#
3829759b |
| 08-Dec-2023 |
Viktor Szakats |
build: enable missing OpenSSF-recommended warnings, with fixes

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1].

Enable new recommended warnings (except `-Wsign-conversion`):

- enable `-Wformat=2` for clang (in both cmake and autotools).
- add `CURL_PRINTF()` internal attribute and mark functions accepting printf arguments with it. This is a copy of existing `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible with redefining the `printf` symbol: https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
- fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for mingw-w64 and enable it on this platform.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
- add `-Wsign-conversion` commented with a FIXME.
- cmake: enable `-pedantic-errors` the way we do it with autotools. Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747
- lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format checks. Previously it was always disabled due to the internal `printf` macro.

Fix them:

- fix bug where a `set_ipv6_v6only()` call was missed in builds with `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
- add internal `FALLTHROUGH()` macro.
- replace obsolete fall-through comments with `FALLTHROUGH()`.
- fix fallthrough markups: Delete redundant ones (showing up as warnings in most cases). Add missing ones. Fix indentation.
- silence `-Wformat-nonliteral` warnings with llvm/clang.
- fix one `-Wformat-nonliteral` warning.
- fix new `-Wformat` and `-Wformat-security` warnings.
- fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its definition to `lib/curl_setup.h` allowing use in `tests/server`.
- lib: fix two wrongly passed string arguments in log outputs.
  Co-authored-by: Jay Satiro
- fix new `-Wformat` warnings on mingw-w64.

[1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md

Closes #12489
|
#
7c992dd9 |
| 08-Dec-2023 |
Daniel Stenberg |
lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding Since the copy does not stop at a null byte, let's not call it anything that makes you think it works like the common strndup() function. Based on feedback from Jay Satiro, Stefan Eissing and Patrick Monnerat Closes #12490
|
#
7309b9cb |
| 05-Dec-2023 |
Daniel Stenberg |
lib: strndup/memdup instead of malloc, memcpy and null-terminate

- bufref: use strndup
- cookie: use strndup
- formdata: use strndup
- ftp: use strndup
- gtls: use aprintf instead of malloc + strcpy * 2
- http: use strndup
- mbedtls: use strndup
- md4: use memdup
- ntlm: use memdup
- ntlm_sspi: use strndup
- pingpong: use memdup
- rtsp: use strndup instead of malloc, memcpy and null-terminate
- sectransp: use strndup
- socks_gssapi.c: use memdup
- vtls: use dynbuf instead of malloc, snprintf and memcpy
- vtls: use strdup instead of malloc + memcpy
- wolfssh: use strndup

Closes #12453
|
#
d3b3ba35 |
| 02-Nov-2023 |
Daniel Stenberg |
lib: add and use Curl_strndup() The Curl_strndup() function is similar to memdup(), but copies 'n' bytes then adds a terminating null byte ('\0'). Closes #12251
|
#
f4ff4108 |
| 19-Oct-2023 |
Daniel Stenberg |
configure: check for the fseeko declaration too ... and make the code require both symbol and declaration. This is because for Android, the symbol is always present in the lib at build-time even when not actually available in run-time. Assisted-by: Viktor Szakats Reported-by: 12932 on github Fixes #12086 Closes #12158
|
#
3b6d18bb |
| 03-Oct-2023 |
Viktor Szakats |
spelling: fix codespell 2.2.6 typos Closes #12019
|
#
9c7165e9 |
| 22-Sep-2023 |
Natanael Copa |
lib: use wrapper for curl_mime_data fseek callback

fseek uses long offset which does not match with curl_off_t. This leads to undefined behavior when calling the callback and caused failure on arm 32 bit. Use a wrapper to solve this and use fseeko which uses off_t instead of long. Thanks to the nice people at Libera IRC #musl for helping find this out.

Fixes #11882 Fixes #11900 Closes #11918
|
#
038c46f6 |
| 15-Nov-2022 |
Patrick Monnerat |
configure, cmake, lib: more form api deprecation

Introduce a --enable-form-api configure option to control its inclusion in builds. The condition name defined for it is CURL_DISABLE_FORM_API. Form api code is dependent on MIME: configure and CMake handle this dependency automatically: CMake by making it a dependent option explicitly, configure by inheriting the MIME value by default and rejecting explicit incompatible values. "form-api" is now a new hidden test feature. Update libcurl modules to respect this option and adjust tests accordingly.

Closes #9621
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205
|
#
eb559c80 |
| 16-Nov-2022 |
Patrick Monnerat |
mime: relax easy/mime structures binding Deprecation and removal of codeset conversion support from the library have released the strict need for an early binding of mime structures to an easy handle (https://github.com/curl/curl/commit/2610142). This constraint currently forces to create the handle before the mime structure and the latter cannot be attached to another handle once created (see https://curl.se/mail/lib-2022-08/0027.html). This commit removes the handle pointers from the mime structures allowing more flexibility on their use. When an easy handle is duplicated, bound mime structures must however still be duplicated too as their components hold send-time dynamic information. Closes #9927
|
#
f151ec6c |
| 28-Oct-2022 |
Rose <83477269+AtariDreams@users.noreply.github.com> |
lib: fix some type mismatches and remove unneeded typecasts Many of these castings are unneeded if we change the variables to work better with each other. Ref: https://github.com/curl/curl/pull/9823 Closes https://github.com/curl/curl/pull/9835
|
#
4484270a |
| 26-Oct-2022 |
Ayesh Karunaratne |
misc: typo and grammar fixes

- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`

Closes #9802
|
#
fd840cde |
| 13-Sep-2022 |
Daniel Stenberg |
formdata: typecast the va_arg return value To avoid "enumerated type mixed with another type" warnings Follow-up from 0f52dd5fd5aa3592691a Closes #9499
|
#
0f52dd5f |
| 22-Apr-2021 |
zhanghu on xiaomi |
formdata: fix warning: 'CURLformoption' is promoted to 'int'

curl/lib/formdata.c: In function 'FormAdd':
curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...'
  249 | option = va_arg(params, CURLformoption);
      | ^
curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg')
curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort

Closes #9484
|
#
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
|
#
26101421 |
| 03-Feb-2022 |
Daniel Stenberg |
lib: remove support for CURL_DOES_CONVERSIONS TPF was the only user and support for that was dropped. Closes #8378
|
#
8188ca91 |
| 09-Jan-2022 |
Daniel Stenberg |
formdata: avoid size_t => long typecast overflows Typically a problem for platforms with 32 bit long and 64 bit size_t Reported-by: Fabian Yamaguchi Bug: https://hackerone.com/reports/1444539 Closes #8272
|
#
e081048c |
| 30-Jun-2021 |
Daniel Stenberg |
formdata: avoid "Argument cannot be negative" warning ... when converting a curl_off_t to size_t, by using CURL_ZERO_TERMINATED before passing the argument to the function. Detected by Coverity CID 1486590. Closes #7328 Assisted-by: Daniel Gustafsson
|
#
e6caaa41 |
| 30-Jun-2021 |
Daniel Stenberg |
formdata: correct typecast in curl_mime_data call Coverity pointed out the mismatch. CID 1486590 Closes #7327
|
Revision tags: curl-7_76_1, curl-7_76_0, curl-7_75_0, curl-7_74_0 |
|
#
4d2f8006 |
| 04-Nov-2020 |
Daniel Stenberg |
curl.se: new home Closes #6172
|
Revision tags: curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0, curl-7_71_1 |
|
#
032e838b |
| 25-Jun-2020 |
Daniel Stenberg |
terminology: call them null-terminated strings

Updated terminology in docs, comments and phrases to refer to C strings as "null-terminated". Done to unify with how most other C oriented docs refer to them and what users in general seem to prefer (based on a single highly unscientific poll on twitter).

Reported-by: coinhubs on github Fixes #5598 Closes #5608
|
Revision tags: curl-7_71_0 |
|
#
8df45547 |
| 13-May-2020 |
Daniel Stenberg |
source cleanup: remove all custom typedef structs

- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually typedef different types/structs depending on build conditions.

Closes #5338
|
Revision tags: curl-7_70_0, curl-7_69_1 |
|
#
96972ec1 |
| 06-Mar-2020 |
Patrick Monnerat |
mime: latch last read callback status. In case a read callback returns a status (pause, abort, eof, error) instead of a byte count, drain the bytes read so far but remember this status for further processing. Takes care of not losing data when pausing, and properly resume a paused mime structure when requested. New tests 670-673 check unpausing cases, with easy or multi interface and mime or form api. Fixes #4813 Reported-by: MrdUkk on github
|
#
0b3e3644 |
| 02-Mar-2020 |
Daniel Stenberg |
formdata/mime: copyright year range update Due to the merge/revert cycle
|
#
8cd4e6d8 |
| 02-Mar-2020 |
Daniel Stenberg |
Revert "mime: latch last read callback status." This reverts commit 87869e38d7afdec3ef1bb4965711458b088e254f. Fixes #5014 Closes #5015 Reopens #4833
|