THANKS: added names from the 7.79.1 release

test897: verify delivery of IMAP post-body header content

The "content" is delivered as "body" by curl, but the envelope continues
after the body and the rest of it should be delivered a

test897: verify delivery of IMAP post-body header content

The "content" is delivered as "body" by curl, but the envelope continues
after the body and the rest of it should be delivered as header.

The IMAP server can now get 'POSTFETCH' set to include more data to
include after the body and test 897 is done to verify that such "extra"
header data is in fact delivered by curl as header.

Ref: #7284 but fails to reproduce the issue

Closes #7748

show more ...

KNOWN_BUGS: connection migration doesn't work

Closes #7695

RELEASE-NOTES: synced

http: fix the broken >3 digit response code detection

When the "reason phrase" in the HTTP status line starts with a digit,
that was treated as the forth response code digit and curl wou

http: fix the broken >3 digit response code detection

When the "reason phrase" in the HTTP status line starts with a digit,
that was treated as the forth response code digit and curl would claim
the response to be non-compliant.

Added test 1466 to verify this case.

Regression brought by 5dc594e44f73b17
Reported-by: Glenn de boer
Fixes #7738
Closes #7739

show more ...

strerror: use sys_errlist instead of strerror on Windows

- Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
retrieve the error message on Windows.

Window

strerror: use sys_errlist instead of strerror on Windows

- Change Curl_strerror to use sys_errlist[errnum] instead of strerror to
retrieve the error message on Windows.

Windows' strerror writes to a static buffer and is not thread-safe.

Follow-up to 2f0bb86 which removed most instances of strerror in favor
of calling Curl_strerror (which calls strerror_r for other platforms).

Ref: https://github.com/curl/curl/pull/7685
Ref: https://github.com/curl/curl/commit/2f0bb86

Closes https://github.com/curl/curl/pull/7735

show more ...

dist: provide lib/.checksrc in the tarball

So that debug builds work (checksrc really)

Reported-by: Marcel Raad
Reported-by: tawmoto on github
Fixes #7733
Closes #7734

TODO: Improve documentation about fork safety

Closes #6968

hsts: CURLSTS_FAIL from hsts read callback should fail transfer

... and have CURLE_ABORTED_BY_CALLBACK returned.

Extended test 1915 to verify.

Reported-by: Jonathan Cardoso

hsts: CURLSTS_FAIL from hsts read callback should fail transfer

... and have CURLE_ABORTED_BY_CALLBACK returned.

Extended test 1915 to verify.

Reported-by: Jonathan Cardoso
Fixes #7726
Closes #7729

show more ...

test1184: disable

The test should be fine and it works for me repeated when run manually,
but clearly it causes CI failures and it needs more research.

Reported-by: RiderALT on

test1184: disable

The test should be fine and it works for me repeated when run manually,
but clearly it causes CI failures and it needs more research.

Reported-by: RiderALT on github
Fixes #7725
Closes #7732

show more ...

Curl_http2_setup: don't change connection data on repeat invokes

Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
transfer oriented inits to before the check but

Curl_http2_setup: don't change connection data on repeat invokes

Regression from 3cb8a748670ab88c (releasde in 7.79.0). That change moved
transfer oriented inits to before the check but also erroneously moved a
few connection oriented ones, which causes problems.

Reported-by: Evangelos Foutras
Fixes #7730
Closes #7731

show more ...

RELEASE-NOTES: synced

and bump to 7.79.1

tests/sshserver.pl: make it work with openssh-8.7p1

... by not using options with no argument where an argument is required:

=== Start of file tests/log/ssh_server.log
curl_sshd

tests/sshserver.pl: make it work with openssh-8.7p1

... by not using options with no argument where an argument is required:

=== Start of file tests/log/ssh_server.log
curl_sshd_config line 6: no argument after keyword "DenyGroups"
curl_sshd_config line 7: no argument after keyword "AllowGroups"
curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
curl_sshd_config line 40: Deprecated option RSAAuthentication
curl_sshd_config line 41: Deprecated option ServerKeyBits
curl_sshd_config line 45: Deprecated option UseLogin
curl_sshd_config line 56: no argument after keyword "AcceptEnv"
curl_sshd_config: terminating, 3 bad configuration options
=== End of file tests/log/ssh_server.log

=== Start of file log/sftp_server.log
curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
curl_sftp_config line 34: Unsupported option "rsaauthentication"
curl_sftp_config line 52: no argument after keyword "sendenv"
curl_sftp_config: terminating, 1 bad configuration options
Connection closed.
Connection closed
=== End of file log/sftp_server.log

Closes #7724

show more ...

hsts: handle unlimited expiry

When setting a blank expire string, meaning unlimited, curl would pass
TIME_T_MAX to getime_r() when creating the output, while on 64 bit
systems such a

hsts: handle unlimited expiry

When setting a blank expire string, meaning unlimited, curl would pass
TIME_T_MAX to getime_r() when creating the output, while on 64 bit
systems such a large value cannot be convetered to a tm struct making
curl to exit the loop with an error instead. It can't be converted
because the year it would represent doesn't fit in the 'int tm_year'
field!

Starting now, unlimited expiry is instead handled differently by using a
human readable expiry date spelled out as "unlimited" instead of trying
to use a distant actual date.

Test 1660 and 1915 have been updated to help verify this change.

Reported-by: Jonathan Cardoso
Fixes #7720
Closes #7721

show more ...

curl_multi_fdset: make FD_SET() not operate on sockets out of range

The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
built to use select(), even though the curl_m

curl_multi_fdset: make FD_SET() not operate on sockets out of range

The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
built to use select(), even though the curl_multi_fdset() function
always and unconditionally uses FD_SET and needs the check.

Reported-by: 0xee on github
Fixes #7718
Closes #7719

show more ...

FAQ: add GOPHERS + curl works on data, not files

RELEASE-NOTES: synced

For the 7.79.0 release

THANKS: add contributors from 7.79.0 release cycle

FAQ: add two dev related questions

8.1 Why does curl use C89?
8.2 Will curl be rewritten?

Spell-checked-by: Paul Johnson
Closes #7715

zuul.d/jobs: disable three tests for *-openssl-disable-proxy

... as they mysteriously seem to permfail without being related to
proxy.

Closes #7714

ftp,imap,pop3,smtp: reject STARTTLS server response pipelining

If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across

ftp,imap,pop3,smtp: reject STARTTLS server response pipelining

If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.

This fix detects pipelined STARTTLS responses and rejects them with an
error.

CVE-2021-22947

Bug: https://curl.se/docs/CVE-2021-22947.html

show more ...

ftp,imap,pop3: do not ignore --ssl-reqd

In imap and pop3, check if TLS is required even when capabilities
request has failed.

In ftp, ignore preauthentication (230 status of ser

ftp,imap,pop3: do not ignore --ssl-reqd

In imap and pop3, check if TLS is required even when capabilities
request has failed.

In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.

Bug: https://curl.se/docs/CVE-2021-22946.html

CVE-2021-22946

show more ...

mqtt: clear the leftovers pointer when sending succeeds

CVE-2021-22945

Bug: https://curl.se/docs/CVE-2021-22945.html

zuul: bump the rustls job to use v0.7.2

... and add -lm when using a rust library.

Closes #7701

RELEASE-PROCEDURE: add release dates from now to 8.0.0 in 2023