Introduce `Curl_xfer_is_secure(data)` that returns TRUE for transfers
that happen(ed) over a end-to-end secured connection, e.g. SSL.
Add test1586 to verify behaviour for http: transfers via a https: proxy.
Reported-by: lg_oled77c5pua on hackerone
Closes#20951
When .curlrc is parsed successfully but the tool exits early before
parse_args() executes; the allocated path was not freed.
Spotted by Codex Security
Closes#20954
In curlx_strerror on Windows, the condition checks `!strerror_s(...)`
(true on success) and therefore always evaluates the fallback block.
Even when strerror_s successfully produced a valid errno message.
Follow-up to 1eca08a541
Pointed out by Codex Security
Closes#20955
ngtcp2 1.14.0 added module dependencies to `ngtcp2_crypto_*.pc` files.
This broke certain build cases in curl, because configure was is
querying pkg-config modules by setting `PKG_CONFIG_LIBDIR` to the
directory specified via `--with-*=` options, including `--with-ngtcp2=`.
Setting `PKG_CONFIG_LIBDIR` tells pkg-config (and pkgconf) to ignore
system locations. This caused that `ngtcp2_crypto_gnutls.pc` could no
longer find its indirect dependencies, if those were present at system
locations (where they typically are). Another fallout was BoringSSL,
because it does not provide `openssl.pc` on its own, and successful
detection relied on finding a non-BoringSSL copy, typically at a system
location (also fixed in ngtcp2 main branch).
Fix `ngtcp2_crypto_*` detections to not touch `PKG_CONFIG_LIBDIR` and
instead prepend `<path>` set via `--with-ngtcp2=` to `PKG_CONFIG_PATH`.
This ensures to pick up any dependent modules from system locations.
Note the side-effect is that potentially undesired modules may be
detected this way from system locations, i.e. it makes this particular
detection less "hermetic" than the rest used in curl configure.
(Configurations using a bare `--with-ngtcp2` with no path were not
affected, and served as a workaround before this patch. It remains a
valid way of configuration after.)
Both `pkgconf` and `pkg-config` use this logic to calculate their search
directory list:
```pseudo
search = {}
if PKG_CONFIG_PATH is set
search += PKG_CONFIG_PATH
endif
if PKG_CONFIG_LIBDIR is set (even if empty)
search += PKG_CONFIG_LIBDIR
else
search += built-in-pkg-config-dirs
endif
```
Refs:
https://github.com/curl/curl/pull/18028/commits (earlier attempt. Failed due to using `PKG_CONFIG_DIR` instead of the correct `PKG_CONFIG_PATH`)
https://github.com/curl/curl/pull/18028/commits/c0874ce8242d42a1ae1d570d6b70b8360da56482https://man.archlinux.org/man/pkgconf.1.enhttps://manpages.debian.org/unstable/pkgconf/pkgconf.1.en.htmlhttps://manpages.debian.org/unstable/pkg-config/pkg-config.1.en.html10e27fd63c
Bug: https://github.com/curl/curl/pull/18022#issuecomment-3120587041
Bug: https://github.com/ngtcp2/ngtcp2/pull/1689#issuecomment-3120593664
Follow-up to 04d90b5deb#20931
Follow-up to 3c64ffaff4#18415#18188
Follow-up to 99500660af#18028#18022Closes#20920
The `ISLOWHEXALHA` and `ISUPHEXALHA` macros were introduced in commit
f65f750 and seem to be only referenced locally by the `ISXDIGIT` macro.
Judging by the `ISALPHA` macro defined in the same file, it seems like
the intention was to spell them as `IS.*HEXALPHA`.
I noticed this while reading through the code and decided to open a PR,
even if it is only a tiny change, just because I was already looking at
it and it might be useful. If there is any reason not to merge this,
please do close the PR.
Closes#20810
- document building curl with CMake.
- mention all supported forks in the OpenSSL section. Delete dedicated
quictls section.
- add TLS-backend pkgconfig dir to `PKG_CONFIG_PATH` for correctness.
OpenSSL-based ones often work without this, by finding system
`openssl.pc`. For GnuTLS and wolfSSL this has a lesser chance. Best to
point to them explicitly. (configure may technically be able to do
this automatically, but it isn't implemented.)
- use `--with-ngtcp2=<path>` again, where possible.
GnuTLS is the exception, pending fix in #20910.
Same for BoringSSL, but not documented in `HTTP3.md`.
- replace `<somewhereN>` with `/path/to/depname` for clarity.
- move `LDFLAGS` after `./configure` for curl, to match dep builds.
- move `--with-ngtcp2` next to the TLS-backend option.
Follow-up to 1e3c2bec7e#20926
Follow-up to 3c64ffaff4#18415#18188
Cherry-picked from #20920Closes#20947
Configure LibreSSL autotools job with `--with-ngtcp=<path>` instead of
adding ngtcp2 to `PKG_CONFIG_PATH`. To test this way of configuration in
CI and test for the regression reported in #20889.
Turns out this way of configuration isn't affected by the detection
issue in this particular case.
It also works for other backends except for these two, subject to
separate fixes:
- BoringSSL fix: https://github.com/ngtcp2/ngtcp2/pull/2070
- GnuTLS fix and BoringSSL workaround: #20920
Follow-up to 666db80196#20891
Follow-up to 8db0e286b3#18189
Follow-up to 99500660af#18028#18022Closes#20926
For cases where the user puts a double quote or backspace in the user
name.
Adjusted test 907 to verify
Reported-by: am-perip on hackerone
Closes#20940
Before this patch the `$withval` variable may have contained `yes` or
other unrelated values, instead of the wolfSSL directory configured via
`--with-wolfssl=`.
Fixing:
```
checking for wolfssl options with pkg-config... found
configure: pkg-config --exists wolfssl trace:
---- begin
PKG_CONFIG_PATH: |/home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig|
PKG_CONFIG_LIBDIR: |yes/lib/pkgconfig| <=============== 'yes' used as base directory
trying path: /home/runner/wolfssl/build/lib/pkgconfig for wolfssl
---- end
```
Ref: https://github.com/curl/curl/actions/runs/23146424326/job/67235762794?pr=20920#step:18:245
Cherry-picked from #20920Closes#20943
`PKG_CONFIG_LIBDIR` and `PKG_CONFIG_PATH`.
To help debugging dependency issues. Example:
```
configure: pkg-config --exists openssl trace:
---- begin
PKG_CONFIG_LIBDIR: '/home/runner/libressl/build/lib/pkgconfig'
PKG_CONFIG_PATH: '/home/runner/libressl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig'
trying path: /home/runner/libressl/build/lib/pkgconfig for openssl
trying path: /home/runner/libressl/build/lib/pkgconfig for libssl
trying path: /home/runner/libressl/build/lib/pkgconfig for libcrypto
---- end
```
Cherry-picked from #20920
Follow-up to 04d90b5deb#20931Closes#20942
When saving a file with --no-clobber, make sure the existing file name
remains set when creating the name fails. In a retry scenario, it comes
back and uses that variable again.
Add test 3036 to verify.
Reported-by: James Fuller
Closes#20939
Instead hook up the upstream target name as-is to the local wrapper
target.
To:
- make the hack work regardless of how the upstream target was created.
- make it work the same way in `curl-config.cmake`.
Before this patch it had no guard for `IMPORTED` targets even though
`find_dependencies()` is not guaranteed to create the target expected
if it already existed and was potentially created differently.
Depends-on: #20840
Follow-up to 4f1646ef8a#20486#20419Closes#20839
Already set after `ldap_sslinit()`/`ldap_init()` and before
`ldap_ssl`-specific initialization.
Follow-up to 39d1976b7f#19830
Follow-up to b41e65a8e3
Follow-up to b91421b107Closes#20930
To include what's actually used.
Also:
- drop unused includes.
- scope includes where possible.
- drop `curlx/curlx.h` umbrella header.
- config2setopts: include `netinet/in.h` for Cygwin/MSYS2.
Previously included by chance via an unused curlx include.
Closes#20776
With default invocation, make generated file timestamps deterministic
by looking up (via the GitHub API) the last commit that modified
`certdata.txt`, along with its commit timestamp.
Also:
- show the URL used to download `certdata.txt` from.
- make `ca-bundle.crt` timestamp match `certdata.txt`'s.
Closes#20528
To allow simplifying the binutils ld hack, by chaining the original
imported target to curl's local duplicate target. Also to allow linking
to dependencies' native imported targets via their CMake Configs, which
will always be hooked up to a `CURL::` interface, and may also be
chained upstream.
Fixing (seen on Linux with simplified binutils hack via #20839):
```
Requires:
Requires.private: libzstd openssl zlib
Libs: -L${libdir} -lcurl
-Libs.private: -lcrypto -lssl -lz -lzstd
+Libs.private: -lOpenSSL::Crypto -lZLIB::ZLIB -lcrypto -lssl -lz -lzstd
Cflags: -I${includedir}
Cflags.private: -DCURL_STATICLIB
Error: Process completed with exit code
```
Ref: https://github.com/curl/curl/actions/runs/22768301699/job/66041980258?pr=20839
Note this makes it possible to run into an infinite loop because CMake
allows cyclic dependencies. It isn't added by curl's CMake script nor by
any dependencies as defined by default, but may happen in theory with
custom-created targets. In such case CMake automatically stops with
an error at 1000 iterations. I find it overkill to add custom protection
for it.
Cherry-picked from #20814
Cherry-picked from #20839Closes#20840
Fix potential inifinite loop reading file content with `Curl_get_line()`
when a filename passed via these options are pointing to a directory
entry (on non-Windows):
- `--alt-svc` / `CURLOPT_ALTSVC`
- `-b` / `--cookie` / `CURLOPT_COOKIEFILE`
- `--hsts` / `CURLOPT_HSTS`
- `--netrc-file` / `CURLOPT_NETRC_FILE`
Fix by checking for this condition and silently skipping such filename
without attempting to read content. Add test 1713 to verify.
Mention in cookie documentation as an accepted case, also show a verbose
message when a directory is detected. Extend test 46 to verify if such
failure lets the logic continue to the next cookie file.
Reported-and-based-on-patch-by: Richard Tollerton
Fixes#20823Closes#20826 (originally-based-on)
Follow-up to 769ccb4d42#19140Closes#20873
To aid debugging cases when dependency detection acts unexpectedly.
Sprung from spending days trying to figure out behavior of ngtcp2 crypto
modules and their dependencies.
You can enable by setting env `CURL_TRACE_PKG_CONFIG` to a non-empty
value. When enabled, details are logged for both successful and
unsuccessful detections. Logging of unsuccessful ones is automatically
enabled when `CURL_CI` env is set, which is the case for all CI jobs.
It works by asking for `--debug` output and grepping for lines that seem
useful for this purpose. Output is different for classic pkg-config and
pkgconf, and may depending on tool version. Also append `--print-errors`
output if any.
Examples (with pkgconf):
Fail, before:
```
checking for libngtcp2_crypto_boringssl options with pkg-config... no
configure: error: --with-ngtcp2 was specified but could not find ngtcp2_crypto_boringssl pkg-config file.
```
Fail, after:
```
checking for libngtcp2_crypto_boringssl options with pkg-config... no
configure: pkg-config --exists libngtcp2_crypto_boringssl trace:
---- begin
trying path: /home/runner/nghttp3/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/ngtcp2-boringssl/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/nghttp3/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/ngtcp2-boringssl/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/nghttp3/build/lib/pkgconfig for openssl
trying path: /home/runner/ngtcp2-boringssl/build/lib/pkgconfig for openssl
trying path: /home/runner/nghttp2/build/lib/pkgconfig for openssl
==== error:
Package openssl was not found in the pkg-config search path.
Perhaps you should add the directory containing `openssl.pc'
to the PKG_CONFIG_PATH environment variable
Package 'openssl', required by 'libngtcp2_crypto_boringssl', not found
---- end
configure: error: --with-ngtcp2 was specified but could not find ngtcp2_crypto_boringssl pkg-config file.
```
Success, after:
```
checking for libngtcp2_crypto_boringssl options with pkg-config... found
configure: pkg-config --exists libngtcp2_crypto_boringssl trace:
---- begin
trying path: /home/runner/awslc/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/nghttp3/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/nghttp2/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/ngtcp2/build/lib/pkgconfig for libngtcp2_crypto_boringssl
trying path: /home/runner/awslc/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/nghttp3/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/nghttp2/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/ngtcp2/build/lib/pkgconfig for libngtcp2
trying path: /home/runner/awslc/build/lib/pkgconfig for openssl
trying path: /home/runner/awslc/build/lib/pkgconfig for libssl
trying path: /home/runner/awslc/build/lib/pkgconfig for libcrypto
---- end
```
More examples:
https://github.com/curl/curl/pull/20926#issuecomment-4064259935
If there is an externally enablable, built-in feature like this in
classic pkg-config or pkgconf, I could not find it.
Also:
- GHA/http3-linux: set `CURL_TRACE_PKG_CONFIG` to log detection details.
H3 builds are prone to hard-to-debug dependency issues.
Ref: #20920
Follow-up to 3c64ffaff4#18415#18188
Follow-up to 99500660af#18028#18022
Cherry-picked from #20926Closes#20931
Add protocol.h and protocol.c containing all about libcurl's
known URI schemes and their protocol handlers (so they exist).
Moves the scheme definitions from the various sources files into
protocol.c. Schemes are known and used, even of the protocol
handler is not build or just not implemented at all.
Closes#20906
Improve the name, type and handling of `data->req.keepon`:
- Rename `keepon` to `io_flags`
- make `io_flags` and `uint8_t` and reposition in struct
- Rename `KEEP_*` defines to `REQ_IO_*`, move to request.h
- Replace all direct bit tests to `CURL_REQ_WANT_*` use
- Replace all direct bit manipulations with new macros
Closes#20905
Convert more `int port` to `uint16_t` port types. Reshuffle ports in
connectdata to save some bytes. Change `conn->destination` format to
- make it more readable and thus usable in tracing
- add the IPv6 scope_id only when not default (global)
and make it resemble more the textual format for IPv6
(e.g. suffix '%<scope_id>')
Closes#20918
Eliminate `conn->bits.ipv6_ip`
The bit was only correct for the first transfer using a connection. Use
`data->state.up.hostname` instead in places that need the URL hostname
in its original form.
Fix parseurlandfillconn() to not modify `data->state.up.hostname` before
copying the connection's hostname, but modify the copy instead, leaving
the URL hostname intact.
Closes#20919
The file is almost entirely made up by first-lines of previous git
commits, and we usually push it without a PR cycle, making it annoying
to trigger on typos later as they then show in independent PRs by other
people.
Closes#20917
- when scanning source code, this now only checks source code comments
and double-quote strings. No more finding bad words as part of code
- this allows the full scan to be done in a single invocation
- detects source code or markdown by file name extension
- moved the whitelist words config into the single `badwords.txt` file,
no more having them separately (see top of file for syntax)
- all whitelisted words are checked case insensitively now
- removed support for whitelisting words on a specific line number. We
did not use it and it is too fragile
Removing the actual code from getting scanned made the script take an
additional 0.5 seconds on my machine.
Scanning 1525 files now takes a little under 1.7 seconds for me.
Closes#20909
