Viktor Szakats [Mon, 19 Jan 2026 15:00:56 +0000 (16:00 +0100)]
GHA: strip Windows/MS-DOS/Android binaries to see their real size
Unstripped size hides effective binary sizes due to the added debug
information. E.g. `--gc-sections` may inflate unstripped binaries, while
their unstripped size decreases. To see if binary size optimization
options work, it's more useful to observe unstripped size.
Viktor Szakats [Wed, 21 Jan 2026 12:55:32 +0000 (13:55 +0100)]
windows: test non-verbose builds, fix fallouts
- schannel: fix mixed-up declaration. (originally fenced infof for
verbose, then changed to failf with the fence kept, then fence
removed and variable marked as verbose, when in fact it's not, but
not tested and caught in CI.
- fix two other fallouts.
- GHA/windows: disable verbose strings in a mingw job.
- appveyor: disable verbose strings in an MSVC job.
- appveyor: add way to pass any CMake option per-job.
Viktor Szakats [Mon, 19 Jan 2026 06:29:43 +0000 (07:29 +0100)]
build: fully omit verbose strings and code when disabled
When the compiler supports C99.
- map logging functions to macro stubs when verbose logging is disabled
and the compiler is C99. Make sure these stubs silence unused variable
warnings for non-variadic arguments.
Before this patch they mapped to function stubs, the same codepath
used for C89 compiler in this configuration.
- introduce new macros to tell the compiler which code to include
when verbose code is active, or inactive:
- `CURLVERBOSE`: defined when verbose code is active.
To enclose blocks of code only used for verbose logging.
- `VERBOSE(statement);`:
compile statement when verbose code is active.
To mark code lines only used for verbose logging.
- `NOVERBOSE(statement);`:
compile statement when verbose code is inactive.
To suppress warnings for arguments passed to logging functions via
printf masks, e.g. `NOVERBOSE((void)ipaddress);`, yet keeping
the warning in verbose builds.
Note these macros are not the same as `CURL_DISABLE_VERBOSE_STRINGS`.
Verbose code is always active in C89 mode (without variadic macro
support).
- drop existing uses of `CURL_DISABLE_VERBOSE_STRINGS` where redundant,
or replace with the above macros. Ending up reducing the number of
`#ifdef`s, and also the number of lines.
Assisted-by: Daniel Stenberg Assisted-by: Jay Satiro Reported-by: Dan Fandrich
Fixes #20341
Refs: #12105 #12167
Daniel Stenberg [Wed, 21 Jan 2026 08:14:40 +0000 (09:14 +0100)]
multi: probe for IPv6 functionality in multi_init()
In some legacy systems IPv6 might dynamically work/not work and thus
curl needs to check/probe to see if it should indeed be used.
This change moves the probe that checks for working IPv6 to the multi
handle setup function instead of delaying it to when the first name
resolve is performed. This avoids a later tricky error path if the
socket cannot be created due to OOM.
dEajL3kA [Fri, 16 Jan 2026 10:20:48 +0000 (11:20 +0100)]
winapi: use FormatMessageA instead of FormatMessageW
Use FormatMessageA() to get the error message as multibyte-character
string (local codepage) directly, instead of using FormatMessageW()
and then convert the string from Unicode (UTF-16) to multi-byte (local
codepage) manually.
Prior to this change we used FormatMessageW + conversion because some
Windows CE did not have FormatMessageA. Since curl no longer supports
Windows CE, FormatMessageA can be used.
Viktor Szakats [Wed, 7 Jan 2026 18:37:02 +0000 (19:37 +0100)]
build: update to not need `_CRT_NONSTDC_NO_DEPRECATE` with MSVC
Use non-deprecated CRT function variants on Windows.
- introduce `curlx_fdopen()`, `curlx_close()` and use them. Map them to
non-deprecated, underscored, CRT functions on Windows.
- replace `close()` uses with either `sclose()` (for sockets) or
`curlx_close()` (for files).
- map `fileno`, `unlink`, `isatty` to their non-deprecated, underscored,
versions on Windows.
- tool_dirhie: map `mkdir` to `_mkdir` on Windows.
- easy: use `_strdup()` on Windows, regardless of how `HAVE_STRDUP` is
set.
- cmake: assume `HAVE_STRDUP` on Windows. To allow dropping a detection
hack using `_CRT_NONSTDC_NO_DEPRECATE` with MSVC. Windows always has
`_strdup()` which the code uses, but also needs `HAVE_STRDUP` defined
to disable curl's own `strdup()` implementation.
- curl_setup.h: drop `_CRT_NONSTDC_NO_DEPRECATE` as no longer necessary.
Stefan Eissing [Mon, 19 Jan 2026 10:38:35 +0000 (11:38 +0100)]
timeout handling: auto-detect effective timeout
When checking a transfer for being expired via `Curl_timeleft_ms()`,
eleminate the `bool connecting` parameter and have the function check
the `mstate` of the transfer instead.
Advantages:
* eleminate the caller needing awareness if the transfer is
connecting or in a later state
* fix pingpong timeout handling to check the correct timeout
during "proto_connect" phases
* avoid using "connecting" timeouts during establishing a secondary
connection (e.g. FTP) since this would use the timestamp from
the original, primary connect and thus be wrong
Reported-by: Wyuer on github
Fixes #20347
Closes #20354
Stefan Eissing [Tue, 20 Jan 2026 10:09:58 +0000 (11:09 +0100)]
socket: check result of SO_NOSIGPIPE
New define USE_SO_NOSIGPIPE in curl_setup.h, for now set whenever
SO_NOSIGPIPE is defined. Maybe overridden in the future on systems where
this does not work.
With USE_SO_NOSIGPIPE defined, set SO_NOSIGPIPE on all sockets created
by libcurl and fail the creation when setsockopt() fails.
Viktor Szakats [Mon, 19 Jan 2026 22:24:47 +0000 (23:24 +0100)]
cmake: silence silly Apple clang warnings in C89 mode, test in CI
- `stdbool.h` is also included via system headers. Disabling it from curl
does not fix it. Silencing lots of these:
```
curl/lib/curlx/warnless.h:64:1: warning: '_Bool' is a C99 extension [-Wc99-extensions]
64 | bool curlx_sztouz(ssize_t sznum, size_t *puznum);
| ^
/Library/Developer/CommandLineTools/usr/lib/clang/17/include/stdbool.h:24:14: note: expanded from macro 'bool'
24 | #define bool _Bool
| ^
```
- silence `-Wcomma` warnings.
in favor of the global silencing approach, since a couple of more of
these were hit (in vquic, tool1622, unit1309, unit1636), and it seems
silly to update them all.
Revert e8189c44201db6bff987a8771df90f853d93dec5 #20362
Also:
- cmake: include C standard in 'platform flags' log line.
- GHA/macos: switch a job to C89 to verify.
- GHA/linux: show 'C89' in job names.
Viktor Szakats [Tue, 20 Jan 2026 01:52:53 +0000 (02:52 +0100)]
build: drop global suppression of `-Wformat-nonliteral`, fix fallouts
Extend two existing local suppressions to GCC, and add another
GCC-specific one as a replacement.
Before this patch suppressing this warning was odd with clang, because
after this option, `-Wformat=2` is used, which re-enables it.
Also:
- mprintf: minimize scope of a warning suppression.
- tests/server: suppress this warning for a system `vsnprintf()` call
where it could trigger in C89 builds or with
`CFLAGS=-DCURL_NO_FMT_CHECKS` set. Seen with Apple clang 17:
```
curl/tests/server/util.c:114:37: warning: format string is not a string literal [-Wformat-nonliteral]
114 | vsnprintf(buffer, sizeof(buffer), msg, ap);
| ^~~
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/secure/_stdio.h:124:69: note: expanded from macro 'vsnprintf'
124 | #define vsnprintf(str, len, ...) __vsnprintf_chk_func (str, len, 0, __VA_ARGS__)
| ^~~~~~~~~~~
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/secure/_stdio.h:81:65: note: expanded from macro '__vsnprintf_chk_func'
81 | __builtin___vsnprintf_chk (str, len, flag, __darwin_obsz(str), format, ap)
| ^~~~~~
```
Viktor Szakats [Tue, 20 Jan 2026 02:30:24 +0000 (03:30 +0100)]
rtsp: fix missing variable declaration
```
lib/rtsp.c:1073:26: error: no previous extern declaration for non-static variable 'Curl_scheme_rtsp' [-Werror,-Wmissing-variable-declarations]
1073 | const struct Curl_scheme Curl_scheme_rtsp = {
| ^
lib/rtsp.c:1073:7: note: declare 'static' if the variable is not intended to be used outside of this translation unit
1073 | const struct Curl_scheme Curl_scheme_rtsp = {
| ^
```
Ref: https://github.com/curl/trurl/actions/runs/21157411659/job/60844860592?pr=425#step:3:3036
Daniel Stenberg [Tue, 20 Jan 2026 10:01:31 +0000 (11:01 +0100)]
libcurl docs: reduce 'since ...' in descriptions
Reduce mentions of libcurl versions like "since 7.xx ..." in option
descriptions to reduce clutter and make the texts easier to read. Keep
them in, or move them to, the HISTORY or DEPRECATED sections
The last version 7 release (7.88.1) shipped on Februrary 20, 2023.
Daniel Stenberg [Sun, 18 Jan 2026 23:15:41 +0000 (00:15 +0100)]
lib: separate scheme info from protocol implementation
This allows builds know about all schemes - but only have the protocol
implementations for those actually built-in.
It further allows multiple protocols to reuse the same protocol setup
and functions for both TLS and non-TLS implementations instead of
needing two (or more) structs.
The scheme information is now in 'struct Curl_scheme' and all the
function pointers for each scheme/protocol implementation are in struct
Curl_protocol.
The URL API now always work with all known protocols.
Viktor Szakats [Thu, 15 Jan 2026 13:04:05 +0000 (14:04 +0100)]
build: merge TrackMemory (`CURLDEBUG`) into debug-enabled option
Drop separate `TrackMemory` (aka `CURLDEBUG`) debug feature.
After recent changes (thread-safety, 193cb00ce9b47e75d42157c650cc3de3fd96d35d, and updates leading up to
it), `TrackMemory` is unlikely to cause build or runtime issues.
To simplify builds and debug options, enable `TrackMemory`
unconditionally for debug-enabled (aka `DEBUGBUILD`) builds. Before
this patch, this was already the default, with an option to disable
it, or enable it in non-debug-enabled builds.
Note, in practice these two debug options already went hand in hand. It
was not possible to toggle them separately for a long time due to bugs,
before 59dc9f7e69c399102e9ebe3670360ef52706ff23 (2024-05-28) fixed it.
This patch also removes/deprecates separate knobs and feature flags for
`TrackMemory`:
- autotools: `--enable-curldebug`/`--disable-curldebug`
- cmake: `-DENABLE_CURLDEBUG=ON`/`OFF`
- C macro: `CURLDEBUG`
- libcurl: `CURL_VERSION_CURLDEBUG` symbol deprecated in favor
of `CURL_VERSION_DEBUG`. They always return the same value after this
patch.
Also:
- drop `TrackMemory` from `curl -V` output.
- rename internal `CURLDEBUG` macro to `CURL_MEMDEBUG` internally.
To avoid confusion with `DEBUGBUILD`, but to keep guarding
`TrackMemory`-related internals for readability.
- runtests: bind `TrackMemory` to debug feature. Keep it a separate
test feature requirement, for clarity.
- CI: drop test builds for combinations of the two options.
- GHA/linux: no longer disable TrackMemory in the TSAN job.
Stefan Eissing [Thu, 15 Jan 2026 12:24:05 +0000 (13:24 +0100)]
lib: make sigpipe handling more lazy
Define `struct Curl_sigpipe_ctx` that can be passed as argunent
to "lower" functions so that applying a transfers 'no_signal'
setting can be delayed as much as possible and sometimes avoided
alltogether.
Fixes #20326
Closes #20329 Reported-by: Dag Haavi Finstad
Viktor Szakats [Sun, 18 Jan 2026 17:06:33 +0000 (18:06 +0100)]
INSTALL.md: suggest `-Wl,-dead_strip` for Apple targets
For reducing binary size. Also to remove (or greatly mitigate)
the side-effect of using "unity" builds. Similar to `-Wl,--gc-sections`
on non-Apple platforms.
For example with curl-for-win builds, macOS arm+intel:
Viktor Szakats [Sun, 18 Jan 2026 06:19:47 +0000 (07:19 +0100)]
hostip: fix unreachable code in rare build configuration
with cmake options:
```
-DCMAKE_UNITY_BUILD=OFF -DCURL_DISABLE_HTTP=ON -DENABLE_THREADED_RESOLVER=OFF
```
Fixing (seen with Apple clang 17):
```
lib/hostip.c:939:16: error: code will never be executed [-Werror,-Wunreachable-code]
940 | *entry = dns;
| ^~~
```
Daniel Stenberg [Sat, 17 Jan 2026 21:49:28 +0000 (22:49 +0100)]
vquic: drop support for OpenSSL-QUIC
- It is slower and uses more memory than the alternatives and is only
experimental in curl.
- We disable a few tests for OpenSSL-QUIC because of flakiness
- It gets little attention from OpenSSL and we have no expectation of the
major flaws getting corrected anytime soon.
- No one has spoken up for keeping it
- curl users building with vanilla OpenSSL can still use QUIC through the
means of ngtcp2
Viktor Szakats [Wed, 13 Aug 2025 22:48:00 +0000 (00:48 +0200)]
windows: add build option to use the native CA store
With the same semantics as Apple SecTrust, in both libcurl and the curl
tool, when using non-Schannel TLS backends. In practice it means that
it makes TLS work without manually or implicitly configuring a CA bundle
`.crt` file, such as `curl-ca-bundle.crt`.
When enabled:
- enables `CURLSSLOPT_NATIVE_CA` (libcurl) / `--ca-native`
and `--proxy-ca-native` (curl tool) options by default.
- unsafe search for an on-disk CA bundle gets disabled by default.
Equivalent to `--disable-ca-search` with autotools,
`-DCURL_DISABLE_CA_SEARCH=ON` with CMake.
- build-time detection of CA bundle and CA path gets disabled. As with
Apple SecTrust. This was already the default for Windows.
- native CA can be disabled at run-time with the `--no-ca-native`
and/or `--no-proxy-ca-native` command-line options.
Rationale: This build option:
- has a repeat and active interest from packagers and users.
- helps integrating curl with Windows for those who need this.
- it also applies to macOS: #17525
Shipped in curl 8.17.0.
- makes it trivial to use custom certs configured on the OS.
- frees applications/packagers/users from the task of securely
distributing, and keeping up-to-date, a CA bundle.
- frees potentially many curl tool from configuring a CA bundle manually
to access HTTPS (and other TLS) URLs. This is traditionally difficult
on Windows because there is no concept of a universal, protected,
non-world-writable, location on the file system to securely store
a CA bundle.
- allows using modern features regardless of Windows version. Some of
these features are not supported with Schannel (e.g. HTTP/3, ECH) on
any Windows version.
- is necessary for HTTP/3 builds, where bootstrapping a CA bundle is not
possible with Schannel, because MultiSSL is not an option, and HTTP/3
is not supported with Schannel.
Viktor Szakats [Thu, 1 Jan 2026 15:38:56 +0000 (16:38 +0100)]
msvc: drop exception, make `BIT()` a bitfield with Visual Studio
Add casts to `bool`, or use `bit` type in local variables, where
neccessary to avoid MSVC compiler warnings C4242.
Note: There may remain places needing the above updates, where not
tested in CI, and missed in manual review.
Also:
- urldata: convert struct field `connect_only` to bitfield to match its
counterpart in another struct.
- rename curl-specific `bit` type to `curl_bit`.
Viktor Szakats [Thu, 24 Jul 2025 01:06:39 +0000 (03:06 +0200)]
windows: bump minimum to Vista (from XP)
After this patch curl requires targeting Vista or newer, and a toolchain
with Vista support.
Supported MSVC compilers (VS2010+) all support Vista:
- VS2012+ target Win8 (or later) by default.
- VS2010 targets Win7 by default.
Supported mingw-w64 versions (v3+) all support Vista:
- mingw-w64 v9+ target Win10 by default.
- mingw-w64 v8 and older target Server 2003 (~XP) by default.
After this patch it may be necessary to override the default Windows
target version to Vista (or newer) via:
autotools: `CPPFLAGS=-D_WIN32_WINNT=0x0600`
cmake: `-DCURL_TARGET_WINDOWS_VERSION=0x0600`
- mingw-w64 v6+ allow changing the default at toolchain build-time.
Notes:
- For non-MSVC, non-mingw-w64 toolchains, `if_nametoindex` needs to be
allowlisted in `curl_setup.h`, if they do support it.
Stefan Eissing [Thu, 15 Jan 2026 10:58:56 +0000 (11:58 +0100)]
ratelimit: download finetune
When a download size is known and rate limiting is in effect, adjust the
duration of each measurement step and its rate for maximum precision.
Since it is unpredictable how long the last bytes of a download will
take, download speed can be thrown off if the "last bytes" are a
significant amount of the total download. Make the "last bytes" small in
comparision to the rest and "stretch" the rate limit intervals to
accommodate the difference.
Fix ngtcp2 receive data acknowldgements to be based on a local window
size tracking. This allows window updates controlled by rate limits.
Fix ratelimit wait time calculation to accomodate negative tokens.
h3 rate limit, update timeers
Make download rate limits work correctly in ngtcp2. Fix multi handling
of rate limits to set a timer for when limits will update again.
Without running the transfer on limit updates, protocols like h2/h3 may
stall if the server does not send due to stream windows being too small.
scorecard: measure download speedlimits
When running scorecard with --limit-rate=n, show the reported download
speed averages plus percentage deviation from the limit.
Viktor Szakats [Fri, 16 Jan 2026 12:13:27 +0000 (13:13 +0100)]
GHA: silence fresh zizmor 1.21.0 warnings
- MSYS2/Cygwin bash shells are now tagged "misfeature".
It is not something we can fix. We need these shells, and using
documented/necessary settings to use these environments should be
allowed without workarounds.
- untagged actions within curl's own organization are now also flagged
as "action is not pinned to a hash (required by blanket policy)". This
seems overkill. Making internal releases would not be helpful or
practical. Also considering that the referred internal action uses an
unpinned external action anyway (google/oss-fuzz/infra/cifuzz), with
near-zero chance to fix.
Viktor Szakats [Wed, 14 Jan 2026 22:50:42 +0000 (23:50 +0100)]
checksrc: do not apply `BANNEDFUNC` to struct member functions
Omit this warning, when `close()` is banned:
```
./lib/vtls/vtls.c:947:13: warning: use of close is banned (BANNEDFUNC)
Curl_ssl->close(cf, data);
^
```
Ref: https://github.com/curl/curl/actions/runs/21012427938/job/60410334312?pr=20212#step:3:6
Viktor Szakats [Wed, 14 Jan 2026 16:11:55 +0000 (17:11 +0100)]
build: drop more forward function declarations
Most by moving functions around. Also delete unused ones.
Reducing their number from 83 to 33.
Remaining ones due to:
- circular dependencies.
- H3 code, that I did not attempt to update and likely the above applies.
- static declarations with attributes (`CURL_PRINTF`, `WARN_UNUSED_RESULT`).
- OS400 code.
Viktor Szakats [Wed, 14 Jan 2026 12:04:18 +0000 (13:04 +0100)]
cmake: avoid setting custom property on built-in interface targets
In some cases `ZLIB::ZLIB` and/or `OpenSSL::SSL` may be aliases, which
prevents setting a curl-specific property (.pc module name) in them:
```
CMake Error at [...]/curl/CMakeLists.txt:910 (set_target_properties):
set_target_properties can not be used on an ALIAS target.
```
Fix by special-casing these built-in targets and manually converting
them to .pc module names, without using the targets themselves
to carry this information throughout curl's internal build logic.
Daniel Stenberg [Tue, 13 Jan 2026 14:31:06 +0000 (15:31 +0100)]
digest: handle quotes in the path
- The 'uri' component needs to be escaped as well
- Rewrote the quote function to use dynbuf
- Build the digest at least partly with dynbuf
- Use goto as a general error mechanism
- Make test 64 use a double quote in the URL
dependabot[bot] [Tue, 13 Jan 2026 22:04:33 +0000 (22:04 +0000)]
GHA: bump pip-dependencies
- update `ruff` from 0.14.10 to 0.14.11
- update `filelock` from 3.20.1 to 3.20.3 (CVE-2026-22701) (used in pytests)
- update `psutil` from 7.2.0 to 7.2.1
- reorder functions to not need forward declarations.
- sync `ephiperfifo.c` and `evhiperfifo.c`.
- drop redundant casts for `calloc()` return value.
- ephiperfifo: silence unused variable warning.
- fix indent and apply clang-format more.
Viktor Szakats [Tue, 13 Jan 2026 16:56:02 +0000 (17:56 +0100)]
url.h: fix `-Wdocumentation`
Seen when testing `-Weverything`:
```
lib/url.h:84:11: warning: parameter 'nowp' not found in the function declaration [-Wdocumentation]
84 | * @param nowp NULL or pointer to time being checked against.
| ^~~~
```
Daniel Stenberg [Mon, 12 Jan 2026 23:13:59 +0000 (00:13 +0100)]
top-complexity: always show the top-25
Accept argument as a custom amount. Previously it showed all functions
with a complexity score above 57. This way it adapts better as we
gradually decrease complexity in functions.
projects / thirdparty / curl.git / log
