                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 8.3.0 (13 Sep 2023)

Daniel Stenberg (13 Sep 2023)

- RELEASE-NOTES: syn ced

  curl 8.3.0 release

- THANKS: contributors from 8.3.0

Thorsten Klein (12 Sep 2023)

- cmake: set SIZEOF_LONG_LONG in curl_config.h

  in order to support 32bit builds regarding wolfssl CTC_SETTINGS

  Closes #11839

Jay Satiro (12 Sep 2023)

- curl_ngtcp2: fix error message

- http_aws_sigv4: handle no-value user header entries

  - Handle user headers in format 'name:' and 'name;' with no value.

  The former is used when the user wants to remove an internal libcurl
  header and the latter is used when the user actually wants to send a
  no-value header in the format 'name:' (note the semi-colon is converted
  by libcurl to a colon).

  Prior to this change the AWS header import code did not special case
  either of those and the generated AWS SignedHeaders would be incorrect.

  Reported-by: apparentorder@users.noreply.github.com

  Ref: https://curl.se/docs/manpage.html#-H

  Fixes https://github.com/curl/curl/issues/11664
  Closes https://github.com/curl/curl/pull/11668

Dan Fandrich (11 Sep 2023)

- CI: run pytest with the -v option

  This lists of the test cases being run so it can be tracked over time.

  Closes #11824

Daniel Stenberg (11 Sep 2023)

- HTTP3: the msquic backend is not functional

  I ask that we do not submit bugs for this backend just yet as we know it
  does not fully work.

  Closes #11831
  Closes #11819

- aws_sigv4: the query canon code miscounted URL encoded input

  Added some extra ampersands to test 439 to verify "blank" query parts

  Follow-up to fc76a24c53b08cdf

  Closes #11829

vvb2060 (11 Sep 2023)

- quic: don't set SNI if hostname is an IP address

  We already do this for TLS connections.

  RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
  "HostName".

  Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3

  Fixes https://github.com/curl/curl/issues/11827
  Closes https://github.com/curl/curl/pull/11828

Daniel Stenberg (10 Sep 2023)

- RELEASE-NOTES: synced

Benoit Pierre (10 Sep 2023)

- configure: fix `HAVE_TIME_T_UNSIGNED` check

  The syntax was incorrect (need a proper main body), and the test
  condition was wrong (resulting in a signed `time_t` detected as
  unsigned).

  Closes #11825

Daniel Stenberg (9 Sep 2023)

- THANKS-filter: pszlazak on github

pszlazak (9 Sep 2023)

- include.d: explain headers not printed with --fail before 7.75.0

  Prior to 7.75.0 response headers were not printed if -f/--fail was used
  and an error was reported by server.  This was fixed in ab525c0
  (precedes 7.75.0).

  Closes #11822

Daniel Stenberg (8 Sep 2023)

- http_aws_sigv4: skip the op if the query pair is zero bytes

  Follow-up to fc76a24c53b08cdf

  Spotted by OSS-Fuzz

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
  Closes #11823

- cmdline-docs: use present tense, not future

  + some smaller cleanups

  Closes #11821

- cmdline-docs: make sure to phrase it as "added in ...."

  References to things that were added or changed in a specific version
  should be specified as "(added in [version]) for two reasons:

  1 - consistency

  2 - to allow gen.pl to strip them out if deemed referring to too old
      versions

  Closes #11821

Jay Satiro (8 Sep 2023)

- docs: mark --ssl-revoke-best-effort as Schannel specific

  Closes https://github.com/curl/curl/pull/11760

Nathan Moinvaziri (8 Sep 2023)

- schannel: fix ordering of cert chain info

  - Use CERT_CONTEXT's pbCertEncoded to determine chain order.

  CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
  end-entity/server certificate in pbCertEncoded. We can use this pointer
  to determine the order of certificates when enumerating hCertStore using
  CertEnumCertificatesInStore.

  This change is to help ensure that the ordering of the certificate chain
  requested by the user via CURLINFO_CERTINFO has the same ordering on all
  versions of Windows.

  Prior to this change Schannel certificate order was reversed in 8986df80
  but that was later reverted in f540a39b when it was discovered that
  Windows 11 22H2 does the reversal on its own.

  Ref: https://github.com/curl/curl/issues/9706

  Closes https://github.com/curl/curl/pull/11632

Chris Talbot (8 Sep 2023)

- digest: Use hostname to generate spn instead of realm

  In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

  digest-uri-value should be serv-type "/" host , where host is:

        The DNS host name or IP address for the service requested.  The
        DNS host name must be the fully-qualified canonical name of the
        host. The DNS host name is the preferred form; see notes on server
        processing of the digest-uri.

  Realm may not be the host, so we must specify the host explicitly.

  Note this change only affects the non-SSPI digest code. The digest code
  used by SSPI builds already uses the hostname to generate the spn.

  Ref: https://github.com/curl/curl/issues/11369

  Closes https://github.com/curl/curl/pull/11395

Daniel Stenberg (7 Sep 2023)

- docs: remove use of the word 'very'

  It is mostly superfluous. proselint would complain.

  Closes #11818

- curl_multi_remove_handle.3: clarify what happens with connection

  Closes #11817

- RELEASE-NOTES: synced

- test439: verify query canonization for aws-sigv4

- tool_operate: make aws-sigv4 not require TLS to be used

  Maybe not used too often, but we want it for testing and it should work.

- http_aws_sigv4: canonicalize the query

  Percent encoding needs to be done using uppercase, and most
  non-alphanumerical must be percent-encoded.

  Fixes #11794
  Reported-by: John Walker
  Closes #11806

Wyatt O'Day (7 Sep 2023)

- lib: add ability to disable auths individually

  Both with configure and cmake

  Closes #11490

Stefan Eissing (7 Sep 2023)

- ngtcp2: fix handling of large requests

  - requests >64K are send in parts to the filter
  - fix parsing of the request to assemble it correctly
    from several sends
  - open a QUIC stream only when the complete request has
    been collected

  Closes #11815

- openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before

  - we delay loading the x509 store to shorten the handshake time.
    However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
    may need to have the store loaded and try to manipulate it.
  - load the x509 store before invoking the app callback

  Fixes #11800
  Reported-by: guoxinvmware on github
  Cloes #11805

Daniel Stenberg (7 Sep 2023)

- krb5: fix "implicit conversion loses integer precision" warnings

  conversions to/from enum and unsigned chars

  Closes #11814

Stefan Eissing (7 Sep 2023)

- pytest: improvements

  - set CURL_CI for pytest runs in CI environments
  - exclude timing sensitive tests from CI runs
  - for failed results, list only the log and stat of
    the failed transfer

  - fix type in http.c comment

  Closes #11812

- CI: move on to ngtcp2 v0.19.1

  Closes #11809

Dan Fandrich (5 Sep 2023)

- CI: run Circle macOS builds on x86 for now

  The ARM machines aren't ready for us and requesting them now causes
  warnings e-mails to be sent to some PR pushers.

  Ref: #11771

Viktor Szakats (5 Sep 2023)

- http3: adjust cast for ngtcp2 v0.19.0

  ngtcp2 v0.19.0 made size of `ecn` member of `ngtcp2_pkt_info`
  an `uint8_t` (was: `uint32_t`). Adjust our local cast accordingly.

  Fixes:
  ```
  ./curl/lib/vquic/curl_ngtcp2.c:1912:12: warning: implicit conversion loses in
  teger precision: 'uint32_t' (aka 'unsigned int') to 'uint8_t' (aka 'unsigned 
  char') [-Wimplicit-int-conversion]
    pi.ecn = (uint32_t)ecn;
           ~ ^~~~~~~~~~~~~
  ```

  Also bump ngtcp2, nghttp3 and nghttp2 to their latest versions in our
  docs and CI.

  Ref: https://github.com/ngtcp2/ngtcp2/commit/80447281bbc94af53f8aa7a4cfc19175
  782894a3
  Ref: https://github.com/ngtcp2/ngtcp2/pull/877
  Closes #11798

Stefan Eissing (5 Sep 2023)

- http: fix sending of large requests

  - refs #11342 where errors with git https interactions
    were observed
  - problem was caused by 1st sends of size larger than 64KB
    which resulted in later retries of 64KB only
  - limit sending of 1st block to 64KB
  - adjust h2/h3 filters to cope with parsing the HTTP/1.1
    formatted request in chunks

  - introducing Curl_nwrite() as companion to Curl_write()
    for the many cases where the sockindex is already known

  Fixes #11342 (again)
  Closes #11803

- pytest: fix check for slow_network skips to only apply when intended

  Closes #11801

Daniel Stenberg (5 Sep 2023)

- curl_url_get/set.3: add missing semicolon in SYNOPSIS

- CURLOPT_URL.3: explain curl_url_set() uses the same parser

- CURLOPT_URL.3: add two URL API calls in the see-also section

Dan Fandrich (4 Sep 2023)

- CI: add a 32-bit i686 Linux build

  This is done by cross-compiling under regular x86_64 Linux.  Since the
  kernel offers backwards compatibility, the binaries can be tested as
  normal.

  Closes #11799

- tests: fix a type warning on 32-bit x86

Viktor Szakats (4 Sep 2023)

- tests: delete stray `.orig` file

  Follow-up to 331b89a319d0067fa1e6441719307cfef9c7960f
  Closes #11797

Daniel Stenberg (4 Sep 2023)

- RELEASE-NOTES: synced

Viktor Szakats (4 Sep 2023)

- lib: silence compiler warning in inet_ntop6

  ```
  ./curl/lib/inet_ntop.c:121:21: warning: possible misuse of comma operator her
  e [-Wcomma]
          cur.base = i, cur.len = 1;
                      ^
  ./curl/lib/inet_ntop.c:121:9: note: cast expression to void to silence warnin
  g
          cur.base = i, cur.len = 1;
          ^~~~~~~~~~~~
          (void)(     )
  ```

  Closes #11790

Daniel Stenberg (4 Sep 2023)

- transfer: also stop the sending on closed connection

  Previously this cleared the receiving bit only but in some cases it is
  also still sending (like a request-body) when disconnected and neither
  direction can continue then.

  Fixes #11769
  Reported-by: Oleg Jukovec
  Closes #11795

John Bampton (4 Sep 2023)

- docs: change `sub-domain` to `subdomain`

  https://en.wikipedia.org/wiki/Subdomain

  Closes #11793

Stefan Eissing (4 Sep 2023)

- multi: more efficient pollfd count for poll

  - do not use separate pollfds for sockets that have POLLIN+POLLOUT

  Closes #11792

- http2: polish things around POST

  - added test cases for various code paths
  - fixed handling of blocked write when stream had
    been closed inbetween attempts
  - re-enabled DEBUGASSERT on send with smaller data size

  - in debug builds, environment variables can be set to simulate a slow
    network when sending data. cf-socket.c and vquic.c support
    * CURL_DBG_SOCK_WBLOCK: percentage of send() calls that should be
      answered with a EAGAIN. TCP/UNIX sockets.
      This is chosen randomly.
    * CURL_DBG_SOCK_WPARTIAL: percentage of data that shall be written
      to the network. TCP/UNIX sockets.
      Example: 80 means a send with 1000 bytes would only send 800
      This is applied to every send.
    * CURL_DBG_QUIC_WBLOCK: percentage of send() calls that should be
      answered with EAGAIN. QUIC only.
      This is chosen randomly.

  Closes #11756

Daniel Stenberg (4 Sep 2023)

- docs: add curl_global_trace to some SEE ALSO sections

  Closes #11791

- os400: fix checksrc nits

  Closes #11789

Nicholas Nethercote (3 Sep 2023)

- hyper: remove `hyptransfer->endtask`

  `Curl_hyper_stream` needs to distinguish between two kinds of
  `HYPER_TASK_EMPTY` tasks: (a) the `foreach` tasks it creates itself, and
  (b) background tasks that hyper produces. It does this by recording the
  address of any `foreach` task in `hyptransfer->endtask` before pushing
  it into the executor, and then comparing that against the address of
  tasks later polled out of the executor.

  This works right now, but there is no guarantee from hyper that the
  addresses are stable. `hyper_executor_push` says "The executor takes
  ownership of the task, which should not be accessed again unless
  returned back to the user with `hyper_executor_poll`". That wording is a
  bit ambiguous but with my Rust programmer's hat on I read it as meaning
  the task returned with `hyper_executor_poll` may be conceptually the
  same as a task that was pushed, but that there are no other guarantees
  and comparing addresses is a bad idea.

  This commit instead uses `hyper_task_set_userdata` to mark the `foreach`
  task with a `USERDATA_RESP_BODY` value which can then be checked for,
  removing the need for `hyptransfer->endtask`. This makes the code look
  more like that hyper C API examples, which use userdata for every task
  and never look at task addresses.

  Closes #11779

Dave Cottlehuber (3 Sep 2023)

- ws: fix spelling mistakes in examples and tests

  Closes #11784

Daniel Stenberg (3 Sep 2023)

- tool_filetime: make -z work with file dates before 1970

  Fixes #11785
  Reported-by: Harry Sintonen
  Closes #11786

Dan Fandrich (1 Sep 2023)

- build: fix portability of mancheck and checksrc targets

  At least FreeBSD preserves cwd across makefile lines, so rules
  consisting of more than one "cd X; do_something" must be explicitly run
  in a subshell to avoid this. This problem caused the Cirrus FreeBSD
  build to fail when parallel make jobs were enabled.

- CI: adjust labeler match patterns for new & obsolete files

- configure: trust pkg-config when it's used for zlib

  The library flags retrieved from pkg-config were later thrown out and
  harded-coded, which negates the whole reason to use pkg-config.
  Also, previously, the assumption was made that --libs-only-l and
  --libs-only-L are the full decomposition of --libs, which is untrue and
  would not allow linking against a static zlib. The new approach is
  better in that it uses --libs, although only if --libs-only-l returns
  nothing.

  Bug: https://curl.se/mail/lib-2023-08/0081.html
  Reported-by: Randall
  Closes #11778

Stefan Eissing (1 Sep 2023)

- CI/ngtcp2: clear wolfssl for when cache is ignored

  Closes #11783

Daniel Stenberg (1 Sep 2023)

- RELEASE-NOTES: synced

Nicholas Nethercote (1 Sep 2023)

- hyper: fix a progress upload counter bug

  `Curl_pgrsSetUploadCounter` should be a passed a total count, not an
  increment.

  This changes the failing diff for test 579 with hyper from this:
  ```
   Progress callback called with UL 0 out of 0[LF]
  -Progress callback called with UL 8 out of 0[LF]
  -Progress callback called with UL 16 out of 0[LF]
  -Progress callback called with UL 26 out of 0[LF]
  -Progress callback called with UL 61 out of 0[LF]
  -Progress callback called with UL 66 out of 0[LF]
  +Progress callback called with UL 29 out of 0[LF]
  ```
  to this:
  ```
   Progress callback called with UL 0 out of 0[LF]
  -Progress callback called with UL 8 out of 0[LF]
  -Progress callback called with UL 16 out of 0[LF]
  -Progress callback called with UL 26 out of 0[LF]
  -Progress callback called with UL 61 out of 0[LF]
  -Progress callback called with UL 66 out of 0[LF]
  +Progress callback called with UL 40 out of 0[LF]
  ```
  Presumably a step in the right direction.

  Closes #11780

Daniel Stenberg (1 Sep 2023)

- awssiv4: avoid freeing the date pointer on error

  Since it was not allocated, don't free it even if it was wrong syntax

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908

  Follow-up to b137634ba3adb

  Closes #11782

Stefan Eissing (1 Sep 2023)

- CI: ngtcp2-linux: use separate caches for tls libraries

  allow ever changing master for wolfssl

  Closes #11766

- replace `master` as wolfssl-version with recent commit

- wolfssl, use master again in CI

  - with the shared session update fix landed in master, it
    is time to use that in our CI again

Nicholas Nethercote (31 Aug 2023)

- tests: fix formatting errors in `FILEFORMAT.md`.

  Without the surrounding backticks, these tags get swallowed when the
  markdown is rendered.

  Closes #11777

Viktor Szakats (31 Aug 2023)

- cmake: add support for `CURL_DEFAULT_SSL_BACKEND`

  Allow overriding the default TLS backend via a CMake setting.

  E.g.:
  `cmake [...] -DCURL_DEFAULT_SSL_BACKEND=mbedtls`

  Accepted values: bearssl, gnutls, mbedtls, openssl, rustls,
  schannel, secure-transport, wolfssl

  The passed string is baked into the curl/libcurl binaries.
  The value is case-insensitive.

  We added a similar option to autotools in 2017 via
  c7170e20d0a18ec8a514b4daa53bcdbb4dcb3a05.

  TODO: Convert to lowercase to improve reproducibility.

  Closes #11774

- sectransp: fix compiler warnings

  https://github.com/curl/curl-for-win/actions/runs/6037489221/job/16381860220#
  step:3:11046
  ```
  /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:2435:1
  4: warning: unused variable 'success' [-Wunused-variable]
      OSStatus success;
               ^
  /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:3300:4
  4: warning: unused parameter 'sha256len' [-Wunused-parameter]
                                      size_t sha256len)
                                             ^
  ```

  Closes #11773

- tidy-up: mostly whitespace nits

  - delete completed TODO from `./CMakeLists.txt`.
  - convert a C++ comment to C89 in `./CMake/CurlTests.c`.
  - delete duplicate EOLs from EOF.
  - add missing EOL at EOF.
  - delete whitespace at EOL (except from expected test results).
  - convert tabs to spaces.
  - convert CRLF EOLs to LF in GHA yaml.
  - text casing fixes in `./CMakeLists.txt`.
  - fix a codespell typo in `packages/OS400/initscript.sh`.

  Closes #11772

Dan Fandrich (31 Aug 2023)

- CI: remove Windows builds from Cirrus, without replacement

  If we don't do this, all coverage on Cirrus will cease in a few days. By
  removing the Windows builds, the FreeBSD one should still continue
  as before. The Windows builds will need be moved to another service to
  maintain test coverage.

  Closes #11771

- CI: switch macOS ARM build from Cirrus to Circle CI

  Cirrus is drastically reducing their free tier on Sept. 1, so they will
  no longer perform all these builds for us. All but one build has been
  moved, with the LibreSSL one being dropped because of linking problems
  on Circle.

  One important note about this change is that Circle CI is currently
  directing all these builds to x86_64 hardware, despite them requesting
  ARM. This is because ARM nodes are scheduled to be available on the
  free tier only in December. This reduces our architectural diversity
  until then but it should automatically come back once those machines are
  enabled.

- CI: use the right variable for BSD make

  BSD uses MAKEFLAGS instead of MAKE_FLAGS so it wasn't doing parallel
  builds before.

- CI: drop the FreeBSD 12.X build

  Cirrus' new free tier won't let us have many builds, so drop the
  nonessential ones. The FreeBSD 13.X build will still give us the most
  relevant FreeBSD coverage.

- CI: move the Alpine build from Cirrus to GHA

  Cirrus is reducing their free tier to next to nothing, so we must move
  builds elsewhere.

Stefan Eissing (30 Aug 2023)

- test_07_upload.py: fix test_07_34 curl args

  - Pass correct filename to --data-binary.

  Prior to this change --data-binary was passed an incorrect filename due
  to a missing separator in the arguments list. Since aacbeae7 curl will
  error on incorrect filenames for POST.

  Fixes https://github.com/curl/curl/issues/11761
  Closes https://github.com/curl/curl/pull/11763

Nicholas Nethercote (30 Aug 2023)

- tests: document which tests fail due to hyper's lack of trailer support.

  Closes #11762

- docs: removing "pausing transfers" from HYPER.md.

  It's a reference to #8600, which was fixed by #9070.

  Closes #11764

Patrick Monnerat (30 Aug 2023)

- os400: handle CURL_TEMP_PRINTF() while building bind source

  Closes #11547

- os400: build test servers

  Also fix a non-compliant main prototype in disabled.c.

  Closes #11547

- tests: fix compilation error for os400

  OS400 uses BSD 4.3 setsockopt() prototype by default: this does not
  define parameter as const, resulting in an error if actual parameter is
  const. Remove the const keyword from the actual parameter cast: this
  works in all conditions, even if the formal parameter uses it.

  Closes #11547

- os400: make programs and command name configurable

  Closes #11547

- os400: move build configuration parameters to a separate script

  They can then easily be overriden in a script named "config400.override"
  that is not part of the distribution.

  Closes #11547

- os400: implement CLI tool

  This is provided as a QADRT (ascii) program, a link to it in the IFS and
  a minimal CL command.

  Closes #11547

Matthias Gatto (30 Aug 2023)

- lib: fix aws-sigv4 having date header twice in some cases

  When the user was providing the header X-XXX-Date, the header was
  re-added during signature computation, and we had it twice in the
  request.

  Reported-by: apparentorder@users.noreply.github.com

  Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

  Fixes: https://github.com/curl/curl/issues/11738
  Closes: https://github.com/curl/curl/pull/11754

Jay Satiro (30 Aug 2023)

- multi: remove 'processing: <url>' debug message

  - Remove debug message added by e024d566.

  Closes https://github.com/curl/curl/pull/11759

- ftp: fix temp write of ipv6 address

  - During the check to differentiate between a port and IPv6 address
    without brackets, write the binary IPv6 address to an in6_addr.

  Prior to this change the binary IPv6 address was erroneously written to
  a sockaddr_in6 'sa6' when it should have been written to its in6_addr
  member 'sin6_addr'. There's no fallout because no members of 'sa6' are
  accessed before it is later overwritten.

  Closes https://github.com/curl/curl/pull/11747

- tool: change some fopen failures from warnings to errors

  - Error on missing input file for --data, --data-binary,
    --data-urlencode, --header, --variable, --write-out.

  Prior to this change if a user of the curl tool specified an input file
  for one of the above options and that file could not be opened then it
  would be treated as zero length data instead of an error. For example, a
  POST using `--data @filenametypo` would cause a zero length POST which
  is probably not what the user intended.

  Closes https://github.com/curl/curl/pull/11677

- hostip: fix typo

Davide Masserut (29 Aug 2023)

- tool: avoid including leading spaces in the Location hyperlink

  Co-authored-by: Dan Fandrich <dan@coneharvesters.com>

  Closes #11735

Daniel Stenberg (29 Aug 2023)

- SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline

  Closes #11757

- connect: stop halving the remaining timeout when less than 600 ms left

  When curl wants to connect to a host, it always has a TIMEOUT. The
  maximum time it is allowed to spend until a connect is confirmed.

  curl will try to connect to each of the IP adresses returned for the
  host. Two loops, one for each IP family.

  During the connect loop, while curl has more than one IP address left to
  try within a single address family, curl has traditionally allowed (time
  left/2) for *this* connect attempt. This, to not get stuck on the
  initial addresses in case the timeout but still allow later addresses to
  get attempted.

  This has the downside that when users set a very short timeout and the
  host has a large number of IP addresses, the effective result might be
  that every attempt gets a little too short time.

  This change stop doing the divided-by-two if the total time left is
  below a threshold. This threshold is 600 milliseconds.

  Closes #11693

- asyn-ares: reduce timeout to 2000ms

  When UDP packets get lost this makes for slightly faster retries. This
  lower timeout is used by @c-ares itself by default starting next
  release.

  Closes #11753

John Bampton (29 Aug 2023)

- misc: remove duplicate words

  Closes #11740

Daniel Stenberg (29 Aug 2023)

- RELEASE-NOTES: synced

- wolfSSL: avoid the OpenSSL compat API when not needed

  ... and instead call wolfSSL functions directly.

  Closes #11752

Viktor Szakats (28 Aug 2023)

- lib: fix null ptr derefs and uninitialized vars (h2/h3)

  Fixing compiler warnings with gcc 13.2.0 in unity builds.

  Assisted-by: Jay Satiro
  Assisted-by: Stefan Eissing
  Closes #11739

Jay Satiro (28 Aug 2023)

- secureserver.pl: fix stunnel version parsing

  - Allow the stunnel minor-version version part to be zero.

  Prior to this change with the stunnel version scheme of <major>.<minor>
  if either part was 0 then version parsing would fail, causing
  secureserver.pl to fail with error "No stunnel", causing tests that use
  the SSL protocol to be skipped. As a practical matter this bug can only
  be caused by a minor-version part of 0, since the major-version part is
  always greater than 0.

  Closes https://github.com/curl/curl/pull/11722

- secureserver.pl: fix stunnel path quoting

  - Store the stunnel path in the private variable $stunnel unquoted and
    instead quote it in the command strings.

  Prior to this change the quoted stunnel path was passed to perl's file
  operators which cannot handle quoted paths. For example:

  $stunnel = "\"/C/Program Files (x86)/stunnel/bin/tstunnel\"";
  if(-x $stunnel or -x "$stunnel")
  # false even if path exists and is executable

  Our other test scripts written in perl, unlike this one, use servers.pm
  which has a global $stunnel variable with the path stored unquoted and
  therefore those scripts don't have this problem.

  Closes https://github.com/curl/curl/pull/11721

Daniel Stenberg (28 Aug 2023)

- altsvc: accept and parse IPv6 addresses in response headers

  Store numerical IPv6 addresses in the alt-svc file with the brackets
  present.

  Verify with test 437 and 438

  Fixes #11737
  Reported-by: oliverpool on github
  Closes #11743

- libtest: use curl_free() to free libcurl allocated data

  In several test programs. These mistakes are not detected or a problem
  as long as memdebug.h is included, as that provides the debug wrappers
  for all memory functions in the same style libcurl internals do it,
  which makes curl_free and free effectively the same call.

  Reported-by: Nicholas Nethercote
  Closes #11746

Jay Satiro (28 Aug 2023)

- disable.d: explain --disable not implemented prior to 7.50.0

  Option -q/--disable was added in 5.0 but only -q was actually
  implemented. Later --disable was implemented in e200034 (precedes
  7.49.0), but incorrectly, and fixed in 6dbc23c (precedes 7.50.0).

  Reported-by: pszlazak@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/11710
  Closes #11712

Nicholas Nethercote (28 Aug 2023)

- hyper: fix ownership problems

  Some of these changes come from comparing `Curl_http` and
  `start_CONNECT`, which are similar, and adding things to them that are
  present in one and missing in another.

  The most important changes:
  - In `start_CONNECT`, add a missing `hyper_clientconn_free` call on the
    happy path.
  - In `start_CONNECT`, add a missing `hyper_request_free` on the error
    path.
  - In `bodysend`, add a missing `hyper_body_free` on an early-exit path.
  - In `bodysend`, remove an unnecessary `hyper_body_free` on a different
    error path that would cause a double-free.
    https://docs.rs/hyper/latest/hyper/ffi/fn.hyper_request_set_body.html
    says of `hyper_request_set_body`: "This takes ownership of the
    hyper_body *, you must not use it or free it after setting it on the
    request." This is true even if `hyper_request_set_body` returns an
    error; I confirmed this by looking at the hyper source code.

  Other changes are minor but make things slightly nicer.

  Closes #11745

Daniel Stenberg (28 Aug 2023)

- multi.h: the 'revents' field of curl_waitfd is supported

  Since 6d30f8ebed34e7276

  Reported-by: Nicolás Ojeda Bär
  Ref: #11748
  Closes #11749

Gerome Fournier (27 Aug 2023)

- tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()

  Closes #11742

Daniel Stenberg (27 Aug 2023)

- docs: mention critical files in same directories as curl saves

  ... cannot be fully protected. Don't do it.

  Co-authored-by: Jay Satiro
  Reported-by: Harry Sintonen
  Fixes #11530
  Closes #11701

John Hawthorn (26 Aug 2023)

- OpenSSL: clear error queue after SSL_shutdown

  We've seen errors left in the OpenSSL error queue (specifically,
  "shutdown while in init") by adding some logging it revealed that the
  source was this file.

  Since we call SSL_read and SSL_shutdown here, but don't check the return
