When building curl 8.20.0 with socketpair disabled, there is no
wakeup socket and the resolve results are not processed.
This fix performs result processing in the absence of a wakeup
socket before checking the resolve result.
Closes#21476
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Pass all operations parameters to a SOCKS filter at creation
time, not relying on "global" connectdata values.
Eliminate modifications to `conn->ip_version` when local resolving
for SOCKS4.
Do not retrieve the socket for GSSAPI blocking calls from connectdata,
but from the filters "below" the SOCKS one.
Closes#21436
failf() needs an easy handle to work. This change removes the call since
there is normnally nowhere to show the output if init fails.
Bonus: improve language in an infof() call
Spotted by Copilot
Closes#21441
Several mbedTLS resources (entropy/CTR-DRBG, CA/client certs, keys, CRL)
are initialized and may allocate memory before initialized is set, and
must still be cleaned up.
Follow-up to 1c4813c769
Caught by Codex Security
Closes#21440
So that CURLcode failure is correct and not figured out later via
`conn->bits.proxy`. Add the flag to the async struct.
`for_proxy` is figured out by the caller of Curl_resolv() when it
figures out which host/proxy name it wants the addresses for.
Remove CONN_IS_PROXIED macro as no longer needed.
Closes#21423
Before this fix, Curl_tls_keylog_open() assigned the environment
variable result to a global keylog_file_name without freeing any prior
allocation. If the file cannot be opened (e.g., permission error)
keylog_file_fp stays NULL, so subsequent calls to Curl_tls_keylog_open
will overwrite keylog_file_name and leak the previous allocation.
Spotted by Codex Security
Closes#21427
Since we have a new struct instance for each async operation now and
async operation may happen in parallel, remove the connection bit
indicating doh is in progress.
Closes#21422
When trying to connect a pending transfer, remember the `mid` that was
last reactivated and start looking for future pending handles from the
last one forward through the pending bitset.
Background: when many pending handles exist, iterating the bitset always
from the start may become unfair to transfers that were assigned higher
`mid` values.
Fixes#21396
Reported-by: Juan Belón
Closes#21412
- unify the query and fragment separator logic
- read the bitflags directly instead of via a temp variable
- narrow the scope of a few variables
Closes#21417
When starting an c-ares query, the provided callback may be invoked
right away, leading to a decrement of `queries_ongoing`. Increment
the counter *before* call c-ares. Otherwise, the `async->done` bit
is not properly set.
Closes#21399
As 'flags' may already have been set to something when
parse_conversion() is called, make sure to only OR the new flags.
Follow-up to 4e0bfd8cf7Closes#21398
- httpsrr: drop redundant checks.
Follow-up to 809dda3a37#21354
- httpsrr.h: drop obsolete comment.
Follow-up to 2b3dfb4ad4#21175
- ws: drop redundant check in `curl_ws_start_frame()`.
Follow-up to 37cecfc7b9#17683
- ws: fix typo in comment.
- tool_operate: fix VMS build. (broken since 2019-07-20, v7.66.0)
Follow-up to b889408500#3804
Pointed out by Copilot Code Quality
Closes#21393
- introduce 'struct when' to hold the parser result
- initwhen() initializes a 'struct when'
- datestring() parses strings
- datenum() parses numbers
- datecheck() does some final checks
- tzadjust() adds the time zone offset
- convert math to 64 bit, squeeze into time_t only in the last step,
mktimet() does the time_t storing
Closes#21394
Seen with unity, H3, wolfssl with `HAVE_EX_DATA`.
Fixing:
```
lib/vtls/wolfssl.c:412:10: error: no previous prototype for function 'Curl_wssl_cache_session' [-Wmissing-prototypes]
412 | CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
| ^
lib/vtls/wolfssl.c:412:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
412 | CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
| ^
| static
1 error generated.
```
Follow-up to cc5c1553fb#19852Closes#21392
HEv3 describes conditions on when first connect attempts shall be
started.
https://www.ietf.org/archive/id/draft-ietf-happy-happyeyeballs-v3-01.html
Chapter 4.2
libcurl now waits 50ms for AAAA and HTTPS results (when requested) to
return before continuing with the connect.
Added HTTPS-RR to the "was resolved" information info message. Changed
logging of HTTPS-RR to a one-liner with RFC 9460 like formatting. This
way the user can see if/what was resolved and used in connecting.
Closes#21354
Track lock status of session cache, add DEBUGASSERT()s for proper
calling sequences. Add check of lock status.
Use lock status check to prevent reentry of import/export calls.
Deny such calls with CURLE_RECURSIVE_API_CALL.
Closes#21383
Also fix clang-tidy `readability-redundant-control-flow`.
```
lib/vtls/openssl.c:4055:46: error: unused parameter 'reason' [-Wunused-parameter]
4055 | int reason)
| ^
lib/vtls/openssl.c:4279:19: error: variable 'status' set but not used [-Wunused-but-set-variable]
4279 | const char *status = NULL;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/24641388439/job/72045859306?pr=21379
```
lib/vtls/openssl.c:4092:7: error: Value stored to 'rv' is never read [clang-analyzer-deadcode.DeadStores]
4092 | rv = SSL_ech_get1_status(ssl, &inner, &outer);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/vtls/openssl.c:4092:7: note: Value stored to 'rv' is never read
4092 | rv = SSL_ech_get1_status(ssl, &inner, &outer);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/vtls/openssl.c:4112:3: error: redundant return statement at the end of a function with a void return type [readability-redundant-control-flow]
4111 | #endif
| ~~~~~~
4112 | return;
| ^~~~~~~
4113 | }
```
Ref: https://github.com/curl/curl/actions/runs/24642154148/job/72047919525?pr=21379#step:42:186
Cherry-picked from #21379Closes#21380
When a user supplies an IP address to use for the HAPROXY protocol,
the IP version reported must be deduced from the address and has
no relation to the IP version used for the upstream connection.
Add test3220 to verify.
Fixes#21340
Reported-by: Fiona Klute
Closes#21341
Support HTTPS records in dnsd that have ALPN preferences.
Add pytest test_22_* to verify that HTTPS record ALPN
preferencces take effect if the HTTPS resolve arrives in time.
Fix HTTPS eyeballing use of timeouts for second attempt. Also,
make an initial HTTP/1.1 attempt switch off HTTP/2.
Closes#21329
Test has been flaky due to not waiting for the test server to be
listening. On slow CI systems, the started thread is late and the curl
command gets a refused connection.
Closes#21337
Add new internal `curl_url_same_origin()` to check if a href has the
same origin as a base URL. Add test cases in test1675 and use this in
http2 push handling.
Closes#21328
The function libssh2_userauth_keyboard_interactive_ex() calls the
callback and is documented to call free() on the memory returned to
libssh2 from the callback. libcurl can therefore not use the regular
curlx_strdup() for this, as that is not compatible in debug builds or
when curl_global_init_mem() is used.
Fixes#21336Closes#21338
- make sure all UNITTEST prototypes mark in which unit test they are used,
with "@unittest" markup
- make sure all UNITTEST functions do not use Curl_ prefix, as that is a
prefix we use for global private functions and these functions are static
and therefore not global and the prefix is wrong
- drop UNITTEST for functions not used in unit tests
- make the extract-unit-protos script highlight the above issues if found
- extract-unit-protos now also outputs the unit test number for all the
generated protos in lib/unitprotos.h to aid readers. It also adds the source
file and line number where the proto originates from.
- extract-unit-protos now exits with a non-zero value if any of the above
warnings are triggered
- cf-dns: Curl_cf_dns_result => static cf_dns_result
- hostip: Curl_ipv6works => static ipv6works
- url: remove Curl_setup_conn() - not used anymore
- connect: Curl_timeleft_now_ms => UNITTEST timeleft_now_ms
Closes#21330
