When an application install its own OpenSSL verify callback and that
callback invokes `SSL_set_retry_verify()`, the transfer is automatically
paused and does not progress the connect attempt any further until
unpaused via `curl_easy_pause().
Added test758 to verify.
Ref: #18284
Original PR by @Natris
Bug: https://curl.se/mail/lib-2025-08/0012.htmlCloses#18288
Easily triggered when doing an FTP ranged download with the end range
larger than the file size.
A regression since 30de937bda (shipped in curl 8.9.0)
Add test 2307 to verify.
Reported-by: kupavcevdenis on github
Fixes#18283Closes#18295
Add support for CURLOPT_READFUNCTION with WebSocket urls when *not* in
connect-only mode, e.g. when using curl_multi_perform.
Install the callback function and set CURLOPT_UPLOAD. Return
CURL_READFUNC_PAUSE when having nothing more to send and unpause the
transfer when more data is ready.
This will send the read bytes in a WebSocket BINARY frame.
Add support for this mode in the pytest "ws_data" client and have all
tests run in 'curl_ws_send/recv' and 'peform' mode as well.
Add `curl_ws_start_frame()`. Document, cover in libcurl-ws.md and
explain the READFUNCTION mode for websockets.
Add example `websocket-updown` for this.
Closes#17683
in the user home directory.
Before this patch, the curl tool found the system curlrc first, ignoring
the custom one set by the test via `CURL_HOME`.
Closes#18242
Instead of doing malloc/free every time and "manual" buffer population.
This reuses the dynbuf for this purpose for the duration of parsing the
file.
Closes#18230
The GlobalConfig only exists in a single instance and it has worked like
this since the dawn of time. It is about time we stop passing around
pointers to what was already essentially a global object and instead
just use a... global.
It simplifies things.
Closes#18213
curl_easy_reset() did not reset the `rewind_read` flag. This caused any
handles that previously had a CURLE_SEND_FAIL_REWIND error to get stuck
with that error, failing any subsequent requests, even if they didn't
have any body at all.
Verified in test 3034
Fixes#18206Closes#18207
Hold them for half the normal lifetime. Helps when told to transfer N
URLs in quick succession that all use the same non-resolving hostname.
Done by storing a DNS entry with a NULL pointer for 'addr'.
Previously an attempt was made in #12406 by Björn Stenberg that was
ultimately never merged.
Closes#18157
Adds `curl_off_t curl_multi_get_offt(CURLM *multi_handle, CURLMinfo_offt
info)` to the multi interface with enums:
* CURLMINFO_XFERS_CURRENT: current number of transfers
* CURLMINFO_XFERS_RUNNING: number of running transfers
* CURLMINFO_XFERS_PENDING: number of pending transfers
* CURLMINFO_XFERS_DONE: number of finished transfers to read
* CURLMINFO_XFERS_ADDED: total number of transfers added, ever
Add documentation for functions and info enums.
Add use in the curl command line tool to replace two static
variables counting the same "from the outside".
refs #17870Closes#17992
Output the current UTC time using strftime format. %f is an extra curl
specific flag to output the microsecond fraction of the current second.
Verified by test 1981
Closes#18119
Makes curl follow redirects an act on the response code and change a
custom method accordingly, contrary to --location.
Potential future command line to send QUERY and following a redirect
according to the status code:
curl -d "request-body" -X QUERY --follow https://example.com
add test 794,796,797
Assisted-by: Daniel Böhmer <post@daniel-boehmer.de>
Closes#16543
Some tests make a hard-coded call to the libtest binary in the precheck
step. With bundle builds the binary changed name and calling convention.
Before this patch these tests failed the pre-check and did not run for
the 5 affected tests: 518, 537, 678, 1517, 1960
Fixing, e.g.:
```
test 1517 SKIPPED: precheck command error
```
https://github.com/curl/curl/actions/runs/16611990422/job/46996698437?pr=18039#step:13:4832
It also fixes builds with a custom `CURL_DIRSUFFIX` set.
Follow-up to 2c27a67daa#17590
Follow-up to 71cf0d1fca#14772Closes#18099
New multi option CURLMOPT_NETWORK_CHANGED with a long bitmask value:
- CURLM_NWCOPT_CLEAR_CONNS: do not reuse existing connections, close all
idle connections.
- CURLM_NWCOPT_CLEAR_DNS: clear the multi's DNS cache.
All other bits reserved for future extensions.
Fixes#17225
Reported-by: ウさん
Closes#17613
Add a new commandline option --out-null that discards all
response bytes into the void. Replaces non-portable use of
'-o /dev/null' with more efficiency.
Feature added in 8.16.0
Closes#17800
When a multiplex connection (h2/h3) is shutdown by the server, the
reported number of parallel transfers allowed drops to 0.
Determine that when the last transfer is done and terminate the
connection instead of keeping it in the cache.
We detect the drop to 0 also when we try to reuse such a connection, but
if we know this at the time the last transfer is done, we better
terminate it right away.
Have a consistent trace logging to this with the connections current
hostname and port. Adjust test expectations to carry port numbers.
Closes#17884
If the long option name ends with an equals sign (`=`), the argument is
the text following on its right side.
This makes the command line parser accept this common style in addition
to the existing way to accept option arguments more similar to how other
command line tools do.
Example: `curl --user-agent=curl-2000 https://example.com/`
Change a few existing tests to use this syntax: 206, 1333, 1335, 1442
Closes#17789
This still allows users to explictily ask for 1.0 or 1.1 as the minimum
version. If the TLS library allows it.
Starting with this change, the CURL_SSLVERSION_DEFAULT value is no
longer used as minimum version when the TLS backend are called.
This also makes curl set the minimum version to 1.2 independently of
libcurl for the rare case where a newer curl tool would use an older
libcurl.
URL: https://curl.se/mail/lib-2025-07/0007.html
Assisted-by: Stefan Eissing
Closes#17894
After 7cf8414fab#12862, `VAR=` no longer
removes the env variable, but sets it to an empty/blank value instead.
To remove an env, `VAR` shall be used (without the assigment operator.)
`SSL_CERT_FILE`, `CURL_HOME`, `HOME`, `XDG_CONFIG_HOME`, were added
before the change above. Make tests unset these envs again, as their
commit messages suggest, instead of blanking them. It does not change
the outcome of the tests.
Ref: 764e4f066d#8213
Ref: e992770e8d#6600
Folllow-up to 7cf8414fab#12862
Cherry-picked from #17988Closes#17994
The unexplained error in AppVeyor CI tests are not hit in CI after
moving those tests to GHA. Re-enable to run this test on Windows.
Revisit if the error is seen again on Windows.
Errors seen earlier in AppVeyor CI:
https://ci.appveyor.com/project/curlorg/curl/builds/49120834https://ci.appveyor.com/project/curlorg/curl/builds/49123802 (with debug lines)
In these jobs:
CMake, VS2010, Debug, x64, no SSL, Static
CMake, mingw-w64, gcc 7, Debug, x64, Schannel, Static, Unicode
CMake, mingw-w64, gcc 9, Debug, x64, Schannel, Static, Unity
CMake, mingw-w64, gcc 6, Debug, x86, Schannel, Static
Test log from the 'gcc 9` job above (with debug lines):
```
test 0428...[Expand environment variables within config file]
428: protocol FAILED!
There was no content at all in the file log/server.input.
Server glitch? Total curl failure? Returned: 26
== Contents of files in the log/ dir after test 428
=== Start of file cmd
--variable %FUNVALUE
--variable %VALUE2
--variable %BLANK
--variable %curl_NOT_SET=default
--expand-data 1{{FUNVALUE}}2{{VALUE2}}3{{curl_NOT_SET}}4{{BLANK}}5\{{verbatim}}6{{not.good}}7{{}}
=== End of file cmd
=== Start of file commands.log
../src/curl.exe --output log/curl428.out --include --trace-ascii log/trace428 --trace-time http://127.0.0.1:1593/428 -K log/cmd > log/stdout428 2> log/stderr428
=== End of file commands.log
=== Start of file server.cmd
Testnum 428
=== End of file server.cmd
=== Start of file stderr428
getenv of 'FUNVALUE' returned 0xee65d2
getenv of 'VALUE2' returned 0xee7a42
getenv of 'BLANK' returned (nil)
curl: Variable 'BLANK' import fail, not set
curl: log/cmd:3: '--variable' variable expansion failure
curl: cannot read config from 'log/cmd'
curl: option -K: error encountered when reading a file
curl: try 'curl --help' for more information
=== End of file stderr428
```
Env comparison:
Fail: https://ci.appveyor.com/project/curlorg/curl/builds/49123802/job/2a4w7i21npys9pd3
```
-- curl version=[8.6.1-DEV]
-- The C compiler identification is GNU 9.1.0
-- Found Perl: C:/msys64/usr/bin/perl.exe (found version "5.30.0").
-- Found _WIN32_WINNT=0x0601
* curl 8.6.1-DEV (Windows).
* libcurl/8.6.1-DEV Schannel zlib/1.2.11
* Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Kerberos Largefile libz NTLM SPNEGO SSL SSPI threadsafe TrackMemory UnixSockets
* Disabled: xattr
* System: MSYS_NT-10.0-14393 APPVYR-WIN 3.0.7-338.x86_64 2019-07-11 10:58 UTC x86_64 Msys
```
OK (this PR): https://github.com/curl/curl/actions/runs/16439564668/job/46456976494
```
-- curl version=[8.15.1-DEV]
-- The C compiler identification is GNU 9.5.0
-- Found Perl: C:/msys64/usr/bin/perl.exe (found version "5.38.4")
-- Found _WIN32_WINNT=0x0601
* curl 8.15.1-DEV (Windows).
* libcurl/8.15.1-DEV Schannel libpsl/0.21.5
* Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
* Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Kerberos Largefile NTLM PSL SPNEGO SSL SSPI threadsafe TrackMemory UnixSockets
* Disabled: xattr, win32-ca-search-safe, override-dns
* System: MINGW64_NT-10.0-20348 runnervm51nrn 3.6.3-ab81aae6.x86_64 2025-07-01 18:20 UTC x86_64 Msys
```
Follow-up to 7cf8414fab
Ref: https://github.com/curl/curl/pull/12862#issuecomment-1929548070
Ref: 0f0edc283c#12862Closes#17991
- runtests: fix `codeset-utf8` feature detection. Before this patch it
detected if the calling environment had UTF-8 enabled. If not, UTF-8
tests were all skipped. After this patch, it detects if UTF-8 is
supported by the calling environment regardless of what's currently
enabled.
Follow-up to 0b70b23ef4#15039
- GHA/linux: sync `codeset-test` to also reset `LC_CTYPE` and
`LC_NUMBER`. To give it more spin.
Follow-up to c221c0ee59#17938
- GHA/macos: fix to actually enable `codeset-test`. Also set `LC_ALL`,
which seems necessary to trigger issues.
Follow-up to c221c0ee59#17938
- tests/data: replace `LC_CTYPE` env with `LC_ALL` in all tests
requiring a locale. Also to avoid potential issues with a blank or
unset `LC_ALL`, as seen earlier. And to ensure that the override works
on all platforms (as tested in CI.)
Slight downside is that this now resets the language/culture to `C`.
Ref: b4c9982382#4743
Ref: 23208e330a#4738
- replace `en_US.UTF-8` with `C.UTF-8` to be language/culture-agnostic.
- TEST-SUITE.md: drop `UTF-8` as a requirement for tests.
Tests shall work (or least be skipped) without UTF-8 support.
Tests requiring UTF-8 locale:
165, 962, 963, 964, 965, 966, 967, 1448, 1560, 2046, 2047
Tests requiring UTF-8 locale, but passing without one anyway:
955, 956, 957, 958, 959, 960, 961, 968, 1034, 1035
Spec 1997: https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html
Spec 2008: https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html
Ref: c221c0ee59#17938
Ref: 7cf8414fab
Ref: 4c140a5628
Ref: 28faaacee2#2436
Ref: ecd1d020abCloses#17988
No longer necessary after a previous change made sure to strip
the '100.0%' number from the result, before checking it. The dot is
a regex character catching any decimal separator.
Follow-up to 17c18fbc30#5194
Ref: #2436
Cherry-picked from #17988Closes#17993
When transfers read client input without an upload file, the check if
upload file is '.' strcompared a NULL.
Add test 1548 to reproduce and verify fix.
Reported-by: d1r3ct0r
Fixes#17978Closes#17987
To fix running test 1560 when `LC_ALL` is set to something unexpected
(e.g. `C`). Also syncing it with the rest of tests.
Also:
- GHA/linux: enable `libidn2` in more jobs.
Also to enable test 1560 reproducing this issue in more jobs.
- GHA/linux: run tests with `LC_ALL=C` in one of the jobs.
- GHA/linux: switch to the non-deprecated package name for libidn2.
- GHA/macos: run tests with non-default locale settings in one job.
- GHA/macos: enable AppleIDN in that job.
Ref: https://github.com/curl/curl/pull/17933#issuecomment-3074582840
Follow-up to f27262b179#10196Closes#17938
- codespell: break logic out into its own runnable script. Allowing
to run it on local machines.
- codespell: install via `pip`, bump to latest version.
- codespell: show version number in CI log.
- codespell: drop no longer needed word exception: `msdos`.
- codespell: include all curl source tree, except `packages` and
`winbuild`. Drop an obsolete file exclusion.
- add new spellchecker job using the `typos` tool. It includes
the codespell dictionary and a couple more. Use linuxbrew to install
it. This takes 10 seconds, while installing via `cargo` from source
would take over a minute.
- codespell: introduce an inline ignore filter compatible with `cspell`
Make `typos` recognize it, too. Move single exceptions inline.
Fix new typos found. Also rename variables and words to keep
spellchecking exceptions at minumum. This involves touching some tests.
Also switch base64 strings to `%b64[]` to avoid false positives.
Ref: https://github.com/crate-ci/typos/blob/master/docs/reference.md
Ref: https://github.com/codespell-project/codespell?tab=readme-ov-file#inline-ignore
Ref: https://github.com/codespell-project/codespell/issues/1212#issuecomment-1721152455
Ref: https://cspell.org/docs/Configuration/document-settingsCloses#17905
Setting `CURL_ENTROPY` in debug-enabled builds overrides the code paths
responsible for random number generation. To avoid masking issue there,
this patch moves `CURL_ENTROPY` settings to each test that requires it,
and stop setting it by default for all tests (in `runner.pm`).
This makes it possible to catch random generator issues in debug-enabled
builds; extending test coverage.
To keep offering a well-defined state for tests, make `runner.pm` delete
the `CURL_ENTROPY` env, if present.
Ref: #17970Closes#17971
Runing the tests locally without valgrind test 518 and 537 would run
over their limits.
Plus init a variable in runtests.pl to avoid a warning output.
Closes#17919
Before this patch this test succeeded silently and unconditionally,
when run on an out-of-tree curl build.
Also fix to exit gracefully if no libcurl manuals are found.
Fixing:
```
readline() on closed filehandle $m at ../../tests/test1222.pl line 153.
```
Cherry-picked from #17877Closes#17892
Fix test 1175 by passing the source root directory (was: tests).
Before this patch this caused silent Perl warnings and returning success
without executing the tests, due to:
```
readline() on closed filehandle $f at ../../tests/test1175.pl line 55.
readline() on closed filehandle $f at ../../tests/test1175.pl line 39.
```
Running the test revealed these issues:
```
CURLE_FUNCTION_NOT_FOUND is not in libcurl-errors.md
CURLE_HTTP_POST_ERROR is not in libcurl-errors.md
CURLE_TELNET_OPTION_SYNTAX is not in libcurl-errors.md
CURLM_CALL_MULTI_SOCKET is not in libcurl-errors.md
```
Apply fixes:
- mark `CURLE_FUNCTION_NOT_FOUND` deprecated by 7.53.0
- mark `CURLE_HTTP_POST_ERROR` deprecated by 7.56.0
- mark `CURLE_TELNET_OPTION_SYNTAX` deprecated by 7.78.0
- document `CURLM_CALL_MULTI_SOCKET` as a synonym for
`CURLM_CALL_MULTI_PERFORM`
- test1477: exclude `CURLM_CALL_MULTI_SOCKET`.
But, these weren't officially deprecated. It may need more updates
to reflect that in other places, or fix the issues differently.
Follow-up to 66ec950004#12424
Follow-up to 74f441c6d3#4628
Cherry-picked from #17877Closes#17880
Use 'config' for pointing to a OperationConfig
Use 'global' for pointing to GlobalConfig
Bonus: add config_alloc(), an easier way to allocate + init a new
OperationConfig struct.
Closes#17888
The idea here is to set limits per test how many allocations and maximum
amount of memory it is allowed to use. This is a means to make sure the
number and total size of allocations are kept in check and don't
mistakenly "blow up".
If runtests.pl detects that the given limits have been exceeded it fails
the test case with an error.
The `<verify>` part now supports `<limits>`, and in this section two
limits can be set for each test (verified in debug builds only):
Allocations: [number of allocation calls]
Maximum allocated: [maximum concurrent memory allocated]
Default limits (used if nothing is set in the test file):
Allocations: 1000
Maximum allocated: 1000000
Closes#17821
This was spotted by Debian's lintian tool. It adds an informational
warning at every run, so my OCD was kicking in and I had to fix it :-)
Closes#17787
This test makes sure that a number of internal and public structs are
within their maximum allowed size limits.
The public structs can only grow in controlled ways, while the internal
ones may be allowed to grow if deemed right.
The idea here is to control, to know and make sure all important struct
growth is intentional.
Closes#17823
Replace the `libstubgss.so`-based overload solution with one built into
libcurl at compile-time.
The previous, `LD_PRELOAD`-based, solution was non-portable, allowlisted
for Linux, BSD and Solaris. It also required non-debug builds, which
turned out to be an accidental condition:
7d342c723c. It also required a curl tool
built against a shared libcurl. Detecting this condition wasn't always
accurate, e.g. with certain cmake configurations.
The overload solution also didn't work on macOS, though it theoretically
should have:
- #17653
- #2394
Experiments on making the overload solution work in more envs:
- #17759
That revealed that it also did not work on NetBSD, in CI.
The replacement solution is overloading the necessary GSS-API functions
for test 2056 and 2057 at compile time. It requires a debug-enabled curl
build (due to its insecure nature).
This makes these tests run on all platforms. Including most GSS jobs in
CI, that are running tests. (the exception is old-linux, non-debug jobs,
where it felt overkill to enable debug for this.)
The refactored GSS stub code needs to overload less than before because
it's free to use the official GSS API. (This didn't work with
the overload solution on Alpine for example). It can also use libcurl
functions, allowing to replace `snprintf()` with `msnprintf()`.
OS/400 is also overloading GSS API functions. I haven't tested how this
works after this PR. In theory it should, because this PR doesn't rely
on preprocessor overrides.
Note that for future GSS tests, it may be necessary to stub these GSS
API functions: `gss_inquire_context()`, `gss_unwrap()`, `gss_wrap()`.
They are on codepaths not (yet) touched by tests.
Also:
- stub-gss: check for token buffer overrun.
- stub-gss: replace size macros with `sizeof()`.
- GHA: enable debug for some jobs with GSS.
- GHA/linux: ignore results for 2056 and 2057 in the valgrind job.
They leak the same way as seen with 2077 and 2078.
Ref: 7020ba7979#17462
Ref: 146759716c#14430
- GHA/linux: fix to ignore `gss_import_name()` leaks in valgrind builds.
only.
- lib/vauth/krb5_gssapi: reduce variable scope.
- lib/vauth/spnego_gssapi: reduce variable scope.
- tests/libtest: drop code and build logic dealing with `libstubgss`.
- runtests:
- drop `ld_preload` feature.
- drop special handling of `LD_PRELOAD` env in tests.
- drop logic dealing with shared curl tool detection.
- drop `LD_PRELOAD` envs from tests.
Follow-up to 56d949d31a#1687Closes#17752
For consistency. RFC 3986 section 2.1 says:
"URI producers and normalizers should use uppercase hexadecimal digits
for all percent-encodings."
Reported-by: Jeroen Ooms
Fixes#17685Closes#17739
