Commit graph

39067 commits

Author SHA1 Message Date
Viktor Szakats
2735ef3bae
libssh2: fix to return error code on missing parameter
Reported by GitHub Code Quality

Follow-up to 0095f98464 #15250

Closes #22125
2026-06-22 12:08:35 +02:00
Daniel Stenberg
c35e2cb29f
setopt: cleanup the length check for COPYPOSTFIELDS handling
Make it more straight-forward

Closes #22127
2026-06-22 11:49:49 +02:00
Stefan Eissing
c5d0e93879
HTTP3.md: update quiche build
Fixes #22105
Reported-by: av223119 on github
Closes #22109
2026-06-22 10:15:27 +02:00
Stefan Eissing
d638eac189
libssh2: code and infof/trace cleanups
Give the libssh2 infof() messages a common format, add/clarify some to
make the connect/authentication flow more clear.

Closes #22101
2026-06-22 10:12:25 +02:00
Daniel Stenberg
ab779d4e4a
doh: stricter HTTPS RNAME parsing
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.

Verified in test 1658

Reported-by: netspacer.research
Closes #22124
2026-06-22 09:53:14 +02:00
Daniel Stenberg
e8e3af2abb
doh: cap the maximum TTL to 24 hours
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.

Verify in test 1650

Reported-by: netspacer.research
Closes #22122
2026-06-22 09:12:55 +02:00
Stefan Eissing
8ed285f06d
websockets: buffer ugprade data at connection level
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.

Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.

Fixes #22107
Reported-by: sideshowbarker on github
Closes #22111
2026-06-22 08:54:50 +02:00
Michael Kaufmann
810d9535e1
proxy: fix automatic tunnel mode with "connect to host"
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.

Follow-up to 73daec6

Closes #22110
2026-06-22 08:53:31 +02:00
Daniel Stenberg
cb7efe1c35
cd2nroff: handle TLS together with other protocols
To render CURLOPT_KEYPASSWD properly

Closes #22123
2026-06-22 08:09:08 +02:00
Daniel Stenberg
0d6e5944bc
setopt: make CURLOPT_KEYPASSWD work for SSH-only builds
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds

Mention this in the man page as well.

Follow-up to 52fa8d9
Pointed out by Codex Security
Closes #22121
2026-06-22 00:28:28 +02:00
Viktor Szakats
372401f969
INSTALL-CMAKE.md: document CMake environment variables
Closes #22114
2026-06-20 10:04:16 +02:00
Daniel Stenberg
52fa8d994d
setopt: refactor setopt_cptr into smaller helper functions
This takes down the longest function to sub 500 lines

Closes #22095
2026-06-19 23:43:24 +02:00
Viktor Szakats
acdeb7f50b
KNOWN_BUGS.md: drop outdated CMake issues
- "cmake outputs: no version information available"
  Ref: #11158

  Seems to be about missing support for autotools `--enable-versioned-symbols`.
  This was implemented for CMake in:
  14d4712db7 #17039
  7100c5bc9b #14818
  7b14449790 #14378

- "generated `.pc` file contains strange entries"
  Ref: #6167

  Fixed in:
  9f56bb608e #14681

- "CMake build with MIT Kerberos does not work"
  Ref: #6904

  The FindGSS module responsible for MIT Kerberos detection has seen 50
  updates since this report. In the last years I made many local tests
  with it, and it's also extensively CI-tested since (including Windows
  for a 1-year period), with no known issues.

If you see problems remaining, let us know in a new issue.

Closes #22108
2026-06-19 18:25:54 +02:00
renovate[bot]
94962a9b82
GHA: update dependency cloudflare/quiche to v0.29.2
Closes #22106
2026-06-19 15:26:18 +02:00
Viktor Szakats
93e2341e87
vquic: fix -Wunused-parameter with proxies disabled
Fixing:
```
lib/vquic/vquic.c:864:56: error: unused parameter 'conn' [-Werror,-Wunused-parameter]
  864 |                              const struct connectdata *conn,
      |                                                        ^
```

Closes #22104
2026-06-19 14:46:54 +02:00
Viktor Szakats
04305a3e40
runtests: drop orphaned, no-op -k option
And the corresponding internal variable.

This option became the always-enabled default earlier, via #4035.

Reported-by: Zartaj Majeed
Ref: #22098
Follow-up to 6617db6a7e #4035

Closes #22100
2026-06-19 14:46:49 +02:00
Viktor Szakats
2a993e2a4a
GHA: re-sync Linux CMake triplet with autotools builds
Follow-up to 8f5e4f020e #22097
2026-06-19 01:09:53 +02:00
Viktor Szakats
8f5e4f020e
GHA: fix Linux triplet passed to CMAKE_C_COMPILER_TARGET
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.

Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu   CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae   && :
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66

Follow-up to 36bd807475 #15242
Follow-up to 232302f88a #14382
Cherry-picked from #22092

Closes #22097
2026-06-19 00:53:04 +02:00
Viktor Szakats
139ce4d37c
GHA: separate pytype from other checkers and pips
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.

Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.

Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092

Closes #22096
2026-06-19 00:14:18 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00
Viktor Szakats
e44f1a1446
smb: constify strchr() result variable
Fixing (as seen with gcc-15 on Ubuntu 26.04):
```
lib/smb.c: In function 'smb_connect':
lib/smb.c:491:9: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  491 |   slash = strchr(user, '/');
      |         ^
lib/smb.c:493:11: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  493 |     slash = strchr(user, '\\');
      |           ^
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462418?pr=22092

Follow-up to 4e5908306a #20428
Follow-up to 7dc60bdb90 #20425
Follow-up to 0e2507a3c6 #20421

Cherry-picked from #22092

Closes #22094
2026-06-18 21:12:17 +02:00
Viktor Szakats
950a30d762
GHA/http3-linux: bump to ubuntu-26.04
Before: https://github.com/curl/curl/actions/runs/27772068909
After: https://github.com/curl/curl/actions/runs/27772321661?pr=22089

Closes #22089
2026-06-18 19:27:15 +02:00
Viktor Szakats
c972583f6c
MANUAL.md: update apt-key example
To use `tee` instead, due to `apt-key` being deprecated, and missing
from recent distros.

Also lowercase `stdin` to match rest of the file.

Ref: https://documentation.ubuntu.com/release-notes/26.04/summary-for-lts-users/#package-management-apt-3

Follow-up to b13e9066b3 #16127
Follow-up to 54130a6cad #10170

Closes #22090
2026-06-18 19:26:19 +02:00
Viktor Szakats
adb4edd177
GHA: bump analyzer/sanitizer jobs to clang-22, and ubuntu-26.04
On Linux, and Windows cross-builds.

clang-tidy jobs look significantly faster. Other jobs remain around the
same (this feels nice after seeing the significant slowdowns in
Windows-2025, FreeBSD 15.)

Before: https://github.com/curl/curl/actions/runs/27770630688
After: https://github.com/curl/curl/actions/runs/27770913426?pr=22086

gcc-analyzer also got faster:
Before: https://github.com/curl/curl/actions/runs/27758865007/job/82127670883
After: https://github.com/curl/curl/actions/runs/27768696084/job/82162385765

Also:
- work around actionlint 1.7.12 not yet being aware of ubuntu-26.04:
  ```
  windows.yml:770:14: label "ubuntu-26.04" is unknown. available labels are [...]
  ```
  Ref: https://github.com/curl/curl/actions/runs/27769065782/job/82163700294#step:6:13
  Ref: https://github.com/rhysd/actionlint/issues/682
  Ref: https://github.com/rhysd/actionlint/pull/683

Follow-up to 5a2af800de #22084

Closes #22086
2026-06-18 17:54:10 +02:00
Daniel Stenberg
595d052923
curl_multi_assign.md: clarify lifetime
Closes #22088
2026-06-18 17:47:33 +02:00
Viktor Szakats
39628c5084
openssl: do not mix OpenSSL int result with CURLcode variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
 3538 |     result = SSL_ech_set1_server_names(octx->ssl,
      |            ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3539 |                                        peer->origin->hostname, outername,
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3540 |                                        0 /* do send outer */);
      |                                        ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43

Cherry-picked from #22086

Closes #22087
2026-06-18 17:30:56 +02:00
Daniel Stenberg
b71d3d9aea
CURLMOPT_SOCKETFUNCTION.md: this sends *all* file descriptors
Since libcurl has more than just the main tranfer sockets to worry
about.

Closes #22081
2026-06-18 17:06:45 +02:00
Viktor Szakats
5a2af800de
GHA/linux: bump analyzer job to gcc-16, and ubuntu-26.04
To fix false positive gcc analyzer warning
`-Wanalyzer-deref-before-check`, seen with gcc-15 and lower.

Also bump its pair job.

Tests with #22082 applied:
gcc-13: https://github.com/curl/curl/actions/runs/27761999978/job/82138558662 (warning)
gcc-15: https://github.com/curl/curl/actions/runs/27767571050/job/82158465527 (warning)
gcc-16: https://github.com/curl/curl/actions/runs/27767332723/job/82157636394 (OK)

Ref: #22082
Fixes #22083

Closes #22084
2026-06-18 17:01:02 +02:00
alhudz
2f8fb98c5f
pingpong: reject nul byte in server response line
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.

Closes #21996
2026-06-18 14:17:27 +02:00
Daniel Stenberg
a7e35c9194
docs/VERIFY: expand with more things we do
Closes #22080
2026-06-18 12:55:22 +02:00
Viktor Szakats
2d70c815e4
GHA/linux: use default GCC compiler, drop CC/CXX envs
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.

Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.

Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)

Follow-up to 6079ff314b #22075
Follow-up to a8174176b5 #13841

Closes #22077
2026-06-18 10:56:12 +02:00
Viktor Szakats
6079ff314b
GHA/http3-linux: simplify setting CC/CXX envs
Replace `GITHUB_ENV` method by defining these envs at workflow-level.

Follow-up to a8174176b5 #13841

Closes #22075
2026-06-18 10:42:17 +02:00
Viktor Szakats
af94731a43
GHA/linux: drop arm runner home attribute workaround (fixed upstream)
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.

now:
```
$ ls -l /home  # on arm
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner

$ ls -l /home  # on intel
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner
```

Follow-up to 2b0d8dcc16 #20231

Closes #22076
2026-06-18 10:42:17 +02:00
Stefan Eissing
f0be417635
multi: xfers_really_alive
Yes, we were counting the "live" transfers before, but were they
*really* alive?

When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.

For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.

The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.

Add two fields in multi and easy handle:

* `multi->xfers_really_alive`: counts the "alive" transfers that have
  passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted

Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.

Fixes #22050
Reported-by: Bryan Henderson
Closes #22066
2026-06-18 10:31:40 +02:00
Daniel Stenberg
abad1c9e48
RELEASE-PROCEDURE.md: update coming relese dates
Adjusted for the summer of bliss 2026
2026-06-18 08:31:39 +02:00
alhudz
4a86af9940
cookie: reject control octets in file-loaded cookies
Verified by test 2311

Closes #22070
2026-06-18 08:04:24 +02:00
Yedaya Katsman
9ccc80b192
url: don't log bits.close state
This doesn't seem useful to users, and there doesn't seem to be a
scenario where bits.close is set to 1 during this logging anyway.

Closes #22073
2026-06-18 08:03:43 +02:00
Viktor Szakats
e136694525
cmake/FindGSS: drop CMake <3.16 compatibility logic
Redundant since bumping minimum to 3.18.

Follow-up to 89043ba906 #20407
Follow-up to 1f11224232 #18950

Closes #22072
2026-06-17 18:38:46 +02:00
Viktor Szakats
6db0ba2a38
cmake/FindGSS: drop "MIT Unknown" version value, related tidy ups
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).

Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
  of returning "unknown", which was not true and also not done by other
  Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
  guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.

Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```

Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16d

Closes #22071
2026-06-17 18:04:44 +02:00
Viktor Szakats
a36e979284
GHA/macos: enable krb5 in an autotools job
Cherry-picked from #22052

Closes #22069
2026-06-17 16:29:15 +02:00
Viktor Szakats
174cafb3e6
cmake: simplify LINK_ONLY imported target extraction
Suggested-by: Kai Pastor
Ref: https://github.com/curl/curl/pull/21654#discussion_r3425296606
Follow-up to 3c597ced16 #21654

Closes #22063
2026-06-17 15:16:19 +02:00
Viktor Szakats
e8b76773af
GHA/linux: give more time for apt-get install
3 minutes (was: 2).

IIn the hope it fixes timeouts, assuming the Ubuntu mirrors are only
somewhat slower sometimes (and not completely stalled).

Closes #22068
2026-06-17 15:16:19 +02:00
Viktor Szakats
766969be39
GHA: sync apt-get code between workflows/jobs
- delete 3rd-party apt sources, where missing.
- do `apt-get update`, where missing.

Closes #22067
2026-06-17 15:16:19 +02:00
Viktor Szakats
4e07b374dd
GHA/linux: allow more time for apt.repos.intel.com install
Whether the install is extreme slow and will fail anyway, or only slower
sometimes, and this fixes, we will see.

Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590

Follow-up to 50ff4f2927 #21414

Closes #22065
2026-06-17 14:37:54 +02:00
Viktor Szakats
0ffd2e7fde
GHA/windows: do apt-get update in clang-tidy cross-build job again
Syncing with most similar uses in other workflows.

Fixing, e.g.:
```
E: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/pool/universe/l/
  llvm-toolchain-20/llvm-20-linker-tools_20.1.2-0ubuntu1%7e24.04.2_amd64.deb
  404  Not Found [IP: 172.66.152.176 443]
```
Ref: https://github.com/curl/curl/actions/runs/27682974841/job/81877061033?pr=22061

Follow-up to 1b8449674a #14992

Closes #22064
2026-06-17 14:37:54 +02:00
Viktor Szakats
bdb1773536
INTERNALS.md: document minimum nghttp3 and ngtcp2 versions
Follow-up to 5eefdd71a3 #17027
Follow-up to 915f3981c9 #16320

Closes #22062
2026-06-17 14:37:54 +02:00
Viktor Szakats
4abe47e1f5
src: sync nghttp2 versions checks with current requirements
Also:
- drop a redundant check.
- make the in-source error informative.

Follow-up to 2900c29218 #11473

Closes #22061
2026-06-17 14:37:54 +02:00
Viktor Szakats
60381b2046
first.h reflow 2026-06-17 14:37:14 +02:00
Stefan Eissing
d2886c5ac4
http: for basic+digest auth, do not engage on empty user+passwd
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.

Verify a redirect to blank user+password in test 2208

Closes #22060
2026-06-17 14:05:03 +02:00
Stefan Eissing
8c3ef95adf
dns-httpsrr-lookup: use origin, not peer
Origin is the correct peer for lookup of HTTPS-RR records.

Closes #22059
2026-06-17 12:04:49 +02:00