                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.86.0 (26 Oct 2022)

Daniel Stenberg (26 Oct 2022)
- RELEASE: synced

  The 7.86.0 release

- THANKS: added from the 7.86.0 release

Viktor Szakats (25 Oct 2022)
- noproxy: include netinet/in.h for htonl()

  Solve the Amiga build warning by including `netinet/in.h`.

  `krb5.c` and `socketpair.c` are using `htonl()` too. This header is
  already included in those sources.

  Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309

  Reviewed-by: Daniel Stenberg
  Closes #9787

Marc Hoersken (24 Oct 2022)
- CI: fix AppVeyor status failing for starting jobs

Daniel Stenberg (24 Oct 2022)
- test445: verifies the protocols-over-http-proxy flaw and fix

- http_proxy: restore the protocol pointer on error

  Reported-by: Trail of Bits

  Closes #9790

- multi: remove duplicate include of connect.h

  Reported-by: Martin Strunz
  Fixes #9794
  Closes #9795

Daniel Gustafsson (24 Oct 2022)
- idn: fix typo in test description

  s/enabked/enabled/i

Daniel Stenberg (24 Oct 2022)
- url: use IDN decoded names for HSTS checks

  Reported-by: Hiroki Kurosawa

  Closes #9791

- unit1614: fix disabled-proxy build

  Follow-up to 1e9a538e05c01

  Closes #9792

Daniel Gustafsson (24 Oct 2022)
- cookies: optimize control character check

  When checking for invalid octets the strcspn() call will return the
  position of the first found invalid char or the first NULL byte.
  This means that we can check the indicated position in the search-
  string saving a strlen() call.

  Closes: #9736
  Reviewed-by: Jay Satiro <raysatiro@yahoo.com>

Daniel Stenberg (24 Oct 2022)
- netrc: replace fgets with Curl_get_line

  Make the parser only accept complete lines and avoid problems with
  overly long lines.

  Reported-by: Hiroki Kurosawa

  Closes #9789

- RELEASE-NOTES: add "Planned upcoming removals include"

  URL: https://curl.se/mail/archive-2022-10/0001.html

  Suggested-by: Dan Fandrich

Viktor Szakats (23 Oct 2022)
- ci: bump to gcc-11 for macos

  Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/
  Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md

  Reviewed-by: Max Dymond
  Closes #9785

- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]

  - Reintroduce `CROSSPREFIX`:

    If set, we add it to the `CC` and `AR` values, and to the _default_
    value of `RC`, which is `windres`. This allows to control each of
    these individidually, while also allowing to simplify configuration
    via `CROSSPREFIX`.

    This variable worked differently earlier. Hopefully this new solution
    hits a better compromise in usefulness/complexity/flexibility.

    Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50

  - Enable warnings again:

    This time with an option to override it via `CFLAGS`. Warnings are
    also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
    builds (not in autotools though).

    Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3

  Closes #9784

- noproxy: silence unused variable warnings with no ipv6

  Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d

  Reviewed-by: Daniel Stenberg
  Closes #9782

Daniel Stenberg (22 Oct 2022)
- test644: verify --xattr (with redirect)

- tool_xattr: save the original URL, not the final redirected one

  Adjusted test 1621 accordingly.

  Reported-by: Viktor Szakats
  Fixes #9766
  Closes #9768

- docs: make sure libcurl opts examples pass in long arguments

  Reported-by: Sergey
  Fixes #9779
  Closes #9780

Marc Hoersken (21 Oct 2022)
- CI: fix AppVeyor job links only working for most recent build

  Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916
  Reported-by: Daniel Stenberg

  Follow up to #9769

Viktor Szakats (21 Oct 2022)
- noproxy: fix builds without AF_INET6

  Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309

  Reviewed-by: Daniel Stenberg

  Closes #9778

Daniel Stenberg (21 Oct 2022)
- noproxy: support proxies specified using cidr notation

  For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly"
  and not with string comparisons.

  Split out the noproxy checks and functionality into noproxy.c

  Added unit test 1614 to verify checking functions.

  Reported-by: Mathieu Carbonneaux

  Fixes #9773
  Fixes #5745
  Closes #9775

- urlapi: remove two variable assigns

  To please scan-build:

  urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
          qlen = Curl_dyn_len(&enc);
          ^      ~~~~~~~~~~~~~~~~~~
  urlapi.c:1164:9: warning: Value stored to 'query' is never read
          query = u->query = Curl_dyn_ptr(&enc);
          ^       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Follow-up to 7d6cf06f571d57

  Closes #9777

- [Jeremy Maitin-Shepard brought this change]

  cmake: improve usability of CMake build as a sub-project

  - Renames `uninstall` -> `curl_uninstall`
  - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET

  Closes #9638

- [Don J Olmstead brought this change]

  easy_lock: check for HAVE_STDATOMIC_H as well

  The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h`
  header is present.

  Closes #9755

- RELEASE-NOTES: synced

- [Brad Harder brought this change]

  CURLMOPT_PIPELINING.3: dedup manpage xref

  Closes #9776

Marc Hoersken (20 Oct 2022)
- CI: report AppVeyor build status for each job

  Also give each job on AppVeyor CI a human-readable name.

  This aims to make job and therefore build failures more visible.

  Reviewed-by: Marcel Raad
  Closes #9769

Viktor Szakats (20 Oct 2022)
- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip]

  Reviewed-by: Daniel Stenberg

  Closes #9771

- connect: fix builds without AF_INET6

  Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9

  Reviewed-by: Daniel Stenberg
  Reviewed-by: Jay Satiro

  Closes #9770

Daniel Stenberg (20 Oct 2022)
- test1105: adjust <data> to work with a hyper build

  Closes #9767

- urlapi: fix parsing URL without slash with CURLU_URLENCODE

  When CURLU_URLENCODE is set, the parser would mistreat the path
  component if the URL was specified without a slash like in
  http://local.test:80?-123

  Extended test 1560 to reproduce and verify the fix.

  Reported-by: Trail of Bits

  Closes #9763

Marc Hoersken (19 Oct 2022)
- tests: avoid CreateThread if _beginthreadex is available

  CreateThread is not threadsafe if mixed with CRT calls.
  _beginthreadex on the other hand can be mixed with CRT.

  Reviewed-by: Marcel Raad
  Closes #9705

Jay Satiro (19 Oct 2022)
- [Joel Depooter brought this change]

  schannel: Don't reset recv/send function pointers on renegotiation

  These function pointers will have been set when the initial TLS
  handshake was completed. If they are unchanged, there is no need to set
  them again. If they have been changed, as is the case with HTTP/2, we
  don't want to override that change. That would result in the
  http22_recv/send functions being completely bypassed.

  Prior to this change a connection that uses Schannel with HTTP/2 would
  fail on renegotiation with error "Received HTTP/0.9 when not allowed".

  Fixes https://github.com/curl/curl/issues/9451
  Closes https://github.com/curl/curl/pull/9756

Viktor Szakats (18 Oct 2022)
- hostip: guard PF_INET6 use

  Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code
  for these.

  ```
  hostip.c: In function 'fetch_addr':
  hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function)
         pf = PF_INET6;
              ^~~~~~~~
  ```

  Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d

  Reviewed-by: Daniel Stenberg

  Closes #9760

- amiga: do not hardcode openssl/zlib into the os config [ci skip]

  Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead.

  This allows builds without openssl and/or zlib. E.g. with the
  <https://github.com/bebbo/amiga-gcc> cross-compiler.

  Reviewed-by: Daniel Stenberg

  Closes #9762

- amigaos: add missing curl header [ci skip]

  Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and
  conditional local code need them.

  Reviewed-by: Daniel Stenberg

  Closes #9761

Daniel Stenberg (18 Oct 2022)
- cmdline/docs: add a required 'multi' keyword for each option

  The keyword specifies how option works when specified multiple times:

   - single: the last provided value replaces the earlier ones
   - append: it supports being provided multiple times
   - boolean: on/off values
   - mutex: flag-like option that disable anoter flag

  The 'gen.pl' script then outputs the proper and unified language for
  each option's multi-use behavior in the generated man page.

  The multi: header is requires in each .d file and will cause build error
  if missing or set to an unknown value.

  Closes #9759

- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk

  Closes #9757

- mprintf: reject two kinds of precision for the same argument

  An input like "%.*1$.9999d" would first use the precision taken as an
  argument *and* then the precision specified in the string, which is
  confusing and wrong. pass1 will now instead return error on this double
  use.

  Adjusted unit test 1398 to verify

  Reported-by: Peter Goodman

  Closes #9754

- ftp: remove redundant if

  Reported-by: Trail of Bits

  Closes #9753

- tool_operate: more transfer cleanup after parallel transfer fail

  In some circumstances when doing parallel transfers, the
  single_transfer_cleanup() would not be called and then 'inglob' could
  leak.

  Test 496 verifies

  Reported-by: Trail of Bits
  Closes #9749

- mqtt: spell out CONNECT in comments

  Instead of calling it 'CONN' in several comments, use the full and
  correct protocol packet name.

  Suggested by Trail of Bits

  Closes #9751

- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST

  Not the deprecated CURLOPT_HTTPPOST option.

  Also added two see-alsos.

  Reported-by: Trail of Bits
  Closes #9752

- RELEASE-NOTES: synced

Jay Satiro (17 Oct 2022)
- ngtcp2: Fix build errors due to changes in ngtcp2 library

  ngtcp2/ngtcp2@b0d86f60 changed:

  - ngtcp2_conn_get_max_udp_payload_size =>
    ngtcp2_conn_get_max_tx_udp_payload_size

  - ngtcp2_conn_get_path_max_udp_payload_size =>
    ngtcp2_conn_get_path_max_tx_udp_payload_size

  ngtcp2/ngtcp2@ec59b873 changed:

  - 'early_data_rejected' member added to ng_callbacks.

  Assisted-by: Daniel Stenberg
  Reported-by: jurisuk@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/9747
  Closes https://github.com/curl/curl/pull/9748

Daniel Stenberg (16 Oct 2022)
- curl_path: return error if given a NULL homedir

  Closes #9740

- libssh: if sftp_init fails, don't get the sftp error code

  This flow extracted the wrong code (sftp code instead of ssh code), and
  the code is sometimes (erroneously) returned as zero anyway, so skip
  getting it and set a generic error.

  Reported-by: David McLaughlin
  Fixes #9737
  Closes #9740

- mqtt: return error for too long topic

  Closes #9744

- [Rickard Hallerbäck brought this change]

  tool_paramhlp: make the max argument a 'double'

  To fix compiler warnings "Implicit conversion from 'long' to 'double'
  may lose precision"

  Closes #9700

Marc Hoersken (15 Oct 2022)
- [Philip Heiduck brought this change]

  cirrus-ci: add more macOS builds with m1 based on x86_64 builds

  Also refactor macOS builds to use task matrix.

  Assisted-by: Marc Hörsken
  Closes #9565

Viktor Szakats (14 Oct 2022)
- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows

  `lib/config-win32.h` enables this configuration option unconditionally.
  Make it apply to CMake builds as well.

  While here, delete a broken check for
  `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
  the initial commit [1], but did not include the actual verification code
  inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
  added a second test, for non-Windows platforms.

  Enabling this flag causes test 1056 to fail with CMake builds, as they
  do with autotools builds. Let's apply the same solution and ignore the
  results here as well.

  [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
  [2] aec7c5a87c8482b6ddffa352d7d220698652262e

  Reviewed-by: Daniel Stenberg
  Assisted-by: Marcel Raad

  Closes #9726

- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows

  autotools enables this configuration option unconditionally for Windows
  [^1]. Do the same in CMake.

  The above will make this work for all reasonably recent environments.
  The logic present in `lib/config-win32.h` [^2] has the following
  exceptions which we did not cover in this CMake update:

  - Builds targeting Windows 2000 and earlier
  - MS Visual C++ 5.0 (1997) and earlier

  Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
  set, to avoid a broken build. We might want to handle that in the C
  sources in a future commit.

  [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070

  [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528

  Closes #9727

- cmake: sync HAVE_SIGNAL detection with autotools

  `HAVE_SIGNAL` means the availability of the `signal()` function in
  autotools, while in CMake it meant the availability of that function
  _and_ the symbol `SIGALRM`.

  The latter is not available on Windows, but the function is, which means
  on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
  introducing a slight difference into the binaries.

  This patch syncs CMake behaviour with autotools to look for the function
  only.

  The logic came with the initial commit adding CMake support to curl, so
  the commit history doesn't reveal the reason behind it. In any case,
  it's best to check the existence of `SIGALRM` directly in the source
  before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
  `SIGALRM` missing.

  Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6

  Closes #9725

- cmake: delete duplicate HAVE_GETADDRINFO test

  A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
  [1]. A later commit [2] added a standard check for it as well. The
  standard check run before the custom one, so CMake ignored the latter.

  The custom check was also non-portable, so this patch deletes it in
  favor of the standard check.

  [1] 4c5307b45655ba75ab066564afdc0c111a8b9291
  [2] aec7c5a87c8482b6ddffa352d7d220698652262e

  Closes #9731

Daniel Stenberg (14 Oct 2022)
- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros

  To make the code read more obvious

  Assisted-by: Jay Satiro

  Closes #9710

- [Christopher Sauer brought this change]

  docs/INSTALL: update Android Instructions for newer NDKs

  Closes #9732

- markdown-uppercase: ignore quoted sections

  Sections within the markdown ~~~ or ``` are now ignored.

  Closes #9733

- RELEASE-NOTES: synced

- test8: update as cookies no longer can have "embedded" TABs in content

- test1105: extend to verify TAB in name/content discarding cookies

- cookie: reject cookie names or content with TAB characters

  TABs in name and content seem allowed by RFC 6265: "the algorithm strips
  leading and trailing whitespace from the cookie name and value (but
  maintains internal whitespace)"

  Cookies with TABs in the names are rejected by Firefox and Chrome.

  TABs in content are stripped out by Firefox, while Chrome discards the
  whole cookie.

  TABs in cookies also cause issues in saved netscape cookie files.

  Reported-by: Trail of Bits

  URL: https://curl.se/mail/lib-2022-10/0032.html
  URL: https://github.com/httpwg/http-extensions/issues/2262

  Closes #9659

- curl/add_parallel_transfers: better error handling

  1 - consider the transfer handled at once when in the function, to avoid
      the same list entry to get added more than once in rare error
      situations

  2 - set the ERRORBUFFER for the handle first after it has been added
      successfully

  Reported-by: Trail of Bits

  Closes #9729

- netrc: remove the two 'changed' arguments

  As no user of these functions used the returned content.

- test495: verify URL encoded user name + netrc-optional

  Reproduced issue #9709

- netrc: use the URL-decoded user

  When the user name is provided in the URL it is URL encoded there, but
  when used for authentication the encoded version should be used.

  Regression introduced after 7.83.0

  Reported-by: Jonas Haag
  Fixes #9709
  Closes #9715

- [Shaun Mirani brought this change]

  url: allow non-HTTPS HSTS-matching for debug builds

  Closes #9728

- test1275: remove the check of stderr

  To avoid the mysterious test failures on Windows, instead rely on the
  error code returned on failure.

  Fixes #9716
  Closes #9723

Viktor Szakats (13 Oct 2022)
- lib: set more flags in config-win32.h

  The goal is to add any flag that affect the created binary, to get in
  sync with the ones built with CMake and autotools.

  I took these flags from curl-for-win [0], where they've been tested with
  mingw-w64 and proven to work well.

  This patch brings them to curl as follows:

  - Enable unconditionally those force-enabled via
    `CMake/WindowsCache.cmake`:

    - `HAVE_SETJMP_H`
    - `HAVE_STRING_H`
    - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`)

  - Expand existing guards with mingw-w64:

    - `HAVE_STDBOOL_H`
    - `HAVE_BOOL_T`

  - Enable Win32 API functions for Windows Vista and later:

    - `HAVE_INET_NTOP`
    - `HAVE_INET_PTON`

  - Set sizes, if not already set:

    - `SIZEOF_OFF_T = 8`
    - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set,
      and using mingw-w64.

  - Add the remaining for mingw-w64 only. Feel free to expand as desired:

    - `HAVE_LIBGEN_H`
    - `HAVE_FTRUNCATE`
    - `HAVE_BASENAME`
    - `HAVE_STRTOK_R`

  Future TODO:

  - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
    the `signal()` function and the `SIGALRM` macro are found. In
    autotools and this header, it means the function only. For the
    function alone, CMake uses `HAVE_SIGNAL_FUNC`.

  [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58

  Reviewed-by: Daniel Stenberg

  Closes #9712

Daniel Stenberg (13 Oct 2022)
- tests: add tests/markdown-uppercase.pl to dist tarball

  Follow-up to aafb06c5928183d

  Closes #9722

- tool_paramhelp: asserts verify maximum sizes for string loading

  The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
  strings accepted when loading files into memory, but as the size is
  later used as input to functions that take the size as 'int' as
  argument, the sizes must not be larger than INT_MAX.

  These two new assert()s make the code error out if someone would bump
  the sizes without this consideration.

  Reported-by Trail of Bits

  Closes #9719

- http: try parsing Retry-After: as a number first

  Since the date parser allows YYYYMMDD as a date format (due to it being
  a bit too generic for parsing this particular header), a large integer
  number could wrongly match that pattern and cause the parser to generate
  a wrong value.

  No date format accepted for this header starts with a decimal number, so
  by reversing the check and trying a number first we can deduct that if
  that works, it was not a date.

  Reported-by Trail of Bits

  Closes #9718

- [Patrick Monnerat brought this change]

  doc: fix deprecation versions inconsistencies

  Ref: https://curl.se/mail/lib-2022-10/0026.html

  Closes #9711

- http_aws_sigv4: fix strlen() check

  The check was off-by-one leading to buffer overflow.

  Follow-up to 29c4aa00a16872

  Detected by OSS-Fuzz

  Closes #9714

- curl/main_checkfds: check the fcntl return code better

  fcntl() can (in theory) return a non-zero number for success, so a
  better test for error is checking for -1 explicitly.

  Follow-up to 41e1b30ea1b77e9ff

  Mentioned-by: Dominik Klemba

  Closes #9708

Viktor Szakats (12 Oct 2022)
- tidy-up: delete unused HAVE_STRUCT_POLLFD

  It was only defined in `lib/config-win32.h`, when building for Vista.

  It was only used in `select.h`, in a condition that also included a
  check for `POLLIN` which is a superior choice for this detection and
  which was already used by cmake and autotools builds.

  Delete both instances of this macro.

  Closes #9707

Daniel Stenberg (12 Oct 2022)
- test1275: verify upercase after period in markdown

  Script based on the #9474 pull-request logic, but implemented in perl.

  Updated docs/URL-SYNTAX.md accordingly.

  Suggested-by: Dan Fandrich

  Closes #9697

- [12932 brought this change]

  misc: nitpick grammar in comments/docs

  because the 'u' in URL is actually a consonant *sound* it is only
  correct to write "a URL"

  sorry this is a bit nitpicky :P

  https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an
  https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL

  Closes #9699

Viktor Szakats (11 Oct 2022)
- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]

  This patch aimed to fix a regression [0], where `CC` initialization
  moved beyond its first use. But, on closer inspection it turned out that
  the `CC` initialization does not work as expected due to GNU Make
  filling it with `cc` by default. So unless implicit values were
  explicitly disabled via a GNU Make option, the default value of
  `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
  value `cc` maps to `gcc` in (most/all?) MinGW envs.

  `AR` has the same issue, with a default value of `ar`.

  We could reintroduce a separate variable to fix this without ill
  effects, but for simplicity and flexibility, it seems better to drop
  support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
  require the caller to initialize `CC`, `AR` and `RC` to the full
  (prefixed if necessary) names of these tools, as desired.

  We keep `RC ?= windres` because `RC` is empty by default.

  Also fix grammar in a comment.

  [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3

  Closes #9698

- smb: replace CURL_WIN32 with WIN32

  PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
  `CURL_WIN32` macro, but that one is not defined here, while compiling
  curl itself. This patch changes this to `WIN32`, assuming this was the
  original intent.

  Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a

  Reviewed-by: Marcel Raad

  Closes #9701

Daniel Stenberg (11 Oct 2022)
- [Matthias Gatto brought this change]

  aws_sigv4: fix header computation

  Handle canonical headers and signed headers creation as explained here:
  https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

  The algo tells that signed and canonical must contain at last host and
  x-amz-date.

  So we check whatever thoses are present in the curl http headers list.
  If they are, we use the one enter by curl user, otherwise we generate
  them.  then we to lower, and remove space from each http headers plus
  host and x-amz-date, then sort them all by alphabetical order.

  This patch also fix a bug with host header, which was ignoring the port.

  Closes #7966

Jay Satiro (11 Oct 2022)
- [Aftab Alam brought this change]

  README.md: link the curl logo to the website

  - Link the curl:// image to https://curl.se/

  Closes https://github.com/curl/curl/pull/9675

- [Dustin Howett brought this change]

  schannel: when importing PFX, disable key persistence

  By default, the PFXImportCertStore API persists the key in the user's
  key store (as though the certificate was being imported for permanent,
  ongoing use.)

  The documentation specifies that keys that are not to be persisted
  should be imported with the flag PKCS12_NO_PERSIST_KEY.
  NOTE: this flag is only supported on versions of Windows newer than XP
  and Server 2003.

  --

  This is take 2 of the original fix. It extends the lifetime of the
  client certificate store to that of the credential handle. The original
  fix which landed in 70d010d and was later reverted in aec8d30 failed to
  work properly because it did not do that.

  Minor changes were made to the schannel credential context to support
  closing the client certificate store handle at the end of an SSL session.

  --

  Reported-by: ShadowZzj@users.noreply.github.com

  Fixes https://github.com/curl/curl/issues/9300
  Supersedes https://github.com/curl/curl/pull/9363
  Closes https://github.com/curl/curl/pull/9460

Viktor Szakats (11 Oct 2022)
- Makefile.m32: support more options [ci skip]

  - Add support for these options:
    `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl`

    Caveats:
    - `-wolfssh` requires `-wolfssl`.
    - `-wolfssl` cannot be used with OpenSSL backends in parallel.
    - `-libssh` has build issues with BoringSSL and LibreSSL, and also
       what looks like a world-writable-config vulnerability on Windows.
       Consider it experimental.
    - `-psl` requires `-idn2` and extra libs passed via
      `LIBS=-liconv -lunistring`.

  - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly.
  - Generalize MultiSSL detection.
  - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01).
  - Document more customization options.

  This brings over some configuration logic from `curl-for-win`.

  Closes #9680

- cmake: enable more detection on Windows

  Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection
  on Windows, instead of having predefined values.

  With these features detected correctly, CMake Windows builds get closer
  to the autotools and `config-win32.h` ones.

  This also fixes detecting `HAVE_FTRUNCATE` correctly, which required
  `unistd.h`.

  Fixing `ftruncate()` in turn causes a build warning/error with legacy
  MinGW/MSYS1 due to an offset type size mismatch. This env misses to
  detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch
  force-disables `HAVE_FTRUNCATE` for this platform.

  Reviewed-by: Daniel Stenberg

  Closes #9687

- autotools: allow unix sockets on Windows

  Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47

  On Windows this feature is present, but not the header used in the
  detection logic. It also requires an elaborate enabler logic
  (as seen in `lib/curl_setup.h`). Let's always allow it and let the
  lib code deal with the details.

  Closes #9688

- cmake: add missing inet_ntop check

  This adds the missing half of the check, next to the other half
  already present in `lib/curl_config.h.cmake`.

  Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler
  warnings.

  Reviewed-by: Daniel Stenberg

  Closes #9689

Daniel Stenberg (11 Oct 2022)
- RELEASE-NOTES: synced

- [bsergean on github brought this change]

  asyn-ares: set hint flags when calling ares_getaddrinfo

  The hint flag is ARES_AI_NUMERICSERV, and it will save a call to
  getservbyname or getservbyname_r to set it.

  Closes #9694

- header.d: add category smtp and imap

  They were previously (erroneously) added manually to tool_listhelp.c
  which would make them get removed again when the file is updated next
  time, unless added correctly here in header.d

  Follow-up to 2437fac01

  Closes #9690

- curl/get_url_file_name: use libcurl URL parser

  To avoid URL tricks, use the URL parser for this.

  This update changes curl's behavior slightly in that it will ignore the
  possible query part from the URL and only use the file name from the
  actual path from the URL. I consider it a bugfix.

  "curl -O localhost/name?giveme-giveme" will now save the output in the
  local file named 'name'

  Updated test 1210 to verify

  Assisted-by: Jay Satiro

