GHA: add scorecard.yml

add a "scorecard" scanner job

test3100: RTSP Basic authentication

Closes #9449

rtsp: fix RTSP auth

Verified with test 3100

Fixes #4750
Closes #9870

KNOWN_BUGS: remove eight entries

- 1.2 Multiple methods in a single WWW-Authenticate: header

This is not considered a bug anymore but a restriction and one that we
keep because

KNOWN_BUGS: remove eight entries

- 1.2 Multiple methods in a single WWW-Authenticate: header

This is not considered a bug anymore but a restriction and one that we
keep because we have NEVER gotten this reported by users in the wild and
because of this I consider this a fringe edge case we don't need to
support.

- 1.6 Unnecessary close when 401 received waiting for 100

This is not a bug, but possibly an optimization that *can* be done.

- 1.7 Deflate error after all content was received

This is not a curl bug. This happens due to broken servers.

- 2.1 CURLINFO_SSL_VERIFYRESULT has limited support

This is not a bug. This is just the nature of the implementation.

- 2.2 DER in keychain

This is not a bug.

- 5.7 Visual Studio project gaps

This is not a bug.

- 15.14 cmake build is not thread-safe

Fixed in 109e9730ee5e2b

- 11.3 Disconnects do not do verbose

This is not a bug.

Closes #9871

show more ...

headers: add endif comments

Closes #9853

test1221: verify --url-query

curl: add --url-query

This option adds a piece of data, usually a name + value pair, to the
end of the URL query part. The syntax is identical to that used for
--data-urlencode with

curl: add --url-query

This option adds a piece of data, usually a name + value pair, to the
end of the URL query part. The syntax is identical to that used for
--data-urlencode with one extension:

If the argument starts with a '+' (plus), the rest of the string is
provided as-is unencoded.

This allows users to "build" query parts with options and URL encoding
even when not doing GET requests, which the already provided option -G
(--get) is limited to.

This idea was born in a Twitter thread.

Closes #9691

show more ...

maketgz: set the right version in lib/libcurl.plist

Follow-up to e498a9b1fe5964a18eb2a3a99dc52

Make sure the tarball gets a version of the libcurl.plist file that is
updated wit

maketgz: set the right version in lib/libcurl.plist

Follow-up to e498a9b1fe5964a18eb2a3a99dc52

Make sure the tarball gets a version of the libcurl.plist file that is
updated with the new version string.

Reported-by: jvreelanda on github
Fixes #9866
Closes #9867

show more ...

RELEASE-NOTES: synced

Bumped version to 7.87.0

curl.h: add CURLOPT_CA_CACHE_TIMEOUT option

Adds a new option to control the maximum time that a cached
certificate store may be retained for.

Currently only the OpenSSL backend

curl.h: add CURLOPT_CA_CACHE_TIMEOUT option

Adds a new option to control the maximum time that a cached
certificate store may be retained for.

Currently only the OpenSSL backend implements support for
caching certificate stores.

Closes #9620

show more ...

openssl: reduce CA certificate bundle reparsing by caching

Closes #9620

lib: fix some type mismatches and remove unneeded typecasts

Many of these castings are unneeded if we change the variables to work
better with each other.

Ref: https://github.co

lib: fix some type mismatches and remove unneeded typecasts

Many of these castings are unneeded if we change the variables to work
better with each other.

Ref: https://github.com/curl/curl/pull/9823

Closes https://github.com/curl/curl/pull/9835

show more ...

cookie: compare cookie prefixes case insensitively

Adapted to language in rfc6265bis draft-11.

Closes #9863

Reviewed-by: Daniel Gustafsson

tool_operate: when aborting, make sure there is a non-NULL error buffer

To store custom errors in. Or SIGSEGVs will follow.

Reported-by: Trail of Bits
Closes #9865

WEBSOCKET.md: fix broken link

Reported-by: Felipe Gasper
Bug: https://curl.se/mail/lib-2022-10/0097.html
Closes #9864

CURLOPT_DEBUGFUNCTION.3: do not assume nul-termination in example

Reported-by: Oskar Sigvardsson

Bug: https://curl.se/mail/lib-2022-11/0016.html

Closes #9862

websockets: fix handling of partial frames

buffer used and send length calculations are fixed when a partial
websocket frame has been received.

Closes #9861

mailmap: unify Stefan Eissing

hyper: fix handling of hyper_task's when reusing the same address

Fixes #9840
Closes #9860

ws: return CURLE_NOT_BUILT_IN when websockets not built in

- Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
websockets support is not built in.

Prior to

ws: return CURLE_NOT_BUILT_IN when websockets not built in

- Change curl_ws_recv & curl_ws_send to return CURLE_NOT_BUILT_IN when
websockets support is not built in.

Prior to this change they returned CURLE_OK.

Closes #9851

show more ...

noproxy: tailmatch like in 7.85.0 and earlier

A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
differently than before. This restores the logic to how it used to work

noproxy: tailmatch like in 7.85.0 and earlier

A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
differently than before. This restores the logic to how it used to work:

All names listed in NO_PROXY are tailmatched against the used domain
name, if the lengths are identical it needs a full match.

Update the docs, update test 1614.

Reported-by: Stuart Henderson
Fixes #9842
Closes #9858

show more ...

configure: require fork for NTLM-WB

Reported-by: ウさん

Fixes #9847
Closes #9856

docs/EARLY-RELEASE.md: how to determine an early release

URL: https://curl.se/mail/lib-2022-10/0079.html

Closes #9820

RELEASE-NOTES: synced

docs: add missing parameters for --retry flag

Closes #9848