When building curl 8.20.0 with socketpair disabled, there is no
wakeup socket and the resolve results are not processed.
This fix performs result processing in the absence of a wakeup
socket before checking the resolve result.
Closes#21476
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
```
The following packages have unmet dependencies:
[...]
E: Unable to satisfy dependencies. Reached two conflicting assignments:
1. musl-dev:amd64=1.2.5-3+b1 is selected for install
2. musl-dev:amd64 is not selected for install because:
1. musl-dev:riscv64=1.2.5-3 is selected for install
2. musl-dev:amd64 Breaks musl-dev:riscv64 (!= 1.2.5-3+b1)
```
Ref: https://github.com/curl/curl/actions/runs/25168601672/job/73785600341#step:3:154Closes#21475
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Fix to create the top directory `foo` when specified as
`X:foo\bar\filename`, on Windows and MS-DOS. Add test to verify.
Caught by Codex Security
Follow-up to 787ee935ac#16566Closes#21449
To avoid difficult to track down crashes when a tested function ends up
outputing a message via `errorf()`, `warnf()` or siblings.
Cherry-picked from #21449Closes#21454
- prefer `--branch` over `-b`, where missing.
- add `--depth 1` where missing.
- sync option order between docs and GHA.
- bump quiche and rustls-ffi versions in documentation.
- ECH.md: update for OpenSSL 4.
Closes#21447
Pass all operations parameters to a SOCKS filter at creation
time, not relying on "global" connectdata values.
Eliminate modifications to `conn->ip_version` when local resolving
for SOCKS4.
Do not retrieve the socket for GSSAPI blocking calls from connectdata,
but from the filters "below" the SOCKS one.
Closes#21436
failf() needs an easy handle to work. This change removes the call since
there is normnally nowhere to show the output if init fails.
Bonus: improve language in an infof() call
Spotted by Copilot
Closes#21441
Necessary when the libssh2/libssh client library does not support KEX
algos offered by default by the OpenSSH server. E.g. libssh2 with WinCNG
combined with OpenSSH 10+.
Also: use this option in GHA/windows.
Follow-up to 3b8bb1a86a#21219
Follow-up to c98d0a2e9a#21220Closes#21438
Several mbedTLS resources (entropy/CTR-DRBG, CA/client certs, keys, CRL)
are initialized and may allocate memory before initialized is set, and
must still be cleaned up.
Follow-up to 1c4813c769
Caught by Codex Security
Closes#21440
So that CURLcode failure is correct and not figured out later via
`conn->bits.proxy`. Add the flag to the async struct.
`for_proxy` is figured out by the caller of Curl_resolv() when it
figures out which host/proxy name it wants the addresses for.
Remove CONN_IS_PROXIED macro as no longer needed.
Closes#21423
