[installer 2407] curl-7.21.0

curl-7.21.0 has been released.

☆ curl-7.21.0

Version 7.21.0 (16 June 2010)

Daniel Stenberg (5 June 2010)
- Constantine Sapuntzakis fixed a case of spurious SSL connection aborts using
libcurl and OpenSSL. "I tracked it down to uncleared error state on the
OpenSSL error stack - patch attached deals with that."

Daniel Stenberg (5 June 2010)
CURLINFO_LOCAL_PORT to curl_easy_getinfo().

Yang Tse (4 June 2010)
- Enabled OpenLDAP support for cygwin builds. This support was disabled back
in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
allow building an OpenLDAP enabled libcurl supporting back to Windows 95.

Removed the non-functional CURL_LDAP_HYBRID code and references.

Daniel Stenberg (2 June 2010)
- Jason McDonald posted bug report #3006786 when he found that the SFTP code
didn't timeout properly in several places in the code even if a timeout was
set properly.

Based on his suggested patch, I wrote a different implementation that I
think addressed the issue better and also uses the connect timeout for the
initial part of the SSH/SFTP done during the "protocol connect" phase.


Yang Tse (2 June 2010)
- Added missing new libcurl files to non-configure targets. Adjusted
libcurl standard internal header inclusions in new files. Fixed an
SPNEGO related memory leak. Fixed several LDAP related compilation
issues, and fixed some compiler warnings.

Daniel Stenberg (1 June 2010)
- Igor Novoseltsev reported a problem with the multi socket API and using
timeouts and timers. It boiled down to a problem with libcurl's use of
GetTickCount() internally to figure out the current time, while Igor's own
application code used another function call.

It made his app call the socket API timeout function a bit _before_ libcurl
would consider the timeout to trigger, and that could easily lead to
timeouts or stalls in the app. It seems GetTickCount() in general often has
no better resolution than 16ms and switching to the alternative function
QueryPerformanceCounter has its share of problems:

We address this problem by simply having libcurl treat timers that already
have occurred or will occur within 40ms subject for treatment. I'm confident
that there are other implementations and operating systems with similarly
inaccurate timer functions so it makes sense to have applied generically and I
don't believe we sacrifice much by adding a 40ms inaccuracy on these

Kamil Dudka (27 May 2010)
- added a new test for CRL support (test313)

- Tor Arntsen changed the alternative definition of bool to use enum instead
of unsigned char.

Daniel Stenberg (25 May 2010)
- Julien Chaffraix fixed the warning seen when compiling lib/rtmp.c: one
unused variable, several unused arguments and some missing #include.

- Julien Chaffraix fixed 2 OOM errors: a missing NULL-check in
lib/http_negociate.c and a potential NULL dereferencing in lib/splay.c

- Howard Chu brought a patch that makes the LDAP code much cleaner, nicer and
in general being a better libcurl citizen. If a new enough OpenLDAP version
is detected, the new and shiny lib/openldap.c code is then used instead of the
old cruft.

Daniel Stenberg (21 May 2010)
- Eric Mertens posted bug #3003705: when we made TFTP use the correct timeout
option when sent to the server (fixed May 18th 2010) it became obvious that
libcurl used invalid timeout values (300 by default while the RFC allows
nothing above 255). While of course it is obvious that as TFTP has worked
thus far without being able to set timeout at all, just removing the setting
wouldn't make any difference in behavior. I decided to still keep it (but
fix the problem) as it now actually allows for easier (future) customization
of the timeout.


- Douglas Kilpatrick filed bug report #3004787 and pointed out that the TFTP
code didn't handle block id wraps correctly. His suggested fix inspired the
fix I committed.


Daniel Stenberg (20 May 2010)
- Tanguy Fautre brought a fix to allow curl to build with Microsoft VC10.

Daniel Stenberg (18 May 2010)
- Eric Mertens posted bug report #3003005 pointing out that the libcurl TFTP
code was not sending the timeout option properly to the server, and
suggested a fix.


Kamil Dudka (16 May 2010)
- Pavel Raiskup introduced a new option CURLOPT_FNMATCH_DATA in order to pass
a custom data pointer to the callback specified by CURLOPT_FNMATCH_FUNCTION.

Daniel Stenberg (14 May 2010)
- John-Mark Bell filed bug #3000052 that identified a problem (with an
associated patch) with the OpenSSL handshake state machine when the multi
interface is used:

Performing an https request using a curl multi handle and using select or
epoll to wait for events results in a hang. It appears that the cause is the
fix for bug #2958179, which makes ossl_connect_common unconditionally return
from the step 2 loop when fetching from a multi handle.

When ossl_connect_step2 has completed, it updates connssl->connecting_state
to ssl_connect_3. ossl_connect_common will then return to the caller, as a
multi handle is in use. Eventually, the client code will call
curl_multi_fdset to obtain an updated fdset to select or epoll on. For https
requests, curl_multi_fdset will cause https_getsock to be called.
https_getsock will only return a socket handle if the connecting_state is
ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will
never obtain a valid fdset, and thus not drive the multi handle, resulting
in a hang.


- Sebastian V reported bug #3000056 identifying a problem with redirect
following. It showed that when curl followed redirects it didn't properly
ignore the response body of the 30X response if that response was using
compressed Content-Encoding!


Daniel Stenberg (12 May 2010)
- Howard Chu brought support for RTMP. This is powered by the underlying
librtmp library. It supports a range of variations and "sub-protocols"
within the RTMP family.

- Pavel Raiskup brought support for FTP directory wildcard matching to allow
selective downloading. To provide that, a set of new options were added:


There were also a set of new tests added (574 - 577) to verify this.

Kamil Dudka (11 May 2010)
- CRL support in libcurl-NSS has been completely broken. Now it works. Original
bug report: https://bugzilla.redhat.com/581926

Daniel Stenberg (7 May 2010)
- Dirk Manske reported a regression. When connecting with the multi interface,
there were situations where libcurl wouldn't store connect time correctly as
it used to (and is documented to) do.

Using his fine sample program we could repeat it, and I wrote up test case
573 using that code. The problem does not easily show itself using the local
test suite though.

The fix, also as suggested by Dirk, is a bit on the ugly side as it adds yet
another call to Curl_verboseconnect() and setting the TIMER_CONNECT time.
That situation is subject for some closer inspection in the future.

- Howard Chu split the I/O handling functions into private handlers.

Howard Chu brought the bulk work of this patch that properly moves out the
sending and recving of data to the parts of the code that are properly
responsible for the various ways of doing so.

Daniel Stenberg assisted with polishing a few bits and fixed some minor
flaws in the original patch.

Another upside of this patch is that we now abuse CURLcodes less with the
"magic" -1 return codes and instead use CURLE_AGAIN more consistently.

Daniel Stenberg (5 May 2010)
- Hoi-Ho Chan introduced support for using the PolarSSL library. You control
this with the new configure option --with-polarssl.

Daniel Stenberg (29 Apr 2010)
- Ben Greear made telnet a lot better/easier to use by an application:

The main change is to allow input from user-specified methods, when they are
specified with CURLOPT_READFUNCTION. All calls to fflush(stdout) in
telnet.c were removed, which makes using 'curl telnet://foo.com' painful
since prompts and other data are not always returned to the user promptly.
Use 'curl --no-buffer telnet://foo.com' instead. In general, the user
should have their CURLOPT_WRITEFUNCTION do a fflush for interactive use.

Also fix assumption that reading from stdin never returns < 0.
Old code could crash in that case.

Call progress functions in telnet main loop.

Daniel Stenberg (26 Apr 2010)
- Make use of the libssh2_init/exit functions that libssh2 added in version
1.2.5. Using them will improve how libcurl works in threaded situations when
SCP and SFTP are transferred.

Daniel Stenberg (25 Apr 2010)
- Based on work by Kamil Dudka, I've introduced the new configure option
--enable-threaded-resolver. When used, the configure script will check for
pthreads and if around, it will build libcurl to use pthreads to do name
resolving in a threaded manner. Note that this is just a fix to offer an
option that can enable the code that is already included. The threaded resolver
code was mostly added on Jan 26 2010.

Daniel Stenberg (24 Apr 2010)
- Alex Bligh introduced the --proto and --proto-redir options that limit what
protocols curl accepts for the requests and when following redirects.

Kamil Dudka (24 Apr 2010)
- Fixed test536 in order to not fail with threaded DNS resolver and tweaked
comments in certain examples using curl_multi_fdset().

- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
to hang on a slow machine.

Daniel Stenberg (21 Apr 2010)
- The -O option caused curl to crash on windows and DOS due to the tool
writing out of boundary memory.

Yang Tse (20 Apr 2010)
- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead
of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds
that were done using those makefiles.

Daniel Stenberg (19 Apr 2010)
- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds
properly, so they could be used in the file name.

Daniel Stenberg (16 Apr 2010)
- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking.

- The recent overhaul of the SSL recv function made the GnuTLS specific code
treat a zero returned from gnutls_record_recv() as an error, and this caused
our HTTPS test cases to fail. We leave it to upper layer code to detect if
an EOF is a problem or not.

- I reverted the resolver fix from yesterday and instead removed all uses of
AI_CANONNAME all over libcurl and made the only user of that info (krb5.c)
use the host name from the URL instead. No reverse resolving is a good

- Paul Howarth made configure properly detect GSS "on ancient Linux distros"
by editing in which order we use headers to detect GSS.

Daniel Stenberg (15 Apr 2010)
- Rainer Canavan filed bug report #2987196 that identified libcurl doing
unnecessary reverse name lookups in many cases when built to use IPv4 and
getaddrinfo(). The logic for ipv6 is now used for ipv4 too.


Version 7.20.1 (14 April 2010)

Daniel Stenberg (9 Apr 2010)
- Prefixing the FTP quote commands with an asterisk really only worked for the
postquote actions. This is now fixed and test case 227 has been extended to

Kamil Dudka (4 Apr 2010)
- Eliminated a race condition in Curl_resolv_timeout().

- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send().

- libcurl-NSS now provides more accurate messages and error codes in case of
client certificate problem. Either during connection, or transfer phase.

Daniel Stenberg (1 Apr 2010)
- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code
treated a 0 return code from libssh2 to be the same as EAGAIN while in
reality it isn't. The problem caused a hang in SFTP transfers from a
MessageWay server.

Daniel Stenberg (28 Mar 2010)
- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as
part of the URL, it would previously ask for 'INBOX' which just causes the
pop3 server to return an error.

Now libcurl treats an empty message ID as a request for LIST (list of pop3
message IDs). User's code could then parse this and download individual
messages as desired.

Daniel Stenberg (27 Mar 2010)
- Ben Greear brought a patch that from now on allows all protocols to specify
name and user within the URL, in the same manner HTTP and FTP have been
allowed to in the past - although far from all of the libcurl supported
protocols actually have that feature in their URL definition spec.

Daniel Stenberg (26 Mar 2010)
- Ben Greear brought code that makes the rate limiting code for the easy
interface a bit smoother as it introduces sub-second sleeps during it and it
also takes the buffer sizes into account.

Daniel Stenberg (24 Mar 2010)
- Bob Richmond: There's an annoying situation where libcurl will read new HTTP
response data from a socket, then check if it's a timeout if one is set. If
the last packet received constitutes the end of the response body, libcurl
still treats it as a timeout condition and reports a message like:

"Operation timed out after 3000 milliseconds with 876 out of 876 bytes

It should only be a timeout if the timer lapsed and we DIDN'T receive the end
of the response body yet.

- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported
to us by Massimo Callegari. There's a new test case 572 that verifies this

- The 'ares' subtree has been removed from the source repository. It was
always a separate project that sort of piggybacked on the curl project since
the dawn of times and now the time has come for it to go stand on its own
legs and continue living its own life. All details on c-ares and its new
source code repository is found at http://c-ares.haxx.se/

Daniel Stenberg (23 Mar 2010)
- Kenny To filed the bug report #2963679 with patch to fix a problem he
experienced with doing multi interface HTTP POST over a proxy using
PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect
was not set correctly so libcurl didn't work properly.


- Akos Pasztory filed debian bug report #572276
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem
with a resource that returns chunked-encoded _and_ with a Content-Length
and libcurl failed to properly ignore the latter information.

- Hauke Duden provided an example program that made the multi interface crash.
His example simply used the multi interface and did first one FTP transfer
and after completion it used a second easy handle and did another FTP
transfer on the same FTP server.

This triggered a bug in the "delayed easy handle kill" system that curl
uses: when an FTP connection is left alive it must keep an easy handle
around internally - only for the purpose of having an easy handle when it
later disconnects it. The code assumed that when the easy handle was removed
and an internal reference was made, that version could be killed later on
when a new easy handle came using the same connection. This was wrong as
Hauke's example showed that the removed handle wasn't killed for real until
later. This caused a double close attempt => segfault.

Daniel Stenberg (22 Mar 2010)
- Thomas Lopatic fixed the alarm()-based DNS timeout:

Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in
case of a timeout, the signal handler for SIGALRM never gets removed. I
think that in my case it gets executed at some point later on when execution
has long left Curl_resolv_timeout() or even the cURL library.

The code that is jumped to with siglongjmp() simply sets the error message
to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess
that instead of simply returning without cleaning up, the code should have a
goto that jumps to the spot right after the call to Curl_resolv().
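
Added example (not curl's Curl_resolv_timeout() code): the alarm()/siglongjmp() timeout pattern the entry above describes, with the SIGALRM disposition restored and the alarm cancelled on both the normal and the timed-out path. run_with_timeout, slow_lookup, fast_lookup and handler_still_installed are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static sigjmp_buf jmpenv;

static void alarm_handler(int sig)
{
  (void)sig;
  siglongjmp(jmpenv, 1);          /* unwind out of the blocking call */
}

/* Runs blocking_fn() under a timeout given in seconds.
   Returns its result, -1 on timeout, -2 if the handler cannot be set. */
int run_with_timeout(int (*blocking_fn)(void), unsigned int seconds)
{
  struct sigaction sa, old_sa;
  volatile int rc;

  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = alarm_handler;
  sigemptyset(&sa.sa_mask);
  if(sigaction(SIGALRM, &sa, &old_sa) != 0)
    return -2;

  if(sigsetjmp(jmpenv, 1) == 0) {
    alarm(seconds);
    rc = blocking_fn();           /* normal path */
  }
  else
    rc = -1;                      /* arrived here through siglongjmp() */

  /* Shared cleanup. Returning from the timeout branch without this would
     leave alarm_handler installed, free to fire after jmpenv is stale. */
  alarm(0);
  sigaction(SIGALRM, &old_sa, NULL);
  return rc;
}

/* Constructed stand-ins for a name lookup. */
int slow_lookup(void) { sleep(5); return 0; }
int fast_lookup(void) { return 7; }

/* 1 if our handler is still the SIGALRM disposition, else 0. */
int handler_still_installed(void)
{
  struct sigaction cur;
  sigaction(SIGALRM, NULL, &cur);
  return cur.sa_handler == alarm_handler;
}

int main(void)
{
  printf("fast: %d, handler left behind: %d\n",
         run_with_timeout(fast_lookup, 1), handler_still_installed());
  printf("slow: %d, handler left behind: %d\n",
         run_with_timeout(slow_lookup, 1), handler_still_installed());
  return 0;
}
```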

Kamil Dudka (22 Mar 2010)
- Douglas Steinwand contributed a patch fixing insufficient initialization in

Daniel Stenberg (21 Mar 2010)
- Ben Greear improved TFTP: the error code returning and the treatment
of TSIZE == 0 when uploading.

- We've switched from CVS to git. See http://curl.haxx.se/source.html

Kamil Dudka (19 Mar 2010)
- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().

Daniel Stenberg (15 Mar 2010)
- Constantine Sapuntzakis brought a patch:

The problem mentioned on Dec 10 2009
(http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
Partially because an easy handle can be associated with many connections in
the cache (e.g. if there is a redirect during the lifetime of the easy
handle). The previous patch only cleaned up the first one. The new fix now
removes the easy handle from all connections, not just the first one.

Daniel Stenberg (6 Mar 2010)
- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
the easy interface was used.

Daniel Stenberg (5 Mar 2010)
- Daniel Johnson provided fixes for building curl with the clang compiler.

Yang Tse (5 Mar 2010)
- Constantine Sapuntzakis detected and fixed a double free in builds done
with threaded resolver enabled (Windows default configuration) that would
get triggered when a curl handle is closed while doing DNS resolution.

Daniel Stenberg (2 Mar 2010)
- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
ran into some issues with the GSSAPI tests in configure.ac. The tests first
try to determine the include dirs and libs and set CPPFLAGS and LIBS
accordingly. It then checks for the headers and finally sets LIBS a second
time, causing the libs to be included twice. The first setting of LIBS seems
redundant and should be left out, since the first part is otherwise just
about finding headers.

My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
useless and returns junk that, while it happens to work with gcc, causes
clang to choke. For example, --libs returns $CFLAGS along with the libs,
which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
-lresolv"' on Darwin is sufficient.

- Based on patch provided by Jacob Moshenko, the transfer logic now properly
makes sure that when using sub-second timeouts, there's no final bad 1000ms
wait. Previously, a sub-second timeout would often make the elapsed time end
up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)

- Andrei Benea filed bug report #2956698 and pointed out that the
CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
call. He provided the patch to fix it too.


- Markus Duft pointed out in bug #2961796 that even though Interix has a
poll() function it doesn't quite work the way we want it so we must disable
it, and he also provided a patch for it.


- Made the pingpong timeout code properly deal with the response timeout AND
the global timeout if set. Also, as was reported in the bug report #2956437
by Ryan Chan, the time stamp to use as basis for the per command timeout was
not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
that just now. This was a regression compared to 7.19.7 due to the
conversion of FTP code over to the generic pingpong concepts.


Daniel Stenberg (1 Mar 2010)
- Ben Greear provided an update for TFTP that fixes upload.

- Wesley Miaw reported bug #2958179 which identified a case of looping during
OpenSSL based SSL handshaking even though the multi interface was used and
there was no good reason for it.


Daniel Stenberg (26 Feb 2010)
- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
chunked-encoding trailer.


Daniel Fandrich (25 Feb 2010)
- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.

Yang Tse (25 Feb 2010)
- I fixed bug report #2958074 indicating
(http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
option --trace-time did not use local time when timestamping trace lines.
This could also happen on other systems depending on time source.

Patrick Monnerat (22 Feb 2010)
- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
- Use of true local host name (i.e.: via gethostname()) when available, as
default argument to SMTP HELO/EHLO.
- Test case 804 for HELO fallback.

Daniel Stenberg (20 Feb 2010)
- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
get angle bracket wrapping automatically by libcurl unless the recipient
starts with an angle bracket as then the app is assumed to deal with that
properly on its own.

- I made the SMTP code expect a 250 response back from the server after the
full DATA has been sent, and I modified the test SMTP server to also send
that response. As usual, the DONE operation that is made after a completed
transfer is still not doable in a non-blocking way so this waiting for 250
is unfortunately made blockingly.

Yang Tse (14 Feb 2010)
- Overhauled test suite getpart() function. Fixing potential out of bounds
stack and memory overwrites triggered with huge test case definitions.

Daniel Stenberg (13 Feb 2010)
- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4


- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.


Daniel Stenberg (12 Feb 2010)
- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
in the same RCPT TO line, when they should be sent in separate single
commands. I updated test case 802 to verify this.

- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
tool which made it try to output it as string for the --libcurl feature
which could lead to crashes.

Yang Tse (11 Feb 2010)
- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
removed obsolete batch_compile.com and defines.com and updated VMS readme.

Version 7.20.0 (9 February 2010)

Daniel Stenberg (9 Feb 2010)
- When downloading compressed content over HTTP and the app asked libcurl to
automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
wrongly provide the callback with more data than the maximum documented
amount. An application could thus get tricked into badness if the maximum
limit was trusted to be enforced by libcurl itself (as it is documented).

This is further detailed and explained in the libcurl security advisory
20100209 at
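
Added example (not from the curl changelog or the curl project): a write callback that checks the delivered length itself instead of trusting the documented per-call maximum, beside the trusting pattern the entry above warns about. DOC_MAX_WRITE mirrors CURL_MAX_WRITE_SIZE; struct sink, write_trusting, write_checked and feed_chunk are hypothetical names, and the chunks are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Documented upper bound on bytes per write-callback call (the value of
   CURL_MAX_WRITE_SIZE in curl/curl.h), redefined so this builds alone. */
#define DOC_MAX_WRITE 16384

struct sink {
  char   buf[DOC_MAX_WRITE];  /* scratch buffer sized to the documented max */
  size_t len;                 /* bytes held from the latest chunk */
};

/* Trusting pattern, for contrast only and never called here: it relies on
   the library to enforce the maximum, so an oversized chunk overruns buf. */
size_t write_trusting(char *ptr, size_t size, size_t nmemb, void *userdata)
{
  struct sink *s = userdata;
  memcpy(s->buf, ptr, size * nmemb);    /* no bounds check */
  s->len = size * nmemb;
  return size * nmemb;
}

/* Hardened: validates the length before copying. Returning a count that
   differs from size*nmemb makes libcurl abort with CURLE_WRITE_ERROR. */
size_t write_checked(char *ptr, size_t size, size_t nmemb, void *userdata)
{
  struct sink *s = userdata;
  size_t n;

  if(size != 0 && nmemb > (size_t)-1 / size)
    return 0;                           /* size*nmemb would overflow */
  n = size * nmemb;
  if(n > sizeof(s->buf))
    return 0;                           /* larger than the buffer: refuse */
  memcpy(s->buf, ptr, n);
  s->len = n;
  return n;
}

/* Feeds one constructed chunk of n bytes to the checked callback. */
size_t feed_chunk(struct sink *s, size_t n)
{
  static char chunk[2 * DOC_MAX_WRITE];
  memset(chunk, 'A', sizeof(chunk));
  return write_checked(chunk, 1, n, s);
}

int main(void)
{
  static struct sink s;
  printf("in-bounds chunk accepted: %zu bytes\n", feed_chunk(&s, 4096));
  printf("oversized chunk accepted: %zu bytes\n",
         feed_chunk(&s, DOC_MAX_WRITE + 1));
  return 0;
}
```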


Daniel Fandrich (3 Feb 2010)
- Changed the Watcom makefiles to make them easier to keep in sync with
Makefile.inc since that can't be included directly.

Yang Tse (2 Feb 2010)
- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
symbol will not be available when building with CURL_NO_OLDIES defined. Use
of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0

Daniel Stenberg (1 Feb 2010)
- Using the multi_socket API, it turns out at times it seemed to "forget"
connections (which caused a hang). It turned out to be an existing (7.19.7)
bug in libcurl (that's been around for a long time) and it happened like

The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
then set it to timeout in 1 millisecond so libcurl will tell the app about

The app's timeout fires off that there's a timeout, the app calls libcurl as
we so often document it:

do {
res = curl_multi_socket_action(... TIMEOUT ...);

And this is the problem number one:

When curl_multi_socket_action() is called with no specific handle, but only
a timeout-action, it will *only* perform actions within libcurl that are
marked to run at this time. In this case, the request would go from INIT to
CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
again, there's no timer set for this handle so it remains in the CONNECT
state. The CONNECT state is a transitional state in libcurl so it reports no
sockets there, and thus libcurl never tells the app anything more about that
easy handle/connection.

libcurl _does_ set a 1ms timeout for the handle at the end of
multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
is instant the new job is not ready to run at that point (and there's no
code that makes libcurl call the app to update the timeout for this new
timeout). It will simply rely on that some other timeout will trigger later
on or that something else will update the timeout callback. This makes the
bug fairly hard to repeat.

The fix made to address this issue:

We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
benefit that this goes in line with my long-term wishes to get rid of the
CURLM_CALL_MULTI_PERFORM all together from the public API.

The downside of this fix, is that the counter we return in 'running_handles'
in several of our public functions then gets a slightly new and possibly
confusing behavior during times:

If an app adds a handle that fails to connect (very quickly) it may just
as well never appear as a 'running_handle' with this fix. Previously it
would first bump the counter only to get it decreased again at next call.
Even I have used that change in handle counter to signal "end of a
transfer". The only *good* way to find the end of an individual transfer
is calling curl_multi_info_read() to see if it returns one.

Of course, if the app previously did the looping before it checked the
counter, it really shouldn't be any new effect.

Yang Tse (26 Jan 2010)
- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
relative to the asynchronous DNS lookups, along with some integration
adjustments I have done are finally committed to CVS.

Currently these enhancements will benefit builds done using c-ares on any
platform as well as Windows builds using the default threaded resolver.

This release does not make generally available POSIX threaded DNS lookups
yet. There is no configure option to enable this feature yet. It is possible
to experimentally try this feature running configure with compiler flags that
make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
are required to link and properly use pthread_* functions on each platform.

Daniel Stenberg (26 Jan 2010)
- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
proxy that cannot be resolved when using c-ares. This matches the behaviour
when not using c-ares.

Posted by xml-rpc: 17 June 2010 13:29