Viktor Szakats [Sun, 7 Sep 2025 10:32:54 +0000 (12:32 +0200)]
VULN-DISCLOSURE-POLICY: make it pass test 1275
```
test 1275...[Verify capital letters after period in markdown files]
../../docs/VULN-DISCLOSURE-POLICY.md:426:55:error: lowercase daily after period
* regular communication from communication leader (ex. daily update)
```
Ref: https://github.com/curl/curl/actions/runs/17527331816/job/49779555753?pr=18485
Stefan Eissing [Thu, 4 Sep 2025 14:09:05 +0000 (16:09 +0200)]
websocket: handling of PONG frames
The auto PONG frames were inserted into the connection at the time
a PING had been decoded, irregardless if an upstream frame was just
in the middle of being assembled.
Add PONG frames only to the buffer if there is no frame currently
assemebled and, if it is, set the control frame aside. This control
frame is then added on the first opportunity of a "clean" send buffer.
There is only a single control frame set aside at a time. This means
a double PING will, when the PONG cannot be sent right away, only
send the last PONG.
I imagine this is fine. We want to prevent the endless buffering of
PONG frames on a connection where the server sends but does no receives.
Stefan Eissing [Thu, 4 Sep 2025 10:00:48 +0000 (12:00 +0200)]
websocket: reset upload_done when sending data
Sending websocket data did not clear the "upload_done" flag of
the initial HTTP Upgrade request, leading to KEEP_SEND never be
cleared. This caused the socket to be polled for INOUT after all
the websocket data had been sent. A busy loop.
Viktor Szakats [Tue, 2 Sep 2025 13:40:12 +0000 (15:40 +0200)]
lib: drop `UNUSED_PARAM` macro
Added in 2011, but has seen little use in the code. The necessary
compiler feature is missing in some compilers (e.g. MSVC), thus in most
places the portable `(void)` cast is used in addition.
Also:
- vtls/rustls: silence unused argument warning with `(void)`.
Necessary for MSVC, for example.
Stefan Eissing [Tue, 2 Sep 2025 13:16:21 +0000 (15:16 +0200)]
multi: limit-rate revisited
Tweaks around handling of --limit-rate:
* tracing: trace outstanding timeouts by name
* multi: do not mark transfer as dirty that have
an EXPIRE_TOOFAST set
* multi: have one static function to asses speed limits
* multi: when setting EXPIRE_TOOFAST remove the transfers
from the dirty set
* progress: rename vars and comment on how speed limit
timeouts are calculated, for clarity
* transfer: when speed limiting, exit the receive loop
after a quarter of the limit has been received, not
on the first chunk received.
* cf-ip-happy.c: clear EXPIRE_HAPPY_EYEBALLS on connect
* scorecard: add --limit-rate parameter to test with
speed limits in effect
David Zhuang [Wed, 3 Sep 2025 00:28:21 +0000 (17:28 -0700)]
http: do the cookie list access under lock
A previous refactor of cookie logic changed Curl_cookie_getlist to no
longer return a list of copied cookies, but instead return a linked list
pointing to existing cookies. The returned linked list is accessed
outside of the scope of the cookie share lock in http_cookies, which
leads to issues if the shared cookie list is modified at the same time.
This is the relevant commit: be39ed1
Daniel Stenberg [Wed, 3 Sep 2025 07:52:36 +0000 (09:52 +0200)]
tool_getparam: warn on more unicode prefixes
If a string argument is expected and the first two bytes are 0xe2 ex80
and the third has the 7th bit set, that's enough for curl to warn.
Previously we tried to detect and warn only for the unicode double
quote, but users might use single quotes, other quotes or even lead the
argument with one of the "zero widths" characters. This is an attempt to
detect many of those. Without triggering for "normal" IDN hostnames.
Jay Satiro [Wed, 27 Aug 2025 07:35:01 +0000 (03:35 -0400)]
projects: fix Windows project 'clean' function
- Fix generate.bat "-clean" option.
- Change version template substitutes to match old files, eg go back to
using format version "11.00" instead of "11.0".
- Limit the vcxproj filters file types that are filtered to c, h, rc.
- Get rid of the tmpl extension from template files and add a README
to the tmpl directory explaining the purpose of the files.
- gitignore VCxx directories entirely rather than individual file types.
- Do not remove the VC directories during clean, instead remove just the
generated project files.
Removing the VC directories has the unwanted behavior of removing files
other than those generated. Visual Studio will generate its own
preference files (like if you have some debug arguments in your .suo)
and those files sit in the VC directories. We ignore those files since
they are the user's files and should not be deleted. Also the user may
have their own untracked files that we shouldn't be deleting.
Follow-up to 57d349fe which consolidated the project templates.
Assisted-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/18412
Daniel Stenberg [Mon, 1 Sep 2025 14:36:53 +0000 (16:36 +0200)]
parsedate: make Curl_getdate_capped able to return epoch
By returning error separately on parse errors and avoiding magic
numbers, this function can now return 0 or -1 as proper dates when such
a date string is provided.
Stefan Eissing [Fri, 29 Aug 2025 15:38:45 +0000 (17:38 +0200)]
aws-lc: do not use large buffer
test_10_08, uploading larger files for a h2 proxy, sporadically fails
with a decrpytion error on received data in AWS-LC. The frequency can
be increased by simulated network receive blocks.
Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its
default buffer size seems to mitigate this problem.
XCas13 [Fri, 29 Aug 2025 09:52:25 +0000 (13:52 +0400)]
ngtcp2: handshake timeout should be equal to --connect-timeout
Default timeout is hardcoded (10 seconds) and doesn't respect
--connect-timeout parameter. In some cases 10 seconds can be not enough
or too long to "establish a connection". Moreover the non-working
--connect-timeout parameter for http3 is confusing. This change makes
the handshake timeout equal to --connect-timeout, if it's set.
Discussion is here https://github.com/curl/curl/discussions/18427
Viktor Szakats [Thu, 28 Aug 2025 20:36:47 +0000 (22:36 +0200)]
GHA/windows: fix perl 5.40.3 bump fallout with custom-built modules
Perl got bumped from 5.38.4 to 5.40.3. The new version crashes when
loading the `Win32::Process*` modules built and cached in CI. The build
job uses Perl 5.38.4.
To avoid the crash, include the Perl version (hashed) in the cache key,
so that it's only loaded when the Perl version matches.
This solution is imperfect, because some of the jobs will not use the
Perl modules in transition periods, when different jobs use different
Perl versions. Anyway, can't think of a better one for now. Another
option is to drop the effort with these modules. After all they did not
help with crashes and hangs, nor with performance. While adding quite
a bit of CI complexity.
Also:
- test early if the modules load and log the result.
It's causing false-positives with clang-tidy v21, in cases in system
headers (seen in `FD_ISSET()` with macOS SDK). In some cases in
tests/server, there was no distinct source line that was triggering it.
Example:
```
/Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.5.sdk/usr/include/sys/_types/_fd_def.h:83:10: error: Potential out of bound access to 'fds_read.fds_bits' with tainted index [clang-analyzer-security.ArrayBound,-warnings-as-errors]
83 | return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS)));
| ^
[...]
/Users/runner/work/curl/curl/tests/server/socksd.c:679:5: note: Taking false branch
679 | if(rc < 0) {
| ^
```
Daniel Stenberg [Thu, 28 Aug 2025 09:42:49 +0000 (11:42 +0200)]
cookie: simplifications
- add Curl_secure_context(), to have it determined in a single place.
- tweak the Curl_cookie_getlist() proto. Move some logic into the
function - at is only called in a single place. Instead of forcing the
caller to do it.
Stefan Eissing [Mon, 18 Aug 2025 15:12:35 +0000 (17:12 +0200)]
websocket: improve handling of 0-len frames
Write out 9-length frames to client's WRITEFUNCTION
Read 0-length frames from READFUNCTION *if* the function
started a new frame via `curl_ws_start_frame()`.
Viktor Szakats [Wed, 27 Aug 2025 14:23:58 +0000 (16:23 +0200)]
HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility
Applied the same workaround to the build examples as used earlier in CI.
That is, drop `<path> from `--with-ngtcp2=<path>` and configure env
`PKG_CONFIG_PATH` instead.
Jay Satiro [Fri, 1 Aug 2025 07:57:12 +0000 (03:57 -0400)]
schannel: fix renegotiation
- Move the schannel_recv renegotiation code to function
schannel_recv_renegotiate.
- Save the state of a pending renegotiation.
- Pre-empt schannel_recv and schannel_send to continue a pending
renegotation.
- Partially block during renegotiation if necessary.
Prior to this change, since a1850ad7 (precedes 8.13.0), schannel_recv
did not properly complete renegotiation before attempting to decrypt
data. In some cases that could cause an error SEC_E_CONTEXT_EXPIRED.
Most of the time though DecryptMessage would succeed by chance and
return SEC_I_RENEGOTIATE which allowed the renegotiation to continue.
Reported-by: stephannn@users.noreply.github.com Reported-by: Dustin L. Howett
Fixes https://github.com/curl/curl/issues/18029
Closes https://github.com/curl/curl/pull/18125
Viktor Szakats [Thu, 14 Aug 2025 21:43:34 +0000 (23:43 +0200)]
GHA/linux: build `-O3` job with unity batches to save 10-15s
Before (build, test run):
https://github.com/curl/curl/actions/runs/16974205126/job/48118716664 25s, 12m56
https://github.com/curl/curl/actions/runs/16973102133/job/48114977897 24s, 12m51
After, with batch size 50 (build, test run):
https://github.com/curl/curl/actions/runs/17250901063/job/48952645881?pr=18293 16s, 12m51
https://github.com/curl/curl/actions/runs/17250901063/job/48953665204?pr=18293 17s, 12m42
Daniel Stenberg [Tue, 26 Aug 2025 14:03:24 +0000 (16:03 +0200)]
ftp: simplify
- Avoid checking what's always true. The ftpcode pointer is always
passed in, so use it.
- Simplified an indent level somewhat
- Split out two functions from the state machine
Daniel Stenberg [Mon, 18 Aug 2025 15:10:35 +0000 (17:10 +0200)]
socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate
This function returned error on MANY places, each with its own cleanup
sequence and by the look of it almost all of them were incomplete,
making them leak resources on errors.
This take now gotos to the error label where it cleans everything up
before returning error. This also simplifies the function a lot.
Daniel Stenberg [Fri, 22 Aug 2025 14:58:28 +0000 (16:58 +0200)]
tool_getparam: let --trace-config override -v
If --trace-config is used to set a level before -v is used, don't reset
the state on first -v (to "-all") as it otherwise does. This way,
--trace-config can be used to set specific trace items before -v on the
command line and it still works.
Previously, the first -v use would otherwise reset and undo the earlier
--trace-config items.
Viktor Szakats [Mon, 25 Aug 2025 15:44:47 +0000 (17:44 +0200)]
projects: generate from a single template
The three projects (VC10, VC11, VC12) are identical except 5 repeated
strings in them. They also require running `generate.bat` before use,
to populate source files. Reduce the 3 almost identical projects to
a single template project and populate the repeated strings also via
`generate.bat`. This reduces the maintenance burden to a single copy of
the project files. Also saving 10000 LOCs.
- curl_ntlm_core: document version thresholds for an AWS-LC-specific
workaround.
It was necessary between v1.2.0 2022-09-01 and v1.30.1 2024-06-21.
No longer necessary since v1.31.0 2024-07-01:
https://github.com/aws/aws-lc/commit/ba94617d99c18949711e8e405721ea85a2b38c3f
Follow-up to 34ef4fab22d93cf7ef1d6c2954a0bad19f323ea9 #10320
Stefan Eissing [Sat, 23 Aug 2025 12:15:13 +0000 (14:15 +0200)]
asyn-thrdd: more simplifications
- use wakeup sockets non-locked.
- send wakeup notify only in normal control flow (not cancel). close
wakeup sockets in unlink only.
- remove 5ms thread lifetime wait crutch before pthread_cancel().
projects / thirdparty / curl.git / log
