Command line options: 273
curl_easy_setopt() options: 308
Public functions in libcurl: 100
- Contributors: 3562
+ Contributors: 3563
This release includes the following changes:
o alt-svc: more flexibility on same destination [298]
o altsvc: make it one malloc instead of three per entry [266]
o AmigaOS: increase minimum stack size for tool_main [137]
+ o apple sectrust: fix ancient evaluation [327]
o apple-sectrust: always ask when `native_ca_store` is in use [162]
o asyn-ares: handle Curl_dnscache_mk_entry() OOM error [199]
o asyn-ares: remove hostname free on OOM [122]
o build: set `-Wno-format-signedness` [288]
o build: tidy-up MSVC CRT warning suppression macros [140]
o ccsidcurl: make curl_mime_data_ccsid() use the converted size [74]
+ o cf-h1-proxy: support folded headers in CONNECT responses [296]
o cf-https-connect: allocate ctx at first in cf_hc_create() [79]
o cf-socket: drop feature check for `IPV6_V6ONLY` on Windows [210]
o cf-socket: enable Win10 `TCP_KEEP*` options with old SDKs [323]
o checksrc.pl: detect assign followed by more than one space [26]
o cmake: adjust defaults for target platforms not supporting shared libs [35]
o cmake: define dependencies as `IMPORTED` interface targets [223]
+ o cmake: delete unused file `CMake/CMakeConfigurableFile.in` [363]
o cmake: disable `CURL_CA_PATH` auto-detection if `USE_APPLE_SECTRUST=ON` [16]
o cmake: fix `ws2_32` reference in `curl-config.cmake` [201]
o cmake: honor `CURL_DISABLE_INSTALL` and `CURL_ENABLE_EXPORT_TARGET` [106]
o conncontrol: reuse handling [170]
o connect: reshuffle Curl_timeleft_ms to avoid 'redundant condition' [100]
o connection: attached transfer count [228]
+ o content_encoding: avoid strcpy [331]
o cookie. return proper error on OOM [330]
o cookie: allocate the main struct once cookie is fine [259]
+ o cookie: flush better [218]
o cookie: only keep and use the canonical cleaned up path [256]
o cookie: propagate errors better, cleanup the internal API [118]
o cookie: return error on OOM [131]
o curl: fix progress meter in parallel mode [15]
o curl_fopen: do not pass invalid mode flags to `open()` on Windows [84]
o curl_gssapi: make sure Curl_gss_log_error() has an initialized buffer [257]
+ o curl_ntlm_core: fix DES_* symbols for some wolfSSL builds [281]
o curl_sasl: if redirected, require permission to use bearer [250]
o curl_sasl: make Curl_sasl_decode_mech compare case insensitively [160]
o curl_setup.h: document more funcs flagged by `_CRT_SECURE_NO_WARNINGS` [124]
o CURLMOPT_SOCKETFUNCTION.md: fix the callback argument use [206]
o CURLOPT_ACCEPT_ENCODING.md: warn about the expansion [224]
o CURLOPT_FOLLOWLOCATION.md: s/Authentication:/Authorization:/ [283]
+ o CURLOPT_HAPROXY_CLIENT_IP.md: emphasize reused connection use [328]
o CURLOPT_READFUNCTION.md: clarify the size of the buffer [47]
o CURLOPT_SSH_KEYFUNCTION.md: fix minor indent mistake in example
o curlx/fopen: replace open CRT functions their with `_s` counterparts (Windows) [204]
o curlx/multibyte: stop setting macros for non-Windows [226]
o curlx/strerr: use `strerror_s()` on Windows [75]
+ o curlx: add `curlx_rename()`, fix to support long filenames on Windows [354]
+ o curlx: curlx_strcopy() instead of strcpy() [326]
o curlx: limit use of system allocators to the minimum possible [169]
o curlx: replace `mbstowcs`/`wcstombs` with `_s` counterparts (Windows) [143]
o curlx: replace `sprintf` with `snprintf` [194]
+ o curlx: use curl alloc in `curlx_win32_stat()` (Windows) [360]
o curlx: use curlx allocators in non-memdebug builds (Windows) [155]
o DEPRECATE: add CMake <3.18 deprecation for April 2026 [291]
o digest_sspi: fix a memory leak on error path [149]
o docs: switch more URLs to https:// [229]
o docs: use .example URLs for proxies
o docs: use mresult as variable name for CURLMcode
+ o escape: add a length check in curl_easy_escape [284]
o example: fix formatting nits [232]
o examples/crawler: fix variable [92]
o examples/multi-uv: fix invalid req->data access [177]
o lib/sendf.h: forward declare two structs [221]
o lib: cleanup for some typos about spaces and code style [3]
o lib: create unitprotos.h in the builddir, not srcdir [322]
+ o lib: drop unused protocol headers [270]
o lib: eliminate size_t casts [112]
o lib: error for OOM when extracting URL query [127]
o lib: fix formatting nits (part 2) [253]
o lib: refactor the type of funcs which have useless return and checks [1]
o lib: replace `_tcsncpy`/`wcsncpy`/`wcscpy` with `_s` counterparts (Windows) [164]
o lib: timer stats improvements [190]
+ o lib: use `SOCKET_WRITABLE()`/`SOCKET_READABLE()` where possible [350]
o libssh2: add paths to error messages for quote commands [114]
o libssh2: cleanup ssh_force_knownhost_key_type [64]
o libssh2: consider strdup() failures OOM and return correctly [72]
o libssh2: replace atoi() in ssh_force_knownhost_key_type [63]
o libssh: fix state machine loop to progress as it should
o libssh: properly free sftp_attributes [153]
+ o libssh: set both knownhosts options to the same file [271]
o libtests: replace `atoi()` with `curlx_str_number()` [120]
o limit-rate: add example using --limit-rate and --max-time together [89]
o localtime: detect thread-safe alternatives and use them [325]
o m4/sectrust: fix test(1) operator [4]
o manage: expand the 'libcurl support required' message [208]
+ o mbedTLS: cleanup insecure/deprecated code [351]
o mbedtls: fix potential use of uninitialized `nread` [8]
o mbedtls: sync format across log messages [213]
o mbedtls_threadlock: avoid calloc, use array [244]
o multibyte: limit `curlx_convert_*wchar*()` functions to Unicode builds [135]
o ngtcp2+openssl: fix leak of session [172]
o ngtcp2: remove the unused Curl_conn_is_ngtcp2 function [85]
+ o ngtcp2: retune window sizes [365]
o noproxy: fix build on systems without IPv6 [264]
o noproxy: fix ipv6 handling [239]
o noproxy: replace atoi with curlx_str_number [67]
o openssl: toggling CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache [313]
o OS400/ccsidcurl: fix curl_easy_setopt_ccsid for non-converted blobs [94]
o OS400/makefile.sh: fix shellcheck warning SC2038 [86]
+ o os400sys: replace `strcpy()` with `memcpy()` [273]
o osslq: code readability [5]
o progress: show fewer digits [78]
o projects/README.md: Markdown fixes [148]
o sftp: fix range downloads in both SSH backends [82]
o slist: constify Curl_slist_append_nodup() string argument [195]
o smb: fix a size check to be overflow safe [161]
+ o socketpair: drop redundant `_WIN32` branch and include [367]
o socks_sspi: use free() not FreeContextBuffer() [93]
o speedcheck: do not trigger low speed cancel on transfers with CURL_READFUNC_PAUSE [113]
o speedlimit: also reset on send unpausing [197]
o test568: fix codespell, catch it next time early in CI [299]
o test568: remove what looks like an email and a URL [304]
o test787: fix possible typo `&` -> `%` in curl option [241]
+ o test96: fix to accept non-unity memdump content with MSVC [339]
o tests/data: move `--libcurl` output to external data files [34]
o tests/data: replace hard-coded test numbers with `%TESTNUMBER` [33]
o tests/data: support using native newlines on disk, drop `.gitattributes` [91]
o tool_paramhlp: refuse --proto remove all protocols [10]
o tool_urlglob: acknowledge OOM in peek_ipv6 [175]
o tool_urlglob: clean up used memory on errors better [44]
+ o tool_urlglob: constify an argument [361]
o tool_urlglob: support globs as long as config line lengths [282]
o tool_writeout: bail out proper on OOM [104]
o url: fix return code for OOM in parse_proxy() [193]
o vquic: do not pass invalid mode flags to `open()` (Windows) [58]
o vquic: do_sendmsg full init [171]
o vquic: ignore 0-length UDP packets [336]
+ o vquic: initialize new callback in nghttp3 1.14.0+ [317]
o vtls: fix CURLOPT_CAPATH use [51]
o vtls: handle possible malicious certs_num from peer [53]
o vtls: pinned key check [98]
o wcurl: import v2025.11.09 [29]
o windows: assume `USE_WIN32_LARGE_FILES` [292]
+ o windows: fix `CreateFile()` calls to support long filenames [356]
o windows: use `_strdup()` instead of `strdup()` where missing [145]
o wolfSSL: able to differentiate between IP and DNS in alt names [13]
o wolfssl: avoid NULL dereference in OOM situation [77]
o wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds [261]
o wolfssl: proof use of wolfSSL_i2d_SSL_SESSION [314]
o wolfssl: simplify wssl_send_earlydata [111]
+ o x509asn1: drop unused `hostcheck.h`, `vtls_int.h` includes [340]
This release includes the following known bugs:
This release would not have looked like this without help, code, reports and
advice from friends like these:
- Aleksandr Sergeev, Aleksei Bavshin, Andrew Kirillov,
+ Aleksandr Sergeev, Aleksei Bavshin, Alexander Batischev, Andrew Kirillov,
anonymous237 on hackerone, BANADDA, boingball, Brad King, bttrfl on github,
- Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Stenberg,
- Denis Goleshchikhin, Deniz Parlak, dependabot[bot], Fabian Keil,
- Fd929c2CE5fA on github, ffath-vo on github, Gabriel Marin,
- Georg Schulz-Allgaier, Gisle Vanem, Greg Hudson, Harry Sintonen, Jeff King,
- Jiyong Yang, John Haugabook, Juliusz Sosinowicz, Kai Pastor,
- Leonardo Taccari, letshack9707 on hackerone, Marc Aldorasi, Marcel Raad,
- Max Faxälv, nait-furry, ncaklovic on github, Nick Korepanov,
- Omdahake on github, Patrick Monnerat, pelioro on hackerone, Ray Satiro,
- renovate[bot], Robert W. Van Kirk, Samuel Henrique, Sergey Katsubo,
- st751228051 on github, Stanislav Fort, Stefan Eissing, Sunny, Theo Buehler,
- Thomas Klausner, Viktor Szakats, Wesley Moore, Xiaoke Wang, Yedaya Katsman,
- Yuhao Jiang, yushicheng7788 on github
- (56 contributors)
+ Christian Schmitz, Dan Fandrich, Daniel McCarney, Daniel Pouzzner,
+ Daniel Santos, Daniel Stenberg, Denis Goleshchikhin, Deniz Parlak,
+ dependabot[bot], Fabian Keil, Fd929c2CE5fA on github, ffath-vo on github,
+ Gabriel Marin, Georg Schulz-Allgaier, Gisle Vanem, Greg Hudson,
+ Harry Sintonen, Jeff King, Jiyong Yang, John Haugabook, Juliusz Sosinowicz,
+ Kai Pastor, koujaz on github, Leonardo Taccari, letshack9707 on hackerone,
+ Marc Aldorasi, Marcel Raad, Mathesh V, Max Faxälv, nait-furry,
+ ncaklovic on github, Nick Korepanov, Omdahake on github, Patrick Monnerat,
+ pelioro on hackerone, Ray Satiro, renovate[bot], Robert W. Van Kirk,
+ Samuel Henrique, Sergey Katsubo, st751228051 on github, Stanislav Fort,
+ Stefan Eissing, Sunny, Theo Buehler, Thomas Klausner, Viktor Szakats,
+ Wesley Moore, Wyatt O'Day, Xiaoke Wang, Yedaya Katsman, Yuhao Jiang,
+ yushicheng7788 on github
+ (62 contributors)
References to bug reports and discussions on issues:
[215] = https://curl.se/bug/?i=19764
[216] = https://curl.se/bug/?i=18009
[217] = https://curl.se/bug/?i=19763
+ [218] = https://curl.se/bug/?i=20090
[219] = https://curl.se/bug/?i=19759
[220] = https://curl.se/bug/?i=19756
[221] = https://curl.se/bug/?i=19761
[267] = https://curl.se/bug/?i=19858
[268] = https://curl.se/bug/?i=19753
[269] = https://curl.se/bug/?i=19965
+ [270] = https://curl.se/bug/?i=20093
+ [271] = https://curl.se/bug/?i=20092
[272] = https://curl.se/bug/?i=20026
+ [273] = https://curl.se/bug/?i=20089
[274] = https://curl.se/bug/?i=19964
[275] = https://curl.se/bug/?i=18189
[276] = https://curl.se/bug/?i=19922
[278] = https://curl.se/bug/?i=19920
[279] = https://curl.se/bug/?i=19918
[280] = https://curl.se/bug/?i=19770
+ [281] = https://curl.se/bug/?i=20083
[282] = https://curl.se/bug/?i=19960
[283] = https://curl.se/bug/?i=19915
+ [284] = https://curl.se/bug/?i=20086
[285] = https://curl.se/bug/?i=19911
[286] = https://curl.se/bug/?i=19900
[288] = https://curl.se/bug/?i=19907
[292] = https://curl.se/bug/?i=19888
[294] = https://curl.se/bug/?i=19901
[295] = https://curl.se/bug/?i=19899
+ [296] = https://curl.se/bug/?i=20080
[297] = https://curl.se/bug/?i=19894
[298] = https://curl.se/bug/?i=19740
[299] = https://curl.se/bug/?i=19945
[313] = https://curl.se/bug/?i=20009
[314] = https://curl.se/bug/?i=20008
[316] = https://curl.se/bug/?i=19997
+ [317] = https://curl.se/bug/?i=20077
[318] = https://curl.se/bug/?i=20002
[319] = https://curl.se/bug/?i=19995
[320] = https://curl.se/bug/?i=20001
[323] = https://curl.se/bug/?i=19999
[324] = https://curl.se/bug/?i=19980
[325] = https://curl.se/bug/?i=19957
+ [326] = https://curl.se/bug/?i=20067
+ [327] = https://curl.se/bug/?i=20074
+ [328] = https://curl.se/bug/?i=20075
[329] = https://curl.se/bug/?i=19996
[330] = https://curl.se/bug/?i=19992
+ [331] = https://curl.se/bug/?i=20072
[334] = https://curl.se/bug/?i=19984
[335] = https://curl.se/bug/?i=19986
[336] = https://curl.se/bug/?i=19978
+ [339] = https://curl.se/bug/?i=20064
+ [340] = https://curl.se/bug/?i=20063
+ [350] = https://curl.se/bug/?i=20052
+ [351] = https://curl.se/bug/?i=19983
+ [354] = https://curl.se/bug/?i=20042
+ [356] = https://curl.se/bug/?i=19286
+ [360] = https://curl.se/bug/?i=20043
+ [361] = https://curl.se/bug/?i=20045
+ [363] = https://curl.se/bug/?i=20038
+ [365] = https://curl.se/bug/?i=20030
+ [367] = https://curl.se/bug/?i=20032
projects / thirdparty / curl.git / commitdiff
