{"id":22926,"date":"2023-09-13T08:26:26","date_gmt":"2023-09-13T06:26:26","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=22926"},"modified":"2023-09-22T09:46:33","modified_gmt":"2023-09-22T07:46:33","slug":"curl-8-3-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2023\/09\/13\/curl-8-3-0\/","title":{"rendered":"curl 8.3.0"},"content":{"rendered":"\n<p>Welcome to this new curl release!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release video<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.3.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/DmyuEV8cUaU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 251st release<br>9 changes<br>49 days (total: 9,308)<\/strong><br><strong>174 bug-fixes (total: 9,415)<\/strong><br><strong>296 commits (total: 30,942)<br>1 new public libcurl function (total: 92)<br>0 new curl_easy_setopt() option (total: 303)<\/strong><br><strong>2 new curl command line option (total: 257)<\/strong><br><strong>80 contributors, 50 new (total: 2,977)<\/strong><br><strong>40 authors, 20 new (total: 1,193)<\/strong><br><strong>1 security fix (total: 146)<\/strong><\/p>\n\n\n\n<p>Numbers notes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>the release counter now also includes project releases done <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/08\/15\/changes-from-before-it-was-curl\/\" data-type=\"post\" data-id=\"22890\">before the name was changed<\/a> to curl.<\/li>\n\n\n\n<li>The number of security fixes 
is adjusted due to the recently rejected <a href=\"https:\/\/curl.se\/docs\/CVE-2023-32001.html\">CVE-2023-32001<\/a><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>We publish a security advisory in association with today&#8217;s release.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">HTTP headers eat all memory<\/h3>\n\n\n\n<p>[<a href=\"https:\/\/curl.se\/docs\/CVE-2023-38039.html\">CVE-2023-38039<\/a>] When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.<\/p>\n\n\n\n<p>However, curl did not have a limit on how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">curl: make %output{} in -w specify a file to write to<\/h3>\n\n\n\n<p>The super handy option <a href=\"https:\/\/everything.curl.dev\/usingcurl\/verbose\/writeout\">--write-out<\/a> becomes even more convenient now as it can redirect its output into a specific file and not just stdout and stderr.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">curl: add &#8220;variable&#8221; support<\/h3>\n\n\n\n<p>The new <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/07\/31\/introducing-curl-command-line-variables\/\" data-type=\"post\" data-id=\"22692\">variable<\/a> concept not only lets users use environment variables in config files but also opens up new ways to use curl command lines effectively.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">remove gskit support<\/h3>\n\n\n\n<p>The gskit TLS library is no longer a provided option when building curl.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">remove NSS support<\/h3>\n\n\n\n<p>The NSS TLS library is no longer a provided option when building curl. 
curl still supports building with twelve different TLS libraries even after the removal of these two.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">configure --disable-bindlocal builds curl without local binding support<\/h3>\n\n\n\n<p>As a next step in the gradual movement to allow more and more features to get enabled\/disabled at build time, the turn has come to the bindlocal function, which is the feature that binds the local end of a connection. Primarily intended for tiny-curl purposes when you aim for a minimal footprint build.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">make tracing available in non-debug builds<\/h3>\n\n\n\n<p>Starting now, libcurl offers <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_global_trace.html\">curl_global_trace<\/a> and curl offers <a href=\"https:\/\/curl.se\/docs\/manpage.html#--trace-config\">--trace-config<\/a> to ask for what specific details to include in the verbose logging output. This is a way for a non-debug build to provide more protocol level details from transfers in ways that were previously not possible. It allows users to report bugs better and provide more insights from real-world problematic scenarios.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CURLOPT_MAXREDIRS defaults to 30<\/h3>\n\n\n\n<p>As a precaution, we change the default from unlimited to 30.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CURLU_PUNY2IDN &#8211; convert punycode to IDN<\/h3>\n\n\n\n<p>The URL API gets the ability to convert to an International Domain Name when given a punycode version. 
Previously it could only do the conversion in the other direction.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">wolfssl: support loading system CA certificates<\/h3>\n\n\n\n<p>curl built with wolfSSL now can use the &#8220;native CA&#8221; option which then makes it possible to use the native CA store on several platforms instead of using a separately provided external file.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>More than 160 bugfixes are logged for this release, but here are a few selected highlights.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">accept and parse IPv6 addresses in alt-svc response headers<\/h3>\n\n\n\n<p>Previously curl would not parse and accept such hosts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">c-ares: reduce timeout to 2000ms<\/h3>\n\n\n\n<p>The default c-ares DNS timeout is set to the same time that c-ares itself has changed to in their next pending release.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">make CURLOPT_HAPROXY_CLIENT_IP set the <em>source<\/em> IP<\/h3>\n\n\n\n<p>It was wrongly set as <em>destination<\/em> instead of source.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">cmake: ten separate improvements<\/h3>\n\n\n\n<p>Numerous smaller and larger fixes that made the cmake build of curl several notches better.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">stop halving the remaining connect timeout when less than 600 ms left<\/h3>\n\n\n\n<p>When curl connects to a host that resolves to multiple IP addresses, it allows half the timeout time for the current IP before it moves on to attempt the next IP in the list. 
That &#8220;halving&#8221; is now stopped when there is less than 600 milliseconds left to reduce problems with too short times.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">docs: rewrite to present tense<\/h3>\n\n\n\n<p>Most of the curl documentation now says &#8220;this option does this&#8221; instead of &#8220;this option <em>will do<\/em> this&#8221;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">escape all dashes (ASCII minus) to avoid Unicode hyphens in curl.1 man page<\/h3>\n\n\n\n<p>It turns out the curl man page, as generated previously, would make the man command use a Unicode hyphen instead of ASCII minus when displayed. This broke copy and paste and it made it impossible to properly search for minus\/dash when viewing the man page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">accept leading whitespace on first HTTP response header<\/h3>\n\n\n\n<p>curl is now less strict if the first HTTP\/1 response header starts with space or tab, thus looking like it is a &#8220;fold&#8221; when it is not. Other commonly used tools\/browsers accept this kind of bad syntax and so does curl now.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">avoid too early HTTP\/2 connection re-use\/multiplexing<\/h3>\n\n\n\n<p>When doing lots of parallel transfers curl might need to create a second connection when the first reaches its maximum number of streams. In that situation, curl would try to multiplex on that new connection too early, before it was properly set up and ready for use, leading to transfer errors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">http\/http2\/http3: fix sending large requests<\/h3>\n\n\n\n<p>Logic for all supported HTTP versions had (different) issues in handling sending very large requests.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">aws-sigv4: canonicalize the query<\/h3>\n\n\n\n<p>Using aws-sigv4 authentication would fail if the query part was not manually crafted to be correct: sorted, uppercase %-encoding and all the name\/value pairs alpha-sorted. 
Now curl does this itself.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">make aws-sigv4 not require TLS to be used<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/curl.se\/docs\/manpage.html#--aws-sigv4\">--aws-sigv4<\/a> option no longer requires an HTTPS:\/\/ URL to be used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">lib: move mimepost data from -&gt;req.p.http to -&gt;state<\/h3>\n\n\n\n<p>The moving of internal data from one struct to another made data survive between two requests and thus fixed a bug involving redirects with MIMEPOST that needed to rewind.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set<\/h3>\n\n\n\n<p>Turns out curl would still resolve both IPv4 and IPv6 names even if ipv6-only connections were being requested, thus getting some extra names in vain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">system.h: add CURL_OFF_T definitions on HP-UX with HP aCC<\/h3>\n\n\n\n<p>Starting now, curl builds properly on more HP-UX machines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tests: update cookie expiry dates to far in the future<\/h3>\n\n\n\n<p>curl&#8217;s test suite now runs fine even when executed in a year after 2038.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tool_filetime: make -z work with file dates before 1970<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/curl.se\/docs\/manpage.html#-z\">-z<\/a> option can get the file date off a local file and use that in an HTTP time condition request, but if the file was older than January 1 1970 it would act wrongly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">transfer: also stop the sending on closed connection<\/h3>\n\n\n\n<p>When curl sent off an HTTP\/1 request and the connection was closed before the sending was complete, curl could end up not detecting that and ending the transfer correctly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">don&#8217;t set TIMER_STARTTRANSFER on first send<\/h3>\n\n\n\n<p>Adjustments were made to make this timestamp work as actually 
documented.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">make zoneid duplicated in curl_url_dup<\/h3>\n\n\n\n<p>This dup function did not correctly duplicate the zone id from the source handle, making it an incomplete duplicate.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">quic: don&#8217;t set SNI if hostname is an IP address<\/h3>\n\n\n\n<p>curl would wrongly populate the SNI field with the IP address when doing QUIC connections to such hosts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next<\/h2>\n\n\n\n<p>This is a dot-zero release. If there are any important enough regressions shipped in this version, we will do a follow-up release shortly. Report all and any problems you spot.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to this new curl release! Release video Numbers the 251st release9 changes49 days (total: 9,308)174 bug-fixes (total: 9,415)296 commits (total: 30,942)1 new public libcurl function (total: 92)0 new curl_easy_setopt() option (total: 303)2 new curl command line option (total: 257)80 contributors, 50 new (total: 2,977)40 authors, 20 new (total: 1,193)1 security fix (total: 146) Numbers &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/09\/13\/curl-8-3-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.3.0<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":22930,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-22926","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=22926"}],"version-history":[{"count":44,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22926\/revisions"}],"predecessor-version":[{"id":23189,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/22926\/revisions\/23189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/22930"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=22926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=22926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=22926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}