transfer: maintain --path-as-is after redirects

Reported-by: Marcus T
Fixes #8974
Closes #8975

test391: verify --path-as-is with redirect

curl_global_init.3: Separate the Windows loader lock warning

This is a slight correction of the parent commit which implied the
loader lock warning only applied if not thread-safe. In fa

curl_global_init.3: Separate the Windows loader lock warning

This is a slight correction of the parent commit which implied the
loader lock warning only applied if not thread-safe. In fact the loader
lock warning applies either way.

Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030

show more ...

curl_global_init.3: this is now (usually) thread-safe

Follow-up to 23af112f5556

Closes #8972

libcurl-security.3: Document CRLF header injection

- Document that user input to header options is not sanitized, which
could result in CRLF used to modify the request in a way other t

libcurl-security.3: Document CRLF header injection

- Document that user input to header options is not sanitized, which
could result in CRLF used to modify the request in a way other than
what was intended.

Ref: https://hackerone.com/reports/1589877
Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545

Closes https://github.com/curl/curl/pull/8964

show more ...

CURLOPT_RANGE.3: remove ranged upload advice

The e-mail link in the advice contains instructions that are prone to
error. We need an example that works and can demonstrate how to properl

CURLOPT_RANGE.3: remove ranged upload advice

The e-mail link in the advice contains instructions that are prone to
error. We need an example that works and can demonstrate how to properly
perform a ranged upload, and then we can refer to that example instead.

Bug: https://github.com/curl/curl/issues/8969
Reported-by: Simon Berger

Closes https://github.com/curl/curl/pull/8970

show more ...

curl_version_info: add CURL_VERSION_THREADSAFE_INIT

This flag can be used to make sure that curl_global_init() is
thread-safe.

This can be useful for libraries that can't contro

curl_version_info: add CURL_VERSION_THREADSAFE_INIT

This flag can be used to make sure that curl_global_init() is
thread-safe.

This can be useful for libraries that can't control what other
dependencies are doing with Curl.

Closes #8680

show more ...

lib: make curl_global_init() threadsafe when possible

Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and
curl_global_cleanup().

Closes #8680

RELEASE-NOTES: synced

test414: add the '--resolve' keyword

... so the test can be automatically skipped when
using an external proxy like Privoxy.

Closes #8959

test{440,441,493,977}: add "HTTP proxy" keywords

... so the tests can be automatically skipped when
using an external proxy like Privoxy.

Closes #8959

runtests.pl: add the --repeat parameter to the --help output

Closes #8959

test 2081: add a valid reply for the second request

... so the test works when using a HTTP proxy like
Privoxy that sends an error message if the server
doesn't send data.

C

test 2081: add a valid reply for the second request

... so the test works when using a HTTP proxy like
Privoxy that sends an error message if the server
doesn't send data.

Closes #8959

show more ...

test 675: add missing CR so the test passes when run through Privoxy

Closes #8959

ftp: when failing to do a secure GSSAPI login, fail hard

... instead of switching to cleartext. For the sake of security.

Reported-by: Harry Sintonen
Bug: https://hackerone.com/

ftp: when failing to do a secure GSSAPI login, fail hard

... instead of switching to cleartext. For the sake of security.

Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1590102
Closes #8963

show more ...

http2: reject overly many push-promise headers

Getting more than a thousand of them is rather a sign of some kind of
attack.

Reported-by: Harry Sintonen
Bug: https://hackero

http2: reject overly many push-promise headers

Getting more than a thousand of them is rather a sign of some kind of
attack.

Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1589847
Closes #8962

show more ...

misc: spelling improvements

Closes #8956

ngtcp2: fix assertion failure on EMSGSIZE

Closes #8958

easy/transfer: fix cookie-disabled build

Follow-up from 45de940cebf6a
Reported-by: Marcel Raad
Fixes #8953
Closes #8954

examples/crawler.c: use the curl license

With permission from Jeroen Ooms

URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731
Closes #8950

speed-limit/time.d: mention these affect transfers in either direction

Reported-by: Ladar Levison
Fixes #8948
Closes #8951

scripts/copyright.pl: fix the exclusion to not ignore man pages

Ref: #8869
Closes #8952

examples: remove fopen.c and rtsp.c

To simplify the license situation, as they were the only files in the
source tree using these specific BSD-3 clause licenses.

For an fopen st

examples: remove fopen.c and rtsp.c

To simplify the license situation, as they were the only files in the
source tree using these specific BSD-3 clause licenses.

For an fopen style API, we recommend instead going
https://github.com/curl/fcurl

Ref: #8869
Closes #8949

show more ...

netrc: check %USERPROFILE% as well on Windows

Closes #8855

CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish