Stefan Eissing [Wed, 1 Oct 2025 09:23:27 +0000 (11:23 +0200)]
openssl-quic: ignore unexpected streams opened by server
HTTP/3 defines "reserved stream types" that are intended to be ignored
by a receiver. This is part of the "greasing" effort that flexes parts
of the protocol that are needed for future extensions.
curl's OpenSSL-QUIC implementation treated all unexpected streams as
an error. Which seems the right thing to do *but* for these reserved types.
However OpenSSL does not expose this type and thus, curl needs to silently
discard all unexpected streams opened by the server to allow interop
with servers that flex the GREASE parts.
Daniel Stenberg [Fri, 26 Sep 2025 12:10:30 +0000 (14:10 +0200)]
cf-socket: tweak a memcpy() to read better
By checking the size of the actual buffer and using that as memcpy
target instead of another union member, this helps readers and static
code analyzers to determine that this is not a buffer overflow.
Viktor Szakats [Wed, 1 Oct 2025 10:12:30 +0000 (12:12 +0200)]
tidy-up: LibreSSL Git repository URLs and local CI builds
Also:
- point the source tarball to a working URL.
The GitHub release page misses the official source tarball for 4.1.1.
- GHA/linux: switch LibreSSL build to cmake (syncing with http3-linux.)
- GHA/macos: drop no longer needed LibreSSL build workaround.
Daniel Stenberg [Wed, 1 Oct 2025 06:19:35 +0000 (08:19 +0200)]
typos.toml: exclude more from typo checks
- exclude visual studio project templates
- exclude test cases
- allow 'proxys' which is used for "secure proxy" in test code
- allow Tru64 and secur32
Viktor Szakats [Mon, 29 Sep 2025 23:27:10 +0000 (01:27 +0200)]
build: avoid overriding system `open` and `stat` symbols
Replace them by `curlx_open()` and `curlx_stat()`.
To make it obvious in the source code what is being executed.
Also:
- tests/server: stop overriding `open()` for test servers.
This is critical for the call made from the signal handler.
For other calls, it's an option to use `curlx_open()`, but
doesn't look important enough to do it, following the path
taken with `fopen()`.
Viktor Szakats [Mon, 29 Sep 2025 23:46:33 +0000 (01:46 +0200)]
checksrc: fix possible endless loop when detecting `BANNEDFUNC`
If the source line had square brackets before the match, the stripping
of the banned function left the original line intact, and repeated the
check on it forever. E.g. with banned function `open` in `lib518.c`:
```c
t518_testfd[0] = open(DEV_NULL, O_RDONLY);
```
Viktor Szakats [Sun, 14 Sep 2025 13:34:18 +0000 (15:34 +0200)]
build: avoid overriding system symbols for fopen functions
By introducing wrappers for them in the curlx namespace:
`curlx_fopen()`, `curlx_fdopen()`, `curlx_fclose()`.
The undefine/redefine/`(function)()` methods broke on systems
implementing these functions as macros. E.g. AIX 32-bit's `fopen()`.
Also:
- rename `lib/fopen.*` to `lib/curl_fopen.*` (for `Curl_fopen()`)
to make room for the newly added `curlx/fopen.h`.
- curlx: move file-related functions from `multibyte.c` to `fopen.c`.
- tests/server: stop using the curl-specific `fopen()` implementation
on Windows. Unicode isn't used by runtests, and it isn't critical to
run tests on longs path. It can be re-enabled if this becomes
necessary, or if the wrapper receives a feature that's critical for
test servers.
Reported-by: Andrew Kirillov
Bug: https://github.com/curl/curl/issues/18510#issuecomment-3274393640
Viktor Szakats [Mon, 29 Sep 2025 20:48:55 +0000 (22:48 +0200)]
tests/server: drop unsafe `open()` override in signal handler (Windows)
Turns out the signal handler on Windows still wasn't signal safe after
the previous round of fix. There is an `open()` call made from there,
and `open` happens to be unconditionally overridden via `curl_setup.h`
on Windows, to its local implementation (`curlx_win32_open()`), which
does memory allocations and potentially other things that are not signal
safe.
This is a temporary fix, till avoiding the override of system symbols
`open` and `stat` on Windows.
FTR this did not fix the CI 2304 errors, diskspace fail or job hangs due
to 0xC0000142 fork failure (it's rare all three occurs in the same run):
https://github.com/curl/curl/actions/runs/18110523584?pr=18774
- fix to append to, not override, previously set linker options when
using `CURL_LIBCURL_VERSIONED_SYMBOLS=ON`. Before this patch, it was
overwriting linker options when using `CURL_CODE_COVERAGE=ON`.
Viktor Szakats [Tue, 16 Sep 2025 17:28:27 +0000 (19:28 +0200)]
tidy-up: miscellaneous
- GHA/checkdocs: rename `spellcheck` job to `pyspelling` to say
the exact tool used.
- GHA/checkdocs: restore a comment.
- GHA/linux: add `-B .` to a cmake configure to avoid warning, and
future breakage.
- autotools: use correct casing for `Schannel`.
- doh: update RFC URL.
- drop redundant parenthesis.
- fix indentation, whitespace.
Viktor Szakats [Wed, 24 Sep 2025 23:54:28 +0000 (01:54 +0200)]
perlcheck: add script, run in CI, fix fallouts
Add script to run all Perl sources through `perl -c` to ensure no
issues, and run this script via GHA/checksrc in CI.
Fallouts:
- fix two repeated declarations.
- move `shell_quote()` from `testutil.pm` to `pathhelp.pm`, to
avoid circular dependency in `globalconfig.pm`.
Stefan Eissing [Mon, 22 Sep 2025 13:48:07 +0000 (15:48 +0200)]
http: handle user-defined connection headers
When there is more than one user-supplied 'Connection: ' header, add
values that curl needs internally to the first one and emit all
subsequent ones thereafter.
Viktor Szakats [Thu, 25 Sep 2025 12:50:15 +0000 (14:50 +0200)]
GHA: use `pyspelling` directly
To avoid depending on Docker Hub, an Docker image and a GitHub Action.
Also to simplify running this check on a local machine.
Pending question if Dependabot and Mend/Renovate will automatically pick
up `requirements-docs.txt`.
Also:
- enable parallel spellchecking. (also to win back the time lost with
installing components directly from Debian and pip.)
- pin `pyspelling`.
- link to official `pyspelling` docs.
Viktor Szakats [Thu, 25 Sep 2025 11:14:36 +0000 (13:14 +0200)]
GHA: bump pip `cryptography`, relax `impacket` version requirement
Bump `cryptography` to a newer version that fixes two known OpenSSL
vulnerabilities reported by Dependabot.
To make it work, also allow `impacket` 0.11.0, because it allows any
pyOpenSSL version, while 0.12.0 pinned it to a single version that
happens to be incompatible with the bugfixed `cryptography` version.
Also: drop spaces from `requirements.txt` files. Bots don't add them,
though they seem to be preferred in the official documentation:
https://pip.pypa.io/en/stable/reference/requirements-file-format/
Stefan Eissing [Tue, 26 Aug 2025 13:54:32 +0000 (15:54 +0200)]
socks: rewwork, cleaning up socks state handling
Restructured the code in the following ways:
* add terminal states SUCCESS and FAILED
* split SOCK4 and SOCK5 states to be more clear
* use `bufq` for send/recv of SOCK messages
* reduce SOCKS4 states, more speaking names
* for most states, move code into static function
* reduce SOCKS5 states, more speaking names
* add helpers for traversing to FAILED state
* add helper to flush bufq
* add hepler to read minimum amount into bufq
Stefan Eissing [Fri, 8 Aug 2025 10:15:25 +0000 (12:15 +0200)]
lib: upgrade/multiplex handling
Improvements around HTTP Upgrade: and multiplex hanndling:
* add `Curl_conn_set_multiplex()` to set connection's multiplex
bit and trigger "connchanged" events
* call `Curl_conn_set_multiplex()` in filters' `CF_CTRL_CONN_INFO_UPDATE`
implementation where other connection properties are updated.
This prevents connection updates before the final filter chain
is chosen.
* rename enum `UPGR101_INIT` to `UPGR101_NONE`
* rename connection bit `asks_multiplex` to `upgrade_in_progress`
* trigger "connchanged" when `upgrade_in_progress` clears
* rename `WebSockets` to `WebSocket` as it is the common term
used in documentation
Daniel Stenberg [Thu, 25 Sep 2025 09:30:24 +0000 (11:30 +0200)]
socks_sspi: bail out on too long fields
A probably unnecessary precaution but since the field sizes are 16 bit in the
protocol this makes sure to fail if they would ever be larger as that would go
wrong.
Daniel Stenberg [Mon, 22 Sep 2025 09:27:27 +0000 (11:27 +0200)]
mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
The mbedtls_ssl_read() function is documented to be able to also return
MBEDTLS_ERR_SSL_WANT_WRITE, so act on that accordingly instead of
returning error for it.
Assisted-by: Stefan Eissing
Reported in Joshua's sarif data
Closes #18682
Daniel Stenberg [Wed, 24 Sep 2025 04:52:52 +0000 (06:52 +0200)]
vssh: drop support for wolfSSH
The implementation was incomplete and lesser than the other backends. No
one ever reported a bug or requested enhancements for this, indicating
that this backend was never used.
Viktor Szakats [Wed, 24 Sep 2025 12:53:18 +0000 (14:53 +0200)]
docs: fix/tidy code fences
- INSTALL.md: fence code to avoid wrong rendering. Reported-by: rinsuki on github Fixes: https://github.com/curl/curl-www/issues/480
- use `sh` instead of `bash` as fence language, for less visual noise.
Daniel Stenberg [Mon, 22 Sep 2025 09:08:43 +0000 (11:08 +0200)]
socks_gssapi: reject too long tokens
If GSS returns a token to use that is longer than 65535 bytes, it can't
be transmitted since the length field is an unisgned 16 bit field and
thus needs to trigger an error.
Viktor Szakats [Wed, 24 Sep 2025 08:16:05 +0000 (10:16 +0200)]
GHA/distcheck: bump timeout for the cmake integration
It may take 1.5 minutes to find the C compiler on macos with old cmake.
The build is also slow due to no unity and Ninja support.
```
Wed, 24 Sep 2025 04:56:51 GMT -- Using CMake version 3.11.4
Wed, 24 Sep 2025 04:58:01 GMT -- The C compiler identification is AppleClang 17.0.0.17000013
Wed, 24 Sep 2025 04:58:02 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Wed, 24 Sep 2025 04:59:33 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -- works
Wed, 24 Sep 2025 04:59:33 GMT -- Detecting C compiler ABI info
Wed, 24 Sep 2025 04:59:35 GMT -- Detecting C compiler ABI info - done
```
Ref: https://github.com/curl/curl/actions/runs/17966736478/job/51100678487?pr=18700#step:10:50
Viktor Szakats [Wed, 24 Sep 2025 08:29:30 +0000 (10:29 +0200)]
GHA/dist: fix number of parallel jobs on macos runner
It was using the global parallel value in cmake integration tests, while
on macos runners, this should be lower by one, as used in other macos
jobs. Performance impact is minimal.
Viktor Szakats [Tue, 23 Sep 2025 13:45:49 +0000 (15:45 +0200)]
GHA/macos: add macos-26, llvm20, gcc15, drop macos-14, gcc14
Number of combo jobs down to 22 from 24.
Also:
- update the version matrix.
- update exclusion matrix.
- include verbose compiler configuration dump.
It makes the Apple-included, default `-I/usr/local/include` visible.
Ref: #18683
Viktor Szakats [Tue, 23 Sep 2025 09:50:23 +0000 (11:50 +0200)]
GHA/linux: fix address sanitizer error output
Same issue as seen earlier in the tsan job. Fix it the same way, by
switching to cmake to avoid autotools' libtool confusing the analyzer.
Ref: 2a46df31fdb91851895bc46d81f0065e6cafc80b #18274
Configuration remains identical. I removed libssh2 from the installed
packages, because it was unused before, but cmake enabled it by default
and libssh2 has memory leaks:
Ref: https://github.com/curl/curl/actions/runs/17941312820/job/51018425159
Fixing:
```
/usr/bin/llvm-symbolizer-18: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-18)
/usr/bin/llvm-symbolizer-18: symbol lookup error: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: undefined symbol: __asan_option_detect_stack_use_after_return
==33900==WARNING: Can't read from symbolizer at fd 3
[..]
==33900==WARNING: Can't write to symbolizer at fd 6
==33900==WARNING: Failed to use and restart external symbolizer
```
Ref: https://github.com/curl/curl/actions/runs/17939949191/job/51013953675?pr=18693
Viktor Szakats [Mon, 22 Sep 2025 16:02:49 +0000 (18:02 +0200)]
cmake: use modern alternatives for `get_filename_component()`
- use `cmake_path()` to query filenames, with CMake 3.20 or upper.
https://cmake.org/cmake/help/v4.1/command/cmake_path.html#query
- use `cmake_host_system_information()` to query the registry,
with CMake 3.24 or upper.
https://cmake.org/cmake/help/v4.1/command/cmake_host_system_information.html#query-windows-registry
Replacing the undocumented method.
- also quote the value passed to `get_filename_component()` where
missing. (Could not cause an actual issue as used in the code.)
Viktor Szakats [Sat, 20 Sep 2025 09:43:59 +0000 (11:43 +0200)]
GHA: enable more options in static analyzer jobs
This is an effort to pass more code through clang-tidt and scan-build
static analyzers. Following CodeQL Linux jobs.
GHA/codeql:
- also build with libssh.
- disable verbose output in build steps.
GHA/linux:
- enable more build options for the clang-tidy and scan-build jobs:
libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls,
mbedtls, wolfssl
Use Linuxbrew where necessary.
- also enable ECH, gssapi in the scan-build job.
- fix 'scanbuild' to be 'scan-build' in the job name.
GHA/macos:
- build with Rustls in the clang-tidy job.
- add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2).
- build with libssh in one of the clang-tidy jobs.
- build with LibreSSL in the MultiSSL clang-tidy job.
- build with heimdal and kerberos in the clang-tidy jobs respectively.
- build with OpenLDAP in one clang-tidy job.
- add support for `skipall`, `skiprun` job options, and use it.
Viktor Szakats [Mon, 22 Sep 2025 09:27:10 +0000 (11:27 +0200)]
libssh: drop two unused assigments
Reported in macOS clang-tidy v21.1.1 build, after enabling libssh in it:
```
lib/vssh/libssh.c
lib/vssh/libssh.c:1342:9: error: Value stored to 'to_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
1342 | to_t = STRE_OK;
| ^
lib/vssh/libssh.c:1342:9: note: Value stored to 'to_t' is never read
lib/vssh/libssh.c:1349:9: error: Value stored to 'from_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
1349 | from_t = STRE_OK;
| ^
lib/vssh/libssh.c:1349:9: note: Value stored to 'from_t' is never read
2 warnings generated.
```
Ref: https://github.com/curl/curl/actions/runs/17909917954/job/50918955923?pr=18660#step:11:182
projects / thirdparty / curl.git / log
