Closed
- make sure memory allocated by libcurl is freed with curl_free()
- drop the ensure_trailing_slash complexity
Closes curl#19097
Follow-up to eefd03c Pointed out by ZeroPath https://zeropath.com/ Closes curl#19099
Follow-up to 9d7b532 Pointed out by ZeroPath Closes curl#19098
Avoid the possible 64-bit offset truncation when used on systems with small 'long', like Windows. bonus: make mime_open_file() return bool Pointed out by ZeroPath Closes curl#19100
Found via: curl#17961 Closes curl#19102
When freeing buffers allocated by SSPI, use its own function, not free(). Reported-by: Joshua Rogers Closes curl#19046
A bit more minimal build than the one used for trurl. To stress test a build with most features disabled. Costs 40 seconds, of which 6 is the build, rest is installing tools. Ref: curl/curl-for-win@5b38500 Ref: curl/curl-for-win@3ee1069 Follow-up to 5af2457 curl#17818 Closes curl#17961
For files with sizes using an exact multiple of 256 bytes, the final successful read(s) filled the buffer(s) and the subsequent fread returned 0 for EOF, which caused read_file_into to fail. Now, it needs to return 0 and not be EOF to be an error. Follow-up to dd95a49 Pointed out by ZeroPath Closes curl#19104
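The failure mode this commit message describes, as an added example (not curl's code; `read_chunks` and `read_sample` are hypothetical names, and the `strict` flag stands in for the old check that treated any zero-length `fread()` as an error):

```c
#include <stdio.h>

#define CHUNK 256 /* buffer size named in the commit message */

/* Hypothetical chunked reader, not curl's read_file_into().
   Returns the byte count, or -1 on error. With strict set it treats
   every zero-length fread() as a failure, the behaviour being fixed. */
static long read_chunks(FILE *fp, int strict)
{
  char buf[CHUNK];
  long total = 0;
  for(;;) {
    size_t n = fread(buf, 1, sizeof(buf), fp);
    if(n == 0) {
      /* zero bytes is an error only when the stream is not at EOF */
      if(strict || !feof(fp))
        return -1;
      return total;
    }
    total += (long)n;
    if(feof(fp))
      return total; /* short final read: EOF already seen */
  }
}

/* Build a constructed sample file of `size` bytes and read it back. */
static long read_sample(size_t size, int strict)
{
  FILE *fp = tmpfile();
  long got;
  size_t i;
  if(!fp)
    return -2;
  for(i = 0; i < size; i++)
    fputc('A', fp);
  rewind(fp);
  got = read_chunks(fp, strict);
  fclose(fp);
  return got;
}

int main(void)
{
  printf("300 bytes, old check: %ld\n", read_sample(300, 1));
  printf("512 bytes, old check: %ld\n", read_sample(512, 1));
  printf("512 bytes, new check: %ld\n", read_sample(512, 0));
  return 0;
}
```

Only sizes that are an exact multiple of the chunk size reach the zero-length read, which is why the old check passed for most files.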
Also make the verbose log say it Pointed out by ZeroPath Closes curl#19103
Before this patch system `malloc()`/`free()` were used to allocate the buffer returned in the `output_token` object from the debug stub of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in debug-enabled libcurl builds. This object is later released via stock `gss_release_buffer()`, which, in the Windows builds of MIT Kerberos, doesn't use the system `free()`, but the Win32 `HeapFree()`.
Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and `gssalloc_free()` from `gssapi_alloc.h`.
To make this work without MIT Kerberos feature detection, use a canary macro to detect a version which installs `gssapi_alloc.h` for Windows. For <1.15 (2016-11-30) releases, that do not install it, disable the GSS debug stub in libcurl.
Strictly speaking, non-Windows builds would also need to use GSS allocators, but, detecting support for `gssapi_alloc.h` is impossible without build-level logic. Build-level logic is complex and overkill, and MIT Kerberos, as of 1.22.1, uses standard malloc/free on non-Windows platforms anyway. (except in GSS debug builds.)
Follow-up to 7384083 curl#17752
Closes curl#19064
curl has run on Closes curl#19106
Bug: https://curl.se/mail/lib-2025-10/0018.html Reported-by: curl.stunt430 Closes curl#19105
Follow-up to 3a30583 Closes curl#19108
Pointed out by ZeroPath Closes curl#19110
Pointed out by ZeroPath Closes curl#19111
- tool_formparse: replace truncated `fseek` with `curlx_fseek`.
- tool_operate: replace truncated `fseek` with `curlx_fseek`.
- tool_paramhlp: replace local duplicate `myfseek`, with `curlx_fseek`.
Follow-up to 4fb12f2 curl#19100
Closes curl#19107
The -F option allows users to provide a file with a set of headers for a specific formpost section. This code used old handcrafted parsing logic that potentially could do wrong. Rewrite to use my_get_line() and dynbuf. Supports longer lines and should be more solid parsing code. Gets somewhat complicated by the (unwise) feature that allows "folding" of header lines in the file: if a line starts with a space it should be appended to the previous. The previous code trimmed spurious CR characters wherever they would occur in a line but this version does not. It does not seem like something we want or that users would expect. Test 646 uses this feature. Closes curl#19113
In providercheck(), when failing to open the "store", the exit path would not previously free the created UI_METHOD and instead leak this resource. Pointed out by ZeroPath Closes curl#19114
- do not pre-fill `HAVE_LINUX_TCP_H` on Linux. `linux/tcp.h` is a Linux kernel userspace header. It's likely installed when using glibc and likely missing by default when using something else, e.g. MUSL (e.g. on Alpine). Therefore always detect it for Linux targets, and only pre-fill it for non-Linux ones.
- do not pre-fill `HAVE_GLIBC_STRERROR_R` on Linux. To fix it for non-glibc envs, e.g. MUSL (e.g. on Alpine).
Note, the pre-fill option is a disabled by default, internal option and strongly not recommended outside of curl development.
Closes curl#19116
…L=ON`) It depends on C library. Follow-up to f30f130 curl#19116
Discovered by ZeroPath Closes curl#19123
Discovered by ZeroPath Closes curl#19122
Discovered by ZeroPath Closes curl#19119
Discovered by ZeroPath Closes curl#19120
The function does not take positive number as input. It takes TLS version strings. Pointed out by ZeroPath Closes curl#19115
'=' is the operator defined by POSIX, only bash supports '==' Closes curl#19371
This commit does the following things:
1. Update the description of gtls_init()
2. In gtls_client_init(), check the invalid SSLVERSION at first. Note that this part refactors the duplicate/incompatible checks and removes the useless local variable `sni`.
3. Check the return value of gnutls_ocsp_resp_init(). Although the original code is safe because gnutls_ocsp_resp_import() will check the validity of `ocsp_resp`, it is better to catch the error in time and record the proper message to output log.
Closes curl#19366
bumped to 8.17.1 for now fixed typo in THANKS-filter
Since it is no longer actually kept as default internally, that's just dead code. Follow-up to 9d8998c Closes curl#19354
Allows us to drop lots of %spc% from test cases making them easier on the eye. Closes curl#19374
And fix some code previously doing this. Closes curl#19375
Easier to write and read. Follow-up to d29f14b curl#19300 Closes curl#19349
It also does shellcheck on `run:` elements, overlapping with the homegrown `shellcheck-ci.sh` with the same purpose. But it also does more and perhaps could replace the script too, especially in curl sub-repos.
Also:
- GHA/macos: delete potentially useful, but commented, and ultimately unused, non-default Xcode-testing logic. It's causing unused matrix exceptions, upsetting actionlint.
Ref: https://github.com/rhysd/actionlint
Closes curl#19373
curl is correctly dropping the Content-Disposition: filename path, but there was no test ensuring that. Ref: https://hackerone.com/reports/3408126
Skip the http and client subdirs as they contain no code to check. The http clients are in libtests/ now. Closes curl#19376
```
docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.md:86:16
docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.md:139:16
```
Also sync `CURL *` and result variable names with rest of docs.
Follow-up to 6d7e924 curl#19375
Closes curl#19379
And avoid an early return. Pointed out by CodeSonar Closes curl#19381
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds. It's also disabled by default in these GnuTLS versions. When using TLS-SRP without it being available in GnuTLS, report the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory error reported before this patch.
Also add comments to autotools and cmake scripts about this feature detection property. Detecting it at build-time would need to run code which doesn't work in cross-builds. Once curl requires 3.8.0 as minimum, the build-time checks can be deleted.
```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```
Ref: gnutls/gnutls@dab063f
Ref: gnutls/gnutls@a21e89e
Closes curl#19365
A false positive that appeared after a recent patch for no reason.
Seen in curl-for-win unity native Linux builds on debian:testing and
debian:trixie with gcc 14.3.0 and 14.2.0 respectively:
```
-- curl version=[8.17.1-DEV]
-- The C compiler identification is GNU 14.2.0
-- Cross-compiling: Linux/x86_64 -> Linux/riscv64
[...]
lib/conncache.c: In function 'Curl_cpool_conn_now_idle':
lib/conncache.c:539:11: error: null pointer dereference [-Werror=null-dereference]
539 | if(!data->multi->maxconnects) {
| ~~~~^~~~~~~
```
Ref: https://github.com/curl/curl-for-win/actions/runs/19111497271/job/54609512969#step:3:5788
```
-- The C compiler identification is GNU 14.3.0
```
Ref: https://github.com/curl/curl-for-win/actions/runs/19111497271/job/54609512899#step:3:5801
Patch confirmed silencing:
https://github.com/curl/curl-for-win/actions/runs/19112580362/job/54613288202
Follow-up to fbc4d59 curl#19271
Closes curl#19378
Syncing behavior with `CURL_CA_BUNDLE` and autotools. `/etc/ssl/certs` is empty by default on macOS systems, thus no likely auto-detection finds something there. Follow-up to eefd03c curl#18703 Closes curl#19380
With `check_finished()` triggered by notifications now, the `progress_meter()` was no longer called at regular intervals. Move `progress_meter()` out of `check_finished()` into the perform loop and event callbacks. Closes curl#19383
Fix implemented in wolfSSL/wolfssl#9380 Closes curl#19364
There is no more mixed-newline file in the repository after this patch. Except for `.bat` and `.sln` files (4 in total), all files use LF newlines.
Also:
- `spacecheck.pl`: drop mixed-EOL exception for test data.
- runtests: add option `-w` to check if test data has stray CR bytes in them.
- build: enable the option above in test targets, except the CI-specific one where `spacecheck.pl` does this job already.
- tested OK (with expected failures) in CI with stray CRs added.
- cmake: enable option `-a` for the `tests` target. To continue testing after a failed test.
Follow-up to 63e9721 curl#19313
Follow-up to 6cf3d7b curl#19318
Follow-up to 4d2a05d curl#19284
Closes curl#19347
GitHub dropped gcc-12 for the remaining two macos runner images. Replace it with gcc-13 in normal jobs, and gcc-14 in combination jobs. Ref: actions/runner-images@f7e2c3f Ref: actions/runner-images#13249 Ref: actions/runner-images@1c1351b Ref: actions/runner-images#13253 Closes curl#19387
curl is for transfers so disabling all protocols has to be a mistake. Previously it would allow this to get set (even if curl_easy_setopt() returns an error for it) and then let libcurl return error instead. Updated 1474 accordingly. Closes curl#19388
No description provided.