004)
- configure now defines _XOPEN_SOURCE to 500 on systems that need it to build
warning-free (the only known one so far is non-gcc builds on 64bit SGI
IRIX). (Reverted this change later as it caused compiler errors.)
- the FTP code now includes the server response in the error message when the
server gives back a 530 after the password is provided, as it isn't
necessary because of a bad user name or password.
Version 7.12.1 (10 August 2004)
Daniel (10 August 2004)
- In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input is
already UTF-8 encoded. This made the certificate verification fail if the
remote server used a certificate with the name UTF-8 encoded.
Work-around brought by Alexis S. L. Carvalho.
Daniel (9 August 2004)
- I fixed the configure script for krb4 to use -lcom_err as well, as I started
to get link problems with it unless I did that on my Solaris 2.7 box. I
don't understand why I started to get problems with this now!
Daniel (5 August 2004)
- Enrico Scholz fixed the HTTP-Negotiate service name to be uppercase as
reported in bug report #1004105
Daniel (4 August 2004)
- Gisle Vanem provided a fix for the multi interface and connecting to a host
using multiple IP (bad) addresses.
- Dylan Salisbury made libcurl no longer accept cookies set to a TLD only (it
previously allowed that on the seven three-letter domains).
Daniel (31 July 2004)
- Joel Chen reported that the digest code assumed quotes around the contents a
bit too much.
Daniel (28 July 2004)
- Bertrand Demiddelaer fixed the host name to get setup properly even when a
connection is re-used, when a proxy is in use. Previously the wrong Host:
header could get sent when re-using a proxy connection to a different target
- Fixed Brian Akins' reported problems with duplicate Host: headers on re-used
connections. If you attempted to replace the Host: header in the second
request, you got two such headers!
- src/ now includes the file to get info about files
Daniel (26 July 2004)
- Made "curl [URL] -o name#2" work as expected. If there's no globbing for the
#-number, it will simply be used as #2 in the file name.
- Bertrand Demiddelaer fixed testing with valgrind 2.1.x and added two missing
newlines in the cookie informationals.
Daniel (24 July 2004)
- I fixed the autobuilds with ares, since they now need to have buildconf run
in the ares dir before the configure script is run.
- Added Casey O'Donnell's curl_easy_reset() function. It has a proto in
curl/curl.h but we have no man page yet.
Daniel (20 July 2004)
- Added buildconf and buildconf.bat to the release archives, since they are
handy for rebuilding curl when using a daily snapshot (and not a pure CVS
Daniel (16 July 2004)
- As suggested by Toby Peterson, libcurl now ignores Content-Length data if the
given size is a negative number. Test case 178 verifies this.
Daniel (14 July 2004)
- Günter Knauf has made the Netware builds do without the config-netware.h
files, so they are now removed from the dist packages.
- Günter Knauf made curl and libcurl build with Borland again.
- Andres Garcia fixed the common test 505 failures on windows.
Daniel (6 July 2004)
- Andrés García found out why the windows tests failed on file:// "uploads".
Daniel (2 July 2004)
- Andrés García reported a curl_share_cleanup() crash that occurs when no
lock/unlock callbacks have been set and the share is cleaned up.
Daniel (1 July 2004)
- When using curl --trace or --trace-ascii, no trace messages that were sent
by curl_easy_cleanup() were included in the trace file. This made the
message "Closing connection #0" never appear in trace dumps.
Daniel (30 June 2004)
- Niels van Tongeren found that setting CURLOPT_NOBODY to TRUE doesn't disable
a previously set POST request, making a very odd request get sent (unless
you disabled the POST) a HEAD request with a POST request-body. I've now
made CURLOPT_NOBODY enforce a proper HEAD. Added test case 514 for this.
Daniel (29 June 2004)
- Günter Knauf made the script capable of using a custom setup
file to easier run multiple autobuilds on the same source tree.
- Gisle fixed the djgpp build and fixed a memory problem in some of the
reorged name resolved code.
- Fixed code to allow connects done using the multi interface to attempt the
next IP when connecting to a host that resolves to multiple IPs and a
connect attempt fails.
Daniel (27 June 2004)
- Based on Rob Stanzel's bug report #979480, I wrote a configure check that
checks if poll() can be used to wait on NULL as otherwise select() should be
used to do it. The select() usage was also fixed according to his report.
Mac OS X 10.3 says "poll() functionality for Mac OS X is implemented via an
emulation layer on top of select(), not in the kernel directly. It is
recommended that programs running under OS X 10.3 prefer select() over
poll(). Configure scripts should look for the _POLL_EMUL_H_ define (instead
of _POLL_H_ or _SYS_POLL_H_) and avoid implementations where poll is not
implemented in the kernel."
Yes, we can probably use select() on most platforms but today I prefered to
leave the code unaltered.
Daniel (24 June 2004)
- The standard curl_version() string now only includes version info about
involved libraries and not about particular features. Thus it will no longer
include info about ipv6 nor GSS. That info is of course still available in
the feature bitmask curl_version_info() offers.
- Replaced all occurances of sprintf() with snprintf(). This is mostly because
it is "A Good Thing" rather than actually fixing any known problem. This
will help preventing future possible mistakes to cause buffer overflows.
- Major reorganization in the host resolve code (again). This time, I've
modified the code to now always use a linked list of Curl_addrinfo structs
to return resolved info in, no matter what resolver method or support that
is available on the platform. It makes it a lot easier to write code that
uses or depends on resolved data.
Internally, this means amongst other things that we can stop doing the weird
"increase buffer size until it works" trick when resolving hosts on
ipv4-only with gethostbyname_r(), we support socks even on libcurls built
with ipv6 enabled (but only to socks servers that resolve to an ipv4
address) and we no longer deep-copy or relocate hostent structs (we create
Curl_addrinfo chains instead).
The new "hostent to Curl_addrinfo" converter function is named Curl_he2ai()
and is slightly naive and simple, yet I believe it is functional enough to
work for libcurl.
Daniel (22 June 2004)
- David Cohen pointed out that RFC2109 says clients should allow cookies to
contain least 4096 bytes while libcurl only allowed 2047. I raised the limit
to 4999 now and made the used buffer get malloc()ed instead of simply
allocated on stack as before. Extended test case 46 to include a cookie with
very huge content to verify the fix.
- Günter Knauf fixed getdate.y to remove a few warnings. I removed the
ifdef'ed test we never ever use anyway.
- Gisle Vanem fixed the certificate wildcard checks to support a '*'-letter
anywhere in the wildcard string, support multiple '*'-letters in the
wildcard and to allow the '*'-letter to match a string that includes a dot.
Daniel (21 June 2004)
- is now removed completely, tests/ is the script to
use when autobuilding curl!
- Kjetil Jacobsen brought my attention to the fact that you cannot properly
abort an upload with the readfunction callback, since returning 0 or -1 only
stops the upload and libcurl will continue waiting for downloaded data and
the server often waits for the rest of the upload data to arrive.
Thus, I've now added the ability for read callbacks to return
CURL_READFUNC_ABORT to abort an upload from a read callback. This will stop
the transfer immediately with a CURLE_ABORTED_BY_CALLBACK return code.
Test case 513 was added to verify that it works. I had to improve the test
HTTP server too to dump the request to a file even when the client
disconnects prematurely.
Daniel (19 June 2004)
- Luca Alteas provided a test case with a failing curl operation: when we POST
to a site with --digest (or similar) set, and the server responded with a 302
Location: to the "authprobe" request, it was not treated correctly. We still
will behave badly if FOLLOWLOCATION is enabled for this case, but I'm not
in the mood to dive into this right now and will leave it as-is for now.
Verified my fix with test case 177.
Daniel (18 June 2004)
- Gisle Vanem's patch that provides more details from the SSL layers (if you
use an OpenSSL version that supports it). It also introduces two new types
of data that can be sent to the debug callback: CURLINFO_SSL_DATA_IN and
- With David Byron's test server I could repeat his problem and make sure that
POSTing over HTTPS:// with NTLM works fine now. There was a general problem
with multi-pass authentication with non-GET operations with CONNECT.
Daniel (16 June 2004)
- Modified to keep the upload byte counter in an curl_off_t, not an int as
before. 32bits is not enough. This is most likely the bug Jean-Louis Lemaire
reported that makes 2GB FTP uploads to report error ("unaligned file sizes")
when completed.
Daniel (15 June 2004)
- Luca Alteas reported a problem that I fixed: if you did a POST with
CURLAUTH_DIGEST set but the server didn't require any authentication,
libcurl would repeatedly send HEAD lots of times until it gives up. This was
actually the case for all multi-pass authentications. Added test case 174,
175 and 176 to verify this.
Daniel (14 June 2004)
- Multipart formposts uploading files no longer inserts the files themselves
into the huge prebuilt chunk. This enables libcurl to formpost files that is
larger than the amount of system memory. When the file given is passed on
stdin, libcurl still uses the old method of reading the full fill before the
upload takes place. This approach was selected in order to not alter the
behavior for existing applications, as when using stdin libcurl can't know
the size of the upload and chunked transfer-encoding can only be used on
HTTP 1.1 servers.
Daniel (13 June 2004)
- Gisle found out that we did wildcard cert name checks wrong, so that parts
of the check wrongly was case sensitive.
Daniel (11 June 2004)
- Tim Sneddon brought a minor VMS fix to make curl build properly on his VMS
machine. He also had some interesting libcurl patches... they might be able
to do in a slightly nicer way. Discussions are in progress.
Daniel (10 June 2004)
- Gisle Vanem brought code cleanupsm better verbose output and better connect
timeout handling when attempting to connect to a host that resolves to
multiple IP addresses.
- Steven Bazyl and Seshubabu Pasam pointed out a bug on win32 when freeing the
path after a file:// transfer.
Daniel (9 June 2004)
- Alexander Krasnostavsky made 'configure --disable-http' work to build libcurl
without HTTP support. I added a new return code for curl_formadd() in case
libcurl is built with HTTP disable: CURL_FORMADD_DISABLED.
- Alexander Krasnostavsky pointed out a missing file in the generated
curllib.dsp file, and now people building with this should get a libcurl.lib
file generated as it used to do before we generated this file.
Daniel (8 June 2004)
- Marty Kuhrt fixed a minor build problem for VMS.
Daniel (7 June 2004)
- Reverted the configure check from the 4th since it obviously didn't work.
Remade it in a different manner that hopefully works better.
Daniel (4 June 2004)
- Günter Knauf brought patches to make curl build fine on NetWare again.
- Made the configure checks for strerror_r() not exit the configure script
when built for cross-compiling.
Daniel (3 June 2004)
- Chris Gaukroger pointed out that 'make test' attempts to run the tests even
if curl is built cross-compiled. I've now made it output a short message
instead, saying it isn't possible to do.
- Alexander Krasnostavsky brought FTP 3rd party transfer support to libcurl.
You can now use libcurl to transfer files between two remote hosts using
FTP. There are a bunch of new options to control this with:
(They still remain to be documented properly in the curl_easy_setopt man
When using this, the ordinary CURLOPT_URL specifies the target URL, and you
specify the source data with these additional options. ftp3rdparty.c is a
new example source code showing how to use this.
- Vincent Bronner fixed the HTTP Digest code to use the proxy user name and
password when doing proxy authentication, it previously always used the host
user name and password!
Daniel (2 June 2004)
- CURLOPT_UPLOAD and CURLOPT_PUT now do the exact same thing internally, which
fixes some old confusions on when which of these should be used and what the
differences are.
- Applied Gisle's fixes to make curl build fine with lcc-win32
Version 7.12.0 (2 June 2004)
Daniel (1 June 2004)
- I clarified the --create-dirs option somewhat in the curl man page.
- Renaud Duhaut corrected the curl_unescape man page.
- David Byron modified one of Massimiliano Ziccardi's recent MSVC makefile
changes to now again use the mm lib by default.
Daniel (26 May 2004)
- Mohun Biswas added release-zlib and debug-zlib targets to the MSVC libcurl
- David Byron reported a problem with proxy authentication when doing CONNECT,
like when accessing HTTPS sites wiht a proxy. This probably broke when I
rewrote the auth stuff recently.
- I added fileupload.c in the examples directory, showing how an upload to a
file:// URL is made.
Daniel (25 May 2004)
- Massimiliano Ziccardi updated the MSVC makefiles.
Daniel (24 May 2004)
- libcurl now supports "uploading" to file:// URLs. Test 204 and 205 were
added to verify.
- Simon Josefsson added a idn_free() function in libidn 0.4.5 as a reaction to
Gisle's previous mail. We now use this function, and thus we require libidn
0.4.5 or later. No earlier version will do.
- Robert D. Young reported that CURLOPT_COOKIEFILE and CURLOPT_COOKIE could
not be used both in one request. Fixed it and added test case 172 to verify.
Daniel (21 May 2004)
- While talking to host a.b.c, libcurl did wrongly not accept cookies that
were set to the domain .a.b.c (that is with a dot prefix). This is now fixed
and test case 171 verifies it.
Daniel (20 May 2004)
- Jesse Noller reported that the upload speed info reported by libcurl was
wrong. The same was true for the download speed. Fixed now.
Daniel (19 May 2004)
- David Byron added test case 170 - this used to crash the previous version of
Daniel (17 May 2004)
- Peter Sylvester's patch that addresses two flaws in the peer certificate
name verification:
o when multiple common names are used (as in the curl tests), the last name
needs to be selected.
o allow comparing with encoded values, at least with BMP and ISO latin1
encoded T61strings.
- All 191 test cases run through the torture test OK! 'make test-torture' is
now available in the root makefile (on configure-based environments).
Daniel (14 May 2004)
- With a slightly modified I've now run almost all tests through
with -t. This is goodness!
- Since I have been unable to contact the CVS admins for several months, I've
decided that the current CVS hosting was not good enough. I've now moved the
CVS repo once again, see README for updated cvs checkout instructions.
Daniel (13 May 2004)
- -t now runs fine all the way to test 100. I believe test case
100 fails because of an FTP server problem.
Daniel (12 May 2004)
- General cleanups all over to make libcurl survive and do well when a memory
function returns NULL. -t now works fine for the first 26 test
Daniel (11 May 2004)
- Seshubabu Pasam provided a patch that introduces curl_global_init_mem() -
like normal curl_global_init() but allows the app to replace all memory
functions with its own set. I modified it slightly.
- Based on Luca Alteas' comments, I modified the curllib.dsp generation code.
Daniel (10 May 2004)
- Gisle mailed Simon Josefsson (of libidn fame) about the benefits of a
separate free()-function by that lib to make sure the memory is freed by the
same memory subsystem that allocated it. He responded positively and this
will likely cause us to require a newer version of libidn as soon as Simon
releases one with such a libidn_free() function.
- James Bursa made's -t option work for any given test case, and I
edited to allow -g too. Not even test case 1 worked...
- Luca Altea made the nc= field not use quotes in outgoing HTTP Digest headers.
- Andrés García fixed a problem in the test script that made it fail to
recognize our own running HTTP server.
Daniel (7 May 2004)
- James Bursa fixed the script to conder malloc(0) areas OK to
free() and he made two failed-resolve error messages use the new display-
name instead of the internally-used name.
- Gisle Vanem tried curl with
which caused problems, and I fixed the single zero byte buffer overwrite
that occurred (due to a stupid protocol buffer size and parser).
- Made the lib/curllib.dsp file get generated automaticly when a distribution
package is made, with the msvcproj.* files as templates and all
win32-sources added. I think this can be made to work better than the always
lagging-behind previous approach. I'm not sure this builds a working project
file right now though!
Daniel (6 May 2004)
- Michael Benedict brought a fix that fills in the errorbuffer properly when
ares fails to resolve a name for a case not previously dealt with like this.
Daniel (5 May 2004)
- Joe Halpin fixed the annoying typecast warning in lib/ldap.c
- Gisle Vanem fixes:
o memdebug to not access NULL on several places
o libcurl.def; curl_formparse is gone.
o progress.c; fixed the percent values being trunced to 0.
o if2ip.*; constified the 'interface' argument.
- Tor Arntsen reported that many of his autobuilds froze and I found and fixed
a problem introduced with the HTTP auth overhaul that could lead to a
never-ending internal request-loop due to un-initialized variables!
- Removed several compiler warnings on various compilers/platforms.
Daniel (4 May 2004)
- curl_formparse() has been removed from the library. It has been marked and
mentioned as deprecated for several years.
Daniel (3 May 2004)
- Rewritten HTTP authentication code. The previous code could not properly
deal with the added test cases 167, 168 and 169. I've now rewritten the code
to better separate host and proxy authentication and not re-use the same
variables as much as before as it proved non working in the more involved
cases. All the current tests run OK now, and so do the new ones. The curl
tool got a new option named --proxy-digest to enable HTTP Digest
authentication with the proxy. I also made the library support it.
- Gisle Vanem made the LDAP code work with wldap32.dll as supplied with
Win-98/ME/2000/XP, so no extra .dlls are required when curl/libcurl is used
on these Windows versions.
Daniel (30 April 2004)
- now scans the valgrind log for valgrind-detected memory leaks
after each test case if valgrind was found and used.
- I modified the app-code in curl to include the new lib/curlx.h and only
access those functions using the curlx_-prefix in preparation for the future
removal of several curl_-functions from the public libcurl API.
- Introduced lib/curlx.h as a single header to provide the curlx_-functions
to apps.
- Added notices in the man pages for curl_getenv, curl_mprintf, curl_strequal
and curl_strnequal that they are subject for removal in a future release.
- Mihai Ionescu noticed he couldn't do formposts with whitespace in the file
names and yes, I broke that on April 23. Sigh. I fixed it now and added
test case 166 to verify it.
- Luca Altea pointed out a mistake left from the Digest patch of yesterday.
Daniel (29 April 2004)
- Made IDN domains work when sending requsts over HTTP proxy as well. Added
test case 165 to verify the functionality.
- Fixed a bug in the new internal host name setup when re-using connections.
- James Bursa found out that curl_easy_duphandle() with ares-built libcurl
created a bad handle that would crash in the first name resolve attempt. This
is now fixed and test case 512 was added to verify it.
- Luca Altea provided a major HTTP Digest code fix and cleanup. We now follow
the Digest RFC a lot better.
- Gisle Vanem made the SSL code use ERR_error_string_n() where applicable.
Daniel (27 April 2004)
- I remodeled Gisle's IDN code slightly and now we convert both the host name
and proxy name to the ACE encoded version to use internally for resolves and
cookies etc. They are now using one 'struct hostname' each that keep both
the original name and the possibly encoded name. IDN resolves work for me
now using ipv6, ipv4 and ares resolving. Even cookies on IDN sites seem to
do right. I got some failures at first when CHARSET wasn't set at all which
confused libidn completely and it decided by encoding of choice was
- made 'configure --without-libidn' work
Daniel (25 April 2004)
- Fixed the src/hugehelp.c file to include "setup.h" instead of "config.h" to
make the problems with USE_MANUAL on windows go away.
- configure --without-ssl could still wrongly include some OpenSSL info in the
Makefiles if pkg-config had info about OpenSSL. Bug #941762 reported by
- Since we can now build and use quite a large set of 3rd party libraries, I
decided I would make configure produce a summary at the end showing what
libraries it uses and if not, what option to use to make it use that. I also
added some other random info that is nice in a "configure summary" output.
- Applied TommyTam's patch that now make curl work with telnet and stdin
properly on Windows.
- The changes for today below were made by me and Gisle Vanem.
The file previously known as hostip.c has now undergone a huge cleanup and
hostip.c explained
The main COMPILE-TIME DEFINES to keep in mind when reading the host*.c
source file are these:
CURLRES_IPV6 - this host has getaddrinfo() and family, and thus we use
that. The host may not be able to resolve IPv6, but we don't really have to
take that into account. Hosts that aren't IPv6-enabled have CURLRES_IPV4
CURLRES_ARES - is defined if libcurl is built to use c-ares for asynchronous
name resolves. It cannot have ENABLE_IPV6 defined at the same time, as
c-ares has no ipv6 support. This can be Windows or *nix.
CURLRES_THREADED - is defined if libcurl is built to run under (native)
Windows, and then the name resolve will be done in a new thread, and the
supported asynch API will be the same as for ares-builds.
If any of the two previous are defined, CURLRES_ASYNCH is defined too. If
libcurl is not built to use an asynchronous resolver, CURLRES_SYNCH is
The host*.c sources files are split up like this:
hostip.c - method-independent resolver functions and utility functions
hostasyn.c - functions for asynchronous name resolves
hostsyn.c - functions for synchronous name resolves
hostares.c - functions for ares-using name resolves
hostthre.c - functions for threaded name resolves
hostip4.c - ipv4-specific functions
hostip6.c - ipv6-specific functions
The hostip.h is the single united header file for all this. It defines the
CURLRES_* defines based on the config*.h and setup.h defines.
- Added function header comments to many functions in an attempt to better
explain the purpose of them all.
- configure --with-libidn is now supported. It makes the configure script
check for libidn libs and include files in the prefix path given. If you
say --with-libidn=/usr/local, it will check for the lib in /usr/local/lib
and the includes in /usr/local/include etc.
- curl_version_info() now returns a struct aged CURLVERSION_THIRD including
libidn version info. The string curl_version() returns also includes libidn
version info, if available.
Version 7.11.2 (26 April 2004)
Daniel (25 April 2004)
- Erwin Authried pointed out that configure --disable-manual didn't do right
if you already had a src/hugehelp.c source file present (which most people
do I guess). It now uses the USE_MANUAL define properly.
Daniel (23 April 2004)
- Gisle Vanem found and fixed a memory leak when doing (failing) Windows
threaded name resolves.
- I also added test case 163 just to make sure -F "var=<file" works fine and
can pass on characters such as newlines, carriage-return and tabs.
- When we added test case 162 without adding the necessary requirement field
in the test meta data we could see that curl didn't complain if you used
--proxy-ntlm even if the underlying libcurl it uses has no NTLM support! I
now made it check this first, and it now exists with a "the installed
libcurl version doesn't support this" message if it happens again.
Daniel (22 April 2004)
- David Byron found and fixed a small bug with the --fail and authentication
stuff added a few weeks ago. Turns out that if you specify --proxy-ntlm and
communicate with a proxy that requires basic authentication, the proxy
properly returns a 407, but the failure detection code doesn't realize it
should give up, so curl returns with exit code 0. Test case 162 added to
verify the functionality.
- allow newlines in the contents when doing -F "var=[contents]"
Robert Marlow reported.
- If a transfer is found out to be only partial, libcurl will now treat that
as a problem serious enough to skip the final QUIT command before closing
the control connection. To avoid the risk that it will "hang" waiting for
the QUIT response. Added test case 161 to verify this.
Daniel (21 April 2004)
- Modified the heuristics for dealing with the test 160 scenario. When a
connection is re-used and nothing at all is received from it (because the
server closes the connection), we will now retry the request on a fresh new
connection. The previous ECONNRESET stuff from January 30 was removed again
as it didn't detect the situation good enough.
Daniel (20 April 2004)
- Added test case 160 to verify that curl works correctly when it gets a
connection reset when trying to re-use a connection. It should then simply
create a new connection and resend the request.
Daniel (19 April 2004)
- No more 512 byte limit for host name (inclusing name + password) in libcurl.
An added bonus is that we use less memory for the typical (shorter URL)
- Cleaned up the sources to better use the terms 'hostname' and 'path'
internally when referring to that data. The buffers used for keep that info
is called 'namebuffer' and 'pathbuffer'. Much easier to read and understand
than the previous mess.
Daniel (15 April 2004)
- Modified again to remove all log files in the log/ dir between
each test, and then made -p display all non-zero byte files in the log dir.
It should make that data more usable and contain less rubbish.
- now produces log files more similar to how the sws ones look
and they now also contains a bit more details to help debugging ftp
- Removed the fixed maximum amount of dir levels the FTP code supported.
Previously we had a fixed array for 100 levels, now we save space in each
handle by allocating only for a few level by default and then enlarging that
in case of need (with no maximum depth). Adjusted test case 142 to verify
that 150 dir levels work fine. An added bonus is that we use less memory
for the typical (not very deep) case.
Daniel (14 April 2004)
- Asking for CURL_IPRESOLVE_V6 when ipv6 addresses can't be resolved will
now cause the resolve function to return NULL immediately. This flaw was
pointed out by Gisle Vanem.
- Gisle Vanem made curl -4/-6 actually set the desired option to libcurl.
- now has a new option (-p) that will display "interesting" log
files to stdout in case of a test failure. This is primarily intended to be
used in the 'full-test' make target that is used by the autobuild tests, as
we then get a much better chance to understand (remote) test failures based
on autobuild logs alone.
Daniel (13 April 2004)
- Gisle Vanem made the multi interface work again on Windows even when built
without ares. Before this, select() would return -1 during the name resolve
phase since curl_multi_fdset() didn't return any fd_set at all which wasn't
- curl_easy_duphandle() now duplicates the tcp_nodelay info as well.
Daniel (11 April 2004)
- Applied David Byron's patch for the MSVC libcurl makefile for builds with
Daniel (9 April 2004)
- Dirk Manske improved the timer resolution for CURLINFO_*_TIME, it can now
be down to usec if the system sypports it.
Daniel (7 April 2004)
- A request that sends "Expect: 100-continue" and gets nothing but a single
100 response back will now return a CURLE_GOT_NOTHING. Test 158 verifies.
- The strtoofft() macro is now named curlx_strtoofft() to use the curlx_*
approach fully.
Daniel (6 April 2004)
- Gisle Vanem's fixed bug #927979 reported by Nathan O'Sullivan. The problem
made libcurl on Windows leak a small amount of memory in each name resolve
when not used as a DLL.
- New authentication code added, particularly noticable when doing POST or PUT
with Digest or NTLM. libcurl will now use HEAD to negotiate the
authentication and when done perform the requested POST. Previously libcurl
sent POST immediately and expected the server to reply a final status code
with an error and then libcurl would not send the request-body but instead
send then next request in the sequence.
The reason for this change is due to IIS6 barfing on libcurl when we attempt
to POST with NTLM authentication. The reason for the problems is found in
RFC2616 section 8.2.3 regarding how servers should deal with the 100
continue request-header:
If it responds with a final status code, it MAY close the transport
connection or it MAY continue to read and discard the rest of the