2019-04-05  Darshit Shah  <darnir@gnu.org>

	* NEWS: Update NEWS for new release

2019-04-05  Tim Ruehsen  <tim.ruehsen@gmx.de>

	Fix a buffer overflow vulnerability
	* src/iri.c(do_conversion): Reallocate the output buffer to a larger
	  size if it is already full

2019-04-05  Darshit Shah  <darnir@gnu.org>

	* NEWS: Update NEWS for new release

2019-04-03  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/openssl.c (ssl_init): Check for X509_V_FLAG_PARTIAL_CHAIN

2019-04-01  Darshit Shah  <darnir@gnu.org>

	* gnulib: Pull forward

2019-03-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/main.c (test_all_from): Fix indentation

2019-03-25  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix corner case in processing server response
	* src/http.c (response_head_terminator): Don't access uninitialized data
	* fuzz/wget_read_hunk_fuzzer.c: Sync response_head_terminator()

	Add new fuzzer wget_read_hunk_fuzzer.c
	* fuzz/Makefile.am: Add wget_read_hunk_fuzzer
	* fuzz/wget_read_hunk_fuzzer.c: New file
	* fuzz/wget_read_hunk_fuzzer.in/*: Fuzz corpora
	* src/connect.c: Add connect_cleanup()
	* src/connect.h: Add prototype for connect_cleanup()

2019-03-03  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/wget_netrc_fuzzer.c: Fix fuzzer

	* fuzz/wget_ftpls_fuzzer.c: Fix fuzzer

2019-02-22  Jeffrey Walton  <noloader@gmail.com>

	* src/openssl.c (ssl_init): Trust partial cert chain

2019-02-20  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/ftp-ls.c (ftp_parse_vms_ls): Use snprintf instead of strcpy/strcat

2019-02-19  Darshit Shah  <darnir@gnu.org>

	* src/html-url.c(get_urls_html_fm): Add message in verbose mode with no-follow attribute

2019-02-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix fuzz/ tests for OpenBSD
	* fuzz/wget_*_fuzzer.c: Take care when calling exit()

	* fuzz/Makefile.am: Remove hard-coded gcc flags

	Fix STDERR closing/restoring in fuzzers
	* fuzz/fuzzer.h: Add CLOSE_STDERR and RESTORE_STDERR
	* fuzz/wget_*_fuzzer.c: Use CLOSE_STDERR and RESTORE_STDERR

	* configure.ac: Rearrange AM_ICONV before gl_INIT

2019-02-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	Do not hard-code -ldl in fuzz/Makefile.am
	* configure.ac: Search for dlopen and add library to $FUZZ_LIBS
	* fuzz/Makefile.am: Link with $FUZZ_LIBS instead of -ldl

	This fixes linking on BSD systems.

	Reported-by: Nam Nguyen

2019-02-14  Tim Rühsen  <tim.ruehsen@gmx.de>

	* doc/wget.texi: Correct --logfile -> --output-file

2019-02-10  Darshit Shah  <darnir@gnu.org>

	Update gnulib

	Update copyright statements

2019-01-23  Leon Klingele  <git@leonklingele.de>  (tiny change)

	docs: --no-cache also sets the 'Cache-Control: no-cache' header
	* doc/wget.texi: Add Cache-Control to docs
	* src/wget.h: Add Cache-Control to comment of SEND_NOCACHE

2019-01-20  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .gitlab-ci.yml: Add minimal build

	* src/init.c (cleanup): Check HAVE_HSTS
	Reported-by: Simon Dales

2018-12-31  André Wolski  <andre@dena-design.de>

	NTLM restart authentication (trivial change)
	* src/http-ntlm.c (ntlm_input): Continue on NTLMSTATE_LAST,
	  error on NTLMSTATE_TYPE3

	The code comes from the cURL project. Thanks to Daniel Stenberg
	for donating the code.

	https://lists.gnu.org/archive/html/bug-wget/2018-12/msg00030.html

2018-12-28  Tim Rühsen  <tim.ruehsen@gmx.de>

	* contrib/spell-checker: Remove trailing whitespace

	Fix typos detected by codespell (via contrib/spell-checker)

	* contrib/spell-checker: Add script for spell checking

2018-12-27  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/Makefile.am: Fix order of libraries for linking

	* src/wget.h: #undef _Noreturn when building with C++

	* src/gnutls.c (ssl_connect_wget): Fix call to gnutls_set_default_priority()

2018-12-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	* NEWS: Add release changes for 1.20.1

2018-12-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Don't save user/pw with --xattr
	Also the Referer info is reduced to scheme+host+port.

	* src/ftp.c (getftp): Change params of set_file_metadata()
	* src/http.c (gethttp): Change params of set_file_metadata()
	* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
	  reduce Referer value to scheme/host/port.
	* src/xattr.h: Change prototype of set_file_metadata()

2018-12-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Don't use extended attributes (--xattr) by default
	* src/init.c (defaults): Set enable_xattr to false by default
	* src/main.c (print_help): Reverse option logic of --xattr
	* doc/wget.texi: Add description for --xattr

	Users may not be aware that the origin URL and Referer are saved
	including credentials, and possibly access tokens within
	the urls.

2018-12-13  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .travis.yml: Email to wget-dev instead bug-wget mailing list

2018-11-30  Darshit Shah  <darnir@gnu.org>

	* NEWS: Prepare for new version

2018-11-13  Darshit Shah  <darnir@gnu.org>

	* contrib/make-release: Add a small checklist for pending tasks

	Prepare NEWS for new release

	* configure.ac: gnulib now expects autoconf >=2.63

	* gnulib: Update library

2018-11-13  Jay Satiro  <raysatiro@yahoo.com>

	* src/init.c: Stop freeing the pointer returned by ws_mypath()
	.. since ws_mypath() saves the address it returns in a static pointer
	for reuse, to also be returned in later calls.

2018-11-13  Darshit Shah  <darnir@gnu.org>

	* src/ftp.c(ftp_retrieve_glob): Honor {accept,reject}-regex switches as well

	* src/ftp.c (ftp_retrieve_glob): Refactor to prevent looping over listing multiple times

2018-11-11  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .gitlab-ci.yml: Split into GnuTLS and OpenSSL build

	* Makefile.am: dist clean po/stamp-po

	Remove auto-generated files from po/

	Add VPATH build

2018-11-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Revert "Bail out on unexpected 416 server errors"
	This reverts commit 6f3b9959935ad7640bcf48a0a93848ed25ff8963.

	The code is obviously wrong, see https://savannah.gnu.org/bugs/?54963
	Also, the example from the original post doesn't work any more.
	With other words, the broken server behavior has been fixed meanwhile.

2018-11-09  Rosen Penev  <rosenp@gmail.com>  (tiny change)

	openssl: Do not use engines when OpenSSL does not support
	* src/openssl.c: Check for OPENSSL_NO_ENGINE before
	 including openssl/engine.h and before calling ENGINE_load_builtin_engines()

	Fixes compilation with no engines compiled.

2018-11-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix HTTPS Perl tests
	* tests/SSLTest.pm: Rename server cert and key file
	* tests/Test-https*.px: Fix and remove OpenSSL hard-coding
	* tests/certs/create-certs.sh: Script to generate test files
	* tests/certs/*-template.txt: GnuTLS template files for certs and crl
	* tests/certs/*.pem: Keys, certs, crls
	* tests/certs/README: Removed commands, link to create-certs.sh

2018-10-28  Kapus, Timotej  <timotej.kapus13@imperial.ac.uk>  (tiny change)

	Replace some loops with string.h functions
	* src/init.c: Replace loop with strspn
	* src/url.c: Replace loop with strrchr

2018-10-26  Luiz Angelo Daros de Luca  <luizluca@gmail.com>  (tiny change)

	* .gitmodules: Use https:// instead of git:// for gnulib
	git:// does not work over http proxy

	* src/host.c (sufmatch): Fix dot-prefixed domain matching
	Current sufmatch does not match when domain is dot-prefixed.
	The example of no_proxy in man (.mit.edu) does use a dot-prefixed
	domain.

2018-10-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/convert.c (convert_links): Fix fallthrough

2018-10-22  Darshit Shah  <darnir@gnu.org>

	* bootstrap: Update script from gnulib

	* gnulib: Update library

2018-10-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	* .lgtm.yml: New file to add LGTM to Gitlab.com CI

2018-10-16  Tim Rühsen  <tim.ruehsen@gmx.de>

	* configure.ac: Fix build issue with libgpgme

2018-10-14  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/*_fuzzer.in/*: Update fuzzer corpora

2018-10-08  Nikos Mavrogiannopoulos  <nmav@redhat.com>

	Enable post-handshake auth under gnutls on TLS1.3

2018-09-20  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c (resp_new): Fix code to avoid false positive by clang

	* src/convert.c (convert_links): Fix code to avoid false positive by clang

2018-09-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add support for PCRE2 pattern matching
	* configure.ac: Check for libpcre2-8
	* src/init.c (choices): Test for HAVE_LIBPCRE2
	* src/main.c (main): Set regex compile and match functions
	* src/options.h: Test for HAVE_LIBPCRE2
	* src/utils.c: Include pcre2.h, add functions
	  compile_pcre2_regex() and match_pcre2_regex()
	* src/utils.h: Declare compile_pcre2_regex() and match_pcre2_regex()

	Fixes #54677
	Reported-by: Noël Köthe

2018-09-07  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add . to perl path for all perl tests
	* tests/*.px: Add -I . to the shebang

	This allows perl test to be run from tests/ directory, e.g. via
	  ./Test--post-file.px

2018-09-07  Tomas Hozza  <thozza@redhat.com>

	Add TLS 1.3 support for GnuTLS
	* doc/wget.texi: Add "TLSv1_3" to --secure-protocol
	* src/gnutls.c (set_prio_default): Use GNUTLS_TLS1_3 where needed

	Wget currently allows specifying "TLSv1_3" as the parameter for
	--secure-protocol option. However it is only implemented for OpenSSL
	and in case wget is compiled with GnuTLS, it causes wget to abort with:
	GnuTLS: unimplemented 'secure-protocol' option value 6

	GnuTLS contains TLS 1.3 implementation since version 3.6.3 [1]. However
	currently it must be enabled explicitly in the application of it to be
	used. This will change after the draft is finalized. [2] However for
	the time being, I enabled it explicitly in case "TLSv1_3" is used with
	--secure-protocol.

	I also fixed man page to contain "TLSv1_3" in all listings of available
	parameters for --secure-protocol

	[1] https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html
	[2] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

2018-08-29  Tomas Korbar  <tkorbar@redhat.com>

	Avoid creating empty wget-log when using -O and -q in background
	* src/log.c (check_redirect_output): Check for quiet mode

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/warc.c (warc_write_cdx_record): Fix RESOURCE LEAK found by Coverity
	Error: RESOURCE_LEAK (CWE-772): - REAL ERROR
	wget-1.19.5/src/warc.c:1376: alloc_fn: Storage is returned from allocation function "url_escape".
	wget-1.19.5/src/url.c:284:3: alloc_fn: Storage is returned from allocation function "url_escape_1".
	wget-1.19.5/src/url.c:255:3: alloc_fn: Storage is returned from allocation function "xmalloc".
	wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
	wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
	wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
	wget-1.19.5/src/url.c:255:3: var_assign: Assigning: "newstr" = "xmalloc(newlen + 1)".
	wget-1.19.5/src/url.c:258:3: var_assign: Assigning: "p2" = "newstr".
	wget-1.19.5/src/url.c:275:3: return_alloc: Returning allocated memory "newstr".
	wget-1.19.5/src/url.c:284:3: return_alloc_fn: Directly returning storage allocated by "url_escape_1".
	wget-1.19.5/src/warc.c:1376: var_assign: Assigning: "redirect_location" = storage returned from "url_escape(redirect_location)".
	wget-1.19.5/src/warc.c:1381: noescape: Resource "redirect_location" is not freed or pointed-to in "fprintf".
	wget-1.19.5/src/warc.c:1387: leaked_storage: Returning without freeing "redirect_location" leaks the storage that it points to.
	\# 1385|     fflush (warc_current_cdx_file);
	\# 1386|
	\# 1387|->   return true;
	\# 1388|   }
	\# 1389|

	url_escape() really returns a newly allocated memory and it leaks when the warc_write_cdx_record() returns. The memory returned from url_escape() is usually stored in a temporary variable in other parts of the project and then freed. I took the same approach.

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/warc.c (warc_write_start_record): Fix potential RESOURCE LEAK
	In warc_write_start_record() function, the reutrn value of dup() is
	directly used in gzdopen() call and not stored anywhere. However the
	zlib documentation says that "The duplicated descriptor should be saved
	to avoid a leak, since gzdopen does not close fd if it fails." [1].
	This change stores the FD in a variable and closes it in case gzopen()
	fails.

	[1] https://www.zlib.net/manual.html

	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/warc.c:217: open_fn: Returning handle opened by "dup".
	wget-1.19.5/src/warc.c:217: leaked_handle: Failing to save or close handle opened by "dup(fileno(warc_current_file))" leaks it.
	\#  215|
	\#  216|         /* Start a new GZIP stream. */
	\#  217|->       warc_current_gzfile = gzdopen (dup (fileno (warc_current_file)), "wb9");
	\#  218|         warc_current_gzfile_uncompressed_size = 0;
	\#  219|

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/utils.c (open_stat): Fix RESOURCE LEAK found by Coverity
	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/utils.c:914: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
	wget-1.19.5/src/utils.c:914: var_assign: Assigning: "fd" = handle returned from "open(fname, flags, mode)".
	wget-1.19.5/src/utils.c:921: noescape: Resource "fd" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.]
	wget-1.19.5/src/utils.c:924: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
	\#  922|     {
	\#  923|       logprintf (LOG_NOTQUIET, _("Failed to stat file %s, error: %s\n"), fname, strerror(errno));
	\#  924|->     return -1;
	\#  925|     }
	\#  926|   #if !(defined(WINDOWS) || defined(__VMS))

	This seems to be a real issue, since the opened file descriptor in "fd"
	would leak. There is also additional check below the "fstat" call, which
	closes the opened "fd".

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/http.c (http_loop): Fix RESOURCE LEAK found by Coverity
	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/http.c:4486: alloc_fn: Storage is returned from allocation function "url_string".
	wget-1.19.5/src/url.c:2248:3: alloc_fn: Storage is returned from allocation function "xmalloc".
	wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
	wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
	wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
	wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "result" = "xmalloc(size)".
	wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "p" = "result".
	wget-1.19.5/src/url.c:2250:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
	wget-1.19.5/src/url.c:2253:7: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
	wget-1.19.5/src/url.c:2257:11: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
	wget-1.19.5/src/url.c:2264:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
	wget-1.19.5/src/url.c:2270:7: identity_transfer: Passing "p" as argument 1 to function "number_to_string", which returns an offset off that argument.
	wget-1.19.5/src/utils.c:1776:11: var_assign_parm: Assigning: "p" = "buffer".
	wget-1.19.5/src/utils.c:1847:3: return_var: Returning "p", which is a copy of a parameter.
	wget-1.19.5/src/url.c:2270:7: noescape: Resource "p" is not freed or pointed-to in function "number_to_string".
	wget-1.19.5/src/utils.c:1774:25: noescape: "number_to_string(char *, wgint)" does not free or save its parameter "buffer".
	wget-1.19.5/src/url.c:2270:7: var_assign: Assigning: "p" = "number_to_string(p, url->port)".
	wget-1.19.5/src/url.c:2273:3: noescape: Resource "p" is not freed or pointed-to in function "full_path_write".
	wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where".
	wget-1.19.5/src/url.c:2287:3: return_alloc: Returning allocated memory "result".
	wget-1.19.5/src/http.c:4486: var_assign: Assigning: "hurl" = storage returned from "url_string(u, URL_AUTH_HIDE_PASSWD)".
	wget-1.19.5/src/http.c:4487: noescape: Resource "hurl" is not freed or pointed-to in "logprintf".
	wget-1.19.5/src/http.c:4513: leaked_storage: Variable "hurl" going out of scope leaks the storage it points to.
	\# 4511|               {
	\# 4512|                 printwhat (count, opt.ntry);
	\# 4513|->               continue;
	\# 4514|               }
	\# 4515|             else

	There are two conditional branches, which call continue, without freeing memory potentially allocated and pointed to by"hurl" pointer. In fase "!opt.verbose" is True and some of the appropriate conditions in the following if/else if construction, in which "continue" is called, are also true, then the memory allocated to "hurl" will leak.

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/http.c (check_auth): Fix RESOURCE LEAK found by Coverity
	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/http.c:2434: alloc_fn: Storage is returned from allocation function "xmalloc".
	wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
	wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
	wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
	wget-1.19.5/src/http.c:2434: var_assign: Assigning: "auth_stat" = storage returned from "xmalloc(4UL)".
	wget-1.19.5/src/http.c:2446: noescape: Resource "auth_stat" is not freed or pointed-to in "create_authorization_line".
	wget-1.19.5/src/http.c:5203:70: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "auth_err".
	wget-1.19.5/src/http.c:2476: leaked_storage: Variable "auth_stat" going out of scope leaks the storage it points to.
	\# 2474|                 /* Creating the Authorization header went wrong */
	\# 2475|               }
	\# 2476|->         }
	\# 2477|         else
	\# 2478|           {

	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/http.c:2431: alloc_fn: Storage is returned from allocation function "url_full_path".
	wget-1.19.5/src/url.c:1105:19: alloc_fn: Storage is returned from allocation function "xmalloc".
	wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc".
	wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)".
	wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p".
	wget-1.19.5/src/url.c:1105:19: var_assign: Assigning: "full_path" = "xmalloc(length + 1)".
	wget-1.19.5/src/url.c:1107:3: noescape: Resource "full_path" is not freed or pointed-to in function "full_path_write".
	wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where".
	wget-1.19.5/src/url.c:1110:3: return_alloc: Returning allocated memory "full_path".
	wget-1.19.5/src/http.c:2431: var_assign: Assigning: "pth" = storage returned from "url_full_path(u)".
	wget-1.19.5/src/http.c:2446: noescape: Resource "pth" is not freed or pointed-to in "create_authorization_line".
	wget-1.19.5/src/http.c:5203:40: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "path".
	wget-1.19.5/src/http.c:2476: leaked_storage: Variable "pth" going out of scope leaks the storage it points to.
	\# 2474|                 /* Creating the Authorization header went wrong */
	\# 2475|               }
	\# 2476|->         }
	\# 2477|         else
	\# 2478|           {

	Both "pth" and "auth_stat" are allocated in "check_auth()" function. These are used for creating the HTTP Authorization Request header via "create_authorization_line()" function. In case the creation went OK (auth_err == RETROK), then the memory previously allocated to "pth" and "auth_stat" is freed. However if the creation failed, then the memory is never freed and it leaks.

2018-08-27  Tomas Hozza  <thozza@redhat.com>

	* src/ftp.c (getftp): Fix RESOURCE LEAK found by Coverity
	Error: RESOURCE_LEAK (CWE-772):
	wget-1.19.5/src/ftp.c:1493: alloc_fn: Storage is returned from allocation function "fopen".
	wget-1.19.5/src/ftp.c:1493: var_assign: Assigning: "fp" = storage returned from "fopen(con->target, "wb")".
	wget-1.19.5/src/ftp.c:1811: leaked_storage: Variable "fp" going out of scope leaks the storage it points to.
	\# 1809|     if (fp && !output_stream)
	\# 1810|       fclose (fp);
	\# 1811|->   return err;
	\# 1812|   }
	\# 1813|

	It can happen, that "if (!output_stream || con->cmd & DO_LIST)" on line #1398 can be true, even though "output_stream != NULL". In this case a new file is opened to "fp". Later it may happen in the FTPS branch, that some error will occure and code will jump to label "exit_error". In "exit_error", the "fp" is closed only if "output_stream == NULL". However this may not be true as described earlier and "fp" leaks.

	On line #1588, there is the following conditional free of "fp":

	  /* Close the local file.  */
	  if (!output_stream || con->cmd & DO_LIST)
	    fclose (fp);

	Therefore the conditional at the end of the function after "exit_error" label should be modified to:

	  if (fp && (!output_stream || con->cmd & DO_LIST))
	    fclose (fp);

	This will ensure that "fp" does not leak in any case it sould be opened.

2018-08-11  Tomas Hozza  <thozza@redhat.com>

	Don't limit the test suite HTTPS server to TLSv1
	In Fedora, we are implementing crypto policies, in order to enhance the
	security of user systems. This is done on the system level by global
	configuration. It may happen that due to the active policy, only
	TLSv1.2 or higher will be available in crypto libraries. While wget as
	a client will by default determine the minimal TLS version supported by
	both client and server, the HTTPS server implementation in testenv/
	hardcodes use of TLSv1. As a result all HTTPS related tests fail in
	case a more hardened crypto policy is set on the Fedora system.

	This change removes the explicit TLS version setting and leaves the
	determination of the minimal supported TLS version on the server and
	client.

	More information about Fedora change can be found here:
	https://fedoraproject.org/wiki/Changes/StrongCryptoSettings

2018-06-13  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/gnutls.c (ssl_check_certificate): Fix grammar of error msg
	Reported-by: Nicholas Sielicki

	* fuzz/Makefile.am: Remove libtool LTLIB... from LDADD

	* src/http.c (http_loop): Fix --retry-on-host-error

2018-06-13  ethus3h  <kolubat@gmail.com>  (tiny change)

	Add new option --retry-on-host-error
	* doc/wget.texi: Add docs for --retry-on-host-error
	* src/http.c (http_loop): Add code for HOSTERR
	* src/init.c: Add option --retry-on-host-error
	* src/main.c: Likewise
	* src/options.h: Add options.retry_on_host_error

2018-05-29  Tim Rühsen  <tim.ruehsen@gmx.de>

	Save original data to WARC file
	* src/retr.c (write_data): Cleanup,
	  (fd_read_body): Write to WARC before uncompressing

	Fixes: #53968

2018-05-10  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/get_ossfuzz_corpora: Speed up corpora download

2018-05-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/main.c (print_version): Silence UBSAN message

	* src/utils.ci (file_exists_p): Fix stat(NULL,...)

	* src/hsts.c (open_hsts_test_store): Fix unlink(NULL)

	* src/hash.c: Silence UBSAN for hash functions

	* fuzz/*_fuzzer.in: Update corpora from OSS-Fuzz

	* fuzz/get_ossfuzz_corpora: Fix path

2018-05-08  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/hsts.h: Fix header guard

	* src/version.h: Add header guard

	* src/host.c (wait_ares): Remove void assignment
	Reported-by: Josef Moellers

2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	Update NEWS file for new release

2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix cookie injection (CVE-2018-0494)
	* src/http.c (resp_new): Replace \r\n by space in continuation lines

	Fixes #53763
	 "Malicious website can write arbitrary cookie entries to cookie jar"

	HTTP header parsing left the \r\n from continuation line intact.
	The Set-Cookie code didn't check and could be tricked to write
	\r\n into the cookie jar, allowing a server to generate cookies at will.

2018-05-06  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/Test-https-weboftrust.px: Skip test, needs cert regen

	Fix make syntax-check
	* cfg.mk: Add fuzzer reproducers to exception list
	* po/POTFILES.in: Add src/spider.c

	Fix HTTPS tests
	* tests/Test-https-badcerts.px: Fix test return value
	* tests/Test-https-crl.px: Likewise
	* README: How to create certs with GnuTLS's certtool
	* tests/certs/revokedcrl.pem: Recreated revocation
	* tests/certs/server.crt: Recreated server cert with no expiry
	* tests/certs/test-ca-cert.pem: Recreated CA cert with no expiry

	* src/init.c: Bring new --ciphers into right order in options array

2018-05-05  Ander Juaristi  <a@juaristi.eus>

	* doc/wget.texi: Add description for --ciphers

2018-05-05  Ander Juarist  <a@juaristi.eus>

	OpenSSL: Better seeding of PRNG
	 * src/openssl.c (init_prng): keep gathering entropy even though we
	                              already have enough
	   (ssl_connect_with_timeout_callback): reseed PRNG again just before
	                                        the handshake

	Reported-by: Jeffrey Walton <noloader@gmail.com>

2018-05-05  Ander Juaristi  <a@juaristi.eus>

	Enhance SSL/TLS security
	This commit hardens SSL/TLS a bit more in the following ways:

	 * Explicitly exclude NULL authentication and the 'MEDIUM' cipher list
	   category. Ciphers in the 'HIGH' level are only considered - this
	   includes all symmetric ciphers with key lengths larger than 128 bits,
	   and some ('modern') 128-bit ciphers, such as AES in GCM mode.
	 * Allow RSA key exchange by default, but exclude it when
	   Perfect Forward Secrecy is desired (with --secure-protocol=PFS).
	 * Introduce new option --ciphers to set the cipher list that the SSL/TLS
	   engine will favor. This string is fed directly to the underlying TLS
	   library (GnuTLS or OpenSSL) without further processing, and hence its
	   format and syntax are directly dependent on the specific library.

	Reported-by: Jeffrey Walton <noloader@gmail.com>

2018-04-28  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/netrc.c (parse_netrc_fp): Fix two memleaks

	Add new fuzzer for the .netrc parser
	* fuzz/wget_netrc_fuzzer.c: New fuzzer
	* fuzz/wget_netrc_fuzzer.dict: Fuzzer dictionary
	* fuzz/wget_netrc_fuzzer.in: Initial corpora
	* src/ftp.c (getftp): Amend call to search_netrc()
	* src/http.c (initialize_request): Likewise
	* src/netrc.c: Cleanup, prepare code for fuzzing
	* src/netrc.h: Cleanup

2018-04-27  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/utils.c (match_tail): Fix unsigned integer overflow

	Add new fuzzer for the Set-Cookie parser
	* fuzz/Makefile.am: Add wget_cookie_fuzzer
	* fuzz/wget_cookie_fuzzer.c: New fuzzer
	* fuzz/wget_cookie_fuzzer.dict: Fuzzers dictionary
	* fuzz/wget_cookie_fuzzer.in: Initial corpora

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix buffer overflow in CSS parser
	* src/css-url.c (get_uri_string): Check input length
	* fuzz/wget_css_fuzzer.repro/buffer-overflow-6600180399865856:
	  Add reproducer corpus

	Fixes OSS-Fuzz issue #8033.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix buffer overflow in CSS parser
	* src/css-url.c (get_urls_css): Check input string length
	* fuzz/wget_css_fuzzer.repro/negative-size-param-5724866467594240:
	  Add reproducer corpus

	Fixes OSS-Fuzz issue #8032.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Exclude fuzz corpora from tarball
	* fuzz/Makefile.am: Do not include corpora in tarball
	* fuzz/main.c: SKIP if corpora directory isn't found (make check)

	The fuzz corpora are thousands of files, not needed for a standard build
	from a distribution tarball. The reproducers of former issues are being
	included for regression testing.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	* tests/Makefile.am: Add -I/src to AM_CPPFLAGS

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add CSS slowness reproducer (fixed)
	* fuzz/wget_css_fuzzer.repro/slowness-6275836549267456: New file

	This file created an extreme CPU usage with the old CSS parser.

2018-04-26  Tim Rühsen  <tim.ruehsen@gmx.de>

	Update CSS grammar from 1.x to 2.2
	* src/css-tokens.h: Add enums and fixate values
	* src/css.l: Include config.h,
	  ignore several compiler warnings,
	  update the grammar to CSS 2.2

	Fixes OSS-Fuzz issue #8010 (slowness issue).
	This is a long standing bug affecting all versions <= 1.19.4.

	Some crafted CSS input was extremely slow / CPU wasting, so it could
	be used as a DOS attack against website scanning.

	The code/grammar changes were backported from Wget2.x.

2018-04-25  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/res.c (add_path): Fix memleak (parsing robots.txt)
	Fixes OSS-Fuzz issue #8005.
	This is a long standing bug affecting all versions <= 1.19.4.

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix integer overflow
	Fixes OSS-Fuzz issue #7999.
	This is a long standing bug affecting all versions <= 1.19.4.

2018-04-24  Tim Rühsen  <tim.ruehsen@gmx.de>

	Add new fuzzer for the URL parser
	* fuzz/Makefile.am: Add wget_url_fuzzer
	* fuzz/wget_url_fuzzer.c: New fuzzer
	* fuzz/wget_url_fuzzer.in: Initial corpora

	Add new fuzzer for robots.txt parsing
	* fuzz/Makefile.am: Add wget_robots_fuzzer
	* fuzz/wget_robots_fuzzer.c: New fuzzer
	* fuzz/wget_robots_fuzzer.in: Initial corpora

	* fuzz/README.md: Add CFLAGS for undefined sanitizer

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix integer overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix integer overflow by left shift

	* src/ftp-ls.c (ftp_parse_unix_ls): Fix integer overflow in date parsing

2018-04-22  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix heap-buffer-overflow
	Fixes OSS-Fuzz issue #7931.
	This is a long standing bug affecting all versions <= 1.19.4.

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix heap-buffer-overflow
	Fixes OSS-Fuzz issue #7930.
	This is a long standing bug affecting all versions <= 1.19.4.

	* fuzz/wget_ftpls_fuzzer.in: Update corpora

2018-04-21  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/ftp-ls.c (eat_carets): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_winnt_ls): Fix memleak

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix heap-buffer-overflow

	* src/ftp-ls.c (ftp_parse_vms_ls): Fix memleak

	Add new fuzzer for the FTP listing parsers
	* fuzz/Makefile.am: Add wget_ftpls_fuzzer
	* fuzz/wget_ftpls_fuzzer.c: New fuzzer
	* fuzz/wget_ftpls_fuzzer.dict: Fuzzer dictionary
	* fuzz/wget_ftpls_fuzzer.in/starter: Starting corpus
	* src/ftp-ls.c: Parsing function take FILE * as argument,
	  new function ftp_parse_ls_fp()
	* src/ftp.c: Remove static from freefileinfo()
	* src/ftp.h: Add ftp_parse_ls_fp() and freefileinfo()

	* fuzz/run-clang.sh: Remove -detect_leaks=0 from fuzzer command line

	* src/main.c (main): Fix memleak for fuzzing/testing

	* src/init.c: Fix fuzzing in case ~/.wgetrc doesn't exist

2018-04-20  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix fuzzer build for C++
	* fuzz/wget_css_fuzzer.c: Include wget.h outside 'extern "C"',
	  undef fopen_wgetrc directly after wget.h
	* fuzz/wget_html_fuzzer.c: Likewise

	* fuzz/Makefile.am: Add -I/lib to oss-fuzz builds

	Add new HTML parser fuzzer
	* fuzz/Makefile.am: Add wget_html_fuzzer
	* fuzz/wget_html_fuzzer.c: New fuzzer
	* fuzz/wget_html_fuzzer.dict: HTML dictionary for fuzzing
	* fuzz/wget_html_fuzzer.in: Initial corpora
	* src/html-url.c: Add new function get_urls_html_fm()
	* src/html-url.h: Add ne function get_urls_html_fm()
	* src/wget.h: Fix define for fopen_wgetrc()

	* fuzz/wget_css_fuzzer.c: Fix build

	* fuzz/wget_css_fuzzer.in/*: Update fuzzer corpora

	* src/css-url.c (get_uri_string): Fix buffer overflow (read)

	* src/iri.h: Fix C++ compile error

2018-04-19  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/http.c: Download and scan CSS files in spider mode

	* src/css-url.c (get_urls_css): Call yylex_destroy() to reset CSS scanner

	Add new fuzzer wget_css_fuzzer.c
	* fuzz/Makefile.am: Add wget_css_fuzzer.c
	* fuzz/wget_css_fuzzer.c: New fuzzer

2018-04-18  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/html-url.h: Include needed header files

	* wget_options_fuzzer.in/*: Update fuzzer corpora

	* fuzz/README.md: Add CXXFLAGS and more configure options

	Fix oss-fuzz issue with exit()
	* src/wget.h: Define exit() as exit_wget()
	* fuzz/wget_options_fuzzer.c: Implement exit_wget() and cleanup

2018-04-17  Tim Rühsen  <tim.ruehsen@gmx.de>

	* fuzz/wget_options_fuzzer.c: Declare fopen_* as C functions

	Fix fopen/stdin issues with fuzzing
	* fuzz/wget_options_fuzzer.c: Add fopen_wget() and fopen_wgetrc()
	* src/utils.c: Use fopen_wgetrc() for config files,
	  don't read from stdin when fuzzing
	* src/wget.h: Define fopen as fopen_wget when fuzzing,
	  define fopen_wgetrc as fopen when not fuzzing

	* configure.ac: AC_DEFINE FUZZING if --enable-fuzzing was given

	* fuzz/wget_options_fuzzer.c: Write fuzzer crash reports

	* src/log.c: Don't check_redirect_output() when fuzzing

	* src/main.c (promt_for_password): Avoid getpass() when fuzzing

	Fix double fclose() with -d while fuzzing
	* src/ftp.c (ftp_loop_internal): Set warc_tmp to NULL after ffclose()
	* src/init.c (cleanup): Set output_stream to NULL after fclose()
	* src/log.c (log_close): Set global stream vars to NULL after closing
	* src/recur.c (retrieve_tree): Set rejectedlog to NULL after closing
	* src/warc.c (warc_close): Set stream vars to NULL after closing

	* src/main.c (main): Don't background if TESTING

	* src/init.c (initialize): Return error, don't exit()

2018-04-16  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/init.c (cmd_use_askpass): Return false on error

	* src/utils.c (compile_posix_regex): Hard-code string to regcomp
	regcomp() may be too cpu + memory intensive for fuzzing.
	See https://sourceware.org/glibc/wiki/Security%20Exceptions

	Fix 2 more memleaks
	* src/init.c (initialize): Use global var for wgetrc filename
	* src/iri.c (find_locale): Return strdup'ed locale string
	* src/options.h (struct options): Add wgetrcfile

	* src/init.c (cleanup): Set output_stream to NULL after closing

	Fix homedir memory leaks
	* src/hsts.c: Use opt.homedir
	* src/init.c: Likewise
	* src/main.c: Likewise
	* src/netrc.c: Likewise
	* src/options.h (struct options): Add homedir

	* src/main.c (main): Free opt.encoding_remote properly

	* src/host.c (wait_ares): Free ptimer

	* src/init.c (cleanup): Free regex objects properly

	* src/init.c (cleanup): Never call cleanup() twice

	* src/init.c (cmd_bytes_sum): Fix integer over- and underflow

	* src/main.c (save_hsts): Free hsts_store after closing

	Use strtol() instead of selfmade function
	* src/init.c (cmd_number): Use strtol() instead of selfmade function
	* bootstrap.conf: Add strtol gnulib module

	* src/hsts.c (hsts_hash_func): Allow integer overflow

	* init.c (cmd_spec_mirror): Fix uninitialzed stack variable

	* src/init.c (cleanup): Free more variables

	* wget_options_fuzzer.in: Add corpora directory

	* fuzz/wget_options_fuzzer.c: Suppress error messages from wget

	* src/utils.c (fopen_stat): Early return to allow fuzzing/fmemopen

	* src/init.c (initialize): Free mem before exit()

	Add OSS-Fuzz infrastruture
	* Makefile.am: Add fuzz/ to SUBDIRS
	* cfg.mk: Fix 'make syntax-check'
	* configure.ac: Add --enable-fuzzing
	* fuzz/Makefile.am: New file
	* fuzz/README.md: New file
	* fuzz/fuzzer.h: New file
	* fuzz/get_all_corpora: New file
	* fuzz/get_ossfuzz_corpora: New file
	* fuzz/glob_crash.c: New file
	* fuzz/main.c: New file
	* fuzz/run-afl.sh: New file
	* fuzz/run-clang.sh: New file
	* fuzz/view-coverage.sh: New file
	* fuzz/wget_options_fuzzer.c: New file
	* fuzz/wget_options_fuzzer.dict: New file
	* src/init.c (cleanup): Free more resources
	* src/main.c (init_switches): Initialize only once,
	  (print_usage): Don't print if TESTING is defined
	* src/utils.h: Include wget.h

2018-04-05  Tim Rühsen  <tim.ruehsen@gmx.de>

	Move unit-test code to tests/
	* src/Makefile.am: Remove test.c and test.h
	* src/test.c: Rename to tests/unit-tests.c
	* src/test.h: Rename to tests/unit-tests.h
	* tests/Makefile.am: Add unit-tests.c and unit-tests.h
	* src/hsts.c: Amend #include
	* src/http.c: Likewise
	* src/init.c: Likewise
	* src/metalink.c: Likewise
	* src/res.c: Likewise
	* src/url.c: Likewise
	* src/utils.c: Likewise

	* src/main.c: Rename main() -> main_wget() for unit tests

2018-03-14  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix some issues found by 'infer'

2018-03-08  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/openssl.c: Fix build for OpenSSL 1.1.0 without TLS1_3_VERSION

	Add docs for --secure-protocol=TLSv1_3
	* doc/wget.texi: Likewise

2018-03-08  Loganaden Velvindron  <logan@hackers.mu>  (tiny change)

	Add TLS1.3 support for OpenSSL build
	* src/init.c: Add 'tlsv1_3 for --secure-protocol
	* src/openssl.c (ssl_init): Enable TLS1.3 if possible
	* src/options.h: Add secure_protocol_tlsv1_3
	* doc/wget.texi: Add description of TLSv1_3

2018-03-07  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/main.c: Add help text for --retry-on-http-error
	Reported-by: Giovanni Tirloni

2018-03-01  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/url.c (convert_fname): Fix invalid free on iconv_open() failure
	Reported-by: Volkmar Klatt

2018-02-21  Tim Rühsen  <tim.ruehsen@gmx.de>

	* src/mswindows.c: Fix prototype of fork_to_background()
	Reported-by: Gisle Vanem

2018-02-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix warning to not print binary IP address
	* tests/Test-https-badcerts.px: Likewise
	* tests/Test-https-clientcert.px: Likewise
	* tests/Test-https-crl.px: Likewise
	* tests/Test-https-pfs.px: Likewise
	* tests/Test-https-selfsigned.px: Likewise
	* tests/Test-https-tlsv1.px: Likewise
	* tests/Test-https-tlsv1x.px: Likewise
	* tests/Test-https-weboftrust.px: Likewise

	Use gnulib's utime()
	* bootstrap.conf: Add modules utime and utime-h
	* src/utils.c (touch): Remove own code for gnulib's utime()

2018-02-09  Tim Rühsen  <tim.ruehsen@gmx.de>

	Fix logging in background mode
	* ../src/main.c: Re-init logfile if changed for background mode
	* ../src/utils.c: fork_to_background() returns whether logfile changed
	* ../src/utils.h: Set return type bool for fork_to_background()
