From 61dcb56743e5e4a6a014b6e30b6d61c75355ff17 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 14 Oct 2025 10:49:53 +0200
Subject: [PATCH] openldap: explain a const removing typecast

Closes #19056
---
 lib/openldap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/openldap.c b/lib/openldap.c
index fb771161d6..b8afe99529 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -468,6 +468,10 @@ static CURLcode oldap_perform_mechs(struct Curl_easy *data)
 
   if(!li)
     return CURLE_FAILED_INIT;
+  /* Casting away the const for the 3rd parameter that the LDAP API expects as
+     a non-const char ** is potentially unsafe but we believe the lack of
+     const in the API was an oversight and that no LDAP implementation
+     actually modifies the input. */
   rc = ldap_search_ext(li->ld, "", LDAP_SCOPE_BASE, "(objectclass=*)",
                        (char **)CURL_UNCONST(supportedSASLMechanisms), 0,
                        NULL, NULL, NULL, 0, &li->msgid);
-- 
2.47.3