Viktor Szakats [Thu, 29 Jan 2026 21:57:19 +0000 (22:57 +0100)]
tests/server/sockfilt: avoid possible endless loop on Windows
Seen to happen when run under WINE v10.0 on macOS.
```
$ CURL_TEST_EXE_EXT_SRV=.exe CURL_TEST_EXE_EXT_TOOL=.exe \
CURL_TEST_EXE_RUNNER=wine TFLAGS='951 -t' ninja tests
[...]
16:02:18.607002 [select_ws_wait_thread] PeekNamedPipe error: (0x00000032) - Request not supported.
[...endless repeat...]
```
Viktor Szakats [Thu, 29 Jan 2026 19:54:17 +0000 (20:54 +0100)]
tests/server: tidy-up error messages (Windows)
- show error description on `PeekNamedPipe()` error.
- show `GetLastError()` instead of socket error on non-socket failures
in the window handler.
- include full hex `GetLastError()` numbers in error messages, syncing
with Schannel code.
- drop internal `win32_perror()` function, in favor of direct
`curlx_*strerror()` calls.
Viktor Szakats [Wed, 28 Jan 2026 14:12:46 +0000 (15:12 +0100)]
GHA/windows: mark test 3001 flaky in native Windows jobs
It has been happening for a long time.
Example:
```
test 3001...[HTTPS localhost, last subject alt name matches, CN does not match]
3001: protocol FAILED!
There was no content at all in the file log/7/server.input.
Server glitch? Total curl failure? Returned: 56
== Contents of files in the log/7/ directory after test 3001
=== Start of file commands.log
../src/curl.exe -q --output log/7/curl3001.out --include --trace-ascii log/7/trace3001 --trace-time -4 --cacert ./certs/test-ca.crt https://localhost:64259/3001 > log/7/stdout3001 2> log/7/stderr3001
=== End of file commands.log
=== Start of file http_server.log
13:57:47.951283 Running HTTP IPv4 version on port 64256
=== End of file http_server.log
=== Start of file https_stunnel.log
2026.01.28 13:57:48 LOG5[ui]: stunnel 5.76 on x64-pc-mingw32-gnu platform
2026.01.28 13:57:48 LOG5[ui]: Compiled/running with OpenSSL 3.5.4 30 Sep 2025
[...]
2026.01.28 13:57:49 LOG5[0]: Service [curltest] accepted connection from 127.0.0.1:64281
2026.01.28 13:57:51 LOG3[0]: s_connect: connect 127.0.0.1:64256: Connection refused (WSAECONNREFUSED) (10061)
2026.01.28 13:57:51 LOG3[0]: No more addresses to connect
2026.01.28 13:57:51 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
=== End of file https_stunnel.log
=== Start of file server.cmd
Testnum 3001
=== End of file server.cmd
=== Start of file stderr3001
curl: (56) Recv failure: Connection was reset
=== End of file stderr3001
[...]
RUN: Unknown server on our https port: 64259 (56)
```
Viktor Szakats [Wed, 21 Jan 2026 15:20:51 +0000 (16:20 +0100)]
build: assume `stdint.h`
curl requires `stdint.h` from C99, and no longer builds without it since
v8.18.0 (after dropping VS2008 support). Assume it's available, drop
feature checks.
Also:
- drop duplicate `stdint.h` includes.
- introduce internal `HAVE_UINTPTR_T`, enabled by default.
- OS400: disable `HAVE_UINTPTR_T`.
- build: keep cmake pre-fill and `cmp-config.pl` exception because cmake
and autotools both detect `stdint.h` implicitly.
Stefan Eissing [Wed, 28 Jan 2026 08:46:18 +0000 (09:46 +0100)]
pytest: remove 03_02
The test for restarting the server during ongoing transfers does not
work reliably for HTTP/3. This seems due to the nature of UDP/QUIC where
the client may learn about a closed connection at any time, not only
when starting a new request.
Stefan Eissing [Wed, 7 Jan 2026 14:07:13 +0000 (15:07 +0100)]
h2+h3: align stream close handling
For HTTP/2, add error code description to close failures.
For HTTP/3, add special handling like in HTTP/2 when streams
have been rejected or an error comes during the response body
and we are not interested in the body.
Viktor Szakats [Tue, 27 Jan 2026 22:53:05 +0000 (23:53 +0100)]
windows: `USE_WINSOCK` to guard winsock2 code (where missing)
Replacing `_WIN32`.
Also:
- tool_doswin: guard possibly non-portable socket code with
`USE_WINSOCK`. The socket is cast to `HANDLE` and passed to
win32 API `SetStdHandle(STD_INPUT_HANDLE, ...)`.
- lib/setup-win32.h: move `#undef`s before their `#define` pair.
Viktor Szakats [Tue, 27 Jan 2026 23:46:37 +0000 (00:46 +0100)]
tool_doswin: avoid Windowsisms in socket code (cont.)
For general readability. Also to match the rest of the source code.
- bump `send()` result type from `int` to `ssize_t`.
- fix an `int` to be `curl_socklen_t`.
- `.S_un.S_addr` -> `.s_addr`.
- `SD_RECEIVE` -> `SHUT_RD`.
- `SD_SEND` -> `SHUT_WR`.
Viktor Szakats [Tue, 27 Jan 2026 23:15:45 +0000 (00:15 +0100)]
GHA/windows: fix shell, fix GHA fail to share cache between arm and intel Windows
A cache entry created by windows-2022 is not picked up by
windows-11-arm. Also a cache created by windows-11-arm is not picked up
by windows-2022. Possibly related to this filed in 2025 June:
https://github.com/actions/cache/issues/1622. Also tried
`enableCrossOsArchive` to no avail. Unclear if these two runners count
as distinct operating systems, I'd guess not. Cache entries are
identical on the web UI. Via GH API they show up with the same cache key
but different "version" (hash) and different sizes, possibly due to the
zstd vs. gzip bug above.
Fixing (identical error text on either runner):
```
Error: Failed to restore cache entry. Exiting as fail-on-cache-miss is set. Input key: Windows-stunnel-5.76-amd64
```
Daniel Stenberg [Tue, 27 Jan 2026 15:59:32 +0000 (16:59 +0100)]
tls: remove checks for DEFAULT
Since 9d8998c99408e1adf, the setopt code changes input DEFAULT to an
actual more specific TLS version (1.2) for the backends to use and check
for.
This means that the default value (0L) cannot and should not actually be
used when the TLS backends run. This change adds asserts to verify that
and removes code that accepts the DEFAULT value as a valid version with
the TLS version functions' logic.
Applications can still set a specific lower version if they want (1, 1.0
or 1.1).
Stefan Eissing [Tue, 27 Jan 2026 12:28:09 +0000 (13:28 +0100)]
OpenSSL: check reuse of sessions for verify status
OpenSSL records its peer verification status inside its SSL_SESSION
objects. When a session is later reused, the SSL connection inherits
this verify status.
Session keys prevent reuse of sessions between connections that verify
the peer and those who do not. However, when Apple SecTrust is used
to verify a connection, this does not update the session's verify
status (and there is no setter). On session reuse, OpenSSL fails
the verification and Apple SecTrust cannot verify either since the
certificate peer chain is not available.
Fix this by checking the verification status on session reuse and
remove the session again if the peer needs to be verified, but the
session is not.
Reported-by: Christian Schmitza
Fixes #20435
Closes #20446
Billy O'Neal [Tue, 27 Jan 2026 00:03:33 +0000 (16:03 -0800)]
curl_multi_perform.md: resolve inconsistency
... between curl_multi_perform and curl_multi_wait/poll documentation
The `curl_multi_perform` documentation uses integer contextual
conversion to `bool` to test the resulting `CURLMcode`, while other
functions like `curl_multi_wait` and `curl_multi_poll` test against
`CURLM_OK`. (I was initially confused by this as it looked like some
docs call curl_multi_wait/poll on error, while some called only on
success. But that was my misread, not a docs problem.)
Also fixed the example to print which function call failed; previously
an error reported by `curl_multi_perform` was printed as a failure of
`curl_multi_wait`.
include: mask computed auth/proto bitmasks to 32 bits
GCC 15.2 warns when assigning computed "all" bitmask macros to 32-bit
flag types because negated masks expand to the full width of unsigned
long/long on 64-bit platforms.
Mask these macros to a 32-bit domain so they do not set high bits and
avoid -Woverflow/-Wconversion warnings in callers.
Reported-by: Patrick Monnerat
Fixes #20242
Closes #20416
Daniel Stenberg [Sun, 25 Jan 2026 15:35:53 +0000 (16:35 +0100)]
tool_cb_hdr: with -J, use the redirect name as a backup
The -J / --remote-header-name logic now records the file name part used
in the redirects so that it can use the last one as a name if no
Content-Disposition header arrives.
Add tests to verify:
1641: -J with a redirect and extract the CD contents in the second
response
1642: -J with a redirect but no Content-Disposition, use the name from
the Location: header
1643: -J with two redirects, using the last file name and also use
queries and fragments to verify them stripped off
Viktor Szakats [Sun, 25 Jan 2026 17:12:40 +0000 (18:12 +0100)]
tests: rename more `CURLcode` variables to `result`
For consistency.
Also:
- one remaining in `src/tool_writeout.c`.
- replace casting an `int` to `CURLcode`.
- lib758: rename `CURLMcode` `result` to `mresult`.
- move literals to the right side of if expressions.
When enabled, make a "best effort" finding static libs first and set
the "build static" macro (on Windows) as required by the dependency.
When doing `pkg-config`-based detections, make curl select the static
configuration, which shall set the "build static" macro also.
These options resemble CMake's `OPENSSL_USE_STATIC_LIBS` and
`ZLIB_USE_STATIC_LIBS` (the latter does not support `pkg-config` as of
CMake v4.2.2).
Shared/static library selection based on loose filename conventions is
fragile and prone to break if the non-static-suffixed library is found
and happens to be a shared library, or, if the linker decides to pick up
a shared copy (e.g. `.a.dll`) that shadows the static one. It may help
to provide either static or shared, but not both, on the disk, and match
that with this setting.
Viktor Szakats [Sun, 25 Jan 2026 13:10:16 +0000 (14:10 +0100)]
cmake: add `CURL_BUILD_EVERYTHING` option
To build all targets in a single go, meaning curl and libcurl as normal,
and tests and examples in addition. To build-test everything without
running multiple cmake commands.
Enable with:
- `-DCURL_BUILD_EVERYTHING=ON`
Special values: `QUICK` to build examples quickly for build test,
`NOEXAMPLES` to not build examples.
A well-equipped build takes 2.8s of configure time, and 1.7s to build
everything (shared, unity, ninja, prefill), 1.4s with `QUICK`. Without
this option it takes <1s to build curl/libcurl.
Viktor Szakats [Sun, 25 Jan 2026 12:04:58 +0000 (13:04 +0100)]
cmake: fix logic for openssl/zlib binutils ld workaround
While working on #16973, the binutils ld lib order workaround logic
regressed so that it modified the wrong target, writing into the system
`ZLIB::ZLIB` and `OpenSSL::Crypto` ones a `INTERFACE_LINK_LIBRARIES`
property, instead of creating CURL-namespaced targets. Oddly enough,
this also fixed the binutils ld lib ordering issue. It seems this
property makes CMake insert each referenced library in two more
positions (not at the very end though), which allows ld to resolve all
symbols in the cases tested in CI.
Fix by creating the intended namespaced targets, and also creating
these in `curl-config.cmake` to be available when consuming libcurl.
Note that the logic continues doing `get_target_property()` on the two
system targets above. If these targets are defined manually and miss
the `LOCATION` property, or are defined as aliases, this command may
fail. curl expects these targets to be created by CMake's `FindZLIB` and
`FindOpenSSL` built-in Find modules (or ones compatible). Ref: #20419
The binutils ld issue is reproduced by these CI jobs:
- Linux gcc glibc (amd64, arm64)
- Windows gcc zlib-classic (x64)
Viktor Szakats [Sun, 25 Jan 2026 02:26:03 +0000 (03:26 +0100)]
build: constify `memchr()`/`strchr()`/etc result variables
And a few variables around.
There remain cases where the accepted pointer is const, yet the returned
pointer is written to.
Partly addressing (glibc 2.43):
```
* For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr,
strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return
pointers into their input arrays now have definitions as macros that
return a pointer to a const-qualified type when the input argument is
a pointer to a const-qualified type.
```
Ref: https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00005.html
Viktor Szakats [Sat, 24 Jan 2026 01:39:48 +0000 (02:39 +0100)]
GHA/codeql: improve perf on Windows, enable `CURL_WERROR=ON`, and more
- set `CURL_DROP_UNUSED=ON` for Windows (MSVC) to make the analysis step
faster: 1m30s -> 1m15s
- enable `CURL_WERROR=ON` in all builds, to catch potential build issues
in addition to running CodeQL. To make these builds useful as regular
build tests too.
- add links to CodeQL Actions documentation.
- delete test data C files after checkout in an attempt to remove them
from CodeQL code coverage stats.
Michał Antoniak [Fri, 23 Jan 2026 15:51:44 +0000 (16:51 +0100)]
setopt: fix checking range for CURLOPT_MAXCONNECTS
- Use upper limit INT_MAX instead of UINT_MAX.
UINT_MAX doesn't work as the max value for the variable since it is
passed as a long and becomes -1 on platforms that have same sized
int and long, like Windows.
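The conversion described in this commit message, as an added example that is not code from curl or from the commit: `long32`, `value_in_range()`, `bound_as_long()` and the two `check_with_*()` functions are hypothetical names, and `int32_t` stands in for a `long` that has the same size as `int` so the result is the same on any host.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a platform where long is 32 bits (same size as int,
   as on Windows) with int32_t, so the behaviour is identical on any host. */
typedef int32_t long32;

/* Hypothetical range helper: the upper bound travels as a 32-bit long. */
static int value_in_range(long32 value, long32 lowest, long32 highest)
{
  return value >= lowest && value <= highest;
}

/* What an unsigned bound turns into once it is passed as a 32-bit long.
   UINT_MAX does not fit and becomes -1 on two's complement targets. */
long32 bound_as_long(unsigned int bound)
{
  return (long32)bound;
}

/* Range check with UINT_MAX as the upper limit: the limit is -1, so no
   non-negative value can ever satisfy 0 <= value <= -1. */
int check_with_uint_max(long32 value)
{
  return value_in_range(value, 0, bound_as_long(UINT_MAX));
}

/* Range check with INT_MAX as the upper limit: the limit survives the
   conversion unchanged and the check behaves as intended. */
int check_with_int_max(long32 value)
{
  return value_in_range(value, 0, bound_as_long(INT_MAX));
}

int main(void)
{
  /* Constructed sample inputs. */
  static const long32 samples[] = { 0, 1, 5, INT_MAX, -1 };
  size_t i;

  printf("UINT_MAX as a 32-bit long: %ld\n", (long)bound_as_long(UINT_MAX));
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("value %11ld  UINT_MAX bound: %s  INT_MAX bound: %s\n",
           (long)samples[i],
           check_with_uint_max(samples[i]) ? "accepted" : "rejected",
           check_with_int_max(samples[i]) ? "accepted" : "rejected");
  return 0;
}
```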
Viktor Szakats [Fri, 23 Jan 2026 12:37:59 +0000 (13:37 +0100)]
GHA/windows: install stunnel manually, enable for Cygwin
Replace Chocolatey install with direct download and unpack. To reduce
CI dependencies (Chocolatey, NuGet), improve install performance
(10s -> 1s) and hopefully reliability. Last but not least to enable it
for the Cygwin CI job.
Caveats:
- Need to bump stunnel versions manually (2-3 times a year).
Renovate could likely do it, but I failed to understand its
documentation and miss tooling/interface to make tests.
- FIPS not enabled. (can be done if necessary)
- Possibly losing checksum verification (not sure if Chocolatey did it
automatically for this package.)
Also:
- Increase minimum tests by 100 for the Cygwin job.
Viktor Szakats [Fri, 23 Jan 2026 11:25:29 +0000 (12:25 +0100)]
GHA/windows: fail CI early on stunnel install failure
Before this patch CI silently ignored stunnel install failures. This
pushed the failure to the test run step due to not meeting the minimum
number of tests.
Make the root cause obvious by failing early in this case.
Viktor Szakats [Wed, 26 Nov 2025 18:11:16 +0000 (19:11 +0100)]
GHA/distcheck: bump old cmake, switch to arm64 for performance
Bump CMake version in CMake integration tests for better performance
(8x on macOS, 2-3x on Windows) and native arm64 binaries.
- bump old CMake in integration tests to v3.19.8 (was: v3.11.4)
- switch to native arm64 CMake binaries on macOS.
- switch Linux CMake integration job to arm64.
With this, CI is:
- no longer testing deprecated CMake versions.
Follow-up to a7c974e038572bd1d4a653afbd6de5fad5a10215 #19902
- not testing the next (from 2026 April) minimum 3.18, but going for
3.19 instead. For arm64 binaries on both macOS and Linux. There is
no 3.18-specific CMake code in curl.
Viktor Szakats [Tue, 20 Jan 2026 23:44:39 +0000 (00:44 +0100)]
tidy-up: Markdown, clang-format nits
- drop leading indent from Markdown.
- switch to Markdown section markers where missing.
- move `&&` and `||` to the end of the line (C, Perl).
- openssl: add parenthesis to an if sub-expression.
- misc clang-format nits.
- unfold Markdown links.
- SSL-PROBLEMS.md: drop stray half code-fence.
Kai Pastor [Wed, 21 Jan 2026 08:04:14 +0000 (09:04 +0100)]
cmake: always define `CURL::win32_winsock` on Windows in `curl-config.cmake`
The CMake config can be consumed by project which enable only language
`CXX`. `CMAKE_C_COMPILER_ID` isn't defined in this case, and the target
definition would be missing. But the check for compiler id isn't really
needed: The target is namespaced and valid, regardless of actual
compiler.
Noticed in https://github.com/microsoft/vcpkg/issues/49518, building cpr.
Viktor Szakats [Mon, 19 Jan 2026 11:34:59 +0000 (12:34 +0100)]
cmake: add `CURL_DROP_UNUSED` option to reduce binary sizes
To enable known linker options dropping unused, dead, code and data from
the executables built.
Useful to reduce binary sizes for curl, libcurl shared lib and apps
linking static libcurl. It's effective on both "unity" and non-unity
builds. Aligning "unity" build sizes with default, non-unity ones.
Supported platforms: Apple, MSVC, llvm/clang and GCC on all tested
platforms: Linux, BSDs, Windows, MSYS2/Cygwin, Android, MS-DOS.
Notes:
- Static libraries grow 20-30% with non-Apple toolchains.
This effect is controlled by separate, optional compiler flags on
non-Apple. This patch enables them automatically for public binaries
(libcurl and curl tool), and leaves them off for internal/test ones.
- MSVC enables this option by default for 'Release' configurations.
The curl build option has no effect on it.
- Observed effect on VS2010 is negligible. VS2012+ is recommended.
- Works with LTO, Fil-C.
- No observed/conclusive effect on build speed.
- On Windows with clang/gcc (mingw-w64/MSYS2/Cygwin) it also enables
`-fno-asynchronous-unwind-tables` as a workaround to make
the toolchain options actually work.
Ref: https://sourceware.org/bugzilla/show_bug.cgi?id=11539
Thanks-to: Andarwinux
Also:
- GHA: enable in Linux and MinGW jobs to test it. Size changes:
Jacek Migacz [Thu, 22 Jan 2026 10:36:44 +0000 (10:36 +0000)]
tool: enable header separation for HTTPS proxies
When using a proxy, --header specified headers were leaking into CONNECT
requests. This could break corporate proxies that reject custom
User-Agent headers in CONNECT.
Enable CURLHEADER_SEPARATE only for HTTPS through proxy or when
--proxytunnel is used, ensuring:
- --header affects only HTTP requests (not CONNECT)
- --proxy-header affects only CONNECT requests
- --user-agent affects both consistently
Fixes the redirect + proxy + custom UA issue while maintaining
compatibility with HTTP proxy scenarios.
Viktor Szakats [Wed, 21 Jan 2026 12:35:07 +0000 (13:35 +0100)]
build: opt-in MSVC to C99-style verbose logging logic
MSVC does not advertise itself as C99 via `__STDC_VERSION__`, but
supports variadic macros in all curl-supported versions. Fix by
explicitly enabling C99 verbose string logic for MSVC.
With verbose logging enabled (default), this makes logging perform
better, on par with clang/gcc (and other C99) builds. (With the cost
of extra binary size.) With verbose logging disabled, it excludes all
verbose logging related strings and code from the binary. Before this
patch, MSVC used the C89 fallback code in both configs, which used
a fixed function call, with the called function deciding to actually
log or not, while also retaining the verbose log string in both configs.
In CI with non-verbose:
Before:
```
3274240 bytes: ./_bld/lib/Debug/libcurl-d.dll
```
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/53408629/job/htj7ps88q83ew9ww#L224
Viktor Szakats [Wed, 21 Jan 2026 15:41:42 +0000 (16:41 +0100)]
appveyor: simplify job configuration
Replace interim knobs with cmake options.
Also:
- use CMake env `CMAKE_GENERATOR` to select the generator.
(with workaround to make it work with CMake <3.15.)
- deduce some configuration from the job name.
- drop unused test runner logic.
- drop obsolete `BUILD_OPT` use.
- tidy-up job names and sync them with GHA ones.
- add newline between job configurations for readability.
Viktor Szakats [Mon, 19 Jan 2026 15:00:56 +0000 (16:00 +0100)]
GHA: strip Windows/MS-DOS/Android binaries to see their real size
Unstripped size hides effective binary sizes due to the added debug
information. E.g. `--gc-sections` may inflate unstripped binaries, while
their unstripped size decreases. To see if binary size optimization
options work, it's more useful to observe unstripped size.
Viktor Szakats [Wed, 21 Jan 2026 12:55:32 +0000 (13:55 +0100)]
windows: test non-verbose builds, fix fallouts
- schannel: fix mixed-up declaration. (originally fenced infof for
verbose, then changed to failf with the fence kept, then fence
removed and variable marked as verbose, when in fact it's not, but
not tested and caught in CI.)
- fix two other fallouts.
- GHA/windows: disable verbose strings in a mingw job.
- appveyor: disable verbose strings in an MSVC job.
- appveyor: add way to pass any CMake option per-job.
Viktor Szakats [Mon, 19 Jan 2026 06:29:43 +0000 (07:29 +0100)]
build: fully omit verbose strings and code when disabled
When the compiler supports C99.
- map logging functions to macro stubs when verbose logging is disabled
and the compiler is C99. Make sure these stubs silence unused variable
warnings for non-variadic arguments.
Before this patch they mapped to function stubs, the same codepath
used for C89 compiler in this configuration.
- introduce new macros to tell the compiler which code to include
when verbose code is active, or inactive:
- `CURLVERBOSE`: defined when verbose code is active.
To enclose blocks of code only used for verbose logging.
- `VERBOSE(statement);`:
compile statement when verbose code is active.
To mark code lines only used for verbose logging.
- `NOVERBOSE(statement);`:
compile statement when verbose code is inactive.
To suppress warnings for arguments passed to logging functions via
printf masks, e.g. `NOVERBOSE((void)ipaddress);`, yet keeping
the warning in verbose builds.
Note these macros are not the same as `CURL_DISABLE_VERBOSE_STRINGS`.
Verbose code is always active in C89 mode (without variadic macro
support).
- drop existing uses of `CURL_DISABLE_VERBOSE_STRINGS` where redundant,
or replace with the above macros. Ending up reducing the number of
`#ifdef`s, and also the number of lines.
Assisted-by: Daniel Stenberg
Assisted-by: Jay Satiro
Reported-by: Dan Fandrich
Fixes #20341
Refs: #12105 #12167
Daniel Stenberg [Wed, 21 Jan 2026 08:14:40 +0000 (09:14 +0100)]
multi: probe for IPv6 functionality in multi_init()
In some legacy systems IPv6 might dynamically work/not work and thus
curl needs to check/probe to see if it should indeed be used.
This change moves the probe that checks for working IPv6 to the multi
handle setup function instead of delaying it to when the first name
resolve is performed. This avoids a later tricky error path if the
socket cannot be created due to OOM.
dEajL3kA [Fri, 16 Jan 2026 10:20:48 +0000 (11:20 +0100)]
winapi: use FormatMessageA instead of FormatMessageW
Use FormatMessageA() to get the error message as multibyte-character
string (local codepage) directly, instead of using FormatMessageW()
and then convert the string from Unicode (UTF-16) to multi-byte (local
codepage) manually.
Prior to this change we used FormatMessageW + conversion because some
Windows CE did not have FormatMessageA. Since curl no longer supports
Windows CE, FormatMessageA can be used.
Viktor Szakats [Wed, 7 Jan 2026 18:37:02 +0000 (19:37 +0100)]
build: update to not need `_CRT_NONSTDC_NO_DEPRECATE` with MSVC
Use non-deprecated CRT function variants on Windows.
- introduce `curlx_fdopen()`, `curlx_close()` and use them. Map them to
non-deprecated, underscored, CRT functions on Windows.
- replace `close()` uses with either `sclose()` (for sockets) or
`curlx_close()` (for files).
- map `fileno`, `unlink`, `isatty` to their non-deprecated, underscored,
versions on Windows.
- tool_dirhie: map `mkdir` to `_mkdir` on Windows.
- easy: use `_strdup()` on Windows, regardless of how `HAVE_STRDUP` is
set.
- cmake: assume `HAVE_STRDUP` on Windows. To allow dropping a detection
hack using `_CRT_NONSTDC_NO_DEPRECATE` with MSVC. Windows always has
`_strdup()` which the code uses, but also needs `HAVE_STRDUP` defined
to disable curl's own `strdup()` implementation.
- curl_setup.h: drop `_CRT_NONSTDC_NO_DEPRECATE` as no longer necessary.
Stefan Eissing [Mon, 19 Jan 2026 10:38:35 +0000 (11:38 +0100)]
timeout handling: auto-detect effective timeout
When checking a transfer for being expired via `Curl_timeleft_ms()`,
eliminate the `bool connecting` parameter and have the function check
the `mstate` of the transfer instead.
Advantages:
* eliminate the caller needing awareness if the transfer is
connecting or in a later state
* fix pingpong timeout handling to check the correct timeout
during "proto_connect" phases
* avoid using "connecting" timeouts during establishing a secondary
connection (e.g. FTP) since this would use the timestamp from
the original, primary connect and thus be wrong
Reported-by: Wyuer on github
Fixes #20347
Closes #20354
Stefan Eissing [Tue, 20 Jan 2026 10:09:58 +0000 (11:09 +0100)]
socket: check result of SO_NOSIGPIPE
New define USE_SO_NOSIGPIPE in curl_setup.h, for now set whenever
SO_NOSIGPIPE is defined. May be overridden in the future on systems where
this does not work.
With USE_SO_NOSIGPIPE defined, set SO_NOSIGPIPE on all sockets created
by libcurl and fail the creation when setsockopt() fails.
Viktor Szakats [Mon, 19 Jan 2026 22:24:47 +0000 (23:24 +0100)]
cmake: silence silly Apple clang warnings in C89 mode, test in CI
- `stdbool.h` is also included via system headers. Disabling it from curl
does not fix it. Silencing lots of these:
```
curl/lib/curlx/warnless.h:64:1: warning: '_Bool' is a C99 extension [-Wc99-extensions]
64 | bool curlx_sztouz(ssize_t sznum, size_t *puznum);
| ^
/Library/Developer/CommandLineTools/usr/lib/clang/17/include/stdbool.h:24:14: note: expanded from macro 'bool'
24 | #define bool _Bool
| ^
```
- silence `-Wcomma` warnings.
in favor of the global silencing approach, since a couple of more of
these were hit (in vquic, tool1622, unit1309, unit1636), and it seems
silly to update them all.
Revert e8189c44201db6bff987a8771df90f853d93dec5 #20362
Also:
- cmake: include C standard in 'platform flags' log line.
- GHA/macos: switch a job to C89 to verify.
- GHA/linux: show 'C89' in job names.
Viktor Szakats [Tue, 20 Jan 2026 01:52:53 +0000 (02:52 +0100)]
build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
Extend two existing local suppressions to GCC, and add another
GCC-specific one as a replacement.
Before this patch suppressing this warning was odd with clang, because
after this option, `-Wformat=2` is used, which re-enables it.
Also:
- mprintf: minimize scope of a warning suppression.
- tests/server: suppress this warning for a system `vsnprintf()` call
where it could trigger in C89 builds or with
`CFLAGS=-DCURL_NO_FMT_CHECKS` set. Seen with Apple clang 17:
```
curl/tests/server/util.c:114:37: warning: format string is not a string literal [-Wformat-nonliteral]
114 | vsnprintf(buffer, sizeof(buffer), msg, ap);
| ^~~
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/secure/_stdio.h:124:69: note: expanded from macro 'vsnprintf'
124 | #define vsnprintf(str, len, ...) __vsnprintf_chk_func (str, len, 0, __VA_ARGS__)
| ^~~~~~~~~~~
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/secure/_stdio.h:81:65: note: expanded from macro '__vsnprintf_chk_func'
81 | __builtin___vsnprintf_chk (str, len, flag, __darwin_obsz(str), format, ap)
| ^~~~~~
```
Viktor Szakats [Tue, 20 Jan 2026 02:30:24 +0000 (03:30 +0100)]
rtsp: fix missing variable declaration
```
lib/rtsp.c:1073:26: error: no previous extern declaration for non-static variable 'Curl_scheme_rtsp' [-Werror,-Wmissing-variable-declarations]
1073 | const struct Curl_scheme Curl_scheme_rtsp = {
| ^
lib/rtsp.c:1073:7: note: declare 'static' if the variable is not intended to be used outside of this translation unit
1073 | const struct Curl_scheme Curl_scheme_rtsp = {
| ^
```
Ref: https://github.com/curl/trurl/actions/runs/21157411659/job/60844860592?pr=425#step:3:3036
Daniel Stenberg [Tue, 20 Jan 2026 10:01:31 +0000 (11:01 +0100)]
libcurl docs: reduce 'since ...' in descriptions
Reduce mentions of libcurl versions like "since 7.xx ..." in option
descriptions to reduce clutter and make the texts easier to read. Keep
them in, or move them to, the HISTORY or DEPRECATED sections.
The last version 7 release (7.88.1) shipped on February 20, 2023.