Daniel Stenberg [Mon, 9 Mar 2026 12:32:14 +0000 (13:32 +0100)]
badwords: move into ./scripts, speed up
- 'badwords' is now a target in Makefile.am
- change badwords.txt to specify plain "words" instead of regexes so the
script can build single regexes when scanning, which makes the script
perform much faster (~6 times faster)
Daniel Stenberg [Sat, 7 Mar 2026 10:24:18 +0000 (11:24 +0100)]
cf-socket: ignore SOCK_CLOEXEC etc for socktype equality checks
As the SOCK_CLOEXEC and SOCK_NONBLOCK get ORed to the socktype, this
introduces the cf_socktype() function to use when checking for the
specific socket type: DGRAM or STREAM. The function filters off the
non-type related bits to enable the comparison.
Andrei Rybak [Wed, 4 Mar 2026 09:11:58 +0000 (10:11 +0100)]
FAQ: syntax improvements
During conversion of `docs/FAQ` into Markdown, 'man ld' has incorrectly
kept one of its quotes when it was surrounded by backticks for inline
code formatting. A space on the left of it was lost as well.
Stefan Eissing [Thu, 5 Mar 2026 12:56:49 +0000 (13:56 +0100)]
openssl+ech: workaround for insecure handshakes
OpenSSL 4.0.0-dev supports ECH with one flaw. If peer verification
is not enabled, it will report SSL_ECH_STATUS_BAD_NAME on the ECH
status.
Provide a workaround in libcurl that checks the inner name used in
ECH was the peer's hostname, both verify peer and host are disabled
and then accept the BAD_NAME without failing the connect.
Perform the actual timeout calculation in the blocking resolv
loop each time in the same way, keeping the logic simpler.
The previous version calculated the timeout once, and then
reduced it by the elapsed time spent in polling/processing.
This is unnecessarily complicated.
Viktor Szakats [Fri, 6 Mar 2026 00:51:30 +0000 (01:51 +0100)]
cmake: improve clang-tidy test command-line reproduction
- also query `INTERFACE_COMPILE_DEFINITIONS` and
`INTERFACE_COMPILE_OPTIONS`.
To further sync clang-tidy manual command-lines with the C compiler
command-lines generated by CMake. In practice this adds `-I` options
(via `INTERFACE_COMPILE_OPTIONS`) to the end of the command-line for
dependency header directories. It does not change the outcome of
clang-tidy runs.
- limit querying `COMPILE_DEFINITIONS` and `COMPILE_OPTIONS` to the top
target, the test itself. To not include options such as
`-DCURL_HIDDEN_SYMBOLS` and `-fvisibility=hidden` (when set) via
the libcurl shared lib.
To sync with the actual C compiler command-line.
Viktor Szakats [Fri, 6 Mar 2026 02:42:41 +0000 (03:42 +0100)]
cmake: fix `LOCATION` property read errors in target debug function
Exclude reading certain props for certain target types to avoid these errors:
```
CMake Error at CMake/Utilities.cmake:71 (get_property):
The LOCATION property may not be read from target "...". Use the target
name directly with add_custom_command, or use the generator expression
$<TARGET_FILE>, as appropriate.
```
(and the same in line 78.)
Viktor Szakats [Tue, 3 Mar 2026 17:44:29 +0000 (18:44 +0100)]
examples: improve OpenSSL certificate examples
- add/fix/synchronize error messages and comments.
- consistently return error from the callback on failure.
- fix potential leaks on OpenSSL API failures.
- fix to not pass the nul-terminator to BIO read.
- scope a variable.
- sync code/formatting between the two examples.
Daniel Stenberg [Tue, 3 Mar 2026 16:55:37 +0000 (17:55 +0100)]
curl.h: remove CURLPROTO_MQTTS from the public header
- the value collided with the internal one used for WebSocket
- we add all new ones as internal bits
- bump to 64-bit internal type
- introduce new define for setting all protocols (CURLPROTO_64ALL)
Viktor Szakats [Sun, 1 Mar 2026 15:19:33 +0000 (16:19 +0100)]
cmake: fix building with `CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON`
This CMake global custom option tells it to find dependencies as cmake
Configs first, and only then look for `Find*` modules. This may result
in `find_package()` succeeding, but without actually creating `CURL::*`
imported targets the curl build scripts are expecting.
For dependencies with curl-specific, local, `Find*` modules, we always
want to use them, via the module detection method, and never a
Config-based detection. Ensure this by passing the `MODULE` option to
`find_package()` and `find_dependency()` to make them use `Find*`
modules unconditionally, making them work as expected with the
`CMAKE_FIND_PACKAGE_PREFER_CONFIG=ON` option set.
curl uses local Find modules for all dependencies except OpenSSL and
ZLIB. The latter two keep using either CMake's built-in Find modules or
Config method as before this patch.
Also:
- apply the same change to `curl-config.cmake`. To fix consuming curl
with this option set. Authored-by: Valerie Snyder
Ref: #20764
Follow-up to 16f073ef49f94412000218c9f6ad04e3fd7e4d01 #16973
- GHA/distcheck: add a job testing both building and consuming curl with
this option set. (takes 15 seconds)
Use custom NGHTTP2 configuration for an extra twist (not required
to trigger this issue.)
Follow-up to fcde8d7e3745df3b4d83c86d0a1f0caef398511b #20773
Daniel Stenberg [Sat, 28 Feb 2026 09:48:59 +0000 (10:48 +0100)]
urlapi: use U_CURLU_URLDECODE when toggling it off unsigned
In this use case 'unsigned value &= ~DEFINE;
As otherwise the right side is treated as signed, which annoyingly
triggers UBSan. The U_* defines are local versions of the public define,
only typecast to unsigned.
Reported-by: xmoezzz on github
Fixes #20753
Closes #20769
Viktor Szakats [Mon, 2 Mar 2026 21:47:06 +0000 (22:47 +0100)]
cmake: stop disabling C4774 after replacing `snprintf()`, update comment (MSVC)
- update comment for `-wd4710` option.
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/53627545
- stop suppressing C4774. Not triggered by the replacement call
`vsnprintf()`, as also confirmed by local tests.
Follow-up to https://github.com/curl/curl/commit/192b9214a7cf9082665ce460617308cb4836850b
Ref: https://devblogs.microsoft.com/cppblog/format-specifiers-checking/
Ref: https://learn.microsoft.com/cpp/error-messages/compiler-warnings/compiler-warnings-c4600-through-c4799
If TLS 1.3 is not supported, the call to
`mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets()` fails
during compilation:
```
curl-8.18.0/lib/vtls/mbedtls.c: In function 'mbed_connect_step1':
curl-8.18.0/lib/vtls/mbedtls.c:809:3: error: implicit declaration of function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets' [-Werror=implicit-function-declaration]
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
^
curl-8.18.0/lib/vtls/mbedtls.c:809:3: warning: nested extern declaration of 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets' [-Wnested-externs]
```
Protect this call inside the `#ifdef` block by making sure that support
for TLS 1.3 is defined.
Viktor Szakats [Fri, 27 Feb 2026 15:43:16 +0000 (16:43 +0100)]
curlx: add local `snprintf()` helper that always nul-terminates (Windows)
Make the helper use `vsnprintf()` internally on all supported Windows
toolchains (dropping `_snprintf()` and `snprintf()`), ensure to
nul-terminate. Omit the return value to avoid complexity.
Use the helper from `mprintf.c` / `out_double()`, from tests/server code
and the tests/server-specific build of `curlx_inet_ntop()`,
`curlx_strerror()` functions. In the single call (in tests) where the
returned length was used previously, determine it with `strlen()`.
Viktor Szakats [Sat, 28 Feb 2026 18:28:42 +0000 (19:28 +0100)]
cmake: minor improvements to integration test framework
- add support for separate provider / consumer cmake options in
`find_package` tests. To help test more integration scenarios.
Refs: #20784 #20729 #20764
dependabot[bot] [Sun, 1 Mar 2026 14:58:16 +0000 (14:58 +0000)]
GHA: bump actions and pip dependencies
- update action `actions/cache` from 5.0.1 to 5.0.3
- update action `github/codeql-action` from 4.31.9 to 4.32.4
- update pip `filelock` from 3.20.3 to 3.24.3
- update pip `ruff` from 0.14.14 to 0.15.2
Florian Imdahl [Thu, 26 Feb 2026 18:48:57 +0000 (19:48 +0100)]
docs: some nitpicks
- replaced double spaces with single space where applicable
- replaced "favourite" with "favorite"
- added language identifiers to code blocks in markdown files
- added extra line after code blocks and after headings in markdown
files
Viktor Szakats [Thu, 26 Feb 2026 23:38:07 +0000 (00:38 +0100)]
mprintf: use `_snprintf()` when compiled with VS2013 and older
To support floats and doubles when using these old compilers.
Before this patch, these tests most likely failed with them:
```
FAIL 557: 'curl_mprintf() testing' printf, unittest
FAIL 566: 'HTTP GET with CURLINFO_CONTENT_LENGTH_DOWNLOAD and 0 bytes transfer' HTTP, HTTP GET
FAIL 599: 'HTTP GET with progress callback and redirects changing content sizes' HTTP, HTTP POST, chunked Transfer-Encoding
FAIL 1148: 'progress-bar' HTTP, progressbar
```
Also:
- mention `_snprintf()` in the `_CRT_SECURE_NO_WARNINGS` comment.
Viktor Szakats [Fri, 27 Feb 2026 12:43:51 +0000 (13:43 +0100)]
cmake: convert `curl_add_clang_tidy_test_target()` macro to function
I thought a macro is necessary to have `get_directory_property()` and
`CMAKE_CURRENT_SOURCE_DIR` work on the correct directory, but it turns
out they do work the same when used in a function.
Viktor Szakats [Fri, 27 Feb 2026 00:09:14 +0000 (01:09 +0100)]
GHA/linux: replace scan-build with clang-tidy
`scan-build` is a (Perl) wrapper around clang's built-in `--analyze`
option. Which look similar or identical to clang-tidy checkers under
the `clang-analyzer-*` namespace:
https://clang.llvm.org/docs/ClangStaticAnalyzer.html
Unless somebody has other information, it appears redundant to run
scan-build in parallel with clang-tidy in CI, now that the latter is
working reliably and with good performance for all curl components.
Another scan-build issue is the lack of a markup to suppress false
positives. It ignores `NOLINT`, yet finds the same false positives as
clang-tidy. This happens with scan-build v20+. v18 is silent, but it's
a blocker to upgrade to a newer version.
scan-build may still be a useful when combined with autotools, where
clang-tidy support is incomplete, slow (no parallelism), and uses
a distinct make target, which does not build binaries in the same pass.
But, scan-build also lacks extra checkers that are now enabled for
clang-tidy.
The clang-tidy job is also 30-40s faster than the one it replaced.
Also:
- drop scan-build job configured the same way as a clang-tidy one.
CI time saved: 6m30s
- bump to clang-20 (from 18) in the replacement job.
- build tests in the replacement job.
To verify a cmake command-line reconstruction issue only hit in this
job in CI.
CI time cost: 1m40s
- replacement job caught a minor, new, issue.
Ref: b2076d3c2f5386068d9b0199f25a81147784d8ac #20752
- drop unused scan-build logic.
Viktor Szakats [Fri, 27 Feb 2026 03:08:06 +0000 (04:08 +0100)]
cmake: fix system include directory position for clang-tidy in tests
To avoid a system include masking a custom directory, and e.g. picking
up system OpenSSL headers from `/usr/include` on Linux, instead of the
correct ones from a custom header directory, move system include
directories to the back of the header path list. Also to match what
CMake seems to be doing for the C compiler command-lines it generates.
CMake seems to use `-I`, while for these invocations we stick with
`-isystem` just in case.
This area remains fragile and likely not the final issue.
Fixing (seen in GHA/linux H3 c-ares):
```
Error while processing bld/tests/libtest/lib1521.c.
/usr/include/openssl/macros.h:147:4: error: "OPENSSL_API_COMPAT expresses an impossible API compatibility level" [clang-diagnostic-error]
Found compiler error(s).
147 | # error "OPENSSL_API_COMPAT expresses an impossible API compatibility level"
| ^
FAILED: [code=1] tests/libtest/CMakeFiles/libtests-clang-tidy
```
Ref: https://github.com/curl/curl/actions/runs/22468472670/job/65079885471?pr=20751
Bug: https://github.com/curl/curl/pull/20751#issuecomment-3970180687
Cherry-picked from #20751
Viktor Szakats [Thu, 26 Feb 2026 11:35:51 +0000 (12:35 +0100)]
cmake: fix confusing error when a dependency is undetected in `curl-config.cmake`
Fixing:
```
CMake Error at /path/to/CURL/CURLConfig.cmake:190 (get_target_property):
get_target_property() called with non-existent target "CURL::libssh2".
```
and replacing it with the clearer message:
```
CMake Error at /path/to/CURL/CURLTargets.cmake:61 (set_target_properties):
The link interface of target "CURL::libcurl_static" contains:
CURL::libssh2
but the target was not found. Possible reasons include:
[...]
```
projects / thirdparty / curl.git / log
