Unix domain socket paths need to be compared case-senstive, in contrast
to DNS hostnames.
Follow-up to bc40e09f63
Pointed out by Codex Security
Closes#21511
No production code function is allowed to be longer than 500 lines.
The lib/setopt.c:setopt_cptr function is currently exempt, as a single
exception until we make it smaller.
Closes#21492
`struct Curl_peer` keeps information about a communication endpoint
together. It will replace `conn->host` and `conn->conn_to_host` and
proxyinfo host. It will also become part of `struct ssl_peer`.
It has a reference counter, so an instance can be shared between
connections and filters.
Elminiates `conn->host` and `conn->connect_to_host`, used in the
proxyinfo structures. Passed to DNS resolution and socks filters, etc.
Pass peer to http proxy and socks tunnel filters. Use peer in dns filter
and resolving. Make `Curl_peer` a member in the `struct ssl_peer`.
Add `docs/internals/PEERS.md` for documentation.
Closes#21472
This allows the unit tests to have a prototype involving such a struct
pointer - even when the build is done without threaded resolver.
Follow-up to 117d50b4bfCloses#21503
The longest header lines accepted for the -F option is now a define
instead of a magic number. I also bumped it to be an even 8K.
When fixing, I noticed that for some OOM errors curl would display two
error messages. Also fixed here.
Closes#21501
- explain the get_param_part() function
- make it parse only blanks like the rest of this code
- check for commas explicitly when scanning multiple files (to help code
understanding)
Closes#21489
- update action `actions/cache` from 5.0.4 to 5.0.5
- update action `actions/upload-artifact` from 7.0.0 to 7.0.1
- update action `github/codeql-action` from 4.32.4 to 4.35.2
- update action `msys2/setup-msys2` from 2.31.0 to 2.31.1
- update pip `filelock` from 3.25.2 to 3.29.0
- update pip `impacket` to 0.13.0
- update pip `ruff` from 0.15.10 to 0.15.12
Closes#21483Closes#21482
When building curl 8.20.0 with socketpair disabled, there is no
wakeup socket and the resolve results are not processed.
This fix performs result processing in the absence of a wakeup
socket before checking the resolve result.
Closes#21476
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
```
The following packages have unmet dependencies:
[...]
E: Unable to satisfy dependencies. Reached two conflicting assignments:
1. musl-dev:amd64=1.2.5-3+b1 is selected for install
2. musl-dev:amd64 is not selected for install because:
1. musl-dev:riscv64=1.2.5-3 is selected for install
2. musl-dev:amd64 Breaks musl-dev:riscv64 (!= 1.2.5-3+b1)
```
Ref: https://github.com/curl/curl/actions/runs/25168601672/job/73785600341#step:3:154Closes#21475
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Fix to create the top directory `foo` when specified as
`X:foo\bar\filename`, on Windows and MS-DOS. Add test to verify.
Caught by Codex Security
Follow-up to 787ee935ac#16566Closes#21449
To avoid difficult to track down crashes when a tested function ends up
outputing a message via `errorf()`, `warnf()` or siblings.
Cherry-picked from #21449Closes#21454
