Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Closes#21996
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.
Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.
Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)
Follow-up to 6079ff314b#22075
Follow-up to a8174176b5#13841Closes#22077
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.
now:
```
$ ls -l /home # on arm
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
$ ls -l /home # on intel
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
```
Follow-up to 2b0d8dcc16#20231Closes#22076
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Fixes#22050
Reported-by: Bryan Henderson
Closes#22066
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).
Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
of returning "unknown", which was not true and also not done by other
Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.
Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16dCloses#22071
3 minutes (was: 2).
IIn the hope it fixes timeouts, assuming the Ubuntu mirrors are only
somewhat slower sometimes (and not completely stalled).
Closes#22068
Whether the install is extreme slow and will fail anyway, or only slower
sometimes, and this fixes, we will see.
Example:
```
Need to get 1159 MB of archives.
After this operation, 4463 MB of additional disk space will be used.
Get:1 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2023.2.0 all 2023.2.0-49462 [30.4 kB]
Get:2 https://apt.repos.intel.com/oneapi all/main all intel-oneapi-common-licensing-2026.0 all 2026.0.0-235 [30.7 kB]
[...]
Get:21 https://apt.repos.intel.com/oneapi all/main amd64 intel-oneapi-dpcpp-debugger-2023.2.0 amd64 2023.2.0-49330 [201 MB]
Error: The action 'install Intel compilers' has timed out after 2 minutes.
```
Ref: https://github.com/curl/curl/actions/runs/27683923870/job/81877924590
Follow-up to 50ff4f2927#21414Closes#22065
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Closes#22060
- drop the old test_setopt() which did the same thing
- remove #if 0'ed macros from first.h
These macros now store results in 'result' more aggressively, but I
believe that is generally favorable.
Closes#22057
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existance.
We have no test cases for this, so this is a shot in the dark
here.
Fixes#21943
Reported-by: Dan Fandrich
Closes#22044
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.
Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.
This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.
Closes#22042
The OS detection variable is not initialized at the time of assigning
its value to `OPT_APPLE_SECTRUST`. Replace the current empty value with
`no`. This keeps existing, desired, behavior.
Closes#22054
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Closes#22040
- Clarify that the tarball to verify should be put in the same dir you
run the script.
- Verify that the curl version number in the file name matches the
version number within the tarball. To reduce risk for mistakes.
- When verifying using git, do not unpack the tarball. It avoids the
security risk with malicious tarball contents playing tricks on git.
- Only unpack the tarball for git-less verfication.
- Move the source tarball into _tarballs/ instead of overwriting it,
which can be useful in case the verification fails
Closes#22032
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Closes#22033
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
Verified by test 3401
Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415Closes#22024
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additonal PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Closes#22030
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b3
- lib650: drop an interim variable, and interim casts.
Follow-up to 60776a0515#2747
- curl_formdata.md: document `CURLFORM_NAMELENGTH` on man page.
- curl_formdata.md: pass `long` to `CURLFORM_BUFFERLENGTH` on man page.
- formdata: pass `long` to `CURLFORM_CONTENTSLENGTH` in comment.
Closes#22017
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Reported-by: Tatsuhiro Tsujikawa
Closes#22016
Move the setup filter into its own source file.
Move the main connect driving function, `Curl_conn_connect()`,
from cfilters.c to connect.c.
Closes#22022
For correctness. Did not cause an issue, because the null-terminator is
present.
Also:
- change a size type to avoid casts.
- reuse input length value.
Spotted by GitHub Code Quality
Follow-up to 1e4cb333ef#4826Closes#22027
