When proxy authentication is used in a CONNECT request (as used for all SSL
connects and otherwise enforced tunnel-thru-proxy requests), the same
authentication header is also wrongly sent to

When proxy authentication is used in a CONNECT request (as used for all SSL
connects and otherwise enforced tunnel-thru-proxy requests), the same
authentication header is also wrongly sent to the remote host.

The name and password can then be captured by an evil host and possibly get
used for malicious purposes.

show more ...

clear http->send_buffer when we have freed the memory it pointed to

Removed #include <sys/resource.h>, as pointed out by Henry Bland we don't
need it.

moved the proxyuser and proxypasswd fields from the sessionhandle to the
connectdata to work as expected

Access the user and passwd fields from the connectdata struct now instead
of the sessionhandle struct, as that was not good.

Peter Sylvester's patch was applied that introduces the following:

CURLOPT_SSL_CTX_FUNCTION to set a callback that gets called with the
OpenSSL's ssl_ctx pointer passed in and allo

Peter Sylvester's patch was applied that introduces the following:

CURLOPT_SSL_CTX_FUNCTION to set a callback that gets called with the
OpenSSL's ssl_ctx pointer passed in and allow a callback to act on it. If
anything but CURLE_OK is returned, that will also be returned by libcurl
all the way back. If this function changes the CURLOPT_URL, libcurl will
detect this and instead go use the new URL.

CURLOPT_SSL_CTX_DATA is a pointer you set to get passed to the callback set
with CURLOPT_SSL_CTX_FUNCTION.

show more ...

major adjustments to the new authentication support

CURLHTTP* renamed to CURLAUTH* and NEGOTIATE is now GSSNEGOTIATE as there's
a "plain" Negotiate as well.

Initial take at NTLM authentication. It doesn't really work at this point
but the infrastructure is there.

Daniel Kouril's patch that adds HTTP negotiation support to libcurl was
added.

When doing very big GET requests over HTTPS, we need to add some extra
funky logic in order to make re-tries work fine with OpenSSL. This corrects
the problem David Orrell noticed.

Posting static data using POST and chunked encoded now also appends the
data to the initial request buffer, if the total post data is less than
100K.

Rudy Koento experienced problems with curl's recent habit of POSTing data in
two separate send() calls, first the headers and then the data. I've now made
a fix that for static and known cont

Rudy Koento experienced problems with curl's recent habit of POSTing data in
two separate send() calls, first the headers and then the data. I've now made
a fix that for static and known content that isn't to be chunked-encoded,
everything is now sent in one single system call again. This is also better
for network performance reasons.

show more ...

Another socks5-fix. Make sure that when we use a socks-proxy, it is not the
same as using a httpproxy so we must make sure to better check for http
proxies before we do HTTP proxy stuff. This

Another socks5-fix. Make sure that when we use a socks-proxy, it is not the
same as using a httpproxy so we must make sure to better check for http
proxies before we do HTTP proxy stuff. This included authorization and
URI usage in the request etc.

show more ...

warning-free is better

Better Digest stuff

Initial Digest support. At least partly working.

incoming proxy headers shall be sent to the debug function has HEADERs not
DATA

If there is a custom Host: header specified, we use that host name to
extract the correct set of cookies to send. This functionality is verified
by test case 62.

stop parsing Host: host names at colons too

extract host name from custom Host: headers to use for cookies

Guillaume Cottenceau's patch that adds CURLOPT_UNRESTRICTED_AUTH that
disables the host name check in the FOLLOWLOCATION code. With that option
set, libcurl will send user+password to all hos

Guillaume Cottenceau's patch that adds CURLOPT_UNRESTRICTED_AUTH that
disables the host name check in the FOLLOWLOCATION code. With that option
set, libcurl will send user+password to all hosts.

show more ...

Juan F. Codagnone pointed out a missing thing from the march 2 fix

Added typecast to please the MSVC compiler.

Init postdata properly before issuing a request, so that there isn't any
lingering POST-stuff that confuses GET requests. Juan F. Codagnone reported
this problem in bug report #653859.