Closed
Turns out the cause of CodeQL hangs (or probably just extremely long compile) is the header `curl/typecheck-gcc.h`. By accident I noticed that the preprocessed output of libtests.c is 75 MB (megabytes). This is much higher than the amount of source code hinted, also compared to e.g. units.c or other build targets. The reason for the extreme size is each easy option call pulling in the large checker logic defined in this header. By compiling with `-DCURL_DISABLE_TYPECHECK`, preprocessed output drops to 2.2 MB (34x), and the libtests target builds without issues.
Also build all tests and examples with the Linux HTTP/3 config, covering 3 more files. With these, CodeQL C coverage is 893 out of 930 (96%) (was: 645 69%)
Follow-up to 71fc11e curl#18695
Follow-up to a333fd4 curl#18557
Follow-up to b4922b1 curl#18564
Closes vszakats#11
Closes curl#19632
macOS was chosen because xmllint comes preinstalled, saving the prereq install step. But, macOS's xmllint jobs sometimes don't finish in 1m (instead of under 1 second) and get cancelled, causing flaky failures. Go with Linux and an install phase (of 15s) instead. Examples: https://github.com/curl/curl/actions/runs/19558021722/job/56004334495 Closes curl#19634
`memdebug.h` must be included last within each source. This breaks when including it in a header, which ends up being included in the middle of other headers, and `memdebug.h` also ending up in the middle of includes. Follow-up to c255d2f curl#19602 Closes curl#19629
This adds support for in-memory CA certs using CURLOPT_CAINFO_BLOB to the GnuTLS backend. Closes curl#19612
Release date 2018-12-01. Has TLS 1.3 support. Closes curl#19609
There are no supported TLS libraries left in "stretch".
If verifypeer and verifyhost are disabled, to not generate a failf() message for failed verifications. Fixes curl#19615 Reported-by: ncaklovic on github Closes curl#19625
…ndows)

Replace:
- curl_sspi: macro `_tcsncpy()` with `_tcsncpy_s()`.
- curlx/fopen: `wcsncpy()` with `wcsncpy_s()`.
- curlx/fopen: `wcscpy()` with `wcscpy_s()`.

Use of the pre-existing functions was safe. This patch aims to use the recommended Windows CRT functions. Handle errors returned by them. Also to avoid the compiler warnings silenced via `_CRT_SECURE_NO_WARNINGS`:
```
lib/curl_sspi.c(152): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(161): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(162): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(174): warning C4996: 'wcsncpy': This function or variable may be unsafe. Consider using wcsncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
lib/curlx/fopen.c(175): warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
```
Refs:
https://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-strncpy-l-wcsncpy-wcsncpy-l-mbsncpy-mbsncpy-l
https://learn.microsoft.com/cpp/c-runtime-library/reference/strncpy-s-strncpy-s-l-wcsncpy-s-wcsncpy-s-l-mbsncpy-s-mbsncpy-s-l
https://learn.microsoft.com/cpp/c-runtime-library/security-features-in-the-crt
Cherry-picked from curl#19581 (in part)
Closes curl#19589
Usage:
- autotools: `--disable-typecheck` (or `--enable-typecheck` (default))
- cmake: `-DCURL_DISABLE_TYPECHECK=ON`.

To disable `curl_easy_setopt()`/`curl_easy_getinfo()` type checking with supported (new) gcc and clang compilers. It is useful to improve build performance for the `tests/libtest` target. In particular the CodeQL analyzer may take above an hour to compile with type checking enabled, and disabling it brings it down to seconds. On local machines it may also cut build times in half when building testdeps, depending on platform and compiler. Other than these cases, we recommend leaving type checking enabled.
Ref: fdacf34 curl#19632
Also:
- GHA/codeql: use it.
- test1165: check in `include/curl`.
- lib1912: delete stray todo comment.
- spelling and comment nits.

Closes curl#19637
When OpenSSL fails to verify the peer certificate, we checked for one specific reason code and did not ask Apple SecTrust for any other failure. Always ask Apple SecTrust after OpenSSL fails when the `native_ca_store` is enabled. If the user configures a CAfile or CApath, the native store is disabled, so this does not affect use cases where users ask curl to use a specific set of trust anchors. Do the same for GnuTLS. Fixes curl#19636 Reported-by: ffath-vo on github Closes curl#19638
In smb_send_message, although it could never actually overflow it might as well be done correctly. Also do the check earlier. Closes curl#19640
Check size_t conversion on setting these members via CURLMIPT_*. Use members without casting. Closes curl#19618
Follow-up to eaa7651 curl#19589 Closes curl#19641
They are used in Windows-specific `fopen()`, `freopen`, `open()` and `curlx_get_winapi_error()` calls, and in `fix_excessive_path()` in Unicode builds.
Refs:
https://learn.microsoft.com/cpp/c-runtime-library/reference/mbstowcs-mbstowcs-l
https://learn.microsoft.com/cpp/c-runtime-library/reference/mbstowcs-s-mbstowcs-s-l
https://learn.microsoft.com/cpp/c-runtime-library/reference/wcstombs-wcstombs-l
https://learn.microsoft.com/cpp/c-runtime-library/reference/wcstombs-s-wcstombs-s-l
Also ban these functions via checksrc.
Co-authored-by: Jay Satiro
Closes curl#19581
This reverts commit a439fc0. It requires a version of libnettle that is not included in these Ubuntu versions: "Libnettle 3.10 was not found" Closes curl#19642
When glob_url() returns error, stop. Closes curl#19649
If get_args() returns error, do not overwrite the variable in the next call. Also, avoid allocating memory for the default user-agent. Closes curl#19650
For printf()ing the message to show. Closes curl#19651
The freeing of the already allocated hostname is done by Curl_async_shutdown(). This extra free in the RR code path made a double-free. Presumably not detected because the CI torture tests don't run HTTPS-RR enabled? Follow-up to 8d0bfe7 Closes curl#19658
- adjust cipher list in infof() statement for min/max TLS version
- skip test_17_07 for wolfSSL 5.8.4 when CHACHA20 is negotiated due to regression with homebrew build on ARM systems.

Fixes curl#19644
Reported-by: Viktor Szakats
Closes curl#19662
…ADFUNC_PAUSE When a transfer is paused from a read callback with a CURL_READFUNC_PAUSE code, it should be excluded from the speedcheck. Currently only transfers paused from write callbacks are excluded, because the code only checks for "recv direction" of the transfer. This commit adds a check for "send direction". Issue similar to curl#6358 Closes curl#19653
Enable with "configure --enable-backtrace", inserts a backtrace in the memdump log when a torture test limit is reached. Closes curl#19657
Also:
- memdebug: fix symbol collision in unity builds.
- memdebug: fix compiler warning by making a variable static.

Follow-up to c77bed8 curl#19657
Closes curl#19666
Instead of writing each line to file immediately, this now stores them in an in-memory buffer until that gets full or curl exits. To make it run faster and write to file less often. Closes curl#19750
Rework the way curl's custom Find modules advertise their properties.

Before this patch, Find modules returned detected dependency properties (header dirs, libs, libdirs, C flags, etc.) via global variables. curl's main `CMakeLists.txt` copied their values into global lists, which it later applied to targets. This solution worked internally, but it was unsuited for the public, distributed `CURLConfig.cmake` and publishing curl's Find modules with it, due to polluting the namespace of consumer projects. It's also impractical to apply the many individual variables to every target depending on libcurl.

To allow using Find modules in consumer projects, this patch makes them define as imported interface targets, named `CURL::<dependency>`. Then store dependency information as target properties. It avoids namespace pollution and makes the dependency information apply automatically to all targets using `CURL::libcurl_static`. Find modules continue to return `*_FOUND` and `*_VERSION` variables.

For dependencies detected via `pkg-config`, CMake 3.16+ is recommended. Older CMake versions have a varying degree of support for propagating/handling library directories. This may cause issues in envs where dependencies reside in non-system locations and detected via `pkg-config` (e.g. macOS + Homebrew). Use `CURL_USE_PKGCONFIG=OFF` to fix these issues. Or upgrade to newer CMake, or link libcurl dynamically.

Also:
- re-enable `pkg-config` for old cmake `find_library()` integration tests.
- make `curlinfo` build after these changes.
- distribute local Find modules.
- export the raw list of lib dependencies via `CURL_LIBRARIES_PRIVATE`.
- `CURLconfig.cmake`: use curl's Find modules to detect dependencies in the consumer env.
- add custom property to target property debug function.
- the curl build process no longer modifies `CMAKE_C_FLAGS`.

Follow-up to e865420 curl#17047
Ref: curl#14930
Ref: libssh2/libssh2#1535
Ref: libssh2/libssh2#1571
Ref: libssh2/libssh2#1581
Ref: libssh2/libssh2#1623
Closes curl#16973
Reported-by: Kai Pastor Bug: curl#16973 (comment) Follow-up to 16f073e curl#16973 Closes curl#19758
To fix non-unity builds using certain header orders (seen in ntlm.c with
the include order changed):
```
lib/vauth/../sendf.h:117:27: error: ‘struct Curl_cwriter’ declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
117 | struct Curl_cwriter *writer);
| ^~~~~~~~~~~~
lib/vauth/../sendf.h:215:54: error: ‘struct Curl_creader’ declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
215 | CURLcode (*do_init)(struct Curl_easy *data, struct Curl_creader *reader);
| ^~~~~~~~~~~~
[...]
```
Ref: https://github.com/curl/curl/actions/runs/19785420705/job/56691185397?pr=19760
Ref: curl#19760
Closes curl#19761
Since this function returns allocated resources there is probably at least a theoretical risk this can return NULL. Pointed out by ZeroPath Closes curl#19756
Also move from `int` to `size_t` for index variables. Closes curl#19762
From `lib/a*` to `lib/cs*`. Closes curl#19764
Bringing down non-XML-compliant files to 50 (from 58). Follow-up to 7f3731c curl#19595 Closes curl#19765
Move check logic from postchecks to `test613.pl`. To make these test data files XML-compliant. Also to avoid POSIX/bash-shellisms in postcheck. Closes curl#19766
To avoid potentially executing a different Perl than used by the rest of the build and tests. Also to be more portable by not relying on shebang support, though these particular tests require POSIX shell anyway. Closes curl#19767
Before this patch it added Windows-specific casts. In unity builds this also affected other source files. `setsockopt()` is called without special casts in other places in the code, and passing a non-const char ptr to a const char ptr arg also should work. Basic compile test with mingw-w64 confirms. In case of issues, a cast to `curl_socklen_t` can be used, or do the special case in an `#if` branch. Also: merge Windows-specific guards for `SET_RCVTIMEO()`. Follow-up to 639d052 curl#3155 Follow-up to 04cb15a Closes curl#19768
The macro is present in all supported Windows toolchains. It's present in mingw-w64 v3+, and in MS SDK 6.0A+ (maybe earlier).
Also:
- restrict this logic to `USE_WINSOCK` (was: `_WIN32`), to exclude alternate socket libraries (i.e. lwIP). lwIP supports `IPV6_V6ONLY` since its 2.0.0 (2016-11-10) release and it's disabled by default, unlike in Winsock. Ref: lwip-tcpip/lwip@e65202f
- delete interim setter function/dummy macro `set_ipv6_v6only()`.

Follow-up to a28f5f6 curl#18010
Follow-up to ca3f6de curl#10975
Closes curl#19769
Use the macros set by autotools and cmake, to simplify. Closes curl#19772
```
CMakeConfigurableFile.in
cmake_uninstall.cmake.in
curl-config.cmake.in
```
Follow-up to 16f073e curl#16973
Closes curl#19773
Follow-up to 16f073e curl#16973 Follow-up to 554dfa5 curl#17927 Closes curl#19775
Set it only while using local Find modules, leave it as-is while using system ones. Follow-up to 16f073e curl#16973 Cherry-picked from curl#19776
Follow-up to c1e3a76. The previous update missed an addition that also can wrap and cause confusion. Fixing this by calling Curl_pgrsSetDownloadSize() after the overflow check. Reported-by: Deniz Parlak Closes curl#19774
Also:
- apply it to the local copy of this code in `lib/CMakeLists.txt`.
- replace 'CURL' with `@PROJECT_NAME@` in a message.

Closes curl#19777
Use the already detected `gssapi/gssapi_krb5.h` MIT Kerberos header to pull in `gssapi_ext.h`, which in turn sets `GSS_C_CHANNEL_BOUND_FLAG` if supported. Channel binding is present in MIT Kerberos 1.19+.
Also:
- lib: de-duplicate GSS-API header includes.
- vauth: de-duplicate `urldata.h` includes.
- drop interim feature macro in favor of the native GSS one.

Assisted-by: Max Faxälv
Reported-by: Max Faxälv
Bug: curl#19164 (comment)
Follow-up to 8616e5a curl#19164
Closes curl#19603
Closes curl#19760