Daniel Stenberg [Tue, 24 Mar 2026 15:44:48 +0000 (16:44 +0100)]
tool: fix memory mixups
memory allocated by libcurl must be freed with curl_free() and vice versa,
memory allocated by the tool itself must be freed with curlx_free().
- dynbuf: free libcurl data with curl_free()
- tool_operate: make sure we get URL using the right memory
- tool_operhlp: free libcurl memory with curl_free()
- tool_operate: free curl_maprintf() pointer with curl_free
- var: data from curlx_base64_decode needs curlx_free
- tool_operate: fix memory juggling in etag handling
- tool_cb_hdr: fix memory area mixups
- tool_operate: another mixup in etag management
- tool_cb_hdr: more memory mixup fixes
- tool_cfgable.c: document some details
- tool_help: show global-mem-debug in -V output
Daniel Stenberg [Tue, 24 Mar 2026 15:25:03 +0000 (16:25 +0100)]
src: add curl_global_init_mem testing
Build with "configure --enable-init-mem-debug" to make the tool use
curl_global_init_mem() and a set of private memory funtion callbacks for
libcurl's memory management.
Using this setup, memory mixups in tool code is more likely to cause
crashes and thus get discovered while running tests.
This curl_global_init_mem debug mode can only be done when building
libcurl shared (not static) and without debugging enabled - since it
needs to use the custom memory funtion callbacks.
Daniel Stenberg [Thu, 26 Mar 2026 22:03:53 +0000 (23:03 +0100)]
src: use ftruncate() unconditionally
Systems without it need to provide a custom alternative just like we
have have for Windows. This adds an MSDOS version that fails if trying
to truncate a too large file.
Viktor Szakats [Thu, 26 Mar 2026 14:59:23 +0000 (15:59 +0100)]
GHA: try workaround for slow Azure Ubuntu distro server
It's been going on for almost a year, chances seem slim to have this
fixed upstream.
The observed issue is that on GitHub-supplied CI runner images,
sometimes, `apt-get install` using the stock distro server
`http://azure.archive.ubuntu.com/ubuntu` sees extreme slowness while
downloading data, then reaching the job timeout and aborting, making CI
red and necessitating a manual restart of the failed job(s).
In majority of cases the install step takes no longer than 8-40 seconds
(download + install), while in the failing case it takes 10-20+ minutes
just to download.
Earlier I slimmed down installs to avoid unnecessary packages, which
mitigated, but did not completely fix the issue.
Viktor Szakats [Thu, 26 Mar 2026 14:23:10 +0000 (15:23 +0100)]
GHA/curl-for-win: pass GH token to the containers
To avoid rate limits when accessing GH APIs during the build.
Aiming to avoid (while trying to retrieve a file timestamp):
```
++ [[ 2026-02-11-1a84aee6387d2f9c9531c655edeea4a80aa0fcfa =~ (.+)-([a-f0-9]{40,}) ]]
++ ver=2026-02-11
++ commit=1a84aee6387d2f9c9531c655edeea4a80aa0fcfa
++ set +x
curl: (22) The requested URL returned error: 403
curl: (22) The requested URL returned error: 403
curl: (22) The requested URL returned error: 403
curl: (22) The requested URL returned error: 403
[...]
```
Ref: https://github.com/curl/curl/actions/runs/23598912140/job/68723120977?pr=21104
Viktor Szakats [Wed, 25 Mar 2026 12:19:09 +0000 (13:19 +0100)]
spacecheck: verify filename lengths and characters
Maximum filename length 64, of which 48 maximum for the filename part.
Allowed characters: `A-Za-z0-9/._-`.
Also:
- rename a file to pass the check.
- init max constants outside the loop.
- minor fix to an error message.
Follow-up to 62d77b12fce55d3481bb0b2e70e0f921c8cbfe5e #21087
Stefan Eissing [Mon, 23 Mar 2026 10:05:07 +0000 (11:05 +0100)]
multi: multi_wait fixes after #20832
The refactoring in #20832 introduced some inconsistencies between
windows and posix handling, pointed out by reviews. Fix them:
- rename `wait_on_nop` back to `extrawait` as it was called before
- use multi_timeout() to shorten the user supplied timeout for
both windows/posix in the same way
- remove the extra multi_timeout() check in the posix function
- Add the multi's wakeup socket for monitoring only when there
are other sockets to poll on or when the caller wants the
extra waiting time.
Stefan Eissing [Tue, 24 Mar 2026 09:03:18 +0000 (10:03 +0100)]
proxy: chunked response, error code
Add test1715 to check proper handling of chunked transfer
encoding in CONNECT responses. Change proxy error code from
56 (RECV_ERROR) for everything to 7 (COULDNT_CONNECT) when
the server response could be read successfully, but establishing
the connection is not possible (http status code wrong).
Stefan Eissing [Tue, 24 Mar 2026 11:50:53 +0000 (12:50 +0100)]
async-thrdd: use thread queue for resolving
Use a thread queue and pool for asnyc threaded DNS resolves.
Add pytest test_21_* for verification.
Add `CURLMOPT_RESOLVE_THREADS_MAX` to allow applications to
resize the thread pool used.
Add `CURLMOPT_QUICK_EXIT` to allow applications to skip thread
joins when cleaning up a multi handle. Multi handles in
`curl_easy_perform()` inherit this from `CURLOPT_QUICK_EXIT`.
Add several debug environment variables for testing.
Viktor Szakats [Tue, 24 Mar 2026 13:42:39 +0000 (14:42 +0100)]
spacecheck: check long lines and repeat spaces, fix fallouts
Verify if lines are not longer than 192 characters. Also verify if lines
have less than 79 repeat spaces (and fix one fallout).
To improve readability by avoiding long lines and to prevent adding
overly long lines with text that may go unnoticed in an editor or diff
viewer.
In addition to pre-existing line length limits: 79 for C, 132 for CMake
sources.
Also:
- spacecheck: fix/harden allowlist regexes.
- spacecheck: tidy-up quotes and simplify escaping.
- spacecheck: allow folding strings with repeat spaces.
- GHA: fix a suppressed shellcheck warning.
- GHA/macos: simplify by dropping brew bundle.
- test1119.pl: precompile a regex.
- FAQ.md: delete very long link to a Windows 7/2008 support article
that's lost it relevance.
Stefan Eissing [Tue, 24 Mar 2026 12:41:51 +0000 (13:41 +0100)]
ratelimit: reset on start
On any `Curl_rlimit_start()` the rate limit needs to reset its
values before calculating the effective step duration and adjust
the tokens/burst per step.
Add two fields to the struct to remember the original values.
Viktor Szakats [Wed, 18 Mar 2026 00:39:18 +0000 (01:39 +0100)]
genserv.pl: make external calls safe
By passing command-line as separate arguments instead of using a single
string. This needs skipping the shell, so rework redirections to use
Perl `open3()`.
Also explored to use `-out` to avoid redirections, but it makes the
command-line incompatible with some OpenSSL implementations/versions
(e.g. on default macOS), and would still need a solution for
`2>/dev/null`.
Viktor Szakats [Sun, 22 Mar 2026 11:55:42 +0000 (12:55 +0100)]
asyn-thrdd: fix clang-tidy unused value warning
with `-DCURL_DISABLE_SOCKETPAIR=ON`.
```
lib/asyn-thrdd.c:227:5: error: Value stored to 'do_abort' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
227 | do_abort = addr_ctx->do_abort;
| ^ ~~~~~~~~~~~~~~~~~~
```
Viktor Szakats [Sun, 22 Mar 2026 11:40:23 +0000 (12:40 +0100)]
gnutls: fix clang-tidy warning with !verbose
with
`-DCURL_DISABLE_VERBOSE_STRINGS=ON -DCURL_USE_GNUTLS=ON -DCURL_CLANG_TIDY=ON`.
```
lib/vtls/gtls.c:268:7: error: Value stored to 'strerr' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
268 | strerr = gnutls_strerror(rc);
| ^ ~~~~~~~~~~~~~~~~~~~
```
Viktor Szakats [Fri, 20 Mar 2026 13:08:22 +0000 (14:08 +0100)]
GHA/curl-for-win: enable c-ares with HTTPS-RR in an existing job
c-ares builds have been sped up within curl-for-win using, pre-fills. It
allows building it with acceptable performance, making it practical to
use it, alongside HTTPS-RR, in curl CI and possibly in curl-for-win. It
has been enabled in its dev branch for a while.
Viktor Szakats [Fri, 20 Mar 2026 12:41:25 +0000 (13:41 +0100)]
cf-https-connect: silence `-Wimplicit-int-enum-cast` with HTTPS-RR + clang 21
Fixing (seen in curl-for-win dev branch):
```
In file included from _a64-linux-gnu-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:34:
lib/cf-https-connect.c:681:28: error: implicit conversion from 'unsigned char' to enumeration type 'enum alpnid' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
681 | enum alpnid alpn = rr->alpns[i];
| ~~~~ ^~~~~~~~~~~~e
```
Scott Boudreaux [Wed, 18 Mar 2026 15:56:09 +0000 (10:56 -0500)]
md5/md4: enable unaligned access fast path on powerpc64
PowerPC64 (both big-endian and little-endian) supports efficient
unaligned memory access, similar to x86. This extends the existing
fast path that avoids byte-by-byte loads in the MD5 and MD4 SET/GET
macros.
On POWER8 ppc64le, this eliminates 3 shifts + 3 ORs per 32-bit word
load, replacing them with a single lwz (or lwbrx on big-endian).
After limiting `find_package()`/`find_dependency()` calls to curl local
Find modules via the `MODULES` keyword, it became possible to detect
dependencies via CMake Configs from within those local Find modules, by
calling `find_package()` again with the `CONFIG` keyword. This patch
implements this. Then maps detection results to the result variables and
curl-specific imported targets the rest of the build expects.
Also honor recently introduced `*_USE_STATIC_LIBS` (experimental) flags
to map to the static target when requested.
This adds CMake Configs as an alternative to the existing `pkg-config`
and `find_path()`/`find_library()` auto-detection methods.
Enabled by default for MSVC, outside vcpkg and when not cross-building.
To enable for other cases, or override the default, you can use
`-DCURL_USE_CMAKECONFIG=ON` or `OFF`.
When enabled, Config detection happens after `pkg-config` and before
`find_path()`/`find_library()`. Using CMake's built-in options, you may
also manually point to the absolute directory holding Config files:
Stefan Eissing [Fri, 20 Mar 2026 13:55:53 +0000 (14:55 +0100)]
curlx_now(), prevent zero timestamp
As code checks `curltime` values for zero and interprets this
as not-initialized or "forever" in several places, make sure
`curlx_now()` never returns a zero timestamp.
Stefan Eissing [Mon, 9 Mar 2026 14:40:34 +0000 (15:40 +0100)]
share: concurrency handling, easy updates
Replace the `volatile int dirty` with a reference counter
protected by a mutex when available.
Solve the problem of when to call application's lock function
by adding a volatile flag that indicates a share has been added
to easy handles in its lifetime. That flag ever goes from
FALSE to TRUE, so volatile might work (in the absence of a mutex).
(The problem is that the lock/unlock functions need 2-3
`curl_share_setopt()` invocations to become usable and there
is no way of telling if the third will ever happen. Calling
the lock function before the 3rd setopt may crash the
application.)
When removing a share from an easy handle (or replacing it with
another share), detach the easy connection on a share with a
connection pool.
When cleaning up a share, allow this even if it is still used in
easy handles. It will be destroyed when the reference count
drops to 0.
Viktor Szakats [Fri, 27 Feb 2026 15:10:59 +0000 (16:10 +0100)]
build: assume `snprintf()` in `mprintf`, drop feature check
- it was already required for `curl_*printf()` float/double support.
- some curl tests always fail without it.
- it was already assumed to be present to build test servers.
Source code did not check for `HAVE_SNPRINTF` detection variable.
- it was already required to build examples.
Windows builds stopped using this detection and the function via earlier
commits.
Viktor Szakats [Wed, 26 Nov 2025 18:07:19 +0000 (19:07 +0100)]
cmake: drop support for CMake 3.17 and older
Require CMake 3.18 (2020-07-15) or newer, up from 3.7 (2016-11-11)
prior to this patch.
This requirement also applies to the distributed `curl-config.cmake`.
To allow dropping compatibility code maintained for old versions, and to
use features which were unpractical in separate code paths. Also to make
testing, documentation and development easier, CI builds faster due to
CMake performance improvements over time. (e.g. integration tests on
macOS run 8x faster (10 minutes is now under 1.5m) in CI, 2.5x faster on
Windows.)
CMake offers pre-built binaries for major platforms. They work without
an install step, just by unpacking and pointing the cmake command to
them. Making upgrades easy in many cases:
https://cmake.org/download/
https://cmake.org/files/
https://github.com/Kitware/CMake/releases
CMake 3.18 brings these feature as generally available when building or
consuming curl/libcurl:
LTO support, improved performance, `pkg-config` and interface target
support, `OBJECT` target (for faster libcurl builds), modern invocation
with `-S`/`-B` options, better support for custom linker options,
FetchContent, `GnuTLS::GnuTLS` target, `--verbose` and `--install`
options, `CMAKE_GENERATOR` env, last but not least unity mode and Ninja
generator.
For maximum build speed, use:
`-DCMAKE_UNITY_BUILD=ON -DCURL_DROP_UNUSED=ON`
As for deprecations, C++11 is required to build CMake itself, which may
be a limit on some platforms. autotools continues to cover them.
Viktor Szakats [Tue, 24 Feb 2026 11:45:59 +0000 (12:45 +0100)]
curl/curl.h: replace recursive macros with C++-friendly method to enforce 3 args
Certain uses may still trigger a C compiler warning
`-Wdisabled-macro-expansion` after this, e.g. when the call is wrapped
in the `CURL_IGNORE_DEPRECATION()` macro as seen in docs/examples.
Suggested-by: Kai Pastor
Ref: https://github.com/curl/curl/issues/20682#issuecomment-3949788664
Stefan Eissing [Fri, 6 Mar 2026 08:22:26 +0000 (09:22 +0100)]
dnscache: own source file, improvements
- Rename `Curl_resolv_unlink()` to `Curl_dns_entry_unlink()`.
- Change `Curl_dnscache_get()` to return CURLcode result. Returns
now `CURLE_COULDNT_RESOLVE_HOST` for "negative" cache entries.
- Add `Curl_dnscache_add_negative()` to put a "negative" entry
into the cache.
Stefan Eissing [Fri, 6 Mar 2026 09:10:55 +0000 (10:10 +0100)]
multi: improve wakeup and wait code
- Split WINSOCK and POSIX code in `multi_wait()` as the ifdef'ery
was becoming unreadable
- define `ENABLE_WAKEUP` to mean the wakeup socketpair is enabled,
no additional USE_WINSOCK check needed. Under WINSOCK
`ENABLE_WAKEUP` is not defined, so it's availability is as before
under the double defined() checks
- When the multi handle has "alive" transfers, the admin handle's
pollset include the wakeup receive socket. This results in the
admin handle running when someone uses `curl_multi_wakeup()`.
- Without any "alive" transfers, the wakeup socket is removed from
the pollset. Otherwise, event based processing would never finish,
eg. leave the event loop.
- The wakeup socket was never registered for event processing before,
e.g. `curl_multi_wakeup()` never worked in that mode.
- Adjust test exepectations on socket callback invocations and
number of sockets appearing in waitfds sets.
Stefan Eissing [Thu, 19 Mar 2026 09:33:08 +0000 (10:33 +0100)]
wolfssl: fix handling of abrupt connection close
A closed connection without TLS notify shutdowns, has been reported as a
correct EOF instead of an error. Fix the error handling in wolfSSL
backend receive handling.
Daniel Stenberg [Fri, 20 Mar 2026 16:28:03 +0000 (17:28 +0100)]
transfer: enable custom methods again on next transfer
`http_ignorecustom` is set on redirect handling but was not reset
between transfers, so once a redirect occurs in the new follow modes,
custom request methods were ignored for later transfers on the same
handle.
Daniel Stenberg [Thu, 19 Mar 2026 15:51:07 +0000 (16:51 +0100)]
x509asn1: fixed and adapted for ASN1tostr unit testing
- move defines to header file
- make bit2str require < 8 unused bits
- make bool strings stricter
- make UTime2str show + or - for custom time zones
- removed unused 'type' argument to ASN1tostr() function
- fix int2str for negative values. All values below 10000 are now shown
in decimal properly, also possibly negative values.
projects / thirdparty / curl.git / log
