Also repurpose existing build-time feature checks into unit test 1961,
to verify.
Prior to this patch these functions were auto-detected with both
autotools and cmake. In case of autotools there was an extra
verification phase ensuring the functions work as expected. This step
required running the function, thus was limited to non-cross-builds. For
cross-builds and CMake it always used the system implementation if
present. On Windows it always used the local implementation, because
availability/use is complicated there.
After this patch all platforms, always use the local implementation,
which is known to be accurate. This makes curl behave more consistently,
and simplifies the build process, a fixes cross-builds and CMake
auto-detection differences.
Also:
- test1960: enable unconditionally.
- checksrc: disallow globally, allowlist in `block_ip.c` example.
- dnsd: verify ntop result for NULL before passing to printf.
Ref: https://github.com/curl/curl/pull/22137#issuecomment-4797440983
Ref: #22137
Ref: 8537a5b0bc#16577Closes#22170
* format `data->state.aptr.host` without crlf, so signatures do not need
to strip it again. Add the crlf when adding the header to the request
dynbuf
* check `connect-to` strings on normalized hostname and user supplied
hostname (when those differ)
* libssh: always use the peer for setting ssh option SSH_OPTIONS_HOST,
preserve ipv6 [] enclosure, use IDN converted hostname otherwise. This
is the libssh documented expectation.
Do NOT use strings from URL parsing.
Closes#22128
By exposing and reusing existing custom type via `vtls/openss.h`.
Also:
- GHA/curl-for-win: test in CI by enabling building tests.
Cost is 45s per job, so limit it to the gcc job.
Seen with Windows x64 gcc (not tested in CI prior to this patch):
```
tests/libtest/lib1587.c:50:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
50 | SSL_CTX_set_options(info->internals, opts);
| ^~~~~~~~~~~~~~~~~~~
tests/libtest/lib1587.c:59:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
59 | SSL_set_options(info->internals, opts);
| ^~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/28258372229/job/83727170184?pr=22195#step:3:4884
Ref: da2f05e6f6#22198
Ref: 6163566461#22197
Follow-up to 3e40ccb875#21290
Follow-up to 2db8ae480f#17809#17801Closes#22195
- cmp-pkg-config.sh: replace `-r -f` with `-rf` to match rest of repo.
- configure.ac: add double quotes for robustness (not a bug).
- curl-openssl.m4: merge nested `if`s.
- CurlTests.c: drop `!= 0`, also to sync with m4.
- CurlTests.c: replace `example.com` with `localhost` in
`gethostbyname()` feature test code. (compile-only, not a bug)
- GHA/http3-linux: drop literal `true` from bool expression.
- lib650: drop redundant `&`.
- move variable/call to left-hand side of equality checks, where
missing.
- perl: detach `<`/`>` from filename in `open()`, where missing.
- schannel: apply two nit fixes lost in rebase.
- scripts/verify-release: drop redundant double quotes.
- scripts/verify-release: exit with error code on error.
- synctime: replace magic numbers with `sizeof()`.
- telnet: add missing parentheses to macro value.
- tests/Makefile.am: use single quotes.
- tool_operate: drop redundant `break` after `return` in VMS code.
- unit2413: drop unused NULL pointer + free call.
- unit2413: fix duplicate test case name.
- urlapi: drop redundant parentheses.
- urlapi: drop `CURL_UNCONST()` that became redundant.
Closes#22186
A custom header name padded with blanks (`Authorization :`) missed the
exact-length compare and slipped past the cross-host Authorization and
Cookie drop, forwarding the header to the redirect target. Trim the
parsed name in both the request and proxy CONNECT header builders.
Closes#22178
Remove members of `struct urlpieces` that now live in peers/creds.
Change all remaining uses of those urlpieces.
When comparing schemes, use the protocol constants.
Closes#22171
Do not check if a particular connection is alive or not more than once
every second. We did this on every connection reuse which is overkill
when sending many requests to the same host.
Closes#22169
- there is a risk for a nasty recursive situation
- we avoid certain risks that the pause call changes things so that when
returning from the callback, the state of some internals is undefined
and we need to reload which is easy to miss
- we can't think of legitiate use cases for doing this. This is
basically just the new favorite point for AI and security researchers
to find hypothetical problems
Closes#22179
- GHA/windows: mention `IgnoreStandardErrorWarningFormat=true`
in comment.
- cmake: fix MIT/GNU GSS order in messages.
- drop some exclamation marks from messages.
- drop redundant ending newlines from messages.
- fold/unfold where possible.
- fix indent, whitespace, typos and other nits.
Closes#22185
Do not allocated an internal port string, just keep and number and a bit
if it is present. Format the port string in a local buffer when someone
asks for it and copy that.
This avoid the format/alloc penalty when parsing URLs and no one ever
asking for the port string.
(And there will be a method to get the uint16_t value directly in
another PR)
Closes#22167
- Bypass cert verification if verifypeer is disabled.
Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.
Closes https://github.com/curl/curl/pull/22152
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.
Reported-by: netspacer.research
Follow-up to 1ebd92d0fd#16384Closes#22133
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.
Verified in test 1658
Reported-by: netspacer.research
Closes#22124
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.
Verify in test 1650
Reported-by: netspacer.research
Closes#22122
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.
Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.
Fixes#22107
Reported-by: sideshowbarker on github
Closes#22111
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.
Follow-up to 73daec6Closes#22110
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds
Mention this in the man page as well.
Follow-up to 52fa8d9
Pointed out by Codex Security
Closes#22121
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.
Extended test 2311 to cover it.
Closes#22085
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
3538 | result = SSL_ech_set1_server_names(octx->ssl,
| ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3539 | peer->origin->hostname, outername,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3540 | 0 /* do send outer */);
| ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43
Cherry-picked from #22086Closes#22087
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Closes#21996
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Fixes#22050
Reported-by: Bryan Henderson
Closes#22066
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Closes#22060
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existance.
We have no test cases for this, so this is a shot in the dark
here.
Fixes#21943
Reported-by: Dan Fandrich
Closes#22044
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.
Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.
This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.
Closes#22042
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Closes#22040