Viktor Szakats [Fri, 27 Feb 2026 15:10:59 +0000 (16:10 +0100)]
build: assume `snprintf()` in `mprintf`, drop feature check
- it was already required for `curl_*printf()` float/double support.
- some curl tests always fail without it.
- it was already assumed to be present to build test servers.
Source code did not check for `HAVE_SNPRINTF` detection variable.
- it was already required to build examples.
Windows builds stopped using this detection and the function via earlier
commits.
Viktor Szakats [Wed, 26 Nov 2025 18:07:19 +0000 (19:07 +0100)]
cmake: drop support for CMake 3.17 and older
Require CMake 3.18 (2020-07-15) or newer, up from 3.7 (2016-11-11)
prior to this patch.
This requirement also applies to the distributed `curl-config.cmake`.
To allow dropping compatibility code maintained for old versions, and to
use features which were unpractical in separate code paths. Also to make
testing, documentation and development easier, CI builds faster due to
CMake performance improvements over time. (e.g. integration tests on
macOS run 8x faster (10 minutes is now under 1.5m) in CI, 2.5x faster on
Windows.)
CMake offers pre-built binaries for major platforms. They work without
an install step, just by unpacking and pointing the cmake command to
them. Making upgrades easy in many cases:
https://cmake.org/download/
https://cmake.org/files/
https://github.com/Kitware/CMake/releases
CMake 3.18 brings these feature as generally available when building or
consuming curl/libcurl:
LTO support, improved performance, `pkg-config` and interface target
support, `OBJECT` target (for faster libcurl builds), modern invocation
with `-S`/`-B` options, better support for custom linker options,
FetchContent, `GnuTLS::GnuTLS` target, `--verbose` and `--install`
options, `CMAKE_GENERATOR` env, last but not least unity mode and Ninja
generator.
For maximum build speed, use:
`-DCMAKE_UNITY_BUILD=ON -DCURL_DROP_UNUSED=ON`
As for deprecations, C++11 is required to build CMake itself, which may
be a limit on some platforms. autotools continues to cover them.
Viktor Szakats [Tue, 24 Feb 2026 11:45:59 +0000 (12:45 +0100)]
curl/curl.h: replace recursive macros with C++-friendly method to enforce 3 args
Certain uses may still trigger a C compiler warning
`-Wdisabled-macro-expansion` after this, e.g. when the call is wrapped
in the `CURL_IGNORE_DEPRECATION()` macro as seen in docs/examples.
Suggested-by: Kai Pastor
Ref: https://github.com/curl/curl/issues/20682#issuecomment-3949788664
Stefan Eissing [Fri, 6 Mar 2026 08:22:26 +0000 (09:22 +0100)]
dnscache: own source file, improvements
- Rename `Curl_resolv_unlink()` to `Curl_dns_entry_unlink()`.
- Change `Curl_dnscache_get()` to return CURLcode result. Returns
now `CURLE_COULDNT_RESOLVE_HOST` for "negative" cache entries.
- Add `Curl_dnscache_add_negative()` to put a "negative" entry
into the cache.
Stefan Eissing [Fri, 6 Mar 2026 09:10:55 +0000 (10:10 +0100)]
multi: improve wakeup and wait code
- Split WINSOCK and POSIX code in `multi_wait()` as the ifdef'ery
was becoming unreadable
- define `ENABLE_WAKEUP` to mean the wakeup socketpair is enabled,
no additional USE_WINSOCK check needed. Under WINSOCK
`ENABLE_WAKEUP` is not defined, so it's availability is as before
under the double defined() checks
- When the multi handle has "alive" transfers, the admin handle's
pollset include the wakeup receive socket. This results in the
admin handle running when someone uses `curl_multi_wakeup()`.
- Without any "alive" transfers, the wakeup socket is removed from
the pollset. Otherwise, event based processing would never finish,
eg. leave the event loop.
- The wakeup socket was never registered for event processing before,
e.g. `curl_multi_wakeup()` never worked in that mode.
- Adjust test exepectations on socket callback invocations and
number of sockets appearing in waitfds sets.
Stefan Eissing [Thu, 19 Mar 2026 09:33:08 +0000 (10:33 +0100)]
wolfssl: fix handling of abrupt connection close
A closed connection without TLS notify shutdowns, has been reported as a
correct EOF instead of an error. Fix the error handling in wolfSSL
backend receive handling.
Daniel Stenberg [Fri, 20 Mar 2026 16:28:03 +0000 (17:28 +0100)]
transfer: enable custom methods again on next transfer
`http_ignorecustom` is set on redirect handling but was not reset
between transfers, so once a redirect occurs in the new follow modes,
custom request methods were ignored for later transfers on the same
handle.
Daniel Stenberg [Thu, 19 Mar 2026 15:51:07 +0000 (16:51 +0100)]
x509asn1: fixed and adapted for ASN1tostr unit testing
- move defines to header file
- make bit2str require < 8 unused bits
- make bool strings stricter
- make UTime2str show + or - for custom time zones
- removed unused 'type' argument to ASN1tostr() function
- fix int2str for negative values. All values below 10000 are now shown
in decimal properly, also possibly negative values.
Viktor Szakats [Thu, 19 Mar 2026 13:47:12 +0000 (14:47 +0100)]
x509asn1: move declaration to header
Fixing clang-tidy warning:
```
tests/unit/unit1666.c:50:12: error: call to undeclared function 'encodeOID'; ISO C99 and later do not support implicit function declarations [clang-diagnostic-implicit-function-declaration]
50 | result = encodeOID(dbuf, oid, oid + spec->size);
| ^
```
Ref: https://github.com/curl/curl/actions/runs/23297585235/job/67749144361?pr=21008#step:46:736
Daniel Stenberg [Thu, 19 Mar 2026 08:55:46 +0000 (09:55 +0100)]
x509asn1: improve encodeOID
- return error on zero length input
- return error on OOM or doing too large output
- fix full 32-bit number support
- fix the broken handling of the first and second numbers
- support up to 32-bit minus 80 for the second number
- a field with a leading 0x80 is now considered an error, since it only
works as padding and is then no longer the shortest possible version
Add unit tests in 1666
Bonus: removed the last argument to OID2str() as it was always set TRUE.
Viktor Szakats [Wed, 18 Mar 2026 13:13:07 +0000 (14:13 +0100)]
rand: use `BCryptGenRandom()` in UWP builds
Also:
- fix build configuration to correctly set Win10 target in the mingw-w64
CI build, to enable the `BCryptGenRandom()` prototype in v6+ SDK
headers.
Stefan Eissing [Wed, 18 Mar 2026 10:37:18 +0000 (11:37 +0100)]
lib: always use Curl_1st_fatal instead of Curl_1st_err
Curl_1st_err() does not return the second error if the first result is
CURLE_AGAIN. This may cause errors to not become noticeable when they
should be.
Replace all use of Curl_1st_err() with Curl_1st_fatal(), which handles
CURLE_AGAIN as a not-a-real-error case.
Viktor Szakats [Thu, 12 Mar 2026 09:58:35 +0000 (10:58 +0100)]
gcc: guard `#pragma diagnostic` in core code for <4.6, disable picky warnings
Extend `#pragma diagnostic push`/`pop` guards to the whole codebase
(from tests and examples only) to disable it for GCC <4.6. Rename guard
to `CURL_HAVE_DIAG` and make it include llvm/clang to be interchangeable
with `__GNUC__ || __clang__` in this context.
The above means no longer disabling certain warnings locally, so pair
this with disabling all picky warnings for GCC <4.6.
Also:
- drop global workarounds for misbehaving GCC <4.6 compiler warnings.
Not needed with picky warnings disabled.
Ercan Ermis [Tue, 17 Mar 2026 08:47:24 +0000 (09:47 +0100)]
ftp: reject PWD responses containing control characters
A malicious or compromised FTP server could include control characters
(e.g. bare \r, or bytes 0x01-0x1f/0x7f) inside the quoted directory path
of its 257 PWD response. That string is stored verbatim as
ftpc->entrypath and later sent unescaped in a CWD command on connection
reuse via Curl_pp_sendf(), which performs no sanitization before
appending \r\n.
Reject the entire path if any control character is encountered during
extraction so that tainted data never reaches a subsequent FTP command.
Add test case 3217 and 3218 to verify. Adjusted test 1152 accordingly.
Daniel Stenberg [Tue, 17 Mar 2026 15:22:54 +0000 (16:22 +0100)]
tool_formparse: propagate my_get_line errors when reading headers
The read_field_headers() function would return "ok" even if the
underlying file read returned error, thus would the parent not become
aware of the problem.
Daniel Stenberg [Tue, 17 Mar 2026 12:23:30 +0000 (13:23 +0100)]
strerr: correct the strerror_s() return code condition
In curlx_strerror on Windows, the condition checks `!strerror_s(...)`
(true on success) and therefore always evaluates the fallback block.
Even when strerror_s successfully produced a valid errno message.
Viktor Szakats [Fri, 13 Mar 2026 15:34:57 +0000 (16:34 +0100)]
configure: fix `--with-ngtcp2=<path>` option for crypto libs
ngtcp2 1.14.0 added module dependencies to `ngtcp2_crypto_*.pc` files.
This broke certain build cases in curl, because configure was is
querying pkg-config modules by setting `PKG_CONFIG_LIBDIR` to the
directory specified via `--with-*=` options, including `--with-ngtcp2=`.
Setting `PKG_CONFIG_LIBDIR` tells pkg-config (and pkgconf) to ignore
system locations. This caused that `ngtcp2_crypto_gnutls.pc` could no
longer find its indirect dependencies, if those were present at system
locations (where they typically are). Another fallout was BoringSSL,
because it does not provide `openssl.pc` on its own, and successful
detection relied on finding a non-BoringSSL copy, typically at a system
location (also fixed in ngtcp2 main branch).
Fix `ngtcp2_crypto_*` detections to not touch `PKG_CONFIG_LIBDIR` and
instead prepend `<path>` set via `--with-ngtcp2=` to `PKG_CONFIG_PATH`.
This ensures to pick up any dependent modules from system locations.
Note the side-effect is that potentially undesired modules may be
detected this way from system locations, i.e. it makes this particular
detection less "hermetic" than the rest used in curl configure.
(Configurations using a bare `--with-ngtcp2` with no path were not
affected, and served as a workaround before this patch. It remains a
valid way of configuration after.)
Both `pkgconf` and `pkg-config` use this logic to calculate their search
directory list:
```pseudo
search = {}
if PKG_CONFIG_PATH is set
search += PKG_CONFIG_PATH
endif
if PKG_CONFIG_LIBDIR is set (even if empty)
search += PKG_CONFIG_LIBDIR
else
search += built-in-pkg-config-dirs
endif
```
Refs:
https://github.com/curl/curl/pull/18028/commits (earlier attempt. Failed due to using `PKG_CONFIG_DIR` instead of the correct `PKG_CONFIG_PATH`)
https://github.com/curl/curl/pull/18028/commits/c0874ce8242d42a1ae1d570d6b70b8360da56482
https://man.archlinux.org/man/pkgconf.1.en
https://manpages.debian.org/unstable/pkgconf/pkgconf.1.en.html
https://manpages.debian.org/unstable/pkg-config/pkg-config.1.en.html
https://github.com/ngtcp2/ngtcp2/commit/10e27fd63cc7dd87236ab15de4a02eca6801e234
Flavio Amieiro [Wed, 4 Mar 2026 02:37:49 +0000 (23:37 -0300)]
curl_ctype.h: fix spelling in a couple of locally used macros
The `ISLOWHEXALHA` and `ISUPHEXALHA` macros were introduced in commit f65f750 and seem to be only referenced locally by the `ISXDIGIT` macro.
Judging by the `ISALPHA` macro defined in the same file, it seems like
the intention was to spell them as `IS.*HEXALPHA`.
I noticed this while reading through the code and decided to open a PR,
even if it is only a tiny change, just because I was already looking at
it and it might be useful. If there is any reason not to merge this,
please do close the PR.
Viktor Szakats [Mon, 16 Mar 2026 19:00:44 +0000 (20:00 +0100)]
HTTP3.md: minor improvements
- document building curl with CMake.
- mention all supported forks in the OpenSSL section. Delete dedicated
quictls section.
- add TLS-backend pkgconfig dir to `PKG_CONFIG_PATH` for correctness.
OpenSSL-based ones often work without this, by finding system
`openssl.pc`. For GnuTLS and wolfSSL this has a lesser chance. Best to
point to them explicitly. (configure may technically be able to do
this automatically, but it isn't implemented.)
- use `--with-ngtcp2=<path>` again, where possible.
GnuTLS is the exception, pending fix in #20910.
Same for BoringSSL, but not documented in `HTTP3.md`.
- replace `<somewhereN>` with `/path/to/depname` for clarity.
- move `LDFLAGS` after `./configure` for curl, to match dep builds.
- move `--with-ngtcp2` next to the TLS-backend option.
Viktor Szakats [Sun, 15 Mar 2026 14:07:35 +0000 (15:07 +0100)]
GHA/http3-linux: add CI reproducer for `--with-ngtcp2=<path>` regression
Configure LibreSSL autotools job with `--with-ngtcp=<path>` instead of
adding ngtcp2 to `PKG_CONFIG_PATH`. To test this way of configuration in
CI and test for the regression reported in #20889.
Turns out this way of configuration isn't affected by the detection
issue in this particular case.
It also works for other backends except for these two, subject to
separate fixes:
- BoringSSL fix: https://github.com/ngtcp2/ngtcp2/pull/2070
- GnuTLS fix and BoringSSL workaround: #20920
Viktor Szakats [Mon, 16 Mar 2026 12:36:17 +0000 (13:36 +0100)]
build: drop `openssl` module dependency for BoringSSL from `libcurl.pc`
BoringSSL does not provide pc files, as of v0.20260211.0 (and its latest
main branch.) It also did not provide them in the past.
Its sibling fork, AWS-LC does provide them since v1.18.0 (2023-12-04):
https://github.com/aws/aws-lc/commit/7e6aef83ecf7bec3a0c6d38e38c64ac079647c78
https://github.com/aws/aws-lc/pull/1310
Introduce internal variable `OPENSSL_IS_AWSLC` to make this possible.
Viktor Szakats [Mon, 16 Mar 2026 17:39:53 +0000 (18:39 +0100)]
curl-wolfssl.m4: fix to use the correct value for pkg-config directory
Before this patch the `$withval` variable may have contained `yes` or
other unrelated values, instead of the wolfSSL directory configured via
`--with-wolfssl=`.
Fixing:
```
checking for wolfssl options with pkg-config... found
configure: pkg-config --exists wolfssl trace:
---- begin
PKG_CONFIG_PATH: |/home/runner/wolfssl/build/lib/pkgconfig:/home/runner/nghttp3/build/lib/pkgconfig:/home/runner/ngtcp2/build/lib/pkgconfig:/home/runner/nghttp2/build/lib/pkgconfig|
PKG_CONFIG_LIBDIR: |yes/lib/pkgconfig| <=============== 'yes' used as base directory
trying path: /home/runner/wolfssl/build/lib/pkgconfig for wolfssl
---- end
```
Ref: https://github.com/curl/curl/actions/runs/23146424326/job/67235762794?pr=20920#step:18:245
Daniel Stenberg [Mon, 16 Mar 2026 13:51:52 +0000 (14:51 +0100)]
tool_cb_wrt: fix no-clobber error handling
When saving a file with --no-clobber, make sure the existing file name
remains set when creating the name fails. In a retry scenario, it comes
back and uses that variable again.
Viktor Szakats [Fri, 6 Mar 2026 14:43:59 +0000 (15:43 +0100)]
cmake: rework binutils ld hack to not read `LOCATION` property
Instead hook up the upstream target name as-is to the local wrapper
target.
To:
- make the hack work regardless of how the upstream target was created.
- make it work the same way in `curl-config.cmake`.
Before this patch it had no guard for `IMPORTED` targets even though
`find_dependencies()` is not guaranteed to create the target expected
if it already existed and was potentially created differently.
projects / thirdparty / curl.git / log
