Stefan Eissing [Wed, 22 Oct 2025 08:12:54 +0000 (10:12 +0200)]
vquic: fix recvmsg loop for max_pkts
The parameter `max_pkts` was not checked in the recvmsg() implementation
of vquic_recv_packets() as the packter counter was never increased. This
led to the loop running until an EAGAIN was encountered. Which, in any
real case scenario, does no harm as long as libcurl is ingesting packets
faster than a server is able to send them.
However on a slow device and a fast network this could happen and allow
a denial of serice.
Not a real regression as the vulnerable code has never been released.
libcurl 8.16.0 does not have this bug.
Stefan Eissing [Wed, 22 Oct 2025 08:39:58 +0000 (10:39 +0200)]
gnutls: fix re-handshake comments
With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a
key update in TLSv1.3. This had been made non-blocking in a1850ad7debe33fded6367e34d5c06be4d51f58e but the comment warning about a
blocking call was not updated.
Stefan Eissing [Wed, 22 Oct 2025 08:00:53 +0000 (10:00 +0200)]
ftp: check errors on remote ip for data connection
Obtaining the remote ip of the control connection to be used for the
data connection can fail. Check that and fail the transfer when that
does not work.
Daniel Stenberg [Mon, 20 Oct 2025 09:34:25 +0000 (11:34 +0200)]
cookie: only count accepted cookies in Curl_cookie_add
The counter used to stop accepting cookies after a certain amount has
been received in a single response would previously also count some
cookies that were not actually accepted as they were discarded after the
counter was increased.
Starting now, the counter is increased only for cookies that were
accepted.
Viktor Szakats [Mon, 20 Oct 2025 21:11:53 +0000 (23:11 +0200)]
cmake: say 'absolute path' in option descriptions and docs
To not have to guess. Also to sync with autotools, which already uses
this wording.
Also:
- replace the stray term 'folder' with 'directory' for consistency.
- store help text in a temp variable to avoid overly long strings
(mandatory in CMake <4.2.0 and can't be trivially split), also
to avoid repeating this string 4 times.
Viktor Szakats [Mon, 20 Oct 2025 13:51:39 +0000 (15:51 +0200)]
cmake: add and use local FindGnuTLS module
Replacing a combination of custom logic in the main script and relying
on CMake's built-in Find module, with code and behavior used for
the rest of dependencies.
Also to:
- add version detection in the non-pkg-config path.
- make `GNUTLS_INCLUDE_DIR` and `GNUTLS_LIBRARY` take precedence over
pkg-config. As with other dependencies.
- document the above two configuration options.
- prepare for #16973, which originally introduced this local Find
module.
The local module is doing largely the same as CMake's built-in
FindGnuTLS. Differences:
- honors `CURL_USE_PKGCONFIG`.
- returns GnuTLS version for non-pkg-config detection.
- consistently returns `GNUTLS_VERSION`.
(CMake's built-in uses s different name in <3.16.)
- CMake 3.16+ returns an imported target. curl supports 3.7,
therefore we may only use it conditionally, which isn't worth it.
Stefan Eissing [Mon, 20 Oct 2025 09:51:20 +0000 (11:51 +0200)]
cf-socket: give information when unable to open socket
Give ERRNO explanation in a failf() when unable to open a socket.
Helps in finding out what the issue preventing your curl to work
really is. Just had a wrong ulimit after a sys update.
Viktor Szakats [Fri, 10 Oct 2025 15:44:25 +0000 (17:44 +0200)]
socks_gssapi: replace `gss_release_buffer()` with curl free for buffers owned by libcurl
Before this patch, this code used to call `gss_release_buffer()` on
objects with buffers allocated via curl's allocator.
`gss_release_buffer()` calls system (or Win32) free on these buffers,
which may mismatch with curl's allocator. To fix it, align these calls
with the pattern used in vauth modules, by replacing
`gss_release_buffer()` with curl free to release the buffers.
Use `Curl_safefree()` to set the freed pointer to NULL, as
`gss_release_buffer()` did.
Viktor Szakats [Mon, 20 Oct 2025 12:02:06 +0000 (14:02 +0200)]
GHA/curl-for-win: drop libssh
Switch back to default libssh2.
The distribution server has reliability issues (this time it works
locally though):
```
++ curl [...] --output pkg.bin https://www.libssh.org/files/0.11/libssh-0.11.3.tar.xz --output pkg.sig https://www.libssh.org/files/0.11/libssh-0.11.3.tar.xz.asc
curl: (92) HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2) [4x]
```
Ref: https://github.com/curl/curl/actions/runs/18651134321/job/53169147048#step:3:2391
Daniel Stenberg [Sun, 19 Oct 2025 14:12:56 +0000 (16:12 +0200)]
tool_operate: return error on strdup() failure
In src/tool_operate.c inside the Windows safe-search branch (#ifdef
CURL_CA_SEARCH_SAFE), the code assigns config->cacert = strdup(cacert);
at line 2076 without checking whether strdup returned NULL.
This would allow the code to continue with the wrong value set, causing
possible confusion.
Daniel Stenberg [Sun, 19 Oct 2025 14:40:11 +0000 (16:40 +0200)]
lib: add asserts that hostname has content
For all network related protocols there must be a non-blank hostname
used. This change adds a few asserts in some places to make debug/tests
catch mistakes if any such would slip in.
Viktor Szakats [Sun, 19 Oct 2025 19:15:55 +0000 (21:15 +0200)]
GHA/windows: drop `git config core.autocrlf input` steps
CI works without it now. For an inexplicable reason, this single `git`
command took 9 seconds per job, making this patch save more than
2 minutes per workflow run. It was also the only step using PowerShell.
Viktor Szakats [Mon, 13 Oct 2025 20:46:49 +0000 (22:46 +0200)]
mod_curltest: tidy-ups and small fixes
- honor request id (`id=<number>`) in `curltest/put` and
`curltest/sslinfo` handlers.
- do not truncate `max_upload` input parameter.
- delete unused variables.
- formatting.
ngtcp2: adopt ngtcp2_conn_get_stream_user_data if available
Adopt ngtcp2_conn_get_stream_user_data which has been available since
ngtcp2 v1.17.0. This improves the time complexity of searching
h3_stream_ctx from O(n) to O(1) where n is the number of stream.
Viktor Szakats [Sat, 18 Oct 2025 11:08:53 +0000 (13:08 +0200)]
cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
- do not pre-fill `HAVE_LINUX_TCP_H` on Linux.
`linux/tcp.h` is a Linux kernel userspace header. It's likely
installed when using glibc and likely missing by default when using
something else, e.g. MUSL (e.g. on Alpine).
Therefore always detect it for Linux targets, and only pre-fill it for
non-Linux ones.
- do not pre-fill `HAVE_GLIBC_STRERROR_R` on Linux.
To fix it for non-glibc envs, e.g. MUSL (e.g. on Alpine).
Note, the pre-fill option is a disabled by default, internal option and
strongly not recommended outside of curl development.
Daniel Stenberg [Sat, 18 Oct 2025 09:58:36 +0000 (11:58 +0200)]
tool_formparse: rewrite the headers file parser
The -F option allows users to provide a file with a set of headers for a
specific formpost section. This code used old handcrafted parsing logic
that potentially could do wrong.
Rewrite to use my_get_line() and dynbuf. Supports longer lines and
should be more solid parsing code.
Gets somewhat complicated by the (unwise) feature that allows "folding"
of header lines in the file: if a line starts with a space it should be
appended to the previous.
The previous code trimmed spurious CR characters wherever they would
occur in a line but this version does not. It does not seem like
something we want or that users would expect.
Viktor Szakats [Tue, 14 Oct 2025 15:43:48 +0000 (17:43 +0200)]
krb5: fix `output_token` allocators in the GSS debug stub (Windows)
Before this patch system `malloc()`/`free()` were used to allocate
the buffer returned in the `output_token` object from the debug stub
of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in
debug-enabled libcurl builds. This object is later released via stock
`gss_release_buffer()`, which, in the Windows builds of MIT Kerberos,
doesn't use the system `free()`, but the Win32 `HeapFree()`.
Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and
`gssalloc_free()` from `gssapi_alloc.h`.
To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs `gssapi_alloc.h` for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.
Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for `gssapi_alloc.h` is impossible
without build-level logic. Built-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)
Daniel Stenberg [Fri, 17 Oct 2025 15:05:08 +0000 (17:05 +0200)]
rustls: make read_file_into not reject good files
For files with sizes using an exact multiple of 256 bytes, the final
successful read(s) filled the buffer(s) and the subsequent fread
returned 0 for EOF, which caused read_file_into to fail.
Now, it needs to return 0 and not be EOF to be an error.
Stefan Eissing [Fri, 17 Oct 2025 08:59:11 +0000 (10:59 +0200)]
ngtcp2: add a comment explaining write result handling
The choice to continue processing incoming data although the
writeout of the headers/data failed is not obvious. Add a comment
explaining why this is done.
Stefan Eissing [Fri, 17 Oct 2025 09:48:35 +0000 (11:48 +0200)]
test_16: adjust timing expectations
In MOST protocols and runs, the 'pretransfer' time is less than the
'starttransfer'. E.g. request being sent before response comes in.
However, when curl is starved of cpu a server response might start
streaming in before the multi-state transitioned to DID (and recorded
the 'pretransfer' time).
Do no longer check that 'pretransfer' is less or equal 'starttransfer'.
Check that is is less or equal to the total time instead.
projects / thirdparty / curl.git / log
