Commit graph

39091 commits

Author SHA1 Message Date
Daniel Stenberg
bf5cc6ab8b
curl-functions.m4: verify working RFC 4291 zero prefixed IPv4 - mapped format
Detect incompatible inet_ntop() call for IPv6 output.

Closes #22136
2026-06-25 11:02:50 +02:00
Stefan Eissing
e9a2b0dc72
multi_ev: refresh sock entry after remove callback
This was missed in the fix for CVE-2026-9080.

Reported-by: stze on hackerone
URL: https://hackerone.com/reports/3823985
Closes #22163
2026-06-25 10:43:41 +02:00
alhudz
f746780a1e
mqtt: reject control bytes in the topic
Closes #22112
2026-06-25 09:35:01 +02:00
Daniel Stenberg
c10a7aa259
RELEASE-NOTES: synced
and bump curlver.h
2026-06-25 08:42:02 +02:00
Samuel Dainard
5232c16208
sws: allow connection-monitor to log all disconnects
Remove the suppression of connmon after the first disconnect event. The
connmon flag is set per-test via the 'connection-monitor' server command
and should remain active for the lifetime of that test's connections to
properly detect connection reuse failures.

The suppression was introduced in 510fdad to work around a connection
reuse regression that has since been resolved by the credentials
refactoring in 8f71d0f. With the underlying issue fixed, restoring full
disconnect logging strengthens tests like 338 to catch future
regressions in connection reuse logic.

Fixes #22158
Closes #22159
2026-06-25 08:37:19 +02:00
Jay Satiro
4ce309d968 ldap: support insecure mode for Windows native LDAP
- Bypass cert verification if verifypeer is disabled.

Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.

Closes https://github.com/curl/curl/pull/22152
2026-06-24 14:36:16 -04:00
renovate[bot]
a1af38be09
GHA: update debian:bookworm-slim Docker digest to 60eac75
Closes #22151
2026-06-24 11:42:21 +02:00
Viktor Szakats
93235c1b52
GHA/linux: drop unused pip packages from Alpine job
py3-impacket, py3-asn1, py3-six and py3-pycryptodomex.

Number of tests run remain 1848 / 1847 for the two jobs respectively.
Number of installed packages go from 158 to 117, and from 177 to 142
(for the two jobs respectively; using different Alpine versions).

Closes #22153
2026-06-24 11:38:59 +02:00
Daniel Stenberg
68720b4837
RELEASE-NOTES: synced 2026-06-24 07:52:50 +02:00
Daniel Stenberg
9187ef7ec8
VERSIONS: 8.21.0 release 2026-06-24 07:52:50 +02:00
Daniel Stenberg
ec37b024d8
THANKS: added names from 8.21.0 release 2026-06-24 07:52:50 +02:00
Viktor Szakats
bf29c3e175
GHA/non-native: BSD overhaul, test more autotools, bump versions
- add autotools jobs for MidnightBSD, NetBSD, OpenBSD.
  Takes under 3 minutes per new job, under +6m in total.
  - comment out MidnightBSD to save CI time.
  - to make them as fast as possible, skip building tests and examples,
    and omit libidn2, openldap dependencies.
- add DragonFly BSD cmake job, which finally works.
  (keep it commented out since the package server fails frequently.)
- do `mport index/upgrade` to make MidnightBSD autotools builds work.
- rework filtering MidnightBSD package manager's excessive log output.
- fixup OpenBSD autotools job to uninstall system curl to avoid linking
  against it (and breaking debug builds).
- make OpenBSD package manager commands non-interactive.
- specify install packages for each matrix entry.
- make autotools build step verbose (to ease debugging).
- add link to DragonFly BSD package repo.
- bump cross-platform-actions from 1.1.0 to 1.3.0.
- bump FreeBSD 15.0 to 15.1.
- bump OpenBSD to 7.7 to 7.9.
  This did not go well last time with 7.8, let's see with 7.9.
  Ref: 8d00e28136 #19372
  Ref: c3b890b2c0 #19368
- sync test-skipper keywords with rest of workflows.
- drop installing impacket. It was unused.
  (also a slow install with many dependencies)

The original motivation was to prepare fixing OpenBSD's (and possibly
other platforms) `getaddrinfo()` thread-safety check.
Ref: https://github.com/curl/curl/pull/22138#issuecomment-4773617195

Closes #22145
2026-06-23 18:09:49 +02:00
Daniel Stenberg
9adc32a6e2
test 679: add a quoted string name in a netrc test
By using quotes a user name can have a space in netrc

Closes #22147
2026-06-23 17:23:11 +02:00
Viktor Szakats
78267398e5
GHA/linux: bump pizlonator/fil-c to v0.680, fixup quoting
Also put the version number in quotes to avoid GHA altering the number
into `0.68` (without rightmost zero) and ending up storing that in the
`FIL_C_VERSION` env.

Hopefully Renovate will honor this on future bumps.

Do the same for the rest of `x.y` format version numbers.

Fixing:
```
env:
[...]
    FIL_C_VERSION: 0.68
```
Ref: https://github.com/curl/curl/actions/runs/28006009260/job/82920767558?pr=22142#step:5:16

Fixes #22142

Closes #22143
2026-06-23 11:45:08 +02:00
Daniel Stenberg
7e37510c93
RELEASE-PROCEDURE.md: typo 2026-06-23 10:06:14 +02:00
Viktor Szakats
621176cbd5
GHA/windows: settle on windows-2025 image name
It's the final/stable image name and it's shipping with VS2026 now.

Ref: https://github.com/actions/runner-images/issues/14017
Follow-up to b0239417b3 #21713

Closes #22139
2026-06-23 01:14:57 +02:00
Viktor Szakats
364d6c18f7
cmake: add pre-fills for DragonFly BSD and MidnightBSD
Based on CI runs:
DragonFlyBSD: https://github.com/curl/curl/actions/runs/27978506617/job/82802332910 (autotools)
MidnightBSD: https://github.com/curl/curl/actions/runs/27977103321/job/82797523470 (cmake)

Also readd DragonFly BSD to GHA/non-native, but keep it commented.

Closes #22138
2026-06-22 22:57:07 +02:00
Viktor Szakats
560dc2985a
doh: drop redundant curlx_dyn_free() call in doh_probe_done()
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.

Reported-by: netspacer.research

Follow-up to 1ebd92d0fd #16384

Closes #22133
2026-06-22 21:04:45 +02:00
Viktor Szakats
b0d0f16d20
tidy-up: make 'CA' uppercase, where missing
```sh
git grep -w ca | grep -v -E -i 'ca[;"=/()%_.-]' | grep -v -E -i '[*$"=/()%_.-]ca'
```

Closes #22135
2026-06-22 21:04:45 +02:00
Viktor Szakats
5735540835
CURLOPT_SSLVERSION.md: drop stray space from 'SSLv*', 'TLSv*'
To match rest of codebase.

Closes #22131
2026-06-22 21:04:45 +02:00
Stefan Eissing
be1d976a2a
peer: fix ipv6 detection
When trying to detect ipv6 addresses, ipv4 addresses were also
flagged as ipv6.

Add test2413 to check.

Closes #22134
2026-06-22 17:16:07 +02:00
Viktor Szakats
d824266425
appveyor: pass --proto-redir =https option
Follow-up to 500820682c #21757

Closes #22130
2026-06-22 13:04:16 +02:00
Viktor Szakats
f7d4e11f4b
setopt: return error if received curl_blob->data is NULL
To avoid dereferencing in the function if `CURL_BLOB_COPY` is set, or
outside of the function if unset.

Reported-by: netspacer.research

Closes #22129
2026-06-22 12:08:35 +02:00
Viktor Szakats
b3675fe80a
libssh2: drop stray double-negative from strncmp() result
Just a tidy-up. Logic remains identical.

Spotted by GitHub Code Quality

Follow-up to a867314f4f #16382

Closes #22126
2026-06-22 12:08:35 +02:00
Viktor Szakats
2735ef3bae
libssh2: fix to return error code on missing parameter
Reported by GitHub Code Quality

Follow-up to 0095f98464 #15250

Closes #22125
2026-06-22 12:08:35 +02:00
Daniel Stenberg
c35e2cb29f
setopt: cleanup the length check for COPYPOSTFIELDS handling
Make it more straight-forward

Closes #22127
2026-06-22 11:49:49 +02:00
Stefan Eissing
c5d0e93879
HTTP3.md: update quiche build
Fixes #22105
Reported-by: av223119 on github
Closes #22109
2026-06-22 10:15:27 +02:00
Stefan Eissing
d638eac189
libssh2: code and infof/trace cleanups
Give the libssh2 infof() messages a common format, add/clarify some to
make the connect/authentication flow more clear.

Closes #22101
2026-06-22 10:12:25 +02:00
Daniel Stenberg
ab779d4e4a
doh: stricter HTTPS RNAME parsing
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.

Verified in test 1658

Reported-by: netspacer.research
Closes #22124
2026-06-22 09:53:14 +02:00
Daniel Stenberg
e8e3af2abb
doh: cap the maximum TTL to 24 hours
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.

Verify in test 1650

Reported-by: netspacer.research
Closes #22122
2026-06-22 09:12:55 +02:00
Stefan Eissing
8ed285f06d
websockets: buffer ugprade data at connection level
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.

Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.

Fixes #22107
Reported-by: sideshowbarker on github
Closes #22111
2026-06-22 08:54:50 +02:00
Michael Kaufmann
810d9535e1
proxy: fix automatic tunnel mode with "connect to host"
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.

Follow-up to 73daec6

Closes #22110
2026-06-22 08:53:31 +02:00
Daniel Stenberg
cb7efe1c35
cd2nroff: handle TLS together with other protocols
To render CURLOPT_KEYPASSWD properly

Closes #22123
2026-06-22 08:09:08 +02:00
Daniel Stenberg
0d6e5944bc
setopt: make CURLOPT_KEYPASSWD work for SSH-only builds
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds

Mention this in the man page as well.

Follow-up to 52fa8d9
Pointed out by Codex Security
Closes #22121
2026-06-22 00:28:28 +02:00
Viktor Szakats
372401f969
INSTALL-CMAKE.md: document CMake environment variables
Closes #22114
2026-06-20 10:04:16 +02:00
Daniel Stenberg
52fa8d994d
setopt: refactor setopt_cptr into smaller helper functions
This takes down the longest function to sub 500 lines

Closes #22095
2026-06-19 23:43:24 +02:00
Viktor Szakats
acdeb7f50b
KNOWN_BUGS.md: drop outdated CMake issues
- "cmake outputs: no version information available"
  Ref: #11158

  Seems to be about missing support for autotools `--enable-versioned-symbols`.
  This was implemented for CMake in:
  14d4712db7 #17039
  7100c5bc9b #14818
  7b14449790 #14378

- "generated `.pc` file contains strange entries"
  Ref: #6167

  Fixed in:
  9f56bb608e #14681

- "CMake build with MIT Kerberos does not work"
  Ref: #6904

  The FindGSS module responsible for MIT Kerberos detection has seen 50
  updates since this report. In the last years I made many local tests
  with it, and it's also extensively CI-tested since (including Windows
  for a 1-year period), with no known issues.

If you see problems remaining, let us know in a new issue.

Closes #22108
2026-06-19 18:25:54 +02:00
renovate[bot]
94962a9b82
GHA: update dependency cloudflare/quiche to v0.29.2
Closes #22106
2026-06-19 15:26:18 +02:00
Viktor Szakats
93e2341e87
vquic: fix -Wunused-parameter with proxies disabled
Fixing:
```
lib/vquic/vquic.c:864:56: error: unused parameter 'conn' [-Werror,-Wunused-parameter]
  864 |                              const struct connectdata *conn,
      |                                                        ^
```

Closes #22104
2026-06-19 14:46:54 +02:00
Viktor Szakats
04305a3e40
runtests: drop orphaned, no-op -k option
And the corresponding internal variable.

This option became the always-enabled default earlier, via #4035.

Reported-by: Zartaj Majeed
Ref: #22098
Follow-up to 6617db6a7e #4035

Closes #22100
2026-06-19 14:46:49 +02:00
Viktor Szakats
2a993e2a4a
GHA: re-sync Linux CMake triplet with autotools builds
Follow-up to 8f5e4f020e #22097
2026-06-19 01:09:53 +02:00
Viktor Szakats
8f5e4f020e
GHA: fix Linux triplet passed to CMAKE_C_COMPILER_TARGET
Before this patch it broke clang 20/21 cmake builds on ubuntu-26.04-arm
runner, failing at the beginning of the configure stage while probing
the compiler.

Seen in the 'CM openssl clang krb5 LTO' job:
```
: && /usr/bin/clang --target=aarch64-pc-linux-gnu   CMakeFiles/cmTC_3d9ae.dir/testCCompiler.c.o -o cmTC_3d9ae   && :
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find crtbeginS.o: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc: No such file or directory
    /usr/bin/aarch64-linux-gnu-ld.bfd: cannot find -lgcc_s: No such file or directory
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462687#step:38:66

Follow-up to 36bd807475 #15242
Follow-up to 232302f88a #14382
Cherry-picked from #22092

Closes #22097
2026-06-19 00:53:04 +02:00
Viktor Szakats
139ce4d37c
GHA: separate pytype from other checkers and pips
pytype is discontinued, does not receive further updates, and it
requires older python, offered by Ubuntu 24.04 or older.

Move it to its own GHA job to allow bumping the rest of checkers to.
newer runner images. Also move it out from the shared `requirements.txt`
and install directly from its separate GHA job, to avoid installing it
unnecessarily from others. Since it does not receive update, it's fine
to move out from Dependabot's view.

Ref: https://pypi.org/project/pytype/
Cherry-picked from #22092

Closes #22096
2026-06-19 00:14:18 +02:00
alhudz
fdd6ba3580
cookie: check __Secure- and __Host- case sensitively when read from file
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.

Extended test 2311 to cover it.

Closes #22085
2026-06-18 23:58:07 +02:00
Viktor Szakats
e44f1a1446
smb: constify strchr() result variable
Fixing (as seen with gcc-15 on Ubuntu 26.04):
```
lib/smb.c: In function 'smb_connect':
lib/smb.c:491:9: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  491 |   slash = strchr(user, '/');
      |         ^
lib/smb.c:493:11: error: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  493 |     slash = strchr(user, '\\');
      |           ^
```
Ref: https://github.com/curl/curl/actions/runs/27778098314/job/82195462418?pr=22092

Follow-up to 4e5908306a #20428
Follow-up to 7dc60bdb90 #20425
Follow-up to 0e2507a3c6 #20421

Cherry-picked from #22092

Closes #22094
2026-06-18 21:12:17 +02:00
Viktor Szakats
950a30d762
GHA/http3-linux: bump to ubuntu-26.04
Before: https://github.com/curl/curl/actions/runs/27772068909
After: https://github.com/curl/curl/actions/runs/27772321661?pr=22089

Closes #22089
2026-06-18 19:27:15 +02:00
Viktor Szakats
c972583f6c
MANUAL.md: update apt-key example
To use `tee` instead, due to `apt-key` being deprecated, and missing
from recent distros.

Also lowercase `stdin` to match rest of the file.

Ref: https://documentation.ubuntu.com/release-notes/26.04/summary-for-lts-users/#package-management-apt-3

Follow-up to b13e9066b3 #16127
Follow-up to 54130a6cad #10170

Closes #22090
2026-06-18 19:26:19 +02:00
Viktor Szakats
adb4edd177
GHA: bump analyzer/sanitizer jobs to clang-22, and ubuntu-26.04
On Linux, and Windows cross-builds.

clang-tidy jobs look significantly faster. Other jobs remain around the
same (this feels nice after seeing the significant slowdowns in
Windows-2025, FreeBSD 15.)

Before: https://github.com/curl/curl/actions/runs/27770630688
After: https://github.com/curl/curl/actions/runs/27770913426?pr=22086

gcc-analyzer also got faster:
Before: https://github.com/curl/curl/actions/runs/27758865007/job/82127670883
After: https://github.com/curl/curl/actions/runs/27768696084/job/82162385765

Also:
- work around actionlint 1.7.12 not yet being aware of ubuntu-26.04:
  ```
  windows.yml:770:14: label "ubuntu-26.04" is unknown. available labels are [...]
  ```
  Ref: https://github.com/curl/curl/actions/runs/27769065782/job/82163700294#step:6:13
  Ref: https://github.com/rhysd/actionlint/issues/682
  Ref: https://github.com/rhysd/actionlint/pull/683

Follow-up to 5a2af800de #22084

Closes #22086
2026-06-18 17:54:10 +02:00
Daniel Stenberg
595d052923
curl_multi_assign.md: clarify lifetime
Closes #22088
2026-06-18 17:47:33 +02:00
Viktor Szakats
39628c5084
openssl: do not mix OpenSSL int result with CURLcode variable
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
 3538 |     result = SSL_ech_set1_server_names(octx->ssl,
      |            ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3539 |                                        peer->origin->hostname, outername,
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 3540 |                                        0 /* do send outer */);
      |                                        ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43

Cherry-picked from #22086

Closes #22087
2026-06-18 17:30:56 +02:00