Memory returned from curl_easy_escape() should be freed with curl_free()
to avoid surprises.
Follow-up to f37840a46e
Spotted by Codex Security
Closes #21075
By passing command-line as separate arguments instead of using a single
string. This needs skipping the shell, so rework redirections to use
Perl `open3()`.
Also explored to use `-out` to avoid redirections, but it makes the
command-line incompatible with some OpenSSL implementations/versions
(e.g. on default macOS), and would still need a solution for
`2>/dev/null`.
Ref: https://perldoc.perl.org/IPC::Open3
Closes #20971
Add test case 1673 to do repeated upload failures and verify there is no
leak. This proved a previous leak and now it verifies the fix.
Reported-by: James Fuller
Closes #21062
with `-DCURL_DISABLE_SOCKETPAIR=ON`.
```
lib/asyn-thrdd.c:227:5: error: Value stored to 'do_abort' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
227 | do_abort = addr_ctx->do_abort;
| ^ ~~~~~~~~~~~~~~~~~~
```
Closes #21061
with
`-DCURL_DISABLE_VERBOSE_STRINGS=ON -DCURL_USE_GNUTLS=ON -DCURL_CLANG_TIDY=ON`.
```
lib/vtls/gtls.c:268:7: error: Value stored to 'strerr' is never read [clang-analyzer-deadcode.DeadStores,-warnings-as-errors]
268 | strerr = gnutls_strerror(rc);
| ^ ~~~~~~~~~~~~~~~~~~~
```
Closes #21060
The two bitmask constants for *CLEAR_DNS and *CLEAR_CONNS were
duplicates (both set to 1), so they cannot be distinguished and both
actions fire.
This shipped in public releases from 8.16.0 up to and including 8.19.0.
This fix adds CURLMNWC_CLEAR_ALL to be the new 1, and it now implies all
bits. The DNS and CONNS defines get two new bits (2, 4).
Follow-up to 55c045c863
Found by Codex Security
Closes #20968
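Added illustration of the duplicate-bit problem described in the commit above; it is not curl's code. The `OLD_*`/`NEW_*` macros and `ACT_*` flags are names local to this example, and which of DNS/CONNS gets 2 versus 4 is an assumption.

```c
#include <stdio.h>

/* Stand-ins local to this example, modelled on the commit message. */
#define OLD_CLEAR_CONNS (1L << 0)
#define OLD_CLEAR_DNS   (1L << 0)  /* same bit: cannot be told apart */

#define NEW_CLEAR_ALL   (1L << 0)  /* "the new 1", implies every action */
#define NEW_CLEAR_DNS   (1L << 1)  /* assumption: DNS = 2, CONNS = 4 */
#define NEW_CLEAR_CONNS (1L << 2)

/* A check like this at build time rejects overlapping flag values. */
_Static_assert((NEW_CLEAR_ALL & NEW_CLEAR_DNS) == 0 &&
               (NEW_CLEAR_ALL & NEW_CLEAR_CONNS) == 0 &&
               (NEW_CLEAR_DNS & NEW_CLEAR_CONNS) == 0,
               "flag bits must be distinct");

#define ACT_DNS   1  /* the DNS cache would be cleared */
#define ACT_CONNS 2  /* the connection pool would be cleared */

/* Which actions fire for a caller-supplied mask, old numbering. */
static int actions_old(long mask)
{
  int act = 0;
  if(mask & OLD_CLEAR_DNS)
    act |= ACT_DNS;
  if(mask & OLD_CLEAR_CONNS)
    act |= ACT_CONNS;
  return act;
}

/* Same dispatch with the new numbering; ALL expands to all bits. */
static int actions_new(long mask)
{
  int act = 0;
  if(mask & NEW_CLEAR_ALL)
    mask |= NEW_CLEAR_DNS | NEW_CLEAR_CONNS;
  if(mask & NEW_CLEAR_DNS)
    act |= ACT_DNS;
  if(mask & NEW_CLEAR_CONNS)
    act |= ACT_CONNS;
  return act;
}

int main(void)
{
  printf("old DNS-only request -> actions %d\n", actions_old(OLD_CLEAR_DNS));
  printf("new DNS-only request -> actions %d\n", actions_new(NEW_CLEAR_DNS));
  return 0;
}
```

In this model a caller built against the old values passes 1 and still gets both actions under the new numbering, while a DNS-only request no longer touches connections.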
This reverts commit 21fc17b265.
That was not properly thought through. PowerPC can run in either endian
and the preprocessor does not know which.
Ref: #20985
Closes #21058
c-ares builds have been sped up within curl-for-win using pre-fills. It
allows building it with acceptable performance, making it practical to
use it, alongside HTTPS-RR, in curl CI and possibly in curl-for-win. It
has been enabled in its dev branch for a while.
Ref: 61a7354120
Closes #21032
Fixing (seen in curl-for-win dev branch):
```
In file included from _a64-linux-gnu-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:34:
lib/cf-https-connect.c:681:28: error: implicit conversion from 'unsigned char' to enumeration type 'enum alpnid' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
681 | enum alpnid alpn = rr->alpns[i];
| ~~~~ ^~~~~~~~~~~~e
```
Ref: #21032
Closes #21057
PowerPC64 (both big-endian and little-endian) supports efficient
unaligned memory access, similar to x86. This extends the existing
fast path that avoids byte-by-byte loads in the MD5 and MD4 SET/GET
macros.
On POWER8 ppc64le, this eliminates 3 shifts + 3 ORs per 32-bit word
load, replacing them with a single lwz (or lwbrx on big-endian).
Co Authored By Claude Opus 4.6 (1M context)
Closes #20985
... and apply the CURLOPT_MAXFILESIZE limit (if set) on that as well.
This effectively protects the user against "zip bombs".
Test case 1618 verifies using a 14 byte brotli payload that otherwise
explodes to 102400 zero bytes.
Closes #20787
When skipping macdef lines inside netrc files, ignore it completely and
do not tokenize or bail out on bad quotes.
Verify in test 1672
Follow-up to 3b43a05e00
Spotted by Codex Security
Closes #21049
The code runs under different rules than documentation and these checks
cause too much friction with too little gain.
Leave checking of the public include files since they are almost
documentation.
Closes #21048
The code failed to check for the version, and could thus read memory
past the existing curl_version_info_data structure. This could lead to a
crash.
Closes #21050
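Added illustration of the missing check described in the commit above, using a constructed struct rather than curl's `curl_version_info_data`; it is not curl's code. The `info_*` names, the field set and the sample values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not curl's struct: fields are appended over time and
   'age' tells the caller which of them the running library provides. */
enum info_age { AGE_FIRST, AGE_SECOND, AGE_THIRD };

struct info {
  enum info_age age;
  const char *version;              /* since AGE_FIRST */
  const char *ssl_version;          /* since AGE_SECOND */
  const char *const *feature_names; /* since AGE_THIRD, NULL-terminated */
};

/* TLS backend name, or NULL when the library predates the field. */
static const char *info_ssl(const struct info *p)
{
  return (p->age >= AGE_SECOND) ? p->ssl_version : NULL;
}

/* Number of feature names, or -1 when the field is not provided. */
static int info_feature_count(const struct info *p)
{
  int n = 0;
  if(p->age < AGE_THIRD)
    return -1; /* skipping this check reads past an older, shorter struct */
  while(p->feature_names && p->feature_names[n])
    n++;
  return n;
}

/* Constructed samples. In old_lib the later fields hold "POISON", which
   stands for whatever memory follows the shorter struct of an old library. */
static const char *const names[] = { "HTTP2", "SSL", "brotli", NULL };
static const char *const junk[] = { "POISON", NULL };
static const struct info new_lib = { AGE_THIRD, "9.9.9", "ExampleTLS", names };
static const struct info old_lib = { AGE_FIRST, "7.0.0", "POISON", junk };

int main(void)
{
  const char *ssl = info_ssl(&old_lib);
  printf("old: ssl=%s features=%d\n", ssl ? ssl : "(n/a)",
         info_feature_count(&old_lib));
  printf("new: ssl=%s features=%d\n", info_ssl(&new_lib),
         info_feature_count(&new_lib));
  return 0;
}
```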
After limiting `find_package()`/`find_dependency()` calls to curl local
Find modules via the `MODULES` keyword, it became possible to detect
dependencies via CMake Configs from within those local Find modules, by
calling `find_package()` again with the `CONFIG` keyword. This patch
implements this. Then maps detection results to the result variables and
curl-specific imported targets the rest of the build expects.
Also honor recently introduced `*_USE_STATIC_LIBS` (experimental) flags
to map to the static target when requested.
This adds CMake Configs as an alternative to the existing `pkg-config`
and `find_path()`/`find_library()` auto-detection methods.
Enabled by default for MSVC, outside vcpkg and when not cross-building.
To enable for other cases, or override the default, you can use
`-DCURL_USE_CMAKECONFIG=ON` or `OFF`.
When enabled, Config detection happens after `pkg-config` and before
`find_path()`/`find_library()`. Using CMake's built-in options, you may
also manually point to the absolute directory holding Config files:
`Libssh2_DIR`, `MbedTLS_DIR`, `NGHTTP2_DIR`, `NGHTTP3_DIR`,
`NGTCP2_DIR` v1.19.0+ (with non-fork OpenSSL only), `Zstd_DIR` v1.4.5+
E.g. `-DMbedTLS_DIR=/path/to/mbedtls/lib/cmake/MbedTLS`
These dependencies typically need to be built with CMake to support
this.
Tagged as experimental.
Refs:
#20013
#19156
#19117
https://github.com/curl/curl/pull/20784#issuecomment-3984318492
Depends-on: fad1ebaecc #20840
Follow-up to 91e06fde1b #20784
Follow-up to 26c39d8df1 #20015
Closes #20814
- librtmp has no test cases, makes no proper releases and has not had a
single commit within the last year
- librtmp parses the URL itself and requires non-compliant URLs for this
- we have no RTMP tests
- RTMP was used by 2.2% of curl users (self-identified in the 2025
survey)
Closes #20673
As code checks `curltime` values for zero and interprets this
as not-initialized or "forever" in several places, make sure
`curlx_now()` never returns a zero timestamp.
Closes #21034
Replace the `volatile int dirty` with a reference counter
protected by a mutex when available.
Solve the problem of when to call application's lock function
by adding a volatile flag that indicates a share has been added
to easy handles in its lifetime. That flag only ever goes from
FALSE to TRUE, so volatile might work (in the absence of a mutex).
(The problem is that the lock/unlock functions need 2-3
`curl_share_setopt()` invocations to become usable and there
is no way of telling if the third will ever happen. Calling
the lock function before the 3rd setopt may crash the
application.)
When removing a share from an easy handle (or replacing it with
another share), detach the easy connection on a share with a
connection pool.
When cleaning up a share, allow this even if it is still used in
easy handles. It will be destroyed when the reference count
drops to 0.
Closes #20870
When extracting the resolve case using alarm timers, the check for "we
are not allowed to use signals" was refactored wrong.
Follow-up to 96d5b5c688
Closes #21047
- it was already required for `curl_*printf()` float/double support.
- some curl tests always fail without it.
- it was already assumed to be present to build test servers.
Source code did not check for `HAVE_SNPRINTF` detection variable.
- it was already required to build examples.
Windows builds stopped using this detection and the function via earlier
commits.
Follow-up to 64f28b8f88 #20765
Follow-up to 935b1bd454 #9570 #9569
Closes #20763
Require CMake 3.18 (2020-07-15) or newer, up from 3.7 (2016-11-11)
prior to this patch.
This requirement also applies to the distributed `curl-config.cmake`.
To allow dropping compatibility code maintained for old versions, and to
use features which were impractical in separate code paths. Also to make
testing, documentation and development easier, CI builds faster due to
CMake performance improvements over time. (e.g. integration tests on
macOS run 8x faster (10 minutes is now under 1.5m) in CI, 2.5x faster on
Windows.)
CMake offers pre-built binaries for major platforms. They work without
an install step, just by unpacking and pointing the cmake command to
them. Making upgrades easy in many cases:
https://cmake.org/download/
https://cmake.org/files/
https://github.com/Kitware/CMake/releases
CMake 3.18 brings these features as generally available when building or
consuming curl/libcurl:
LTO support, improved performance, `pkg-config` and interface target
support, `OBJECT` target (for faster libcurl builds), modern invocation
with `-S`/`-B` options, better support for custom linker options,
FetchContent, `GnuTLS::GnuTLS` target, `--verbose` and `--install`
options, `CMAKE_GENERATOR` env, last but not least unity mode and Ninja
generator.
For maximum build speed, use:
`-DCMAKE_UNITY_BUILD=ON -DCURL_DROP_UNUSED=ON`
As for deprecations, C++11 is required to build CMake itself, which may
be a limit on some platforms. autotools continues to cover them.
Follow-up to 9bcdfb3809 #20408
Follow-up to a7c974e038 #19902
Follow-up to dfbe035c8b #10161
Discussion: https://github.com/curl/curl/discussions/18704
Closes #20407