Commit graph

39078 commits

Author SHA1 Message Date
Viktor Szakats
78267398e5
GHA/linux: bump pizlonator/fil-c to v0.680, fixup quoting
Also put the version number in quotes to avoid GHA altering the number
into `0.68` (without rightmost zero) and ending up storing that in the
`FIL_C_VERSION` env.

Hopefully Renovate will honor this on future bumps.

Do the same for the rest of `x.y` format version numbers.

Fixing:
```
env:
[...]
    FIL_C_VERSION: 0.68
```
Ref: https://github.com/curl/curl/actions/runs/28006009260/job/82920767558?pr=22142#step:5:16

Fixes #22142

Closes #22143
2026-06-23 11:45:08 +02:00
Daniel Stenberg
7e37510c93
RELEASE-PROCEDURE.md: typo 2026-06-23 10:06:14 +02:00
Viktor Szakats
621176cbd5
GHA/windows: settle on windows-2025 image name
It's the final/stable image name and it's shipping with VS2026 now.

Ref: https://github.com/actions/runner-images/issues/14017
Follow-up to b0239417b3 #21713

Closes #22139
2026-06-23 01:14:57 +02:00
Viktor Szakats
364d6c18f7
cmake: add pre-fills for DragonFly BSD and MidnightBSD
Based on CI runs:
DragonFlyBSD: https://github.com/curl/curl/actions/runs/27978506617/job/82802332910 (autotools)
MidnightBSD: https://github.com/curl/curl/actions/runs/27977103321/job/82797523470 (cmake)

Also readd DragonFly BSD to GHA/non-native, but keep it commented.

Closes #22138
2026-06-22 22:57:07 +02:00
Viktor Szakats
560dc2985a
doh: drop redundant curlx_dyn_free() call in doh_probe_done()
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.

Reported-by: netspacer.research

Follow-up to 1ebd92d0fd #16384

Closes #22133
2026-06-22 21:04:45 +02:00
Viktor Szakats
b0d0f16d20
tidy-up: make 'CA' uppercase, where missing
```sh
git grep -w ca | grep -v -E -i 'ca[;"=/()%_.-]' | grep -v -E -i '[*$"=/()%_.-]ca'
```

Closes #22135
2026-06-22 21:04:45 +02:00
Viktor Szakats
5735540835
CURLOPT_SSLVERSION.md: drop stray space from 'SSLv*', 'TLSv*'
To match rest of codebase.

Closes #22131
2026-06-22 21:04:45 +02:00
Stefan Eissing
be1d976a2a
peer: fix ipv6 detection
When trying to detect ipv6 addresses, ipv4 addresses were also
flagged as ipv6.

Add test2413 to check.

Closes #22134
2026-06-22 17:16:07 +02:00
Viktor Szakats
d824266425
appveyor: pass --proto-redir =https option
Follow-up to 500820682c #21757

Closes #22130
2026-06-22 13:04:16 +02:00
Viktor Szakats
f7d4e11f4b
setopt: return error if received curl_blob->data is NULL
To avoid dereferencing in the function if `CURL_BLOB_COPY` is set, or
outside of the function if unset.

Reported-by: netspacer.research

Closes #22129
2026-06-22 12:08:35 +02:00
Viktor Szakats
b3675fe80a
libssh2: drop stray double-negative from strncmp() result
Just a tidy-up. Logic remains identical.

Spotted by GitHub Code Quality

Follow-up to a867314f4f #16382

Closes #22126
2026-06-22 12:08:35 +02:00
Viktor Szakats
2735ef3bae
libssh2: fix to return error code on missing parameter
Reported by GitHub Code Quality

Follow-up to 0095f98464 #15250

Closes #22125
2026-06-22 12:08:35 +02:00
Daniel Stenberg
c35e2cb29f
setopt: cleanup the length check for COPYPOSTFIELDS handling
Make it more straight-forward

Closes #22127
2026-06-22 11:49:49 +02:00
Stefan Eissing
c5d0e93879
HTTP3.md: update quiche build
Fixes #22105
Reported-by: av223119 on github
Closes #22109
2026-06-22 10:15:27 +02:00
Stefan Eissing
d638eac189
libssh2: code and infof/trace cleanups
Give the libssh2 infof() messages a common format, add/clarify some to
make the connect/authentication flow more clear.

Closes #22101
2026-06-22 10:12:25 +02:00
Daniel Stenberg
ab779d4e4a
doh: stricter HTTPS RNAME parsing
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.

Verified in test 1658

Reported-by: netspacer.research
Closes #22124
2026-06-22 09:53:14 +02:00
Daniel Stenberg
e8e3af2abb
doh: cap the maximum TTL to 24 hours
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.

Verify in test 1650

Reported-by: netspacer.research
Closes #22122
2026-06-22 09:12:55 +02:00
Stefan Eissing
8ed285f06d
websockets: buffer ugprade data at connection level
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.

Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.

Fixes #22107
Reported-by: sideshowbarker on github
Closes #22111
2026-06-22 08:54:50 +02:00
Michael Kaufmann
810d9535e1
proxy: fix automatic tunnel mode with "connect to host"
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.

Follow-up to 73daec6

Closes #22110
2026-06-22 08:53:31 +02:00
Daniel Stenberg
cb7efe1c35
cd2nroff: handle TLS together with other protocols
To render CURLOPT_KEYPASSWD properly

Closes #22123
2026-06-22 08:09:08 +02:00
Daniel Stenberg
0d6e5944bc
setopt: make CURLOPT_KEYPASSWD work for SSH-only builds
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds

Mention this in the man page as well.

Follow-up to 52fa8d9
Pointed out by Codex Security
Closes #22121
2026-06-22 00:28:28 +02:00
Viktor Szakats
372401f969
INSTALL-CMAKE.md: document CMake environment variables
Closes #22114
2026-06-20 10:04:16 +02:00
Daniel Stenberg
52fa8d994d
setopt: refactor setopt_cptr into smaller helper functions
This takes down the longest function to sub 500 lines

Closes #22095
2026-06-19 23:43:24 +02:00
Viktor Szakats
acdeb7f50b
KNOWN_BUGS.md: drop outdated CMake issues
- "cmake outputs: no version information available"
  Ref: #11158

  Seems to be about missing support for autotools `--enable-versioned-symbols`.
  This was implemented for CMake in:
  14d4712db7 #17039
  7100c5bc9b #14818
  7b14449790 #14378

- "generated `.pc` file contains strange entries"
  Ref: #6167

  Fixed in:
  9f56bb608e #14681

- "CMake build with MIT Kerberos does not work"
  Ref: #6904

  The FindGSS module responsible for MIT Kerberos detection has seen 50
  updates since this report. In the last years I made many local tests
  with it, and it's also extensively CI-tested since (including Windows
  for a 1-year period), with no known issues.

If you see problems remaining, let us know in a new issue.

Closes #22108
2026-06-19 18:25:54 +02:00
renovate[bot]
94962a9b82
GHA: update dependency cloudflare/quiche to v0.29.2
Closes #22106
2026-06-19 15:26:18 +02:00
Viktor Szakats
93e2341e87
vquic: fix -Wunused-parameter with proxies disabled
Fixing:
```
lib/vquic/vquic.c:864:56: error: unused parameter 'conn' [-Werror,-Wunused-parameter]
  864 |                              const struct connectdata *conn,
      |                                                        ^
```

Closes #22104
2026-06-19 14:46:54 +02:00
Viktor Szakats
04305a3e40
runtests: drop orphaned, no-op -k option
And the corresponding internal variable.

This option became the always-enabled default earlier, via #4035.

Reported-by: Zartaj Majeed
Ref: #22098
Follow-up to 6617db6a7e #4035

Closes #22100
2026-06-19 14:46:49 +02:00
Viktor Szakats
2a993e2a4a
GHA: re-sync Linux CMake triplet with autotools builds
Follow-up to 8f5e4f020e #22097
2026-06-19 01:09:53 +02:00
Viktor Szakats
8f5e4f020e
GHA: fix Linux triplet passed to CMAKE_C_COMPILER_TARGET
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.

Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu   CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae   && :
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66

Follow-up to 36bd807475 #15242
Follow-up to 232302f88a #14382
Cherry-picked from #22092

Closes #22097
2026-06-19 00:53:04 +02:00
Viktor Szakats
139ce4d37c
GHA: separate pytype from other checkers and pips
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.

Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.

Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092

Closes #22096
2026-06-19 00:14:18 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00
Viktor Szakats
e44f1a1446
smb: constify strchr() result variable
Fixing (as seen with gcc-15 on Ubuntu 26.04):
```
lib/smb.c: In function 'smb_connect':
lib/smb.c:491:9: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  491 |   slash = strchr(user, '/');
      |         ^
lib/smb.c:493:11: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  493 |     slash = strchr(user, '\\');
      |           ^
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462418?pr=22092

Follow-up to 4e5908306a #20428
Follow-up to 7dc60bdb90 #20425
Follow-up to 0e2507a3c6 #20421

Cherry-picked from #22092

Closes #22094
2026-06-18 21:12:17 +02:00
Viktor Szakats
950a30d762
GHA/http3-linux: bump to ubuntu-26.04
Before: https://github.com/curl/curl/actions/runs/27772068909
After: https://github.com/curl/curl/actions/runs/27772321661?pr=22089

Closes #22089
2026-06-18 19:27:15 +02:00
Viktor Szakats
c972583f6c
MANUAL.md: update apt-key example
To use `tee` instead, due to `apt-key` being deprecated, and missing
from recent distros.

Also lowercase `stdin` to match rest of the file.

Ref: https://documentation.ubuntu.com/release-notes/26.04/summary-for-lts-users/#package-management-apt-3

Follow-up to b13e9066b3 #16127
Follow-up to 54130a6cad #10170

Closes #22090
2026-06-18 19:26:19 +02:00
Viktor Szakats
adb4edd177
GHA: bump analyzer/sanitizer jobs to clang-22, and ubuntu-26.04
On Linux, and Windows cross-builds.

clang-tidy jobs look significantly faster. Other jobs remain around the
same (this feels nice after seeing the significant slowdowns in
Windows-2025, FreeBSD 15.)

Before: https://github.com/curl/curl/actions/runs/27770630688
After: https://github.com/curl/curl/actions/runs/27770913426?pr=22086

gcc-analyzer also got faster:
Before: https://github.com/curl/curl/actions/runs/27758865007/job/82127670883
After: https://github.com/curl/curl/actions/runs/27768696084/job/82162385765

Also:
- work around actionlint 1.7.12 not yet being aware of ubuntu-26.04:
  ```
  windows.yml:770:14: label "ubuntu-26.04" is unknown. available labels are [...]
  ```
  Ref: https://github.com/curl/curl/actions/runs/27769065782/job/82163700294#step:6:13
  Ref: https://github.com/rhysd/actionlint/issues/682
  Ref: https://github.com/rhysd/actionlint/pull/683

Follow-up to 5a2af800de #22084

Closes #22086
2026-06-18 17:54:10 +02:00
Daniel Stenberg
595d052923
curl_multi_assign.md: clarify lifetime
Closes #22088
2026-06-18 17:47:33 +02:00
Viktor Szakats
39628c5084
openssl: do not mix OpenSSL int result with CURLcode variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
 3538 |     result = SSL_ech_set1_server_names(octx->ssl,
      |            ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3539 |                                        peer->origin->hostname, outername,
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3540 |                                        0 /* do send outer */);
      |                                        ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43

Cherry-picked from #22086

Closes #22087
2026-06-18 17:30:56 +02:00
Daniel Stenberg
b71d3d9aea
CURLMOPT_SOCKETFUNCTION.md: this sends *all* file descriptors
Since libcurl has more than just the main tranfer sockets to worry
about.

Closes #22081
2026-06-18 17:06:45 +02:00
Viktor Szakats
5a2af800de
GHA/linux: bump analyzer job to gcc-16, and ubuntu-26.04
To fix false positive gcc analyzer warning
`-Wanalyzer-deref-before-check`, seen with gcc-15 and lower.

Also bump its pair job.

Tests with #22082 applied:
gcc-13: https://github.com/curl/curl/actions/runs/27761999978/job/82138558662 (warning)
gcc-15: https://github.com/curl/curl/actions/runs/27767571050/job/82158465527 (warning)
gcc-16: https://github.com/curl/curl/actions/runs/27767332723/job/82157636394 (OK)

Ref: #22082
Fixes #22083

Closes #22084
2026-06-18 17:01:02 +02:00
alhudz
2f8fb98c5f
pingpong: reject nul byte in server response line
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.

Closes #21996
2026-06-18 14:17:27 +02:00
Daniel Stenberg
a7e35c9194
docs/VERIFY: expand with more things we do
Closes #22080
2026-06-18 12:55:22 +02:00
Viktor Szakats
2d70c815e4
GHA/linux: use default GCC compiler, drop CC/CXX envs
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.

Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.

Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)

Follow-up to 6079ff314b #22075
Follow-up to a8174176b5 #13841

Closes #22077
2026-06-18 10:56:12 +02:00
Viktor Szakats
6079ff314b
GHA/http3-linux: simplify setting CC/CXX envs
Replace `GITHUB_ENV` method by defining these envs at workflow-level.

Follow-up to a8174176b5 #13841

Closes #22075
2026-06-18 10:42:17 +02:00
Viktor Szakats
af94731a43
GHA/linux: drop arm runner home attribute workaround (fixed upstream)
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.

now:
```
$ ls -l /home  # on arm
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner

$ ls -l /home  # on intel
drwxr-x---  11 runner runner 4096 Jun 18 08:19 runner
```

Follow-up to 2b0d8dcc16 #20231

Closes #22076
2026-06-18 10:42:17 +02:00
Stefan Eissing
f0be417635
multi: xfers_really_alive
Yes, we were counting the "live" transfers before, but were they
*really* alive?

When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.

For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.

The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.

Add two fields in multi and easy handle:

* `multi->xfers_really_alive`: counts the "alive" transfers that have
  passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted

Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.

Fixes #22050
Reported-by: Bryan Henderson
Closes #22066
2026-06-18 10:31:40 +02:00
Daniel Stenberg
abad1c9e48
RELEASE-PROCEDURE.md: update coming relese dates
Adjusted for the summer of bliss 2026
2026-06-18 08:31:39 +02:00
alhudz
4a86af9940
cookie: reject control octets in file-loaded cookies
Verified by test 2311

Closes #22070
2026-06-18 08:04:24 +02:00
Yedaya Katsman
9ccc80b192
url: don't log bits.close state
This doesn't seem useful to users, and there doesn't seem to be a
scenario where bits.close is set to 1 during this logging anyway.

Closes #22073
2026-06-18 08:03:43 +02:00
Viktor Szakats
e136694525
cmake/FindGSS: drop CMake <3.16 compatibility logic
Redundant since bumping minimum to 3.18.

Follow-up to 89043ba906 #20407
Follow-up to 1f11224232 #18950

Closes #22072
2026-06-17 18:38:46 +02:00
Viktor Szakats
6db0ba2a38
cmake/FindGSS: drop "MIT Unknown" version value, related tidy ups
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).

Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
  of returning "unknown", which was not true and also not done by other
  Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
  guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.

Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```

Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16d

Closes #22071
2026-06-17 18:04:44 +02:00