Daniel Stenberg [Thu, 30 Oct 2025 10:32:15 +0000 (11:32 +0100)]
base64: make base64_encode() error on too long input
The maximum size is set to 16MB.
It should not possible to call this function with this large input, but
this is a precaution to catch mistakes and replaces the earlier check on
architectures with small size_t.
TheBitBrine [Sun, 26 Oct 2025 04:39:02 +0000 (04:39 +0000)]
imap: fix custom FETCH commands to handle literal responses
Custom IMAP commands using -X (e.g. 'FETCH 123 BODY[1]') were only
returning the first line of responses containing literals, instead of
the full multi-line body data.
The issue was that custom commands route through imap_perform_list()
and imap_state_listsearch_resp(), which didn't detect or handle IMAP
literal syntax {size}.
This commit adds literal detection to imap_state_listsearch_resp():
- Detects literal syntax {size} in untagged responses
- Writes the response header line containing the literal marker
- Handles any literal body data already in the pingpong buffer
- Sets up transfer layer to read remaining literal data from socket
- Configures maxdownload and transfer size to include header + body
- Initializes pp->overflow to 0 when no buffered data present
- Modifies imap_done() to transition to FETCH_FINAL for custom
commands that set up downloads
Stefan Eissing [Wed, 29 Oct 2025 08:48:50 +0000 (09:48 +0100)]
ngtcp2: overwrite rate-limits defaults
In pytests test_08 with the Caddy server, the new rate-limiting in
ngtcp2 did close the connection because it found "too many" stream data
packet repeats.
It is unclear if this is some Caddy issue or if the ngtcp2 implementaton
is wrong. Or if curl can do anything here.
Reported as https://github.com/ngtcp2/ngtcp2/issues/1850
This PR overwrites the ratelimit defaults in ngtcp2 with ten times
increased values. This makes the errors disappear on macOS.
Enable test_08_04/05 in CI again to see if there are any issues
to be found there. (We had those disabled before having parallel
pytests.)
Stefan Eissing [Mon, 27 Oct 2025 09:33:41 +0000 (10:33 +0100)]
ssl-session-cache: check use on config and availability
Replace the check if a ssl session cache is configured with
a function checking if it is configured *and* if an ssl session
cache is available.
During normal operations, a session cache is always there, however
for "connect-only" transfers this might not be the case. When such
transfers receive new sessions/tickets, they need to silently
discard those and not fail.
Reported-by: Marc Aldorasi
Fixes https://github.com/curl/curl/issues/18983
Closes https://github.com/curl/curl/pull/19251
Jay Satiro [Sun, 19 Oct 2025 15:42:37 +0000 (11:42 -0400)]
tool_operate: move the checks that skip ca cert detection
- Move the checks into the function that needs them, cacertpaths().
Prior to this change the caller made the determination whether to skip
calling cacertpaths for cert detection. However for posterity it is
better to have the checks in cacertpaths since other code could call it.
Stefan Eissing [Mon, 27 Oct 2025 11:16:59 +0000 (12:16 +0100)]
TLS: IP address verification, extend test
Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.
wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().
Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.
TheBitBrine [Sun, 26 Oct 2025 03:15:07 +0000 (03:15 +0000)]
pop3: fix CAPA response termination detection
The code was checking if a line starts with '.', which would
incorrectly match capability names starting with dots. Per RFC 2449,
the terminator must be a line containing only a single dot.
RFC 2449 also explicitly excludes '.' from valid capability name
starting characters, so this is purely theoretical, but the code
should match the spec.
Changed to check for exact match: line length of 3 with '.\r' or
length 2 with '.\n' to handle both CRLF and LF-only servers.
Daniel Stenberg [Thu, 23 Oct 2025 14:25:24 +0000 (16:25 +0200)]
schannel: lower the maximum allowed time to block to 7 seconds
During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.
Viktor Szakats [Fri, 24 Oct 2025 16:34:35 +0000 (18:34 +0200)]
mbedtls: fix building with sha-256 missing from PSA
Fixing:
```
lib/vtls/mbedtls.c:1505:10: error: call to undeclared function 'Curl_sha256it'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
1505 | return Curl_sha256it(sha256sum, input, inputlen);
| ^
1 error generated.
```
Viktor Szakats [Fri, 24 Oct 2025 11:44:44 +0000 (13:44 +0200)]
GHA/fuzz: try fixing concurrency group deadlock
```
Fuzzer
Canceling since a deadlock was detected for concurrency group:
'Fuzzer-82fa9862dfa3083d4014d6dcfb721a7278e66f0b' between a top level workflow and 'Fuzzing'
```
https://github.com/curl/curl/actions/runs/18778617351
Viktor Szakats [Fri, 24 Oct 2025 11:02:55 +0000 (13:02 +0200)]
GHA: set `concurrency:` where missing
To silence zizmor 1.16.0 warnings.
Also:
- http3-linux: replace hard-coded workflow name with variable.
Follow-up to a8174176b5425c5692b55b78e40aef3a2331155f #13841
- codeql: set `cancel-in-progress: true`.
zizmor apparently does not allow `false` in pedantic mode anymore:
https://github.com/zizmorcore/zizmor/pull/1227
- codeql: sync concurrency setting with the rest of the jobs.
(I'm not sure this is correct, or why it was previously special-cased.)
Expressions used (before and after this patch):
- `group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}`
for GHA/appveyor-status.
- `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}`
for all the rest.
Viktor Szakats [Thu, 23 Oct 2025 20:08:53 +0000 (22:08 +0200)]
NTLM: disable if DES support missing from OpenSSL or mbedTLS
Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensure that `-V` output matches
the preview.
OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.
Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.
Also:
- drop NTLM feature check from `curl_setup.h` in favour of autotools/
cmake feature macros. This makes `curl_setup.h` no longer need
to include an mbedTLS header, which in turn makes tests/server build
without depending on mbedTLS.
Fixing, in #16973:
```
In file included from tests/server/first.h:40,
from bld/tests/server/servers.c:3:
lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
741 | #include <mbedtls/version.h>
| ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973
Ref: #19181 (initial fix idea)
Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- move back mbedTLS header include and version check from
`curl_setup.h` to each source which consumes mbedTLS.
Viktor Szakats [Thu, 23 Oct 2025 22:55:37 +0000 (00:55 +0200)]
mbedtls: fix building with <3.6.1
```
lib/vtls/mbedtls.c:786:3: error: call to undeclared function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
786 | mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
| ^
lib/vtls/mbedtls.c:787:5: error: use of undeclared identifier 'MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED'; did you mean 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH'?
787 | MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH
dep/mbedtls-3.4.0/_pkg/include/mbedtls/ssl.h:700:5: note: 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH' declared here
700 | MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH,
| ^
2 errors generated.
```
Daniel Stenberg [Thu, 23 Oct 2025 14:20:01 +0000 (16:20 +0200)]
connect: for CONNECT_ONLY, CURLOPT_TIMEOUT does not apply
Since using CONNECT_ONLY is by defintion only a connect, we make the
timeleft function return 0 after the connection is done so that it does
not - surprisingly - timeout later.
Daniel Stenberg [Thu, 23 Oct 2025 09:16:03 +0000 (11:16 +0200)]
http: only accept ';' as a separator for custom headers
When parsing incoming headers, they need to have a plain normal colon.
Previously out of convenience we used the same parser function for both
cases (incoming + custom set headers via the API) which made the
function too liberal for incoming HTTP traffic.
Theo Buehler [Thu, 23 Oct 2025 11:12:48 +0000 (13:12 +0200)]
vtls: remove call to PKCS12_PBE_add()
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop
since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE
algorithms to a static table:
https://github.com/openssl/openssl/commit/b8f702a0affa2087758230967b55df504a176774
Stefan Eissing [Wed, 22 Oct 2025 13:04:53 +0000 (15:04 +0200)]
smtp: fix EOB handling
SMTP automatically appends a \n.\n to an upload if there is not already
one at the end of the input. The implementation had a bug where this did
not happen, depending on read size and buffering.
Change test 900 to reproduce the failure. The bug only happened for mail
body input of known length, where EOS was known on the last chunk read.
Change test 900 to use an input file and make it large enough.
Fixes #18798
Closes #19193 Reported-by: madoe on github
Stefan Eissing [Wed, 22 Oct 2025 10:37:59 +0000 (12:37 +0200)]
transfer: fix retry for empty downloads on reuse
When a reused connection did transfer 0 bytes, it assumed the transfer
had failed and needed a retry. Add a check for data->red.done, so we can
successfully accept the transfer of a 0-length file via SFTP.
Add test case 1583 to verfiy.
Fix SFTP disconnect debug trace when there was nothing to
disconnect (like when reusing a connection).
Fixes #19165 Reported-by: Alexander Blach
Closes #19189
Stefan Eissing [Wed, 22 Oct 2025 08:12:54 +0000 (10:12 +0200)]
vquic: fix recvmsg loop for max_pkts
The parameter `max_pkts` was not checked in the recvmsg() implementation
of vquic_recv_packets() as the packter counter was never increased. This
led to the loop running until an EAGAIN was encountered. Which, in any
real case scenario, does no harm as long as libcurl is ingesting packets
faster than a server is able to send them.
However on a slow device and a fast network this could happen and allow
a denial of serice.
Not a real regression as the vulnerable code has never been released.
libcurl 8.16.0 does not have this bug.
Stefan Eissing [Wed, 22 Oct 2025 08:39:58 +0000 (10:39 +0200)]
gnutls: fix re-handshake comments
With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a
key update in TLSv1.3. This had been made non-blocking in a1850ad7debe33fded6367e34d5c06be4d51f58e but the comment warning about a
blocking call was not updated.
Stefan Eissing [Wed, 22 Oct 2025 08:00:53 +0000 (10:00 +0200)]
ftp: check errors on remote ip for data connection
Obtaining the remote ip of the control connection to be used for the
data connection can fail. Check that and fail the transfer when that
does not work.
Daniel Stenberg [Mon, 20 Oct 2025 09:34:25 +0000 (11:34 +0200)]
cookie: only count accepted cookies in Curl_cookie_add
The counter used to stop accepting cookies after a certain amount has
been received in a single response would previously also count some
cookies that were not actually accepted as they were discarded after the
counter was increased.
Starting now, the counter is increased only for cookies that were
accepted.
Viktor Szakats [Mon, 20 Oct 2025 21:11:53 +0000 (23:11 +0200)]
cmake: say 'absolute path' in option descriptions and docs
To not have to guess. Also to sync with autotools, which already uses
this wording.
Also:
- replace the stray term 'folder' with 'directory' for consistency.
- store help text in a temp variable to avoid overly long strings
(mandatory in CMake <4.2.0 and can't be trivially split), also
to avoid repeating this string 4 times.
Viktor Szakats [Mon, 20 Oct 2025 13:51:39 +0000 (15:51 +0200)]
cmake: add and use local FindGnuTLS module
Replacing a combination of custom logic in the main script and relying
on CMake's built-in Find module, with code and behavior used for
the rest of dependencies.
Also to:
- add version detection in the non-pkg-config path.
- make `GNUTLS_INCLUDE_DIR` and `GNUTLS_LIBRARY` take precedence over
pkg-config. As with other dependencies.
- document the above two configuration options.
- prepare for #16973, which originally introduced this local Find
module.
The local module is doing largely the same as CMake's built-in
FindGnuTLS. Differences:
- honors `CURL_USE_PKGCONFIG`.
- returns GnuTLS version for non-pkg-config detection.
- consistently returns `GNUTLS_VERSION`.
(CMake's built-in uses s different name in <3.16.)
- CMake 3.16+ returns an imported target. curl supports 3.7,
therefore we may only use it conditionally, which isn't worth it.
projects / thirdparty / curl.git / log
