                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog

Version 7.31.0 (22 Jun 2013)

Daniel Stenberg (22 Jun 2013)
- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0

- unit1396: unit tests to verify curl_easy_(un)escape

- Curl_urldecode: no peeking beyond end of input buffer
  
  Security problem: CVE-2013-2174
  
  If a program would give a string like "%FF" to curl_easy_unescape() but
  ask for it to decode only the first byte, it would still parse and
  decode the full hex sequence. The function then not only read beyond the
  allowed buffer but it would also deduct the *unsigned* counter variable
  for how many more bytes there's left to read in the buffer by two,
  making the counter wrap. Continuing this, the function would go on
  reading beyond the buffer and soon writing beyond the allocated target
  buffer...
  
  Bug: http://curl.haxx.se/docs/adv_20130622.html
  Reported-by: Timo Sirainen

Guenter Knauf (20 Jun 2013)
- Use opened body.out file and write content to it.

Daniel Stenberg (20 Jun 2013)
- multi_socket: react on socket close immediately
  
  As a remedy to the problem when a socket gets closed and a new one is
  opened with the same file descriptor number and as a result
  multi.c:singlesocket() doesn't detect the difference, the new function
  Curl_multi_closed() gets told when a socket is closed so that it can be
  removed from the socket hash. When the old one has been removed, a new
  socket should be detected fine by the singlesocket() on next invoke.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1248
  Reported-by: Erik Johansson

- RELEASE-NOTES: synced with e305f5ec715f

- TODO: mention the DANE patch from March

- CURLOPT_COOKIELIST: take cookie share lock
  
  When performing COOKIELIST operations the cookie lock needs to be taken
  for the cases where the cookies are shared among multiple handles!
  
  Verified by Benjamin Gilbert's updated test 506
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1215
  Reported-by: Benjamin Gilbert

- [Benjamin Gilbert brought this change]

  test506: verify that CURLOPT_COOKIELIST takes share lock
  
  It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215

- TODO: HTTP2/SPDY support

- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency
  
  Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be
  called more frequently than once per second when things are happening.

- RELEASE-NOTES: synced with 9c3e098259b82
  
  Mention 7 recent bug fixes and their associated contributors

- curl_multi_wait.3: clarify the numfds counter

- curl_easy_perform: avoid busy-looping
  
  When curl_multi_wait() finds no file descriptor to wait for, it returns
  instantly and this must be handled gracefully within curl_easy_perform()
  or cause a busy-loop. Starting now, repeated fast returns without any
  file descriptors is detected and a gradually increasing sleep will be
  used (up to a max of 1000 milliseconds) before continuing the loop.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1238
  Reported-by: Miguel Angel

- [YAMADA Yasuharu brought this change]

  cookies: follow-up fix for path checking
  
  The initial fix to only compare full path names were done in commit
  04f52e9b4db0 but found out to be incomplete. This takes should make the
  change more complete and there's now two additional tests to verify
  (test 31 and 62).

- [Sergei Nikulov brought this change]

  lib1900: use tutil_tvnow instead of gettimeofday
  
  Makes it build on windows

- [Eric Hu brought this change]

  axtls: now done non-blocking

- [Eric Hu brought this change]

  test2033: requires NTLM support

- KNOWN_BUGS: #82 failed build with Borland compiler

- Curl_output_digest: support auth-int for empty entity body
  
  By always returning the md5 for an empty body when auth-int is asked
  for, libcurl now at least sometimes does the right thing.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1235
  Patched-by: Nach M. S.

- multi_socket: reduce timeout inaccuracy margin
  
  Allow less room for "triggered too early" mistakes by applications /
  timers on non-windows platforms. Starting now, we assume that a timeout
  call is never made earlier than 3 milliseconds before the actual
  timeout. This greatly improves timeout accuracy on Linux.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1228
  Reported-by: Hang Su

- cert_stuff: avoid double free in the PKCS12 code
  
  In the pkcs12 code, we get a list of x509 records returned from
  PKCS12_parse but when iterating over the list and passing each to
  SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from
  the "stack", which made them get freed twice (both in sk_X509_pop_free()
  and then later in SSL_CTX_free).
  
  This isn't really documented anywhere...
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1236
  Reported-by: Nikaiw

- cert_stuff: remove code duplication in the pkcs12 logic

- [Aleksey Tulinov brought this change]

  axtls: honor disabled VERIFYHOST
  
  When VERIFYHOST == 0, libcurl should let invalid certificates to pass.

- [Peter Gal brought this change]

  curl_easy_setopt.3: HTTP header with no content
  
  Update the documentation on how to specify a HTTP header with no
  content.

- RELEASE-NOTES: synced with 87cf677eca55
  
  Added 11 bugs and 7 contributors

- lib1500: remove bad check
  
  After curl_multi_wait() returns, this test checked that we got exactly
  one file descriptor told to read from, but we cannot be sure that is
  true. curl_multi_wait() will sometimes return earlier without any file
  descriptor to handle, just just because it is a suitable time to call
  *perform().
  
  This problem showed up with commit 29bf0598.
  
  Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html
  Reported-by: Fabian Keil

- tests/Makefile: typo in the perlcheck target
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1239
  Reported-by: Christian Weisgerber

- test1230: verify CONNECT to a numerical ipv6-address

- sws: support extracting test number from CONNECT ipv6-address!
  
  If an ipv6-address is provided to CONNECT, the last hexadecimal group in
  the address will be used as the test number! For example the address
  "[1234::ff]" would be treated as test case 255.

- curl_multi_wait: only use internal timer if not -1
  
  commit 29bf0598aad5 introduced a problem when the "internal" timeout is
  prefered to the given if shorter, as it didn't consider the case where
  -1 was returned. Now the internal timeout is only considered if not -1.
  
  Reported-by: Tor Arntsen
  Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html

Dan Fandrich (3 Jun 2013)
- libcurl-tutorial.3: added a section on IPv6
  
  Also added a (correctly-escaped) backslash to the autoexec.bat
  example file and a new Windows character device name with
  a colon as examples of other characters that are special
  and potentially dangerous (this reverts and reworks commit
  7d8d2a54).

Daniel Stenberg (3 Jun 2013)
- curl_multi_wait: reduce timeout if the multi handle wants to
  
  If the multi handle's pending timeout is less than what is passed into
  this function, it will now opt to use the shorter time anyway since it
  is a very good hint that the handle wants to process something in a
  shorter time than what otherwise would happen.
  
  curl_multi_wait.3 was updated accordingly to clarify
  
  This is the reason for bug #1224
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1224
  Reported-by: Andrii Moiseiev

- multi_runsingle: switch an if() condition for readability
  
  ... because there's an identical check right next to it so using the
  operators in the check in the same order increases readability.

Marc Hoersken (2 Jun 2013)
- curl_schannel.c: Removed variable unused since 35874298e4

- curl_setup.h: Fixed redefinition warning using mingw-w64

Daniel Stenberg (30 May 2013)
- multi_runsingle: add braces to clarify the code

- libcurl-tutorial.3: remove incorrect backslash
  
  A single backslash in the content is not legal nroff syntax.
  
  Reported and fixed by: Eric S. Raymond
  Bug: http://curl.haxx.se/bug/view.cgi?id=1234

- curl_formadd.3: fixed wrong "end-marker" syntax
  
  Reported and fixed by: Eric S. Raymond
  Bug: http://curl.haxx.se/bug/view.cgi?id=1233

- curl.1: clarify that --silent still outputs data

- Digest auth: escape user names with \ or " in them
  
  When sending the HTTP Authorization: header for digest, the user name
  needs to be escaped if it contains a double-quote or backslash.
  
  Test 1229 was added to verify
  
  Reported and fixed by: Nach M. S
  Bug: http://curl.haxx.se/bug/view.cgi?id=1230

- [Mike Giancola brought this change]

  ossl_recv: SSL_read() returning 0 is an error too
  
  SSL_read can return 0 for "not successful", according to the open SSL
  documentation: http://www.openssl.org/docs/ssl/SSL_read.html

- [Mike Giancola brought this change]

  ossl_send: SSL_write() returning 0 is an error too
  
  We found that in specific cases if the connection is abruptly closed,
  the underlying socket is listed in a close_wait state. We continue to
  call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs
  report the socket closed / connection finished.  Since we have cases
  where the multi connection is only used once, this can pose a problem
  for us. I've read that if another connection was to come in, curl would
  see the socket as bad and attempt to close it at that time -
  unfortunately, this does not work for us.
  
  I found that in specific situations, if SSL_write returns 0, curl did
  not recognize the socket as closed (or errored out) and did not report
  it to the application. I believe we need to change the code slightly, to
  check if ssl_write returns 0. If so, treat it as an error - the same as
  a negative return code.
  
  For OpenSSL - the ssl_write documentation is here:
  http://www.openssl.org/docs/ssl/SSL_write.html

- KNOWN_BUGS: curl -OJC- fails to resume
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1169

- Curl_cookie_add: handle IPv6 hosts
  
  1 - don't skip host names with a colon in them in an attempt to bail out
  on HTTP headers in the cookie file parser. It was only a shortcut anyway
  and trying to parse a file with HTTP headers will still be handled, only
  slightly slower.
  
  2 - don't skip domain names based on number of dots. The original
  netscape cookie spec had this oddity mentioned and while our code
  decreased the check to only check for two, the existing cookie spec has
  no such dot counting required.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1221
  Reported-by: Stefan Neis

- curl_easy_setopt.3: expand the PROGRESSFUNCTION section
  
  Explain the callback and its arguments better and with more descriptive
  text.

- tests: add test1394 file to the tarball

- tarball: include the xmlstream example

- [David Strauss brought this change]

  xmlstream: XML stream parsing example source code
  
  Add an XML stream parsing example using Expat. Add missing ignore for
  the binary from an unrelated example.

- [YAMADA Yasuharu brought this change]

  cookies: only consider full path matches
  
  I found a bug which cURL sends cookies to the path not to aim at.
  For example:
  - cURL sends a request to http://example.fake/hoge/
  - server returns cookie which with path=/hoge;
    the point is there is NOT the '/' end of path string.
  - cURL sends a request to http://example.fake/hogege/ with the cookie.
  
  The reason for this old "feature" is because that behavior is what is
  described in the original netscape cookie spec:
  http://curl.haxx.se/rfc/cookie_spec.html
  
  The current cookie spec (RFC6265) clarifies the situation:
  http://tools.ietf.org/html/rfc6265#section-5.2.4

- [Eric Hu brought this change]

  axtls: prevent memleaks on SSL handshake failures

- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage"
  
  This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab.
  
  We don't have any code anywhere in libcurl (or the curl tool) that use
  wcsdup so there's no such memory use to track. It seems to cause mild
  problems with the Borland compiler though that we may avoid by reverting
  this change again.
  
  Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html

- RELEASE-NOTES: synced with ae26ee3489588f0

Guenter Knauf (11 May 2013)
- Updated zlib version in build files.

Daniel Stenberg (9 May 2013)
- [Renaud Guillard brought this change]

  OS X framework: fix invalid symbolic link

Kamil Dudka (9 May 2013)
- [Daniel Stenberg brought this change]

  nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
  
  Reported by: David Strauss
  Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html

Daniel Stenberg (8 May 2013)
- libtest: gitignore more binary files

- servercert: allow empty subject
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1220
  Patch by: John Gardiner Myers

- [Steve Holme brought this change]

  tests: Added new SMTP tests to verify commit 99b40451836d

- runtests.pl: support nonewline="yes" in client/stdin sections

- build: fixed unit1394 for debug and metlink builds

Kamil Dudka (6 May 2013)
- unit1394.c: plug the curl tool unit test in

- [Jared Jennings brought this change]

  unit1394.c: basis of a unit test for parse_cert_parameter()

- src/Makefile.am: build static lib for unit tests if enabled

- tool_getparam: ensure string termination in parse_cert_parameter()

- tool_getparam: fix memleak in handling the -E option

- tool_getparam: describe what parse_cert_parameter() does
  
  ... and de-duplicate the code initializing *passphrase

- curl.1: document escape sequences recognized by -E

- [Jared Jennings brought this change]

  curl -E: allow to escape ':' in cert nickname

Marc Hoersken (5 May 2013)
- curl_schannel.c: Fixed invalid memory access during SSL shutdown

Steve Holme (4 May 2013)
- smtp: Fix trailing whitespace warning

- smtp: Fix compilation warning
  
  comparison between signed and unsigned integer expressions

- RELEASE-NOTES: synced with 92ef5f19c801

- smtp: Updated RFC-2821 references to RFC-5321

- smtp: Fixed sending of double CRLF caused by first in EOB
  
  If the mail sent during the transfer contains a terminating <CRLF> then
  we should not send the first <CRLF> of the EOB as specified in RFC-5321.
  
  Additionally don't send the <CRLF> if there is "no mail data" as the
  DATA command already includes it.

- tests: Corrected MAIL SIZE for CRLF line endings
  
  ... which was missed in commit: f5c3d9538452

- tests: Corrected infilesize for CRLF line endings
  
  ... which was missed in commit: f5c3d9538452

- tests: Corrected test1406 to be RFC2821 compliant

- tests: Corrected test1320 to be RFC2821 compliant

- tests: Corrected typo in test909
  
  Introduced in commit: 514817669e9e

- tests: Corrected test909 to be RFC2821 compliant

- tests: Updated test references to 909 from 1411
  
  ...and removed references to libcurl and test1406.

- tests: Renamed test1411 to test909 as this is a main SMTP test

Daniel Stenberg (1 May 2013)
- [Lars Johannesen brought this change]

  bindlocal: move brace out of #ifdef
  
  The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two
  closing braces when it should only have one, so builds without that
  define would fail.
  
  Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html

Steve Holme (30 Apr 2013)
- smtp: Tidy up to move the eob counter to the per-request structure
  
  Move the eob counter from the smtp_conn structure to the SMTP structure
  as it is associated with a SMTP payload on a per-request basis.

- TODO: Updated following the addition of CURLOPT_SASL_IR

- smtp: Fixed unknown percentage complete in progress bar
  
  The curl command line utility would display the the completed progress
  bar with a percentage of zero as the progress routines didn't know the
  size of the transfer.

Daniel Stenberg (29 Apr 2013)
- ftpserver: silence warnings
  
  Fix regressions in commit b56e3d43e5d. Make @data local and filter off
  non-numerical digits from $testno in STATUS_imap.

Steve Holme (29 Apr 2013)
- ftpserver.pl: Corrected the imap LOGIN response
  
  ...to be more realistic and consistent with the other imap responses.

- tests: Added imap STATUS command test

- tests: Corrected the SMTP tests to be RFC2821 compliant
  
  The emails that are sent to the server during these tests were
  incorrectly formatted as they contained one or more LF terminated lines
  rather than being CRLF terminated as per Section 2.3.7 of RFC-2821.
  
  This wasn't a problem for the test suite as the <stdin> data matched the
  <upload> data but anyone using these tests as reference would be sending
  incorrect data to a server.

- email: Tidy up of *_perform_authenticate()
  
  Removed the hard returns from imap and pop3 by using the same style for
  sending the authentication string as smtp. Moved the "Other mechanisms
  not supported" check in smtp to match that of imap and pop3 to provide
  consistency between the three email protocols.

- smtp: Updated limit check to be more readable like the check in pop3

- pop3: Added 255 octet limit check when sending initial response
  
  Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.

- DOCS: Corrected line length of recent Secure Transport changes

Nick Zitzmann (27 Apr 2013)
- darwinssl: add TLS crypto authentication
  
  Users using the Secure Transport (darwinssl) back-end can now use a
  certificate and private key to authenticate with a site using TLS. Because
  Apple's security system is based around the keychain and does not have any
  non-public function to create a SecIdentityRef data structure from data
  loaded outside of the Keychain, the certificate and private key have to be
  loaded into the Keychain first (using the certtool command line tool or
  the Security framework's C API) before we can find it and use it.

Steve Holme (27 Apr 2013)
- Corrected version numbers after bump

Daniel Stenberg (27 Apr 2013)
- bump version
  
  Since we're adding new stuff, the next release will bump the minor
  version and we're looking forward to 7.31.0

Steve Holme (27 Apr 2013)
- RELEASE-NOTES: synced with f4e6e201b146

- DOCS: Updated following the addition of CURLOPT_SASL_IR
  
  Documented the the option in curl_easy_setopt() and added it to
  symbols-in-versions.

- tests: Corrected command line arguments in test907 and test908

- tests: Added SMTP AUTH with initial response tests

- tests: Updated SMTP tests to decouple client initial response
  
  Updated test903 and test904 following the addition of CURLOPT_SASL_IR
  as the default behaviour of SMTP AUTH responses is now to not include
  the initial response. New tests with --sasl-ir support to follow.

- imap: Added support for overriding the SASL initial response
  
  In addition to checking for the SASL-IR capability the user can override
  the sending of the client's initial response in the AUTHENTICATION
  command with the use of CURLOPT_SASL_IR should the server erroneously
  not report SASL-IR when it does support it.

- smtp: Added support for disabling the SASL initial response
  
  Updated the default behaviour of sending the client's initial response in the AUTH
  command to not send it and added support for CURLOPT_SASL_IR to allow the user to
  specify including the response.
  
  Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html
  Reported-by: Gokhan Sengun

- pop3: Added support for enabling the SASL initial response
  
  Allowed the user to specify whether to send the client's intial response
  in the AUTH command via CURLOPT_SASL_IR.

- sasl-ir: Added --sasl-ir option to curl command line tool

- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response

Daniel Stenberg (26 Apr 2013)
- curl_easy_init: use less mallocs
  
  By introducing an internal alternative to curl_multi_init() that accepts
  parameters to set the hash sizes, easy handles will now use tiny socket
  and connection hash tables since it will only ever add a single easy
  handle to that multi handle.
  
  This decreased the number mallocs in test 40 (which is a rather simple
  and typical easy interface use case) from 1142 to 138. The maximum
  amount of memory allocated used went down from 118969 to 78805.

Steve Holme (26 Apr 2013)
- ftpserver.pl: Fixed imap logout confirmation data
  
  An IMAP server should response with the BYE continuation response before
  confirming the LOGOUT command was successful.

Daniel Stenberg (26 Apr 2013)
- ftp_state_pasv_resp: connect through proxy also when set by env
  
  When connecting back to an FTP server after having sent PASV/EPSV,
  libcurl sometimes didn't use the proxy properly even though the proxy
  was used for the initial connect.
  
  The function wrongly checked for the CURLOPT_PROXY variable to be set,
  which made it act wrongly if the proxy information was set with an
  environment variable.
  
  Added test case 711 to verify (based on 707 which uses --socks5). Also
  added test712 to verify another variation of setting the proxy: with
  --proxy socks5://
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1218
  Reported-by: Zekun Ni

Kamil Dudka (26 Apr 2013)
- [Zdenek Pavlas brought this change]

  url: initialize speed-check data for file:// protocol
  
  ... in order to prevent an artificial timeout event based on stale
  speed-check data from a previous network transfer.  This commit fixes
  a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
  
  Bug: https://bugzilla.redhat.com/906031

Daniel Stenberg (25 Apr 2013)
- test709: clarify the test in the name

- sshserver: disable StrictHostKeyChecking
  
  I couldn't figure out why the host key logic isn't working, but having
  it set to yes prevents my SSH-based test cases to run. I also don't see
  a strong need to use strict host key checking on this test server.
  
  So I disabled it.

- runtests: log more commands in verbose mode
  
  ... to aid tracking down failures

Steve Holme (25 Apr 2013)
- TODO: Corrected copy/paste typo

- TODO: Added new ideas for future SMTP, POP3 and IMAP features

- TODO: Updated following the addition of ;auth=<MECH> support

- DOCS: Minor rewording / clarification of host name protocol detection

- RELEASE-NOTES: synced with a8c92cb60890

- DOCS: Added reference to IETF draft for SMTP URL Interface
  
  ...when mentioning login options. Additional minor clarification of
  "Windows builds" to be "Windows builds with SSPI"as a way of enabling
  NTLM as Windows builds may be built with OpenSSL to enable NTLM or
  without NTLM support altogether.

Linus Nielsen Feltzing (23 Apr 2013)
- HISTORY: Fix spelling error.

Steve Holme (23 Apr 2013)
- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL

- url: Added smtp and pop3 hostnames to the protocol detection list

Daniel Stenberg (23 Apr 2013)
- HISTORY: correct some years/dates
  
  Thanks to archive.org's wayback machine I updated this document with
  some facts from the early httpget/urlget web page:
  
  http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html

- [Alessandro Ghedini brought this change]

  tests: add test1511 to check timecond clean-up
  
  Verifies the timecond fix in commit c49ed0b6c0f

- [Alessandro Ghedini brought this change]

  getinfo.c: reset timecond when clearing session-info variables
  
  Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
  Reported-by: Ludovico Cavedon <cavedon@debian.org>

Steve Holme (22 Apr 2013)
- DOCS: Added information about login options to CURLOPT_USERPWD

- DOCS: Added information about login options in the URL

- url: Fixed missing length check in parse_proxy()
  
  Commit 11332577b3cb removed the length check that was performed by the
  old scanf() code.

- url: Fixed crash when no username or password supplied for proxy
  
  Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb,
  where an empty username or password (For example: http://:@example.com)
  would cause a crash.

- url: Removed unused text length constants

- url: Updated proxy URL parsing to use parse_login_details()

- url: Tidy up of setstropt_userpwd() parameters
  
  Updated the naming convention of the login parameters to match those of
  other functions.

- url: Tidy up of code and comments following recent changes
  
  Tidy up of variable names and comments in setstropt_userpwd() and
  parse_login_details().

- url: Simplified setstropt_userpwd() following recent changes
  
  There is no need to perform separate clearing of data if a NULL option
  pointer is passed in. Instead this operation can be performed by simply
  not calling parse_login_details() and letting the rest of the code do
  the work.

- url: Correction to scope of if statements when setting data

- url: Fixed memory leak in setstropt_userpwd()
  
  setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to
  set each of the login details which would duplicate the strings and
  subsequently cause a memory leak.

- RELEASE-NOTES: synced with d535c4a2e1f7

- url: Added overriding of URL login options from CURLOPT_USERPWD

- tool_paramhlp: Fixed options being included in username
  
  Fix to prevent the options from being displayed when curl requests the
  user's password if the following command line is specified:
  
  --user username;options

- url: Added support for parsing login options from the CURLOPT_USERPWD
  
  In addition to parsing the optional login options from the URL, added
  support for parsing them from CURLOPT_USERPWD, to allow the following
  supported command line:
  
  --user username:password;options

- url: Added bounds checking to parse_login_details()
  
  Added bounds checking when searching for the separator characters within
  the login string as this string may not be NULL terminated (For example
  it is the login part of a URL). We do this in preference to allocating a
  new string to copy the login details into which could then be passed to
  parse_login_details() for performance reasons.

- url: Added size_t cast to pointer based length calculations

- url: Corrected minor typo in comment

Daniel Stenberg (18 Apr 2013)
- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
  
  When cross-compiling we can't scan and detect existing files or paths.
  
  Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html

- [Ishan SinghLevett brought this change]

  usercertinmem.c: add example showing user cert in memory
  
  Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific

Steve Holme (18 Apr 2013)
- url: Fix chksrc longer than 79 columns warning

- url: Fix incorrect variable type for result code

- url: Fix compiler warning
  
  signed and unsigned type in conditional expression

- url: Moved parsing of login details out of parse_url_login()
  
  Separated the parsing of login details from the processing of them in
  parse_url_login() ready for use by setstropt_userpwd().

- url: Re-factored set_userpass() and parse_url_userpass()
  
  Re-factored these functions to reflect their new behaviour following the
  addition of login options.

- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD

Daniel Stenberg (18 Apr 2013)
- maketgz: make bzip2 creation work with Parallel BZIP2 too
  
  Apparently the previous usage didn't work with that implementation,
  while this updated version works with at least both Parallel BZIP2
  v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010".

Linus Nielsen Feltzing (18 Apr 2013)
- Add tests/http_pipe.py to the tarball build

Steve Holme (16 Apr 2013)
- smtp: Re-factored all perform based functions
  
  Standardised the naming of all perform based functions to be in the form
  smtp_perform_something().

- smtp: Added description comments to all perform based functions

- smtp: Moved smtp_quit() to be with the other perform functions

- smtp: Moved smtp_rcpt_to() to be with the other perform functions

- smtp: Moved smtp_mail() to be with the other perform functions

Daniel Stenberg (16 Apr 2013)
- [Wouter Van Rooy brought this change]

  curl-config: don't output static libs when they are disabled
  
  Curl-config outputs static libraries even when they are disabled in
  configure.
  
  This causes problems with the build of pycurl.

- [Dave Reisner brought this change]

  docs/libcurl: fix formatting in manpage
  
  Commit c3ea3eb6 introduced some minor cosmetic errors in
  curl_mutli_socket_action(3).

- [Paul Howarth brought this change]

  Add extra libs for lib1900 and lib2033 test programs
  
  These are needed in cases where clock_gettime is used, from librt.

Dan Fandrich (15 Apr 2013)
- FAQ: mention that the network connection can be monitored
  
  Also note the prohibition on sharing handles across threads.

Steve Holme (15 Apr 2013)
- pop3: Added missing comment for pop3_state_apop_resp()

- smtp: Updated the coding style of smtp_state_servergreet_resp()
  
  Updated the coding style, in this function, to be consistant with other
  response functions rather then performing a hard return on failure.

- pop3: Updated the coding style of pop3_state_servergreet_resp()
  
  Updated the coding style, in this function, to be consistent with other
  response functions rather then performing a hard return on failure.

- pop3: Re-factored all perform based functions
  
  Standardised the naming of all perform based functions to be in the form
  pop3_perform_something() following the changes made to IMAP.

- pop3: Added description comments to all perform based functions

- pop3: Moved pop3_quit() to be with the other perform functions

- pop3: Moved pop3_command() to be with the other perform functions
  
  Started to apply the same tidy up to the POP3 code as applied to the
  IMAP code in the 7.30.0 release.

- RELEASE-NOTES: Removed erroneous spaces

- RELEASE-NOTES: synced with 8723cade21fb

- smtp: Added support for ;auth=<mech> in the URL
  
  Added support for specifying the preferred authentication mechanism in
  the URL as per Internet-Draft 'draft-earhart-url-smtp-00'.

- pop3: Reworked authentication type constants
  
  ... to use left-shifted values, like those defined in curl.h, rather
  than 16-bit hexadecimal values.

- pop3: Small consistency tidy up

- pop3: Added support for ;auth=<mech> in the URL
  
  Added support for specifying the preferred authentication type and SASL
  mechanism in the URL as per RFC-2384.

- imap: Added support for ;auth=<mech> in the URL
  
  Added support for specifying the preferred authentication mechanism in
  the URL as per RFC-5092.

- sasl: Reworked SASL mechanism constants
  
  ... to use left-shifted values, like those defined in curl.h, rather
  than 16-bit hexadecimal values.

- sasl: Added predefined preferred mechanism values
  
  In preparation for the upcoming changes to IMAP, POP3 and SMTP added
  preferred mechanism values.

- url: Added support for parsing login options from the URL
  
  As well as parsing the username and password from the URL, added support
  for parsing the optional options part from the login details, to allow
  the following supported URL format:
  
  schema://username:password;options@example.com/path?q=foobar
  
  This will only be used by IMAP, POP3 and SMTP at present but any
  protocol that may be given login options in the URL will be able to
  add support for them.

- smtp: Fix compiler warning
  
  warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6.

- smtp: Moved parsing of url path into separate function

Daniel Stenberg (12 Apr 2013)
- FTP: handle a 230 welcome response
  
  ...instead of the 220 we otherwise expect.
  
  Made the ftpserver.pl support sending a custom "welcome" and then
  created test 1219 to verify this fix with such a 230 welcome.
  
  Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html
  Reported by: Anders Havn

- configure: try pthread_create without -lpthread
  
  For libc variants without a spearate pthread lib (like bionic), try
  using pthreads without the pthreads lib first and only if that fails try
  the -lpthread linker flag.
  
  Bug: http://curl.haxx.se/bug/view.cgi?id=1216
  Reported by: Duncan

- FTP: access files in root dir correctly
  
  Accessing a file with an absolute path in the root dir but with no
  directory specified was not handled correctly. This fix comes with four
  new test cases that verify it.
  
  Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html
  Reported by: Sam Deane

Steve Holme (12 Apr 2013)
- pop3: Reworked the function description for Curl_pop3_write()

- pop3: Added function description to pop3_parse_custom_request()

- pop3: Moved utility functions to end of pop3.c

Nick Zitzmann (12 Apr 2013)
- darwinssl: add TLS session resumption
  
  This ought to speed up additional TLS handshakes, at least in theory.

Steve Holme (12 Apr 2013)
- imap: Added function description to imap_parse_custom_request()

- imap: Moved utility functions to end of imap.c (Part 3/3)
  
  Moved imap_is_bchar() be with the other utility based functions.

- imap: Moved utility functions to end of imap.c (Part 2/3)
  
  Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the
  file allowing all utility functions to be grouped together.

- imap: Moved utility functions to end of imap.c (Part 1/3)
  
  Moved imap_atom() and imap_sendf() to the end of the file allowing all
  utility functions to be grouped together.

- imap: Corrected function description for imap_connect()
[--snip--]
