Builder curl-threaded-solaris11-sparc Build #4474

Results:

Build successful

SourceStamp:

Project	curl
Repository	https://github.com/curl/curl.git
Branch	master
Revision	f32451c12bb7fa4738d8c9cf6d7cd09ee876434b
Got Revision	f32451c12bb7fa4738d8c9cf6d7cd09ee876434b
Changes	505 changes

BuildSlave:

unstable11s

Reason:

The SingleBranchScheduler scheduler named 'schedule-curl-threaded-solaris11-sparc' triggered this build

Steps and Logfiles:

git update ( 30 secs )
1. stdio
Runtest './tests/testcurl.pl --nogitpull ...' ( 46 mins, 46 secs )
1. stdio
2. resultlog
Mail result 'cat resultlog ...' ( 1 secs )
1. stdio

Build Properties:

Name	Value	Source
branch	master	Build
builddir	/export/home/buildbot/slave/curl-threaded-solaris11-sparc	slave
buildername	curl-threaded-solaris11-sparc	Builder
buildnumber	4474	Build
codebase		Build
got_revision	f32451c12bb7fa4738d8c9cf6d7cd09ee876434b	Git
osplatform	SPARC	SetPropertyFromCommand Step
osrelease	11	SetPropertyFromCommand Step
project	curl	Build
repository	https://github.com/curl/curl.git	Build
revision	f32451c12bb7fa4738d8c9cf6d7cd09ee876434b	Build
scheduler	schedule-curl-threaded-solaris11-sparc	Scheduler
slavename	unstable11s	BuildSlave
workdir	/export/home/buildbot/slave/curl-threaded-solaris11-sparc	slave (deprecated)

Forced Build Properties:

Name	Label	Value

Responsible Users:

Christian Schmitz
supportohnoyoudont@monkeybreadsoftware.de
Dan Fandrich
danohnoyoudont@coneharvesters.com
Daniel Stenberg
danielohnoyoudont@haxx.se
Emre Çalışkan
bilgiohnoyoudont@emrecaliskan.com.tr
Ethan Everett
84542561+eeverettrbxohnoyoudont@users.noreply.github.com
Jay Satiro
raysatiroohnoyoudont@yahoo.com
Joshua Rogers
MegaManSecohnoyoudont@users.noreply.github.com
Michael Osipov
michael.osipovohnoyoudont@innomotics.com
Patrick Monnerat
patrickohnoyoudont@monnerat.net
Samuel Henrique
samuelophohnoyoudont@debian.org
Stefan Eissing
stefanohnoyoudont@eissing.org
Viktor Szakats
commitohnoyoudont@vsz.me
dependabot[bot]
49699333+dependabot[bot]ohnoyoudont@users.noreply.github.com
renovate[bot]
29139614+renovate[bot]ohnoyoudont@users.noreply.github.com

Timing:

Start	Sat Oct 18 11:10:34 2025
End	Sat Oct 18 11:57:54 2025
Elapsed	47 mins, 20 secs

All Changes:

:

Change #244775

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 09 Sep 2025 15:17:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9863599d69b79d290928a89bf9160f4e4e023d4e

Comments

lib: introduce `CURL_ACCEPT()`
To avoid overriding the system symbol `accept`, which is a macro on some
systems (AIX), and thus can't be called via the `(function)` PP trick.

It's also problematic to reset such macro to its original value.

Follow-up to 3bb5e58c105d7be450b667858d1b8e7ae3ded555 #17827
Reported-by: Andrew Kirillov
Fixes #18500
Closes #18501
Closes #18502

Changed files

lib/cf-socket.c
lib/curl_mem_undef.h
lib/curl_setup.h
lib/memdebug.c
lib/memdebug.h
lib/socketpair.c
src/tool_doswin.c

Change #244784

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Tue 09 Sep 2025 15:28:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	522c991336f07b1b962f5d76077b2221fe87f302

Comments

Dockerfile: update debian:bookworm-slim Docker digest to df52e55
Closes #18499

Changed files

Dockerfile

Change #244793

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 09 Sep 2025 21:51:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c70f7b7a7cdf04067ef2b4be8cc2d92996bdd36d

Comments

GHA/codeql: scan GHA workflows and Python
Closes #18504

Changed files

.github/workflows/codeql.yml

Change #244801

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Tue 09 Sep 2025 23:47:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	82449d4d91a323a61392836bc80be64b0b57eb27

Comments

GHA: update github/codeql-action digest to d3678e2
Closes #18507

Changed files

.github/workflows/codeql.yml

Change #244808

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 10 Sep 2025 00:55:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	61759a9843d44d9001f6a3c1bc88731448da58f4

Comments

pytest: bind to localhost
Pointed out by CodeQL

Fixes https://github.com/curl/curl/security/code-scanning/298

Closes #18506

Changed files

tests/http/testenv/ports.py

Change #244816

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 10 Sep 2025 07:41:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	85ba1b8067cd15625262473a77960b2d5975c447

Comments

THANKS: names from the 8.16.0 cycle

Changed files

docs/THANKS
docs/THANKS-filter

Change #244824

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 10 Sep 2025 07:43:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bee4ee6141345d60bd8108f7a09b40b2ea36076b

Comments

VERSIONS: update past versions

Changed files

docs/VERSIONS.md

Change #244834

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 10 Sep 2025 07:43:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	11b991232fbcaa88e2b1faecac224416b0001e35

Comments

RELEASE-NOTES: synced
curl 8.16.0 release

Changed files

RELEASE-NOTES

Change #244843

Category	curl
Changed by	Ethan Everett <84542561+eeverettrbxohnoyoudont@users.noreply.github.com>
Changed at	Wed 10 Sep 2025 11:51:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f4758cd524907a921853c29a575fb78dcf267e54

Comments

quic: ignore EMSGSIZE on receive
Some OSes (Linux, macOS, more?) will generate an EMSGSIZE socket error
on the next recv all after receiving an ICMP Packet Too Big on an
unconnected UDP socket.

These can be safely ignored as QUIC's DPLPMTUD uses MTU probes that do
not rely on receiving ICMP packets.

Closes #18505

Changed files

lib/vquic/vquic.c

Change #244852

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 10 Sep 2025 12:06:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	80ac5fb2ec29203fd9d87d705f72e8cd2afee501

Comments

easy_getinfo: check magic, Curl_close safety
Check the easy handles magic in calls to curl_easy_getinfo().
In Curl_close() clear the magic after DNS shutdown since we'd
like to see tracing for this.
When clearing the magic, also clear the verbose flag so we
no longer call DEBUGFUNCTION on such a handle.

Closes #18511

Changed files

lib/easy.c
lib/url.c

Change #244860

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 10 Sep 2025 12:44:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a782867c9f966b2daeb67a4438bc4c26c6bbd46b

Comments

curl_easy_getinfo: error code on NULL arg
When passing an address to curl_easy_getinfo to retrieve a value and the
address is NULL, return CURLE_BAD_FUNCTION_ARGUMENT instead of
CURLE_UNKNOWN_OPTION.

Closes #18512

Changed files

lib/getinfo.c

Change #244868

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 10 Sep 2025 12:54:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	31f0f0a0609bc8cc4ce665907b58b90330f69f5c

Comments

RELEASE-NOTES: synced
and bump include/curl/curlver.h

Changed files

RELEASE-NOTES
include/curl/curlver.h

Change #244874

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 10 Sep 2025 13:08:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3ba74c43953087f441104f65918ed82f2078b4c3

Comments

curl_mem_undef.h: limit to `CURLDEBUG` for non-memalloc overrides
To fix non-`CURLDEBUG` builds on 32-bit AIX, where `fopen` is a system
macro.

Ref: #18502
Ref: https://github.com/curl/curl/pull/18502/commits/793a375ce3002454599ffe2d7b561b6340103306

Follow-up to 3bb5e58c105d7be450b667858d1b8e7ae3ded555 #17827
Reported-by: Andrew Kirillov
Fixes #18510
Closes #18514

Changed files

lib/curl_mem_undef.h

Change #244885

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 11 Sep 2025 03:07:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0455d8772a1af20ce63c46c5738582aa9b1b8441

Comments

GHA: minimize installed packages in http3-linux and Windows cross-builds
In the last couple of months some jobs started taking a lot of time and
often timing out due to slow `apt install` from the Azure Ubuntu mirror.

The jobs affected were those that installed large packages:
GHA/http3-linux and the 3 cross-build jobs in GHA/windows.

This patch reduces the installed packaged to the minimum required
to complete the jobs. Saving a minute+ for each http3-linux job (a total
of 20+ minutes for the workflow.) Also saving bandwidth and reducing
the chance for long downloads or timeouts with slow Azure repos.

Details:
- http3: delete redundant packages from the `build-cache` job.
- http3: install gnutls dependencies for gnutls jobs only.
- http3: do not install test dependencies in jobs not running tests.
- http3: drop redundant packages from the curl jobs.
- Windows-cross: replace `mingw-w64` with `gcc-mingw-w64-x86-64-win32`
  for the 3 Windows cross-build job. Dropping C++, 32-bit, and 64-bit
  POSIX-threaded parts. Saving time and significant bandwidth for each
  of the 3 jobs:
  Download size: 277 MB -> 65 MB (installed: 1300 MB -> 400 MB)
- Windows-cross: restore previous job time limit of 15m (from 45m)
  Follow-up to ff5140a25f42fef80325c6e28c4802fdb7e06386 #18163

Before:
https://github.com/curl/curl/actions/runs/17611514207 (http3)
https://github.com/curl/curl/actions/runs/17611514185/job/50034354923 (Windows cross)

After:
https://github.com/curl/curl/actions/runs/17628406362?pr=18509 (http3)
https://github.com/curl/curl/actions/runs/17627562551/job/50088055529?pr=18509 (Windows cross)

http3 job           |    Bef. |    Aft. |
:------------------ | ------: | ------: |
Build caches (hot)  |     10s |     12s |
AM awslc            |  3m  0s |  1m 54s |
CM awslc            |  4m 32s |  3m  4s |
AM boringssl        |  3m  9s |  1m 48s |
CM boringssl        |  3m 43s |  3m  2s |
AM gnutls           |  3m  9s |  2m 18s |
CM gnutls           |  4m 19s |  2m 55s |
AM libressl         |  2m 14s |  1m 24s |
CM libressl         |  5m 30s |  2m 57s |
AM openssl          |  5m 16s |  4m 17s |
CM openssl          |  1m 50s |  1m 47s |
AM openssl-quic     |  2m 58s |  1m  7s |
CM openssl-quic     |  4m 16s |  2m 43s |
AM quiche           |  2m 54s |  1m 34s |
CM quiche           |  5m  0s |  3m 15s |
AM quictls          |  2m 34s |  1m 13s |
CM quictls          |  4m 20s |  3m 17s |
AM wolfssl          |  2m 48s |  1m 30s |
CM wolfssl          |  4m 49s |  3m 22s |
Total:              | 66m 21s | 43m 27s |
Gain:               |         | 22m 54s |

Out of curiousity, build times as seen in the http3 build-cache job:
- TLS backends:
  - openssl: 2m25s
  - libressl: 27s
  - aws-lc: 41s
  - boringssl: 1m8s
  - quictls: 1m46s
  - gnutls: 6m30s
  - wolfssl: 51s
  - quiche + boringssl: 1m9s
- ng* libs (not yet optimized for build speed):
  - nghttp3: 13s
  - ngtcp2: 52s (with 6 backends, 3 runs)
  - ngtcp2: 19s (boringssl)
  - nghttp2: 21s
Ref: https://github.com/curl/curl/actions/runs/17626120054/job/50083344805

A similar effort in curl-for-win, affecting 2 GHA/curl-for-win Windows
jobs (though they use the default Debian repo, with no issues):
- with llvm/clang:
  Download size: 648 MB -> 430 MB (installed: 3344 MB -> 2333 MB)
- with gcc:
  Download size: 550 MB -> 328 MB (installed: 2815 MB -> 1804 MB)
Ref: https://github.com/curl/curl-for-win/commit/e19665d9486bdca60f996ed2e198a66128cfba38
Ref: https://github.com/curl/curl-for-win/commit/6b14c3946a8c89dc1d3847afc9501fc71f3ac628

Bug: https://github.com/curl/curl/pull/18502#issuecomment-3270259744

Closes #18509

Changed files

.github/workflows/http3-linux.yml
.github/workflows/windows.yml

Change #244891

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Thu 11 Sep 2025 08:40:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7417f14b93b2bcc4ed31696dee7e9404ab2897af

Comments

GHA: update rojopolis/spellcheck-github-actions digest to 739a1e3
Closes #18515

Changed files

.github/workflows/checkdocs.yml

Change #244898

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Thu 11 Sep 2025 08:40:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	39c2d4b54363609865fa49f0f0d7adff84a03d03

Comments

GHA: update github/codeql-action digest to 192325c
Closes #18516

Changed files

.github/workflows/codeql.yml

Change #244905

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 11 Sep 2025 12:53:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	aa8a44ecfa0e46a839affb58c6640b514b062995

Comments

GHA: fix and tweak installed packages for http3-linux and Windows-cross
- explicitly install `libldap-dev` to not rely on test-specific packages
  installing it implicitly, to have the same `curl -V` output for each
  TLS backend build pair.
  Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509

- install `libev-dev` for tests. It's a runtime dependency for
  the local build of `nghttpx`. Missing it made pytest skip 178 tests.
  Also skewing the 'Gain' time. I estimate it to account for 3 minutes,
  making the total gain ~20 minutes.
  Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509
  (It may be a better solution to disable libev for the local nghttp2
  build, to avoid this hidden dependency.)

- fix quiche jobs to use the local build of `libnghttp2`.

- stop installing the `clang` package for Windows-cross. `clang` and
  `clang-tidy` tools are preinstalled on the Ubuntu 24.04 runner.

Closes #18519

Changed files

.github/workflows/http3-linux.yml
.github/workflows/windows.yml

Change #244911

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 11 Sep 2025 15:02:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bf6ae59ab1586e3cd97f27341e4964a9316dc3d5

Comments

GHA/windows: drop repeated word from comment

Changed files

.github/workflows/windows.yml

Change #244917

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 11 Sep 2025 15:59:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b178d58266d4d9805de6da913b5be25c0485b6c2

Comments

quic: fix min TLS version handling
When switching to TSLv1.2 as default in
9d8998c99408e1adf8eba629fad9f87b3235bdfa, this led to an explicit
setting of 1.2 on QUIC connections when using quictls, overriding the
already set min version of 1.3.

This leads to a ClientHello with TLS 1.2+1.3 offered on a QUIC connect
which is rejected by the Caddy server. Using ngtcp2 with OpenSSL 3.5+,
GnuTLS or AWS-LC is not affected.

Fixes #18518
Reported-by: fds242 on github
Closes #18520

Changed files

lib/vtls/openssl.c

Change #244921

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 11 Sep 2025 16:00:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	115fe808f2346b9c02d2720d8f575098e473a5d2

Comments

ngtcp2: check error code on connect failure
Access the error codes of ngtcp2 when a connect attempt failes. Trace
the information for analysis. Treat errors as permanent failure by
default, trigger retrying only when the server refused without
indicating an error.

Closes #18521

Changed files

lib/vquic/curl_ngtcp2.c
tests/http/testenv/nghttpx.py

Change #244928

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 11 Sep 2025 17:01:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	839b22863e2f3dfdceab91e66c23257bc8726863

Comments

ssl-sessions.md: mark option experimental
Also make managen output the experimental text with the correct
prefix/margin for the ascii version.

Closes #18523

Changed files

docs/cmdline-opts/ssl-sessions.md
scripts/managen

Change #244933

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 11 Sep 2025 17:03:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	53f90cb3b5678de16a0129ff4f9f3f0e87dfd78b

Comments

GHA/http3-linux: fix nghttpx build and other tweaks
- fix `nghttp2` build to also build the `nghttpx` application.
  Restore required `libc-ares-dev`. Also confirm that `libev-dev` is
  required too. Document these requirements.
  Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509

- explicitly enable `nghttpx` for the `nghttp2` build to make it fail if
  requirements aren't met:
  ```
  configure: error: applications were requested (--enable-app) but dependencies are not met.
  ```

- explicitly install brotli, zstd, zlib for the dependency builds.
  Of these, zstd and zlib are preinstalled. zlib is required for
  `nghttpx`. zstd and brotli doesn't seem to be used, but keep them
  there just in case and to match the test env.
  Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509

- enable brotli for `nghttpx`. It doesn't change the tests, and also
  cost almost nothing, so I figure why not.

Closes #18522

Changed files

.github/workflows/http3-linux.yml

Change #244936

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 11 Sep 2025 19:46:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c184f464f795dbdf8db354b9b2bc01891ddc4fdd

Comments

CURLOPT_MAXLIFETIME_CONN: make default 24 hours
Set a default value to only reuse existing connections if less than 24
hours old. This makes the TLS certificate check get redone for the new
connection. An application can still set it to zero.

Closes #18527

Changed files

docs/libcurl/opts/CURLOPT_MAXLIFETIME_CONN.md
lib/url.c
lib/urldata.h

Change #244943

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 11 Sep 2025 22:46:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	16cd81ed69b9123584dd73a6924a8f852dc2372a

Comments

urldata: FILE is not a list-only protocol
The struct field thus does not depend on the presence of it

Closes #18525

Changed files

lib/urldata.h

Change #244948

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 12 Sep 2025 08:26:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	57b195bf51ae863d93f48257039c080be4e61359

Comments

CURLINFO_FTP_ENTRY_PATH.md: this is for SFTP as well
Closes #18531

Changed files

docs/libcurl/opts/CURLINFO_FTP_ENTRY_PATH.md

Change #244956

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 12 Sep 2025 08:27:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d7d32ad9b9e9dbf7a372689affd497dcec18df6e

Comments

docs/libcurl: remove ancient version references
To make the texts easier on the eye.

- Remove most free text references to curl versions before 7.60.0 (May
  2018)
- Leave those present in a HISTORY section

Most of them are already documented in symbols-in-versions anyway.

Closes #18530

Changed files

docs/libcurl/curl_easy_getinfo.md
docs/libcurl/curl_formadd.md
docs/libcurl/curl_global_init.md
docs/libcurl/curl_version_info.md
docs/libcurl/libcurl-errors.md
docs/libcurl/opts/CURLINFO_CONTENT_LENGTH_DOWNLOAD.md
docs/libcurl/opts/CURLINFO_TLS_SESSION.md
docs/libcurl/opts/CURLOPT_HTTP_VERSION.md
docs/libcurl/opts/CURLOPT_ISSUERCERT.md
docs/libcurl/opts/CURLOPT_OPENSOCKETDATA.md
docs/libcurl/opts/CURLOPT_OPENSOCKETFUNCTION.md
docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.md
docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.md
docs/libcurl/opts/CURLOPT_QUOTE.md
docs/libcurl/opts/CURLOPT_SOCKOPTFUNCTION.md
docs/libcurl/opts/CURLOPT_SSLVERSION.md
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.md
docs/libcurl/opts/CURLOPT_TCP_KEEPINTVL.md
docs/libcurl/opts/CURLSHOPT_SHARE.md

Change #244960

Category	curl
Changed by	Dan Fandrich <danohnoyoudont@coneharvesters.com>
Changed at	Fri 12 Sep 2025 09:20:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bbdb869ec7e708d12128784a13a1b9e34c67b450

Comments

libcurl-security.md: mention long-running connections
Some applications may want to periodically recheck the remote server
certificate, which doesn't happen on a long-running connection.

Ref: #18527
Closes #18533

Changed files

docs/libcurl/libcurl-security.md

Change #244965

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 12 Sep 2025 11:03:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cc50f05370981e4933504e8aaec6b15880ff847f

Comments

GHA/codeql: re-enable for C with the default query pack
Earlier we used `security-extended` and tried `security-and-quality`.
Try the default to see how it works.

CodeQL no longer uses the project's Actions cache, also fixing
the previously seen repeat cache entry issue.

- switch to `manual` build. It's 3x faster than the default `autobuild`.
- enable more dependencies to increase coverage.
- docs/tests/CI.md: re-add CodeQL.

Ref: https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites
Ref: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
Ref: #16263
Ref: 173805b2e76960de5c51fd5fe64286d8ac81f1ff #15798

Closes #18528

Changed files

.github/scripts/spellcheck.words
.github/workflows/codeql.yml
docs/tests/CI.md

Change #244969

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 13 Sep 2025 18:11:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	83c457f9f3244544c4f0f13051cd00e637c6de88

Comments

GHA: document permissions as required by zizmor 1.13.0
Ref: https://github.com/zizmorcore/zizmor/pull/1131
Ref: https://docs.zizmor.sh/audits/#undocumented-permissions

Bug: https://github.com/curl/curl/pull/18539#issuecomment-3288151910

Closes #18541

Changed files

.github/workflows/appveyor-status.yml
.github/workflows/codeql.yml
.github/workflows/hacktoberfest-accepted.yml
.github/workflows/label.yml

Change #244973

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 14 Sep 2025 10:33:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	eb319bf6ea4811e9ea19308d7f3d45f340cc7766

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #244977

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 14 Sep 2025 12:10:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d52af3c692943377a28a5bfa270248d009a9eed1

Comments

appveyor: bump to OpenSSL 3.5, adjust to dropped 1.1.1 on VS2019
- bump OpenSSL 3.4 to 3.5 on VS2022 runners.

- bump OpenSSL 1.1.1 to 3.0 on VS2019 runners.
  1.1.1 is documented to be present, but missing.
  Fixes:
  ```
  + cmake -G 'Visual Studio 16 2019' -A x64 [...] -DOPENSSL_ROOT_DIR=C:/OpenSSL-v111-Win64 [...]
  CMake Error at C:/Program Files/CMake/share/cmake-4.1/Modules/FindPackageHandleStandardArgs.cmake:227 (message):
    Could NOT find OpenSSL, try to set the path to OpenSSL root folder in the
    system variable OPENSSL_ROOT_DIR (missing: OPENSSL_CRYPTO_LIBRARY
    OPENSSL_INCLUDE_DIR)
  Call Stack (most recent call first):
    CMakeLists.txt:757 (find_package)
  ```
  Ref: https://ci.appveyor.com/project/curlorg/curl/builds/52740431/job/tq6h4xhqpa3vgq47?fullLog=true
  Ref: https://www.appveyor.com/docs/windows-images-software/
  Ref: https://github.com/appveyor/website/commit/9a739f7bce4a624b28ff382d58a9ebc507ab0f78

Closes #18543

Changed files

appveyor.sh
appveyor.yml

Change #244981

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 14 Sep 2025 13:46:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6bb53f29efb7c379f3d22f9e6298e001bf1ff7da

Comments

TODO: remove already implemented or bad items
- remove "connect to multiple IPs in parallel"
- remove "CURLOPT_RESOLVE for any port number", It can already be
  accomplished with CURLOPT_CONNECT_TO
- remove "dynamically load modules", we don't believe in this
- remove "netrc caching and sharing", we already cache it
- remove "Offer API to flush the connection pool", this is effectively
  what CURLMOPT_NETWORK_CHANGED now allows
- remove "WebSocket read callback", introduced in 8.16.0

Closes #18542

Changed files

docs/TODO

Change #244983

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 14 Sep 2025 14:02:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	07837204cdd18f470594fc0caea7fbb50de286df

Comments

GHA/distcheck: disable `man-db/auto-update`
Make sure to not rebuild man pages after purging system curl, to make
the job faster and avoid timeouts:
```
Sun, 14 Sep 2025 10:16:28 GMT Removing curl (8.5.0-2ubuntu10.6) ...
Sun, 14 Sep 2025 10:16:28 GMT Processing triggers for man-db (2.12.0-4build2) ...
Sun, 14 Sep 2025 10:21:22 GMT (Reading database ... 218629 files and directories currently installed.)
```
Ref: https://github.com/curl/curl/actions/runs/17709785947/job/50326910814?pr=18535#step:3:19

Closes #18544

Changed files

.github/workflows/distcheck.yml

Change #244986

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 14 Sep 2025 14:55:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c1be5459d9619163e26d5732ee732b417d697e9d

Comments

GHA/codeql: analyse Windows Schannel WinIDN build
Follow-up to cc50f05370981e4933504e8aaec6b15880ff847f #18528

Closes #18545

Changed files

.github/workflows/codeql.yml

Change #244993

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 14 Sep 2025 23:41:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	64347831684d3a7905fd7ef95bfab59df44b6aea

Comments

tool_getparam: split opt_filestring into two sep functions
One for file name arguments and one for "strings".

Closes #18546

Changed files

src/tool_getparam.c

Change #244997

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 14 Sep 2025 23:53:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	58bdfb4e1d643c4ba7bd8db855e3218ac7757e7c

Comments

CURLOPT_SSL_VERIFYHOST.md: add see-also to two other VERIFYHOST options
Closes #18548

Changed files

docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.md

Change #245001

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 14 Sep 2025 23:54:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f7cac7cc07a45481b246c875e8113d741ba2a6e1

Comments

setopt: accept *_SSL_VERIFYHOST set to 2L
... without outputing a verbose message about it. In the early days we
had 2L and 1L have different functionalities.

Reported-by: Jicea
Bug: https://curl.se/mail/lib-2025-09/0031.html
Closes #18547

Changed files

lib/setopt.c

Change #245005

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Mon 15 Sep 2025 09:25:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	de3fc1d7adb78c078e4cc7ccc48e550758094ad3

Comments

asyn-thrdd: drop pthread_cancel
Remove use of pthread_cancel in asnyc threaded resolving. While there
are system where this works, others might leak to resource leakage
(memory, files, etc.). The popular nsswitch is one example where resolve
code can be dragged in that is not prepared.

The overall promise and mechanism of pthread_cancel() is just too
brittle and the historcal design of getaddrinfo() continues to haunt us.

Fixes #18532
Reported-by: Javier Blazquez
Closes #18540

Changed files

docs/libcurl/libcurl-env-dbg.md
lib/asyn-thrdd.c
lib/curl_threads.c
lib/curl_threads.h
lib/hostip.c
lib/hostip.h
tests/data/Makefile.am
tests/data/test795
tests/libtest/Makefile.am
tests/libtest/test795.pl

Change #245009

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 15 Sep 2025 11:15:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e09f45fea4fca38c5e09f858a383ad5e45a92c24

Comments

dist: do not distribute `CI.md`
`CI.md` slipped into the 8.15.0, 8.16.0 tarballs by accident.
Remove it again and update the checker exception.

Follow-up to fa3f889752e6b5034966de61a372a60773a69ca8 #17463

Closes #18549

Changed files

.github/scripts/distfiles.sh
docs/Makefile.am

Change #245013

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 15 Sep 2025 11:56:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	8de37b8cda7342e54615a9a840c076def155b023

Comments

cmdline-docs: extended, clarified, refreshed
Closes #18550

Changed files

docs/cmdline-opts/abstract-unix-socket.md
docs/cmdline-opts/compressed-ssh.md
docs/cmdline-opts/disallow-username-in-url.md
docs/cmdline-opts/engine.md
docs/cmdline-opts/follow.md
docs/cmdline-opts/globoff.md
docs/cmdline-opts/http2.md
docs/cmdline-opts/http3.md
docs/cmdline-opts/junk-session-cookies.md
docs/cmdline-opts/location.md
docs/cmdline-opts/max-redirs.md
docs/cmdline-opts/proto-redir.md
docs/cmdline-opts/proxy.md
docs/cmdline-opts/request.md
docs/cmdline-opts/retry-connrefused.md
docs/cmdline-opts/retry.md
docs/cmdline-opts/sasl-ir.md
docs/cmdline-opts/tr-encoding.md
docs/cmdline-opts/trace-ids.md
docs/cmdline-opts/unix-socket.md

Change #245019

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 15 Sep 2025 13:58:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	61b79dee7966e979cb5ae950ea773ecf4c048a62

Comments

CURLOPT_TIMECONDITION.md: works for FILE and FTP as well
Closes #18551

Changed files

docs/libcurl/opts/CURLOPT_TIMECONDITION.md

Change #245024

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 15 Sep 2025 15:00:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a4196e22493b945bc61f51767105d5922c7feb93

Comments

tidy-up: whitespace
Closes #18553

Changed files

docs/examples/Makefile.example
docs/examples/ephiperfifo.c
docs/examples/evhiperfifo.c
docs/examples/hiperfifo.c
lib/ftp.c
lib/md4.c
lib/md5.c
lib/memdebug.c
lib/url.c
lib/vauth/digest_sspi.c
lib/vauth/krb5_sspi.c
lib/vauth/ntlm_sspi.c
lib/vauth/spnego_sspi.c
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/ws.c
scripts/checksrc.pl
src/terminal.c
tests/data/test1634
tests/data/test1635
tests/data/test612
tests/unit/unit1304.c

Change #245028

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 15 Sep 2025 15:49:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ac24e0a80e80f7a5f06aacd4696b185856fdb3ec

Comments

GHA/codeql: tidy up config names
Before this patch there was a single C config detected, named `build:`.

Closes #18555

Changed files

.github/workflows/codeql.yml

Change #245032

Category	curl
Changed by	dependabot[bot] <49699333+dependabot[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Mon 15 Sep 2025 23:15:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	56d3bb78bedf200ac093b0ec8f75845b3f7cbb7d

Comments

GHA: bump actions/checkout from 4.2.2 to 5.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.2.2...08c6903cd8c0fde910a37f88322edcfb5dd907a8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Closes #18556

Changed files

.github/workflows/codeql.yml

Change #245036

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Mon 15 Sep 2025 23:16:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	98d5321530e498d66756c1e2b2ef449b8cfc762c

Comments

GHA: Update nghttp2/nghttp2 to v1.67.1
Closes #18552

Changed files

.github/workflows/http3-linux.yml

Change #245040

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 16 Sep 2025 11:06:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	af7d67d3c03329116e593d999851d2cc3ebbf119

Comments

krb5: return appropriate error on send failures
Closes #18561

Changed files

lib/krb5.c

Change #245044

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 16 Sep 2025 11:23:26
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a333fd4411b95fc0c3061b2d675de9287b6123e0

Comments

GHA/codeql: enable more build options, build servers and tunits
- add HTTP/3 build with OpenSSL 3.5, nghttp3 and ngtcp2.
- enable GSASL, Heimdal, rtmp, SSLS-export.
- make one build MultiSSL with GnuTLS, mbedTLS, Rustls, wolfSSL.
- build servers (also on Windows), and tunits.
- use Linuxbrew to install build dependencies missing from Ubuntu.

Coverage is now 466 C files. (was: 446)

Closes #18557

Changed files

.github/workflows/codeql.yml

Change #245050

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 16 Sep 2025 11:25:55
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f6ddc1fc1e25ff8ea866f90942719af898d0ef0c

Comments

Makefile.example: simplify and make it configurable
- build in a single step.

- allow overriding all variables:
  source, target, compiler, libpaths, libs, flags.

Example:
```shell
LIBS= LDFLAGS= SRC=altsvc.c make -f Makefile.example
```

Closes #18554

Changed files

docs/examples/Makefile.example

Change #245054

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 16 Sep 2025 12:37:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	619307feb09fb48feb9a24bbe5655dfcc8f17a3a

Comments

cmake: fix building docs when the base directory contains `.3`
Fixing:
```
ninja: error: '<...>/basedir.md/_bld/docs/libcurl/libcurl-symbols.md',
  needed by 'docs/libcurl/curl_easy_cleanup.3', missing and no known rule to make it
```

Reported-by: Nir Azkiel
Fixes #18560
Follow-up to 898b012a9bf388590c4be7f526815b5ab74feca1 #1288
Closes #18563

Changed files

docs/libcurl/CMakeLists.txt

Change #245058

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 16 Sep 2025 13:34:51
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ea752b575c6ee984fb2a4d16a9dbf0d4f1e26282

Comments

sws: fix checking `sscanf()` return value
Closes #18565

Changed files

tests/server/sws.c

Change #245062

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 16 Sep 2025 16:55:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ff8dfd315c155960836105ad719185c3b4d547bd

Comments

aws-lc: re-enable large read-ahead with v1.61.0 again
AWS-LC fixed a bug with large read ahead buffers in v1.61.0. Check a
define introduced in that version to enable the large read ahead again.

AWS-LC issue: https://github.com/aws/aws-lc/issues/2650

Closes #18568

Changed files

lib/vtls/openssl.c

Change #245066

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 16 Sep 2025 16:57:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cdb56c6666e79fff211d91ee88b0c0e9a5a0dd23

Comments

docs/libcurl: clarify some timeout option behavior
Closes #18569

Changed files

docs/libcurl/opts/CURLOPT_ACCEPTTIMEOUT_MS.md
docs/libcurl/opts/CURLOPT_FTPPORT.md
docs/libcurl/opts/CURLOPT_SERVER_RESPONSE_TIMEOUT.md
docs/libcurl/opts/CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md

Change #245070

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Tue 16 Sep 2025 16:58:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	22ac7f30ad1075295234a8f74f59f9ce9b173b1c

Comments

GHA: update openssl/openssl to v3.5.3
Closes #18566

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245074

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 16 Sep 2025 17:12:26
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3053a3e90f696dc1cfb481c61a2032dcc3b6c15c

Comments

docs/libcurl: use lowercase must
To shout less. Use bold in some places.

Closes #18570

Changed files

docs/libcurl/opts/CURLINFO_CONTENT_TYPE.md
docs/libcurl/opts/CURLINFO_EFFECTIVE_METHOD.md
docs/libcurl/opts/CURLINFO_EFFECTIVE_URL.md
docs/libcurl/opts/CURLINFO_FTP_ENTRY_PATH.md
docs/libcurl/opts/CURLINFO_LOCAL_IP.md
docs/libcurl/opts/CURLINFO_PRIMARY_IP.md
docs/libcurl/opts/CURLINFO_REFERER.md
docs/libcurl/opts/CURLINFO_RTSP_SESSION_ID.md
docs/libcurl/opts/CURLINFO_SCHEME.md
docs/libcurl/opts/CURLOPT_HEADERDATA.md
docs/libcurl/opts/CURLOPT_IOCTLFUNCTION.md
docs/libcurl/opts/CURLOPT_SHARE.md
docs/libcurl/opts/CURLOPT_SSH_HOSTKEYFUNCTION.md
docs/libcurl/opts/CURLOPT_SSH_KEYFUNCTION.md
docs/libcurl/opts/CURLOPT_TRANSFER_ENCODING.md
docs/libcurl/opts/CURLOPT_WRITEDATA.md

Change #245078

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 17 Sep 2025 08:58:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	92361999086712c7ae6ca59930cdac204e0db2a2

Comments

setopt: make CURLOPT_MAXREDIRS accept -1 (again)
Regression from b059f7d (shipped in 8.16.0)

Reported-by: Adam Light
Fixes #18571
Closes #18576

Changed files

lib/setopt.c

Change #245082

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 17 Sep 2025 10:30:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	04e08664a8e392b05a79cd710ef43fe0de7c1797

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245086

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 17 Sep 2025 15:47:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0a27a506b1f1ff926dd94766434dcc8ff4c12bb4

Comments

managen: ignore version mentions < 7.66.0
Only mention version specific details for versions from within the last
six years.

Closes #18583

Changed files

scripts/managen

Change #245090

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 17 Sep 2025 15:49:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dbe4e28d57f76b5ad96241bc5865d043679575d8

Comments

managen: render better manpage references/links
- When an option name is used in text, this script no longer outputs the
  short plus long version in the manpage output. It makes the text much
  more readable.

  This always showing both verions was previously done primarily to make
  sure roffit would linkify it correctly, but since roffit 0.17 it
  should link both long or short names correctly.

- When managen outputs generic text about options at the end of the
  description it now highlights them properly so that they too get
  linkified correctly in the HTML version. For consistency.

Closes #18580

Changed files

scripts/managen
tests/data/test1705

Change #245094

Category	curl
Changed by	Christian Schmitz <supportohnoyoudont@monkeybreadsoftware.de>
Changed at	Wed 17 Sep 2025 23:11:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0f067ba4aa30b681a0e92761e003936470340fd5

Comments

libcurl-multi.md: added curl_multi_get_offt mention
The multi interface page didn't mention the new curl_multi_get_offt
function.

Closes #18579

Changed files

docs/libcurl/libcurl-multi.md

Change #245100

Category	curl
Changed by	Michael Osipov <michael.osipovohnoyoudont@innomotics.com>
Changed at	Wed 17 Sep 2025 23:12:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	74fdc1185f40c2fe2253043ff3f563fbbd4b43ed

Comments

configure: add "-mt" for pthread support on HP-UX
HP-UX requires this compiler and linker flag to pass proper macros and
add required libraries.

Closes #18585

Changed files

configure.ac

Change #245104

Category	curl
Changed by	Christian Schmitz <supportohnoyoudont@monkeybreadsoftware.de>
Changed at	Wed 17 Sep 2025 23:14:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3031fae3bd5135853133b95cd5396e93925a23bf

Comments

multi.h: add CURLMINFO_LASTENTRY
For multiple enums, we use LASTENTRY values to do range checks when
receiving an option as integer. So I added LASTENTRY, so the check will
work, even if you add more options later.

Closes #18578

Changed files

include/curl/multi.h

Change #245108

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 08:02:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a827e4294cee78e2169555d4d99c6c5d583d51bc

Comments

smtp: check EHLO responses case insensitively
Adjust test 980 to announce starttls in lowercase.

Fixes #18588
Reported-by: Joshua Rogers
Closes #18589

Changed files

lib/smtp.c
tests/data/test980

Change #245112

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 18 Sep 2025 08:04:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	20f757ef140a8466e888e6f395461a3ea73daf41

Comments

tool_cb_hdr: fix fwrite check in header callback
Compare fwrite result to nmemb (items), not cb (bytes).

Closes #18593

Changed files

src/tool_cb_hdr.c

Change #245117

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 18 Sep 2025 08:13:52
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4e74b9f592b7e0775800f212052c18c44128f89b

Comments

socks_sspi: restore non-blocking socket on error paths
Closes #18592

Changed files

lib/socks_sspi.c

Change #245121

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 10:15:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ca034e839c92570b6cece09b63624af41f39e77b

Comments

tool: fix exponential retry delay
Also, show retry delay with decimals since it might be not be integer
seconds.

Regression from da27db068fc888d7091d347080 (shipped in 8.16.0)

Reported-by: Andrew Olsen
Fixes #18591
Assisted-by: Jay Satiro
Closes #18595

Changed files

src/tool_cfgable.c
src/tool_cfgable.h
src/tool_operate.c

Change #245125

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 18 Sep 2025 12:20:26
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0f0821133095cf8b6efdfd98c71a09fccb34ac78

Comments

cfilter: unlink and discard
Rewrite the code that removes a filter from the connection and discards
it. Always look at the connection, otherwise it will not work of the
filter is at the top of the chain.

Change QUIC filter setup code to always tear down the chain in
construction when an error occured.

HTTP proxy, do not remove the h1/h2 sub filter on close. Leave it to be
discarded with the connection. Avoids keeping an additional pointer that
might become dangling.

Triggered by a reported on a code bug in discard method.

Reported-by: Joshua Rogers
Closes #18596

Changed files

lib/cfilters.c
lib/cfilters.h
lib/http_proxy.c
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/vtls/vtls.c

Change #245129

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 16:05:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5cc2b8344675140efc660d7a67958274c9caf590

Comments

smb: adjust buffer size checks
The checks did not account for the **two byte** 16bit read so risked
reading one more byte than what actually was received.

Reported-by: Joshua Rogers

Closes #18599

Changed files

lib/smb.c

Change #245134

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 16:06:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	232d5a2ed9c091c88e3b724a1e7d6d6e6cac0079

Comments

openldap: avoid indexing the result at -1 for blank responses
Reported-by: Joshua Rogers

Closes #18600

Changed files

lib/openldap.c

Change #245137

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 18 Sep 2025 16:48:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b4922b1295333dc6679eb1d588ddc2fb6b7fd5b7

Comments

GHA/codeql: enable cares, debug, build curlinfo, examples
Also build examples, out of curiousity, as an experiment, possibly
temporary. It needs around 40 seconds.

Closes #18564

Changed files

.github/workflows/codeql.yml

Change #245142

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 17:15:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	44a586472b42a288836f730b4b3b7dd5490057f6

Comments

ldap: do not base64 encode zero length string
Reported-by: Joshua Rogers
Closes #18602

Changed files

lib/ldap.c

Change #245147

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 18 Sep 2025 17:27:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a80abc45a572132b7f425e526cd60c0cf49f28e2

Comments

sasl: clear canceled mechanism instead of toggling it
Use &= ~authused in SASL_CANCEL (was ^=) to actually remove the offending
mechanism and avoid re-enabling a disabled mech on retry.

Closes #18573

Changed files

lib/curl_sasl.c

Change #245151

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Thu 18 Sep 2025 17:29:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f8175b1536610ec60a9d2dce5a055d59287af4d5

Comments

socks_sspi: Fix some memory cleanup calls
- Ensure memory allocated by malloc() is freed by free().

Prior to this change SSPI's FreeContextBuffer() was sometimes used to
free malloc'd memory. I can only assume the reason we have no crash
reports about this is because the underlying heap free is probably the
same for both.

Reported-by: Joshua Rogers

Fixes https://github.com/curl/curl/issues/18587
Closes https://github.com/curl/curl/pull/18594

Changed files

lib/socks_sspi.c

Change #245156

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 18 Sep 2025 17:34:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ad147ec53de822a18b5dec63b72f43688ae53869

Comments

tftp: propagate expired timer from tftp_state_timeout()
When Curl_timeleft() < 0 we used to return 0, masking the expiry and
skipping the caller’s (timeout_ms < 0) path. Now we set FIN and return
the negative value so tftp_multi_statemach() aborts with
CURLE_OPERATION_TIMEDOUT as intended.

Closes #18574

Changed files

lib/tftp.c

Change #245160

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 18 Sep 2025 17:54:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	54aff4db3c620fd1fcd7c7a7f949fd8ca3773eb8

Comments

tftp: check and act on tftp_set_timeouts() returning error
Reported-by: Joshua Rogers
Ref: https://github.com/curl/curl/pull/18574#issuecomment-3300183302
Closes #18603

Changed files

lib/tftp.c

Change #245164

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Thu 18 Sep 2025 18:09:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ce354d0f4d251371f65f1770d95bba1d926de421

Comments

tool_operate: Improve wording in retry message
- Use the plural 'seconds' for anything other than exactly 1 second.

Before: Will retry in 1.250 second.
After: Will retry in 1.250 seconds.

Follow-up to ca034e83.

Closes https://github.com/curl/curl/pull/18604

Changed files

src/tool_operate.c

Change #245168

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 18 Sep 2025 20:14:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f13250edf11312ab8c0425cf39b182a31b53c6f7

Comments

examples: fix two issues found by CodeQL
- http2-upload: use `fstat()` to query file length to fix TOCTOU.

- ftpuploadresume: fix checking `sscanf()` return value.

Follow-up to b4922b1295333dc6679eb1d588ddc2fb6b7fd5b7 #18564
Closes #18605

Changed files

docs/examples/ftpuploadresume.c
docs/examples/http2-upload.c

Change #245171

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 18 Sep 2025 20:26:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cec6c1cd9c3923e2b583ba2f0756a733ad25293e

Comments

GHA/codeql: make it run on docs updates, to verify examples
Follow-up to b4922b1295333dc6679eb1d588ddc2fb6b7fd5b7 #18564

Changed files

.github/workflows/codeql.yml

Change #245175

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 18 Sep 2025 22:01:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9f18cb6544bbf47e2e2fad6564bc03098273c7bc

Comments

libssh2: error check and null-terminate in ssh_state_sftp_readdir_link()
- null-terminate the result to match the other getter
  `libssh2_sftp_symlink_ex()` call.

- check negative result and bail out early.

Reported-by: Joshua Rogers

Closes #18598

Changed files

lib/vssh/libssh2.c

Change #245179

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 09:13:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9fb8d567ca96659dc0d35cc82f160a721adf6edd

Comments

tool_operate: keep the progress meter for --out-null
Fixes #18607
Closes #18609

Changed files

src/tool_operate.c

Change #245182

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 19 Sep 2025 09:46:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0d9a07abb731cc52a220f48430f66b546965594f

Comments

libssh2: drop two redundant null-terminations
The null-termination was first added in the initial SFTP commit in 2006:
a634f644005cbe2b3dea2b84328d605ec3474054

At that time this was a reasonable concern because libssh2 started
null-terminating this string just one year prior, in 2005:
https://github.com/libssh2/libssh2/commit/efc3841fd2c2c945e96492e9089e4d1810709d53

This fix was released in libssh2 v0.13 (2006-03-02).

curl requires libssh2 v1.2.8, making this workaround no longer necessary.

Follow-up to 9f18cb6544bbf47e2e2fad6564bc03098273c7bc #18598

Closes #18606

Changed files

lib/vssh/libssh2.c

Change #245186

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 19 Sep 2025 11:30:39
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9618c337d1c876df04599462fbdb73d370162dbf

Comments

GHA/codeql: try disabling the TRAP cache
The `cpp` CodeQL job is adding a cache entry for each run on the master
branch. One for Linux, another for Windows. Size: 68MB + 180MB = 248MB.
In one week we got 50+ such entries, almost filling the available cache
space.

Following the recommendation in an open issue thread, this patch tries
to disable this cache. Since it only affects master, the effect can only
be verified after merging.

The latest cache is picked up in PRs. The performance impact is also to
be seen after merge.

Bug: https://github.com/curl/curl/pull/18528#issuecomment-3288950880
Ref: https://github.com/github/codeql-action/pull/1172
Ref: https://github.com/github/codeql-action/issues/2030
Ref: https://github.com/github/codeql-action/issues/2885#issuecomment-2879069087

Follow-up to cc50f05370981e4933504e8aaec6b15880ff847f #18528

Closes #18613

Changed files

.github/workflows/codeql.yml

Change #245190

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 19 Sep 2025 14:20:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b2356a31974e137e304c35f2c0f7c7a4a988eeb6

Comments

GHA: tidy up actions/checkout version in comments [ci skip]

Changed files

.github/workflows/checkdocs.yml
.github/workflows/codeql.yml

Change #245194

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 14:38:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4f5528675a1bc1008748c3c0f636ab4c1ec6d9c0

Comments

libssh: react on errors from ssh_scp_read
Reported in Joshua's sarif data

Closes #18616

Changed files

lib/vssh/libssh.c

Change #245198

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 14:39:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	df60e8fe701e189e7629fd08b61950a0fb1b697a

Comments

cf_socket_recv: don't count reading zero bytes as first byte
Reported in Joshua's sarif data

Closes #18615

Changed files

lib/cf-socket.c

Change #245201

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 14:40:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1055864b03beee1615c04421854e5e927a0cdb5d

Comments

telnet: make printsub require another byte input
Reported in Joshua's sarif data

Closes #18618

Changed files

lib/telnet.c

Change #245206

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 16:40:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fd6eb8d6e77d95e71c0c55678b46173b21edd1e9

Comments

cookie: avoid saving a cookie file if no transfer was done
Because parts of the cookie loading happens on transfer start the
in-memory cookie jar risks being incomplete and then a save might
wrongly truncate the target file.

Added test 1902 to verify.

Reported-by: divinity76 on github
Fixes #18621
Closes #18622

Changed files

lib/cookie.c
tests/data/Makefile.am
tests/data/test1902
tests/libtest/Makefile.inc
tests/libtest/lib1902.c

Change #245210

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 16:47:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b0c823b86fa00e6a41a61614b45999e94b573eaf

Comments

RELEASE-NOTES: synced
and bump to 8.17.0

Changed files

RELEASE-NOTES
include/curl/curlver.h

Change #245214

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 22:54:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	58f071dbe4be8dfc95dad4ac4c9574502966d1dd

Comments

tool_getparam/set_rate: skip the multiplication on overflow
The code detected the problem but didn't avoid the calculation
correctly.

Fixes #18624
Reported-by: BobodevMm on github
Closes #18625

Changed files

src/tool_getparam.c

Change #245218

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 22:55:52
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a0369e1705b536279313c11dd54d490cf6f9ea3d

Comments

gtls: avoid potential use of uninitialized variable in trace output
Reported in Joshua's sarif data

Closes #18620

Changed files

lib/vtls/gtls.c

Change #245221

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 19 Sep 2025 22:57:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5e2d4d790575d4ad0381c4862f5e435a3b6532d1

Comments

base64: accept zero length argument to base64_encode
We used to treat 0 as "call strlen() to get the length" for
curlx_base64_encode, but it turns out this is rather fragile as we
easily do the mistake of passing in zero when the data is actually not
there and then calling strlen() is wrong.

Force the caller to pass in the correct size. A zero length input string
now returns a zero length output and a NULL pointer.

Closes #18617

Changed files

lib/curlx/base64.c
tests/unit/unit1302.c

Change #245224

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 01:20:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	8d004781a577fc2fae72873c4a45b2fb3f366d98

Comments

build: drop the winbuild build system
In favor of CMake.

Closes #18040

Changed files

.github/labeler.yml
.github/scripts/codespell.sh
.github/scripts/spacecheck.pl
.github/scripts/typos.toml
.github/workflows/checksrc.yml
.github/workflows/curl-for-win.yml
.github/workflows/fuzz.yml
.github/workflows/http3-linux.yml
.github/workflows/linux-old.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/non-native.yml
.github/workflows/windows.yml
.gitignore
Makefile.am
appveyor.sh
appveyor.yml
docs/DEPRECATE.md
docs/INSTALL-CMAKE.md
docs/INSTALL.md
projects/README.md
winbuild/.gitignore
winbuild/Makefile.vc
winbuild/MakefileBuild.vc
winbuild/README.md
winbuild/makedebug.bat

Change #245227

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 01:28:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1c49f2f26d0f200bb9de61f795f06a1bc56845e9

Comments

windows: replace `_beginthreadex()` with `CreateThread()`
Replace `_beginthreadex()` C runtime calls with native win32 API
`CreateThread()`. The latter was already used in `src/tool_doswin.c`
and in UWP and Windows CE builds before this patch. After this patch
all Windows flavors use it. To drop PP logic and simplify code.

While working on this it turned out that `src/tool_doswin.c` calls
`TerminateThread()`, which isn't recommended by the documentation,
except for "the most extreme cases". This patch makes no attempt
to change that code.
Ref: 9a2663322c330ff11275abafd612e9c99407a94a #17572
Ref: https://learn.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminatethread

Also:
- use `WaitForSingleObjectEx()` on all desktop Windows.
  Ref: 4be80d5109a340973dc6ce0221ec5c5761587df0
  Ref: https://sourceforge.net/p/curl/feature-requests/82/
  Ref: https://learn.microsoft.com/windows/win32/api/synchapi/nf-synchapi-waitforsingleobjectex
- tests: drop redundant casts.
- lib3207: fix to not rely on thread macros when building without thread
  support.

Assisted-by: Jay Satiro
Assisted-by: Marcel Raad
Assisted-by: Michał Petryka
Follow-up to 38029101e2d78ba125732b3bab6ec267b80a0e72 #11625

Closes #18451

Changed files

lib/curl_threads.c
lib/curl_threads.h
tests/libtest/lib3026.c
tests/libtest/lib3207.c
tests/server/sockfilt.c
tests/server/util.c

Change #245231

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 01:28:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dc3f4fd89b7700a920597630d43e6c2702c6cc46

Comments

autotools: make `--enable-code-coverage` support llvm/clang
Cherry-picked from #18468

Closes #18473

Changed files

configure.ac
m4/curl-functions.m4

Change #245234

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 01:28:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	91720b620e802748d2e1629f43e29b76736542f9

Comments

cmake: add `CURL_CODE_COVERAGE` option
To sync up with the `--enable-code-coverage` `./configure` option.

Ref: https://gcc.gnu.org/onlinedocs/gcc/Invoking-Gcov.html
Ref: https://gcc.gnu.org/onlinedocs/gcc/Cross-profiling.html
Ref: https://clang.llvm.org/docs/SourceBasedCodeCoverage.html

Closes #18468

Changed files

CMakeLists.txt
docs/INSTALL-CMAKE.md
lib/CMakeLists.txt
src/CMakeLists.txt

Change #245237

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 01:28:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	096fc4325b895b507defd387aed0d021a3ea0a02

Comments

digest_sspi: fix two memory leaks in error branches
Closes #18488

Changed files

lib/vauth/digest_sspi.c

Change #245240

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 02:27:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ad26a6cb99b6a5a98cfb3856743f0cea14657895

Comments

tidy-up: avoid using the reserved macro namespace
To avoid hitting `-Wreserved-macro-identifier` where possible.

- amigaos: introduce local macro instead of reusing `__request()`.
- easy_lock: avoid redefining `__has_builtin()`.
  Follow-up to 33fd57b8fff8c0d873da2316a2a7f911caac2bae #9062
- rand: drop interim macro `_random()`.
- windows: rename local macro `_tcsdup()` to `Curl_tcsdup()`.
  To avoid using the reserved macro namespace and to avoid
  colliding with `_tcsdup()` as defined by Windows headers.
- checksrc: ban `_tcsdup()` in favor of `Curl_tcsdup()`.
- tool_doswin: avoid redefining `_use_lfn()` (MS-DOS).
- tool_findfile: limit `__NO_NET_API` hack to AmigaOS.
  Syncing this pattern with `lib/netrc.c`.
  Follow-up to 784a8ec2c1a3cc4bd676077a28a0d5f6ee7786a5 #16279
- examples/http2-upload: avoid reserved namespace for local macro.

More cases will be removed when dropping WinCE support via #17927.

Cases remain when defining external macros out of curl's control.

Ref: #18477
Closes #18482

Changed files

docs/examples/http2-upload.c
docs/internals/CODE_STYLE.md
lib/amigaos.c
lib/curl_mem_undef.h
lib/curl_memory.h
lib/curl_setup.h
lib/curl_sspi.c
lib/easy_lock.h
lib/memdebug.h
lib/rand.c
lib/vauth/digest_sspi.c
lib/vauth/vauth.c
lib/vtls/schannel.c
scripts/checksrc.pl
src/tool_doswin.c
src/tool_findfile.c

Change #245244

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 02:27:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	87cbeecee4118fa3dcc8a0179b1c3b43e4775cb4

Comments

windows: stop passing unused, optional argument for Win9x compatibility
Expiry timestamp in `AcquireCredentialsHandle()` (SSPI) and
`InitializeSecurityContext()` (Schannel) calls. The argument is optional
in both. The returned value was never used in curl. The reason for
passing it was Windows 95 compatibility, according to comments in
the SSPI code. curl no longer supports Windows 95.

Ref: https://learn.microsoft.com/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea
Ref: https://learn.microsoft.com/windows/win32/secauthn/initializesecuritycontext--schannel

Ref: 3fe531196771c8e81f917eebca4a06e062ab3a19
Ref: aaa42aa0d594b95c6c670a373ba30c507aa0a5ed

Closes #18490

Changed files

lib/socks_sspi.c
lib/vauth/digest_sspi.c
lib/vauth/krb5_sspi.c
lib/vauth/ntlm_sspi.c
lib/vauth/spnego_sspi.c
lib/vtls/schannel.c
lib/vtls/schannel_int.h

Change #245247

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 10:16:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	92f215fea1aa8bd5b1709d38f42aab77ab3fc662

Comments

build: address some `-Weverything` warnings, update picky warnings
`-Weverything` is not enabled by curl, and not recommended by LLVM,
because it may enable experimental options, and will result in new
fallouts after toolchain upgrades. This patch aims to fix/silence as much
as possible as found with llvm/clang 21.1.0. It also permanently enables
warnings that were fixed in source and deemed manageable in the future.
`-Wformat` warnings are addressed separately via #18343.

Fix/silence warnings in the source:
- typecheck-gcc.h: fix `-Wreserved-identifier`.
- lib: silence `-Wcast-function-type-strict`.
  For llvm 16+ or Apple clang 16+.
- asyn-ares: limit `HAPPY_EYEBALLS_DNS_TIMEOUT` to old c-ares versions.
- curl_trc: fix `-Wc++-hidden-decl`.
- doh: fix `-Wc++-keyword`.
- ftp: fix `-Wreserved-identifier`.
- ldap: fix `-Wreserved-identifier`.
- mqtt: comment unused macro to avoid warning.
- multi_ev: drop unused macros to avoid warnings.
- setopt: fix useless `break;` after `return;`.
- gtls, mbedtls, rustls: silence `-Wconditional-uninitialized`.
- socks_sspi, schannel, x509asn1: fix `-Wimplicit-int-enum-cast`.
- x509asn1: fix `-Wc++-keyword`.
- openssl: scope `OSSL_UI_METHOD_CAST` to avoid unused macro warning.
- libssh2, wolfssl: drop unused macros.
- curl_ngtcp2, curl_quiche, httpsrr, urlapi: drop/limit unused macros.
- tool_getparam: fix useless `break;` after `return;` or `break;`.
  Not normally enabled because it doesn't work with unity.
  https://github.com/llvm/llvm-project/issues/71046
- tool_operate: fix `-Wc++-keyword`.
- curlinfo: fix a `-Wunsafe-buffer-usage`.
- tests: silence `-Wformat-non-iso`.
- lib557: fix `-Wreserved-identifier`.
- lib1565: silence `-Wconditional-uninitialized`.

Enable the above clang warnings permanently in picky mode:
- `-Wc++-hidden-decl`
- `-Wc++-keyword` (except for Windows, where it collides with `wchar_t`)
- `-Wcast-function-type-strict`
- `-Wcast-function-type`
- `-Wconditional-uninitialized`
- `-Wformat-non-iso` (except for clang-cl)
- `-Wreserved-identifier`
- `-Wtentative-definition-compat`

Silence problematic `-Weverything` warnings globally (in picky mode):
- `-Wused-but-marked-unused` (88000+ hits) and
  `-Wdisabled-macro-expansion` (2600+ hits).
  Triggered by `typecheck-gcc.h` when building with clang 14+.
  Maybe there exists a way to fix within that header?
  Ref: https://discourse.llvm.org/t/removing-wused-but-marked-unused/55310
- `-Wunsafe-buffer-usage`. clang 16+. 7000+ hits.
  May be useful in theory, but such high volume of hits makes it
  impractical to review and possibly address. Meant for C++.
  Ref: https://clang.llvm.org/docs/SafeBuffers.html
  Ref: https://stackoverflow.com/questions/77017567/how-to-fix-code-to-avoid-warning-wunsafe-buffer-usage
  Ref: https://discourse.llvm.org/t/rfc-c-buffer-hardening/65734
  Ref: https://github.com/llvm/llvm-project/pull/111624
- `-Wimplicit-void-ptr-cast`. clang 21+. 1700+ hits.
  C++ warning, deemed pure noise.
  Ref: https://github.com/curl/curl/issues/18470#issuecomment-3253506266
- `-Wswitch-default` (180+ hits), `-Wswitch-enum` (190+ hits),
  `-Wcovered-switch-default` (20+ hits).
  Next to impossible to fix cleanly, esp. when the covered `case`
  branches depend on compile-time options.
- `-Wdocumentation-unknown-command` (8+ hits).
  Triggered in a few sources. Seems arbitrary and bogus.
- `-Wpadded` (550+ hits).
- `-Wc++-keyword` on Windows, where it collides with `wchar_t`.
  (100+ hits)
  Ref: https://github.com/llvm/llvm-project/issues/155988
- `-Wreserved-macro-identifier`. clang 13+. 5+ hits.
  Sometimes it's necessary to set external macros that use
  the reserved namespace. E.g. `_CRT_NONSTDC_NO_DEPRECATE`,
  `__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__`, `__NO_NET_API`,
  possibly `_REENTRANT`, and more.
  It's not worth trying to silence them individually.
- `-Wnonportable-system-include-path` with `clang-cl`.
  It'd be broken by doing what the warning suggests.
- `-Wformat-non-iso` for clang-cl.

CMake `PICKY_COMPILER=ON` (the default) or `./configure`
`--enable-warnings` (not the default) is required to enable these
silencing rules.

Also:
- autotools, cmake: fix Apple clang and mainline llvm version translations.
  Ref: https://en.wikipedia.org/wiki/Xcode#Toolchain_versions
- autotools, cmake: enable `-Warray-compare` for clang 20+.
  Follow-up to 4b7accda5ae3f2e663aa3f3853805241ef87c2fe #17196
- cmake: fix to enable `-Wmissing-variable-declarations` at an earlier
  clang version.
- cmake: update internal logic to handle warning options with `+` in
  them.
- cmake: fix internal logic to match the whole option when looking
  into `CMAKE_C_FLAGS` for custom-disabled warnings.

Follow-up to b85cb8cb4e143d1615d4fcc1ce8f2f7b66453995 #18485

Closes #18477

Changed files

CMake/PickyWarnings.cmake
include/curl/typecheck-gcc.h
lib/asyn-ares.c
lib/curl_trc.c
lib/curl_trc.h
lib/curlx/version_win32.c
lib/doh.c
lib/formdata.c
lib/ftp.c
lib/httpsrr.c
lib/ldap.c
lib/mqtt.c
lib/multi_ev.c
lib/sendf.c
lib/setopt.c
lib/socks_sspi.c
lib/url.c
lib/urlapi.c
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_quiche.c
lib/vssh/libssh2.c
lib/vtls/gtls.c
lib/vtls/mbedtls.c
lib/vtls/openssl.c
lib/vtls/rustls.c
lib/vtls/schannel.c
lib/vtls/wolfssl.c
lib/vtls/x509asn1.c
lib/vtls/x509asn1.h
m4/curl-compilers.m4
src/curlinfo.c
src/tool_getparam.c
src/tool_operate.c
tests/libtest/lib1565.c
tests/libtest/lib557.c
tests/unit/unit1398.c

Change #245250

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 11:49:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1429858bcea20a022ce7e21d0f6a9c826332b95e

Comments

tidy-up: update MS links, allow long URLs via `checksrc`
- update Microsoft documentation links.
  (also drop language designator where present.)

- checksrc: allow longer than 78 character lines if they
  contain a https URL. To make these links easier to use and parse.

- merge links that were split into two lines.

Closes #18626

Changed files

docs/CIPHERS.md
docs/INSTALL.md
docs/TODO
lib/cf-socket.c
lib/cf-socket.h
lib/curlx/multibyte.c
lib/select.h
lib/vauth/ntlm_sspi.c
lib/vauth/spnego_sspi.c
lib/vtls/openssl.c
lib/vtls/schannel.c
lib/vtls/schannel_verify.c
scripts/checksrc.pl
src/tool_doswin.c
tests/server/sockfilt.c
tests/server/util.c

Change #245254

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 12:04:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7a26304a95baecc32405099c0628f0a76a700a20

Comments

curl_slist_append.md: clarify that a NULL pointer is not acceptable
Closes #18627

Changed files

docs/libcurl/curl_slist_append.md

Change #245257

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 12:05:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	335d16e944c86a0f7d9c52e3932e1f0ccca39feb

Comments

libssh: error on bad chgrp number
To avoid it continuing with a zero gid.

Reported in Joshua's sarif data

Closes #18629

Changed files

lib/vssh/libssh.c

Change #245260

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 12:06:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0209e087c6989d7b6df49d3e090414eeccdda8ef

Comments

tool_cb_hdr: size is always 1
- add comment in the header that the argument 'size' is always 1,
  as guaranteed by the libcurl API

- then fix the call to fwrite() to avoid using "size, etag_length" which
  would be wrong if size was something else than 1, and use a fixed
  number there instead.

Reported in Joshua's sarif data

Closes #18630

Changed files

src/tool_cb_hdr.c

Change #245263

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 12:07:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2fe95cb0e320db0c6034d154ab175002d23b936d

Comments

rustls: typecast variable for safer trace output
This is a variadic function call with a mismatched argument type; on
platforms where uintptr_t and size_t differ, this invokes undefined
behavior.

Reported in Joshua's sarif data

Closes #18628

Changed files

lib/vtls/rustls.c

Change #245266

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 13:44:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bf7375ecc50e857760b0d0a668c436e208a400bd

Comments

build: avoid overriding system symbols for socket functions
Before this patch `accept4()`, `socket()`, `socketpair()`, `send()` and
`recv()` system symbols were remapped via macros, using the same name,
to local curl debug wrappers. This patch replaces these overrides by
introducing curl-namespaced macros that map either to the system symbols
or to their curl debug wrappers in `CURLDEBUG` (TrackMemory) builds.

This follows a patch that implemented the same for `accept()`.

The old method required tricks to make these redefines work in unity
builds, and avoid them interfering with system headers. These tricks
did not work for system symbols implemented as macros.

The new method allows to setup these mappings once, without interfering
with system headers, upstream macros, or unity builds. It makes builds
more robust.

Also:
- checksrc: ban all mapped functions.
- docs/examples: tidy up checksrc rules.

Follow-up to 9863599d69b79d290928a89bf9160f4e4e023d4e #18502
Follow-up to 3bb5e58c105d7be450b667858d1b8e7ae3ded555 #17827

Closes #18503

Changed files

REUSE.toml
docs/examples/.checksrc
docs/examples/Makefile.am
docs/examples/http2-upload.c
docs/examples/synctime.c
lib/cf-socket.c
lib/curl_addrinfo.c
lib/curl_mem_undef.h
lib/curl_setup.h
lib/hostip.c
lib/if2ip.c
lib/memdebug.c
lib/memdebug.h
lib/multi.c
lib/socketpair.c
lib/vquic/vquic.c
packages/OS400/os400sys.c
scripts/checksrc.pl
src/tool_cb_rea.c
src/tool_cb_soc.c
src/tool_doswin.c
tests/libtest/lib1960.c
tests/libtest/lib500.c
tests/server/.checksrc

Change #245269

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 20 Sep 2025 15:07:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ca75476a5c9ff3066cfcc3af0a2f33b936466501

Comments

GHA/codeql: drop winbuild references [ci skip]
Follow-up to 8d004781a577fc2fae72873c4a45b2fb3f366d98 #18040

Changed files

.github/workflows/codeql.yml

Change #245272

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 15:15:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2a5da01e422f0853a2ea3764cde5fa08189d5b91

Comments

socks: make Curl_blockread_all return CURLcode
Reported in Joshua's sarif data

Closes #18635

Changed files

lib/socks.c
lib/socks.h
lib/socks_sspi.c

Change #245274

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:24:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	277ebca61009ac6618cd598aa81a9cf5f2b245f7

Comments

ftp: fix port number range loop for PORT commands
If the last port to test is 65535, the loop would previously wrongly
wrap the counter and start over at 0, which was not intended.

Reported in Joshua's sarif data

Closes #18636

Changed files

lib/ftp.c

Change #245277

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:25:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ca8ec6e033eb6b733d123495db18b5c99bf4208a

Comments

tftp: handle tftp_multi_statemach() return code
Previously just ignored.

Reported in Joshua's sarif data

Closes #18638

Changed files

lib/tftp.c

Change #245280

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:26:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	df8244c30fa80cc9310a096f9c4c024a76ad1bc6

Comments

libssh: error on bad chown number and store the value
To avoid continuing with an unintended zero uid. Also actually use the
value, which was omitted before!

Reported in Joshua's sarif data

Closes #18639

Changed files

lib/vssh/libssh.c

Change #245283

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:27:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	82eeda104144b23de1bc89641d5a41f8a57eba6e

Comments

CURLOPT_HEADER/WRITEFUNCTION.md: drop '* size' since size is always 1
Closes #18640

Changed files

docs/libcurl/opts/CURLOPT_HEADERFUNCTION.md
docs/libcurl/opts/CURLOPT_WRITEFUNCTION.md

Change #245286

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:30:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	94eec0a788dbc80e87d7168be1bfb10d734d0ab3

Comments

schannel: assign result before using it
curl_easy_strerror(result) was called *before* result was assigned.

Reported in Joshua's sarif data

Closes #18642

Changed files

lib/vtls/schannel.c

Change #245289

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:34:18
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d27d9c7ef1a37230ace8cc841027e6622c885df7

Comments

cf-socket: use the right byte order for ports in bindlocal
Reported in Joshua's sarif data

Closes #18641

Changed files

lib/cf-socket.c

Change #245292

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 17:49:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e2d3b832445a05ed2e590fa5a40b0914f932bc42

Comments

libssh: return out of memory correctly if aprintf fails
The code called set sshc->nextstate and returned SSH_OK without setting
sshc->actualcode to an error code.

Reported in Joshua's sarif data

Closes #18637

Changed files

lib/vssh/libssh.c

Change #245295

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 22:35:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	66d6075af9c9bb5e4ef7985c7bc46942c9d4ae99

Comments

tftp: return error when sendto() fails
The code just called failf() and then continued without returning error.

Reported in Joshua's sarif data

Closes #18643

Changed files

lib/tftp.c

Change #245298

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 22:37:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	979366a62568ca2ea0f8bed19fd901499c8dc178

Comments

openldap: improve check for receiving blank data
It can't access the first byte either unless it has length.

Followup to 232d5a2ed9c091c88e3b724a1e7d6

Closes #18632

Changed files

lib/openldap.c

Change #245300

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 22:38:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	50968d0378ebf05c90e8f1d167592797bbd258ba

Comments

httpsrr: free old pointers when storing new
In case we get "funny" input and the same field is provided several
times, free the old pointer before stored a new memdup.

Reported in Joshua's sarif data

Closes #18631

Changed files

lib/httpsrr.c

Change #245302

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 22:39:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cf3b9657bcb7acd3525ca081b4ed16e860604d6d

Comments

libssh2: up the minimum requirement to 1.9.0
Released on June 20 2019

Changed files

.github/workflows/linux-old.yml
configure.ac
docs/INTERNALS.md
lib/vssh/libssh2.c

Change #245304

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 23:12:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bb46d42407cd0503a9c499b4646af594a4db4947

Comments

openssl: make the asn1_object_dump name null terminated
In case the buffer is too small.

Reported in Joshua's sarif data

Closes #18647

Changed files

lib/vtls/openssl.c

Change #245306

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 20 Sep 2025 23:58:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5ab120bc4e6d9706efde14b37f8bd80c20981ac2

Comments

krb5: drop support for Kerberos FTP
It was accidentally broken in commit 0f4c439fc7347f499cf5, shipped since
8.8.0 (May 2024) and yet not a single person has noticed or reported,
indicating that we might as well drop support for FTP Kerberos.

Krb5 support was added in 54967d2a3ab55596314 (July 2007), and we have
been carrying the extra license information around since then for this
code. This commit removes the last traces of that code and thus we can
remove the extra copyright notices along with it.

Reported-by: Joshua Rogers
Closes #18577

Changed files

.github/scripts/spellcheck.words
LICENSES/BSD-3-Clause.txt
README
README.md
docs/cmdline-opts/krb.md
docs/libcurl/curl_easy_setopt.md
docs/libcurl/opts/CURLOPT_KRBLEVEL.md
docs/libcurl/symbols-in-versions
include/curl/curl.h
lib/Makefile.inc
lib/curl_krb5.h
lib/ftp.c
lib/ftp.h
lib/krb5.c
lib/pingpong.c
lib/setopt.c
lib/url.c
lib/urldata.h
src/config2setopts.c
src/tool_getparam.c
src/tool_listhelp.c
tests/data/test1282

Change #245308

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 00:00:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3dad0cfd779413866a2a0a8353ee9a98212673f8

Comments

write-out: make %header{} able to output *all* occurances of a header
By appending `:all:[separator]` to the header name. The `[separator]` string
is output between each header value if there are more than one to output.

Test 764 and 765 verify

Idea-by: kapsiR on github
Ref: #18449
Closes #18491

Changed files

docs/cmdline-opts/write-out.md
src/tool_writeout.c
tests/data/Makefile.am
tests/data/test764
tests/data/test765

Change #245310

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 00:05:55
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4189c2c0fe15b3a6afecadb56fd50b6875d7170b

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245312

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 01:59:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0513f9f8786e0cc4246e05d56bd264d0292d9c92

Comments

build: show llvm/clang in platform flags and `buildinfo.txt`
Show these flags:
- `LLVM-CLANG` for mainline llvm/clang.
- `APPLE-CLANG` for Apple clang.
- `CLANG-CL` for clang-cl. (cmake only)

Also:
- GHA/linux: fix a job to build with clang, to match its descriptions.

Closes #18645

Changed files

.github/workflows/linux.yml
CMakeLists.txt
acinclude.m4

Change #245314

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:41:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4e8dfe2093c83c708d4ee0b6952a8495608d708d

Comments

RELEASE-NOTES: spellcheck!

Changed files

RELEASE-NOTES

Change #245316

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:41:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fd61ed062bdad9ad9abdcc839f1c6c51b88e1c05

Comments

ws: clarify an error message
Instead of:

 "[WS] frame length longer than 64 signed not supported"

Use:

 "[WS] frame length longer than 63 bit not supported"

Closes #18654

Changed files

lib/ws.c

Change #245318

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:43:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3d8e15650ccc02cb7384f3b991478363e9498f3f

Comments

vtls_int.h: clarify data_pending
Suggested-by: Joseph Birr-Pixton

Closes #18644

Changed files

lib/vtls/vtls_int.h

Change #245320

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:45:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3b22ed999ef046cbd7a3503746bf9acf927623e7

Comments

telnet: return error on crazy TTYPE or XDISPLOC lengths
Also use the packet size msnprintf() stores instead of calculating it
separately.

Reported in Joshua's sarif data

Closes #18648

Changed files

lib/telnet.c

Change #245322

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:47:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a9baf82a9b4291a948c908bce3f843c556d67deb

Comments

ftp: fix ftp_do_more returning with *completep unset
Specifically, when ftpc->wait_data_conn was true and
Curl_conn_connect(...) returned with serv_conned == false the code
called ftp_check_ctrl_on_data_wait and returned without setting
*completep.

Now set it to 0 at function start to avoid this happening again.

Reported in Joshua's sarif data

Closes #18650

Changed files

lib/ftp.c

Change #245324

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:48:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	05930f304bbf1492951b71d828f0de9fe253d4ea

Comments

rustls: use %zu for size_t in failf() format string
Reported in Joshua's sarif data

Closes #18651

Changed files

lib/vtls/rustls.c

Change #245326

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:49:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ab3a293fd0cca2045cc2e3bf1a73f75b1bd7d4bc

Comments

libssh: fix range parsing error handling mistake
The range-parsing returned CURLE_RANGE_ERROR directly on one error
instead of calling myssh_to_ERROR() like it should and like it does for
all other errors.

Reported in Joshua's sarif data

Closes #18652

Changed files

lib/vssh/libssh.c

Change #245328

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 09:50:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0c53a5e5dcca82dfa57a209c350c77db1572a7c6

Comments

openldap: check ldap_get_option() return codes
Do not just assume that they always work.

Reported in Joshua's sarif data

Closes #18653

Changed files

lib/openldap.c

Change #245330

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 11:15:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d57e7cf20d805032740a8b173ea53ea0da1cce62

Comments

ws: reject curl_ws_recv called with NULL buffer with a buflen
Arguably this is just a bad application.

Reported in Joshua's sarif data

Closes #18656

Changed files

lib/ws.c

Change #245332

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 14:36:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c23d7e7a980d172e2134225933440b05404a1f14

Comments

GHA/codeql: enable ECH and HTTPS-RR
Switch to Linuxbrew c-ares to hit the minimum version.
(Ubuntu offers 1.27.0, HTTPS-RR requires 1.28.0.)

Closes #18661

Changed files

.github/workflows/codeql.yml

Change #245334

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 15:26:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	06d00e3879bbfe167972ee45f1dad0ec591a04fb

Comments

cmake: clang detection tidy-ups
Follow-up to 0513f9f8786e0cc4246e05d56bd264d0292d9c92 #18645
Follow-up to fe5225b5eaf3a1a0ce149023d38a9922a114798b #18209

Closes #18659

Changed files

CMakeLists.txt
docs/examples/CMakeLists.txt

Change #245335

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 16:50:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e5d9c871f0b54c8382b2f417b5923ac78d6a4e12

Comments

tidy-up: assortment of small fixes
- examples/headerapi: fix wrong cast.
- curl_ngtcp2: delete stray character from error message.
- rustls: fix inline variable declaration.
- sendf: drop redundant `int` cast.
- libtest/cli_ws_data: drop cast with mismatched signedness.

Cherry-picked from #18343

Closes #18664

Changed files

docs/examples/headerapi.c
lib/sendf.c
lib/vquic/curl_ngtcp2.c
lib/vtls/rustls.c
tests/libtest/cli_ws_data.c

Change #245337

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 18:51:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e21cc7844db33fe6b77e8dbe687cd720ec9d738e

Comments

autotools: fix silly mistake in clang detection for `buildinfo.txt`
Follow-up to 0513f9f8786e0cc4246e05d56bd264d0292d9c92 #18645

Closes #18666

Changed files

acinclude.m4

Change #245339

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 18:51:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	374c23c617322ecd76794d058461f69b8abbef0e

Comments

autotools: fix duplicate `UNIX` and `BSD` flags in `buildinfo.txt`
Follow-up to 2a292c39846107228201674d686be5b3ed96674d #15975

Closes #18667

Changed files

acinclude.m4

Change #245341

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 21 Sep 2025 21:20:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	989a274e45318b290b7ddf28d7562ff6ec0cba4a

Comments

autotools: add support for libgsasl auto-detection via pkg-config
Enable with `--with-gsasl`, as before.

Cherry-picked from #18660
Closes #18669

Changed files

configure.ac

Change #245343

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 23:00:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a72e1552f224f3785d8aafc9819cd4ad0821c01d

Comments

telnet: refuse IAC codes in content
Ban the use of IAC (0xff) in telnet options set by the application. They
need to be escaped when sent but I can't see any valid reason for an
application to send them.

Of course, an application sending such data basically ask for trouble.

Reported in Joshua's sarif data

Closes #18657

Changed files

lib/telnet.c

Change #245345

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 21 Sep 2025 23:01:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c4f9977c66bbb05a837a7eb03004dd79c3cc9b44

Comments

tftp: pin the first used address
Store the used remote address on the first receive call and then make
sure that it remains the same address on subsequent calls to reduce the
risk of tampering. Doesn't make the transfer secure because it is still
unauthenticated and clear text.

Reported in Joshua's sarif data

Closes #18658

Changed files

lib/tftp.c

Change #245347

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 22 Sep 2025 09:06:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1f0f0bdb192a71b6b8b654115ee2c08f8411e356

Comments

managen: strict protocol check
- protocols MUST match one in the accept-list
- protocols are typically all uppercase
- drop All
- use SCP and SFTP instead of SSH
- add Protocols: to some options previously missing one

Closes #18675

Changed files

docs/cmdline-opts/doh-cert-status.md
docs/cmdline-opts/doh-insecure.md
docs/cmdline-opts/doh-url.md
docs/cmdline-opts/follow.md
docs/cmdline-opts/form-escape.md
docs/cmdline-opts/ip-tos.md
docs/cmdline-opts/key.md
docs/cmdline-opts/pass.md
docs/cmdline-opts/sasl-authzid.md
docs/cmdline-opts/sasl-ir.md
docs/cmdline-opts/socks5-gssapi-nec.md
docs/cmdline-opts/socks5-gssapi.md
docs/cmdline-opts/telnet-option.md
docs/cmdline-opts/upload-flags.md
docs/cmdline-opts/url-query.md
docs/cmdline-opts/vlan-priority.md
scripts/managen

Change #245349

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 10:11:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c9eff26c179222e7de077c0f59a6dfd9ba6dcce8

Comments

tool_doswin: fix to use curl socket functions
Replace `WSASocketW()` with `CURL_SOCKET()`. Also replace a call
to `socketclose()` with `sclose()`. According to a comment,
`socketclose()` was chosen to silence test 1498 (and 2300) reporting
`MEMORY FAILURE`. These reports were accurate, and were caused by
calling `WSASocketW()` instead of `socket()` (now `CURL_SOCKET()`).

This also fixes the curl `sclose()` call on an error branch, which is
now correctly paired with a curl socket open. The mismatched open/close
calls caused an issue in TrackMemory-enabled (aka `CURLDEBUG`) builds.

Docs confirm that `socket()` is defaulting to overlapped I/O, matching
the replaced `WSASocketW()` call:
https://learn.microsoft.com/windows/win32/api/winsock2/nf-winsock2-socket#remarks

Also:
- checksrc: ban `WSASocket*()` functions.
- report `SOCKERRNO` instead of `GetLastError()` for socket calls,
  to match the rest of the codebase.

Follow-up to 9a2663322c330ff11275abafd612e9c99407a94a #17572

Closes #18633

Changed files

scripts/checksrc.pl
src/tool_doswin.c

Change #245351

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 10:11:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	aa9fa4d68e1f0e059c3df8d01838a650136e6f6f

Comments

rustls: fix clang-tidy warning
Seen with v21.1.1, non-debug-enabled build:
```
lib/vtls/rustls.c:415:23: error: File position of the stream might be 'indeterminate'
after a failed operation. Can cause undefined behavior [clang-analyzer-unix.Stream,-warnings-as-errors]
  415 |     const size_t rr = fread(buf, 1, sizeof(buf), f);
      |                       ^
```
Ref: https://github.com/curl/curl/actions/runs/17898248031/job/50887746633?pr=18660#step:11:174

Cherry-picked from #18660
Closes #18670

Changed files

lib/vtls/rustls.c

Change #245353

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 10:11:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7f5ff8f2769a0d771bbc0f5cad513cd07de79d08

Comments

autotools: capitalize 'Rustls' in the log output
To match the rest of the codebase.

Follow-up to 548d8a842123c854ba92aac90a24c6191e2a8bd4
Cherry-picked from #18660
Closes #18671

Changed files

configure.ac
m4/curl-rustls.m4

Change #245355

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 10:11:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	330129c836b3ff9d904d4c0083ec4d71ac2c67c6

Comments

GHA/linux: install zlib in all jobs by default
Cherry-picked from #18660
Closes #18672

Changed files

.github/workflows/linux.yml

Change #245357

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 13:02:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cd20f7b6532198162ddd5bfa816a284c1ad66a7e

Comments

libssh: drop two unused assigments
Reported in macOS clang-tidy v21.1.1 build, after enabling libssh in it:
```
lib/vssh/libssh.c
lib/vssh/libssh.c:1342:9: error: Value stored to 'to_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
 1342 |         to_t = STRE_OK;
      |         ^
lib/vssh/libssh.c:1342:9: note: Value stored to 'to_t' is never read
lib/vssh/libssh.c:1349:9: error: Value stored to 'from_t' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
 1349 |         from_t = STRE_OK;
      |         ^
lib/vssh/libssh.c:1349:9: note: Value stored to 'from_t' is never read
2 warnings generated.
```
Ref: https://github.com/curl/curl/actions/runs/17909917954/job/50918955923?pr=18660#step:11:182

Cherry-picked from #18660
Closes #18684

Changed files

lib/vssh/libssh.c

Change #245359

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 13:10:51
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d75785c7dea214d12525beb659694d3fcc483731

Comments

GHA: enable more options in static analyzer jobs
This is an effort to pass more code through clang-tidt and scan-build
static analyzers. Following CodeQL Linux jobs.

GHA/codeql:
- also build with libssh.
- disable verbose output in build steps.

GHA/linux:
- enable more build options for the clang-tidy and scan-build jobs:
  libidn2, nghttp2, ldap, kerberos, rtmp, gnutls, gsasl, rustls,
  mbedtls, wolfssl
  Use Linuxbrew where necessary.
- also enable ECH, gssapi in the scan-build job.
- fix 'scanbuild' to be 'scan-build' in the job name.

GHA/macos:
- build with Rustls in the clang-tidy job.
- add a new clang-tidy job to test HTTP/3 (with openssl + ngtcp2).
- build with libssh in one of the clang-tidy jobs.
- build with LibreSSL in the MultiSSL clang-tidy job.
- build with heimdal and kerberos in the clang-tidy jobs respectively.
- build with OpenLDAP in one clang-tidy job.
- add support for `skipall`, `skiprun` job options, and use it.

Closes #18660

Changed files

.github/workflows/codeql.yml
.github/workflows/linux.yml
.github/workflows/macos.yml

Change #245361

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 22 Sep 2025 20:01:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f833d5d1fb0cabaaf646e4c630a2cf7b80f55d0f

Comments

cmake: use modern alternatives for `get_filename_component()`
- use `cmake_path()` to query filenames, with CMake 3.20 or upper.
  https://cmake.org/cmake/help/v4.1/command/cmake_path.html#query

- use `cmake_host_system_information()` to query the registry,
  with CMake 3.24 or upper.
  https://cmake.org/cmake/help/v4.1/command/cmake_host_system_information.html#query-windows-registry
  Replacing the undocumented method.

- also quote the value passed to `get_filename_component()` where
  missing. (Could not cause an actual issue as used in the code.)

Closes #18688

Changed files

CMake/FindGSS.cmake
CMake/FindNGTCP2.cmake
CMakeLists.txt

Change #245363

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 23 Sep 2025 00:34:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	051839eb8fcac5ed384e9c3911cb2511119c2c8a

Comments

tidy-up: URLs
Closes #18689

Changed files

docs/BINDINGS.md
docs/BUG-BOUNTY.md
docs/ECH.md
docs/HTTP-COOKIES.md
docs/HTTPSRR.md
docs/INSTALL.md
docs/RUSTLS.md

Change #245365

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 23 Sep 2025 11:48:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	71fc11e6bbf530b90bf6e93a02cb32bdaecc933b

Comments

GHA/codeql: build `units` on Linux
Closes #18695

Changed files

.github/workflows/codeql.yml

Change #245367

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 23 Sep 2025 12:39:48
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b326293619996ff88f965cc3baf90cee2038ba36

Comments

GHA/linux: fix address sanitizer error output
Same issue as seen earlier in the tsan job. Fix it the same way, by
switching to cmake to avoid autotools' libtool confusing the analyzer.
Ref: 2a46df31fdb91851895bc46d81f0065e6cafc80b #18274

Configuration remains identical. I removed libssh2 from the installed
packages, because it was unused before, but cmake enabled it by default
and libssh2 has memory leaks:
Ref: https://github.com/curl/curl/actions/runs/17941312820/job/51018425159

Fixing:
```
/usr/bin/llvm-symbolizer-18: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-18)
/usr/bin/llvm-symbolizer-18: symbol lookup error: /home/runner/work/curl/curl/bld/lib/.libs/libcurl.so.4: undefined symbol: __asan_option_detect_stack_use_after_return
==33900==WARNING: Can't read from symbolizer at fd 3
[..]
==33900==WARNING: Can't write to symbolizer at fd 6
==33900==WARNING: Failed to use and restart external symbolizer
```
Ref: https://github.com/curl/curl/actions/runs/17939949191/job/51013953675?pr=18693

Cherry-picked from #18693
Closes #18696

Changed files

.github/workflows/linux.yml

Change #245369

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 23 Sep 2025 13:02:52
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	67de9924eb9dfcff009271b1fe9c901fc8a52807

Comments

GHA/linux: enable libidn2 and libssh in asan job
Closes #18697

Changed files

.github/workflows/linux.yml

Change #245371

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 23 Sep 2025 20:24:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1acdf3bd64b6344ff818621155acf4cf5c3d1f50

Comments

GHA/macos: add macos-26, llvm20, gcc15, drop macos-14, gcc14
Number of combo jobs down to 22 from 24.

Also:
- update the version matrix.
- update exclusion matrix.
- include verbose compiler configuration dump.
  It makes the Apple-included, default `-I/usr/local/include` visible.
  Ref: #18683

Closes #18698

Changed files

.github/workflows/macos.yml

Change #245373

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 24 Sep 2025 01:04:18
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	135e4ec1ddd664d3274447553db71f4959331858

Comments

GHA: update dependency awslabs/aws-lc to v1.61.3
Closes #18690

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245375

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 24 Sep 2025 10:40:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bdbb50a63e0d713102ffb3a29fd4d3544ff7d90d

Comments

GHA/dist: fix number of parallel jobs on macos runner
It was using the global parallel value in cmake integration tests, while
on macos runners, this should be lower by one, as used in other macos
jobs. Performance impact is minimal.

Follow-up to fb70812437ad28b74dbdc1031e46c1d86bc9db3c #16126
Closes #18701

Changed files

.github/workflows/distcheck.yml

Change #245377

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 24 Sep 2025 11:25:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cc157b49635f3d8d16f445d7af3c8152ff47ae18

Comments

GHA/distcheck: bump timeout for the cmake integration
It may take 1.5 minutes to find the C compiler on macos with old cmake.
The build is also slow due to no unity and Ninja support.

```
Wed, 24 Sep 2025 04:56:51 GMT -- Using CMake version 3.11.4
Wed, 24 Sep 2025 04:58:01 GMT -- The C compiler identification is AppleClang 17.0.0.17000013
Wed, 24 Sep 2025 04:58:02 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
Wed, 24 Sep 2025 04:59:33 GMT -- Check for working C compiler: /Applications/Xcode_16.4.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang -- works
Wed, 24 Sep 2025 04:59:33 GMT -- Detecting C compiler ABI info
Wed, 24 Sep 2025 04:59:35 GMT -- Detecting C compiler ABI info - done
```
Ref: https://github.com/curl/curl/actions/runs/17966736478/job/51100678487?pr=18700#step:10:50

Closes #18702

Changed files

.github/workflows/distcheck.yml

Change #245379

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 24 Sep 2025 14:03:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a99d79616b5df3442dac5598303179e33163a851

Comments

GHA: update ngtcp2/nghttp3 to v1.12.0
Closes #18705

Changed files

.github/workflows/http3-linux.yml

Change #245381

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 24 Sep 2025 14:03:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f8f84b40ccf6e73b89f6f27e2831d6ba1c70e334

Comments

GHA: Update ngtcp2/ngtcp2 to v1.16.0
Closes #18706

Changed files

.github/workflows/http3-linux.yml

Change #245383

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 24 Sep 2025 14:06:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	976a08985a93e105cdffc1a581e8b0a7f9ebc4c8

Comments

ares: fix leak in tracing
When DNS tracing is enabled, a string allocated by ares was not freed.

Reported-by: jmaggard10 on github
Bug: https://github.com/curl/curl/pull/18251#pullrequestreview-3255785083
Closes #18691

Changed files

lib/asyn-ares.c
lib/curl_trc.h

Change #245385

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 24 Sep 2025 14:07:03
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7cb5e39f3682daf99d21a25c61841e1bf05ea693

Comments

socks_gssapi: reject too long tokens
If GSS returns a token to use that is longer than 65535 bytes, it can't
be transmitted since the length field is an unisgned 16 bit field and
thus needs to trigger an error.

Reported in Joshua's sarif data

Closes #18681

Changed files

lib/socks_gssapi.c

Change #245387

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 24 Sep 2025 14:09:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	66c7e92ae4ab824d5c838a207f742af1df6edaec

Comments

Revert "cf_socket_recv: don't count reading zero bytes as first byte"
This reverts commit df60e8fe701e189e7629fd08b61950a0fb1b697a.

The "first byte" checkpoint is not strictly the first byte received, but
the sign of first traffic from the server, which a closed connection
also is.

Closes #18676

Changed files

lib/cf-socket.c

Change #245389

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 24 Sep 2025 14:11:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	470611d76c118995c64d3b738f02b89b76da6c43

Comments

hostip: remove unnecessary leftover INT_MAX check in Curl_dnscache_prune
The math already uses timediff_t so no need for the extra logic

Ref: #18678
Closes #18680

Changed files

lib/hostip.c

Change #245391

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 24 Sep 2025 15:16:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	acd0aa2c9d58c4aa849aa17ad6ff3f76ace02692

Comments

docs: fix/tidy code fences
- INSTALL.md: fence code to avoid wrong rendering.
  Reported-by: rinsuki on github
  Fixes: https://github.com/curl/curl-www/issues/480

- use `sh` instead of `bash` as fence language, for less visual noise.

- INSTALL.md: drop stray shebang.

- ECH.md: drop indent from fenced code.

- minor tidy-ups.

Ref: https://curl.se/docs/install.html

Closes #18707

Changed files

docs/ECH.md
docs/INSTALL.md

Change #245393

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 24 Sep 2025 19:00:03
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	22b9f77e38cda5d7721059664140b37c74ed1d3f

Comments

GHA/curl-for-win: use `DOCKER_IMAGE_STABLE`
Replacing the hard-wired stable image. After this patch, it
will automatically follow upstream updates.

Follow-up to https://github.com/curl/curl-for-win/commit/6870bc1b35baff03168af1d0506ec8610851a819
Follow-up to https://github.com/curl/curl-for-win/commit/5a25df253da4f68de52b14a2e612df5fc60b8aa6

Closes #18709

Changed files

.github/workflows/curl-for-win.yml

Change #245395

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 24 Sep 2025 22:59:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b011e3fcfb06d6c0278595ee2ee297036fbe9793

Comments

vssh: drop support for wolfSSH
The implementation was incomplete and lesser than the other backends. No
one ever reported a bug or requested enhancements for this, indicating
that this backend was never used.

Closes #18700

Changed files

.circleci/config.yml
.github/scripts/cmp-config.pl
.github/workflows/linux.yml
.github/workflows/macos.yml
CMake/FindWolfSSH.cmake
CMakeLists.txt
Makefile.am
configure.ac
docs/INSTALL-CMAKE.md
docs/KNOWN_BUGS
docs/tests/FILEFORMAT.md
lib/Makefile.inc
lib/curl_config.h.cmake
lib/curl_setup.h
lib/url.c
lib/version.c
lib/vssh/ssh.h
lib/vssh/wolfssh.c
packages/OS400/ccsidcurl.c
scripts/schemetable.c
tests/runtests.pl

Change #245397

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 24 Sep 2025 23:03:03
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9a5810f6c1ebac17dae149c517cb520d4abaa4bf

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245399

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 24 Sep 2025 23:48:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	977595772c6e650b538da965cde676c9bc15cfd8

Comments

RELEASE-NOTES: codespell

Changed files

RELEASE-NOTES

Change #245401

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Thu 25 Sep 2025 00:54:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9d3f878e59d155ee2b916550bdca531424643710

Comments

GHA: update actions/cache digest to 0057852
Closes #18710

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/windows.yml

Change #245403

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 09:06:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	97e5a471e0d7a6ade6476c71801ae2a89961919b

Comments

KNOWN_BUGS: Access violation sending client cert with SChannel
It seems we can select between crashing or leaking sensitive files
because Schannel is buggy.

Closes #17626
Closes #18679

Changed files

docs/KNOWN_BUGS

Change #245405

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 09:07:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0f1657ca75fcca4dbdbccf31d9d6cf4fae4a98e5

Comments

mbedtls: handle WANT_WRITE from mbedtls_ssl_read()
The mbedtls_ssl_read() function is documented to be able to also return
MBEDTLS_ERR_SSL_WANT_WRITE, so act on that accordingly instead of
returning error for it.

Assisted-by: Stefan Eissing

Reported in Joshua's sarif data
Closes #18682

Changed files

lib/vtls/mbedtls.c

Change #245407

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 09:08:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	aaa39873ea7cd2a5031cfaa16b54fa3b09af7ff1

Comments

socks_gssapi: make the gss_context a local variable
Reported-by: Stanislav Fort
Closes #18711

Changed files

lib/socks_gssapi.c

Change #245409

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 10:11:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	98dae1d992aa1b048230f9d4934aefe8128b2f6c

Comments

socks_gssapi: remove the forced "no protection"
If a protected connection is requested, don't claim to drop down to "no
protection".

Reported in Joshua's sarif data

Closes #18712

Changed files

lib/socks_gssapi.c

Change #245411

Category	curl
Changed by	Patrick Monnerat <patrickohnoyoudont@monnerat.net>
Changed at	Thu 25 Sep 2025 10:18:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7f38bf51ad42506b5e4bf3a4c8ad6075a61b566b

Comments

OS400: fix a use-after-free/double-free case
Closes #18713

Changed files

packages/OS400/ccsidcurl.c

Change #245413

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 10:45:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7d5f8be532c19ec73063aaa4f27057047bdae5ac

Comments

GHA: use pip `requirements.txt` with pins, and more venv
- requirements.txt: shorten copyright headers.

- requirements.txt: pin packages to versions.

- GHA/windows: use `tests/requirements.txt`.
  Pick a `cryptography` package version that satifies both `impacket`
  and pytests dependencies.

- GHA/checksrc: move pip deps into a new `requirements.txt`.
  To make Dependabot detect and bump them.

- GHA/checksrc: replace apt packages for python test deps with pip
  install `tests/**/requirements.txt` to a venv.

- GHA/checksrc: use venv and drop `--break-system-packages`.

- GHA/linux: fix to actually activate venvs.
  Follow-up to 2638570241cb9e68240d7621f0213916334a4765 #15578

- GHA/linux: fixup (did not cause an issue)
  Follow-up to d75785c7dea214d12525beb659694d3fcc483731 #18660

- GHA: create venvs later, simplify commands.

- GHA: sync pip command-line options, e.g. drop progress-bar,
  everywhere.

Assisted-by: Dan Fandrich

Closes #18708

Changed files

.github/scripts/requirements.txt
.github/workflows/checksrc.yml
.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/windows.yml
tests/http/requirements.txt
tests/requirements.txt

Change #245415

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 11:22:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c9fce97dcb190eac5591ecab683d49ffd30b1c71

Comments

cf-h2-proxy: break loop on edge case
nghttp2 always consumes the memory, but be safe in case it ever decideds
to not to.

Fixes J2
Reported in Joshua's sarif data
Closes #18715

Changed files

lib/cf-h2-proxy.c

Change #245417

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 11:23:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	20d1c6e92ebb19a78e9b6848a210cac15cc14540

Comments

socks_gssapi: remove superfluous releases of the gss_recv_token
Reported in Joshua's sarif data

Closes #18714

Changed files

lib/socks_gssapi.c

Change #245419

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Thu 25 Sep 2025 11:42:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	8e13e4258373e8f58f269f62f38637302a46f8f1

Comments

GHA: update dependency ruff to v0.13.1

Changed files

.github/scripts/requirements.txt

Change #245421

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 12:06:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6796147910168476a5ca9c22fbf297e544b577a7

Comments

GHA/checksrc: run `reuse` directly, merge into the linters workflow
To eliminate dependencies on an Action, Docker Hub and to simplify.

Closes #18721

Changed files

.github/scripts/requirements.txt
.github/workflows/checksrc.yml

Change #245423

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 13:35:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	943166fed3d1b8ce6a73b6a1de5de5338dda1428

Comments

socks_sspi: bail out on too long fields
A probably unnecessary precaution but since the field sizes are 16 bit in the
protocol this makes sure to fail if they would ever be larger as that would go
wrong.

Reported in Joshua's sarif data

Closes #18719

Changed files

lib/socks_sspi.c

Change #245425

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:00:37
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b3fc692568ad3f01528e726223126e3fe870b1c1

Comments

lib: upgrade/multiplex handling
Improvements around HTTP Upgrade: and multiplex hanndling:

* add `Curl_conn_set_multiplex()` to set connection's multiplex
  bit and trigger "connchanged" events
* call `Curl_conn_set_multiplex()` in filters' `CF_CTRL_CONN_INFO_UPDATE`
  implementation where other connection properties are updated.
  This prevents connection updates before the final filter chain
  is chosen.
* rename enum `UPGR101_INIT` to `UPGR101_NONE`
* rename connection bit `asks_multiplex` to `upgrade_in_progress`
* trigger "connchanged" when `upgrade_in_progress` clears
* rename `WebSockets` to `WebSocket` as it is the common term
  used in documentation

Closes #18227

Changed files

lib/connect.c
lib/connect.h
lib/curl_config.h.cmake
lib/http.c
lib/http2.c
lib/request.c
lib/request.h
lib/url.c
lib/urldata.h
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/ws.c

Change #245427

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:03:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ccd2b03b0d32536c909ca056ba84216b3c5efaf5

Comments

socks: rewwork, cleaning up socks state handling
Restructured the code in the following ways:

* add terminal states SUCCESS and FAILED
* split SOCK4 and SOCK5 states to be more clear
* use `bufq` for send/recv of SOCK messages
* reduce SOCKS4 states, more speaking names
* for most states, move code into static function
* reduce SOCKS5 states, more speaking names
* add helpers for traversing to FAILED state
* add helper to flush bufq
* add hepler to read minimum amount into bufq

Closes #18401

Changed files

lib/bufq.h
lib/socks.c
tests/libtest/lib564.c

Change #245429

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:04:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cbc30d4ed2720a18ccf86a24eb3659a9cff74a1b

Comments

vtls: alpn setting, check proto parameter
When setting the negotiated alpn protocol, either then length
must be 0 or a pointer must be passed.

Reported in Joshua's sarif data

Closes #18717

Changed files

lib/vtls/vtls.c

Change #245431

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:05:50
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9e8b05fb995ed36dee08e19953faa2ab48d9304b

Comments

wolfssl: check BIO read parameters
Check parameters passed more thoroughly and assure that current 'data'
also exists.

Reported in Joshua's sarif data

Closes #18718

Changed files

lib/vtls/wolfssl.c

Change #245433

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:07:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b0f65932191df13148032fed307c15557723da48

Comments

openssl-quic: check results better
Fail on errors from SSL_handle_events().
Force quit Caddy test instance that is left hanging longer with
openssl-quic tests for unknown reasons.

Reported in Joshua's sarif data

Closes #18720

Changed files

lib/vquic/curl_osslq.c
tests/http/testenv/caddy.py

Change #245435

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:09:15
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5f4f70e06d688e34a6079a81db1794d76c465fdb

Comments

ngtcp2: fix early return
On a failed tls handshake, the receive function returned without
restoring the current data.

Reported in Joshua's sarif data

Closes #18723

Changed files

lib/vquic/curl_ngtcp2.c

Change #245438

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:10:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	887b863b00b9893c20eb9e1f3987ceaeade1f774

Comments

openssl: clear retry flag on x509 error
When loading the trust anchors and encountering an error, clear
a possibly set retry flag.

Reported in Joshua's sarif data

Closes #18724

Changed files

lib/vtls/openssl.c

Change #245440

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:11:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ee2dd2d6cb9b50dbf7ffd3ada106ba5c09229fa5

Comments

openssl-quic: handle error in SSL_get_stream_read_error_code
The return code of SSL_get_stream_read_error_code() was not checked
in one location, but others. Make that consistent.

Reported in Joshua's sarif data

Closes #18725

Changed files

lib/vquic/curl_osslq.c

Change #245442

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:12:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	36eb26381c1c46098a7c0e4b8a12e7102001c721

Comments

quiche: fix verbose message when ip quadruple cannot be obtained.
Reported in Joshua's sarif data

Closes #18726

Changed files

lib/vquic/curl_quiche.c

Change #245444

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:13:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e02cbe94ff92310b2bb4ba3ad622063b0d34ce0a

Comments

mbedtls: check result of setting ALPN
The result of setting the negotiated ALPN was not checked, leading
to reporting success when it should not have.

Reported in Joshua's sarif data

Closes #18727

Changed files

lib/vtls/mbedtls.c

Change #245446

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:14:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	15b4b9618879318ffcd7d8b95f9b2692b14c8e8b

Comments

rustls: fix comment describing cr_recv()
The comments on `cf_recv()` function were outdated and described
calling conventions that no longer are true.

Reported in Joshua's sarif data

Closes #18728

Changed files

lib/vtls/rustls.c

Change #245448

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:16:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dec661c81cb0bc55e089b67112ab995eeba350eb

Comments

wolfssl: fix error check in shutdown
When trying to send the TLS shutdown, use the return code
to check for the cause.

Reported in Joshua's sarif data

Closes #18729

Changed files

lib/vtls/wolfssl.c

Change #245450

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:17:39
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	771dd9d9e7cda15be4d99a4c50a04b4d6c46b765

Comments

quiche: when ingress processing fails, return that error code
Instead of a general CURLE_RECV_ERROR.

Reported in Joshua's sarif data

Closes #18730

Changed files

lib/vquic/curl_quiche.c

Change #245452

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:18:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	221b7dda3837940532b03fbc5f7c54d8a6edd266

Comments

transfer: avoid busy loop with tiny speed limit
When a transfer has a speed limit less than 4, the receive loop early
exits without receiving anything, causing a busy loop for that transfer.

Perform that check only after the first receive has been done.

Reported in Joshua's sarif data

Closes #18732

Changed files

lib/transfer.c

Change #245454

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 14:19:50
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	442943fb8e9a0e7bd9ae0e5976e4e52792af9739

Comments

openssl: set io_need always
When OpenSSL reports SSL_ERROR_WANT_READ, set the io_need explicitly.
It should have already been set by the BIO, but be safe.

Reported in Joshua's sarif data

Closes #18733

Changed files

lib/vtls/openssl.c

Change #245456

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 14:22:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e08211b1ca35b9d6fbc5e4a898af0738516ad1ec

Comments

GHA: bump pip `cryptography`, relax `impacket` version requirement
Bump `cryptography` to a newer version that fixes two known OpenSSL
vulnerabilities reported by Dependabot.

To make it work, also allow `impacket` 0.11.0, because it allows any
pyOpenSSL version, while 0.12.0 pinned it to a single version that
happens to be incompatible with the bugfixed `cryptography` version.

Also: drop spaces from `requirements.txt` files. Bots don't add them,
though they seem to be preferred in the official documentation:
https://pip.pypa.io/en/stable/reference/requirements-file-format/

https://github.com/fortra/impacket/blob/impacket_0_11_0/requirements.txt
https://github.com/fortra/impacket/blob/impacket_0_12_0/requirements.txt

Follow-up to 7d5f8be532c19ec73063aaa4f27057047bdae5ac #18708

Closes #18731

Changed files

.github/scripts/requirements.txt
tests/http/requirements.txt
tests/requirements.txt

Change #245458

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 14:42:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	882293cc81c0c384c30288c24111e45e6de4cd39

Comments

KNOWN_BUGS: telnet code does not handle partial writes properly
Reported in Joshua's sarif data

Closes #18735

Changed files

docs/KNOWN_BUGS

Change #245460

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 15:37:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5b8c80684b5b39c4d4fde2a7c4f2e3247c391fac

Comments

GHA/checksrc: drop no longer used `DEBIAN_FRONTEND` env
Follow-up to 7d5f8be532c19ec73063aaa4f27057047bdae5ac #18708
Cherry-picked from #18736

Changed files

.github/workflows/checksrc.yml

Change #245462

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 15:37:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	edbf610c6a55ee9776f85352f9ad182cd52559b0

Comments

GHA: set `HOMEBREW_NO_AUTO_UPDATE=1` for Linuxbrew
In an attempt to make `brew install` commands initialize faster.

Often this command started with 20-50 seconds of delay before this
patch. This is an attempt to make it launch faster.

Cherry-picked from #18736

Changed files

.github/workflows/checksrc.yml
.github/workflows/codeql.yml
.github/workflows/linux.yml

Change #245464

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 16:53:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bebc8df0f733468377fbb5cc2a68dbb1239a4b73

Comments

schannel_verify: use more human friendly error messages
Closes #18737

Changed files

lib/vtls/schannel_verify.c

Change #245467

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 16:54:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9f75603d4fefacceed2e368638a1f7f12194d3ed

Comments

tftp: only check address if it was stored
If recvfrom() fails, it might not have stored an address.

Follow-up to c4f9977c66bbb05a837a7eb03004dd79c3cc9b44

Pointed out by CodeSonar

Closes #18738

Changed files

lib/tftp.c

Change #245469

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 25 Sep 2025 16:55:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f5bae285f321063a3d48774915bb38187b4511ac

Comments

socks: handle error in verbose trace gracefully
Adjust the flow to always succeed in verbose trace of connect.

Reported in Joshua's sarif data

Closes #18722

Changed files

lib/socks.c

Change #245471

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 25 Sep 2025 16:59:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e48c1ea415d5076082bd2349d066c0df16dc9993

Comments

GHA: use `pyspelling` directly
To avoid depending on Docker Hub, an Docker image and a GitHub Action.
Also to simplify running this check on a local machine.

Pending question if Dependabot and Mend/Renovate will automatically pick
up `requirements-docs.txt`.

Also:
- enable parallel spellchecking. (also to win back the time lost with
  installing components directly from Debian and pip.)
- pin `pyspelling`.
- link to official `pyspelling` docs.

Closes #18736

Changed files

.github/scripts/requirements-docs.txt
.github/scripts/spellcheck.yaml
.github/workflows/checkdocs.yml

Change #245473

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 17:26:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9595921b06c911af278a645be1d298cb83e32df0

Comments

libssh: clarify myssh_block2waitfor
Fixed misleading comment. Simplified the bit setup.

Reported in Joshua's sarif data

Closes #18739

Changed files

lib/vssh/libssh.c

Change #245475

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 17:26:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b8f10be4f205665552a2dfd276889896e0c3116b

Comments

libssh: acknowledge SSH_AGAIN in the SFTP state machine
Reported in Joshua's sarif data

Closes #18740

Changed files

lib/vssh/libssh.c

Change #245477

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Thu 25 Sep 2025 21:53:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e27853d36b964e91baaa03d4a87802a2c4ba6eca

Comments

GHA: update dependency ruff and github/codeql-action
- update github/codeql-action digest to 303c0ae
- update dependency ruff to v0.13.2

Closes #18716
Closes #18734

Changed files

.github/scripts/requirements.txt
.github/workflows/codeql.yml

Change #245478

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 22:25:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	16e0a2098d91c87ab77ce568acdeda724baf753a

Comments

openssl: fail the transfer if ossl_certchain() fails
Since it would indicate errors to the degree that continuing would just
risk hiding the earlier errors or make things weird.

Inspired by a report in Joshua's sarif data

Closes #18646

Changed files

lib/vtls/openssl.c

Change #245480

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 25 Sep 2025 23:35:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	500ea90829c825e9c19d2d4290d4d130e9ac42bd

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245482

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 26 Sep 2025 09:27:50
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	061e265502fc2f605f0d87453b8b1167ba16839d

Comments

http: handle user-defined connection headers
When there is more than one user-supplied 'Connection: ' header, add
values that curl needs internally to the first one and emit all
subsequent ones thereafter.

Fixes #18662
Reported-by: Evgeny Grin (Karlson2k)
Closes #18686

Changed files

docs/libcurl/opts/CURLOPT_HTTPHEADER.md
lib/http.c
tests/data/Makefile.am
tests/data/test1617

Change #245484

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 26 Sep 2025 10:53:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	84d96275319869e1f0e6c374e39b54a7d892d146

Comments

tool_progress: handle possible integer overflows
The progress meters max out at 2^63 bytes.

Reported-by: BobodevMm on github
Fixes #18744
Closes #18746

Changed files

src/tool_progress.c

Change #245487

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 26 Sep 2025 14:29:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	72f72f678d1669d9758ad3f948321ee4dfc71330

Comments

openldap: check ber_sockbuf_add_io() return code
The man page says nothing about what the return code means but Howard
Chu tells me it is 0 on success, -1 on fail.

Help-by: Howard Chu

Closes #18747

Changed files

lib/openldap.c

Change #245488

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 26 Sep 2025 14:47:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	34b1e146e42f2dbac5c89414a2a0458a8729a255

Comments

perlcheck: add script, run in CI, fix fallouts
Add script to run all Perl sources through `perl -c` to ensure no
issues, and run this script via GHA/checksrc in CI.

Fallouts:
- fix two repeated declarations.
- move `shell_quote()` from `testutil.pm` to `pathhelp.pm`, to
  avoid circular dependency in `globalconfig.pm`.

Closes #18745

Changed files

.github/workflows/checksrc.yml
scripts/Makefile.am
scripts/perlcheck.sh
tests/globalconfig.pm
tests/pathhelp.pm
tests/runner.pm
tests/runtests.pl
tests/servers.pm
tests/test745.pl
tests/testcurl.pl
tests/testutil.pm

Change #245491

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 26 Sep 2025 17:29:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b5ffe30e5b7e79d51ec96c266538eb5586c6a0dd

Comments

cf-ip-happy: mention unix domain path, not port number
In the connect error message if a unix domain socket was used.

Reported-by: kuchara on github
Ref: #18748
Closes #18749

Changed files

lib/cf-ip-happy.c

Change #245493

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 26 Sep 2025 23:50:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	8538856662460fdcb38bafde3218ee3022e64807

Comments

perlcheck: parallelize
Follow-up to 34b1e146e42f2dbac5c89414a2a0458a8729a255 #18745

Closes #18750

Changed files

scripts/perlcheck.sh

Change #245495

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 27 Sep 2025 12:59:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	95e50ad69473d8229b85478a3f2138b7e632fbe8

Comments

tidy-up: miscellaneous
- GHA/checkdocs: rename `spellcheck` job to `pyspelling` to say
  the exact tool used.
- GHA/checkdocs: restore a comment.
- GHA/linux: add `-B .` to a cmake configure to avoid warning, and
  future breakage.
- autotools: use correct casing for `Schannel`.
- doh: update RFC URL.
- drop redundant parenthesis.
- fix indentation, whitespace.

Closes #18756

Changed files

.github/workflows/checkdocs.yml
configure.ac
docs/libcurl/libcurl.m4
lib/curl_threads.c
lib/curlx/version_win32.c
lib/doh.c
lib/system_win32.c
lib/telnet.c
lib/vtls/openssl.c
lib/vtls/schannel.c
lib/ws.c

Change #245497

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 27 Sep 2025 16:29:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	16f721443aee235014f3d17e623c5c5eeb24b83e

Comments

GHA/linux: tidy up AWS-LC local build
To sync with other builds and to use `-B` to avoid a cmake warning and
future breakage.

Closes #18757

Changed files

.github/workflows/linux.yml

Change #245499

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Sat 27 Sep 2025 16:31:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b5c9c858d53072ae6e5a2388d488d2f691f7cd32

Comments

GHA: update dependency awslabs/aws-lc to v1.61.4
Closes #18752

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245501

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 27 Sep 2025 19:03:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	75d5424979a8effac331c4924edb1a8be458cdce

Comments

GHA/windows: tidy up Cygwin jobs
- drop unnecessary installed packages.
- sync built type name with other jobs.

Closes #18758

Changed files

.github/workflows/windows.yml

Change #245503

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 28 Sep 2025 00:20:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	660d915ebda4ea44c4422a647e09693d6fb6a9ee

Comments

ci: use `--enable-option-checking=fatal` in autotools jobs
To avoid typos and non-existing options passed to `./configure` in CI
builds.

Also delete obsolete option `--enable-test-bundles` from Circle CI jobs.

Closes #18759

Changed files

.circleci/config.yml
.github/workflows/distcheck.yml
.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/non-native.yml
.github/workflows/windows.yml

Change #245505

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 28 Sep 2025 00:43:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a6182865d0c8cfb9dbfe8d6444b428d17ecc677c

Comments

CI: make pip use `tests/requirements.txt` in Circle CI
Also sync `pip` options with those used in GHA.

Closes #18760

Changed files

.circleci/config.yml

Change #245507

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 28 Sep 2025 12:33:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	81a9197102472a03a873c0d59d150223f5ed8840

Comments

GHA/linux-old: make one cmake v3.7.2 job verbose
To show the details in cmake builds using the oldest supported version.
Use a legacy method. `--verbose` became supported later, in 3.14.

Closes #18764

Changed files

.github/workflows/linux-old.yml

Change #245509

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 29 Sep 2025 13:07:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e17aa98bfe3799723cec978661cad4079bfa4dd7

Comments

cmake: use more `COMPILER_OPTIONS`, `LINK_OPTIONS` / `LINK_FLAGS`
- replace `COMPILE_FLAGS` with `COMPILE_OPTIONS` that superceded it.

  Follow-up to 6140dfcf3e7845f11dee755de6865379aa96dab7
  https://cmake.org/cmake/help/v4.1/prop_sf/COMPILE_FLAGS.html

- replace `target_link_libraries()` with `LINK_FLAGS` property for
  CMake <=3.12, because we are passing linker options (not libs).

  Follow-up to 91720b620e802748d2e1629f43e29b76736542f9 #18468
  Follow-up to 548873921cde197aa1d40216c594c76738031374 #17670
  Follow-up to 95aea798dbd785c4daee2b2e24f2c8c94f3e3cf4 #5843
  https://cmake.org/cmake/help/v3.7/command/target_link_libraries.html
  https://cmake.org/cmake/help/v3.7/prop_tgt/LINK_FLAGS.html

- replace `target_link_options()` with `LINK_OPTIONS` propery for
  CMake 3.13+, to use the modern style.

  Follow-up to 91720b620e802748d2e1629f43e29b76736542f9 #18468
  Follow-up to 548873921cde197aa1d40216c594c76738031374 #17670
  https://cmake.org/cmake/help/v3.13/command/target_link_options.html
  https://cmake.org/cmake/help/v3.13/prop_tgt/LINK_OPTIONS.html

Also:

- fix to append to, not override, previously set linker options when
  using `CURL_LIBCURL_VERSIONED_SYMBOLS=ON`. Before this patch, it was
  overwriting linker options when using `CURL_CODE_COVERAGE=ON`.

  Follow-up to 91720b620e802748d2e1629f43e29b76736542f9 #18468

Closes #18762

Changed files

lib/CMakeLists.txt
src/CMakeLists.txt

Change #245511

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 01:10:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	10bac43b873fe45869e15b36aac1c1e5bc89b6e0

Comments

tests/server: drop unsafe `open()` override in signal handler (Windows)
Turns out the signal handler on Windows still wasn't signal safe after
the previous round of fix. There is an `open()` call made from there,
and `open` happens to be unconditionally overridden via `curl_setup.h`
on Windows, to its local implementation (`curlx_win32_open()`), which
does memory allocations and potentially other things that are not signal
safe.

This is a temporary fix, till avoiding the override of system symbols
`open` and `stat` on Windows.

FTR this did not fix the CI 2304 errors, diskspace fail or job hangs due
to 0xC0000142 fork failure (it's rare all three occurs in the same run):
https://github.com/curl/curl/actions/runs/18110523584?pr=18774

Ref: #18634
Follow-up e95f509c66abdd88ae02e3243cdc217f19c4a330 #16852
Closes #18774

Changed files

tests/server/util.c

Change #245513

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 01:10:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	20142f5d06f7120ba94cbcc25c998e8d81aec85b

Comments

build: avoid overriding system symbols for fopen functions
By introducing wrappers for them in the curlx namespace:
`curlx_fopen()`, `curlx_fdopen()`, `curlx_fclose()`.

The undefine/redefine/`(function)()` methods broke on systems
implementing these functions as macros. E.g. AIX 32-bit's `fopen()`.

Also:
- rename `lib/fopen.*` to `lib/curl_fopen.*` (for `Curl_fopen()`)
  to make room for the newly added `curlx/fopen.h`.
- curlx: move file-related functions from `multibyte.c` to `fopen.c`.
- tests/server: stop using the curl-specific `fopen()` implementation
  on Windows. Unicode isn't used by runtests, and it isn't critical to
  run tests on longs path. It can be re-enabled if this becomes
  necessary, or if the wrapper receives a feature that's critical for
  test servers.

Reported-by: Andrew Kirillov
Bug: https://github.com/curl/curl/issues/18510#issuecomment-3274393640

Follow-up to bf7375ecc50e857760b0d0a668c436e208a400bd #18503
Follow-up to 9863599d69b79d290928a89bf9160f4e4e023d4e #18502
Follow-up to 3bb5e58c105d7be450b667858d1b8e7ae3ded555 #17827

Closes #18634

Changed files

.github/scripts/verify-examples.pl
docs/examples/.checksrc
docs/internals/CHECKSRC.md
lib/Makefile.inc
lib/altsvc.c
lib/cookie.c
lib/curl_fopen.c
lib/curl_fopen.h
lib/curl_mem_undef.h
lib/curl_setup.h
lib/curlx/curlx.h
lib/curlx/fopen.c
lib/curlx/fopen.h
lib/curlx/multibyte.c
lib/fopen.c
lib/fopen.h
lib/hsts.c
lib/memdebug.c
lib/memdebug.h
lib/mime.c
lib/netrc.c
lib/vtls/gtls.c
lib/vtls/keylog.c
lib/vtls/rustls.c
lib/vtls/schannel.c
lib/vtls/vtls.c
scripts/checksrc.pl
src/Makefile.inc
src/tool_cb_dbg.c
src/tool_cb_wrt.c
src/tool_cfgable.c
src/tool_easysrc.c
src/tool_formparse.c
src/tool_getparam.c
src/tool_ipfs.c
src/tool_operate.c
src/tool_parsecfg.c
src/tool_ssls.c
src/tool_stderr.c
src/tool_util.c
src/tool_writeout.c
src/var.c
tests/data/test1185
tests/libtest/Makefile.inc
tests/libtest/cli_h2_serverpush.c
tests/libtest/cli_hx_download.c
tests/libtest/cli_hx_upload.c
tests/libtest/lib500.c
tests/libtest/lib505.c
tests/libtest/lib518.c
tests/libtest/lib525.c
tests/libtest/lib537.c
tests/libtest/lib541.c
tests/libtest/lib566.c
tests/libtest/lib568.c
tests/libtest/lib569.c
tests/libtest/lib571.c
tests/libtest/lib572.c
tests/libtest/lib578.c
tests/libtest/lib579.c
tests/libtest/lib582.c
tests/libtest/lib591.c
tests/libtest/lib599.c
tests/libtest/lib678.c
tests/server/.checksrc
tests/server/Makefile.inc
tests/unit/unit3200.c

Change #245515

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 11:32:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dd37d6970cfd8b4cf47ebd469f03772813b92c23

Comments

checksrc: fix possible endless loop when detecting `BANNEDFUNC`
If the source line had square brackets before the match, the stripping
of the banned function left the original line intact, and repeated the
check on it forever. E.g. with banned function `open` in `lib518.c`:
```c
t518_testfd[0] = open(DEV_NULL, O_RDONLY);
```

Closes #18775

Changed files

scripts/checksrc.pl

Change #245517

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Tue 30 Sep 2025 11:32:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5b086ba18833a3970919e692865ebabc00166869

Comments

Dockerfile: update debian:bookworm-slim digest to 7e49091
Closes #18777

Changed files

Dockerfile

Change #245519

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 12:28:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c478c7efdf4ebbc8d768ae4cdfdcecf49b68cf94

Comments

examples: fix two more cases of `stat()` TOCTOU
Also:
- ftpupload: bump an intermediate variable size.

Follow-up to f13250edf11312ab8c0425cf39b182a31b53c6f7 #18605

Closes #18778

Changed files

docs/examples/ftpupload.c
docs/examples/httpput.c

Change #245521

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 13:16:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	684f4cdd3ef0cc41c547fce0e45d8a059a3058b3

Comments

checksrc: catch banned functions when preceded by `(`
Also add a test case.

Closes #18779

Changed files

scripts/checksrc.pl
tests/data/test1185

Change #245523

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 16:30:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9678ff5b1bfea1c847aee4f9edf023e8f01c9293

Comments

build: avoid overriding system `open` and `stat` symbols
Replace them by `curlx_open()` and `curlx_stat()`.

To make it obvious in the source code what is being executed.

Also:
- tests/server: stop overriding `open()` for test servers.
  This is critical for the call made from the signal handler.
  For other calls, it's an option to use `curlx_open()`, but
  doesn't look important enough to do it, following the path
  taken with `fopen()`.

Follow-up to 10bac43b873fe45869e15b36aac1c1e5bc89b6e0 #18774
Follow-up to 20142f5d06f7120ba94cbcc25c998e8d81aec85b #18634
Follow-up to bf7375ecc50e857760b0d0a668c436e208a400bd #18503

Closes #18776

Changed files

docs/examples/.checksrc
docs/examples/anyauthput.c
docs/examples/fileupload.c
docs/examples/ftpupload.c
docs/examples/http2-upload.c
docs/examples/httpput.c
lib/config-win32.h
lib/curl_fopen.c
lib/curl_setup.h
lib/curlx/fopen.h
lib/file.c
lib/mime.c
lib/vquic/vquic.c
lib/vssh/libssh2.c
scripts/checksrc.pl
src/tool_cb_wrt.c
src/tool_doswin.c
src/tool_filetime.c
src/tool_findfile.c
src/tool_getpass.c
src/tool_operate.c
tests/libtest/lib505.c
tests/libtest/lib518.c
tests/libtest/lib525.c
tests/libtest/lib537.c
tests/libtest/lib541.c
tests/libtest/lib568.c
tests/libtest/lib572.c
tests/libtest/lib582.c
tests/server/.checksrc
tests/server/util.c

Change #245525

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Tue 30 Sep 2025 21:57:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	583b1ad881daef798cd717c431de7f582a2a622c

Comments

GHA: update dependency openssl/openssl to v3.5.4
Closes #18781

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245527

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 30 Sep 2025 21:57:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f97aa8d7ed029ee99e097d9b0c9bd01570574478

Comments

tidy-up: `fcntl.h` includes
- drop from source files without obvious users.
- include in `curlx/fopen.h` also for Windows.

Follow-up to 9678ff5b1bfea1c847aee4f9edf023e8f01c9293 #18776

Closes #18782

Changed files

lib/cf-ip-happy.c
lib/cf-socket.c
lib/connect.c
lib/curlx/fopen.h
lib/rand.c
lib/vtls/vtls.c
lib/vtls/vtls_scache.c

Change #245529

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 01 Oct 2025 07:59:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d8823e855c2698e840f6a1faf9aad3adbe4b9fdc

Comments

asyn-thrdd resolver: clear timeout when done
When the async threaded resolver thread returned, clear the
started EXPIRE_ASYNC_NAME timeout.

Closes #18769

Changed files

lib/asyn-thrdd.c

Change #245531

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 01 Oct 2025 08:01:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b02238975768d0bcbf8c7ef00eaaee3ec379f4ff

Comments

ip-happy: do not set unnecessary timeout
When attempts on all addresses have been started, do no longer set any
EXPIRE_HAPPY_EYEBALLS timeouts.

Fixes #18767
Reported-by: Johannes Schindelin
Closes #18768

Changed files

docs/libcurl/curl_global_trace.md
lib/cf-ip-happy.c
lib/cf-socket.c
lib/curl_trc.c
lib/curl_trc.h
lib/multi.c
tests/http/test_06_eyeballs.py
tests/http/testenv/curl.py

Change #245533

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 08:26:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f284222ffc852c2d908bf5e8397cf4ac7fc91a42

Comments

TODO: fix a typo
Closes #18788

Changed files

docs/TODO

Change #245535

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 09:03:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a2b7a4157c2b83b523ed6e6886e28d48208e33fb

Comments

typos.toml: exclude more from typo checks
- exclude visual studio project templates
- exclude test cases
- allow 'proxys' which is used for "secure proxy" in test code
- allow Tru64 and secur32

Closes #18789

Changed files

.github/scripts/typos.toml

Change #245537

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 09:12:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	205758d7eaad31b256812ce4da64c2ca01951cc1

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245539

Category	curl
Changed by	Samuel Henrique <samuelophohnoyoudont@debian.org>
Changed at	Wed 01 Oct 2025 09:26:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a5a17b8ddb69195595b145d3b985a080a87acdc9

Comments

wcurl: import v2025.09.27
Closes #18754

Changed files

docs/wcurl.md
scripts/wcurl

Change #245541

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 01 Oct 2025 12:10:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0e67d97b831e94bd17128a172860e1b9111ea239

Comments

GHA: update dependency libressl/portable to v4.1.1
Closes #18785
Closes #18786

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml

Change #245543

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 01 Oct 2025 12:55:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	150567b0d25b519873800ac883ae43833e8f6aca

Comments

tidy-up: LibreSSL Git repository URLs and local CI builds
Also:
- point the source tarball to a working URL.
  The GitHub release page misses the official source tarball for 4.1.1.
- GHA/linux: switch LibreSSL build to cmake (syncing with http3-linux.)
- GHA/macos: drop no longer needed LibreSSL build workaround.

Closes #18792

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
plan9/README

Change #245545

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 15:50:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b2ae19eed4073349ec8bee84007556ab8ded2ad0

Comments

tool_getparam: warn if provided header looks malformed
URL: https://fosstodon.org/@galdor/115298664084113519
Closes #18793

Changed files

src/tool_getparam.c

Change #245547

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 15:51:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bc37765466e659f1d0bafe131735f2379f3b20ae

Comments

form.md: drop reference to MANUAL
Since it isn't linked and users might not understand what it refers to.

Ref: #18755
Closes #18790

Changed files

docs/cmdline-opts/form.md

Change #245549

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 01 Oct 2025 15:52:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e891b4195fdc133e975d86bda865720cafd6add0

Comments

cf-socket: tweak a memcpy() to read better
By checking the size of the actual buffer and using that as memcpy
target instead of another union member, this helps readers and static
code analyzers to determine that this is not a buffer overflow.

Ref: #18677
Closes #18787

Changed files

lib/cf-socket.c
lib/cf-socket.h

Change #245551

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 01 Oct 2025 15:56:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d71ec36d1b6ec2feeb3811f143e7e98fceb95be1

Comments

openssl-quic: ignore unexpected streams opened by server
HTTP/3 defines "reserved stream types" that are intended to be ignored
by a receiver. This is part of the "greasing" effort that flexes parts
of the protocol that are needed for future extensions.

curl's OpenSSL-QUIC implementation treated all unexpected streams as
an error. Which seems the right thing to do *but* for these reserved types.
However OpenSSL does not expose this type and thus, curl needs to silently
discard all unexpected streams opened by the server to allow interop
with servers that flex the GREASE parts.

Fixes #18780
Reported-by: Pocs Norbert
Closes #18791

Changed files

lib/vquic/curl_osslq.c

Change #245553

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 01 Oct 2025 21:53:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	285f64d3a033e33ad0f0805fa6f5d72150b59333

Comments

GHA/macos: also update LibreSSL source tarball URL
Follow-up to 150567b0d25b519873800ac883ae43833e8f6aca #18792

Changed files

.github/workflows/macos.yml

Change #245555

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 01 Oct 2025 22:37:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e234c0942648297dd15c265d359f91e7425b24fc

Comments

GHA: update dependency openssl/openssl to v3.6.0
Closes #18796

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245557

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 10:41:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9ebf778e824007f1aad83ba79f5af802ee77c884

Comments

GHA/linux: add HTTP/3 c-ares scan-build and asan jobs
They use Linuxbrew instead of locally built components.

Linuxbrew limitations compared to the locally built components in
GHA/http3-linux:
- libngtcp2 currently supports OpenSSL only.
- wolfssl can't coexist with openssl.
- somewhat tricky configuration with autotools.

Upside is easy of use, always the latest versions (may be downside),
and availability of almost all packages.

Closes #18693

Changed files

.github/workflows/linux.yml

Change #245558

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 10:41:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e43aea3049ae50e9297d45cf5d96f3ac78999b69

Comments

lib: fix build error and compiler warnings with verbose strings disabled
- asyn-ares: fix compiler warning:
  ```
  lib/asyn-ares.c:751:17: error: code will never be executed [clang-diagnostic-unreachable-code,-warnings-as-errors]
    751 |     char *csv = ares_get_servers_csv(ares->channel);
        |                 ^~~~~~~~~~~~~~~~~~~~
  ```

- curl_trc: fix missing symbol:
  ```
  /usr/bin/ld: ../lib/.libs/libcurl.so: undefined reference to `Curl_trc_timer'
  collect2: error: ld returned 1 exit status
  ```
  Ref: https://app.circleci.com/pipelines/github/curl/curl/15446/workflows/67afa113-9c49-4249-9180-f6f01fc7dfdd/jobs/149177
  Ref: https://github.com/curl/curl/actions/runs/18174250400/job/51736249444#step:33:623
  Follow-up to b02238975768d0bcbf8c7ef00eaaee3ec379f4ff #18768

- multi: fix `-Wunreachable-code`:
  ```
  lib/multi.c:1107:28: error: code will never be executed [-Werror,-Wunreachable-code]
   1107 |     size_t timeout_count = Curl_llist_count(&data->state.timeoutlist);
        |                            ^~~~~~~~~~~~~~~~
  lib/multi.c:3054:35: error: code will never be executed [-Werror,-Wunreachable-code]
   3054 |       struct Curl_llist_node *e = Curl_llist_head(&data->state.timeoutlist);
        |                                   ^~~~~~~~~~~~~~~
  lib/multi.c:3380:7: error: code will never be executed [-Werror,-Wunreachable-code]
   3380 |       Curl_llist_head(&data->state.timeoutlist);
        |       ^~~~~~~~~~~~~~~
  ```

Cherry-picked from #18797
Closes #18799

Changed files

lib/asyn-ares.c
lib/curl_trc.c
lib/multi.c

Change #245560

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 10:41:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	632c5ee8971e3ff1293367d9d034975f068aa4fa

Comments

runtests: tag tests that require curl verbose strings
To skip them when curl has verbose strings disabled, instead of failing.

Cherry-picked from #18797
Closes #18800

Changed files

tests/data/test1007
tests/data/test1287
tests/data/test1506
tests/data/test1538
tests/data/test1542
tests/data/test1559
tests/data/test1652
tests/data/test2402
tests/data/test2404
tests/data/test2502

Change #245562

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 10:41:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	34dc762ceff13250a2338242dfea6f9ce7f061fd

Comments

pytest: skip specific tests for no-verbose builds
Detect via curlinfo if curl has verbose strings disabled, and skip
tests that require it.

Also:
- cmake: make pytests depend on curlinfo.

Cherry-picked from #18797
Closes #18801

Changed files

tests/CMakeLists.txt
tests/http/test_02_download.py
tests/http/test_06_eyeballs.py
tests/http/test_10_proxy.py
tests/http/test_13_proxy_auth.py
tests/http/test_15_tracing.py
tests/http/test_17_ssl_use.py
tests/http/test_19_shutdown.py
tests/http/test_30_vsftpd.py
tests/http/test_31_vsftpds.py
tests/http/test_32_ftps_vsftpd.py
tests/http/testenv/env.py

Change #245564

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 14:21:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e49698925c7f90e8f1e70c2a71fb5d2b67918409

Comments

tool_progress: make max5data() use an algorithm
Instead of a list of conditions. Makes a unified decimal output when the
value is less than 100. Prepares for > 64 bit data type.

Closes #18807

Changed files

src/tool_progress.c

Change #245566

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 14:22:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7f0fd14d9f6b1c28b3b3e2276e4937a24ec3997e

Comments

tool_getparam: always disable "lib-ids" for tracing
Since the tool code itself adds the ids (controlled with "ids"), getting
them (also) added by the library adds nothing good. Always disable the
lib-ids even when "--trace-config all" is selected.

Also: change "== Info:" into just "* " to reduce output redundancy.

Ref: #18755
Reported-by: Alice Lee Poetics
Closes #18805

Changed files

src/tool_cb_dbg.c
src/tool_getparam.c

Change #245568

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 14:22:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ea4ba6d9ef21a271bfbccedb0456d09a1ed57173

Comments

lib: remove personal names from comments
- it's just too random who got mentioned
- we can't mention all, so better consistently mention none
- make sure they all are mentioned in THANKS
- also remove some unnecessary comment ramblings

Closes #18803

Changed files

docs/THANKS
lib/cf-socket.c
lib/curlx/inet_ntop.c
lib/if2ip.h
lib/md4.c
lib/md5.c
lib/sha256.c
lib/vtls/openssl.c

Change #245570

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 02 Oct 2025 14:25:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dba87aea7d0a54a6a8318363a397dcf9c0fd071a

Comments

multi_ev: remove unnecessary data check that confuses analysers
Closes #18804

Changed files

lib/multi_ev.c

Change #245572

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 14:58:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	af7900fb283dcfe20e628305d53070cd7c1f58ff

Comments

CI: move no-verbose build from Circle CI to existing GHA jobs, with tests
To test it in GHA and catch issues at PR time. Before this patch,
Circle CI caught them after pushing to master (or non-fork PR
branches.) GHA also run runtests, pytests and static analysis on
these builds, after this patch.

- GHA/linux: enable no-verbose in an existing job.
- GHA/linux: enable no-verbose in the H3 scan-build job too.
- GHA/macos: enable no-verbose in one build (= 3 jobs with different
  compilers).
- GHA/codeql: enable no-verbose in the MultiSSL Linux build.
- circleci: delete openssl no-verbose job in favor of the above.

Closes #18797

Changed files

.circleci/config.yml
.github/workflows/codeql.yml
.github/workflows/linux.yml
.github/workflows/macos.yml

Change #245574

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 14:58:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9ac3a9a670acc55674c420c11a222c1714bb9d55

Comments

INTERNALS: drop Winsock 2.2 from the dependency list
It's implied by the minimum requirement of Windows XP.
Also Windows CE is soon to be deleted via #17927.

Closes #18808

Changed files

docs/INTERNALS.md

Change #245576

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 14:58:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7682bd80e7d51c6d02e3279ea6b99c7d9e4296d0

Comments

cmake: drop exclamation in comment looking like a name
Ref: https://github.com/curl/curl/pull/3316#issuecomment-442343555
Follow-up to ea4ba6d9ef21a271bfbccedb0456d09a1ed57173 #18803
Follow-up to 558814e16d84aa202c5ccc0c8108a9d728e77a58

Closes #18810

Changed files

CMake/FindGSS.cmake

Change #245578

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 15:21:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b04137c1c6ed164594279c7d04b5e051634453ea

Comments

renovate: adjust commit message prefixes, try making CodeQL and AWS-LC updates monthly
Also:
- enable pip bumps in Dependabot.
- reduce dependabot to check monthly (was: weekly)
  Dependabot acts as a backup for mend/renovate.

Closes #18761

Changed files

.github/dependabot.yml
renovate.json

Change #245580

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 15:21:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	03fe4467894848fc58a82a30e25f0d70f793baa7

Comments

INTERNALS: specify minimum version for Heimdal: 7.1.0
Released on 2016-Dec-19, it's the first "revamped" stable version, and
the earliest available as a source tarball at the official repository:
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.1.0

It's also the first version hosted by Homebrew. It builds fine locally
with curl, and also builds in CI with old linux: 7.1.0+dfsg-13+deb9u4.

Closes #18809

Changed files

docs/INTERNALS.md

Change #245582

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Thu 02 Oct 2025 17:33:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2a25ebe9580e52b375533a7d12a86dff29a36c44

Comments

vtls_scache: fix race condition
- Lock before counting the cache sessions.

Prior to this change when taking a session a trace command counted the
sessions but not under lock, which caused a race condition.

Reported by: Viktor Szakats

Fixes https://github.com/curl/curl/issues/18806
Closes https://github.com/curl/curl/pull/18813

Changed files

lib/vtls/vtls_scache.c

Change #245584

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 02 Oct 2025 19:31:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e5316069f13ec9189d9fe0499dc09afaa9fb5cee

Comments

GHA/macos: drop macos-13 runner image from combo jobs
- replace with macos-14.
- refresh tables, exceptions.
- apply a pending TODO.

Closes #18818

Changed files

.github/workflows/macos.yml

Change #245586

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 02 Oct 2025 22:53:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	95ac33fc4f8356b1c0685e70d1d8ab7842aecf3a

Comments

ip-happy: prevent event-based stall on retry
When delaying an IP happy eyeball restart, set an actual timer or the
connection will stall when running event based.

Closes #18815

Changed files

lib/cf-ip-happy.c

Change #245588

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 23:23:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	06625975af40ddf6067f2105250555ba76b0a6ae

Comments

cmdline-opts/_PROGRESS.md: explain the suffixes
Closes #18817

Changed files

.github/scripts/spellcheck.words
docs/cmdline-opts/_PROGRESS.md

Change #245590

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 23:24:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	18e4fbad4c08b85dcc5b37997d156b954820bbc5

Comments

tcp-nodelay.md: expand the documentation
Instead of referring to another document.

Closes #18811

Changed files

docs/cmdline-opts/tcp-nodelay.md

Change #245592

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 02 Oct 2025 23:25:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	84c4b485f38f339b71665f946216a2612a103e84

Comments

time-cond.md: refer to the singular curl_getdate man page
Closes #18816

Changed files

docs/cmdline-opts/time-cond.md

Change #245594

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 08:13:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	06c0f8c5cd5da1b2cfe616f03ae0a187cdee18e6

Comments

DEPRECATE.md: We remove the OpenSSL-QUIC backend in March 2026
URL: https://curl.se/mail/lib-2025-10/0000.html

Closes #18820

Changed files

docs/DEPRECATE.md

Change #245596

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 08:14:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0a3459ca51754ae54101c5aa0dab9a87a27a6aec

Comments

DEPRECATE.md: remove OpenSSL 1.1.1 support already in December 2025
No sponsors == remove it

Closes #18822

Changed files

docs/DEPRECATE.md

Change #245598

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 08:26:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2b1fda1fe6e91fee40dd70562fcb91d9ab1ba19b

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245600

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 08:31:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9cc1ee55a4a363e6a13408bfac58f4f7a17e625f

Comments

RELEASE-NOTES: synced
Add OpenSSL-QUIC as an item to get removed

Changed files

RELEASE-NOTES

Change #245602

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 03 Oct 2025 12:02:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	eefd03c572996e5de4dec4fe295ad6f103e0eefc

Comments

ssl: support Apple SecTrust configurations
- configure/cmake support for enabling the option
- supported in OpenSSL and GnuTLS backends
- when configured, Apple SecTrust is the default trust store
  for peer verification. When one of the CURLOPT_* for adding
  certificates is used, that default does not apply.
- add documentation of build options and SSL use

Closes #18703

Changed files

.github/scripts/spellcheck.words
.github/workflows/configure-vs-cmake.yml
.github/workflows/macos.yml
CMakeLists.txt
acinclude.m4
configure.ac
docs/INSTALL-CMAKE.md
docs/INSTALL.md
docs/SSLCERTS.md
docs/cmdline-opts/ca-native.md
lib/Makefile.inc
lib/curl_config.h.cmake
lib/setopt.c
lib/url.c
lib/urldata.h
lib/vquic/vquic-tls.c
lib/vtls/apple.c
lib/vtls/apple.h
lib/vtls/gtls.c
lib/vtls/gtls.h
lib/vtls/openssl.c
lib/vtls/openssl.h
lib/vtls/vtls.c
lib/vtls/vtls_scache.c
m4/curl-apple-sectrust.m4
tests/data/test305
tests/http/test_02_download.py
tests/http/test_07_upload.py
tests/http/test_17_ssl_use.py

Change #245604

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 03 Oct 2025 13:46:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9aa8e9a783c43ed3fad244a98455ac2d7288909f

Comments

vquic: handling of io improvements
- better tracing of what system call is used and how often
- ngtcp2: combine vquic_send into larger chunks
- ngtcp2: define own PMTU values and enable MTU probing
- ngtcp2: trace interesting remote transport parameters

Closes #18812

Changed files

lib/vquic/curl_ngtcp2.c
lib/vquic/vquic.c

Change #245606

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 13:47:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3b583ab7d72105e3bd80f602544e8c6795b13de3

Comments

docs/cmdline-opts: drop double quotes from GLOBBING and URL examples
It looks easier on the eye without them

Closes #18829

Changed files

docs/cmdline-opts/_GLOBBING.md
docs/cmdline-opts/_URL.md

Change #245608

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 13:47:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4e2edde102a46305edc498879c1188b58bcc8403

Comments

tool_progress: fix < 10000 output
Follow-up to e49698925c7f90e

Closes #18826

Changed files

src/tool_progress.c

Change #245610

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 03 Oct 2025 13:54:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2e5993ab0812fd1a983738f6d6efbc7bb0806144

Comments

GHA/checksrc: pass zizmor a GH token, fix warnings found
For a complete, online, check.

After this patch the check takes 30s, up from a fraction of a second.

Also bump CodeQL actions to their latest version.

Closes #18827

Changed files

.github/workflows/checksrc.yml
.github/workflows/codeql.yml
.github/workflows/distcheck.yml

Change #245612

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Fri 03 Oct 2025 14:03:03
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2313696e96c6c436f4b0c97361c45c5c0c8ae2b1

Comments

GHA: update actions/upload-artifact action to v4.6.2
Closes #18830

Changed files

.github/workflows/distcheck.yml

Change #245614

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 03 Oct 2025 14:08:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4b8278fb3d0a43fecf66caa23ad1cd28f759de71

Comments

progress: expand to use 6 characters per size
Previously the progress meter used a maximum of five digits+letter in
the progress meter output: up to 99999 bytes and then 9999k, 9999M etc.
The output then used two spaces after the size between the next field in
the display.

This new approach uses one letter more with only one space in between
the fields. It makes it possible to show up to 999999 bytes and then
99999k, 99999M etc. The function uses a single decimal when outputting a
value less than 1000 in any unit. Like 999.9M.

Closes #18828

Changed files

lib/progress.c

Change #245616

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 03 Oct 2025 16:34:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e73759f1a9cc32c70a0eaa7c2db2beef1fb2f124

Comments

GHA: show full versions next to pinned actions
Also quotes to a configuration entry.

Follow-up to 2e5993ab0812fd1a983738f6d6efbc7bb0806144 #18827

Closes #18832

Changed files

.github/workflows/checkdocs.yml
.github/workflows/checksrc.yml
.github/workflows/codeql.yml
.github/workflows/configure-vs-cmake.yml
.github/workflows/curl-for-win.yml
.github/workflows/distcheck.yml
.github/workflows/hacktoberfest-accepted.yml
.github/workflows/http3-linux.yml
.github/workflows/label.yml
.github/workflows/linux-old.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/non-native.yml
.github/workflows/windows.yml

Change #245618

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 03 Oct 2025 17:53:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	733c994b1e575d855a6bb59eb85e76a9f3884579

Comments

doh: inherit new custom ssl flags
The new custom_* flags in the SSL config need to be inherited when
setting up the doh easy handle, so that defaults apply the same way as
for the original easy handle.

Closes #18831

Changed files

lib/doh.c

Change #245620

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 03 Oct 2025 21:35:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7468faffc14e24a14e5f7badc6cc11e4459dc5aa

Comments

Makefile.example: fix option order [ci skip]
The `ld` linker is sensitive to this, and did not find libcurl symbol
with the order before this patch. Seen with mingw-w64 gcc.

Follow-up to f6ddc1fc1e25ff8ea866f90942719af898d0ef0c #18554

Closes #18835

Changed files

docs/examples/Makefile.example

Change #245622

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Fri 03 Oct 2025 21:36:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	99433d06e696a869879213cc1c741b77d5f34b21

Comments

GHA: update dependency google/boringssl to v0.20251002.0
Closes #18834

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml

Change #245624

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 03 Oct 2025 22:45:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fff36a360ed781ff1073bfc918747828d57face2

Comments

checksrc: fix to handle `)` predecing a banned function
Fixing:
```
Unmatched ) in regex; marked by <-- HERE in m/  \*buffer_len = \(ssize_t) <-- HERE
  strtol\(/ at /home/runner/work/curl/curl/scripts/checksrc.pl line 916, <$R> line 380.
```
Ref: https://github.com/curl/curl/actions/runs/18209824275/job/51848079550#step:3:5

Also add a test case.

Follow-up to 684f4cdd3ef0cc41c547fce0e45d8a059a3058b3 #18779
Cherry-picked from #18823
Closes #18836

Changed files

scripts/checksrc.pl
tests/data/test1185

Change #245626

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 00:48:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	45438c8d6f8e70385d66c029568524e9e803c539

Comments

checksrc: reduce directory-specific exceptions
By making them defaults, then fixing and/or reshuffling remaining
exceptions as necessary.

- checksrc: ban by default: `snprintf`, `vsnprintf`, `sscanf`, `strtol`.
- examples: replace `strtol` with `atoi` to avoid a checksrc exception.
- tests/libtest: replace `strtol` with `atol`.
- tests/server: replace most `strtol` with `atol`.
- tests/server: replace most `strtoul` with `atol`/`atoi`.
- tests/server: drop no longer used `util_ultous`.
- fix typo in checksrc rules: `vsnprint` -> `vsnprintf`.
- update local exceptions.

Also:
- examples: ban curl printf functions. They're discouraged in user code.
- examples: replace curl printf with system printf.
  Add `snprintf` workaround for <VS2015.
- examples/synctime: fix `-Wfloat-equal`.
- examples/synctime: exclude for non-Windows and non-UWP Windows.
- examples/synctime: build by default.

Closes #18823

Changed files

docs/examples/.checksrc
docs/examples/Makefile.inc
docs/examples/chkspeed.c
docs/examples/cookie_interface.c
docs/examples/http2-download.c
docs/examples/http2-serverpush.c
docs/examples/http2-upload.c
docs/examples/synctime.c
docs/internals/CODE_STYLE.md
lib/.checksrc
lib/curlx/.checksrc
lib/vauth/.checksrc
lib/vquic/.checksrc
lib/vssh/.checksrc
lib/vtls/.checksrc
scripts/checksrc.pl
src/.checksrc
tests/libtest/cli_hx_download.c
tests/libtest/cli_hx_upload.c
tests/libtest/cli_ws_data.c
tests/libtest/first.c
tests/libtest/lib1560.c
tests/libtest/lib1568.c
tests/libtest/lib521.c
tests/libtest/lib562.c
tests/libtest/lib591.c
tests/server/.checksrc
tests/server/dnsd.c
tests/server/first.h
tests/server/mqttd.c
tests/server/rtspd.c
tests/server/sockfilt.c
tests/server/socksd.c
tests/server/sws.c
tests/server/tftpd.c
tests/server/util.c

Change #245628

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 00:51:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4deea9396bc7dd25c6362fa746a57bf309c74ada

Comments

tests: stop overriding system printf symbols
To make the source code match the functions called at runtime.
And to avoid the preprocessor trick that may introduces build issues.

Before this patch, libtests, tunits and units were calling a mixture
of curl and system printf calls, then transformed them all to curl
printf calls by including `curl_printf.h`.

Changes made:
- tests: stop including `curl_printf.h`.
- libtest: switch a couple of outlier system printf calls to curl
  printf.
- unit: use more curl printf to avoid casts and show whole values.
- unit: switch remaining calls to curl printf explicitly.
- tunit: switch to call curl printf explicitly.
- libtest, tunit, unit: ban system printf.
- unit1307, unit1607, unit1609, unit1652, unit1655, unit3214: bump
  types/masks to avoid casts.

After this patch:
- libtests, tunits, units: use exclusively curl printf.
  (as before, but explicitly, without relying on redefinitions.)
- servers: is unchanged (it can only use system printf).

Closes #18814

Changed files

REUSE.toml
tests/libtest/.checksrc
tests/libtest/Makefile.am
tests/libtest/first.h
tests/libtest/lib1549.c
tests/tunit/.checksrc
tests/tunit/Makefile.am
tests/tunit/tool1394.c
tests/tunit/tool1604.c
tests/tunit/tool1621.c
tests/unit/.checksrc
tests/unit/Makefile.am
tests/unit/unit1302.c
tests/unit/unit1307.c
tests/unit/unit1309.c
tests/unit/unit1323.c
tests/unit/unit1396.c
tests/unit/unit1607.c
tests/unit/unit1609.c
tests/unit/unit1652.c
tests/unit/unit1655.c
tests/unit/unit1658.c
tests/unit/unit1660.c
tests/unit/unit1664.c
tests/unit/unit2604.c
tests/unit/unit3214.c

Change #245630

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 11:34:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c9edc26afedefc9ce338a72910b8bd9616e8ebca

Comments

lib: drop unused include and duplicate guards
Closes #18839

Changed files

lib/curlx/winapi.c
lib/strerror.c

Change #245632

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 11:34:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	56026dae0245841380a5d96093e4451cfd77e0d7

Comments

openssl: fix build for v1.0.2
```
lib/vtls/openssl.c: In function 'asn1_object_dump':
lib/vtls/openssl.c:299:42: error: passing argument 3 of 'i2t_ASN1_OBJECT' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
  299 |   int i = i2t_ASN1_OBJECT(buf, (int)len, a);
      |                                          ^
In file included from /home/runner/djgpp/include/openssl/objects.h:965,
                 from /home/runner/djgpp/include/openssl/evp.h:94,
                 from /home/runner/djgpp/include/openssl/x509.h:73,
                 from /home/runner/djgpp/include/openssl/ssl.h:156,
                 from lib/curl_ntlm_core.c:71,
                 from bld/lib/CMakeFiles/libcurl_static.dir/Unity/unity_0_c.c:88:
/home/runner/djgpp/include/openssl/asn1.h:921:58: note: expected 'ASN1_OBJECT *' {aka 'struct asn1_object_st *'} but argument is of type 'const ASN1_OBJECT *' {aka 'const struct asn1_object_st *'}
  921 | int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a);
      |                                             ~~~~~~~~~~~~~^
```
Ref: https://github.com/curl/curl/actions/runs/18236773678/job/51931937131?pr=18039

Follow-up to bb46d42407cd0503a9c499b4646af594a4db4947 #18647

Closes #18841

Changed files

lib/vtls/openssl.c

Change #245634

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 11:34:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ed1e72143a08ede124ae93b43c803609f967fdcb

Comments

examples: drop unused `curl/mprintf.h` includes
Follow-up to 45438c8d6f8e70385d66c029568524e9e803c539 #18823

Closes #18842

Changed files

docs/examples/cookie_interface.c
docs/examples/http2-download.c
docs/examples/http2-serverpush.c
docs/examples/http2-upload.c

Change #245636

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 11:35:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4535532ed36d2129b107ab357262072f82c2b34a

Comments

examples: fix two build issues surfaced with WinCE
Both may apply to rare non-WinCE Windows builds too.

- fix gcc 4.4.0 preprocessor error:
  ```
  docs/examples/http2-upload.c:43:8: error: "_MSC_VER" is not defined
  ```
  Ref: https://github.com/curl/curl/actions/runs/18238150607/job/51935502616

- fix wrong header order:
  Inlcude `windows.h` after `winsock2.h` via `curl/curl.h`.

Regressions from 45438c8d6f8e70385d66c029568524e9e803c539 #18823

Closes #18843

Changed files

docs/examples/http2-upload.c
docs/examples/synctime.c

Change #245638

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 17:49:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c96bf36557ea2302e4cb838ee1e4bb9827fecee7

Comments

GHA: drop quictls 3.3.0 builds in favor of openssl 3.5+
- http3-linux: move local nghttpx (nghttp2) build to openssl (from
  quictls). Also tried LibreSSL, but it made some HTTP/2 tests fails.

- http3-linux: drop quictls ngtcp2 build.

- http3-linux: build local openssl with `no-deprecated`.
  (previously tested in the quictls local build.)

- http3-linux: explicitly disable LDAP in cmake openssl jobs.
  cmake builds auto-detect OpenLDAP (autotools don't), and when enabled,
  linking curl fails because system `libsasl.so` requires MD5 openssl
  functions, which are missing from openssl no-deprecated builds.

- macos: move options tested in quictls jobs to other ones.

- linux: drop unused quictls local build. (it was used for msh3.)
  Follow-up to 91138b014d960d2ef6ce9cd0ca237d0220b2458d #17729

- renovate: drop quictls bump detection.

Closes #18833

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
renovate.json

Change #245640

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 17:49:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	455d41d4605a3d7aacc97fd580a64648ca203698

Comments

unit1664: drop casts, expand masks to full values
Follow-up to 4deea9396bc7dd25c6362fa746a57bf309c74ada #18814

Closes #18838

Changed files

tests/unit/unit1664.c

Change #245642

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 04 Oct 2025 17:49:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c7fb5858a59dfc433d5eefa08be3db249738fd28

Comments

checksrc: fix possible endless loops/errors in the banned function logic
By quoting the search expression to be replaced. This avoid the issue
when the code leading up to a banned function contained regex characters
that the script did not explicitly handle, e.g. `+`.

Assisted-by: Daniel Stenberg

Ref: https://perldoc.perl.org/functions/quotemeta
Follow-up to dd37d6970cfd8b4cf47ebd469f03772813b92c23 #18775

Closes #18845

Changed files

scripts/checksrc.pl

Change #245644

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 05 Oct 2025 13:41:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bb4326d72b3486181be4dccafec53f6e3567ed7c

Comments

GHA: remove the hacktoberfest label action
No one cares about hacktoberfest anymore.

Closes #18849

Changed files

.github/workflows/hacktoberfest-accepted.yml

Change #245646

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Sun 05 Oct 2025 14:02:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c0febf66614d1468edecf6dab48333218b130ae1

Comments

cpool: make bundle->dest an array; fix UB
Replace `char *dest[1]` with a proper `char dest[1]` array in
cpool_bundle. This removes undefined behavior from memcpy (writing past
the declared object) while keeping the same key semantics: dest_len is
strlen+1 (includes NUL), and hash add/delete calls remain unchanged.

Closes #18850

Changed files

lib/conncache.c

Change #245648

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Sun 05 Oct 2025 14:02:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	eb8809270336225ef0266b01ca29191b88b1a3c7

Comments

telnet: use pointer[0] for "unknown" option instead of pointer[i]
i is taken from pointer[length-2] (often the IAC byte) before we do
length -= 2, so using pointer[i] indexes an arbitrary/stale byte
unrelated to the option code. pointer[0] is the suboption’s option code
per the telnet SB format, so printing pointer[0] yields correct, stable
diagnostics.

Closes #18851

Changed files

lib/telnet.c

Change #245650

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Sun 05 Oct 2025 14:03:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	da8f7ae096bc540dfc53c391b28229c885c31e99

Comments

telnet: print DISPlay LOCation in printsub without mutating buffer
Closes #18852

Changed files

lib/telnet.c

Change #245652

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 05 Oct 2025 14:07:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	08331213055abac4417bc4a470f350a41d1a7659

Comments

GHA/http3-linux: cleanup cache entry name after prev
To avoid duplicate `no-deprecated` in the cache entry name.

Follow-up to c96bf36557ea2302e4cb838ee1e4bb9827fecee7 #18833

Closes #18853

Changed files

.github/workflows/http3-linux.yml

Change #245654

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sun 05 Oct 2025 19:11:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1ae5e44effe36bbe136439735de49b1e8dbaca0b

Comments

strerror: drop workaround for SalfordC win32 header bug
Follow-up to ccf43ce91dd9a56f30a4029377126e4c83c7f08a #15957

Closes #18857

Changed files

lib/strerror.c

Change #245656

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 05 Oct 2025 22:58:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b54b4697cad23fcf81577ce9e8f1ea18b8449427

Comments

url: make Curl_init_userdefined return void
It cannot actually return an error, so the parent function does not need
to check for error and have an exit path that cannot be reached.

Pointed out by CodeSonar

Closes #18855

Changed files

lib/easy.c
lib/url.c
lib/url.h
tests/unit/unit1620.c

Change #245658

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 03:26:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c93457f1f62568fafc844b5070d06330ca7b0f67

Comments

tool_filetime: replace cast with the fitting printf mask (Windows)
Follow-up to d25b0503795f1fbf557632ce870298f52f2a78c1 #2204

Closes #18858

Changed files

src/tool_filetime.c

Change #245660

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 03:27:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4116e1d8028b30bfb0156b9b42042e0d930656f5

Comments

unit1323: sync time types and printf masks, drop casts
Closes #18860

Changed files

tests/unit/unit1323.c

Change #245662

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 09:44:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	eaf66f18b72ee7c2c6e5e1120b70b14975dd66bd

Comments

tests/server: replace banned functions with `curlx_str_hex`
Replace an `strtol()` and `strtoul()` call, both used in hex mode, with
`curlx_str_hex()`.

Follow-up to 45438c8d6f8e70385d66c029568524e9e803c539 #18823

Closes #18837

Changed files

tests/server/sockfilt.c
tests/server/sws.c

Change #245664

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 09:44:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	34ad78da89c614aafb21033bac456a1c0f54921a

Comments

curlx: move Curl_strerror, use in src and tests, ban `strerror` globally
Also:
- tests/server: replace local `sstrerror()` with `curlx_strerror()`.
- tests/server: show the error code next to the string, where missing.
- curlx: use `curl_msnprintf()` when building for src and tests.
  (units was already using it.)
- lib: drop unused includes found along the way.
- curlx_strerror(): avoid compiler warning (and another similar one):
  ```
  In file included from servers.c:14:
  ../../lib/../../lib/curlx/strerr.c: In function ‘curlx_strerror’:
  ../../lib/../../lib/curlx/strerr.c:328:32: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
    328 |       SNPRINTF(buf, buflen, "%s", msg);
        |                                ^
  ../../lib/../../lib/curlx/strerr.c:47:18: note: ‘snprintf’ output 1 or more bytes (assuming 2) into a destination of size 1
     47 | #define SNPRINTF snprintf
        |                  ^
  ../../lib/../../lib/curlx/strerr.c:328:7: note: in expansion of macro ‘SNPRINTF’
    328 |       SNPRINTF(buf, buflen, "%s", msg);
        |       ^~~~~~~~
  ```

Follow-up to 45438c8d6f8e70385d66c029568524e9e803c539 #18823

Closes #18840

Changed files

docs/examples/.checksrc
lib/.checksrc
lib/Makefile.inc
lib/cf-socket.c
lib/curl_setup.h
lib/curlx/.checksrc
lib/curlx/curlx.h
lib/curlx/strerr.c
lib/curlx/strerr.h
lib/curlx/winapi.c
lib/ftp.c
lib/strerror.c
lib/strerror.h
lib/tftp.c
lib/url.c
lib/vauth/.checksrc
lib/vquic/.checksrc
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/vquic/vquic.c
lib/vssh/.checksrc
lib/vtls/.checksrc
lib/vtls/openssl.c
lib/vtls/rustls.c
scripts/checksrc.pl
src/Makefile.inc
src/config2setopts.c
src/tool_cb_wrt.c
src/tool_filetime.c
src/tool_formparse.c
src/tool_operate.c
src/var.c
tests/libtest/Makefile.inc
tests/libtest/first.h
tests/libtest/lib505.c
tests/libtest/lib518.c
tests/libtest/lib525.c
tests/libtest/lib537.c
tests/libtest/lib541.c
tests/libtest/lib556.c
tests/libtest/lib582.c
tests/libtest/lib591.c
tests/server/Makefile.inc
tests/server/dnsd.c
tests/server/first.h
tests/server/mqttd.c
tests/server/rtspd.c
tests/server/sockfilt.c
tests/server/socksd.c
tests/server/sws.c
tests/server/tftpd.c
tests/server/util.c

Change #245666

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 09:46:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	db98daab05aec251bcb6615d2d38dfebec291736

Comments

src: stop overriding system printf symbols
Also:
- tool_operate: use the socket printf mask, drop cast.

Follow-up to 4deea9396bc7dd25c6362fa746a57bf309c74ada #18814

Closes #18844

Changed files

src/.checksrc
src/config2setopts.c
src/curlinfo.c
src/tool_cb_dbg.c
src/tool_cb_hdr.c
src/tool_cb_prg.c
src/tool_cfgable.h
src/tool_easysrc.c
src/tool_findfile.c
src/tool_getparam.c
src/tool_help.c
src/tool_ipfs.c
src/tool_main.c
src/tool_msgs.c
src/tool_operate.c
src/tool_operhlp.c
src/tool_paramhlp.c
src/tool_parsecfg.c
src/tool_progress.c
src/tool_setopt.c
src/tool_urlglob.c
src/tool_vms.c
src/tool_writeout.c
src/tool_writeout_json.c
src/tool_xattr.c

Change #245668

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 11:31:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e7a5184fa1ebcd68ead0e3e9b78340296acac350

Comments

openssl: call SSL_get_error() with proper error
The error function should be called with the return code from the
previous call to SSL_shutdown() as argument.

Closes #18872

Changed files

lib/vtls/openssl.c

Change #245670

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 12:12:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e9ababe9aa4c1f7d727494d660650af934db523b

Comments

windows: use native error code types more
- curlx_get_winapi_error: accept DWORD (was: int), move casts one level
  up the callstack.

- sspi: bump some types to `SECURITY_STATUS` (int -> LONG).

- digest_sspi: drop unnecessary cast.

Closes #18868

Changed files

lib/curlx/strerr.c
lib/curlx/winapi.c
lib/curlx/winapi.h
lib/strerror.c
lib/strerror.h
lib/vauth/digest_sspi.c
lib/vauth/spnego_sspi.c
lib/vauth/vauth.h

Change #245672

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Mon 06 Oct 2025 13:37:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	762ce8801b2ff8cad340797c71b18be17b6c4de2

Comments

quiche: fix possible leaks on teardown
When the close of the quiche filter was never called, the destroy function
did not release all allicated resources.

When closing a quiche filter, set the connected flag to FALSE.

Reported-by: Joshua Rogers
Closes #18880

Changed files

lib/vquic/curl_quiche.c

Change #245674

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 13:41:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	aae18c4bdc1a3bf5b6567825ef6439756f0c5b74

Comments

tool_getparam: add --knownhosts
To allow users to specify a known hosts file that is not the default
one: ~/.ssh/known_hosts

URL: https://github.com/curl/curl/discussions/18784
Closes #18859

Changed files

docs/cmdline-opts/Makefile.inc
docs/cmdline-opts/knownhosts.md
docs/options-in-versions
src/config2setopts.c
src/tool_cfgable.c
src/tool_cfgable.h
src/tool_getparam.c
src/tool_getparam.h
src/tool_listhelp.c
src/tool_operate.c
tests/data/test1459

Change #245676

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 13:42:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a80dcb04e39bbec88a4ce271de06673b2cbbc142

Comments

test1711: send a >64K mail with SMTP
A failed attempt to reproduce #18798

Closes #18861

Changed files

tests/data/Makefile.am
tests/data/test1711

Change #245678

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 13:46:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c3adf63ee7a26bae6c45ba0e0ae977c4cabd394e

Comments

libssh2: bail out on chgrp and chown number parsing errors
Reported-by: Joshua Rogers
Closes #18863

Changed files

lib/vssh/libssh2.c

Change #245680

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 13:57:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d4c033267740d8b2e65520c89f2c5b4e5a5ee174

Comments

libssh2: clarify that sshp->path is always at least one byte
Reported-by: Joshua Rogers
Closes #18864

Changed files

lib/vssh/curl_path.c
lib/vssh/ssh.h

Change #245682

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 13:58:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0d68f482052595887c2e3cc0b0fcf830a6dbf354

Comments

krb5_sspi: the chlg argument is NOT optional
Fix the comment, add assert.

Reported-by: Joshua Rogers
Closes #18865

Changed files

lib/vauth/krb5_sspi.c

Change #245684

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 14:00:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	51b85bdc6cd48a55c75b03afcf1f057839564ae8

Comments

windows: use consistent format when showing error codes
For `GetLastError()` and `SECURITY_STATUS`:
0x-prefixed, 8-digit, lowercase, hex: 0x1234abcd

Also: say `GetLastError()` instead of `errno` in one message.

Closes #18877

Changed files

lib/curlx/winapi.c
lib/strerror.c
lib/vauth/ntlm_sspi.c
lib/vtls/schannel.c
src/tool_doswin.c
src/tool_filetime.c
tests/libtest/lib3026.c

Change #245686

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 14:45:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	decd7e157c51c6bd5599b6000f57a4ecbdd0e2f3

Comments

cf-socket: always check Curl_cf_socket_peek() return code
Make it trigger a warning if not.

Reported-by: Joshua Rogers
Closes #18862

Changed files

lib/cf-socket.h
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/vquic/vquic.c

Change #245688

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Mon 06 Oct 2025 14:48:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2f3cf17e339bfc27c55be22c6c72703ed3e5d696

Comments

cf-socket: check params and remove accept procondition
- creating a socket filter with NULL addrinfo fails with
  CURLE_BAD_FUNCTION_ARGUMENT
- remove getsockname use before accept call, serves no purpose
  and did not lead to proper error before

Reported-by: Joshua Rogers
Closes #18882

Changed files

lib/cf-socket.c

Change #245690

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 14:49:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9e3c35a88e9433fcc7edae4323605025f232f0bb

Comments

ftp: fix the 213 scanner memchr buffer limit argument
Reported-by: Joshua Rogers
Closes #18867

Changed files

lib/ftp.c

Change #245692

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 15:48:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	172e190c798645b9d04dd97ae0cf51b35317971e

Comments

ftp: add extra buffer length check
This adds an extra check that the buffer really has data enough (at
least 4 bytes) to check for a status code before doing so. It *should*
not be necessary, but this was pointed out by an analyzer and it feels
better to make sure.

Reported-by: Joshua Rogers
Closes #18869

Changed files

lib/ftp.c

Change #245694

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 15:56:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6ef4871f5d56d5d7e99dfb65d69bf47e9861887b

Comments

ftp: improve fragile check for first digit > 3
In a case where rubbish would be sent in the line something that isn't a
digit could be first in line and treated as less than '3'. Prevent this
risk by first doing a check that the byte is a digit.

Reported-by: Joshua Rogers
Closes #18870

Changed files

lib/ftp.c

Change #245696

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 15:58:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2b0e7cb7c677cef10d4d1baf2fc2116ff909a407

Comments

ftp: remove misleading comments
They indicated that sockets would not be closed but they are.

Reported-by: Joshua Rogers
Closes #18871

Changed files

lib/ftp.c

Change #245698

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 16:00:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	92a212568403d985a2614a7d206bf34b7a8fb827

Comments

telnet: make bad_option() consider NULL a bad option too
Follow-up to a72e1552f22
Closes #18873

Changed files

lib/telnet.c

Change #245700

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 19:31:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ef1794e50e111dd4683b12875be7a685c63e44ca

Comments

ldap: tidy-up types, fix error code confusion
- fix `CURLcode` vs. LDAP result code confusion.
  Return `LDAP_NO_MEMORY` when `Curl_create_sspi_identity()` fails,
  since it can only return `CURLE_OUT_OF_MEMORY` as error.
- use `ULONG` for result code on Windows. Drop casts.
- use portable `curl_ldap_num_t`. Drop casts.
- replace magic number 0 with `LDAP_SUCCESS`.
- compare with `LDAP_SUCCESS` instead of assuming non-zero.
  (where necessary.)
- add/fix `#endif` comments.
- fix indentation.

Closes #18888

Changed files

lib/ldap.c

Change #245702

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 20:09:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	beeb1ae762d60ed84695d874d979e5095649d29d

Comments

GHA/configure-vs-cmake: reduce windows cross-toolchain apt installs
Download size: 277 MB -> 65 MB (installed: 1293 MB -> 401 MB)

Also as a workaround for Azure Ubuntu mirror slowdown issues:
https://github.com/curl/curl/actions/runs/18289326469/job/52072333582?pr=18866

Follow-up to 0455d8772a1af20ce63c46c5738582aa9b1b8441 #18509

Closes #18896

Changed files

.github/workflows/configure-vs-cmake.yml

Change #245704

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 20:54:26
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	13f10add17da864069dd1c1709cab7c4cdbb41cf

Comments

REUSE: bump reuse to v6, add more fences to fix issues
Closes #18895
Closes #18897

Changed files

.github/scripts/requirements.txt
scripts/cd2cd
scripts/cd2nroff
scripts/managen

Change #245706

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 20:57:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b12da22db1f11da51082977dc21a7edee7858911

Comments

lib: stop overriding system printf symbols
After this patch, the codebase no longer overrides system printf
functions. Instead it explicitly calls either the curl printf functions
`curl_m*printf()` or the system ones using their original names.

Also:
- drop unused `curl_printf.h` includes.
- checksrc: ban system printf functions, allow where necessary.

Follow-up to db98daab05aec251bcb6615d2d38dfebec291736 #18844
Follow-up to 4deea9396bc7dd25c6362fa746a57bf309c74ada #18814

Closes #18866

Changed files

REUSE.toml
docs/examples/.checksrc
lib/.checksrc
lib/Makefile.am
lib/altsvc.c
lib/asyn-ares.c
lib/asyn-thrdd.c
lib/bufq.c
lib/cf-h1-proxy.c
lib/cf-h2-proxy.c
lib/cf-haproxy.c
lib/cf-https-connect.c
lib/cf-ip-happy.c
lib/cf-socket.c
lib/cfilters.c
lib/conncache.c
lib/connect.c
lib/content_encoding.c
lib/cookie.c
lib/cshutdn.c
lib/curl_addrinfo.c
lib/curl_fopen.c
lib/curl_gssapi.c
lib/curl_ntlm_core.c
lib/curl_printf.h
lib/curl_rtmp.c
lib/curl_sasl.c
lib/curl_setup.h
lib/curl_trc.c
lib/curlx/.checksrc
lib/cw-out.c
lib/cw-pause.c
lib/dict.c
lib/dllmain.c
lib/doh.c
lib/dynhds.c
lib/easy.c
lib/escape.c
lib/fake_addrinfo.c
lib/file.c
lib/formdata.c
lib/ftp.c
lib/ftplistparser.c
lib/gopher.c
lib/hash.c
lib/headers.c
lib/hostip.c
lib/hostip4.c
lib/hostip6.c
lib/hsts.c
lib/http.c
lib/http1.c
lib/http2.c
lib/http_aws_sigv4.c
lib/http_chunks.c
lib/http_digest.c
lib/http_negotiate.c
lib/http_ntlm.c
lib/http_proxy.c
lib/httpsrr.c
lib/idn.c
lib/if2ip.c
lib/imap.c
lib/ldap.c
lib/md4.c
lib/md5.c
lib/memdebug.c
lib/mime.c
lib/mqtt.c
lib/multi.c
lib/multi_ev.c
lib/netrc.c
lib/noproxy.c
lib/openldap.c
lib/pingpong.c
lib/pop3.c
lib/progress.c
lib/psl.c
lib/rand.c
lib/rename.c
lib/request.c
lib/rtsp.c
lib/select.c
lib/sendf.c
lib/setopt.c
lib/sha256.c
lib/share.c
lib/smb.c
lib/smtp.c
lib/socketpair.c
lib/socks.c
lib/socks_gssapi.c
lib/socks_sspi.c
lib/telnet.c
lib/tftp.c
lib/transfer.c
lib/uint-bset.c
lib/uint-spbset.c
lib/uint-table.c
lib/url.c
lib/urlapi.c
lib/vauth/.checksrc
lib/vauth/cleartext.c
lib/vauth/cram.c
lib/vauth/digest.c
lib/vauth/gsasl.c
lib/vauth/krb5_gssapi.c
lib/vauth/ntlm.c
lib/vauth/oauth2.c
lib/vauth/vauth.c
lib/version.c
lib/vquic/.checksrc
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c
lib/vquic/vquic-tls.c
lib/vquic/vquic.c
lib/vssh/.checksrc
lib/vssh/libssh.c
lib/vssh/libssh2.c
lib/vtls/.checksrc
lib/vtls/cipher_suite.c
lib/vtls/gtls.c
lib/vtls/mbedtls.c
lib/vtls/mbedtls_threadlock.c
lib/vtls/openssl.c
lib/vtls/rustls.c
lib/vtls/schannel.c
lib/vtls/schannel_verify.c
lib/vtls/vtls.c
lib/vtls/vtls_scache.c
lib/vtls/wolfssl.c
lib/vtls/x509asn1.c
lib/ws.c
packages/OS400/curlcl.c
scripts/.checksrc
scripts/Makefile.am
scripts/checksrc.pl
src/.checksrc
tests/cmake/test.c
tests/libtest/.checksrc
tests/libtest/Makefile.am
tests/server/.checksrc
tests/tunit/.checksrc
tests/tunit/Makefile.am
tests/unit/.checksrc
tests/unit/Makefile.am

Change #245708

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 06 Oct 2025 22:33:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6f0e212f6e2746005fe63aab81f04d479bb8d01b

Comments

tidy-up: miscellaneous (cont.)
- examples: replace magic numbers with `sizeof()`.
- typos: drop rules no longer needed after excluding tests/data.
- typos: move an exception inline.
- alpha-sort lists.
- fix indentation, whitespace.

Closes #18898

Changed files

.github/scripts/typos.toml
.github/workflows/label.yml
configure.ac
docs/examples/multi-event.c
docs/examples/multi-uv.c
lib/amigaos.c
lib/cf-ip-happy.c
lib/curl_trc.c
lib/rtsp.c
lib/vauth/digest_sspi.c
lib/vauth/ntlm_sspi.c
lib/vquic/curl_ngtcp2.c
lib/vtls/openssl.c
src/Makefile.inc
src/tool_operate.c
tests/libtest/lib517.c
tests/server/sockfilt.c

Change #245710

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:12:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5090cce01c259ec6d01d907f71be9c27ac960f91

Comments

libssh2: fix return code for EAGAIN
In disconnect

Closes #18874

Changed files

lib/vssh/libssh2.c

Change #245712

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:13:53
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	22ae8ac8743beb396ed21bbf0a7245de87b81c29

Comments

libssh2/sftp_realpath: change state consistently
Change the state in this function at a single spot independent of
success or not to simplify.

Reported-by: Joshua Rogers
Closes #18875

Changed files

lib/vssh/libssh2.c

Change #245714

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:14:55
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3517053cf7d452e9be921ddfe58dfcd408216eb7

Comments

curl_osslq: error out properly if BIO_ADDR_rawmake() fails
Reported-by: Joshua Rogers
Closes #18878

Changed files

lib/vquic/curl_osslq.c

Change #245716

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:16:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	66f4c5699e8d1edc43717f11e203968db34b0a19

Comments

test766: verify CURLOPT_SOCKOPTFUNCTION error on accept
This test does active FTP with a socketopt callback that returns error
for the CURLSOCKTYPE_ACCEPT "purpose" to make sure we test and exercise
this error path - without leaks.

Closes #18879

Changed files

docs/libcurl/opts/CURLOPT_SOCKOPTFUNCTION.md
tests/data/Makefile.am
tests/data/test766
tests/libtest/Makefile.inc
tests/libtest/lib766.c

Change #245718

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:16:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6c7fc22f9dc43ded7a952e66597a379f294f9d29

Comments

pingpong: remove two old leftover debug infof() calls

Changed files

lib/pingpong.c

Change #245720

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:17:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3b18aeb8bdba4bcc7eb942e39c542778d1cffbfa

Comments

managen: verify the options used in example lines
Also fix the --knownhosts typo

Follow-up to aae18c4bdc1a3bf5

Reported-by: Daniel Terhorst-North
URL: https://mas.to/@tastapod/115327102344617386
Closes #18884

Changed files

docs/cmdline-opts/knownhosts.md
scripts/managen
tests/data/test1705
tests/data/test1706

Change #245722

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:35:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6d9636abd1deea39c7a79f042ca60652a815ddc8

Comments

telnet: return error if WSAEventSelect fails
Reported-by: Joshua Rogers
Closes #18886

Changed files

lib/telnet.c

Change #245724

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:37:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e214b1450186538e1336aa1f9c7b90e197bed092

Comments

telnet: send failure logged but not returned
Return error correctly when sending fails.

Reported-by: Joshua Rogers
Closes #18887

Changed files

lib/telnet.c

Change #245726

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:38:41
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	71b5e025903e2e6a7f4f2309a7e2930fed96fc0a

Comments

mdlinkcheck: reject URLs containing quotes
Those would be illegal anyway and would make the script misbehave

Reported-by: Stanislav Fort
Closes #18889

Changed files

scripts/mdlinkcheck

Change #245728

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:49:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1a3a5cb72038a0b70cb5721e9762734f1691aa6d

Comments

noproxy: fix the IPV6 network mask pattern match
It would mismatch if the network prefix length with was not divisible by
8.

Extended test 1614 to verify

Reported-by: Stanislav Fort

Closes #18891

Changed files

lib/noproxy.c
tests/unit/unit1614.c

Change #245730

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:50:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f1ed50a51707847825eb988cfc739f79b5ceadc9

Comments

tftp: don't pin or check address if recvfrom returns error
Follow-up to c4f9977c66bbb05a837a7eb0300
Reported-by: Joshua Rogers
Closes #18892

Changed files

lib/tftp.c

Change #245732

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:51:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bc90f80556a731d31a60cbe76b82b3060bda48bc

Comments

tftp: default timeout per block is now 15 seconds
Down from the previous (rather ridiculous) 3600.

Reported-by: Joshua Rogers
Closes #18893

Changed files

lib/tftp.c

Change #245734

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:52:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3660e6da80764b7dc184af51556d158d5a352a48

Comments

tftp: return error if it hits an illegal state
Reported-by: Joshua Rogers
Closes #18894

Changed files

lib/tftp.c

Change #245736

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:54:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	33380fa214d6ff9a0c1dc29b61aa6650b4ed3fa7

Comments

telnet: ignore empty suboptions
To avoid printing from en empty buffer

Reported-by: Joshua Rogers
Closes #18899

Changed files

lib/telnet.c

Change #245738

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 06 Oct 2025 23:59:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5e3725a7afe46fac093412f64193c807fcff1440

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245740

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 07 Oct 2025 00:23:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	752090b9638dcec16d9a773eaa62651681f093b2

Comments

examples/synctime: make the sscanf not overflow the local buffer
If the incoming Date: header has a funky format.

Bonus: remove bad null terminator assumptions for header

Reported-by: Stanislav Fort

Closes #18890

Changed files

docs/examples/synctime.c

Change #245742

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 09:04:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f4e83a0adcc86abb9ecc8673e3abd91c215a6649

Comments

ngtcp2: fix returns when TLS verify failed
In both send/recv functions of the ngtcp2 filter, when TLS verification
has failed, jump out by skipping ingress/egress handling.

Reported-by: Joshua Rogers
Closes #18881

Changed files

lib/vquic/curl_ngtcp2.c

Change #245744

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 10:55:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	357808f4addef44c2c48f17d067c114bc168a56d

Comments

multi: add notifications API
Add infrastructure to colled and dispatch notifications for transfers
and the multi handle in general. Applications can register a callback
and en-/disable notification type the are interested in.

Without a callback installed, notifications are not collected. Same when
a notification type has not been enabled.

Memory allocation failures on adding notifications lead to a general
multi failure state and result in CURLM_OUT_OF_MEMORY returned from
curl_multi_perform() and curl_multi_socket*() invocations.

Closes #18432

Changed files

.github/scripts/spellcheck.curl
docs/libcurl/Makefile.inc
docs/libcurl/curl_multi_notify_disable.md
docs/libcurl/curl_multi_notify_enable.md
docs/libcurl/curl_multi_setopt.md
docs/libcurl/opts/CURLMOPT_NOTIFYDATA.md
docs/libcurl/opts/CURLMOPT_NOTIFYFUNCTION.md
docs/libcurl/opts/Makefile.inc
docs/libcurl/symbols-in-versions
include/curl/multi.h
include/curl/typecheck-gcc.h
lib/Makefile.inc
lib/libcurl.def
lib/multi.c
lib/multi_ntfy.c
lib/multi_ntfy.h
lib/multihandle.h
scripts/singleuse.pl
src/tool_operate.c
tests/data/test1135
tests/data/test3207
tests/data/test500
tests/http/testenv/curl.py
tests/unit/unit3214.c

Change #245746

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Tue 07 Oct 2025 12:06:26
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0061b2bfaabd29a10cf63898a3cceb3ef4ad914a

Comments

vquic: fix idle-timeout checks (ngtcp2 ms<-->ns), 64-bit log & honor 0=no-timeout (osslquic)
Closes #18903

Changed files

lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c

Change #245748

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Tue 07 Oct 2025 12:06:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	783df22e596f46c989cadba016d144514b68654c

Comments

vquic/ngtcp2: compare idle timeout in ms to avoid overflow
Closes #18903

Changed files

lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c

Change #245750

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 13:12:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4a6bdd5899005c25ce222dc21dcfd1a779544330

Comments

examples/usercertinmem: avoid stripping const
This API started accepting a const somewhere between OpenSSL 1.0.2b and
1.0.2t. It means this example, like the other similar one now works best
with those versions or newer:
```
docs/examples/usercertinmem.c:100:33: error: cast from 'const char *' to 'char *' drops const qualifier [-Werror,-Wcast-qual]
  100 |   bio = BIO_new_mem_buf((char *)mypem, -1);
      |                                 ^
docs/examples/usercertinmem.c:121:34: error: cast from 'const char *' to 'char *' drops const qualifier [-Werror,-Wcast-qual]
  121 |   kbio = BIO_new_mem_buf((char *)mykey, -1);
      |                                  ^
```

Closes #18908

Changed files

docs/examples/usercertinmem.c

Change #245752

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 13:14:50
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	089afd78cb5897adf5a42d8ccff01d7c32c8fada

Comments

socks: handle premature close
When expecting to receive a number of bytes during socks connect,
treat an early connection close as error.

Reported-by: Joshua Rogers
Closes #18883

Changed files

lib/socks.c

Change #245754

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 14:37:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7ddbde4f731d6694f940320fe50a80b7f351229d

Comments

cmake: build the "all" examples source list dynamically
To allow building conditional examples, and to simplify by avoiding
cmake-version dependent code.

Follow-up to fe5225b5eaf3a1a0ce149023d38a9922a114798b #18209
Cherry-picked from #18909
Closes #18911

Changed files

docs/examples/CMakeLists.txt

Change #245756

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 14:54:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	53be8166b2b16d9682a173f505188a79ca30fb11

Comments

multi: notify rename, remove the last stragglers
in the public API.

Follow-up to 357808f4addef44c2c48f17d

Closes #18910

Changed files

docs/libcurl/curl_multi_notify_disable.md
docs/libcurl/curl_multi_notify_enable.md
docs/libcurl/opts/CURLMOPT_NOTIFYDATA.md
docs/libcurl/opts/CURLMOPT_NOTIFYFUNCTION.md
docs/libcurl/symbols-in-versions
include/curl/multi.h
lib/multi.c
lib/multi_ntfy.c
src/tool_operate.c

Change #245758

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 17:15:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6bb77140322565ca17f5a66aa5d8500d8d469cca

Comments

examples: fix build issues in 'complicated' examples
- cacertinmem: build cleanly with BoringSSL/AWS-LC.
- cacertinmem: silence `-Wcast-function-type-strict`.
- multi-uv: fix callback prototypes.
- multithread, threaded-ssl: do not pass const as thread arg.
- sessioninfo: fix suppressing deprecated feature warning.
- usercertinmem: sync formatting with cacertinmem.

Follow-up to 4a6bdd5899005c25ce222dc21dcfd1a779544330 #18908
Cherry-picked from #18909
Closes #18914

Changed files

docs/examples/cacertinmem.c
docs/examples/multi-uv.c
docs/examples/multithread.c
docs/examples/sessioninfo.c
docs/examples/threaded-ssl.c
docs/examples/usercertinmem.c

Change #245760

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 07 Oct 2025 17:18:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	496802fdcf1b249bedb381b25d0c3b544dea569d

Comments

multi: use CURLMNOTIFY_ as notification id prefix
Since CURLM_ is already used as prefix for multi error codes, it makes
it easier to detect and understand the difference between identifiers -
and allows for scripts on the website and elsewhere to separate them
properly.

Follow-up to 53be8166b2b16d9682
Closes #18912

Changed files

docs/libcurl/curl_multi_notify_disable.md
docs/libcurl/curl_multi_notify_enable.md
docs/libcurl/opts/CURLMOPT_NOTIFYDATA.md
docs/libcurl/opts/CURLMOPT_NOTIFYFUNCTION.md
docs/libcurl/symbols-in-versions
include/curl/multi.h
lib/multi.c
lib/multi_ntfy.c
src/tool_operate.c

Change #245762

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 07 Oct 2025 17:20:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	352d1dc6ab0af5bc7f88746cd059ceca6c1e9c0a

Comments

CURLMOPT_NOTIFYFUNCTION.md: minor language polish
- mention the possibility of new types in the future
- s/a an/an

Closes #18913

Changed files

docs/libcurl/opts/CURLMOPT_NOTIFYFUNCTION.md

Change #245764

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 17:23:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0d573969de269cb58d85c73ad12d63cccf7b33dd

Comments

osslq: set out idle timeout to 0
Similar to our ngtcp2 backend, set our idle timeout for the connection
to 0, meaning we have no such timeout from our side. The effective idle
timeout is then the one announced by the peer.

Closes #18907

Changed files

lib/vquic/curl_osslq.c

Change #245766

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 07 Oct 2025 17:24:01
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	88a1ab511ce0883c0c0429a74af754036cff5df8

Comments

ngtcp2: fix handling of blocked stream data
The stream blocking might not be the one of the current easy handle.
Look up the stream to be marked as blocking via its stream_id in the
internal hash. Theoretically, this does not have to be one of the h3
streams, so not finding it is not an error.

Fixes #18905
Reported-by: Joshua Rogers
Closes #18906

Changed files

lib/vquic/curl_ngtcp2.c

Change #245768

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 19:09:02
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	df70a68984308952dcacf33d11593cb22ad80464

Comments

cmake: support building some complicated examples, build them in CI
Build these examples when the necessary dependencies are present:
- cacertinmem, usercertinmem (OpenSSL/fork)
- multi-uv (libuv)
- multithread, threaded-ssl (pthread)
- sessioninfo (GnuTLS)

Indicate the necessary dependency via a `Required:` comment placed in
the source file. A single dependency per source is supported as of now.
The name of the dependency should match the variable used within
the cmake scripts, which in turn matches the macro used in the config
header. E.g. for GnuTLS it's `USE_GNUTLS`.

Also:
- GHA/macos: build examples in two job to test GnuTLS and pthread ones.
- GHA/linux: enable libuv to test it with examples.

Follow-up to 6bb77140322565ca17f5a66aa5d8500d8d469cca #18914
Closes #18909

Changed files

.github/workflows/linux.yml
.github/workflows/macos.yml
docs/examples/CMakeLists.txt
docs/examples/Makefile.am
docs/examples/Makefile.inc
docs/examples/cacertinmem.c
docs/examples/multi-uv.c
docs/examples/multithread.c
docs/examples/sessioninfo.c
docs/examples/threaded-ssl.c
docs/examples/usercertinmem.c

Change #245770

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 19:11:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9f52458e7d14a7185b39a8d1046e4935caeb0a54

Comments

notify: use 'notify' in public header and docs
Closes #18915

Changed files

docs/libcurl/opts/CURLMOPT_NOTIFYDATA.md
docs/libcurl/opts/CURLMOPT_NOTIFYFUNCTION.md
include/curl/typecheck-gcc.h

Change #245772

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 07 Oct 2025 21:01:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1103ccb73e316ee830c9dbfe95218974a32418a3

Comments

examples/sessioninfo: cast printf string mask length to int
Found via `-Wformat-signedness`:
```
docs/examples/sessioninfo.c: In function 'wrfu':
docs/examples/sessioninfo.c:75:53: error: field precision specifier '.*' expects argument of type 'int', but argument 4 has type 'unsigned int' [-Werror=format=]
  fprintf(stderr, "Certificate #%u: %.*s", i, dn.size, dn.data);
                                      ^
```
Ref: https://github.com/curl/curl/actions/runs/18320729052/job/52172864438?pr=18343#step:13:30
Ref: https://github.com/curl/curl/actions/runs/18320729095/job/52172886899?pr=18343#step:19:27

Also:
- drop unnecessary parenthesis.
- scope variables.

Ref: #18343
Closes #18918

Changed files

docs/examples/sessioninfo.c

Change #245774

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Tue 07 Oct 2025 23:56:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4bfd7a961521e1fd6aab7610e931d82a342781a8

Comments

openssl: skip session resumption when verifystatus is set
Resumed TLS sessions skip OCSP stapled-response verification.
Force a full handshake so verifystatus() runs.

Closes #18902

Changed files

lib/vtls/openssl.c

Change #245776

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Tue 07 Oct 2025 23:59:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4e77388a0bb3ff06e8f6c17995aaf943a019462f

Comments

h3/nghttp3: return NGHTTP3_ERR_CALLBACK_FAILURE from recv_header
Closes #18904

Changed files

lib/vquic/curl_ngtcp2.c

Change #245779

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Tue 07 Oct 2025 23:59:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	38ab421f60f79f8dfd85f24a03c358a7a8431018

Comments

h3/ngtcp2: close just-opened QUIC stream when submit_request fails
Closes #18904

Changed files

lib/vquic/curl_ngtcp2.c

Change #245781

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 12:53:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ab761794c1e6d124cd7c6dd2b337d7c433c1774e

Comments

tests/server: drop pointless memory allocation overrides
The code was overriding system memory allocation functions to a local
jump table (declared in `curl_setup.h`). And setup that jump table
to call the original system allocation functions.

Also tested fine with cegcc/WinCE. The `_strdup` fallback was possibly
required for an MSVC WinCE toolchain.

Closes #18922

Changed files

tests/server/Makefile.inc
tests/server/memptr.c

Change #245783

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 12:53:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	82fd9edb0e0313f206b23f90a000164b52412072

Comments

INSTALL-CMAKE.md: document useful build targets
Closes #18927

Changed files

docs/INSTALL-CMAKE.md

Change #245785

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 13:40:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0b54ce6ffc395148f2c43ce4664ecd9678f822bd

Comments

INSTALL-CMAKE.md: fix typo in prev
Not caught in original PR. Fixing it in CI separately.

Follow-up 82fd9edb0e0313f206b23f90a000164b52412072 #18927

Changed files

docs/INSTALL-CMAKE.md

Change #245787

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 14:33:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3800a26582af8b355e96cf80135ba7642e816ed6

Comments

GHA/checksrc: also run on .md file changes
To avoid missing e.g. codespell issue when updating Markdown files only,
as in 82fd9edb0e0313f206b23f90a000164b52412072 #18927

Follow-up to 0b54ce6ffc395148f2c43ce4664ecd9678f822bd

Closes #18935

Changed files

.github/workflows/checksrc.yml

Change #245789

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 14:46:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6a31e3137a1352aec528d768dee8d5a1c509f451

Comments

GHA/dependabot: find more pip deps, tweak commit prefix
Before this patch the Dependabot updater was only picking up
`tests/requirements.txt`:
https://github.com/curl/curl/network/updates/26616523/jobs

Also prefix commit messages with `GHA:`.

Bug: https://github.com/curl/curl/pull/18761#issuecomment-3381147189
Follow-up to b04137c1c6ed164594279c7d04b5e051634453ea #18761

Closes #18939

Changed files

.github/dependabot.yml

Change #245791

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 14:58:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c951fe7e6daadf545016900267ca990d6476786e

Comments

GHA/dependabot: tweak dir list to avoid a dupe, rename .txt file to avoid the bot
It correctly picked all pips, but also picked
`tests/http/requirements.txt` twice and also
`.github/scripts/codespell-ignore.txt`. Try avoid these issues with this
patch.

Follow-up to 6a31e3137a1352aec528d768dee8d5a1c509f451 #18939

Closes #18946

Changed files

.github/dependabot.yml
.github/scripts/codespell-ignore.txt
.github/scripts/codespell-ignore.words
.github/scripts/codespell.sh
.github/scripts/typos.toml

Change #245793

Category	curl
Changed by	dependabot[bot] <49699333+dependabot[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Wed 08 Oct 2025 16:07:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	29093f0ee832bbd65314f681429429e1840c6575

Comments

GHA: bump dependencies
- cryptography from 44.0.1 to 46.0.2 in tests/http
- ruff from 0.13.2 to 0.14.0 in .github/scripts
- reuse from 6.0.0 to 6.1.2 in .github/scripts
- github/codeql-action from 3.30.5 to 4.30.7

Closes #18941
Closes #18942
Closes #18943
Closes #18945
Closes #18947

Changed files

.github/scripts/requirements.txt
.github/workflows/codeql.yml
tests/http/requirements.txt

Change #245795

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 16:10:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bbce304c0bd4405cb2f5e484bded366764b1306e

Comments

GHA/linux-old: dump logs on configure failure
As done in other jobs, but here tailored to old cmake.

The logs generated by ancient CMake aren't super useful though.

Cherry-picked from #18932
Closes #18948

Changed files

.github/workflows/linux-old.yml

Change #245797

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Wed 08 Oct 2025 19:59:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1f112242323848d0ebfc88ae97b139d18e7987f6

Comments

cmake/FindGSS: fix `pkg-config` fallback logic for CMake <3.16
The documented `<prefix>_<moduleName>_VERSION` variables are empty in
all tested versions since 3.7.2 to 4.1.2. Stop using it as a fallback
for <3.16 versions, and replace with the undocumented, but working,
`FindPkgConfig` internal variable `_pkg_check_modules_pkg_name`. It
contains the module name which was found.

In practice it caused that with CMake <3.16 + `pkg-config`, curl always
detected the Heimdal flavor of GSS.

Also: Delete a fallback version detection method, which was already
marked with a question mark in comments, and used the same, always
empty, CMake variables.

Ref: https://cmake.org/cmake/help/v4.1/module/FindPkgConfig.html
Bug: https://github.com/curl/curl/pull/18932#issuecomment-3381807070

Closes #18950

Changed files

CMake/FindGSS.cmake

Change #245799

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 08 Oct 2025 23:15:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ca789e09b53420dbc24ababec1ab44c88618f6d6

Comments

wolfssl: no double get_error() detail
Code was calling wolfSSL_get_error() on code that it had
already retrieved with the same function. Remove that.

Reported-by: Joshua Rogers
Closes #18940

Changed files

lib/vtls/wolfssl.c

Change #245801

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 08 Oct 2025 23:16:50
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0f02744c41fa4da0f25091dcce5c1e9e0c2220b5

Comments

apple sectrust: check correct result on old OS versions
On ancient Apple OS versions where SecTrustEvaluateWithError() is not
available, the deprected SecTrustEvaluate() is used. In that code
branch, the code checked the wong variable for the verified result.

Closes #18929

Changed files

lib/vtls/apple.c

Change #245803

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 08 Oct 2025 23:18:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	008078fc38991dcb5cfbf4b850f9acbf832dc618

Comments

http: make Content-Length parser more WHATWG
Return error if there is something after the number other than
whitespace and newline.

Allow comma separated numbers and repeated headers as long as the new value is
the same as was set before.

Add test 767 to 771 to verify.

Reported-by: Ignat Loskutov
Fixes #18921
Closes #18925

Changed files

lib/http.c
tests/data/Makefile.am
tests/data/test767
tests/data/test768
tests/data/test769
tests/data/test770
tests/data/test771

Change #245805

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 08 Oct 2025 23:19:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e4645c86b5d0692c6fc4aa413eeeefe601da0aed

Comments

CURLOPT_COOKIEFILE.md: clarify when the cookies are loaded
Closes #18924

Changed files

docs/libcurl/opts/CURLOPT_COOKIEFILE.md

Change #245807

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 08 Oct 2025 23:35:37
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d58b6009df5eb6e946423b33ce3dc10fa3f5a37f

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245809

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 01:15:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7c021fd14af3a4558bab8cb256abac77ac6148de

Comments

cmake: minor Heimdal flavour detection fix
Do not detect Heimdal if a single `H` character appears in the vendor
string, require the full name: `Heimdal`.

Cherry-picked from #18932
Closes #18951

Changed files

CMake/FindGSS.cmake

Change #245811

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 01:21:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9fe8ba5c275002da7deb26f3d549fdda8944cf82

Comments

GHA/linux-old: sync terminology with other jobs [ci skip]
Cherry-picked from #18932

Changed files

.github/workflows/linux-old.yml

Change #245813

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 01:52:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cd7b45a3bbec0b43e87a9483a0fc8a82abaae956

Comments

cmake/FindGSS: whitespace/formatting
Sync format more with the rest of the Find modules.

Cherry-picked from #18932
Closes #18957

Changed files

CMake/FindGSS.cmake

Change #245815

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 02:27:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	8be9a26451d466571864a608bc48cc77746ff00d

Comments

build: drop Heimdal support, update docs, replace with MIT Kerberos in CI
The kerberos5 library Heimdal is one of three GSS libraries curl support.
It has a memory leak triggered by the new test in #18917 and the project
seems mostly abandoned.

Drop support and steer users to the MIT krb5 or GNU GSS libraries.

Co-authored-by: Daniel Stenberg

Ref: #18928
Closes #18928
Closes #18932

Changed files

.github/workflows/codeql.yml
.github/workflows/linux-old.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/non-native.yml
CMake/FindGSS.cmake
CMakeLists.txt
RELEASE-NOTES
configure.ac
docs/INSTALL-CMAKE.md
docs/INTERNALS.md
docs/KNOWN_BUGS
docs/TODO

Change #245817

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:26:39
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cc7b12347b06378cf5558636e15d3c19a48d836a

Comments

quiche: handle tls fail correctly
quiche receive may report a TLS failure after a verified handshake. That
needs to lead to a transfer receive error.

Reported-by: Joshua Rogers
Closes #18934

Changed files

lib/vquic/curl_quiche.c

Change #245819

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:27:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0b4a7045000e00cc7c8f657861bf0e717bb08ce0

Comments

vquic: sending non-gso packets fix for EAGAIN
The function returned OK on EAGAIN and not the correct code.

Reported-by: Joshua Rogers
Closes #18936

Changed files

lib/vquic/vquic.c

Change #245821

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:28:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c0a279a8e91a279f6942775073d21d0e93041af6

Comments

socks: deny server basic-auth if not configured
When the server proposes BASIC authentication and curl does
not have that configured, fail right away.

Reported-by: Joshua Rogers
Closes #18937

Changed files

lib/socks.c

Change #245823

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 09 Oct 2025 08:30:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	391e3fbeeccb7311562f60fbd9db964bc5bf3ec7

Comments

libssh/sftp: fix resume corruption by avoiding O_APPEND with rresume
Opening the remote file with O_APPEND while attempting to resume causes
all writes to be forced to EOF on servers/implementations where O_APPEND
semantics override a prior seek(). As a result, sftp_seek64() is ignored
and the resumed data is appended, duplicating/corrupting the file.

Fix by:
- Using O_WRONLY (without O_APPEND) when resume_from > 0.
- Skipping the seek entirely if remote_append mode is requested.

Closes #18952

Changed files

lib/vssh/libssh.c

Change #245825

Category	curl
Changed by	Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
Changed at	Thu 09 Oct 2025 08:30:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dae19dd94a77dfc4568989cd84159b9502484b8b

Comments

libssh2/sftp: fix resume corruption by avoiding O_APPEND with rresume
Opening the remote file with O_APPEND while attempting to resume causes
all writes to be forced to EOF on servers/implementations where O_APPEND
semantics override a prior seek(). As a result, sftp_seek64() is ignored
and the resumed data is appended, duplicating/corrupting the file.

Fix by:
- Using O_WRONLY (without O_APPEND) when resume_from > 0.
- Skipping the seek entirely if remote_append mode is requested.

Closes #18952

Changed files

lib/vssh/libssh2.c

Change #245827

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:41:20
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	93e91e965e80b94b559293b93d4fb3360b8281a3

Comments

http2: check push header names by length first
Reported-by: Joshua Rogers
Closes #18930

Changed files

lib/http2.c

Change #245829

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:42:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	44a79d4f7afe52ca613516cf9dd5d83ac7d5c2c0

Comments

http2: cleanup pushed newhandle on fail
When nghttp2_session_set_stream_user_data() fails, clean up the
new handle.

Reported-by: Joshua Rogers
Closes #18931

Changed files

lib/http2.c

Change #245831

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 08:43:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f609b5738931d4fa9ef75e9f48a9d3a21dea1ffb

Comments

http2: ingress handling edge cases
Fix some edge cases around the `data_max_bytes` handling when
processing ingress.

Reported-by: Joshua Rogers
Closes #18933

Changed files

lib/http2.c

Change #245833

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 09:10:37
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1ce6dff01a7d38618273e6fe20b73c4bc661e6ed

Comments

openssl: fix peer certificate leak in channel binding
Reported-by: Stanislav Fort
Bug: https://hackerone.com/reports/3373640
Closes #18917

Changed files

lib/vtls/openssl.c

Change #245835

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 09:10:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5d32c4fc7b559528a562a390c230f627fec94376

Comments

test1582: verify the TLS channel binding cert memory leak fix

Changed files

tests/data/Makefile.am
tests/data/test1582
tests/libtest/Makefile.inc
tests/libtest/lib1582.c

Change #245837

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 10:42:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	29d0a308b4537b315849a70b0010f4b0aea6dccb

Comments

setopt: allow CURLOPT_DNS_CACHE_TIMEOUT set to -1
It is documented as valid. Regression from commit b059f7deaf3 shipped in
8.16.0

Reported-by: Andrei Kurushin
Fixes #18959
Closes #18960

Changed files

lib/setopt.c

Change #245839

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 10:42:40
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7ab9018ea70b1ced6737a755ac96b9a00eef4073

Comments

mk-lib1521: verify the setopt options that accept -1

Changed files

tests/libtest/mk-lib1521.pl

Change #245841

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 10:50:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b0db5f12b15aeaa7eec42463ff26c2c59898f3ab

Comments

hostip: don't store negative resolves due unrelated errors
Like for:

- OOM
- resolver_start() returns error
- DoH has problems

Fixes #18953
Fixes #18954
Reported-by: Joshua Rogers
Closes #18958

Changed files

lib/hostip.c

Change #245843

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 12:59:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	56c892af1f46c7b1c803304ee62e524340007ab2

Comments

examples/sessioninfo: do not disable security
Also make it return the curl result code.

Follow-up to df70a68984308952dcacf33d11593cb22ad80464 #18909
Closes #18969

Changed files

docs/examples/sessioninfo.c

Change #245845

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 12:59:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e78185625f149d89c56ef32af580f1d122c2f42b

Comments

examples: allow `vsnprintf` again
Ref: https://github.com/curl/curl/pull/18668#issuecomment-3383422410
Follow-up to b12da22db1f11da51082977dc21a7edee7858911 #18866
Closes #18970

Changed files

docs/examples/.checksrc

Change #245847

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 12:59:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	92ee9173685907ddf53eb57b61b5c4845ae00459

Comments

examples: update `.gitignore`
Follow-up to f6f62933e917b8b5c9a9394907ce4b69600214b4 #18264
Closes #18971

Changed files

docs/examples/.gitignore

Change #245849

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 09 Oct 2025 14:17:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	801ebf1e1a1415a869b00107a464a4492a98eb77

Comments

GHA: rename config files to match pyspelling
To make it more obvious what needs to be looked at when pyspelling is
reporting an issue.

Follow-up to 95e50ad69473d8229b85478a3f2138b7e632fbe8 #18756
Closes #18974

Changed files

.github/scripts/codespell.sh
.github/scripts/pyspelling.words
.github/scripts/pyspelling.yaml
.github/scripts/spacecheck.pl
.github/scripts/spellcheck.words
.github/scripts/spellcheck.yaml
.github/scripts/typos.toml
.github/workflows/checkdocs.yml

Change #245851

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 14:43:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	83bed97ad85d2fb7a0be8079318e2ce003bb34a0

Comments

rustls: pass the correct result to rustls_failf
Reported-by: Joshua Rogers
Closes #18961

Changed files

lib/vtls/rustls.c

Change #245853

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 14:43:56
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9e2c582d6c4d676d34c56406301886784021e263

Comments

memdup0: handle edge case
When length is already SIZE_MAX, fail without allocating.

Reported-by: Joshua Rogers
Closes #18966

Changed files

lib/strdup.c

Change #245855

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 09 Oct 2025 14:44:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d1d5855689a29ee0ebc3ee5abd34959cfc8530d4

Comments

openssl: add comments regarding OCSP verification
To allow future reviewers of "security" reports to more easily find out
why code is this way.

Closes #18962

Changed files

lib/vtls/openssl.c

Change #245857

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Thu 09 Oct 2025 20:39:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e7247d86971c5ff559d87ccc55b5355d4224f59a

Comments

tool_operate: keep failed partial download for retry auto-resume
- Keep data from a failed download instead of discarding it on retry in
  some limited cases when we know it's ok (currently only HTTP 200/206).

Prior to this change on failed transfer the tool truncated any outfile
data written before retrying the transfer. This change adds an exception
for HTTP downloads when the user requested auto-resume, because in that
case we can keep the outfile data and resume from the new position.

Reported-by: tkzv@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/18035
Closes https://github.com/curl/curl/pull/18665

Changed files

src/tool_operate.c
tests/data/Makefile.am
tests/data/test3035

Change #245859

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Thu 09 Oct 2025 20:40:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0780de2625bf8bb3bcb0f88bbbc401b2750ec1bb

Comments

examples: add an example for logging failed transfers
- Add an example that demonstrates per-transfer verbose logging to
  memory.

The transfer's log is written to disk only if the transfer fails.

Closes https://github.com/curl/curl/pull/18668

Changed files

docs/examples/.gitignore
docs/examples/Makefile.inc
docs/examples/log_failed_transfers.c

Change #245861

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 21:55:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1e6d507de779d52c6a614a8d50b561ed337bbef4

Comments

schannel_verify: fix mem-leak in Curl_verify_host
Reported-by: Stanislav Fort
Closes #18972

Changed files

lib/vtls/schannel_verify.c

Change #245863

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 22:01:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2a2a2e5d107f1ad7fbb5e88dab03ed37c8177e76

Comments

vauth/digest: improve the digest parser
Previously, if for example the nonce would end with "realm=" etc it
would get the wrong piece, due to the naive parser.

Reported-by: Joshua Rogers
Closes #18975

Changed files

lib/vauth/digest.c

Change #245865

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 22:02:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2c6505e0ef9c0368e9acbef5662eb15e43328b65

Comments

krb5_gssapi: fix memory leak on error path
If a non-compliant amount of bytes is received, the function would
return error without free.

Reported-by: Joshua Rogers
Closes #18976

Changed files

lib/vauth/krb5_gssapi.c

Change #245867

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 22:03:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	435da1f849ad9a5e91b8e348d6830b0c546ac15a

Comments

Curl_resolv: fix comment. 'entry' argument is not optional
Reported-by: Joshua Rogers
Closes #18979

Changed files

lib/hostip.c

Change #245869

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 22:03:59
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	71585f9894cf97ed6719487cb03aa97d2f94b7cd

Comments

asyn-ares: use the duped hostname pointer for all calls
In one c-ares call the passed in pointer was used and not the new
duplicated one. This is probably fine but might as well use the new
pointer as all the other calls do, which will survive longer.

Reported-by: Joshua Rogers
Closes #18980

Changed files

lib/asyn-ares.c

Change #245871

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 22:10:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	eb3a4314fee5e27dc815a6ef3df632718f6ea823

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245873

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 23:26:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6c0338115ae5f2cde96a9268f54e63fa725d0d7a

Comments

ftp: simplify the 150/126 size scanner
The file size is weirdly returned in a 150 or 126 response as "XXX
bytes" mentioned somewhere in the response string. This is a rewrite of
the size scanner to replace the strange strstr() + backwards search from
before with a plain forward search until '[number] + " bytes"' is a
match.

Triggered by a report by Joshua Rogers about the previous parser.

Closes #18984

Changed files

lib/ftp.c

Change #245875

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 23:27:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d35bdfa8f28d646166592f607b8100b6c60be0f0

Comments

openldap: fix memory-leak in error path
The 'ber' pointer could escape a free if an early error occurred.

Reported-by: Joshua Rogers
Closes #18985

Changed files

lib/openldap.c

Change #245878

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 09 Oct 2025 23:28:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	be5a5c10d49bfe35e7e2ccf63ae700abad786379

Comments

openldap: fix memory-leak on oldap_do's exit path
On SSL sockbuf setup failure in `oldap_do`, the 'lud' data would not be
freed and instead leak.

Reported-by: Joshua Rogers
Closes #18986

Changed files

lib/openldap.c

Change #245880

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 02:07:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0d560d00faaa6fa3ff3918d82c8fbd551452d17e

Comments

kerberos: drop logic for MIT Kerberos <1.2.3 (pre-2002) versions
curl requires 1.2.4 or newer.

Also:
- vms: stop defining `gss_nt_service_name`. Added in
  f9cf3de70b3a494f627eda6cccf6607616eaf449, symbol not used in curl code
  since 355bf01c828af16c47ab52bccb9ade769f8bf158.

Closes #18978

Changed files

CMakeLists.txt
configure.ac
docs/INSTALL-CMAKE.md
lib/curl_config.h.cmake
lib/curl_gssapi.h
packages/vms/generate_config_vms_h_curl.com

Change #245882

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 10 Oct 2025 08:24:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	69efbcaa03b99b927806af43752bcd5d667a676d

Comments

ldap: avoid null ptr deref on failure
ldap_get_dn() can return NULL on error

Reported-by: Joshua Rogers
Closes #18988

Changed files

lib/ldap.c

Change #245884

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 10 Oct 2025 08:26:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c049c37acd074a61bbd07eebe25fdf32af575a2a

Comments

libssh: make atime and mtime cap the timestamp instead of wrap
The libssh API uses a 32 bit type for datestamp, so instead of just
force-typecast it, make sure it gets capped at UINT_MAX if the value is
larger.

Reported-by: Joshua Rogers
Closes #18989

Changed files

lib/vssh/libssh.c

Change #245886

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 13:59:19
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e5950b2d372ac4f15f6b348227f462d4c3c4d37a

Comments

kerberos: stop including `gssapi/gssapi_generic.h`
It's a legacy MIT Kerberos header that's no longer used by curl since:
355bf01c828af16c47ab52bccb9ade769f8bf158 (2015-01-09)

There were still mentions of it after this patch, when using versions
<1.2.3, but those versions aren't supported since:
99185417952da30c8ddd82ab962fb58da96260b2 (2008-06-12)

This header remains in use by autotools and cmake to detect MIT Kerberos
(vs. Heimdal, which doesn't have it.)

Ref: https://github.com/curl/curl/pull/18978#issuecomment-3387414995

Closes #18990

Changed files

.github/scripts/cmp-config.pl
CMakeLists.txt
lib/curl_config.h.cmake
lib/urldata.h
lib/vauth/vauth.h

Change #245888

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 17:33:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9442dd480e9fe4ded646287b5116be27a0cb4efd

Comments

GHA/linux: test GNU GSS with autotools, cmake, valgrind and scan-build
The cmake build is running runtests with valgrind. The autotools one is
running scan-build.

Also:
- ignore two memleaks with GNU GSS detected by valgrind.
- add comment on support status of `GSS_C_DELEG_POLICY_FLAG`.

Closes #19008

Changed files

.github/workflows/linux.yml
lib/curl_gssapi.c

Change #245890

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 19:47:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fc9b215fde7f359a5a323f906f26b87d35ac654e

Comments

CI.md: refresh
Closes #18973

Changed files

.github/scripts/pyspelling.words
docs/tests/CI.md

Change #245892

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 19:47:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	0855f3070931c57c27180c48f7ada0336be977fc

Comments

kerberos: bump minimum to 1.3 (2003-07-08), drop legacy logic
Previous minimum was: 1.2.4 (2002-02-28)

- assume `gssapi/gssapi.h` header for MIT Kerberos.

  Drop logic detecting this header, and drop alternate logic including
  a bare "gssapi.h". Bare `gssapi.h` is Heimdal-specific. MIT Kerberos
  added support for it for Heimdal compatibility on 2006-11-09,
  redirecting to `gssapi/gssapi.h`. MIT Kerberos supported the latter
  header in the 1990s already.

  Ref: 40e1a016f92903c731f07325bc1f9c6416ae1ac3 (2008-03-06)
  Ref: https://github.com/krb5/krb5/commit/d11935200186040132e05e2beaaba20a770ee3ef (2006-11-09)

- configure.ac: stop using `HAVE_GSSAPI_GSSAPI_H`.

  Added in 2010 to support "ancient distros such as RHEL-3" where
  `gssapi/gssapi_krb5.h` did not include `gssapi/gssapi.h`.

  MIT Kerberos includes it since commit:
  https://github.com/krb5/krb5/commit/d9e959edfa8da7cab3bde96c9c4ca39beaf8db69 (2003-03-06)
  Released in 1.3 (2003-07-08).

  Bump minimum required version to avoid this issue.

  Reverts cca192e58f9ed7c4b33c1c991f69ff830c58b38f (2010-04-16)

Ref: https://web.mit.edu/kerberos/dist/historic.html
Ref: https://sources.debian.org/src/krb5/

Closes #18992

Changed files

.github/scripts/cmp-config.pl
CMakeLists.txt
configure.ac
docs/INTERNALS.md
lib/curl_config.h.cmake
lib/urldata.h
lib/vauth/vauth.h

Change #245894

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 19:47:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	05aa61fb3d7f026aeedbdf23b0f267a159317b54

Comments

cmake/FindGSS: drop wrong header check for GNU GSS
GNU GSS offers `gss.h`; do not check for `gssapi.h`. `gssapi.h`
was originally published by Heimdal, and later MIT Kerberos also added it
for Heimdal compatibility.

Closes #18993

Changed files

CMake/FindGSS.cmake

Change #245896

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 10 Oct 2025 19:47:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	aeacf9a3e8efb6d93d33fe7cf7350e37c985a619

Comments

cmake/FindGSS: dedupe pkg-config module strings
Closes #18994

Changed files

CMake/FindGSS.cmake

Change #245898

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:40:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7fecc009eacf2bd4815b4dd7b9ec082bca7a1bcc

Comments

socks: advance iobuf instead of reset
During the SOCKS connect phase, the `iobuf` is used to receive repsonses
from the server. If the server sends more bytes than expected, the code
discarded them silently.

Fix this by advancing the iobuf only with the length consumed.

Reported-by: Joshua Rogers

Closes #18938

Changed files

lib/socks.c

Change #245900

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:41:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4cc476b37fc9f9f402e107f8ff85c60bad8c19ab

Comments

gnutls: check conversion of peer cert chain
Check the result when converting the peer certificate chain
into gnutls internal x590 data structure for errors.

Reported-by: Joshua Rogers
Closes #18964

Changed files

lib/vtls/gtls.c

Change #245902

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:42:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	a4d3c4e84720c3f2cb94fef1a4e680bb4b3e91a2

Comments

ws: fix some edge cases
Fix edge cases around handling of pending send frames and encoding
frames with size_t/curl_off_t possible flowy things.

Reported-by: Joshua Rogers
Closes #18965

Changed files

lib/ws.c

Change #245904

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:44:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9d7b532404181568de1611084bd9f446cd4a4d26

Comments

cf-socket: set FD_CLOEXEC on all sockets opened
Removed TODO item

Reported-by: Joshua Rogers
Closes #18968

Changed files

docs/TODO
lib/cf-socket.c

Change #245906

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:45:58
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	bf41be6292cf712315815c722aab2653a0ec827f

Comments

conn: fix hostname move on connection reuse
When reusing a connection, the `host` and `conn_to_host` hostname
structs are moved from the template connection onto the existing one.

There was a NULLing of a tempplate member missing in `conn_to_host`
which could then lead to a double free.

Make this struct move into a static function, doing the correct
thing for both `struct hostname` in a connection.

Reported-by: Joshua Rogers
Closes #18995

Changed files

lib/url.c

Change #245908

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:48:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	03448f477a0cfa3868dfd15a7b9278dcecf944a2

Comments

thread: errno on thread creation
When thread creation fails, the code uses `errno` to remember the cause.
But pthread_create() never sets errno and gives the error as return value.
Fix that by setting the return value into errno on failure.

Windows: I think the ifdef was the wrong way around. Also set a generic
Windows Error code on CE systems.

Reported-by: Joshua Rogers
Closes #18998

Changed files

lib/curl_threads.c

Change #245910

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 10 Oct 2025 23:49:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	05fbe85e628ca697e7f3c59bd677024e3cec125c

Comments

c-ares: when resolving failed, persist error
Repeated calls to `Curl_async_is_resolved()` after a failure
returned OK and not the error that was the result of the resolve
fail.

Reported-by: Joshua Rogers
Closes #18999

Changed files

lib/asyn-ares.c

Change #245912

Category	curl
Changed by	Patrick Monnerat <patrickohnoyoudont@monnerat.net>
Changed at	Fri 10 Oct 2025 23:58:48
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	67c75b67125d09029288dd490050471c46c50ece

Comments

os400: document threads handling in code.
This is to clarify threads unavaibility check and handling for security
bug busters unaware of OS400 specificities.

Fixes #18967
Closes #19009

Changed files

packages/OS400/os400sys.c

Change #245914

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 11 Oct 2025 01:04:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6e9246aeb321b3cbbe07a323dec39e6392a4cb71

Comments

cmake/FindGSS: simplify/de-dupe lib setup
- lib name is always `gss` with GNU GSS.
- move lib name assigments to the detection blocks.

Closes #19012

Changed files

CMake/FindGSS.cmake

Change #245916

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 11 Oct 2025 01:04:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f04e7a7eface29607981f81662d9dff429372134

Comments

cmake: pre-fill three more type sizes on Windows
Use `CMAKE_SIZEOF_VOID_P` to fill the size of three types that differ
on 32 and 64-bit Windows: `curl_socket_t`, `size_t`, and on mingw-w64:
`ssize_t`.

`time_t` remains the only type needing detection at configuration time,
with MSVC or mingw-w64.

Ref: https://cmake.org/cmake/help/v4.1/variable/CMAKE_SIZEOF_VOID_P.html

Closes #19013

Changed files

CMake/win32-cache.cmake

Change #245918

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 11 Oct 2025 01:04:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	16f0d4ae3ad0a113dde0488b5119ec7ad03cf7d7

Comments

curl_threads: delete WinCE fallback branch
Both WinCE and Windows use `CreateThread()` now, so the use of
`GetLastError()` works for both.

Follow-up to 03448f477a0cfa3868dfd15a7b9278dcecf944a2 #18998
Follow-up to 1c49f2f26d0f200bb9de61f795f06a1bc56845e9 #18451
Follow-up to af0216251b94e751baa47146ac9609db70793b8e #1589

Closes #19015

Changed files

lib/curl_threads.c

Change #245920

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 11 Oct 2025 01:04:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b419f1fd8779277e7bf8c97f58708cf466c3ffe0

Comments

examples/log_failed_transfers: make it build for WinCE
- include `windows.h` after `winsock2.h` via `curl/curl.h`.
- avoid `errno` for WinCE.
- avoid `_vscprintf` for WinCE.

Ref: 4535532ed36d2129b107ab357262072f82c2b34a #18843
Follow-up to 0780de2625bf8bb3bcb0f88bbbc401b2750ec1bb #18668
Closes #19016

Changed files

docs/examples/log_failed_transfers.c

Change #245922

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 11 Oct 2025 15:44:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	66753bc1203167c2a07737963149e83d93e3788c

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245924

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 10:29:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	142d61a0ee71b2c58f8f03495fb43d83b478db64

Comments

doswin: CloseHandle the thread on shutdown
As this is in the tool shutdown the impact of it was nothing.

Also, move two global variables to local.

Follow-up to 9a2663322c330ff11275abafd612e9c

Reported-by: Joshua Rogers
Closes #18996

Changed files

src/tool_doswin.c

Change #245926

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 10:30:54
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b3f9c837d3906c8f8214e848139f544c777240ab

Comments

asyn-ares: remove wrong comment about the callback argument
Both the c-ares documentation and the c-ares source code contradict the
previous comment (and mentions/contains no such restriction).

Ref: #19001
Closes #19014

Changed files

lib/asyn-ares.c

Change #245928

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 10:33:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1648f23ed367ecaaa66e4cc029dccf0733f52a9d

Comments

socksd: remove --bindonly mention, there is no such option
Reported-by: Joshua Rogers
Closes #19026

Changed files

tests/server/socksd.c

Change #245929

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 10:36:18
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d03a6b79b45921dead4d7848696bd1f1910d5970

Comments

lib1514: fix return code mixup
Reported-by: Joshua Rogers
Closes #19027

Changed files

tests/libtest/lib1514.c

Change #245930

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Sun 12 Oct 2025 15:27:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	44429da2e12ec660d000d3e3394900f03d4c3761

Comments

smb: transfer debugassert to real check
That also works for non-debug builds.

Reported-by: Joshua Rogers
Cloes #19003

Changed files

lib/smb.c

Change #245931

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Sun 12 Oct 2025 15:28:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dd7762c309d8e1f6c633825747be7ab812699940

Comments

libssh2: use sockindex consistently
Although the protocol should only run on index 0, there was a mix of
looked up sockindex and using constant 0 in tls send/recv.

Reported-by: Joshua Rogers
Closes #19004

Changed files

lib/vssh/libssh2.c

Change #245932

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Sun 12 Oct 2025 15:30:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6e35eb4879ec2ee97f43da295f52c6841beeafae

Comments

lib: SSL connection reuse
Protocol handlers not flagging PROTOPT_SSL that allow reuse of existing
SSL connections now need to carry the flag PROTOPT_SSL_REUSE.

Add PROTOPT_SSL_REUSE to imap, ldap, pop3, smtp and ftp.

Add tests the http: urls do not reuse https: connections and vice versa.

Reported-by: Sakthi SK
Fixes #19006
Closes #19007

Changed files

lib/ftp.c
lib/imap.c
lib/ldap.c
lib/openldap.c
lib/pop3.c
lib/smtp.c
lib/url.c
lib/urldata.h
tests/http/test_01_basic.py

Change #245933

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 15:33:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2b49d17cbacc6e919786c16019f3e330dc0f7605

Comments

docs: expand on quoting rules for file names in SFTP quote
Reported-by: Harry Sintonen
Closes #19025

Changed files

docs/cmdline-opts/quote.md
docs/libcurl/opts/CURLOPT_QUOTE.md

Change #245934

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 15:34:27
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	578706addec3d41cb5db64160d23795a95ca11d9

Comments

libssh/libssh2: reject quote command lines with too much data
If there is lingering letters left on the right side after the paths
have been parsed, they are syntactically incorrect so returning error is
the safe thing to do.

Reported-by: Harry Sintonen
Closes #19030

Changed files

lib/vssh/libssh.c
lib/vssh/libssh2.c

Change #245935

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 15:35:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1e90a63a49e9cbfea8ff52055576df1189b47a7d

Comments

sws: pass in socket reference to allow function to close it
The function service_connection() now passes in a reference to the
socket instead of by value since the sub function http_connect() might
close it and set *infdp = CURL_SOCKET_BAD. This would previously not be
detected when service_connection() returned and potentially cause a
double close of the socket.

Reported-by: Joshua Rogers

Closes #19031

Changed files

tests/server/sws.c

Change #245936

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 15:35:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1feeda422e4bf247d9181a06e5642ca5cc3bdfb2

Comments

examples/synctime: fix null termination assumptions
bonus: dont parse argv[0] for options

Reported-by: Joshua Rogers
Closes #19032

Changed files

docs/examples/synctime.c

Change #245937

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sun 12 Oct 2025 15:37:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e90b2aaa7e9dce64c3d7416b17a7c2feb7208db3

Comments

tftp: error requests for blank filenames
Reported-by: Joshua Rogers
Closes #19033

Changed files

lib/tftp.c

Change #245938

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 08:55:32
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	cde85412d03a52ed801b1e936f43ac033af65cf0

Comments

KNOWN_BUGS: We do not support auth-int for Digest using PUT or POST
Closes #19038

Changed files

docs/KNOWN_BUGS

Change #245939

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 08:56:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	56450ce26fa6ec05d1a1d63ee07efb9a204b656e

Comments

tool_msgs: make errorf() show if --show-error
Assisted-by: Mitchell Blank Jr
Ref: #19029
Closes #19035

Changed files

src/tool_msgs.c

Change #245940

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 10:38:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	27375ca36489475796a0e533bea6b040b0712da0

Comments

tool_getparam: make --fail and --fail-with-body override each other
This allows users to put one of them in their .curlrc and still easily
use the other one at will in command lines.

The --no-* versions disable both of them.

Reported-by: Mitchell Blank Jr
Fixes #19029
Closes #19034

Changed files

src/config2setopts.c
src/tool_cfgable.h
src/tool_getparam.c
src/tool_operate.c
tests/data/test360

Change #245941

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 10:40:48
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	67c4256f7e4f00d8e85b9a7da0b6004bfe5669e1

Comments

pop3: function could get the ->transfer field wrong
In pop3_perform(), pop3->transfer was derived from the old
data->req.no_body. Then, pop3_perform_command() re-computed
data->req.no_body.

Now we instead call pop3_perform_command() first.

Reported-by: Joshua Rogers
Closes #19039

Changed files

lib/pop3.c

Change #245942

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 10:41:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e003c0b25934bd8875ce34df2e4141fe518356ae

Comments

socks_sspi: remove the enforced mode clearing
Reported-by: Joshua Rogers
Closes #19040

Changed files

lib/socks_sspi.c

Change #245943

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 10:46:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	dee72fe31e3c07433b0f7c103bc416a65f572e03

Comments

libssh2: fix EAGAIN return in ssh_state_auth_agent
Reported-by: Joshua Rogers
Closes #19042

Changed files

lib/vssh/libssh2.c

Change #245944

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 13 Oct 2025 11:54:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5e74b2df345c702359926b78fa8c32a08689058e

Comments

REUSE: move copyright headers to `.checksrc`
To make it simpler to move them around, create and delete them without
syncing with `REUSE.toml`.

Also:
- checksrc: allow empty lines in `.checksrc`.
- comment on why curl printfs are disallowed in examples.

Closes #19024

Changed files

REUSE.toml
docs/examples/.checksrc
scripts/.checksrc
scripts/checksrc.pl
src/.checksrc
tests/server/.checksrc

Change #245945

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 12:27:39
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6d0fcdf2ed9942ad92665c2b96ab431c8829b53d

Comments

libssh: catch a resume point larger than the size
As it would otherwise trigger broken math

Reported-by: Joshua Rogers
Closes #19044

Changed files

lib/vssh/libssh.c

Change #245946

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 12:29:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f1828b54047dba804d04e4c0ebd402c6e9a11533

Comments

libssh2: avoid risking using an uninitialized local struct field
Reported-by: Joshua Rogers
Closes #19043

Changed files

lib/vssh/libssh2.c

Change #245947

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Mon 13 Oct 2025 16:03:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6deea19eb4396e68b42b2b7d3b32aaba8f30b03b

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245948

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 13 Oct 2025 16:11:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	497b3f022e9031eaa134697a5f5542b9d5ea3611

Comments

checksrc: allow disabling warnings on FIXME/TODO comments
Follow-up to 71ace9f3c16a434385fc27b3e8bffb52deb6ccd1

Closes #19048

Changed files

scripts/checksrc.pl

Change #245949

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 13 Oct 2025 17:52:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5cf0a6789da260518ed025d41d7dd6a7069fbfcd

Comments

examples: call `curl_global_cleanup()` where missing
Reported-by: Joshua Rogers (for `sepheaders.c`)

Closes #19051

Changed files

docs/examples/multi-uv.c
docs/examples/persistent.c
docs/examples/postit2-formadd.c
docs/examples/postit2.c
docs/examples/sepheaders.c
docs/examples/smooth-gtk-thread.c
docs/examples/synctime.c
docs/examples/threaded-ssl.c

Change #245950

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 13 Oct 2025 17:58:30
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3049c8e0a0c31174a482dbfa46586aaed6ed9c3f

Comments

examples: return `curl_easy_perform()` results
Where missing. Or explicitly `(void)` it where we ignore it on purpose.

Reported-by: Joshua Rogers (for `sepheaders.c`)

Closes #19052

Changed files

docs/examples/multithread.c
docs/examples/sepheaders.c
docs/examples/smooth-gtk-thread.c
docs/examples/threaded-ssl.c
docs/examples/url2file.c

Change #245951

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Mon 13 Oct 2025 23:02:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4c7507daf913c2e7f3ff96b1ff92e467a3d2ece5

Comments

examples: improve global init, error checks and returning errors
- add `curl_global_init()` and `curl_global_cleanup()` where missing.
- check the result of `curl_global_init()` where missing.
- return the last curl error from `main()`.
- drop Win32-specific socket initialization in favor of `curl_global_init()`.
- rename some outliers to `res` for curl result code.
- fix cleanup in some error cases.

Inspired by Joshua's report on examples.

Closes #19053

Changed files

docs/examples/10-at-a-time.c
docs/examples/address-scope.c
docs/examples/altsvc.c
docs/examples/anyauthput.c
docs/examples/block_ip.c
docs/examples/cacertinmem.c
docs/examples/certinfo.c
docs/examples/chkspeed.c
docs/examples/connect-to.c
docs/examples/cookie_interface.c
docs/examples/crawler.c
docs/examples/debug.c
docs/examples/default-scheme.c
docs/examples/ephiperfifo.c
docs/examples/evhiperfifo.c
docs/examples/externalsocket.c
docs/examples/fileupload.c
docs/examples/ftp-delete.c
docs/examples/ftp-wildcard.c
docs/examples/ftpget.c
docs/examples/ftpgetinfo.c
docs/examples/ftpgetresp.c
docs/examples/ftpsget.c
docs/examples/ftpupload.c
docs/examples/ftpuploadfrommem.c
docs/examples/ftpuploadresume.c
docs/examples/getinfo.c
docs/examples/getinmemory.c
docs/examples/getredirect.c
docs/examples/getreferrer.c
docs/examples/ghiper.c
docs/examples/headerapi.c
docs/examples/hiperfifo.c
docs/examples/hsts-preload.c
docs/examples/htmltidy.c
docs/examples/htmltitle.cpp
docs/examples/http-options.c
docs/examples/http-post.c
docs/examples/http2-download.c
docs/examples/http2-pushinmemory.c
docs/examples/http2-serverpush.c
docs/examples/http2-upload.c
docs/examples/http3-present.c
docs/examples/http3.c
docs/examples/httpcustomheader.c
docs/examples/httpput-postfields.c
docs/examples/httpput.c
docs/examples/https.c
docs/examples/imap-append.c
docs/examples/imap-authzid.c
docs/examples/imap-copy.c
docs/examples/imap-create.c
docs/examples/imap-delete.c
docs/examples/imap-examine.c
docs/examples/imap-fetch.c
docs/examples/imap-list.c
docs/examples/imap-lsub.c
docs/examples/imap-multi.c
docs/examples/imap-noop.c
docs/examples/imap-search.c
docs/examples/imap-ssl.c
docs/examples/imap-store.c
docs/examples/imap-tls.c
docs/examples/interface.c
docs/examples/ipv6.c
docs/examples/keepalive.c
docs/examples/localport.c
docs/examples/log_failed_transfers.c
docs/examples/maxconnects.c
docs/examples/multi-app.c
docs/examples/multi-debugcallback.c
docs/examples/multi-double.c
docs/examples/multi-event.c
docs/examples/multi-formadd.c
docs/examples/multi-legacy.c
docs/examples/multi-post.c
docs/examples/multi-single.c
docs/examples/multi-uv.c
docs/examples/multithread.c
docs/examples/netrc.c
docs/examples/persistent.c
docs/examples/pop3-authzid.c
docs/examples/pop3-dele.c
docs/examples/pop3-list.c
docs/examples/pop3-multi.c
docs/examples/pop3-noop.c
docs/examples/pop3-retr.c
docs/examples/pop3-ssl.c
docs/examples/pop3-stat.c
docs/examples/pop3-tls.c
docs/examples/pop3-top.c
docs/examples/pop3-uidl.c
docs/examples/post-callback.c
docs/examples/postinmemory.c
docs/examples/postit2-formadd.c
docs/examples/postit2.c
docs/examples/progressfunc.c
docs/examples/protofeats.c
docs/examples/range.c
docs/examples/resolve.c
docs/examples/rtsp-options.c
docs/examples/sendrecv.c
docs/examples/sepheaders.c
docs/examples/sessioninfo.c
docs/examples/sftpget.c
docs/examples/sftpuploadresume.c
docs/examples/shared-connection-cache.c
docs/examples/simple.c
docs/examples/simplepost.c
docs/examples/simplessl.c
docs/examples/smooth-gtk-thread.c
docs/examples/smtp-authzid.c
docs/examples/smtp-expn.c
docs/examples/smtp-mail.c
docs/examples/smtp-mime.c
docs/examples/smtp-multi.c
docs/examples/smtp-ssl.c
docs/examples/smtp-tls.c
docs/examples/smtp-vrfy.c
docs/examples/synctime.c
docs/examples/threaded-ssl.c
docs/examples/unixsocket.c
docs/examples/url2file.c
docs/examples/urlapi.c
docs/examples/usercertinmem.c
docs/examples/websocket-cb.c
docs/examples/websocket-updown.c
docs/examples/websocket.c
docs/examples/xmlstream.c

Change #245952

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Tue 14 Oct 2025 16:24:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1ea99afdc70e2e198c764ee05b794e505d776010

Comments

scorecard: add perf support on linux
When calling scorecard with --flame to produce a flamegraph, use
"perf" on linux platforms to do the measurements. Update the scorecard
documentation about it.

Closes #19058

Changed files

docs/internals/SCORECARD.md
tests/http/scorecard.py
tests/http/testenv/curl.py

Change #245953

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Tue 14 Oct 2025 16:25:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	61dcb56743e5e4a6a014b6e30b6d61c75355ff17

Comments

openldap: explain a const removing typecast
Closes #19056

Changed files

lib/openldap.c

Change #245954

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Tue 14 Oct 2025 16:33:00
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	64ed2ea1968e912439442dd3ad6addd8a2acfb84

Comments

examples: check more errors, fix cleanups, scope variables
Inspired by Joshua's report on examples.

Closes #19055

Changed files

docs/examples/10-at-a-time.c
docs/examples/anyauthput.c
docs/examples/cacertinmem.c
docs/examples/chkspeed.c
docs/examples/crawler.c
docs/examples/debug.c
docs/examples/ftpgetresp.c
docs/examples/ftpupload.c
docs/examples/ftpuploadresume.c
docs/examples/getinmemory.c
docs/examples/ghiper.c
docs/examples/htmltidy.c
docs/examples/http2-download.c
docs/examples/http2-pushinmemory.c
docs/examples/http2-serverpush.c
docs/examples/http2-upload.c
docs/examples/multi-app.c
docs/examples/multi-debugcallback.c
docs/examples/multi-double.c
docs/examples/multi-event.c
docs/examples/multi-formadd.c
docs/examples/multi-legacy.c
docs/examples/multi-post.c
docs/examples/multi-single.c
docs/examples/multi-uv.c
docs/examples/multithread.c
docs/examples/postinmemory.c
docs/examples/postit2.c
docs/examples/progressfunc.c
docs/examples/sftpuploadresume.c
docs/examples/smooth-gtk-thread.c
docs/examples/smtp-authzid.c
docs/examples/smtp-expn.c
docs/examples/smtp-mail.c
docs/examples/smtp-ssl.c
docs/examples/smtp-tls.c
docs/examples/smtp-vrfy.c
docs/examples/threaded-ssl.c
docs/examples/url2file.c
docs/examples/urlapi.c
docs/examples/usercertinmem.c
docs/examples/xmlstream.c

Change #245955

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Tue 14 Oct 2025 17:06:24
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fe06127dedfc0047c9e748658f23d52f32117055

Comments

tool_operate: retry on HTTP response codes 522 and 524
- Treat HTTP response codes 522 and 524 as a transient error since
  Cloudflare may use them instead of 504 to signal timeout.

For example here is a 522 error message from Cloudflare:

"The initial connection between Cloudflare's network and the origin web
server timed out. As a result, the web page can not be displayed."

Prior to this change the curl tool did not retry on HTTP response codes
522 and 524 when --retry was used.

Fixes https://github.com/curl/curl/discussions/16143
Closes https://github.com/curl/curl/pull/19011

Changed files

docs/cmdline-opts/retry.md
src/tool_operate.c

Change #245956

Category	curl
Changed by	Jay Satiro <raysatiroohnoyoudont@yahoo.com>
Changed at	Tue 14 Oct 2025 17:06:49
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	97ae9ec8efe05bd0d82bbf9ee127c46bfae40c8c

Comments

ws: fix type conversion check
- Fix logic that checks whether a size_t will fit in a curl_off_t.

Reported-by: Viktor Szakats

Fixes https://github.com/curl/curl/issues/19017
Closes https://github.com/curl/curl/pull/19036

Changed files

lib/ws.c

Change #245957

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 08:02:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9441127394a697412f826c737b4e6e53bbc1a1c4

Comments

http: look for trailing 'type=' in ftp:// without strstr
- it could find a wrong string
- this is faster

Closes #19065

Changed files

lib/http.c

Change #245958

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 08:03:29
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	ae5fb4188deac102ee8d2b7cdd192f06340b04f0

Comments

lib: reduce use of data->conn->
If there are more than two of them in a function, use a local 'conn'
variable instead.

Closes #19063

Changed files

lib/cfilters.c
lib/connect.c
lib/http.c
lib/multi.c
lib/vssh/libssh.c
lib/vssh/libssh2.c

Change #245959

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 09:19:23
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5ac3541cb4ef3b721ce98cf0212b1195ff4c0568

Comments

ftp: replace strstr() in ;type= handling
Since it needs to be a trailing piece of the path avoiding strstr() is
faster and more reliable.

Also stopped checking the host name since it cannot actually be there
since quite a long while back. The URL parser doesn't allow such a
hostname.

Moved the check into its own subfunction too.

Closes #19069

Changed files

lib/ftp.c

Change #245960

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 09:59:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	be852e39b25a4abbb7e5ecbe89d72f410ccfb3a8

Comments

tftp: check for trailing ";mode=" in URL without strstr
RFC 3617 defines two specific modes, "netascii" and "octet". This code
now checks only for those trailing ones - and not in the hostname since
they can't be there anymore.

Assisted-by: Jay Satiro
Closes #19070

Changed files

docs/cmdline-opts/use-ascii.md
lib/tftp.c
src/tool_listhelp.c
tests/data/test1093

Change #245961

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Wed 15 Oct 2025 10:36:43
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	182a5a9aae7290332792b14100db1a9451f75ab5

Comments

quic: remove data_idle handling
The transfer loop used to check the socket and if no poll events
were seen, triggered a "DATA_IDLE" event into the filters to let
them schedule times/do things anyway.

Since we no longer check the socket, the filters have been called
already and the DATA_IDLE event is unnecessary work. Remove it.

Closes #19060

Changed files

lib/cfilters.c
lib/cfilters.h
lib/transfer.c
lib/vquic/curl_ngtcp2.c
lib/vquic/curl_osslq.c
lib/vquic/curl_quiche.c

Change #245962

Category	curl
Changed by	Emre Çalışkan <bilgiohnoyoudont@emrecaliskan.com.tr>
Changed at	Wed 15 Oct 2025 10:39:31
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5e46318414590c99fc98709598e5e3441d63648b

Comments

transfer: reset retry count on each request
Reported-by: plv1313 on github
Fixes #18926
Closes #19066

Changed files

lib/easy.c
lib/transfer.c

Change #245963

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 10:44:51
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	62961d6cc57deb9beeba32d0ccdbdeec40eea096

Comments

lib: stop NULL-checking conn->passwd and ->user
They always point to a string. The string might be zero length.

Closes #19059

Changed files

lib/ftp.c
lib/pop3.c
lib/vssh/libssh2.c

Change #245964

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 12:33:03
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b7f2355b8b5cfa137aa2848c4ace951a317718f9

Comments

urldata: make 'retrycount' a single byte
Since it only counts up to 5

Closes #19071

Changed files

lib/urldata.h

Change #245965

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Wed 15 Oct 2025 12:34:33
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f8cd64e3abaae0ea7289c380362571060d0a1160

Comments

urldata: make redirect counter 16 bit
Instead of long (up to 64-bit) as the maximum allowed value set since
b059f7deaf3 is 0x7fff. Saves 2 or 6 bytes.

Closes #19072

Changed files

lib/urldata.h

Change #245966

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 16 Oct 2025 08:56:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	71d5525113171903deb9b97cc1913c30f515cc63

Comments

connect: remove redundant condition in shutdown start
Pointed out by CodeSonar

Closes #19079

Changed files

lib/connect.c

Change #245967

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 16 Oct 2025 09:01:17
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	79553fb7c65668e0df4afade0f76a19a31dd1157

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #245968

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Thu 16 Oct 2025 10:58:45
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c37ed9a11e57c2f416ab29c5fda8d6bd813acd89

Comments

apple sectrust: add to features
It should be visible in the feature list that libcurl is build with
Apple SecTrust enabled.

Closes #19057

Changed files

CMakeLists.txt
configure.ac
docs/libcurl/curl_version_info.md
lib/version.c
lib/vtls/apple.c
lib/vtls/apple.h
lib/vtls/vtls.c
m4/curl-apple-sectrust.m4

Change #245969

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 16:19:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9c36eace607190d2e3931b04c8a36ee7c4b0120a

Comments

autotools: drop detection of ancient OpenSSL libs `RSAglue` and `rsaref`
Closes #19078

Changed files

m4/curl-openssl.m4

Change #245970

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 16:19:05
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1a81a8e478ec426316c98e24a30d16df483ed8db

Comments

version: add GSS backend name and version
MIT Kerberos version detection is implemented for autotools and cmake.

Examples:
```
curl 8.17.0-DEV (x86_64-pc-linux-gnu) ... mbedTLS/3.6.4 libidn2/2.3.7 nghttp2/1.59.0 libgss/1.0.4 OpenLDAP/2.6.7
curl 8.17.0-DEV (x86_64-pc-linux-gnu) ... LibreSSL/4.1.1 libidn2/2.3.7 nghttp2/1.59.0 mit-krb5/1.20.1 OpenLDAP/2.6.7
curl 8.17.0-DEV (x86_64-pc-linux-gnu) ... LibreSSL/4.1.1 libidn2/2.3.7 nghttp2/1.59.0 mit-krb5 OpenLDAP/2.6.7
curl 8.17.0-DEV (x86_64-pc-linux-gnu) ... LibreSSL/4.1.1 nghttp2/1.59.0 mit-krb5/1.20.1 OpenLDAP/2.6.7
curl 8.17.0-DEV (aarch64e-apple-darwin24.6.0) ... GnuTLS/3.8.10 libidn2/2.3.8 libssh2/1.11.1 nghttp2/1.67.1 mit-krb5/1.22.1
```

Also:
- cmake/FindGSS: strip project name ("Kerberos 5 release") from
  the version string when detected via `krb5-config`.

Closes #19073

Changed files

CMake/FindGSS.cmake
CMakeLists.txt
configure.ac
lib/curl_config.h.cmake
lib/version.c

Change #245971

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 16:51:08
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	800b0bec18e9c77e35912fac8321c791d7b57863

Comments

GHA: bump LibreSSL to 4.2.0
Also move back URLs to GitHub, sources are available there again.

Ref: https://github.com/libressl/portable/releases/tag/v4.2.0
Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-4.2.0-relnotes.txt
Ref: #19050
Ref: #19081

Closes #19082

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux.yml
.github/workflows/macos.yml

Change #245972

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 18:53:44
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c8d6643df212791edee705a94c890335dac8762b

Comments

GHA/windows: stop installing Perl `Win32-Process*` modules
It's complex and did not help stabilizing CI runs.

Hard to say, but I'm suspicious it's related to the CI errors
-1073741502, 0xC0000142, seen in the 'build examples' and
'disk space used' steps.

Ref: #18526
Reverts 52775a7fb4ba63d66d60067dea4a5293fb7c55a1 #18296
Closes #19083

Changed files

.github/workflows/windows.yml

Change #245973

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 20:18:25
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3c0604bba46286b7ac6915ed19bb47bc3273c97a

Comments

GHA: sync up `curl -V` step descriptions
Also to make it easier to recognize.

Also:
- GHA/linux-old: split steps to match other jobs.
- GHA: add `--disable` where missing.

Closes #19084

Changed files

.github/workflows/http3-linux.yml
.github/workflows/linux-old.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/windows.yml

Change #245974

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 20:45:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c8aaa5d2f21f9eba973f8cfac12621819502102f

Comments

scripts: pass `--` before passing xargs
Also:
- GHA/checkdocs: escape `.` in -E regex expression.

Closes #19076

Changed files

.github/workflows/appveyor-status.yml
.github/workflows/checkdocs.yml
scripts/cmakelint.sh
scripts/firefox-db2pem.sh
scripts/perlcheck.sh

Change #245975

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Thu 16 Oct 2025 20:53:28
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	da06621d617ab498a989afe75b7c2a4193d619e4

Comments

firefox-db2pem.sh: add macOS support, tidy-ups
Cherry-picked from #19076
Closes #19086

Changed files

scripts/firefox-db2pem.sh

Change #245976

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Thu 16 Oct 2025 22:23:37
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f91be14bfb79021e3b9ba769955c1f2c4351e9bf

Comments

openldap: limit max incoming size
Set the maximum allowed size of an incoming LDAP message, which to
OpenLDAP means that it allows malloc() up to this size. If not set,
there is no limit and we instead risk a malloc() failure.

The limit is arbitrarily set to 256K as I can't figure out what a
reasonable value should be.

OpenLDAP docs: https://openldap.org/software/man.cgi?query=lber-sockbuf&apropos=0&sektion=0&manpath=OpenLDAP+2.6-Release&arch=default&format=html

Bug: https://issues.oss-fuzz.com/issues/432441303
Closes #19087

Changed files

lib/openldap.c

Change #245977

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 10:15:07
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f5f4710a260699b85c3b2d09e5bf886e8884fb29

Comments

examples/websocket: fix use of uninitialized rlen
Pointed out by ZeroPath

Closes #19088

Changed files

docs/examples/websocket.c

Change #245978

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 10:40:37
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	7e12139719e310e68b7eb2729eff859b4a5d3883

Comments

imap: treat capabilities case insensitively
Reported-by: Joshua Rogers
Fixes #19089
Closes #19090

Changed files

lib/imap.c

Change #245979

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 17 Oct 2025 11:50:48
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3a305831d1a9d10b2bfd4fa3939ed41275fee7f7

Comments

mbedtls: add support for 4.0.0
After this patch libcurl requires (as already documented)
the `curl_global_init()` call when using the `curl_formadd()` API with
mbedTLS.

Note: NTLM is not supported with mbedTLS 4+, because it lacks
the necessary crypto primitive: DES.

Also:
- lib: de-dupe mbedTLS minimum version checks into `curl_setup.h`.
- lib: initialize PSA Crypto as part of `curl_global_init()`.
For MD5, SHA-256, `curl_formadd()`, and MultiSSL builds with mbedTLS
but where mbedTLS isn't the default backend.
- lib1308: fix to call `curl_global_init()` (for the Form API).
- curl_ntlm_core: disable with mbedTLS 4+.
- md4: disable mbedTLS implementation when building against 4.x.
- md5: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- sha256: use mbedTLS PSA Crypto API when available, otherwise use
the default local implementation.
- vtls/mbedtls: drop PSA Crypto initialization in favor of
`curl_global_init()`.
- vtls/mbedtls: use PSA Crypto random API with all mbedTLS versions.
- vtls/mbedtls: do the same for the SHA-256 callback.
- autotools: detect mbedTLS 4+, and disable NTLM for 3.x.
- cmake: disable NTLM for mbedTLS 3.x.
- GHA/linux: keep building mbedTLS 3.x manually and use it in
an existing job, while also enabling pytest in it.
- GHA/linux: bump to mbedTLS 4.0.0.
Closes #19075
Closes #19074

Refs:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/docs/4.0-migration-guide.md
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/tf-psa-crypto/docs/1.0-migration-guide.md [404]
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/1.0-migration-guide.md
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/psa-transition.md
https://github.com/Mbed-TLS/TF-PSA-Crypto/tree/627f727bbed3d9319ed548f1c0839a29c223414e/docs/4.0-migration-guide

Closes #19077

Changed files

.github/workflows/linux.yml
CMakeLists.txt
configure.ac
lib/curl_ntlm_core.c
lib/curl_setup.h
lib/easy.c
lib/md4.c
lib/md5.c
lib/sha256.c
lib/vtls/mbedtls.c
m4/curl-mbedtls.m4
tests/libtest/lib1308.c

Change #245980

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 12:38:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c4db9eb491b3652235ddb5b18425c08b29da0408

Comments

rustls: limit snprintf proper in cr_keylog_log_cb()
It should limit the size to the size of the target array, not the
incoming data.

Pointed out by ZeroPath
Closes #19095

Changed files

lib/vtls/rustls.c

Change #245981

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 12:41:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e2a4de8a607d3c7f52918ef50ab6411c753fa2ce

Comments

openssl: better return code checks when logging cert data
Pointed out by ZeroPath

Closes #19094

Changed files

lib/vtls/openssl.c

Change #245982

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 17 Oct 2025 13:35:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	2719aa36b5cf7e638b1b4a0e5c69eb3068d5689d

Comments

test_16: adjust timing expectations
In MOST protocols and runs, the 'pretransfer' time is less than the
'starttransfer'. E.g. request being sent before response comes in.

However, when curl is starved of cpu a server response might start
streaming in before the multi-state transitioned to DID (and recorded
the 'pretransfer' time).

Do no longer check that 'pretransfer' is less or equal 'starttransfer'.
Check that is is less or equal to the total time instead.

Closes #19096

Changed files

tests/http/test_16_info.py

Change #245983

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 17 Oct 2025 13:36:21
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f221cdeabe7d4f1b123b9306feed8e3b8fe6abb0

Comments

ngtcp2: add a comment explaining write result handling
The choice to continue processing incoming data although the
writeout of the headers/data failed is not obvious. Add a comment
explaining why this is done.

Closes #19093

Changed files

lib/vquic/curl_ngtcp2.c

Change #245984

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 13:36:57
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3df71e6dc23e80466c2d448ceb7dc070addbea67

Comments

openssl: fail if more than MAX_ALLOWED_CERT_AMOUNT certs
Detect and prevent abuse or mistakes. Limit set to 100.

Closes #19091

Changed files

lib/vtls/openssl.c

Change #245985

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Fri 17 Oct 2025 14:25:09
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	9568109f71be2625c0bb6c4883e01042819b0f36

Comments

GHA: update ngtcp2/ngtcp2 to v1.17.0
Closes #19092

Changed files

.github/workflows/http3-linux.yml

Change #245986

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 15:47:36
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	6296b9d383850bf603fb750e727dc2064b80fe69

Comments

tool_ipfs: simplify the ipfs gateway logic
- make sure memory allocated by libcurl is freed with curl_free()

- drop the ensure_trailing_slash complexity

Closes #19097

Changed files

src/tool_ipfs.c

Change #245987

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 15:48:47
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	fbff1d5b9071283024253ddf48e81547f6474394

Comments

openssl: avoid overwriting 'result' after error
Follow-up to eefd03c572996e5de4dec4fe295ad6f

Pointed out by ZeroPath https://zeropath.com/
Closes #19099

Changed files

lib/vtls/openssl.c

Change #245988

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 16:12:34
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c0564ceb3a51feb0f5c5236809aa8420644b1fc7

Comments

cf-socket: if FD_CLOEXEC fails on accepted socket, cleanup
Follow-up to 9d7b532404181568de1611084bd9f

Pointed out by ZeroPath

Closes #19098

Changed files

lib/cf-socket.c

Change #245989

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 16:13:35
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	4fb12f289189e8113967e9c9da09958fd8bfa4cb

Comments

mime: fix use of fseek()
Avoid the possible 64-bit offset truncation when used on systems with
small 'long', like Windows.

bonus: make mime_open_file() return bool

Pointed out by ZeroPath
Closes #19100

Changed files

lib/formdata.c
lib/mime.c
lib/mime.h

Change #245990

Category	curl
Changed by	renovate[bot] <29139614+renovate[bot]ohnoyoudont@users.noreply.github.com>
Changed at	Fri 17 Oct 2025 16:19:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	74147acd175d0faf7e1a8f04c905351fd43aad12

Comments

GHA: update dependency ruff to v0.14.1
Closes #19085

Changed files

.github/scripts/requirements.txt

Change #245991

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 17 Oct 2025 16:19:42
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	14e4d9c3c7fad13611a608fe2f9c4ed4139130e7

Comments

setopt: fix unused variable warning in minimal build
Found via: #17961

Closes #19102

Changed files

lib/setopt.c

Change #245992

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 17 Oct 2025 16:59:11
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	1d01d4975f540f3a363b38e1296aead62130fc6d

Comments

socks_sspi: use the correct free function
When freeing buffers allocated by SSPI, use its own function, not free().

Reported-by: Joshua Rogers
Closes #19046

Changed files

lib/socks_sspi.c

Change #245993

Category	curl
Changed by	Stefan Eissing <stefanohnoyoudont@eissing.org>
Changed at	Fri 17 Oct 2025 17:23:46
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	5cefb455d47db9965aa56288533489e495a123c5

Comments

quic: improve UDP GRO receives
Closes #19101

Changed files

lib/vquic/curl_ngtcp2.c
lib/vquic/curl_quiche.c
lib/vquic/vquic.c
lib/vquic/vquic_int.h

Change #245994

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 17 Oct 2025 17:27:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	373855a4da0882ccb07a1b80b3754c80acc0d502

Comments

GHA/curl-for-win: add minimal Linux build
A bit more minimal build than the one used for trurl. To stress test
a build with most features disabled.

Costs 40 seconds, of which 6 is the build, rest is installing tools.

Ref: https://github.com/curl/curl-for-win/commit/5b385001d5f89886553cf83aa3f2f24476a865f4
Ref: https://github.com/curl/curl-for-win/commit/3ee10692c73a61522cabb3a4d2e94eb228249250

Follow-up to 5af2457848357141b3b3c67f7a45a4964ec25233 #17818

Closes #17961

Changed files

.github/workflows/curl-for-win.yml

Change #245995

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 17:44:14
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e9455ea523d91c8f6f29c3ae1f37500f0b637204

Comments

rustls: make read_file_into not reject good files
For files with sizes using an exact multiple of 256 bytes, the final
successful read(s) filled the buffer(s) and the subsequent fread
returned 0 for EOF, which caused read_file_into to fail.

Now, it needs to return 0 and not be EOF to be an error.

Follow-up to dd95a49d493d55db38b352fdbda2

Pointed out by ZeroPath
Closes #19104

Changed files

lib/vtls/rustls.c

Change #245996

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 17:45:06
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	25eb34dd3e7fedb400d3e5b99920936db6711b1e

Comments

KNOWN_BUGS: SOCKS-SSPI discards the security context
Also make the verbose log say it

Pointed out by ZeroPath

Closes #19103

Changed files

docs/KNOWN_BUGS
lib/socks_sspi.c

Change #245997

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Fri 17 Oct 2025 17:47:22
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	87b72b81829f8ef8fc0a243667cb7aea9d0c1c6e

Comments

krb5: fix `output_token` allocators in the GSS debug stub (Windows)
Before this patch system `malloc()`/`free()` were used to allocate
the buffer returned in the `output_token` object from the debug stub
of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in
debug-enabled libcurl builds. This object is later released via stock
`gss_release_buffer()`, which, in the Windows builds of MIT Kerberos,
doesn't use the system `free()`, but the Win32 `HeapFree()`.

Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and
`gssalloc_free()` from `gssapi_alloc.h`.

To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs `gssapi_alloc.h` for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.

Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for `gssapi_alloc.h` is impossible
without build-level logic. Built-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)

Follow-up to 73840836a51c443e6b5d385014ce1c8f5be3e02b #17752

Closes #19064

Changed files

lib/curl_gssapi.c

Change #245998

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 22:19:38
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	480ff0cf584413814955a45da84957f37ba02d1a

Comments

INSTALL: update the list of known operating systems
curl has run on

Closes #19106

Changed files

docs/INSTALL.md

Change #245999

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 22:23:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	d6c39cd2cb3a182f93f94cbff180dc29bfee461c

Comments

curl.h: remove incorrect comment about CURLOPT_PINNEDPUBLICKEY
Bug: https://curl.se/mail/lib-2025-10/0018.html
Reported-by: curl.stunt430
Closes #19105

Changed files

include/curl/curl.h

Change #246000

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 23:33:12
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	e29706d6e24f7327d3b3393b1f93b06aef642e7b

Comments

mbedtls: move the crypto init into the vtls init function
Follow-up to 3a305831d1a9d10b2bfd4fa3939

Closes #19108

Changed files

lib/easy.c
lib/vtls/mbedtls.c

Change #246001

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 23:34:04
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	c921f6d05271e83c62ee6b2e142d76198900c4a4

Comments

wolfssl: fix resource leak in verify_pinned error paths
Pointed out by ZeroPath

Closes #19110

Changed files

lib/vtls/wolfssl.c

Change #246002

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Fri 17 Oct 2025 23:39:16
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	3087511b0fb11ce9199aca0e7fe77ca3403b25b3

Comments

RELEASE-NOTES: synced

Changed files

RELEASE-NOTES

Change #246003

Category	curl
Changed by	Daniel Stenberg <danielohnoyoudont@haxx.se>
Changed at	Sat 18 Oct 2025 00:40:13
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	b9b8a7a5df552d4e5929d4d7e38490b9aef642a9

Comments

openssl: fix resource leak in provider error path
Pointed out by ZeroPath

Closes #19111

Changed files

lib/vtls/openssl.c

Change #246004

Category	curl
Changed by	Viktor Szakats <commitohnoyoudont@vsz.me>
Changed at	Sat 18 Oct 2025 02:25:10
Repository	https://github.com/curl/curl.git
Project	curl
Branch	master
Revision	f32451c12bb7fa4738d8c9cf6d7cd09ee876434b

Comments

curlx: promote `Curl_fseeko()` to `curlx_fseek()`, use it in `src`
- tool_formparse: replace truncated `fseek` with `curlx_fseek`.
- tool_operate: replace truncated `fseek` with `curlx_fseek`.
- tool_paramhlp: replace local duplicate `myfseek`, with `curlx_fseek`.

Follow-up to 4fb12f289189e8113967e9c9da09958fd8bfa4cb #19100

Closes #19107

Changed files

lib/curlx/fopen.c
lib/curlx/fopen.h
lib/formdata.c
lib/mime.c
lib/mime.h
src/tool_formparse.c
src/tool_operate.c
src/tool_paramhlp.c