[1] Related parts in `m4/curl-functions.m4` and `configure.ac` might
also be deleted.
[2] Related comment can possibly be deleted in
`packages/vms/generate_config_vms_h_curl.com`.
[3] There are more instances of this in autotools, but I did not dare to
touch those. Looked like it's used to detect socket support.
[4] This is necessary for MFC (Microsoft Foundation Class) DLLs to
force linking MFC components statically to the DLL. `libcurl.dll`
does not use MFC, so we can delete this define.
Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc
Script that can help finding unused settings like above:
```shell
Patrick Monnerat [Tue, 12 Jul 2022 17:03:45 +0000 (19:03 +0200)]
base64: base64url encoding has no padding
See RFC4648 section 5 and RFC7540 section 3.2.1.
Suppress generation of '=' padding of base64url encoding. This is
accomplished by considering the string beginning at offset 64 in the
character table as the padding: this is "=" for base64, "" for base64url.
Also use strchr() to replace character search loops where possible.
Suppress erroneous comments about empty encoding results.
Adjust unit test 1302 to unpadded base64url encoding and add tests for
empty results.
A 'TE: Trailers' header is explicitly replaced by 'te: trailers'
(lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or
HTTP/3 headers. However, this is then replaced again by the original
value due to a bug, resulting in the uppercased version being sent. Some
HTTP/2 servers reject the whole HTTP/2 stream when this is the case.
Viktor Szakats [Sun, 17 Jul 2022 21:45:34 +0000 (21:45 +0000)]
Makefile.m32: stop trying to build libcares.a [ci skip]
Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in
`-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in
2007 [1]. The commit message doesn't specifically address this particular
change. This logic comes from the times when c-ares was part of the curl
source tree, hence the special treatment.
This feature creates problems when building c-ares first, using CMake
and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32`
is missing in such case. A sub-build for c-ares is undesired also when
c-ares had already been build via its own `Makefile.m32`.
To avoid the sub-build, this patch deletes its Makefile rule. After this
patch `libcares.a` needs to be manually built before using it in
`Makefile.m32`. Aligning it with the rest of dependencies.
Daniel Stenberg [Wed, 13 Jul 2022 21:53:05 +0000 (23:53 +0200)]
curl: writeout: fix repeated header outputs
The function stored a terminating zero into the buffer for convenience,
but when on repeated calls that would cause problems. Starting now, the
passed in buffer is not modified.
Reported-by: highmtworks on github
Fixes #9150
Closes #9152
Daniel Stenberg [Wed, 13 Jul 2022 21:46:16 +0000 (23:46 +0200)]
mprintf: make dprintf_formatf never return negative
This function no longer returns a negative value if the formatting
string is bad since the return value would sometimes be propagated as a
return code from the mprintf* functions and they are documented to
return the length of the output. Which cannot be negative.
Fixes #9149
Closes #9151 Reported-by: yiyuaner on github
Viktor Szakats [Thu, 14 Jul 2022 07:14:22 +0000 (07:14 +0000)]
openssl: fix BoringSSL symbol conflicts with LDAP and Schannel
Same issue as here [1], but this time when building curl with BoringSSL
for Windows with LDAP(S) or Schannel support enabled.
Apply the same fix [2] for these source files as well.
This can also be fixed by moving `#include "urldata.h"` _before_
including `winldap.h` and `schnlsp.h` respectively. This seems like
a cleaner fix, though I'm not sure why it works and if it has any
downside.
Daniel Stenberg [Tue, 12 Jul 2022 13:57:02 +0000 (15:57 +0200)]
easy_lock: fix build with icc
The Intel compiler tries to look like GCC *and* clang *and* it lies in
its __has_builtin() function (returns true when it should return false),
so override it.
Reported-by: Matthew Thompson
Fixes #9081
Closes #9144
Viktor Szakats [Mon, 11 Jul 2022 19:41:31 +0000 (19:41 +0000)]
build: improve OS string in CMake and `config-win32.h`
This patch makes CMake fill the "OS string" with the value of
`CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet,
the same we can pass to `./configure` via `--host=`.
For non-CMake, non-autotools, Windows builds, this patch adds the ability
to override the default `OS` value in `lib/config-win32.h`.
With these its possible to get the same OS string across the three build
systems.
Viktor Szakats [Sun, 10 Jul 2022 22:28:14 +0000 (22:28 +0000)]
Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip]
They allow to override the hardcoded values for the `windres` and `strip`
tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables.
`CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and
`CURL_CC=clang` set on current latest debian:unstable or earlier, where
`llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it.
Hopefully this will be fixed in the llvm package. FWIW `llvm-windres`
does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw.
Jay Satiro [Fri, 8 Jul 2022 06:04:35 +0000 (02:04 -0400)]
docs: explain curl_easy_escape/unescape curl handle is ignored
26101421 (precedes 7.82.0) removed character conversion support used by
very old legacy operating systems and since then the curl handle passed
to curl_easy_escape/unescape is always ignored.
Viktor Szakats [Fri, 8 Jul 2022 10:10:04 +0000 (10:10 +0000)]
openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL
BoringSSL doesn't keep a version number, and doesn't self-identify itself
via any other revision number via its own headers. We can identify
BoringSSL revisions by their commit hash. This hash is typically known by
the builder. This patch adds a way to pass this hash to libcurl, so that
it can display in the curl version string:
Viktor Szakats [Wed, 6 Jul 2022 09:22:42 +0000 (09:22 +0000)]
Makefile.m32: add `NGTCP2_LIBS` option [ci skip]
Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
Add `NGTCP2_LIBS` envvar to override them with a custom list,
making it possible to use BoringSSL, or any other backend.
Daniel Stenberg [Mon, 4 Jul 2022 21:22:36 +0000 (23:22 +0200)]
CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the
other way around.
Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias
but since the option is for more protocols than FTP the more "correct"
version of the option is the "server" one so now we switch.
Don [Tue, 28 Jun 2022 22:33:25 +0000 (15:33 -0700)]
cmake: support ngtcp2 boringssl backend
Update the ngtcp2 find module to detect the boringssl backend. Determine
if the underlying OpenSSL implementation is BoringSSL and if so use that
as the ngtcp2 backend.
Viktor Szakats [Mon, 4 Jul 2022 10:26:30 +0000 (10:26 +0000)]
makefile.m32: add support for custom ARCH [ci skip]
When building curl for target platform other than x64 and x86, it is now
possible to pass `ARCH=custom`, that will omit all hardcoded logic for
setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.
This makes it possible to use `makefile.m32` to build for ARM64 for
example.
Viktor Szakats [Mon, 4 Jul 2022 09:40:55 +0000 (09:40 +0000)]
cmake: do not force Windows target versions
The goal of this patch is to avoid CMake forcing specific Windows
versions and rely on toolchain defaults or manual selection instead.
This gives back control to the user. This also brings CMake closer to
how autotools and `Makefile.m32` behaves in this regard.
- CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did
nothing else than fixing the Windows build target to Vista. This also
happened when the toolchain did not have Vista support (e.g. original
MinGW), breaking such builds.
In other environments it did not make a user-facing difference,
because libcurl has its own pton() implementation, so it works well
with or without Vista's inet_pton().
This patch drops this setting. inet_pton() is now used whenever
building for Vista or newer, either when requested manually or by
default with modern toolchains (e.g. mingw-w64). Older envs will fall
back to curl's pton().
- When the user did no select a Windows target version manually, stop
explicitly targeting Windows XP, and instead use the toolchain default.
This may pose an issue with old toolchains defaulting to pre-XP
targets. In such case you must manually target Windows XP via:
`-DCURL_TARGET_WINDOWS_VERSION=0x0501`
or
`-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501`
Reviewed-by: Jay Satiro Reviewed-by: Marcel Raad
Closes #9046
Viktor Szakats [Mon, 4 Jul 2022 09:38:24 +0000 (09:38 +0000)]
windows: improve random source
- Use the Windows API to seed the fallback random generator.
This ensures to always have a random seed, even when libcurl is built
with a vtls backend lacking a random generator API, such as rustls
(experimental), GSKit and certain mbedTLS builds, or, when libcurl is
built without a TLS backend. We reuse the Windows-specific random
function from the Schannel backend.
- Implement support for `BCryptGenRandom()` [1] on Windows, as a
replacement for the deprecated `CryptGenRandom()` [2] function.
It is used as the secure random generator for Schannel, and also to
provide entropy for libcurl's fallback random generator. The new
function is supported on Vista and newer via its `bcrypt.dll`. It is
used automatically when building for supported versions. It also works
in UWP apps (the old function did not).
- Clear entropy buffer before calling the Windows random generator.
This avoids using arbitrary application memory as entropy (with
`CryptGenRandom()`) and makes sure to return in a predictable state
when an API call fails.
Daniel Stenberg [Mon, 13 Jun 2022 07:30:45 +0000 (09:30 +0200)]
setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
... as replacements for deprecated CURLOPT_PROTOCOLS and
CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
32 bit limit the old ones are facing.
CURLINFO_PROTCOOL is now deprecated.
The curl tool is updated to use the new options.
Added test 1597 to verify the libcurl protocol parser.
Kai Pastor [Sat, 2 Jul 2022 07:36:09 +0000 (09:36 +0200)]
cmake: fix build for mingw cross compile
- Change normaliz lib name to all lowercase.
This is from a standing patch in vcpkg:
Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross
builds from Linux), the spelling must match exactly.
Viktor Szakats [Thu, 30 Jun 2022 08:14:29 +0000 (08:14 +0000)]
Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
Delete `-DDEBUGBUILD=0` windres option. This was likely meant to
disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled
it instead. Delete this unnecessary option and thus sync up with
how CMake compiles libcurl.rc by default.
Samuel Henrique [Mon, 27 Jun 2022 21:27:06 +0000 (22:27 +0100)]
libcurl-security.3: fix typo on macro "SH_"
During the packaging of the latest curl release for Debian, Lintian
warned me about a typo which causes the section name "Secrets in memory"
to not be rendered in the manpage due to "SH_" not being recognized as a
header.
Daniel Stenberg [Sun, 26 Jun 2022 09:01:01 +0000 (11:01 +0200)]
test444: test many received Set-Cookie:
The amount of sent cookies in the test is limited to 80 because hyper
has its own strict limits in how many headers it allows to be received
which triggers at some point beyond this number.
Daniel Stenberg [Sun, 26 Jun 2022 09:00:48 +0000 (11:00 +0200)]
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205 Reported-by: Harry Sintonen
Closes #9048
Daniel Stenberg [Thu, 23 Jun 2022 10:02:32 +0000 (12:02 +0200)]
easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
clang 14 warns about its use. It is being deprecated by the working
group for the programming language C: "The macro ATOMIC_VAR_INIT is
basically useless for the purpose for which it was designed"
Tom Eccles [Thu, 23 Jun 2022 09:09:25 +0000 (10:09 +0100)]
ftp: restore protocol state after http proxy CONNECT
connect_init() (lib/http_proxy.c) swaps out the protocol state while
working on the proxy connection, this is then restored by
Curl_connect_done() after the connection completes.
ftp_do_more() extracted the protocol state pointer to a local variable
at the start of the function then calls Curl_proxy_connect(). If the proxy
connection completes, Curl_proxy_connect() will call Curl_connect_done()
(via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
protocol state instead of the http proxy protocol state, but the local
variable in ftp_do_more still pointed to the old value.
Ultimately this meant that the state worked on by ftp_do_more() was the
http proxy state not the ftp state initialised by ftp_connect(), but
subsequent calls to any ftp_ function would use the original state.
For my use-case, the visible consequence was that ftp->downloadsize was
never set and so downloaded data was never returned to the application.
This commit updates the ftp protocol state pointer in ftp_do_more() after
Curl_proxy_connect() returns, ensuring that the correct state pointer is
used.
Jay Satiro [Wed, 22 Jun 2022 07:35:19 +0000 (03:35 -0400)]
curl_setup: include _mingw.h
Prior to this change _mingw.h needed to be included in each unit before
evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
is included only in some mingw headers (eg stdio.h) and not others
(eg windows.h) so it's better to explicitly include it once.
Viktor Szakats [Wed, 22 Jun 2022 09:35:46 +0000 (09:35 +0000)]
rand: stop detecting /dev/urandom in cross-builds
- Prevent CMake to auto-detect /dev/urandom when cross-building.
Before this patch, it would detect it in a cross-build scenario on *nix
hosts with this device present. This was a problem for example with
Windows builds, but it could affect any target system with this device
missing. This also syncs detection behaviour with autotools, which also
skips it for cross-builds.
- Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
fallback random number generator on Windows. Windows does not have the
concept of reading a random stream from a filename, nor any guaranteed
non-world-writable path on disk. With this, a manual misconfiguration or
an overeager auto-detection can no longer result in a user-controllable
seed source.
Emanuele Torre [Wed, 15 Jun 2022 18:00:42 +0000 (20:00 +0200)]
ci: avoid `cmake -Hpath`
This is an undocumented option similar to the `-Spath' option introduced
in cmake 3.13.
Replace all instances of `-Hpath' with `-Spath' in macos workflow.
Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
scripts since it runs an older version of cmake.
Viktor Szakats [Wed, 22 Jun 2022 00:06:48 +0000 (00:06 +0000)]
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
XP when the `-ipv6` option is selected. Maybe this was added to support
pre-XP Windows versions (?). These days libcurl builds fine for both XP
and post-XP versions with IPv6 support enabled. The relevance of pre-XP
version is also low by now. Other build methods also do not impose such
limitation for a similar configuration. So, drop this hard-wired
`_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
Windows version set by the compiler. This is Vista for recent MinGW
versions.
Old behaviour can be restored by setting this envvar:
export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
projects / thirdparty / curl.git / log
