{"id":22804,"date":"2023-07-19T08:22:05","date_gmt":"2023-07-19T06:22:05","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=22804"},"modified":"2023-07-19T11:36:09","modified_gmt":"2023-07-19T09:36:09","slug":"curl-8-2-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2023\/07\/19\/curl-8-2-0\/","title":{"rendered":"curl 8.2.0"},"content":{"rendered":"\n<p>Welcome to another curl release. You know how this dance goes&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 220th release<br>5 changes<br>50 days (total: 9,252)<\/strong><br><strong>122 bug-fixes (total: 9,167)<\/strong><br><strong>177 commits (total: 30,606)<br>0 new public libcurl function (total: 91)<br>1 new curl_easy_setopt() option (total: 303)<\/strong><br><strong>4 new curl command line option (total: 255)<\/strong><br><strong>55 contributors, 34 new (total: 2,922)<\/strong><br><strong>35 authors, 20 new (total: 1,170)<\/strong><br><strong>1 security fixes (total: 146)<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.2.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/eMSD1GOCABc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">fopen race condition (medium)<\/h3>\n\n\n\n<p><a href=\"https:\/\/curl.se\/docs\/CVE-2023-32001.html\">CVE-2023-32001<\/a>.  libcurl can be told to save cookies, HSTS and\/or alt-svc data to files. 
When doing this, it called <code>stat()<\/code> followed by <code>fopen()<\/code> in a way that made it vulnerable to a TOCTOU (Time of Check, Time of Use) race condition problem.<\/p>\n\n\n\n<p>By exploiting this flaw, an attacker could trick the victim into creating or overwriting protected files holding this data in ways it was not intended to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">curl: add --ca-native and --proxy-ca-native<\/h3>\n\n\n\n<p>The command line tool (and library) got new options to ask it to use the system&#8217;s &#8220;native&#8221; CA storage. These currently only work on Windows when curl is built to use an OpenSSL fork.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: add --trace-ids<\/h3>\n\n\n\n<p>This option makes the trace log files include connection and transfer identifiers, which greatly helps when debugging many (parallel) transfers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CURLOPT_MAIL_RCPT_ALLOWFAILS replaces CURLOPT_MAIL_RCPT_ALLLOWFAILS<\/h3>\n\n\n\n<p>Provide the option without the typo!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">add --haproxy-clientip flag to set client IPs<\/h3>\n\n\n\n<p>Now users of the tool (and library) can pass on specific IP addresses instead of simply using the current one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">add CURLINFO_CONN_ID and CURLINFO_XFER_ID<\/h3>\n\n\n\n<p>Two options that allow the application to extract the connection and transfer &#8220;Id&#8221; of the current transfer, presumably from a <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_DEBUGFUNCTION.html\">debugfunction callback<\/a> and the like.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>We have again fixed more than a hundred problems in this release cycle. 
Here follows a subset that I suspect might be among the most interesting ones.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">examples: we&#8217;ve added and extended numerous<\/h3>\n\n\n\n<p>The ambition is to gradually over time provide examples that show use of all <a href=\"https:\/\/curl.se\/libcurl\/c\/easy_setopt_options.html\">curl_easy_setopt<\/a> options. We are still way off from that.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http2: numerous smaller and larger fixes<\/h3>\n\n\n\n<p>Several regressions and cleanups have been done that improve how HTTP\/2 works compared to previous releases.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http2: send HEADER and DATA together<\/h3>\n\n\n\n<p>When sending POST requests, libcurl now does a better job of putting the initial outgoing HEADER and DATA frames together, most likely in the same TLS frame.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http3: upload EAGAIN handling<\/h3>\n\n\n\n<p>EAGAIN handling for HTTP\/3 uploads was fixed, like it was for HTTP\/2 as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http: fix the outgoing Cookie: header length check<\/h3>\n\n\n\n<p>The check that would prevent too long outgoing cookie headers was off by up to a few hundred bytes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">libssh2: use custom memory functions (again)<\/h3>\n\n\n\n<p>Bring back use of custom memory functions with libssh2 as otherwise it actually cannot be used with a debug build of curl (or when libssh2 is used as a DLL on Windows) due to naive presumptions in the libssh2 API.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">runtests: many improvements, leading to -j<\/h3>\n\n\n\n<p>Introducing <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/06\/08\/parallel-curl-tests\/\" data-type=\"post\" data-id=\"22130\">parallel tests<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">sectransp: fix EOF handling<\/h3>\n\n\n\n<p>A regression caused curl to misbehave on end of connection using TLS when built to use Secure 
Transport.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">timeval: use CLOCK_MONOTONIC_RAW if available<\/h3>\n\n\n\n<p>For platforms with this clock option, curl now prefers that in an effort to avoid a time that can go backwards.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tool_writeout_json: fix encoding of control characters<\/h3>\n\n\n\n<p>The output of control codes in the generated JSON with <code>--json<\/code> now works better.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">urlapi: have *set(PATH) prepend a slash if one is missing<\/h3>\n\n\n\n<p>Setting a path using the URL API without a leading slash would previously generate a broken URL when it was extracted. Starting now, libcurl will prepend a slash if there is none.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">urlapi: scheme must start with alpha<\/h3>\n\n\n\n<p>The URL parser would previously allow a few other characters to start a scheme as well. No more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tool_parsecfg: accept line lengths up to 10M<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/everything.curl.dev\/cmdline\/configfile\">config file<\/a> parser now allows lines to be up to 10 megabytes. For those odd users generating files with huge data components embedded.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to another curl release. 
You know how this dance goes&#8230; Numbers the 220th release5 changes50 days (total: 9,252)122 bug-fixes (total: 9,167)177 commits (total: 30,606)0 new public libcurl function (total: 91)1 new curl_easy_setopt() option (total: 303)4 new curl command line option (total: 255)55 contributors, 34 new (total: 2,922)35 authors, 20 new (total: 1,170)1 security fixes &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/07\/19\/curl-8-2-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.2.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":22823,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-22804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=22804"}],"version-history":[{"count":20,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22804\/revisions"}],"predecessor-version":[{"id":22831,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22804\/revisions\/22831"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/22823"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=22804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\
/v2\/categories?post=22804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=22804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}