Reported-by: Kai Pastor
Reported-by: Tal Regev
Bug: https://github.com/microsoft/vcpkg/pull/46444#pullrequestreview-3026575393
Ref: https://github.com/microsoft/vcpkg/pull/46444/commits/3a845c4b15066e8167bb4708007180fb6bedf40d
Stefan Eissing [Wed, 16 Jul 2025 09:10:13 +0000 (11:10 +0200)]
openssl: some small cleanups
- rename Curl_oss_check_peer_cert() to Curl_ossl_check_peer_cert()
- leave altname match loop after the first success when the match
was an ip address
- remove static subj_alt_hostcheck() since it did not really do much
- use length based infof() output of altname, even though it does
seem always to be nul terminated
Viktor Szakats [Fri, 11 Jul 2025 16:02:32 +0000 (18:02 +0200)]
test1706: pass include directory to `managen` for out-of-tree builds
Fixing:
```
readline() on closed filehandle INC at ../../curl-99.98.97/tests/../scripts/managen line 1299.
```
Ref: https://github.com/curl/curl/actions/runs/16224106087/job/45811979199?pr=17877#step:3:8545
Stefan Eissing [Mon, 14 Jul 2025 09:41:59 +0000 (11:41 +0200)]
connection: clarify `transport`
The `transport` to use for a transfer, e.g. TCP/QUIC/UNIX/UDP, is
initially selected by options and protocol used. This is set at the
`struct connectdata` as `transport` member.
During connection establishment, this transport may change due to
Alt-Svc or Happy-Eyeballing. Most common is the switch from TCP to QUIC.
Rename the connection member to `transport_wanted` and add a way to
query the connection for the transport in use via a new connection
filter query.
The filter query can also be used in the happy eyeballing attempts when
code needs to know which transport is used by the "filter below". This
happens in wolfssl initialization, as one example.
When using winbuild or Visual Studio IDE Project Files.
To simplify and prepare for dropping support for VS2008.
Details:
- fix VS2012 default target to be Windows 8 (was Vista).
Confirmed by CI:
```
-- The C compiler identification is MSVC 17.0.61030.0
-- Found _WIN32_WINNT=0x0602
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/51594696/job/elbl0w5n7fmoos2f#L45
It also aligns with the default being Windows 7 for VS2010,
and Windows Vista for VS2008.
- bump minimum target to XP (was Windows 2000) when using VS2008.
curl requires XP.
- add Windows release names to comments for clarity.
- add hex Windows version to a comment for clarity.
- merge VS2008/VS2012 minimum/default logic and comments.
- reduce scope of local minimum/default macros.
- shorten comments to fit within line limit.
Daniel Stenberg [Mon, 14 Jul 2025 06:59:04 +0000 (08:59 +0200)]
VULN-DISCLOSURE-POLICY.md: 7 days embargo is max
It was recently updated in this doc to seven, but there were *two*
numbers mentioned and only one of them was updated leaving the paragraph
quite confusing.
Viktor Szakats [Sun, 13 Jul 2025 01:28:19 +0000 (03:28 +0200)]
GHA: minor tidy-ups
- GHA/checksrc: make a step name more accurate.
- cmakelint.sh: make sure to run from project root.
To make it easier to run locally.
- cmakelint.sh: use `set -eu`.
Viktor Szakats [Sat, 12 Jul 2025 16:07:51 +0000 (18:07 +0200)]
GHA/checksrc: use Linux for CI checks, merge job into misc checks
CI check used macOS before this patch, but with the help of Linuxbrew,
latest zizmor and shellcheck are also available on Linux.
Also:
- migrate CI checks to the misc check workflow, to make both shellcheck
use the same, latest, shellcheck version, and to save the overhead of
an extra workflow.
Daniel McCarney [Fri, 11 Jul 2025 20:19:12 +0000 (16:19 -0400)]
lib/vts: fix a copy-pasted early data comment typo
In gtls.c there was a typo'd comment that I think was missing the word
"no" to indicate there's "no GnuTLS way to signal no EarlyData".
This commit fixes that typo, and also updates a copy-pasted instance
that made it into wolfssl.c where it should refer to the WolfSSL API
missing the capability, not GnuTLS.
Viktor Szakats [Wed, 9 Jul 2025 22:36:03 +0000 (00:36 +0200)]
test1175: fix to run, and fix documentation issues detected
Fix test 1175 by passing the source root directory (was: tests).
Before this patch this caused silent Perl warnings and returning success
without executing the tests, due to:
```
readline() on closed filehandle $f at ../../tests/test1175.pl line 55.
readline() on closed filehandle $f at ../../tests/test1175.pl line 39.
```
Running the test revealed these issues:
```
CURLE_FUNCTION_NOT_FOUND is not in libcurl-errors.md
CURLE_HTTP_POST_ERROR is not in libcurl-errors.md
CURLE_TELNET_OPTION_SYNTAX is not in libcurl-errors.md
CURLM_CALL_MULTI_SOCKET is not in libcurl-errors.md
```
Apply fixes:
- mark `CURLE_FUNCTION_NOT_FOUND` deprecated by 7.53.0
- mark `CURLE_HTTP_POST_ERROR` deprecated by 7.56.0
- mark `CURLE_TELNET_OPTION_SYNTAX` deprecated by 7.78.0
- document `CURLM_CALL_MULTI_SOCKET` as a synonym for
`CURLM_CALL_MULTI_PERFORM`
- test1477: exclude `CURLM_CALL_MULTI_SOCKET`.
But, these weren't officially deprecated. It may need more updates
to reflect that in other places, or fix the issues differently.
Viktor Szakats [Thu, 10 Jul 2025 07:55:02 +0000 (09:55 +0200)]
checksrc-all: rewrite in Perl, remove `checksrc.bat`
`checksrc.bat` was outdated and required Perl for `checksrc.pl` anyway.
Rewrite `checksrc-all.sh` in Perl, making it usable in envs without
a POSIX shell.
Viktor Szakats [Wed, 9 Jul 2025 14:33:17 +0000 (16:33 +0200)]
libtests: more header tidy-ups
- make `test*` sources include `first.h`, like all others.
- drop redundant `curlx/*` includes after the above.
- merge `test.h` into `first.h`, now that no other file uses it.
(and `first.h` had almost no content.)
To simplify and sync header structure with other tests.
Viktor Szakats [Wed, 9 Jul 2025 11:01:57 +0000 (13:01 +0200)]
test1499, 1599: use `%LOGDIR`
Fixing test 1599 also fixes these warnings in the test log:
```
Use of uninitialized value in join or string at /home/runner/work/curl/curl/tests/runner.pm line 774.
```
https://github.com/curl/curl/actions/runs/16157402085/job/45602590085?pr=17768#step:39:743
Assisted-by: Daniel Stenberg
Fixes #17871
Closes #17874
Viktor Szakats [Tue, 8 Jul 2025 22:43:44 +0000 (00:43 +0200)]
tests: move `curlcheck.h` to libtest as `unitcheck.h`
To simplify dependencies, and sync tunits and units builds further.
`curlcheck.h` already depended on logic implemented within libtests:
it referenced a global variable (`unitfail`) defined in `first.c` and
declared in `test.h`.
Also:
- rename to `unitcheck.h` to indicate it's meant for unit tests.
- make `unitcheck.h` include `first.h` instead of `test.h`.
This brings header use closer to libtests. It also includes
`curlx/curlx.h` for all unit tests by default now.
- move `unitfail` declaration from `test.h` to `first.h`.
To match its definition in `first.c`.
- drop now redundant per-test curlx header includes.
Viktor Szakats [Tue, 8 Jul 2025 20:38:02 +0000 (22:38 +0200)]
tests: fix 1301, 1308 to fail on error
They were using a macro designed for unit tests. It does not fail when
used in libtests. Make similar macros for these tests, and make them
return a failure.
Also:
- makes these two tests align with the rest of libtests, by including
`first.h` instead of `curlcheck.h`.
- since libtests no longer need to depend on tests/unit, drop this
dependency from build scripts.
Viktor Szakats [Mon, 7 Jul 2025 09:46:26 +0000 (11:46 +0200)]
windows: drop redundant `curl_wcsdup_callback` callback
This callback was permanently mapped to libcurl's internal
`Curl_wcsdup()`, which always uses the customizable malloc for
allocation, thus making a custom mapping redundant anyway.
To simplify, drop the callback and map `_tcsdup()` in Unicode mode
directly to `Curl_wcsdup()`.
Also fixes:
- `curl_global_init()` which, before this patch, (re)initialized its
mapping to `_wcsdup()`, returning buffers potentially incompatible
with a custom allocator.
Bug: https://github.com/curl/curl/pull/17840#issuecomment-3044361245
Bug: https://github.com/curl/curl/pull/7540#issuecomment-2380995349
Co-reported-by: Luca Kellermann
Follow-up to 76e047fc27b3a0b9e6d6d00cacf536e7b7c1b532 #7540
Assisted-by: Jay Satiro
Closes #17843
Daniel Stenberg [Fri, 4 Jul 2025 21:57:03 +0000 (23:57 +0200)]
runtests: support memory-limits per test
The idea here is to set limits per test on how many allocations and the
maximum amount of memory it is allowed to use. This is a means to make
sure the number and total size of allocations are kept in check and don't
mistakenly "blow up".
If runtests.pl detects that the given limits have been exceeded it fails
the test case with an error.
The `<verify>` part now supports `<limits>`, and in this section two
limits can be set for each test (verified in debug builds only):
    Allocations: [number of allocation calls]
    Maximum allocated: [maximum concurrent memory allocated]
Default limits (used if nothing is set in the test file):
Viktor Szakats [Mon, 7 Jul 2025 14:19:24 +0000 (16:19 +0200)]
CI: sync curl download command-line options
- circleci: pipe to tar.
- use long options uniformly.
- sync option order.
- set timeout where missing.
- set retry where missing.
- set `--retry-connrefused` where missing.
- set `--disable` where missing.
- lower 999s timeouts to 120s.