As a follow-up to commits ca7ef4b817 ("BUG-BOUNTY.md: we stop the
bug-bounty end of Jan 2026", 2026-01-22) and ed7bf43a08 ("BUG-BOUNTY.md:
minor rephrase to say there is no bug bounty", 2026-03-10), remove a
leftover mention of the reward for vulnerability reports, that no longer
exists, in file `VULN-DISCLOSURE-POLICY.md`.
Fixes#21571
Reported-by: Alan De Smet
Closes#21574
Authorizdation credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials from from
* `refcount`: a reference counter to link/unkink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
See docs/internals/CREDENTIALS.md for use.
Closes#21548
This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Closes#21486
It no longer requires "a special build" of OpenSSL, just OpenSSL 4+.
Emphasize the experimental part a little clearer.
Drop the caveat for wolfSSL from the main description.
Closes#21536
`struct Curl_peer` keeps information about a communication endpoint
together. It will replace `conn->host` and `conn->conn_to_host` and
proxyinfo host. It will also become part of `struct ssl_peer`.
It has a reference counter, so an instance can be shared between
connections and filters.
Elminiates `conn->host` and `conn->connect_to_host`, used in the
proxyinfo structures. Passed to DNS resolution and socks filters, etc.
Pass peer to http proxy and socks tunnel filters. Use peer in dns filter
and resolving. Make `Curl_peer` a member in the `struct ssl_peer`.
Add `docs/internals/PEERS.md` for documentation.
Closes#21472
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
- prefer `--branch` over `-b`, where missing.
- add `--depth 1` where missing.
- sync option order between docs and GHA.
- bump quiche and rustls-ffi versions in documentation.
- ECH.md: update for OpenSSL 4.
Closes#21447
- always assign the curl_easy_perform() return code (and declare
the necessary 'result' variable for it)
- always call curl_easy_cleanup() on the created easy handles
Closes#21364
When a user supplies an IP address to use for the HAPROXY protocol,
the IP version reported must be deduced from the address and has
no relation to the IP version used for the upstream connection.
Add test3220 to verify.
Fixes#21340
Reported-by: Fiona Klute
Closes#21341
Support HTTPS records in dnsd that have ALPN preferences.
Add pytest test_22_* to verify that HTTPS record ALPN
preferencces take effect if the HTTPS resolve arrives in time.
Fix HTTPS eyeballing use of timeouts for second attempt. Also,
make an initial HTTP/1.1 attempt switch off HTTP/2.
Closes#21329
Add "Delay-A: ms", "Delay-AAAA: ms" and "Delay-HTTPS: ms" to the test
dnsd config and implement delayed response handling.
Add test_21_09 and test_21_10 to check that delayed responses connect
using the undelayed address family.
Closes#21299
- enable three checks:
- bugprone-invalid-enum-default-initialization
- bugprone-sizeof-expression
- readability-inconsistent-declaration-parameter-name (strict)
- fix remaining discrepancies with arg names in prototypes
and implementation, in strict mode.
- document reason for some checks tested but not enabled.
Closes#20794
- examples: sync debug output printf masks.
- INSTALL-CMAKE.md: tidy up section for some options.
- curl_sha512_256: delete comment suggesting an optimization.
- vtls/keylog: scope a variable.
- vtls/openssl: make a source code URL a permalink.
- vtls/schannel: drop redundant parentheses.
- test1119.pl: robustify `$1` -> `$s`.
- sync arg names in comments to match the code.
- tidy up and minor fixes to comments.
- fix formatting/indenting/comment/newline/include nits.
- move `UNITTEST` protos next to definitions, sync their argument names.
- make variables static.
- add parentheses to Perl `open()` calls.
- drop unnecessary double quotes in Perl.
- clang-format.
Closes#21000
- convert `#` comments to `dnl`, except copyright headers, and inline
comments in `curl-complilers.m4`.
- drop empty comments.
- drop line-ending `dnl` markers. (except `zz40-xc-ovr.m4` where it's
used to produce a comment in `configure`.)
- replace `dnl` line with C comment in `AC_CHECK_HEADERS()`.
Verified to produce the same `configure` script except empty lines,
`#` comments, and C comments, with autoreconf 2.72.
Cherry-picked from #21000Closes#21246
... unless it is a POST and the user explicitly asked to keep doing
POST.
Add test1983/1984: verify --follow with 303 and PUT + custom GET
Fixes#20715
Reported-by: Dan Arnfield
Closes#21280
Introduce a limit on the concurrent connect attempts of 6:
- document this in CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- close the oldest attempt before opening a new one that would
exceed the limit
- closing failed attempts early to avoid sockets use beyong their
usefulness
- add tests for limits in unit2600
These changes are externally visible as file descriptors will be
reassigned where we previously kept the old one around and started a
new socket, allocating always a new descriptor.
Closes#21252
via env `CURL_TEST_SSH_KEYALGO`, `rsa` (default), `ecdsa`, `ed25519`.
To ease debugging and testing and to make these code paths more
universal.
Closes#21223
Now the logic for handling name duplicates and picking the longest
expiry and strictest subdomain is the same for the callback as for when
reading from file.
Also strip trailing dots from the hostname added by the callback.
A minor side-effect is that the hostname provided by the callback can
now enable subdomains by starting the name with a dot, but we discourage
using such hostnames in documentation.
Amended test 1915 to verify.
Closes#21201
Up from 1K.
Reduces the risk that someone could flush the list by tricking a user to
do many transfers to new hostnames.
Document the limit.
Follow-up to 03a792b186Closes#21200
