Commit graph

36756 commits

Author SHA1 Message Date
Daniel Stenberg
a6eaa67c55
mbedtls: fix potential use of uninitialized nread
When Curl_conn_cf_recv() returns error, the variable might not be
assigned and the tracing output may (harmlessly) use it uninitialized.

Also add a comment about the typecast from size_t to int being fine.

Pointed out by ZeroPath

Closes #19393
2025-11-07 11:09:51 +01:00
Daniel Stenberg
684af00181
setopt: when setting bad protocols, don't store them
Both CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR would
previously return error on bad input but would wrongly still store and
keep the partial (unacceptable) result in the handle.

Closes #19389
2025-11-07 08:15:42 +01:00
Daniel Stenberg
8e93a74a73
tool_paramhlp: refuse --proto remove all protocols
curl is for transfers so disabling all protocols has to be a mistake.
Previously it would allow this to get set (even if curl_easy_setopt()
returns an error for it) and then let libcurl return error instead.

Updated 1474 accordingly.

Closes #19388
2025-11-06 23:42:47 +01:00
Viktor Szakats
e108778db3
GHA/macos: replace deleted gcc-12 with gcc-13/gcc-14
GitHub dropped gcc-12 for the remaining two macos runner images.
Replace it with gcc-13 in normal jobs, and gcc-14 in combination jobs.

Ref: f7e2c3f34b
Ref: https://github.com/actions/runner-images/pull/13249

Ref: 1c1351b635
Ref: https://github.com/actions/runner-images/pull/13253

Closes #19387
2025-11-06 22:18:27 +01:00
Viktor Szakats
904e7ecb66
tests: replace remaining CR bytes with the new macro %CR
There is no more mixed-newline file in the repository after this patch.
Except for`.bat` and `.sln` files (4 in total), all files use LF
newlines.

Also:
- `spacecheck.pl`: drop mixed-EOL exception for test data.
- runtests: add option `-w` to check if test data has stray CR bytes in
  them.
- build: enable the option above in test targets, except the CI-specific
  one where `spacecheck.pl` does this job already.
- tested OK (with expected failures) in CI with stray CRs added.
- cmake: enable option `-a` for the `tests` target. To continue testing
  after a failed test.

Follow-up to 63e9721b63 #19313
Follow-up to 6cf3d7b1b1 #19318
Follow-up to 4d2a05d3fe #19284

Closes #19347
2025-11-06 20:45:45 +01:00
Juliusz Sosinowicz
672886f734
wolfSSL: able to differentiate between IP and DNS in alt names
Fix implemented in https://github.com/wolfSSL/wolfssl/pull/9380

Closes #19364
2025-11-06 15:45:02 +01:00
x2018
69622ff37d
tool_help: add checks to avoid unsigned wrap around
Closes #19377
2025-11-06 15:37:53 +01:00
Stefan Eissing
f12a81de4f
curl: fix progress meter in parallel mode
With `check_finished()` triggered by notifications now, the
`progress_meter()` was no longer called at regular intervals.

Move `progress_meter()` out of `check_finished()` into the perform loop
and event callbacks.

Closes #19383
2025-11-06 13:37:57 +01:00
Viktor Szakats
9825a3b708
cmake: disable CURL_CA_PATH auto-detection if USE_APPLE_SECTRUST=ON
Syncing behavior with `CURL_CA_BUNDLE` and autotools.

`/etc/ssl/certs` is empty by default on macOS systems, thus no likely
auto-detection finds something there.

Follow-up to eefd03c572 #18703

Closes #19380
2025-11-06 11:42:34 +01:00
Viktor Szakats
ede6a8e087
conncache: silence -Wnull-dereference on gcc 14 RISC-V 64
A false positive that appeared after a recent patch for no reason.

Seen in curl-for-win unity native Linux builds on debian:testing and
debian:trixie with gcc 14.3.0 and 14.2.0 respectively:
```
-- curl version=[8.17.1-DEV]
-- The C compiler identification is GNU 14.2.0
-- Cross-compiling: Linux/x86_64 -> Linux/riscv64
[...]
lib/conncache.c: In function 'Curl_cpool_conn_now_idle':
lib/conncache.c:539:11: error: null pointer dereference [-Werror=null-dereference]
  539 |   if(!data->multi->maxconnects) {
      |       ~~~~^~~~~~~
```
Ref: https://github.com/curl/curl-for-win/actions/runs/19111497271/job/54609512969#step:3:5788

```
-- The C compiler identification is GNU 14.3.0
```
Ref: https://github.com/curl/curl-for-win/actions/runs/19111497271/job/54609512899#step:3:5801

Patch confirmed silencing:
https://github.com/curl/curl-for-win/actions/runs/19112580362/job/54613288202

Follow-up to fbc4d59151 #19271

Closes #19378
2025-11-06 11:42:34 +01:00
Viktor Szakats
8e6149598b
gnutls: report accurate error when TLS-SRP is not built-in
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds.
It's also disabled by default in these GnuTLS versions.

When using TLS-SRP without it being available in GnuTLS, report
the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory
error reported before this patch.

Also add comments to autotools and cmake scripts about this feature
detection property.

Detecting it at build-time would need to run code which doesn't work
in cross-builds. Once curl requires 3.8.0 as minimum, the build-time
checks can be deleted.

```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```

Ref: dab063fca2
Ref: a21e89edac

Closes #19365
2025-11-06 11:42:34 +01:00
Daniel Stenberg
66a66c596b
tool_operate: remove redundant condition
And avoid an early return.

Pointed out by CodeSonar

Closes #19381
2025-11-06 11:39:52 +01:00
Daniel Stenberg
56129718b8
tool_ipfs: check return codes better
Closes #19382
2025-11-06 11:38:54 +01:00
Viktor Szakats
58023ba522
docs: fix checksrc EQUALSPACE warnings
```
docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.md:86:16
docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.md:139:16
```

Also sync `CURL *` and result variable names with rest of docs.

Follow-up to 6d7e924e80 #19375

Closes #19379
2025-11-06 00:04:15 +01:00
Daniel Stenberg
d7d4de07c2
tests/Makefile.am: fix 'checksrc' target
Skip the http and client subdirs as they contain no code to check. The
http clients are in libtests/ now.

Closes #19376
2025-11-05 23:13:55 +01:00
Dan Fandrich
e6e1899b6e tests: Add tests to validate that path is ignored with -J
curl is correctly dropping the Content-Disposition: filename path, but
there was no test ensuring that.

Ref: https://hackerone.com/reports/3408126
2025-11-05 11:03:35 -08:00
Viktor Szakats
60dd72b1be
GHA/checksrc: add actionlint, fix or silence issues found
It also does shellcheck on `run:` elements, overlapping with
the homegrown `shellcheck-ci.sh` with the same purpose. But it also does
more and perhaps could replace the script too, especially in curl
sub-repos.

Also:
- GHA/macos: delete potentially useful, but commented, and ultimately
  unused, non-default Xcode-testing logic. It's causing unused matrix
  exceptions, upsetting actionlint.

Ref: https://github.com/rhysd/actionlint

Closes #19373
2025-11-05 15:59:43 +01:00
Viktor Szakats
403a2c2b06
tests: shorten space and tab macro names
Easier to write and read.

Follow-up to d29f14b9cf #19300

Closes #19349
2025-11-05 15:59:43 +01:00
renovate[bot]
87f448ed52
Dockerfile: update debian:bookworm-slim digest to 936abff
Closes #19348
2025-11-05 15:24:21 +01:00
Daniel Stenberg
6d7e924e80
checksrc.pl: detect assign followed by more than one space
And fix some code previously doing this.

Closes #19375
2025-11-05 15:18:28 +01:00
Daniel Stenberg
c12a1fdd0e
tests: remove trailing spaces in server responses
Allows us to drop lots of %spc% from test cases making them easier on
the eye.

Closes #19374
2025-11-05 15:17:29 +01:00
Daniel Stenberg
a8bef39036
openssl: remove code handling default version
Since it is no longer actually kept as default internally, that's just
dead code.

Follow-up to 9d8998c994
Closes #19354
2025-11-05 14:14:58 +01:00
Daniel Stenberg
33e7745eef
RELEASE-NOTES: synced
bumped to 8.17.1 for now

fixed typo in THANKS-filter
2025-11-05 14:12:23 +01:00
x2018
2db36f11b8
gtls: add return checks and optimize the code
This commit does the following things:

1. Update the description of gtls_init()

2. In gtls_client_init(), check the invaild SSLVERSION at first. Note
   that this part refactors the duplicate/incompatible checks and removes
   the useless local variable `sni`.

3. Check the return value of gnutls_ocsp_resp_init(). Although the
   original code is safe because gnutls_ocsp_resp_import() will check
   the validity of `ocsp_resp`, it is better to catch the error in time
   and record the proper message to output log.

Closes #19366
2025-11-05 14:09:34 +01:00
x2018
dd71f61ea2
lib: cleanup for some typos about spaces and code style
Closes #19370
2025-11-05 14:07:28 +01:00
Thomas Klausner
2e770b33e8
m4/sectrust: fix test(1) operator
'=' is the operator defined by POSIX, only bash supports '=='

Closes #19371
2025-11-05 12:47:16 +01:00
Viktor Szakats
8d00e28136
GHA/non-native: revert to OpenBSD 7.7 due to test hangs with 7.8
test 701 (SOCKS5) and 708 (SOCKS4) started hanging occasionally, and
most likely others too.

https://github.com/curl/curl/actions/runs/19081279902/job/54510279013 (701 hangs) https://github.com/curl/curl/actions/runs/19095657593/job/54555001348?pr=19370 (708 hangs)
https://github.com/curl/curl/actions/runs/19097996671/job/54562669865?pr=19371 (unknown test hangs)

Reverts c3b890b2c0 #19368

Closes #19372
2025-11-05 11:50:13 +01:00
Viktor Szakats
a39ff61a7b
GHA/windows: switch a dl-mingw job to skeeto/w64devkit gcc 15.1.0
To add another, so far untested standalone toolchain variant to the mix.
This distro is a fairly compact, GCC mingw-w64.

Replacing an existing 15.0.1 snapshot toolchain build job.

Ref: https://github.com/skeeto/w64devkit/releases

Closes #19369
2025-11-05 11:50:13 +01:00
Daniel Stenberg
400fffa90f
RELEASE-NOTES: synced
version 8.17.0 relese
2025-11-05 08:00:05 +01:00
Daniel Stenberg
6687379389
VERSIONS: 8.18.0 is now pending 2025-11-05 08:00:05 +01:00
Daniel Stenberg
7872ec968f
THANKS: add contributors from 8.17.0 2025-11-05 07:57:28 +01:00
Viktor Szakats
c3b890b2c0
GHA/non-native: bump to OpenBSD 7.8
Follow-up to e5cc5640b3 #19367

Closes #19368
2025-11-04 23:30:58 +01:00
renovate[bot]
e5cc5640b3
GHA: update cross-platform-actions/action action to v0.30.0
Closes #19367
2025-11-04 21:00:35 +01:00
x2018
8d4530537a
gtls: check the return value of gnutls_pubkey_init()
Closes #19362
2025-11-04 17:00:52 +01:00
Viktor Szakats
3806fd914b
cmake: fix HAVE_GNUTLS_SRP detection after adding local FindGnuTLS module
When GnuTLS is detected via pkg-config on a non-default path, e.g. with
Homebrew arm64 (`/opt/homebrew/`).

This was a regression from a commit made in this release cycle.

The Find module doesn't return an absolute path to the detected library
(as the former solution did), but a bare libname and a libpath. We thus
need to explicitly use the libpath while detecting a feature in GnuTLS
found this way. Syncing this with other dependencies.

Follow-up to 1966c86d71 #19163

Closes #19360
2025-11-04 16:41:34 +01:00
Daniel Stenberg
775add6e90
HISTORY: extend
With recent events and some more in the past

Closes #19361
2025-11-04 16:25:28 +01:00
Samuel Henrique
913c1f28c9
wcurl: import v2025.11.04
Closes #19353
2025-11-04 14:15:46 +01:00
x2018
11683f121d
tool_ipfs: check the return value of curl_url_get for gwpath
Closes #19358
2025-11-04 14:13:00 +01:00
Daniel Stenberg
0783ef2348
tests: remove most user-agent filters
Use the %VERSION instead. The user-agent stripping was introduced at the
time before we had %VERSION (introduced in e6b21d4). The tests would
then remove the user-agent header to make them possible to be compared
in a version independent way.

Fixes #19355
Reported-by: Stefan Eissing
Closes #19356
2025-11-04 13:05:11 +01:00
Daniel Stenberg
70a11c6f06
CURLOPT_COPYPOSTFIELDS.md: used with MQTT and RTSP as well
Follow-up to 5ec87346a9

Closes #19351
2025-11-04 09:08:16 +01:00
Daniel Stenberg
f8e7b1377b
BINDINGS: change dead link to archive.org version
The Hollywood binding host name www.hollywood-mal.com does not seem to
work anymore.

Closes #19352
2025-11-04 09:07:41 +01:00
Daniel Stenberg
e5299a1b87
README.md: use the first paragraph from the man page
Which also mentions all protocols

Closes #19335
2025-11-03 23:13:26 +01:00
Daniel Stenberg
5ec87346a9
CURLOPT_POSTFIELDSIZE*: these also work for MQTT and RTSP
Closes #19346
2025-11-03 22:29:28 +01:00
Joshua Rogers
feab390124
rtsp: use explicit postfieldsize if specified
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Closes #19345
2025-11-03 22:27:16 +01:00
Viktor Szakats
63e9721b63
tests: avoid hard-coded CRLFs in more sections
- `reply/data*`, `verify/stdout`, `verify/stderr`, `verify/file*`,
  `verify/proxy`:
  - make `crlf="yes"` force CRLF to all lines, instead of just applying
    to HTTP protocol headers.
  - add support for `crlf="headers"` that only converts HTTP protocol
    header lines to CRLF. (previously done via `crlf="yes"`.)
  - use `crlf="headers"` where possible.

- `reply/connect*`:
  - add support for `crlf="yes"` and `crlf="headers"`.
  - use them where possible.

- `client/file*`, `client/stdin`:
  - add support for `crlf="yes"`.
  - use it where possible.

- `reply/data*`, `verify/protocol`:
  - replace existing uses of `crlf="yes"` with `crlf="headers`" where it
    does not change the result.

Reducing the number of `tests/data/test*`:
- CRLF newlines from 10295 to 1985. (119985 lines total)
- files with mixed newlines from 656 to 113. (1890 files total)

After this patch there remain 141 sections with mixed newlines, where
the mixing is not split between headers/non-headers. There is no obvious
pattern here. Some of the CRLF uses might be accidental, or
non-significant. They will be tackled in a future patch.

Follow-up to 6cf3d7b1b1 #19318
Follow-up to 4d2a05d3fe #19284

Closes #19313
2025-11-03 21:15:12 +01:00
x2018
6adefe8ad0
multi: check the return value of strdup()
Closes #19344
2025-11-03 20:19:36 +01:00
x2018
231f0a2eec
http: check the return value of strdup
Closes #19343
2025-11-03 20:17:41 +01:00
Joshua Rogers
0d5e24281d
vtls: check final cfilter node in find_ssl_filter
find_ssl_filter used while(cf && cf->next) and skipped the last node.
If the SSL filter was last, channel binding lookup failed and we returned
CURLE_BAD_FUNCTION_ARGUMENT. Switch to while(cf) so the tail is examined.

This bug was found with ZeroPath.

Closes #19229
2025-11-03 18:21:57 +01:00
Devdatta Talele
8616e5aada
gssapi: make channel binding conditional on GSS_C_CHANNEL_BOUND_FLAG
Fixes #19109 - GSSAPI authentication fails on macOS with Apple's Heimdal
implementation which lacks GSS_C_CHANNEL_BOUND_FLAG support for TLS
channel binding.

Commit 0a5ea09a91 introduced TLS channel binding for SPNEGO/GSSAPI
authentication unconditionally, but Apple's Heimdal fork (used on macOS)
does not support this feature, causing "unsupported mechanism" errors
when authenticating to corporate HTTP services with Kerberos.

Solution:
- Add CURL_GSSAPI_HAS_CHANNEL_BINDING detection in curl_gssapi.h based
  on GSS_C_CHANNEL_BOUND_FLAG presence (MIT Kerberos >= 1.19)
- Make negotiatedata.channel_binding_data field conditional in vauth.h
- Guard channel binding collection/cleanup in http_negotiate.c
- Guard channel binding usage in spnego_gssapi.c

This follows the same pattern as GSS_C_DELEG_POLICY_FLAG detection and
ensures graceful degradation when channel binding is unavailable while
maintaining full support for implementations that have it.

Changes:
- lib/curl_gssapi.h: Add feature detection macro
- lib/vauth/vauth.h: Make struct field conditional
- lib/http_negotiate.c: Conditional init/cleanup (2 locations)
- lib/vauth/spnego_gssapi.c: Conditional channel binding usage

Tested on macOS with Apple Heimdal (no channel binding) and Linux with
MIT Kerberos (with channel binding). Both configurations authenticate
successfully without errors.

Closes #19164
2025-11-03 18:16:54 +01:00
Stefan Eissing
cccc65f051
openssl: check CURL_SSLVERSION_MAX_DEFAULT properly
The definition of these constants does not give a numeric ordering
and MAX_DEFAULT needs to be checked in addition of ciphers and QUIC
checks to apply correctly.

Fixes #19340
Reported-by: Peter Piekarski
Closes #19341
2025-11-03 16:31:22 +01:00