                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.84.0 (27 Jun 2022)

Daniel Stenberg (27 Jun 2022)
- RELEASE-NOTES: synced

  Version 7.84.0 release

- THANKS: contributors from 7.84.0 release notes

- hsts: use Curl_fopen()

- altsvc: use Curl_fopen()

- fopen: add Curl_fopen() for better overwriting of files

  Bug: https://curl.se/docs/CVE-2022-32207.html
  CVE-2022-32207
  Reported-by: Harry Sintonen
  Closes #9050

- test444: test many received Set-Cookie:

  The amount of sent cookies in the test is limited to 80 because hyper
  has its own strict limits in how many headers it allows to be received
  which triggers at some point beyond this number.

- test442/443: test cookie caps

  442 - verify that only 150 cookies are sent
  443 - verify that the cookie: header remains less than 8K in size

- cookie: apply limits

  - Send no more than 150 cookies per request
  - Cap the max length used for a cookie: header to 8K
  - Cap the max number of received Set-Cookie: headers to 50

  Bug: https://curl.se/docs/CVE-2022-32205.html
  CVE-2022-32205
  Reported-by: Harry Sintonen
  Closes #9048

- test387: verify rejection of compression chain attack

- content_encoding: return error on too many compression steps

  The max allowed steps is arbitrarily set to 5.

  Bug: https://curl.se/docs/CVE-2022-32206.html
  CVE-2022-32206
  Reported-by: Harry Sintonen
  Closes #9049

- krb5: return error properly on decode errors

  Bug: https://curl.se/docs/CVE-2022-32208.html
  CVE-2022-32208
  Reported-by: Harry Sintonen
  Closes #9051

- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro

  clang 14 warns about its use. It is being deprecated by the working
  group for the programming language C: "The macro ATOMIC_VAR_INIT is
  basically useless for the purpose for which it was designed"

  Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm

  Reported-by: Tatsuhiro Tsujikawa
  Fixes #9041
  Closes #9042

- [Stefan Eissing brought this change]

  ngtcp2: avoid supplying 0 length `msg_control` to sendmsg()

  Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control
  buffer is provided in sengmsg(), even though msg_controllen was set to
  0.

  Initialize msg.msg_controllen just as needed and also perform the size
  assertion only when needed.

  Closes #9039

- [Tom Eccles brought this change]

  ftp: restore protocol state after http proxy CONNECT

  connect_init() (lib/http_proxy.c) swaps out the protocol state while
  working on the proxy connection, this is then restored by
  Curl_connect_done() after the connection completes.

  ftp_do_more() extracted the protocol state pointer to a local variable
  at the start of the function then calls Curl_proxy_connect(). If the proxy
  connection completes, Curl_proxy_connect() will call Curl_connect_done()
  (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
  protocol state instead of the http proxy protocol state, but the local
  variable in ftp_do_more still pointed to the old value.

  Ultimately this meant that the state worked on by ftp_do_more() was the
  http proxy state not the ftp state initialised by ftp_connect(), but
  subsequent calls to any ftp_ function would use the original state.

  For my use-case, the visible consequence was that ftp->downloadsize was
  never set and so downloaded data was never returned to the application.

  This commit updates the ftp protocol state pointer in ftp_do_more() after
  Curl_proxy_connect() returns, ensuring that the correct state pointer is
  used.

  Fixes #8737
  Closes #9043

Jay Satiro (23 Jun 2022)
- THANKS: add contributor missing from aea8ac1

  aea8ac1 fixed #8980 which was reported by Sgharat on github, but that
  info was not included in the commit message.

- curl_setup: include _mingw.h

  Prior to this change _mingw.h needed to be included in each unit before
  evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
  is included only in some mingw headers (eg stdio.h) and not others
  (eg windows.h) so it's better to explicitly include it once.

  Closes https://github.com/curl/curl/pull/9036

Viktor Szakats (22 Jun 2022)
- rand: stop detecting /dev/urandom in cross-builds

  - Prevent CMake to auto-detect /dev/urandom when cross-building.
    Before this patch, it would detect it in a cross-build scenario on *nix
    hosts with this device present. This was a problem for example with
    Windows builds, but it could affect any target system with this device
    missing. This also syncs detection behaviour with autotools, which also
    skips it for cross-builds.
  - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
    fallback random number generator on Windows. Windows does not have the
    concept of reading a random stream from a filename, nor any guaranteed
    non-world-writable path on disk. With this, a manual misconfiguration or
    an overeager auto-detection can no longer result in a user-controllable
    seed source.

  Reviewed-by: Daniel Stenberg
  Closes #9038

Daniel Stenberg (22 Jun 2022)
- [Emanuele Torre brought this change]

  ci: avoid `cmake -Hpath`

  This is an undocumented option similar to the `-Spath' option introduced
  in cmake 3.13.
  Replace all instances of `-Hpath' with `-Spath' in macos workflow.
  Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
  scripts since it runs an older version of cmake.

  Fixes #9008
  Closes #9014

- INTERNALS: bring back the "Library symbols" section

  Most contents was moved, but this text should remain here.

  Follow-up to: d324ac8
  Reported-by: Viktor Szakats
  Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326
  Closes #9037

Viktor Szakats (22 Jun 2022)
- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]

  Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
  XP when the `-ipv6` option is selected. Maybe this was added to support
  pre-XP Windows versions (?). These days libcurl builds fine for both XP
  and post-XP versions with IPv6 support enabled. The relevance of pre-XP
  version is also low by now. Other build methods also do not impose such
  limitation for a similar configuration. So, drop this hard-wired
  `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
  Windows version set by the compiler. This is Vista for recent MinGW
  versions.

  Old behaviour can be restored by setting this envvar:
  export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501

  [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7

  Closes #9035

Daniel Stenberg (21 Jun 2022)
- CONTRIBUTE: mention how we maintain REUSE compliance

  for copyright and license information of all files stored in git

  Closes #9032

- CURLOPT_ALTSVC.3: document the file format

  Closes #9033

Jay Satiro (21 Jun 2022)
- runtests: add "threadsafe" to detected features

  Follow-up to recent commits which added thread-safety support.

  Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782
  Reported-by: Marc Hörsken

  Closes https://github.com/curl/curl/pull/9030

Daniel Stenberg (20 Jun 2022)
- easy: remove dead code

  Follow-up from 5912da253b64d

  Detected by Coverity (CID 1506519)

  Closes #9029

- [Glenn Strauss brought this change]

  transfer: upload performance; avoid tiny send

  Append to the upload buffer when only small amount remains in buffer
  rather than performing a separate tiny send to empty buffer.

  Avoid degenerative upload behavior which might cause curl to send mostly
  1-byte DATA frames after exhausing the h2 send window size

  Related discussion: https://github.com/nghttp2/nghttp2/issues/1722

  Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
  Closes #8965

- [Steve Holme brought this change]

  projects: fix third-party SSL library build paths for Visual Studio

  The paths used by the build batch files were inconsistent with those in
  the Visual Studio project files.

  Closes #8991

- [Pierrick Charron brought this change]

  urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts

  As per the documentation :

  > Setting a part to a NULL pointer will effectively remove that
  > part's contents from the CURLU handle.

  But currently clearing CURLUPART_URL does nothing and returns
  CURLUE_OK. This change will clear all parts of the URL at once.

  Closes #9028

- [Philip H brought this change]

  CI: bump FreeBSD 13.0 to 13.1

  Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
  Closes #8815

- RELEASE-NOTES: synced

  and updated release date in RELEASE-PROCEDURE.md

- [divinity76 brought this change]

  CURLOPT_HTTPHEADER.3: improve comment in example

  Closes #9025

Marc Hoersken (16 Jun 2022)
- CI/azure: reduce flakiness by retrying install/prepare steps

  Closes #9010

- CI/cirrus: align Windows timeout with Azure CI at 120 minutes

  Closes #9009

Jay Satiro (16 Jun 2022)
- vtls: make curl_global_sslset thread-safe

  .. and update some docs to explain curl_global_* is now thread-safe.

  Follow-up to 23af112 which made curl_global_init/cleanup thread-safe.

  Closes https://github.com/curl/curl/pull/9016

- curl_easy_pause.3: remove explanation of progress function

  - Remove misleading text that says progress function "gets called at
    least once per second, even if the connection is paused."

  The progress function behavior is more nuanced and the user is better
  served reading the progress function doc rather than attempt to explain
  it in the curl_easy_pause doc.

  The progress function can only be called at least once per second if an
  appropriate multi transfer function is called (eg curl_multi_perform) in
  that time. For a paused transfer there may not be such a call. Rather
  than explain this in detail in the curl_easy_pause doc, rely on the user
  reading the CURLOPT_PROGRESSFUNCTION doc.

  Ref: https://github.com/curl/curl/issues/8983

  Closes https://github.com/curl/curl/pull/9015

Daniel Stenberg (15 Jun 2022)
- libssh: skip the fake-close when libssh does the right thing

  Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
  socket. Instead it will be kept alive as we want it, and it is our
  responsibility to close it later.

  Ref: #8718
  Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240
  Closes #9021

- configure: warn about rustls being experimental

  Right now a dozen test cases are disabled because they don't work with
  rustls.

  Closes #9019

- runtests: skip starting the ssh server if user name is lacking

  Because the ssh server startup script *requires* a user name there's no
  point in invoking it if no name was found.

  Reported-by: Ricardo M. Correia
  Ref: #9007
  Closes #9013

- copyright.pl: parse and use .reuse/dep5 for skips

  Also scan skipped files to be able to find superfluous ignores, shown with -v.

  Closes #9006

- reuse/dep5: adjusted to parse better

  ... adjusted a few files to contain copyright and license info.

  Closes #9006

- buildconf.bat: update copyright year range

  Closes #9006

- README.md: use the common "Copyright" style formatting

  Closes #9006

- reuse: move license info from .mailmap.license to .reuse/dep5

  Closes #9006

- README.md: add a REUSE badge

  Closes #9004

- .reuse/dep5: remove recursive docs ignore, only skip markdown files

  ... and some additional non-markdown individual files in docs/

  Closes #9005

- docs/cmdline-opts: add copyright and license identifier to each file

  gen.pl now insists on C: and SPDX-License-Identifier: fields to be
  present in all files.

  Closes #9002

- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md

  Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that
  file broke site functionality.

  Closes #9001

- bug_report.md: revert the REUSE template to see if it works again

Viktor Szakats (13 Jun 2022)
- version: rename threadsafe-init to threadsafe

  Referring to Daniel's article [1], making the init function thread-safe
  was the last bit to make libcurl thread-safe as a whole. So the name of
  the feature may as well be the more concise 'threadsafe', also telling
  the story that libcurl is now fully thread-safe, not just its init
  function. Chances are high that libcurl wants to remain so in the
  future, so there is little likelihood of ever needing any other distinct
  `threadsafe-<name>` feature flags.

  For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
  `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
  thread safety documentation.

  [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro
  Closes #8989

Daniel Stenberg (13 Jun 2022)
- test3026: disable on win32

  ... as it's not likely to have working pthreads

  Closes #8996

- GHA: shorten the reuse CI job name

  "REUSE compliance / check" should be good enough

  Closes #9000

- misc: add missing SPDX-License-Identifier info

  For some reason the REUSE CI job did not find these.

  Closes #8999

- copyright: verify SPDX-License-Identifier presence as well

- easy_lock: add SPDX license identifier

  Closes #8998

- mailmap: Max Mehl

- [Max Mehl brought this change]

  git: ignore large commit making the curl REUSE compliant

- [Max Mehl brought this change]

  copyright: make repository REUSE compliant

  Add licensing and copyright information for all files in this repository. This
  either happens in the file itself as a comment header or in the file
  `.reuse/dep5`.

  This commit also adds a Github workflow to check pull requests and adapts
  copyright.pl to the changes.

  Closes #8869

- curl_url_set.3: clarify by default using known schemes only

  Closes #8994

- scripts/copyright.pl: ignore leading spaces

Viktor Szakats (10 Jun 2022)
- ngtcp2: fix typo in preprocessor condition

  Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7

  Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185
  Reported-by: Emil Engler
  Closes #8987

Daniel Stenberg (10 Jun 2022)
- RELEASE-NOTES: synced

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: build without sendmsg

  Closes #8981

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: use handshake helper funcs to simplify TLS handshake integration

  Closes #8968

- test390: verify --parallel

  Closes #8985

- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set

  Triggered by a bug report from Adam Light:
  https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly
  a misunderstanding of how CURLINFO_EFFECTIVE_URL works.

  Closes #8971

- url: URL encode the path when extracted, if spaces were set

- urlapi: support CURLU_URLENCODE for curl_url_get()

- server/sws: support spaces in the HTTP request path

- tests/getpart: fix getpartattr to work with "data" and "data2"

- select: return error from "lethal" poll/select errors

  Adds two new error codes: CURLE_UNRECOVERABLE_POLL and
  CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces.

  Reported-by: Harry Sintonen
  Fixes #8921
  Closes #8961

- test3026: add missing control file

  Follow-up from 2ed101256414ea5

  Makes the test run, makes 'make dist' work

  This single test takes 24-25 seconds on my machine (with valgrind). For
  this reason I tag it with a "slow" keyword.

  Closes #8976

- runtests: fix skipping tests not done event-based

  ... and call timestampskippedevents() to avoid the flood of
  uninitialized variable warnings.

  Closes #8977

- transfer: maintain --path-as-is after redirects

  Reported-by: Marcus T
  Fixes #8974
  Closes #8975

- test391: verify --path-as-is with redirect

Jay Satiro (8 Jun 2022)
- curl_global_init.3: Separate the Windows loader lock warning

  This is a slight correction of the parent commit which implied the
  loader lock warning only applied if not thread-safe. In fact the loader
  lock warning applies either way.

  Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030

Daniel Stenberg (8 Jun 2022)
- curl_global_init.3: this is now (usually) thread-safe

  Follow-up to 23af112f5556

  Closes #8972

Jay Satiro (8 Jun 2022)
- [Haxatron brought this change]

  libcurl-security.3: Document CRLF header injection

  - Document that user input to header options is not sanitized, which
    could result in CRLF used to modify the request in a way other than
    what was intended.

  Ref: https://hackerone.com/reports/1589877
  Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545

  Closes https://github.com/curl/curl/pull/8964

- CURLOPT_RANGE.3: remove ranged upload advice

  The e-mail link in the advice contains instructions that are prone to
  error. We need an example that works and can demonstrate how to properly
  perform a ranged upload, and then we can refer to that example instead.

  Bug: https://github.com/curl/curl/issues/8969
  Reported-by: Simon Berger

  Closes https://github.com/curl/curl/pull/8970

Daniel Stenberg (7 Jun 2022)
- [Thomas Guillem brought this change]

  curl_version_info: add CURL_VERSION_THREADSAFE_INIT

  This flag can be used to make sure that curl_global_init() is
  thread-safe.

  This can be useful for libraries that can't control what other
  dependencies are doing with Curl.

  Closes #8680

- [Thomas Guillem brought this change]

  lib: make curl_global_init() threadsafe when possible

  Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and
  curl_global_cleanup().

  Closes #8680

- RELEASE-NOTES: synced

- [Fabian Keil brought this change]

  test414: add the '--resolve' keyword

  ... so the test can be automatically skipped when
  using an external proxy like Privoxy.

  Closes #8959

- [Fabian Keil brought this change]

  test{440,441,493,977}: add "HTTP proxy" keywords

  ... so the tests can be automatically skipped when
  using an external proxy like Privoxy.

  Closes #8959

- [Fabian Keil brought this change]

  runtests.pl: add the --repeat parameter to the --help output

  Closes #8959

- [Fabian Keil brought this change]

  test 2081: add a valid reply for the second request

  ... so the test works when using a HTTP proxy like
  Privoxy that sends an error message if the server
  doesn't send data.

  Closes #8959

- [Fabian Keil brought this change]

  test 675: add missing CR so the test passes when run through Privoxy

  Closes #8959

- ftp: when failing to do a secure GSSAPI login, fail hard

  ... instead of switching to cleartext. For the sake of security.

  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1590102
  Closes #8963

- http2: reject overly many push-promise headers

  Getting more than a thousand of them is rather a sign of some kind of
  attack.

  Reported-by: Harry Sintonen
  Bug: https://hackerone.com/reports/1589847
  Closes #8962

- [Fabian Keil brought this change]

  misc: spelling improvements

  Closes #8956

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: fix assertion failure on EMSGSIZE

  Closes #8958

- easy/transfer: fix cookie-disabled build

  Follow-up from 45de940cebf6a
  Reported-by: Marcel Raad
  Fixes #8953
  Closes #8954

- examples/crawler.c: use the curl license

  With permission from Jeroen Ooms

  URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731
  Closes #8950

- speed-limit/time.d: mention these affect transfers in either direction

  Reported-by: Ladar Levison
  Fixes #8948
  Closes #8951

- scripts/copyright.pl: fix the exclusion to not ignore man pages

  Ref: #8869
  Closes #8952

- examples: remove fopen.c and rtsp.c

  To simplify the license situation, as they were the only files in the
  source tree using these specific BSD-3 clause licenses.

  For an fopen style API, we recommend instead going
  https://github.com/curl/fcurl

  Ref: #8869
  Closes #8949

- [Wolf Vollprecht brought this change]

  netrc: check %USERPROFILE% as well on Windows

  Closes #8855

- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish

- [michael musset brought this change]

  libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION

  The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
  wether or not the connection should continue.

  The host key is passed in argument with a custom handle for the
  application.

  It overrides CURLOPT_SSH_KNOWNHOSTS

  Closes #7959

- docs/CONTRIBUTE.md: document the 'needs-votes' concept

  A pull request sent to the project might get labeled `needs-votes` by a
  project maintainer. This label means that in addition to meeting all
  other checks and qualifications this pull request must also receive
  proven support/thumbs-ups from more community members to be considered
  for merging.

  Closes #8910

- [Evgeny Grin brought this change]

  digest: tolerate missing "realm"

  Server headers may not define "realm", avoid NULL pointer dereference
  in such cases.

  Closes #8912

- [Evgeny Grin brought this change]

  digest: added detection of more syntax error in server headers

  Invalid headers should not be processed otherwise they may create
  a security risk.

  Closes #8912

- [Evgeny Grin brought this change]

  digest: unquote realm and nonce before processing

  RFC 7616 (and 2617) requires values to be "unquoted" before used for
  digest calculations. The only place where unquoting can be done
  correctly is header parsing function (realm="DOMAIN\\host" and
  realm=DOMAN\\host are different realms).

  This commit adds unquoting (de-escaping) of all values during header
  parsing and quoting of the values during header forming. This approach
  should be most straightforward and easy to read/maintain as all values
  are processed in the same way as required by RFC.

  Closes #8912

- headers: handle unfold of space-cleansed headers

  Detected by OSS-fuzz

  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767

  Updated test 1274

  Closes #8947

- lib: make more protocol specific struct fields #ifdefed

  ... so that they don't take up space if the protocols are disabled in
  the build.

  Closes #8944

- DISABLED: disable 1021 for hyper again

  due to flakiness in the CI builds

- urldata: store tcp_keepidle and tcp_keepintvl as ints

  They can't be set larger than INT_MAX in the setsocket API calls.

  Also document the max values in their respective man pages.

  Closes #8940

- urldata: reduce size of a few struct fields

  When the values are never larger than 32 bit, ints are better than longs.

  Closes #8940

- urldata: remove three unused booleans from struct UserDefined

  - is_fwrite_set
  - free_referer
  - strip_path_slash

  Closes #8940

- remote-name.d: mention --output-dir

  plus add two see-alsos

  Closes #8945

Jay Satiro (1 Jun 2022)
- configure: skip libidn2 detection when winidn is used

  Prior to this change --with-winidn could be overridden by libidn2
  detection.

  Closes https://github.com/curl/curl/pull/8934

Daniel Stenberg (31 May 2022)
- CURLOPT_FILETIME.3: fix the protocols this works with

- test681: verify --no-remote-name

  Follow-up to 83ee5c428d960 (from #8931)

  Closes #8942

- [Tatsuhiro Tsujikawa brought this change]

  ngtcp2: enable Linux GSO

  Enable Linux GSO in ngtcp2 QUIC.  In order to recover from the
  EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
  packet buffer is now held by struct quicsocket.  GSO write might fail in
  runtime depending on NIC.  Disable GSO if sendmsg returns EIO.

  Closes #8909

- CURLOPT_PORT.3: We discourage using this option

  Closes #8941

- RELEASE-NOTES: synced

- headers_push: error out if a folded header has no previous header

  As that would indicate an illegal header. The fuzzer reached the assert
  in unfold_value() proving that this case can happen.

  Follow-up to c9b60f005358a364

  Closes #8939

- [Boris Verkhovskiy brought this change]

  curl: re-enable --no-remote-name

  Closes #8931

- test680: require 'http' since it uses such a URL

  Follow-up to d1b376c03524

- CURLOPT_NETRC.3: document the .netrc file format

- test680: verify rejection of malformatted .netrc quoted password

- test679: verify netrc quoted string

- netrc: support quoted strings

  The .netrc parser now accepts strings within double-quotes in order to
  deal with for example passwords containing white space - which
  previously was not possible.

  A password that starts with a double-quote also ends with one, and
  double-quotes themselves are escaped with backslashes, like \". It also
  supports \n, \r and \t for newline, carriage return and tabs
  respectively.

  If the password does not start with a double quote, it will end at first
  white space and no escaping is performed.

  WARNING: this change is not entirely backwards compatible. If anyone
  previously used a double-quote as the first letter of their password,
  the parser will now get it differently compared to before. This is
  highly unfortunate but hard to avoid.

  Reported-by: ImpatientHippo on GitHub
  Fixes #8908
  Closes #8937

- curl_getdate.3: document that some illegal dates pass through

  Closes #8938

- CI: remove configure --enable-headers-api flags

- headers api: remove EXPERIMENTAL tag

  Closes #8900

Daniel Gustafsson (30 May 2022)
- cookies: fix documentation comment

  Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but
  missed updating the documentation comment at the head of the file.

Daniel Stenberg (30 May 2022)
- [Marc Hoersken brought this change]

  tests/data/test1940: use binary mode for expected stdout

  The generated stdout data is written in binary mode with [LF]
  line endings, therefore we also need to do a binary comparison.

  Assisted-by: Jay Satiro
  Assisted-by: Daniel Stenberg

  Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84
  Fixes #8920
  Closes #8936

- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation

  Spell out the multi-TLS situation.

  Reported-by: Dan Fandrich
  Fixes #8926
  Closes #8932

Jay Satiro (28 May 2022)
- [JustAnotherArchivist brought this change]

  tool_getparam: fix --parallel-max maximum value constraint

  - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to
    default value.

  Previously, --parallel-max 300 would use 300 concurrent transfers, but
  --parallel-max 301 would unexpectedly use only 50. This change clamps
  higher values to the maximum (ie --parallel-max 301 would use 300).

  Closes https://github.com/curl/curl/pull/8930

Daniel Stenberg (27 May 2022)
- curl.1: add a few see also --tls-max

  Closes #8929

Viktor Szakats (26 May 2022)
- cmake: do not add libcurl.rc to the static libcurl library

  Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855

  Reviewed-By: Karlson2k@users.noreply.github.com
  Closes #8923

- cmake: support adding a suffix to the OS value

  CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS
  string appearing in the --version output after the curl version number,
  for example:

    'curl 7.83.1 (Windows)'

  This patchs adds the ability to pass a suffix that is appended to this
  value. It's useful to add CPU info or other platform details,
  for example:

    'curl 7.83.1 (Windows-x64)'

  Closes #8919

- cmake: enable curl.rc for all Windows targets

  Before this patch, it was only enabled for MSVC. This syncs this
