Stefan Eissing [Mon, 15 Jun 2026 15:13:00 +0000 (17:13 +0200)]
cf-https-connect: do not engage on proxy origin
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Dave Walker [Mon, 15 Jun 2026 11:57:42 +0000 (12:57 +0100)]
cookie: use origin scheme for secure context check
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additonal PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Viktor Szakats [Mon, 15 Jun 2026 19:27:51 +0000 (21:27 +0200)]
servers: silence `-Wunused-result` with pragma
In some configurations the `write()` functions gets the
`warn_unused_result` attribute, that makes casting to `(void)`
ineffective to silence this warning. Seen with glibc, in 5 CI jobs.
The warning option appeared in GCC 4.5 and comes enabled by default.
```
tests/server/util.c:329:5: error: ignoring return value of ‘write’ declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
329 | write(STDERR_FILENO, msg, sizeof(msg) - 1);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/27548333990/job/81427544632
Viktor Szakats [Mon, 15 Jun 2026 09:47:05 +0000 (11:47 +0200)]
curl_formdata: fix to pass long where missing, document `CURLFORM_NAMELENGTH`
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b312476f1e63b298106f942079b5afe8
Viktor Szakats [Mon, 15 Jun 2026 09:18:14 +0000 (11:18 +0200)]
servers: accept `lstat()` failing due to the file missing
In `bind_unix_socket()`, before retrying `bind()`.
Before this patch the code wanted to check if the to-be-deleted unix
socket path was indeed a socket, before deleting it and retrying to
bind. If `lstat()` failed for any reason, it skipped retry. Fix to retry
if `lstat()` failed because of the file missing.
Stefan Eissing [Mon, 15 Jun 2026 08:19:56 +0000 (10:19 +0200)]
ratelimits: use minimal burst rate
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Daniel Stenberg [Mon, 15 Jun 2026 11:52:52 +0000 (13:52 +0200)]
src/test: avoid (void)! constructs
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.
While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.
It is rather a reason to reconsider the usefulness of the warning.
Viktor Szakats [Mon, 15 Jun 2026 11:11:30 +0000 (13:11 +0200)]
servers: drop unix socket path attribute check on Windows
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.
Viktor Szakats [Thu, 11 Jun 2026 22:33:40 +0000 (00:33 +0200)]
tidy-up: miscellaneous
- `N byte` -> `N-byte` or `N bytes`.
- INTERNALS.md: language tweaks.
- schannel: language tweak in comment/error message.
- socks_gssapi, socks_sspi: simplify composing an error message.
(at a cost of 8 extra constant string bytes.)
- m4/curl-compilers.m4: fix typo in link (in comment).
- contrithanks.sh: fix indent, drop stray `;` terminator.
- lib, src, tests: drop/fix a bunch of badwords.
- fix typos in comments.
- fix indent, stray spaces.
Some of these spotted by GitHub Code Quality and Copilot
Daniel Stenberg [Sun, 14 Jun 2026 10:44:44 +0000 (12:44 +0200)]
socks_sspi: store socks5_gssapi_enctype
Store the unwrapped protection level in `conn->socks5_gssapi_enctype` to
prevent the proxy from contuning unprotected. Matches the GSSAPI version
of the code.
Viktor Szakats [Sun, 14 Jun 2026 12:36:24 +0000 (14:36 +0200)]
servers: minor socket error handling fixes
- sws: fix socket error code in `select()` failure message.
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409469444
- sws: do not call `SOCKERRNO` twice on error.
- dnsd: do not call `SOCKERRNO` twice on error.
- dnsd: replace `goto` with `while()` to sync with rest of code.
- dnsd: `sendto()` fail message fixes:
- replace `int` cast with `%zu` mask.
- drop redundant newline.
- show socket error string like rest of code.
- report not-fully-sent error separately from socket errors.
Viktor Szakats [Sun, 14 Jun 2026 12:29:13 +0000 (14:29 +0200)]
rtspd: sync up sleep loop with sws
Check for `!got_exit_signal` as part of the `while()` expression,
instead of doing it after calling `curlx_wait_ms()`. To simplify and
improve consistency with rest of code.
Spotted by Copilot in `socksd.c`
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409395013
Follow-up to 80eb71a3f5146f2ab5c5f8d8655d6861b5472668 #8687
Saud Alshareef [Fri, 12 Jun 2026 02:02:04 +0000 (05:02 +0300)]
ldap: base64 encode binary LDIF values with WinLDAP
The WinLDAP backend only base64 encoded LDAP values when the attribute
name ended in ;binary. This made attributes such as jpegPhoto get
written as raw bytes, producing malformed LDIF output.
Match the OpenLDAP backend by also base64 encoding values with leading
or trailing blanks or non-printable bytes.
Fixes #21926 Reported-by: oreadvanthink on github
Closes #21982
Daniel Stenberg [Fri, 12 Jun 2026 12:37:55 +0000 (14:37 +0200)]
sspi: free libcurl allocated memory with curlx_free
DecryptMessage() decrypts the buffer in place, overwriting the original
contents. It does not allocate any new buffer so the single original
buffer should be freed using the same memory "system" that allocated it.
Stefan Eissing [Fri, 12 Jun 2026 10:02:08 +0000 (12:02 +0200)]
lib: transfer origin and proxy handling
Add `data->state.origin` as the origin the transfer is sending the
current request to/gets the response from. Use it for request specific
properties like authentication, hsts and cookie handling, etc.
Unless talking to a forwarding HTTP proxy (e.g. not tunneling),
`data->state.origin` and `conn->origin` are the same.
With a forwarding HTTP proxy in play, `conn->origin` is set to
`conn->http_proxy.peer` and `conn->bits.origin_is_proxy` (a new bit) is
set.
Viktor Szakats [Sun, 7 Jun 2026 23:21:44 +0000 (01:21 +0200)]
socket: introduce `SOCK_EAGAIN()` and use it
To contain the logic of checking for both `EWOULDBLOCK` and/or `EAGAIN`
depending on platform/availability. Also to avoid checking for both if
they mapp to the same value, and to avoid PP guards around use.
This also ensures `EAGAIN` is consistently not checked on Windows, where
headers defined it, but `SOCKERRNO` never returns it, because curl maps
it to `WSAGetLastError()`.
If they map to the same value, checking them both in an `if` expression
trips GCC warning `-Wlogical-op` (the same way it triggers duplicate
case value error in `switch`).
Also:
- replace two `switch()` statements with the new macro.
- tests/server/sws: make two outliers use the new macro that were only
checking for `EWOULDBLOCK` before this patch, in `connect_to()`.
- move variables to the left-side of expressions, where missing.
- rustls: use a variant of this macro that uses raw `EWOULDBLOCK`.
Tried tracing it back to the origins, but I couldn't figure out if
this is working as expected on all supported Windows versions in
Rust. It seems to be using `GetLastError()`, according to
https://docs.rs/system_error/0.2.0/system_error/, which would be
probably incorrect.
Notes:
- it's probably a good idea to assign `SOCKERRNO` to a variable before
passing it to this macro.
Viktor Szakats [Fri, 12 Jun 2026 15:51:22 +0000 (17:51 +0200)]
AmigaOS: fix build fallouts, re-add to CI
Fix build issues:
- src: adjust `toolx_ftruncate()`.
- libtests/cli_ftp_upload: make `struct timeval` initialization portable.
- libtests/lib1960: do unconst in local `inet_pton()` macro.
- tests/server/dnsd: make it stub instead of failing the build.
- tests/server: make them link AmiSSL for `SocketBase`.
Also:
- bump AmiSSL to the latest release.
- add download hash checks and toolchain cache.
- sync restored code with local updates made since last year.
Stefan Eissing [Fri, 12 Jun 2026 10:33:44 +0000 (12:33 +0200)]
schannel: fix https proxy for client cert and certinfo
When schannel operates in front of a proxy, it needs to use the proxy
ssl configs, not the transfers ones. Choose the configs as it is done in
other TLS backends.
Prior to this change the client cert for the destination was mistakenly
also used as the client cert for the proxy.
Prior to this change the proxy server certificate info was mistakenly
saved as the destination cert info. However, if the destination was a
TLS connection, the real destination cert info would overwrite the
proxy cert info. libcurl currently does not support proxy server cert
info AFAICT (see discussion in #21986).
Viktor Szakats [Thu, 11 Jun 2026 22:42:55 +0000 (00:42 +0200)]
telnet: fix old copy-paste typo in variable name
This code lacks tests, though we agreed it looks plausible enough to
merge it based on surrounding code. Even though this line has been
present for a long time. If you use this code, please report any results
or issues.
Darren Banfi [Fri, 12 Jun 2026 11:12:06 +0000 (12:12 +0100)]
AmigaOS: curl_setup.h avoid explicit_bzero with clib2
clib2 defines __NEWLIB__ after its system headers are included, but it
does not provide explicit_bzero().
curl therefore selects the explicit_bzero() path and fails to build with
m68k-amigaos-gcc:
```
../lib/curl_setup.h:1650:35: error: implicit declaration of function 'explicit_bzero' [-Werror=implicit-function-declaration]
1650 | #define curlx_memzero(buf, size) explicit_bzero(buf, size)
| ^~~~~~~~~~~~~~
curlx/strdup.c:115:5: note: in expansion of macro 'curlx_memzero'
115 | curlx_memzero(buf, size);
| ^~~~~~~~~~~~~
```
Excluding __CLIB2__ from the generic __NEWLIB__ branch makes curl use
its existing portable curlx_memzero() fallback. The full AmigaOS build
then completes successfully.
I've tested the following on Amiga OS 3.2.3 with this patch and latest
build.
- HTTP and HTTPS transfers
- AmiSSL certificate handling
- redirects
- downloads and file output
- timeout handling with the expected exit code 28
- repeated execution with clean exits
- no crashes or regressions observed
Viktor Szakats [Fri, 12 Jun 2026 00:13:03 +0000 (02:13 +0200)]
GHA: drop `brew update` from all jobs
After adding it a month ago (where missing) to fix a failure.
Removing this time to fix a different failure (on Linux), and also to
improve CI performance. Some install steps take over a minute, most of
that spent on `brew update`.
GH runner images also enabled extra taps which may contribute to further
delays, and seen to make it more fragile if GH itself struggles (taps
are hosted there.)
Daniel Stenberg [Thu, 11 Jun 2026 14:58:28 +0000 (16:58 +0200)]
libtests: add and use tutil_throwaway_cb
This is an implementation of a CURLOPT_WRITEFUNCTION callback that just
throws away the content and returns success. Saves us from having to
reimplement it many times in different tests.
Fabian Keil [Sun, 7 Jun 2026 11:52:46 +0000 (13:52 +0200)]
tests: add the "--resolve" keyword to tests that lack it
... even though they use the curl option "--resolve".
This makes it more convenient to choose or skip the tests.
For example Privoxy's cts test framework relies on the "--resolve"
keyword when executing the "upstream-tests" scenario to skip curl
tests that aren't expected to work when the requests are made through
Privoxy. While some of the modified tests are already skipped for
other reasons through other means when testing Privoxy, it's good to
be consistent.
Viktor Szakats [Thu, 11 Jun 2026 15:41:21 +0000 (17:41 +0200)]
GHA/windows: bump Cygwin Action and adjust version number
It seems the commit hash behind the v6.1 tag is changing, and the latest
version is actually v6.0.2, which is currently mapped to the v6.1 hash.
Fixing:
```
warning[ref-version-mismatch]: action's hash pin has mismatched or missing version comment
--> .github/workflows/windows.yml:98:87
|
98 | - uses: cygwin/cygwin-install-action@711d29f3da23c9f4a1798e369a6f01198c13b11a # v6.1
| --------------------------------------------------------------------------- ^^^^ points to commit 3f0a3f9f988f
| |
| is pointed to by tag v6.0.1
```
Stefan Eissing [Thu, 11 Jun 2026 07:37:46 +0000 (09:37 +0200)]
h3proxy: no stream userdata
Do not set the easy handle opening a proxy tunnel as userdata on the
stream. The ease handle might go out of scope long before the tunnel
stream is closed.
Viktor Szakats [Thu, 16 Apr 2026 08:52:57 +0000 (10:52 +0200)]
build: enable `-Wformat-signedness`, fix issues found
Adjust code to avoid `-Wformat-signedness` warnings, while making sure
that enums are always cast to a known type when passing them to `printf`
functions, to support compilers and compiler settings where enums are
not default-size signed ints.
- cast integers printed as hex to `unsigned`. (63 times, 20 of them in
`mbedtls.c`)
- cast misc enums to `int` for printing. (31 times)
- cast `CURL_LOCK_DATA_*` enums to `int`. (4 times)
- cast `CURL_FORMADD_*` enums to `int`. (13 times)
- cast `CURLSHE_*` enums to `int`. (3 times)
- cast `CURLUE_*` enums to `int`. (33 times)
- cast `CURLMSG_*` enums to `int`. (6 times)
- cast `CURLE_*` enums to `int`. (~380 times)
- unit1675: fix mask.
Follow-up to 7c34365ccea19949317878c7fcd5f7376e2e09f1 #21879
Stefan Eissing [Fri, 5 Jun 2026 10:55:50 +0000 (12:55 +0200)]
ngtcp2: share common functionality
Share common functions/structs between ngtcp2 HTTP/3 and the proxy
version.
Fix bugs in proxy implementation when it comes to stream and pollset
handling and transfer lifetimes.
Curl_multi_xfer_sockbuf_borrow: work without multi
When a connection gets shutdown by a share, the easy handle used is
share->admin and it does not have a multi handle. In that case let
Curl_multi_xfer_sockbuf_borrow() allocate a buffer to be freed on
release.
This happens when a TLS filter sends its last notify through a HTTP/3
proxy tunnel.
Viktor Szakats [Tue, 9 Jun 2026 17:57:38 +0000 (19:57 +0200)]
appveyor: bump 3 VS2022 jobs to VS2026
Also:
- install CMake 4.2.1 manually for VS2026 jobs, because the preinstalled
version (4.1.2) does not yet support the compatible generator.
- VisualStudioSolution VS2010 job to VS2015 worker image (from VS2013).
VS2013 is no longer listed on the AppVeyor support page.
- downgrade OpenSSL to 3.5 (from 3.6) for the VS2022 job, to add
variation.
Note: the jobs run much slower after bumping to VS2026. This seems to be
due slower configure and build steps.
Daniel Stenberg [Tue, 9 Jun 2026 12:25:51 +0000 (14:25 +0200)]
tests: enhance names, remove duplicates
- test 1030: remove, duplicate of 154
- test 1105: make name unique
- test 161: make name reflect what it tests
- test 2074: correct the name
- test 310: improve name
- test 358: correct the name
- test 409: removed, duplicate of 401
- test 472: clarify the test name (how it differs from 439)
- test 1509: update name
- test 527: duplicate of 526
- test 758: separate the name from 530
- test 611: duplicate of 608, remove
- test 639: adjust the name
- test 688: minor name tweak to clarify
- test 708: enhance name
- test 800/847: clarify the names
- test 1520: dedupe the name
- test 962: enhance name
- test 1196/2203: enhanced names
- test 1211: name tweak
- test 1256/1257: enhance the names
- test 1483: fix name
- test 1541: fix name
- test 1553: fix name
- test 1609: removed, exact duplicate of 1607
- test 2200: fix name
- test 3031: corret the name
- test 3016/3203: fix names and keywords
- test 3201/3220: enhance names
- test 3212: fix name
- add missing FILE keywords
- drop FAILURE as keyword
projects / thirdparty / curl.git / log
