protcol.h: fix the CURLPROTO_MASK

It had an 'f' too few. Also provide CURLPROTO_WS* unconditionally internally, so that code can depend on them in all builds. Follow-up to cd5ca80f00 Spotted by Codex Security Test case 3219 added to catch this next time. Closes #21031
2026-04-11 12:01:42 +08:00 · 2026-03-20 13:55:47 +01:00 · 2026-03-20 13:55:47 +01:00 · f2ba8f0613
commit f2ba8f0613
parent 07c10f09a5
5 changed files with 68 additions and 11 deletions
--- a/lib/protocol.h
+++ b/lib/protocol.h
@ -57,7 +57,6 @@ struct easy_pollset;
 #define PORT_MQTT   1883
 #define PORT_MQTTS  8883

-#ifndef CURL_DISABLE_WEBSOCKETS
 /* CURLPROTO_GOPHERS (29) is the highest publicly used protocol bit number,
 * the rest are internal information. If we use higher bits we only do this on
 * platforms that have a >= 64-bit type and then we use such a type for the
@ -65,11 +64,6 @@ struct easy_pollset;
 */
 #define CURLPROTO_WS     (1L << 30)
 #define CURLPROTO_WSS    ((curl_prot_t)1 << 31)
-#else
-#define CURLPROTO_WS     0L
-#define CURLPROTO_WSS    0L
-#endif
-
 #define CURLPROTO_MQTTS  (1LL << 32)

 #define CURLPROTO_64ALL ((uint64_t)0xffffffffffffffff)
@ -83,7 +77,7 @@ typedef curl_off_t curl_prot_t;
 /* This mask is for all the old protocols that are provided and defined in the
   public header and shall exclude protocols added since which are not exposed
   in the API */
-#define CURLPROTO_MASK   0x3ffffff
+#define CURLPROTO_MASK   0x3fffffff

 /* Convenience defines for checking protocols or their SSL based version. Each
   protocol scheme should only ever have a single CURLPROTO_ in its protocol
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -282,9 +282,10 @@ test3032 test3033 test3034 test3035 test3036 \
 \
 test3100 test3101 test3102 test3103 test3104 test3105 \
 \
-test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 \
-test3209 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 \
-test3218 \
+test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 \
+test3208 test3209 test3210 test3211 test3212 test3213 test3214 test3215 \
+test3216 test3217 test3218 test3219 \
+\
 test4000 test4001

 EXTRA_DIST = $(TESTCASES) DISABLED data-xml1 data320.html \
--- a/tests/data/test3219
+++ b/tests/data/test3219
@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+unittest
+define
+</keywords>
+</info>
+
+<client>
+<features>
+unittest
+</features>
+<name>
+CURLPROTO_MASK checks
+</name>
+</client>
+
+</testcase>
--- a/tests/unit/Makefile.inc
+++ b/tests/unit/Makefile.inc
@ -45,4 +45,4 @@ TESTS_C = \
  unit1979.c unit1980.c \
  unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c \
  unit3200.c                                             unit3205.c \
-  unit3211.c unit3212.c unit3213.c unit3214.c            unit3216.c
+  unit3211.c unit3212.c unit3213.c unit3214.c            unit3216.c unit3219.c
--- a/tests/unit/unit3219.c
+++ b/tests/unit/unit3219.c
@ -0,0 +1,43 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "unitcheck.h"
+#include "protocol.h"
+
+static CURLcode test_unit3219(const char *arg)
+{
+  UNITTEST_BEGIN_SIMPLE
+
+  fail_unless((CURLPROTO_MASK & CURLPROTO_HTTP) == CURLPROTO_HTTP,
+              "mask should include HTTP");
+  fail_unless((CURLPROTO_MASK & CURLPROTO_GOPHERS) == CURLPROTO_GOPHERS,
+              "mask should include the highest public protocol bit");
+  fail_unless((CURLPROTO_MASK & CURLPROTO_WS) == 0,
+              "mask should exclude websocket protocol bits");
+  fail_unless((CURLPROTO_MASK & CURLPROTO_WSS) == 0,
+              "mask should exclude secure websocket protocol bits");
+  fail_unless((CURLPROTO_MASK & CURLPROTO_MQTTS) == 0,
+              "mask should exclude internal-only protocols");
+
+  UNITTEST_END_SIMPLE
+}