Viktor Szakats [Sat, 18 Oct 2025 11:08:53 +0000 (13:08 +0200)]
cmake: fix Linux pre-fills for non-glibc (when `_CURL_PREFILL=ON`)
- do not pre-fill `HAVE_LINUX_TCP_H` on Linux.
`linux/tcp.h` is a Linux kernel userspace header. It's likely
installed when using glibc and likely missing by default when using
something else, e.g. MUSL (e.g. on Alpine).
Therefore always detect it for Linux targets, and only pre-fill it for
non-Linux ones.
- do not pre-fill `HAVE_GLIBC_STRERROR_R` on Linux.
To fix it for non-glibc envs, e.g. MUSL (e.g. on Alpine).
Note, the pre-fill option is a disabled by default, internal option and
strongly not recommended outside of curl development.
Daniel Stenberg [Sat, 18 Oct 2025 09:58:36 +0000 (11:58 +0200)]
tool_formparse: rewrite the headers file parser
The -F option allows users to provide a file with a set of headers for a
specific formpost section. This code used old handcrafted parsing logic
that potentially could do wrong.
Rewrite to use my_get_line() and dynbuf. Supports longer lines and
should be more solid parsing code.
Gets somewhat complicated by the (unwise) feature that allows "folding"
of header lines in the file: if a line starts with a space it should be
appended to the previous.
The previous code trimmed spurious CR characters wherever they would
occur in a line but this version does not. It does not seem like
something we want or that users would expect.
Viktor Szakats [Tue, 14 Oct 2025 15:43:48 +0000 (17:43 +0200)]
krb5: fix `output_token` allocators in the GSS debug stub (Windows)
Before this patch system `malloc()`/`free()` were used to allocate
the buffer returned in the `output_token` object from the debug stub
of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in
debug-enabled libcurl builds. This object is later released via stock
`gss_release_buffer()`, which, in the Windows builds of MIT Kerberos,
doesn't use the system `free()`, but the Win32 `HeapFree()`.
Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and
`gssalloc_free()` from `gssapi_alloc.h`.
To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs `gssapi_alloc.h` for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.
Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for `gssapi_alloc.h` is impossible
without build-level logic. Built-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)
Daniel Stenberg [Fri, 17 Oct 2025 15:05:08 +0000 (17:05 +0200)]
rustls: make read_file_into not reject good files
For files with sizes using an exact multiple of 256 bytes, the final
successful read(s) filled the buffer(s) and the subsequent fread
returned 0 for EOF, which caused read_file_into to fail.
Now, it needs to return 0 and not be EOF to be an error.
Stefan Eissing [Fri, 17 Oct 2025 08:59:11 +0000 (10:59 +0200)]
ngtcp2: add a comment explaining write result handling
The choice to continue processing incoming data although the
writeout of the headers/data failed is not obvious. Add a comment
explaining why this is done.
Stefan Eissing [Fri, 17 Oct 2025 09:48:35 +0000 (11:48 +0200)]
test_16: adjust timing expectations
In MOST protocols and runs, the 'pretransfer' time is less than the
'starttransfer'. E.g. request being sent before response comes in.
However, when curl is starved of cpu a server response might start
streaming in before the multi-state transitioned to DID (and recorded
the 'pretransfer' time).
Do no longer check that 'pretransfer' is less or equal 'starttransfer'.
Check that is is less or equal to the total time instead.
Viktor Szakats [Wed, 15 Oct 2025 19:01:46 +0000 (21:01 +0200)]
mbedtls: add support for 4.0.0
After this patch libcurl requires (as already documented)
the `curl_global_init()` call when using the `curl_formadd()` API with
mbedTLS.
Note: NTLM is not supported with mbedTLS 4+, because it lacks
the necessary crypto primitive: DES.
Also:
- lib: de-dupe mbedTLS minimum version checks into `curl_setup.h`.
- lib: initialize PSA Crypto as part of `curl_global_init()`.
For MD5, SHA-256, `curl_formadd()`, and MultiSSL builds with mbedTLS
but where mbedTLS isn't the default backend.
- lib1308: fix to call `curl_global_init()` (for the Form API).
- curl_ntlm_core: disable with mbedTLS 4+.
- md4: disable mbedTLS implementation when building against 4.x.
- md5: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- sha256: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- vtls/mbedtls: drop PSA Crypto initialization in favor of
`curl_global_init()`.
- vtls/mbedtls: use PSA Crypto random API with all mbedTLS versions.
- vtls/mbedtls: do the same for the SHA-256 callback.
- autotools: detect mbedTLS 4+, and disable NTLM for 3.x.
- cmake: disable NTLM for mbedTLS 3.x.
- GHA/linux: keep building mbedTLS 3.x manually and use it in
an existing job, while also enabling pytest in it.
- GHA/linux: bump to mbedTLS 4.0.0.
Closes #19075
Closes #19074
Daniel Stenberg [Thu, 16 Oct 2025 19:47:42 +0000 (21:47 +0200)]
openldap: limit max incoming size
Set the maximum allowed size of an incoming LDAP message, which to
OpenLDAP means that it allows malloc() up to this size. If not set,
there is no limit and we instead risk a malloc() failure.
The limit is arbitrarily set to 256K as I can't figure out what a
reasonable value should be.
Stefan Eissing [Tue, 14 Oct 2025 13:53:37 +0000 (15:53 +0200)]
quic: remove data_idle handling
The transfer loop used to check the socket and if no poll events
were seen, triggered a "DATA_IDLE" event into the filters to let
them schedule times/do things anyway.
Since we no longer check the socket, the filters have been called
already and the DATA_IDLE event is unnecessary work. Remove it.
Daniel Stenberg [Wed, 15 Oct 2025 06:42:20 +0000 (08:42 +0200)]
tftp: check for trailing ";mode=" in URL without strstr
RFC 3617 defines two specific modes, "netascii" and "octet". This code
now checks only for those trailing ones - and not in the hostname since
they can't be there anymore.
Stefan Eissing [Tue, 14 Oct 2025 12:39:50 +0000 (14:39 +0200)]
scorecard: add perf support on linux
When calling scorecard with --flame to produce a flamegraph, use
"perf" on linux platforms to do the measurements. Update the scorecard
documentation about it.
Viktor Szakats [Mon, 13 Oct 2025 14:30:18 +0000 (16:30 +0200)]
examples: improve global init, error checks and returning errors
- add `curl_global_init()` and `curl_global_cleanup()` where missing.
- check the result of `curl_global_init()` where missing.
- return the last curl error from `main()`.
- drop Win32-specific socket initialization in favor of `curl_global_init()`.
- rename some outliers to `res` for curl result code.
- fix cleanup in some error cases.
Daniel Stenberg [Sun, 12 Oct 2025 09:15:08 +0000 (11:15 +0200)]
sws: pass in socket reference to allow function to close it
The function service_connection() now passes in a reference to the
socket instead of by value since the sub function http_connect() might
close it and set *infdp = CURL_SOCKET_BAD. This would previously not be
detected when service_connection() returned and potentially cause a
double close of the socket.
Daniel Stenberg [Sun, 12 Oct 2025 09:05:46 +0000 (11:05 +0200)]
libssh/libssh2: reject quote command lines with too much data
If there is lingering letters left on the right side after the paths
have been parsed, they are syntactically incorrect so returning error is
the safe thing to do.
Viktor Szakats [Fri, 10 Oct 2025 21:11:14 +0000 (23:11 +0200)]
cmake: pre-fill three more type sizes on Windows
Use `CMAKE_SIZEOF_VOID_P` to fill the size of three types that differ
on 32 and 64-bit Windows: `curl_socket_t`, `size_t`, and on mingw-w64:
`ssize_t`.
`time_t` remains the only type needing detection at configuration time,
with MSVC or mingw-w64.
Stefan Eissing [Fri, 10 Oct 2025 08:15:38 +0000 (10:15 +0200)]
thread: errno on thread creation
When thread creation fails, the code uses `errno` to remember the cause.
But pthread_create() never sets errno and gives the error as return value.
Fix that by setting the return value into errno on failure.
Windows: I think the ifdef was the wrong way around. Also set a generic
Windows Error code on CE systems.
projects / thirdparty / curl.git / log
