RELEASE-NOTES: synced

and bump to 7.81.0-DEV

mime: use percent-escaping for multipart form field and file names

Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails.

mime: use percent-escaping for multipart form field and file names

Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails. This commit
replaces this with the percent-escaping method for URLs.

As this may introduce incompatibilities with server-side applications, a
new libcurl option CURLOPT_MIME_OPTIONS with bitmask
CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
backslash-escaping. This is controlled by new cli tool option
--form-escape.

New tests and documentation are provided for this feature.

Reported by: Ryan Sleevi
Fixes #7789
Closes #7805

show more ...

zuul.d: update rustls-ffi to version 0.8.2

This version fixes errors with ALPN negotiation in rustls, which is
necessary for HTTP/2 support. For more information see the rustls-ffi
c

zuul.d: update rustls-ffi to version 0.8.2

This version fixes errors with ALPN negotiation in rustls, which is
necessary for HTTP/2 support. For more information see the rustls-ffi
changelog.

Closes #8013

show more ...

configure: better diagnostics if hyper is built wrong

If hyper is indeed present in the specified directory but couldn't be
used to find the correct symbol, then offer a different error

configure: better diagnostics if hyper is built wrong

If hyper is indeed present in the specified directory but couldn't be
used to find the correct symbol, then offer a different error message to
better help the user understand the issue.

Suggested-by: Jacob Hoffman-Andrews
Fixes #8001
Closes #8005

show more ...

test1939: require proxy support to run

Follow-up to f0b7099a10d1a

Closes #8011

test302[12]: run only with the libssh2 backend

... as the others don't support --hostpubsha256

Reported-by: Paul Howarth
Fixes #8009
Closes #8010

runtests: make the SSH library a testable feature

libssh2, libssh and wolfssh

rustls: read of zero bytes might be okay

When we're reading out plaintext from rustls' internal buffers, we might
get a read of zero bytes (meaning a clean TCP close, including
close

rustls: read of zero bytes might be okay

When we're reading out plaintext from rustls' internal buffers, we might
get a read of zero bytes (meaning a clean TCP close, including
close_notify). However, we shouldn't return immediately when that
happens, since we may have already copied out some plaintext bytes.
Break out of the loop when we get a read of zero bytes, and figure out
which path we're dealing with.

Acked-by: Kevin Burke

Closes #8003

show more ...

rustls: remove incorrect EOF check

The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify.
From the CHANGELOG:

> Handling of unclean close and the close_notify

rustls: remove incorrect EOF check

The update to rustls-ffi 0.8.0 changed handling of EOF and close_notify.
From the CHANGELOG:

> Handling of unclean close and the close_notify TLS alert. Mirroring
> upstream changes, a rustls_connection now tracks TCP closed state like
> so: rustls_connection_read_tls considers a 0-length read from its
> callback to mean "TCP stream was closed by peer." If that happens
> before the peer sent close_notify, rustls_connection_read will return
> RUSTLS_RESULT_UNEXPECTED_EOF once the available plaintext bytes are
> exhausted. This is useful to protect against truncation attacks. Note:
> some TLS implementations don't send close_notify. If you are already
> getting length information from your protocol (e.g. Content-Length in
> HTTP) you may choose to ignore UNEXPECTED_EOF so long as the number of
> plaintext bytes was as expected.

That means we don't need to check for unclean EOF in `cr_recv()`,
because `process_new_packets()` will give us an error if appropriate.

Closes #8003

show more ...

lib1939: make it endure torture tests

Follow-up to f0b7099a10d1a

Closes #8007

azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper

The configure line would previously depend on a configure mistake using
--without-openssl that is fixed and now this configu

azure: make the "w/o HTTP/SMTP/IMAP" build disable SSL proper

The configure line would previously depend on a configure mistake using
--without-openssl that is fixed and now this configure line needs
adjusting to use --without-ssl.

Follow-up to b589696f0312d

Closes #8006

show more ...

configure: add -lm to configure for rustls build.

Note: The list of libraries that rustc tells us we need to include is
longer, but also includes some more platform-specific libraries th

configure: add -lm to configure for rustls build.

Note: The list of libraries that rustc tells us we need to include is
longer, but also includes some more platform-specific libraries that I
am not sure how to effectively incorporate. Adding just -lm seems to
solve an immediate problem, so I'm adding just that.

Closes #8002

show more ...

curl_share_setopt.3: refer to CURLSHOPT_USERDATA(3) properly

curl_share_setopt.3: split out options into their own manpages

CURLSHOPT_LOCKFUNC.3
CURLSHOPT_SHARE.3
CURLSHOPT_UNLOCKFUNC.3
CURLSHOPT_UNSHARE.3
CURLSHOPT_USERDATA.3

curl_share_setopt.3: split out options into their own manpages

CURLSHOPT_LOCKFUNC.3
CURLSHOPT_SHARE.3
CURLSHOPT_UNLOCKFUNC.3
CURLSHOPT_UNSHARE.3
CURLSHOPT_USERDATA.3

Closes #7998

show more ...

http_proxy: make Curl_connect_done() work for proxy disabled builds

... by making it an empty macro then.

Follow-up to f0b7099a10d1a
Reported-by: Vincent Grande
Fixes #7995

http_proxy: make Curl_connect_done() work for proxy disabled builds

... by making it an empty macro then.

Follow-up to f0b7099a10d1a
Reported-by: Vincent Grande
Fixes #7995
Closes #7996

show more ...

Curl_connect_done: handle being called twice

Follow-up to f0b7099a10d1a7c

When torture testing 1021, it turns out the Curl_connect_done function
might be called twice and that p

Curl_connect_done: handle being called twice

Follow-up to f0b7099a10d1a7c

When torture testing 1021, it turns out the Curl_connect_done function
might be called twice and that previously then wrongly cleared the HTTP
pointer in the second invoke.

Closes #7999

show more ...

configure: don't enable TLS when --without-* flags are used

Previously specifying `--without-gnutls` would unexpectedly attempt to
compile with GnuTLS, effectively interpreting this as

configure: don't enable TLS when --without-* flags are used

Previously specifying `--without-gnutls` would unexpectedly attempt to
compile with GnuTLS, effectively interpreting this as
`--with-gnutls`. This caused a significant amount of confusion when
`libcurl` was built with SSL disabled since GnuTLS wasn't present.

68d89f24 dropped the `--without-*` options from the configure help, but
`AC_ARG_WITH` still defines these flags automatically. As
https://www.gnu.org/software/autoconf/manual/autoconf-2.60/html_node/External-Software.html
describes, the `action-if-given` is called when the user specifies
`--with-*` or `--without-*` options.

To prevent this confusion, we make the `--without` flag do the right
thing by ignoring the value if it set to "no".

Closes #7994

show more ...

docs/checksrc: Add documentation for STRERROR

Closes #7991

vtls/rustls: adapt to the updated rustls_version proto

Closes #7956

vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY

Previously we'd return CURLE_READ_ERROR if we received this, instead
of triggering the error handling logic that's present in the next i

vtls/rustls: handle RUSTLS_RESULT_PLAINTEXT_EMPTY

Previously we'd return CURLE_READ_ERROR if we received this, instead
of triggering the error handling logic that's present in the next if
block down.

After this change, curl requests to https://go.googlesource.com using
HTTP/2 complete successfully.

Fixes #7949
Closes #7948

show more ...

zuul: update build environment for rustls-ffi 0.8.0

vtls/rustls: update to compile with rustls-ffi v0.8.0

Some method names, as well as the generated library name, were changed
in a recent refactoring.

Further, change the default

vtls/rustls: update to compile with rustls-ffi v0.8.0

Some method names, as well as the generated library name, were changed
in a recent refactoring.

Further, change the default configuration instructions to check for
Hyper in either "target/debug" or "target/release" - the latter
contains an optimized build configuration.

Fixes #7947
Closes #7948

show more ...

RELEASE-NOTES: synced

and bump the version to 7.80.1

multi: shut down CONNECT in Curl_detach_connnection

... to prevent a lingering pointer that would lead to a double-free.

Added test 1939 to verify.

Reported-by: Stephen M.

multi: shut down CONNECT in Curl_detach_connnection

... to prevent a lingering pointer that would lead to a double-free.

Added test 1939 to verify.

Reported-by: Stephen M. Coakley
Fixes #7982
Closes #7986

show more ...

curl_easy_cleanup.3: remove from multi handle first

Easy handles that are used by the multi interface should be removed from
the multi handle before they are cleaned up.

Reporte

curl_easy_cleanup.3: remove from multi handle first

Easy handles that are used by the multi interface should be removed from
the multi handle before they are cleaned up.

Reported-by: Stephen M. Coakley
Ref: #7982
Closes #7983

show more ...