commit b3976747015f28a7abc9cd76a0fb5ca4d237cf38
Author: CentOS Sources
Date: Mon Nov 9 16:09:00 2020 +0000
import curl-7.61.1-16.el8
diff --git a/.curl.metadata b/.curl.metadata
new file mode 100644
index 0000000..a1dafc9
--- /dev/null
+++ b/.curl.metadata
@@ -0,0 +1 @@
+8b56123714b4e061f0f71005c5be598b12f82483 SOURCES/curl-7.61.1.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cfbf426
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/curl-7.61.1.tar.xz
diff --git a/SOURCES/0001-curl-7.61.1-test320-gnutls.patch b/SOURCES/0001-curl-7.61.1-test320-gnutls.patch
new file mode 100644
index 0000000..a9cbaac
--- /dev/null
+++ b/SOURCES/0001-curl-7.61.1-test320-gnutls.patch
@@ -0,0 +1,63 @@
+From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 4 Oct 2018 15:34:13 +0200
+Subject: [PATCH] test320: strip out more HTML when comparing
+
+To make the test case work with different gnutls-serv versions better.
+
+Reported-by: Kamil Dudka
+Fixes #3093
+Closes #3094
+
+Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
+Signed-off-by: Kamil Dudka
+---
+ tests/data/test320 | 24 ++++--------------------
+ 1 file changed, 4 insertions(+), 20 deletions(-)
+
+diff --git a/tests/data/test320 b/tests/data/test320
+index 457a11eb2..87311d4f2 100644
+--- a/tests/data/test320
++++ b/tests/data/test320
+@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
+ HTTP/1.0 200 OK
+ Content-type: text/html
+
+-
+-
+-
+-
+-
+-
+-If your browser supports session resuming, then you should see the same session ID, when you press the reload button.
+-Connected as user 'jsmith'.
+-
+-
|
+-Key Exchange: | SRP |
+-Compression | NULL |
+-Cipher | AES-NNN-CBC |
+-MAC | SHA1 |
+-Ciphersuite | SRP_SHA_AES_NNN_CBC_SHA1 |
+-
Your HTTP header was:
Host: %HOSTIP:%HTTPTLSPORT
++FINE
+ User-Agent: curl-test-suite
+ Accept: */*
+
+-
+-
+-
+
+
+-s/^Session ID:.*//
++s/^
Connected as user 'jsmith'.*/FINE/
+ s/Protocol version:.*[0-9]//
+ s/GNUTLS/GnuTLS/
+ s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
++s/^<.*\n//
++s/^\n//
+
+
+
+--
+2.17.1
+
diff --git a/SOURCES/0002-curl-7.61.1-tlsv1.0-man.patch b/SOURCES/0002-curl-7.61.1-tlsv1.0-man.patch
new file mode 100644
index 0000000..f384366
--- /dev/null
+++ b/SOURCES/0002-curl-7.61.1-tlsv1.0-man.patch
@@ -0,0 +1,28 @@
+From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 7 Sep 2018 16:50:45 +0200
+Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0
+
+... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
+
+Closes #2955
+
+Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e
+Signed-off-by: Kamil Dudka
+---
+ docs/cmdline-opts/tlsv1.0.d | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d
+index 8789025e0..54e259682 100644
+--- a/docs/cmdline-opts/tlsv1.0.d
++++ b/docs/cmdline-opts/tlsv1.0.d
+@@ -3,4 +3,4 @@ Help: Use TLSv1.0
+ Protocols: TLS
+ Added: 7.34.0
+ ---
+-Forces curl to use TLS version 1.0 when connecting to a remote TLS server.
++Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.
+--
+2.17.1
+
diff --git a/SOURCES/0003-curl-7.61.1-TLS-1.3-PHA.patch b/SOURCES/0003-curl-7.61.1-TLS-1.3-PHA.patch
new file mode 100644
index 0000000..99273ac
--- /dev/null
+++ b/SOURCES/0003-curl-7.61.1-TLS-1.3-PHA.patch
@@ -0,0 +1,46 @@
+From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 21 Sep 2018 10:37:43 +0200
+Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
+
+OpenSSL 1.1.1 requires clients to opt-in for post-handshake
+authentication.
+
+Fixes: https://github.com/curl/curl/issues/3026
+Signed-off-by: Christian Heimes
+
+Closes https://github.com/curl/curl/pull/3027
+
+Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/openssl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index a487f55..78970d1 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
+ !defined(LIBRESSL_VERSION_NUMBER) && \
+ !defined(OPENSSL_IS_BORINGSSL))
+ #define HAVE_SSL_CTX_SET_CIPHERSUITES
++#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
+ #endif
+
+ #if defined(LIBRESSL_VERSION_NUMBER)
+@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+ }
+ #endif
+
++#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
++ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
++ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
++#endif
++
+ #ifdef USE_TLS_SRP
+ if(ssl_authtype == CURL_TLSAUTH_SRP) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+--
+2.17.1
+
diff --git a/SOURCES/0004-curl-7.61.1-CVE-2018-16842.patch b/SOURCES/0004-curl-7.61.1-CVE-2018-16842.patch
new file mode 100644
index 0000000..1b8a198
--- /dev/null
+++ b/SOURCES/0004-curl-7.61.1-CVE-2018-16842.patch
@@ -0,0 +1,81 @@
+From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to
+ stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
+Signed-off-by: Kamil Dudka
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+ (void)fwrite(ptr, cut + 1, 1, config->errors);
+ fputs("\n", config->errors);
+ ptr += cut + 1; /* skip the space too */
+- len -= cut;
++ len -= cut + 1;
+ }
+ else {
+ fputs(ptr, config->errors);
+--
+2.17.2
+
+
+From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 28 Oct 2018 10:43:57 +0100
+Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842
+
+Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157
+Signed-off-by: Kamil Dudka
+---
+ tests/data/Makefile.inc | 4 ++--
+ tests/data/test2080 | Bin 0 -> 20659 bytes
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test2080
+
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index e045748..aa5fff0 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -198,7 +198,7 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
+ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
+ test2064 test2065 test2066 test2067 test2068 test2069 \
+ \
+-test2070 test2071 test2072 test2073 \
+-test2074 test2075 \
++test2070 test2071 test2072 test2073 test2074 test2075 \
++test2080 \
+ \
+ test3000 test3001
+diff --git a/tests/data/test2080 b/tests/data/test2080
+new file mode 100644
+index 0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a
+GIT binary patch
+literal 20659
+zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef
+zl6Ca+%A4K8~qdz
+zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk
+zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n!
+z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{
+z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb-+Xw`j-8D
+zzg+g?Rt8(G*s;1Sb>n1S94H%G
+Date: Thu, 18 Oct 2018 15:07:15 +0200
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc068 (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+
+Upstream-commit: 81d135d67155c5295b1033679c606165d4e28f3f
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index f159008..dcc1ecc 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -319,10 +319,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+ and detach this handle from there. */
+ curl_multi_remove_handle(data->multi, data);
+
+- if(data->multi_easy)
++ if(data->multi_easy) {
+ /* when curl_easy_perform() is used, it creates its own multi handle to
+ use and this is the one */
+ curl_multi_cleanup(data->multi_easy);
++ data->multi_easy = NULL;
++ }
+
+ /* Destroy the timeout list that is held in the easy handle. It is
+ /normally/ done by curl_multi_remove_handle() but this is "just in
+--
+2.17.2
+
diff --git a/SOURCES/0006-curl-7.61.1-CVE-2018-16839.patch b/SOURCES/0006-curl-7.61.1-CVE-2018-16839.patch
new file mode 100644
index 0000000..949254f
--- /dev/null
+++ b/SOURCES/0006-curl-7.61.1-CVE-2018-16839.patch
@@ -0,0 +1,31 @@
+From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 28 Sep 2018 16:08:16 +0200
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
+Signed-off-by: Kamil Dudka
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+ plen = strlen(passwdp);
+
+ /* Compute binary message length. Check for overflows. */
+- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+ return CURLE_OUT_OF_MEMORY;
+ plainlen = 2 * ulen + plen + 2;
+
+--
+2.17.2
+
diff --git a/SOURCES/0007-curl-7.63.0-JO-preserve-local-file.patch b/SOURCES/0007-curl-7.63.0-JO-preserve-local-file.patch
new file mode 100644
index 0000000..6799dfa
--- /dev/null
+++ b/SOURCES/0007-curl-7.63.0-JO-preserve-local-file.patch
@@ -0,0 +1,116 @@
+From ff74657fb645e7175971128a171ef7d5ece40d77 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 17 Dec 2018 12:51:51 +0100
+Subject: [PATCH] curl -J: do not append to the destination file
+
+Reported-by: Kamil Dudka
+Fixes #3380
+Closes #3381
+
+Upstream-commit: 4849267197682e69cfa056c2bd7a44acd123a917
+Signed-off-by: Kamil Dudka
+---
+ src/tool_cb_hdr.c | 6 +++---
+ src/tool_cb_wrt.c | 9 ++++-----
+ src/tool_cb_wrt.h | 2 +-
+ src/tool_operate.c | 2 +-
+ 4 files changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 84b0d9c..3844904 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -148,12 +148,12 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ outs->filename = filename;
+ outs->alloc_filename = TRUE;
+ hdrcbdata->honor_cd_filename = FALSE; /* done now! */
+- if(!tool_create_output_file(outs, TRUE))
++ if(!tool_create_output_file(outs))
+ return failure;
+ }
+ break;
+ }
+- if(!outs->stream && !tool_create_output_file(outs, FALSE))
++ if(!outs->stream && !tool_create_output_file(outs))
+ return failure;
+ }
+
+@@ -162,7 +162,7 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ /* bold headers only happen for HTTP(S) and RTSP */
+ char *value = NULL;
+
+- if(!outs->stream && !tool_create_output_file(outs, FALSE))
++ if(!outs->stream && !tool_create_output_file(outs))
+ return failure;
+
+ if(hdrcbdata->global->isatty && hdrcbdata->global->styled_output)
+diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c
+index 2cb5e1b..195d6e7 100644
+--- a/src/tool_cb_wrt.c
++++ b/src/tool_cb_wrt.c
+@@ -32,8 +32,7 @@
+ #include "memdebug.h" /* keep this as LAST include */
+
+ /* create a local file for writing, return TRUE on success */
+-bool tool_create_output_file(struct OutStruct *outs,
+- bool append)
++bool tool_create_output_file(struct OutStruct *outs)
+ {
+ struct GlobalConfig *global = outs->config->global;
+ FILE *file;
+@@ -43,7 +42,7 @@ bool tool_create_output_file(struct OutStruct *outs,
+ return FALSE;
+ }
+
+- if(outs->is_cd_filename && !append) {
++ if(outs->is_cd_filename) {
+ /* don't overwrite existing files */
+ file = fopen(outs->filename, "rb");
+ if(file) {
+@@ -55,7 +54,7 @@ bool tool_create_output_file(struct OutStruct *outs,
+ }
+
+ /* open file for writing */
+- file = fopen(outs->filename, append?"ab":"wb");
++ file = fopen(outs->filename, "wb");
+ if(!file) {
+ warnf(global, "Failed to create the file %s: %s\n", outs->filename,
+ strerror(errno));
+@@ -142,7 +141,7 @@ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata)
+ }
+ #endif
+
+- if(!outs->stream && !tool_create_output_file(outs, FALSE))
++ if(!outs->stream && !tool_create_output_file(outs))
+ return failure;
+
+ if(is_tty && (outs->bytes < 2000) && !config->terminal_binary_ok) {
+diff --git a/src/tool_cb_wrt.h b/src/tool_cb_wrt.h
+index 51e002b..188d3ea 100644
+--- a/src/tool_cb_wrt.h
++++ b/src/tool_cb_wrt.h
+@@ -30,7 +30,7 @@
+ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata);
+
+ /* create a local file for writing, return TRUE on success */
+-bool tool_create_output_file(struct OutStruct *outs, bool append);
++bool tool_create_output_file(struct OutStruct *outs);
+
+ #endif /* HEADER_CURL_TOOL_CB_WRT_H */
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index e53a9d8..429e9cf 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -1581,7 +1581,7 @@ static CURLcode operate_do(struct GlobalConfig *global,
+ /* do not create (or even overwrite) the file in case we get no
+ data because of unmet condition */
+ curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet);
+- if(!cond_unmet && !tool_create_output_file(&outs, FALSE))
++ if(!cond_unmet && !tool_create_output_file(&outs))
+ result = CURLE_WRITE_ERROR;
+ }
+
+--
+2.17.2
+
diff --git a/SOURCES/0008-curl-7.61.1-CVE-2018-20483.patch b/SOURCES/0008-curl-7.61.1-CVE-2018-20483.patch
new file mode 100644
index 0000000..8b20ff6
--- /dev/null
+++ b/SOURCES/0008-curl-7.61.1-CVE-2018-20483.patch
@@ -0,0 +1,4776 @@
+From 907da069c450ca20442839d9e95e3661a5c06b61 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 5 Aug 2018 11:51:07 +0200
+Subject: [PATCH 01/14] URL-API
+
+See header file and man pages for API. All documented API details work
+and are tested in the 1560 test case.
+
+Closes #2842
+
+Upstream-commit: fb30ac5a2d63773c529c19259754e2b306ac2e2e
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/Makefile.inc | 1 +
+ docs/libcurl/curl_url.3 | 61 ++
+ docs/libcurl/curl_url_cleanup.3 | 44 +
+ docs/libcurl/curl_url_dup.3 | 52 ++
+ docs/libcurl/curl_url_get.3 | 110 +++
+ docs/libcurl/curl_url_set.3 | 120 +++
+ docs/libcurl/symbols-in-versions | 30 +
+ include/curl/Makefile.am | 4 +-
+ include/curl/curl.h | 1 +
+ include/curl/urlapi.h | 121 +++
+ lib/Makefile.inc | 5 +-
+ lib/escape.c | 20 +-
+ lib/escape.h | 3 +-
+ lib/imap.c | 3 +-
+ lib/transfer.c | 314 +------
+ lib/url.c | 44 +-
+ lib/url.h | 2 +
+ lib/{escape.h => urlapi-int.h} | 22 +-
+ lib/urlapi.c | 1315 ++++++++++++++++++++++++++++++
+ tests/data/Makefile.inc | 2 +
+ tests/data/test1560 | 28 +
+ tests/libtest/Makefile.am | 5 +
+ tests/libtest/Makefile.inc | 4 +
+ tests/libtest/lib1560.c | 760 +++++++++++++++++
+ 24 files changed, 2716 insertions(+), 355 deletions(-)
+ create mode 100644 docs/libcurl/curl_url.3
+ create mode 100644 docs/libcurl/curl_url_cleanup.3
+ create mode 100644 docs/libcurl/curl_url_dup.3
+ create mode 100644 docs/libcurl/curl_url_get.3
+ create mode 100644 docs/libcurl/curl_url_set.3
+ create mode 100644 include/curl/urlapi.h
+ copy lib/{escape.h => urlapi-int.h} (66%)
+ create mode 100644 lib/urlapi.c
+ create mode 100644 tests/data/test1560
+ create mode 100644 tests/libtest/lib1560.c
+
+diff --git a/docs/libcurl/Makefile.inc b/docs/libcurl/Makefile.inc
+index eea48c4..955492c 100644
+--- a/docs/libcurl/Makefile.inc
++++ b/docs/libcurl/Makefile.inc
+@@ -22,4 +22,5 @@ man_MANS = curl_easy_cleanup.3 curl_easy_getinfo.3 curl_easy_init.3 \
+ curl_mime_data.3 curl_mime_data_cb.3 curl_mime_filedata.3 \
+ curl_mime_filename.3 curl_mime_subparts.3 \
+ curl_mime_type.3 curl_mime_headers.3 curl_mime_encoder.3 libcurl-env.3 \
++ curl_url.3 curl_url_cleanup.3 curl_url_dup.3 curl_url_get.3 curl_url_set.3 \
+ libcurl-security.3
+diff --git a/docs/libcurl/curl_url.3 b/docs/libcurl/curl_url.3
+new file mode 100644
+index 0000000..0a56264
+--- /dev/null
++++ b/docs/libcurl/curl_url.3
+@@ -0,0 +1,61 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH curl_url 3 "6 Aug 2018" "libcurl" "libcurl Manual"
++.SH NAME
++curl_url - returns a new CURLU handle
++.SH SYNOPSIS
++.B #include
++
++CURLU *curl_url();
++.SH EXPERIMENTAL
++The URL API is considered \fBEXPERIMENTAL\fP until further notice. Please test
++it, report bugs and help us perfect it. Once proven to be reliable, the
++experimental label will be removed.
++
++While this API is marked experimental, we reserve the right to modify the API
++slightly if we deem it necessary and it makes it notably better or easier to
++use.
++.SH DESCRIPTION
++This function will allocates and returns a pointer to a fresh CURLU handle, to
++be used for further use of the URL API.
++.SH RETURN VALUE
++Returns a \fBCURLU *\fP if successful, or NULL if out of memory.
++.SH EXAMPLE
++.nf
++ CURLUcode rc;
++ CURLU *url = curl_url();
++ rc = curl_url_set(url, CURLUPART_URL, "https://example.com", 0);
++ if(!rc) {
++ char *scheme;
++ rc = curl_url_get(url, CURLUPART_SCHEME, &scheme, 0);
++ if(!rc) {
++ printf("the scheme is %s\n", scheme);
++ curl_free(scheme);
++ }
++ curl_url_cleanup(url);
++ }
++.fi
++.SH AVAILABILITY
++Added in curl 7.63.0
++.SH "SEE ALSO"
++.BR curl_url_cleanup "(3), " curl_url_get "(3), " curl_url_set "(3), "
++.BR curl_url_dup "(3), "
+diff --git a/docs/libcurl/curl_url_cleanup.3 b/docs/libcurl/curl_url_cleanup.3
+new file mode 100644
+index 0000000..a8158b7
+--- /dev/null
++++ b/docs/libcurl/curl_url_cleanup.3
+@@ -0,0 +1,44 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH curl_url_cleanup 3 "6 Aug 2018" "libcurl" "libcurl Manual"
++.SH NAME
++curl_url_cleanup - free a CURLU handle
++.SH SYNOPSIS
++.B #include
++
++void curl_url_cleanup(CURLU *handle);
++.fi
++.SH DESCRIPTION
++Frees all the resources associated with the given CURLU handle!
++.SH RETURN VALUE
++none
++.SH EXAMPLE
++.nf
++ CURLU *url = curl_url();
++ curl_url_set(url, CURLUPART_URL, "https://example.com", 0);
++ curl_url_cleanup(url);
++.fi
++.SH AVAILABILITY
++Added in curl 7.63.0
++.SH "SEE ALSO"
++.BR curl_url_dup "(3), " curl_url "(3), " curl_url_set "(3), "
++.BR curl_url_get "(3), "
+diff --git a/docs/libcurl/curl_url_dup.3 b/docs/libcurl/curl_url_dup.3
+new file mode 100644
+index 0000000..4815dbd
+--- /dev/null
++++ b/docs/libcurl/curl_url_dup.3
+@@ -0,0 +1,52 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH curl_url_dup 3 "6 Aug 2018" "libcurl" "libcurl Manual"
++.SH NAME
++curl_url_dup - duplicate a CURLU handle
++.SH SYNOPSIS
++.B #include
++
++CURLU *curl_url_dup(CURLU *inhandle);
++.fi
++.SH DESCRIPTION
++Duplicates a given CURLU \fIinhandle\fP and all its contents and returns a
++pointer to a new CURLU handle. The new handle also needs to be freed with
++\fIcurl_url_cleanup(3)\fP.
++.SH RETURN VALUE
++Returns a new handle or NULL if out of memory.
++.SH EXAMPLE
++.nf
++ CURLUcode rc;
++ CURLU *url = curl_url();
++ CURLU *url2;
++ rc = curl_url_set(url, CURLUPART_URL, "https://example.com", 0);
++ if(!rc) {
++ url2 = curl_url_dup(url); /* clone it! */
++ curl_url_cleanup(url2);
++ }
++ curl_url_cleanup(url);
++.fi
++.SH AVAILABILITY
++Added in curl 7.63.0
++.SH "SEE ALSO"
++.BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_set "(3), "
++.BR curl_url_get "(3), "
+diff --git a/docs/libcurl/curl_url_get.3 b/docs/libcurl/curl_url_get.3
+new file mode 100644
+index 0000000..824d496
+--- /dev/null
++++ b/docs/libcurl/curl_url_get.3
+@@ -0,0 +1,110 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH curl_url_get 3 "6 Aug 2018" "libcurl" "libcurl Manual"
++.SH NAME
++curl_url_get - extract a part from a URL
++.SH SYNOPSIS
++.B #include
++
++.nf
++CURLUcode curl_url_get(CURLU *url,
++ CURLUPart what,
++ char **part,
++ unsigned int flags)
++.fi
++.SH DESCRIPTION
++Given the \fIurl\fP handle of an already parsed URL, this function lets the
++user extract individual pieces from it.
++
++The \fIwhat\fP argument should be the particular part to extract (see list
++below) and \fIpart\fP points to a 'char *' to get updated to point to a newly
++allocated string with the contents.
++
++The \fIflags\fP argument is a bitmask with individual features.
++
++The returned part pointer must be freed with \fIcurl_free(3)\fP after use.
++.SH FLAGS
++The flags argument is zero, one or more bits set in a bitmask.
++.IP CURLU_DEFAULT_PORT
++If the handle has no port stored, this option will make \fIcurl_url_get(3)\fP
++return the default port for the used scheme.
++.IP CURLU_DEFAULT_SCHEME
++If the handle has no scheme stored, this option will make
++\fIcurl_url_get(3)\fP return the default scheme instead of error.
++.IP CURLU_NO_DEFAULT_PORT
++Instructs \fIcurl_url_get(3)\fP to not return a port number if it matches the
++default port for the scheme.
++.IP CURLU_URLDECODE
++Asks \fIcurl_url_get(3)\fP to URL decode the contents before returning it. It
++will not attempt to decode the scheme, the port number or the full URL.
++
++The query component will also get plus-to-space convertion as a bonus when
++this bit is set.
++
++Note that this URL decoding is charset unaware and you will get a zero
++terminated string back with data that could be intended for a particular
++encoding.
++
++If there's any byte values lower than 32 in the decoded string, the get
++operation will return an error instead.
++.SH PARTS
++.IP CURLUPART_URL
++When asked to return the full URL, \fIcurl_url_get(3)\fP will return a
++normalized and possibly cleaned up version of what was previously parsed.
++.IP CURLUPART_SCHEME
++Scheme cannot be URL decoded on get.
++.IP CURLUPART_USER
++.IP CURLUPART_PASSWORD
++.IP CURLUPART_OPTIONS
++.IP CURLUPART_HOST
++.IP CURLUPART_PORT
++Port cannot be URL decoded on get.
++.IP CURLUPART_PATH
++.IP CURLUPART_QUERY
++The query part will also get pluses converted to space when asked to URL
++decode on get with the CURLU_URLDECODE bit.
++.IP CURLUPART_FRAGMENT
++.SH RETURN VALUE
++Returns a CURLUcode error value, which is CURLUE_OK (0) if everything went
++fine.
++
++If this function returns an error, no URL part is returned.
++.SH EXAMPLE
++.nf
++ CURLUcode rc;
++ CURLU *url = curl_url();
++ rc = curl_url_set(url, CURLUPART_URL, "https://example.com", 0);
++ if(!rc) {
++ char *scheme;
++ rc = curl_url_get(url, CURLUPART_SCHEME, &scheme, 0);
++ if(!rc) {
++ printf("the scheme is %s\n", scheme);
++ curl_free(scheme);
++ }
++ curl_url_cleanup(url);
++ }
++.fi
++.SH AVAILABILITY
++Added in curl 7.63.0
++.SH "SEE ALSO"
++.BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_set "(3), "
++.BR curl_url_dup "(3), "
+diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3
+new file mode 100644
+index 0000000..75fc0d9
+--- /dev/null
++++ b/docs/libcurl/curl_url_set.3
+@@ -0,0 +1,120 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH curl_url_set 3 "6 Aug 2018" "libcurl" "libcurl Manual"
++.SH NAME
++curl_url_set - set a part from a URL
++.SH SYNOPSIS
++.B #include
++
++CURLUcode curl_url_set(CURLU *url,
++ CURLUPart part,
++ const char *content,
++ unsigned int flags)
++.fi
++.SH DESCRIPTION
++Given the \fIurl\fP handle of an already parsed URL, this function lets the
++user set/update individual pieces of it.
++
++The \fIpart\fP argument should identify the particular URL part (see list
++below) to set or change, with \fIcontent\fP pointing to a zero terminated
++string with the new contents for that URL part. The contents should be in the
++form and encoding they'd use in a URL: URL encoded.
++
++Setting a part to a NULL pointer will effectively remove that part's contents
++from the CURLU handle.
++
++The \fIflags\fP argument is a bitmask with independent features.
++.SH PARTS
++.IP CURLUPART_URL
++Allows the full URL of the handle to be replaced. If the handle already is
++populated with a URL, the new URL can be relative to the previous.
++
++When successfully setting a new URL, relative or absolute, the handle contents
++will be replaced with the information of the newly set URL.
++
++Pass a pointer to a zero terminated string to the \fIurl\fP parameter. The
++string must point to a correctly formatted "RFC 3986+" URL or be a NULL
++pointer.
++.IP CURLUPART_SCHEME
++Scheme cannot be URL decoded on set.
++.IP CURLUPART_USER
++.IP CURLUPART_PASSWORD
++.IP CURLUPART_OPTIONS
++.IP CURLUPART_HOST
++The host name can use IDNA. The string must then be encoded as your locale
++says or UTF-8 (when winidn is used).
++.IP CURLUPART_PORT
++Port cannot be URL encoded on set.
++.IP CURLUPART_PATH
++If a path is set in the URL without a leading slash, a slash will be inserted
++automatically when this URL is read from the handle.
++.IP CURLUPART_QUERY
++The query part will also get spaces converted to pluses when asked to URL
++encode on set with the CURLU_URLENCODE bit.
++
++If used in with \fICURLU_APPENDQUERY\fP, the provided part will be appended on
++the end of the existing query - and if the previous part didn't end with an
++ampersand (&), an ampersand will be inserted before the new appended part.
++
++When \fCURLU_APPENDQUERY\fP is used together with \fICURLU_URLENCODE\fP,
++the '=' symbols will not be URL encoded.
++
++The question mark in the URL is not part of the actual query contents.
++.IP CURLUPART_FRAGMENT
++The hash sign in the URL is not part of the actual fragment contents.
++.SH FLAGS
++The flags argument is zero, one or more bits set in a bitmask.
++.IP CURLU_NON_SUPPORT_SCHEME
++If set, allows \fIcurl_url_set(3)\fP to set a non-supported scheme.
++.IP CURLU_URLENCODE
++When set, \fIcurl_url_set(3)\fP URL encodes the part on entry, except for
++scheme, port and URL.
++
++When setting the path component with URL encoding enabled, the slash character
++will be skipped.
++
++The query part gets space-to-plus conversion before the URL conversion.
++
++This URL encoding is charset unaware and will convert the input on a
++byte-by-byte manner.
++.SH RETURN VALUE
++Returns a CURLUcode error value, which is CURLUE_OK (0) if everything went
++fine.
++
++If this function returns an error, no URL part is returned.
++.SH EXAMPLE
++.nf
++ CURLUcode rc;
++ CURLU *url = curl_url();
++ rc = curl_url_set(url, CURLUPART_URL, "https://example.com", 0);
++ if(!rc) {
++ char *scheme;
++ /* change it to an FTP URL */
++ rc = curl_url_set(url, CURLUPART_SCHEME, "ftp", 0);
++ }
++ curl_url_cleanup(url);
++.fi
++.SH AVAILABILITY
++Added in curl 7.63.0
++.SH "SEE ALSO"
++.BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_get "(3), "
++.BR curl_url_dup "(3), "
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 7448b4f..c797cb7 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -718,6 +718,36 @@ CURLSSLSET_NO_BACKENDS 7.56.0
+ CURLSSLSET_OK 7.56.0
+ CURLSSLSET_TOO_LATE 7.56.0
+ CURLSSLSET_UNKNOWN_BACKEND 7.56.0
++CURLUPART_FRAGMENT 7.62.0
++CURLUPART_HOST 7.62.0
++CURLUPART_OPTIONS 7.62.0
++CURLUPART_PASSWORD 7.62.0
++CURLUPART_PATH 7.62.0
++CURLUPART_PORT 7.62.0
++CURLUPART_QUERY 7.62.0
++CURLUPART_SCHEME 7.62.0
++CURLUPART_URL 7.62.0
++CURLUPART_USER 7.62.0
++CURLUE_BAD_HANDLE 7.62.0
++CURLUE_BAD_PARTPOINTER 7.62.0
++CURLUE_BAD_PORT_NUMBER 7.62.0
++CURLUE_MALFORMED_INPUT 7.62.0
++CURLUE_NO_FRAGMENT 7.62.0
++CURLUE_NO_HOST 7.62.0
++CURLUE_NO_OPTIONS 7.62.0
++CURLUE_NO_PASSWORD 7.62.0
++CURLUE_NO_PATH 7.62.0
++CURLUE_NO_PORT 7.62.0
++CURLUE_NO_QUERY 7.62.0
++CURLUE_NO_SCHEME 7.62.0
++CURLUE_NO_USER 7.62.0
++CURLUE_OK 7.62.0
++CURLUE_OUT_OF_MEMORY 7.62.0
++CURLUE_RELATIVE 7.62.0
++CURLUE_UNKNOWN_PART 7.62.0
++CURLUE_UNSUPPORTED_SCHEME 7.62.0
++CURLUE_URLDECODE 7.62.0
++CURLUE_USER_NOT_ALLOWED 7.62.0
+ CURLUSESSL_ALL 7.17.0
+ CURLUSESSL_CONTROL 7.17.0
+ CURLUSESSL_NONE 7.17.0
+diff --git a/include/curl/Makefile.am b/include/curl/Makefile.am
+index 989d4a2..bf5f061 100644
+--- a/include/curl/Makefile.am
++++ b/include/curl/Makefile.am
+@@ -5,7 +5,7 @@
+ # | (__| |_| | _ <| |___
+ # \___|\___/|_| \_\_____|
+ #
+-# Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
++# Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ #
+ # This software is licensed as described in the file COPYING, which
+ # you should have received as part of this distribution. The terms
+@@ -21,7 +21,7 @@
+ ###########################################################################
+ pkginclude_HEADERS = \
+ curl.h curlver.h easy.h mprintf.h stdcheaders.h multi.h \
+- typecheck-gcc.h system.h
++ typecheck-gcc.h system.h urlapi.h
+
+ pkgincludedir= $(includedir)/curl
+
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 067b34d..8f473e2 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -2779,6 +2779,7 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask);
+ stuff before they can be included! */
+ #include "easy.h" /* nothing in curl is fun without the easy stuff */
+ #include "multi.h"
++#include "urlapi.h"
+
+ /* the typechecker doesn't work in C++ (yet) */
+ #if defined(__GNUC__) && defined(__GNUC_MINOR__) && \
+diff --git a/include/curl/urlapi.h b/include/curl/urlapi.h
+new file mode 100644
+index 0000000..b16cfce
+--- /dev/null
++++ b/include/curl/urlapi.h
+@@ -0,0 +1,121 @@
++#ifndef __CURL_URLAPI_H
++#define __CURL_URLAPI_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 2018, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/* the error codes for the URL API */
++typedef enum {
++ CURLUE_OK,
++ CURLUE_BAD_HANDLE, /* 1 */
++ CURLUE_BAD_PARTPOINTER, /* 2 */
++ CURLUE_MALFORMED_INPUT, /* 3 */
++ CURLUE_BAD_PORT_NUMBER, /* 4 */
++ CURLUE_UNSUPPORTED_SCHEME, /* 5 */
++ CURLUE_URLDECODE, /* 6 */
++ CURLUE_RELATIVE, /* 7 */
++ CURLUE_USER_NOT_ALLOWED, /* 8 */
++ CURLUE_UNKNOWN_PART, /* 9 */
++ CURLUE_NO_SCHEME, /* 10 */
++ CURLUE_NO_USER, /* 11 */
++ CURLUE_NO_PASSWORD, /* 12 */
++ CURLUE_NO_OPTIONS, /* 13 */
++ CURLUE_NO_HOST, /* 14 */
++ CURLUE_NO_PORT, /* 15 */
++ CURLUE_NO_PATH, /* 16 */
++ CURLUE_NO_QUERY, /* 17 */
++ CURLUE_NO_FRAGMENT, /* 18 */
++ CURLUE_OUT_OF_MEMORY /* 19 */
++} CURLUcode;
++
++typedef enum {
++ CURLUPART_URL,
++ CURLUPART_SCHEME,
++ CURLUPART_USER,
++ CURLUPART_PASSWORD,
++ CURLUPART_OPTIONS,
++ CURLUPART_HOST,
++ CURLUPART_PORT,
++ CURLUPART_PATH,
++ CURLUPART_QUERY,
++ CURLUPART_FRAGMENT
++} CURLUPart;
++
++#define CURLU_DEFAULT_PORT (1<<0) /* return default port number */
++#define CURLU_NO_DEFAULT_PORT (1<<1) /* act as if no port number was set,
++ if the port number matches the
++ default for the scheme */
++#define CURLU_DEFAULT_SCHEME (1<<2) /* return default scheme if
++ missing */
++#define CURLU_NON_SUPPORT_SCHEME (1<<3) /* allow non-supported scheme */
++#define CURLU_PATH_AS_IS (1<<4) /* leave dot sequences */
++#define CURLU_DISALLOW_USER (1<<5) /* no user+password allowed */
++#define CURLU_URLDECODE (1<<6) /* URL decode on get */
++#define CURLU_URLENCODE (1<<7) /* URL encode on set */
++#define CURLU_APPENDQUERY (1<<8) /* append a form style part */
++
++typedef struct Curl_URL CURLU;
++
++/*
++ * curl_url() creates a new CURLU handle and returns a pointer to it.
++ * Must be freed with curl_url_cleanup().
++ */
++CURL_EXTERN CURLU *curl_url(void);
++
++/*
++ * curl_url_cleanup() frees the CURLU handle and related resources used for
++ * the URL parsing. It will not free strings previously returned with the URL
++ * API.
++ */
++CURL_EXTERN void curl_url_cleanup(CURLU *handle);
++
++/*
++ * curl_url_dup() duplicates a CURLU handle and returns a new copy. The new
++ * handle must also be freed with curl_url_cleanup().
++ */
++CURL_EXTERN CURLU *curl_url_dup(CURLU *in);
++
++/*
++ * curl_url_get() extracts a specific part of the URL from a CURLU
++ * handle. Returns error code. The returned pointer MUST be freed with
++ * curl_free() afterwards.
++ */
++CURL_EXTERN CURLUcode curl_url_get(CURLU *handle, CURLUPart what,
++ char **part, unsigned int flags);
++
++/*
++ * curl_url_set() sets a specific part of the URL in a CURLU handle. Returns
++ * error code. The passed in string will be copied. Passing a NULL instead of
++ * a part string, clears that part.
++ */
++CURL_EXTERN CURLUcode curl_url_set(CURLU *handle, CURLUPart what,
++ const char *part, unsigned int flags);
++
++
++#ifdef __cplusplus
++} /* end of extern "C" */
++#endif
++
++#endif
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index 76ca6d0..1ff82e1 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -54,7 +54,8 @@ LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
+ http_ntlm.c curl_ntlm_wb.c curl_ntlm_core.c curl_sasl.c rand.c \
+ curl_multibyte.c hostcheck.c conncache.c pipeline.c dotdot.c \
+ x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \
+- mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c
++ mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \
++ urlapi.c
+
+ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+ formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \
+@@ -74,7 +75,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
+ curl_setup_once.h multihandle.h setup-vms.h pipeline.h dotdot.h \
+ x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \
+ curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \
+- curl_path.h curl_ctype.h curl_range.h psl.h
++ curl_path.h curl_ctype.h curl_range.h psl.h urlapi-int.h
+
+ LIB_RCFILES = libcurl.rc
+
+diff --git a/lib/escape.c b/lib/escape.c
+index 10774f0..afd3899 100644
+--- a/lib/escape.c
++++ b/lib/escape.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -41,7 +41,7 @@
+ its behavior is altered by the current locale.
+ See https://tools.ietf.org/html/rfc3986#section-2.3
+ */
+-static bool Curl_isunreserved(unsigned char in)
++bool Curl_isunreserved(unsigned char in)
+ {
+ switch(in) {
+ case '0': case '1': case '2': case '3': case '4':
+@@ -141,6 +141,8 @@ char *curl_easy_escape(struct Curl_easy *data, const char *string,
+ * Returns a pointer to a malloced string in *ostring with length given in
+ * *olen. If length == 0, the length is assumed to be strlen(string).
+ *
++ * 'data' can be set to NULL but then this function can't convert network
++ * data to host for non-ascii.
+ */
+ CURLcode Curl_urldecode(struct Curl_easy *data,
+ const char *string, size_t length,
+@@ -151,7 +153,7 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
+ char *ns = malloc(alloc);
+ size_t strindex = 0;
+ unsigned long hex;
+- CURLcode result;
++ CURLcode result = CURLE_OK;
+
+ if(!ns)
+ return CURLE_OUT_OF_MEMORY;
+@@ -171,11 +173,13 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
+
+ in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */
+
+- result = Curl_convert_from_network(data, (char *)&in, 1);
+- if(result) {
+- /* Curl_convert_from_network calls failf if unsuccessful */
+- free(ns);
+- return result;
++ if(data) {
++ result = Curl_convert_from_network(data, (char *)&in, 1);
++ if(result) {
++ /* Curl_convert_from_network calls failf if unsuccessful */
++ free(ns);
++ return result;
++ }
+ }
+
+ string += 2;
+diff --git a/lib/escape.h b/lib/escape.h
+index 638666f..666f1ad 100644
+--- a/lib/escape.h
++++ b/lib/escape.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -24,6 +24,7 @@
+ /* Escape and unescape URL encoding in strings. The functions return a new
+ * allocated string or NULL if an error occurred. */
+
++bool Curl_isunreserved(unsigned char in);
+ CURLcode Curl_urldecode(struct Curl_easy *data,
+ const char *string, size_t length,
+ char **ostring, size_t *olen,
+diff --git a/lib/imap.c b/lib/imap.c
+index 942fe7d..28962c1 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -159,7 +159,8 @@ const struct Curl_handler Curl_handler_imaps = {
+ ZERO_NULL, /* connection_check */
+ PORT_IMAPS, /* defport */
+ CURLPROTO_IMAPS, /* protocol */
+- PROTOPT_CLOSEACTION | PROTOPT_SSL /* flags */
++ PROTOPT_CLOSEACTION | PROTOPT_SSL | /* flags */
++ PROTOPT_URLOPTIONS
+ };
+ #endif
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 7159d5c..ecd1063 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -75,6 +75,7 @@
+ #include "http2.h"
+ #include "mime.h"
+ #include "strcase.h"
++#include "urlapi-int.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1453,311 +1454,6 @@ CURLcode Curl_posttransfer(struct Curl_easy *data)
+ return CURLE_OK;
+ }
+
+-#ifndef CURL_DISABLE_HTTP
+-/*
+- * Find the separator at the end of the host name, or the '?' in cases like
+- * http://www.url.com?id=2380
+- */
+-static const char *find_host_sep(const char *url)
+-{
+- const char *sep;
+- const char *query;
+-
+- /* Find the start of the hostname */
+- sep = strstr(url, "//");
+- if(!sep)
+- sep = url;
+- else
+- sep += 2;
+-
+- query = strchr(sep, '?');
+- sep = strchr(sep, '/');
+-
+- if(!sep)
+- sep = url + strlen(url);
+-
+- if(!query)
+- query = url + strlen(url);
+-
+- return sep < query ? sep : query;
+-}
+-
+-/*
+- * Decide in an encoding-independent manner whether a character in an
+- * URL must be escaped. The same criterion must be used in strlen_url()
+- * and strcpy_url().
+- */
+-static bool urlchar_needs_escaping(int c)
+-{
+- return !(ISCNTRL(c) || ISSPACE(c) || ISGRAPH(c));
+-}
+-
+-/*
+- * strlen_url() returns the length of the given URL if the spaces within the
+- * URL were properly URL encoded.
+- * URL encoding should be skipped for host names, otherwise IDN resolution
+- * will fail.
+- */
+-static size_t strlen_url(const char *url, bool relative)
+-{
+- const unsigned char *ptr;
+- size_t newlen = 0;
+- bool left = TRUE; /* left side of the ? */
+- const unsigned char *host_sep = (const unsigned char *) url;
+-
+- if(!relative)
+- host_sep = (const unsigned char *) find_host_sep(url);
+-
+- for(ptr = (unsigned char *)url; *ptr; ptr++) {
+-
+- if(ptr < host_sep) {
+- ++newlen;
+- continue;
+- }
+-
+- switch(*ptr) {
+- case '?':
+- left = FALSE;
+- /* FALLTHROUGH */
+- default:
+- if(urlchar_needs_escaping(*ptr))
+- newlen += 2;
+- newlen++;
+- break;
+- case ' ':
+- if(left)
+- newlen += 3;
+- else
+- newlen++;
+- break;
+- }
+- }
+- return newlen;
+-}
+-
+-/* strcpy_url() copies a url to a output buffer and URL-encodes the spaces in
+- * the source URL accordingly.
+- * URL encoding should be skipped for host names, otherwise IDN resolution
+- * will fail.
+- */
+-static void strcpy_url(char *output, const char *url, bool relative)
+-{
+- /* we must add this with whitespace-replacing */
+- bool left = TRUE;
+- const unsigned char *iptr;
+- char *optr = output;
+- const unsigned char *host_sep = (const unsigned char *) url;
+-
+- if(!relative)
+- host_sep = (const unsigned char *) find_host_sep(url);
+-
+- for(iptr = (unsigned char *)url; /* read from here */
+- *iptr; /* until zero byte */
+- iptr++) {
+-
+- if(iptr < host_sep) {
+- *optr++ = *iptr;
+- continue;
+- }
+-
+- switch(*iptr) {
+- case '?':
+- left = FALSE;
+- /* FALLTHROUGH */
+- default:
+- if(urlchar_needs_escaping(*iptr)) {
+- snprintf(optr, 4, "%%%02x", *iptr);
+- optr += 3;
+- }
+- else
+- *optr++=*iptr;
+- break;
+- case ' ':
+- if(left) {
+- *optr++='%'; /* add a '%' */
+- *optr++='2'; /* add a '2' */
+- *optr++='0'; /* add a '0' */
+- }
+- else
+- *optr++='+'; /* add a '+' here */
+- break;
+- }
+- }
+- *optr = 0; /* zero terminate output buffer */
+-
+-}
+-
+-/*
+- * Returns true if the given URL is absolute (as opposed to relative)
+- */
+-static bool is_absolute_url(const char *url)
+-{
+- char prot[16]; /* URL protocol string storage */
+- char letter; /* used for a silly sscanf */
+-
+- return (2 == sscanf(url, "%15[^?&/:]://%c", prot, &letter)) ? TRUE : FALSE;
+-}
+-
+-/*
+- * Concatenate a relative URL to a base URL making it absolute.
+- * URL-encodes any spaces.
+- * The returned pointer must be freed by the caller unless NULL
+- * (returns NULL on out of memory).
+- */
+-static char *concat_url(const char *base, const char *relurl)
+-{
+- /***
+- TRY to append this new path to the old URL
+- to the right of the host part. Oh crap, this is doomed to cause
+- problems in the future...
+- */
+- char *newest;
+- char *protsep;
+- char *pathsep;
+- size_t newlen;
+- bool host_changed = FALSE;
+-
+- const char *useurl = relurl;
+- size_t urllen;
+-
+- /* we must make our own copy of the URL to play with, as it may
+- point to read-only data */
+- char *url_clone = strdup(base);
+-
+- if(!url_clone)
+- return NULL; /* skip out of this NOW */
+-
+- /* protsep points to the start of the host name */
+- protsep = strstr(url_clone, "//");
+- if(!protsep)
+- protsep = url_clone;
+- else
+- protsep += 2; /* pass the slashes */
+-
+- if('/' != relurl[0]) {
+- int level = 0;
+-
+- /* First we need to find out if there's a ?-letter in the URL,
+- and cut it and the right-side of that off */
+- pathsep = strchr(protsep, '?');
+- if(pathsep)
+- *pathsep = 0;
+-
+- /* we have a relative path to append to the last slash if there's one
+- available, or if the new URL is just a query string (starts with a
+- '?') we append the new one at the end of the entire currently worked
+- out URL */
+- if(useurl[0] != '?') {
+- pathsep = strrchr(protsep, '/');
+- if(pathsep)
+- *pathsep = 0;
+- }
+-
+- /* Check if there's any slash after the host name, and if so, remember
+- that position instead */
+- pathsep = strchr(protsep, '/');
+- if(pathsep)
+- protsep = pathsep + 1;
+- else
+- protsep = NULL;
+-
+- /* now deal with one "./" or any amount of "../" in the newurl
+- and act accordingly */
+-
+- if((useurl[0] == '.') && (useurl[1] == '/'))
+- useurl += 2; /* just skip the "./" */
+-
+- while((useurl[0] == '.') &&
+- (useurl[1] == '.') &&
+- (useurl[2] == '/')) {
+- level++;
+- useurl += 3; /* pass the "../" */
+- }
+-
+- if(protsep) {
+- while(level--) {
+- /* cut off one more level from the right of the original URL */
+- pathsep = strrchr(protsep, '/');
+- if(pathsep)
+- *pathsep = 0;
+- else {
+- *protsep = 0;
+- break;
+- }
+- }
+- }
+- }
+- else {
+- /* We got a new absolute path for this server */
+-
+- if((relurl[0] == '/') && (relurl[1] == '/')) {
+- /* the new URL starts with //, just keep the protocol part from the
+- original one */
+- *protsep = 0;
+- useurl = &relurl[2]; /* we keep the slashes from the original, so we
+- skip the new ones */
+- host_changed = TRUE;
+- }
+- else {
+- /* cut off the original URL from the first slash, or deal with URLs
+- without slash */
+- pathsep = strchr(protsep, '/');
+- if(pathsep) {
+- /* When people use badly formatted URLs, such as
+- "http://www.url.com?dir=/home/daniel" we must not use the first
+- slash, if there's a ?-letter before it! */
+- char *sep = strchr(protsep, '?');
+- if(sep && (sep < pathsep))
+- pathsep = sep;
+- *pathsep = 0;
+- }
+- else {
+- /* There was no slash. Now, since we might be operating on a badly
+- formatted URL, such as "http://www.url.com?id=2380" which doesn't
+- use a slash separator as it is supposed to, we need to check for a
+- ?-letter as well! */
+- pathsep = strchr(protsep, '?');
+- if(pathsep)
+- *pathsep = 0;
+- }
+- }
+- }
+-
+- /* If the new part contains a space, this is a mighty stupid redirect
+- but we still make an effort to do "right". To the left of a '?'
+- letter we replace each space with %20 while it is replaced with '+'
+- on the right side of the '?' letter.
+- */
+- newlen = strlen_url(useurl, !host_changed);
+-
+- urllen = strlen(url_clone);
+-
+- newest = malloc(urllen + 1 + /* possible slash */
+- newlen + 1 /* zero byte */);
+-
+- if(!newest) {
+- free(url_clone); /* don't leak this */
+- return NULL;
+- }
+-
+- /* copy over the root url part */
+- memcpy(newest, url_clone, urllen);
+-
+- /* check if we need to append a slash */
+- if(('/' == useurl[0]) || (protsep && !*protsep) || ('?' == useurl[0]))
+- ;
+- else
+- newest[urllen++]='/';
+-
+- /* then append the new piece on the right side */
+- strcpy_url(&newest[urllen], useurl, !host_changed);
+-
+- free(url_clone);
+-
+- return newest;
+-}
+-#endif /* CURL_DISABLE_HTTP */
+-
+ /*
+ * Curl_follow() handles the URL redirect magic. Pass in the 'newurl' string
+ * as given by the remote server and set up the new URL to request.
+@@ -1809,12 +1505,12 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ }
+ }
+
+- if(!is_absolute_url(newurl)) {
++ if(!Curl_is_absolute_url(newurl, NULL, 8)) {
+ /***
+ *DANG* this is an RFC 2068 violation. The URL is supposed
+ to be absolute and this doesn't seem to be that!
+ */
+- char *absolute = concat_url(data->change.url, newurl);
++ char *absolute = Curl_concat_url(data->change.url, newurl);
+ if(!absolute)
+ return CURLE_OUT_OF_MEMORY;
+ newurl = absolute;
+@@ -1823,7 +1519,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ /* The new URL MAY contain space or high byte values, that means a mighty
+ stupid redirect URL but we still make an effort to do "right". */
+ char *newest;
+- size_t newlen = strlen_url(newurl, FALSE);
++ size_t newlen = Curl_strlen_url(newurl, FALSE);
+
+ /* This is an absolute URL, don't allow the custom port number */
+ disallowport = TRUE;
+@@ -1832,7 +1528,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ if(!newest)
+ return CURLE_OUT_OF_MEMORY;
+
+- strcpy_url(newest, newurl, FALSE); /* create a space-free URL */
++ Curl_strcpy_url(newest, newurl, FALSE); /* create a space-free URL */
+ newurl = newest; /* use this instead now */
+
+ }
+diff --git a/lib/url.c b/lib/url.c
+index dcc1ecc..4f75f11 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1939,30 +1939,37 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ return NULL;
+ }
+
+-static CURLcode findprotocol(struct Curl_easy *data,
+- struct connectdata *conn,
+- const char *protostr)
++/* returns the handdler if the given scheme is built-in */
++const struct Curl_handler *Curl_builtin_scheme(const char *scheme)
+ {
+ const struct Curl_handler * const *pp;
+ const struct Curl_handler *p;
+-
+- /* Scan protocol handler table and match against 'protostr' to set a few
+- variables based on the URL. Now that the handler may be changed later
+- when the protocol specific setup function is called. */
+- for(pp = protocols; (p = *pp) != NULL; pp++) {
+- if(strcasecompare(p->scheme, protostr)) {
++ /* Scan protocol handler table and match against 'scheme'. The handler may
++ be changed later when the protocol specific setup function is called. */
++ for(pp = protocols; (p = *pp) != NULL; pp++)
++ if(strcasecompare(p->scheme, scheme))
+ /* Protocol found in table. Check if allowed */
+- if(!(data->set.allowed_protocols & p->protocol))
+- /* nope, get out */
+- break;
++ return p;
++ return NULL; /* not found */
++}
+
+- /* it is allowed for "normal" request, now do an extra check if this is
+- the result of a redirect */
+- if(data->state.this_is_a_follow &&
+- !(data->set.redir_protocols & p->protocol))
+- /* nope, get out */
+- break;
+
++static CURLcode findprotocol(struct Curl_easy *data,
++ struct connectdata *conn,
++ const char *protostr)
++{
++ const struct Curl_handler *p = Curl_builtin_scheme(protostr);
++
++ if(p && /* Protocol found in table. Check if allowed */
++ (data->set.allowed_protocols & p->protocol)) {
++
++ /* it is allowed for "normal" request, now do an extra check if this is
++ the result of a redirect */
++ if(data->state.this_is_a_follow &&
++ !(data->set.redir_protocols & p->protocol))
++ /* nope, get out */
++ ;
++ else {
+ /* Perform setup complement if some. */
+ conn->handler = conn->given = p;
+
+@@ -1971,7 +1978,6 @@ static CURLcode findprotocol(struct Curl_easy *data,
+ }
+ }
+
+-
+ /* The protocol was not found in the table, but we don't have to assign it
+ to anything since it is already assigned to a dummy-struct in the
+ create_conn() function when the connectdata struct is allocated. */
+diff --git a/lib/url.h b/lib/url.h
+index ef3ebf0..0034f82 100644
+--- a/lib/url.h
++++ b/lib/url.h
+@@ -69,6 +69,8 @@ void Curl_getoff_all_pipelines(struct Curl_easy *data,
+
+ void Curl_close_connections(struct Curl_easy *data);
+
++const struct Curl_handler *Curl_builtin_scheme(const char *scheme);
++
+ #define CURL_DEFAULT_PROXY_PORT 1080 /* default proxy port unless specified */
+ #define CURL_DEFAULT_HTTPS_PROXY_PORT 443 /* default https proxy port unless
+ specified */
+diff --git a/lib/escape.h b/lib/urlapi-int.h
+similarity index 66%
+copy from lib/escape.h
+copy to lib/urlapi-int.h
+index 638666f..7ac09fd 100644
+--- a/lib/escape.h
++++ b/lib/urlapi-int.h
+@@ -1,5 +1,5 @@
+-#ifndef HEADER_CURL_ESCAPE_H
+-#define HEADER_CURL_ESCAPE_H
++#ifndef HEADER_CURL_URLAPI_INT_H
++#define HEADER_CURL_URLAPI_INT_H
+ /***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -21,13 +21,9 @@
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+-/* Escape and unescape URL encoding in strings. The functions return a new
+- * allocated string or NULL if an error occurred. */
+-
+-CURLcode Curl_urldecode(struct Curl_easy *data,
+- const char *string, size_t length,
+- char **ostring, size_t *olen,
+- bool reject_crlf);
+-
+-#endif /* HEADER_CURL_ESCAPE_H */
+-
++#include "curl_setup.h"
++bool Curl_is_absolute_url(const char *url, char *scheme, size_t buflen);
++char *Curl_concat_url(const char *base, const char *relurl);
++size_t Curl_strlen_url(const char *url, bool relative);
++void Curl_strcpy_url(char *output, const char *url, bool relative);
++#endif
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+new file mode 100644
+index 0000000..8287861
+--- /dev/null
++++ b/lib/urlapi.c
+@@ -0,0 +1,1315 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#include "urldata.h"
++#include "urlapi-int.h"
++#include "strcase.h"
++#include "dotdot.h"
++#include "url.h"
++#include "escape.h"
++#include "curl_ctype.h"
++
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/* Internal representation of CURLU. Point to URL-encoded strings. */
++struct Curl_URL {
++ char *scheme;
++ char *user;
++ char *password;
++ char *options; /* IMAP only? */
++ char *host;
++ char *port;
++ char *path;
++ char *query;
++ char *fragment;
++
++ char *scratch; /* temporary scratch area */
++ long portnum; /* the numerical version */
++};
++
++#define DEFAULT_SCHEME "https"
++
++/* scheme is not URL encoded, the longest libcurl supported ones are 6
++ letters */
++#define MAX_SCHEME_LEN 8
++
++static void free_urlhandle(struct Curl_URL *u)
++{
++ free(u->scheme);
++ free(u->user);
++ free(u->password);
++ free(u->options);
++ free(u->host);
++ free(u->port);
++ free(u->path);
++ free(u->query);
++ free(u->fragment);
++ free(u->scratch);
++}
++
++/* move the full contents of one handle onto another and
++ free the original */
++static void mv_urlhandle(struct Curl_URL *from,
++ struct Curl_URL *to)
++{
++ free_urlhandle(to);
++ *to = *from;
++ free(from);
++}
++
++/*
++ * Find the separator at the end of the host name, or the '?' in cases like
++ * http://www.url.com?id=2380
++ */
++static const char *find_host_sep(const char *url)
++{
++ const char *sep;
++ const char *query;
++
++ /* Find the start of the hostname */
++ sep = strstr(url, "//");
++ if(!sep)
++ sep = url;
++ else
++ sep += 2;
++
++ query = strchr(sep, '?');
++ sep = strchr(sep, '/');
++
++ if(!sep)
++ sep = url + strlen(url);
++
++ if(!query)
++ query = url + strlen(url);
++
++ return sep < query ? sep : query;
++}
++
++/*
++ * Decide in an encoding-independent manner whether a character in an
++ * URL must be escaped. The same criterion must be used in strlen_url()
++ * and strcpy_url().
++ */
++static bool urlchar_needs_escaping(int c)
++{
++ return !(ISCNTRL(c) || ISSPACE(c) || ISGRAPH(c));
++}
++
++/*
++ * strlen_url() returns the length of the given URL if the spaces within the
++ * URL were properly URL encoded.
++ * URL encoding should be skipped for host names, otherwise IDN resolution
++ * will fail.
++ */
++size_t Curl_strlen_url(const char *url, bool relative)
++{
++ const unsigned char *ptr;
++ size_t newlen = 0;
++ bool left = TRUE; /* left side of the ? */
++ const unsigned char *host_sep = (const unsigned char *) url;
++
++ if(!relative)
++ host_sep = (const unsigned char *) find_host_sep(url);
++
++ for(ptr = (unsigned char *)url; *ptr; ptr++) {
++
++ if(ptr < host_sep) {
++ ++newlen;
++ continue;
++ }
++
++ switch(*ptr) {
++ case '?':
++ left = FALSE;
++ /* FALLTHROUGH */
++ default:
++ if(urlchar_needs_escaping(*ptr))
++ newlen += 2;
++ newlen++;
++ break;
++ case ' ':
++ if(left)
++ newlen += 3;
++ else
++ newlen++;
++ break;
++ }
++ }
++ return newlen;
++}
++
++/* strcpy_url() copies a url to a output buffer and URL-encodes the spaces in
++ * the source URL accordingly.
++ * URL encoding should be skipped for host names, otherwise IDN resolution
++ * will fail.
++ */
++void Curl_strcpy_url(char *output, const char *url, bool relative)
++{
++ /* we must add this with whitespace-replacing */
++ bool left = TRUE;
++ const unsigned char *iptr;
++ char *optr = output;
++ const unsigned char *host_sep = (const unsigned char *) url;
++
++ if(!relative)
++ host_sep = (const unsigned char *) find_host_sep(url);
++
++ for(iptr = (unsigned char *)url; /* read from here */
++ *iptr; /* until zero byte */
++ iptr++) {
++
++ if(iptr < host_sep) {
++ *optr++ = *iptr;
++ continue;
++ }
++
++ switch(*iptr) {
++ case '?':
++ left = FALSE;
++ /* FALLTHROUGH */
++ default:
++ if(urlchar_needs_escaping(*iptr)) {
++ snprintf(optr, 4, "%%%02x", *iptr);
++ optr += 3;
++ }
++ else
++ *optr++=*iptr;
++ break;
++ case ' ':
++ if(left) {
++ *optr++='%'; /* add a '%' */
++ *optr++='2'; /* add a '2' */
++ *optr++='0'; /* add a '0' */
++ }
++ else
++ *optr++='+'; /* add a '+' here */
++ break;
++ }
++ }
++ *optr = 0; /* zero terminate output buffer */
++
++}
++
++/*
++ * Returns true if the given URL is absolute (as opposed to relative) within
++ * the buffer size. Returns the scheme in the buffer if TRUE and 'buf' is
++ * non-NULL.
++ */
++bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen)
++{
++ size_t i;
++ for(i = 0; i < buflen && url[i]; ++i) {
++ char s = url[i];
++ if(s == ':') {
++ if(buf)
++ buf[i] = 0;
++ return TRUE;
++ }
++ /* RFC 3986 3.1 explains:
++ scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
++ */
++ else if(ISALNUM(s) || (s == '+') || (s == '-') || (s == '.') ) {
++ if(buf)
++ buf[i] = (char)TOLOWER(s);
++ }
++ else
++ break;
++ }
++ return FALSE;
++}
++
++/*
++ * Concatenate a relative URL to a base URL making it absolute.
++ * URL-encodes any spaces.
++ * The returned pointer must be freed by the caller unless NULL
++ * (returns NULL on out of memory).
++ */
++char *Curl_concat_url(const char *base, const char *relurl)
++{
++ /***
++ TRY to append this new path to the old URL
++ to the right of the host part. Oh crap, this is doomed to cause
++ problems in the future...
++ */
++ char *newest;
++ char *protsep;
++ char *pathsep;
++ size_t newlen;
++ bool host_changed = FALSE;
++
++ const char *useurl = relurl;
++ size_t urllen;
++
++ /* we must make our own copy of the URL to play with, as it may
++ point to read-only data */
++ char *url_clone = strdup(base);
++
++ if(!url_clone)
++ return NULL; /* skip out of this NOW */
++
++ /* protsep points to the start of the host name */
++ protsep = strstr(url_clone, "//");
++ if(!protsep)
++ protsep = url_clone;
++ else
++ protsep += 2; /* pass the slashes */
++
++ if('/' != relurl[0]) {
++ int level = 0;
++
++ /* First we need to find out if there's a ?-letter in the URL,
++ and cut it and the right-side of that off */
++ pathsep = strchr(protsep, '?');
++ if(pathsep)
++ *pathsep = 0;
++
++ /* we have a relative path to append to the last slash if there's one
++ available, or if the new URL is just a query string (starts with a
++ '?') we append the new one at the end of the entire currently worked
++ out URL */
++ if(useurl[0] != '?') {
++ pathsep = strrchr(protsep, '/');
++ if(pathsep)
++ *pathsep = 0;
++ }
++
++ /* Check if there's any slash after the host name, and if so, remember
++ that position instead */
++ pathsep = strchr(protsep, '/');
++ if(pathsep)
++ protsep = pathsep + 1;
++ else
++ protsep = NULL;
++
++ /* now deal with one "./" or any amount of "../" in the newurl
++ and act accordingly */
++
++ if((useurl[0] == '.') && (useurl[1] == '/'))
++ useurl += 2; /* just skip the "./" */
++
++ while((useurl[0] == '.') &&
++ (useurl[1] == '.') &&
++ (useurl[2] == '/')) {
++ level++;
++ useurl += 3; /* pass the "../" */
++ }
++
++ if(protsep) {
++ while(level--) {
++ /* cut off one more level from the right of the original URL */
++ pathsep = strrchr(protsep, '/');
++ if(pathsep)
++ *pathsep = 0;
++ else {
++ *protsep = 0;
++ break;
++ }
++ }
++ }
++ }
++ else {
++ /* We got a new absolute path for this server */
++
++ if((relurl[0] == '/') && (relurl[1] == '/')) {
++ /* the new URL starts with //, just keep the protocol part from the
++ original one */
++ *protsep = 0;
++ useurl = &relurl[2]; /* we keep the slashes from the original, so we
++ skip the new ones */
++ host_changed = TRUE;
++ }
++ else {
++ /* cut off the original URL from the first slash, or deal with URLs
++ without slash */
++ pathsep = strchr(protsep, '/');
++ if(pathsep) {
++ /* When people use badly formatted URLs, such as
++ "http://www.url.com?dir=/home/daniel" we must not use the first
++ slash, if there's a ?-letter before it! */
++ char *sep = strchr(protsep, '?');
++ if(sep && (sep < pathsep))
++ pathsep = sep;
++ *pathsep = 0;
++ }
++ else {
++ /* There was no slash. Now, since we might be operating on a badly
++ formatted URL, such as "http://www.url.com?id=2380" which doesn't
++ use a slash separator as it is supposed to, we need to check for a
++ ?-letter as well! */
++ pathsep = strchr(protsep, '?');
++ if(pathsep)
++ *pathsep = 0;
++ }
++ }
++ }
++
++ /* If the new part contains a space, this is a mighty stupid redirect
++ but we still make an effort to do "right". To the left of a '?'
++ letter we replace each space with %20 while it is replaced with '+'
++ on the right side of the '?' letter.
++ */
++ newlen = Curl_strlen_url(useurl, !host_changed);
++
++ urllen = strlen(url_clone);
++
++ newest = malloc(urllen + 1 + /* possible slash */
++ newlen + 1 /* zero byte */);
++
++ if(!newest) {
++ free(url_clone); /* don't leak this */
++ return NULL;
++ }
++
++ /* copy over the root url part */
++ memcpy(newest, url_clone, urllen);
++
++ /* check if we need to append a slash */
++ if(('/' == useurl[0]) || (protsep && !*protsep) || ('?' == useurl[0]))
++ ;
++ else
++ newest[urllen++]='/';
++
++ /* then append the new piece on the right side */
++ Curl_strcpy_url(&newest[urllen], useurl, !host_changed);
++
++ free(url_clone);
++
++ return newest;
++}
++
++/*
++ * parse_hostname_login()
++ *
++ * Parse the login details (user name, password and options) from the URL and
++ * strip them out of the host name
++ *
++ */
++static CURLUcode parse_hostname_login(struct Curl_URL *u,
++ const struct Curl_handler *h,
++ char **hostname,
++ unsigned int flags)
++{
++ CURLUcode result = CURLUE_OK;
++ CURLcode ccode;
++ char *userp = NULL;
++ char *passwdp = NULL;
++ char *optionsp = NULL;
++
++ /* At this point, we're hoping all the other special cases have
++ * been taken care of, so conn->host.name is at most
++ * [user[:password][;options]]@]hostname
++ *
++ * We need somewhere to put the embedded details, so do that first.
++ */
++
++ char *ptr = strchr(*hostname, '@');
++ char *login = *hostname;
++
++ if(!ptr)
++ goto out;
++
++ /* We will now try to extract the
++ * possible login information in a string like:
++ * ftp://user:password@ftp.my.site:8021/README */
++ *hostname = ++ptr;
++
++ /* We could use the login information in the URL so extract it. Only parse
++ options if the handler says we should. */
++ ccode = Curl_parse_login_details(login, ptr - login - 1,
++ &userp, &passwdp,
++ h->flags & PROTOPT_URLOPTIONS ?
++ &optionsp:NULL);
++ if(ccode) {
++ result = CURLUE_MALFORMED_INPUT;
++ goto out;
++ }
++
++ if(userp) {
++ if(flags & CURLU_DISALLOW_USER) {
++ /* Option DISALLOW_USER is set and url contains username. */
++ result = CURLUE_USER_NOT_ALLOWED;
++ goto out;
++ }
++
++ u->user = userp;
++ }
++
++ if(passwdp)
++ u->password = passwdp;
++
++ if(optionsp)
++ u->options = optionsp;
++
++ return CURLUE_OK;
++ out:
++
++ free(userp);
++ free(passwdp);
++ free(optionsp);
++
++ return result;
++}
++
++static CURLUcode parse_port(struct Curl_URL *u, char *hostname)
++{
++ char *portptr;
++ char endbracket;
++ int len;
++
++ if((1 == sscanf(hostname, "[%*45[0123456789abcdefABCDEF:.]%c%n",
++ &endbracket, &len)) &&
++ (']' == endbracket)) {
++ /* this is a RFC2732-style specified IP-address */
++ portptr = &hostname[len];
++ if (*portptr != ':')
++ return CURLUE_MALFORMED_INPUT;
++ }
++ else
++ portptr = strchr(hostname, ':');
++
++ if(portptr) {
++ char *rest;
++ long port;
++ char portbuf[7];
++
++ if(!ISDIGIT(portptr[1]))
++ return CURLUE_BAD_PORT_NUMBER;
++
++ port = strtol(portptr + 1, &rest, 10); /* Port number must be decimal */
++
++ if((port <= 0) || (port > 0xffff))
++ /* Single unix standard says port numbers are 16 bits long, but we don't
++ treat port zero as OK. */
++ return CURLUE_BAD_PORT_NUMBER;
++
++ if(rest[0])
++ return CURLUE_BAD_PORT_NUMBER;
++
++ if(rest != &portptr[1]) {
++ *portptr++ = '\0'; /* cut off the name there */
++ *rest = 0;
++ /* generate a new to get rid of leading zeroes etc */
++ snprintf(portbuf, sizeof(portbuf), "%ld", port);
++ u->portnum = port;
++ u->port = strdup(portbuf);
++ if(!u->port)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ else {
++ /* Browser behavior adaptation. If there's a colon with no digits after,
++ just cut off the name there which makes us ignore the colon and just
++ use the default port. Firefox and Chrome both do that. */
++ *portptr = '\0';
++ }
++ }
++
++ return CURLUE_OK;
++}
++
++/* scan for byte values < 31 or 127 */
++static CURLUcode junkscan(char *part)
++{
++ char badbytes[]={
++ /* */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++ 0x7f,
++ 0x00 /* zero terminate */
++ };
++ if(part) {
++ size_t n = strlen(part);
++ size_t nfine = strcspn(part, badbytes);
++ if(nfine != n)
++ /* since we don't know which part is scanned, return a generic error
++ code */
++ return CURLUE_MALFORMED_INPUT;
++ }
++ return CURLUE_OK;
++}
++
++static CURLUcode hostname_check(char *hostname, unsigned int flags)
++{
++ const char *l; /* accepted characters */
++ size_t len;
++ size_t hlen = strlen(hostname);
++ (void)flags;
++
++ if(hostname[0] == '[') {
++ hostname++;
++ l = "0123456789abcdefABCDEF::.";
++ hlen -= 2;
++ }
++ else /* % for URL escaped letters */
++ l = "0123456789abcdefghijklimnopqrstuvwxyz-_.ABCDEFGHIJKLIMNOPQRSTUVWXYZ%";
++
++ len = strspn(hostname, l);
++ if(hlen != len)
++ /* hostname with bad content */
++ return CURLUE_MALFORMED_INPUT;
++
++ return CURLUE_OK;
++}
++
++#define HOSTNAME_END(x) (((x) == '/') || ((x) == '?') || ((x) == '#'))
++
++static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
++{
++ char *path;
++ bool path_alloced = FALSE;
++ char *hostname;
++ char *query = NULL;
++ char *fragment = NULL;
++ CURLUcode result;
++ bool url_has_scheme = FALSE;
++ char schemebuf[MAX_SCHEME_LEN];
++ char *schemep;
++ size_t schemelen = 0;
++ size_t urllen;
++ const struct Curl_handler *h = NULL;
++
++ if(!url)
++ return CURLUE_MALFORMED_INPUT;
++
++ /*************************************************************
++ * Parse the URL.
++ ************************************************************/
++ /* allocate scratch area */
++ urllen = strlen(url);
++ path = u->scratch = malloc(urllen * 2 + 2);
++ if(!path)
++ return CURLUE_OUT_OF_MEMORY;
++
++ hostname = &path[urllen + 1];
++ hostname[0] = 0;
++
++ /* MSDOS/Windows style drive prefix, eg c: in c:foo */
++#define STARTS_WITH_DRIVE_PREFIX(str) \
++ ((('a' <= str[0] && str[0] <= 'z') || \
++ ('A' <= str[0] && str[0] <= 'Z')) && \
++ (str[1] == ':'))
++
++ /* MSDOS/Windows style drive prefix, optionally with
++ * a '|' instead of ':', followed by a slash or NUL */
++#define STARTS_WITH_URL_DRIVE_PREFIX(str) \
++ ((('a' <= (str)[0] && (str)[0] <= 'z') || \
++ ('A' <= (str)[0] && (str)[0] <= 'Z')) && \
++ ((str)[1] == ':' || (str)[1] == '|') && \
++ ((str)[2] == '/' || (str)[2] == '\\' || (str)[2] == 0))
++
++ if(Curl_is_absolute_url(url, schemebuf, sizeof(schemebuf))) {
++ url_has_scheme = TRUE;
++ schemelen = strlen(schemebuf);
++ }
++
++ /* handle the file: scheme */
++ if(url_has_scheme && strcasecompare(schemebuf, "file")) {
++ /* path has been allocated large anough to hold this */
++ strcpy(path, &url[5]);
++
++ hostname = NULL; /* no host for file: URLs */
++ u->scheme = strdup("file");
++ if(!u->scheme)
++ return CURLUE_OUT_OF_MEMORY;
++
++ /* Extra handling URLs with an authority component (i.e. that start with
++ * "file://")
++ *
++ * We allow omitted hostname (e.g. file:/) -- valid according to
++ * RFC 8089, but not the (current) WHAT-WG URL spec.
++ */
++ if(path[0] == '/' && path[1] == '/') {
++ /* swallow the two slashes */
++ char *ptr = &path[2];
++
++ /*
++ * According to RFC 8089, a file: URL can be reliably dereferenced if:
++ *
++ * o it has no/blank hostname, or
++ *
++ * o the hostname matches "localhost" (case-insensitively), or
++ *
++ * o the hostname is a FQDN that resolves to this machine.
++ *
++ * For brevity, we only consider URLs with empty, "localhost", or
++ * "127.0.0.1" hostnames as local.
++ *
++ * Additionally, there is an exception for URLs with a Windows drive
++ * letter in the authority (which was accidentally omitted from RFC 8089
++ * Appendix E, but believe me, it was meant to be there. --MK)
++ */
++ if(ptr[0] != '/' && !STARTS_WITH_URL_DRIVE_PREFIX(ptr)) {
++ /* the URL includes a host name, it must match "localhost" or
++ "127.0.0.1" to be valid */
++ if(!checkprefix("localhost/", ptr) &&
++ !checkprefix("127.0.0.1/", ptr)) {
++ /* Invalid file://hostname/, expected localhost or 127.0.0.1 or
++ none */
++ return CURLUE_MALFORMED_INPUT;
++ }
++ ptr += 9; /* now points to the slash after the host */
++ }
++
++ path = ptr;
++ }
++
++#if !defined(MSDOS) && !defined(WIN32) && !defined(__CYGWIN__)
++ /* Don't allow Windows drive letters when not in Windows.
++ * This catches both "file:/c:" and "file:c:" */
++ if(('/' == path[0] && STARTS_WITH_URL_DRIVE_PREFIX(&path[1])) ||
++ STARTS_WITH_URL_DRIVE_PREFIX(path)) {
++ /* File drive letters are only accepted in MSDOS/Windows */
++ return CURLUE_MALFORMED_INPUT;
++ }
++#else
++ /* If the path starts with a slash and a drive letter, ditch the slash */
++ if('/' == path[0] && STARTS_WITH_URL_DRIVE_PREFIX(&path[1])) {
++ /* This cannot be done with strcpy, as the memory chunks overlap! */
++ memmove(path, &path[1], strlen(&path[1]) + 1);
++ }
++#endif
++
++ }
++ else {
++ /* clear path */
++ const char *p;
++ const char *hostp;
++ size_t len;
++ path[0] = 0;
++
++ if(url_has_scheme) {
++ int i = 0;
++ p = &url[schemelen + 1];
++ while(p && (*p == '/') && (i < 4)) {
++ p++;
++ i++;
++ }
++ if((i < 1) || (i>3))
++ /* less than one or more than three slashes */
++ return CURLUE_MALFORMED_INPUT;
++
++ schemep = schemebuf;
++ if(!Curl_builtin_scheme(schemep) &&
++ !(flags & CURLU_NON_SUPPORT_SCHEME))
++ return CURLUE_UNSUPPORTED_SCHEME;
++
++ if(junkscan(schemep))
++ return CURLUE_MALFORMED_INPUT;
++ }
++ else {
++ /* no scheme! */
++
++ if(!(flags & CURLU_DEFAULT_SCHEME))
++ return CURLUE_MALFORMED_INPUT;
++ schemep = (char *) DEFAULT_SCHEME;
++
++ /*
++ * The URL was badly formatted, let's try without scheme specified.
++ */
++ p = url;
++ }
++ hostp = p; /* host name starts here */
++
++ while(*p && !HOSTNAME_END(*p)) /* find end of host name */
++ p++;
++
++ len = p - hostp;
++ if(!len)
++ return CURLUE_MALFORMED_INPUT;
++
++ memcpy(hostname, hostp, len);
++ hostname[len] = 0;
++
++ len = strlen(p);
++ memcpy(path, p, len);
++ path[len] = 0;
++
++ u->scheme = strdup(schemep);
++ if(!u->scheme)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++
++ /* if this is a known scheme, get some details */
++ h = Curl_builtin_scheme(u->scheme);
++
++ if(junkscan(path))
++ return CURLUE_MALFORMED_INPUT;
++
++ query = strchr(path, '?');
++ if(query)
++ *query++ = 0;
++
++ fragment = strchr(query?query:path, '#');
++ if(fragment)
++ *fragment++ = 0;
++
++ if(!path[0])
++ /* if there's no path set, unset */
++ path = NULL;
++ else if(!(flags & CURLU_PATH_AS_IS)) {
++ /* sanitise paths and remove ../ and ./ sequences according to RFC3986 */
++ char *newp = Curl_dedotdotify(path);
++ if(!newp)
++ return CURLUE_OUT_OF_MEMORY;
++
++ if(strcmp(newp, path)) {
++ /* if we got a new version */
++ path = newp;
++ path_alloced = TRUE;
++ }
++ else
++ free(newp);
++ }
++ if(path) {
++ u->path = path_alloced?path:strdup(path);
++ if(!u->path)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++
++ if(hostname) {
++ /*
++ * Parse the login details and strip them out of the host name.
++ */
++ if(junkscan(hostname))
++ return CURLUE_MALFORMED_INPUT;
++
++ result = parse_hostname_login(u, h, &hostname, flags);
++ if(result)
++ return result;
++
++ result = parse_port(u, hostname);
++ if(result)
++ return result;
++
++ result = hostname_check(hostname, flags);
++ if(result)
++ return result;
++
++ u->host = strdup(hostname);
++ if(!u->host)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++
++ if(query && query[0]) {
++ u->query = strdup(query);
++ if(!u->query)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ if(fragment && fragment[0]) {
++ u->fragment = strdup(fragment);
++ if(!u->fragment)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++
++ free(u->scratch);
++ u->scratch = NULL;
++
++ return CURLUE_OK;
++}
++
++/*
++ * Parse the URL and set the relevant members of the Curl_URL struct.
++ */
++static CURLUcode parseurl(const char *url, CURLU *u, unsigned int flags)
++{
++ CURLUcode result = seturl(url, u, flags);
++ if(result) {
++ free_urlhandle(u);
++ memset(u, 0, sizeof(struct Curl_URL));
++ }
++ return result;
++}
++
++/*
++ */
++CURLU *curl_url(void)
++{
++ return calloc(sizeof(struct Curl_URL), 1);
++}
++
++void curl_url_cleanup(CURLU *u)
++{
++ if(u) {
++ free_urlhandle(u);
++ free(u);
++ }
++}
++
++#define DUP(dest, src, name) \
++ if(src->name) { \
++ dest->name = strdup(src->name); \
++ if(!dest->name) \
++ goto fail; \
++ }
++
++CURLU *curl_url_dup(CURLU *in)
++{
++ struct Curl_URL *u = calloc(sizeof(struct Curl_URL), 1);
++ if(u) {
++ DUP(u, in, scheme);
++ DUP(u, in, user);
++ DUP(u, in, password);
++ DUP(u, in, options);
++ DUP(u, in, host);
++ DUP(u, in, port);
++ DUP(u, in, path);
++ DUP(u, in, query);
++ DUP(u, in, fragment);
++ u->portnum = in->portnum;
++ }
++ return u;
++ fail:
++ curl_url_cleanup(u);
++ return NULL;
++}
++
++CURLUcode curl_url_get(CURLU *u, CURLUPart what,
++ char **part, unsigned int flags)
++{
++ char *ptr;
++ CURLUcode ifmissing = CURLUE_UNKNOWN_PART;
++ char portbuf[7];
++ bool urldecode = (flags & CURLU_URLDECODE)?1:0;
++ bool plusdecode = FALSE;
++ (void)flags;
++ if(!u)
++ return CURLUE_BAD_HANDLE;
++ if(!part)
++ return CURLUE_BAD_PARTPOINTER;
++ *part = NULL;
++
++ switch(what) {
++ case CURLUPART_SCHEME:
++ ptr = u->scheme;
++ ifmissing = CURLUE_NO_SCHEME;
++ urldecode = FALSE; /* never for schemes */
++ break;
++ case CURLUPART_USER:
++ ptr = u->user;
++ ifmissing = CURLUE_NO_USER;
++ break;
++ case CURLUPART_PASSWORD:
++ ptr = u->password;
++ ifmissing = CURLUE_NO_PASSWORD;
++ break;
++ case CURLUPART_OPTIONS:
++ ptr = u->options;
++ ifmissing = CURLUE_NO_OPTIONS;
++ break;
++ case CURLUPART_HOST:
++ ptr = u->host;
++ ifmissing = CURLUE_NO_HOST;
++ break;
++ case CURLUPART_PORT:
++ ptr = u->port;
++ ifmissing = CURLUE_NO_PORT;
++ urldecode = FALSE; /* never for port */
++ if(!ptr && (flags & CURLU_DEFAULT_PORT) && u->scheme) {
++ /* there's no stored port number, but asked to deliver
++ a default one for the scheme */
++ const struct Curl_handler *h =
++ Curl_builtin_scheme(u->scheme);
++ if(h) {
++ snprintf(portbuf, sizeof(portbuf), "%ld", h->defport);
++ ptr = portbuf;
++ }
++ }
++ else if(ptr && u->scheme) {
++ /* there is a stored port number, but ask to inhibit if
++ it matches the default one for the scheme */
++ const struct Curl_handler *h =
++ Curl_builtin_scheme(u->scheme);
++ if(h && (h->defport == u->portnum) &&
++ (flags & CURLU_NO_DEFAULT_PORT))
++ ptr = NULL;
++ }
++ break;
++ case CURLUPART_PATH:
++ ptr = u->path;
++ if(!ptr) {
++ ptr = u->path = strdup("/");
++ if(!u->path)
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ break;
++ case CURLUPART_QUERY:
++ ptr = u->query;
++ ifmissing = CURLUE_NO_QUERY;
++ plusdecode = urldecode;
++ break;
++ case CURLUPART_FRAGMENT:
++ ptr = u->fragment;
++ ifmissing = CURLUE_NO_FRAGMENT;
++ break;
++ case CURLUPART_URL: {
++ char *url;
++ char *scheme;
++ char *options = u->options;
++ char *port = u->port;
++ urldecode = FALSE; /* not for the whole thing */
++ if(u->scheme && strcasecompare("file", u->scheme)) {
++ url = aprintf("file://%s%s%s",
++ u->path,
++ u->fragment? "#": "",
++ u->fragment? u->fragment : "");
++ }
++ else if(!u->host)
++ return CURLUE_NO_HOST;
++ else {
++ const struct Curl_handler *h = NULL;
++ if(u->scheme)
++ scheme = u->scheme;
++ else if(flags & CURLU_DEFAULT_SCHEME)
++ scheme = (char *) DEFAULT_SCHEME;
++ else
++ return CURLUE_NO_SCHEME;
++
++ if(scheme) {
++ h = Curl_builtin_scheme(scheme);
++ if(!port && (flags & CURLU_DEFAULT_PORT)) {
++ /* there's no stored port number, but asked to deliver
++ a default one for the scheme */
++ if(h) {
++ snprintf(portbuf, sizeof(portbuf), "%ld", h->defport);
++ port = portbuf;
++ }
++ }
++ else if(port) {
++ /* there is a stored port number, but asked to inhibit if it matches
++ the default one for the scheme */
++ if(h && (h->defport == u->portnum) &&
++ (flags & CURLU_NO_DEFAULT_PORT))
++ port = NULL;
++ }
++ }
++ if(h && !(h->flags & PROTOPT_URLOPTIONS))
++ options = NULL;
++
++ url = aprintf("%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
++ scheme,
++ u->user ? u->user : "",
++ u->password ? ":": "",
++ u->password ? u->password : "",
++ options ? ";" : "",
++ options ? options : "",
++ (u->user || u->password || options) ? "@": "",
++ u->host,
++ port ? ":": "",
++ port ? port : "",
++ (u->path && (u->path[0] != '/')) ? "/": "",
++ u->path ? u->path : "/",
++ u->query? "?": "",
++ u->query? u->query : "",
++ u->fragment? "#": "",
++ u->fragment? u->fragment : "");
++ }
++ if(!url)
++ return CURLUE_OUT_OF_MEMORY;
++ *part = url;
++ return CURLUE_OK;
++ break;
++ }
++ default:
++ ptr = NULL;
++ }
++ if(ptr) {
++ *part = strdup(ptr);
++ if(!*part)
++ return CURLUE_OUT_OF_MEMORY;
++ if(plusdecode) {
++ /* convert + to space */
++ char *plus;
++ for(plus = *part; *plus; ++plus) {
++ if(*plus == '+')
++ *plus = ' ';
++ }
++ }
++ if(urldecode) {
++ char *decoded;
++ size_t dlen;
++ CURLcode res = Curl_urldecode(NULL, *part, 0, &decoded, &dlen, TRUE);
++ free(*part);
++ if(res) {
++ *part = NULL;
++ return CURLUE_URLDECODE;
++ }
++ *part = decoded;
++ }
++ return CURLUE_OK;
++ }
++ else
++ return ifmissing;
++}
++
++CURLUcode curl_url_set(CURLU *u, CURLUPart what,
++ const char *part, unsigned int flags)
++{
++ char **storep = NULL;
++ long port = 0;
++ bool urlencode = (flags & CURLU_URLENCODE)? 1 : 0;
++ bool plusencode = FALSE;
++ bool urlskipslash = FALSE;
++ bool appendquery = FALSE;
++
++ if(!u)
++ return CURLUE_BAD_HANDLE;
++ if(!part) {
++ /* setting a part to NULL clears it */
++ switch(what) {
++ case CURLUPART_URL:
++ break;
++ case CURLUPART_SCHEME:
++ storep = &u->scheme;
++ break;
++ case CURLUPART_USER:
++ storep = &u->user;
++ break;
++ case CURLUPART_PASSWORD:
++ storep = &u->password;
++ break;
++ case CURLUPART_OPTIONS:
++ storep = &u->options;
++ break;
++ case CURLUPART_HOST:
++ storep = &u->host;
++ break;
++ case CURLUPART_PORT:
++ storep = &u->port;
++ break;
++ case CURLUPART_PATH:
++ storep = &u->path;
++ break;
++ case CURLUPART_QUERY:
++ storep = &u->query;
++ break;
++ case CURLUPART_FRAGMENT:
++ storep = &u->fragment;
++ break;
++ default:
++ return CURLUE_UNKNOWN_PART;
++ }
++ if(storep && *storep) {
++ free(*storep);
++ *storep = NULL;
++ }
++ return CURLUE_OK;
++ }
++
++ switch(what) {
++ case CURLUPART_SCHEME:
++ if(!(flags & CURLU_NON_SUPPORT_SCHEME) &&
++ /* verify that it is a fine scheme */
++ !Curl_builtin_scheme(part))
++ return CURLUE_UNSUPPORTED_SCHEME;
++ storep = &u->scheme;
++ urlencode = FALSE; /* never */
++ break;
++ case CURLUPART_USER:
++ storep = &u->user;
++ break;
++ case CURLUPART_PASSWORD:
++ storep = &u->password;
++ break;
++ case CURLUPART_OPTIONS:
++ storep = &u->options;
++ break;
++ case CURLUPART_HOST:
++ storep = &u->host;
++ break;
++ case CURLUPART_PORT:
++ urlencode = FALSE; /* never */
++ port = strtol(part, NULL, 10); /* Port number must be decimal */
++ if((port <= 0) || (port > 0xffff))
++ return CURLUE_BAD_PORT_NUMBER;
++ storep = &u->port;
++ break;
++ case CURLUPART_PATH:
++ urlskipslash = TRUE;
++ storep = &u->path;
++ break;
++ case CURLUPART_QUERY:
++ plusencode = urlencode;
++ appendquery = (flags & CURLU_APPENDQUERY)?1:0;
++ storep = &u->query;
++ break;
++ case CURLUPART_FRAGMENT:
++ storep = &u->fragment;
++ break;
++ case CURLUPART_URL: {
++ /*
++ * Allow a new URL to replace the existing (if any) contents.
++ *
++ * If the existing contents is enough for a URL, allow a relative URL to
++ * replace it.
++ */
++ CURLUcode result;
++ char *oldurl;
++ char *redired_url;
++ CURLU *handle2;
++
++ if(Curl_is_absolute_url(part, NULL, MAX_SCHEME_LEN)) {
++ handle2 = curl_url();
++ if(!handle2)
++ return CURLUE_OUT_OF_MEMORY;
++ result = parseurl(part, handle2, flags);
++ if(!result)
++ mv_urlhandle(handle2, u);
++ else
++ curl_url_cleanup(handle2);
++ return result;
++ }
++ /* extract the full "old" URL to do the redirect on */
++ result = curl_url_get(u, CURLUPART_URL, &oldurl, flags);
++ if(result) {
++ /* couldn't get the old URL, just use the new! */
++ handle2 = curl_url();
++ if(!handle2)
++ return CURLUE_OUT_OF_MEMORY;
++ result = parseurl(part, handle2, flags);
++ if(!result)
++ mv_urlhandle(handle2, u);
++ else
++ curl_url_cleanup(handle2);
++ return result;
++ }
++
++ /* apply the relative part to create a new URL */
++ redired_url = Curl_concat_url(oldurl, part);
++ free(oldurl);
++ if(!redired_url)
++ return CURLUE_OUT_OF_MEMORY;
++
++ /* now parse the new URL */
++ handle2 = curl_url();
++ if(!handle2) {
++ free(redired_url);
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ result = parseurl(redired_url, handle2, flags);
++ free(redired_url);
++ if(!result)
++ mv_urlhandle(handle2, u);
++ else
++ curl_url_cleanup(handle2);
++ return result;
++ }
++ default:
++ return CURLUE_UNKNOWN_PART;
++ }
++ if(storep) {
++ const char *newp = part;
++ size_t nalloc = strlen(part);
++
++ if(urlencode) {
++ const char *i;
++ char *o;
++ bool free_part = FALSE;
++ char *enc = malloc(nalloc * 3 + 1); /* for worst case! */
++ if(!enc)
++ return CURLUE_OUT_OF_MEMORY;
++ if(plusencode) {
++ /* space to plus */
++ i = part;
++ for(o = enc; *i; ++o, ++i)
++ *o = (*i == ' ') ? '+' : *i;
++ *o = 0; /* zero terminate */
++ part = strdup(enc);
++ if(!part) {
++ free(enc);
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ free_part = TRUE;
++ }
++ for(i = part, o = enc; *i; i++) {
++ if(Curl_isunreserved(*i) ||
++ ((*i == '/') && urlskipslash) ||
++ ((*i == '=') && appendquery) ||
++ ((*i == '+') && plusencode)) {
++ *o = *i;
++ o++;
++ }
++ else {
++ snprintf(o, 4, "%%%02x", *i);
++ o += 3;
++ }
++ }
++ *o = 0; /* zero terminate */
++ newp = enc;
++ if(free_part)
++ free((char *)part);
++ }
++ else {
++ char *p;
++ newp = strdup(part);
++ if(!newp)
++ return CURLUE_OUT_OF_MEMORY;
++ p = (char *)newp;
++ while(*p) {
++ /* make sure percent encoded are lower case */
++ if((*p == '%') && ISXDIGIT(p[1]) && ISXDIGIT(p[2]) &&
++ (ISUPPER(p[1]) || ISUPPER(p[2]))) {
++ p[1] = (char)TOLOWER(p[1]);
++ p[2] = (char)TOLOWER(p[2]);
++ p += 3;
++ }
++ else
++ p++;
++ }
++ }
++
++ if(appendquery) {
++ /* Append the string onto the old query. Add a '&' separator if none is
++ present at the end of the exsting query already */
++ size_t querylen = u->query ? strlen(u->query) : 0;
++ bool addamperand = querylen && (u->query[querylen -1] != '&');
++ if(querylen) {
++ size_t newplen = strlen(newp);
++ char *p = malloc(querylen + addamperand + newplen + 1);
++ if(!p) {
++ free((char *)newp);
++ return CURLUE_OUT_OF_MEMORY;
++ }
++ strcpy(p, u->query); /* original query */
++ if(addamperand)
++ p[querylen] = '&'; /* ampersand */
++ strcpy(&p[querylen + addamperand], newp); /* new suffix */
++ free((char *)newp);
++ free(*storep);
++ *storep = p;
++ return CURLUE_OK;
++ }
++ }
++
++ free(*storep);
++ *storep = (char *)newp;
++ }
++ /* set after the string, to make it not assigned if the allocation above
++ fails */
++ if(port)
++ u->portnum = port;
++ return CURLUE_OK;
++}
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index aa5fff0..0f6ac44 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -178,6 +178,8 @@ test1533 test1534 test1535 test1536 test1537 test1538 \
+ test1540 \
+ test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
+ \
++test1560 \
++\
+ test1590 \
+ test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
+ test1608 test1609 \
+diff --git a/tests/data/test1560 b/tests/data/test1560
+new file mode 100644
+index 0000000..720df03
+--- /dev/null
++++ b/tests/data/test1560
+@@ -0,0 +1,28 @@
++
++
++
++unittest
++URL API
++
++
++
++#
++# Client-side
++
++
++none
++
++
++file
++https
++http
++
++
++URL API
++
++
++lib1560
++
++
++
++
+diff --git a/tests/libtest/Makefile.am b/tests/libtest/Makefile.am
+index d14f37d..dc97e32 100644
+--- a/tests/libtest/Makefile.am
++++ b/tests/libtest/Makefile.am
+@@ -133,3 +133,8 @@ lib1521.c: $(top_srcdir)/tests/libtest/mk-lib1521.pl $(top_srcdir)/include/curl/
+
+ checksrc:
+ @PERL@ $(top_srcdir)/lib/checksrc.pl $(srcdir)/*.c
++
++if CURLDEBUG
++# for debug builds, we scan the sources on all regular make invokes
++all-local: checksrc
++endif
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 238ef97..7a3cd16 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -30,6 +30,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
+ lib1534 lib1535 lib1536 lib1537 lib1538 \
+ lib1540 \
+ lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
++ lib1560 \
+ lib1900 \
+ lib2033
+
+@@ -507,6 +508,9 @@ lib1557_SOURCES = lib1557.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1557_LDADD = $(TESTUTIL_LIBS)
+ lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557
+
++lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
++lib1560_LDADD = $(TESTUTIL_LIBS)
++
+ lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1900_LDADD = $(TESTUTIL_LIBS)
+ lib1900_CPPFLAGS = $(AM_CPPFLAGS)
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+new file mode 100644
+index 0000000..669ea9a
+--- /dev/null
++++ b/tests/libtest/lib1560.c
+@@ -0,0 +1,760 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++
++/*
++ * Note:
++ *
++ * Since the URL parser by default only accepts schemes that *this instance*
++ * of libcurl supports, make sure that the test1560 file lists all the schemes
++ * that this test will assume to be present!
++ */
++
++#include "test.h"
++
++#include "testutil.h"
++#include "warnless.h"
++#include "memdebug.h" /* LAST include file */
++
++struct part {
++ CURLUPart part;
++ const char *name;
++};
++
++
++static int checkparts(CURLU *u, const char *in, const char *wanted,
++ unsigned int getflags)
++{
++ int i;
++ CURLUcode rc;
++ char buf[256];
++ char *bufp = &buf[0];
++ size_t len = sizeof(buf);
++ struct part parts[] = {
++ {CURLUPART_SCHEME, "scheme"},
++ {CURLUPART_USER, "user"},
++ {CURLUPART_PASSWORD, "password"},
++ {CURLUPART_OPTIONS, "options"},
++ {CURLUPART_HOST, "host"},
++ {CURLUPART_PORT, "port"},
++ {CURLUPART_PATH, "path"},
++ {CURLUPART_QUERY, "query"},
++ {CURLUPART_FRAGMENT, "fragment"},
++ {0, NULL}
++ };
++ buf[0] = 0;
++
++ for(i = 0; parts[i].name; i++) {
++ char *p = NULL;
++ size_t n;
++ rc = curl_url_get(u, parts[i].part, &p, getflags);
++ if(!rc && p) {
++ snprintf(bufp, len, "%s%s", buf[0]?" | ":"", p);
++ }
++ else
++ snprintf(bufp, len, "%s[%d]", buf[0]?" | ":"", (int)rc);
++
++ n = strlen(bufp);
++ bufp += n;
++ len -= n;
++ curl_free(p);
++ }
++ if(strcmp(buf, wanted)) {
++ fprintf(stderr, "in: %s\nwanted: %s\ngot: %s\n", in, wanted, buf);
++ return 1;
++ }
++ return 0;
++}
++
++struct redircase {
++ const char *in;
++ const char *set;
++ const char *out;
++ unsigned int urlflags;
++ unsigned int setflags;
++ CURLUcode ucode;
++};
++
++struct setcase {
++ const char *in;
++ const char *set;
++ const char *out;
++ unsigned int urlflags;
++ unsigned int setflags;
++ CURLUcode ucode;
++};
++
++struct testcase {
++ const char *in;
++ const char *out;
++ unsigned int urlflags;
++ unsigned int getflags;
++ CURLUcode ucode;
++};
++
++struct urltestcase {
++ const char *in;
++ const char *out;
++ unsigned int urlflags; /* pass to curl_url() */
++ unsigned int getflags; /* pass to curl_url_get() */
++ CURLUcode ucode;
++};
++
++struct querycase {
++ const char *in;
++ const char *q;
++ const char *out;
++ unsigned int urlflags; /* pass to curl_url() */
++ unsigned int qflags; /* pass to curl_url_get() */
++ CURLUcode ucode;
++};
++
++static struct testcase get_parts_list[] ={
++ {"https://127.0.0.1:443",
++ "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [17] | [18]",
++ 0, CURLU_NO_DEFAULT_PORT, CURLUE_OK},
++ {"http://%3a:%3a@ex%0ample/%3f+?+%3f+%23#+%23%3f%g7",
++ "http | : | : | [13] | [6] | [15] | /?+ | ? # | +#?%g7",
++ 0, CURLU_URLDECODE, CURLUE_OK},
++ {"http://%3a:%3a@ex%0ample/%3f?%3f%35#%35%3f%g7",
++ "http | %3a | %3a | [13] | ex%0ample | [15] | /%3f | %3f%35 | %35%3f%g7",
++ 0, 0, CURLUE_OK},
++ {"http://HO0_-st%41/",
++ "http | [11] | [12] | [13] | HO0_-st%41 | [15] | / | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"file://hello.html",
++ "",
++ 0, 0, CURLUE_MALFORMED_INPUT},
++ {"http://HO0_-st/",
++ "http | [11] | [12] | [13] | HO0_-st | [15] | / | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"imap://user:pass;option@server/path",
++ "imap | user | pass | option | server | [15] | /path | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"http://user:pass;option@server/path",
++ "http | user | pass;option | [13] | server | [15] | /path | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"file:/hello.html",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"file://127.0.0.1/hello.html",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"file:////hello.html",
++ "file | [11] | [12] | [13] | [14] | [15] | //hello.html | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"file:///hello.html",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ 0, 0, CURLUE_OK},
++ {"https://127.0.0.1",
++ "https | [11] | [12] | [13] | 127.0.0.1 | 443 | / | [17] | [18]",
++ 0, CURLU_DEFAULT_PORT, CURLUE_OK},
++ {"https://127.0.0.1",
++ "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [17] | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https://[::1]:1234",
++ "https | [11] | [12] | [13] | [::1] | 1234 | / | [17] | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https://127abc.com",
++ "https | [11] | [12] | [13] | 127abc.com | [15] | / | [17] | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https:// example.com?check",
++ "",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
++ {"https://e x a m p l e.com?check",
++ "",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
++ {"https://example.com?check",
++ "https | [11] | [12] | [13] | example.com | [15] | / | check | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https://example.com:65536",
++ "",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_BAD_PORT_NUMBER},
++ {"https://example.com:0#moo",
++ "",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_BAD_PORT_NUMBER},
++ {"https://example.com:01#moo",
++ "https | [11] | [12] | [13] | example.com | 1 | / | "
++ "[17] | moo",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https://example.com:1#moo",
++ "https | [11] | [12] | [13] | example.com | 1 | / | "
++ "[17] | moo",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com#moo",
++ "http | [11] | [12] | [13] | example.com | [15] | / | "
++ "[17] | moo",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com",
++ "http | [11] | [12] | [13] | example.com | [15] | / | "
++ "[17] | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com/path/html",
++ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
++ "[17] | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com/path/html?query=name",
++ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
++ "query=name | [18]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com/path/html?query=name#anchor",
++ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://example.com:1234/path/html?query=name#anchor",
++ "http | [11] | [12] | [13] | example.com | 1234 | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http:///user:password@example.com:1234/path/html?query=name#anchor",
++ "http | user | password | [13] | example.com | 1234 | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"https://user:password@example.com:1234/path/html?query=name#anchor",
++ "https | user | password | [13] | example.com | 1234 | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://user:password@example.com:1234/path/html?query=name#anchor",
++ "http | user | password | [13] | example.com | 1234 | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http:/user:password@example.com:1234/path/html?query=name#anchor",
++ "http | user | password | [13] | example.com | 1234 | /path/html | "
++ "query=name | anchor",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http:////user:password@example.com:1234/path/html?query=name#anchor",
++ "",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
++ {NULL, NULL, 0, 0, CURLUE_OK},
++};
++
++static struct urltestcase get_url_list[] = {
++ {"HTTP://test/", "http://test/", 0, 0, CURLUE_OK},
++ {"http://HO0_-st..~./", "", 0, 0, CURLUE_MALFORMED_INPUT},
++ {"http:/@example.com: 123/", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
++ {"http:/@example.com:123 /", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
++ {"http:/@example.com:123a/", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
++ {"http://host/file\r", "", 0, 0, CURLUE_MALFORMED_INPUT},
++ {"http://host/file\n\x03", "", 0, 0, CURLUE_MALFORMED_INPUT},
++ {"htt\x02://host/file", "",
++ CURLU_NON_SUPPORT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
++ {" http://host/file", "", 0, 0, CURLUE_MALFORMED_INPUT},
++ /* here the password ends at the semicolon and options is 'word' */
++ {"imap://user:pass;word@host/file",
++ "imap://user:pass;word@host/file",
++ 0, 0, CURLUE_OK},
++ /* here the password has the semicolon */
++ {"http://user:pass;word@host/file",
++ "http://user:pass;word@host/file",
++ 0, 0, CURLUE_OK},
++ {"file:///file.txt#moo",
++ "file:///file.txt#moo",
++ 0, 0, CURLUE_OK},
++ {"file:////file.txt",
++ "file:////file.txt",
++ 0, 0, CURLUE_OK},
++ {"file:///file.txt",
++ "file:///file.txt",
++ 0, 0, CURLUE_OK},
++ {"http://example.com/hello/../here",
++ "http://example.com/hello/../here",
++ CURLU_PATH_AS_IS, 0, CURLUE_OK},
++ {"http://example.com/hello/../here",
++ "http://example.com/here",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:80",
++ "http://example.com/",
++ 0, CURLU_NO_DEFAULT_PORT, CURLUE_OK},
++ {"tp://example.com/path/html",
++ "",
++ 0, 0, CURLUE_UNSUPPORTED_SCHEME},
++ {"http://hello:fool@example.com",
++ "",
++ CURLU_DISALLOW_USER, 0, CURLUE_USER_NOT_ALLOWED},
++ {"http:/@example.com:123",
++ "http://example.com:123/",
++ 0, 0, CURLUE_OK},
++ {"http:/:password@example.com",
++ "http://:password@example.com/",
++ 0, 0, CURLUE_OK},
++ {"http://user@example.com?#",
++ "http://user@example.com/",
++ 0, 0, CURLUE_OK},
++ {"http://user@example.com?",
++ "http://user@example.com/",
++ 0, 0, CURLUE_OK},
++ {"http://user@example.com#anchor",
++ "http://user@example.com/#anchor",
++ 0, 0, CURLUE_OK},
++ {"example.com/path/html",
++ "https://example.com/path/html",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"example.com/path/html",
++ "",
++ 0, 0, CURLUE_MALFORMED_INPUT},
++ {"http://user:password@example.com:1234/path/html?query=name#anchor",
++ "http://user:password@example.com:1234/path/html?query=name#anchor",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:1234/path/html?query=name#anchor",
++ "http://example.com:1234/path/html?query=name#anchor",
++ 0, 0, CURLUE_OK},
++ {"http://example.com/path/html?query=name#anchor",
++ "http://example.com/path/html?query=name#anchor",
++ 0, 0, CURLUE_OK},
++ {"http://example.com/path/html?query=name",
++ "http://example.com/path/html?query=name",
++ 0, 0, CURLUE_OK},
++ {"http://example.com/path/html",
++ "http://example.com/path/html",
++ 0, 0, CURLUE_OK},
++ {"tp://example.com/path/html",
++ "tp://example.com/path/html",
++ CURLU_NON_SUPPORT_SCHEME, 0, CURLUE_OK},
++ {NULL, NULL, 0, 0, 0}
++};
++
++static int checkurl(const char *url, const char *out)
++{
++ if(strcmp(out, url)) {
++ fprintf(stderr, "Wanted: %s\nGot : %s\n",
++ out, url);
++ return 1;
++ }
++ return 0;
++}
++
++/* !checksrc! disable SPACEBEFORECOMMA 1 */
++static struct setcase set_parts_list[] = {
++ {"https://host/",
++ "path=%4A%4B%4C,",
++ "https://host/%4a%4b%4c",
++ 0, 0, CURLUE_NO_HOST},
++ {"https://host/mooo?q#f",
++ "path=NULL,query=NULL,fragment=NULL,",
++ "https://host/",
++ 0, 0, CURLUE_NO_HOST},
++ {"https://user:secret@host/",
++ "user=NULL,password=NULL,",
++ "https://host/",
++ 0, 0, CURLUE_NO_HOST},
++ {NULL,
++ "scheme=https,user= @:,host=foobar,",
++ "https://%20%20%20%40%3a@foobar/",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {NULL,
++ "scheme=https,host= ,path= ,user= ,password= ,query= ,fragment= ,",
++ "https://%20:%20@%20%20/%20?+#%20",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {NULL,
++ "scheme=https,host=foobar,path=/this /path /is /here,",
++ "https://foobar/this%20/path%20/is%20/here",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {"imap://user:secret;opt@host/",
++ "options=updated,scheme=imaps,password=p4ssw0rd,",
++ "imaps://user:p4ssw0rd;updated@host/",
++ 0, 0, CURLUE_NO_HOST},
++ {"imap://user:secret;optit@host/",
++ "scheme=https,",
++ "https://user:secret@host/",
++ 0, 0, CURLUE_NO_HOST},
++ {"file:///file#anchor",
++ "scheme=https,host=example,",
++ "https://example/file#anchor",
++ 0, 0, CURLUE_NO_HOST},
++ {NULL, /* start fresh! */
++ "scheme=file,host=127.0.0.1,path=/no,user=anonymous,",
++ "file:///no",
++ 0, 0, CURLUE_OK},
++ {NULL, /* start fresh! */
++ "scheme=ftp,host=127.0.0.1,path=/no,user=anonymous,",
++ "ftp://anonymous@127.0.0.1/no",
++ 0, 0, CURLUE_OK},
++ {NULL, /* start fresh! */
++ "scheme=https,host=example.com,",
++ "https://example.com/",
++ 0, CURLU_NON_SUPPORT_SCHEME, CURLUE_OK},
++ {"http://user:foo@example.com/path?query#frag",
++ "fragment=changed,",
++ "http://user:foo@example.com/path?query#changed",
++ 0, CURLU_NON_SUPPORT_SCHEME, CURLUE_OK},
++ {"http://example.com/",
++ "scheme=foo,", /* not accepted */
++ "http://example.com/",
++ 0, 0, CURLUE_OK},
++ {"http://example.com/",
++ "scheme=https,path=/hello,fragment=snippet,",
++ "https://example.com/hello#snippet",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:80",
++ "user=foo,port=1922,",
++ "http://foo@example.com:1922/",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:80",
++ "user=foo,password=bar,",
++ "http://foo:bar@example.com:80/",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:80",
++ "user=foo,",
++ "http://foo@example.com:80/",
++ 0, 0, CURLUE_OK},
++ {"http://example.com",
++ "host=www.example.com,",
++ "http://www.example.com/",
++ 0, 0, CURLUE_OK},
++ {"http://example.com:80",
++ "scheme=ftp,",
++ "ftp://example.com:80/",
++ 0, 0, CURLUE_OK},
++ {NULL, NULL, NULL, 0, 0, 0}
++};
++
++static CURLUPart part2id(char *part)
++{
++ if(!strcmp("url", part))
++ return CURLUPART_URL;
++ if(!strcmp("scheme", part))
++ return CURLUPART_SCHEME;
++ if(!strcmp("user", part))
++ return CURLUPART_USER;
++ if(!strcmp("password", part))
++ return CURLUPART_PASSWORD;
++ if(!strcmp("options", part))
++ return CURLUPART_OPTIONS;
++ if(!strcmp("host", part))
++ return CURLUPART_HOST;
++ if(!strcmp("port", part))
++ return CURLUPART_PORT;
++ if(!strcmp("path", part))
++ return CURLUPART_PATH;
++ if(!strcmp("query", part))
++ return CURLUPART_QUERY;
++ if(!strcmp("fragment", part))
++ return CURLUPART_FRAGMENT;
++ return 9999; /* bad input => bad output */
++}
++
++static void updateurl(CURLU *u, const char *cmd, unsigned int setflags)
++{
++ const char *p = cmd;
++
++ /* make sure the last command ends with a comma too! */
++ while(p) {
++ char *e = strchr(p, ',');
++ if(e) {
++ size_t n = e-p;
++ char buf[80];
++ char part[80];
++ char value[80];
++ memcpy(buf, p, n);
++ buf[n] = 0;
++ if(2 == sscanf(buf, "%79[^=]=%79[^,]", part, value)) {
++ CURLUPart what = part2id(part);
++#if 0
++ /* for debugging this */
++ fprintf(stderr, "%s = %s [%d]\n", part, value, (int)what);
++#endif
++ if(!strcmp("NULL", value))
++ curl_url_set(u, what, NULL, setflags);
++ else
++ curl_url_set(u, what, value, setflags);
++ }
++ p = e + 1;
++ continue;
++ }
++ break;
++ }
++
++}
++
++static struct redircase set_url_list[] = {
++ {"file://localhost/path?query#frag",
++ "foo#another",
++ "file:///foo#another",
++ 0, 0, 0},
++ {"http://example.com/path?query#frag",
++ "https://two.example.com/bradnew",
++ "https://two.example.com/bradnew",
++ 0, 0, 0},
++ {"http://example.com/path?query#frag",
++ "../../newpage#foo",
++ "http://example.com/newpage#foo",
++ 0, 0, 0},
++ {"http://user:foo@example.com/path?query#frag",
++ "../../newpage",
++ "http://user:foo@example.com/newpage",
++ 0, 0, 0},
++ {"http://user:foo@example.com/path?query#frag",
++ "../newpage",
++ "http://user:foo@example.com/newpage",
++ 0, 0, 0},
++ {NULL, NULL, NULL, 0, 0, 0}
++};
++
++static int set_url(void)
++{
++ int i;
++ CURLUcode rc;
++ CURLU *urlp;
++ int error = 0;
++
++ for(i = 0; set_url_list[i].in && !error; i++) {
++ char *url = NULL;
++ urlp = curl_url();
++ if(!urlp)
++ break;
++ rc = curl_url_set(urlp, CURLUPART_URL, set_url_list[i].in,
++ set_url_list[i].urlflags);
++ if(!rc) {
++ rc = curl_url_set(urlp, CURLUPART_URL, set_url_list[i].set,
++ set_url_list[i].setflags);
++ if(rc) {
++ fprintf(stderr, "%s:%d Set URL %s returned %d\n",
++ __FILE__, __LINE__, set_url_list[i].set,
++ (int)rc);
++ error++;
++ }
++ else {
++ rc = curl_url_get(urlp, CURLUPART_URL, &url, 0);
++ if(rc) {
++ fprintf(stderr, "%s:%d Get URL returned %d\n",
++ __FILE__, __LINE__, (int)rc);
++ error++;
++ }
++ else {
++ if(checkurl(url, set_url_list[i].out)) {
++ error++;
++ }
++ }
++ }
++ curl_free(url);
++ }
++ else if(rc != set_url_list[i].ucode) {
++ fprintf(stderr, "Set URL\nin: %s\nreturned %d (expected %d)\n",
++ set_url_list[i].in, (int)rc, set_url_list[i].ucode);
++ error++;
++ }
++ curl_url_cleanup(urlp);
++ }
++ return error;
++}
++
++static int set_parts(void)
++{
++ int i;
++ CURLUcode rc;
++ int error = 0;
++
++ for(i = 0; set_parts_list[i].set && !error; i++) {
++ char *url = NULL;
++ CURLU *urlp = curl_url();
++ if(!urlp) {
++ error++;
++ break;
++ }
++ if(set_parts_list[i].in)
++ rc = curl_url_set(urlp, CURLUPART_URL, set_parts_list[i].in,
++ set_parts_list[i].urlflags);
++ else
++ rc = CURLUE_OK;
++ if(!rc) {
++ updateurl(urlp, set_parts_list[i].set, set_parts_list[i].setflags);
++ rc = curl_url_get(urlp, CURLUPART_URL, &url, 0);
++
++ if(rc) {
++ fprintf(stderr, "%s:%d Get URL returned %d\n",
++ __FILE__, __LINE__, (int)rc);
++ error++;
++ }
++ else if(checkurl(url, set_parts_list[i].out)) {
++ error++;
++ }
++ }
++ else if(rc != set_parts_list[i].ucode) {
++ fprintf(stderr, "Set parts\nin: %s\nreturned %d (expected %d)\n",
++ set_parts_list[i].in, (int)rc, set_parts_list[i].ucode);
++ error++;
++ }
++ curl_free(url);
++ curl_url_cleanup(urlp);
++ }
++ return error;
++}
++
++static int get_url(void)
++{
++ int i;
++ CURLUcode rc;
++ int error = 0;
++ for(i = 0; get_url_list[i].in && !error; i++) {
++ char *url = NULL;
++ CURLU *urlp = curl_url();
++ if(!urlp) {
++ error++;
++ break;
++ }
++ rc = curl_url_set(urlp, CURLUPART_URL, get_url_list[i].in,
++ get_url_list[i].urlflags);
++ if(!rc) {
++ rc = curl_url_get(urlp, CURLUPART_URL, &url, get_url_list[i].getflags);
++
++ if(rc) {
++ fprintf(stderr, "%s:%d returned %d\n",
++ __FILE__, __LINE__, (int)rc);
++ error++;
++ }
++ else {
++ if(checkurl(url, get_url_list[i].out)) {
++ error++;
++ }
++ }
++ }
++ else if(rc != get_url_list[i].ucode) {
++ fprintf(stderr, "Get URL\nin: %s\nreturned %d (expected %d)\n",
++ get_url_list[i].in, (int)rc, get_url_list[i].ucode);
++ error++;
++ }
++ curl_free(url);
++ curl_url_cleanup(urlp);
++ }
++ return error;
++}
++
++static int get_parts(void)
++{
++ int i;
++ CURLUcode rc;
++ CURLU *urlp;
++ int error = 0;
++ for(i = 0; get_parts_list[i].in && !error; i++) {
++ urlp = curl_url();
++ if(!urlp) {
++ error++;
++ break;
++ }
++ rc = curl_url_set(urlp, CURLUPART_URL,
++ get_parts_list[i].in,
++ get_parts_list[i].urlflags);
++ if(rc != get_parts_list[i].ucode) {
++ fprintf(stderr, "Get parts\nin: %s\nreturned %d (expected %d)\n",
++ get_parts_list[i].in, (int)rc, get_parts_list[i].ucode);
++ error++;
++ }
++ else if(get_parts_list[i].ucode) {
++ /* the expected error happened */
++ }
++ else if(checkparts(urlp, get_parts_list[i].in, get_parts_list[i].out,
++ get_parts_list[i].getflags))
++ error++;
++ curl_url_cleanup(urlp);
++ }
++ return error;
++}
++
++static struct querycase append_list[] = {
++ {"HTTP://test/?s", "name=joe\x02", "http://test/?s&name=joe%02",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {"HTTP://test/?size=2#f", "name=joe=", "http://test/?size=2&name=joe=#f",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {"HTTP://test/?size=2#f", "name=joe doe",
++ "http://test/?size=2&name=joe+doe#f",
++ 0, CURLU_URLENCODE, CURLUE_OK},
++ {"HTTP://test/", "name=joe", "http://test/?name=joe", 0, 0, CURLUE_OK},
++ {"HTTP://test/?size=2", "name=joe", "http://test/?size=2&name=joe",
++ 0, 0, CURLUE_OK},
++ {"HTTP://test/?size=2&", "name=joe", "http://test/?size=2&name=joe",
++ 0, 0, CURLUE_OK},
++ {"HTTP://test/?size=2#f", "name=joe", "http://test/?size=2&name=joe#f",
++ 0, 0, CURLUE_OK},
++ {NULL, NULL, NULL, 0, 0, 0}
++};
++
++static int append(void)
++{
++ int i;
++ CURLUcode rc;
++ CURLU *urlp;
++ int error = 0;
++ for(i = 0; append_list[i].in && !error; i++) {
++ urlp = curl_url();
++ if(!urlp) {
++ error++;
++ break;
++ }
++ rc = curl_url_set(urlp, CURLUPART_URL,
++ append_list[i].in,
++ append_list[i].urlflags);
++ if(rc)
++ error++;
++ else
++ rc = curl_url_set(urlp, CURLUPART_QUERY,
++ append_list[i].q,
++ append_list[i].qflags | CURLU_APPENDQUERY);
++ if(error)
++ ;
++ else if(rc != append_list[i].ucode) {
++ fprintf(stderr, "Append\nin: %s\nreturned %d (expected %d)\n",
++ append_list[i].in, (int)rc, append_list[i].ucode);
++ error++;
++ }
++ else if(append_list[i].ucode) {
++ /* the expected error happened */
++ }
++ else {
++ char *url;
++ rc = curl_url_get(urlp, CURLUPART_URL, &url, 0);
++ if(rc) {
++ fprintf(stderr, "%s:%d Get URL returned %d\n",
++ __FILE__, __LINE__, (int)rc);
++ error++;
++ }
++ else {
++ if(checkurl(url, append_list[i].out)) {
++ error++;
++ }
++ curl_free(url);
++ }
++ }
++ curl_url_cleanup(urlp);
++ }
++ return error;
++}
++
++int test(char *URL)
++{
++ (void)URL; /* not used */
++
++ if(append())
++ return 5;
++
++ if(set_url())
++ return 1;
++
++ if(set_parts())
++ return 2;
++
++ if(get_url())
++ return 3;
++
++ if(get_parts())
++ return 4;
++
++ printf("success\n");
++ return 0;
++}
+--
+2.17.2
+
+
+From 581a3b902b949f090776c5295a8aa0786edba773 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 8 Sep 2018 16:02:25 +0200
+Subject: [PATCH 02/14] curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0
+
+Upstream-commit: 890eea5aade0fc4ee167e83948d53351c11dd1ae
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/curl_url.3 | 2 +-
+ docs/libcurl/curl_url_cleanup.3 | 2 +-
+ docs/libcurl/curl_url_dup.3 | 2 +-
+ docs/libcurl/curl_url_get.3 | 2 +-
+ docs/libcurl/curl_url_set.3 | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/docs/libcurl/curl_url.3 b/docs/libcurl/curl_url.3
+index 0a56264..a14c45b 100644
+--- a/docs/libcurl/curl_url.3
++++ b/docs/libcurl/curl_url.3
+@@ -55,7 +55,7 @@ Returns a \fBCURLU *\fP if successful, or NULL if out of memory.
+ }
+ .fi
+ .SH AVAILABILITY
+-Added in curl 7.63.0
++Added in curl 7.62.0
+ .SH "SEE ALSO"
+ .BR curl_url_cleanup "(3), " curl_url_get "(3), " curl_url_set "(3), "
+ .BR curl_url_dup "(3), "
+diff --git a/docs/libcurl/curl_url_cleanup.3 b/docs/libcurl/curl_url_cleanup.3
+index a8158b7..4d095a9 100644
+--- a/docs/libcurl/curl_url_cleanup.3
++++ b/docs/libcurl/curl_url_cleanup.3
+@@ -38,7 +38,7 @@ none
+ curl_url_cleanup(url);
+ .fi
+ .SH AVAILABILITY
+-Added in curl 7.63.0
++Added in curl 7.62.0
+ .SH "SEE ALSO"
+ .BR curl_url_dup "(3), " curl_url "(3), " curl_url_set "(3), "
+ .BR curl_url_get "(3), "
+diff --git a/docs/libcurl/curl_url_dup.3 b/docs/libcurl/curl_url_dup.3
+index 4815dbd..c0259e0 100644
+--- a/docs/libcurl/curl_url_dup.3
++++ b/docs/libcurl/curl_url_dup.3
+@@ -46,7 +46,7 @@ Returns a new handle or NULL if out of memory.
+ curl_url_cleanup(url);
+ .fi
+ .SH AVAILABILITY
+-Added in curl 7.63.0
++Added in curl 7.62.0
+ .SH "SEE ALSO"
+ .BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_set "(3), "
+ .BR curl_url_get "(3), "
+diff --git a/docs/libcurl/curl_url_get.3 b/docs/libcurl/curl_url_get.3
+index 824d496..b1313ea 100644
+--- a/docs/libcurl/curl_url_get.3
++++ b/docs/libcurl/curl_url_get.3
+@@ -104,7 +104,7 @@ If this function returns an error, no URL part is returned.
+ }
+ .fi
+ .SH AVAILABILITY
+-Added in curl 7.63.0
++Added in curl 7.62.0
+ .SH "SEE ALSO"
+ .BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_set "(3), "
+ .BR curl_url_dup "(3), "
+diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3
+index 75fc0d9..79272e8 100644
+--- a/docs/libcurl/curl_url_set.3
++++ b/docs/libcurl/curl_url_set.3
+@@ -114,7 +114,7 @@ If this function returns an error, no URL part is returned.
+ curl_url_cleanup(url);
+ .fi
+ .SH AVAILABILITY
+-Added in curl 7.63.0
++Added in curl 7.62.0
+ .SH "SEE ALSO"
+ .BR curl_url_cleanup "(3), " curl_url "(3), " curl_url_get "(3), "
+ .BR curl_url_dup "(3), "
+--
+2.17.2
+
+
+From 9c33cac88a9d94557ba48df7c290afc950895bc4 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 8 Sep 2018 19:39:57 +0200
+Subject: [PATCH 03/14] curl_url_set.3: correct description
+
+Upstream-commit: 8b85a3cac516a302a8ce3911cf8b9a229b62a59d
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/curl_url_set.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3
+index 79272e8..0d6e9aa 100644
+--- a/docs/libcurl/curl_url_set.3
++++ b/docs/libcurl/curl_url_set.3
+@@ -21,7 +21,7 @@
+ .\" **************************************************************************
+ .TH curl_url_set 3 "6 Aug 2018" "libcurl" "libcurl Manual"
+ .SH NAME
+-curl_url_set - set a part from a URL
++curl_url_set - set a URL part
+ .SH SYNOPSIS
+ .B #include
+
+--
+2.17.2
+
+
+From dc2c1d978ec78a5f278d194e1b258015e8bfd664 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 8 Sep 2018 22:57:36 +0200
+Subject: [PATCH 04/14] urlapi: avoid derefencing a possible NULL pointer
+
+Coverity CID 1439134
+
+Upstream-commit: 01dedc99fc8d386fe955421ab05a1c4094c9190b
+Signed-off-by: Kamil Dudka
+---
+ lib/urlapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index 8287861..3183598 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -438,10 +438,10 @@ static CURLUcode parse_hostname_login(struct Curl_URL *u,
+ *hostname = ++ptr;
+
+ /* We could use the login information in the URL so extract it. Only parse
+- options if the handler says we should. */
++ options if the handler says we should. Note that 'h' might be NULL! */
+ ccode = Curl_parse_login_details(login, ptr - login - 1,
+ &userp, &passwdp,
+- h->flags & PROTOPT_URLOPTIONS ?
++ (h && (h->flags & PROTOPT_URLOPTIONS)) ?
+ &optionsp:NULL);
+ if(ccode) {
+ result = CURLUE_MALFORMED_INPUT;
+--
+2.17.2
+
+
+From 6684d372c20609afd21f21399deda6deedea911e Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson
+Date: Sat, 8 Sep 2018 23:05:21 +0200
+Subject: [PATCH 05/14] url.c: fix comment typo and indentation
+
+Closes #2960
+
+Upstream-commit: 6e4b8c5073c3985cef98656c3b375981d25a8898
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 4f75f11..dcc6cc8 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1939,7 +1939,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
+ return NULL;
+ }
+
+-/* returns the handdler if the given scheme is built-in */
++/* returns the handler if the given scheme is built-in */
+ const struct Curl_handler *Curl_builtin_scheme(const char *scheme)
+ {
+ const struct Curl_handler * const *pp;
+@@ -2245,7 +2245,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+ the host-name part */
+ memmove(path + hostlen + 1, path, pathlen + 1);
+
+- /* now copy the trailing host part in front of the existing path */
++ /* now copy the trailing host part in front of the existing path */
+ memcpy(path + 1, query, hostlen);
+
+ path[0]='/'; /* prepend the missing slash */
+--
+2.17.2
+
+
+From 0f8d6ab26abd00459d1364a69d7771a6b3a58ce3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 10 Sep 2018 10:09:18 +0200
+Subject: [PATCH 06/14] libcurl-url.3: overview man page for the URL API
+
+Closes #2967
+
+Upstream-commit: 11e8a43f853b9bf050db58f073e6f2411821ce60
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/Makefile.inc | 1 +
+ docs/libcurl/libcurl-url.3 | 137 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 138 insertions(+)
+ create mode 100644 docs/libcurl/libcurl-url.3
+
+diff --git a/docs/libcurl/Makefile.inc b/docs/libcurl/Makefile.inc
+index 955492c..97cb50c 100644
+--- a/docs/libcurl/Makefile.inc
++++ b/docs/libcurl/Makefile.inc
+@@ -23,4 +23,5 @@ man_MANS = curl_easy_cleanup.3 curl_easy_getinfo.3 curl_easy_init.3 \
+ curl_mime_filename.3 curl_mime_subparts.3 \
+ curl_mime_type.3 curl_mime_headers.3 curl_mime_encoder.3 libcurl-env.3 \
+ curl_url.3 curl_url_cleanup.3 curl_url_dup.3 curl_url_get.3 curl_url_set.3 \
++ libcurl-url.3 \
+ libcurl-security.3
+diff --git a/docs/libcurl/libcurl-url.3 b/docs/libcurl/libcurl-url.3
+new file mode 100644
+index 0000000..4ad0a15
+--- /dev/null
++++ b/docs/libcurl/libcurl-url.3
+@@ -0,0 +1,137 @@
++.\" **************************************************************************
++.\" * _ _ ____ _
++.\" * Project ___| | | | _ \| |
++.\" * / __| | | | |_) | |
++.\" * | (__| |_| | _ <| |___
++.\" * \___|\___/|_| \_\_____|
++.\" *
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++.\" *
++.\" * This software is licensed as described in the file COPYING, which
++.\" * you should have received as part of this distribution. The terms
++.\" * are also available at https://curl.haxx.se/docs/copyright.html.
++.\" *
++.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++.\" * copies of the Software, and permit persons to whom the Software is
++.\" * furnished to do so, under the terms of the COPYING file.
++.\" *
++.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++.\" * KIND, either express or implied.
++.\" *
++.\" **************************************************************************
++.TH libcurl 3 "10 Sep 2018" "libcurl" "libcurl url interface"
++.SH NAME
++libcurl-url \- URL interface overview
++.SH DESCRIPTION
++The URL interface provides a set of functions for parsing and generating URLs.
++.SH INCLUDE
++You still only include in your code. Note that the URL API was
++introduced in 7.62.0.
++.SH CREATE
++Create a handle that holds URL info and resources with \fIcurl_url(3)\fP:
++
++ CURLU *h = curl_url();
++.SH CLEANUP
++When done with it, clean it up with \fIcurl_url_cleanup(3)\fP:
++
++ curl_url_cleanup(h);
++.SH DUPLICATE
++When you need a copy of a handle, just duplicate it with \fIcurl_url_dup(3)\fP:
++
++ CURLU *nh = curl_url_dup(h);
++.SH PARSING
++By "setting" a URL to the handle with \fIcurl_url_set(3)\fP, the URL is parsed
++and stored in the handle. If the URL is not syntactically correct it will
++return an error instead.
++
++.nf
++ rc = curl_url_set(h, CURLUPART_URL,
++ "https://example.com:449/foo/bar?name=moo", 0);
++.fi
++
++The zero in the fourth argument is a bitmask for changing specific features.
++
++If successful, this stores the URL in its individual parts within the handle.
++.SH REDIRECT
++When a handle already contains info about a URL, setting a relative URL will
++make it "redirect" to adapt to it.
++
++ rc = curl_url_set(h, CURLUPART_URL, "../test?another", 0);
++.SH "GET URL"
++The `CURLU` handle represents a URL and you can easily extract that with
++\fIcurl_url_get(3)\fP:
++
++ char *url;
++ rc = curl_url_get(h, CURLUPART_URL, &url, 0);
++ curl_free(url);
++
++The zero in the fourth argument is a bitmask for changing specific features.
++.SH "GET PARTS"
++When a URL has been parsed or parts have been set, you can extract those
++pieces from the handle at any time.
++
++.nf
++ rc = curl_url_get(h, CURLUPART_HOST, &host, 0);
++ rc = curl_url_get(h, CURLUPART_SCHEME, &scheme, 0);
++ rc = curl_url_get(h, CURLUPART_USER, &user, 0);
++ rc = curl_url_get(h, CURLUPART_PASSWORD, &password, 0);
++ rc = curl_url_get(h, CURLUPART_PORT, &port, 0);
++ rc = curl_url_get(h, CURLUPART_PATH, &path, 0);
++ rc = curl_url_get(h, CURLUPART_QUERY, &query, 0);
++ rc = curl_url_get(h, CURLUPART_FRAGMENT, &fragment, 0);
++.fi
++
++Extracted parts are not URL decoded unless the user also asks for it with the
++CURLU_URLDECODE flag set in the fourth bitmask argument.
++
++Remember to free the returned string with \fIcurl_free(3)\fP when you're done
++with it!
++.SH "SET PARTS"
++A user set individual URL parts, either after having parsed a full URL or
++instead of parsing such.
++
++.nf
++ rc = curl_url_set(urlp, CURLUPART_HOST, "www.example.com", 0);
++ rc = curl_url_set(urlp, CURLUPART_SCHEME, "https", 0);
++ rc = curl_url_set(urlp, CURLUPART_USER, "john", 0);
++ rc = curl_url_set(urlp, CURLUPART_PASSWORD, "doe", 0);
++ rc = curl_url_set(urlp, CURLUPART_PORT, "443", 0);
++ rc = curl_url_set(urlp, CURLUPART_PATH, "/index.html", 0);
++ rc = curl_url_set(urlp, CURLUPART_QUERY, "name=john", 0);
++ rc = curl_url_set(urlp, CURLUPART_FRAGMENT, "anchor", 0);
++.fi
++
++Set parts are not URL encoded unless the user asks for it with the
++`CURLU_URLENCODE` flag.
++.SH "APPENDQUERY"
++An application can append a string to the right end of the query part with the
++`CURLU_APPENDQUERY` flag to \fIcurl_url_set(3)\fP.
++
++Imagine a handle that holds the URL `https://example.com/?shoes=2`. An
++application can then add the string `hat=1` to the query part like this:
++
++.nf
++ rc = curl_url_set(urlp, CURLUPART_QUERY, "hat=1", CURLU_APPENDQUERY);
++.fi
++
++It will even notice the lack of an ampersand (`&`) separator so it will inject
++one too, and the handle's full URL will then equal
++`https://example.com/?shoes=2&hat=1`.
++
++The appended string can of course also get URL encoded on add, and if asked to
++URL encode, the encoding process will skip the '=' character. For example,
++append `candy=N&N` to what we already have, and URL encode it to deal with the
++ampersand in the data:
++
++.nf
++ rc = curl_url_set(urlp, CURLUPART_QUERY, "candy=N&N",
++ CURLU_APPENDQUERY | CURLU_URLENCODE);
++.fi
++
++Now the URL looks like
++.nf
++ https://example.com/?shoes=2&hat=1&candy=N%26N`
++.fi
++.SH "SEE ALSO"
++.BR curl_url "(3), " curl_url_cleanup "(3), " curl_url_get "(3), "
++.BR curl_url_dup "(3), " curl_url_set "(3), " CURLOPT_URL "(3), "
+--
+2.17.2
+
+
+From 4c235b460cf40f8ce0c6ad06b44ecb4dddc128e4 Mon Sep 17 00:00:00 2001
+From: Dave Reisner
+Date: Mon, 10 Sep 2018 09:38:46 -0400
+Subject: [PATCH 07/14] curl_url_set.3: fix typo in reference to
+ CURLU_APPENDQUERY
+
+Upstream-commit: 04110573801feb2f278e2f774087a0525d5e8d0a
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/curl_url_set.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3
+index 0d6e9aa..b2b273f 100644
+--- a/docs/libcurl/curl_url_set.3
++++ b/docs/libcurl/curl_url_set.3
+@@ -75,7 +75,7 @@ If used in with \fICURLU_APPENDQUERY\fP, the provided part will be appended on
+ the end of the existing query - and if the previous part didn't end with an
+ ampersand (&), an ampersand will be inserted before the new appended part.
+
+-When \fCURLU_APPENDQUERY\fP is used together with \fICURLU_URLENCODE\fP,
++When \fICURLU_APPENDQUERY\fP is used together with \fICURLU_URLENCODE\fP,
+ the '=' symbols will not be URL encoded.
+
+ The question mark in the URL is not part of the actual query contents.
+--
+2.17.2
+
+
+From fb07ea0cf9c612b2fad6a113b1d40aa7896fe43a Mon Sep 17 00:00:00 2001
+From: Dave Reisner
+Date: Mon, 10 Sep 2018 09:39:33 -0400
+Subject: [PATCH 08/14] curl_url_set.3: properly escape \n in example code
+
+This yields
+
+ "the scheme is %s\n"
+
+instead of
+
+ "the scheme is %s0
+
+Closes #2970
+
+Upstream-commit: c1e5980f6672a2bd2d26894f093b435f2deb04e0
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/curl_url_get.3 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/libcurl/curl_url_get.3 b/docs/libcurl/curl_url_get.3
+index b1313ea..53f7954 100644
+--- a/docs/libcurl/curl_url_get.3
++++ b/docs/libcurl/curl_url_get.3
+@@ -97,7 +97,7 @@ If this function returns an error, no URL part is returned.
+ char *scheme;
+ rc = curl_url_get(url, CURLUPART_SCHEME, &scheme, 0);
+ if(!rc) {
+- printf("the scheme is %s\n", scheme);
++ printf("the scheme is %s\\n", scheme);
+ curl_free(scheme);
+ }
+ curl_url_cleanup(url);
+--
+2.17.2
+
+
+From 376ae7de5a5a5f5b5513e6055700d010f21d4da3 Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson
+Date: Wed, 19 Sep 2018 13:44:10 +0200
+Subject: [PATCH 09/14] urlapi: don't set value which is never read
+
+In the CURLUPART_URL case, there is no codepath which invokes url
+decoding so remove the assignment of the urldecode variable. This
+fixes the deadstore bug-report from clang static analysis.
+
+Closes #3015
+Reviewed-by: Daniel Stenberg
+
+Upstream-commit: 522e647cc52c45ebdb58d57f242204f9a72c45dd
+Signed-off-by: Kamil Dudka
+---
+ lib/urlapi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index 3183598..127f390 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -970,7 +970,6 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what,
+ char *scheme;
+ char *options = u->options;
+ char *port = u->port;
+- urldecode = FALSE; /* not for the whole thing */
+ if(u->scheme && strcasecompare("file", u->scheme)) {
+ url = aprintf("file://%s%s%s",
+ u->path,
+--
+2.17.2
+
+
+From 26dd137f3ca894e6402a98889d3b182f608d3c7f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 19 Sep 2018 10:17:03 +0200
+Subject: [PATCH 10/14] urlapi: add CURLU_GUESS_SCHEME and fix hostname
+ acceptance
+
+In order for this API to fully work for libcurl itself, it now offers a
+CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
+name prefix just like libcurl always did. If there's no known prefix, it
+will guess "http://".
+
+Separately, it relaxes the check of the host name so that IDN host names
+can be passed in as well.
+
+Both these changes are necessary for libcurl itself to use this API.
+
+Assisted-by: Daniel Gustafsson
+Closes #3018
+
+Upstream-commit: 9307c219ad4741db860b864c860ac2f8bf9fad9d
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/curl_url_set.3 | 10 ++++++++
+ include/curl/urlapi.h | 1 +
+ lib/urlapi.c | 48 ++++++++++++++++++++++++++++---------
+ tests/data/test1560 | 6 +++++
+ tests/libtest/lib1560.c | 26 +++++++++++++++++++-
+ 5 files changed, 79 insertions(+), 12 deletions(-)
+
+diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3
+index b2b273f..95b76bd 100644
+--- a/docs/libcurl/curl_url_set.3
++++ b/docs/libcurl/curl_url_set.3
+@@ -96,6 +96,16 @@ The query part gets space-to-plus conversion before the URL conversion.
+
+ This URL encoding is charset unaware and will convert the input on a
+ byte-by-byte manner.
++.IP CURLU_DEFAULT_SCHEME
++If set, will make libcurl allow the URL to be set without a scheme and then
++sets that to the default scheme: HTTPS. Overrides the \fICURLU_GUESS_SCHEME\fP
++option if both are set.
++.IP CURLU_GUESS_SCHEME
++If set, will make libcurl allow the URL to be set without a scheme and it
++instead "guesses" which scheme that was intended based on the host name. If
++the outermost sub-domain name matches DICT, FTP, IMAP, LDAP, POP3 or SMTP then
++that scheme will be used, otherwise it picks HTTP. Conflicts with the
++\fICURLU_DEFAULT_SCHEME\fP option which takes precendence if both are set.
+ .SH RETURN VALUE
+ Returns a CURLUcode error value, which is CURLUE_OK (0) if everything went
+ fine.
+diff --git a/include/curl/urlapi.h b/include/curl/urlapi.h
+index b16cfce..319de35 100644
+--- a/include/curl/urlapi.h
++++ b/include/curl/urlapi.h
+@@ -75,6 +75,7 @@ typedef enum {
+ #define CURLU_URLDECODE (1<<6) /* URL decode on get */
+ #define CURLU_URLENCODE (1<<7) /* URL encode on set */
+ #define CURLU_APPENDQUERY (1<<8) /* append a form style part */
++#define CURLU_GUESS_SCHEME (1<<9) /* legacy curl-style guessing */
+
+ typedef struct Curl_URL CURLU;
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index 127f390..45f1e14 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -554,7 +554,7 @@ static CURLUcode junkscan(char *part)
+
+ static CURLUcode hostname_check(char *hostname, unsigned int flags)
+ {
+- const char *l; /* accepted characters */
++ const char *l = NULL; /* accepted characters */
+ size_t len;
+ size_t hlen = strlen(hostname);
+ (void)flags;
+@@ -564,14 +564,21 @@ static CURLUcode hostname_check(char *hostname, unsigned int flags)
+ l = "0123456789abcdefABCDEF::.";
+ hlen -= 2;
+ }
+- else /* % for URL escaped letters */
+- l = "0123456789abcdefghijklimnopqrstuvwxyz-_.ABCDEFGHIJKLIMNOPQRSTUVWXYZ%";
+-
+- len = strspn(hostname, l);
+- if(hlen != len)
+- /* hostname with bad content */
+- return CURLUE_MALFORMED_INPUT;
+
++ if(l) {
++ /* only valid letters are ok */
++ len = strspn(hostname, l);
++ if(hlen != len)
++ /* hostname with bad content */
++ return CURLUE_MALFORMED_INPUT;
++ }
++ else {
++ /* letters from the second string is not ok */
++ len = strcspn(hostname, " ");
++ if(hlen != len)
++ /* hostname with bad content */
++ return CURLUE_MALFORMED_INPUT;
++ }
+ return CURLUE_OK;
+ }
+
+@@ -587,7 +594,7 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
+ CURLUcode result;
+ bool url_has_scheme = FALSE;
+ char schemebuf[MAX_SCHEME_LEN];
+- char *schemep;
++ char *schemep = NULL;
+ size_t schemelen = 0;
+ size_t urllen;
+ const struct Curl_handler *h = NULL;
+@@ -723,9 +730,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
+ else {
+ /* no scheme! */
+
+- if(!(flags & CURLU_DEFAULT_SCHEME))
++ if(!(flags & (CURLU_DEFAULT_SCHEME|CURLU_GUESS_SCHEME)))
+ return CURLUE_MALFORMED_INPUT;
+- schemep = (char *) DEFAULT_SCHEME;
++ if(flags & CURLU_DEFAULT_SCHEME)
++ schemep = (char *) DEFAULT_SCHEME;
+
+ /*
+ * The URL was badly formatted, let's try without scheme specified.
+@@ -744,6 +752,24 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
+ memcpy(hostname, hostp, len);
+ hostname[len] = 0;
+
++ if((flags & CURLU_GUESS_SCHEME) && !schemep) {
++ /* legacy curl-style guess based on host name */
++ if(checkprefix("ftp.", hostname))
++ schemep = (char *)"ftp";
++ else if(checkprefix("dict.", hostname))
++ schemep = (char *)"dict";
++ else if(checkprefix("ldap.", hostname))
++ schemep = (char *)"ldap";
++ else if(checkprefix("imap.", hostname))
++ schemep = (char *)"imap";
++ else if(checkprefix("smtp.", hostname))
++ schemep = (char *)"smtp";
++ else if(checkprefix("pop3.", hostname))
++ schemep = (char *)"pop3";
++ else
++ schemep = (char *)"http";
++ }
++
+ len = strlen(p);
+ memcpy(path, p, len);
+ path[len] = 0;
+diff --git a/tests/data/test1560 b/tests/data/test1560
+index 720df03..4b6c97a 100644
+--- a/tests/data/test1560
++++ b/tests/data/test1560
+@@ -16,6 +16,12 @@ none
+ file
+ https
+ http
++pop3
++smtp
++imap
++ldap
++dict
++ftp
+
+
+ URL API
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 669ea9a..30fb582 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -246,8 +246,32 @@ static struct testcase get_parts_list[] ={
+ };
+
+ static struct urltestcase get_url_list[] = {
++ {"smtp.example.com/path/html",
++ "smtp://smtp.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"https.example.com/path/html",
++ "http://https.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"dict.example.com/path/html",
++ "dict://dict.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"pop3.example.com/path/html",
++ "pop3://pop3.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"ldap.example.com/path/html",
++ "ldap://ldap.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"imap.example.com/path/html",
++ "imap://imap.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"ftp.example.com/path/html",
++ "ftp://ftp.example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
++ {"example.com/path/html",
++ "http://example.com/path/html",
++ CURLU_GUESS_SCHEME, 0, CURLUE_OK},
+ {"HTTP://test/", "http://test/", 0, 0, CURLUE_OK},
+- {"http://HO0_-st..~./", "", 0, 0, CURLUE_MALFORMED_INPUT},
++ {"http://HO0_-st..~./", "http://HO0_-st..~./", 0, 0, CURLUE_OK},
+ {"http:/@example.com: 123/", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
+ {"http:/@example.com:123 /", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
+ {"http:/@example.com:123a/", "", 0, 0, CURLUE_BAD_PORT_NUMBER},
+--
+2.17.2
+
+
+From 4e335817d4ac0ee5596363004bfcaaad15bc6127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 19 Sep 2018 11:28:40 +0200
+Subject: [PATCH 11/14] urlapi: document the error codes, remove two unused
+ ones
+
+Assisted-by: Daniel Gustafsson
+Closes #3019
+
+Upstream-commit: 5c73093edb3bd527db9c8abdee53d0f18e6a4cc1
+Signed-off-by: Kamil Dudka
+---
+ docs/libcurl/libcurl-errors.3 | 37 ++++++++++++++++++++++++++++-
+ docs/libcurl/symbols-in-versions | 2 --
+ include/curl/urlapi.h | 8 +++----
+ tests/libtest/lib1560.c | 40 ++++++++++++++++----------------
+ 4 files changed, 59 insertions(+), 28 deletions(-)
+
+diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
+index 30c57b3..411a272 100644
+--- a/docs/libcurl/libcurl-errors.3
++++ b/docs/libcurl/libcurl-errors.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al.
++.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -307,6 +307,41 @@ Not enough memory was available.
+ .IP "CURLSHE_NOT_BUILT_IN (5)"
+ The requested sharing could not be done because the library you use don't have
+ that particular feature enabled. (Added in 7.23.0)
++.SH "CURLUcode"
++.IP "CURLUE_BAD_HANDLE (1)"
++An argument that should be a CURLU pointer was passed in as a NULL.
++.IP "CURLUE_BAD_PARTPOINTER (2)"
++A NULL pointer was passed to the 'part' argument of \fIcurl_url_get(3)\fP.
++.IP "CURLUE_MALFORMED_INPUT (3)"
++A malformed input was passed to a URL API function.
++.IP "CURLUE_BAD_PORT_NUMBER (4)"
++The port number was not a decimal number between 0 and 65535.
++.IP "CURLUE_UNSUPPORTED_SCHEME (5)"
++This libcurl build doesn't support the given URL scheme.
++.IP "CURLUE_URLDECODE (6)"
++URL decode error, most likely because of rubbish in the input.
++.IP "CURLUE_OUT_OF_MEMORY (7)"
++A memory function failed.
++.IP "CURLUE_USER_NOT_ALLOWED (8)"
++Credentials was passed in the URL when prohibited.
++.IP "CURLUE_UNKNOWN_PART (9)"
++An unknown part ID was passed to a URL API function.
++.IP "CURLUE_NO_SCHEME (10)"
++There is no scheme part in the URL.
++.IP "CURLUE_NO_USER (11)"
++There is no user part in the URL.
++.IP "CURLUE_NO_PASSWORD (12)"
++There is no password part in the URL.
++.IP "CURLUE_NO_OPTIONS (13)"
++There is no options part in the URL.
++.IP "CURLUE_NO_HOST (14)"
++There is no host part in the URL.
++.IP "CURLUE_NO_PORT (15)"
++There is no port part in the URL.
++.IP "CURLUE_NO_QUERY (16)"
++There is no query part in the URL.
++.IP "CURLUE_NO_FRAGMENT (17)"
++There is no fragment part in the URL.
+ .SH "SEE ALSO"
+ .BR curl_easy_strerror "(3), " curl_multi_strerror "(3), "
+ .BR curl_share_strerror "(3), " CURLOPT_ERRORBUFFER "(3), "
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index c797cb7..3b3861f 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -736,14 +736,12 @@ CURLUE_NO_FRAGMENT 7.62.0
+ CURLUE_NO_HOST 7.62.0
+ CURLUE_NO_OPTIONS 7.62.0
+ CURLUE_NO_PASSWORD 7.62.0
+-CURLUE_NO_PATH 7.62.0
+ CURLUE_NO_PORT 7.62.0
+ CURLUE_NO_QUERY 7.62.0
+ CURLUE_NO_SCHEME 7.62.0
+ CURLUE_NO_USER 7.62.0
+ CURLUE_OK 7.62.0
+ CURLUE_OUT_OF_MEMORY 7.62.0
+-CURLUE_RELATIVE 7.62.0
+ CURLUE_UNKNOWN_PART 7.62.0
+ CURLUE_UNSUPPORTED_SCHEME 7.62.0
+ CURLUE_URLDECODE 7.62.0
+diff --git a/include/curl/urlapi.h b/include/curl/urlapi.h
+index 319de35..90dd56c 100644
+--- a/include/curl/urlapi.h
++++ b/include/curl/urlapi.h
+@@ -35,7 +35,7 @@ typedef enum {
+ CURLUE_BAD_PORT_NUMBER, /* 4 */
+ CURLUE_UNSUPPORTED_SCHEME, /* 5 */
+ CURLUE_URLDECODE, /* 6 */
+- CURLUE_RELATIVE, /* 7 */
++ CURLUE_OUT_OF_MEMORY, /* 7 */
+ CURLUE_USER_NOT_ALLOWED, /* 8 */
+ CURLUE_UNKNOWN_PART, /* 9 */
+ CURLUE_NO_SCHEME, /* 10 */
+@@ -44,10 +44,8 @@ typedef enum {
+ CURLUE_NO_OPTIONS, /* 13 */
+ CURLUE_NO_HOST, /* 14 */
+ CURLUE_NO_PORT, /* 15 */
+- CURLUE_NO_PATH, /* 16 */
+- CURLUE_NO_QUERY, /* 17 */
+- CURLUE_NO_FRAGMENT, /* 18 */
+- CURLUE_OUT_OF_MEMORY /* 19 */
++ CURLUE_NO_QUERY, /* 16 */
++ CURLUE_NO_FRAGMENT /* 17 */
+ } CURLUcode;
+
+ typedef enum {
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 30fb582..224cb88 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -129,7 +129,7 @@ struct querycase {
+
+ static struct testcase get_parts_list[] ={
+ {"https://127.0.0.1:443",
+- "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [17] | [18]",
++ "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [16] | [17]",
+ 0, CURLU_NO_DEFAULT_PORT, CURLUE_OK},
+ {"http://%3a:%3a@ex%0ample/%3f+?+%3f+%23#+%23%3f%g7",
+ "http | : | : | [13] | [6] | [15] | /?+ | ? # | +#?%g7",
+@@ -138,43 +138,43 @@ static struct testcase get_parts_list[] ={
+ "http | %3a | %3a | [13] | ex%0ample | [15] | /%3f | %3f%35 | %35%3f%g7",
+ 0, 0, CURLUE_OK},
+ {"http://HO0_-st%41/",
+- "http | [11] | [12] | [13] | HO0_-st%41 | [15] | / | [17] | [18]",
++ "http | [11] | [12] | [13] | HO0_-st%41 | [15] | / | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"file://hello.html",
+ "",
+ 0, 0, CURLUE_MALFORMED_INPUT},
+ {"http://HO0_-st/",
+- "http | [11] | [12] | [13] | HO0_-st | [15] | / | [17] | [18]",
++ "http | [11] | [12] | [13] | HO0_-st | [15] | / | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"imap://user:pass;option@server/path",
+- "imap | user | pass | option | server | [15] | /path | [17] | [18]",
++ "imap | user | pass | option | server | [15] | /path | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"http://user:pass;option@server/path",
+- "http | user | pass;option | [13] | server | [15] | /path | [17] | [18]",
++ "http | user | pass;option | [13] | server | [15] | /path | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"file:/hello.html",
+- "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"file://127.0.0.1/hello.html",
+- "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"file:////hello.html",
+- "file | [11] | [12] | [13] | [14] | [15] | //hello.html | [17] | [18]",
++ "file | [11] | [12] | [13] | [14] | [15] | //hello.html | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"file:///hello.html",
+- "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [17] | [18]",
++ "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [16] | [17]",
+ 0, 0, CURLUE_OK},
+ {"https://127.0.0.1",
+- "https | [11] | [12] | [13] | 127.0.0.1 | 443 | / | [17] | [18]",
++ "https | [11] | [12] | [13] | 127.0.0.1 | 443 | / | [16] | [17]",
+ 0, CURLU_DEFAULT_PORT, CURLUE_OK},
+ {"https://127.0.0.1",
+- "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [17] | [18]",
++ "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://[::1]:1234",
+- "https | [11] | [12] | [13] | [::1] | 1234 | / | [17] | [18]",
++ "https | [11] | [12] | [13] | [::1] | 1234 | / | [16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://127abc.com",
+- "https | [11] | [12] | [13] | 127abc.com | [15] | / | [17] | [18]",
++ "https | [11] | [12] | [13] | 127abc.com | [15] | / | [16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https:// example.com?check",
+ "",
+@@ -183,7 +183,7 @@ static struct testcase get_parts_list[] ={
+ "",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
+ {"https://example.com?check",
+- "https | [11] | [12] | [13] | example.com | [15] | / | check | [18]",
++ "https | [11] | [12] | [13] | example.com | [15] | / | check | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://example.com:65536",
+ "",
+@@ -193,27 +193,27 @@ static struct testcase get_parts_list[] ={
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_BAD_PORT_NUMBER},
+ {"https://example.com:01#moo",
+ "https | [11] | [12] | [13] | example.com | 1 | / | "
+- "[17] | moo",
++ "[16] | moo",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://example.com:1#moo",
+ "https | [11] | [12] | [13] | example.com | 1 | / | "
+- "[17] | moo",
++ "[16] | moo",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"http://example.com#moo",
+ "http | [11] | [12] | [13] | example.com | [15] | / | "
+- "[17] | moo",
++ "[16] | moo",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"http://example.com",
+ "http | [11] | [12] | [13] | example.com | [15] | / | "
+- "[17] | [18]",
++ "[16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"http://example.com/path/html",
+ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
+- "[17] | [18]",
++ "[16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"http://example.com/path/html?query=name",
+ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
+- "query=name | [18]",
++ "query=name | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"http://example.com/path/html?query=name#anchor",
+ "http | [11] | [12] | [13] | example.com | [15] | /path/html | "
+--
+2.17.2
+
+
+From 88dfdac2fc1b34a321a323868ea06116c72fe6d2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 21 Sep 2018 08:17:39 +0200
+Subject: [PATCH 12/14] urlapi: fix support for address scope in IPv6 numerical
+ addresses
+
+Closes #3024
+
+Upstream-commit: 2097cd515289581df5dfb6eeb5942d083a871fa4
+Signed-off-by: Kamil Dudka
+---
+ lib/urlapi-int.h | 4 ++++
+ lib/urlapi.c | 8 ++------
+ tests/libtest/lib1560.c | 3 +++
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lib/urlapi-int.h b/lib/urlapi-int.h
+index 7ac09fd..a5bb8ea 100644
+--- a/lib/urlapi-int.h
++++ b/lib/urlapi-int.h
+@@ -22,6 +22,10 @@
+ *
+ ***************************************************************************/
+ #include "curl_setup.h"
++/* scheme is not URL encoded, the longest libcurl supported ones are 6
++ letters */
++#define MAX_SCHEME_LEN 8
++
+ bool Curl_is_absolute_url(const char *url, char *scheme, size_t buflen);
+ char *Curl_concat_url(const char *base, const char *relurl);
+ size_t Curl_strlen_url(const char *url, bool relative);
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index 45f1e14..a12112e 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -53,10 +53,6 @@ struct Curl_URL {
+
+ #define DEFAULT_SCHEME "https"
+
+-/* scheme is not URL encoded, the longest libcurl supported ones are 6
+- letters */
+-#define MAX_SCHEME_LEN 8
+-
+ static void free_urlhandle(struct Curl_URL *u)
+ {
+ free(u->scheme);
+@@ -480,7 +476,7 @@ static CURLUcode parse_port(struct Curl_URL *u, char *hostname)
+ char endbracket;
+ int len;
+
+- if((1 == sscanf(hostname, "[%*45[0123456789abcdefABCDEF:.]%c%n",
++ if((1 == sscanf(hostname, "[%*45[0123456789abcdefABCDEF:.%%]%c%n",
+ &endbracket, &len)) &&
+ (']' == endbracket)) {
+ /* this is a RFC2732-style specified IP-address */
+@@ -561,7 +557,7 @@ static CURLUcode hostname_check(char *hostname, unsigned int flags)
+
+ if(hostname[0] == '[') {
+ hostname++;
+- l = "0123456789abcdefABCDEF::.";
++ l = "0123456789abcdefABCDEF::.%";
+ hlen -= 2;
+ }
+
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 224cb88..7a5be81 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -128,6 +128,9 @@ struct querycase {
+ };
+
+ static struct testcase get_parts_list[] ={
++ {"https://[::1%252]:1234",
++ "https | [11] | [12] | [13] | [::1%252] | 1234 | / | [16] | [17]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://127.0.0.1:443",
+ "https | [11] | [12] | [13] | 127.0.0.1 | [15] | / | [16] | [17]",
+ 0, CURLU_NO_DEFAULT_PORT, CURLUE_OK},
+--
+2.17.2
+
+
+From 6c9f3f4bc604ba06a4f43807ace9189503a5e9fc Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 2 Nov 2018 15:11:16 +0100
+Subject: [PATCH 13/14] URL: fix IPv6 numeral address parser
+
+Regression from 46e164069d1a52. Extended test 1560 to verify.
+
+Reported-by: tpaukrt on github
+Fixes #3218
+Closes #3219
+
+Upstream-commit: b28094833a971870fd8c07960b3b12bf6fbbaad3
+Signed-off-by: Kamil Dudka
+---
+ lib/urlapi.c | 8 ++++++--
+ tests/libtest/lib1560.c | 9 +++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index a12112e..8626052 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -481,8 +481,12 @@ static CURLUcode parse_port(struct Curl_URL *u, char *hostname)
+ (']' == endbracket)) {
+ /* this is a RFC2732-style specified IP-address */
+ portptr = &hostname[len];
+- if (*portptr != ':')
+- return CURLUE_MALFORMED_INPUT;
++ if(*portptr) {
++ if(*portptr != ':')
++ return CURLUE_MALFORMED_INPUT;
++ }
++ else
++ portptr = NULL;
+ }
+ else
+ portptr = strchr(hostname, ':');
+diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
+index 7a5be81..483035c 100644
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -128,6 +128,15 @@ struct querycase {
+ };
+
+ static struct testcase get_parts_list[] ={
++ {"http://[fd00:a41::50]:8080",
++ "http | [11] | [12] | [13] | [fd00:a41::50] | 8080 | / | [16] | [17]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://[fd00:a41::50]/",
++ "http | [11] | [12] | [13] | [fd00:a41::50] | [15] | / | [16] | [17]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
++ {"http://[fd00:a41::50]",
++ "http | [11] | [12] | [13] | [fd00:a41::50] | [15] | / | [16] | [17]",
++ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+ {"https://[::1%252]:1234",
+ "https | [11] | [12] | [13] | [::1%252] | 1234 | / | [16] | [17]",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
+--
+2.17.2
+
+
+From 9fa7298750c1d66331dc55a202277b131868c048 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 2 Jan 2019 20:18:27 +0100
+Subject: [PATCH 14/14] xattr: strip credentials from any URL that is stored
+
+Both user and password are cleared uncondtitionally.
+
+Added unit test 1621 to verify.
+
+Fixes #3423
+Closes #3433
+
+Upstream-commit: 98e6629154044e4ab1ee7cff8351c7ebcb131e88
+Signed-off-by: Kamil Dudka
+---
+ src/tool_xattr.c | 63 +++++++++++++++++++++++++----
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1621 | 27 +++++++++++++
+ tests/unit/Makefile.inc | 6 ++-
+ tests/unit/unit1621.c | 89 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 177 insertions(+), 10 deletions(-)
+ create mode 100644 tests/data/test1621
+ create mode 100644 tests/unit/unit1621.c
+
+diff --git a/src/tool_xattr.c b/src/tool_xattr.c
+index 92b99db..730381b 100644
+--- a/src/tool_xattr.c
++++ b/src/tool_xattr.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -49,6 +49,46 @@ static const struct xattr_mapping {
+ { NULL, CURLINFO_NONE } /* last element, abort loop here */
+ };
+
++/* returns TRUE if a new URL is returned, that then needs to be freed */
++/* @unittest: 1621 */
++#ifdef UNITTESTS
++bool stripcredentials(char **url);
++#else
++static
++#endif
++bool stripcredentials(char **url)
++{
++ CURLU *u;
++ CURLUcode uc;
++ char *nurl;
++ u = curl_url();
++ if(u) {
++ uc = curl_url_set(u, CURLUPART_URL, *url, 0);
++ if(uc)
++ goto error;
++
++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++ if(uc)
++ goto error;
++
++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++ if(uc)
++ goto error;
++
++ uc = curl_url_get(u, CURLUPART_URL, &nurl, 0);
++ if(uc)
++ goto error;
++
++ curl_url_cleanup(u);
++
++ *url = nurl;
++ return TRUE;
++ }
++ error:
++ curl_url_cleanup(u);
++ return FALSE;
++}
++
+ /* store metadata from the curl request alongside the downloaded
+ * file using extended attributes
+ */
+@@ -62,17 +102,24 @@ int fwrite_xattr(CURL *curl, int fd)
+ char *value = NULL;
+ CURLcode result = curl_easy_getinfo(curl, mappings[i].info, &value);
+ if(!result && value) {
++ bool freeptr = FALSE;
++ if(CURLINFO_EFFECTIVE_URL == mappings[i].info)
++ freeptr = stripcredentials(&value);
++ if(value) {
+ #ifdef HAVE_FSETXATTR_6
+- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
++ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
+ #elif defined(HAVE_FSETXATTR_5)
+- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
++ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
+ #elif defined(__FreeBSD_version)
+- err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, value,
+- strlen(value));
+- /* FreeBSD's extattr_set_fd returns the length of the extended attribute
+- */
+- err = err < 0 ? err : 0;
++ err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr,
++ value, strlen(value));
++ /* FreeBSD's extattr_set_fd returns the length of the extended
++ attribute */
++ err = err < 0 ? err : 0;
+ #endif
++ if(freeptr)
++ curl_free(value);
++ }
+ }
+ i++;
+ }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index dd38f89..6172b77 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -182,7 +182,7 @@ test1560 \
+ \
+ test1590 \
+ test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
+-test1608 test1609 \
++test1608 test1609 test1621 \
+ \
+ test1700 test1701 test1702 \
+ \
+diff --git a/tests/data/test1621 b/tests/data/test1621
+new file mode 100644
+index 0000000..1117d1b
+--- /dev/null
++++ b/tests/data/test1621
+@@ -0,0 +1,27 @@
++
++
++
++unittest
++stripcredentials
++
++
++
++#
++# Client-side
++
++
++none
++
++
++unittest
++https
++
++
++unit tests for stripcredentials from URL
++
++
++unit1621
++
++
++
++
+diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc
+index 8b1a607..82eaec7 100644
+--- a/tests/unit/Makefile.inc
++++ b/tests/unit/Makefile.inc
+@@ -10,7 +10,7 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \
+ unit1330 unit1394 unit1395 unit1396 unit1397 unit1398 \
+ unit1399 \
+ unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
+- unit1608 unit1609
++ unit1608 unit1609 unit1621
+
+ unit1300_SOURCES = unit1300.c $(UNITFILES)
+ unit1300_CPPFLAGS = $(AM_CPPFLAGS)
+@@ -95,3 +95,7 @@ unit1608_CPPFLAGS = $(AM_CPPFLAGS)
+
+ unit1609_SOURCES = unit1609.c $(UNITFILES)
+ unit1609_CPPFLAGS = $(AM_CPPFLAGS)
++
++unit1621_SOURCES = unit1621.c $(UNITFILES)
++unit1621_CPPFLAGS = $(AM_CPPFLAGS)
++unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la
+diff --git a/tests/unit/unit1621.c b/tests/unit/unit1621.c
+new file mode 100644
+index 0000000..6e07b6e
+--- /dev/null
++++ b/tests/unit/unit1621.c
+@@ -0,0 +1,89 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "curlcheck.h"
++
++#include "urldata.h"
++#include "url.h"
++
++#include "memdebug.h" /* LAST include file */
++
++static CURLcode unit_setup(void)
++{
++ return CURLE_OK;
++}
++
++static void unit_stop(void)
++{
++}
++
++#ifdef __MINGW32__
++UNITTEST_START
++{
++ return 0;
++}
++UNITTEST_STOP
++#else
++
++bool stripcredentials(char **url);
++
++struct checkthis {
++ const char *input;
++ const char *output;
++};
++
++static struct checkthis tests[] = {
++ { "ninja://foo@example.com", "ninja://foo@example.com" },
++ { "https://foo@example.com", "https://example.com/" },
++ { "https://localhost:45", "https://localhost:45/" },
++ { "https://foo@localhost:45", "https://localhost:45/" },
++ { "http://daniel:password@localhost", "http://localhost/" },
++ { "http://daniel@localhost", "http://localhost/" },
++ { "http://localhost/", "http://localhost/" },
++ { NULL, NULL } /* end marker */
++};
++
++UNITTEST_START
++{
++ bool cleanup;
++ char *url;
++ int i;
++ int rc = 0;
++
++ for(i = 0; tests[i].input; i++) {
++ url = (char *)tests[i].input;
++ cleanup = stripcredentials(&url);
++ printf("Test %u got input \"%s\", output: \"%s\"\n",
++ i, tests[i].input, url);
++
++ if(strcmp(tests[i].output, url)) {
++ fprintf(stderr, "Test %u got input \"%s\", expected output \"%s\"\n"
++ " Actual output: \"%s\"\n", i, tests[i].input, tests[i].output,
++ url);
++ rc++;
++ }
++ if(cleanup)
++ curl_free(url);
++ }
++ return rc;
++}
++UNITTEST_STOP
++#endif
+--
+2.17.2
+
diff --git a/SOURCES/0009-curl-7.61.1-CVE-2018-16890.patch b/SOURCES/0009-curl-7.61.1-CVE-2018-16890.patch
new file mode 100644
index 0000000..0a15ade
--- /dev/null
+++ b/SOURCES/0009-curl-7.61.1-CVE-2018-16890.patch
@@ -0,0 +1,36 @@
+From 81c0e81531623251a0e78f7779c049f530abe733 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+
+Upstream-commit: b780b30d1377adb10bbe774835f49e9b237fb9bb
+Signed-off-by: Kamil Dudka
+---
+ lib/vauth/ntlm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index cdb8d8f..b614cda 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
+--
+2.17.2
+
diff --git a/SOURCES/0010-curl-7.61.1-CVE-2019-3822.patch b/SOURCES/0010-curl-7.61.1-CVE-2019-3822.patch
new file mode 100644
index 0000000..c860817
--- /dev/null
+++ b/SOURCES/0010-curl-7.61.1-CVE-2019-3822.patch
@@ -0,0 +1,41 @@
+From ab22e3a00f04b458039c21111cfa448051e5777d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+
+Upstream-commit: 50c9484278c63b958655a717844f0721263939cc
+Signed-off-by: Kamil Dudka
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index b614cda..a3a55d9 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
+--
+2.17.2
+
diff --git a/SOURCES/0011-curl-7.61.1-CVE-2019-3823.patch b/SOURCES/0011-curl-7.61.1-CVE-2019-3823.patch
new file mode 100644
index 0000000..d1d259f
--- /dev/null
+++ b/SOURCES/0011-curl-7.61.1-CVE-2019-3823.patch
@@ -0,0 +1,50 @@
+From d26f1025d0a0a6c602d758a2e0917759492473e9 Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson
+Date: Sat, 19 Jan 2019 00:42:47 +0100
+Subject: [PATCH] smtp: avoid risk of buffer overflow in strtol
+
+If the incoming len 5, but the buffer does not have a termination
+after 5 bytes, the strtol() call may keep reading through the line
+buffer until is exceeds its boundary. Fix by ensuring that we are
+using a bounded read with a temporary buffer on the stack.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
+Reported-by: Brian Carpenter (Geeknik Labs)
+CVE-2019-3823
+
+Upstream-commit: 39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
+Signed-off-by: Kamil Dudka
+---
+ lib/smtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smtp.c b/lib/smtp.c
+index ecf10a4..1b9f92d 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len,
+ Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
+ only send the response code instead as per Section 4.2. */
+ if(line[3] == ' ' || len == 5) {
++ char tmpline[6];
++
+ result = TRUE;
+- *resp = curlx_sltosi(strtol(line, NULL, 10));
++ memset(tmpline, '\0', sizeof(tmpline));
++ memcpy(tmpline, line, (len == 5 ? 5 : 3));
++ *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
+
+ /* Make sure real server never sends internal value */
+ if(*resp == 1)
+--
+2.17.2
+
diff --git a/SOURCES/0014-curl-7.61.1-libssh-socket.patch b/SOURCES/0014-curl-7.61.1-libssh-socket.patch
new file mode 100644
index 0000000..83c9cc7
--- /dev/null
+++ b/SOURCES/0014-curl-7.61.1-libssh-socket.patch
@@ -0,0 +1,66 @@
+From 095d4cf3b1c388b2871e3783f8c41b1e01200a25 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Felix=20H=C3=A4dicke?=
+Date: Wed, 23 Jan 2019 23:47:55 +0100
+Subject: [PATCH] libssh: do not let libssh create socket
+
+By default, libssh creates a new socket, instead of using the socket
+created by curl for SSH connections.
+
+Pass the socket created by curl to libssh using ssh_options_set() with
+SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
+instead of creating a new one.
+
+This approach is very similar to what is done in the libssh2 code, where
+the socket created by curl is passed to libssh2 when
+libssh2_session_startup() is called.
+
+Fixes #3491
+Closes #3495
+
+Upstream-commit: 15c94b310bf9e0c92d71fca5a88eb67a1e2548a6
+Signed-off-by: Kamil Dudka
+---
+ lib/ssh-libssh.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
+index 7d59089..4110be2 100644
+--- a/lib/ssh-libssh.c
++++ b/lib/ssh-libssh.c
+@@ -549,6 +549,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+ struct Curl_easy *data = conn->data;
+ struct SSHPROTO *protop = data->req.protop;
+ struct ssh_conn *sshc = &conn->proto.sshc;
++ curl_socket_t sock = conn->sock[FIRSTSOCKET];
+ int rc = SSH_NO_ERROR, err;
+ char *new_readdir_line;
+ int seekerr = CURL_SEEKFUNC_OK;
+@@ -792,7 +793,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
+
+ Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSH is connected */
+
+- conn->sockfd = ssh_get_fd(sshc->ssh_session);
++ conn->sockfd = sock;
+ conn->writesockfd = CURL_SOCKET_BAD;
+
+ if(conn->handler->protocol == CURLPROTO_SFTP) {
+@@ -2048,6 +2049,7 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
+ {
+ struct ssh_conn *ssh;
+ CURLcode result;
++ curl_socket_t sock = conn->sock[FIRSTSOCKET];
+ struct Curl_easy *data = conn->data;
+ int rc;
+
+@@ -2076,6 +2078,8 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
+ return CURLE_FAILED_INIT;
+ }
+
++ ssh_options_set(ssh->ssh_session, SSH_OPTIONS_FD, &sock);
++
+ if(conn->user) {
+ infof(data, "User: %s\n", conn->user);
+ ssh_options_set(ssh->ssh_session, SSH_OPTIONS_USER, conn->user);
+--
+2.17.2
+
diff --git a/SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch b/SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
new file mode 100644
index 0000000..8b0e453
--- /dev/null
+++ b/SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
@@ -0,0 +1,31 @@
+From 55a27027d5f024a0ecc2c23c81ed99de6192c9f3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 3 May 2019 22:20:37 +0200
+Subject: [PATCH] tftp: use the current blksize for recvfrom()
+
+bug: https://curl.haxx.se/docs/CVE-2019-5436.html
+Reported-by: l00p3r on hackerone
+CVE-2019-5436
+
+Upstream-commit: 2576003415625d7b5f0e390902f8097830b82275
+Signed-off-by: Kamil Dudka
+---
+ lib/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 269b3cd..4f2a131 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = TFTP_BLKSIZE_DEFAULT;
++ state->blksize = blksize;
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
+--
+2.20.1
+
diff --git a/SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch b/SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
new file mode 100644
index 0000000..f3785ec
--- /dev/null
+++ b/SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
@@ -0,0 +1,158 @@
+From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 16:59:56 +0200
+Subject: [PATCH 1/2] tftp: return error when packet is too small for options
+
+Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b
+Signed-off-by: Kamil Dudka
+---
+ lib/tftp.c | 53 +++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 289cda2..4532170 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state,
+ return CURLE_OK;
+ }
+
+-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize,
+- char *buf, const char *option)
++static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize,
++ char *buf, const char *option)
+ {
+- if(( strlen(option) + csize + 1) > (size_t)state->blksize)
+- return 0;
++ if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
++ return CURLE_TFTP_ILLEGAL;
+ strcpy(buf, option);
+- return strlen(option) + 1;
++ *csize += strlen(option) + 1;
++ return CURLE_OK;
+ }
+
+ static CURLcode tftp_connect_for_tx(tftp_state_data_t *state,
+@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+ else
+ strcpy(buf, "0"); /* the destination is large enough */
+
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes,
+- TFTP_OPTION_TSIZE);
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes, buf);
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes,
++ TFTP_OPTION_TSIZE);
++ if(result == CURLE_OK)
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes, buf);
++
+ /* add blksize option */
+ snprintf(buf, sizeof(buf), "%d", state->requested_blksize);
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes,
+- TFTP_OPTION_BLKSIZE);
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes, buf);
++ if(result == CURLE_OK)
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes,
++ TFTP_OPTION_BLKSIZE);
++ if(result == CURLE_OK)
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes, buf);
+
+ /* add timeout option */
+ snprintf(buf, sizeof(buf), "%d", state->retry_time);
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes,
+- TFTP_OPTION_INTERVAL);
+- sbytes += tftp_option_add(state, sbytes,
+- (char *)state->spacket.data + sbytes, buf);
++ if(result == CURLE_OK)
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes,
++ TFTP_OPTION_INTERVAL);
++ if(result == CURLE_OK)
++ result = tftp_option_add(state, &sbytes,
++ (char *)state->spacket.data + sbytes, buf);
++
++ if(result != CURLE_OK) {
++ failf(data, "TFTP buffer too small for options");
++ free(filename);
++ return CURLE_TFTP_ILLEGAL;
++ }
+ }
+
+ /* the typecase for the 3rd argument is mostly for systems that do
+--
+2.20.1
+
+
+From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK
+ is received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+
+Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d
+Signed-off-by: Kamil Dudka
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 4532170..5651b62 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -982,6 +982,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -996,15 +997,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -1018,7 +1024,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
+--
+2.20.1
+
diff --git a/SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch b/SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
new file mode 100644
index 0000000..2cd79df
--- /dev/null
+++ b/SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
@@ -0,0 +1,46 @@
+From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+
+Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
+Signed-off-by: Kamil Dudka
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2d..c5e4e13 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+--
+2.20.1
+
diff --git a/SOURCES/0020-curl-7.61.1-openssl-engines.patch b/SOURCES/0020-curl-7.61.1-openssl-engines.patch
new file mode 100644
index 0000000..d8c5579
--- /dev/null
+++ b/SOURCES/0020-curl-7.61.1-openssl-engines.patch
@@ -0,0 +1,33 @@
+From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 24 Sep 2018 08:26:58 +0200
+Subject: [PATCH] openssl: load built-in engines too
+
+Regression since 38203f1
+
+Reported-by: Jean Fabrice
+Fixes #3023
+Closes #3040
+
+Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/openssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 78970d1..d8bcc4f 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
+
+ OPENSSL_load_builtin_modules();
+
+-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
++#ifdef USE_OPENSSL_ENGINE
+ ENGINE_load_builtin_engines();
+ #endif
+
+--
+2.25.4
+
diff --git a/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
new file mode 100644
index 0000000..388e0c4
--- /dev/null
+++ b/SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
@@ -0,0 +1,59 @@
+From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
+Signed-off-by: Kamil Dudka
+---
+ src/tool_cb_hdr.c | 13 ++++---------
+ src/tool_getparam.c | 5 +++++
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
+ filename = parse_filename(p, len);
+ if(filename) {
+ if(outs->stream) {
+- /* already opened and possibly written to */
+- if(outs->fopened)
+- fclose(outs->stream);
+- outs->stream = NULL;
+-
+- /* rename the initial file name to the new file name */
+- rename(outs->filename, filename);
+- if(outs->alloc_filename)
+- free(outs->filename);
++ /* indication of problem, get out! */
++ free(filename);
++ return failure;
+ }
++
+ outs->is_cd_filename = TRUE;
+ outs->s_isreg = TRUE;
+ outs->fopened = FALSE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ }
+ break;
+ case 'i':
++ if(config->content_disposition) {
++ warnf(global,
++ "--include and --remote-header-name cannot be combined.\n");
++ return PARAM_BAD_USE;
++ }
+ config->show_headers = toggle; /* show the headers as well in the
+ general output stream */
+ break;
+--
+2.21.3
+
diff --git a/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
new file mode 100644
index 0000000..6d0c10c
--- /dev/null
+++ b/SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
@@ -0,0 +1,143 @@
+From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 16 Aug 2020 11:34:35 +0200
+Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
+
+CVE-2020-8231
+
+Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
+
+Reported-by: Marc Aldorasi
+Closes #5824
+
+Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
+Signed-off-by: Kamil Dudka
+---
+ lib/connect.c | 19 ++++++++++---------
+ lib/easy.c | 3 +--
+ lib/multi.c | 5 +++--
+ lib/url.c | 2 +-
+ lib/urldata.h | 2 +-
+ 5 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 41f2202..f724646 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
+ }
+
+ struct connfind {
+- struct connectdata *tofind;
+- bool found;
++ long id_tofind;
++ struct connectdata *found;
+ };
+
+ static int conn_is_conn(struct connectdata *conn, void *param)
+ {
+ struct connfind *f = (struct connfind *)param;
+- if(conn == f->tofind) {
+- f->found = TRUE;
++ if(conn->connection_id == f->id_tofind) {
++ f->found = conn;
+ return 1;
+ }
+ return 0;
+@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
+ * - that is associated with a multi handle, and whose connection
+ * was detached with CURLOPT_CONNECT_ONLY
+ */
+- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
+- struct connectdata *c = data->state.lastconnect;
++ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
++ struct connectdata *c;
+ struct connfind find;
+- find.tofind = data->state.lastconnect;
+- find.found = FALSE;
++ find.id_tofind = data->state.lastconnect_id;
++ find.found = NULL;
+
+ Curl_conncache_foreach(data, data->multi_easy?
+ &data->multi_easy->conn_cache:
+ &data->multi->conn_cache, &find, conn_is_conn);
+
+ if(!find.found) {
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ return CURL_SOCKET_BAD;
+ }
+
++ c = find.found;
+ if(connp) {
+ /* only store this if the caller cares for it */
+ *connp = c;
+diff --git a/lib/easy.c b/lib/easy.c
+index 027d0be..fe61cdd 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
+
+ /* the connection cache is setup on demand */
+ outcurl->state.conn_cache = NULL;
+-
+- outcurl->state.lastconnect = NULL;
++ outcurl->state.lastconnect_id = -1;
+
+ outcurl->progress.flags = data->progress.flags;
+ outcurl->progress.callback = data->progress.callback;
+diff --git a/lib/multi.c b/lib/multi.c
+index 0caf943..0f57fd5 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
+ data->state.conn_cache = &data->share->conn_cache;
+ else
+ data->state.conn_cache = &multi->conn_cache;
++ data->state.lastconnect_id = -1;
+
+ #ifdef USE_LIBPSL
+ /* Do the same for PSL. */
+@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
+ /* the connection is no longer in use by this transfer */
+ if(Curl_conncache_return_conn(conn)) {
+ /* remember the most recently used connection */
+- data->state.lastconnect = conn;
++ data->state.lastconnect_id = conn->connection_id;
+ infof(data, "%s\n", buffer);
+ }
+ else
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+ }
+
+ *connp = NULL; /* to make the caller of this function better detect that
+diff --git a/lib/url.c b/lib/url.c
+index dcc6cc8..d65d17d 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
+ Curl_initinfo(data);
+
+ /* most recent connection is not yet defined */
+- data->state.lastconnect = NULL;
++ data->state.lastconnect_id = -1;
+
+ data->progress.flags |= PGRS_HIDE;
+ data->state.current_speed = -1; /* init to negative == impossible */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 67db3b2..4b70cc5 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1219,7 +1219,7 @@ struct UrlState {
+ /* buffers to store authentication data in, as parsed from input options */
+ struct curltime keeps_speed; /* for the progress meter really */
+
+- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
++ long lastconnect_id; /* The last connection, -1 if undefined */
+
+ char *headerbuff; /* allocated buffer to store headers in */
+ size_t headersize; /* size of the allocation */
+--
+2.25.4
+
diff --git a/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
new file mode 100644
index 0000000..f6bcb01
--- /dev/null
+++ b/SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
@@ -0,0 +1,60 @@
+From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Ba=C5=A1ti?=
+Date: Thu, 27 Aug 2020 23:09:56 +0200
+Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
+
+... in case NO_PROXY takes an effect
+
+Without this patch, the following command crashes:
+
+ $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
+ git clone https://github.com/curl/curl.git
+
+Minimal libcurl-based reproducer:
+
+ #include
+
+ int main() {
+ CURL *curl = curl_easy_init();
+ if(curl) {
+ CURLcode ret;
+ curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
+ curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
+ /* set the proxy type */
+ curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
+ curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
+ curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+ ret = curl_easy_perform(curl);
+ curl_easy_cleanup(curl);
+ return ret;
+ }
+ return -1;
+ }
+
+Assisted-by: Kamil Dudka
+Bug: https://bugzilla.redhat.com/1873327
+Closes #5902
+
+Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
+Signed-off-by: Kamil Dudka
+---
+ lib/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/url.c b/lib/url.c
+index d65d17d..e77f391 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
+ conn->bits.socksproxy = FALSE;
+ conn->bits.proxy_user_passwd = FALSE;
+ conn->bits.tunnel_proxy = FALSE;
++ /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
++ to signal that CURLPROXY_HTTPS is not used for this connection */
++ conn->http_proxy.proxytype = CURLPROXY_HTTP;
+ }
+
+ out:
+--
+2.25.4
+
diff --git a/SOURCES/0101-curl-7.32.0-multilib.patch b/SOURCES/0101-curl-7.32.0-multilib.patch
new file mode 100644
index 0000000..532980e
--- /dev/null
+++ b/SOURCES/0101-curl-7.32.0-multilib.patch
@@ -0,0 +1,89 @@
+From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Fri, 12 Apr 2013 12:04:05 +0200
+Subject: [PATCH] prevent multilib conflicts on the curl-config script
+
+---
+ curl-config.in | 21 +++------------------
+ docs/curl-config.1 | 4 +++-
+ libcurl.pc.in | 1 +
+ 3 files changed, 7 insertions(+), 19 deletions(-)
+
+diff --git a/curl-config.in b/curl-config.in
+index 150004d..95d0759 100644
+--- a/curl-config.in
++++ b/curl-config.in
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
+ ;;
+
+ --cc)
+- echo "@CC@"
++ echo "gcc"
+ ;;
+
+ --prefix)
+@@ -143,32 +143,17 @@ while test $# -gt 0; do
+ ;;
+
+ --libs)
+- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
+- CURLLIBDIR="-L@libdir@ "
+- else
+- CURLLIBDIR=""
+- fi
+- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
+- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
+- else
+- echo ${CURLLIBDIR}-lcurl
+- fi
++ echo -lcurl
+ ;;
+ --ssl-backends)
+ echo "@SSL_BACKENDS@"
+ ;;
+
+ --static-libs)
+- if test "X@ENABLE_STATIC@" != "Xno" ; then
+- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
+- else
+- echo "curl was built with static libraries disabled" >&2
+- exit 1
+- fi
+ ;;
+
+ --configure)
+- echo @CONFIGURE_OPTIONS@
++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+ ;;
+
+ *)
+diff --git a/docs/curl-config.1 b/docs/curl-config.1
+index 14a9d2b..ffcc004 100644
+--- a/docs/curl-config.1
++++ b/docs/curl-config.1
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
+ .IP "--static-libs"
+ Shows the complete set of libs and other linker options you will need in order
+-to link your application with libcurl statically. (Added in 7.17.1)
++to link your application with libcurl statically. Note that Fedora/RHEL libcurl
++packages do not provide any static libraries, thus cannot be linked statically.
++(Added in 7.17.1)
+ .IP "--version"
+ Outputs version information about the installed libcurl.
+ .IP "--vernum"
+diff --git a/libcurl.pc.in b/libcurl.pc.in
+index 2ba9c39..f8f8b00 100644
+--- a/libcurl.pc.in
++++ b/libcurl.pc.in
+@@ -29,6 +29,7 @@ libdir=@libdir@
+ includedir=@includedir@
+ supported_protocols="@SUPPORT_PROTOCOLS@"
+ supported_features="@SUPPORT_FEATURES@"
++configure_options=@CONFIGURE_OPTIONS@
+
+ Name: libcurl
+ URL: https://curl.haxx.se/
+--
+2.5.0
+
diff --git a/SOURCES/0102-curl-7.36.0-debug.patch b/SOURCES/0102-curl-7.36.0-debug.patch
new file mode 100644
index 0000000..bbb253f
--- /dev/null
+++ b/SOURCES/0102-curl-7.36.0-debug.patch
@@ -0,0 +1,65 @@
+From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 31 Oct 2012 11:38:30 +0100
+Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
+
+---
+ configure | 13 +++----------
+ m4/curl-compilers.m4 | 13 +++----------
+ 2 files changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/configure b/configure
+index 8f079a3..53b4774 100755
+--- a/configure
++++ b/configure
+@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
+ gccvhi=`echo $gccver | cut -d . -f1`
+ gccvlo=`echo $gccver | cut -d . -f2`
+ compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+ flags_dbg_off=""
+- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+- flags_opt_yes="-O2"
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+
+ OLDCPPFLAGS=$CPPFLAGS
+diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
+index 0cbba7a..9175b5b 100644
+--- a/m4/curl-compilers.m4
++++ b/m4/curl-compilers.m4
+@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+ gccvhi=`echo $gccver | cut -d . -f1`
+ gccvlo=`echo $gccver | cut -d . -f2`
+ compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+ flags_dbg_off=""
+- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
+- flags_opt_yes="-O2"
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+ CURL_CHECK_DEF([_WIN32], [], [silent])
+ else
+--
+1.7.1
+
diff --git a/SOURCES/0103-curl-7.59.0-python3.patch b/SOURCES/0103-curl-7.59.0-python3.patch
new file mode 100644
index 0000000..f66b6c0
--- /dev/null
+++ b/SOURCES/0103-curl-7.59.0-python3.patch
@@ -0,0 +1,140 @@
+From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 15 Mar 2018 13:21:40 +0100
+Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3
+
+---
+ tests/http_pipe.py | 4 ++--
+ tests/runtests.pl | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/http_pipe.py b/tests/http_pipe.py
+index bc32173..75ac165 100755
+--- a/tests/http_pipe.py
++++ b/tests/http_pipe.py
+@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler):
+ self.request.setblocking(True)
+ if not new_data:
+ return
+- new_requests = self._request_parser.ParseAdditionalData(new_data)
++ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8'))
+ self._response_builder.QueueRequests(
+ new_requests, self._request_parser.were_all_requests_http_1_1)
+ self._num_queued += len(new_requests)
+ self._last_queued_time = time.time()
+ elif fileno in wlist:
+- num_bytes_sent = self.request.send(self._send_buffer[0:4096])
++ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8'))
+ self._send_buffer = self._send_buffer[num_bytes_sent:]
+ time.sleep(0.05)
+
+diff --git a/tests/runtests.pl b/tests/runtests.pl
+index d6aa5ca..4d395ef 100755
+--- a/tests/runtests.pl
++++ b/tests/runtests.pl
+@@ -1439,7 +1439,7 @@ sub runhttpserver {
+ elsif($alt eq "pipe") {
+ # basically the same, but another ID
+ $idnum = 3;
+- $exe = "python $srcdir/http_pipe.py";
++ $exe = "python3 $srcdir/http_pipe.py";
+ $verbose_flag .= "1 ";
+ }
+ elsif($alt eq "unix") {
+--
+2.14.3
+
+
+From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 15 Mar 2018 14:49:56 +0100
+Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3
+
+Unfortunately, smbserver.py does not work with Python 3 because
+there is no 'impacket' module available for Python 3:
+
+https://github.com/CoreSecurity/impacket/issues/61
+---
+ tests/negtelnetserver.py | 12 ++++++------
+ tests/smbserver.py | 4 ++--
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
+index 8cfd409..72ee771 100755
+--- a/tests/negtelnetserver.py
++++ b/tests/negtelnetserver.py
+@@ -23,7 +23,7 @@ IDENT = "NTEL"
+
+ # The strings that indicate the test framework is checking our aliveness
+ VERIFIED_REQ = b"verifiedserver"
+-VERIFIED_RSP = b"WE ROOLZ: {pid}"
++VERIFIED_RSP = "WE ROOLZ: {pid}"
+
+
+ def telnetserver(options):
+@@ -34,7 +34,7 @@ def telnetserver(options):
+ if options.pidfile:
+ pid = os.getpid()
+ with open(options.pidfile, "w") as f:
+- f.write(b"{0}".format(pid))
++ f.write("{0}".format(pid))
+
+ local_bind = (HOST, options.port)
+ log.info("Listening on %s", local_bind)
+@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
+ response_data = VERIFIED_RSP.format(pid=os.getpid())
+ else:
+ log.debug("Received normal request - echoing back")
+- response_data = data.strip()
++ response_data = data.decode('utf8').strip()
+
+ if response_data:
+ log.debug("Sending %r", response_data)
+- self.request.sendall(response_data)
++ self.request.sendall(response_data.encode('utf8'))
+
+ except IOError:
+ log.exception("IOError hit during request")
+@@ -132,7 +132,7 @@ class Negotiator(object):
+ return buffer
+
+ def byte_to_int(self, byte):
+- return struct.unpack(b'B', byte)[0]
++ return int(byte)
+
+ def no_neg(self, byte, byte_int, buffer):
+ # Not negotiating anything thus far. Check to see if we
+@@ -197,7 +197,7 @@ class Negotiator(object):
+ self.tcp.sendall(packed_message)
+
+ def pack(self, arr):
+- return struct.pack(b'{0}B'.format(len(arr)), *arr)
++ return struct.pack('{0}B'.format(len(arr)), *arr)
+
+ def send_iac(self, arr):
+ message = [NegTokens.IAC]
+diff --git a/tests/smbserver.py b/tests/smbserver.py
+index 195ae39..b09cd44 100755
+--- a/tests/smbserver.py
++++ b/tests/smbserver.py
+@@ -24,7 +24,7 @@
+ from __future__ import (absolute_import, division, print_function)
+ # unicode_literals)
+ import argparse
+-import ConfigParser
++import configparser
+ import os
+ import sys
+ import logging
+@@ -58,7 +58,7 @@ def smbserver(options):
+ f.write("{0}".format(pid))
+
+ # Here we write a mini config for the server
+- smb_config = ConfigParser.ConfigParser()
++ smb_config = configparser.ConfigParser()
+ smb_config.add_section("global")
+ smb_config.set("global", "server_name", "SERVICE")
+ smb_config.set("global", "server_os", "UNIX")
+--
+2.14.3
+
diff --git a/SOURCES/0104-curl-7.19.7-localhost6.patch b/SOURCES/0104-curl-7.19.7-localhost6.patch
new file mode 100644
index 0000000..4f664d3
--- /dev/null
+++ b/SOURCES/0104-curl-7.19.7-localhost6.patch
@@ -0,0 +1,51 @@
+diff --git a/tests/data/test1083 b/tests/data/test1083
+index e441278..b0958b6 100644
+--- a/tests/data/test1083
++++ b/tests/data/test1083
+@@ -33,13 +33,13 @@ ipv6
+ http-ipv6
+
+
+-HTTP-IPv6 GET with ip6-localhost --interface
++HTTP-IPv6 GET with localhost6 --interface
+
+
+--g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
++-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
+
+
+-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
+
+
+
+diff --git a/tests/data/test241 b/tests/data/test241
+index 46eae1f..4e1632c 100644
+--- a/tests/data/test241
++++ b/tests/data/test241
+@@ -30,13 +30,13 @@ ipv6
+ http-ipv6
+
+
+-HTTP-IPv6 GET (using ip6-localhost)
++HTTP-IPv6 GET (using localhost6)
+
+
+--g "http://ip6-localhost:%HTTP6PORT/241"
++-g "http://localhost6:%HTTP6PORT/241"
+
+
+-./server/resolve --ipv6 ip6-localhost
++./server/resolve --ipv6 localhost6
+
+
+
+@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
+
+
+ GET /241 HTTP/1.1
+-Host: ip6-localhost:%HTTP6PORT
++Host: localhost6:%HTTP6PORT
+ Accept: */*
+
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
new file mode 100644
index 0000000..d32e5ed
--- /dev/null
+++ b/SPECS/curl.spec
@@ -0,0 +1,1780 @@
+Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
+Name: curl
+Version: 7.61.1
+Release: 16%{?dist}
+License: MIT
+Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
+
+# test320: update expected output for gnutls-3.6.4
+Patch1: 0001-curl-7.61.1-test320-gnutls.patch
+
+# update the documentation of --tlsv1.0 in curl(1) man page (#1620217)
+Patch2: 0002-curl-7.61.1-tlsv1.0-man.patch
+
+# enable TLS 1.3 post-handshake auth in OpenSSL (#1636900)
+Patch3: 0003-curl-7.61.1-TLS-1.3-PHA.patch
+
+# fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
+Patch4: 0004-curl-7.61.1-CVE-2018-16842.patch
+# we need `git apply` to apply this patch
+BuildRequires: git
+
+# fix use-after-free in handle close (CVE-2018-16840)
+Patch5: 0005-curl-7.61.1-CVE-2018-16840.patch
+
+# SASL password overflow via integer overflow (CVE-2018-16839)
+Patch6: 0006-curl-7.61.1-CVE-2018-16839.patch
+
+# curl -J: do not append to the destination file (#1660827)
+Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch
+
+# xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+Patch8: 0008-curl-7.61.1-CVE-2018-20483.patch
+
+# fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
+Patch9: 0009-curl-7.61.1-CVE-2018-16890.patch
+
+# fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)
+Patch10: 0010-curl-7.61.1-CVE-2019-3822.patch
+
+# fix SMTP end-of-response out-of-bounds read (CVE-2019-3823)
+Patch11: 0011-curl-7.61.1-CVE-2019-3823.patch
+
+# do not let libssh create a new socket for SCP/SFTP (#1669156)
+Patch14: 0014-curl-7.61.1-libssh-socket.patch
+
+# fix TFTP receive buffer overflow (CVE-2019-5436)
+Patch17: 0017-curl-7.64.0-CVE-2019-5436.patch
+
+# fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+Patch18: 0018-curl-7.65.3-CVE-2019-5482.patch
+
+# double free due to subsequent call of realloc() (CVE-2019-5481)
+Patch19: 0019-curl-7.65.3-CVE-2019-5481.patch
+
+# load built-in openssl engines (#1854369)
+Patch20: 0020-curl-7.61.1-openssl-engines.patch
+
+# avoid overwriting a local file with -J (CVE-2020-8177)
+Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch
+
+# libcurl: wrong connect-only connection (CVE-2020-8231)
+Patch22: 0022-curl-7.61.1-CVE-2020-8231.patch
+
+# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+Patch23: 0023-curl-7.61.1-no-https-proxy-crash.patch
+
+# patch making libcurl multilib ready
+Patch101: 0101-curl-7.32.0-multilib.patch
+
+# prevent configure script from discarding -g in CFLAGS (#496778)
+Patch102: 0102-curl-7.36.0-debug.patch
+
+# migrate tests/http_pipe.py to Python 3
+Patch103: 0103-curl-7.59.0-python3.patch
+
+# use localhost6 instead of ip6-localhost in the curl test-suite
+Patch104: 0104-curl-7.19.7-localhost6.patch
+
+Provides: curl-full = %{version}-%{release}
+Provides: webclient
+URL: https://curl.haxx.se/
+BuildRequires: automake
+BuildRequires: brotli-devel
+BuildRequires: coreutils
+BuildRequires: gcc
+BuildRequires: groff
+BuildRequires: krb5-devel
+BuildRequires: libidn2-devel
+BuildRequires: libmetalink-devel
+BuildRequires: libnghttp2-devel
+BuildRequires: libpsl-devel
+BuildRequires: libssh-devel
+BuildRequires: make
+BuildRequires: openldap-devel
+BuildRequires: openssh-clients
+BuildRequires: openssh-server
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: python3-devel
+BuildRequires: sed
+BuildRequires: stunnel
+BuildRequires: zlib-devel
+
+# needed to compress content of tool_hugehelp.c after changing curl.1 man page
+BuildRequires: perl(IO::Compress::Gzip)
+
+# gnutls-serv is used by the upstream test-suite
+BuildRequires: gnutls-utils
+
+# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
+BuildRequires: nghttp2
+
+# perl modules used in the test suite
+BuildRequires: perl(Cwd)
+BuildRequires: perl(Digest::MD5)
+BuildRequires: perl(Exporter)
+BuildRequires: perl(File::Basename)
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Spec)
+BuildRequires: perl(IPC::Open2)
+BuildRequires: perl(MIME::Base64)
+BuildRequires: perl(strict)
+BuildRequires: perl(Time::Local)
+BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(warnings)
+BuildRequires: perl(vars)
+
+# The test-suite runs automatically through valgrind if valgrind is available
+# on the system. By not installing valgrind into mock's chroot, we disable
+# this feature for production builds on architectures where valgrind is known
+# to be less reliable, in order to avoid unnecessary build failures (see RHBZ
+# #810992, #816175, and #886891). Nevertheless developers are free to install
+# valgrind manually to improve test coverage on any architecture.
+%ifarch x86_64 %{ix86}
+BuildRequires: valgrind
+%endif
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+# require at least the version of libpsl that we were built against,
+# to ensure that we have the necessary symbols available (#1631804)
+%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
+
+# require at least the version of libssh that we were built against,
+# to ensure that we have the necessary symbols available (#525002, #642796)
+%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
+
+# require at least the version of openssl-libs that we were built against,
+# to ensure that we have the necessary symbols available (#1462184, #1462211)
+%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)
+
+%description
+curl is a command line tool for transferring data with URL syntax, supporting
+FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
+SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
+uploading, HTTP form based upload, proxies, cookies, user+password
+authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
+resume, proxy tunneling and a busload of other useful tricks.
+
+%package -n libcurl
+Summary: A library for getting files from web servers
+Requires: libpsl%{?_isa} >= %{libpsl_version}
+Requires: libssh%{?_isa} >= %{libssh_version}
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl-full = %{version}-%{release}
+Provides: libcurl-full%{?_isa} = %{version}-%{release}
+
+%description -n libcurl
+libcurl is a free and easy-to-use client-side URL transfer library, supporting
+FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
+SMTP, POP3 and RTSP. libcurl supports SSL certificates, HTTP POST, HTTP PUT,
+FTP uploading, HTTP form based upload, proxies, cookies, user+password
+authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer
+resume, http proxy tunneling and more.
+
+%package -n libcurl-devel
+Summary: Files needed for building applications with libcurl
+Requires: libcurl%{?_isa} = %{version}-%{release}
+
+Provides: curl-devel = %{version}-%{release}
+Provides: curl-devel%{?_isa} = %{version}-%{release}
+Obsoletes: curl-devel < %{version}-%{release}
+
+%description -n libcurl-devel
+The libcurl-devel package includes header files and libraries necessary for
+developing programs which use the libcurl library. It contains the API
+documentation of the library, too.
+
+%package -n curl-minimal
+Summary: Conservatively configured build of curl for minimal installations
+Provides: curl = %{version}-%{release}
+Conflicts: curl
+RemovePathPostfixes: .minimal
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+%description -n curl-minimal
+This is a replacement of the 'curl' package for minimal installations. It
+comes with a limited set of features compared to the 'curl' package. On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
+%package -n libcurl-minimal
+Summary: Conservatively configured build of libcurl for minimal installations
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl = %{version}-%{release}
+Provides: libcurl%{?_isa} = %{version}-%{release}
+Conflicts: libcurl%{?_isa}
+RemovePathPostfixes: .minimal
+# needed for RemovePathPostfixes to work with shared libraries
+%undefine __brp_ldconfig
+
+%description -n libcurl-minimal
+This is a replacement of the 'libcurl' package for minimal installations. It
+comes with a limited set of features compared to the 'libcurl' package. On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
+%prep
+%setup -q
+
+# upstream patches
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+git init
+git apply %{PATCH4}
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch14 -p1
+
+# Fedora patches
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
+
+# upstream patches
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+
+# make tests/*.py use Python 3
+sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
+
+# regenerate Makefile.in files
+aclocal -I m4
+automake
+
+# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
+# with errno 98: Address already in use' in Koji environment), and test 1801
+#
+# and test 1900, which is flaky and covers a deprecated feature of libcurl
+#
+printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED
+
+# disable test 1319 on ppc64 (server times out)
+%ifarch ppc64
+echo "1319" >> tests/data/DISABLED
+%endif
+
+# temporarily disable test 582 on s390x (client times out)
+%ifarch s390x
+echo "582" >> tests/data/DISABLED
+%endif
+
+# adapt test 323 for updated OpenSSL
+sed -e 's/^35$/35,52/' -i tests/data/test323
+
+%build
+mkdir build-{full,minimal}
+export common_configure_opts=" \
+ --cache-file=../config.cache \
+ --disable-static \
+ --enable-symbol-hiding \
+ --enable-ipv6 \
+ --enable-threaded-resolver \
+ --with-gssapi \
+ --with-nghttp2 \
+ --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
+
+%global _configure ../configure
+
+# configure minimal build
+(
+ cd build-minimal
+ %configure $common_configure_opts \
+ --disable-ldap \
+ --disable-ldaps \
+ --disable-manual \
+ --without-brotli \
+ --without-libidn2 \
+ --without-libmetalink \
+ --without-libpsl \
+ --without-libssh
+)
+
+# configure full build
+(
+ cd build-full
+ %configure $common_configure_opts \
+ --enable-ldap \
+ --enable-ldaps \
+ --enable-manual \
+ --with-brotli \
+ --with-libidn2 \
+ --with-libmetalink \
+ --with-libpsl \
+ --with-libssh
+)
+
+# avoid using rpath
+sed -e 's/^runpath_var=.*/runpath_var=/' \
+ -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
+ -i build-{full,minimal}/libtool
+
+make %{?_smp_mflags} V=1 -C build-minimal
+make %{?_smp_mflags} V=1 -C build-full
+
+%check
+# we have to override LD_LIBRARY_PATH because we eliminated rpath
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
+export LD_LIBRARY_PATH
+
+# compile upstream test-cases
+cd build-full/tests
+make %{?_smp_mflags} V=1
+
+# relax crypto policy for the test-suite to make it pass again (#1611712)
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
+export OPENSSL_CONF=
+
+# run the upstream test-suite
+srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
+
+%install
+# install and rename the library that will be packaged as libcurl-minimal
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
+for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
+ mv -v $i $i.minimal
+done
+
+# install and rename the executable that will be packaged as curl-minimal
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
+mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
+
+# install libcurl.m4
+install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
+install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
+
+# install the executable and library that will be packaged as curl and libcurl
+cd build-full
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
+
+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+ make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
+
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
+
+%ldconfig_scriptlets -n libcurl
+
+%ldconfig_scriptlets -n libcurl-minimal
+
+%files
+%doc CHANGES README*
+%doc docs/BUGS docs/FAQ docs/FEATURES
+%doc docs/MANUAL docs/RESOURCES
+%doc docs/TheArtOfHttpScripting docs/TODO
+%{_bindir}/curl
+%{_mandir}/man1/curl.1*
+%{_datadir}/zsh/site-functions
+
+%files -n libcurl
+%license COPYING
+%{_libdir}/libcurl.so.4
+%{_libdir}/libcurl.so.4.[0-9].[0-9]
+
+%files -n libcurl-devel
+%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI
+%{_bindir}/curl-config*
+%{_includedir}/curl
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man1/curl-config.1*
+%{_mandir}/man3/*
+%{_datadir}/aclocal/libcurl.m4
+
+%files -n curl-minimal
+%{_bindir}/curl.minimal
+%{_mandir}/man1/curl.1*
+
+%files -n libcurl-minimal
+%license COPYING
+%{_libdir}/libcurl.so.4.minimal
+%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
+
+%changelog
+* Fri Nov 06 2020 Kamil Dudka - 7.61.1-16
+- fix multiarch conflicts in libcurl-minimal (#1895391)
+
+* Tue Nov 03 2020 Kamil Dudka - 7.61.1-15
+- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
+- libcurl: wrong connect-only connection (CVE-2020-8231)
+
+* Tue Jul 28 2020 Kamil Dudka - 7.61.1-14
+- avoid overwriting a local file with -J (CVE-2020-8177)
+
+* Wed Jul 15 2020 Kamil Dudka - 7.61.1-13
+- load built-in openssl engines (#1854369)
+
+* Wed Sep 11 2019 Kamil Dudka - 7.61.1-12
+- double free due to subsequent call of realloc() (CVE-2019-5481)
+- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
+- fix TFTP receive buffer overflow (CVE-2019-5436)
+
+* Mon May 13 2019 Kamil Dudka - 7.61.1-11
+- rebuild with updated annobin to prevent Execshield RPMDiff check from failing
+
+* Fri May 10 2019 Kamil Dudka - 7.61.1-10
+- fix SMTP end-of-response out-of-bounds read (CVE-2019-3823)
+- fix NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822)
+- fix NTLM type-2 out-of-bounds buffer read (CVE-2018-16890)
+- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+
+* Mon Feb 18 2019 Kamil Dudka - 7.61.1-9
+- do not let libssh create a new socket for SCP/SFTP (#1669156)
+
+* Fri Jan 11 2019 Kamil Dudka - 7.61.1-8
+- curl -J: do not append to the destination file (#1660827)
+
+* Thu Nov 15 2018 Kamil Dudka - 7.61.1-7
+- make the patch for CVE-2018-16842 apply properly (CVE-2018-16842)
+
+* Mon Nov 05 2018 Kamil Dudka - 7.61.1-6
+- SASL password overflow via integer overflow (CVE-2018-16839)
+- fix use-after-free in handle close (CVE-2018-16840)
+- fix bad arethmetic when outputting warnings to stderr (CVE-2018-16842)
+
+* Thu Oct 11 2018 Kamil Dudka - 7.61.1-5
+- enable TLS 1.3 post-handshake auth in OpenSSL (#1636900)
+
+* Mon Oct 08 2018 Kamil Dudka - 7.61.1-4
+- make the built-in manual compressed again (#1620217)
+
+* Mon Oct 08 2018 Kamil Dudka - 7.61.1-3
+- update the documentation of --tlsv1.0 in curl(1) man page (#1620217)
+
+* Thu Oct 04 2018 Kamil Dudka - 7.61.1-2
+- enforce versioned libpsl dependency for libcurl (#1631804)
+
+* Thu Oct 04 2018 Kamil Dudka - 7.61.1-1
+- test320: update expected output for gnutls-3.6.4
+- new upstream release (#1625677)
+
+* Thu Aug 09 2018 Kamil Dudka - 7.61.0-5
+- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
+
+* Tue Aug 07 2018 Kamil Dudka - 7.61.0-4
+- relax crypto policy for the test-suite to make it pass again (#1611712)
+
+* Tue Jul 31 2018 Kamil Dudka - 7.61.0-3
+- disable flaky test 1900, which covers deprecated HTTP pipelining
+- adapt test 323 for updated OpenSSL
+
+* Tue Jul 17 2018 Kamil Dudka - 7.61.0-2
+- rebuild against against brotli-1.0.5
+
+* Wed Jul 11 2018 Kamil Dudka - 7.61.0-1
+- new upstream release, which fixes the following vulnerability
+ CVE-2018-0500 - SMTP send heap buffer overflow
+
+* Tue Jul 10 2018 Kamil Dudka - 7.60.0-3
+- enable support for brotli compression in libcurl-full
+
+* Wed Jul 04 2018 Kamil Dudka - 7.60.0-2
+- do not hard-wire path of the Python 3 interpreter
+
+* Wed May 16 2018 Kamil Dudka - 7.60.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000300 - FTP shutdown response buffer overflow
+ CVE-2018-1000301 - RTSP bad headers buffer over-read
+
+* Thu Mar 15 2018 Kamil Dudka - 7.59.0-3
+- make the test-suite use Python 3
+
+* Wed Mar 14 2018 Kamil Dudka - 7.59.0-2
+- ftp: fix typo in recursive callback detection for seeking
+
+* Wed Mar 14 2018 Kamil Dudka - 7.59.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
+ CVE-2018-1000121 - LDAP NULL pointer dereference
+ CVE-2018-1000122 - RTSP RTP buffer over-read
+
+* Mon Mar 12 2018 Kamil Dudka - 7.58.0-8
+- http2: mark the connection for close on GOAWAY
+
+* Mon Feb 19 2018 Paul Howarth - 7.58.0-7
+- Add explicity-used build requirements
+- Fix libcurl soname version number in %%files list to avoid accidental soname
+ bumps
+
+* Thu Feb 15 2018 Paul Howarth - 7.58.0-6
+- switch to %%ldconfig_scriptlets
+- drop legacy BuildRoot: and Group: tags
+- enforce versioned libssh dependency for libcurl
+
+* Tue Feb 13 2018 Kamil Dudka - 7.58.0-5
+- drop temporary workaround for #1540549
+
+* Wed Feb 07 2018 Fedora Release Engineering - 7.58.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 31 2018 Kamil Dudka - 7.58.0-3
+- temporarily work around internal compiler error on x86_64 (#1540549)
+- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again
+
+* Wed Jan 24 2018 Andreas Schneider - 7.58.0-2
+- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483)
+
+* Wed Jan 24 2018 Kamil Dudka - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
+ CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
+* Wed Nov 29 2017 Kamil Dudka - 7.57.0-1
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
+ CVE-2017-8817 - curl: FTP wildcard out of bounds read
+ CVE-2017-8818 - curl: SSL out of buffer access
+
+* Mon Oct 23 2017 Kamil Dudka - 7.56.1-1
+- new upstream release (fixes CVE-2017-1000257)
+
+* Wed Oct 04 2017 Kamil Dudka - 7.56.0-1
+- new upstream release (fixes CVE-2017-1000254)
+
+* Mon Aug 28 2017 Kamil Dudka - 7.55.1-5
+- apply the patch for the previous commit and fix its name (#1485702)
+
+* Mon Aug 28 2017 Bastien Nocera - 7.55.1-4
+- Fix NetworkManager connectivity check not working (#1485702)
+
+* Tue Aug 22 2017 Kamil Dudka 7.55.1-3
+- utilize system wide crypto policies for TLS (#1483972)
+
+* Tue Aug 15 2017 Kamil Dudka 7.55.1-2
+- make zsh completion work again
+
+* Mon Aug 14 2017 Kamil Dudka 7.55.1-1
+- new upstream release
+
+* Wed Aug 09 2017 Kamil Dudka 7.55.0-1
+- drop multilib fix for libcurl header files no longer needed
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2017-1000099 - FILE buffer read out of bounds
+ CVE-2017-1000100 - TFTP sends more than buffer size
+ CVE-2017-1000101 - URL globbing out of bounds read
+
+* Wed Aug 02 2017 Fedora Release Engineering - 7.54.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Fri Jul 28 2017 Florian Weimer - 7.54.1-7
+- Rebuild with fixed binutils (#1475636)
+
+* Fri Jul 28 2017 Igor Gnatenko - 7.54.1-6
+- Enable separate debuginfo back
+
+* Thu Jul 27 2017 Kamil Dudka 7.54.1-5
+- rebuild to fix broken linkage of cmake on ppc64le
+
+* Wed Jul 26 2017 Kamil Dudka 7.54.1-4
+- avoid build failure caused broken RPM code that produces debuginfo packages
+
+* Wed Jul 26 2017 Fedora Release Engineering - 7.54.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 19 2017 Kamil Dudka 7.54.1-2
+- enforce versioned openssl-libs dependency for libcurl (#1462184)
+
+* Wed Jun 14 2017 Kamil Dudka 7.54.1-1
+- new upstream release
+
+* Tue May 16 2017 Kamil Dudka 7.54.0-5
+- add *-full provides for curl and libcurl to make them explicitly installable
+
+* Thu May 04 2017 Kamil Dudka 7.54.0-4
+- make curl-minimal require a new enough version of libcurl
+
+* Thu Apr 27 2017 Kamil Dudka 7.54.0-3
+- switch the TLS backend back to OpenSSL (#1445153)
+
+* Tue Apr 25 2017 Kamil Dudka 7.54.0-2
+- nss: use libnssckbi.so as the default source of trust
+- nss: do not leak PKCS #11 slot while loading a key (#1444860)
+
+* Thu Apr 20 2017 Kamil Dudka 7.54.0-1
+- new upstream release (fixes CVE-2017-7468)
+
+* Thu Apr 13 2017 Paul Howarth 7.53.1-7
+- add %%post and %%postun scriptlets for libcurl-minimal
+- libcurl-minimal provides both libcurl and libcurl%%{?_isa}
+- remove some legacy spec file cruft
+
+* Wed Apr 12 2017 Kamil Dudka 7.53.1-6
+- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl
+
+* Mon Apr 10 2017 Kamil Dudka 7.53.1-5
+- disable upstream test 2033 (flaky test for HTTP/1 pipelining)
+
+* Fri Apr 07 2017 Kamil Dudka 7.53.1-4
+- fix out of bounds read in curl --write-out (CVE-2017-7407)
+
+* Mon Mar 06 2017 Kamil Dudka 7.53.1-3
+- make the dependency on nss-pem arch-specific (#1428550)
+
+* Thu Mar 02 2017 Kamil Dudka 7.53.1-2
+- re-enable valgrind on ix86 because sqlite is fixed (#1428286)
+
+* Fri Feb 24 2017 Kamil Dudka 7.53.1-1
+- new upstream release
+
+* Wed Feb 22 2017 Kamil Dudka 7.53.0-1
+- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)
+- new upstream release (fixes CVE-2017-2629)
+
+* Fri Feb 10 2017 Fedora Release Engineering - 7.52.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Dec 23 2016 Kamil Dudka 7.52.1-1
+- new upstream release (fixes CVE-2016-9586)
+
+* Mon Nov 21 2016 Kamil Dudka 7.51.0-3
+- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+
+* Tue Nov 15 2016 Kamil Dudka 7.51.0-2
+- stricter host name checking for file:// URLs
+- ssh: check md5 fingerprints case insensitively
+
+* Wed Nov 02 2016 Kamil Dudka 7.51.0-1
+- temporarily disable failing libidn2 test-cases
+- new upstream release, which fixes the following vulnerabilities
+ CVE-2016-8615 - Cookie injection for other servers
+ CVE-2016-8616 - Case insensitive password comparison
+ CVE-2016-8617 - Out-of-bounds write via unchecked multiplication
+ CVE-2016-8618 - Double-free in curl_maprintf
+ CVE-2016-8619 - Double-free in krb5 code
+ CVE-2016-8620 - Glob parser write/read out of bounds
+ CVE-2016-8621 - curl_getdate out-of-bounds read
+ CVE-2016-8622 - URL unescape heap overflow via integer truncation
+ CVE-2016-8623 - Use-after-free via shared cookies
+ CVE-2016-8624 - Invalid URL parsing with '#'
+ CVE-2016-8625 - IDNA 2003 makes curl use wrong host
+
+* Thu Oct 20 2016 Kamil Dudka 7.50.3-3
+- drop 0103-curl-7.50.0-stunnel.patch no longer needed
+
+* Fri Oct 07 2016 Kamil Dudka 7.50.3-2
+- use the just built version of libcurl while generating zsh completion
+
+* Wed Sep 14 2016 Kamil Dudka 7.50.3-1
+- new upstream release (fixes CVE-2016-7167)
+
+* Wed Sep 07 2016 Kamil Dudka 7.50.2-1
+- new upstream release
+
+* Fri Aug 26 2016 Kamil Dudka 7.50.1-2
+- work around race condition in PK11_FindSlotByName()
+- fix incorrect use of a previously loaded certificate from file
+ (related to CVE-2016-5420)
+
+* Wed Aug 03 2016 Kamil Dudka 7.50.1-1
+- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421)
+
+* Tue Jul 26 2016 Kamil Dudka 7.50.0-2
+- run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2)
+
+* Thu Jul 21 2016 Kamil Dudka 7.50.0-1
+- run HTTP/2 tests only on Intel for now to work around #1358845
+- require nss-pem because it is no longer included in the nss package (#1347336)
+- fix HTTPS and FTPS tests (work around stunnel bug #1358810)
+- new upstream release
+
+* Fri Jun 17 2016 Kamil Dudka 7.49.1-3
+- use multilib-rpm-config to install arch-dependent header files
+
+* Fri Jun 03 2016 Kamil Dudka 7.49.1-2
+- fix SIGSEGV of the curl tool while parsing URL with too many globs (#1340757)
+
+* Mon May 30 2016 Kamil Dudka 7.49.1-1
+- new upstream release
+
+* Wed May 18 2016 Kamil Dudka 7.49.0-1
+- new upstream release
+
+* Wed Mar 23 2016 Kamil Dudka 7.48.0-1
+- new upstream release
+
+* Wed Mar 02 2016 Kamil Dudka 7.47.1-4
+- do not refuse cookies for localhost (#1308791)
+
+* Wed Feb 17 2016 Kamil Dudka 7.47.1-3
+- make SCP and SFTP test-cases work with up2date OpenSSH
+
+* Wed Feb 10 2016 Kamil Dudka 7.47.1-2
+- enable support for Public Suffix List (#1305701)
+
+* Mon Feb 08 2016 Kamil Dudka 7.47.1-1
+- new upstream release
+
+* Wed Feb 03 2016 Fedora Release Engineering - 7.47.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 27 2016 Kamil Dudka 7.47.0-1
+- new upstream release (fixes CVE-2016-0755)
+
+* Fri Dec 4 2015 Kamil Dudka 7.46.0-2
+- own /usr/share/zsh/site-functions instead of requiring zsh (#1288529)
+
+* Wed Dec 2 2015 Kamil Dudka 7.46.0-1
+- disable silent builds (suggested by Paul Howarth)
+- use default port numbers when running the upstream test-suite
+- install zsh completion script
+- new upstream release
+
+* Wed Oct 7 2015 Paul Howarth 7.45.0-1
+- new upstream release
+- drop %%defattr, redundant since rpm 4.4
+
+* Fri Sep 18 2015 Kamil Dudka 7.44.0-2
+- prevent NSS from incorrectly re-using a session (#1104597)
+
+* Wed Aug 12 2015 Kamil Dudka 7.44.0-1
+- new upstream release
+
+* Thu Jul 30 2015 Kamil Dudka 7.43.0-3
+- prevent dnf from crashing when using both FTP and HTTP (#1248389)
+
+* Thu Jul 16 2015 Kamil Dudka 7.43.0-2
+- build support for the HTTP/2 protocol
+
+* Wed Jun 17 2015 Kamil Dudka 7.43.0-1
+- new upstream release (fixes CVE-2015-3236 and CVE-2015-3237)
+
+* Wed Jun 17 2015 Fedora Release Engineering - 7.42.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Jun 05 2015 Kamil Dudka 7.42.1-2
+- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)
+
+* Wed Apr 29 2015 Kamil Dudka 7.42.1-1
+- new upstream release (fixes CVE-2015-3153)
+
+* Wed Apr 22 2015 Kamil Dudka 7.42.0-1
+- new upstream release (fixes CVE-2015-3143, CVE-2015-3144, CVE-2015-3145,
+ and CVE-2015-3148)
+- implement public key pinning for NSS backend (#1195771)
+- do not run flaky test-cases in %%check
+
+* Wed Feb 25 2015 Kamil Dudka 7.41.0-1
+- new upstream release
+- include extern-scan.pl to make test1135 succeed (upstream commit 1514b718)
+
+* Mon Feb 23 2015 Kamil Dudka 7.40.0-3
+- fix a spurious connect failure on dual-stacked hosts (#1187531)
+
+* Sat Feb 21 2015 Till Maas - 7.40.0-2
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Thu Jan 08 2015 Kamil Dudka 7.40.0-1
+- new upstream release (fixes CVE-2014-8150)
+
+* Wed Nov 05 2014 Kamil Dudka 7.39.0-1
+- new upstream release (fixes CVE-2014-3707)
+
+* Tue Oct 21 2014 Kamil Dudka 7.38.0-2
+- fix a connection failure when FTPS handle is reused
+
+* Wed Sep 10 2014 Kamil Dudka 7.38.0-1
+- new upstream release (fixes CVE-2014-3613 and CVE-2014-3620)
+
+* Sat Aug 16 2014 Fedora Release Engineering - 7.37.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 13 2014 Rex Dieter 7.37.1-2
+- include arch'd Requires/Provides
+
+* Wed Jul 16 2014 Kamil Dudka 7.37.1-1
+- new upstream release
+- fix endless loop with GSSAPI proxy auth (patches by David Woodhouse, #1118751)
+
+* Fri Jul 11 2014 Tom Callaway 7.37.0-4
+- fix license handling
+
+* Fri Jul 04 2014 Kamil Dudka 7.37.0-3
+- various SSL-related fixes (mainly crash on connection failure)
+
+* Sat Jun 07 2014 Fedora Release Engineering - 7.37.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 21 2014 Kamil Dudka 7.37.0-1
+- new upstream release
+
+* Fri May 09 2014 Kamil Dudka 7.36.0-4
+- auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348)
+
+* Fri Apr 25 2014 Kamil Dudka 7.36.0-3
+- nss: implement non-blocking SSL handshake
+
+* Wed Apr 02 2014 Kamil Dudka 7.36.0-2
+- extend URL parser to support IPv6 zone identifiers (#680996)
+
+* Wed Mar 26 2014 Kamil Dudka 7.36.0-1
+- new upstream release (fixes CVE-2014-0138)
+
+* Mon Mar 17 2014 Paul Howarth 7.35.0-5
+- add all perl build requirements for the test suite, in a portable way
+
+* Mon Mar 17 2014 Kamil Dudka 7.35.0-4
+- add BR for perl-Digest-MD5, which is required by the test-suite
+
+* Wed Mar 05 2014 Kamil Dudka 7.35.0-3
+- avoid spurious failure of test1086 on s390(x) koji builders (#1072273)
+
+* Tue Feb 25 2014 Kamil Dudka 7.35.0-2
+- refresh expired cookie in test172 from upstream test-suite (#1068967)
+
+* Wed Jan 29 2014 Kamil Dudka 7.35.0-1
+- new upstream release (fixes CVE-2014-0015)
+
+* Wed Dec 18 2013 Kamil Dudka 7.34.0-1
+- new upstream release
+
+* Mon Dec 02 2013 Kamil Dudka 7.33.0-2
+- allow to use TLS > 1.0 if built against recent NSS
+
+* Mon Oct 14 2013 Kamil Dudka 7.33.0-1
+- new upstream release
+- fix missing initialization in NTLM code causing test 906 to fail
+- fix missing initialization in SSH code causing test 619 to fail
+
+* Fri Oct 11 2013 Kamil Dudka 7.32.0-3
+- do not limit the speed of SCP upload on a fast connection
+
+* Mon Sep 09 2013 Kamil Dudka 7.32.0-2
+- avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686)
+
+* Mon Aug 12 2013 Kamil Dudka 7.32.0-1
+- new upstream release
+- make sure that NSS is initialized prior to calling PK11_GenerateRandom()
+
+* Sat Aug 03 2013 Fedora Release Engineering - 7.31.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 09 2013 Kamil Dudka 7.31.0-4
+- mention all option listed in 'curl --help' in curl.1 man page
+
+* Tue Jul 02 2013 Kamil Dudka 7.31.0-3
+- restore the functionality of 'curl -u :'
+
+* Wed Jun 26 2013 Kamil Dudka 7.31.0-2
+- build the curl tool with metalink support
+
+* Sat Jun 22 2013 Kamil Dudka 7.31.0-1
+- new upstream release (fixes CVE-2013-2174)
+
+* Fri Apr 26 2013 Kamil Dudka 7.30.0-2
+- prevent an artificial timeout event due to stale speed-check data (#906031)
+
+* Fri Apr 12 2013 Kamil Dudka 7.30.0-1
+- new upstream release (fixes CVE-2013-1944)
+- prevent test-suite failure due to using non-default port ranges in tests
+
+* Tue Mar 12 2013 Kamil Dudka 7.29.0-4
+- do not ignore poll() failures other than EINTR (#919127)
+- curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag (#919127)
+
+* Wed Mar 06 2013 Kamil Dudka 7.29.0-3
+- switch SSL socket into non-blocking mode after handshake
+- drop the hide_selinux.c hack no longer needed in %%check
+
+* Fri Feb 22 2013 Kamil Dudka 7.29.0-2
+- fix a SIGSEGV when closing an unused multi handle (#914411)
+
+* Wed Feb 06 2013 Kamil Dudka 7.29.0-1
+- new upstream release (fixes CVE-2013-0249)
+
+* Tue Jan 15 2013 Kamil Dudka 7.28.1-3
+- require valgrind for build only on i386 and x86_64 (#886891)
+
+* Tue Jan 15 2013 Kamil Dudka 7.28.1-2
+- prevent NSS from crashing on client auth hook failure
+- clear session cache if a client cert from file is used
+- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+
+* Tue Nov 20 2012 Kamil Dudka 7.28.1-1
+- new upstream release
+
+* Wed Oct 31 2012 Kamil Dudka