Commit graph

39051 commits

Author SHA1 Message Date
Viktor Szakats
2a993e2a4a
GHA: re-sync Linux CMake triplet with autotools builds
Follow-up to 8f5e4f020e #22097
2026-06-19 01:09:53 +02:00
Viktor Szakats
8f5e4f020e
GHA: fix Linux triplet passed to CMAKE_C_COMPILER_TARGET
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.

Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu   CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae   && :
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66

Follow-up to 36bd807475 #15242
Follow-up to 232302f88a #14382
Cherry-picked from #22092

Closes #22097
2026-06-19 00:53:04 +02:00
Viktor Szakats
139ce4d37c
GHA: separate pytype from other checkers and pips
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.

Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.

Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092

Closes #22096
2026-06-19 00:14:18 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00
Viktor Szakats
e44f1a1446
smb: constify strchr() result variable
Fixing (as seen with gcc-15 on Ubuntu 26.04):
```
lib/smb.c: In function 'smb_connect':
lib/smb.c:491:9: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  491 |   slash = strchr(user, '/');
      |         ^
lib/smb.c:493:11: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  493 |     slash = strchr(user, '\\');
      |           ^
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462418?pr=22092

Follow-up to 4e5908306a #20428
Follow-up to 7dc60bdb90 #20425
Follow-up to 0e2507a3c6 #20421

Cherry-picked from #22092

Closes #22094
2026-06-18 21:12:17 +02:00
Viktor Szakats
950a30d762
GHA/http3-linux: bump to ubuntu-26.04
Before: https://github.com/curl/curl/actions/runs/27772068909
After: https://github.com/curl/curl/actions/runs/27772321661?pr=22089

Closes #22089
2026-06-18 19:27:15 +02:00
Viktor Szakats
c972583f6c
MANUAL.md: update apt-key example
To use `tee` instead, due to `apt-key` being deprecated, and missing
from recent distros.

Also lowercase `stdin` to match rest of the file.

Ref: https://documentation.ubuntu.com/release-notes/26.04/summary-for-lts-users/#package-management-apt-3

Follow-up to b13e9066b3 #16127
Follow-up to 54130a6cad #10170

Closes #22090
2026-06-18 19:26:19 +02:00
Viktor Szakats
adb4edd177
GHA: bump analyzer/sanitizer jobs to clang-22, and ubuntu-26.04
On Linux, and Windows cross-builds.

clang-tidy jobs look significantly faster. Other jobs remain around the
same (this feels nice after seeing the significant slowdowns in
Windows-2025, FreeBSD 15.)

Before: https://github.com/curl/curl/actions/runs/27770630688
After: https://github.com/curl/curl/actions/runs/27770913426?pr=22086

gcc-analyzer also got faster:
Before: https://github.com/curl/curl/actions/runs/27758865007/job/82127670883
After: https://github.com/curl/curl/actions/runs/27768696084/job/82162385765

Also:
- work around actionlint 1.7.12 not yet being aware of ubuntu-26.04:
  ```
  windows.yml:770:14: label "ubuntu-26.04" is unknown. available labels are [...]
  ```
  Ref: https://github.com/curl/curl/actions/runs/27769065782/job/82163700294#step:6:13
  Ref: https://github.com/rhysd/actionlint/issues/682
  Ref: https://github.com/rhysd/actionlint/pull/683

Follow-up to 5a2af800de #22084

Closes #22086
2026-06-18 17:54:10 +02:00
Daniel Stenberg
595d052923
curl_multi_assign.md: clarify lifetime
Closes #22088
2026-06-18 17:47:33 +02:00
Viktor Szakats
39628c5084
openssl: do not mix OpenSSL int result with CURLcode variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
 3538 |     result = SSL_ech_set1_server_names(octx->ssl,
      |            ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3539 |                                        peer->origin->hostname, outername,
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3540 |                                        0 /* do send outer */);
      |                                        ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43

Cherry-picked from #22086

Closes #22087
2026-06-18 17:30:56 +02:00
Daniel Stenberg
b71d3d9aea
CURLMOPT_SOCKETFUNCTION.md: this sends *all* file descriptors
Since libcurl has more than just the main tranfer sockets to worry
about.

Closes #22081
2026-06-18 17:06:45 +02:00
Viktor Szakats
5a2af800de
GHA/linux: bump analyzer job to gcc-16, and ubuntu-26.04
To fix false positive gcc analyzer warning
`-Wanalyzer-deref-before-check`, seen with gcc-15 and lower.

Also bump its pair job.

Tests with #22082 applied:
gcc-13: https://github.com/curl/curl/actions/runs/27761999978/job/82138558662 (warning)
gcc-15: https://github.com/curl/curl/actions/runs/27767571050/job/82158465527 (warning)
gcc-16: https://github.com/curl/curl/actions/runs/27767332723/job/82157636394 (OK)

Ref: #22082
Fixes #22083

Closes #22084
2026-06-18 17:01:02 +02:00
alhudz
2f8fb98c5f
pingpong: reject nul byte in server response line
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.

Closes #21996
2026-06-18 14:17:27 +02:00
Daniel Stenberg
a7e35c9194
docs/VERIFY: expand with more things we do
Closes #22080
2026-06-18 12:55:22 +02:00
Viktor Szakats
2d70c815e4
GHA/linux: use default GCC compiler, drop CC/CXX envs
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.

Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.

Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)

Follow-up to 6079ff314b #22075
Follow-up to a8174176b5 #13841

Closes #22077
2026-06-18 10:56:12 +02:00
Viktor Szakats
6079ff314b
GHA/http3-linux: simplify setting CC/CXX envs
Replace `GITHUB_ENV` method by defining these envs at workflow-level.

Follow-up to a8174176b5 #13841

Closes #22075
2026-06-18 10:42:17 +02:00
Viktor Szakats
af94731a43
GHA/linux: drop arm runner home attribute workaround (fixed upstream)
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.

now:
```
$ ls -l /home  # on arm
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner

$ ls -l /home  # on intel
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner
```

Follow-up to 2b0d8dcc16 #20231

Closes #22076
2026-06-18 10:42:17 +02:00
Stefan Eissing
f0be417635
multi: xfers_really_alive
Yes, we were counting the "live" transfers before, but were they
*really* alive?

When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.

For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.

The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.

Add two fields in multi and easy handle:

* `multi->xfers_really_alive`: counts the "alive" transfers that have
  passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted

Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.

Fixes #22050
Reported-by: Bryan Henderson
Closes #22066
2026-06-18 10:31:40 +02:00
Daniel Stenberg
abad1c9e48
RELEASE-PROCEDURE.md: update coming relese dates
Adjusted for the summer of bliss 2026
2026-06-18 08:31:39 +02:00
alhudz
4a86af9940
cookie: reject control octets in file-loaded cookies
Verified by test 2311

Closes #22070
2026-06-18 08:04:24 +02:00
Yedaya Katsman
9ccc80b192
url: don't log bits.close state
This doesn't seem useful to users, and there doesn't seem to be a
scenario where bits.close is set to 1 during this logging anyway.

Closes #22073
2026-06-18 08:03:43 +02:00
Viktor Szakats
e136694525
cmake/FindGSS: drop CMake <3.16 compatibility logic
Redundant since bumping minimum to 3.18.

Follow-up to 89043ba906 #20407
Follow-up to 1f11224232 #18950

Closes #22072
2026-06-17 18:38:46 +02:00
Viktor Szakats
6db0ba2a38
cmake/FindGSS: drop "MIT Unknown" version value, related tidy ups
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).

Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
  of returning "unknown", which was not true and also not done by other
  Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
  guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.

Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```

Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16d

Closes #22071
2026-06-17 18:04:44 +02:00
Viktor Szakats
a36e979284
GHA/macos: enable krb5 in an autotools job
Cherry-picked from #22052

Closes #22069
2026-06-17 16:29:15 +02:00
Viktor Szakats
174cafb3e6
cmake: simplify LINK_ONLY imported target extraction
Suggested-by: Kai Pastor
Ref: https://github.com/curl/curl/pull/21654#discussion_r3425296606
Follow-up to 3c597ced16 #21654

Closes #22063
2026-06-17 15:16:19 +02:00
Viktor Szakats
e8b76773af
GHA/linux: give more time for apt-get install
3 minutes (was: 2).

IIn the hope it fixes timeouts, assuming the Ubuntu mirrors are only
somewhat slower sometimes (and not completely stalled).

Closes #22068
2026-06-17 15:16:19 +02:00
Viktor Szakats
766969be39
GHA: sync apt-get code between workflows/jobs
- delete 3rd-party apt sources, where missing.
- do `apt-get update`, where missing.

Closes #22067
2026-06-17 15:16:19 +02:00
Viktor Szakats
4e07b374dd
GHA/linux: allow more time for apt.repos.intel.com install
Whether the install is extreme slow and will fail anyway, or only slower
sometimes, and this fixes, we will see.

Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590

Follow-up to 50ff4f2927 #21414

Closes #22065
2026-06-17 14:37:54 +02:00
Viktor Szakats
0ffd2e7fde
GHA/windows: do apt-get update in clang-tidy cross-build job again
Syncing with most similar uses in other workflows.

Fixing, e.g.:
```
E: Failed to fetch http://azure.archive.ubuntu.com/ubuntu/pool/universe/l/
  llvm-toolchain-20/llvm-20-linker-tools_20.1.2-0ubuntu1%7e24.04.2_amd64.deb
  404  Not Found [IP: 172.66.152.176 443]
```
Ref: https://github.com/curl/curl/actions/runs/27682974841/job/81877061033?pr=22061

Follow-up to 1b8449674a #14992

Closes #22064
2026-06-17 14:37:54 +02:00
Viktor Szakats
bdb1773536
INTERNALS.md: document minimum nghttp3 and ngtcp2 versions
Follow-up to 5eefdd71a3 #17027
Follow-up to 915f3981c9 #16320

Closes #22062
2026-06-17 14:37:54 +02:00
Viktor Szakats
4abe47e1f5
src: sync nghttp2 versions checks with current requirements
Also:
- drop a redundant check.
- make the in-source error informative.

Follow-up to 2900c29218 #11473

Closes #22061
2026-06-17 14:37:54 +02:00
Viktor Szakats
60381b2046
first.h reflow 2026-06-17 14:37:14 +02:00
Stefan Eissing
d2886c5ac4
http: for basic+digest auth, do not engage on empty user+passwd
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.

Verify a redirect to blank user+password in test 2208

Closes #22060
2026-06-17 14:05:03 +02:00
Stefan Eissing
8c3ef95adf
dns-httpsrr-lookup: use origin, not peer
Origin is the correct peer for lookup of HTTPS-RR records.

Closes #22059
2026-06-17 12:04:49 +02:00
Daniel Stenberg
39caaff7b3
libtest: unify on easy_setopt macro
- drop the old test_setopt() which did the same thing
- remove #if 0'ed macros from first.h

These macros now store results in 'result' more aggressively, but I
believe that is generally favorable.

Closes #22057
2026-06-17 12:03:41 +02:00
Stefan Eissing
74ac8e74ec
creds: create with empty user+pass
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existance.

We have no test cases for this, so this is a shot in the dark
here.

Fixes #21943
Reported-by: Dan Fandrich
Closes #22044
2026-06-17 07:54:11 +02:00
Daniel Stenberg
7806fb36c5
RELEASE-NOTES: synced 2026-06-16 23:22:58 +02:00
Stefan Eissing
92db819714
cf-dns: pass peer for result lookups
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.

Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.

This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.

Closes #22042
2026-06-16 23:15:43 +02:00
dependabot[bot]
73d060950e
GHA: bump pip cryptography from 46.0.7 to 48.0.1
Closes #22055
2026-06-16 22:18:43 +02:00
Viktor Szakats
528c05a987
configure: tidy up OPT_APPLE_SECTRUST initialization
The OS detection variable is not initialized at the time of assigning
its value to `OPT_APPLE_SECTRUST`. Replace the current empty value with
`no`. This keeps existing, desired, behavior.

Closes #22054
2026-06-16 22:18:43 +02:00
Dan Fandrich
6125d5d6c5 CI: improve labeler tag detection 2026-06-16 10:53:17 -07:00
Viktor Szakats
aacb90bee9
cmake/FindGSS: prioritize MIT over GNU in pkg-config detection
To match the non-pkg-config path, and also suspected user expectation.

This comes with a small incompatibility in return for more consistency.

Bug: https://github.com/curl/curl/pull/22052#discussion_r3422424979
Follow-up to 9e19a577eb #15176

Closes #22053
2026-06-16 19:11:15 +02:00
Viktor Szakats
be8f24323e
perl: open... || -> open... or (cont.)
Also: unfold a few lines, fix a space, add a missing parentheses.

Follow-up to 678e63934c #22036

Closes #22047
2026-06-16 19:11:15 +02:00
renovate[bot]
1bb75af8e9
GHA: update google/boringssl to v0.20260616.0
Closes #22046
2026-06-16 16:28:02 +02:00
Daniel Stenberg
b56cb3b71e
_URL.md: remove the zone-id mention
While correct, it felt random and misplaced there.

Closes #22048
2026-06-16 16:21:22 +02:00
Stefan Eissing
bd10924b47
url: connection credentials origin
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.

The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).

Closes #22040
2026-06-16 15:57:10 +02:00
Viktor Szakats
c2b050e4e4
servers: deduplicate storerequest() across two servers
Closes #22041
2026-06-16 12:42:59 +02:00
Daniel Stenberg
e0c6f4d4d6
tool_writeout: fix %time{} output for %s
Now testing both %s and %% in test 1981

Reported-by: wulin-nudt on github
Fixes #22038
Closes #22039
2026-06-16 10:17:43 +02:00
Viktor Szakats
678e63934c
perl: || die -> or die
Usage was fifty-fifty between these syntaxes before this patch.

Closes #22036
2026-06-16 00:41:29 +02:00
Daniel Stenberg
5d1ac48088
setopt: mark function argument as unused *properly*
Closes #22035
2026-06-15 23:08:59 +02:00