                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.60.0 (15 May 2018)

Daniel Stenberg (15 May 2018)
- RELEASE-NOTES: 7.60.0 release

- THANKS: added people from the curl 7.60.0 release

- docs/libcurl/index.html: removed
  
  The HTML files are long gone from the dist, now remove the last HTML
  file pointing to those missing files.
  
  d

- [steini2000 brought this change]

  http2: remove unused variable
  
  Closes #2570

- [steini2000 brought this change]

  http2: use easy handle of stream for logging

- gcc: disable picky gcc-8 function pointer warnings in two places
  
  Reported-by: Rikard Falkeborn
  Bug: #2560
  Closes #2569

- http2: use the correct function pointer typedef
  
  Fixes gcc-8 picky compiler warnings
  Reported-by: Rikard Falkeborn
  Bug: #2560
  Closes #2568

- CODE_STYLE: mention return w/o parens, but sizeof with
  
  ... and remove the github markdown syntax so that it renders better on
  the web site. Also, don't use back-ticks inlined to allow the CSS to
  highlight source code better.

- [Rikard Falkeborn brought this change]

  examples: Fix format specifiers
  
  Closes #2561

- [Rikard Falkeborn brought this change]

  tool: Fix format specifiers

- [Rikard Falkeborn brought this change]

  ntlm: Fix format specifiers

- [Rikard Falkeborn brought this change]

  tests: Fix format specifiers

- [Rikard Falkeborn brought this change]

  lib: Fix format specifiers

- contributors.sh: use "on github", not at

- http2: getsock fix for uploads
  
  When there's an upload in progress, make sure to wait for the socket to
  become writable.
  
  Detected-by: steini2000 on github
  Bug: #2520
  Closes #2567

- pingpong: fix response cache memcpy overflow
  
  Response data for a handle with a large buffer might be cached and then
  used with the "closure" handle when it has a smaller buffer and then the
  larger cache will be copied and overflow the new smaller heap based
  buffer.
  
  Reported-by: Dario Weisser
  CVE: CVE-2018-1000300
  Bug: https://curl.haxx.se/docs/adv_2018-82c2.html

- http: restore buffer pointer when bad response-line is parsed
  
  ... leaving the k->str could lead to buffer over-reads later on.
  
  CVE: CVE-2018-1000301
  Assisted-by: Max Dymond
  
  Detected by OSS-Fuzz.
  Bug: https://curl.haxx.se/docs/adv_2018-b138.html
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105

Patrick Monnerat (13 May 2018)
- cookies: do not take cookie name as a parameter
  
  RFC 6265 section 4.2.1 does not set restrictions on cookie names.
  This is a follow-up to commit 7f7fcd0.
  Also explicitly check proper syntax of cookie name/value pair.
  
  New test 1155 checks that cookie names are not reserved words.
  
  Reported-By: anshnd at github
  Fixes #2564
  Closes #2566

Daniel Stenberg (12 May 2018)
- smb: reject negative file sizes
  
  Assisted-by: Max Dymond
  
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245

- setup_transfer: deal with both sockets being -1
  
  Detected by Coverity; CID 1435559.  Follow-up to f8d608f38d00. It would
  index the array with -1 if neither index was a socket.

- travis: add build using NSS
  
  Closes #2558

- [Sunny Purushe brought this change]

  openssl: change FILE ops to BIO ops
  
  To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
  handling is causing problems. This fix changes the OpenSSL backend code
  to use BIO functions instead of FILE I/O functions to circumvent those
  problems.
  
  Closes #2512

- travis: add a build using WolfSSL
  
  Assisted-by: Dan Fandrich
  
  Closes #2528

- RELEASE-NOTES: typo

- RELEASE-NOTES: synced

- [Daniel Gustafsson brought this change]

  URLs: fix one more http url
  
  This file wasn't included in commit 4af40b3646d3b09 which updated all
  haxx.se http urls to https. The file was committed prior to that update,
  but may have been merged after it and hence didn't get updated.
  
  Closes #2550

- github/lock: auto-lock closed issues after 90 days of inactivity

- vtls: fix missing commas
  
  follow-up to e66cca046cef

- vtls: use unified "supports" bitfield member in backends
  
  ... instead of previous separate struct fields, to make it easier to
  extend and change individual backends without having to modify them all.
  
  closes #2547

- transfer: don't unset writesockfd on setup of multiplexed conns
  
  Curl_setup_transfer() can be called to setup a new individual transfer
  over a multiplexed connection so it shouldn't unset writesockfd.
  
  Bug: #2520
  Closes #2549

- [Frank Gevaerts brought this change]

  configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
  
  They are removed from the compiler flags.
  
  This ensures that make dependency tracking will force a rebuild whenever
  configure --enable-debug or --enable-curldebug changes.
  
  Closes #2548

- http: don't set the "rewind" flag when not uploading anything
  
  It triggers an assert.
  
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
  Closes #2546

- travis: add an mbedtls build
  
  Closes #2531

- configure: only check for CA bundle for file-using SSL backends
  
  When only building with SSL backends that don't use the CA bundle file
  (by default), skip the check.
  
  Fixes #2543
  Fixes #2180
  Closes #2545

- ssh-libssh.c: fix left shift compiler warning
  
  ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
  represent, but 'int' only has 32 bits [-Wshift-overflow=]
  
  'len' will never be that big anyway so I converted the run-time check to
  a regular assert.

- [Stephan Mühlstrasser brought this change]

  URL: fix ASCII dependency in strcpy_url and strlen_url
  
  Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the
  changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of
  the problem that strcpy_url() was modified unilaterally without also
  modifying strlen_url(). As a consequence strcpy_url() was again
  depending on ASCII encoding.
  
  This change fixes strlen_url() and strcpy_url() in parallel to use a
  common host-encoding independent criterion for deciding whether an URL
  character must be %-escaped.
  
  Closes #2535

- [Denis Ollier brought this change]

  docs: remove extraneous commas in man pages
  
  Closes #2544

- RELEASE-NOTES: synced

- Revert "TODO: remove configure --disable-pthreads"
  
  This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3.
  
  --disable-pthreads can be used to disable pthreads and get the threaded
  resolver to use the windows threading when building with mingw.

- vtls: don't define MD5_DIGEST_LENGTH for wolfssl
  
  ... as it defines it (too)

- TODO: remove configure --disable-pthreads

Jay Satiro (2 May 2018)
- [David Garske brought this change]

  wolfssl: Fix non-blocking connect
  
  Closes https://github.com/curl/curl/pull/2542

Daniel Stenberg (30 Apr 2018)
- CURLOPT_URL.3: add ENCODING section [ci skip]
  
  Feedback-by: Michael Kilburn

- KNOWN_BUGS: Client cert with Issuer DN differs between backends
  
  Closes #1411

- KNOWN_BUGS: Passive transfer tries only one IP address
  
  Closes #1508

- KNOWN_BUGS: --upload-file . hang if delay in STDIN
  
  Closes #2051

- KNOWN_BUGS: Connection information when using TCP Fast Open
  
  Closes #1332

- travis: enable libssh2 on both macos and Linux
  
  It seems to not be detected by default anymore (which is a bug I
  believe)
  
  Closes #2541

- TODO: Support the clienthello extension
  
  Closes #2299

- TODO: CLOEXEC
  
  Closes #2252

- tests: provide 'manual' as a feature to optionally require
  
  ... and make test 1026 rely on that feature so that --disable-manual
  builds don't cause test failures.
  
  Reported-by: Max Dymond and Anders Roxell
  Fixes #2533
  Closes #2540

- CURLINFO_PROTOCOL.3: mention the existing defined names

Jay Satiro (27 Apr 2018)
- [Daniel Gustafsson brought this change]

  cookies: remove unused macro
  
  Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
  so remove as it's not part of the published API.
  
  Closes https://github.com/curl/curl/pull/2537

Daniel Stenberg (27 Apr 2018)
- [Daniel Gustafsson brought this change]

  checksrc: force indentation of lines after an else
  
  This extends the INDENTATION case to also handle 'else' statements
  and require proper indentation on the following line. Also fixes the
  offending cases found in the codebase.
  
  Closes #2532

- http2: fix null pointer dereference in http2_connisdead
  
  This function can get called on a connection that isn't setup enough to
  have the 'recv_underlying' function pointer initialized so it would try
  to call the NULL pointer.
  
  Reported-by: Dario Weisser
  
  Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
  Closes #2536

- http2: get rid of another strstr()
  
  Follow-up to 1514c44655e12e: replace another strstr() call done on a
  buffer that might not be zero terminated - with a memchr() call, even if
  we know the substring will be found.
  
  Assisted-by: Max Dymond
  
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
  
  Closes #2534

- cyassl: adapt to libraries without TLS 1.0 support built-in
  
  WolfSSL doesn't enable it by default anymore

- configure: provide --with-wolfssl as an alias for --with-cyassl

- RELEASE-NOTES: synced

- [Daniel Gustafsson brought this change]

  os400.c: fix ASSIGNWITHINCONDITION checksrc warnings
  
  All occurrences of assignment within conditional expression in
  os400sys.c rewritten into two steps: first assignment and then the check
  on the success of the assignment. Also adjust related incorrect brace
  positions to match project indentation style.
  
  This was spurred by seeing "if((inp = input_token))", but while in there
  all warnings were fixed.
  
  There should be no functional change from these changes.
  
  Closes #2525

- [Daniel Gustafsson brought this change]

  cookies: ensure that we have cookies before writing jar
  
  The jar should be written iff there are cookies, so ensure that we still
  have cookies after expiration to avoid creating an empty file.
  
  Closes #2529

- strcpy_url: only %-encode values >= 0x80
  
  OSS-Fuzz detected
  
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000
  
  Broke in dd7521bcc1b7

- mime: avoid NULL pointer dereference risk
  
  Coverity detected, CID 1435120
  
  Closes #2527

- [Stephan Mühlstrasser brought this change]

  ctype: restore character classification for non-ASCII platforms
  
  With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic
  character classification macros and functions were introduced in
  curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
  non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
  of character classification macros when CURL_DOES_CONVERSIONS is
  defined.
  
  Closes #2494

- ftplistparser: keep state between invokes
  
  Fixes FTP wildcard parsing when done over a number of read buffers.
  
  Regression from f786d1f14
  
  Reported-by: wncboy on github
  Fixes #2445
  Closes #2526

- examples/http2-upload: expand buffer to avoid silly warning
  
  http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated
  writing between 2 and 11 bytes into a region of size between 8 and 17

- examples/sftpuploadresume: typecast fseek argument to long
  
  /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long
  int' from 'curl_off_t {aka long long int}' may alter its value

- Revert "ftplistparser: keep state between invokes"
  
  This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934.
  
  Caused fuzzer problems on travis not seen when this was a PR!

- Curl_memchr: zero length input can't match
  
  Avoids undefined behavior.
  
  Reported-by: Geeknik Labs

- ftplistparser: keep state between invokes
  
  Fixes FTP wildcard parsing when doing over a number of read buffers.
  
  Regression from f786d1f14
  
  Reported-by: wncboy on github
  Fixes #2445
  Closes #2519

- ftplistparser: renamed some members and variables
  
  ... to make them better spell out what they're for.

- RELEASE-NOTES: synced

- [Christian Schmitz brought this change]

  curl_global_sslset: always provide available backends
  
  Closes #2499

- http2: convert an assert to run-time check
  
  Fuzzing has proven we can reach code in on_frame_recv with status_code
  not having been set, so let's detect that in run-time (instead of with
  assert) and error error accordingly.
  
  (This should no longer happen with the latest nghttp2)
  
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
  Closes #2514

- curl.1: clarify that options and URLs can be mixed
  
  Fixes #2515
  Closes #2517

Jay Satiro (23 Apr 2018)
- [Archangel_SDY brought this change]

  CURLOPT_SSLCERT.3: improve WinSSL-specific usage info
  
  Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780
  
  Closes https://github.com/curl/curl/pull/2504

- [Archangel_SDY brought this change]

  schannel: fix build error on targets <= XP
  
  - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
    support the latter.
  
  Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668
  
  Closes https://github.com/curl/curl/pull/2504

Daniel Stenberg (23 Apr 2018)
- Revert "ftplistparser: keep state between invokes"
  
  This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9.
  
  Unfortunately this fix introduces memory leaks I've not been able to fix
  in several days. Reverting this for now to get the leaks fixed.

Jay Satiro (21 Apr 2018)
- tool_help: clarify --max-time unit of time is seconds
  
  Before:
   -m, --max-time <time> Maximum time allowed for the transfer
  
  After:
   -m, --max-time <seconds> Maximum time allowed for the transfer

Daniel Stenberg (20 Apr 2018)
- http2: handle GOAWAY properly
  
  When receiving REFUSED_STREAM, mark the connection for close and retry
  streams accordingly on another/fresh connection.
  
  Reported-by: Terry Wu
  Fixes #2416
  Fixes #1618
  Closes #2510

- http2: clear the "drain counter" when a stream is closed
  
  This fixes the notorious "httpc->drain_total >= data->state.drain"
  assert.
  
  Reported-by: Anders Bakken
  
  Fixes #1680
  Closes #2509

- http2: avoid strstr() on data not zero terminated
  
  It's not strictly clear if the API contract allows us to call strstr()
  on a string that isn't zero terminated even when we know it will find
  the substring, and clang's ASAN check dislikes us for it.
  
  Also added a check of the return code in case it fails, even if I can't
  think of a situation how that can trigger.
  
  Detected by OSS-Fuzz
  Closes #2513
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760

- [Stephan Mühlstrasser brought this change]

  openssl: fix subjectAltName check on non-ASCII platforms
  
  Curl_cert_hostcheck operates with the host character set, therefore the
  ASCII subjectAltName string retrieved with OpenSSL must be converted to
  the host encoding before comparison.
  
  Closes #2493

Jay Satiro (20 Apr 2018)
- openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
  
  - Support handling verbose-mode trace messages of type
    SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
    SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
    SSL3_MT_MESSAGE_HASH
  
  Reported-by: iz8mbw@users.noreply.github.com
  
  Fixes https://github.com/curl/curl/issues/2403

Daniel Stenberg (19 Apr 2018)
- ftplistparser: keep state between invokes
  
  Regression from f786d1f14
  
  Reported-by: wncboy on github
  Fixes #2445
  Closes #2508

- detect_proxy: only show proxy use if it had contents

- http2: handle on_begin_headers() called more than once
  
  This triggered an assert if called more than once in debug mode (and a
  memory leak if not debug build). With the right sequence of HTTP/2
  headers incoming it can happen.
  
  Detected by OSS-Fuzz
  
  Closes #2507
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764

Jay Satiro (18 Apr 2018)
- [Dan McNulty brought this change]

  schannel: add support for CURLOPT_CAINFO
  
  - Move verify_certificate functionality in schannel.c into a new
    file called schannel_verify.c. Additionally, some structure defintions
    from schannel.c have been moved to schannel.h to allow them to be
    used in schannel_verify.c.
  
  - Make verify_certificate functionality for Schannel available on
    all versions of Windows instead of just Windows CE. verify_certificate
    will be invoked on Windows CE or when the user specifies
    CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
  
  - In verify_certificate, create a custom certificate chain engine that
    exclusively trusts the certificate store backed by the CURLOPT_CAINFO
    file.
  
  - doc updates of --cacert/CAINFO support for schannel
  
  - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
    when available. This implements a TODO in schannel.c to improve
    handling of multiple SANs in a certificate. In particular, all SANs
    will now be searched instead of just the first name.
  
  - Update tool_operate.c to not search for the curl-ca-bundle.crt file
    when using Schannel to maintain backward compatibility. Previously,
    any curl-ca-bundle.crt file found in that search would have been
    ignored by Schannel. But, with CAINFO support, the file found by
    that search would have been used as the certificate store and
    could cause issues for any users that have curl-ca-bundle.crt in
    the search path.
  
  - Update url.c to not set the build time CURL_CA_BUNDLE if the selected
    SSL backend is Schannel. We allow setting CA location for schannel
    only when explicitly specified by the user via CURLOPT_CAINFO /
    --cacert.
  
  - Add new test cases 3000 and 3001. These test cases check that the first
    and last SAN, respectively, matches the connection hostname. New test
    certificates have been added for these cases. For 3000, the certificate
    prefix is Server-localhost-firstSAN and for 3001, the certificate
    prefix is Server-localhost-secondSAN.
  
  - Remove TODO 15.2 (Add support for custom server certificate
    validation), this commit addresses it.
  
  Closes https://github.com/curl/curl/pull/1325

- schannel: fix warning
  
  - Fix warning 'integer from pointer without a cast' on 3rd arg in
    CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
    type of the same size.
  
  Follow-up to e35b025.
  
  Caught by Marc's CI builds.

- [Jakub Wilk brought this change]

  docs: fix typos
  
  Closes https://github.com/curl/curl/pull/2503

Daniel Stenberg (17 Apr 2018)
- RELEASE-NOTES: synced

Jay Satiro (17 Apr 2018)
- [Kees Dekker brought this change]

  winbuild: Support custom devel paths for each dependency
  
  - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
    OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
    NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
  
  - Use lib.exe for making the static library instead of link.exe /lib.
    The latter is undocumented and could cause problems as noted in the
    comments.
  
  - Remove a dangling URL that no longer worked. (I was not able to find
    the IDN download at MSDN/microsoft.com, so it seems to be removed.)
  
  - Remove custom override for release-ssh2-ssl-dll-zlib configuration.
    Nobody knows why it was there and as far as we can see is unnecessary.
  
  Closes https://github.com/curl/curl/pull/2474

Daniel Stenberg (17 Apr 2018)
- [Jess brought this change]

  README.md: add backers and sponsors
  
  Closes #2484

- [Archangel_SDY brought this change]

  schannel: add client certificate authentication
  
  Users can now specify a client certificate in system certificates store
  explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
  
  Closes #2376

Marcel Raad (16 Apr 2018)
- [toughengineer brought this change]

  ntlm_sspi: fix authentication using Credential Manager
  
  If you pass empty user/pass asking curl to use Windows Credential
  Storage (as stated in the docs) and it has valid credentials for the
  domain, e.g.
  curl -v -u : --ntlm example.com
  currently authentication fails.
  This change fixes it by providing proper SPN string to the SSPI API
  calls.
  
  Fixes https://github.com/curl/curl/issues/1622
  Closes https://github.com/curl/curl/pull/1660

Daniel Stenberg (16 Apr 2018)
- configure: keep LD_LIBRARY_PATH changes local
  
  ... only set it when we actually have to run tests to reduce its impact
  on for example build commands etc.
  
  Fixes #2490
  Closes #2492
  
  Reported-by: Dmitry Mikhirev

Marcel Raad (16 Apr 2018)
- urldata: make service names unconditional
  
  The ifdefs have become quite long. Also, the condition for the
  definition of CURLOPT_SERVICE_NAME and for setting it from
  CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
  options for NTLM, at least when using SSPI, for
  https://github.com/curl/curl/pull/1660.
  Just make the definitions unconditional to make that easier.
  
  Closes https://github.com/curl/curl/pull/2479

Daniel Stenberg (16 Apr 2018)
- test1148: tolerate progress updates better
  
  Fixes #2446
  Closes #2488

- [Christian Schmitz brought this change]

  ssh: show libSSH2 error code when closing fails
  
  Closes #2500

Jay Satiro (15 Apr 2018)
- [Daniel Gustafsson brought this change]

  vauth: Fix typo
  
  Address various spellings of "credentials".
  
  Closes https://github.com/curl/curl/pull/2496

- [Dagobert Michelsen brought this change]

  system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
  
  With specific compiler options selecting the arch like -xarch=sparc on
  newer compilers like Oracle Studio 12.4 there is no definition of
  __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
  32ÎíÎñbit subset defined by the V8plus ISA specification, without the
  Visual Instruction Set (VIS), and without other implementation-specific
  ISA extensions. So it should be the same as __sparcv8.
  
  Closes https://github.com/curl/curl/pull/2491

- [Daniel Gustafsson brought this change]

  checksrc: Fix typo
  
  Fix typo in "semicolon" spelling and remove stray tab character.
  
  Closes https://github.com/curl/curl/pull/2498

- [Daniel Gustafsson brought this change]

  all: Refactor malloc+memset to use calloc
  
  When a zeroed out allocation is required, use calloc() rather than
  malloc() followed by an explicit memset(). The result will be the
  same, but using calloc() everywhere increases consistency in the
  codebase and avoids the risk of subtle bugs when code is injected
  between malloc and memset by accident.
  
  Closes https://github.com/curl/curl/pull/2497

Daniel Stenberg (12 Apr 2018)
- duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
  
  Verified in test 1502 now
  
  Fixes #2485
  Closes #2486
  Reported-by: Ernst Sjöstrand

- mailmap: add a monnerat fixup [ci skip]

- proxy: show getenv proxy use in verbose output
  
  ... to aid debugging etc as it sometimes isn't immediately obvious why
  curl uses or doesn't use a proxy.
  
  Inspired by #2477
  
  Closes #2480

- travis: build libpsl and make builds use it
  
  closes #2471

- travis: bump to clang 6 and gcc 7
  
  Extra-eye-on-this-by: Marcel Raad
  
  Closes #2478

Marcel Raad (10 Apr 2018)
- travis: use trusty for coverage build
  
  This works now and precise is in the process of being decommissioned.
  
  Closes https://github.com/curl/curl/pull/2476

- lib: silence null-dereference warnings
  
  In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
  when dereferencing pointers after DEBUGASSERT-ing that they are not
  NULL.
  Fix this by removing the DEBUGASSERTs.
  
  Suggested-by: Daniel Stenberg
  Ref: https://github.com/curl/curl/pull/2463

- [Kees Dekker brought this change]

  winbuild: fix URL
  
  Follow up on https://github.com/curl/curl/pull/2472.
  Now using en-us instead of nl-nl as language code in the URL.
  
  Closes https://github.com/curl/curl/pull/2475

Daniel Stenberg (9 Apr 2018)
- [Kees Dekker brought this change]

  winbuild: updated the documentation
  
  The setenv command no longer exists and visual studio build prompts got
  changed. Used Visual Studio 2015/2017 as reference.
  
  Closes #2472

- test1136: fix cookie order after commit c990eadd1277

- build: cleanup to fix clang warnings/errors
  
  unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
  cast from integer to pointer is a GNU extension
  
  Reported-by: Rikard Falkeborn
  
  Fixes #2466
  Closes #2468

Jay Satiro (7 Apr 2018)
- examples/sftpuploadresmue: Fix Windows large file seek
  
  - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
  
  - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
    curl_off_t.
  
  Caught by Marc's CI builds.

Daniel Stenberg (7 Apr 2018)
- curl_setup: provide a CURL_SA_FAMILY_T type if none exists
  
  ... and use this type instead of 'sa_family_t' in the code since several
  platforms don't have it.
  
  Closes #2463

- [Eric Gallager brought this change]

  build: add picky compiler warning flags for gcc 6 and 7

- configure: detect sa_family_t

Jay Satiro (7 Apr 2018)
- [Stefan Agner brought this change]

  tool_operate: Fix retry on FTP 4xx to ignore other protocols
  
  Only treat response code as FTP response codes in case the
  protocol type is FTP.
  
  This fixes an issue where an HTTP download was treated as FTP
  in case libcurl returned with 33. This happens when the
  download has already finished and the server responses 416:
    HTTP/1.1 416 Requested Range Not Satisfiable
  
  This should not be treated as an FTP error.
  
  Fixes #2464
  Closes #2465

Daniel Stenberg (6 Apr 2018)
- hash: calculate sizes with size_t instead of longs
  
  ... since they return size_t anyway!
  
  closes #2462

- RELEASE-NOTES: synced

- [Jay Satiro brought this change]

  build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
  
  .. and do the same for build-wolfssl.bat.
  
  Because MS calls it VC14.1.
  
  Closes https://github.com/curl/curl/pull/2189

- [Kees Dekker brought this change]

  winbuild: make the clean target work without build-type
  
  Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
  be invoked unless a build-type was specified. However, a clean target
  only existed when a build type was specified. As a result, the clean
  target was unreachable. Made clean target unconditional.
  
  Closes #2455

- [patelvivekv1993 brought this change]

  build-openssl.bat: allow custom paths for VS and perl
  
  Fixes #2430
  Closes #2457

- [Laurie Clark-Michalek brought this change]

  FTP: allow PASV on IPv6 connections when a proxy is being used
  
  In the situation of a client connecting to an FTP server using an IPv6
  tunnel proxy, the connection info will indicate that the connection is
  IPv6. However, because the server behing the proxy is IPv4, it is
  permissable to attempt PSV mode. In the case of the FTP server being
  IPv4 only, EPSV will always fail, and with the current logic curl will
  be unable to connect to the server, as the IPv6 fwdproxy causes curl to
  think that EPSV is impossible.
  
  Closes #2432

- [Jon DeVree brought this change]

  file: restore old behavior for file:////foo/bar URLs
  
  curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
  8089 but then returns an error saying this is unimplemented. This is
  actually a regression in behavior on both Windows and Unix.
  
  Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
  then passed to the relevant OS API. This means that the behavior of this
  case is actually OS dependent.
  
  The Unix path resolution rules say that the OS must handle swallowing
  the extra "/" and so this path is the same as "/foo/bar"
  
  The Windows path resolution rules say that this is a UNC path and
  automatically handles the SMB access for the program. So curl on Windows
  was already doing Appendix E.3.2 without any special code in curl.
  
  Regression
