Viktor Szakats [Sun, 14 Dec 2025 08:42:59 +0000 (09:42 +0100)]
runtests: improve XML prolog check, enable `-w` permanently, fix two tests
To really verify the presence of the XML prolog, also in CI.
- move the prolog check from `loadtest` to `checktest`.
(load did a soft error, silently skipping the test instead of failing)
- runtests: enable `-w` functionality permanently for all test targets,
drop the option. It has no measurable performance impact.
- test 798, 1665: add XML prolog.
Follow-up to f0d277cb0e3712ae4edf8f51822ffa99e9b3ec54
Viktor Szakats [Fri, 12 Dec 2025 22:30:45 +0000 (23:30 +0100)]
renovate: leave bumping GitHub Actions to Dependabot
To avoid update noise. Renovate bumps everything instantly, meaning
a major version a couple hours after release, then all minor bugfix
releases throughout the next 1-2 days. Also putting major versions in
a different group than the bugfix release, and there is no support for
a cooldown period.
After this patch GitHub's Dependabot remains the single tool responsible
to bump GitHub Actions, once a month, grouped, with a cooldown period.
In sync with most other curl repos.
Both Renovate and Dependabot keep bumping pinned pips for now. Also
Renovate keeps updating C dependencies and Dockerfile.
Daniel Stenberg [Fri, 12 Dec 2025 15:36:08 +0000 (16:36 +0100)]
http: unfold response headers earlier
Make the low-level HTTP header "builder" unfold headers so that
everything else can keep pretending folding does not exist.
This code no longer tries to reduce repeated leading whitespace (in the
continued folded header) to a single one. To avoid having to have a
special state for that.
Viktor Szakats [Sat, 13 Dec 2025 11:35:36 +0000 (12:35 +0100)]
GHA/checksrc: fix `-z` position, also use `--output` with `xmllint`
Fixing:
```
fatal: option '-z' must come before non-option arguments
```
Ref: https://github.com/curl/curl/actions/runs/20183280533/job/57948203944#step:4:5
Daniel Stenberg [Sat, 13 Dec 2025 12:48:59 +0000 (13:48 +0100)]
tool_urlglob: support globs as long as config line lengths
libcurl supports up to 8MB string inputs, the config file accepts up to
10MB line lengths. It did not make sense to limit the globs to a maximum
of one megabyte.
Viktor Szakats [Fri, 12 Dec 2025 02:59:21 +0000 (03:59 +0100)]
GHA: enable libssh and libssh2 in 10 more Linux jobs
To run more pytest sshd tests, and for more static analysis.
Also:
- drop redundant option from `openssl libssh2 ...` config.
- GHA/linux: enable pytest in the LTO job (to test libssh2).
- avoid both with local builds of OpenSSL-forks, due to crypto lib
mixups causing a mixture of build error, crashes, test failures.
Viktor Szakats [Fri, 12 Dec 2025 00:55:30 +0000 (01:55 +0100)]
runtests: add options to set minimum number of tests, use them
To detect mistakes made in the runtests framework that reduce
the number of test runs. Before this patch it could go undetected with
a green CI.
The minimum thresholds will need light maintenance going forward (either
bumping them periodically, or adjust if some may fell below minimums for
justified reasons). We may also make minimums tighter or looser, or more
job-specific.
Latest number of test runs for each job can be seen at Test Clutch:
https://testclutch.curl.se/static/reports/feature-matrix.html
Stefan Eissing [Thu, 11 Dec 2025 15:02:41 +0000 (16:02 +0100)]
pytest: add tests using sshd
With either /usr/sbin/sshd found or configured via --with-test-sshd=path
add tests for SCP down- and uploads, insecure, with known hosts or not,
with authorized user key or unauthorized one.
Working now with libssh and libssh2, using a hashed known_hosts file.
Viktor Szakats [Sun, 7 Dec 2025 15:49:55 +0000 (16:49 +0100)]
tidy-up: miscellaneous
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from an URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
Viktor Szakats [Thu, 11 Dec 2025 01:46:24 +0000 (02:46 +0100)]
GHA/checkdocs: re-enable proselint, update setup, fix issues found
- update configuration and invocation.
- install via pip.
- drop a file exception.
- alpha sort proselint settings.
- FILEFORMAT: update text about XML compliance.
- CI job takes 22 seconds total.
Viktor Szakats [Wed, 10 Dec 2025 22:21:10 +0000 (23:21 +0100)]
runtests: add support for single-quoted attributes, use it
With this, all test data files are XML-compliant.
Also:
- test1158, test1186: use single quotes for the test filename attribute
containing a double quote. For XML-compliance.
- drop support for unquoted attributes. For XML-compliance.
Viktor Szakats [Tue, 5 Aug 2025 14:07:21 +0000 (16:07 +0200)]
autotools: tidy-up `if` expressions
- drop x-hacks for curl internal variables and certain autotools ones
that do not hold custom values.
- make x-hacks consistently use `"x$var" = "xval"` style.
- add a few x-hacks for input/external variables that may hold custom
values.
- prefer `-z` and `-n` to test empty/non-empty.
This also makes some x-hacks unnecessary.
- optimized negated test `-z` and `-n` options.
- prefer `&&` and `||` over `-a` and `-o`.
For better POSIX compatibility:
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html
- quote variables passed to `test`, where missing.
- quote string literals in comparisons.
- fix some indentation, whitespace.
Note that a few `case` statements also use the x-hack, which looks
unnecessary. This patch does not change them.
Verified by comparing feature detection results with a reference CI run
from before this patch (PR #19922).
Stefan Eissing [Wed, 10 Dec 2025 10:17:49 +0000 (11:17 +0100)]
pytest: quiche flakiness
Let nghttpx only use http/1.1 to backend. This reproduces the bug in
quiche with higher frequency. Allow test_14_05 to now return a 400 in
addition to the 431 we get from a h2 backend to nghttpx.
Skip test_05_02 in h3 on quiche not newer than version 0.24.4 in which
its bug is fixed: https://github.com/cloudflare/quiche/pull/2278
Viktor Szakats [Wed, 10 Dec 2025 10:47:40 +0000 (11:47 +0100)]
GHA/checkurls: add dry run on push
To verify if the basics work.
Downside is that the scheduled (live) runs are intermixed with the dry
runs and less obvious to find in the default list:
https://github.com/curl/curl/actions/workflows/checkurls.yml
This URL filters for scheduled runs only:
https://github.com/curl/curl/actions/workflows/checkurls.yml?query=event%3Aschedule
Seems fine, because we're only interested in red runs.
Stefan Eissing [Tue, 9 Dec 2025 14:48:52 +0000 (15:48 +0100)]
memdebug: fix realloc logging
Do the whole realloc and the subsequent logging under mutex lock. This
fixed log entries that state allocation a memory location before realloc
logs it as being freed.
Stefan Eissing [Tue, 9 Dec 2025 16:00:52 +0000 (17:00 +0100)]
test: increase altsvc test reliability
Move new tests from test_12 to test_06 (eyeballing) where they better
fit. Increase reliability by check Alt-Svc redirects from h3 to a lower
version for a port where no h3 is available.
Viktor Szakats [Tue, 9 Dec 2025 19:06:33 +0000 (20:06 +0100)]
build: set `-Wno-format-signedness`
Explicitly disable these warnings to allow using `-Weverything`.
There are around 600 of them across the codebase.
Silencing them has some drawbacks:
- enums (`CURLcode` mostly) would have to be cast to int to avoid
different signedness depending on C compiler.
(llvm/gcc: unsigned, MSVC/clang-cl: signed by default)
- hex masks need casts to unsigned to avoid the warning.
- fixing remaining warnings is annoying without fixing the above.
- without fixing all warnings the option cannot be enabled, to keep
the codebase warning free.
Viktor Szakats [Wed, 8 Oct 2025 14:20:54 +0000 (16:20 +0200)]
DEPRECATE: add CMake <3.18 deprecation for April 2026
CMake 3.18 was released on 2020-07-15.
It enables using (and/or dropping workarounds) for these features:
LTO support, better performance and pkg-config support, `OBJECT` target,
`-S`, `-B`, `--verbose`, `--install` on the command-line, lib directory
support in interface targets, target_link_options(), LINK_OPTIONS,
FetchContent, `list(PREPEND ...)`, unity, Ninja, fixed imported global
issues.
Viktor Szakats [Tue, 9 Dec 2025 09:31:20 +0000 (10:31 +0100)]
windows: assume `USE_WIN32_LARGE_FILES`
All Windows platforms support it. It was permanently enabled with most
build methods. The exception is autotools where it is enabled by
default, with an option to disable it. It changed the build in a few
places for rarely tested code paths, but not bringing other advantages
(and used some 64-bit APIs anyway). This patch makes autotools'
`--disable-largefile` option a no-op for Windows.
Stefan Eissing [Mon, 8 Dec 2025 12:36:19 +0000 (13:36 +0100)]
alt-svc: more flexibility on same destination
When the Alt-Svc points to the same host and port, add the destination
ALPN to the `wanted` versions and set it also as the `preferred` version
in negotiations.
This allows Alt-Svc for h3 to point to h2 and have it tried first. Also,
this allows Alt-Svc to say http/1.1 is preferred and changes the ALPN
protocol ordering for the TLS handshake.
Add tests in various combination to verify this works.
Reported-by: yushicheng7788 on github
Fixes #19740
Closes #19874
Viktor Szakats [Tue, 9 Dec 2025 13:27:44 +0000 (14:27 +0100)]
GHA/windows: re-enable `taskkill`
Nothing conclusive for the last ~30 days when `taskkill` was made
a no-op. Jobs remained flaky with all known failure modes. Sometimes
they finish green on the first run, sometimes they fail. Hard to say
more without comparing detailed stats for this period and the
preceding (or upcoming) one.
In almost all runs, the PID to be killed did not exist at the time of
check.
Yedaya Katsman [Tue, 2 Dec 2025 17:40:07 +0000 (19:40 +0200)]
test: add test 2090 for SSLKEYLOGFILE structure
Only the TLS 1.2 structure for now since it's simpler, and only has a
single label type. This has the bonus of also testing libressl that only
supports logging keys in TLS 1.2
Viktor Szakats [Mon, 8 Dec 2025 15:44:29 +0000 (16:44 +0100)]
tidy-up: URLs
- to avoid dupes.
- missing slashes.
- drop `.git` suffix from GitHub git repo URLs for a few outliers.
- use short YouTube URL like curl-www does.
- sync two RFC doc URLs with others.
Viktor Szakats [Sun, 7 Dec 2025 16:36:54 +0000 (17:36 +0100)]
CI/windows: add torture tests with Schannel
With Schannel and Unicode, `-shallow=13`. It finishes in 12 minutes,
making it the slowest Windows job. It's still on par with torture jobs
on other platforms (though they manage to fit `-shallow=25`).
Also `-shallow=13` still caught leaks in multiple tests.
Also:
- test2300: exclude from CI Windows torture tests.
- experimental.
The downside of going with deeper torture tests, is that it requires
increasing the job timeout. This in turns means that a hung job takes
more minutes to be killed (due to GitHub bugs where a hung step does not
honor the per-step timeout on Windows, another bug where a hung job gets
killed +5 minutes above the workflow timeout, and another bug (or
feature?) where other failed/hung jobs in the the workflow cannot be
restarted till the last job finishes or gets killed. And all this
probably related to a Perl bug which makes it hang on fork errors, which
is turn related to Cygwin/MSYS2 runtime bugs which breaks fork in case
of curl's mixed MSYS2-Perl/native-curl-binaries environment.)
The end result in longer forced waits before being able to restart flaky
jobs, which slows down iterations and annoying.
Also tried:
- non-c-ares job: detected known issues much less often.
- replaced libidn2 with WinIDN: detected known issues much less often.
- runtests -j9-j20 values: did not make a difference.
- other `-shallow` values: 20 is the max feasible, but comes with the
downside described above.
Viktor Szakats [Sun, 7 Dec 2025 19:03:38 +0000 (20:03 +0100)]
sspi: fix memory leaks on error paths in `Curl_create_sspi_identity()`
Detected by Windows torture test 1072 (with `-shallow=20/13`),
test 579 (with `-shallow=18/14/13`), and test 1286 (with `-shallow=15`).
```
** MEMORY FAILURE
Leak detected: memory still allocated: 20 bytes
At 1a1e8136328, there is 18 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:133
At 1a1e8139368, there is 2 bytes.
allocated by D:/a/curl/curl/lib/curl_sspi.c:143
1072: torture FAILED: function number 207 in test.
invoke with "-t207" to repeat this single case.
Warning: http2 server unexpectedly alive
```
Ref: https://github.com/curl/curl/actions/runs/20008523913/job/57374427439?pr=19865
projects / thirdparty / curl.git / log
