Viktor Szakats [Thu, 16 Apr 2026 13:13:25 +0000 (15:13 +0200)]
GHA: drop 3rd-party apt source `docker.list`
Seen on `ubuntu-slim` runners.
Also:
- extend to two jobs to `ls -l` package sources on both ubuntu-latest,
ubuntu-24.04-arm, and ubuntu-slim.
- drop former stray apt source `ondrej-ubuntu-php-noble.sources`.
It's no longer present on the image.
Stefan Eissing [Wed, 15 Apr 2026 08:43:12 +0000 (10:43 +0200)]
urlapi: same origin tests
Add new internal `curl_url_same_origin()` to check if a href has the
same origin as a base URL. Add test cases in test1675 and use this in
http2 push handling.
Daniel Stenberg [Thu, 16 Apr 2026 08:09:59 +0000 (10:09 +0200)]
libssh2: allocate libssh2-friendly memory in kbd_callback
The function libssh2_userauth_keyboard_interactive_ex() calls the
callback and is documented to call free() on the memory returned to
libssh2 from the callback. libcurl can therefore not use the regular
curlx_strdup() for this, as that is not compatible in debug builds or
when curl_global_init_mem() is used.
Daniel Stenberg [Wed, 15 Apr 2026 10:11:54 +0000 (12:11 +0200)]
unittests: cleanups
- make sure all UNITTEST prototypes mark in which unit test they are used,
with "@unittest" markup
- make sure all UNITTEST functions do not use Curl_ prefix, as that is a
prefix we use for global private functions and these functions are static
and therefore not global and the prefix is wrong
- drop UNITTEST for functions not used in unit tests
- make the extract-unit-protos script highlight the above issues if found
- extract-unit-protos now also outputs the unit test number for all the
generated protos in lib/unitprotos.h to aid readers. It also adds the source
file and line number where the proto originates from.
- extract-unit-protos now exits with a non-zero value if any of the above
warnings are triggered
Viktor Szakats [Tue, 14 Apr 2026 15:48:18 +0000 (17:48 +0200)]
GHA/linux: rename mbedtls-prev env to align with Renovate
- rename version env to stay compatible with Renovate `matchStrings`.
- also switch to manual bumps.
Bump rule was wrong, and deemed not worth the complexity to fix.
Viktor Szakats [Tue, 3 Mar 2026 00:58:29 +0000 (01:58 +0100)]
clang-tidy: enable more checks, fix fallouts
- enable three checks:
  - bugprone-invalid-enum-default-initialization
  - bugprone-sizeof-expression
  - readability-inconsistent-declaration-parameter-name (strict)
- fix remaining discrepancies with arg names in prototypes
and implementation, in strict mode.
- document reason for some checks tested but not enabled.
Viktor Szakats [Mon, 9 Mar 2026 11:27:12 +0000 (12:27 +0100)]
tidy-up: miscellaneous
- examples: sync debug output printf masks.
- INSTALL-CMAKE.md: tidy up section for some options.
- curl_sha512_256: delete comment suggesting an optimization.
- vtls/keylog: scope a variable.
- vtls/openssl: make a source code URL a permalink.
- vtls/schannel: drop redundant parentheses.
- test1119.pl: robustify `$1` -> `$s`.
- sync arg names in comments to match the code.
- tidy up and minor fixes to comments.
- fix formatting/indenting/comment/newline/include nits.
- move `UNITTEST` protos next to definitions, sync their argument names.
- make variables static.
- add parentheses to Perl `open()` calls.
- drop unnecessary double quotes in Perl.
- clang-format.
Stefan Eissing [Mon, 13 Apr 2026 08:32:48 +0000 (10:32 +0200)]
hostip: resolve user supplied ip addresses
When a user supplied an ip address in a URL as hostname, use that even
when address family restrictions like -4 or -6 are set.
Add test_10_15/16 to verify with a local proxy server.
Fixes #21146
Reported-by: Terrance Wong
How:
- cf-dns: on seeing the hostname is an ip(v6) address, add the respective
A/AAAA to the dns query bits
- cf-dns/hostip: only hand out addrinfos for a family if that family
is part of the DNS queries. That prevents for example ipv6 addresses
to show up from dns cache entries
- change cf-ip-happy to no longer check for "ip_version" and instead
use all addresses that cf-dns hands out
Jay Satiro [Fri, 10 Apr 2026 18:02:55 +0000 (14:02 -0400)]
schannel: increase renegotiation timeout to 60 seconds
Prior to this change the timeout was 7 seconds but that is too short for
enhanced-security users that have to fill out an interactive prompt on
Schannel renegotiation (PIN, smart card, etc).
Reported-by: Tim Omta
Fixes https://github.com/curl/curl/issues/21270
Closes https://github.com/curl/curl/pull/21291
Viktor Szakats [Thu, 19 Mar 2026 20:10:39 +0000 (21:10 +0100)]
configure: tidy up comments
- convert `#` comments to `dnl`, except copyright headers, and inline
comments in `curl-compilers.m4`.
- drop empty comments.
- drop line-ending `dnl` markers. (except `zz40-xc-ovr.m4` where it's
used to produce a comment in `configure`.)
- replace `dnl` line with C comment in `AC_CHECK_HEADERS()`.
Verified to produce the same `configure` script except empty lines,
`#` comments, and C comments, with autoreconf 2.72.
Stefan Eissing [Fri, 10 Apr 2026 09:17:36 +0000 (11:17 +0200)]
pytest: switch off h3 for pytest_07_22
Run test_07_22 only on http/1.1 and h2. For h3, we get unreliable test
results in CI due to (probably) nghttpx not always reporting the RESET
from the backend and the test timing out.
Viktor Szakats [Wed, 8 Apr 2026 18:46:06 +0000 (20:46 +0200)]
build: skip detecting `pipe2()` for Apple targets
To avoid (mis-)detecting it via the internal Apple library
`/usr/lib/system/libsystem_sim_kernel.dylib` when targeting iPhone
Simulator (seen with iPhoneSimulator26.4.sdk).
Stefan Eissing [Wed, 8 Apr 2026 09:45:30 +0000 (11:45 +0200)]
dns: https-eyeballing async
Make cf-https-connect work async correctly:
- only start first baller when at least one A/AAAA address
is available
- select first connect attempt after that with HTTPS-RR info
there or not.
- select second connect attempt only when HTTPS-RR is resolved
(may have resolved to "not known") and select possible ALPN
from things known by then. May not select any second attempt
when first already covers everything.
This means when the HTTPS-RR is known at/before the first address
is resolved, everything behaves as before. When the HTTPS-RR is
late, a first connection attempt will have been started. Any
ALPN preference from the HTTPS-RR that is not already ongoing will
then start the second attempt.
For HTTPS-RRs that recommend 2 or more ALPNs, the first will always
be attempted: either it is already ongoing or it will be the ALPN
for the second attempt. The 2nd ALPN recommendation from HTTPS-RR
*may* be honored or not, depending on what is already selected.
The difference in behaviour between early/late HTTPS-RR resolve
cannot be helped - unless we do not perform any attempts before
it arrives. Trade offs.
Dan Fandrich [Sun, 5 Apr 2026 16:00:55 +0000 (09:00 -0700)]
tests: make whitespace between functions and classes consistent
Mostly, this means two blank lines between classes and functions and one
line between methods. Since these checks are currently in preview, they
are done in a separate ruff invocation to avoid turning ALL the preview
checks on at the same time.
Dan Fandrich [Fri, 3 Apr 2026 00:49:37 +0000 (17:49 -0700)]
tests: enable more ruff checks
- Checks for missing explicit `return` statements at the end of functions
that can return non-`None` values.
- Checks for classes that inherit from `object`.
- Checks for useless expressions.
- Within an `except*` clause, raise exceptions with `raise ... from err`
or `raise ... from None` to distinguish them from errors in exception
handling
- Checks for variable assignments that immediately precede a `return` of the
assigned variable.
- Checks for `else` statements with a `return` statement in the preceding
`if` block.
- Checks for unnecessary parentheses on raised exceptions.
docs: use the correct CURLOPT_WRITEFUNCTION signature
In order to not encourage users to use incompatible function pointers,
change the callback function definitions to use `char *` instead of
`void *` for the first argument.
Triggered by https://stackoverflow.com/questions/79921871/curl-c-c-library-based-application-produces-erronious-response-for-http-post-r#comment141032037_79921871 :
"The code was mostly modified from
[this example code](https://curl.se/libcurl/c/postinmemory.html),
honestly I never knew this is wrong. Thanks for pointing it out."
Viktor Szakats [Tue, 7 Apr 2026 23:35:37 +0000 (01:35 +0200)]
GHA/linux: bump mbedTLS 3 to 3.6.5 (from 3.6.4), also verify hash
Also:
- fix incorrect version in cache id.
Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- latest version 3.6.6 fails pytests. Seems similar to the v4.1.0
regression.
https://github.com/curl/curl/pull/21178
https://github.com/Mbed-TLS/mbedtls/issues/10668
Stefan Eissing [Tue, 7 Apr 2026 09:57:37 +0000 (11:57 +0200)]
cf-ip-happy: limit concurrent attempts
Introduce a limit on the concurrent connect attempts of 6:
- document this in CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- close the oldest attempt before opening a new one that would
exceed the limit
- closing failed attempts early to avoid sockets use beyond their
usefulness
- add tests for limits in unit2600
These changes are externally visible as file descriptors will be
reassigned where we previously kept the old one around and started a
new socket, allocating always a new descriptor.
Daniel Stenberg [Sun, 5 Apr 2026 16:23:35 +0000 (18:23 +0200)]
protocol: disable connection reuse for SMB(S)
Connections should only be reused when using the same "share" (and
perhaps some additional conditions), but instead of fixing this flaw,
this change completely disables connection reuse for SMB. This protocol
is about to get dropped soon anyway.
Viktor Szakats [Mon, 6 Apr 2026 15:09:10 +0000 (17:09 +0200)]
GHA/curl-for-win: drop certdata dependency and `GITHUB_TOKEN` with it
`certdata` dependency requires accessing api.github.com for
a reproducible timestamp, which in turn requires a GitHub token to avoid
errors due to rate limiting. Avoid all this by omitting this dependency,
which isn't necessary for these build tests anyway.
The `zero` job already did not use `certdata`, but disable explicitly
anyway just in case.