Update curl from 7.65.3 to 7.66.0

vendor/curl/RELEASE-NOTES

@@ -1,14 +1,103 @@
-curl and libcurl 7.65.3
+curl and libcurl 7.66.0
 
- Public curl releases:         184
- Command line options:         221
- curl_easy_setopt() options:   268
- Public functions in libcurl:  80
+ Public curl releases:         185
+ Command line options:         225
+ curl_easy_setopt() options:   269
+ Public functions in libcurl:  81
  Contributors:                 1991
 
+This release includes the following changes:
+
+ o CURLINFO_RETRY_AFTER: parse the Retry-After header value [35]
+ o HTTP3: initial (experimental still not working) support [5]
+ o curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool [27]
+ o curl: support parallel transfers with -Z [4]
+ o curl_multi_poll: a sister to curl_multi_wait() that waits more [28]
+ o sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID [27]
+
 This release includes the following bugfixes:
 
- o progress: make the progress meter appear again [1]
+ o CVE-2019-5481: FTP-KRB double-free [64]
+ o CVE-2019-5482: TFTP small blocksize heap buffer overflow [65]
+ o CI: remove duplicate configure flag for LGTM.com
+ o CMake: remove needless newlines at end of gss variables
+ o CMake: use platform dependent name for dlopen() library [62]
+ o CURLINFO docs: mention that in redirects times are added [55]
+ o CURLOPT_ALTSVC.3: use a "" file name to not load from a file
+ o CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
+ o CURLOPT_HEADERFUNCTION.3: clarify [54]
+ o CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly [33]
+ o CURLOPT_READFUNCTION.3: provide inline example
+ o CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 [51]
+ o Curl_addr2string: take an addrlen argument too [61]
+ o Curl_fillreadbuffer: avoid double-free trailer buf on error [66]
+ o HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown [10]
+ o alt-svc: add protocol version selection masking [31]
+ o alt-svc: fix removal of expired cache entry [30]
+ o alt-svc: make it use h3-22 with ngtcp2 as well
+ o alt-svc: more liberal ALPN name parsing [17]
+ o alt-svc: send Alt-Used: in redirected requests [32]
+ o alt-svc: with quiche, use the quiche h3 alpn string [16]
+ o appveyor: pass on -k to make
+ o asyn-thread: create a socketpair to wait on [14]
+ o build-openssl: fix build with Visual Studio 2019 [45]
+ o cleanup: move functions out of url.c and make them static [58]
+ o cleanup: remove the 'numsocks' argument used in many places [25]
+ o configure: avoid undefined check_for_ca_bundle [37]
+ o curl.h: add CURL_HTTP_VERSION_3 to the version enum
+ o curl.h: fix outdated comment [23]
+ o curl: cap the maximum allowed values for retry time arguments [13]
+ o curl: handle a libcurl build without netrc support [63]
+ o curl: make use of CURLINFO_RETRY_AFTER when retrying [35]
+ o curl: remove outdated comment [24]
+ o curl: use .curlrc (with a dot) on Windows [52]
+ o curl: use CURLINFO_PROTOCOL to check for HTTP(s)
+ o curl_global_init_mem.3: mention it was added in 7.12.0
+ o curl_version: bump string buffer size to 250
+ o curl_version_info.3: mentioned ALTSVC and HTTP3
+ o curl_version_info: offer quic (and h3) library info [38]
+ o curl_version_info: provide nghttp2 details [2]
+ o defines: avoid underscore-prefixed defines [47]
+ o docs/ALTSVC: remove what works and the experimental explanation [34]
+ o docs/EXPERIMENTAL: explain what it means and what's experimental now
+ o docs/MANUAL.md: converted to markdown from plain text [3]
+ o docs/examples/curlx: fix errors [48]
+ o docs: s/curl_debug/curl_dbg_debug in comments and docs [36]
+ o easy: resize receive buffer on easy handle reset [9]
+ o examples: Avoid reserved names in hiperfifo examples [8]
+ o examples: add http3.c, altsvc.c and http3-present.c [40]
+ o getenv: support up to 4K environment variable contents on windows [21]
+ o http09: disable HTTP/0.9 by default in both tool and library [29]
+ o http2: when marked for closure and wanted to close == OK [56]
+ o http2_recv: trigger another read when the last data is returned [11]
+ o http: fix use of credentials from URL when using HTTP proxy [44]
+ o http_negotiate: improve handling of gss_init_sec_context() failures [18]
+ o md4: Use our own MD4 when no crypto libraries are available [15]
+ o multi: call detach_connection before Curl_disconnect [6]
+ o netrc: make the code try ".netrc" on Windows [52]
+ o nss: use TLSv1.3 as default if supported [39]
+ o openssl: build warning free with boringssl [50]
+ o openssl: use SSL_CTX_set_<min|max>_proto_version() when available [68]
+ o plan9: add support for running on Plan 9 [22]
+ o progress: reset download/uploaded counter between transfers [12]
+ o readwrite_data: repair setting the TIMER_STARTTRANSFER stamp [26]
+ o scp: fix directory name length used in memcpy [46]
+ o smb: init *msg to NULL in smb_send_and_recv() [60]
+ o smtp: check for and bail out on too short EHLO response [59]
+ o source: remove names from source comments [1]
+ o spnego_sspi: add typecast to fix build warning [49]
+ o src/makefile: fix uncompressed hugehelp.c generation [19]
+ o ssh-libssh: do not specify O_APPEND when not in append mode [7]
+ o ssh: move code into vssh for SSH backends [53]
+ o sspi: fix memory leaks [67]
+ o tests: Replace outdated test case numbering documentation [43]
+ o tftp: return error when packet is too small for options
+ o timediff: make it 64 bit (if possible) even with 32 bit time_t [20]
+ o travis: reduce number of torture tests in 'coverage' [42]
+ o url: make use of new HTTP version if alt-svc has one [16]
+ o urlapi: verify the IPv6 numerical address [69]
+ o urldata: avoid 'generic', use dedicated pointers [57]
+ o vauth: Use CURLE_AUTH_ERROR for auth function errors [41]
 
 This release includes the following known bugs:
 
@@ -17,11 +106,89 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Chih-Hsuan Yen, Daniel Stenberg,
-  (2 contributors)
+  Alessandro Ghedini, Alex Mayorga, Amit Katyal, Balazs Kovacsics,
+  Brad Spencer, Brandon Dong, Carlo Marcelo Arenas Belón, Christopher Head,
+  Clément Notin, codesniffer13 on github, Daniel Gustafsson, Daniel Stenberg,
+  Dominik Hölzl, Eric Wong, Felix Hädicke, Gergely Nagy, Gisle Vanem,
+  Igor Makarov, Ironbars13 on github, Jason Lee, Jeremy Lainé,
+  Jonathan Cardoso Machado, Junho Choi, Kamil Dudka, Kyle Abramowitz,
+  Kyohei Kadota, Lance Ware, Marcel Raad, Max Dymond, Michael Lee,
+  Michal Čaplygin, migueljcrum on github, Mike Crowe, niallor on github,
+  osabc on github, patnyb on github, Patrick Monnerat, Peter Wu, Ray Satiro,
+  Rolf Eike Beer, Steve Holme, Tatsuhiro Tsujikawa, The Infinnovation team,
+  Thomas Vegas, Tom van der Woerdt, Yiming Jing,
+  (46 contributors)
 
         Thanks! (and sorry if I forgot to mention someone)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.haxx.se/bug/?i=4122
+ [1] = https://curl.haxx.se/bug/?i=4129
+ [2] = https://curl.haxx.se/bug/?i=4121
+ [3] = https://curl.haxx.se/bug/?i=4131
+ [4] = https://curl.haxx.se/bug/?i=3804
+ [5] = https://curl.haxx.se/bug/?i=3500
+ [6] = https://curl.haxx.se/bug/?i=4144
+ [7] = https://curl.haxx.se/bug/?i=4147
+ [8] = https://curl.haxx.se/bug/?i=4153
+ [9] = https://curl.haxx.se/bug/?i=4143
+ [10] = https://curl.haxx.se/bug/?i=4138
+ [11] = https://curl.haxx.se/bug/?i=4043
+ [12] = https://curl.haxx.se/bug/?i=4084
+ [13] = https://curl.haxx.se/bug/?i=4166
+ [14] = https://curl.haxx.se/bug/?i=4157
+ [15] = https://curl.haxx.se/bug/?i=3780
+ [16] = https://curl.haxx.se/bug/?i=4183
+ [17] = https://curl.haxx.se/bug/?i=4182
+ [18] = https://curl.haxx.se/bug/?i=3992
+ [19] = https://curl.haxx.se/bug/?i=4176
+ [20] = https://curl.haxx.se/bug/?i=4165
+ [21] = https://curl.haxx.se/bug/?i=4174
+ [22] = https://curl.haxx.se/bug/?i=3701
+ [23] = https://curl.haxx.se/bug/?i=4167
+ [24] = https://curl.haxx.se/bug/?i=4172
+ [25] = https://curl.haxx.se/bug/?i=4169
+ [26] = https://curl.haxx.se/bug/?i=4136
+ [27] = https://curl.haxx.se/bug/?i=3653
+ [28] = https://curl.haxx.se/bug/?i=4163
+ [29] = https://curl.haxx.se/bug/?i=4191
+ [30] = https://curl.haxx.se/bug/?i=4192
+ [31] = https://curl.haxx.se/bug/?i=4201
+ [32] = https://curl.haxx.se/bug/?i=4199
+ [33] = https://curl.haxx.se/bug/?i=4197
+ [34] = https://curl.haxx.se/bug/?i=4198
+ [35] = https://curl.haxx.se/bug/?i=3794
+ [36] = https://curl.haxx.se/bug/?i=3794
+ [37] = https://curl.haxx.se/bug/?i=4213
+ [38] = https://curl.haxx.se/bug/?i=4216
+ [39] = https://curl.haxx.se/bug/?i=4187
+ [40] = https://curl.haxx.se/bug/?i=4221
+ [41] = https://curl.haxx.se/bug/?i=3848
+ [42] = https://curl.haxx.se/bug/?i=4223
+ [43] = https://curl.haxx.se/bug/?i=4227
+ [44] = https://curl.haxx.se/bug/?i=4228
+ [45] = https://curl.haxx.se/bug/?i=4188
+ [46] = https://curl.haxx.se/bug/?i=4258
+ [47] = https://curl.haxx.se/bug/?i=4254
+ [48] = https://curl.haxx.se/bug/?i=4248
+ [49] = https://curl.haxx.se/bug/?i=4245
+ [50] = https://curl.haxx.se/bug/?i=4244
+ [51] = https://curl.haxx.se/bug/?i=4241
+ [52] = https://curl.haxx.se/bug/?i=4230
+ [53] = https://curl.haxx.se/bug/?i=4235
+ [54] = https://curl.haxx.se/bug/?i=4273
+ [55] = https://curl.haxx.se/bug/?i=4250
+ [56] = https://curl.haxx.se/bug/?i=4267
+ [57] = https://curl.haxx.se/bug/?i=4290
+ [58] = https://curl.haxx.se/bug/?i=4289
+ [59] = https://curl.haxx.se/bug/?i=4287
+ [60] = https://curl.haxx.se/bug/?i=4286
+ [61] = https://curl.haxx.se/bug/?i=4283
+ [62] = https://curl.haxx.se/bug/?i=4279
+ [63] = https://curl.haxx.se/bug/?i=4302
+ [64] = https://curl.haxx.se/docs/CVE-2019-5481.html
+ [65] = https://curl.haxx.se/docs/CVE-2019-5482.html
+ [66] = https://curl.haxx.se/bug/?i=4307
+ [67] = https://curl.haxx.se/bug/?i=4299
+ [68] = https://curl.haxx.se/bug/?i=4304
+ [69] = https://curl.haxx.se/bug/?i=4315

vendor/curl/include/curl/curl.h

@@ -1,5 +1,5 @@
-#ifndef __CURL_CURL_H
-#define __CURL_CURL_H
+#ifndef CURLINC_CURL_H
+#define CURLINC_CURL_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -284,10 +284,7 @@ typedef enum {
 #define CURLFINFOFLAG_KNOWN_SIZE        (1<<6)
 #define CURLFINFOFLAG_KNOWN_HLINKCOUNT  (1<<7)
 
-/* Content of this structure depends on information which is known and is
-   achievable (e.g. by FTP LIST parsing). Please see the url_easy_setopt(3) man
-   page for callbacks returning this structure -- some fields are mandatory,
-   some others are optional. The FLAG field has special meaning. */
+/* Information about a single file, used when doing FTP wildcard matching */
 struct curl_fileinfo {
   char *filename;
   curlfiletype filetype;
@@ -603,6 +600,8 @@ typedef enum {
                                     */
   CURLE_RECURSIVE_API_CALL,      /* 93 - an api function was called from
                                     inside a callback */
+  CURLE_AUTH_ERROR,              /* 94 - an authentication function returned an
+                                    error */
   CURL_LAST /* never use! */
 } CURLcode;
 
@@ -886,7 +885,7 @@ typedef enum {
 
 /* CURLALTSVC_* are bits for the CURLOPT_ALTSVC_CTRL option */
 #define CURLALTSVC_IMMEDIATELY  (1<<0)
-#define CURLALTSVC_ALTUSED      (1<<1)
+
 #define CURLALTSVC_READONLYFILE (1<<2)
 #define CURLALTSVC_H1           (1<<3)
 #define CURLALTSVC_H2           (1<<4)
@@ -1925,6 +1924,9 @@ typedef enum {
   /* maximum age of a connection to consider it for reuse (in seconds) */
   CINIT(MAXAGE_CONN, LONG, 288),
 
+  /* SASL authorisation identity */
+  CINIT(SASL_AUTHZID, STRINGPOINT, 289),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -1978,7 +1980,8 @@ enum {
   CURL_HTTP_VERSION_2TLS, /* use version 2 for HTTPS, version 1.1 for HTTP */
   CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE,  /* please use HTTP 2 without HTTP/1.1
                                            Upgrade */
-
+  CURL_HTTP_VERSION_3 = 30, /* Makes use of explicit HTTP/3 without fallback.
+                               Use CURLOPT_ALTSVC to enable HTTP/3 upgrade */
   CURL_HTTP_VERSION_LAST /* *ILLEGAL* http version */
 };
 
@@ -2614,8 +2617,9 @@ typedef enum {
   CURLINFO_STARTTRANSFER_TIME_T = CURLINFO_OFF_T + 54,
   CURLINFO_REDIRECT_TIME_T  = CURLINFO_OFF_T + 55,
   CURLINFO_APPCONNECT_TIME_T = CURLINFO_OFF_T + 56,
+  CURLINFO_RETRY_AFTER      = CURLINFO_OFF_T + 57,
 
-  CURLINFO_LASTONE          = 56
+  CURLINFO_LASTONE          = 57
 } CURLINFO;
 
 /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as
@@ -2714,6 +2718,7 @@ typedef enum {
   CURLVERSION_THIRD,
   CURLVERSION_FOURTH,
   CURLVERSION_FIFTH,
+  CURLVERSION_SIXTH,
   CURLVERSION_LAST /* never actually use this */
 } CURLversion;
 
@@ -2722,7 +2727,7 @@ typedef enum {
    meant to be a built-in version number for what kind of struct the caller
    expects. If the struct ever changes, we redefine the NOW to another enum
    from above. */
-#define CURLVERSION_NOW CURLVERSION_FIFTH
+#define CURLVERSION_NOW CURLVERSION_SIXTH
 
 typedef struct {
   CURLversion age;          /* age of the returned struct */
@@ -2751,11 +2756,16 @@ typedef struct {
   const char *libssh_version; /* human readable string */
 
   /* These fields were added in CURLVERSION_FIFTH */
-
   unsigned int brotli_ver_num; /* Numeric Brotli version
                                   (MAJOR << 24) | (MINOR << 12) | PATCH */
   const char *brotli_version; /* human readable string. */
 
+  /* These fields were added in CURLVERSION_SIXTH */
+  unsigned int nghttp2_ver_num; /* Numeric nghttp2 version
+                                   (MAJOR << 16) | (MINOR << 8) | PATCH */
+  const char *nghttp2_version; /* human readable string. */
+  const char *quic_version;    /* human readable quic (+ HTTP/3) library +
+                                  version or NULL */
 } curl_version_info_data;
 
 #define CURL_VERSION_IPV6         (1<<0)  /* IPv6-enabled */
@@ -2788,6 +2798,7 @@ typedef struct {
 #define CURL_VERSION_MULTI_SSL    (1<<22) /* Multiple SSL backends available */
 #define CURL_VERSION_BROTLI       (1<<23) /* Brotli features are present. */
 #define CURL_VERSION_ALTSVC       (1<<24) /* Alt-Svc handling built-in */
+#define CURL_VERSION_HTTP3        (1<<25) /* HTTP3 support built-in */
 
  /*
  * NAME curl_version_info()
@@ -2868,4 +2879,4 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask);
 #endif /* __STDC__ >= 1 */
 #endif /* gcc >= 4.3 && !__cplusplus */
 
-#endif /* __CURL_CURL_H */
+#endif /* CURLINC_CURL_H */

vendor/curl/include/curl/curlver.h

@@ -1,5 +1,5 @@
-#ifndef __CURL_CURLVER_H
-#define __CURL_CURLVER_H
+#ifndef CURLINC_CURLVER_H
+#define CURLINC_CURLVER_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.65.3"
+#define LIBCURL_VERSION "7.66.0"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 65
-#define LIBCURL_VERSION_PATCH 3
+#define LIBCURL_VERSION_MINOR 66
+#define LIBCURL_VERSION_PATCH 0
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@@ -57,7 +57,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x074103
+#define LIBCURL_VERSION_NUM 0x074200
 
 /*
  * This is the date and time when the full source package was created. The
@@ -68,10 +68,10 @@
  *
  * "2007-11-23"
  */
-#define LIBCURL_TIMESTAMP "2019-07-19"
+#define LIBCURL_TIMESTAMP "2019-09-11"
 
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \
   (LIBCURL_VERSION_NUM >= CURL_VERSION_BITS(x, y, z))
 
-#endif /* __CURL_CURLVER_H */
+#endif /* CURLINC_CURLVER_H */

vendor/curl/include/curl/easy.h

@@ -1,13 +1,13 @@
-#ifndef __CURL_EASY_H
-#define __CURL_EASY_H
+#ifndef CURLINC_EASY_H
+#define CURLINC_EASY_H
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
  *                             / __| | | | |_) | |
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms