Also put the version number in quotes to avoid GHA altering the number
into `0.68` (without rightmost zero) and ending up storing that in the
`FIL_C_VERSION` env.
Hopefully Renovate will honor this on future bumps.
Do the same for the rest of `x.y` format version numbers.
Fixing:
```
env:
[...]
FIL_C_VERSION: 0.68
```
Ref: https://github.com/curl/curl/actions/runs/28006009260/job/82920767558?pr=22142#step:5:16Fixes#22142Closes#22143
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.
Reported-by: netspacer.research
Follow-up to 1ebd92d0fd#16384Closes#22133
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.
Verified in test 1658
Reported-by: netspacer.research
Closes#22124
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.
Verify in test 1650
Reported-by: netspacer.research
Closes#22122
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.
Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.
Fixes#22107
Reported-by: sideshowbarker on github
Closes#22111
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.
Follow-up to 73daec6Closes#22110
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds
Mention this in the man page as well.
Follow-up to 52fa8d9
Pointed out by Codex Security
Closes#22121
- "cmake outputs: no version information available"
Ref: #11158
Seems to be about missing support for autotools `--enable-versioned-symbols`.
This was implemented for CMake in:
14d4712db7#170397100c5bc9b#148187b14449790#14378
- "generated `.pc` file contains strange entries"
Ref: #6167
Fixed in:
9f56bb608e#14681
- "CMake build with MIT Kerberos does not work"
Ref: #6904
The FindGSS module responsible for MIT Kerberos detection has seen 50
updates since this report. In the last years I made many local tests
with it, and it's also extensively CI-tested since (including Windows
for a 1-year period), with no known issues.
If you see problems remaining, let us know in a new issue.
Closes#22108
And the corresponding internal variable.
This option became the always-enabled default earlier, via #4035.
Reported-by: Zartaj Majeed
Ref: #22098
Follow-up to 6617db6a7e#4035Closes#22100
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.
Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae && :
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
/usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66
Follow-up to 36bd807475#15242
Follow-up to 232302f88a#14382
Cherry-picked from #22092Closes#22097
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.
Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.
Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092Closes#22096
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.
Extended test 2311 to cover it.
Closes#22085
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
3538 | result = SSL_ech_set1_server_names(octx->ssl,
| ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3539 | peer->origin->hostname, outername,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3540 | 0 /* do send outer */);
| ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43
Cherry-picked from #22086Closes#22087
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Closes#21996
At the time of the original commit, the runner was ubuntu-22.04 with
a default GCC 11. It made sense to bump to 12 manually. Since 2025,
the default is ubuntu-24.04 with GCC 13, when this became a downgrade.
Drop manual envs and bump to GCC 13 with it. Other options available are
14, 15 and 16.
Refs:
https://packages.ubuntu.com/jammy/gcc (ubuntu-22.04)
https://packages.ubuntu.com/noble/gcc (ubuntu-24.04)
Follow-up to 6079ff314b#22075
Follow-up to a8174176b5#13841Closes#22077
Issue had been fixed in the ubuntu-24.04-arm runner image upstream.
now:
```
$ ls -l /home # on arm
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
$ ls -l /home # on intel
drwxr-x--- 11 runner runner 4096 Jun 18 08:19 runner
```
Follow-up to 2b0d8dcc16#20231Closes#22076
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Fixes#22050
Reported-by: Bryan Henderson
Closes#22066
After this patch the `GSS_VERSION` value is left empty in all cases when
there is known version number (potentially on Windows).
Also:
- sync `GSS_FOUND` comment with other Find modules.
- sync `GSS_VERSION` comment with other Find modules, drop the promise
of returning "unknown", which was not true and also not done by other
Find modules.
- tidy up Windows-registry-based MIT `GSS_VERSION` detection, by
guarding the whole block for `WIN32`.
- drop fallback version value `MIT Unknown` used for MIT.
- fix vertical alignment in comment block.
Changing CMake log output like so (in affected config):
```
-- Found GSS: MIT (found version "MIT Unknown")
```
->
```
-- Found GSS: MIT
```
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/22052#discussion_r3429273238
Follow-up to 558814e16dCloses#22071