curl and libcurl 7.84.0 Public curl releases: 209 Command line options: 248 curl_easy_setopt() options: 297 Public functions in libcurl: 88 Contributors: 2648 This release includes the following changes: o curl: add --rate to set max request rate per time unit [69] o curl: deprecate --random-file and --egd-file [12] o curl_version_info: add CURL_VERSION_THREADSAFE [100] o CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl [9] o lib: make curl_global_init() threadsafe when possible [101] o libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION [78] o opts: deprecate RANDOM_FILE and EGDSOCKET [13] o socks: support unix sockets for socks proxy [2] This release includes the following bugfixes: o aws-sigv4: fix potentional NULL pointer arithmetic [48] o bindlocal: don't use a random port if port number would wrap [14] o c-hyper: mark status line as status for Curl_client_write() [58] o ci: update github actions [36] o cmake: add libpsl support [3] o cmake: do not add libcurl.rc to the static libcurl library [53] o cmake: enable curl.rc for all Windows targets [55] o cmake: fix detecting libidn2 [56] o cmake: support adding a suffix to the OS value [54] o configure: skip libidn2 detection when winidn is used [89] o configure: use the SED value to invoke sed [28] o configure: warn about rustls being experimental [103] o cookie: address secure domain overlay [7] o copyright.pl: parse and use .reuse/dep5 for skips [105] o copyright: make repository REUSE compliant [119] o curl.1: add a few see also --tls-max [52] o curl.1: mention exit code zero too [44] o curl: re-enable --no-remote-name [31] o curl_easy_pause.3: remove explanation of progress function [97] o curl_getdate.3: document that some illegal dates pass through [34] o Curl_parsenetrc: don't access local pwbuf outside of scope [27] o curl_url_set.3: clarify by default using known schemes only [120] o CURLOPT_FILETIME.3: fix the protocols this works with o CURLOPT_HTTPHEADER.3: improve comment in example [66] o CURLOPT_NETRC.3: document the .netrc file format o CURLOPT_PORT.3: We discourage using this option [92] o CURLOPT_RANGE.3: remove ranged upload advice [99] o digest: added detection of more syntax error in server headers [81] o digest: tolerate missing "realm" [80] o digest: unquote realm and nonce before processing [82] o DISABLED: disable 1021 for hyper again o docs/cmdline-opts: add copyright and license identifier to each file [112] o docs/CONTRIBUTE.md: document the 'needs-votes' concept [79] o docs: clarify data replacement policy for MIME API [16] o doh: remove UNITTEST macro definition [67] o examples/crawler.c: use the curl license [73] o examples: remove fopen.c and rtsp.c [76] o FAQ: Clarify Windows double quote usage [42] o ftp: when failing to do a secure GSSAPI login, fail hard [62] o GHA/hyper: enable debug in the build o gssapi: improve handling of errors from gss_display_status [45] o gssapi: initialize gss_buffer_desc strings o headers api: remove EXPERIMENTAL tag [35] o http2: always debug print stream id in decimal with %u [46] o http2: reject overly many push-promise headers [63] o http: restore header folding behavior [64] o hyper: use 'alt-used' [71] o lib: make more protocol specific struct fields #ifdefed [84] o libcurl-security.3: add "Secrets in memory" [30] o libcurl-security.3: document CRLF header injection [98] o libssh: skip the fake-close when libssh does the right thing [102] o links: update dead links to the curl-wiki [21] o log2changes: do not indent empty lines [ci skip] [37] o macos9: remove partial support [22] o Makefile.am: fix portability issues [1] o Makefile.m32: delete obsolete options, improve -On [ci skip] [65] o Makefile.m32: delete two obsolete OpenSSL options [ci skip] [39] o max-time.d: clarify max-time sets max transfer time [70] o mprintf: ignore clang non-literal format string [19] o netrc: check %USERPROFILE% as well on Windows [77] o netrc: support quoted strings [33] o ngtcp2: allow curl to send larger UDP datagrams [29] o ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types [25] o ngtcp2: enable Linux GSO [91] o ngtcp2: extend QUIC transport parameters buffer [4] o ngtcp2: fix alert_read_func return value [26] o ngtcp2: fix typo in preprocessor condition [121] o ngtcp2: handle error from ngtcp2_conn_submit_crypto_data [5] o ngtcp2: send appropriate connection close error code [6] o ngtcp2: support boringssl crypto backend [17] o ngtcp2: use helper funcs to simplify TLS handshake integration [68] o ntlm: provide a fixed fake host name [32] o quic: add Curl_quic_idle [18] o quiche: support ca-fallback [49] o remote-name.d: mention --output-dir [88] o runtests.pl: add the --repeat parameter to the --help output [43] o runtests: fix skipping tests not done event-based [95] o runtests: skip starting the ssh server if user name is lacking [104] o scripts/copyright.pl: fix the exclusion to not ignore man pages [75] o sectransp: check for a function defined when __BLOCKS__ is undefined [20] o select: return error from "lethal" poll/select errors [93] o server/sws: support spaces in the HTTP request path o speed-limit/time.d: mention these affect transfers in either direction [74] o strcase: some optimisations [8] o test 2081: add a valid reply for the second request [60] o test 675: add missing CR so the test passes when run through Privoxy [61] o test414: add the '--resolve' keyword [23] o test681: verify --no-remote-name [90] o tests 266, 116 and 1540: add a small write delay o tests/data/test1501: kill ftp server after slow LIST response [59] o tests/getpart: fix getpartattr to work with "data" and "data2" o tests/server/sws.c: change the HTTP writedelay unit to milliseconds [47] o test{440,441,493,977}: add "HTTP proxy" keywords [40] o tool_getparam: fix --parallel-max maximum value constraint [51] o tool_operate: make sure --fail-with-body works with --retry [24] o transfer: fix potential NULL pointer dereference [15] o transfer: maintain --path-as-is after redirects [96] o url: free old conn better on reuse [41] o url: remove redundant #ifdefs in allocate_conn() o url: URL encode the path when extracted, if spaces were set o urlapi: support CURLU_URLENCODE for curl_url_get() o urldata: reduce size of a few struct fields [86] o urldata: remove three unused booleans from struct UserDefined [87] o urldata: store tcp_keepidle and tcp_keepintvl as ints [85] o version: allow stricmp() for sorting the feature list [57] o vtls: make curl_global_sslset thread-safe [94] o wolfssh.h: removed [10] o wolfssl: correct the failf() message when a handle can't be made [38] o wolfSSL: explicitly use compatibility layer [11] o x509asn1: mark msnprintf return as unchecked [50] This release includes the following known bugs: o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html) This release would not have looked like this without help, code, reports and advice from friends like these: Andrea Pappacoda, Balakrishnan Balasubramanian, Boris Verkhovskiy, Carlo Alberto, Christian Weisgerber via curl-library, Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Egor Pugin, Emil Engler, Evgeny Grin, Fabian Keil, Frank Gevaerts, Frazer Smith, Gisle Vanem, Gregor Jasny, Harry Sintonen, Illarion Taev, ImpatientHippo on GitHub, Jakub Bochenski, Kamil Dudka, Karlson2k on github, KotlinIsland on github, Ladar Levison, Marcel Raad, Marc Hörsken, Marcus T, Max Mehl, michael musset, Nick Zitzmann, Nuru on github, Patrick Monnerat, Petr Pisar, Ray Satiro, Ricardo M. Correia, Simon Berger, Tatsuhiro Tsujikawa, Thomas Guillem, Viktor Szakats, Vincent Torri, vvb2060 on github, Wolf Vollprecht, Elms (43 contributors) References to bug reports and discussions on issues: [1] = https://curl.se/mail/lib-2022-05/0024.html [2] = https://curl.se/bug/?i=8668 [3] = https://curl.se/bug/?i=8865 [4] = https://curl.se/bug/?i=8872 [5] = https://curl.se/bug/?i=8871 [6] = https://curl.se/bug/?i=8870 [7] = https://hackerone.com/reports/1560324 [8] = https://curl.se/bug/?i=8875 [9] = https://curl.se/bug/?i=8888 [10] = https://curl.se/bug/?i=8863 [11] = https://curl.se/bug/?i=8864 [12] = https://curl.se/bug/?i=8670 [13] = https://curl.se/bug/?i=8670 [14] = https://curl.se/bug/?i=8862 [15] = https://curl.se/bug/?i=8857 [16] = https://curl.se/bug/?i=8860 [17] = https://curl.se/bug/?i=8789 [18] = https://curl.se/bug/?i=8698 [19] = https://curl.se/bug/?i=8740 [20] = https://curl.se/bug/?i=8846 [21] = https://curl.se/bug/?i=8897 [22] = https://curl.se/bug/?i=8836 [23] = https://curl.se/bug/?i=8959 [24] = https://curl.se/bug/?i=8845 [25] = https://curl.se/bug/?i=8851 [26] = https://curl.se/bug/?i=8852 [27] = https://curl.se/bug/?i=8850 [28] = https://curl.se/bug/?i=8891 [29] = https://curl.se/bug/?i=8883 [30] = https://curl.se/bug/?i=8881 [31] = https://curl.se/bug/?i=8931 [32] = https://curl.se/bug/?i=8859 [33] = https://curl.se/bug/?i=8908 [34] = https://curl.se/bug/?i=8938 [35] = https://curl.se/bug/?i=8900 [36] = https://curl.se/bug/?i=8843 [37] = https://curl.se/bug/?i=8887 [38] = https://curl.se/bug/?i=8885 [39] = https://curl.se/bug/?i=8884 [40] = https://curl.se/bug/?i=8959 [41] = https://curl.se/bug/?i=8841 [42] = https://curl.se/bug/?i=8823 [43] = https://curl.se/bug/?i=8959 [44] = https://curl.se/bug/?i=8833 [45] = https://curl.se/bug/?i=8832 [46] = https://curl.se/bug/?i=8808 [47] = https://curl.se/bug/?i=8827 [48] = https://curl.se/bug/?i=8814 [49] = https://curl.se/bug/?i=8696 [50] = https://curl.se/bug/?i=8831 [51] = https://curl.se/bug/?i=8930 [52] = https://curl.se/bug/?i=8929 [53] = https://curl.se/bug/?i=8918 [54] = https://curl.se/bug/?i=8919 [55] = https://curl.se/bug/?i=8918 [56] = https://curl.se/bug/?i=8917 [57] = https://curl.se/bug/?i=8916 [58] = https://curl.se/bug/?i=8894 [59] = https://curl.se/bug/?i=8907 [60] = https://curl.se/bug/?i=8959 [61] = https://curl.se/bug/?i=8959 [62] = https://hackerone.com/reports/1590102 [63] = https://hackerone.com/reports/1589847 [64] = https://curl.se/bug/?i=8844 [65] = https://curl.se/bug/?i=8904 [66] = https://curl.se/bug/?i=9025 [67] = https://curl.se/bug/?i=8902 [68] = https://curl.se/bug/?i=8968 [69] = https://curl.se/bug/?i=8671 [70] = https://curl.se/bug/?i=8877 [71] = https://curl.se/bug/?i=8898 [73] = https://curl.se/bug/?i=8950 [74] = https://curl.se/bug/?i=8948 [75] = https://curl.se/bug/?i=8952 [76] = https://curl.se/bug/?i=8949 [77] = https://curl.se/bug/?i=8855 [78] = https://curl.se/bug/?i=7959 [79] = https://curl.se/bug/?i=8910 [80] = https://curl.se/bug/?i=8912 [81] = https://curl.se/bug/?i=8912 [82] = https://curl.se/bug/?i=8912 [84] = https://curl.se/bug/?i=8944 [85] = https://curl.se/bug/?i=8940 [86] = https://curl.se/bug/?i=8940 [87] = https://curl.se/bug/?i=8940 [88] = https://curl.se/bug/?i=8945 [89] = https://curl.se/bug/?i=8934 [90] = https://curl.se/bug/?i=8942 [91] = https://curl.se/bug/?i=8909 [92] = https://curl.se/bug/?i=8941 [93] = https://curl.se/bug/?i=8921 [94] = https://curl.se/bug/?i=9016 [95] = https://curl.se/bug/?i=8977 [96] = https://curl.se/bug/?i=8974 [97] = https://curl.se/bug/?i=9015 [98] = https://curl.se/bug/?i=8964 [99] = https://curl.se/bug/?i=8969 [100] = https://curl.se/bug/?i=8680 [101] = https://curl.se/bug/?i=8680 [102] = https://curl.se/bug/?i=9021 [103] = https://curl.se/bug/?i=9019 [104] = https://curl.se/bug/?i=9013 [105] = https://curl.se/bug/?i=9006 [112] = https://curl.se/bug/?i=9002 [119] = https://curl.se/bug/?i=8869 [120] = https://curl.se/bug/?i=8994 [121] = https://curl.se/bug/?i=8981