Stefan Eissing [Wed, 28 Jan 2026 16:20:57 +0000 (17:20 +0100)]
url.c: code/comment cleanup around conn creation
Several comments were outdated and parameters to create_conn() and
ConnectionExists() were not needed. Give functions better names and
consistently use terms `needle` and `conn`.
Stefan Eissing [Tue, 3 Feb 2026 09:18:13 +0000 (10:18 +0100)]
multi: update timer unconditionally in multi_remove_handle
When removing an easy handle from a multi, there was an optimization
to update the timer only when the removed handle had any timers.
With the introduction of the "dirty" bitset, easy handles can now cause
a timeout of 0 to be set without having anything in their timer list.
Removing such a handle needs to update the timer now always, so that
it may get cleared when there is nothing more to wait for.
The previous "not clearing a 0 timer" should not have any effect on
application's logic. Without clearing, the timer will fire and then
adjust itself to the proper value. But it would cause one more timer
fire than necessary.
Reported-by: Jan Macku
Fixes https://github.com/curl/curl/issues/20498
Closes https://github.com/curl/curl/pull/20502
Viktor Szakats [Mon, 2 Feb 2026 18:02:34 +0000 (19:02 +0100)]
build: require POSIX `strdup()`
Stop detecting this function and drop the local fallback.
Let us know if this update is causing an issue.
Notes:
- on Windows `_strdup()` is required instead.
- `strdup()/_strdup()` were required before this patch to build one of
the examples: `block_ip`.
- `strdup()/_strdup()` were required in 8.18.0 and earlier to build
tests.
Viktor Szakats [Mon, 2 Feb 2026 13:08:14 +0000 (14:08 +0100)]
build: tidy up and dedupe `strdup` functions
- de-dupe lib/src strdup/memdup functions into curlx.
- introduce `CURLX_STRDUP_LOW()` for mapping `strdup()`, and to do it at
one place within the code, in `curl_setup.h`.
- tests/server: use `curlx_strdup()`. (Also to fix building without
a system `strdup()`.)
- curlx/curlx.h: shorten and tidy up.
- adjust Windows build path to not need `HAVE_STRDUP`.
- build: stop detecting `HAVE_STRDUP` on Windows.
Stefan Eissing [Thu, 29 Jan 2026 10:59:05 +0000 (11:59 +0100)]
hostip.c: fix leak of addrinfo
When creating a dns entry, the addrinfo is passed into the entry on
success and needed deallocation by the caller on failure.
Change the signature to have Curl_dnscache_mk_entry() *always* take
ownership of the addrinfo, even on failure. Change parameter to address
of pointer so that call always clears it.
This makes the handling of failures to Curl_dnscache_mk_entry() simpler.
Viktor Szakats [Mon, 2 Feb 2026 12:14:30 +0000 (13:14 +0100)]
build: tidy up curl-specific fstat calls and stat struct type
To avoid redefining the `fstat` system symbol, and to clarify
`struct_stat` is a curl symbol.
- introduce `curlx_fstat()` macro and use it.
- rename `struct_stat` to `curl_struct_stat`.
Also:
- tests: replace direct `curlx_win32_stat()` call with `curlx_stat()`.
- checksrc: disallow direct `_fstati64` and `fstat()` calls, except in
examples.
Viktor Szakats [Sat, 31 Jan 2026 20:15:51 +0000 (21:15 +0100)]
cmake: skip binutils ld hack if zlib/openssl target is not `IMPORTED`
The binutils ld hack requires reading the targets' `LOCATION` property.
This property exists in `IMPORTED` targets. `ZLIB::ZLIB` and
`OpenSSL::Crypto` are normally `IMPORTED` targets defined by CMake's
built-in Find modules. However, in some cases (e.g. in "superbuilds"),
they may be regular targets, defined manually, without a `LOCATION`
property. To avoid a CMake warning in such case, verify if the target is
`IMPORTED` before reading this property.
This also mean that in such case the binutils/ld/gcc hack is not
enabled, and libcurl may fail linking in static mode.
Viktor Szakats [Sun, 1 Feb 2026 00:04:58 +0000 (01:04 +0100)]
build: tidy up local `lseek()` mappings
- stop redefining system symbol `lseek`, by introducing `curl_lseek()`.
- handle AmigaOS quirk within the macro mapping.
- add missing parenthesis to `LSEEK_ERROR` values.
- tool_util: use curl `lseek` macros in `tool_ftruncate64()`.
- move `LSEEK_ERROR` to right-hand side of if expressions.
- checksrc: disallow direct uses of `_lseeki64`, `llseek`, `lseek`.
dependabot[bot] [Sun, 1 Feb 2026 14:55:09 +0000 (14:55 +0000)]
GHA: bump GHA and pip dependencies
- update `actions/checkout` from 6.0.1 to 6.0.2
- update `ruff` from 0.14.11 to 0.14.14
- update `cryptography` from 46.0.3 to 46.0.4
- update `psutil` from 7.2.1 to 7.2.2
- update `websockets` from 15.0.1 to 16.0
Viktor Szakats [Thu, 29 Jan 2026 21:57:19 +0000 (22:57 +0100)]
tests/server/sockfilt: avoid possible endless loop on Windows
Seen to happen when run under WINE v10.0 on macOS.
```
$ CURL_TEST_EXE_EXT_SRV=.exe CURL_TEST_EXE_EXT_TOOL=.exe \
CURL_TEST_EXE_RUNNER=wine TFLAGS='951 -t' ninja tests
[...]
16:02:18.607002 [select_ws_wait_thread] PeekNamedPipe error: (0x00000032) - Request not supported.
[...endless repeat...]
```
Viktor Szakats [Thu, 29 Jan 2026 19:54:17 +0000 (20:54 +0100)]
tests/server: tidy-up error messages (Windows)
- show error description on `PeekNamedPipe()` error.
- show `GetLastError()` instead of socket error on non-socket failures
in the window handler.
- include full hex `GetLastError()` numbers in error messages, syncing
with Schannel code.
- drop internal `win32_perror()` function, in favor of direct
`curlx_*strerror()` calls.
Viktor Szakats [Wed, 28 Jan 2026 14:12:46 +0000 (15:12 +0100)]
GHA/windows: mark test 3001 flaky in native Windows jobs
It has been happening for a long time.
Example:
```
test 3001...[HTTPS localhost, last subject alt name matches, CN does not match]
3001: protocol FAILED!
There was no content at all in the file log/7/server.input.
Server glitch? Total curl failure? Returned: 56
== Contents of files in the log/7/ directory after test 3001
=== Start of file commands.log
../src/curl.exe -q --output log/7/curl3001.out --include --trace-ascii log/7/trace3001 --trace-time -4 --cacert ./certs/test-ca.crt https://localhost:64259/3001 > log/7/stdout3001 2> log/7/stderr3001
=== End of file commands.log
=== Start of file http_server.log
13:57:47.951283 Running HTTP IPv4 version on port 64256
=== End of file http_server.log
=== Start of file https_stunnel.log
2026.01.28 13:57:48 LOG5[ui]: stunnel 5.76 on x64-pc-mingw32-gnu platform
2026.01.28 13:57:48 LOG5[ui]: Compiled/running with OpenSSL 3.5.4 30 Sep 2025
[...]
2026.01.28 13:57:49 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:64281
2026.01.28 13:57:51 LOG3[0]: s_connect: connect 127.0.0.1:64256: Connection refused (WSAECONNREFUSED) (10061)
2026.01.28 13:57:51 LOG3[0]: No more addresses to connect
2026.01.28 13:57:51 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
=== End of file https_stunnel.log
=== Start of file server.cmd
Testnum 3001
=== End of file server.cmd
=== Start of file stderr3001
curl: (56) Recv failure: Connection was reset
=== End of file stderr3001
[...]
RUN: Unknown server on our https port: 64259 (56)
```
Viktor Szakats [Wed, 21 Jan 2026 15:20:51 +0000 (16:20 +0100)]
build: assume `stdint.h`
curl requires `stdint.h` from C99, and no longer builds without it since
v8.18.0 (after dropping VS2008 support). Assume it's available, drop
feature checks.
Also:
- drop duplicate `stdint.h` includes.
- introduce internal `HAVE_UINTPTR_T`, enabled by default.
- OS400: disable `HAVE_UINTPTR_T`.
- build: keep cmake pre-fill and `cmp-config.pl` exception because cmake
and autotools both detect `stdint.h` implicitly.
Stefan Eissing [Wed, 28 Jan 2026 08:46:18 +0000 (09:46 +0100)]
pytest: remove 03_02
The test for restarting the server during ongoing transfers does not
work reliably for HTTP/3. This seems due to the nature of UDP/QUIC where
the client may learn about a closed connection at any time, not only
when starting a new request.
Stefan Eissing [Wed, 7 Jan 2026 14:07:13 +0000 (15:07 +0100)]
h2+h3: align stream close handling
For HTTP/2, add error code description to close failures.
For HTTP/3, add special handling like in HTTP/2 when streams
have been rejected or an error comes during the response body
and we are not interested in the body.
Viktor Szakats [Tue, 27 Jan 2026 22:53:05 +0000 (23:53 +0100)]
windows: `USE_WINSOCK` to guard winsock2 code (where missing)
Replacing `_WIN32`.
Also:
- tool_doswin: guard possibly non-portable socket code with
`USE_WINSOCK`. The socket is cast to `HANDLE` and passed to
win32 API `SetStdHandle(STD_INPUT_HANDLE, ...)`.
- lib/setup-win32.h: move `#undef`s before their `#define` pair.
Viktor Szakats [Tue, 27 Jan 2026 23:46:37 +0000 (00:46 +0100)]
tool_doswin: avoid Windowsisms in socket code (cont.)
For general readability. Also to match the rest of the source code.
- bump `send()` result type from `int` to `ssize_t`.
- fix an `int` to be `curl_socklen_t`.
- `.S_un.S_addr` -> `.s_addr`.
- `SD_RECEIVE` -> `SHUT_RD`.
- `SD_SEND` -> `SHUT_WR`.
Viktor Szakats [Tue, 27 Jan 2026 23:15:45 +0000 (00:15 +0100)]
GHA/windows: fix shell, fix GHA fail to share cache between arm and intel Windows
A cache entry created by windows-2022 is not picked up by
windows-11-arm. Also a cache created by windows-11-arm is not picked up
by windows-2022. Possibly related to this filed in 2025 June:
https://github.com/actions/cache/issues/1622. Also tried
`enableCrossOsArchive` to no avail. Unclear if these two runners count
as distinct operating systems, I'd guess not. Cache entries are
identical on the web UI. Via GH API they show up with the same cache key
bot different "version" (hash) and different sizes, possibly due to the
zstd vs. gzip bug above.
Fixing (identical error text on either runner):
```
Error: Failed to restore cache entry. Exiting as fail-on-cache-miss is set. Input key: Windows-stunnel-5.76-amd64
```
Daniel Stenberg [Tue, 27 Jan 2026 15:59:32 +0000 (16:59 +0100)]
tls: remove checks for DEFAULT
Since 9d8998c99408e1adf, the setopt code changes input DEFAULT to an
actual more specific TLS version (1.2) for the backends to use and check
for.
This means that the default value (0L) cannot and should not actually be
used when the TLS backends run. This change adds asserts to verify that
and removes code that accepts the DEFAULT value as a valid version with
the TLS version functions' logic.
Applications can still set a specific lower version if they want (1, 1.0
or 1.1).
Stefan Eissing [Tue, 27 Jan 2026 12:28:09 +0000 (13:28 +0100)]
OpenSSL: check reuse of sessions for verify status
OpenSSL records its peer verification status inside its SSL_SESSION
objects. When a session is later reused, the SSL connection inherits
this verify status.
Session keys prevent reuse of sessions between connections that verify
the peer and those who do not. However, when Apple SecTrust is used
to verify a connection, this does not update the Sessions verify
status (and there is no setter). On session reuse, OpenSSL fails
the verification and Apple SecTrust cannot verify either since the
certificate peer chain is not available.
Fix this by checking the verification status on session reuse and
remove the session again if the peer needs to be verified, but the
session is not.
Reported-by: Christian Schmitza
Fixes #20435
Closes #20446
Billy O'Neal [Tue, 27 Jan 2026 00:03:33 +0000 (16:03 -0800)]
curl_multi_perform.md: resolve inconsistency
... between curl_multi_perform and curl_multi_wait/poll documentation
The `curl_multi_perform` documentation uses integer contextual
conversion to `bool` to test the resulting `CURLMcode`, while other
functions like `curl_multi_wait` and `curl_multi_poll` test against
`CURLM_OK`. (I was initially confused by this as it looked like some
docs call curl_multi_wait/poll on error, while some called only on
success. But that was my misread, not a docs problem.)
Also fixed the example to print which function call failed; previously
an error reported by `curl_multi_perform` was printed as a failure of
`curl_multi_wait`.
include: mask computed auth/proto bitmasks to 32 bits
GCC 15.2 warns when assigning computed "all" bitmask macros to 32-bit
flag types because negated masks expand to the full width of unsigned
long/long on 64-bit platforms.
Mask these macros to a 32-bit domain so they do not set high bits and
avoid -Woverflow/-Wconversion warnings in callers.
Reported-by: Patrick Monnerat
Fixes #20242
Closes #20416
Daniel Stenberg [Sun, 25 Jan 2026 15:35:53 +0000 (16:35 +0100)]
tool_cb_hdr: with -J, use the redirect name as a backup
The -J / --remote-header-name logic now records the file name part used
in the redirects so that it can use the last one as a name if no
Content-Disposition header arrives.
Add tests to verify:
1641: -J with a redirect and extract the CD contents in the second
response
1642: -J with a redirect but no Content-Disposition, use the name from
the Location: header
1643: -J with two redirects, using the last file name and also use
queries and fragments to verify them stripped off
Viktor Szakats [Sun, 25 Jan 2026 17:12:40 +0000 (18:12 +0100)]
tests: rename more `CURLcode` variables to `result`
For consistency.
Also:
- one remaining in `src/tool_writeout.c`.
- replace casting an `int` to `CURLcode`.
- lib758: rename `CURLMcode` `result` to `mresult`.
- move literals to the right side of if expressions.
When enabled, make a "best effort" finding static libs first and set
the "build static" macro (on Windows) as required by the dependency.
When doing `pkg-config`-based detections, make curl select the static
configuration, which shall set the "build static" macro also.
These options resemble CMake's `OPENSSL_USE_STATIC_LIBS` and
`ZLIB_USE_STATIC_LIBS` (the latter does not support `pkg-config` as of
CMake v4.2.2).
Shared/static library selection based on loose filename conventions is
fragile and prone to break if the non-static-suffixed library is found
and happens to be a shared library, or, if the linker decides to pick up
a shared copy (e.g. `.a.dll`) that shadows the static one. It may help
to provide either static or shared, but not both, on the disk, and match
that with this setting.
Viktor Szakats [Sun, 25 Jan 2026 13:10:16 +0000 (14:10 +0100)]
cmake: add `CURL_BUILD_EVERYTHING` option
To build all targets in a single go, meaning curl and libcurl as normal,
and tests and examples in addition. To build-test everything without
running multiple cmake commands.
Enable with:
- `-DCURL_BUILD_EVERYTHING=ON`
Special values: `QUICK` to build examples quickly for build test,
`NOEXAMPLES` to not build examples.
A well-equipped build takes 2.8s of configure time, and 1.7s to build
everything (shared, unity, ninja, prefill), 1.4s with `QUICK`. Without
this option it takes <1s to build curl/libcurl.
Viktor Szakats [Sun, 25 Jan 2026 12:04:58 +0000 (13:04 +0100)]
cmake: fix logic for openssl/zlib binutils ld workaround
While working #16973, the binutils ld lib order workaround logic
regressed so that it modified the wrong target, writing into the system
`ZLIB::ZLIB` and `OpenSSL::Crypto` ones a `INTERFACE_LINK_LIBRARIES`
property, instead of creating CURL-namespaced targets. Oddly enough,
this also fixed the binutils ld lib ordering issue. It seems this
property makes CMake insert each referenced library in two more
positions (not at the very end though), which allows ld to resolve all
symbols in the cases tested in CI.
Fix by creating the indented namespaced targets, and also creating
these in `curl-config.cmake` to be available when consuming libcurl.
Note that the logic continues doing `get_target_property()` on the two
system targets above. If these targets are defined manually and miss
the `LOCATION` propery, or are defined as aliases, this command may
fail. curl expects these targets be created by CMake's `FindZLIB` and
`FindOpenSSL` built-in Find modules (or ones compatible). Ref: #20419
The binutils ld issue is reproduced by these CI jobs:
- Linux gcc glibc (amd64, arm64)
- Windows gcc zlib-classic (x64)
Viktor Szakats [Sun, 25 Jan 2026 02:26:03 +0000 (03:26 +0100)]
build: constify `memchr()`/`strchr()`/etc result variables
And a few variables around.
There remain cases where the accepted pointer is const, yet the returned
pointer is written to.
Partly addressing (glibc 2.43):
```
* For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return
pointers into their input arrays now have definitions as macros that
return a pointer to a const-qualified type when the input argument is
a pointer to a const-qualified type.
```
Ref: https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00005.html
Viktor Szakats [Sat, 24 Jan 2026 01:39:48 +0000 (02:39 +0100)]
GHA/codeql: improve perf on Windows, enable `CURL_WERROR=ON`, and more
- set `CURL_DROP_UNUSED=ON` for Windows (MSVC) to make the analysis step
faster: 1m30s -> 1m15s
- enable `CURL_WERROR=ON` in all builds, to catch potential build issues
in addition to running CodeQL. To make these builds useful as regular
build tests too.
- add links to CodeQL Actions documentation.
- delete test data C files after checkout in an attempt to remove them
from CodeQL code coverage stats.
Michał Antoniak [Fri, 23 Jan 2026 15:51:44 +0000 (16:51 +0100)]
setopt: fix checking range for CURLOPT_MAXCONNECTS
- Use upper limit INT_MAX instead of UINT_MAX.
UINT_MAX doesn't work as the max value for the variable since it is
passed as a long and becomes -1 on platforms that have same sized
int and long, like Windows.
Viktor Szakats [Fri, 23 Jan 2026 12:37:59 +0000 (13:37 +0100)]
GHA/windows: install stunnel manually, enable for Cygwin
Replace Chocolatey install with direct download and unpack. To reduce
CI dependencies (Chocolatey, NuGet), improve install performance
(10s -> 1s) and hopefully reliability. Last but not least to enable it
for the Cygwin CI job.
Caveats:
- Need to bump stunnel versions manually (2-3 times a year).
Renovate could likely do it, but I failed to understand its
documentation and miss tooling/interface to make tests.
- FIPS not enabled. (can be done if necessary)
- Possibly losing checksum verification (not sure if Chocolatey did it
automatically for this package.)
Also:
- Increase minimum tests by 100 for the Cygwin job.
projects / thirdparty / curl.git / log
