Viktor Szakats [Thu, 2 Oct 2025 19:33:48 +0000 (21:33 +0200)]
checksrc: reduce directory-specific exceptions
By making them defaults, then fixing and/or reshuffling remaining
exceptions as necessary.
- checksrc: ban by default: `snprintf`, `vsnprintf`, `sscanf`, `strtol`.
- examples: replace `strtol` with `atoi` to avoid a checksrc exception.
- tests/libtest: replace `strtol` with `atol`.
- tests/server: replace most `strtol` with `atol`.
- tests/server: replace most `strtoul` with `atol`/`atoi`.
- tests/server: drop no longer used `util_ultous`.
- fix typo in checksrc rules: `vsnprint` -> `vsnprintf`.
- update local exceptions.
Also:
- examples: ban curl printf functions. They're discouraged in user code.
- examples: replace curl printf with system printf.
Add `snprintf` workaround for <VS2015.
- examples/synctime: fix `-Wfloat-equal`.
- examples/synctime: exclude for non-Windows and non-UWP Windows.
- examples/synctime: build by default.
Viktor Szakats [Fri, 3 Oct 2025 01:12:39 +0000 (03:12 +0200)]
checksrc: fix to handle `)` predecing a banned function
Fixing:
```
Unmatched ) in regex; marked by <-- HERE in m/ \*buffer_len = \(ssize_t) <-- HERE
strtol\(/ at /home/runner/work/curl/curl/scripts/checksrc.pl line 916, <$R> line 380.
```
Ref: https://github.com/curl/curl/actions/runs/18209824275/job/51848079550#step:3:5
Stefan Eissing [Fri, 3 Oct 2025 12:15:04 +0000 (14:15 +0200)]
doh: inherit new custom ssl flags
The new custom_* flags in the SSL config need to be inherited when
setting up the doh easy handle, so that defaults apply the same way as
for the original easy handle.
Daniel Stenberg [Fri, 3 Oct 2025 08:51:46 +0000 (10:51 +0200)]
progress: expand to use 6 characters per size
Previously the progress meter used a maximum of five digits+letter in
the progress meter output: up to 99999 bytes and then 9999k, 9999M etc.
The output then used two spaces after the size between the next field in
the display.
This new approach uses one letter more with only one space in between
the fields. It makes it possible to show up to 999999 bytes and then
99999k, 99999M etc. The function uses a single decimal when outputting a
value less than 1000 in any unit. Like 999.9M.
Stefan Eissing [Thu, 2 Oct 2025 12:20:05 +0000 (14:20 +0200)]
vquic: handling of io improvements
- better tracing of what system call is used and how often
- ngtcp2: combine vquic_send into larger chunks
- ngtcp2: define own PMTU values and enable MTU probing
- ngtcp2: trace interesting remote transport parameters
Stefan Eissing [Wed, 24 Sep 2025 08:19:46 +0000 (10:19 +0200)]
ssl: support Apple SecTrust configurations
- configure/cmake support for enabling the option
- supported in OpenSSL and GnuTLS backends
- when configured, Apple SecTrust is the default trust store
for peer verification. When one of the CURLOPT_* for adding
certificates is used, that default does not apply.
- add documentation of build options and SSL use
Viktor Szakats [Thu, 2 Oct 2025 11:39:35 +0000 (13:39 +0200)]
INTERNALS: specify minimum version for Heimdal: 7.1.0
Released on 2016-Dec-19, it's the first "revamped" stable version, and
the earliest available as a source tarball at the official repository:
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.1.0
It's also the first version hosted by Homebrew. It builds fine locally
with curl, and also builds in CI with old linux: 7.1.0+dfsg-13+deb9u4.
Viktor Szakats [Wed, 1 Oct 2025 20:07:37 +0000 (22:07 +0200)]
CI: move no-verbose build from Circle CI to existing GHA jobs, with tests
To test it in GHA and catch issues at PR time. Before this patch,
Circle CI caught them after pushing to master (or non-fork PR
branches.) GHA also run runtests, pytests and static analysis on
these builds, after this patch.
- GHA/linux: enable no-verbose in an existing job.
- GHA/linux: enable no-verbose in the H3 scan-build job too.
- GHA/macos: enable no-verbose in one build (= 3 jobs with different
compilers).
- GHA/codeql: enable no-verbose in the MultiSSL Linux build.
- circleci: delete openssl no-verbose job in favor of the above.
Daniel Stenberg [Thu, 2 Oct 2025 06:30:52 +0000 (08:30 +0200)]
lib: remove personal names from comments
- it's just too random who got mentioned
- we can't mention all, so better consistently mention none
- make sure they all are mentioned in THANKS
- also remove some unnecessary comment ramblings
Daniel Stenberg [Thu, 2 Oct 2025 08:20:59 +0000 (10:20 +0200)]
tool_getparam: always disable "lib-ids" for tracing
Since the tool code itself adds the ids (controlled with "ids"), getting
them (also) added by the library adds nothing good. Always disable the
lib-ids even when "--trace-config all" is selected.
Also: change "== Info:" into just "* " to reduce output redundancy.
Ref: #18755 Reported-by: Alice Lee Poetics
Closes #18805
Viktor Szakats [Tue, 23 Sep 2025 08:17:29 +0000 (10:17 +0200)]
GHA/linux: add HTTP/3 c-ares scan-build and asan jobs
They use Linuxbrew instead of locally built components.
Linuxbrew limitations compared to the locally built components in
GHA/http3-linux:
- libngtcp2 currently supports OpenSSL only.
- wolfssl can't coexist with openssl.
- somewhat tricky configuration with autotools.
Upside is easy of use, always the latest versions (may be downside),
and availability of almost all packages.
Stefan Eissing [Wed, 1 Oct 2025 09:23:27 +0000 (11:23 +0200)]
openssl-quic: ignore unexpected streams opened by server
HTTP/3 defines "reserved stream types" that are intended to be ignored
by a receiver. This is part of the "greasing" effort that flexes parts
of the protocol that are needed for future extensions.
curl's OpenSSL-QUIC implementation treated all unexpected streams as
an error. Which seems the right thing to do *but* for these reserved types.
However OpenSSL does not expose this type and thus, curl needs to silently
discard all unexpected streams opened by the server to allow interop
with servers that flex the GREASE parts.
Daniel Stenberg [Fri, 26 Sep 2025 12:10:30 +0000 (14:10 +0200)]
cf-socket: tweak a memcpy() to read better
By checking the size of the actual buffer and using that as memcpy
target instead of another union member, this helps readers and static
code analyzers to determine that this is not a buffer overflow.
Viktor Szakats [Wed, 1 Oct 2025 10:12:30 +0000 (12:12 +0200)]
tidy-up: LibreSSL Git repository URLs and local CI builds
Also:
- point the source tarball to a working URL.
The GitHub release page misses the official source tarball for 4.1.1.
- GHA/linux: switch LibreSSL build to cmake (syncing with http3-linux.)
- GHA/macos: drop no longer needed LibreSSL build workaround.
Daniel Stenberg [Wed, 1 Oct 2025 06:19:35 +0000 (08:19 +0200)]
typos.toml: exclude more from typo checks
- exclude visual studio project templates
- exclude test cases
- allow 'proxys' which is used for "secure proxy" in test code
- allow Tru64 and secur32
Viktor Szakats [Mon, 29 Sep 2025 23:27:10 +0000 (01:27 +0200)]
build: avoid overriding system `open` and `stat` symbols
Replace them by `curlx_open()` and `curlx_stat()`.
To make it obvious in the source code what is being executed.
Also:
- tests/server: stop overriding `open()` for test servers.
This is critical for the call made from the signal handler.
For other calls, it's an option to use `curlx_open()`, but
doesn't look important enough to do it, following the path
taken with `fopen()`.
Viktor Szakats [Mon, 29 Sep 2025 23:46:33 +0000 (01:46 +0200)]
checksrc: fix possible endless loop when detecting `BANNEDFUNC`
If the source line had square brackets before the match, the stripping
of the banned function left the original line intact, and repeated the
check on it forever. E.g. with banned function `open` in `lib518.c`:
```c
t518_testfd[0] = open(DEV_NULL, O_RDONLY);
```
Viktor Szakats [Sun, 14 Sep 2025 13:34:18 +0000 (15:34 +0200)]
build: avoid overriding system symbols for fopen functions
By introducing wrappers for them in the curlx namespace:
`curlx_fopen()`, `curlx_fdopen()`, `curlx_fclose()`.
The undefine/redefine/`(function)()` methods broke on systems
implementing these functions as macros. E.g. AIX 32-bit's `fopen()`.
Also:
- rename `lib/fopen.*` to `lib/curl_fopen.*` (for `Curl_fopen()`)
to make room for the newly added `curlx/fopen.h`.
- curlx: move file-related functions from `multibyte.c` to `fopen.c`.
- tests/server: stop using the curl-specific `fopen()` implementation
on Windows. Unicode isn't used by runtests, and it isn't critical to
run tests on longs path. It can be re-enabled if this becomes
necessary, or if the wrapper receives a feature that's critical for
test servers.
Reported-by: Andrew Kirillov
Bug: https://github.com/curl/curl/issues/18510#issuecomment-3274393640
Viktor Szakats [Mon, 29 Sep 2025 20:48:55 +0000 (22:48 +0200)]
tests/server: drop unsafe `open()` override in signal handler (Windows)
Turns out the signal handler on Windows still wasn't signal safe after
the previous round of fix. There is an `open()` call made from there,
and `open` happens to be unconditionally overridden via `curl_setup.h`
on Windows, to its local implementation (`curlx_win32_open()`), which
does memory allocations and potentially other things that are not signal
safe.
This is a temporary fix, till avoiding the override of system symbols
`open` and `stat` on Windows.
FTR this did not fix the CI 2304 errors, diskspace fail or job hangs due
to 0xC0000142 fork failure (it's rare all three occurs in the same run):
https://github.com/curl/curl/actions/runs/18110523584?pr=18774
- fix to append to, not override, previously set linker options when
using `CURL_LIBCURL_VERSIONED_SYMBOLS=ON`. Before this patch, it was
overwriting linker options when using `CURL_CODE_COVERAGE=ON`.
Viktor Szakats [Tue, 16 Sep 2025 17:28:27 +0000 (19:28 +0200)]
tidy-up: miscellaneous
- GHA/checkdocs: rename `spellcheck` job to `pyspelling` to say
the exact tool used.
- GHA/checkdocs: restore a comment.
- GHA/linux: add `-B .` to a cmake configure to avoid warning, and
future breakage.
- autotools: use correct casing for `Schannel`.
- doh: update RFC URL.
- drop redundant parenthesis.
- fix indentation, whitespace.
Viktor Szakats [Wed, 24 Sep 2025 23:54:28 +0000 (01:54 +0200)]
perlcheck: add script, run in CI, fix fallouts
Add script to run all Perl sources through `perl -c` to ensure no
issues, and run this script via GHA/checksrc in CI.
Fallouts:
- fix two repeated declarations.
- move `shell_quote()` from `testutil.pm` to `pathhelp.pm`, to
avoid circular dependency in `globalconfig.pm`.
Stefan Eissing [Mon, 22 Sep 2025 13:48:07 +0000 (15:48 +0200)]
http: handle user-defined connection headers
When there is more than one user-supplied 'Connection: ' header, add
values that curl needs internally to the first one and emit all
subsequent ones thereafter.
Viktor Szakats [Thu, 25 Sep 2025 12:50:15 +0000 (14:50 +0200)]
GHA: use `pyspelling` directly
To avoid depending on Docker Hub, an Docker image and a GitHub Action.
Also to simplify running this check on a local machine.
Pending question if Dependabot and Mend/Renovate will automatically pick
up `requirements-docs.txt`.
Also:
- enable parallel spellchecking. (also to win back the time lost with
installing components directly from Debian and pip.)
- pin `pyspelling`.
- link to official `pyspelling` docs.
Viktor Szakats [Thu, 25 Sep 2025 11:14:36 +0000 (13:14 +0200)]
GHA: bump pip `cryptography`, relax `impacket` version requirement
Bump `cryptography` to a newer version that fixes two known OpenSSL
vulnerabilities reported by Dependabot.
To make it work, also allow `impacket` 0.11.0, because it allows any
pyOpenSSL version, while 0.12.0 pinned it to a single version that
happens to be incompatible with the bugfixed `cryptography` version.
Also: drop spaces from `requirements.txt` files. Bots don't add them,
though they seem to be preferred in the official documentation:
https://pip.pypa.io/en/stable/reference/requirements-file-format/
Stefan Eissing [Tue, 26 Aug 2025 13:54:32 +0000 (15:54 +0200)]
socks: rewwork, cleaning up socks state handling
Restructured the code in the following ways:
* add terminal states SUCCESS and FAILED
* split SOCK4 and SOCK5 states to be more clear
* use `bufq` for send/recv of SOCK messages
* reduce SOCKS4 states, more speaking names
* for most states, move code into static function
* reduce SOCKS5 states, more speaking names
* add helpers for traversing to FAILED state
* add helper to flush bufq
* add hepler to read minimum amount into bufq
projects / thirdparty / curl.git / log
