Subject: CVS commit: pkgsrc/www/curl
To: None <pkgsrc-changes@NetBSD.org>
From: Thomas Klausner <wiz@netbsd.org>
List: pkgsrc-changes
Date: 01/03/2005 11:00:51
Module Name:	pkgsrc
Committed By:	wiz
Date:		Mon Jan  3 11:00:51 UTC 2005

Modified Files:
	pkgsrc/www/curl: Makefile PLIST distinfo

Log Message:
Update to 7.12.3. Enable libidn support.

Version 7.12.3 (20 December 2004)

Daniel (19 December 2004)
- I investigated our PKCS12 build problem on Solaris 2.7 with OpenSSL 0.9.7e,
  and it turned out to be the fault of the zlib 1.1.4 headers doing a typedef
  named 'free_func' and the OpenSSL headers have a prototype that uses
  'free_func' in one of its arguments. This is why the compile errors out.

  In other words, we need to include the openssl/pkcs12.h header before the
  zlib.h header and it builds fine. The configure script now checks for this
  file and it then gets included early in lib/urldata.h.

Daniel (18 December 2004)
- Samuel Listopad added support for PKCS12 formatted certificates.

- Samuel Listopad fixed -E to support "C:/path" (with forward slash) as well.

Daniel (16 December 2004)
- Gisle found and fixed a problem in the directory re-use for FTP.

  I added test case 215 and 216 to better verify the functionality.

- Dinar in bug report #1086121, found a file handle leak when a multipart
  formpost (including a file upload part) was aborted before the whole file
  was sent.

Daniel (15 December 2004)
- Tom Lee found out that globbing of strings with backslashes didn't work as
  you'd expect. Backslashes are such a central part of windows file names that
  forcing backslashes to have to be escaped with backslashes is a bit too
  awkward to users. Starting now, you only need to escape globbing characters
  such as the five letters: "[]{},". Added test case 214 to verify this.

Daniel (14 December 2004)
- Harshal Pradhan patched a HTTP persistent connection flaw: if the user name
  and/or password were modified between two requests on a persistent
  connection, the second request were still made with the first setup!

  I added test case 519 to verify the fix.

Daniel (13 December 2004)
- Gisle added CURLINFO_SSL_ENGINES to curl_easy_getinfo() to allow an app
  to list all available crypto ENGINES.

- Gisle fixed bug report #1083542, which pointed out a problem with resuming
  large file (>4GB) file:// transfers on windows.

Daniel (11 December 2004)
- Made the test suite HTTP server (sws) capable of using IPv6, and then
  extended the test environment to support that and also added three test
  cases (240, 241, 242) that run tests using IPv6. Test 242 uses a URL that
  didn't work before the 10 dec fix by Kai Sommerfeld.

- Made a failed file:// resume output an error message

- Corrected the CURLE_BAD_DOWNLOAD_RESUME error message in lib/strerror.c

- Dan Fandrich:

  simplified and consolidated the SSL checks in configure and the usage of the
  defines in lib/setup.h

  provided a first libcurl.pc.in file for pkg-config (but the result is not
  installed anywhere at this point)

  extended the cross compile section in the docs/INSTALL file

Daniel (10 December 2004)
- When providing user name in the URL and a IPv6-style IP-address (like in
  "ftp://user@[::1]/tmp"), the URL parser didn't get the host extracted
  properly.  Reported and fixed by Kai Sommerfeld.

Daniel (9 December 2004)
- Ton Voon provided a configure fix that should fix the notorious (mostly
  reported on Solaris) problem where the size_t check fails due to the SSL
  libs being found in a dir not searched through by the run-time linker.
  patch-tracker entry #1081707.

- Bryan Henderson pointed out in bug report #1081788 that the curl-config
  --vernum output wasn't zero prefixed properly (as claimed in documentation).
  This is fixed in maketgz now.

Daniel (8 December 2004)
- Matt Veenstra updated the mach-O framework files for Mac OS X.

- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
  libcurl always and unconditionally overwrote a stack-based array with 3 zero
  bytes. This is not an exploitable buffer overflow. No need to get alarmed.

Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
  even if no errorbuffer is set.

Daniel (6 December 2004)
- Dan Fandrich added the --disable-cookies option to configure to build
  libcurl without cookie support. This is mainly useful if you want to build a
  minimalistic libcurl with no cookies support at all. Like for embedded
  systems or similar.

- Richard Atterer fixed libcurl's way of dealing with the EPSV
  response. Previously, libcurl would re-resolve the host name with the new
  port number and attempt to connect to that, while it should use the IP from
  the control channel. This bug made it hard to EPSV from an FTP server with
  multiple IP addresses!

Daniel (3 December 2004)
- Bug report #1078066: when a chunked transfer was pre-maturely closed exactly
  at a chunk boundary it was not considered an error and thus went unnoticed.
  Fixed by Maurice Barnum.

  Added test case 207 to verify.

Daniel (2 December 2004)
- Fixed the CONNECT loop to default timeout to 3600 seconds.

  Added test case 206 that makes CONNECT with Digest.

  Fixed a flaw that prepended "(nil)" to the initial CONNECT rqeuest's user-
  agent field.

Daniel (30 November 2004)
- Dan Fandrich's fix for libz 1.1 and "extra field" usage in a gzip stream

- Dan also helped me with input data to create three more test cases for the
  --compressed option.

Daniel (29 November 2004)
- I improved the test suite to enable binary contents in the tests (by proving
  it base64 encoded), like for testing decompress etc. Added test 220 and 221
  for this purpose. Tests can now also depend on libz to run.

- As reported by Reinout van Schouwen in Mandrake's bug tracker bug 12285
  (http://qa.mandrakesoft.com/show_bug.cgi?id=12285), when connecting to an
  IPv6 host with FTP, --disable-epsv (or --disable-eprt) effectively disables
  the ability to transfer a file. Now, when connected to an FTP server with
  IPv6, these FTP commands can't be disabled even if asked to with the
  available libcurl options.

Daniel (26 November 2004)
- As reported in Mandrake's bug tracker bug 12289
  (http://qa.mandrakesoft.com/show_bug.cgi?id=12289), curl would print a
  newline to "finish" the progress meter after each redirect and not only
  after a completed transfer.

Daniel (25 November 2004)
- FTP improvements:

  If EPSV, EPRT or LPRT is tried and doesn't work, it will not be retried on
  the same server again even if a following request is made using a persistent
  connection.

  If a second request is made to a server, requesting a file from the same
  directory as the previous request operated on, libcurl will no longer make
  that long series of CWD commands just to end up on the same spot. Note that
  this is only for *exactly* the same dir. There is still room for improvements
  to optimize the CWD-sending when the dirs are only slightly different.

  Added test 210, 211 and 212 to verify these changes. Had to improve the
  test script too and added a new primitive to the test file format.

Daniel (24 November 2004)
- Andrés García fixed the configure script to detect select properly when run
  with Msys/Mingw on Windows.

Daniel (22 November 2004)
- Made HTTP PUT and POST requests no longer use HEAD when doing multi-pass
  auth negotiation (NTLM, Digest and Negotiate), but instead use the request
  keyword "properly". Details in lib/README.httpauth. This also introduces
  CURLOPT_IOCTLFUNCTION and CURLOPT_IOCTLDATA, to be used by apps that use the
  "any" auth alternative as then libcurl may need to send the PUT/POST data
  more than once and thus may need to ask the app to "rewind" the read data
  stream to start.

  See also the new example using this: docs/examples/anyauthput.c

- David Phillips enhanced test 518. I made it depend on a "feature" so that
  systems without getrlimit() won't attempt to test 518. configure now checks
  for getrlimit() and setrlimit() for this test case.

Daniel (18 November 2004)
- David Phillips fixed libcurl to not crash anymore when more than FD_SETSIZE
  file descriptors are in use. Test case 518 added to verify.

Daniel (15 November 2004)
- To test my fix for the CURLINFO_REDIRECT_TIME bug, I added time_redirect and
  num_redirects support to the -w writeout option for the command line tool.

- Wojciech Zwiefka found out that CURLINFO_REDIRECT_TIME didn't work as
  documented.

Daniel (12 November 2004)
- Gisle Vanem modigied the MSVC and Netware makefiles to build without
  libcurl.def

- Dan Fandrich added the --disable-crypto-auth option to configure to allow
  libcurl to build without Digest support. (I figure it should also explicitly
  disable Negotiate and NTLM.)

-                 *** Modified Behaviour Alert ***

  Setting CURLOPT_POSTFIELDS to NULL will no longer do a GET.

  Setting CURLOPT_POSTFIELDS to "" will send a zero byte POST and setting
  CURLOPT_POSTFIELDS to NULL and CURLOPT_POSTFIELDSIZE to zero will also make
  a zero byte POST. Added test case 515 to verify this.

  Setting CURLOPT_HTTPPOST to NULL makes a zero byte post. Added test case 516
  to verify this.

  CURLOPT_POSTFIELDSIZE must now be set to -1 to signal "we don't know".
  Setting it to zero simply says this is a zero byte POST.

  When providing POST data with a read callback, setting the size up front
  is now made with CURLOPT_POSTFIELDSIZE and not with CURLOPT_INFILESIZE.

Daniel (11 November 2004)
- Dan Fandrich added --disable-verbose to the configure script to allow builds
  without verbose strings in the code, to save some 12KB space. Makes sense
  only for systems with very little memory resources.

- Jeff Phillips found out that a date string with a year beyond 2038 could
  crash the new date parser on systems with 32bit time_t. We now check for
  this case and deal with it.

Daniel (10 November 2004)
- I installed Heimdal on my Debian box (using the debian package) and noticed
  that configure --with-gssapi failed to create a nice build. Fixed now.

Daniel (9 November 2004)
- Gisle Vanem marked all external function calls with CURL_EXTERN so that now
  the Windows, Netware and other builds no longer need libcurl.def or similar
  files.

Daniel (8 November 2004)
- Made the configure script check for tld.h if libidn was detected, since
  libidn 0.3.X didn't have such a header and we don't work with anything
  before libidn 0.4.1 anyway! Suse 9.1 apparently ships with a 0.3.X version
  of libidn which makes the curl 7.12.2 build fail. Jean-Philippe
  Barrette-LaPierre helped pointing this out.

- Ian Gulliver reported in debian bug report #278691: if curl is invoked in an
  environment where stderr is closed the -v output will still be sent to file
  descriptor 2 which then might be the network socket handle! Now we have a
  weird hack instead that attempts to make sure that file descriptor 2 is
  opened (with a call to pipe()) before libcurl is called to do the transfer.
  configure now checks for pipe() and systems without pipe don't get the weird
  hack done.

Daniel (5 November 2004)
- Tim Sneddon made libcurl send no more than 64K in a single first chunk when
  doing a huge POST on VMS, as this is a system limitation. Default on general
  systems is 100K.

Daniel (4 November 2004)
- Andres Garcia made it build on mingw againa, my --retry code broke the build.

Daniel (2 November 2004)
- Added --retry-max-time that allows a maximum time that may not have been
  reached for a retry to be made. If not set there is no maximum time, only
  the amount of retries set with --retry.

- Paul Nolan provided a patch to make libcurl build nicely on Windows CE.

Daniel (1 November 2004)
- When cross-compiling, the configure script no longer attempts to use
  pkg-config on the build host in order to detect OpenSSL compiler options.

Daniel (27 October 2004)
- Dan Fandrich:

  An improvement to the gzip handling of libcurl. There were two problems with
  the old version: it was possible for a malicious gzip file to cause libcurl
  to leak memory, as a buffer was malloced to hold the header and never freed
  if the header ended with no file contents.  The second problem is that the
  64 KiB decompression buffer was allocated on the stack, which caused
  unexpectedly high stack usage and overflowed the stack on some systems
  (someone complained about that in the mailing list about a year ago).

  Both problems are fixed by this patch. The first one is fixed when a recent
  (1.2) version of zlib is used, as it takes care of gzip header parsing
  itself.  A check for the version number is done at run-time and libcurl uses
  that feature if it's present. I've created a define OLD_ZLIB_SUPPORT that
  can be commented out to save some code space if libcurl is guaranteed to be
  using a 1.2 version of zlib.

  The second problem is solved by dynamically allocating the memory buffer
  instead of storing it on the stack. The allocation/free is done for every
  incoming packet, which is suboptimal, but should be dwarfed by the actual
  decompression computation.

  I've also factored out some common code between deflate and gzip to reduce
  the code footprint somewhat.  I've tested the gzip code on a few test files
  and I tried deflate using the freshmeat.net server, and it all looks OK. I
  didn't try running it with valgrind, however.

- Added a --retry option to curl that takes a numerical option for the number
  of times the operation should be retried. It is retried if a transient error
  is detected or if a timeout occurred. By default, it will first wait one
  second between the retries and then double the delay time between each retry
  until the delay time is ten minutes which then will be the delay time
  between all forthcoming retries. You can set a static delay time with
  "--retry-delay [num]" where [num] is the number of seconds to wait between
  each retry.

Daniel (25 October 2004)
- Tomas Pospisek filed bug report #1053287 that proved -C - and --fail on a
  file that was already completely downloaded caused an error, while it
  doesn't if you don't use --fail! I added test case 194 to verify the fix.
  Grrr. CURLOPT_FAILONERROR is now added to the list stuff to remove in
  libcurl v8 due to all the kludges needed to support it.

- Mohun Biswas found out that formposting a zero-byte file didn't work very
  good. I fixed.

Daniel (19 October 2004)
- Alexander Krasnostavsky made it possible to make FTP 3rd party transfers
  with both source and destination being the same host. It can be useful if
  you want to move a file on a server or similar.

- Guillaume Arluison added CURLINFO_NUM_CONNECTS to allow an app to figure
  out how many new connects a previous transfer required.

  I added %{num_connects} to the curl tool and added test case 192 and 193
  to verify the new code.

Daniel (18 October 2004)
- Peter Wullinger pointed out that curl should call setlocale() properly to
  initiate the specific language operations, to make the IDN stuff work
  better.


To generate a diff of this commit:
cvs rdiff -r1.45 -r1.46 pkgsrc/www/curl/Makefile
cvs rdiff -r1.13 -r1.14 pkgsrc/www/curl/PLIST
cvs rdiff -r1.28 -r1.29 pkgsrc/www/curl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.