2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	Update NEWS file for new release

2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix cookie injection (CVE-2018-0494)
	* src/http.c (resp_new): Replace \r\n by space in continuation lines

	Fixes #53763
	 "Malicious website can write arbitrary cookie entries to cookie jar"

	HTTP header parsing left the \r\n from continuation line intact.
	The Set-Cookie code didn't check and could be tricked to write
	\r\n into the cookie jar, allowing a server to generate cookies at will.

2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/Test-https-weboftrust.px: Skip test, needs cert regen

	Fix make syntax-check
	* cfg.mk: Add fuzzer reproducers to exception list
	* po/POTFILES.in: Add src/spider.c

	Fix HTTPS tests
	* tests/Test-https-badcerts.px: Fix test return value
	* tests/Test-https-crl.px: Likewise
	* README: How to create certs with GnuTLS's certtool
	* tests/certs/revokedcrl.pem: Recreated revocation
	* tests/certs/server.crt: Recreated server cert with no expiry
	* tests/certs/test-ca-cert.pem: Recreated CA cert with no expiry

	* src/init.c: Bring new --ciphers into right order in options array

2018-05-05  Ander Juaristi  <a@juaristi.eus>

	* doc/wget.texi: Add description for --ciphers

2018-05-05  Ander Juaristi  <a@juaristi.eus>

	OpenSSL: Better seeding of PRNG
	 * src/openssl.c (init_prng): keep gathering entropy even though we
	                              already have enough
	   (ssl_connect_with_timeout_callback): reseed PRNG again just before
	                                        the handshake

	Reported-by: Jeffrey Walton <noloader@gmail.com>

2018-05-05  Ander Juaristi  <a@juaristi.eus>

	Enhance SSL/TLS security
	This commit hardens SSL/TLS a bit more in the following ways:

	 * Explicitly exclude NULL authentication and the 'MEDIUM' cipher list
	   category. Ciphers in the 'HIGH' level are only considered - this
	   includes all symmetric ciphers with key lengths larger than 128 bits,
	   and some ('modern') 128-bit ciphers, such as AES in GCM mode.
	 * Allow RSA key exchange by default, but exclude it when
	   Perfect Forward Secrecy is desired (with --secure-protocol=PFS).
	 * Introduce new option --ciphers to set the cipher list that the SSL/TLS
	   engine will favor. This string is fed directly to the underlying TLS
	   library (GnuTLS or OpenSSL) without further processing, and hence its
	   format and syntax are directly dependent on the specific library.

	Reported-by: Jeffrey Walton <noloader@gmail.com>

2018-04-28  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/netrc.c (parse_netrc_fp): Fix two memleaks

	Add new fuzzer for the .netrc parser
	* fuzz/wget_netrc_fuzzer.c: New fuzzer
	* fuzz/wget_netrc_fuzzer.dict: Fuzzer dictionary
	* fuzz/wget_netrc_fuzzer.in: Initial corpora
	* src/ftp.c (getftp): Amend call to search_netrc()
	* src/http.c (initialize_request): Likewise
	* src/netrc.c: Cleanup, prepare code for fuzzing
	* src/netrc.h: Cleanup

2018-04-27  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/utils.c (match_tail): Fix unsigned integer overflow

	Add new fuzzer for the Set-Cookie parser
	* fuzz/Makefile.am: Add wget_cookie_fuzzer
	* fuzz/wget_cookie_fuzzer.c: New fuzzer
	* fuzz/wget_cookie_fuzzer.dict: Fuzzers dictionary
	* fuzz/wget_cookie_fuzzer.in: Initial corpora

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix buffer overflow in CSS parser
	* src/css-url.c (get_uri_string): Check input length
	* fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856:
	  Add reproducer corpus

	Fixes OSS-Fuzz issue #8033.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix buffer overflow in CSS parser
	* src/css-url.c (get_urls_css): Check input string length
	* fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240:
	  Add reproducer corpus

	Fixes OSS-Fuzz issue #8032.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Exclude fuzz corpora from tarball
	* fuzz/Makefile.am: Do not include corpora in tarball
	* fuzz/main.c: SKIP if corpora directory isn't found (make check)

	The fuzz corpora are thousands of files, not needed for a standard build
	from a distribution tarball. The reproducers of former issues are being
	included for regression testing.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/Makefile.am: Add -I/src to AM_CPPFLAGS

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add CSS slowness reproducer (fixed)
	* fuzz/wget_css_fuzzer.repro/slowness-6275836549267456: New file

	This file created an extreme CPU usage with the old CSS parser.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Update CSS grammar from 1.x to 2.2
	* src/css-tokens.h: Add enums and fixate values
	* src/css.l: Include config.h,
	  ignore several compiler warnings,
	  update the grammar to CSS 2.2

	Fixes OSS-Fuzz issue #8010 (slowness issue).
	This is a long standing bug affecting all versions <= 1.19.4.

	Some crafted CSS input was extremely slow / CPU wasting, so it could
	be used as a DOS attack against website scanning.

	The code/grammar changes were backported from Wget2.x.

2018-04-25  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/res.c (add_path): Fix memleak (parsing robots.txt)
	Fixes OSS-Fuzz issue #8005.
	This is a long standing bug affecting all versions <= 1.19.4.

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix integer overflow
	Fixes OSS-Fuzz issue #7999.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-24  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add new fuzzer for the URL parser
	* fuzz/Makefile.am: Add wget_url_fuzzer
	* fuzz/wget_url_fuzzer.c: New fuzzer
	* fuzz/wget_url_fuzzer.in: Initial corpora

	Add new fuzzer for robots.txt parsing
	* fuzz/Makefile.am: Add wget_robots_fuzzer
	* fuzz/wget_robots_fuzzer.c: New fuzzer
	* fuzz/wget_robots_fuzzer.in: Initial corpora

	* fuzz/README.md: Add CFLAGS for undefined sanitizer

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix integer overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix integer overflow by left shift

	* src/ftp-ls.c (ftp_parse_unix_ls): Fix integer overflow in date parsing

2018-04-22  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix heap-buffer-overflow
	Fixes OSS-Fuzz issue #7931.
	This is a long standing bug affecting all versions <= 1.19.4.

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix heap-buffer-overflow
	Fixes OSS-Fuzz issue #7930.
	This is a long standing bug affecting all versions <= 1.19.4.

	* fuzz/wget_ftpls_fuzzer.in: Update corpora

2018-04-21  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/ftp-ls.c (eat_carets): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix memleak

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix memleak

	Add new fuzzer for the FTP listing parsers
	* fuzz/Makefile.am: Add wget_ftpls_fuzzer
	* fuzz/wget_ftpls_fuzzer.c: New fuzzer
	* fuzz/wget_ftpls_fuzzer.dict: Fuzzer dictionary
	* fuzz/wget_ftpls_fuzzer.in/starter: Starting corpus
	* src/ftp-ls.c: Parsing functions take FILE * as argument,
	  new function ftp_parse_ls_fp()
	* src/ftp.c: Remove static from freefileinfo()
	* src/ftp.h: Add ftp_parse_ls_fp() and freefileinfo()

	* fuzz/run-clang.sh: Remove -detect_leaks=0 from fuzzer command line

	* src/main.c (main): Fix memleak for fuzzing/testing

	* src/init.c: Fix fuzzing in case ~/.wgetrc doesn't exist

2018-04-20  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix fuzzer build for C++
	* fuzz/wget_css_fuzzer.c: Include wget.h outside 'extern "C"',
	  undef fopen_wgetrc directly after wget.h
	* fuzz/wget_html_fuzzer.c: Likewise

	* fuzz/Makefile.am: Add -I/lib to oss-fuzz builds

	Add new HTML parser fuzzer
	* fuzz/Makefile.am: Add wget_html_fuzzer
	* fuzz/wget_html_fuzzer.c: New fuzzer
	* fuzz/wget_html_fuzzer.dict: HTML dictionary for fuzzing
	* fuzz/wget_html_fuzzer.in: Initial corpora
	* src/html-url.c: Add new function get_urls_html_fm()
	* src/html-url.h: Add new function get_urls_html_fm()
	* src/wget.h: Fix define for fopen_wgetrc()

	* fuzz/wget_css_fuzzer.c: Fix build

	* fuzz/wget_css_fuzzer.in/*: Update fuzzer corpora

	* src/css-url.c (get_uri_string): Fix buffer overflow (read)

	* src/iri.h: Fix C++ compile error

2018-04-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c: Download and scan CSS files in spider mode

	* src/css-url.c (get_urls_css): Call yylex_destroy() to reset CSS scanner

	Add new fuzzer wget_css_fuzzer.c
	* fuzz/Makefile.am: Add wget_css_fuzzer.c
	* fuzz/wget_css_fuzzer.c: New fuzzer

2018-04-18  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/html-url.h: Include needed header files

	* wget_options_fuzzer.in/*: Update fuzzer corpora

	* fuzz/README.md: Add CXXFLAGS and more configure options

	Fix oss-fuzz issue with exit()
	* src/wget.h: Define exit() as exit_wget()
	* fuzz/wget_options_fuzzer.c: Implement exit_wget() and cleanup

2018-04-17  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/wget_options_fuzzer.c: Declare fopen_* as C functions

	Fix fopen/stdin issues with fuzzing
	* fuzz/wget_options_fuzzer.c: Add fopen_wget() and fopen_wgetrc()
	* src/utils.c: Use fopen_wgetrc() for config files,
	  don't read from stdin when fuzzing
	* src/wget.h: Define fopen as fopen_wget when fuzzing,
	  define fopen_wgetrc as fopen when not fuzzing

	* configure.ac: AC_DEFINE FUZZING if --enable-fuzzing was given

	* fuzz/wget_options_fuzzer.c: Write fuzzer crash reports

	* src/log.c: Don't check_redirect_output() when fuzzing

	* src/main.c (promt_for_password): Avoid getpass() when fuzzing

	Fix double fclose() with -d while fuzzing
	* src/ftp.c (ftp_loop_internal): Set warc_tmp to NULL after ffclose()
	* src/init.c (cleanup): Set output_stream to NULL after fclose()
	* src/log.c (log_close): Set global stream vars to NULL after closing
	* src/recur.c (retrieve_tree): Set rejectedlog to NULL after closing
	* src/warc.c (warc_close): Set stream vars to NULL after closing

	* src/main.c (main): Don't background if TESTING

	* src/init.c (initialize): Return error, don't exit()

2018-04-16  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/init.c (cmd_use_askpass): Return false on error

	* src/utils.c (compile_posix_regex): Hard-code string to regcomp
	regcomp() may be too cpu + memory intensive for fuzzing.
	See https://sourceware.org/glibc/wiki/Security%20Exceptions

	Fix 2 more memleaks
	* src/init.c (initialize): Use global var for wgetrc filename
	* src/iri.c (find_locale): Return strdup'ed locale string
	* src/options.h (struct options): Add wgetrcfile

	* src/init.c (cleanup): Set output_stream to NULL after closing

	Fix homedir memory leaks
	* src/hsts.c: Use opt.homedir
	* src/init.c: Likewise
	* src/main.c: Likewise
	* src/netrc.c: Likewise
	* src/options.h (struct options): Add homedir

	* src/main.c (main): Free opt.encoding_remote properly

	* src/host.c (wait_ares): Free ptimer

	* src/init.c (cleanup): Free regex objects properly

	* src/init.c (cleanup): Never call cleanup() twice

	* src/init.c (cmd_bytes_sum): Fix integer over- and underflow

	* src/main.c (save_hsts): Free hsts_store after closing

	Use strtol() instead of selfmade function
	* src/init.c (cmd_number): Use strtol() instead of selfmade function
	* bootstrap.conf: Add strtol gnulib module

	* src/hsts.c (hsts_hash_func): Allow integer overflow

	* init.c (cmd_spec_mirror): Fix uninitialized stack variable

	* src/init.c (cleanup): Free more variables

	* wget_options_fuzzer.in: Add corpora directory

	* fuzz/wget_options_fuzzer.c: Suppress error messages from wget

	* src/utils.c (fopen_stat): Early return to allow fuzzing/fmemopen

	* src/init.c (initialize): Free mem before exit()

	Add OSS-Fuzz infrastructure
	* Makefile.am: Add fuzz/ to SUBDIRS
	* cfg.mk: Fix 'make syntax-check'
	* configure.ac: Add --enable-fuzzing
	* fuzz/Makefile.am: New file
	* fuzz/README.md: New file
	* fuzz/fuzzer.h: New file
	* fuzz/get_all_corpora: New file
	* fuzz/get_ossfuzz_corpora: New file
	* fuzz/glob_crash.c: New file
	* fuzz/main.c: New file
	* fuzz/run-afl.sh: New file
	* fuzz/run-clang.sh: New file
	* fuzz/view-coverage.sh: New file
	* fuzz/wget_options_fuzzer.c: New file
	* fuzz/wget_options_fuzzer.dict: New file
	* src/init.c (cleanup): Free more resources
	* src/main.c (init_switches): Initialize only once,
	  (print_usage): Don't print if TESTING is defined
	* src/utils.h: Include wget.h

2018-04-05  Tim Rühsen  <tim.ruehsen@gmx.de>

	Move unit-test code to tests/
	* src/Makefile.am: Remove test.c and test.h
	* src/test.c: Rename to tests/unit-tests.c
	* src/test.h: Rename to tests/unit-tests.h
	* tests/Makefile.am: Add unit-tests.c and unit-tests.h
	* src/hsts.c: Amend #include
	* src/http.c: Likewise
	* src/init.c: Likewise
	* src/metalink.c: Likewise
	* src/res.c: Likewise
	* src/url.c: Likewise
	* src/utils.c: Likewise

	* src/main.c: Rename main() -> main_wget() for unit tests

2018-03-14  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix some issues found by 'infer'

2018-03-08  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/openssl.c: Fix build for OpenSSL 1.1.0 without TLS1_3_VERSION

	Add docs for --secure-protocol=TLSv1_3
	* doc/wget.texi: Likewise

2018-03-08  Loganaden Velvindron  <logan@hackers.mu>  (tiny change)

	Add TLS1.3 support for OpenSSL build
	* src/init.c: Add 'tlsv1_3 for --secure-protocol
	* src/openssl.c (ssl_init): Enable TLS1.3 if possible
	* src/options.h: Add secure_protocol_tlsv1_3
	* doc/wget.texi: Add description of TLSv1_3

2018-03-07  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/main.c: Add help text for --retry-on-http-error
	Reported-by: Giovanni Tirloni

2018-03-01  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/url.c (convert_fname): Fix invalid free on iconv_open() failure
	Reported-by: Volkmar Klatt

2018-02-21  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/mswindows.c: Fix prototype of fork_to_background()
	Reported-by: Gisle Vanem

2018-02-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix warning to not print binary IP address
	* tests/Test-https-badcerts.px: Likewise
	* tests/Test-https-clientcert.px: Likewise
	* tests/Test-https-crl.px: Likewise
	* tests/Test-https-pfs.px: Likewise
	* tests/Test-https-selfsigned.px: Likewise
	* tests/Test-https-tlsv1.px: Likewise
	* tests/Test-https-tlsv1x.px: Likewise
	* tests/Test-https-weboftrust.px: Likewise

	Use gnulib's utime()
	* bootstrap.conf: Add modules utime and utime-h
	* src/utils.c (touch): Remove own code for gnulib's utime()

2018-02-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix logging in background mode
	* ../src/main.c: Re-init logfile if changed for background mode
	* ../src/utils.c: fork_to_background() returns whether logfile changed
	* ../src/utils.h: Set return type bool for fork_to_background()

	Fixes: #53020
	Reported-by: Noël Köthe

2018-02-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c: Fix two typos in comments

2018-01-31  Tim Rühsen  <tim.ruehsen@gmx.de>

	* testenv/conf/expected_files.py: Ignore pubring.gpg
	Reported-by: Arkadiusz Miśkiewicz

	* bootstrap.conf: Replace gnulib module gettext by gettext-h

2018-01-22  Tim Rühsen  <tim.ruehsen@gmx.de>

	Mention list and bugtracker for --help and in man page
	* doc/wget.texi: Mention list and bugtracker in man page
	* src/main.c: Mention list and bugtracker for --help

2018-01-21  Darshit Shah  <darnir@gnu.org>

	* contrib/make-release: Add another release script

	Update NEWS file for new release

	Fix typo in documentation

2018-01-21  Darshit Shah  <darnir@gnu.org>

	Switch off compression by default
	Gzip compression has a number of bugs which need to be ironed out before
	we can support it by default. Some of these stem from a misunderstanding
	of the HTTP spec, but a lot of them are also due to many web servers not
	being compliant with RFC 7231.

	With this commit, I am marking GZip compression support as experimental
	in GNU Wget pending further investigation and the addition of tests.

	* src/init.c (defaults): Switch off compression support by default
	* docs/wget.texi: State that compression is experimental

2018-01-21  Darshit Shah  <darnir@gnu.org>

	Pull gnulib module forward

	Revert "* src/init.c (defaults): Set compression_none as the default compression"
	This reverts commit 8283ac08467016283277578b96533febb8ce1adb.

	* src/init.c (defaults): Set compression_none as the default compression

2018-01-20  Reiji  <gey3dr@gmail.com>

	* src/http.c (gethttp): Fix bug that prevented all files from being decompressed

2018-01-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/host.c (sufmatch): Fix to domain matching

2018-01-17  Gisle Vanem  <gvanem@yahoo.no>

	* src/netrc.c: Fix Standalone compilation of netrc file

2018-01-14  Darshit Shah  <darnir@gnu.org>

	* NEWS: Update NEWS file for new release

	* bootstrap: Use the faster gnulib-tool.py script if possible

	Sync the bootstrap script from gnulib

	Update Copyright years

	Replace HTTP urls with HTTPS where valid

	Update gnulib

	* src/netrc.c: Search for the correct netrc file on Windows

2018-01-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c: Exclude *.gz and *.tgz from decompression

2017-12-31  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/utils.c (wg_pin_peer_pubkey): Fix format warning

2017-12-31  Peter Wu  <peter@lekensteyn.nl>

	Avoid redirecting output to file when tcgetpgrp fails
	* src/log.c (check_redirect_output): tcgetpgrp can return -1 (ENOTTY),
	be sure to check whether a valid controlling terminal exists before
	redirecting.

	Fixes: #51181

2017-12-11  Darshit Shah  <darnir@gnu.org>

	Add new test for 416 responses
	* testenv/server/http/http_server.py: If there are multiple requests in
	which the requested range is unsatisfiable, then send a body in the
	2nd response onwards
	* testenv/Test-416.py: New test to check how Wget handles 416 responses

2017-12-08  Darshit Shah  <darnir@gnu.org>

	Don't assume a 416 response has no body
	* http.c(gethttp): In case of a 416 response, try to drain the socket of
	any bytes before reusing the connection

	Reported-By: Iru Cai <mytbk920423@gmail.com>

2017-11-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Support building with OpenSSL 1.1 w/o deprecated features
	* src/openssl.c (ssl_init): Fix code for the subject's issue

	Reported-by: Matthew Thode

2017-11-25  Tim Rühsen  <tim.ruehsen@gmx.de>

	Avoid link conversion after 304 Not Modified
	* src/http.c (gethttp): Handle 304 before setting document content type

	Fixes: #52404
	Reported-by: Ben Fuchs

2017-11-16  YX Hao  <lifenjoiner@163.com>

	Fix printing multibyte chars as unprintable chars on Windows
	* src/log.c (get_warc_log_fp): Fix return value to stderr
	* src/main.c (main): Init logging as soon as possible,
	  fix locale/charset on Windows

2017-11-16  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/Test-https-weboftrust.px: Fix/add sslport

2017-11-15  YX Hao  <lifenjoiner@163.com>

	Convert remote path to local encoding
	* src/url.c (url_file_name): Convert remote path to local encoding

2017-11-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	Do not use must-revalidate in Cache-Control header
	As the bug report states, 'must-revalidate' is a request directive.

	Fixes #52379

2017-11-06  Darshit Shah  <darnir@gnu.org>

	Fix Segfault due to dereferencing null ptr
	* src/http.c(gethttp): When Encoding is gzip, ensure that the
	Content-Type Header was actually seen. Without this, the "type" variable
	is null causing a Segfault.

	Reported-By: Noël Köthe <noel@debian.org>

2017-11-03  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c: Fix H_REDIRECTED

	* src/http.c: Add support for HTTP status code 308

2017-10-30  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix uninitialized value messages in tests
	* tests/Test-https-*.px: Use correct variable in error message

	Reported-by: Jeffrey Walton

2017-10-30  Tim Rühsen  <tim.ruehsen@gmx.de>

	Ignore dirmngr.conf, gpg.conf in test directories
	* testenv/conf/expected_files.py: Ignore dirmngr.conf, gpg.conf

	Libgpgme creates certain files if $HOME doesn't contain the .gnupg directory.
	These files disturb some metalink tests if we don't ignore them.

	Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>

2017-10-27  Tim Rühsen  <tim.ruehsen@gmx.de>

	* contrib/release: Cleanup, use lzip instead of xz

2017-10-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix heap overflow in HTTP protocol handling (CVE-2017-13090)
	* src/retr.c (fd_read_body): Stop processing on negative chunk size

	Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
	Reported-by: Juhani Eronen from Finnish National Cyber Security Centre

2017-10-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix stack overflow in HTTP protocol handling (CVE-2017-13089)
	* src/http.c (skip_short_body): Return error on negative chunk size

	Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
	Reported-by: Juhani Eronen from Finnish National Cyber Security Centre

2017-10-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Update for release 1.19.2
	* NEWS: Add news for 1.19.2
	* doc/wget.texi: Fix 1.20 to 1.19.2

2017-10-25  YX Hao  <lifenjoiner@163.com>

	Avoid unnecessary UTF-8 encoded fallback (trivial change)
	* src/retr.c (retrieve_url): Check for changed URL on redirect

2017-09-27  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add GNU extensions to .netrc parsing
	src/netrc.c (parse_netrc): Add 'port' and 'force' extensions

	Reported-by: September 20Tim Landscheidt

2017-09-18  Josef Moellers  <jmoellers@suse.de>

	Bail out on unexpected 416 server errors
	* src/http.c (gethttp): Stop on 416 if file is incomplete

2017-08-04  Tim Schlueter  <schlueter.tim@linux.com>

	Add gzip Content-Encoding decompression
	* src/http.c (struct http_stat): Add remote_encoding field.
	(read_response_body): Enable gzip decompression.
	(initialize_request): Send gzip Accept-Encoding header.
	(gethttp): Decompress files with gzip Content-Encoding.
	* src/retr.c: include zlib.h.
	(zalloc): New function.
	(zfree): New function.
	(fd_read_body): Decompress gzip data.
	* src/retr.h (fd_read_body enum): Add rb_compressed_gzip flag.

	Add --compression option
	* doc/wget.texi: Add --compression documentation.
	* src/init.c (cmd_spec_compression): New function.
	(commands[]): Add opt.compression.
	(defaults): Set default opt.compression value.
	* src/main.c (option_data[]): Add struct for --compression.
	(print_help, help[]): Add description for --compression.
	(main): Add incompatibility checks for --compression.
	* src/options.h (struct options): Add compression enum and field.

	Adjust Extension based on Content-Encoding
	* doc/wget.texi (--adjust-extension, adjust_extension): Updated documentation.
	* src/http.c (encoding_t): New enum.
	(struct http_stat): Add local_encoding field.
	(gethttp): --adjust-extension based on Content-Encoding.

2017-07-31  Darshit Shah  <darnir@gnu.org>

	Document gperf as a requirement

2017-07-28  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/url.c (url_scheme): Use ASCII version of strncasecmp

2017-07-28  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix misuse of strncasecmp
	* src/http.c (set_content_type): Use c_strcasecmp instead of strncasecmp

	See issue bug #51576

2017-07-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix python test suite for GnuTLS 3.5.12+
	* testenv/Test-*.py: Replace 127.0.0.1 by localhost
	* testenv/certs/server-template.cfg: Likewise
	* testenv/certs/server-cert.pem: Regenerate
	* testenv/certs/server-crl.pem: Likewise
	* testenv/test/base_test.py: Hardcode 'localhost' as server domain

	Reported-by: Ludovic Courtès <ludo@gnu.org>

2017-06-13  Tim Rühsen  <tim.ruehsen@gmx.de>

	Check for 304 response before applying --adjust-extension
	* src/http.c (gethttp): Move 304 code before --adjust-extension code

	This fixes applying --adjust-extension in combination with 304
	HTTP responses. It could lead to .html extensions to arbitrary
	files.

	Reported-by: anfractuosity

2017-06-13  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix buffer overflow in Public Key Pinning
	* src/utils.c (wget_base64_decode): Add param for destination size,
	  (wg_pubkey_pem_to_der): Amend call to wget_base64_decode(),
	  (wg_pin_peer_pubkey): Likewise and fix code style.
	* src/utils.h: Add param to wget_base64_decode()
	* src/http-ntlm.c (ntlm_input): Amend call to wget_base64_decode()
	* src/http.c (skip_content_type): Likewise

	Fixes #51227

2017-06-02  Tim Rühsen  <tim.ruehsen@gmx.de>

	* doc/wget.texi: Mention --no-config

2017-05-16  Tim Rühsen  <tim.ruehsen@gmx.de>

	* testenv/Test-recursive-basic.py: Check crawled files

	Fix two Metalink tests if $HOME is changed
	* conf/expected_files.py (gen_local_fs_snapshot): Skip processing
	  of 'pubring.kbx'

2017-05-15  Tomas Hozza  <thozza@redhat.com>

	Add command line option to disable use of .netrc
	Although internally code uses option for (not) reading .netrc for
	credentials, it was not possible to turn this behavior off on command
	line. Note that it was possible to turn it off using wgetrc.

	Idea for this change came from Bruce Jerrick (bmj001@gmail.com).
	Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1425097

2017-05-15  Tomas Hozza  <thozza@redhat.com>

	Fixed getting of credentials from .netrc
	There seemed to be a copy&paste error in http.c code, which decides
	whether to get credentials from .netrc. In ftp.c "user" and "pass"
	variables are char*, while in http.c, these are char**. For this reason
	they should be dereferenced when determining if password and user login
	is set to some value.

	Also since both variables are dereferenced on lines above the changed
	code, it does not really make sense to check if they are NULL.

	This patch is based on fix from Bruce Jerrick <bmj001@gmail.com>.
	Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1425097

2017-05-15  Tomas Hozza  <thozza@redhat.com>

	Added tests for HTTP authentication using credentials from .netrc
	Getting credentials from .netrc has been broken from time to time, thus
	adding a test coverage to prevent regressions.

	Also added setting of "HOME" environment variable when executing wget,
	to make sure LocalFiles like .netrc, which are created just for the
	test, are actually used.

2017-05-15  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix Test-https-badcerts.px
	* util/createcerts.sh: Set date of invalid cert to +20 years
	* tests/certs/invalid.crt: Re-generated
	* tests/certs/invalid.key: Re-generated

2017-05-14  Tim Rühsen  <tim.ruehsen@gmx.de>

	* util/createcerts.sh: Fix double equal (syntax-check)

	Fix Test-https-badcerts.px to work with GnuTLS
	* tests/Test-https-badcerts.px: Remove OpenSSL requirement
	* tests/certs/expired.crt: Re-created with valid dates
	* tests/certs/expired.key: Likewise
	* tests/certs/invalid.crt: Likewise
	* tests/certs/invalid.key: Likewise

2017-05-14  Vijo Cherian  <codervijo@gmail.com>

	New shell script to create the certs and keys required for TLS tests
	* util/createcerts.sh: New file

2017-05-11  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix HTTPS testing for stricter OpenSSL
	* testenv/certs/README: Amend cert creation extensions
	* testenv/certs/ca-cert.pem: Created without OCSP signing purpose

	Having the OCSP signing purpose set made newer versions of OpenSSL
	fail due to stricter checking. Test version of OpenSSL was 1.1.0e.

2017-05-11  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/iri.c (idn_encode): Better IDNA 2003 compatibility

2017-05-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .gitlab-ci.yml: Also test OpenSSL build

	* .gitlab-ci.yml: Remove installation of texlive

2017-05-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add certs/wotca.pem to avoid temp. file creation
	* tests/certs/wotca.pem: New file
	* tests/Test-https-weboftrust.px: Remove creation of wotca.pem

	This change lets Test-https-weboftrust.px survive VPATH builds.

2017-05-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	* cfg.mk: Exclude ^tests/certs/.* from syntax-check

	* po/POTFILES.in: Remove spider.c (syntax-check)

	* tests/Test-https-selfsigned.px: Add newline at EOF (syntax-check)

2017-05-10  Vijo Cherian  <codervijo@gmail.com>

	Removed all uses of temp files. Added needed files to GIT

	Made CRL related files in the repo, instead of trying to generate them

2017-05-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Cleanup on exit in Test-https-*.px
	* tests/Test-https-*.px: Cleanup on exit

	Auto-generate interca.conf and rootca.conf
	* configure.ac: Add interca.conf.in and rootca.conf.in to AC_CONFIG_FILES
	* tests/certs/interca.conf: Removed
	* tests/certs/rootca.conf: Removed
	* tests/certs/interca.conf.in: New file
	* tests/certs/rootca.conf.in: New file

	Fix path and VPATH issues of new https/TLS tests
	* tests/SSLTest.pm: Use $srcdir in read-only files,
	  (_setup_server): Remove unneeded path fixation code
	* tests/Test-https-*.px: Use $srcdir for read-only files,
	  use $cdir for writable files
	* tests/certs/interca.conf: Adjust paths
	* tests/certs/rootca.conf: Adjust paths

	Check for test server name resolution in tests
	* tests/Test-https-*.px: Skip if test server name resolution fails

	* tests/Makefile.am: Enable Test-https-badcerts again

	Fix WgetFeature.pm to allow multiple required features
	* tests/WgetFeature.cfg: Remove file
	* tests/WgetFeature.pm: Extend to multiple features, cleanup

	* .gitlab-ci.yml: Add wgettestingserver to /etc/hosts

	* tests/SSLServer.pm: Check for IO::Socket::SSL

	* tests/Test-https-*: Change server port to <= 32767

	Move https test server ports from >32767 to <= 32767
	* Test-https-badcerts.px: Change port
	* Test-https-crl.px: Likewise
	* Test-https-weboftrust.px: Likewise

	* tests/Makefile.am: Add SSLTest.pm and SSLServer.pm to EXTRA_DIST

	* tests//Makefile.am: Disable Test-https-badcerts.px

	Add Gitlab CI (Debian)
	* .gitlab-ci.yml: New file

2017-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .travis.yml: Use trusty for libidn2-dev

2017-05-04  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/certs/test-ca-key.pem: Add newline at EOF

	Add static HOSTSALIAS file
	* tests/certs/wgethosts: New file
	* tests/Test-https-*.px: Remove creation of wgethosts file

2017-05-04  Vijo Cherian  <codervijo@gmail.com>

	Added new tests for SSL
	* tests/Test-https-badcerts.px : New file
	* tests/Test-https-clientcert.px : New file
	* tests/Test-https-crl.px : New file
	* tests/Test-https-weboftrust.px : New file
	* tests/certs/interca.conf : New file
	* tests/certs/rootca.conf : New file
	* tests/certs/test-ca-key.pem : New file

	Added all new SSL / HTTPS tests to make check
	Added Test for SSL Web of Trust, accept only if CA chain of trust is intact.
	Added a test script for client certificate
	Added Test for crlfile option of wget
	Added test to make sure that wget doesn't accept expired or invalid certs

	Some clean up : 1, Removed cause of warnings from perl & other cosmetic changes
	                2, Fix  make -j 4 check such that it passes all tests

2017-05-04  Tomas Hozza  <thozza@redhat.com>

	Mention TLSv1_1 and TLSv1_2 as secure-protocol values in help
	* src/main.c: The --secure-protocol option accepts also values TLSv1_1
	and TLSv1_2, as mentioned in the man page. However the help message
	doesn't mention these two values. This patch adds TLSv1_1 and TLSv1_2 as
	possible values to the help message.

2017-05-03  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c (gethttp): Support Wayback Machine's X-Archive-Orig-last-modified

2017-04-28  Vijo Cherian  <codervijo@gmail.com>

	Added new tests for SSL
	* tests/Test-https-badcerts.px : New file
	* tests/Test-https-clientcert.px : New file
	* tests/Test-https-crl.px : New file
	* tests/Test-https-weboftrust.px : New file
	* tests/certs/interca.conf : New file
	* tests/certs/rootca.conf : New file
	* tests/certs/test-ca-key.pem : New file

	Added all new SSL / HTTPS tests to make check
	Added Test for SSL Web of Trust, accept only if CA chain of trust is intact.
	Added a test script for client certificate
	Added Test for crlfile option of wget
	Added test to make sure that wget doesn't accept expired or invalid certs

	Some clean up : Removed cause of warnings from perl & other cosmetic changes

2017-04-19  Vijo Cherian  <codervijo@gmail.com>

	Added new tests for SSL
	* tests/SSLServer.pm: New file
	* tests/SSLTest.pm: New file
	* tests/Test-https-pfs.px: New file
	* tests/Test-https-selfsigned.px: New file
	* tests/Test-https-tlsv1.px: New file
	* tests/Test-https-tlsv1x.px: New file
	* tests/certs/server.crt: New file
	* tests/certs/server.key: New file
	* tests/certs/test-ca-cert.pem: New file

	Added 4 new test scripts all for SSL.
	Added base pm for SSL testing.
	Added SSL tests for TLSv1, TLSv1_1 and PFS.
	Added test for self signed cert : check that it fails without
	--no-check-certificate and passes with that flag.

2017-04-18  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/utils.c: Remove non-portable __builtin_unreachable()

2017-04-18  Tim Rühsen  <tim.ruehsen@gmx.de>

	Skip iconv() usage if HAVE_ICONV is not defined
	This helps on broken iconv implementations, e.g. Solaris.

	Reported-by: Mojca Miklavec

2017-04-18  Tim Rühsen  <tim.ruehsen@gmx.de>

	Mention 'bash' for executing ./bootstrap
	Reported-by: Mojca Miklavec

