Welcome to another curl release. You know how this dance goes…
the 220th release
50 days (total: 9,252)
122 bug-fixes (total: 9,167)
177 commits (total: 30,606)
0 new public libcurl function (total: 91)
1 new curl_easy_setopt() option (total: 303)
4 new curl command line option (total: 255)
55 contributors, 34 new (total: 2,922)
35 authors, 20 new (total: 1,170)
1 security fixes (total: 146)
fopen race condition (medium)
CVE-2023-32001. libcurl can be told to save cookies, HSTS and/or alt-svc data to files. When doing this, it called
stat() followed by
fopen() in a way that made it vulnerable to a TOCTOU (Time of Check, Time of Use) race condition problem.
By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to.
curl: add –ca-native and –proxy-ca-native
The command line tool (and library) got new options to ask it to use the systems “native” CA storage. Currently only work on Windows when curl is built to use an OpenSSL fork.
curl: add –trace-ids
This option makes the trace log files include connection and transfer identifiers, which greatly helps debugging transfers doing many (parallel) transfers.
CURLOPT_MAIL_RCPT_ALLOWFAILS replaces CURLOPT_MAIL_RCPT_ALLLOWFAILS
Provide the option without the typo!
add –haproxy-clientip flag to set client IPs
Now users of the tool (and library) pass on specific IP addresses instead of simply using the current one.
add CURLINFO_CONN_ID and CURLINFO_XFER_ID
Two options that allows the application to extract the connection and transfer “Id” of the current transfer, presumably from a debugfunction callback and the likes.
We have again fixed more than a hundred problems in this release cycle. Here follows a subset that I suspect might be among the most interesting ones.
examples: we’ve added and extended numerous
The ambition is to gradually over time provide examples that show use of all curl_easy_setopt options. We are still way off from that.
http2: numerous smaller and larger fixes
Several regressions and cleanups have been done that improves how HTTP/2 works compared to previous releases.
http2: send HEADER and DATA together
When sending POST requests, libcurl now does a better job in putting the initial outgoing HEADER and DATA frames together, most likely in the same TLS frame.
http3: upload EAGAIN handling
EAGAIN handling for HTTP/3 uploads was fixed, like it was for HTTP/2 as well.
http: fix the outgoing Cookie: header length check
The check that would prevent too long outgoing cookie headers was off by up to a few hundred bytes.
libssh2: use custom memory functions (again)
Bring back use of custom memory functions with libssh2 as otherwise it actually cannot be used with a debug build of curl (or when libssh2 is used as a DLL on windows) due to naive presumptions in the libssh2 API.
runtests: many improvements, leading to -j
Introducing parallel tests.
sectransp: fix EOF handling
A regression caused curl misbehave on end of connection using TLS when built to use Secure Transport.
timeval: use CLOCK_MONOTONIC_RAW if available
For platforms with this clock option, curl now prefers that in an effort to avoid a time that can go backwards.
tool_writeout_json: fix encoding of control characters
The output of control codes in the generated JSON with
--json now works better.
urlapi: have *set(PATH) prepend a slash if one is missing
Setting a path using the URL API without a leading slash would previously generate a broken URL when it was extracted. Starting now, libcurl will prepend a slash if there is none.
urlapi: scheme must start with alpha
The URL parser would previously allow a few other characters to start a scheme as well. No more.
tool_parsecfg: accept line lengths up to 10M
The config file parser now allows lines to be up to 10 megabytes. For those odd users generating files with huge data components embedded.