Changes:
Bugfixes:
- altsvc: reject bad port numbers
- altsvc: use 'h3' for h3
- amiga: do not hardcode openssl/zlib into the os config
- amiga: set SIZEOF_CURL_OFF_T=8 by default
- amigaos: add missing curl header
- asyn-ares: set hint flags when calling ares_getaddrinfo
- autotools: allow --enable-symbol-hiding with windows
- autotools: allow unix sockets on Windows
- autotools: reduce brute-force when detecting recv/send arg list
- aws_sigv4: fix header computation
- bearssl: make it proper C89 compliant
- CI/GHA: cancel outdated CI runs on new PR changes
- CI/GHA: merge msh3 and openssl3 builds into linux workflow
- cirrus-ci: add macOS build with m1
- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS
- cli tool: do not use disabled protocols
- cmake: add missing inet_ntop check
- cmake: add the check of HAVE_SOCKETPAIR
- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h
- cmake: delete duplicate HAVE_GETADDRINFO test
- cmake: enable more detection on Windows
- cmake: fix original MinGW builds
- cmake: improve usability of CMake build as a sub-project
- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
- cmake: sync HAVE_SIGNAL detection with autotools
- cmdline/docs: add a required 'multi' keyword for each option
- configure: correct the wording when checking grep -E
- configure: deprecate builds with small curl_off_t
- configure: fail if '--without-ssl' + explicit parameter for an ssl lib
- configure: the ngtcp2 option should default to 'no'
- connect: change verbose IPv6 address
ort to [address]
- connect: fix builds without AF_INET6
- connect: fix Curl_updateconninfo for TRNSPRT_UNIX
- connect: fix the wrong error message on connect failures
- content_encoding: use writer struct subclasses for different encodings
- cookie: reject cookie names or content with TAB characters
- ctype: remove all use of <ctype.h>, use our own versions
- curl-compilers.m4: for gcc + want warnings, set gnu89 standard
- curl-compilers.m4: use -O2 as default optimize for clang
- curl-wolfssl.m4: error out if wolfSSL is not usable
- curl.h: fix mention of wrong error code in comment
- curl/add_file_name_to_url: use the libcurl URL parser
- curl/add_parallel_transfers: better error handling
- curl/get_url_file_name: use libcurl URL parser
- curl: warn for --ssl use, considered insecure
- curl_ctype: convert to macros-only
- curl_easy_pause.3: unpausing is as fast as possible
- curl_escape.3: fix typo
- curl_setup: disable use of FLOSS for 64-bit NonStop builds
- curl_setup: include curl.h after platform setup headers
- curl_setup: include only system.h instead of curl.h
- curl_strequal.3: fix argument typo
- curl_url_set.3: document CURLU_APPENDQUERY proper
- CURLMOPT_PIPELINING.3: dedup manpage xref
- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five
- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk
- CURLOPT_COOKIEFILE: insist on "" for enable-without-file
- CURLOPT_COOKIELIST.3: fix formatting mistake
- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols
- CURLOPT_MIMEPOST.3: add an (inline) example
- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST
- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies
- CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes
- CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument
- DEPRECATE.md: Support for systems without 64 bit data types
- docs/examples: avoid deprecated options in examples where possible
- docs/INSTALL: update Android Instructions for newer NDKs
- docs/libcurl/symbols-in-versions: add several missing symbols
- docs: 100+ spellfixes
- docs: correct missing uppercase in Markdown files
- docs: document more server names for test files
- docs: fix deprecation versions inconsistencies
- docs: make sure libcurl opts examples pass in long arguments
- docs: remove mentions of deprecated '--without-openssl' parameter
- docs: tag curl options better in man pages
- docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR.
- docs: update sourceforge project links
- easy: fix the #include order
- easy: fix the altsvc init for curl_easy_duphandle
- easy_lock: check for HAVE_STDATOMIC_H as well
- examples/chkspeed: improve portability
- formdata: fix warning: 'CURLformoption' is promoted to 'int'
- ftp: ignore a 550 response to MDTM
- ftp: remove redundant if
- functypes: provide the recv and send arg and return types
- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled
- GHA: build tests in a separate step from the running of them
- GHA: run proselint on markdown files
- github: initial CODEOWNERS setup for CI configuration
- header: define public API functions as extern c
- headers: reset the requests counter at transfer start
- hostip: guard PF_INET6 use
- hostip: lazily wait to figure out if IPv6 works until needed
- http, vauth: always provide Curl_allow_auth_to_host() functionality
- http2: make nghttp2 less picky about field whitespace
- HTTP3.md: update Caddy example
- http: try parsing Retry-After: as a number first
- http_proxy: restore the protocol pointer on error
- httpput-postfields.c: shorten string for C89 compliance
- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference
- lib1560: extended to verify detect/reject of unknown schemes
- lib517: fix C89 constant signedness
- lib: add missing limits.h includes
- lib: add required Win32 setup definitions in setup-win32.h
- lib: prepare the incoming of additional protocols
- lib: sanitize conditional exclusion around MIME
- lib: set more flags in config-win32.h
- lib: the number four in a sequence is the "fourth"
- libssh: if sftp_init fails, don't get the sftp error code
- Makefile.m32: deduplicate build rules
- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults
- Makefile.m32: exclude libs & libpaths for shared mode exes
- Makefile.m32: fix regression with tool_hugehelp
- Makefile.m32: major rework
- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall
- Makefile.m32: support more options
- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged
- manpages: Fix spelling of "allows to" -> "allows one to"
- misc: ISSPACE() => ISBLANK()
- misc: use the term "null-terminate" consistently
- mprintf: reject two kinds of precision for the same argument
- mprintf: use snprintf if available
- mqtt: return error for too long topic
- mqtt: spell out CONNECT in comments
- msh3: change the static_assert to make the code C89
- netrc: compare user name case sensitively
- netrc: replace fgets with Curl_get_line
- netrc: use the URL-decoded user
- ngtcp2: fix build errors due to changes in ngtcp2 library
- ngtcp2: fix C89 compliance nit
- noproxy: support proxies specified using cidr notation
- openssl: make certinfo available for QUIC
- README.md: add GHA status badges for Linux and macOS builds
- RELEASE-PROCEDURE.md: mention patch releases
- resolve: make forced IPv4 resolve only use A queries
- runtests: fix uninitialized value on ignored tests
- schannel: ban server ALPN change during recv renegotiation
- schannel: don't reset recv/send function pointers on renegotiation
- schannel: when importing PFX, disable key persistence
- scripts: use `grep -E` instead of `egrep`
- setopt: use the handler table for protocol name to number conversions
- setopt: when POST is set, reset the 'upload' field
- setup-win32: no longer define UNICODE/_UNICODE implicitly
- single_transfer: use the libcurl URL parser when appending query parts
- smb: replace CURL_WIN32 with WIN32
- strcase: add and use Curl_timestrcmp
- strerror: improve two URL API error messages
- symbol-scan.pl: also check for LIBCURL* symbols
- symbol-scan.pl: scan and verify .3 man pages
- symbols-in-versions: add missing LIBCURL* symbols
- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6
- test1119: scan all public headers
- test1275: verify uppercase after period in markdown
- test972: verify the output without using external tool
- tests/certs/scripts: insert standard curl source headers
- tests/Makefile: remove run time stats from ci-test
- tests: avoid CreateThread if _beginthreadex is available
- tests: fix tag syntax errors in test files
- tests: skip mime/form tests when mime is not built-in
- tidy-up: delete parallel/unused feature flags
- tidy-up: delete unused HAVE_STRUCT_POLLFD
- TODO: provide the error body from a CONNECT response
- tool: avoid generating ambiguous escaped characters in --libcurl
- tool: remove dead code
- tool: reorganize function c_escape around a dynbuf
- tool_hugehelp: make hugehelp a blank macro when disabled
- tool_main: exit at once if out of file descriptors
- tool_operate: avoid a few #ifdefs for disabled-libcurl builds
- tool_operate: more transfer cleanup after parallel transfer fail
- tool_operate: prevent over-queuing in parallel mode
- tool_operate: reduce errorbuffer allocs
- tool_paramhelp: asserts verify maximum sizes for string loading
- tool_paramhelp: make the max argument a 'double'
- tool_progress: remove 'Qd' from the parallel progress bar
- tool_setopt: use better English in --libcurl source comments
- tool_xattr: save the original URL, not the final redirected one
- unit test 1655: make it C89-compliant
- url: a zero-length userinfo part in the URL is still a (blank) user
- url: allow non-HTTPS HSTS-matching for debug builds
- url: rename function due to name-clash in Watt-32
- url: use IDN decoded names for HSTS checks
- urlapi: detect scheme better when not guessing
- urlapi: fix parsing URL without slash with CURLU_URLENCODE
- urlapi: leaner with fewer allocs
- urlapi: reject more bad characters from the host name field
- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths
- winbuild: use NMake batch-rules for compilation
- windows: add .rc support to autotools builds
- windows: adjust name of two internal public functions
- windows: autotools .rc warnings fixup
- wolfSSL: fix session management bug.
Also fixes:
CVE-2022-42916: HSTS bypass via IDN
CVE-2022-42915: HTTP proxy double-free
CVE-2022-35260: .netrc parser out-of-bounds access
CVE-2022-32221: POST following PUT confusion
