Update curl from 7.65.3 to 7.66.0

[patrikjuvonen]

Summary

• Contains bug fixes
• 7.66.0: curl-users mailing list archive, maintainer's blog post, changelog

Tests

• fetchRemote
  • Download test script (v1.0.1): test_fetchRemote.zip
    • Preferable not to run client and server simultaneously
  • URL for unauthenticated requests: http://ptsv2.com/t/mtasa-test-fetchRemote
  • URL for authenticated requests: http://ptsv2.com/t/mtasa-test-fetchRemote-auth
• callRemote
  • Download test script (v1.0.2): test_callRemote.zip
  • URL for unauthenticated requests: http://ptsv2.com/t/mtasa-test-callRemote
  • URL for authenticated requests: http://ptsv2.com/t/mtasa-test-callRemote-auth
• Please flush all your requests from ptsv2.com after testing!

Validation

To help validate the integrity of the update I have created the following bash script that diffs between my PR branch and the official package provided from the curl website.

#!/bin/bash

CURL_UPDATE_VERSION=7.66.0
CURL_PATH_NAME=curl-$CURL_UPDATE_VERSION

GIT_REPO_BRANCH=vendor/curl-$CURL_UPDATE_VERSION
GIT_REPO_URL=git@github.com:patrikjuvonen/mtasa-blue.git
GIT_DEST_DIR=mtasa-blue
GIT_REPO_CURL_PATH=$GIT_DEST_DIR/vendor/curl/

echo 1. Download and extract $CURL_PATH_NAME...
curl https://curl.haxx.se/download/$CURL_PATH_NAME.tar.xz | tar -xJ

echo 2. Clone the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL into $GIT_DEST_DIR...
git clone --depth 1 -b $GIT_REPO_BRANCH $GIT_REPO_URL $GIT_DEST_DIR

echo 3. Start checking integrity...
diff -r $GIT_REPO_CURL_PATH $CURL_PATH_NAME

echo 4. Completed.

Past curl updates in MTA

Date	From	To	Link
July 2019	7.65.1	7.65.3 (current)	#1027
July 2019	7.64.1	7.65.1	#1018
April 2019	7.64.0	7.64.1	#898
February 2019	7.63.0	7.64.0	#819
January 2019	7.61.1	7.63.0	#744
September 2018	7.61.0	7.61.1	#428
August 2018	7.59.0	7.61.0	#271
March 2018	7.54.0	7.59.0	b99e343
June 2017	7.32.0	7.54.0	c15d999
August 2013	7.19.4	7.32.0	aaf3e21

Copy of curl changelogs

Fixed in 7.66.0 - September 11 2019

Changes:

CURLINFO_RETRY_AFTER: parse the Retry-After header value
HTTP3: initial (experimental still not working) support
curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
curl: support parallel transfers with -Z
curl_multi_poll: a sister to curl_multi_wait() that waits more
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID

Bugfixes:

CVE-2019-5481: FTP-KRB double-free
CVE-2019-5482: TFTP small blocksize heap buffer overflow
CI: remove duplicate configure flag for LGTM.com
CMake: remove needless newlines at end of gss variables
CMake: use platform dependent name for dlopen() library
CURLINFO docs: mention that in redirects times are added
CURLOPT_ALTSVC.3: use a "" file name to not load from a file
CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
CURLOPT_HEADERFUNCTION.3: clarify
CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
CURLOPT_READFUNCTION.3: provide inline example
CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
Curl_addr2string: take an addrlen argument too
Curl_fillreadbuffer: avoid double-free trailer buf on error
HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
alt-svc: add protocol version selection masking
alt-svc: fix removal of expired cache entry
alt-svc: make it use h3-22 with ngtcp2 as well
alt-svc: more liberal ALPN name parsing
alt-svc: send Alt-Used: in redirected requests
alt-svc: with quiche, use the quiche h3 alpn string
appveyor: pass on -k to make
asyn-thread: create a socketpair to wait on
build-openssl: fix build with Visual Studio 2019
cleanup: move functions out of url.c and make them static
cleanup: remove the 'numsocks' argument used in many places
configure: avoid undefined check_for_ca_bundle
curl.h: add CURL_HTTP_VERSION_3 to the version enum
curl.h: fix outdated comment
curl: cap the maximum allowed values for retry time arguments
curl: handle a libcurl build without netrc support
curl: make use of CURLINFO_RETRY_AFTER when retrying
curl: remove outdated comment
curl: use .curlrc (with a dot) on Windows
curl: use CURLINFO_PROTOCOL to check for HTTP(s)
curl_global_init_mem.3: mention it was added in 7.12.0
curl_version: bump string buffer size to 250
curl_version_info.3: mentioned ALTSVC and HTTP3
curl_version_info: offer quic (and h3) library info
curl_version_info: provide nghttp2 details
defines: avoid underscore-prefixed defines
docs/ALTSVC: remove what works and the experimental explanation
docs/EXPERIMENTAL: explain what it means and what's experimental now
docs/MANUAL.md: converted to markdown from plain text
docs/examples/curlx: fix errors
docs: s/curl_debug/curl_dbg_debug in comments and docs
easy: resize receive buffer on easy handle reset
examples: Avoid reserved names in hiperfifo examples
examples: add http3.c, altsvc.c and http3-present.c
getenv: support up to 4K environment variable contents on windows
http09: disable HTTP/0.9 by default in both tool and library
http2: when marked for closure and wanted to close == OK
http2_recv: trigger another read when the last data is returned
http: fix use of credentials from URL when using HTTP proxy
http_negotiate: improve handling of gss_init_sec_context() failures
md4: Use our own MD4 when no crypto libraries are available
multi: call detach_connection before Curl_disconnect
netrc: make the code try ".netrc" on Windows
nss: use TLSv1.3 as default if supported
openssl: build warning free with boringssl
openssl: use SSL_CTX_set__proto_version() when available
plan9: add support for running on Plan 9
progress: reset download/uploaded counter between transfers
readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
scp: fix directory name length used in memcpy
smb: init *msg to NULL in smb_send_and_recv()
smtp: check for and bail out on too short EHLO response
source: remove names from source comments
spnego_sspi: add typecast to fix build warning
src/makefile: fix uncompressed hugehelp.c generation
ssh-libssh: do not specify O_APPEND when not in append mode
ssh: move code into vssh for SSH backends
sspi: fix memory leaks
tests: Replace outdated test case numbering documentation
tftp: return error when packet is too small for options
timediff: make it 64 bit (if possible) even with 32 bit time_t
travis: reduce number of torture tests in 'coverage'
url: make use of new HTTP version if alt-svc has one
urlapi: verify the IPv6 numerical address
urldata: avoid 'generic', use dedicated pointers
vauth: Use CURLE_AUTH_ERROR for auth function errors

[qaisjp]

Here's the version that I use (which fetches the branch into this repo, rather than re-cloning):

#!/bin/bash

CURL_UPDATE_VERSION=7.66.0
CURL_PATH_NAME=curl-$CURL_UPDATE_VERSION

GIT_REPO_BRANCH=vendor/curl-$CURL_UPDATE_VERSION
GIT_REPO_URL=git@github.com:patrikjuvonen/mtasa-blue.git
GIT_REPO_CURL_PATH=vendor/curl/

echo 1. Download and extract $CURL_PATH_NAME...
curl https://curl.haxx.se/download/$CURL_PATH_NAME.tar.xz | tar -xJ

echo 2. Clone the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL...
git fetch "$GIT_REPO_URL" "$GIT_REPO_BRANCH":"$GIT_REPO_BRANCH"
git checkout "$GIT_REPO_BRANCH"

echo 3. Start checking integrity...
diff -r $GIT_REPO_CURL_PATH $CURL_PATH_NAME

echo 4. Completed.