{"id":21466,"date":"2023-02-15T08:29:18","date_gmt":"2023-02-15T07:29:18","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=21466"},"modified":"2023-02-15T12:26:47","modified_gmt":"2023-02-15T11:26:47","slug":"curl-7-88-0-seven-stops-here","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2023\/02\/15\/curl-7-88-0-seven-stops-here\/","title":{"rendered":"curl 7.88.0 seven stops here"},"content":{"rendered":"\n<p>Welcome to the final and last release in the series seven. The next release is planned and intended to become version 8.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 213th release<br>5 changes<br>56 days (total: 9,098)<\/strong><br><strong>173 bug-fixes (total: 8,665)<\/strong><br><strong>250 commits (total: 29,821)<br>0 new public libcurl function (total: 91)<br>0 new curl_easy_setopt() option (total: 302)<\/strong><br><strong>1 new curl command line option (total: 250)<\/strong><br><strong>78 contributors, 41 new (total: 2,812)<\/strong><br><strong>42 authors, 18 new (total: 1,119)<\/strong><br><strong>3 security fixes (total: 135)<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 7.88.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/9zff4hWOxPE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>This time we bring you three security fixes. All of them covering cases for which we have had problems reported and fixed before, but these are new subtle variations.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2023-23914.html\">CVE-2023-23914<\/a>: HSTS ignored on multiple requests<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2023-23915.html\">CVE-2023-23915<\/a>: HSTS amnesia with &#8211;parallel<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2023-23916.html\">CVE-2023-23916<\/a>: HTTP multi-header compression denial of service<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two changes for HTTP\/3: <code><a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_HTTP_VERSION.html\">CURL_HTTP_VERSION_3ONLY<\/a><\/code> was added for the library and <code><a href=\"https:\/\/curl.se\/docs\/manpage.html#--http3-only\">--http3-only<\/a><\/code> was added to the tool.<\/li>\n\n\n\n<li>Two changes for HSTS: <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLSHOPT_SHARE.html\">the HSTS cache can now be shared<\/a> between libcurl handles, and subsequently the curl tool now shares the HSTS between transfers.<\/li>\n\n\n\n<li>The URL API got the new flag <code>CURLU_PUNYCODE<\/code> which allows  and application to <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_url_get.html\">get the punycode version<\/a> of a host name\/URL.<\/li>\n\n\n\n<li>curl <code>-w<\/code> now offers %{certs} and %{num_certs} which  <a href=\"https:\/\/daniel.haxx.se\/blog\/2022\/12\/28\/curl-w-certs\/\">outputs the server certificate<\/a>(s).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>While we count over 140 individual bugfixes merged for this release, here follows a curated subset of some of the more interesting ones.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http\/3 happy eyeballs<\/h3>\n\n\n\n<p>When asking for HTTP\/3, curl will now also try older HTTP versions with a slight delay so that if HTTP\/3 does not work, it might still succeed with and use an older version.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">update all copyright lines and remove year ranges<\/h3>\n\n\n\n<p><a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/01\/08\/copyright-without-years\/\" data-type=\"post\" data-id=\"21201\">Mentioned separately<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">allow up to 10M buffer size<\/h3>\n\n\n\n<p>An application can now set drastically larger download buffers. For high speed\/localhost transfers of some protocols this might sometimes make a difference.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: output warning at &#8211;verbose output for debug-enabled version<\/h3>\n\n\n\n<p>To help users realize when they use a debug build of curl, it now outputs a warning at the top of the <code>--verbose<\/code> output. We strongly discourage users to ship or use such builds in production.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">websocket: multiple bugfixes<\/h3>\n\n\n\n<p>WebSocket support remains an experimental feature in curl but it is getting better. Several smaller and bigger bugs were squashed. Please continue to try it and report any problems and we can probably consider removing the experimental label soon.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">dict: URL decode the entire path always<\/h3>\n\n\n\n<p>If you used a DICT URL it would sometimes do wrong as it previously only URL decoded parts of the path when using it. Now it correctly decodes the entire thing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">URL-encode\/decode much faster<\/h3>\n\n\n\n<p>The libcurl functions for doing these conversions were sped up significantly. In the order of 3x and 7x.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">haxproxy: send before TLS handhshake<\/h3>\n\n\n\n<p>The haproxy details are now properly sent before the TLS handshake takes place.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">HTTP\/[23]: continue upload when state.drain is set<\/h3>\n\n\n\n<p>Fixes a stalling problem when data is being uploaded and downloaded at the same time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http2: aggregate small SETTINGS\/PRIO\/WIN_UPDATE frames<\/h3>\n\n\n\n<p>Optimizes outgoing frames for HTTP\/2 into doing more in fewer sends.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">openssl: store the CA after first send (ClientHello)<\/h3>\n\n\n\n<p>By changing the order of things, curl is better off spending CPU cycles while waiting for the server&#8217;s response and thereby making the entire handshake process complete faster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: repair &#8211;rate<\/h3>\n\n\n\n<p>A regression in 7.87.0 made this feature completely broken. Now back on track again.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">HTTP\/2 much faster multiplexed transfers<\/h3>\n\n\n\n<p>By improving the handling of multiple concurrent streams over a single connection, curl now performs such transfers <em>much<\/em> faster than before. Sometimes an almost 3x speedup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">noproxy: support for space-separated names is deprecated<\/h3>\n\n\n\n<p>The parser that parses the &#8220;noproxy&#8221; string accepts plain space (without comma) as separators, while hardly any other tool or library does. This matters because it can be set in an environment variable. This accepted space-only separation is now marked as <strong>deprecated<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">nss: implement data_pending method<\/h3>\n\n\n\n<p>The NSS backend was improved to work better for cases when the socket has been drained of data and only the NSS internal buffers has it, which could lead to curl getting stalled or losing data. Note: <strong>NSS support is marked for removal<\/strong> later in 2023.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">socketpair: allow localhost MITM sniffers<\/h3>\n\n\n\n<p>curl has an internal socketpair emulation function for Windows. The way it worked did not allow MITM sniffers, but instead return error if such a thing was detected. It turns out too many users run tools on Windows that do this, so we have changed the logic to accept their presence and use.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tests-httpd: infra to run curl against an apache httpd<\/h3>\n\n\n\n<p>An entirely new line of tests that opens up new ways to test and verify our HTTP implementations in ways we could not do before. It uses pytest and an apache httpd server with special test modules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: fix hiding of command line secrets<\/h3>\n\n\n\n<p>A regression.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: fix error code on bad URL<\/h3>\n\n\n\n<p>If you would use an invalid URL for upload, curl would erroneously report the problem as &#8220;out of memory&#8221; which unsurprisingly greatly confused users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the final and last release in the series seven. The next release is planned and intended to become version 8. Numbers the 213th release5 changes56 days (total: 9,098)173 bug-fixes (total: 8,665)250 commits (total: 29,821)0 new public libcurl function (total: 91)0 new curl_easy_setopt() option (total: 302)1 new curl command line option (total: 250)78 contributors, &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/02\/15\/curl-7-88-0-seven-stops-here\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 7.88.0 seven stops here<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":21637,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-21466","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/21466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=21466"}],"version-history":[{"count":25,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/21466\/revisions"}],"predecessor-version":[{"id":21766,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/21466\/revisions\/21766"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/21637"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=21466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=21466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=21466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}