A gzip Content-Encoding response holding more than one gzip member made
curl decode the first member and then fail the transfer with a bare
CURLE_WRITE_ERROR and no hint about the cause. Detect the trailing
member and fail with a message that explains what happened.
Fixes#22156Closes#22172
Also repurpose existing build-time feature checks into unit test 1961,
to verify.
Prior to this patch these functions were auto-detected with both
autotools and cmake. In case of autotools there was an extra
verification phase ensuring the functions work as expected. This step
required running the function, thus was limited to non-cross-builds. For
cross-builds and CMake it always used the system implementation if
present. On Windows it always used the local implementation, because
availability/use is complicated there.
After this patch all platforms, always use the local implementation,
which is known to be accurate. This makes curl behave more consistently,
and simplifies the build process, a fixes cross-builds and CMake
auto-detection differences.
Also:
- test1960: enable unconditionally.
- checksrc: disallow globally, allowlist in `block_ip.c` example.
- dnsd: verify ntop result for NULL before passing to printf.
Ref: https://github.com/curl/curl/pull/22137#issuecomment-4797440983
Ref: #22137
Ref: 8537a5b0bc#16577Closes#22170
By exposing and reusing existing custom type via `vtls/openss.h`.
Also:
- GHA/curl-for-win: test in CI by enabling building tests.
Cost is 45s per job, so limit it to the gcc job.
Seen with Windows x64 gcc (not tested in CI prior to this patch):
```
tests/libtest/lib1587.c:50:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
50 | SSL_CTX_set_options(info->internals, opts);
| ^~~~~~~~~~~~~~~~~~~
tests/libtest/lib1587.c:59:7: error: conversion from 'opt1587' {aka 'long long unsigned int'} to 'long int' may change value [-Werror=conversion]
59 | SSL_set_options(info->internals, opts);
| ^~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/28258372229/job/83727170184?pr=22195#step:3:4884
Ref: da2f05e6f6#22198
Ref: 6163566461#22197
Follow-up to 3e40ccb875#21290
Follow-up to 2db8ae480f#17809#17801Closes#22195
It fails as expected, with a list of errors:
```
In file included from _x64-win-ucrt-for-trurl-bld/tests/tunit/tunits.c:5:
tests/tunit/tool1394.c:76:11: error: call to undeclared function 'parse_cert_parameter'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
76 | err = parse_cert_parameter(p->param, &certname, &passphrase);
| ^
[...]
tests/tunit/tool1622.c:68:5: error: call to undeclared function 'timebuf'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
68 | timebuf(buffer, sizeof(buffer), secs);
| ^
[...]
tests/tunit/tool1623.c:104:26: error: call to undeclared function 'GetSizeParameter'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
104 | ParameterError err = GetSizeParameter(check[i].input, &output);
| ^
[...]
```
Ref: https://github.com/curl/curl/actions/runs/28256499057/job/83720797064?pr=22195
Ref: #22195
Ref: 640fed88b6Closes#22198
- cmp-pkg-config.sh: replace `-r -f` with `-rf` to match rest of repo.
- configure.ac: add double quotes for robustness (not a bug).
- curl-openssl.m4: merge nested `if`s.
- CurlTests.c: drop `!= 0`, also to sync with m4.
- CurlTests.c: replace `example.com` with `localhost` in
`gethostbyname()` feature test code. (compile-only, not a bug)
- GHA/http3-linux: drop literal `true` from bool expression.
- lib650: drop redundant `&`.
- move variable/call to left-hand side of equality checks, where
missing.
- perl: detach `<`/`>` from filename in `open()`, where missing.
- schannel: apply two nit fixes lost in rebase.
- scripts/verify-release: drop redundant double quotes.
- scripts/verify-release: exit with error code on error.
- synctime: replace magic numbers with `sizeof()`.
- telnet: add missing parentheses to macro value.
- tests/Makefile.am: use single quotes.
- tool_operate: drop redundant `break` after `return` in VMS code.
- unit2413: drop unused NULL pointer + free call.
- unit2413: fix duplicate test case name.
- urlapi: drop redundant parentheses.
- urlapi: drop `CURL_UNCONST()` that became redundant.
Closes#22186
A custom header name padded with blanks (`Authorization :`) missed the
exact-length compare and slipped past the cross-host Authorization and
Cookie drop, forwarding the header to the redirect target. Trim the
parsed name in both the request and proxy CONNECT header builders.
Closes#22178
- there is a risk for a nasty recursive situation
- we avoid certain risks that the pause call changes things so that when
returning from the callback, the state of some internals is undefined
and we need to reload which is easy to miss
- we can't think of legitiate use cases for doing this. This is
basically just the new favorite point for AI and security researchers
to find hypothetical problems
Closes#22179
- GHA/windows: mention `IgnoreStandardErrorWarningFormat=true`
in comment.
- cmake: fix MIT/GNU GSS order in messages.
- drop some exclamation marks from messages.
- drop redundant ending newlines from messages.
- fold/unfold where possible.
- fix indent, whitespace, typos and other nits.
Closes#22185
- Makefile.am: add root `test-quiet` target that maps to
`tests/quiet-test`, for completeness.
Ref: #22098
- tests/Makefile.am: drop unused remains of `MANFILES`.
Follow-up to fa3f889752#17463
Also replace the `distclean` target to delete `CLEANFILES`, otherwise
the CI dist job fails. (I'm not grokking why)
- tests/Makefile.am: sync up `tests` target with CMake, to pass `TFLAGS`
`-a`.
Follow-up to 904e7ecb66#19347
- tests/certs/Makefile.am: fix to clean generated certs via `CLEANFILES`
to comply with autotools documentation, which says the previously used
variable `DISTCLEANFILES` is meant for files created by `./configure`.
Ref: https://www.gnu.org/software/automake/manual/html_node/Clean.html
Follow-up to 44341e736a#16824
- tests/http/Makefile.am: add `./` prefix to glob passed to `rm -rf` on
clean, to avoid deleting unintented files, or pass unintended options.
Follow-up to 671158242d#10349
Cherry-picked from #22102
Cherry-picked from #22150Closes#22154
Where missing. To avoid passing an option by accident.
End-of-option marker (`--`) is not POSIX, but most of these scripts are
internal and/or CI-focused, where this is fine. `maketgz` and
`verify-release` are meant for public use, and I asses this is fine too,
but let us know if this causes issues in real world envs.
Also:
- maketgz: pass args with `:?` to `rm -rf`, where missing.
Cannot cause an actual issue with current code.
- verified `cp`, `rm` instances too, but none were affected.
- tests/cmake/test.sh: replace `$PWD` with `$(pwd)` for sturdiness.
- appveyor.sh: replace `$PWD` with `$(pwd)` for sturdiness.
Assisted-by: Dan Fandrich
Follow-up to 6aab1dc263#19450Closes#22150
Remove the suppression of connmon after the first disconnect event. The
connmon flag is set per-test via the 'connection-monitor' server command
and should remain active for the lifetime of that test's connections to
properly detect connection reuse failures.
The suppression was introduced in 510fdad to work around a connection
reuse regression that has since been resolved by the credentials
refactoring in 8f71d0f. With the underlying issue fixed, restoring full
disconnect logging strengthens tests like 338 to catch future
regressions in connection reuse logic.
Fixes#22158Closes#22159
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.
Verified in test 1658
Reported-by: netspacer.research
Closes#22124
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.
Verify in test 1650
Reported-by: netspacer.research
Closes#22122
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.
Follow-up to 73daec6Closes#22110
And the corresponding internal variable.
This option became the always-enabled default earlier, via #4035.
Reported-by: Zartaj Majeed
Ref: #22098
Follow-up to 6617db6a7e#4035Closes#22100
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.
Extended test 2311 to cover it.
Closes#22085
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Closes#21996
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Fixes#22050
Reported-by: Bryan Henderson
Closes#22066
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Closes#22060
- drop the old test_setopt() which did the same thing
- remove #if 0'ed macros from first.h
These macros now store results in 'result' more aggressively, but I
believe that is generally favorable.
Closes#22057
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Closes#22033
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
Verified by test 3401
Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415Closes#22024
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b3
- lib650: drop an interim variable, and interim casts.
Follow-up to 60776a0515#2747
- curl_formdata.md: document `CURLFORM_NAMELENGTH` on man page.
- curl_formdata.md: pass `long` to `CURLFORM_BUFFERLENGTH` on man page.
- formdata: pass `long` to `CURLFORM_CONTENTSLENGTH` in comment.
Closes#22017
For correctness. Did not cause an issue, because the null-terminator is
present.
Also:
- change a size type to avoid casts.
- reuse input length value.
Spotted by GitHub Code Quality
Follow-up to 1e4cb333ef#4826Closes#22027
In `bind_unix_socket()`, before retrying `bind()`.
This patch uses `ENOENT`. This was last time in source between
d25b050379 (2018) and
dffd996e3b (2023), and also earlier. Also
defined by supported Windows envs. Seems safe to use.
Reported-by CodeQL
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22028
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.
While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.
It is rather a reason to reconsider the usefulness of the warning.
Closes#22023
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.
Follow-up to 30e491e5c9#7034
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22021