curl/RELEASE-NOTES

curl and libcurl 7.84.0

 Public curl releases:         209
 Command line options:         248
 curl_easy_setopt() options:   297
 Public functions in libcurl:  88
 Contributors:                 2652

This release includes the following changes:

 o curl: add --rate to set max request rate per time unit [69]
 o curl: deprecate --random-file and --egd-file [12]
 o curl_version_info: add CURL_VERSION_THREADSAFE [100]
 o CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl [9]
 o lib: make curl_global_init() threadsafe when possible [101]
 o libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION [78]
 o opts: deprecate RANDOM_FILE and EGDSOCKET [13]
 o socks: support unix sockets for socks proxy [2]

This release includes the following bugfixes:

 o aws-sigv4: fix potentional NULL pointer arithmetic [48]
 o bindlocal: don't use a random port if port number would wrap [14]
 o c-hyper: mark status line as status for Curl_client_write() [58]
 o ci: avoid `cmake -Hpath` [114]
 o CI: bump FreeBSD 13.0 to 13.1 [127]
 o ci: update github actions [36]
 o cmake: add libpsl support [3]
 o cmake: do not add libcurl.rc to the static libcurl library [53]
 o cmake: enable curl.rc for all Windows targets [55]
 o cmake: fix detecting libidn2 [56]
 o cmake: support adding a suffix to the OS value [54]
 o configure: skip libidn2 detection when winidn is used [89]
 o configure: use the SED value to invoke sed [28]
 o configure: warn about rustls being experimental [103]
 o content_encoding: return error on too many compression steps [106]
 o cookie: address secure domain overlay [7]
 o cookie: apply limits [83]
 o copyright.pl: parse and use .reuse/dep5 for skips [105]
 o copyright: make repository REUSE compliant [119]
 o curl.1: add a few see also --tls-max [52]
 o curl.1: mention exit code zero too [44]
 o curl: re-enable --no-remote-name [31]
 o curl_easy_pause.3: remove explanation of progress function [97]
 o curl_getdate.3: document that some illegal dates pass through [34]
 o Curl_parsenetrc: don't access local pwbuf outside of scope [27]
 o curl_url_set.3: clarify by default using known schemes only [120]
 o CURLOPT_ALTSVC.3: document the file format [118]
 o CURLOPT_FILETIME.3: fix the protocols this works with
 o CURLOPT_HTTPHEADER.3: improve comment in example [66]
 o CURLOPT_NETRC.3: document the .netrc file format
 o CURLOPT_PORT.3: We discourage using this option [92]
 o CURLOPT_RANGE.3: remove ranged upload advice [99]
 o digest: added detection of more syntax error in server headers [81]
 o digest: tolerate missing "realm" [80]
 o digest: unquote realm and nonce before processing [82]
 o DISABLED: disable 1021 for hyper again
 o docs/cmdline-opts: add copyright and license identifier to each file [112]
 o docs/CONTRIBUTE.md: document the 'needs-votes' concept [79]
 o docs: clarify data replacement policy for MIME API [16]
 o doh: remove UNITTEST macro definition [67]
 o examples/crawler.c: use the curl license [73]
 o examples: remove fopen.c and rtsp.c [76]
 o FAQ: Clarify Windows double quote usage [42]
 o fopen: add Curl_fopen() for better overwriting of files [72]
 o ftp: restore protocol state after http proxy CONNECT [110]
 o ftp: when failing to do a secure GSSAPI login, fail hard [62]
 o GHA/hyper: enable debug in the build
 o gssapi: improve handling of errors from gss_display_status [45]
 o gssapi: initialize gss_buffer_desc strings
 o headers api: remove EXPERIMENTAL tag [35]
 o http2: always debug print stream id in decimal with %u [46]
 o http2: reject overly many push-promise headers [63]
 o http: restore header folding behavior [64]
 o hyper: use 'alt-used' [71]
 o krb5: return error properly on decode errors [107]
 o lib: make more protocol specific struct fields #ifdefed [84]
 o libcurl-security.3: add "Secrets in memory" [30]
 o libcurl-security.3: document CRLF header injection [98]
 o libssh: skip the fake-close when libssh does the right thing [102]
 o links: update dead links to the curl-wiki [21]
 o log2changes: do not indent empty lines [ci skip] [37]
 o macos9: remove partial support [22]
 o Makefile.am: fix portability issues [1]
 o Makefile.m32: delete obsolete options, improve -On [ci skip] [65]
 o Makefile.m32: delete two obsolete OpenSSL options [ci skip] [39]
 o Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] [116]
 o max-time.d: clarify max-time sets max transfer time [70]
 o mprintf: ignore clang non-literal format string [19]
 o netrc: check %USERPROFILE% as well on Windows [77]
 o netrc: support quoted strings [33]
 o ngtcp2: allow curl to send larger UDP datagrams [29]
 o ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types [25]
 o ngtcp2: enable Linux GSO [91]
 o ngtcp2: extend QUIC transport parameters buffer [4]
 o ngtcp2: fix alert_read_func return value [26]
 o ngtcp2: fix typo in preprocessor condition [121]
 o ngtcp2: handle error from ngtcp2_conn_submit_crypto_data [5]
 o ngtcp2: send appropriate connection close error code [6]
 o ngtcp2: support boringssl crypto backend [17]
 o ngtcp2: use helper funcs to simplify TLS handshake integration [68]
 o ntlm: provide a fixed fake host name [32]
 o projects: fix third-party SSL library build paths for Visual Studio [125]
 o quic: add Curl_quic_idle [18]
 o quiche: support ca-fallback [49]
 o rand: stop detecting /dev/urandom in cross-builds [113]
 o remote-name.d: mention --output-dir [88]
 o runtests.pl: add the --repeat parameter to the --help output [43]
 o runtests: fix skipping tests not done event-based [95]
 o runtests: skip starting the ssh server if user name is lacking [104]
 o scripts/copyright.pl: fix the exclusion to not ignore man pages [75]
 o sectransp: check for a function defined when __BLOCKS__ is undefined [20]
 o select: return error from "lethal" poll/select errors [93]
 o server/sws: support spaces in the HTTP request path
 o speed-limit/time.d: mention these affect transfers in either direction [74]
 o strcase: some optimisations [8]
 o test 2081: add a valid reply for the second request [60]
 o test 675: add missing CR so the test passes when run through Privoxy [61]
 o test414: add the '--resolve' keyword [23]
 o test681: verify --no-remote-name [90]
 o tests 266, 116 and 1540: add a small write delay
 o tests/data/test1501: kill ftp server after slow LIST response [59]
 o tests/getpart: fix getpartattr to work with "data" and "data2"
 o tests/server/sws.c: change the HTTP writedelay unit to milliseconds [47]
 o test{440,441,493,977}: add "HTTP proxy" keywords [40]
 o tool_getparam: fix --parallel-max maximum value constraint [51]
 o tool_operate: make sure --fail-with-body works with --retry [24]
 o transfer: fix potential NULL pointer dereference [15]
 o transfer: maintain --path-as-is after redirects [96]
 o transfer: upload performance; avoid tiny send [124]
 o url: free old conn better on reuse [41]
 o url: remove redundant #ifdefs in allocate_conn()
 o url: URL encode the path when extracted, if spaces were set
 o urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts [126]
 o urlapi: support CURLU_URLENCODE for curl_url_get()
 o urldata: reduce size of a few struct fields [86]
 o urldata: remove three unused booleans from struct UserDefined [87]
 o urldata: store tcp_keepidle and tcp_keepintvl as ints [85]
 o version: allow stricmp() for sorting the feature list [57]
 o vtls: make curl_global_sslset thread-safe [94]
 o wolfssh.h: removed [10]
 o wolfssl: correct the failf() message when a handle can't be made [38]
 o wolfSSL: explicitly use compatibility layer [11]
 o x509asn1: mark msnprintf return as unchecked [50]

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
advice from friends like these:

  Andrea Pappacoda, Balakrishnan Balasubramanian, Boris Verkhovskiy,
  Carlo Alberto, Christian Weisgerber, Dan Fandrich, Daniel Gustafsson,
  Daniel Stenberg, Egor Pugin, Emanuele Torre, Emil Engler, Evgeny Grin,
  Fabian Keil, Frank Gevaerts, Frazer Smith, Gisle Vanem, Glenn Strauss,
  Gregor Jasny, Harry Sintonen, Illarion Taev, ImpatientHippo on GitHub,
  Jakub Bochenski, Kamil Dudka, Karlson2k on github, KotlinIsland on github,
  Ladar Levison, Marcel Raad, Marc Hörsken, Marcus T, Max Mehl, michael musset,
  Nick Zitzmann, Nuru on github, Patrick Monnerat, Petr Pisar, Philip H,
  Pierrick Charron, Ray Satiro, Ricardo M. Correia, Simon Berger,
  Stefan Eissing, Steve Holme, Tatsuhiro Tsujikawa, Thomas Guillem, Tom Eccles,
  Viktor Szakats, Vincent Torri, vvb2060 on github, Willem Hoek,
  Wolf Vollprecht, Elms
  (51 contributors)

References to bug reports and discussions on issues:

 [1] = https://curl.se/mail/lib-2022-05/0024.html
 [2] = https://curl.se/bug/?i=8668
 [3] = https://curl.se/bug/?i=8865
 [4] = https://curl.se/bug/?i=8872
 [5] = https://curl.se/bug/?i=8871
 [6] = https://curl.se/bug/?i=8870
 [7] = https://hackerone.com/reports/1560324
 [8] = https://curl.se/bug/?i=8875
 [9] = https://curl.se/bug/?i=8888
 [10] = https://curl.se/bug/?i=8863
 [11] = https://curl.se/bug/?i=8864
 [12] = https://curl.se/bug/?i=8670
 [13] = https://curl.se/bug/?i=8670
 [14] = https://curl.se/bug/?i=8862
 [15] = https://curl.se/bug/?i=8857
 [16] = https://curl.se/bug/?i=8860
 [17] = https://curl.se/bug/?i=8789
 [18] = https://curl.se/bug/?i=8698
 [19] = https://curl.se/bug/?i=8740
 [20] = https://curl.se/bug/?i=8846
 [21] = https://curl.se/bug/?i=8897
 [22] = https://curl.se/bug/?i=8836
 [23] = https://curl.se/bug/?i=8959
 [24] = https://curl.se/bug/?i=8845
 [25] = https://curl.se/bug/?i=8851
 [26] = https://curl.se/bug/?i=8852
 [27] = https://curl.se/bug/?i=8850
 [28] = https://curl.se/bug/?i=8891
 [29] = https://curl.se/bug/?i=8883
 [30] = https://curl.se/bug/?i=8881
 [31] = https://curl.se/bug/?i=8931
 [32] = https://curl.se/bug/?i=8859
 [33] = https://curl.se/bug/?i=8908
 [34] = https://curl.se/bug/?i=8938
 [35] = https://curl.se/bug/?i=8900
 [36] = https://curl.se/bug/?i=8843
 [37] = https://curl.se/bug/?i=8887
 [38] = https://curl.se/bug/?i=8885
 [39] = https://curl.se/bug/?i=8884
 [40] = https://curl.se/bug/?i=8959
 [41] = https://curl.se/bug/?i=8841
 [42] = https://curl.se/bug/?i=8823
 [43] = https://curl.se/bug/?i=8959
 [44] = https://curl.se/bug/?i=8833
 [45] = https://curl.se/bug/?i=8832
 [46] = https://curl.se/bug/?i=8808
 [47] = https://curl.se/bug/?i=8827
 [48] = https://curl.se/bug/?i=8814
 [49] = https://curl.se/bug/?i=8696
 [50] = https://curl.se/bug/?i=8831
 [51] = https://curl.se/bug/?i=8930
 [52] = https://curl.se/bug/?i=8929
 [53] = https://curl.se/bug/?i=8918
 [54] = https://curl.se/bug/?i=8919
 [55] = https://curl.se/bug/?i=8918
 [56] = https://curl.se/bug/?i=8917
 [57] = https://curl.se/bug/?i=8916
 [58] = https://curl.se/bug/?i=8894
 [59] = https://curl.se/bug/?i=8907
 [60] = https://curl.se/bug/?i=8959
 [61] = https://curl.se/bug/?i=8959
 [62] = https://hackerone.com/reports/1590102
 [63] = https://hackerone.com/reports/1589847
 [64] = https://curl.se/bug/?i=8844
 [65] = https://curl.se/bug/?i=8904
 [66] = https://curl.se/bug/?i=9025
 [67] = https://curl.se/bug/?i=8902
 [68] = https://curl.se/bug/?i=8968
 [69] = https://curl.se/bug/?i=8671
 [70] = https://curl.se/bug/?i=8877
 [71] = https://curl.se/bug/?i=8898
 [72] = https://curl.se/docs/CVE-2022-32207.html
 [73] = https://curl.se/bug/?i=8950
 [74] = https://curl.se/bug/?i=8948
 [75] = https://curl.se/bug/?i=8952
 [76] = https://curl.se/bug/?i=8949
 [77] = https://curl.se/bug/?i=8855
 [78] = https://curl.se/bug/?i=7959
 [79] = https://curl.se/bug/?i=8910
 [80] = https://curl.se/bug/?i=8912
 [81] = https://curl.se/bug/?i=8912
 [82] = https://curl.se/bug/?i=8912
 [83] = https://curl.se/docs/CVE-2022-32205.html
 [84] = https://curl.se/bug/?i=8944
 [85] = https://curl.se/bug/?i=8940
 [86] = https://curl.se/bug/?i=8940
 [87] = https://curl.se/bug/?i=8940
 [88] = https://curl.se/bug/?i=8945
 [89] = https://curl.se/bug/?i=8934
 [90] = https://curl.se/bug/?i=8942
 [91] = https://curl.se/bug/?i=8909
 [92] = https://curl.se/bug/?i=8941
 [93] = https://curl.se/bug/?i=8921
 [94] = https://curl.se/bug/?i=9016
 [95] = https://curl.se/bug/?i=8977
 [96] = https://curl.se/bug/?i=8974
 [97] = https://curl.se/bug/?i=9015
 [98] = https://curl.se/bug/?i=8964
 [99] = https://curl.se/bug/?i=8969
 [100] = https://curl.se/bug/?i=8680
 [101] = https://curl.se/bug/?i=8680
 [102] = https://curl.se/bug/?i=9021
 [103] = https://curl.se/bug/?i=9019
 [104] = https://curl.se/bug/?i=9013
 [105] = https://curl.se/bug/?i=9006
 [106] = https://curl.se/docs/CVE-2022-32206.html
 [107] = https://curl.se/docs/CVE-2022-32208.html
 [110] = https://curl.se/bug/?i=8737
 [112] = https://curl.se/bug/?i=9002
 [113] = https://curl.se/bug/?i=9038
 [114] = https://curl.se/bug/?i=9008
 [116] = https://curl.se/bug/?i=9035
 [118] = https://curl.se/bug/?i=9033
 [119] = https://curl.se/bug/?i=8869
 [120] = https://curl.se/bug/?i=8994
 [121] = https://curl.se/bug/?i=8981
 [124] = https://curl.se/bug/?i=8965
 [125] = https://curl.se/bug/?i=8991
 [126] = https://curl.se/bug/?i=9028
 [127] = https://curl.se/bug/?i=8815