Commit graph

38362 commits

Author SHA1 Message Date
Viktor Szakats
912aa7c867
cmake: omit curl.rc from curltool lib
It's unnecessary for static libs, and saves one build step when building
tests on Windows.

Closes #20671
2026-02-22 13:51:02 +01:00
Viktor Szakats
e009beab89
clang-tidy: add missing parentheses to debug macro arguments
Follow-up to 139307865a #20647

Closes #20674
2026-02-22 13:51:02 +01:00
Viktor Szakats
25512ab34e
build: adjust minimum version for some clang picky warnings
Enable 3 warnings earlier with autotools, update comments for the rest.

Ref: https://godbolt.org/

Closes #20665
2026-02-22 00:58:04 +01:00
Viktor Szakats
139307865a
clang-tidy: check bugprone-macro-parentheses, fix fallouts
Also:
- lib/parsedate: avoid relying on side-effect of missing parentheses.
- lib/http: drop redundant parentheses.
- fix cases in headers missed by clang-tidy.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/bugprone/macro-parentheses.html

Closes #20647
2026-02-22 00:58:04 +01:00
Daniel Stenberg
9ce9afa312
silent.md: also mention it shuts off warning messages
Closes #20664
2026-02-22 00:13:29 +01:00
Daniel Stenberg
f1a39f221d
url: fix copy and paste url_match_auth_nego mistake
Follow-up to 34fa034
Reported-by: dahmono on github
Closes #20662
2026-02-21 18:37:31 +01:00
Viktor Szakats
a0244c536e
inet_pton: scope an include
Closes #20661
2026-02-21 15:06:58 +01:00
Viktor Szakats
b35e58b24c
openssl: fix potential OOB read in debug/verbose logging
Reported-by: aisle-research-bot
Bug: https://github.com/curl/curl/pull/20654#discussion_r2834860711

Closes #20656
2026-02-21 15:06:58 +01:00
Viktor Szakats
020f48d00c
clang-tidy: drop some redundant conditions reported by misc-redundant-expression
Not enforced due to false positives, and because in cases a redundant
expression (e.g. encapsulated in a macro) may be preferred.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/misc/redundant-expression.html

Closes #20644
2026-02-21 15:06:58 +01:00
Stefan Eissing
078b3031ea
easy: reset pausing when resetting request
When the easy handle's request is reset, this needs to also reset
any pausing/ratelimit state.

Reported-by: Natris on github
Fixes #20641
Closes #20643
2026-02-21 14:56:06 +01:00
Christian Schmitz
d19c9e4e63
request.h: rename parameter 'buf' to 'req' in Curl_req_send
Someone renamed the parameter, so we need to rename the documentation.

Closes #20660
2026-02-21 14:55:05 +01:00
Viktor Szakats
c81309479a
clang-tidy: link to main documentation page [ci skip] 2026-02-21 00:08:59 +01:00
Daniel Stenberg
7bcf877198
RELEASE-NOTES: synced 2026-02-20 23:06:43 +01:00
Viktor Szakats
2862cafb49
unit1654: fix clang-tidy bugprone-redundant-branch-condition
```
tests/unit/unit1654.c:41:5: warning: redundant condition 'result' [bugprone-redundant-branch-condition]
   41 |     fail_if(result, "Curl_altsvc_load");
      |     ^
tests/libtest/unitcheck.h:29:5: note: expanded from macro 'fail_if'
   29 |     if(expr) {                                                         \
      |     ^
```

Ref: https://clang.llvm.org/extra/clang-tidy/checks/bugprone/redundant-branch-condition.html

Closes #20648
2026-02-20 17:33:35 +01:00
Viktor Szakats
977ac0c06c
clang-tidy: check misc-header-include-cycle, fix in internal headers
Also opt-out `curl/curl.h` because it includes `curl/mprintf.h`, which
in turn includes `curl/curl.h` for `CURL_EXTERN`. Not changeable in
public headers to remain compatible. (Somehow only triggered for
examples.)

Ref: https://clang.llvm.org/extra/clang-tidy/checks/misc/header-include-cycle.html

Closes #20645
2026-02-20 17:33:02 +01:00
Viktor Szakats
947775a613
libtests: drop two redundant memset()s
Reported by clang-tidy `bugprone-sizeof-expression`.

Silencing:
```
tests/libtest/cli_h2_pausing.c:164:23: warning: suspicious usage of 'sizeof()' on an expression of pointer type [bugprone-sizeof-expression]
  164 |   memset(&resolve, 0, sizeof(resolve));
      |                       ^
tests/libtest/cli_upload_pausing.c:158:23: warning: suspicious usage of 'sizeof()' on an expression of pointer type [bugprone-sizeof-expression]
  158 |   memset(&resolve, 0, sizeof(resolve));
      |                       ^
```

Ref: https://clang.llvm.org/extra/clang-tidy/checks/bugprone/sizeof-expression.html

Closes #20649
2026-02-20 17:15:49 +01:00
Viktor Szakats
eabd452d27
tests: avoid assignment in if conditions in first.h
Found by clang-tidy `bugprone-assignment-in-if-condition`.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/bugprone/assignment-in-if-condition.html

Closes #20646
2026-02-20 17:09:20 +01:00
Viktor Szakats
4b4637a445
build: disable typecheck via the command-line instead of curl_config.h
To make it apply to examples. This in turn makes analyzers run quicker
and with fewer false positives.

It's a special disable option, having its effect via `curl/curl.h`.

Bug: https://github.com/curl/curl/pull/20649#issuecomment-3934885021
Follow-up to 9e6f1c5efb #19637

Closes #20650
2026-02-20 16:32:37 +01:00
Viktor Szakats
1eb79cf54b
cmake: include curl/curl.h as system header in integration tests
Follow-up to fb70812437 #16126

Closes #20651
2026-02-20 16:32:37 +01:00
Viktor Szakats
dd82205bb2
memdebug: include backtrace.h as system header
Closes #20642
2026-02-20 16:32:37 +01:00
Daniel Lublin
d4234d9f46
docs: clarify --ipv4 and --ipv6
Try to make the wording more clear. It is the addresses in the resolver
result that are affected, not anything regarding *how* resolving is
done.

Closes #20585
2026-02-20 12:50:10 +01:00
Anna Liberty
3699976b79
docs: reword explanation of --variable option
Simplify the language expaining the --variable option, reducing
repetition. Also fix some minor grammar issues and makes language for
examples more consistent.

Closes #20636
2026-02-20 12:08:52 +01:00
Viktor Szakats
aa1854a8ff
tests/server/sockfilt: check for NULL tv to silence clang-tidy
A NULL dereference cannot happen with existing use of this code.

linux-mingw, CM clang-tidy:
```
/home/runner/work/curl/curl/tests/server/sockfilt.c:720:24: error: Access
 to field 'tv_sec' results in a dereference of a null pointer (loaded from
 variable 'tv') [clang-analyzer-core.NullDereference,-warnings-as-errors]
  720 |             tv->tv_sec = 0;
      |             ~~         ^
```
Ref: https://github.com/curl/curl/actions/runs/22191200093/job/64179197235?pr=20631#step:10:283

Cherry-picked from #20631

Closes #20639
2026-02-20 12:08:52 +01:00
Viktor Szakats
4042e7d9d8
clang-tidy: work around clang-tidy <=20 false positive (Windows)
clang-tidy <= v20 (as seen between 18.1.3 and 20.1.2) report
`readability-uppercase-literal-suffix` originating from mingw-w64 system
header `_mingw_mac.h` via `define __MSABI_LONG(x) x ## l`

Triggered by `SOCKENOMEM` (e.g. in tests/server/sockfilt.c):
```
warning: integer literal has suffix 'l', which is not uppercase [readability-uppercase-literal-suffix]
```

Work around by replacing Windows macro `WSA_NOT_ENOUGH_MEMORY`
with its literal value.

Bug: https://github.com/curl/curl/pull/20631#issuecomment-3930619868
Follow-up to c07c3cac74 #20629
Cherry-picked from #20631

Closes #20638
2026-02-20 12:08:52 +01:00
Viktor Szakats
c927b18d6b
INSTALL-CMAKE.md: document more settings requiring absolute paths
Cherry-picked from #20631

Closes #20637
2026-02-20 12:08:52 +01:00
Viktor Szakats
6dc5f2948c
cmake: improve clang-tidy invocation for tests in cross-builds
By passing to clang-tidy the C compiler with `--target` and sysroot
options, if any.

Fixing (GHA/windows, linux-mingw, CM clang-tidy):
```
lib/curl_setup.h:841:10: error: 'io.h' file not found [clang-diagnostic-error]
  841 | #include <io.h>
      |          ^~~~~~
Found compiler error(s).
FAILED: [code=1] tests/server/CMakeFiles/servers-clang-tidy bld/tests/server/CMakeFiles/servers-clang-tidy
cd tests/server && /usr/bin/clang-tidy --config-file=.clang-tidy.yml
--warnings-as-errors=* --checks=-clang-diagnostic-unused-function first.c getpart.c util.c dnsd.c [...]
-- <-D-options> <-I-options> <cflags>
```

For reference, this is CMake's built-in clang-tidy invocation:
```
/usr/local/bin/cmake -E __run_co_compile --tidy="/usr/bin/clang-tidy;--config-file=.clang-tidy.yml;
--warnings-as-errors=*;--extra-arg-before=--driver-mode=gcc" --source=lib/curl_fopen.c
-- /usr/bin/clang --target=x86_64-w64-mingw32 <-D-options> <-I-options> <cflags>
```

Also:
- bump cmakelint `--max-statements`. Needs 59 after this patch.
- use undocumented CMake variables:
  - `CMAKE_C_COMPILE_OPTIONS_TARGET` for `--target=`
  - `CMAKE_C_COMPILE_OPTIONS_SYSROOT` for `--sysroot=`

Cherry-picked from #20631

Closes #20640
2026-02-20 12:08:52 +01:00
Viktor Szakats
1858126cca
cmake: sync clang-tidy arg order in tests with C compiler
Pass macro definitions first. For uniformity, no functional difference.

To match:
```
CMAKE_C_COMPILE_OBJECT = '<CMAKE_C_COMPILER> <DEFINES> <INCLUDES> <FLAGS> [...]'
```

Closes #20635
2026-02-19 19:08:31 +01:00
Viktor Szakats
b5a6d617d1
clang-tidy: sort list [ci skip]
Follow-up to b7ecd14725 #20632
2026-02-19 16:34:01 +01:00
Viktor Szakats
b7ecd14725
clang-tidy: replace comma-separated string with list in config
Bump required clang-tidy version to v17.0.0 for this.

Ref: https://releases.llvm.org/17.0.1/tools/clang/tools/extra/docs/clang-tidy/index.html
Follow-up to 4497dbd9ac #20605

Closes #20632
2026-02-19 16:27:08 +01:00
Viktor Szakats
8712fac111
clang-tidy: drop redundant casts
Found via `readability-redundant-casting`. Prone to false positives, not
enabled.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/redundant-casting.html

Closes #20630
2026-02-19 15:27:17 +01:00
Viktor Szakats
c07c3cac74
clang-tidy: enable and fix readability-uppercase-literal-suffix
Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/uppercase-literal-suffix.html

Closes #20629
2026-02-19 15:27:17 +01:00
Viktor Szakats
3cdc167425
clang-tidy: check readability-redundant-preprocessor, fix fallouts
Also:
- cipher_suite: merge `USE_MBEDTLS` `#if` blocks.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/redundant-preprocessor.html

Closes #20628
2026-02-19 15:27:17 +01:00
Viktor Szakats
bd60df527c
clang-tidy: check readability-redundant-control-flow
Also fix fallouts.

Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/redundant-control-flow.html

Closes #20625
2026-02-19 12:44:52 +01:00
Viktor Szakats
c878160e9c
clang-tidy: sync argument names in prototype and definition
Discovered with clang-tidy checker
`readability-inconsistent-declaration-parameter-name`.

Also:
- do not enforce the above because of inconsistencies still present
  between public API prototypes and definitions. (Also betwen man page
  protos, and man page examples, and other parts of the code, e.g.
  `easy` vs `curl` vs `d` vs `handle`) Perhaps subject for a future
  effort:
  https://github.com/curl/curl/actions/runs/22166472728/job/64094691653
- enable and fix `readability-named-parameter` where missing.

Refs:
https://clang.llvm.org/extra/clang-tidy/checks/readability/inconsistent-declaration-parameter-name.html
https://clang.llvm.org/extra/clang-tidy/checks/readability/named-parameter.html

Closes #20624
2026-02-19 12:44:37 +01:00
Viktor Szakats
7c01bb23bc
rtspd: fix to check realloc() result
Also enable `bugprone-suspicious-realloc-usage` clang-tidy option
to verify.

Fixing:
```
tests/server/rtspd.c:328:37: error: 'req->rtp_buffer' may be set to null if 'realloc' fails,
 which may result in a leak of the original buffer
 [bugprone-suspicious-realloc-usage,-warnings-as-errors]
  328 |                   req->rtp_buffer = realloc(req->rtp_buffer,
      |                   ~~~~~~~~~~~~~~~   ^       ~~~~~~~~~~~~~~~
```

Ref: https://clang.llvm.org/extra/clang-tidy/checks/bugprone/suspicious-realloc-usage.html

Closes #20621
2026-02-19 12:38:49 +01:00
Viktor Szakats
7e203c15e6
cmake/FindMbedTLS: add workaround for missing static MSVC mbedcrypto.lib 4.0.0
Seen with mbedTLS 4.0.0. mbedTLS 4.0.0 renamed `mbedcrypto` lib to
`tfpsacrypto`, while also keeping a copy under the old name to aid
transition. However, this compatibility logic is broken for MSVC static
builds, and the old name missing.

Work around by looking for the new name in the raw detection codepath.

Note that using `pkg-config`-based detection also works as a workaround.

Reported-by: tawmoto on github
Fixes #20616
Ref: https://github.com/Mbed-TLS/mbedtls/blob/v4.0.0/library/CMakeLists.txt#L275-L282
Ref: https://github.com/Mbed-TLS/mbedtls/issues/10605

Closes #20617
2026-02-19 12:38:49 +01:00
Viktor Szakats
4497dbd9ac
clang-tidy: fixes and improvements
Fix bigger and smaller kinks in how clang-tidy is configured and used.
Sync behavior more between autotools and cmake, lib/src and tests. Bump
clang-tidy minimum version and prepare logic to allow using clang-tidy
to a fuller extent.

- move clang-tidy settings from builds to a new `.clang-tidy.yml`.
  To make it easy to see and edit checks at one place. Also to allow
  using the `--checks=` option internally to silence tests-specific
  checks. (clang-tidy does not support multiple `--check=` options via
  the command-line.)
  Use explicit `--config-file=` option to point to the configuration.
- .clang-tidy.yml: link to documentation.
- suppress `clang-diagnostic-nullability-extension` due to a false
  positive in libtests with `CURL_WERROR=ON` and `PICKY_COMPILER=OFF`.
- .clang-tidy.yml: enable `portability-*`, `misc-const-correctness`.
- drop `--quiet` clang-tidy option by default to make its working a bit
  more transparent. The extra output is minimial.
- consistently use double-dashes in clang-tidy command-line options.
  Supported by clang-tidy 9.0.0+ (2019-09-19). Before this patch single
  and double were used arbitrarily.
- src/tool_parsecfg: silence false positive `clang-analyzer-unix.Stream`.
  Seen with clang 18 + clang-tidy 19 and 20 (only with autotools.)
- INTERNALS: require clang-tidy 14.0.0+. For the `--config-file` option.
- INTERNALS: recommend clang-tidy 19.1.0+, to avoid bogus
  `clang-analyzer-valist.Uninitialized` warnings. (bug details below)

autotools:

- allow configuring the clang-tidy tool via `CLANG_TIDY` env.
  Also to use in GHA to point to a suffixed clang-tody tool.
- fix to pass CFLAGS to lib, src sources.
  (keep omitting them when using a non-clang compiler.)
- fix to pass `--warnings-as-errors=*` in quotes to avoid globbing.

cmake:

- fix to not pass an empty `-I` to clang-tidy.
- fix to pass CFLAGS (picky warnings) to clang-tidy for test sources.
  (keep omitting them when using a non-clang compiler.)
- fix to disable `clang-diagnostic-unused-function` for test sources.
  (tests have static entry points, which trigger this check when
  checking them as individidual sources.)
- fix forwarding `CURL_CLANG_TIDYFLAGS` to clang-tidy.
- force disable picky warnings when running clang-tidy with a non-clang
  compiler. To not pass these flags when checking lib and src.

CI:

- GHA/linux: avoid clang-tidy bug by upgrading to v19, and drop the
  workaround.
- GHA/linux: switch to clang from gcc in the clang-tidy job. Using gcc
  doesn't allow passing CFLAGS to clang-tidy, making it less effective.
  (My guess this was one factor contributing to this job often missing
  to find certain issues compared to GHA/macos.)

I recomment using clang-tidy with a clang compiler, preferably the same
version or one that's compatible. Other cases are best effort, and may
fail if a C flag is passed to clang-tidy that it does not understand.
Picky warnings are mostly omitted when using a non-clang compiler,
reducing its usefulness.

Details and reproducer for the v18 (and earlier) clang-tidy bug,
previously affecting the GHA/linux job:

clang-tidy <=18 emits false warnings way when passing multiple C sources
at once (as done with autotools):

```sh
cat > src1.c <<EOF
#include <string.h>
static void dummy(void *p) { memcmp(p, p, 0); }
EOF

cat > src2.c <<EOF
#include <stdarg.h>
void vafunc(int option, ...)
{
  va_list param;
  va_start(param, option);
  if(option)
    (void)va_arg(param, int);
  va_end(param);
}
EOF

/opt/homebrew/opt/llvm@18/bin/clang-tidy --checks=clang-analyzer-valist.Uninitialized src1.c src2.c

# src2.c:7:11: warning: va_arg() is called on an uninitialized va_list [clang-analyzer-valist.Uninitialized]
```

Follow-up to e86542038d #17047

Closes #20605
2026-02-19 00:02:11 +01:00
Viktor Szakats
5fa5cb3825
build: fix -Wunused-macros warnings, and related tidy-ups
- fix internal macro `AN_APPLE_OS` reused between sources without
  resetting it. It may potentially have left the system sha256
  function unused.
- fix to define `WOLFSSL_OPTIONS_IGNORE_SYS` so that it always applies
  to wolfSSL headers, also during feature detection.
- md4, md5, sha256: simplify fallback logic.
- delete 20+ unused macros.
- scope or move macros to avoid `-Wunused-macros` warnings.
- examples: delete unused code.

The warning detects macros defined but not used within the same C
source. It does not warn for macros defined in headers. It also works
with unity builds, but to a lesser extent.

Closes #20593
2026-02-19 00:00:48 +01:00
Viktor Szakats
633ec719d5
curl_ntlm_core: merge two #if blocks
Cherry-picked from #20593

Closes #20620
2026-02-18 22:04:45 +01:00
Viktor Szakats
dc08922a61
openssl: disable local keylog feature if built-in upstream
Reported-by: Paul Howarth
Fixes #20611

Closes #20614
2026-02-18 12:04:23 +01:00
Stefan Eissing
f1c9d5e484
easy: reset errorbuf on eyeballing success
Any failf() that fill the errorbuf need to be forgotten once happy
eyeballing finds a succssful winner. Because the errorbuf, once set, is
not overwritten with future error information.

Adds test_05_05 to verify.

Reported-by: Tim Friedrich Brüggemann
Fixes #20608

Closes #20613
2026-02-18 12:04:23 +01:00
Dan Fandrich
36c2c7626f libcurl-security.md: Fix typos and add a point about URLs 2026-02-17 12:38:26 -08:00
Viktor Szakats
970e59a82f
GHA/windows: mark 3023/3024 flaky
Same as the other two tests, but for Schannel.

Follow-up to dead29362a #20602
Follow-up to 3ae234b2a3 #20462

Closes #20609
2026-02-16 21:13:43 +01:00
Viktor Szakats
8fb87f5a4a
lib: delete unused local includes
Filtered from `clang-tidy` `misc-include-cleaner` hits.

Also:
- pingping: scope includes.
- doh: say the reason for an include.

Closes #20607
2026-02-16 21:13:43 +01:00
Viktor Szakats
daa6b27b4d
include: avoid recursive macros
To fix potential `-Wdisabled-macro-expansion` warnings when using these
macros within other macros. Fixing for example:
```
lib/doh.c:328:3: error: disabled expansion of recursive macro [clang-diagnostic-disabled-macro-expansion,-warnings-as-errors]
  328 |   ERROR_CHECK_SETOPT(CURLOPT_URL, url);
      |   ^
lib/doh.c:271:14: note: expanded from macro 'ERROR_CHECK_SETOPT'
  271 |     result = curl_easy_setopt((CURL *)doh, x, y);       \
      |              ^
include/curl/curl.h:3332:44: note: expanded from macro 'curl_easy_setopt'
 3332 | #define curl_easy_setopt(handle,opt,param) curl_easy_setopt(handle,opt,param)
      |                                            ^
[...]
```

Also update comments on why curl continues to disable
`-Wdisabled-macro-expansion` and `-Wused-but-marked-unused` warnings.

Follow-up to 92f215fea1 #18477

Closes #20597
2026-02-15 22:54:32 +01:00
Viktor Szakats
1eec8b8d03
mprintf: rename internal enum to avoid collision with AmigaOS symbol
Also:
- drop AmigaOS workaround.

Closes #20584
2026-02-15 22:54:31 +01:00
Viktor Szakats
dead29362a
GHA/windows: mark test 3000 flaky too
Similar to test 3001 marked flaky earlier.

Example:
https://github.com/curl/curl/actions/runs/22035738719/job/63668228484?pr=20597#step:14:4099

Follow-up to 3ae234b2a3 #20462

Closes #20602
2026-02-15 22:54:31 +01:00
Viktor Szakats
a55f160b13
src: simplify declaring curl_ca_embed
Also to avoid `-Wunused-macros` warnings.

Follow-up to 8a3740bc8e #14059
Cherry-picked from #20593

Closes #20601
2026-02-15 12:48:46 +01:00
Viktor Szakats
298f73f95b
cmake: enable binutils ld workaround for all toolchains at build-time (revert)
The change was valid, but caused an annoying warning with perfectly
working non-binutils ld linkers:
```
ld: warning: ignoring duplicate libraries: 'my/path/usr/local/lib/libcrypto.a'
```
(seen with Apple clang, when using static `libcrypto.a`)

It means that for the binutil ld hack to work at consumption-time, curl
must be built with the same picky binutils (gcc) toolchain.

Reverts 795433b923 #20434

Closes #20594
2026-02-15 12:48:46 +01:00
Viktor Szakats
9e1e5ea67c
curl_setup.h: update/expand OPENSSL_SUPPRESS_DEPRECATED comment
Document functions/features requiring it.

Follow-up to cab040248d #10543
Cherry-picked from #20593

Closes #20600
2026-02-15 12:48:46 +01:00