curl: use curl_getenv instead of the curlx_ version

The curlx one was once introduced when we still considered dropping the
libcurl function at some point. To reduce confusion and to mak

curl: use curl_getenv instead of the curlx_ version

The curlx one was once introduced when we still considered dropping the
libcurl function at some point. To reduce confusion and to make it
easier to understand when curl_free() should be used, use the actual
libcurl function call directly instead.

Closes #13230

show more ...

windows: use built-in `_WIN32` macro to detect Windows

Windows compilers define `_WIN32` automatically. Windows SDK headers
or build env defines `WIN32`, or we have to take care of it. T

windows: use built-in `_WIN32` macro to detect Windows

Windows compilers define `_WIN32` automatically. Windows SDK headers
or build env defines `WIN32`, or we have to take care of it. The
agreement seems to be that `_WIN32` is the preferred practice here.
Make the source code rely on that to detect we're building for Windows.

Public `curl.h` was using `WIN32`, `__WIN32__` and `CURL_WIN32` for
Windows detection, next to the official `_WIN32`. After this patch it
only uses `_WIN32` for this. Also, make it stop defining `CURL_WIN32`.

There is a slight chance these break compatibility with Windows
compilers that fail to define `_WIN32`. I'm not aware of any obsolete
or modern compiler affected, but in case there is one, one possible
solution is to define this macro manually.

grepping for `WIN32` remains useful to discover Windows-specific code.

Also:

- extend `checksrc` to ensure we're not using `WIN32` anymore.

- apply minor formatting here and there.

- delete unnecessary checks for `!MSDOS` when `_WIN32` is present.

Co-authored-by: Jay Satiro
Reviewed-by: Daniel Stenberg

Closes #12376

show more ...

checksrc: disallow spaces before labels

Out of 415 labels throughout the code base, 86 of those labels were
not at the start of the line. Which means labels always at the start of
th

checksrc: disallow spaces before labels

Out of 415 labels throughout the code base, 86 of those labels were
not at the start of the line. Which means labels always at the start of
the line is the favoured style overall with 329 instances.

Out of the 86 labels not at the start of the line:
* 75 were indented with the same indentation level of the following line
* 8 were indented with exactly one space
* 2 were indented with one fewer indentation level then the following
line
* 1 was indented with the indentation level of the following line minus
three space (probably unintentional)

Co-Authored-By: Viktor Szakats

Closes #11134

show more ...

src/tool_operhlp.c: fix value stored to 'uerr' is never read

Ref: https://github.com/curl/curl/pull/10974#issuecomment-1510461343
Reported-by: Viktor Szakats
Closes #10982

curl: do NOT append file name to path for upload when there's a query

Added test 425 to verify.

Reported-by: Dirk Rosenkranz
Bug: https://curl.se/mail/archive-2023-04/0008.html

curl: do NOT append file name to path for upload when there's a query

Added test 425 to verify.

Reported-by: Dirk Rosenkranz
Bug: https://curl.se/mail/archive-2023-04/0008.html
Closes #10969

show more ...

tool_operate: Fix error codes during DOS filename sanitize

It would return CURLE_URL_MALFORMAT in an OOM condition.

Closes #10414

tool_operate: Fix error codes on bad URL & OOM

curl would erroneously report CURLE_OUT_OF_MEMORY in some cases instead
of CURLE_URL_MALFORMAT. In other cases, it would erroneously return

tool_operate: Fix error codes on bad URL & OOM

curl would erroneously report CURLE_OUT_OF_MEMORY in some cases instead
of CURLE_URL_MALFORMAT. In other cases, it would erroneously return
CURLE_URL_MALFORMAT instead of CURLE_OUT_OF_MEMORY. Add a test case to
test the former condition.

Fixes #10130
Closes #10414

show more ...

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

tool_operate: more transfer cleanup after parallel transfer fail

In some circumstances when doing parallel transfers, the
single_transfer_cleanup() would not be called and then 'inglob'

tool_operate: more transfer cleanup after parallel transfer fail

In some circumstances when doing parallel transfers, the
single_transfer_cleanup() would not be called and then 'inglob' could
leak.

Test 496 verifies

Reported-by: Trail of Bits
Closes #9749

show more ...

curl/get_url_file_name: use libcurl URL parser

To avoid URL tricks, use the URL parser for this.

This update changes curl's behavior slightly in that it will ignore the
possible

curl/get_url_file_name: use libcurl URL parser

To avoid URL tricks, use the URL parser for this.

This update changes curl's behavior slightly in that it will ignore the
possible query part from the URL and only use the file name from the
actual path from the URL. I consider it a bugfix.

"curl -O localhost/name?giveme-giveme" will now save the output in the
local file named 'name'

Updated test 1210 to verify

Assisted-by: Jay Satiro

Closes #9684

show more ...

curl/add_file_name_to_url: use the libcurl URL parser

instead of the custom error-prone parser, to extract and update the path
of the given URL

Closes #9683

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

lib: remove support for CURL_DOES_CONVERSIONS

TPF was the only user and support for that was dropped.

Closes #8378

metalink: remove

Warning: this will make existing curl command lines that use metalink to
stop working.

Reasons for removal:

1. We've found several security problems an

metalink: remove

Warning: this will make existing curl command lines that use metalink to
stop working.

Reasons for removal:

1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.

2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.

3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.

4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.

5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.

6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.

Cloes #7176

show more ...

curl.se: new home

Closes #6172

tool_operhlp: Copyright year out of date, should be 2020

Follow-up from 2bc373740a3

curl: avoid using strlen for testing if a string is empty

Closes #4873

curl: improved cleanup in upload error path

Memory leak found by torture test 58

Closes #4705

curl: create easy handles on-demand and not ahead of time

This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting

curl: create easy handles on-demand and not ahead of time

This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting in 7.66.0
when this new handle allocating scheme was introduced.

Reported-by: Peter Sumatra
Fixes #4393
Closes #4438

show more ...

curl: support parallel transfers

This is done by making sure each individual transfer is first added to a
linked list as then they can be performed serially, or at will, in
parallel.

curl: support parallel transfers

This is done by making sure each individual transfer is first added to a
linked list as then they can be performed serially, or at will, in
parallel.

Closes #3804

show more ...

snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differen

snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297

show more ...

strcasecompare: all case insensitive string compares ignore locale now

We had some confusions on when each function was used. We should not act
differently on different locales anyway.

strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the

strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").

show more ...

tool_operhlp: Check for backslashes in get_url_file_name

Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

T

tool_operhlp: Check for backslashes in get_url_file_name

Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

This change needed for the curl tool built for Cygwin. Refer to the
CYGWIN addendum in advisory 20160127B.

Bug: https://curl.haxx.se/docs/adv_20160127B.html

show more ...

tool_doswin: Improve sanitization processing

- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

tool_doswin: Improve sanitization processing

- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder

show more ...