{"id":24740,"date":"2024-05-22T08:00:59","date_gmt":"2024-05-22T06:00:59","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=24740"},"modified":"2024-05-22T13:19:43","modified_gmt":"2024-05-22T11:19:43","slug":"curl-8-8-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2024\/05\/22\/curl-8-8-0\/","title":{"rendered":"curl 8.8.0"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\"><strong>the 257th release<br>8 changes<br>56 days (total: 9,560)<\/strong><br><strong>220 bug-fixes (total: 10,271)<\/strong><br><strong>348 commits (total: 32,280)<br>1 new public libcurl function (total: 94)<br>1 new curl_easy_setopt() option (total: 305)<\/strong><br><strong>1 new curl command line option (total: 259)<\/strong><br><strong>84 contributors, 41 new (total: 3,173)<\/strong><br><strong>49 authors, 20 new (total: 1,272)<\/strong><br><strong>0 security fixes (total: 155)<\/strong><\/p>\n\n\n\n<p>Download the new curl release from <a href=\"https:\/\/curl.se\/\">curl.se<\/a> as always.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.8.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/QuEcJkjvI_Q?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>It feels good to be able to say that this time around we do not have a single security vulnerability to announce and we in fact do not have any in the queue either.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/libcurl\/c\/curl_version_info.html\">curl_version_info<\/a>() provides librtmp version<\/li>\n\n\n\n<li>file:\/\/ supports directory listings<\/li>\n\n\n\n<li>AppleIDN support for macOS\/iOS<\/li>\n\n\n\n<li>add <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_multi_waitfds.html\">curl_multi_waitfds<\/a><\/li>\n\n\n\n<li>mbedTLS supports <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_SSL_CIPHER_LIST.html\">CURLOPT_SSL_CIPHER_LIST<\/a><\/li>\n\n\n\n<li>drop support for NTLM_WB<\/li>\n\n\n\n<li>experimental <a href=\"https:\/\/curl.se\/libcurl\/c\/CURLOPT_ECH.html\">ECH<\/a> (Encrypted Client Hello)<\/li>\n\n\n\n<li>add <a href=\"https:\/\/curl.se\/libcurl\/c\/curl_url_get.html\">CURLU_GET_EMPTY<\/a> for empty queries and fragments<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>Some of the bugfixes from this cycle that might be worth noticing:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">dist and build<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>reproducible tarballs<\/strong>. I will do a separate post with details later, but now it is easy for anyone who wants to, to generate an identical copy to verify what we ship.<\/li>\n\n\n\n<li><strong>docs\/RELEASE-TOOLS.md into the tarball<\/strong>. This documents the tools and versions used to generate the files included in the tarball that are not present in git.<\/li>\n\n\n\n<li><strong>drop MSVC project files for recent versions<\/strong>. If you need to generate them for more recent versions, cmake can do it for you.<\/li>\n\n\n\n<li><strong>configure fix <code>HAVE_IOCTLSOCKET_FIONBIO<\/code> test for gcc 14<\/strong>. It runs more picky by default so it would always fail the check.<\/li>\n\n\n\n<li><strong>add -q as first option when invoking curl for tests<\/strong>. To reduce the risk of people having a ~\/.curlrc file that ruins things.<\/li>\n\n\n\n<li><strong>fix make install with configure &#8211;disable-docs<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">tool<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>make &#8211;help adapt to the terminal width<\/strong>. Makes it easier on the eye when the terminal is wider.<\/li>\n\n\n\n<li><strong>limit rate unpause for -T . uploads<\/strong>. Avoids busy-looping<\/li>\n\n\n\n<li><strong>curl output warning for leading unicode quote character<\/strong>. Because it seems like a fairly common mistake when people copy and paste command lines from random sources<\/li>\n\n\n\n<li><strong>don&#8217;t truncate the etag save file by default<\/strong>. A regression less.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">TLS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>bearssl: use common code for cipher suite lookup<\/strong><\/li>\n\n\n\n<li><strong>mbedtls: call mbedtls_ssl_setup() after RNG callback is set<\/strong>. Otherwise, more recent versions of mbedTLS will just return error.<\/li>\n\n\n\n<li><strong>mbedtls: support TLS 1.3<\/strong>. If you use a new enough version.<\/li>\n\n\n\n<li><strong>openssl: do not set SSL_MODE_RELEASE_BUFFERS<\/strong>. Uses slightly more memory, but uses fewer memory allocation calls.<\/li>\n\n\n\n<li><strong>wolfssl: plug memory leak in wolfssl_connect_step2<\/strong>()<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">bindings<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>openldap: create ldap URLs correctly for IPv6 addresses<\/strong>, doing LDAP with IPv6 numerical IP addresses in the URL just did not work previously.<\/li>\n\n\n\n<li><strong>quiche: expire all active transfers on connection close<\/strong><\/li>\n\n\n\n<li><strong>quiche: trust its timeout handling<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">libcurl<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>fix curl_global_cleanup crash in Windows<\/strong>. A regression coming from the introduction of the async name resolver function.<\/li>\n\n\n\n<li><strong>brotli and others, pass through 0-length writes<\/strong><\/li>\n\n\n\n<li><strong>ignore duplicate chunked encoding<\/strong>. Apparently some sites do this and browsers let them so we need to let it slide&#8230;<\/li>\n\n\n\n<li><strong>CURLINFO_REQUEST_SIZE: fixed<\/strong><\/li>\n\n\n\n<li><strong>ftp: add tracing support<\/strong>. Gives us better tooling to track down FTP problems.<\/li>\n\n\n\n<li><strong>http2: emit RST when client write fails<\/strong>. Previously it would just silently leave the stream there&#8230;<\/li>\n\n\n\n<li><strong>http: reject HTTP major version switch mid connection<\/strong>. This should of course never happen, but if it does, curl will error out correctly.<\/li>\n\n\n\n<li><strong>multi: introduce SETUP state for better timeouts<\/strong>. This adds a proper separation for when the existing transfer is retried or when the state machine is restarted because it make as a new transfer.<\/li>\n\n\n\n<li><strong>multi: timeout handles even without connection<\/strong>. They would previously often be exempted from checks and would linger for too long until stopped.<\/li>\n\n\n\n<li><strong>fix handling of paused upload on completed download<\/strong><\/li>\n\n\n\n<li><strong>do not URL decode proxy credentials<\/strong><\/li>\n\n\n\n<li><strong>allow setting port number zero<\/strong>. Remember this <a href=\"https:\/\/daniel.haxx.se\/blog\/2014\/10\/25\/pretending-port-zero-is-a-normal-one\/\" data-type=\"post\" data-id=\"6635\">old post<\/a>?<\/li>\n\n\n\n<li><strong>fix relative redirects to fragment-only<\/strong><\/li>\n\n\n\n<li><strong>fix memory leak in websocket error path<\/strong><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Numbers the 257th release8 changes56 days (total: 9,560)220 bug-fixes (total: 10,271)348 commits (total: 32,280)1 new public libcurl function (total: 94)1 new curl_easy_setopt() option (total: 305)1 new curl command line option (total: 259)84 contributors, 41 new (total: 3,173)49 authors, 20 new (total: 1,272)0 security fixes (total: 155) Download the new curl release from curl.se as always. &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2024\/05\/22\/curl-8-8-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.8.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":24774,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-24740","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/24740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=24740"}],"version-history":[{"count":20,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/24740\/revisions"}],"predecessor-version":[{"id":24813,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/24740\/revisions\/24813"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/24774"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=24740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=24740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=24740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}