Commit graph

16797 commits

Author SHA1 Message Date
alhudz
bedeeaa4a7
smtp: reject CR and LF in the envelope address
Verified in test 2110

Closes #22119
2026-06-29 22:28:46 +02:00
Daniel Stenberg
ea71c3b6b6
openldap: handle Curl_sasl_continue() returns better
Similar to how it gets treated already in other protocol handlers.

Follow-up to eeca818b1e

Reported-by: Eunsoo Kim
Closes #22213
2026-06-29 22:22:52 +02:00
HwangRock
df350dd0d8
content_encoding: give a clear error on multi-member gzip
A gzip Content-Encoding response holding more than one gzip member made
curl decode the first member and then fail the transfer with a bare
CURLE_WRITE_ERROR and no hint about the cause. Detect the trailing
member and fail with a message that explains what happened.

Fixes #22156
Closes #22172
2026-06-29 22:21:34 +02:00
Viktor Szakats
2b5911880b
openssl: prefer modern API flavors for EVP_MD_CTX new/free
Available in all supported OpenSSL flavors and versions. They are
functionally identical to the legacy API calls.

Closes #22219
2026-06-29 20:04:57 +02:00
Viktor Szakats
1671ebd975
build: drop superfluous STDC_HEADERS macro
It is traditionally defined by autotools to detect the presence of set
of standard C89 headers. autoconf 2.70 (2020-12-08) reduced the headers
covered to `stdlib.h`, `string.h`. After 2.59d (2006-06-05) obsoleting
it earlier. CMake replicated this detection, and curl included
`curl/stdcheaders.h` if standard headers were missing. However, such
condition could never happen because curl sources already assume all
checked standard headers (`stdarg.h`, `stdlib.h`, `string.h`) and
include them unconditionally.

Since this is an unused feature detection and an impossible fallback
path, drop them from CMake and curl's source. autotools continues to do
the detection by default, but its result is unused after this patch.

This leaves public `curl/stdcheaders.h` unused from within the codebase.

Refs:
f0c7c42553
86c213d0e3

Follow-up to 65dae4ad80 #22191
Follow-up to 4c5307b456
Ref: ae1912cb0d

Closes #22206
2026-06-29 11:11:16 +02:00
Viktor Szakats
99859ecca8
cf-ngtcp2-cmn: initialize new callback ptr for ngtcp2 1.24.0+, bump in CI
Fixes #22205

Closes #22207
2026-06-28 13:57:31 +02:00
Viktor Szakats
39dec13ec0
build: always use local inet_pton()/inet_ntop() implementations
Also repurpose existing build-time feature checks into unit test 1961,
to verify.

Prior to this patch these functions were auto-detected with both
autotools and cmake. In case of autotools there was an extra
verification phase ensuring the functions work as expected. This step
required running the function, thus was limited to non-cross-builds. For
cross-builds and CMake it always used the system implementation if
present. On Windows it always used the local implementation, because
availability/use is complicated there.

After this patch all platforms, always use the local implementation,
which is known to be accurate. This makes curl behave more consistently,
and simplifies the build process, a fixes cross-builds and CMake
auto-detection differences.

Also:
- test1960: enable unconditionally.
- checksrc: disallow globally, allowlist in `block_ip.c` example.
- dnsd: verify ntop result for NULL before passing to printf.

Ref: https://github.com/curl/curl/pull/22137#issuecomment-4797440983
Ref: #22137
Ref: 8537a5b0bc #16577

Closes #22170
2026-06-27 01:24:39 +02:00
Viktor Szakats
a62e08c5eb
lib: fix 'ns' -> 'us' in trace messages
Closes #22200
2026-06-27 00:26:36 +02:00
Daniel Stenberg
996696621f
curl_trc: store callback info in a uint8, not a bool
The state is no longer just a bool so make sure to use a proper uint8_t
so that it gets restored properly.

Follow-up to a6af50c484

Closes #22199
2026-06-26 23:19:51 +02:00
alhudz
65d8eaeaa2
gopher: reject CR and LF in the selector
Verifed in test 1609

Closes #22116
2026-06-26 23:09:43 +02:00
Stefan Eissing
d786a85f19
lib: hostname related cleanups
* format `data->state.aptr.host` without crlf, so signatures do not need
  to strip it again. Add the crlf when adding the header to the request
  dynbuf
* check `connect-to` strings on normalized hostname and user supplied
  hostname (when those differ)
* libssh: always use the peer for setting ssh option SSH_OPTIONS_HOST,
  preserve ipv6 [] enclosure, use IDN converted hostname otherwise. This
  is the libssh documented expectation.
  Do NOT use strings from URL parsing.

Closes #22128
2026-06-26 22:50:38 +02:00
Viktor Szakats
9f9d2d10d9
lib1587: fix gcc -Wconversion with LibreSSL on Windows, test in CI
By exposing and reusing existing custom type via `vtls/openss.h`.

Also:
- GHA/curl-for-win: test in CI by enabling building tests.
  Cost is 45s per job, so limit it to the gcc job.

Seen with Windows x64 gcc (not tested in CI prior to this patch):
```
tests/libtest/lib1587.c:50:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
   50 |       SSL_CTX_set_options(info->internals, opts);
      |       ^~~~~~~~~~~~~~~~~~~
tests/libtest/lib1587.c:59:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
   59 |       SSL_set_options(info->internals, opts);
      |       ^~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/28258372229/job/83727170184?pr=22195#step:3:4884

Ref: da2f05e6f6 #22198
Ref: 6163566461 #22197
Follow-up to 3e40ccb875 #21290
Follow-up to 2db8ae480f #17809 #17801

Closes #22195
2026-06-26 22:44:53 +02:00
Viktor Szakats
6163566461
openssl: drop unused pre-OpenSSL3 ctx_option_t typedef
Follow-up to 69c89bf3d3 #18330

Closes #22197
2026-06-26 21:12:35 +02:00
Viktor Szakats
84c5dcdb05
tidy-up: syntax and code nits
- cmp-pkg-config.sh: replace `-r -f` with `-rf` to match rest of repo.
- configure.ac: add double quotes for robustness (not a bug).
- curl-openssl.m4: merge nested `if`s.
- CurlTests.c: drop `!= 0`, also to sync with m4.
- CurlTests.c: replace `example.com` with `localhost` in
  `gethostbyname()` feature test code. (compile-only, not a bug)
- GHA/http3-linux: drop literal `true` from bool expression.
- lib650: drop redundant `&`.
- move variable/call to left-hand side of equality checks, where
  missing.
- perl: detach `<`/`>` from filename in `open()`, where missing.
- schannel: apply two nit fixes lost in rebase.
- scripts/verify-release: drop redundant double quotes.
- scripts/verify-release: exit with error code on error.
- synctime: replace magic numbers with `sizeof()`.
- telnet: add missing parentheses to macro value.
- tests/Makefile.am: use single quotes.
- tool_operate: drop redundant `break` after `return` in VMS code.
- unit2413: drop unused NULL pointer + free call.
- unit2413: fix duplicate test case name.
- urlapi: drop redundant parentheses.
- urlapi: drop `CURL_UNCONST()` that became redundant.

Closes #22186
2026-06-26 15:45:24 +02:00
Alhuda Khan
a36384ab94
http: trim custom header name before the Authorization drop
A custom header name padded with blanks (`Authorization :`) missed the
exact-length compare and slipped past the cross-host Authorization and
Cookie drop, forwarding the header to the redirect target. Trim the
parsed name in both the request and proxy CONNECT header builders.

Closes #22178
2026-06-26 14:50:04 +02:00
Stefan Eissing
18475e662c
urlpieces: remove members that live in peers/creds
Remove members of `struct urlpieces` that now live in peers/creds.

Change all remaining uses of those urlpieces.

When comparing schemes, use the protocol constants.

Closes #22171
2026-06-26 14:39:40 +02:00
Stefan Eissing
cfc7922377
altsvc: use Curl_peer in processing
Use `data->state.origin` when processing alt-avc information.

Decomplexify parsing function.

Closes #22184
2026-06-26 14:12:53 +02:00
Stefan Eissing
2f1e94eaed
conncache: connection alive checks intervals
Do not check if a particular connection is alive or not more than once
every second. We did this on every connection reuse which is overkill
when sending many requests to the same host.

Closes #22169
2026-06-26 13:52:26 +02:00
Stefan Eissing
00d5562650
proxy: optimized env lookups
Optimize proxy env var lookups for the commen case of 'https' and 'http'
urls. We do this for every transfer.

Closes #22168
2026-06-26 13:50:20 +02:00
Daniel Stenberg
a6af50c484
multi: forbid curl_easy_pause from within multi socket callback
- there is a risk for a nasty recursive situation

- we avoid certain risks that the pause call changes things so that when
  returning from the callback, the state of some internals is undefined
  and we need to reload which is easy to miss

- we can't think of legitiate use cases for doing this. This is
  basically just the new favorite point for AI and security researchers
  to find hypothetical problems

Closes #22179
2026-06-26 13:43:48 +02:00
Viktor Szakats
397b8f0ec6
tidy-up: docs, comments, typos, whitespace
- GHA/windows: mention `IgnoreStandardErrorWarningFormat=true`
  in comment.
- cmake: fix MIT/GNU GSS order in messages.
- drop some exclamation marks from messages.
- drop redundant ending newlines from messages.
- fold/unfold where possible.
- fix indent, whitespace, typos and other nits.

Closes #22185
2026-06-26 11:36:09 +02:00
Viktor Szakats
231445df2a
cmake: drop logic for GNU/kFreeBSD systems
Adopting change made in CMake, with description: "kFreeBSD is no longer
maintained or supported and was never an officially-supported release
architecture for Debian."

This system name was also dropped by CMake 4.1+:
https://cmake.org/cmake/help/v4.2/variable/CMAKE_SYSTEM_NAME.html

Credits-to: Roger Leigh
Ref: 99c8abed55
Ref: https://gitlab.kitware.com/cmake/cmake/-/work_items/26742
Ref: https://gitlab.kitware.com/cmake/cmake/-/work_items/26722

Follow-up to 5de6848f10 #10023 #5935

Closes #22176
2026-06-26 10:17:00 +02:00
Daniel Stenberg
fdbc5beed3
urlapi: make two #defines instead of magic values/strings in code
Closes #22181
2026-06-26 09:57:21 +02:00
Stefan Eissing
26c6a4d898
urlapi: do not keep an internal port string
Do not allocated an internal port string, just keep and number and a bit
if it is present. Format the port string in a local buffer when someone
asks for it and copy that.

This avoid the format/alloc penalty when parsing URLs and no one ever
asking for the port string.

(And there will be a method to get the uint16_t value directly in
 another PR)

Closes #22167
2026-06-25 14:07:40 +02:00
Viktor Szakats
62e095cee0
ssh: dedupe ssh_pollset() functions
Closes #22115
2026-06-25 11:32:36 +02:00
Stefan Eissing
e9a2b0dc72
multi_ev: refresh sock entry after remove callback
This was missed in the fix for CVE-2026-9080.

Reported-by: stze on hackerone
URL: https://hackerone.com/reports/3823985
Closes #22163
2026-06-25 10:43:41 +02:00
alhudz
f746780a1e
mqtt: reject control bytes in the topic
Closes #22112
2026-06-25 09:35:01 +02:00
Jay Satiro
4ce309d968 ldap: support insecure mode for Windows native LDAP
- Bypass cert verification if verifypeer is disabled.

Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.

Closes https://github.com/curl/curl/pull/22152
2026-06-24 14:36:16 -04:00
Viktor Szakats
560dc2985a
doh: drop redundant curlx_dyn_free() call in doh_probe_done()
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.

Reported-by: netspacer.research

Follow-up to 1ebd92d0fd #16384

Closes #22133
2026-06-22 21:04:45 +02:00
Viktor Szakats
b0d0f16d20
tidy-up: make 'CA' uppercase, where missing
```sh
git grep -w ca | grep -v -E -i 'ca[;"=/()%_.-]' | grep -v -E -i '[*$"=/()%_.-]ca'
```

Closes #22135
2026-06-22 21:04:45 +02:00
Stefan Eissing
be1d976a2a
peer: fix ipv6 detection
When trying to detect ipv6 addresses, ipv4 addresses were also
flagged as ipv6.

Add test2413 to check.

Closes #22134
2026-06-22 17:16:07 +02:00
Viktor Szakats
f7d4e11f4b
setopt: return error if received curl_blob->data is NULL
To avoid dereferencing in the function if `CURL_BLOB_COPY` is set, or
outside of the function if unset.

Reported-by: netspacer.research

Closes #22129
2026-06-22 12:08:35 +02:00
Viktor Szakats
b3675fe80a
libssh2: drop stray double-negative from strncmp() result
Just a tidy-up. Logic remains identical.

Spotted by GitHub Code Quality

Follow-up to a867314f4f #16382

Closes #22126
2026-06-22 12:08:35 +02:00
Viktor Szakats
2735ef3bae
libssh2: fix to return error code on missing parameter
Reported by GitHub Code Quality

Follow-up to 0095f98464 #15250

Closes #22125
2026-06-22 12:08:35 +02:00
Daniel Stenberg
c35e2cb29f
setopt: cleanup the length check for COPYPOSTFIELDS handling
Make it more straight-forward

Closes #22127
2026-06-22 11:49:49 +02:00
Stefan Eissing
d638eac189
libssh2: code and infof/trace cleanups
Give the libssh2 infof() messages a common format, add/clarify some to
make the connect/authentication flow more clear.

Closes #22101
2026-06-22 10:12:25 +02:00
Daniel Stenberg
ab779d4e4a
doh: stricter HTTPS RNAME parsing
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.

Verified in test 1658

Reported-by: netspacer.research
Closes #22124
2026-06-22 09:53:14 +02:00
Daniel Stenberg
e8e3af2abb
doh: cap the maximum TTL to 24 hours
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.

Verify in test 1650

Reported-by: netspacer.research
Closes #22122
2026-06-22 09:12:55 +02:00
Stefan Eissing
8ed285f06d
websockets: buffer ugprade data at connection level
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.

Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.

Fixes #22107
Reported-by: sideshowbarker on github
Closes #22111
2026-06-22 08:54:50 +02:00
Michael Kaufmann
810d9535e1
proxy: fix automatic tunnel mode with "connect to host"
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.

Follow-up to 73daec6

Closes #22110
2026-06-22 08:53:31 +02:00
Daniel Stenberg
0d6e5944bc
setopt: make CURLOPT_KEYPASSWD work for SSH-only builds
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds

Mention this in the man page as well.

Follow-up to 52fa8d9
Pointed out by Codex Security
Closes #22121
2026-06-22 00:28:28 +02:00
Daniel Stenberg
52fa8d994d
setopt: refactor setopt_cptr into smaller helper functions
This takes down the longest function to sub 500 lines

Closes #22095
2026-06-19 23:43:24 +02:00
Viktor Szakats
93e2341e87
vquic: fix -Wunused-parameter with proxies disabled
Fixing:
```
lib/vquic/vquic.c:864:56: error: unused parameter 'conn' [-Werror,-Wunused-parameter]
  864 |                              const struct connectdata *conn,
      |                                                        ^
```

Closes #22104
2026-06-19 14:46:54 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00
Viktor Szakats
e44f1a1446
smb: constify strchr() result variable
Fixing (as seen with gcc-15 on Ubuntu 26.04):
```
lib/smb.c: In function 'smb_connect':
lib/smb.c:491:9: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  491 |   slash = strchr(user, '/');
      |         ^
lib/smb.c:493:11: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  493 |     slash = strchr(user, '\\');
      |           ^
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462418?pr=22092

Follow-up to 4e5908306a #20428
Follow-up to 7dc60bdb90 #20425
Follow-up to 0e2507a3c6 #20421

Cherry-picked from #22092

Closes #22094
2026-06-18 21:12:17 +02:00
Viktor Szakats
39628c5084
openssl: do not mix OpenSSL int result with CURLcode variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
 3538 |     result = SSL_ech_set1_server_names(octx->ssl,
      |            ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3539 |                                        peer->origin->hostname, outername,
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3540 |                                        0 /* do send outer */);
      |                                        ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43

Cherry-picked from #22086

Closes #22087
2026-06-18 17:30:56 +02:00
alhudz
2f8fb98c5f
pingpong: reject nul byte in server response line
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.

Closes #21996
2026-06-18 14:17:27 +02:00
Stefan Eissing
f0be417635
multi: xfers_really_alive
Yes, we were counting the "live" transfers before, but were they
*really* alive?

When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.

For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.

The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.

Add two fields in multi and easy handle:

* `multi->xfers_really_alive`: counts the "alive" transfers that have
  passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted

Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.

Fixes #22050
Reported-by: Bryan Henderson
Closes #22066
2026-06-18 10:31:40 +02:00
alhudz
4a86af9940
cookie: reject control octets in file-loaded cookies
Verified by test 2311

Closes #22070
2026-06-18 08:04:24 +02:00
Yedaya Katsman
9ccc80b192
url: don't log bits.close state
This doesn't seem useful to users, and there doesn't seem to be a
scenario where bits.close is set to 1 during this logging anyway.

Closes #22073
2026-06-18 08:03:43 +02:00