A previous refactor of cookie logic changed Curl_cookie_getlist to no
longer return a list of copied cookies, but instead return a linked list
pointing to existing cookies. The returned linked list is accessed
outside of the scope of the cookie share lock in http_cookies, which
leads to issues if the shared cookie list is modified at the same time.
This is the relevant commit: be39ed1Closes#18457
If a string argument is expected and the first two bytes are 0xe2 ex80
and the third has the 7th bit set, that's enough for curl to warn.
Previously we tried to detect and warn only for the unicode double
quote, but users might use single quotes, other quotes or even lead the
argument with one of the "zero widths" characters. This is an attempt to
detect many of those. Without triggering for "normal" IDN hostnames.
Closes#18459
- Fix generate.bat "-clean" option.
- Change version template substitutes to match old files, eg go back to
using format version "11.00" instead of "11.0".
- Limit the vcxproj filters file types that are filtered to c, h, rc.
- Get rid of the tmpl extension from template files and add a README
to the tmpl directory explaining the purpose of the files.
- gitignore VCxx directories entirely rather than individual file types.
- Do not remove the VC directories during clean, instead remove just the
generated project files.
Removing the VC directories has the unwanted behavior of removing files
other than those generated. Visual Studio will generate its own
preference files (like if you have some debug arguments in your .suo)
and those files sit in the VC directories. We ignore those files since
they are the user's files and should not be deleted. Also the user may
have their own untracked files that we shouldn't be deleting.
Follow-up to 57d349fe which consolidated the project templates.
Assisted-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/18412
By returning error separately on parse errors and avoiding magic
numbers, this function can now return 0 or -1 as proper dates when such
a date string is provided.
Closes#18445
Split out adding of individual request headers into a switch. Check
the connection http version only on fresh connections, use separate
methods.
Add TE: header directly without allocation. Add bit for indicating
Connection: header has been added and custom headers should not do
that again.
Closes#18444
The libcurl API for CURLINFO_FILETIME_T clearly says it contains -1 if
not set. Everything else is a valid time stamp so use that.
Follow-up to 54f1ef05d6Closes#18446
test_10_08, uploading larger files for a h2 proxy, sporadically fails
with a decrpytion error on received data in AWS-LC. The frequency can
be increased by simulated network receive blocks.
Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its
default buffer size seems to mitigate this problem.
Closes#18434
Instead of checking it runtime. CodeSonar pointed out that if it
actually CAN legitimately be NULL here, then we need to do more checks
for it...
Closes#18440
This allows --remote-time to set dates before 1970.
Due to a minor omission in the API, it will still avoid setting the time
if it is indeed exactly epoch 0 (jan 1 1970).
Verified by test 762
Fixes#18424
Reported-by: Terence Eden
Closes#18443
- using {} with single entries makes little sense
- when using {} sets with two entry lists, there can only be 64 to reach
maximum number of URLs
Verify the max check in test 761
Default timeout is hardcoded (10 seconds) and doesn't respect
--connect-timeout parameter. In some cases 10 seconds can be not enough
or too long to "establish a connection". Moreover the non-working
--connect-timeout parameter for http3 is confusing. This change makes
the handshake timeout equal to --connect-timeout, if it's set.
Discussion is here https://github.com/curl/curl/discussions/18427Closes#18431
Perl got bumped from 5.38.4 to 5.40.3. The new version crashes when
loading the `Win32::Process*` modules built and cached in CI. The build
job uses Perl 5.38.4.
To avoid the crash, include the Perl version (hashed) in the cache key,
so that it's only loaded when the Perl version matches.
This solution is imperfect, because some of the jobs will not use the
Perl modules in transition periods, when different jobs use different
Perl versions. Anyway, can't think of a better one for now. Another
option is to drop the effort with these modules. After all they did not
help with crashes and hangs, nor with performance. While adding quite
a bit of CI complexity.
Also:
- test early if the modules load and log the result.
Follow-up to 52775a7fb4#18296Closes#18425
It's causing false-positives with clang-tidy v21, in cases in system
headers (seen in `FD_ISSET()` with macOS SDK). In some cases in
tests/server, there was no distinct source line that was triggering it.
Example:
```
/Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.5.sdk/usr/include/sys/_types/_fd_def.h:83:10: error: Potential out of bound access to 'fds_read.fds_bits' with tainted index [clang-analyzer-security.ArrayBound,-warnings-as-errors]
83 | return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)));
| ^
[...]
/Users/runner/work/curl/curl/tests/server/socksd.c:679:5: note: Taking false branch
679 | if(rc < 0) {
| ^
```
Closes#18422
- add Curl_secure_context(), to have it determined in a single place.
- tweak the Curl_cookie_getlist() proto. Move some logic into the
function - at is only called in a single place. Instead of forcing the
caller to do it.
- make 'is_ip' a const
Closes#18419
Write out 9-length frames to client's WRITEFUNCTION
Read 0-length frames from READFUNCTION *if* the function
started a new frame via `curl_ws_start_frame()`.
Fixes#18286Closes#18332
Reported-by: Andriy Druk
Applied the same workaround to the build examples as used earlier in CI.
That is, drop `<path> from `--with-ngtcp2=<path>` and configure env
`PKG_CONFIG_PATH` instead.
Till the root cause is fixed.
Ref: 99500660af#18028
Reported-by: Pavel Kropachev
Fixes#18188Closes#18415
- Move the schannel_recv renegotiation code to function
schannel_recv_renegotiate.
- Save the state of a pending renegotiation.
- Pre-empt schannel_recv and schannel_send to continue a pending
renegotation.
- Partially block during renegotiation if necessary.
Prior to this change, since a1850ad7 (precedes 8.13.0), schannel_recv
did not properly complete renegotiation before attempting to decrypt
data. In some cases that could cause an error SEC_E_CONTEXT_EXPIRED.
Most of the time though DecryptMessage would succeed by chance and
return SEC_I_RENEGOTIATE which allowed the renegotiation to continue.
Reported-by: stephannn@users.noreply.github.com
Reported-by: Dustin L. Howett
Fixes https://github.com/curl/curl/issues/18029
Closes https://github.com/curl/curl/pull/18125
- Avoid checking what's always true. The ftpcode pointer is always
passed in, so use it.
- Simplified an indent level somewhat
- Split out two functions from the state machine
Closes#18403
Every time we first run runtests with -j and then again *without* -j,
this message was shown:
"Warning: $runnerid: cleardir(log) failed"
Not anymore.
Closes#18404
This function returned error on MANY places, each with its own cleanup
sequence and by the look of it almost all of them were incomplete,
making them leak resources on errors.
This take now gotos to the error label where it cleans everything up
before returning error. This also simplifies the function a lot.
Closes#18315
If --trace-config is used to set a level before -v is used, don't reset
the state on first -v (to "-all") as it otherwise does. This way,
--trace-config can be used to set specific trace items before -v on the
command line and it still works.
Previously, the first -v use would otherwise reset and undo the earlier
--trace-config items.
Fixes#18346Closes#18361
The three projects (VC10, VC11, VC12) are identical except 5 repeated
strings in them. They also require running `generate.bat` before use,
to populate source files. Reduce the 3 almost identical projects to
a single template project and populate the repeated strings also via
`generate.bat`. This reduces the maintenance burden to a single copy of
the project files. Also saving 10000 LOCs.
Closes#18396
