Viktor Szakats [Sun, 7 Dec 2025 15:49:55 +0000 (16:49 +0100)]
tidy-up: miscellaneous
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from a URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
Viktor Szakats [Thu, 11 Dec 2025 01:46:24 +0000 (02:46 +0100)]
GHA/checkdocs: re-enable proselint, update setup, fix issues found
- update configuration and invocation.
- install via pip.
- drop a file exception.
- alpha sort proselint settings.
- FILEFORMAT: update text about XML compliance.
- CI job takes 22 seconds total.
Viktor Szakats [Wed, 10 Dec 2025 22:21:10 +0000 (23:21 +0100)]
runtests: add support for single-quoted attributes, use it
With this, all test data files are XML-compliant.
Also:
- test1158, test1186: use single quotes for the test filename attribute
containing a double quote. For XML-compliance.
- drop support for unquoted attributes. For XML-compliance.
Viktor Szakats [Tue, 5 Aug 2025 14:07:21 +0000 (16:07 +0200)]
autotools: tidy-up `if` expressions
- drop x-hacks for curl internal variables and certain autotools ones
that do not hold custom values.
- make x-hacks consistently use `"x$var" = "xval"` style.
- add a few x-hacks for input/external variables that may hold custom
values.
- prefer `-z` and `-n` to test empty/non-empty.
This also makes some x-hacks unnecessary.
- optimized negated test `-z` and `-n` options.
- prefer `&&` and `||` over `-a` and `-o`.
For better POSIX compatibility:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
- quote variables passed to `test`, where missing.
- quote string literals in comparisons.
- fix some indentation, whitespace.
Note that a few `case` statements also use the x-hack, which looks
unnecessary. This patch does not change them.
Verified by comparing feature detection results with a reference CI run
from before this patch (PR #19922).
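The quoting and operator rules listed in this commit message, as an added shell example (not taken from curl's build scripts). Function names are hypothetical and the input values are constructed; each weak form sits beside the form the message prefers.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from curl's m4 files.

# Weak: unquoted operand. An empty value turns this into `test -n`, a
# one-argument test of the literal string "-n", which succeeds.
nonempty_unquoted() {
  # shellcheck disable=SC2086,SC2070
  test -n $1
}

# Preferred: quoted operand, so an empty value stays an empty string.
nonempty_quoted() {
  test -n "$1"
}

# x-hack for an external value: the leading "x" keeps values such as
# "-n", "!" or "(" from being read as `test` operators.
is_yes() {
  test "x$1" = "xyes"
}

# Preferred over `test -n "$1" -a "x$1" != "xno"`: two simple tests joined
# by the shell's `&&` instead of one multi-argument expression using `-a`.
is_enabled() {
  test -n "$1" && test "x$1" != "xno"
}

# Count the constructed values for which the unquoted and quoted forms
# disagree. stderr is dropped because the weak form may print syntax errors.
count_disagreements() {
  n=0
  for v in "" "yes" "a b" "-n" "!" "("; do
    if nonempty_unquoted "$v" 2>/dev/null; then a=0; else a=1; fi
    if nonempty_quoted "$v"; then b=0; else b=1; fi
    if [ "$a" -ne "$b" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

echo "values where unquoted and quoted -n disagree: $(count_disagreements)"
```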
Stefan Eissing [Wed, 10 Dec 2025 10:17:49 +0000 (11:17 +0100)]
pytest: quiche flakiness
Let nghttpx only use http/1.1 to backend. This reproduces the bug in
quiche with higher frequency. Allow test_14_05 to now return a 400 in
addition to the 431 we get from a h2 backend to nghttpx.
Skip test_05_02 in h3 on quiche not newer than version 0.24.4 in which
its bug is fixed: https://github.com/cloudflare/quiche/pull/2278
Viktor Szakats [Wed, 10 Dec 2025 10:47:40 +0000 (11:47 +0100)]
GHA/checkurls: add dry run on push
To verify if the basics work.
Downside is that the scheduled (live) runs are intermixed with the dry
runs and less obvious to find in the default list:
https://github.com/curl/curl/actions/workflows/checkurls.yml
This URL filters for scheduled runs only:
https://github.com/curl/curl/actions/workflows/checkurls.yml?query=event%3Aschedule
Seems fine, because we're only interested in red runs.
Stefan Eissing [Tue, 9 Dec 2025 14:48:52 +0000 (15:48 +0100)]
memdebug: fix realloc logging
Do the whole realloc and the subsequent logging under mutex lock. This
fixed log entries that state allocation of a memory location before realloc
logs it as being freed.
Stefan Eissing [Tue, 9 Dec 2025 16:00:52 +0000 (17:00 +0100)]
test: increase altsvc test reliability
Move new tests from test_12 to test_06 (eyeballing) where they better
fit. Increase reliability by checking Alt-Svc redirects from h3 to a lower
version for a port where no h3 is available.
Viktor Szakats [Tue, 9 Dec 2025 19:06:33 +0000 (20:06 +0100)]
build: set `-Wno-format-signedness`
Explicitly disable these warnings to allow using `-Weverything`.
There are around 600 of them across the codebase.
Silencing them has some drawbacks:
- enums (`CURLcode` mostly) would have to be cast to int to avoid
different signedness depending on C compiler.
(llvm/gcc: unsigned, MSVC/clang-cl: signed by default)
- hex masks need casts to unsigned to avoid the warning.
- fixing remaining warnings is annoying without fixing the above.
- without fixing all warnings the option cannot be enabled, to keep
the codebase warning free.
Viktor Szakats [Wed, 8 Oct 2025 14:20:54 +0000 (16:20 +0200)]
DEPRECATE: add CMake <3.18 deprecation for April 2026
CMake 3.18 was released on 2020-07-15.
It enables using (and/or dropping workarounds) for these features:
LTO support, better performance and pkg-config support, `OBJECT` target,
`-S`, `-B`, `--verbose`, `--install` on the command-line, lib directory
support in interface targets, target_link_options(), LINK_OPTIONS,
FetchContent, `list(PREPEND ...)`, unity, Ninja, fixed imported global
issues.
Viktor Szakats [Tue, 9 Dec 2025 09:31:20 +0000 (10:31 +0100)]
windows: assume `USE_WIN32_LARGE_FILES`
All Windows platforms support it. It was permanently enabled with most
build methods. The exception is autotools where it is enabled by
default, with an option to disable it. It changed the build in a few
places for rarely tested code paths, but not bringing other advantages
(and used some 64-bit APIs anyway). This patch makes autotools'
`--disable-largefile` option a no-op for Windows.
Stefan Eissing [Mon, 8 Dec 2025 12:36:19 +0000 (13:36 +0100)]
alt-svc: more flexibility on same destination
When the Alt-Svc points to the same host and port, add the destination
ALPN to the `wanted` versions and set it also as the `preferred` version
in negotiations.
This allows Alt-Svc for h3 to point to h2 and have it tried first. Also,
this allows Alt-Svc to say http/1.1 is preferred and changes the ALPN
protocol ordering for the TLS handshake.
Add tests in various combinations to verify this works.
Reported-by: yushicheng7788 on github
Fixes #19740
Closes #19874
Viktor Szakats [Tue, 9 Dec 2025 13:27:44 +0000 (14:27 +0100)]
GHA/windows: re-enable `taskkill`
Nothing conclusive for the last ~30 days when `taskkill` was made
a no-op. Jobs remained flaky with all known failure modes. Sometimes
they finish green on the first run, sometimes they fail. Hard to say
more without comparing detailed stats for this period and the
preceding (or upcoming) one.
In almost all runs, the PID to be killed did not exist at the time of
check.
Yedaya Katsman [Tue, 2 Dec 2025 17:40:07 +0000 (19:40 +0200)]
test: add test 2090 for SSLKEYLOGFILE structure
Only the TLS 1.2 structure for now since it's simpler, and only has a
single label type. This has the bonus of also testing libressl that only
supports logging keys in TLS 1.2.
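A structural check for TLS 1.2 key log entries of the kind this test targets, as an added example (not curl's test 2090). It assumes the NSS key log format, in which a TLS 1.2 entry is the label `CLIENT_RANDOM`, 64 hex digits of client random and 96 hex digits of master secret; function names and sample data are constructed.

```shell
#!/bin/sh
# Added illustration; function names and sample values are constructed.

# Repeat character $2 $1 times (used to build fake hex fields).
rep() { awk -v n="$1" -v c="$2" 'BEGIN { while (n-- > 0) printf "%s", c }'; }

# Write a constructed key log to file $1: a comment, one well-formed
# TLS 1.2 entry and, when $2 is "bad", a short secret and an unexpected label.
make_sample() {
  {
    echo "# constructed sample, not real key material"
    echo "CLIENT_RANDOM $(rep 64 a) $(rep 96 b)"
    if [ "x$2" = "xbad" ]; then
      echo "CLIENT_RANDOM $(rep 64 a) $(rep 95 b)"
      echo "SOME_OTHER_LABEL $(rep 64 a) $(rep 96 b)"
    fi
  } > "$1"
}

# Print the number of malformed entries in key log file $1. Succeeds only
# when there is at least one entry and none is malformed. Field contents
# are never echoed, because they are secrets.
keylog_tls12_check() {
  awk '
    /^#/ || /^[ \t]*$/ { next }
    {
      n++
      if (!(NF == 3 && $1 == "CLIENT_RANDOM" &&
            length($2) == 64 && $2 ~ /^[0-9A-Fa-f]+$/ &&
            length($3) == 96 && $3 ~ /^[0-9A-Fa-f]+$/)) bad++
    }
    END { print bad + 0; exit (bad > 0 || n == 0) }
  ' "$1"
}

# Stand-alone demo on the constructed "bad" sample.
tmp=$(mktemp) && make_sample "$tmp" bad
echo "malformed entries: $(keylog_tls12_check "$tmp" || true)"
rm -f "$tmp"
```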
Viktor Szakats [Mon, 8 Dec 2025 15:44:29 +0000 (16:44 +0100)]
tidy-up: URLs
- to avoid dupes.
- missing slashes.
- drop `.git` suffix from GitHub git repo URLs for a few outliers.
- use short YouTube URL like curl-www does.
- sync two RFC doc URLs with others.
Viktor Szakats [Sun, 7 Dec 2025 16:36:54 +0000 (17:36 +0100)]
CI/windows: add torture tests with Schannel
With Schannel and Unicode, `-shallow=13`. It finishes in 12 minutes,
making it the slowest Windows job. It's still on par with torture jobs
on other platforms (though they manage to fit `-shallow=25`).
Also `-shallow=13` still caught leaks in multiple tests.
Also:
- test2300: exclude from CI Windows torture tests.
- experimental.
The downside of going with deeper torture tests is that it requires
increasing the job timeout. This in turn means that a hung job takes
more minutes to be killed (due to GitHub bugs where a hung step does not
honor the per-step timeout on Windows, another bug where a hung job gets
killed +5 minutes above the workflow timeout, and another bug (or
feature?) where other failed/hung jobs in the workflow cannot be
restarted till the last job finishes or gets killed. And all this is
probably related to a Perl bug which makes it hang on fork errors, which
is in turn related to Cygwin/MSYS2 runtime bugs which break fork in case
of curl's mixed MSYS2-Perl/native-curl-binaries environment.)
The end result is longer forced waits before being able to restart flaky
jobs, which slows down iterations and is annoying.
Also tried:
- non-c-ares job: detected known issues much less often.
- replaced libidn2 with WinIDN: detected known issues much less often.
- runtests -j9-j20 values: did not make a difference.
- other `-shallow` values: 20 is the max feasible, but comes with the
downside described above.
Viktor Szakats [Sun, 7 Dec 2025 19:03:38 +0000 (20:03 +0100)]
sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
Detected by Windows torture test 1072 (with `-shallow=20/13`),
test 579 (with `-shallow=18/14/13`), and test 1286 (with `-shallow=15`).
```
** MEMORY FAILURE
Leak detected: memory still allocated: 20 bytes
At 1a1e8136328, there is 18 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:133
At 1a1e8139368, there is 2 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:143
1072: torture FAILED: function number 207 in test.
invoke with "-t207" to repeat this single case.
Warning: http2 server unexpectedly alive
```
Ref: https://github.com/curl/curl/actions/runs/20008523913/job/57374427439?pr=19865
Daniel Stenberg [Sun, 7 Dec 2025 12:49:33 +0000 (13:49 +0100)]
cookie: when parsing a cookie header, delay all allocations until okay
To avoid wasting time allocating data for incoming cookies that are
discarded for one reason or another, delay allocations until after
verifications are done.
Daniel Stenberg [Sun, 7 Dec 2025 12:17:24 +0000 (13:17 +0100)]
cookie: allocate the main struct once cookie is fine
This delays the allocating of the cookie struct until after all the
checks have been done, as many cookies are received and discarded
instead of accepted and this then saves one allocation for every
discarded cookie.
Viktor Szakats [Fri, 5 Dec 2025 13:53:35 +0000 (14:53 +0100)]
wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds
Without this option `wolfSSL_get_app_data()` always returns NULL.
Disable codepaths using it (and its `set` pair) when curl is built
against a wolfSSL library with this option missing.
wolfSSL can be built with the `--enable-context-extra-user-data` or
`-DWOLFSSL_EX_DATA` option to enable this feature. Some higher-level
features also enable it automatically like QUIC, ASIO.
formdata: validate callback is non-NULL before use
curl_formget() accepts a user-provided callback function but does not
validate it is non-NULL before calling it. If a caller passes NULL,
the function will crash with SIGSEGV.
Add NULL check at the start of the function to return an appropriate
error code instead of crashing.
Signed-off-by: Robert W. Van Kirk <robert@rwvk.tech>
Closes #19858
Viktor Szakats [Fri, 5 Dec 2025 15:14:19 +0000 (16:14 +0100)]
test1498: disable 'HTTP PUT from stdin' test on Windows
Test became flaky with memanalyze errors after merging #19845,
in a TrackMemory Windows Unicode c-ares openssl-quic build:
GHA/windows: mingw, AM x86_64 c-ares U.
Disable it until further investigation.
This test uses the Windows-specific multi-threaded stdin code
that caused issues in the past. It's also using `TerminateThread()`,
that apps aren't supposed to.
Viktor Szakats [Thu, 4 Dec 2025 21:48:20 +0000 (22:48 +0100)]
tidy-up: avoid `(())`, clang-format fixes and more
- drop redundant parentheses from macro definitions.
- apply clang-format in some places missed earlier.
- wolfssl: fix a macro guard comment.
- curl_setup.h: drop empty lines
- FAQ: fix C formatting.
Viktor Szakats [Thu, 4 Dec 2025 22:54:25 +0000 (23:54 +0100)]
curlx: limit use of system allocators to the minimum possible
Clone a multibyte conversion function into curlx/fopen, and use that
local copy from curlx/fopen functions. Adjust allocators in curlx/fopen
to use curl's in normal builds, and system allocators in TrackMemory
builds to avoid recursion.
This allows switching curlx/multibyte functions to curl allocators in
all configurations, as they are no longer called by curlx/fopen, and
a recursive call can no longer happen.
After this patch the system allocator is only used in TrackMemory
Windows builds, within curlx `fopen`, `freopen`, `stat` and `open`
functions.
Also:
- test 1, 440, 767: raise allocation limits to fit the extra allocations
in Windows Unicode builds.
- replace all uses of `curlx_unicodefree()` macro with `curlx_free()`
across the codebase.
- curlx/multibyte: delete `curlx_unicodefree()`.
- ldap: join Windows and non-Windows codepaths that became
identical after moving from `curlx_unicodefree()` to `curlx_free()`.
- vauth: drop a strdup from standard to curl allocator since
the original allocation is now already done by curl's.
- tool_doswin: drop now superfluous strdup from `FindWin32CACert()`.
- memanalyzer.pm: sync weirdo `calloc` log message with `malloc`'s.
Viktor Szakats [Fri, 5 Dec 2025 11:43:37 +0000 (12:43 +0100)]
ldap: improve detection of Apple LDAP
When detecting the Apple fork of "legacy" LDAP, replace the `__APPLE__`
macro (which can be present also when using an old mainline OpenLDAP
while building for an Apple platform) with `LDAP_OPT_X_TLS_PASSPHRASE`
which is an Apple-specific macro, merged by Apple in 2007, later adding
the comment 'Apple Specific code'. This macro hasn't been retrofitted
to OpenLDAP since then, and that is unlikely to happen in the future.
Stefan Eissing [Tue, 2 Dec 2025 14:53:29 +0000 (15:53 +0100)]
tests/servers: put unix-domain-path inside LOGDIR
Change Unix domain socket paths from `/tmp/curl-socksd-<random>` to
`/drive/path/to/LOGDIR/PIDDIR/*-uds` to avoid having to create and
delete them before use. Also to use a path which remains an absolute one
while passed from MSYS2 Perl to native Windows curl tool and test server
via the command-line, and keep pointing to the same location, fixing:
```
=== Start of file commands.log
../src/curl.exe -q --output log/3/curl1468.out --include --trace-ascii log/3/trace1468
--trace-time http://this.is.a.host.name:64405/1468
--proxy socks5h://localhost/tmp/curl-socksd-YnbvRo98 [...]
=== End of file commands.log
=== Start of file socks2_server.log
[...]
14:11:54.597968 Listening on Unix socket D:/a/_temp/msys64/tmp/curl-socksd-YnbvRo98
```
Ref: https://github.com/curl/curl/actions/runs/19896583933/job/57028545111?pr=19812
The curl tool is pending #19825 to fix accepting an absolute unix domain
socket path on Windows.