Pass build options directly via `COMPILE_DEFINTIONS` and
`LINK_LIBRARIES`, instead of "tunneling" them through `CMAKE_FLAGS`.
The latter method breaks when passing `Threads::Threads` as library via
`CMAKE_REQUIRED_LIBRARIES`, while also being complex and fragile.
Example:
```
-- Performing Test HAVE_FSETXATTR_5
CMake Error at bld/CMakeFiles/CMakeTmp/CMakeLists.txt:27 (target_link_libraries):
Target "cmTC_3386e" links to:
Threads::Threads
but the target was not found. Possible reasons include:
* There is a typo in the target name.
* A find_package call is missing for an IMPORTED target.
* An ALIAS target is missing.
CMake Error at CMake/Macros.cmake:51 (try_compile):
Failed to generate test project build system.
Call Stack (most recent call first):
CMakeLists.txt:1684 (curl_internal_test)
```
Ref: https://github.com/curl/curl/actions/runs/23792043930/job/69329796592?pr=21168#step:38:318
Note: a side-effect is no longer passing C compiler flags (e.g.
`CMAKE_REQUIRED_FLAGS`) to the _linker_. This should not be an issue,
though CMake is passing them during its built-in detections.
Ref: https://cmake.org/cmake/help/v3.18/command/try_compile.htmlCloses#21176
If there is no trailing file name for -O or --remote-name-all, continue
searching until there is no more to search. A URL ending with multiple
slashes would previously make it do wrong.
Add test 1639 and 1644 to verify.
Follow-up to e26eefd9ce
Reported-by: James Fuller
Closes#21165
Seen on macOS:
```
CMake Warning at CMakeLists.txt:2158 (message):
Bad lib in library list: Threads::Threads
```
Follow-up to 2d546d239e#21163Closes#21170
- use `Threads::Threads` imported target, replacing
`CMAKE_THREAD_LIBS_INIT`. To use the modern form and to allow using
`THREADS_PREFER_PTHREAD_FLAG` option.
- only add Threads library/options if POSIX Threads was detected (not
any other threading backend FindThreads may detect, e.g. the HP one.)
- curl-config.in.cmake: detect and define `Threads::Threads`.
Refs:
https://cmake.org/cmake/help/v3.18/module/FindThreads.htmlhttps://cmake.org/cmake/help/v4.3/module/FindThreads.htmlCloses#21163
Prior to this patch code used either `HAVE_PTHREAD_H`, or
`HAVE_THREADS_POSIX`, or both, to decide if POSIX Threads support is
present. In effect requiring both to be defined for a consistent build.
Drop detecting and guarding for `pthread.h`, and assume it present when
`HAVE_THREADS_POSIX` is set.
OS/400 had `HAVE_PTHREAD_H` set, but not `HAVE_THREADS_POSIX`, which
possibly left threading disabled in most sources.
Ref: https://pubs.opengroup.org/onlinepubs/009695399/basedefs/pthread.h.html
Ref: 930f2e8227#21144Closes#21158
When creating a temp file in order to later replace an original, copying
over the existing permissions can not be considered safe when the user
running libcurl is not the owner of the existing file.
Closes#21092
memory allocated by libcurl (curl_maprintf) must be freed with
curl_free(), and memory allocated by the tool (curlx_strdup via
findfile) must be freed with curlx_free().
- tool_cfgable: ech_config is allocated with curl_maprintf, free it
with curl_free() instead of tool_safefree()
- config2setopts: known hosts from findfile() is allocated with
curlx_strdup, free it with curlx_free() instead of curl_free()
Follow-up to b71973c115Closes#21150
socks5_req0_init() rejects hostnames longer than 255 bytes, but the
later cast to unsigned char in socks5_req1_init() has no local
indication that it is safe. Add a DEBUGASSERT and comment to document
the invariant and guard against future refactoring.
Closes#21157
A "broken" SOCKS5 proxy can send an invalid length of the encryption
token, which could cause malloc(0) to be called, which is a "platform
can do what it wants" potential problem.
Resolve this by explicitly checking the length and rejecting the invalid
token before ever attempting to allocate any memory.
Closes#21159
When used together with `USE_OPENSSL`. `USE_QUICHE` always implies
`USE_OPENSSL`.
Also: merge two (now identical) `#if` blocks in `openssl.c`.
Closes#21135
Introduce `toolx_ftruncate()` macro and map it to existing replacements
for non-mingw-w64 Windows and DJGPP, or to `ftruncate` otherwise.
Follow-up to 6041b9b11b#21109Closes#21130
New connection filter `cf-dns` that manages DNS queries. If hands
out addresses and HTTPS-RR records to anyone interested. Used by
HTTPS and IP happy eyeballing.
Information may become available *before* the libcurl "dns entry"
is complete, e.g. all queries have been answered. The cf-ip-happy
filter uses this information to start connection attempts as soon
as the first address is available.
The multi MSTATE_RESOLVING was removed. A new connection always
goes to MSTATE_CONNECTING. The connectdata bit `dns_resolved`
indicates when DNS information is complete. This is used for
error reporting and starting the progress meter.
Removed dns entries `data->state.dns[i]`, as the `cf-dns` filter
now keeps the reference now.
Many minor tweaks for making this work and pass address information
around safely.
Closes#21027
It was wrongly previously only used in debug code for event based
transfer and not in the "normal" parallel transfer case.
Follow-up to 4654493fedCloses#21147
This warning was created at a time when all backends for HTTP/3 were
experimental. Since there are now non-experimental backends this warning
is incorrect in some cases and was already handled by backends that were
added to the experimental list.
Follow-up to 0535f6ec71Closes#21139
By moving the coexist workaround from vtls/openssl.c to vtls/openssl.h.
This way it also applies to vtls.c (and possibly other sources including
`vtls/openssl.h`), which may need it in unity builds before BoringSSL
header `openssl/ssl.h` pulling in the conflicting symbols and causing
conflicts otherwise.
Seen with build config:
```
-DCURL_USE_SCHANNEL=ON -DCURL_USE_OPENSSL=ON
-DCMAKE_UNITY_BUILD=ON -DCMAKE_UNITY_BUILD_BATCH_SIZE=30
```
Fixing:
```
In file included from _cm-win-boringssl/lib/CMakeFiles/libcurl_object.dir/Unity/unity_5_c.c:7:
In file included from lib/vtls/vtls.c:54:
In file included from lib/vtls/openssl.h:33:
In file included from /path/to/boringssl/_x64-win-ucrt/usr/include/openssl/opensslv.h:18:
In file included from /path/to/boringssl/_x64-win-ucrt/usr/include/openssl/crypto.h:18:
/path/to/boringssl/_x64-win-ucrt/usr/include/openssl/base.h:293:29: error: expected ')'
293 | typedef struct X509_name_st X509_NAME;
| ^
/path/to/llvm-mingw/x86_64-w64-mingw32/include/wincrypt.h:1515:29: note: expanded from macro 'X509_NAME'
1515 | #define X509_NAME ((LPCSTR) 7)
| ^
[...]
```
Ref: 2a92c39a21#20567Closes#21136
- update `filelock` from 3.24.3 to 3.25.2
- update `ruff` from 0.15.2 to 0.15.7
- update `cryptography` from 46.0.5 to 46.0.6 (CVE-2026-34073)
Closes#21138
The myssh_in_SFTP_READDIR_BOTTOM() function would not store the error
code correctly thus it could be ignored and missed when an error was
returned at that particular moment.
Follow-up to 3c26e6a896
Found by Codex Security
Closes#21122
non-HTTP protocols no longer retry after connection reuse failures
because multi_follow() now requires a handler->follow callback that is
NULL for those protocols. Provide a fallback for plain retries.
Follow-up to 1213c31272
Spotted by Codex Security
Closes#21121
When assembling the URL of a pushed resource over a not-secured
connection, require the scheme to be known and not secure.
Reported-by: xkilua on hackerone
Closes#21113
Mozilla may push to its repo much later than the commit date, which can
be a source of confusion when using the reproducible timestamp (which is
determined by the commit date) by default. Example:
https://curl.se/ca/cacert-2026-03-19.pem vs.
1a84aee638/security/nss/lib/ckfw/builtins/certdata.txt
This feature had no actual user (or a planned one) from within curl at
the moment, and not requested by curl users. curl-for-win does this on
its own, which is the more practical way there since everything (not
just the CA bundle) needs to be reproducible anyway. I surmise this may
be true for most if not all reproducible use-cases.
Another limitation was that it could bump into GitHub's rate limiting,
needing further updates.
Also: code had some unintented leftovers.
Reported-by: Daniel Stenberg
Bug: https://github.com/curl/curl/pull/20528#issuecomment-4140610008
Follow-up to ca92e20123#20528Closes#21116
```
lib/vtls/openssl.c:4238:22: error: ‘SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED’ undeclared (first use in this function); did you mean ‘SSL_R_TLS_ALERT_CERTIFICATE_EXPIRED’?
4238 | (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| SSL_R_TLS_ALERT_CERTIFICATE_EXPIRED
lib/vtls/openssl.c:4238:22: note: each undeclared identifier is reported only once for each function it appears in
```
Ref: https://github.com/curl/curl/actions/runs/23641366299/job/68863072427#step:24:189
Cherry-picked from #21118Closes#21119
