- update action `actions/cache` from 5.0.4 to 5.0.5
- update action `actions/upload-artifact` from 7.0.0 to 7.0.1
- update action `github/codeql-action` from 4.32.4 to 4.35.2
- update action `msys2/setup-msys2` from 2.31.0 to 2.31.1
- update pip `filelock` from 3.25.2 to 3.29.0
- update pip `impacket` to 0.13.0
- update pip `ruff` from 0.15.10 to 0.15.12
Closes#21483Closes#21482
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Fix to create the top directory `foo` when specified as
`X:foo\bar\filename`, on Windows and MS-DOS. Add test to verify.
Caught by Codex Security
Follow-up to 787ee935ac#16566Closes#21449
To avoid difficult to track down crashes when a tested function ends up
outputing a message via `errorf()`, `warnf()` or siblings.
Cherry-picked from #21449Closes#21454
Necessary when the libssh2/libssh client library does not support KEX
algos offered by default by the OpenSSH server. E.g. libssh2 with WinCNG
combined with OpenSSH 10+.
Also: use this option in GHA/windows.
Follow-up to 3b8bb1a86a#21219
Follow-up to c98d0a2e9a#21220Closes#21438
- introduce 'struct when' to hold the parser result
- initwhen() initializes a 'struct when'
- datestring() parses strings
- datenum() parses numbers
- datecheck() does some final checks
- tzadjust() adds the time zone offset
- convert math to 64 bit, squeeze into time_t only in the last step,
mktimet() does the time_t storing
Closes#21394
The combination of a misspelled directory name and failing to check the
result of cd leads to infinite recursion as `make check` simply invokes
itself over and over.
Follow-up to 00887aee8c#18079Closes#21378
On platforms where struct sockaddr has a length field, the current code
leaves it uninitialized, resulting in a test failure when valgrind is
used.
Closes#21377
`ssh-keygen -t ed25519` does not support PEM key format, and it
defaults to `RFC4716` which is what we want.
It affected GHA/windows tests that explicitly used ed25519 keys.
Also:
- GHA/windows: bump minimums to hopefully catch this early next time.
1701a8319e#21353
- merge two Perl lines.
Reported-by: herbenderbler on github
Fixes#21360
Follow-up to acda4eae5e#21223Closes#21374
Add a "limit" handler to httpd that responds 429 after 5 requests and
then 429s all requests for 2 seconds. After which another 4 requests are
served before 429 strikes again.
Closes#21357
When a user supplies an IP address to use for the HAPROXY protocol,
the IP version reported must be deduced from the address and has
no relation to the IP version used for the upstream connection.
Add test3220 to verify.
Fixes#21340
Reported-by: Fiona Klute
Closes#21341
Support HTTPS records in dnsd that have ALPN preferences.
Add pytest test_22_* to verify that HTTPS record ALPN
preferencces take effect if the HTTPS resolve arrives in time.
Fix HTTPS eyeballing use of timeouts for second attempt. Also,
make an initial HTTP/1.1 attempt switch off HTTP/2.
Closes#21329
Test has been flaky due to not waiting for the test server to be
listening. On slow CI systems, the started thread is late and the curl
command gets a refused connection.
Closes#21337
Add new internal `curl_url_same_origin()` to check if a href has the
same origin as a base URL. Add test cases in test1675 and use this in
http2 push handling.
Closes#21328
- make sure all UNITTEST prototypes mark in which unit test they are used,
with "@unittest" markup
- make sure all UNITTEST functions do not use Curl_ prefix, as that is a
prefix we use for global private functions and these functions are static
and therefore not global and the prefix is wrong
- drop UNITTEST for functions not used in unit tests
- make the extract-unit-protos script highlight the above issues if found
- extract-unit-protos now also outputs the unit test number for all the
generated protos in lib/unitprotos.h to aid readers. It also adds the source
file and line number where the proto originates from.
- extract-unit-protos now exits with a non-zero value if any of the above
warnings are triggered
- cf-dns: Curl_cf_dns_result => static cf_dns_result
- hostip: Curl_ipv6works => static ipv6works
- url: remove Curl_setup_conn() - not used anymore
- connect: Curl_timeleft_now_ms => UNITTEST timeleft_now_ms
Closes#21330
To make it scoped for the single request appropriately.
Reported-by: Muhamad Arga Reksapati
Verify with libtest 2504: a custom Host *disabled* on reused handle
Closes#21312
Add "Delay-A: ms", "Delay-AAAA: ms" and "Delay-HTTPS: ms" to the test
dnsd config and implement delayed response handling.
Add test_21_09 and test_21_10 to check that delayed responses connect
using the undelayed address family.
Closes#21299
