Commit graph

38987 commits

Author SHA1 Message Date
Stefan Eissing
7333f6674c
cf-capsule: complete filter
Make the capsule filter complete, implement:

- pollset handling
- flush handling and querying
- shutdown handling
- replace allocated send buffer with a bufq

Closes #22019
2026-06-15 15:42:22 +02:00
Daniel Stenberg
c8d8f081fd
src/test: avoid (void)! constructs
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.

While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.

It is rather a reason to reconsider the usefulness of the warning.

Closes #22023
2026-06-15 14:43:09 +02:00
Daniel Stenberg
9f25dcea55
checksrc: detect and warn for (void)!
It's plain weird. Don't do it.

Closes #22023
2026-06-15 14:42:52 +02:00
Daniel Stenberg
b0d733e143
VULN-DISCLOSURE-POLICY: non-released code
Closes #22025
2026-06-15 14:32:35 +02:00
Viktor Szakats
0882e3951d
servers: mask to S_IFMT in unix socket path attribute check
Instead of `S_IFSOCK` before this patch. For correctness; it is probably
not an issue in most environments.

Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22021#discussion_r3413049506
Follow-up to 99fb36797a

Closes #22026
2026-06-15 14:27:07 +02:00
Stefan Eissing
8cc3fed7df
transfer: adapt Curl_xfer_is_secure()
Now that `conn->origin` can be the proxy, we need to change how
Curl_xfer_is_secure() and some other places work.

Pointed out by Codex Security

Closes #22015
2026-06-15 13:41:26 +02:00
Viktor Szakats
03bc93bd32
servers: drop unix socket path attribute check on Windows
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.

Follow-up to 30e491e5c9 #7034
Follow-up to 99fb36797a

Cherry-picked from #22010

Closes #22021
2026-06-15 13:36:46 +02:00
Viktor Szakats
e70f8ebd34
servers: fix error message if unix socket path is not a socket
Follow-up to 99fb36797a
Cherry-picked from #22010

Closes #22020
2026-06-15 13:07:08 +02:00
Viktor Szakats
a6d9783894
libtests: prefer sizeof() over strlen(), fix potential OOB read in 1591
- test1591: fix potential OOB read.
  Spotted by GitHub Code Quality
  Follow-up to f464535bfd #3350

Closes #22011
2026-06-15 11:24:19 +02:00
Daniel Stenberg
79a24161ab
urlapi: refactor and simplify curl_url_set
Create and make use of:

- url_encode_part()
- url_uppercasehex_part()
- url_append_query()
- url_sethost()

Closes #22012
2026-06-15 08:33:19 +02:00
Viktor Szakats
9061302a86
tidy-up: prefer spelling 'flavor', where missing
In comments and two internal build variables.

Closes #22014
2026-06-15 03:28:42 +02:00
Viktor Szakats
43c685fa78
cmake/FindGSS: fix comment, adjust custom flavor property name
- fix property name in comment.
- rename `INTERFACE_CURL_GSS_FLAVOUR` ->
  `INTERFACE_CURL_GSS_FLAVOR` to match preferred usage.

Follow-up to 8aeefd0b35 (subcommit)
Follow-up to 16f073ef49 #16973

Closes #22013
2026-06-15 02:41:29 +02:00
Viktor Szakats
0ffab25b6c
tidy-up: miscellaneous
- `N byte` -> `N-byte` or `N bytes`.
- INTERNALS.md: language tweaks.
- schannel: language tweak in comment/error message.
- socks_gssapi, socks_sspi: simplify composing an error message.
  (at a cost of 8 extra constant string bytes.)
- m4/curl-compilers.m4: fix typo in link (in comment).
- contrithanks.sh: fix indent, drop stray `;` terminator.
- lib, src, tests: drop/fix a bunch of badwords.
- fix typos in comments.
- fix indent, stray spaces.

Some of these spotted by GitHub Code Quality and Copilot

Closes #22009
2026-06-14 20:10:28 +02:00
Daniel Stenberg
5bff1c35f1
socks_sspi: store socks5_gssapi_enctype
Store the unwrapped protection level in `conn->socks5_gssapi_enctype` to
prevent the proxy from continuing unprotected. Matches the GSSAPI version
of the code.

Reported-by: Trail of Bits
Closes #22004
2026-06-14 18:36:13 +02:00
Daniel Stenberg
c4cb67692d
smb: integer overflow proof a size check
By using size_t for the vars instead of shorts.

Pointed out by Zeropath

Closes #22001
2026-06-14 18:12:33 +02:00
Viktor Szakats
f1b1919bd0
servers: drop single-use interim result variables
Closes #22008
2026-06-14 17:49:33 +02:00
Viktor Szakats
9002d3350c
servers: minor socket error handling fixes
- sws: fix socket error code in `select()` failure message.
  Spotted by Copilot
  Bug: https://github.com/curl/curl/pull/21998#discussion_r3409469444
- sws: do not call `SOCKERRNO` twice on error.
- dnsd: do not call `SOCKERRNO` twice on error.
- dnsd: replace `goto` with `while()` to sync with rest of code.
- dnsd: `sendto()` fail message fixes:
  - replace `int` cast with `%zu` mask.
  - drop redundant newline.
  - show socket error string like rest of code.
  - report not-fully-sent error separately from socket errors.

Closes #22007
2026-06-14 16:16:25 +02:00
Viktor Szakats
945938de10
rtspd: sync up sleep loop with sws
Check for `!got_exit_signal` as part of the `while()` expression,
instead of doing it after calling `curlx_wait_ms()`. To simplify and
improve consistency with rest of code.

Follow-up to 0653fa107f
Follow-up to 123c92c904

Closes #22006
2026-06-14 16:16:25 +02:00
Viktor Szakats
d9ea8cdcfa
tests/servers: do not interpret unlink() retval as errno
In `socksd` and `sws` error messages.

Also:
- show the messages only if `unlink()` failed.
- rename a return code variable and sync a message text for consistency.

Ref: https://pubs.opengroup.org/onlinepubs/9699919799/functions/unlink.html

Spotted by Copilot in `socksd.c`
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409395013
Follow-up to 80eb71a3f5 #8687

Closes #22005
2026-06-14 14:25:02 +02:00
Viktor Szakats
9972f700a8
perl: switch from backticks to qx()
To make it easier to find external command invocation in the source.

Also drop backticks from a comment.

To find external command invocations in Perl code use:
```sh
git grep -E "((exec|qx|open2|open3|system)\(|open\(.+-\|)" $(<perlfiles>)
```

Refs:
https://perldoc.perl.org/functions/qx
https://perldoc.perl.org/perlop#Simpler-Quote-Like-Operators

Closes #21994
2026-06-14 14:25:02 +02:00
Viktor Szakats
c61f007a73
krb5_sspi: fix error message on DecryptMessage() fail
Spotted by GitHub Code Quality

Closes #22003
2026-06-14 14:17:27 +02:00
Viktor Szakats
ba16b83221
telnet: drop an int cast no longer necessary
Spotted-by GitHub Code Quality

Follow-up to c5637baa06
Follow-up to 83a5e39065

Closes #22002
2026-06-14 14:17:27 +02:00
Viktor Szakats
fe2df80a5a
socket: use name sockerr for socket error variables
Also:
- add comment explaining a `sockerr = errno` (vs. `SOCKERRNO`)
  assignment.

Closes #21998
2026-06-14 14:17:07 +02:00
Daniel Stenberg
fb83911aa6
socks_sspi: invalid response length is a fatal error
Pointed out by Zeropath
Closes #21999
2026-06-14 12:29:38 +02:00
Saud Alshareef
6b78264bcf
ldap: base64 encode binary LDIF values with WinLDAP
The WinLDAP backend only base64 encoded LDAP values when the attribute
name ended in ;binary. This made attributes such as jpegPhoto get
written as raw bytes, producing malformed LDIF output.

Match the OpenLDAP backend by also base64 encoding values with leading
or trailing blanks or non-printable bytes.

Fixes #21926
Reported-by: oreadvanthink on github
Closes #21982
2026-06-14 11:11:43 +02:00
Daniel Stenberg
8d3c4fe344
sspi: free libcurl allocated memory with curlx_free
DecryptMessage() decrypts the buffer in place, overwriting the original
contents. It does not allocate any new buffer so the single original
buffer should be freed using the same memory "system" that allocated it.

Reported-by: Trail of Bits
Closes #21990
2026-06-13 23:18:59 +02:00
Viktor Szakats
bb837dda23
telnet: drop redundant interim variables
Also reduce scope of a declaration.

Closes #21995
2026-06-13 01:27:50 +02:00
Stefan Eissing
73daec6620
lib: transfer origin and proxy handling
Add `data->state.origin` as the origin the transfer is sending the
current request to/gets the response from. Use it for request specific
properties like authentication, hsts and cookie handling, etc.

Unless talking to a forwarding HTTP proxy (e.g. not tunneling),
`data->state.origin` and `conn->origin` are the same.

With a forwarding HTTP proxy in play, `conn->origin` is set to
`conn->http_proxy.peer` and `conn->bits.origin_is_proxy` (a new bit) is
set.

Remove the connection bits, now replaced with:

* `conn->bits.socksproxy` -> `conn->socks_proxy.peer`
* `conn->bits.httpproxy` -> `conn->http_proxy.peer`
* `conn->bits.proxy` -> `(conn->socks_proxy.peer || conn->http_proxy.peer)`
* `conn->bits.tunnel_proxy` -> `(conn->http_proxy.peer && !conn->bits.origin_is_proxy)`
* `(conn->bits.httpproxy && !conn->bits.tunnel_proxy)` -> `conn->bits.origin_is_proxy`

Rename `noproxy.[ch]` to `proxy.[ch]`. Move the connection proxy setup
code from `url.c` to `proxy.c`.

Remove `data->info.conn_remote_port` as no one uses it.

Add test_40_02b for a SOCKS connection to a forwarding HTTPS proxy.

Update internal documentation about peers and creds.

Closes #21967
2026-06-12 23:52:00 +02:00
Viktor Szakats
c951368579
build: enable -Wlogical-op picky warning for GCC 4.4+
Follow-up to 879a1514c3 #21992

Closes #21893
2026-06-12 23:37:37 +02:00
Viktor Szakats
879a1514c3
socket: introduce SOCK_EAGAIN() and use it
To contain the logic of checking for both `EWOULDBLOCK` and/or `EAGAIN`
depending on platform/availability. Also to avoid checking for both if
they map to the same value, and to avoid PP guards around use.

This also ensures `EAGAIN` is consistently not checked on Windows, where
headers defined it, but `SOCKERRNO` never returns it, because curl maps
it to `WSAGetLastError()`.

If they map to the same value, checking them both in an `if` expression
trips GCC warning `-Wlogical-op` (the same way it triggers duplicate
case value error in `switch`).

Also:
- replace two `switch()` statements with the new macro.
- tests/server/sws: make two outliers use the new macro that were only
  checking for `EWOULDBLOCK` before this patch, in `connect_to()`.
- move variables to the left-side of expressions, where missing.
- rustls: use a variant of this macro that uses raw `EWOULDBLOCK`.
  Tried tracing it back to the origins, but I couldn't figure out if
  this is working as expected on all supported Windows versions in
  Rust. It seems to be using `GetLastError()`, according to
  https://docs.rs/system_error/0.2.0/system_error/, which would be
  probably incorrect.

Notes:
- it's probably a good idea to assign `SOCKERRNO` to a variable before
  passing it to this macro.

Cherry-picked from #21893

Closes #21992
2026-06-12 23:27:23 +02:00
Viktor Szakats
7c51a33877
AmigaOS: fix build fallouts, re-add to CI
Fix build issues:
- src: adjust `toolx_ftruncate()`.
- libtests/cli_ftp_upload: make `struct timeval` initialization portable.
- libtests/lib1960: do unconst in local `inet_pton()` macro.
- tests/server/dnsd: make it stub instead of failing the build.
- tests/server: make them link AmiSSL for `SocketBase`.

Also:
- bump AmiSSL to the latest release.
- add download hash checks and toolchain cache.
- sync restored code with local updates made since last year.

It takes 30 seconds per job, 1 minute in total.

Thanks-to: Bebbo
Thanks-to: Darren Banfi
Ref: https://github.com/curl/curl/pull/21989#issuecomment-4691380623
Follow-up to 7a14898264 #17486

Closes #21993
2026-06-12 20:27:44 +02:00
Stefan Eissing
7d8c68adbe
schannel: fix https proxy for client cert and certinfo
When schannel operates in front of a proxy, it needs to use the proxy
ssl configs, not the transfer's ones. Choose the configs as it is done in
other TLS backends.

Prior to this change the client cert for the destination was mistakenly
also used as the client cert for the proxy.

Prior to this change the proxy server certificate info was mistakenly
saved as the destination cert info. However, if the destination was a
TLS connection, the real destination cert info would overwrite the
proxy cert info. libcurl currently does not support proxy server cert
info AFAICT (see discussion in #21986).

Closes https://github.com/curl/curl/pull/21986
2026-06-12 14:21:10 -04:00
Viktor Szakats
4f53234309
telnet: fix old copy-paste typo in variable name
This code lacks tests, though we agreed it looks plausible enough to
merge it based on surrounding code. Even though this line has been
present for a long time. If you use this code, please report any results
or issues.

Reported by GitHub Code Quality

Follow-up to ae1912cb0d

Closes #21979
2026-06-12 16:03:32 +02:00
Daniel Stenberg
a1db90053b
runtests: exit hard on duplicate test name
To make the mistake more noticeable

Closes #21991
2026-06-12 15:33:57 +02:00
Daniel Stenberg
5b9263e5d7
mailmap: Darren Banfi
2026-06-12 14:48:12 +02:00
Darren Banfi
982e2e8c75
AmigaOS: curl_setup.h avoid explicit_bzero with clib2
clib2 defines __NEWLIB__ after its system headers are included, but it
does not provide explicit_bzero().

curl therefore selects the explicit_bzero() path and fails to build with
m68k-amigaos-gcc:

```
../lib/curl_setup.h:1650:35: error: implicit declaration of function 'explicit_bzero' [-Werror=implicit-function-declaration]
 1650 | #define curlx_memzero(buf, size)  explicit_bzero(buf, size)
      |                                   ^~~~~~~~~~~~~~
curlx/strdup.c:115:5: note: in expansion of macro 'curlx_memzero'
  115 |     curlx_memzero(buf, size);
      |     ^~~~~~~~~~~~~
```

Excluding __CLIB2__ from the generic __NEWLIB__ branch makes curl use
its existing portable curlx_memzero() fallback. The full AmigaOS build
then completes successfully.

I've tested the following on Amiga OS 3.2.3 with this patch and latest
build.

- HTTP and HTTPS transfers
- AmiSSL certificate handling
- redirects
- downloads and file output
- timeout handling with the expected exit code 28
- repeated execution with clean exits
- no crashes or regressions observed

Follow-up to 066478f634 #21598

Closes #21989
2026-06-12 14:44:10 +02:00
Viktor Szakats
fb2441294e
GHA/distcheck: switch to parse info.json
Refs:
c569aaa161
https://github.com/curl/curl-www/pull/596

Follow-up to b3bc61ab68 #21978

Closes #21988
2026-06-12 13:33:06 +02:00
Daniel Stenberg
8664a9f378
runtests: error out on duplicate test names
Closes #21984
2026-06-12 13:19:44 +02:00
Daniel Stenberg
ab3bb8cd8b
config2setopts: use default protocol properly
Verified by test 1724, 1725 and 2036

Closes #21983
2026-06-12 12:57:15 +02:00
Viktor Szakats
410f3ca585
checksrc: silence -b option debug message
Closes #21985
2026-06-12 12:08:45 +02:00
Viktor Szakats
d77b4b7407
GHA: drop brew update from all jobs
After adding it a month ago (where missing) to fix a failure.

Removing this time to fix a different failure (on Linux), and also to
improve CI performance. Some install steps take over a minute, most of
that spent on `brew update`.

GH runner images also enabled extra taps which may contribute to further
delays, and seen to make it more fragile if GH itself struggles (taps
are hosted there.)

Refs:
https://github.com/curl/curl/actions/runs/27384213554/job/80927624171
https://github.com/curl/curl/actions/runs/27382368348/job/80921910973

Follow-up to db5d888673 #21608

Closes #21981
2026-06-12 02:46:03 +02:00
Viktor Szakats
abdfa2baff
lib695, lib757: fix truncated newline in error messages
Closes #21980
2026-06-12 01:33:05 +02:00
Viktor Szakats
b3bc61ab68
GHA/distcheck: use https://curl.se/info
Suggested-by: Daniel Stenberg
Ref: https://github.com/curl/curl/pull/21977#issuecomment-4684764838
Follow-up to 0cd0a64de4 #21977

Closes #21978
2026-06-12 01:08:53 +02:00
Daniel Stenberg
c37b3982b3
RELEASE-NOTES: synced
2026-06-11 23:28:30 +02:00
Daniel Stenberg
c5b6b744ed
libtests: add and use tutil_throwaway_cb
This is an implementation of a CURLOPT_WRITEFUNCTION callback that just
throws away the content and returns success. Saves us from having to
reimplement it many times in different tests.

Closes #21971
2026-06-11 23:17:05 +02:00
Fabian Keil
244834d3a1
tests: add the "--resolve" keyword to tests that lack it
... even though they use the curl option "--resolve".

This makes it more convenient to choose or skip the tests.

For example Privoxy's cts test framework relies on the "--resolve"
keyword when executing the "upstream-tests" scenario to skip curl
tests that aren't expected to work when the requests are made through
Privoxy. While some of the modified tests are already skipped for
other reasons through other means when testing Privoxy, it's good to
be consistent.

Closes #21930
2026-06-11 23:10:16 +02:00
Viktor Szakats
0cd0a64de4
GHA/distcheck: fix parsing the download page
Fixing:
```
curl: (3) URL rejected: Malformed input to a URL function
```
Ref: https://github.com/curl/curl/actions/runs/27370389568/job/80880800780

Refs:
1735f6af6a
https://github.com/curl/curl-www/pull/593

Follow-up to 2cc171cbd4 #21759

Closes #21977
2026-06-11 22:09:47 +02:00
Viktor Szakats
bcb2890c6f
telnet: fix error message typos
Spotted by GitHub Code Quality

Closes #21976
2026-06-11 22:09:47 +02:00
Viktor Szakats
8b1be77c44
runtests: fix tests for curl builds with embedded CA bundle
Reported-by: Rainer Jung
Co-authored-by: Rainer Jung
Fixes #21970
Follow-up to 8a3740bc8e #14059

Closes #21973
2026-06-11 20:57:59 +02:00
Viktor Szakats
e35ba09f47
tidy-up: add spaces around equal operators where missing
Found via regex search: `=[^~>= ]`

Closes #21975
2026-06-11 19:52:01 +02:00