Viktor Szakats [Fri, 12 Dec 2025 00:55:30 +0000 (01:55 +0100)]
runtests: add options to set minimum number of tests, use them
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Stefan Eissing [Thu, 11 Dec 2025 15:02:41 +0000 (16:02 +0100)]
pytest: add tests using sshd
With either /usr/sbin/sshd found or configured via --with-test-sshd=path
add tests for SCP down- and uploads, insecure, with known hosts or not,
with authorized user key or unauthorized one.
Working now with libssh and libssh2, using a hashed known_hosts file.
Viktor Szakats [Sun, 7 Dec 2025 15:49:55 +0000 (16:49 +0100)]
tidy-up: miscellaneous
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from an URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
Viktor Szakats [Thu, 11 Dec 2025 01:46:24 +0000 (02:46 +0100)]
GHA/checkdocs: re-enable proselint, update setup, fix issues found
- update configuration and invocation.
- install via pip.
- drop a file exception.
- alpha sort proselint settings.
- FILEFORMAT: update text about XML compliance.
- CI job takes 22 seconds total.
Viktor Szakats [Wed, 10 Dec 2025 22:21:10 +0000 (23:21 +0100)]
runtests: add support for single-quoted attributes, use it
With this, all test data files are XML-compliant.
Also:
- test1158, test1186: use single quotes for the test filename attribute
containing a double quote. For XML-compliance.
- drop support for unquoted attributes. For XML-compliance.
Viktor Szakats [Tue, 5 Aug 2025 14:07:21 +0000 (16:07 +0200)]
autotools: tidy-up `if` expressions
- drop x-hacks for curl internal variables and certain autotools ones
that do not hold custom values.
- make x-hacks consistently use `"x$var" = "xval"` style.
- add a few x-hacks for input/external variables that may hold custom
values.
- prefer `-z` and `-n` to test empty/non-empty.
This also makes some x-hacks unnecessary.
- optimized negated test `-z` and `-n` options.
- prefer `&&` and `||` over `-a` and `-o`.
For better POSIX compatibility:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
- quote variables passed to `test`, where missing.
- quote string literals in comparisons.
- fix some indentation, whitespace.
Note that a few `case` statements also use the x-hack, which looks
unnecessary. This patch does not change them.
Verified by comparing feature detection results with a reference CI run
from before this patch (PR #19922).
Stefan Eissing [Wed, 10 Dec 2025 10:17:49 +0000 (11:17 +0100)]
pytest: quiche flakiness
Let nghttpx only use http/1.1 to backend. This reproduces the bug in
quiche with higher frequency. Allow test_14_05 to now return a 400 in
addition to the 431 we get from a h2 backend to nghttpx.
Skip test_05_02 in h3 on quiche not newer than version 0.24.4 in which
its bug is fixed: https://github.com/cloudflare/quiche/pull/2278
Viktor Szakats [Wed, 10 Dec 2025 10:47:40 +0000 (11:47 +0100)]
GHA/checkurls: add dry run on push
To verify if the basics work.
Downside is that the scheduled (live) runs are intermixed with the dry
runs and less obvious to find in the default list:
https://github.com/curl/curl/actions/workflows/checkurls.yml
This URL filters for scheduled runs only:
https://github.com/curl/curl/actions/workflows/checkurls.yml?query=event%3Aschedule
Seems fine, because we're only interested in red runs.
Stefan Eissing [Tue, 9 Dec 2025 14:48:52 +0000 (15:48 +0100)]
memdebug: fix realloc logging
Do the whole realloc and the subsequent logging under mutex lock. This
fixed log entries that state allocation a memory location before realloc
logs it as being freed.
Stefan Eissing [Tue, 9 Dec 2025 16:00:52 +0000 (17:00 +0100)]
test: increase altsvc test reliability
Move new tests from test_12 to test_06 (eyeballing) where they better
fit. Increase reliability by check Alt-Svc redirects from h3 to a lower
version for a port where no h3 is available.
Viktor Szakats [Tue, 9 Dec 2025 19:06:33 +0000 (20:06 +0100)]
build: set `-Wno-format-signedness`
Explicitly disable these warnings to allow using `-Weverything`.
There are around 600 of them across the codebase.
Silencing them has some drawbacks:
- enums (`CURLcode` mostly) would have to be cast to int to avoid
different signedness depending on C compiler.
(llvm/gcc: unsigned, MSVC/clang-cl: signed by default)
- hex masks need casts to unsigned to avoid the warning.
- fixing remaining warnings is annoying without fixing the above.
- without fixing all warnings the option cannot be enabled, to keep
the codebase warning free.
Viktor Szakats [Wed, 8 Oct 2025 14:20:54 +0000 (16:20 +0200)]
DEPRECATE: add CMake <3.18 deprecation for April 2026
CMake 3.18 was released on 2020-07-15.
It enables using (and/or dropping workarounds) for these features:
LTO support, better performance and pkg-config support, `OBJECT` target,
`-S`, `-B`, `--verbose`, `--install` on the command-line, lib directory
support in interface targets, target_link_options(), LINK_OPTIONS,
FetchContent, `list(PREPEND ...)`, unity, Ninja, fixed imported global
issues.
Viktor Szakats [Tue, 9 Dec 2025 09:31:20 +0000 (10:31 +0100)]
windows: assume `USE_WIN32_LARGE_FILES`
All Windows platforms support it. It was permanently enabled with most
build methods. The exception is autotools where it is enabled by
default, with an option to disable it. It changed the build in a few
places for rarely tested code paths, but not bringing other advantages
(and used some 64-bit APIs anyway). This patch makes autotools'
`--disable-largefile` option a no-op for Windows.
Stefan Eissing [Mon, 8 Dec 2025 12:36:19 +0000 (13:36 +0100)]
alt-svc: more flexibility on same destination
When the Alt-Svc points to the same host and port, add the destination
ALPN to the `wanted` versions and set it also as the `preferred` version
in negotiations.
This allows Alt-Svc for h3 to point to h2 and have it tried first. Also,
this allows Alt-Svc to say http/1.1 is preferred and changes the ALPN
protocol ordering for the TLS handshake.
Add tests in various combination to verify this works.
Reported-by: yushicheng7788 on github
Fixes #19740
Closes #19874
Viktor Szakats [Tue, 9 Dec 2025 13:27:44 +0000 (14:27 +0100)]
GHA/windows: re-enable `taskkill`
Nothing conclusive for the last ~30 days when `taskkill` was made
a no-op. Jobs remained flaky with all known failure modes. Sometimes
they finish green on the first run, sometimes they fail. Hard to say
more without comparing detailed stats for this period and the
preceding (or upcoming) one.
In almost all runs, the PID to be killed did not exist at the time of
check.
Yedaya Katsman [Tue, 2 Dec 2025 17:40:07 +0000 (19:40 +0200)]
test: add test 2090 for SSLKEYLOGFILE structure
Only the TLS 1.2 structure for now since it's simpler, and only has a
single label type. This has the bonus of also testing libressl that only
supports logging keys in TLS 1.2
Viktor Szakats [Mon, 8 Dec 2025 15:44:29 +0000 (16:44 +0100)]
tidy-up: URLs
- to avoid dupes.
- missing slashes.
- drop `.git` suffix from GitHub git repo URLs for a few outliers.
- use short YouTube URL like curl-www does.
- sync two RFC doc URLs with others.
Viktor Szakats [Sun, 7 Dec 2025 16:36:54 +0000 (17:36 +0100)]
CI/windows: add torture tests with Schannel
With Schannel and Unicode, `-shallow=13`. It finishes in 12 minutes,
making it the slowest Windows job. It's still on par with torture jobs
on other platforms (though they manage to fit `-shallow=25`).
Also `-shallow=13` still caught leaks in multiple tests.
Also:
- test2300: exclude from CI Windows torture tests.
- experimental.
The downside of going with deeper torture tests, is that it requires
increasing the job timeout. This in turns means that a hung job takes
more minutes to be killed (due to GitHub bugs where a hung step does not
honor the per-step timeout on Windows, another bug where a hung job gets
killed +5 minutes above the workflow timeout, and another bug (or
feature?) where other failed/hung jobs in the the workflow cannot be
restarted till the last job finishes or gets killed. And all this
probably related to a Perl bug which makes it hang on fork errors, which
is turn related to Cygwin/MSYS2 runtime bugs which breaks fork in case
of curl's mixed MSYS2-Perl/native-curl-binaries environment.)
The end result in longer forced waits before being able to restart flaky
jobs, which slows down iterations and annoying.
Also tried:
- non-c-ares job: detected known issues much less often.
- replaced libidn2 with WinIDN: detected known issues much less often.
- runtests -j9-j20 values: did not make a difference.
- other `-shallow` values: 20 is the max feasible, but comes with the
downside described above.
Viktor Szakats [Sun, 7 Dec 2025 19:03:38 +0000 (20:03 +0100)]
sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
Detected by Windows torture test 1072 (with `-shallow=20/13`),
test 579 (with `-shallow=18/14/13`), and test 1286 (with `-shallow=15`).
```
** MEMORY FAILURE
Leak detected: memory still allocated: 20 bytes
At 1a1e8136328, there is 18 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:133
At 1a1e8139368, there is 2 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:143
1072: torture FAILED: function number 207 in test.
invoke with "-t207" to repeat this single case.
Warning: http2 server unexpectedly alive
```
Ref: https://github.com/curl/curl/actions/runs/20008523913/job/57374427439?pr=19865
Daniel Stenberg [Sun, 7 Dec 2025 12:49:33 +0000 (13:49 +0100)]
cookie: when parsing a cookie header, delay all allocations until okay
To avoid wasting time allocating data for incoming cookies that are
discarded for one reason or another, delay allocations until after
verifications are done.
Daniel Stenberg [Sun, 7 Dec 2025 12:17:24 +0000 (13:17 +0100)]
cookie: allocate the main struct once cookie is fine
This delays the allocating of the cookie struct until after all the
checks have been done, as many cookies are received and discarded
instead of accepted and this then saves one allocation for every
discarded cookie.
Viktor Szakats [Fri, 5 Dec 2025 13:53:35 +0000 (14:53 +0100)]
wolfssl: fix possible assert with `!HAVE_NO_EX` wolfSSL builds
Without this option `wolfSSL_get_app_data()` always returns NULL.
Disable codepaths using it (and its `set` pair) when curl is built
against a wolfSSL library with this option missing.
wolfSSL can be built with the `--enable-context-extra-user-data` or
`-DWOLFSSL_EX_DATA` option to enable this feature. Some higher-level
features also enable it automatically like QUIC, ASIO.
formdata: validate callback is non-NULL before use
curl_formget() accepts a user-provided callback function but does not
validate it is non-NULL before calling it. If a caller passes NULL,
the function will crash with SIGSEGV.
Add NULL check at the start of the function to return an appropriate
error code instead of crashing.
Signed-off-by: Robert W. Van Kirk <robert@rwvk.tech>
Closes #19858
projects / thirdparty / curl.git / log
