@patrikjuvonen
Contributor

Summary

  • Contains various bug and security fixes and some other minor changes, most shouldn't have an effect on us, but nice to have anyhow
  • Gets rid of our custom config-linux.h code from curl_setup.h now that we use curl_config.h for our custom configs (cheers @qaisjp!)
  • Latest changelog: https://curl.haxx.se/changes.html#7_65_0
  • 7.65.0: maintainer's blog post

Tests

Validation

To help validate the integrity of the update I have created the following bash script that diffs between my PR branch and the official package provided from the curl website.

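#!/bin/bash
# Stop on download/clone errors, unset variables, and failures inside pipelines.
set -euo pipefail

CURL_UPDATE_VERSION=7.65.0
CURL_PATH_NAME=curl-$CURL_UPDATE_VERSION

GIT_REPO_BRANCH=vendor/curl-$CURL_UPDATE_VERSION
GIT_REPO_URL=git@github.com:patrikjuvonen/mtasa-blue.git
GIT_DEST_DIR=mtasa-blue
GIT_REPO_CURL_PATH=$GIT_DEST_DIR/vendor/curl/

echo "1. Download and extract $CURL_PATH_NAME..."
# -f makes curl fail on HTTP errors instead of piping an error page into tar.
curl -fL "https://curl.haxx.se/download/$CURL_PATH_NAME.tar.xz" | tar -xJf -

echo "2. Clone the vendor update branch $GIT_REPO_BRANCH from $GIT_REPO_URL into $GIT_DEST_DIR..."
git clone --depth 1 -b "$GIT_REPO_BRANCH" "$GIT_REPO_URL" "$GIT_DEST_DIR"

echo "3. Start checking integrity..."
# diff exits non-zero when the trees differ; report that instead of aborting.
diff -r "$GIT_REPO_CURL_PATH" "$CURL_PATH_NAME" || echo "Differences found, see output above."

echo "4. Completed."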

Past curl updates in MTA

Date From To Link
April 2019 7.64.0 7.64.1 (current) #898
February 2019 7.63.0 7.64.0 #819
January 2019 7.61.1 7.63.0 #744
September 2018 7.61.0 7.61.1 #428
August 2018 7.59.0 7.61.0 #271
March 2018 7.54.0 7.59.0 b99e343
June 2017 7.32.0 7.54.0 c15d999
August 2013 7.19.4 7.32.0 aaf3e21

Copy of curl changelog

Fixed in 7.65.0 - May 22 2019

Changes:

CURLOPT_DNS_USE_GLOBAL_CACHE: removed
CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
pipelining: removed

Bugfixes:

CVE-2019-5435: Integer overflows in curl_url_set
CVE-2019-5436: tftp: use the current blksize for recvfrom()
--config: clarify that initial : and = might need quoting
AppVeyor: enable testing for WinSSL build
CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk
CURLOPT_ADDRESS_SCOPE: fix range check and more
CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later
CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
INTERNALS: Add code highlighting
OS400/ccsidcurl: replace use of Curl_vsetopt
OpenSSL: Report -fips in version if OpenSSL is built with FIPS
README.md: fix no-consecutive-blank-lines Codacy warning
VC15 project: remove MinimalRebuild
VS projects: use Unicode for VC10+
WRITEFUNCTION: add missing set_in_callback around callback
altsvc: Fix building with cookies disabled
auth: Rename the various authentication clean up functions
base64: build conditionally if there are users
build-openssl.bat: lots of improvements and polish
build: fix "clarify calculation precedence" warnings
checksrc.bat: ignore snprintf warnings in docs/examples
cirrus: Customize the disabled tests per FreeBSD version
cleanup: remove FIXME and TODO comments
cmake: avoid linking executable for some tests with cmake 3.6+
cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
cmake: set SSL_BACKENDS
configure: avoid unportable `==' test(1) operator
configure: error out if OpenSSL wasn't detected when asked for
configure: fix default location for fish completions
cookie: Guard against possible NULL ptr deref
curl: make code work with protocol-disabled libcurl
curl: report error for "--no-" on non-boolean options
curl_easy_getinfo.3: fix minor formatting mistake
curlver.h: use parenthesis in CURL_VERSION_BITS macro
docs/BUG-BOUNTY: bug bounty time
docs/INSTALL: fix broken link
docs/RELEASE-PROCEDURE: link to live iCalendar
documentation: Fix several typos
doh: acknowledge CURL_DISABLE_DOH
doh: disable DOH for the cases it doesn't work
examples: remove unused variables
ftplistparser: fix LGTM alert "Empty block without comment"
hostip: acknowledge CURL_DISABLE_SHUFFLE_DNS
http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
http: acknowledge CURL_DISABLE_HTTP_AUTH
http: mark bundle as not for multiuse on < HTTP/2 response
http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
http_negotiate: do not treat failure of gss_init_sec_context() as fatal
http_ntlm: Corrected the name of the include guard
http_ntlm_wb: Handle auth for only a single request
http_ntlm_wb: Return the correct error on receiving an empty auth message
lib509: add missing include for strdup
lib557: initialize variables
makedebug: Fix ERRORLEVEL detection after running where.exe
mbedtls: enable use of EC keys
mime: acknowledge CURL_DISABLE_MIME
multi: improved HTTP_1_1_REQUIRED handling
netrc: acknowledge CURL_DISABLE_NETRC
nss: allow fifos and character devices for certificates
nss: provide more specific error messages on failed init
ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup
ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
openssl: mark connection for close on TLS close_notify
openvms: Remove pre-processor for SecureTransport
openvms: Remove pre-processors for Windows
parse_proxy: use the URL parser API
parsedate: disabled on CURL_DISABLE_PARSEDATE
pingpong: disable more when no pingpong protocols are enabled
polarssl_threadlock: remove conditionally unused code
progress: acknowledge CURL_DISABLE_PROGRESS_METER
proxy: acknowledge DISABLE_PROXY more
resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
revert "multi: support verbose conncache closure handle"
sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
sasl: only enable if there's a protocol enabled using it
scripts: fix typos
singleipconnect: show port in the verbose "Trying ..." message
smtp: fix compiler warning
socks5: user name and passwords must be shorter than 256
socks: fix error message
socksd: new SOCKS 4+5 server for tests
spnego_gssapi: fix return code on gss_init_sec_context() failure
ssh-libssh: remove unused variable
ssh: define USE_SSH if SSH is enabled (any backend)
ssh: move variable declaration to where it's used
test1002: correct the name
test2100: Fix typos in test description
tests/server/util: fix Windows Unicode build
tests: Run global cleanup at end of tests
tests: make Impacket (SMB server) Python 3 compatible
tool_cb_wrt: fix bad-function-cast warning
tool_formparse: remove redundant assignment
tool_help: Warn if curl and libcurl versions do not match
tool_help: include for strcasecmp
transfer: fix LGTM alert "Comparison is always true"
travis: add an osx http-only build
travis: allow builds on branches named "ci"
travis: install dependencies only when needed
travis: update some builds do Xenial
travis: updated mesalink builds
url: always clone the CUROPT_CURLU handle
url: convert the zone id from a IPv6 URL to correct scope id
urlapi: add CURLUPART_ZONEID to set and get
urlapi: increase supported scheme length to 40 bytes
urlapi: require a non-zero host name length when parsing URL
urlapi: stricter CURLUPART_PORT parsing
urlapi: strip off zone id from numerical IPv6 addresses
urlapi: urlencode characters above 0x7f correctly
vauth/cleartext: update the PLAIN login to match RFC 4616
vauth/oauth2: Fix OAUTHBEARER token generation
vauth: Fix incorrect function description for Curl_auth_user_contains_domain
vtls: fix potential ssl_buffer stack overflow
wildcard: disable from build when FTP isn't present
winbuild: Support MultiSSL builds
xattr: skip unittest on unsupported platforms
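
The validation script in the description compares the two trees with `diff -r`, which prints every difference, including headers that were regenerated locally. As an added example (not part of the pull request or the MTA repository), the POSIX shell functions below hash both trees and classify drift as ADDED, MODIFIED or MISSING while skipping an allowlist of files expected to differ; the function names and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: hash-based drift check between a vendored tree and a pristine
# upstream tree. Function names and allowlisted paths are assumptions.

# Print "<sha256>  ./<path>" for every regular file under $1, sorted by path.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# vendor_drift VENDORED UPSTREAM [EXPECTED_LOCAL_PATH...]
# Prints ADDED/MODIFIED/MISSING findings (relative paths), skipping files that
# are expected to differ locally. Returns 0 if clean, 1 on drift, 2 on bad input.
vendor_drift() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "both arguments must be directories" >&2; return 2; }
    vendored=$1; upstream=$2; shift 2
    findings=$(
        {
            # Tag each input line: A = allowlisted, V = vendored, U = upstream.
            for p in "$@"; do printf 'A - ./%s\n' "$p"; done
            tree_manifest "$vendored" | sed 's/^/V /'
            tree_manifest "$upstream" | sed 's/^/U /'
        } | awk '
            { path = $0; sub(/^[AVU] [^ ]+ +/, "", path) }
            $1 == "A" { ok[path] = 1 }
            $1 == "V" { v[path] = $2 }
            $1 == "U" { u[path] = $2 }
            END {
                for (p in v) {
                    if (p in ok) continue
                    if (!(p in u)) print "ADDED " substr(p, 3)
                    else if (u[p] != v[p]) print "MODIFIED " substr(p, 3)
                }
                for (p in u)
                    if (!(p in ok) && !(p in v)) print "MISSING " substr(p, 3)
            }' | LC_ALL=C sort
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage (constructed paths): sh vendor_drift.sh mtasa-blue/vendor/curl curl-7.65.0 lib/config-linux.h
if [ "$#" -ge 2 ]; then vendor_drift "$@"; fi
```

A non-zero exit status makes the check usable as a CI gate, and any MODIFIED file that is not on the allowlist is a change to upstream code that needs its own review.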

* Gets rid of our custom config-linux.h addition from curl_setup.h, we now have a clean version of curl package! 🙌
* Ran ./configure for fresh config-linux.h and config-macos.h
@patrikjuvonen patrikjuvonen added the enhancement New feature or request label May 26, 2019
@patrikjuvonen patrikjuvonen added this to the 1.5.7 milestone May 26, 2019
@patrikjuvonen patrikjuvonen requested a review from qaisjp May 26, 2019 09:50
@patrikjuvonen patrikjuvonen self-assigned this May 26, 2019
@patrikjuvonen patrikjuvonen changed the title Update curl from 7.64.1 to 7.65.0 WIP: Update curl from 7.64.1 to 7.65.0 May 26, 2019
@patrikjuvonen patrikjuvonen changed the title WIP: Update curl from 7.64.1 to 7.65.0 Update curl from 7.64.1 to 7.65.0 May 26, 2019
Contributor

@qaisjp qaisjp left a comment

LGTM :shipit:

@patrikjuvonen patrikjuvonen merged commit ac0715c into multitheftauto:master May 26, 2019
@patrikjuvonen patrikjuvonen deleted the vendor/curl-7.65.0 branch May 26, 2019 19:36
ccw808 added a commit that referenced this pull request Jun 3, 2019