Viktor Szakats [Sun, 5 Apr 2026 13:31:35 +0000 (15:31 +0200)]
libssh: fix 64-bit printf mask for mingw-w64 <=6.0.0
Fixing (dl-mingw, CM 6.4.0-i686 (mingw-w64 5.0.0) schannel !unity):
```
lib/vssh/libssh.c: In function 'myssh_in_SFTP_QUOTE_STATVFS':
lib/vssh/libssh.c:573:31: error: ISO C does not support the 'I' printf flag [-Werror=format=]
char *tmp = curl_maprintf("statvfs:\n"
^~~~~~~~~~~~
lib/vssh/libssh.c:573:31: error: format '%u' expects argument of type 'unsigned int', but argument 2 has type 'uint64_t {aka long long unsigned int}' [-Werror=format=]
lib/vssh/libssh.c:573:31: error: ISO C does not support the 'I' printf flag [-Werror=format=]
[...]
```
Ref: https://github.com/curl/curl/actions/runs/24002480364/job/70000685821
Daniel Stenberg [Sat, 4 Apr 2026 16:10:31 +0000 (18:10 +0200)]
sendf: fix CR detection if no LF is in the chunk
When doing line ending conversions, and a chunk contains no '\n', the
function returned early without updating prev_cr to reflect the last
byte. It could then lead to CRLFs sequences not get converted when
occuring right on the boundary border.
Viktor Szakats [Thu, 2 Apr 2026 15:03:16 +0000 (17:03 +0200)]
GHA/windows: restore libssh, fix to pass tests with 0.12.0
libssh 0.12.0 on Windows 64-bit Intel fails to connect to sshd (with SSH
state 30) when using the mlkem768x25519-sha256 KEX. (32-bit Intel, ARM64
and tested non-Windows platforms work fine.) Fix by disabling this KEX
for the libssh job.
I do not recommend libssh on Windows due to bugs an insecure behavior.
Also:
- fix libssh TFLAGS condition for mingw-w64.
Viktor Szakats [Sat, 4 Apr 2026 00:14:30 +0000 (02:14 +0200)]
libssh: fix `-Wsign-compare` in 32-bit builds
Seen with mingw-w64 i686 gcc 15.2.0 (mingw32):
```
D:/a/curl/curl/lib/vssh/libssh.c: In function 'myssh_in_SFTP_QUOTE_STAT':
D:/a/curl/curl/lib/vssh/libssh.c:1664:13: error: comparison of integer expressions
of different signedness: 'time_t' {aka 'long int'} and 'unsigned int' [-Werror=sign-compare]
1664 | if(date > UINT_MAX)
| ^
cc1.exe: all warnings being treated as errors
```
Ref: https://github.com/curl/curl/actions/runs/23966805891/job/69908216152
Samuel Henrique [Mon, 30 Mar 2026 05:18:52 +0000 (22:18 -0700)]
test 766: flag as timing-dependent
We have noticed this test as failing when run in parallel in Fedora and
Amazon Linux:
https://src.fedoraproject.org/rpms/curl/c/389f1409549178f639afa49f478c544fdaa87be2?branch=rawhide
Debian did not have issues but given there are other FTP tests flagged
as timing-dependent, it makes sense to flag this one too if we notice
failures in other OSes.
Daniel Stenberg [Thu, 2 Apr 2026 07:16:17 +0000 (09:16 +0200)]
hsts: make the HSTS read callback handle name dupes
Now the logic for handling name duplicates and picking the longest
expiry and strictest subdomain is the same for the callback as for when
reading from file.
Also strip trailing dots from the hostname added by the callback.
A minor side-effect is that the hostname provided by the callback can
now enable subdomains by starting the name with a dot, but we discourage
using such hostnames in documentation.
Viktor Szakats [Thu, 2 Apr 2026 09:46:22 +0000 (11:46 +0200)]
GHA/windows: drop building with libssh
Bumping `msys2/setup-msys2` from 2.30.0 to 2.31.0 also brought libssh
0.12.0 (after 0.11.3). libssh has been long known for loading OpenSSH
configuration from disk insecurely on Windows. 0.12.0 brings some fixes
to this (CVE-2025-14821), which in turn may be changing its behavior on
the default GH Windows runner to fail all curl SCP/SFTP tests.
Detecting what is the exact root cause, then defining exact runtime
conditions for it is difficult and fragile. Same for changing these
libssh defaults (if at all possible.)
But, since configuration loading remains insecure and broken on Windows
even after the mitigations made by 0.12.0 [0], this patch removes libssh
from the Windows CI job using it previously.
If someone figures out how to run in CI, it can be readded, though in
general, using libssh on Windows seems to be less than ideal.
Daniel Stenberg [Wed, 1 Apr 2026 13:44:02 +0000 (15:44 +0200)]
url: init req.no_body in DO so that it works for h2 push
req.no_body was only initialized in Curl_connect, while HTTP/2 server
push adds a duplicated handle via Curl_multi_add_perform and calls
Curl_init_do with conn==NULL, never invoking Curl_connect.
- update `actions/cache` from 5.0.3 to 5.0.4
- update `actions/download-artifact` from 7.0.0 to 8.0.1
- update `actions/upload-artifact` from 6.0.0 to 7.0.0
- update `msys2/setup-msys2` from 2.30.0 to 2.31.0
- update pip `ruff` from 0.15.7 to 0.15.8
Stefan Eissing [Tue, 31 Mar 2026 09:45:21 +0000 (11:45 +0200)]
lib: make resolving HTTPS DNS records reliable:
- allow to specify when they are wanted on starting a resolve
- match dns cache entries accordingly. An entry which never
tried to get HTTPS-RRs is no answer for a resolve that wants
it.
- fix late arrivals of resolve answers to match the "async"
records that started them - if it still exists.
- provide for multiple "async" resolves in a transfer at the
same time. We may need to resolve an IP interface while the
main connection resolve has not finished yet.
- allow lookup of HTTPS-RR information as soon as it is
available, even if A/AAAA queries are still ongoing.
For this, the "async" infrastructure is changed:
- Defined bits for DNS queries `CURL_DNSQ_A`, `CURL_DNSQ_AAAA`
and `CURL_DNSQ_HTTPS`. These replace `ip_version` which says
nothing about HTTPS.
Use them in dns cache entries for matching.
- enhance the `async->id` to be a unique `uint32_t` for
resolves inside one multi. This is weak, as the id may
wrap around. However it is combined with the `mid` of
the easy handle, making collisions highly unlikely.
`data->state.async` is only accessed in few places where
the mid/async-id match is performed.
- vtls: for ECH supporting TLS backends (openssl, rustls, wolfssl),
retrieve the HTTPS-RR information from the dns connection filter.
Delay the connect if the HTTPS-RR is needed, but has not
been resolved yet.
The implementation of all this is complete for the threaded
resolver. c-ares resolver and DoH do not take advantage of
all new async features yet. To be done in separate PRs.
Details:
c-ares: cleanup settings and initialisation. Any ares channel
is only being created on starting a resolve and propagating
operations in setopt.c to the channel are not helpful.
Changed threaded+ares pollset handling so that they do not
overwrite each others `ASYNC_NAME` timeouts.
Add trace name 'threads' for tracing thread queue and
pool used by threaded resolver.
Daniel Stenberg [Wed, 1 Apr 2026 08:24:06 +0000 (10:24 +0200)]
HSTS: cap the list at 1,000 entries
Avoid never-ending growth.
When adding more entries, it now deletes the first entry in the list,
which is the oldest added entry still held in memory. I decided to avoid
a Least Recently Used concept as I suspect with a list with this many
entries most entries have not been used, and we don't save the timestamp
of recent use anyway.
The net effect might (no matter what) be that the removed entry might
feel a bit "random" in the eyes of the user.
Daniel Stenberg [Wed, 1 Apr 2026 07:53:42 +0000 (09:53 +0200)]
altsvc: cap the list at 5,000 entries
Avoid never-ending growth.
When adding more entries, it now deletes the first entry in the list,
which is the oldest added entry still held in memory. I decided to avoid
a Least Recently Used concept as I suspect with a list with this many
entries most entries have not been used, and we don't save the timestamp
of recent use anyway.
The net effect might (no matter what) be that the removed entry might
feel a bit "random" in the eyes of the user.
Daniel Stenberg [Wed, 1 Apr 2026 06:09:47 +0000 (08:09 +0200)]
cookie: fix rejection when tabs in value
A previous refactor changed the TAB check so that the octet could be
accepted in the 'path', which would cause an invalid line in the saved
cookie file so not possible to read the cookie back. Not terrible
because the path cannot contain a raw tab anyway so it would never match
anyway.
Viktor Szakats [Tue, 31 Mar 2026 19:01:57 +0000 (21:01 +0200)]
GHA: try workaround for slow Azure Ubuntu distro server (cont.)
- fail if all retries failed.
- run `dpkg --configure -a` after an aborted slow attempt.
```
Selecting previously unselected package libsys-hostname-long-perl.
Error: slow server, retry
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a' to correct the problem.
[...]
```
Viktor Szakats [Tue, 31 Mar 2026 04:18:57 +0000 (06:18 +0200)]
cmake: improve passing build options to `try_compile()`
Pass build options directly via `COMPILE_DEFINTIONS` and
`LINK_LIBRARIES`, instead of "tunneling" them through `CMAKE_FLAGS`.
The latter method breaks when passing `Threads::Threads` as library via
`CMAKE_REQUIRED_LIBRARIES`, while also being complex and fragile.
Example:
```
-- Performing Test HAVE_FSETXATTR_5
CMake Error at bld/CMakeFiles/CMakeTmp/CMakeLists.txt:27 (target_link_libraries):
Target "cmTC_3386e" links to:
Threads::Threads
but the target was not found. Possible reasons include:
* There is a typo in the target name.
* A find_package call is missing for an IMPORTED target.
* An ALIAS target is missing.
CMake Error at CMake/Macros.cmake:51 (try_compile):
Failed to generate test project build system.
Call Stack (most recent call first):
CMakeLists.txt:1684 (curl_internal_test)
```
Ref: https://github.com/curl/curl/actions/runs/23792043930/job/69329796592?pr=21168#step:38:318
Note: a side-effect is no longer passing C compiler flags (e.g.
`CMAKE_REQUIRED_FLAGS`) to the _linker_. This should not be an issue,
though CMake is passing them during its built-in detections.
Daniel Stenberg [Mon, 30 Mar 2026 21:34:14 +0000 (23:34 +0200)]
tool_operhlp: iterate through all slashes to find name
If there is no trailing file name for -O or --remote-name-all, continue
searching until there is no more to search. A URL ending with multiple
slashes would previously make it do wrong.
Also:
- enable HTTPS-RR by default in curl-for-win to test it with clang 21.
Ref: https://github.com/curl/curl-for-win/commit/dc65c449f313a16279dde7eb243367b77986ddf1
Viktor Szakats [Sat, 28 Mar 2026 22:23:01 +0000 (23:23 +0100)]
cmake: use `Threads::Threads` imported target for POSIX Threads
- use `Threads::Threads` imported target, replacing
`CMAKE_THREAD_LIBS_INIT`. To use the modern form and to allow using
`THREADS_PREFER_PTHREAD_FLAG` option.
- only add Threads library/options if POSIX Threads was detected (not
any other threading backend FindThreads may detect, e.g. the HP one.)
- curl-config.in.cmake: detect and define `Threads::Threads`.
Viktor Szakats [Sat, 28 Mar 2026 22:39:41 +0000 (23:39 +0100)]
build: drop redundant `HAVE_PTHREAD_H` guard
Prior to this patch code used either `HAVE_PTHREAD_H`, or
`HAVE_THREADS_POSIX`, or both, to decide if POSIX Threads support is
present. In effect requiring both to be defined for a consistent build.
Drop detecting and guarding for `pthread.h`, and assume it present when
`HAVE_THREADS_POSIX` is set.
OS/400 had `HAVE_PTHREAD_H` set, but not `HAVE_THREADS_POSIX`, which
possibly left threading disabled in most sources.
Stefan Eissing [Wed, 25 Mar 2026 09:35:28 +0000 (10:35 +0100)]
fopen: for temp files, inherit permissions only for owner
When creating a temp file in order to later replace an original, copying
over the existing permissions can not be considered safe when the user
running libcurl is not the owner of the existing file.
MarkLee131 [Sun, 29 Mar 2026 16:59:24 +0000 (00:59 +0800)]
tool: fix two more allocator mismatches
memory allocated by libcurl (curl_maprintf) must be freed with
curl_free(), and memory allocated by the tool (curlx_strdup via
findfile) must be freed with curlx_free().
- tool_cfgable: ech_config is allocated with curl_maprintf, free it
with curl_free() instead of tool_safefree()
- config2setopts: known hosts from findfile() is allocated with
curlx_strdup, free it with curlx_free() instead of curl_free()
Kaixuan Li [Mon, 30 Mar 2026 11:12:55 +0000 (19:12 +0800)]
socks: add assertion for hostname length in SOCKS5 connect
socks5_req0_init() rejects hostnames longer than 255 bytes, but the
later cast to unsigned char in socks5_req1_init() has no local
indication that it is safe. Add a DEBUGASSERT and comment to document
the invariant and guard against future refactoring.
socks: reject zero-length GSSAPI/SSPI tokens from proxy
A "broken" SOCKS5 proxy can send an invalid length of the encryption
token, which could cause malloc(0) to be called, which is a "platform
can do what it wants" potential problem.
Resolve this by explicitly checking the length and rejecting the invalid
token before ever attempting to allocate any memory.
Stefan Eissing [Wed, 25 Mar 2026 14:07:10 +0000 (15:07 +0100)]
cf-dns: connection filter for DNS queries
New connection filter `cf-dns` that manages DNS queries. If hands
out addresses and HTTPS-RR records to anyone interested. Used by
HTTPS and IP happy eyeballing.
Information may become available *before* the libcurl "dns entry"
is complete, e.g. all queries have been answered. The cf-ip-happy
filter uses this information to start connection attempts as soon
as the first address is available.
The multi MSTATE_RESOLVING was removed. A new connection always
goes to MSTATE_CONNECTING. The connectdata bit `dns_resolved`
indicates when DNS information is complete. This is used for
error reporting and starting the progress meter.
Removed dns entries `data->state.dns[i]`, as the `cf-dns` filter
now keeps the reference now.
Many minor tweaks for making this work and pass address information
around safely.
Dexter Gerig [Sat, 28 Mar 2026 04:29:23 +0000 (23:29 -0500)]
configure: remove superfluous experimental warning for HTTP/3
This warning was created at a time when all backends for HTTP/3 were
experimental. Since there are now non-experimental backends this warning
is incorrect in some cases and was already handled by backends that were
added to the experimental list.
Viktor Szakats [Sat, 28 Mar 2026 01:29:32 +0000 (02:29 +0100)]
boringssl: fix more coexist cases with Schannel/WinCrypt
By moving the coexist workaround from vtls/openssl.c to vtls/openssl.h.
This way it also applies to vtls.c (and possibly other sources including
`vtls/openssl.h`), which may need it in unity builds before BoringSSL
header `openssl/ssl.h` pulling in the conflicting symbols and causing
conflicts otherwise.
Seen with build config:
```
-DCURL_USE_SCHANNEL=ON -DCURL_USE_OPENSSL=ON
-DCMAKE_UNITY_BUILD=ON -DCMAKE_UNITY_BUILD_BATCH_SIZE=30
```
Fixing:
```
In file included from _cm-win-boringssl/lib/CMakeFiles/libcurl_object.dir/Unity/unity_5_c.c:7:
In file included from lib/vtls/vtls.c:54:
In file included from lib/vtls/openssl.h:33:
In file included from /path/to/boringssl/_x64-win-ucrt/usr/include/openssl/opensslv.h:18:
In file included from /path/to/boringssl/_x64-win-ucrt/usr/include/openssl/crypto.h:18:
/path/to/boringssl/_x64-win-ucrt/usr/include/openssl/base.h:293:29: error: expected ')'
293 | typedef struct X509_name_st X509_NAME;
| ^
/path/to/llvm-mingw/x86_64-w64-mingw32/include/wincrypt.h:1515:29: note: expanded from macro 'X509_NAME'
1515 | #define X509_NAME ((LPCSTR) 7)
| ^
[...]
```
Daniel Stenberg [Fri, 27 Mar 2026 13:42:25 +0000 (14:42 +0100)]
libssh: propagate error back in SFTP function
The myssh_in_SFTP_READDIR_BOTTOM() function would not store the error
code correctly thus it could be ignored and missed when an error was
returned at that particular moment.
Daniel Stenberg [Fri, 27 Mar 2026 13:33:33 +0000 (14:33 +0100)]
multi: fix connection retry for non-http
non-HTTP protocols no longer retry after connection reuse failures
because multi_follow() now requires a handler->follow callback that is
NULL for those protocols. Provide a fallback for plain retries.
Viktor Szakats [Fri, 27 Mar 2026 08:26:15 +0000 (09:26 +0100)]
mk-ca-bundle.pl: drop reproducible timestamp feature
Mozilla may push to its repo much later than the commit date, which can
be a source of confusion when using the reproducible timestamp (which is
determined by the commit date) by default. Example:
https://curl.se/ca/cacert-2026-03-19.pem vs.
https://github.com/mozilla-firefox/firefox/commits/1a84aee6387d2f9c9531c655edeea4a80aa0fcfa/security/nss/lib/ckfw/builtins/certdata.txt
This feature had no actual user (or a planned one) from within curl at
the moment, and not requested by curl users. curl-for-win does this on
its own, which is the more practical way there since everything (not
just the CA bundle) needs to be reproducible anyway. I surmise this may
be true for most if not all reproducible use-cases.
Another limitation was that it could bump into GitHub's rate limiting,
needing further updates.
Viktor Szakats [Fri, 27 Mar 2026 10:29:30 +0000 (11:29 +0100)]
openssl: fix build with 4.0.0-beta1 no-deprecated
```
lib/vtls/openssl.c:4238:22: error: ‘SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED’ undeclared (first use in this function); did you mean ‘SSL_R_TLS_ALERT_CERTIFICATE_EXPIRED’?
4238 | (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| SSL_R_TLS_ALERT_CERTIFICATE_EXPIRED
lib/vtls/openssl.c:4238:22: note: each undeclared identifier is reported only once for each function it appears in
```
Ref: https://github.com/curl/curl/actions/runs/23641366299/job/68863072427#step:24:189
projects / thirdparty / curl.git / log
