Previously it was not compiled if CURL_DISABLE_BINDLOCAL is set, but the
FTP code is also using this function.
Easily found by using configure --disable-bindlocal without disabling
FTP.
Closes#16933
Enable eventfd code consistently when both `HAVE_EVENTFD` and
`HAVE_SYS_EVENTFD_H` macros are defined.
Before this patch `HAVE_EVENTFD` guarded it alone, though the code
also required the header, which was guarded by `HAVE_SYS_EVENTFD_H`.
These should normally be detected in pairs. When they aren't, omit using
`eventfd()` to avoid calling it without a known matching header.
If this disables valid cases (e.g. some system declares this function
via a different header), feature detection and the code may be extended
for those cases. If these are known to come in pairs, always, another
option is detect them both at build stage, and forward a single macro
to C.
Reported-by: Abhinav Singhal
Bug: https://curl.se/mail/lib-2025-04/0000.htmlCloses#16909
Curl_hexbyte - output a byte as a two-digit ASCII hex number
Curl_hexval - convert an ASCII hex digit to its binary value
... instead of duplicating similar code and hexdigit strings in numerous
places.
Closes#16888
The condition required to reach this call could not happen, because
cf_ssl_scache_get() already checks the same condition and returns NULL
for 'scache' prior to this.
Found by CodeSonar
Closes#16896
When a PUSH_PROMISE was received, the h2_stream object was assigned
to the wrong `newhandle->mid` and was thereafter not found. This led
to internal confusion, because the nghttp2 stream user_data was not
cleared and an invalid easy handle was use for trace messages,
resulting in a crash.
Reported-by: Viktor Szakats
Fixes#16881Closes#16905
With libssh2 1.11.0 or newer.
Different crypto backends may offer different features, e.g. in the keys
and algos they support.
Examples:
```
* Trying 127.0.0.1:22...
* Connected to localhost (127.0.0.1) port 22
* libssh2 crypto backend: openssl compatible
[or]
* libssh2 crypto backend: WinCNG
```
Also fix indentation and drop redundant curly braces.
Closes#16790
Treat %2e and %2E to be "dot equivalents" in the function and remove
such sequences as well, according to RFC 3986 section 5.2.4. That is
also what the browsers do.
This DOES NOT consider %2f sequences in the path to be actual slashes,
so there is no removal of dots for those.
This function does not decode nor encode any percent sequences.
Also switched the code to use dynbuf.
Extends test 1395 and 1560 to verify.
Assisted-by: Demi Marie Obenour
Fixes#16869Closes#16870
When multiple headers share the same name, AWS SigV4 expects them to be
merged into a single header line, with values comma-delimited in the
order they appeared.
Add libtest 1978 to verify.
Closes#16743
Before this patch the signal handler called `logmsg()` which in turn
called `printf()` variants (internal implementations), and `FILE *`
functions, `localtime()`. Some of these called `malloc`/`free`, which
isn't supported in s signal handler. Replace them with `write` calls,
losing some logging functionality.
Also:
- De-dupe and move `STD*_FILENO` macros to `lib/curl_setup.h`. Revert
the `src` definition to point to `stderr`, instead of `tool_stderr`.
Follow-up to e5bb88b8f8#11958
POSIX specs with list of functions allowed in a signal handler:
2004: https://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html#tag_02_04_03
2017: https://pubs.opengroup.org/onlinepubs/9699919799/functions/V2_chap02.html#tag_15_04_03
2024: https://pubs.opengroup.org/onlinepubs/9799919799/functions/V2_chap02.html#tag_16_04_03
Linux CI run with the thread sanitizer going crazy when
hitting the signal handler in test 1238 and 1242 (TFTP):
```
WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=12582)
#0 malloc <null> (servers+0x5ed70)
#1 _IO_file_doallocate <null> (libc.so.6+0x851b4)
#2 formatf /home/runner/work/curl/curl/bld/tests/server/../../lib/../../lib/mprintf.c:886:9 (servers+0xdff77)
[...]
WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=12582)
#0 free <null> (servers+0x5f453)
#1 fclose <null> (libc.so.6+0x8532f)
#2 logmsg /home/runner/work/curl/curl/bld/tests/server/../../../tests/server/util.c:134:5 (servers+0xe684d)
```
Ref: https://github.com/curl/curl/actions/runs/14118903372/job/39555309490?pr=16851Closes#16852
With rustls-ffi 0.15+ we can set up a callback for writing TLS secrets
hooked up to call Curl_tls_keylog_write. To make sure the associated
file is cleaned up we update the Curl_ssl struct for the rustls-ffi vtls
backend to have a cleanup callback.
Closes#16828
- Return 0 for password length if OpenSSL is expecting a certificate
password but the user did not provide one.
Prior to this change libcurl would crash if OpenSSL called the certificate
password callback in libcurl but no password was provided (NULL).
Reported-by: Roman Zharkov
Fixes https://github.com/curl/curl/issues/16806
Closes https://github.com/curl/curl/pull/16807
- Use 'td->' in more places instead of the full thing.
- Remove an assert that is always true since the extra dynamic malloc
was removed
- Ignore Curl_ares_perform() errors to prioritize the "real" resolver
info and leave RR as "less important"
Closes#16808
The callback, provided from url.c did the work that the cshutdn
functionality also implemented. Remove it.
Change some DEBUGF(infof()) to CURL_TRC_M().
Closes#16810
When handling connections (not transfers) related events, always use the
passed `conn` and not `data->conn` as the transfer does not need to have
the same connection.
Fix handling of conn pollset diffs to disregard the transfer.
Closes#16782
Before this patch, autotools disabled building unit tests for
non-debug-enabled (`DEBUGBUILD`) builds. runtests skipped running this
combination, though they were built in cmake builds. There seems to be
no technical reason anymore for these restrictions. This patch removes
them, allowing to build and run unit tests for non-debug-enabled builds.
To improve unit test build and run coverage.
- autotools: do not disable building unit tests for non-debug-enabled
build. Bringing behavior closer to cmake builds. (There are still
exceptions in autotools, something for another PR)
- runtests: run unit tests for non-debug-enabled builds.
It extends coverage by 50 tests.
- `lib/altsvc.c`: fix to include `CURL_TIME` support in libcurlu, for
unit tests. It fixes test 1654, and syncs `CURL_TIME` behavior with
test 1660 and `lib/hsts.c`.
Ref: 10a7d05be3
Ref: fc8e0dee30#13694
Ref: 99f78cbf6e#16770Closes#16771
While adding support for key blobs, a check and error code update moved
after some logic, resulting in the updated code not checked anymore.
Detected by clang-tidy:
```
lib/vtls/mbedtls.c:768:7: error: Value stored to 'ret' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
768 | ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/13953249156/job/39057979349?pr=16764#step:12:178
Regression from 05e0453050#7157
Cherry-picked from #16764Closes#16766
- cmake: disable test bundles for clang-tidy builds.
clang-tidy ignores #included .c sources, and incompatible with unity
and bundles. It caused clang-tidy ignoring all test sources. It also
means this is the first time tests sources are checked with
clang-tidy. (autotools doesn't run it on tests.)
- cmake: update description for `CURL_TEST_BUNDLES` option.
- fix tests using special `CURLE_*` enums that were missing from
`curl/curl.h`. Add them as reserved codes.
- fix about ~50 other issues detected by clang-tidy: unchecked results,
NULL derefs, memory leaks, casts to enums, unused assigments,
uninitialized `errno` uses, unchecked `open`, indent, and more.
- drop unnecessary casts (lib1533, lib3207).
- suppress a few impossible cases with detailed `NOLINT`s.
- lib/escape.c: drop `NOLINT` no longer necessary.
Follow-up to 72abf7c13a#13862 (possibly)
- extend two existing `NOLINT` comments with details.
Follow-up to fabfa8e402#15825Closes#16756
resolver may call destroy_async_data after the name is resolved and
corresponding socketpair is already closed at this point. Any following
call to Curl_resolver_getsock should not set the fd.
Fixes#16799Closes#16802
Add a DEBUGASSERT() in Curl_dyn_free() that checks that Curl_dyn_init()
has been performed before.
Fix code places that did it wrong.
Fixes#16725Closes#16775
Syncing behavior with MD5 host public keys.
libcurl implemented to force a host key type for hosts is present in
`known_hosts`, and disabled this logic when an MD5 host public key is
explicitly set. libcurl later received support for SHA256 host public
keys. This update missed to extend the `known_hosts` logic with the new
key type.
This caused test 3022 to fail if a pre-existing `known_hosts` listed
the test server IP (127.0.0.1) with a non-RSA host key algo.
Follow-up to d1e7d9197b#7646
Follow-up to 272282a054#4747Closes#16805
These attributes were causing unexplained warnings while playing with
PR #16738: In `CURLDEBUG` builds with mingw, gcc (14.2.0), and `-O3`,
while building `libcurlu`. `-O3` is required. May be related to having
the `CURLDEBUG` allocators in the same source file as their callers
(unity mode). PR #16738 moves `memdebug.c` into the main unity unit.
Unclear why it doesn't affect `libcurl`.
E.g. CI job `mingw, CM ucrt-x86_64 schannel R TrackMemory` CI job:
https://github.com/curl/curl/actions/runs/13888662354/job/38856868429
It also reproduces in an isolated example.
Drop this attribute till we learn more about it.
Ref: https://github.com/curl/curl/pull/16737#issuecomment-2727681306
Partial revert of d5b403074e#16737Closes#16740
seen with mingw-w64 gcc 14.2.0 while playing with other modifications:
```
lib/asyn-thread.c: In function 'init_resolve_thread':
lib/asyn-thread.c:447:5: warning: 'free' called on pointer 'data' with nonzero offset 3264 [-Wfree-nonheap-object]
447 | free(td);
| ^~~~~~~~
```
Where `td` is:
```c
struct thread_data *td = &data->state.async.thdata;
```
Follow-up to d9fc64d3ab#16241Closes#16734
Fix the broken implementation to have `data->state` carry pointers into
connectdata members. Always dup the memory and free when easy handle
closes.
Closes#16733
