Daniel Stenberg [Thu, 23 Apr 2026 19:49:50 +0000 (21:49 +0200)]
rustls: fix memory leak on repeated SSLKEYLOGFILE fails
Before this fix, Curl_tls_keylog_open() assigned the environment
variable result to a global keylog_file_name without freeing any prior
allocation. If the file cannot be opened (e.g., permission error)
keylog_file_fp stays NULL, so subsequent calls to Curl_tls_keylog_open
will overwrite keylog_file_name and leak the previous allocation.
Stefan Eissing [Thu, 23 Apr 2026 12:43:11 +0000 (14:43 +0200)]
doh: remove conn->bits.doh
Since we have a new struct instance for each async operation now and
async operation may happen in parallel, remove the connection bit
indicating doh is in progress.
Stefan Eissing [Wed, 22 Apr 2026 13:00:14 +0000 (15:00 +0200)]
multi: enhance pending handles fairness
When trying to connect a pending transfer, remember the `mid` that was
last reactivated and start looking for future pending handles from the
last one forward through the pending bitset.
Background: when many pending handles exist, iterating the bitset always
from the start may become unfair to transfers that were assigned higher
`mid` values.
Fixes #21396 Reported-by: Juan Belón
Closes #21412
Viktor Szakats [Wed, 22 Apr 2026 16:03:32 +0000 (18:03 +0200)]
GHA: delete all apt sources except `ubuntu.sources`
GitHub runners are getting new 3rd-party sources frequntly now, last
week `docker.list`, this week: `google-chrome.sources`. To avoid
playing catch up, allowlist the only one we use: `ubuntu.sources`. If
this is renamed, CI would break. Let's hope this happens much less
often than new sources.
Stefan Eissing [Tue, 21 Apr 2026 13:06:46 +0000 (15:06 +0200)]
async-ares: fix query counter handling
When starting an c-ares query, the provided callback may be invoked
right away, leading to a decrement of `queries_ongoing`. Increment
the counter *before* call c-ares. Otherwise, the `async->done` bit
is not properly set.
Daniel Stenberg [Tue, 21 Apr 2026 07:19:53 +0000 (09:19 +0200)]
parsedate: refactor
- introduce 'struct when' to hold the parser result
- initwhen() initializes a 'struct when'
- datestring() parses strings
- datenum() parses numbers
- datecheck() does some final checks
- tzadjust() adds the time zone offset
- convert math to 64 bit, squeeze into time_t only in the last step,
mktimet() does the time_t storing
Viktor Szakats [Tue, 21 Apr 2026 07:46:45 +0000 (09:46 +0200)]
wolfssl: fix `-Wmissing-prototypes`
Seen with unity, H3, wolfssl with `HAVE_EX_DATA`.
Fixing:
```
lib/vtls/wolfssl.c:412:10: error: no previous prototype for function 'Curl_wssl_cache_session' [-Wmissing-prototypes]
412 | CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
| ^
lib/vtls/wolfssl.c:412:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
412 | CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
| ^
| static
1 error generated.
```
Stefan Eissing [Fri, 17 Apr 2026 08:26:25 +0000 (10:26 +0200)]
Happy Eyeballs: add resolution time delay
HEv3 describes conditions on when first connect attempts shall be
started.
https://www.ietf.org/archive/id/draft-ietf-happy-happyeyeballs-v3-01.html
Chapter 4.2
libcurl now waits 50ms for AAAA and HTTPS results (when requested) to
return before continuing with the connect.
Added HTTPS-RR to the "was resolved" information info message. Changed
logging of HTTPS-RR to a one-liner with RFC 9460 like formatting. This
way the user can see if/what was resolved and used in connecting.
Viktor Szakats [Sun, 19 Apr 2026 23:12:34 +0000 (01:12 +0200)]
openssl: fix unused variable warnings in !verbose builds
Also fix clang-tidy `readability-redundant-control-flow`.
```
lib/vtls/openssl.c:4055:46: error: unused parameter 'reason' [-Wunused-parameter]
4055 | int reason)
| ^
lib/vtls/openssl.c:4279:19: error: variable 'status' set but not used [-Wunused-but-set-variable]
4279 | const char *status = NULL;
| ^
```
Ref: https://github.com/curl/curl/actions/runs/24641388439/job/72045859306?pr=21379
```
lib/vtls/openssl.c:4092:7: error: Value stored to 'rv' is never read [clang-analyzer-deadcode.DeadStores]
4092 | rv = SSL_ech_get1_status(ssl, &inner, &outer);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/vtls/openssl.c:4092:7: note: Value stored to 'rv' is never read
4092 | rv = SSL_ech_get1_status(ssl, &inner, &outer);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
lib/vtls/openssl.c:4112:3: error: redundant return statement at the end of a function with a void return type [readability-redundant-control-flow]
4111 | #endif
| ~~~~~~
4112 | return;
| ^~~~~~~
4113 | }
```
Ref: https://github.com/curl/curl/actions/runs/24642154148/job/72047919525?pr=21379#step:42:186
The combination of a misspelled directory name and failing to check the
result of cd leads to infinite recursion as `make check` simply invokes
itself over and over.
Stefan Eissing [Fri, 17 Apr 2026 13:21:12 +0000 (15:21 +0200)]
pytest: check 429 handling
Add a "limit" handler to httpd that responds 429 after 5 requests and
then 429s all requests for 2 seconds. After which another 4 requests are
served before 429 strikes again.
Stefan Eissing [Thu, 16 Apr 2026 11:44:13 +0000 (13:44 +0200)]
haproxy: use correct ip version on client supplied address
When a user supplies an IP address to use for the HAPROXY protocol,
the IP version reported must be deduced from the address and has
no relation to the IP version used for the upstream connection.
Stefan Eissing [Thu, 16 Apr 2026 07:14:58 +0000 (09:14 +0200)]
pytest_05_09: increase reliability
Test has been flaky due to not waiting for the test server to be
listening. On slow CI systems, the started thread is late and the curl
command gets a refused connection.
Viktor Szakats [Thu, 16 Apr 2026 13:13:25 +0000 (15:13 +0200)]
GHA: drop 3rd-party apt source `docker.list`
Seen on `ubuntu-slim` runners.
Also:
- extend to two jobs to `ls -l` package sources on both ubuntu-latest,
ubuntu-24.04-arm, and ubuntu-slim.
- drop former stray apt source `ondrej-ubuntu-php-noble.sources`.
It's no longer present on the image.
Stefan Eissing [Wed, 15 Apr 2026 08:43:12 +0000 (10:43 +0200)]
urlapi: same origin tests
Add new internal `curl_url_same_origin()` to check if a href has the
same origin as a base URL. Add test cases in test1675 and use this in
http2 push handling.
Daniel Stenberg [Thu, 16 Apr 2026 08:09:59 +0000 (10:09 +0200)]
libssh2: allocate libssh2-friendly memory in kbd_callback
The function libssh2_userauth_keyboard_interactive_ex() calls the
callback and is documented to call free() on the memory returned to
libssh2 from the callback. libcurl can therefore not use the regular
curlx_strdup() for this, as that is not compatible in debug builds or
when curl_global_init_mem() is used.
Daniel Stenberg [Wed, 15 Apr 2026 10:11:54 +0000 (12:11 +0200)]
unittests: cleanups
- make sure all UNITTEST prototypes mark in which unit test they are used,
with "@unittest" markup
- make sure all UNITTEST functions do not use Curl_ prefix, as that is a
prefix we use for global private functions and these functions are static
and therefore not global and the prefix is wrong
- drop UNITTEST for functions not used in unit tests
- make the extract-unit-protos script highlight the above issues if found
- extract-unit-protos now also outputs the unit test number for all the
generated protos in lib/unitprotos.h to aid readers. It also adds the source
file and line number where the proto originates from.
- extract-unit-protos now exits with a non-zero value if any of the above
warnings are triggered
Viktor Szakats [Tue, 14 Apr 2026 15:48:18 +0000 (17:48 +0200)]
GHA/linux: rename mbedtls-prev env to align with Renovate
- rename version env to stay compatible with Renovate `matchStrings`.
- also switch to manual bumps.
Bump rule was wrong, and deemed not worthy the complexity to fix.
Viktor Szakats [Tue, 3 Mar 2026 00:58:29 +0000 (01:58 +0100)]
clang-tidy: enable more checks, fix fallouts
- enable three checks:
- bugprone-invalid-enum-default-initialization
- bugprone-sizeof-expression
- readability-inconsistent-declaration-parameter-name (strict)
- fix remaining discrepancies with arg names in prototypes
and implementation, in strict mode.
- document reason for some checks tested but not enabled.
Viktor Szakats [Mon, 9 Mar 2026 11:27:12 +0000 (12:27 +0100)]
tidy-up: miscellaneous
- examples: sync debug output printf masks.
- INSTALL-CMAKE.md: tidy up section for some options.
- curl_sha512_256: delete comment suggesting an optimization.
- vtls/keylog: scope a variable.
- vtls/openssl: make a source code URL a permalink.
- vtls/schannel: drop redundant parentheses.
- test1119.pl: robustify `$1` -> `$s`.
- sync arg names in comments to match the code.
- tidy up and minor fixes to comments.
- fix formatting/indenting/comment/newline/include nits.
- move `UNITTEST` protos next to definitions, sync their argument names.
- make variables static.
- add parentheses to Perl `open()` calls.
- drop unnecessary double quotes in Perl.
- clang-format.
projects / thirdparty / curl.git / log
