RELEASE-NOTES: 7.42.1 ready

Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.

Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon

RELEASE-NOTES

@@ -1,141 +1,22 @@
-Curl and libcurl 7.42.0
+Curl and libcurl 7.42.1
 
- Public curl releases:         145
+ Public curl releases:         146
  Command line options:         173
  curl_easy_setopt() options:   216
  Public functions in libcurl:  58
  Contributors:                 1265
 
-This release includes the following changes:
-
- o openssl: show the cipher selection to use in verbose text
- o gtls: implement CURLOPT_CERTINFO
- o add CURLOPT_SSL_FALSESTART option (darwinssl and NSS)
- o curl: add --false-start option
- o add CURLOPT_PATH_AS_IS
- o curl: add --path-as-is option
- o curl: create output file on successful download of an empty file [21]
-
 This release includes the following bugfixes:
 
- o ConnectionExists: for NTLM re-use, require credentials to match [26]
+ o CURLOPT_HEADEROPT: default to separate [5]
- o cookie: cookie parser out of boundary memory access [27]
+ o dist: include {src,lib}/checksrc.whitelist [1]
- o fix_hostname: zero length host name caused -1 index offset [28]
+ o connectionexists: fix build without NTLM [2]
- o http_done: close Negotiate connections when done [29]
+ o docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too
- o sws: timeout idle CONNECT connections
+ o curl -z: do not write empty file on unmet condition [3]
- o nss: improve error handling in Curl_nss_random()
+ o openssl: fix serial number output [4]
- o nss: do not skip Curl_nss_seed() if data is NULL
+ o curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
- o curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
+ o sws: init http2 state properly
- o http2: move lots of verbose output to be debug-only
+ o curl.1: fix typo
- o dist: add extern-scan.pl to the tarball
- o http2: return recv error on unexpected EOF [1]
- o build: Use default RandomizedBaseAddress directive in VC9+ project files
- o build: Removed DataExecutionPrevention directive from VC9+ project files
- o tool: Updated the warnf() function to use the GlobalConfig structure
- o http2: Return error if stream was closed with other than NO_ERROR
- o mprintf.h: remove #ifdef CURLDEBUG
- o libtest: fixed linker errors on msvc [6]
- o tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
- o curl.1: fix "The the" typo
- o cmake: handle build definitions CURLDEBUG/DEBUGBUILD
- o openssl: remove all uses of USE_SSLEAY
- o multi: fix memory-leak on timeout (regression) [4]
- o curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
- o metalink: add some error checks [3]
- o TLS: make it possible to enable ALPN/NPN without HTTP/2
- o http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
- o conncontrol: only log changes to the connection bit
- o multi: fix *getsock() with CONNECT [2]
- o symbols.pl: handle '-' in the deprecated field [5]
- o MacOSX-Framework: use @rpath instead of @executable_path [7]
- o GnuTLS: add support for CURLOPT_CAPATH
- o GnuTLS: print negotiated TLS version and full cipher suite name
- o GnuTLS: don't print double newline after certificate dates
- o memanalyze.pl: handle free(NULL)
- o proxy: re-use proxy connections (regression) [8]
- o mk-ca-bundle: Don't report SHA1 numbers with "-q"
- o http: always send Host: header as first header [9]
- o openssl: sort ciphers to use based on strength [10]
- o openssl: use colons properly in the ciphers list
- o http2: detect premature close without data transfered [11]
- o hostip: Fix signal race in Curl_resolv_timeout
- o closesocket: call multi socket cb on close even with custom close [12]
- o mksymbolsmanpage.pl: use std header and generate better nroff header
- o connect: Fix happy eyeballs logic for IPv4-only builds [13]
- o curl_easy_perform.3: remove superfluous close brace from example
- o HTTP: don't use Expect: headers when on HTTP/2 [14]
- o Curl_sh_entry: remove unused 'timestamp'
- o docs/libcurl: makefile portability fix
- o mkhelp: Remove trailing carriage return from every line of input
- o nss: explicitly tell NSS to disable NPN/ALPN when libcurl disables it
- o curl_easy_setopt.3: added a few missing options
- o metalink: fix resource leak in OOM
- o axtls: version 1.5.2 now requires that config.h be manually included
- o HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
- o cyassl: detect the library as renamed wolfssl
- o CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
- o CURLOPT_URL.3: Added "SECURITY CONCERNS
- o openssl: try to avoid accessing OCSP structs when possible
- o test938: added missing closing tags
- o testcurl: Allow '=' in values given on command line
- o tests/certs: added make target to rebuild certificates
- o tests/certs: rebuild certificates with modified key usage bits
- o gtls: avoid uninitialized variable
- o gtls: dereferencing NULL pointer
- o gtls: add check of return code
- o test1513: eliminated race condition in test run
- o dict: rename byte to avoid compiler shadowed declaration warning
- o curl_easy_recv/send: make them work with the multi interface
- o vtls: fix compile with --disable-crypto-auth but with SSL
- o openssl: adapt to ASN1/X509 things gone opaque in 1.1
- o openssl: verifystatus: only use the OCSP work-around <= 1.0.2a [15]
- o curl_memory: make curl_memory.h the second-last header file loaded
- o testcurl.pl: add the --notes option to supply more info about a build
- o cyassl: If wolfSSL then identify as such in version string
- o cyassl: Check for invalid length parameter in Curl_cyassl_random
- o cyassl: default to highest possible TLS version
- o Curl_ssl_md5sum: return CURLcode (fixes OOM)
- o polarssl: remove dead code
- o polarssl: called mbedTLS in 1.3.10 and later
- o globbing: fix step parsing for character globbing ranges
- o globbing: fix url number calculation when using range with step
- o multi: on a request completion, check all CONNECT_PEND transfers [16]
- o build: link curl to openssl libraries when openssl support is enabled
- o url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
- o vtls: Don't accept unknown CURLOPT_SSLVERSION values
- o build: Fix libcurl.sln erroneous mixed configurations
- o cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
- o cyassl: add SSL context callback support for CyaSSL
- o tool: only set SSL options if SSL is enabled
- o multi: remove_handle: move pending connections [17]
- o configure: Use KRB5CONFIG for krb5-config [18]
- o axtls: add timeout within Curl_axtls_connect
- o CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
- o cyassl: Fix library initialization return value
- o cookie: handle spaces after the name in Set-Cookie [19]
- o http2: Fix missing nghttp2_session_send call in Curl_http2_switched [20]
- o cyassl: Fix certificate load check
- o build-openssl.bat: Fix mixed line endings
- o checksrc.bat: Check lib\vtls source
- o DNS: fix refreshing of obsolete dns cache entries
- o CURLOPT_RESOLVE: actually implement removals
- o checksrc.bat: quotes to support an SRC_DIR with spaces
- o cyassl: Remove 'Connecting to' message from cyassl_connect_step2
- o cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
- o lib/transfer.c: Remove factor of 8 from sleep time calculation
- o lib/makefile.m32: add missing libs to build libcurl.dll
- o build: Generate source prerequisites for Visual Studio in generate.bat
- o cyassl: Include the CyaSSL build config
- o firefox-db2pem: fix wildcard to find Firefox default profile
- o BUGS: refer to the github issue tracker now as primary
- o vtls_openssl: improve several certificate error messages
- o cyassl: Add support for TLS extension SNI
- o parsecfg: do not continue past a zero termination
- o configure --with-nss=PATH: query pkg-config if available [22]
- o configure --with-nss: drop redundant if statement
- o cyassl: Fix include order [23]
- o HTTP: fix PUT regression with Negotiate [24]
- o curl_version_info.3: fixed the 'protocols' variable type [25]
 
 This release includes the following known bugs:
 
@@ -144,49 +25,17 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alessandro Ghedini, Alexander Pepper, Ben Darnell, Brad King,
+  Alessandro Ghedini, Alexander Elgert, Daniel Stenberg, Kamil Dudka,
-  Charles Romestant, Christian Weisgerber, Dagobert Michelsen, Dan Fandrich,
+  Oren Souroujon, Patrick Rapin, Viktor Szakáts, Yehezkel Horowitz,
-  Daniel Stenberg, Da-Yoon Chung, Emil Lerner, Fabian Keil, Frank Gevaerts,
+  (8 contributors)
-  Frank Meier, Hanno Böck, Isaac Boukris, Jeroen Ooms, Jiri Dvorak,
-  John Marshall, Jonathan Cardoso Machado, Jon Seymour, Kamil Dudka,
-  Kyle L. Huff, Markus Elfring, Matthew Hall, Michael Osipov,
-  Michael Stapelberg, Michel Promonet, Mostyn Bramley-Moore, Nick Zitzmann,
-  Paras Sethia, Patrick Monnerat, Paul Howarth, Peter Laser, Rainer Canavan,
-  Ray Satiro, Richard Moore, Sergei Nikulov, Stefan Bühler, Stefan Eissing,
-  Steve Havelka, Steve Holme, Tatsuhiro Tsujikawa, Thomas Ruecker,
-  Tobias Stoeckmann, Viktor Szakáts, Yamada Yasuharu,
-  (47 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = http://curl.haxx.se/bug/view.cgi?id=1487
+ [1] = http://curl.haxx.se/mail/archive-2015-04/0046.html
- [2] = http://curl.haxx.se/mail/lib-2015-01/0170.html
+ [2] = http://curl.haxx.se/bug/?i=231
- [3] = https://github.com/bagder/curl/issues/150
+ [3] = https://github.com/bagder/curl/issues/237
- [4] = https://github.com/bagder/curl/issues/147
+ [4] = https://github.com/bagder/curl/issues/235
- [5] = http://curl.haxx.se/mail/lib-2015-03/0052.html
+ [5] = http://curl.haxx.se/docs/adv_20150429.html
- [6] = https://github.com/bagder/curl/pull/144
+ 
- [7] = https://github.com/bagder/curl/pull/157
- [8] = http://curl.haxx.se/bug/view.cgi?id=1492
- [9] = http://curl.haxx.se/bug/view.cgi?id=1491
- [10] = http://curl.haxx.se/bug/view.cgi?id=1487
- [11] = https://github.com/bagder/curl/issues/166
- [12] = http://curl.haxx.se/bug/view.cgi?id=1493
- [13] = https://github.com/bagder/curl/pull/168
- [14] = https://github.com/bagder/curl/issues/169
- [15] = http://curl.haxx.se/mail/lib-2015-03/0205.html
- [16] = http://curl.haxx.se/bug/view.cgi?id=1465
- [17] = http://curl.haxx.se/bug/view.cgi?id=1465
- [18] = http://curl.haxx.se/bug/view.cgi?id=1486
- [19] = https://github.com/bagder/curl/issues/195
- [20] = https://github.com/bagder/curl/issues/192
- [21] = https://github.com/bagder/curl/issues/183
- [22] = https://github.com/bagder/curl/pull/171
- [23] = http://curl.haxx.se/mail/lib-2015-04/0069.html
- [24] = https://github.com/bagder/curl/issues/223
- [25] = https://github.com/bagder/curl/issues/225
- [26] = http://curl.haxx.se/docs/adv_20150422A.html
- [27] = http://curl.haxx.se/docs/adv_20150422C.html
- [28] = http://curl.haxx.se/docs/adv_20150422D.html
- [29] = http://curl.haxx.se/docs/adv_20150422B.html

docs/THANKS

@@ -36,6 +36,7 @@ Alex Suykov
 Alex Vinnik
 Alex aka WindEagle
 Alexander Beedie
+Alexander Elgert
 Alexander Klauer
 Alexander Kourakos
 Alexander Krasnostavsky
@@ -885,6 +886,7 @@ Oliver Gondža
 Oliver Kuckertz
 Oliver Schindler
 Olivier Berger
+Oren Souroujon
 Oren Tirosh
 Ori Avtalion
 Oscar Koeroo
@@ -901,6 +903,7 @@ Patricia Muscalu
 Patrick Bihan-Faou
 Patrick McManus
 Patrick Monnerat
+Patrick Rapin
 Patrick Scott
 Patrick Smith
 Patrick Watson

docs/curl.1

@@ -1708,7 +1708,7 @@ impossible to use a colon in the user name with this option. The password can,
 still.
 
 When using Kerberos V5 with a Windows based server you should include the
-Windows domain name in the user name, in order for the server to succesfully
+Windows domain name in the user name, in order for the server to successfully
 obtain a Kerberos Ticket. If you don't then the initial authentication
 handshake may fail.
 

docs/libcurl/curl_easy_getinfo.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -236,6 +236,26 @@ option may not be available for all SSL backends; unsupported SSL backends
 will return 'CURLSSLBACKEND_NONE' to indicate that they are not supported;
 this does not mean that no SSL backend was used. (Added in 7.34.0)
 
+.nf
+struct curl_tlssessioninfo {
+  curl_sslbackend backend;
+  void *internals;
+};
+.fi
+
+The \fIinternals\fP struct member will point to a TLS library specific pointer
+with the following underlying types:
+.RS
+.IP OpenSSL
+SSL_CTX *
+.IP GnuTLS
+gnutls_session_t
+.IP NSS
+PRFileDesc *
+.IP gskit
+gsk_handle
+.RE
+
 .IP CURLINFO_CONDITION_UNMET
 Pass a pointer to a long to receive the number 1 if the condition provided in
 the previous request didn't match (see \fICURLOPT_TIMECONDITION(3)\fP). Alas,

docs/libcurl/opts/CURLOPT_HEADEROPT.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -31,10 +31,10 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_HEADEROPT, long bitmask);
 Pass a long that is a bitmask of options of how to deal with headers. The two
 mutually exclusive options are:
 
-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
+\fBCURLHEADER_UNIFIED\fP - the headers specified in
-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
+\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
+proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
-have any effect.
+any effect.
 
 \fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
 sent to a server and not to a proxy. Proxy headers must be set with
@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl will send \fICURLOPT_PROXYHEADER(3)\fP
 headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
 the server.
 .SH DEFAULT
-CURLHEADER_UNIFIED
+CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
 .SH PROTOCOLS
 HTTP
 .SH EXAMPLE

docs/libcurl/opts/Makefile.am

@@ -66,7 +66,8 @@ man_MANS = CURLOPT_ACCEPT_ENCODING.3 CURLOPT_ACCEPTTIMEOUT_MS.3		\
  CURLOPT_NEW_DIRECTORY_PERMS.3 CURLOPT_NEW_FILE_PERMS.3			\
  CURLOPT_NOBODY.3 CURLOPT_NOPROGRESS.3 CURLOPT_NOPROXY.3		\
  CURLOPT_NOSIGNAL.3 CURLOPT_OPENSOCKETDATA.3				\
- CURLOPT_OPENSOCKETFUNCTION.3 CURLOPT_PASSWORD.3 CURLOPT_PORT.3		\
+ CURLOPT_OPENSOCKETFUNCTION.3 CURLOPT_PASSWORD.3 			\
+ CURLOPT_PINNEDPUBLICKEY.3 CURLOPT_PORT.3				\
  CURLOPT_POST.3 CURLOPT_POSTFIELDS.3 CURLOPT_POSTFIELDSIZE.3		\
  CURLOPT_POSTFIELDSIZE_LARGE.3 CURLOPT_POSTQUOTE.3 CURLOPT_POSTREDIR.3	\
  CURLOPT_PREQUOTE.3 CURLOPT_PRIVATE.3 CURLOPT_PROGRESSDATA.3		\
@@ -167,7 +168,8 @@ HTMLPAGES = CURLOPT_ACCEPT_ENCODING.html CURLOPT_ACCEPTTIMEOUT_MS.html	\
  CURLOPT_NEW_FILE_PERMS.html CURLOPT_NOBODY.html			\
  CURLOPT_NOPROGRESS.html CURLOPT_NOPROXY.html CURLOPT_NOSIGNAL.html	\
  CURLOPT_OPENSOCKETDATA.html CURLOPT_OPENSOCKETFUNCTION.html		\
- CURLOPT_PASSWORD.html CURLOPT_PORT.html CURLOPT_POST.html		\
+ CURLOPT_PASSWORD.html CURLOPT_PINNEDPUBLICKEY.html CURLOPT_PORT.html	\
+ CURLOPT_POST.html							\
  CURLOPT_POSTFIELDS.html CURLOPT_POSTFIELDSIZE.html			\
  CURLOPT_POSTFIELDSIZE_LARGE.html CURLOPT_POSTQUOTE.html		\
  CURLOPT_POSTREDIR.html CURLOPT_PREQUOTE.html CURLOPT_PRIVATE.html	\
@@ -270,7 +272,8 @@ PDFPAGES = CURLOPT_ACCEPT_ENCODING.pdf CURLOPT_ACCEPTTIMEOUT_MS.pdf	\
  CURLOPT_NEW_DIRECTORY_PERMS.pdf CURLOPT_NEW_FILE_PERMS.pdf		\
  CURLOPT_NOBODY.pdf CURLOPT_NOPROGRESS.pdf CURLOPT_NOPROXY.pdf		\
  CURLOPT_NOSIGNAL.pdf CURLOPT_OPENSOCKETDATA.pdf			\
- CURLOPT_OPENSOCKETFUNCTION.pdf CURLOPT_PASSWORD.pdf CURLOPT_PORT.pdf	\
+ CURLOPT_OPENSOCKETFUNCTION.pdf CURLOPT_PASSWORD.pdf 			\
+ CURLOPT_PINNEDPUBLICKEY.pdf CURLOPT_PORT.pdf				\
  CURLOPT_POST.pdf CURLOPT_POSTFIELDS.pdf CURLOPT_POSTFIELDSIZE.pdf	\
  CURLOPT_POSTFIELDSIZE_LARGE.pdf CURLOPT_POSTQUOTE.pdf			\
  CURLOPT_POSTREDIR.pdf CURLOPT_PREQUOTE.pdf CURLOPT_PRIVATE.pdf		\

lib/Makefile.am

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -34,7 +34,7 @@ EXTRA_DIST = Makefile.b32 Makefile.m32 Makefile.vc6 config-win32.h	\
  config-os400.h setup-os400.h config-symbian.h Makefile.Watcom		\
  config-tpf.h $(DOCS) mk-ca-bundle.pl mk-ca-bundle.vbs $(CMAKE_DIST)	\
  firefox-db2pem.sh config-vxworks.h Makefile.vxworks checksrc.pl	\
- objnames-test08.sh objnames-test10.sh objnames.inc
+ objnames-test08.sh objnames-test10.sh objnames.inc checksrc.whitelist
 
 lib_LTLIBRARIES = libcurl.la
 

lib/url.c

@@ -605,6 +605,7 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
   set->ssl_enable_alpn = TRUE;
 
   set->expect_100_timeout = 1000L; /* Wait for a second by default. */
+  set->sep_headers = TRUE; /* separated header lists by default */
   return result;
 }
 
@@ -3069,9 +3070,11 @@ ConnectionExists(struct SessionHandle *data,
   struct connectdata *check;
   struct connectdata *chosen = 0;
   bool canPipeline = IsPipeliningPossible(data, needle);
+#ifdef USE_NTLM
   bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
                        (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
     (needle->handler->protocol & PROTO_FAMILY_HTTP) ? TRUE : FALSE;
+#endif
   struct connectbundle *bundle;
 
   *force_reuse = FALSE;
@@ -3208,8 +3211,11 @@ ConnectionExists(struct SessionHandle *data,
           continue;
       }
 
-      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+      if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST))
-         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+#ifdef USE_NTLM
+         || (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)
+#endif
+        ) {
         /* This protocol requires credentials per connection or is HTTP+NTLM,
            so verify that we're using the same name and password as well */
         if(!strequal(needle->user, check->user) ||

lib/vtls/openssl.c

@@ -2472,25 +2472,19 @@ static CURLcode get_cert_chain(struct connectdata *conn,
     Curl_ssl_push_certinfo(data, i, "Version", bufp); /* hex */
 
     num=X509_get_serialNumber(x);
-    if(num->length <= 4) {
+    {
-      value = ASN1_INTEGER_get(num);
-      infof(data, "   Serial Number: %ld (0x%lx)\n", value, value);
-      snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
-    }
-    else {
       int left = CERTBUFFERSIZE;
 
       ptr = bufp;
-      *ptr++ = 0;
+      if(num->type == V_ASN1_NEG_INTEGER) {
-      if(num->type == V_ASN1_NEG_INTEGER)
         *ptr++='-';
+        left--;
+      }
 
-      for(j=0; (j<num->length) && (left>=4); j++) {
+      for(j=0; (j<num->length) && (left>=3); j++) {
-        /* TODO: length restrictions */
+        snprintf(ptr, left, "%02x", num->data[j]);
-        snprintf(ptr, 3, "%02x%c",num->data[j],
+        ptr += 2;
-                 ((j+1 == num->length)?'\n':':'));
+        left -= 2;
-        ptr += 3;
-        left-=4;
       }
       if(num->length)
         infof(data, "   Serial Number: %s\n", bufp);

src/Makefile.am

@@ -5,7 +5,7 @@
 #                            | (__| |_| |  _ <| |___
 #                             \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+# Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -84,11 +84,11 @@ CLEANFILES = tool_hugehelp.c
 # embedded text.
 NROFF=env LC_ALL=C @NROFF@ @MANOPT@ # figured out by the configure script
 
-EXTRA_DIST = mkhelp.pl makefile.dj Makefile.vc6 Makefile.b32 Makefile.m32 \
+EXTRA_DIST = mkhelp.pl makefile.dj Makefile.vc6 Makefile.b32		\
-	macos/curl.mcp.xml.sit.hqx                                        \
+ Makefile.m32 macos/curl.mcp.xml.sit.hqx macos/MACINSTALL.TXT		\
-	macos/MACINSTALL.TXT macos/src/curl_GUSIConfig.cpp \
+ macos/src/curl_GUSIConfig.cpp macos/src/macos_main.cpp makefile.amiga	\
-	macos/src/macos_main.cpp makefile.amiga curl.rc                   \
+ curl.rc Makefile.netware Makefile.inc Makefile.Watcom CMakeLists.txt	\
-	Makefile.netware Makefile.inc Makefile.Watcom CMakeLists.txt
+ checksrc.whitelist
 
 MANPAGE=$(top_srcdir)/docs/curl.1
 README=$(top_srcdir)/docs/MANUAL

src/tool_operate.c

@@ -1388,12 +1388,17 @@ static CURLcode operate_do(struct GlobalConfig *global,
 #endif
           result = curl_easy_perform(curl);
 
-          if(!result && !outs.stream && !outs.bytes
+          if(!result && !outs.stream && !outs.bytes) {
-              /* we have received no data despite the transfer was successful
+            /* we have received no data despite the transfer was successful
-                 ==> force cration of an empty output file (if an output file
+               ==> force cration of an empty output file (if an output file
-                 was specified) */
+               was specified) */
-              && !tool_create_output_file(&outs))
+            long cond_unmet = 0L;
-            result = CURLE_WRITE_ERROR;
+            /* do not create (or even overwrite) the file in case we get no
+               data because of unmet condition */
+            curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet);
+            if(!cond_unmet && !tool_create_output_file(&outs))
+              result = CURLE_WRITE_ERROR;
+          }
 
           if(outs.is_cd_filename && outs.stream && !global->mute &&
              outs.filename)

tests/data/Makefile.inc

@@ -143,7 +143,7 @@ test1396 test1397 test1398 \
 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
 test1408 test1409 test1410 test1411 test1412 test1413 test1414 test1415 \
 test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
-\
+test1424 \
 test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
 test1436 \
 \

tests/data/test1424

@@ -0,0 +1,76 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+If-Modified-Since
+-z
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 1990 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+-foo-
+</data>
+<datacheck>
+HTTP/1.1 200 OK
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 1990 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+HTTP GET -o fname without Content-Disposition (unmet time condition)
+</name>
+<file name="log/outfile1424">
+original contents
+</file>
+<command option="no-output,no-include">
+http://%HOSTIP:%HTTPPORT/1424 -z "dec 12 11:00:00 1999 GMT" -o log/outfile1424
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /1424 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+If-Modified-Since: Sun, 12 Dec 1999 11:00:00 GMT
+
+</protocol>
+
+<file1 name="log/outfile1424">
+original contents
+</file1>
+
+</verify>
+</testcase>

tests/data/test1527

@@ -45,7 +45,7 @@ http-proxy
 lib1527
 </tool>
  <name>
-Check same headers are generated without CURLOPT_PROXYHEADER
+Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
  </name>
  <command>
  http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT

tests/data/test287

@@ -28,7 +28,7 @@ http
 HTTP proxy CONNECT with custom User-Agent header
  </name>
  <command>
-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
+http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
 </command>
 </client>
 

tests/libtest/lib1527.c

@@ -83,6 +83,7 @@ int test(char *URL)
   test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
   test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
   test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
+  test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
 
   res = curl_easy_perform(curl);
 

tests/server/sws.c

@@ -913,6 +913,8 @@ static void init_httprequest(struct httprequest *req)
   req->callcount = 0;
   req->connect_port = 0;
   req->done_processing = 0;
+  req->upgrade = 0;
+  req->upgrade_request = 0;
 }
 
 /* returns 1 if the connection should be serviced again immediately, 0 if there