Also:
- support per-directory and per-upper-directory whitelist entries.
- convert badlist input grep tweak into the above format.
(except for 'And' which had just a few hits.)
- fix many code exceptions, but do not enforce.
(there also remain about 350 'will' uses in lib)
- fix badwords in example code, drop exceptions.
- badwords-all: convert to Perl.
To make it usable from CMake.
- FAQ: reword to not use 'will'. Drop exception.
Closes#20886
- drop stray duplicate empty lines in docs, scripts, test data, include,
examples, tests.
- drop duplicate PP parenthesis.
- curl-functions.m4: move literals to the right side in if expressions,
to match rest of the source code.
- FAQ.md: delete language designator from an URL.
- packages: apply clang-format (OS400, VMS).
- scripts/schemetable.c: apply clang-format.
- data320: delete duplicate empty line that doesn't change the outcome.
- spacecheck: extend to check for duplicate empty lines
(with exceptions.)
- fix whitespace nits
Closes#19936
- curl_setup.h: replace `_CRT_SECURE_NO_DEPRECATE` with
`_CRT_SECURE_NO_WARNINGS`, which seems to be the preferred,
more recent macro for this. Also syncing with libssh2.
They are equivalent for curl sources with the supported compilers.
- cmake: stop setting `_CRT_SECURE_NO_DEPRECATE` globally for examples.
- examples: suppress CRT deprecation warnings on a per-file basis.
To make it work when compiling examples out of curl's build systems.
Use `_CRT_SECURE_NO_WARNINGS`.
- examples: document the functions requiring `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: delete superfluous `_CRT_SECURE_NO_WARNINGS`.
- examples/block_ip: limit `_CRT_NONSTDC_NO_DEPRECATE` to MSVC.
- examples/log_failed_transfers: fix to set `_CRT_SECURE_NO_WARNINGS`
before headers and limit to MSVC.
- curl_setup.h: document which SDKs support `_CRT_NONSTDC_NO_DEPRECATE`.
Closes#19175
Windows CE support was limited to successful builds with ming32ce
(a toolchain that hasn't seen an update since 2009, using an ancient gcc
version and "old mingw"-style SDK headers, that curl deprecated earlier).
Builds with MSVC were broken for a long time. mingw32ce builds were never
actually tested and runtime and unlikely to work due to missing stubs.
Windows CE toolchains also miss to comply with C89. Paired with lack of
demand and support for the platform, curl deprecated it earlier.
This patch removes support from the codebase to ease maintaining Windows
codepaths.
Follow-up to f98c0ba834#17924
Follow-up to 8491e6574c#17379
Follow-up to 2a292c3984#15975Closes#17927
- badwords.pl: add `-a` option to check all lines in source code files.
Before this patch indented lines were skipped (to avoid Markdown code
fences.)
- GHA/checksrc: use `-a` when verifying the source code.
- GHA/checksrc: disable `So` and `But` rules for source code.
- GHA/checksrc: add docs/examples to the verified sources.
- badwords.txt: delete 4 duplicates.
- badwords.txt: group and sort contractions.
- badwords.txt: allow ` url = `, `DIR`, `<file name`.
Closes#19536
- 'CURL *' handles are called 'curl'
- 'CURLM *' handles are called 'multi'
- write callbacks are called 'write_cb'
- read callbacs are called 'read_cb'
- CURLcode variables are called 'res'
It makes the examples look and feel more consistent. It allows for
easier copy and pasting between examples.
Closes#19299
Also:
- delete dead code.
- sync `http2-download.c` and `http2-upload.c` sources.
- simplessl: fix constant expression.
- simplessl: avoid `expression is constant` VS2010 warning, drop pragma.
- replace large stack buffers with dynamic allocation.
- http2-download: fix to fill transfer number.
Some of these were pointed out by TIOBE scanner via Coverity 2025.3.0.
Closes#19292
- add `curl_global_init()` and `curl_global_cleanup()` where missing.
- check the result of `curl_global_init()` where missing.
- return the last curl error from `main()`.
- drop Win32-specific socket initialization in favor of `curl_global_init()`.
- rename some outliers to `res` for curl result code.
- fix cleanup in some error cases.
Inspired by Joshua's report on examples.
Closes#19053
Both may apply to rare non-WinCE Windows builds too.
- fix gcc 4.4.0 preprocessor error:
```
docs/examples/http2-upload.c:43:8: error: "_MSC_VER" is not defined
```
Ref: https://github.com/curl/curl/actions/runs/18238150607/job/51935502616
- fix wrong header order:
Inlcude `windows.h` after `winsock2.h` via `curl/curl.h`.
Regressions from 45438c8d6f#18823Closes#18843
By making them defaults, then fixing and/or reshuffling remaining
exceptions as necessary.
- checksrc: ban by default: `snprintf`, `vsnprintf`, `sscanf`, `strtol`.
- examples: replace `strtol` with `atoi` to avoid a checksrc exception.
- tests/libtest: replace `strtol` with `atol`.
- tests/server: replace most `strtol` with `atol`.
- tests/server: replace most `strtoul` with `atol`/`atoi`.
- tests/server: drop no longer used `util_ultous`.
- fix typo in checksrc rules: `vsnprint` -> `vsnprintf`.
- update local exceptions.
Also:
- examples: ban curl printf functions. They're discouraged in user code.
- examples: replace curl printf with system printf.
Add `snprintf` workaround for <VS2015.
- examples/synctime: fix `-Wfloat-equal`.
- examples/synctime: exclude for non-Windows and non-UWP Windows.
- examples/synctime: build by default.
Closes#18823
Replace them by `curlx_open()` and `curlx_stat()`.
To make it obvious in the source code what is being executed.
Also:
- tests/server: stop overriding `open()` for test servers.
This is critical for the call made from the signal handler.
For other calls, it's an option to use `curlx_open()`, but
doesn't look important enough to do it, following the path
taken with `fopen()`.
Follow-up to 10bac43b87#18774
Follow-up to 20142f5d06#18634
Follow-up to bf7375ecc5#18503Closes#18776
Before this patch `accept4()`, `socket()`, `socketpair()`, `send()` and
`recv()` system symbols were remapped via macros, using the same name,
to local curl debug wrappers. This patch replaces these overrides by
introducing curl-namespaced macros that map either to the system symbols
or to their curl debug wrappers in `CURLDEBUG` (TrackMemory) builds.
This follows a patch that implemented the same for `accept()`.
The old method required tricks to make these redefines work in unity
builds, and avoid them interfering with system headers. These tricks
did not work for system symbols implemented as macros.
The new method allows to setup these mappings once, without interfering
with system headers, upstream macros, or unity builds. It makes builds
more robust.
Also:
- checksrc: ban all mapped functions.
- docs/examples: tidy up checksrc rules.
Follow-up to 9863599d69#18502
Follow-up to 3bb5e58c10#17827Closes#18503
To avoid hitting `-Wreserved-macro-identifier` where possible.
- amigaos: introduce local macro instead of reusing `__request()`.
- easy_lock: avoid redefining `__has_builtin()`.
Follow-up to 33fd57b8ff#9062
- rand: drop interim macro `_random()`.
- windows: rename local macro `_tcsdup()` to `Curl_tcsdup()`.
To avoid using the reserved macro namespace and to avoid
colliding with `_tcsdup()` as defined by Windows headers.
- checksrc: ban `_tcsdup()` in favor of `Curl_tcsdup()`.
- tool_doswin: avoid redefining `_use_lfn()` (MS-DOS).
- tool_findfile: limit `__NO_NET_API` hack to AmigaOS.
Syncing this pattern with `lib/netrc.c`.
Follow-up to 784a8ec2c1#16279
- examples/http2-upload: avoid reserved namespace for local macro.
More cases will be removed when dropping WinCE support via #17927.
Cases remain when defining external macros out of curl's control.
Ref: #18477Closes#18482
- tests/libtest: move exception to `stub_gssapi.h`.
- tests/libtest: move remaining exception to `testtrace.c`.
- tests/server: drop obsolete exception.
- docs/examples: move `BANNEDFUNC` exceptions to local files (3 lines).
- docs/examples: move `ERRNOVAR` exception to `ephiperfifo.c`.
- docs/examples: drop `typedef struct` (8 files).
- lib/curlx: add `.checksrc` with banned funcs copied from lib.
- checksrc: ban `strncpy`, `strtok_r`, `strtoul` by default.
Drop local bans. Add exception for `strtoul` to `tests/server'.
- lib, src: sync banned funcs.
Also:
- REUSE: drop `stunnel.pem`, it no longer exists.
- docs/examples: formatting.
- docs/examples: simplify some `sizeof()`s.
Closes#17764
To avoid breaking the control flow and align to majority of code
already using `return`.
`exit()` has the side-effect of suppressing leak detection in cases.
Fix fallouts detected after switching to `return`.
- configure:
- fix `getaddrinfo` run test to call `freeaddrinfo()` to pacify ASAN,
and call `WSACleanup()` to deinit winsock2.
- fix `getifaddrs` run test to call `freeifaddrs()` to pacify ASAN.
- tests/server:
- setup `atexit(win32_cleanup)` via `win32_init()`.
- return 2 instead of 1 on winsock2 init failures.
- sws: goto cleanup instead of `exit()` in `http_connect()`.
Follow-up to 02dfe71937#7235
- tests/client/http:
- cleanup memory to pacify ASAN in `h2-upgrade-extreme`,
`tls-session-reuse`.
- examples:
- block_ip: fix memory leak reported by CI.
- http2-upload: avoid handle leaks.
Untouched `exit()` calls, made from callbacks:
- docs/examples: ephiperfifo.c, ghiper.c, hiperfifo.c
- tests/libtest: lib582.c, lib655.c, lib670.c
- tests/server: tftpd.c
Closes#16507
Make it possible to build curl for Windows CE using the CeGCC toolchain.
With both CMake and autotools, including tests and examples, also in CI.
The build configuration is the default one with Schannel enabled. No
3rd-party dependencies have been tested.
Also revive old code to make Schannel build with Windows CE, including
certificate verification.
Builds have been throughougly tested. But, I've made no functional tests
for this PR. Some parts (esp. file operations, like truncate and seek)
are stubbed out and likely broken as a result. Test servers build, but
they do not work on Windows CE. This patch substitutes `fstat()` calls
with `stat()`, which operate on filenames, not file handles. This may or
may not work and/or may not be secure.
About CeGCC: I used the latest available macOS binary build v0.59.1
r1397 from 2009, in native `mingw32ce` build mode. CeGCC is in effect
MinGW + GCC 4.4.0 + old/classic-mingw Windows headers. It targets
Windows CE v3.0 according to its `_WIN32_WCE` value. It means this PR
restores portions of old/classic-mingw support. It makes the Windows CE
codepath compatible with GCC 4.4.0. It also adds workaround for CMake,
which cannot identify and configure this toolchain out of the box.
Notes:
- CMake doesn't recognize CeGCC/mingw32ce, necessitating tricks as seen
with Amiga and MS-DOS.
- CMake doesn't set `MINGW` for mingw32ce. Set it and `MINGW32CE`
manually as a helper variable, in addition to `WINCE` which CMake sets
based on `CMAKE_SYSTEM_NAME`.
- CMake fails to create an implib for `libcurl.dll`, due to not
recognizing the platform as a Windowsy one. This patch adds the
necessary workaround to make it work.
- headers shipping with CeGCC miss some things curl needs for Schannel
support. Fixed by restoring and renovating code previously deleted
old-mingw code.
- it's sometime non-trivial to figure out if a fallout is WinCE,
mingw32ce, old-mingw, or GCC version-specific.
- WinCE is always Unicode. With exceptions: no `wmain`,
`GetProcAddress()`.
- `_fileno()` is said to convert from `FILE *` to `void *` which is
a Win32 file `HANDLE`. (This patch doesn't use this, but with further
effort it probably could be.)
https://stackoverflow.com/questions/3989545/how-do-i-get-the-file-handle-from-the-fopen-file-structure
- WinCE has no signals, current directory, stdio/CRT file handles, no
`_get_osfhandle()`, no `errno`, no `errno.h`. Some of this stuff is
standard C89, yet missing from this platform. Microsoft expects
Windows CE apps to use Win32 file API and `FILE *` exclusively.
- revived CeGCC here (not tested for this PR):
https://building.enlyze.com/posts/a-new-windows-ce-x86-compiler-in-2024/
On `UNDER_CE` vs. `_WIN32_WCE`: (This patch settled on `UNDER_CE`)
- A custom VS2008 WinCE toolchain does not set any of these.
The compiler binaries don't contain these strings, and has no compiler
option for targeting WinCE, hinting that a vanilla toolchain isn't
setting any of them either.
- `UNDER_CE` is automatically defined by the CeGCC compiler.
https://cegcc.sourceforge.net/docs/details.html
- `UNDER_CE` is similar to `_WIN32`, except it's not set automatically
by all compilers. It's not supposed to have any value, like a version.
(Though e.g. OpenSSL sets it to a version)
- `_WIN32_WCE` is the CE counterpart of the non-CE `_WIN32_WINNT` macro.
That does return the targeted Windows CE version.
- `_WIN32_WCE` is not defined by compilers, and relies on a header
setting it to a default, or the build to set it to the desired target
version. This is also how `_WIN32_WINNT` works.
- `_WIN32_WCE` default is set by `windef.h` in CeGCC.
- `_WIN32_WCE` isn't set to a default by MSVC Windows CE headers (the
ones I checked at least).
- CMake sets `_WIN32_WCE=<ver>`, `UNDER_CE`, `WINCE` for MSVC WinCE.
- `_WIN32_WCE` seems more popular in other projects, including CeGCC
itself. `zlib` is a notable exception amongst curl dependencies,
which uses `UNDER_CE`.
- Since `_WIN32_WCE` needs "certain" headers to have it defined, it's
undefined depending on headers included beforehand.
- `curl/curl.h` re-uses `_WIN32_WCE`'s as a self-guard, relying on
its not-(necessarily)-defined-by-default property:
25b445e479/include/curl/curl.h (L77)
Toolchain downloads:
- Windows:
https://downloads.sourceforge.net/cegcc/cegcc/0.59.1/cegcc_mingw32ce_cygwin1.7_r1399.tar.bz2
- macOS Intel:
https://downloads.sourceforge.net/cegcc/cegcc/0.59.1/cegcc_mingw32ce_snowleopard_r1397.tar.bz2Closes#15975
For MinGW this is `-DNO_OLDNAMES`, with MSVC it is
`-D_CRT_DECLARE_NONSTDC_NAMES=0`.
There have been some support for this before this patch.
After this patch this is extended to all examples.
(And also the standalone http/client programs, if here.)
Cherry-picked from #15652Closes#15789
- appveyor: add build-only job for clang-cl.
- cmake: `-pedantic-errors` enables `-Werror,-Wlanguage-extension-token`
automatically, which makes `__int64` detection fail.
Explictly disable this compiler warning for clang-cl to make the
feature detection work and to accept `__int64` in the source code.
- cmake: disable `-Wlanguage-extension-token` warning for clang-cl
to fix these when encountering `__int64`:
```
lib/formdata.c(797,29): error : extension used [-Werror,-Wlanguage-extension-token]
lib/warnless.c(117,33): error : extension used [-Werror,-Wlanguage-extension-token]
lib/warnless.c(60,28): message : expanded from macro 'CURL_MASK_SCOFFT'
lib/warnless.c(59,38): message : expanded from macro 'CURL_MASK_UCOFFT'
include\curl/system.h(352,40): message : expanded from macro 'CURL_TYPEOF_CURL_OFF_T'
```
- make `__GNUC__` warning suppressions apply to `__clang__` too.
Necessary for clang-cl, which defines the latter, but not the former.
(Regular clang defines both.)
- examples: fix clang-cl compiler warning in `http2-upload.c`.
```
docs\examples\http2-upload.c(56,5): error : no previous prototype for function 'my_gettimeofday' [-Werror,-Wmissing-prototypes]
docs\examples\http2-upload.c(56,1): message : declare 'static' if the function is not intended to be used outside of this translation unit
```
- unit2604: add missing `#pragma GCC diagnostic pop`.
Follow-up to e53523fef0#14859
- unit1652: limit compiler warning suppression to GCC.
They do not affect clang builds.
Follow-up to 71cf0d1fca#14772Closes#15449
Use these words and casing more consistently across text, comments and
one curl tool output:
AIX, ALPN, ANSI, BSD, Cygwin, Darwin, FreeBSD, GitHub, HP-UX, Linux,
macOS, MS-DOS, MSYS, MinGW, NTLM, POSIX, Solaris, UNIX, Unix, Unicode,
WINE, WebDAV, Win32, winbind, WinIDN, Windows, Windows CE, Winsock.
Mostly OS names and a few more.
Also a couple of other minor text fixups.
Closes#14360
- `websocket.c`: use `Sleep()` on Windows.
`sleep()` and `unistd.h` are not available in MSVC.
- `http2-upload.c`: use local `gettimeofday()` implementation when
compiled with MSVC.
(Alternate solution is to disable the trace function for MSVC.)
Public domain code copied and adapted from libssh2:
e973493f99/src/misc.c (L719-L743)
- silence compiler warning for deprecated `inet_addr()`.
Also drop duplicate winsock2 include.
```
curl\docs\examples\externalsocket.c(125,32): error C2220: the following warning is treated as an error [curl\bld\docs\examples\curl-example-externalsocket.vcxproj]
curl\docs\examples\externalsocket.c(125,32): warning C4996: 'inet_addr': Use inet_pton() or InetPton() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings [curl\bld\docs\examples\curl-example-e
```
Ref: https://github.com/curl/curl/actions/runs/9227337318/job/25389073450#step:4:95
- silence an MSVC compiler warning. This is in conflict with `checksrc`
rules, so silence the rule in favour of the warning-free C syntax.
```
curl\docs\examples\multi-legacy.c(152,1): error C2220: the following warning is treated as an error [curl\bld\docs\examples\curl-example-multi-legacy.vcxproj]
curl\docs\examples\multi-legacy.c(152,1): warning C4706: assignment within conditional expression [curl\bld\docs\examples\curl-example-multi-legacy.vcxproj]
```
Ref: https://github.com/curl/curl/actions/runs/9227337318/job/25389073450#step:4:226
- do not use `sys/time.h` and `unistd.h` in Windows builds.
Some of these includes look unnecessary. Subject to another PR.
Cherry-picked from #13766Closes#13771
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1].
Enable new recommended warnings (except `-Wsign-conversion`):
- enable `-Wformat=2` for clang (in both cmake and autotools).
- add `CURL_PRINTF()` internal attribute and mark functions accepting
printf arguments with it. This is a copy of existing
`CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible
with redefinting the `printf` symbol:
https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
- fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for
mingw-w64 and enable it on this platform.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
- add `-Wsign-conversion` commented with a FIXME.
- cmake: enable `-pedantic-errors` the way we do it with autotools.
Follow-up to d5c0351055#2747
- lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format
checks. Previously it was always disabled due to the internal `printf`
macro.
Fix them:
- fix bug where an `set_ipv6_v6only()` call was missed in builds with
`--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
- add internal `FALLTHROUGH()` macro.
- replace obsolete fall-through comments with `FALLTHROUGH()`.
- fix fallthrough markups: Delete redundant ones (showing up as
warnings in most cases). Add missing ones. Fix indentation.
- silence `-Wformat-nonliteral` warnings with llvm/clang.
- fix one `-Wformat-nonliteral` warning.
- fix new `-Wformat` and `-Wformat-security` warnings.
- fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its
definition to `lib/curl_setup.h` allowing use in `tests/server`.
- lib: fix two wrongly passed string arguments in log outputs.
Co-authored-by: Jay Satiro
- fix new `-Wformat` warnings on mingw-w64.
[1] 56c0fde389/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.mdCloses#12489
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING
checksrc is updated to allow non-year using copyright statements
Closes#10205
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes#8869
The API is soon two years old and deserves being shown as the primary
way to drive multi code as it makes it much easier to write code.
multi-poll: removed
multi-legacy: add to show how we did multi API use before
curl_multi_wait/poll.
Closes#7352
If `index.html` does not exist in the directory from which the example
is invoked, the fopen(upload, "rb") invocation in `setup` would fail,
returning NULL. This value is subsequently passed as the FILE* argument
of the `fread` invocation in the `read_callback` function, which is the
actual cause of the crash (apparently `fread` assumes that argument to
be non-null).
In addition, mitigate some possible crashes of similar origin.
Closes#5463
